Add optional network policy
Adds a NetworkPolicy to enable communication between CouchDB pods
and external ingress on port 5984.

This is required in environments (e.g. Red Hat OpenShift) which apply
DenyAll network policies by default.

ported from helm/charts#17262
willholley committed Oct 31, 2019
1 parent 8bba11e commit 17b38890805b3040333c8dfa4da9ab0a5597edf4
Showing 3 changed files with 37 additions and 0 deletions.
@@ -140,6 +140,7 @@ A variety of other parameters are also configurable. See the comments in the
| `service.type` | ClusterIP |
| `service.externalPort` | 5984 |
| `dns.clusterDomainSuffix` | cluster.local |
| `networkPolicy.enabled` | true |
| `serviceAccount.enabled` | true |
| `serviceAccount.create` | true |
| `serviceAccount.imagePullSecrets` | |
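Review bot: the new `networkPolicy.enabled` row records only the default, and this two-column table has no place to say what the policy permits. Add a sentence near the table stating what the template opens (TCP 5984 from any source, TCP 9100 and 4369 only between the CouchDB pods), so an operator can tell from the README what enabling it changes.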
@@ -0,0 +1,31 @@

{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ template "couchdb.fullname" . }}
labels:
app: {{ template "couchdb.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
podSelector:
matchLabels:
{{ include "couchdb.ss.selector" . | indent 6 }}
ingress:
- ports:
- protocol: TCP
port: 5984
- ports:
- protocol: TCP
port: 9100
- protocol: TCP
port: 4369
from:
- podSelector:
matchLabels:
{{ include "couchdb.ss.selector" . | indent 14 }}
policyTypes:
- Ingress
{{- end }}
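Review bot: the first ingress rule (`- ports:` with `port: 5984`) carries no `from` clause, so on an enforcing cluster port 5984 is reachable from every source, including pods in other namespaces; only the 9100/4369 rule is scoped to the CouchDB pods through `couchdb.ss.selector`. That matches the commit message's goal of external ingress on 5984, but it leaves no way to narrow access to the CouchDB API. Consider letting values supply an optional `from` list for that rule and keeping the current open behaviour as the default when the list is empty.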
@@ -25,6 +25,11 @@ adminUsername: admin
# adminPassword: this_is_not_secure
# cookieAuthSecret: neither_is_this

## When enabled, will deploy a networkpolicy that allows CouchDB pods to
## communicate with each other for clustering and ingress on port 5984
networkPolicy:
enabled: true

## Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
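Review bot: `enabled: true` as the default means an upgrade of an existing release starts selecting the CouchDB pods with an Ingress policy, and on clusters that enforce NetworkPolicy all ingress to those pods other than 5984 and the peer traffic on 9100/4369 is then dropped. The commit title calls the policy optional, so consider defaulting to `false`, or extend the comment above `networkPolicy:` to state that enabling it isolates the pods for ingress and that 5984 is allowed from any source.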
