From e406f1f45a60c4d12eab0266a30077856ea05c7a Mon Sep 17 00:00:00 2001
From: Fran Mulero
Date: Fri, 13 Sep 2024 12:15:42 +0200
Subject: [PATCH] [bitnami/kafka] feature: NetworkPolicy review (#29274)
* [bitnami/kafka] feature: Users can restrict access to their deployments in a cleaner way
Signed-off-by: Fran Mulero
* Update CHANGELOG.md
Signed-off-by: Bitnami Containers
* Update README.md with readme-generator-for-helm
Signed-off-by: Bitnami Containers
* Add missing changes
Signed-off-by: Fran Mulero
* Update README.md with readme-generator-for-helm
Signed-off-by: Bitnami Containers
* Amend missing variables
Signed-off-by: Fran Mulero
---------
Signed-off-by: Fran Mulero
Signed-off-by: Bitnami Containers
Co-authored-by: Bitnami Containers
---
 bitnami/kafka/CHANGELOG.md | 8 ++++++--
 bitnami/kafka/Chart.yaml | 2 +-
 bitnami/kafka/README.md | 6 ++++--
 bitnami/kafka/templates/networkpolicy.yaml | 20 +++++++++-----------
 bitnami/kafka/values.yaml | 13 +++++++++++--
 5 files changed, 31 insertions(+), 18 deletions(-)
diff --git a/bitnami/kafka/CHANGELOG.md b/bitnami/kafka/CHANGELOG.md
index 290253c300..e1134226d4 100644
--- a/bitnami/kafka/CHANGELOG.md
+++ b/bitnami/kafka/CHANGELOG.md
@@ -1,8 +1,12 @@
 # Changelog
 
-## 30.0.5 (2024-08-20)
+## 30.1.0 (2024-09-06)
 
-* bitnami/kafka Fix pem auth with custom encrypted private key ([#28618](https://github.com/bitnami/charts/pull/28618))
+* [bitnami/kafka] feature: NetworkPolicy review ([#29274](https://github.com/bitnami/charts/pull/29274))
+
+## 30.0.5 (2024-08-23)
+
+* bitnami/kafka Fix pem auth with custom encrypted private key (#28618) ([96b751e](https://github.com/bitnami/charts/commit/96b751e3eb0a6acba28e0fcbca907bb2de88fdf5)), closes [#28618](https://github.com/bitnami/charts/issues/28618)
 
 ## 30.0.4 (2024-08-14)
 
diff --git a/bitnami/kafka/Chart.yaml b/bitnami/kafka/Chart.yaml
index fd9b674d49..7103b02f4b 100644
--- a/bitnami/kafka/Chart.yaml
+++ b/bitnami/kafka/Chart.yaml
@@ -40,4 +40,4 @@ maintainers:
 name: kafka
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/kafka
-version: 30.0.5
+version: 30.1.0
diff --git a/bitnami/kafka/README.md b/bitnami/kafka/README.md
index 00fe03dab5..ad6c67f975 100644
--- a/bitnami/kafka/README.md
+++ b/bitnami/kafka/README.md
@@ -874,10 +874,12 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
 | `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
 | `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
 | `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. | `true` |
 | `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
-| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
-| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+| `networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
+| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
+| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` |
 
 ### Volume Permissions parameters
 
diff --git a/bitnami/kafka/templates/networkpolicy.yaml b/bitnami/kafka/templates/networkpolicy.yaml
index 9407c6252b..65f27ae33b 100644
--- a/bitnami/kafka/templates/networkpolicy.yaml
+++ b/bitnami/kafka/templates/networkpolicy.yaml
@@ -61,24 +61,22 @@ spec:
 {{- if not .Values.networkPolicy.allowExternal }}
 from:
 - podSelector:
- matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
+ {{- if .Values.networkPolicy.addExternalClientAccess }}
 - podSelector:
 matchLabels:
- {{ include "common.names.fullname" . }}-client: "true"
+ {{ template "common.names.fullname" . }}-client: "true"
+ {{- end }}
+ {{- if .Values.networkPolicy.ingressPodMatchLabels }}
 - podSelector:
- matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }}
+ {{- end }}
 {{- if .Values.networkPolicy.ingressNSMatchLabels }}
 - namespaceSelector:
- matchLabels:
- {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
- {{ $key | quote }}: {{ $value | quote }}
- {{- end }}
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressNSMatchLabels "context" $ ) | nindent 14 }}
 {{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
 podSelector:
- matchLabels:
- {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
- {{ $key | quote }}: {{ $value | quote }}
- {{- end }}
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressNSPodMatchLabel "context" $ ) | nindent 14 }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/bitnami/kafka/values.yaml b/bitnami/kafka/values.yaml
index 055acf0aac..6394525fd3 100644
--- a/bitnami/kafka/values.yaml
+++ b/bitnami/kafka/values.yaml
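Review bot: The new `ingressNSPodMatchLabels` branch reads `.Values.networkPolicy.ingressNSPodMatchLabel` (no trailing `s`) while the guard two lines above tests `.Values.networkPolicy.ingressNSPodMatchLabels`, so the labels an operator configures are never rendered into that `podSelector`. Assuming `common.tplvalues.render` emits an empty or null mapping for a missing key rather than failing the render, the result is a `podSelector` with no labels, which in NetworkPolicy semantics selects every pod in the namespaces matched by `ingressNSMatchLabels` — strictly wider than the value was meant to allow, and nothing in the chart would warn about it. The line should read `matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressNSPodMatchLabels "context" $ ) | nindent 14 }}`. A render test that sets `ingressNSPodMatchLabels` and asserts the label key appears under `podSelector.matchLabels` would catch this class of typo. The ingress rule this `from:` list belongs to, and the `$podLabels` variable, are defined outside the hunk.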
@@ -1765,6 +1765,9 @@ networkPolicy:
 ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
 ##
 allowExternalEgress: true
+ ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
+ ##
+ addExternalClientAccess: true
 ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
 ## e.g:
 ## extraIngress:
@@ -1798,8 +1801,14 @@ networkPolicy:
 ## - frontend
 ##
 extraEgress: []
- ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
- ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.
+ ## e.g:
+ ## ingressPodMatchLabels:
+ ## my-client: "true"
+ #
+ ingressPodMatchLabels: {}
+ ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
+ ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
 ##
 ingressNSMatchLabels: {}
 ingressNSPodMatchLabels: {}
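Review bot: The `@param` description for `addExternalClientAccess` says "client label set to "true"" without naming the label, and the key is derived from the release fullname (`{{ template "common.names.fullname" . }}-client: "true"` in templates/networkpolicy.yaml), so users have to read the template to learn what to put on their client pods. I would make it `## @param networkPolicy.addExternalClientAccess Allow access from pods carrying the \`<release-fullname>-client: "true"\` label. Ignored if \`networkPolicy.allowExternal\` is true.` so the README row generated from this line is self-explanatory too.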
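Review bot: The separator comment between the `ingressPodMatchLabels` example and `ingressPodMatchLabels: {}` is a bare `#`, whereas every other parameter in this block — the `##` line above `extraEgress: []` and the `##` the hunk itself keeps before `ingressNSMatchLabels: {}` — uses `##`. Replace `#` with `##` so the block reads consistently and the line is treated like the rest of the parameter documentation. Keeping the example value quoted (`my-client: "true"`) is correct, since an unquoted `true` would be parsed as a boolean and label values must be strings.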