Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-03-16 06:47:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/postgresql] fix: 🐛 Set correct references in network policy (#23328)

Browse Source 
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-02-12 10:49:31 +01:00
committed by GitHub
parent 8580945a6a
commit e8c2230b05
5 changed files with 15 additions and 132 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bitnami/postgresql/Chart.yaml
View File

@@ -35,4 +35,4 @@ maintainers:
name: postgresql name: postgresql
sources: sources:
- https://github.com/bitnami/charts/tree/main/bitnami/postgresql - https://github.com/bitnami/charts/tree/main/bitnami/postgresql
version: 14.0.4 version: 14.0.5

19
bitnami/postgresql/README.md
View File

@@ -435,25 +435,6 @@ kubectl delete pvc -l release=my-release
| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | | `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` |
| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | | `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` |
### NetworkPolicy parameters
| Name | Description | Value |
| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `networkPolicy.enabled` | Enable network policies | `false` |
| `networkPolicy.metrics.enabled` | Enable network policies for metrics (prometheus) | `false` |
| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` |
| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. | `false` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). | `{}` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). | `{}` |
| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL primary node. | `[]` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. | `false` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). | `{}` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). | `{}` |
| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL read-only nodes. | `[]` |
| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` |
| `networkPolicy.egressRules.customRules` | Custom network policy rule | `[]` |
### Volume Permissions parameters ### Volume Permissions parameters
| Name | Description | Value | | Name | Description | Value |

3
bitnami/postgresql/templates/primary/networkpolicy.yaml
View File

@@ -22,7 +22,7 @@ spec:
policyTypes: policyTypes:
- Ingress - Ingress
- Egress - Egress
{{- if .Values.networkPolicy.allowExternalEgress }} {{- if .Values.primary.networkPolicy.allowExternalEgress }}
egress: egress:
- {} - {}
{{- else }} {{- else }}
@@ -35,7 +35,6 @@ spec:
protocol: TCP protocol: TCP
# Allow outbound connections to read-replicas # Allow outbound connections to read-replicas
- ports: - ports:
- port: {{ include "postgresql.v1.readReplica.service.port" . }}
- port: {{ .Values.containerPorts.postgresql }} - port: {{ .Values.containerPorts.postgresql }}
to: to:
- podSelector: - podSelector:

27
bitnami/postgresql/templates/read/networkpolicy.yaml
View File

@@ -3,7 +3,7 @@ Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0 SPDX-License-Identifier: APACHE-2.0
*/}} */}}
{{- if .Values.primary.networkPolicy.enabled }} {{- if .Values.readReplicas.networkPolicy.enabled }}
kind: NetworkPolicy kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata: metadata:
@@ -15,14 +15,14 @@ metadata:
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }} {{- end }}
spec: spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
podSelector: podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: read app.kubernetes.io/component: read
policyTypes: policyTypes:
- Ingress - Ingress
- Egress - Egress
{{- if .Values.primary.networkPolicy.allowExternalEgress }} {{- if .Values.readReplicas.networkPolicy.allowExternalEgress }}
egress: egress:
- {} - {}
{{- else }} {{- else }}
@@ -35,14 +35,13 @@ spec:
protocol: TCP protocol: TCP
# Allow outbound connections to primary # Allow outbound connections to primary
- ports: - ports:
- port: {{ include "postgresql.v1.service.port" . }}
- port: {{ .Values.containerPorts.postgresql }} - port: {{ .Values.containerPorts.postgresql }}
to: to:
- podSelector: - podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
app.kubernetes.io/component: primary app.kubernetes.io/component: primary
{{- if .Values.primary.networkPolicy.extraEgress }} {{- if .Values.readReplicas.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
ingress: ingress:
@@ -51,29 +50,29 @@ spec:
{{- if .Values.metrics.enabled }} {{- if .Values.metrics.enabled }}
- port: {{ .Values.metrics.containerPorts.metrics }} - port: {{ .Values.metrics.containerPorts.metrics }}
{{- end }} {{- end }}
{{- if not .Values.primary.networkPolicy.allowExternal }} {{- if not .Values.readReplicas.networkPolicy.allowExternal }}
from: from:
- podSelector: - podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
- podSelector: - podSelector:
matchLabels: matchLabels:
{{ template "postgresql.v1.primary.fullname" . }}-client: "true" {{ template "postgresql.v1.readReplica.fullname" . }}-client: "true"
{{- if .Values.primary.networkPolicy.ingressNSMatchLabels }} {{- if .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector: - namespaceSelector:
matchLabels: matchLabels:
{{- range $key, $value := .Values.primary.networkPolicy.ingressNSMatchLabels }} {{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }} {{ $key | quote }}: {{ $value | quote }}
{{- end }} {{- end }}
{{- if .Values.primary.networkPolicy.ingressNSPodMatchLabels }} {{- if .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
podSelector: podSelector:
matchLabels: matchLabels:
{{- range $key, $value := .Values.primary.networkPolicy.ingressNSPodMatchLabels }} {{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }} {{ $key | quote }}: {{ $value | quote }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.primary.networkPolicy.extraIngress }} {{- if .Values.readReplicas.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }} {{- end }}
{{- end }} {{- end }}

96
bitnami/postgresql/values.yaml
View File

@@ -1324,102 +1324,6 @@ backup:
## ##
selector: {} selector: {}
## @section NetworkPolicy parameters
##
## Add networkpolicies
##
networkPolicy:
## @param networkPolicy.enabled Enable network policies
##
enabled: false
## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus)
## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace.
## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods.
##
metrics:
enabled: false
## e.g:
## namespaceSelector:
## label: monitoring
##
namespaceSelector: {}
## e.g:
## podSelector:
## label: monitoring
##
podSelector: {}
## Ingress Rules
##
ingressRules:
## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin.
## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s).
## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s).
## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules Custom network policy for the PostgreSQL primary node.
##
primaryAccessOnlyFrom:
enabled: false
## e.g:
## namespaceSelector:
## label: ingress
##
namespaceSelector: {}
## e.g:
## podSelector:
## label: access
##
podSelector: {}
## custom ingress rules
## e.g:
## customRules:
## - from:
## - namespaceSelector:
## matchLabels:
## label: example
##
customRules: []
## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin.
## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s).
## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s).
## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules Custom network policy for the PostgreSQL read-only nodes.
##
readReplicasAccessOnlyFrom:
enabled: false
## e.g:
## namespaceSelector:
## label: ingress
##
namespaceSelector: {}
## e.g:
## podSelector:
## label: access
##
podSelector: {}
## custom ingress rules
## e.g:
## CustomRules:
## - from:
## - namespaceSelector:
## matchLabels:
## label: example
##
customRules: []
## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53).
## @param networkPolicy.egressRules.customRules Custom network policy rule
##
egressRules:
# Deny connections to external. This is not compatible with an external database.
denyConnectionsToExternal: false
## Additional custom egress rules
## e.g:
## customRules:
## - to:
## - namespaceSelector:
## matchLabels:
## label: example
##
customRules: []
## @section Volume Permissions parameters ## @section Volume Permissions parameters
## ##