Commit 70084c4

[bitnami/haproxy] feat: 🔒 Enable networkPolicy (#23206)
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
1 parent cce6165 commit 70084c4

4 files changed, +158 -28 lines changed

bitnami/haproxy/Chart.yaml

Lines changed: 1 addition & 1 deletion
@@ -28,4 +28,4 @@ maintainers:
2828
name: haproxy
2929
sources:
3030
- https://github.com/bitnami/charts/tree/main/bitnami/haproxy
31-
version: 0.13.7
31+
version: 0.14.0
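Review bot: a minor bump (0.13.7 to 0.14.0) fits a new feature, but this feature ships with `networkPolicy.enabled: true` by default, so every existing release picks up a NetworkPolicy on upgrade; on clusters whose CNI enforces policies, traffic to any pod port not listed in `containerPorts` will start being dropped. That behaviour change should be called out in the chart's upgrade notes alongside the version bump.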

bitnami/haproxy/README.md

Lines changed: 34 additions & 27 deletions
@@ -80,33 +80,40 @@ The command removes all the Kubernetes components associated with the chart and
8080

8181
### Traffic Exposure Parameters
8282

83-
| Name | Description | Value |
84-
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
85-
| `service.type` | haproxy service type | `LoadBalancer` |
86-
| `service.ports` | List of haproxy service ports | `[]` |
87-
| `service.clusterIP` | haproxy service Cluster IP | `""` |
88-
| `service.loadBalancerIP` | haproxy service Load Balancer IP | `""` |
89-
| `service.loadBalancerSourceRanges` | haproxy service Load Balancer sources | `[]` |
90-
| `service.externalTrafficPolicy` | haproxy service external traffic policy | `Cluster` |
91-
| `service.annotations` | Additional custom annotations for haproxy service | `{}` |
92-
| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
93-
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
94-
| `service.labels` | Additional custom labels for haproxy service | `{}` |
95-
| `ingress.enabled` | Enable ingress record generation for haproxy | `false` |
96-
| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
97-
| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
98-
| `ingress.hostname` | Default host for the ingress record | `haproxy.local` |
99-
| `ingress.path` | Default path for the ingress record | `/` |
100-
| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
101-
| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` |
102-
| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
103-
| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
104-
| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
105-
| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
106-
| `ingress.secrets` | Custom TLS certificates as secrets | `[]` |
107-
| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
108-
| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
109-
| `terminationGracePeriodSeconds` | Seconds HAProxy pod needs to terminate gracefully | `""` |
83+
| Name | Description | Value |
84+
| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
85+
| `service.type` | haproxy service type | `LoadBalancer` |
86+
| `service.ports` | List of haproxy service ports | `[]` |
87+
| `service.clusterIP` | haproxy service Cluster IP | `""` |
88+
| `service.loadBalancerIP` | haproxy service Load Balancer IP | `""` |
89+
| `service.loadBalancerSourceRanges` | haproxy service Load Balancer sources | `[]` |
90+
| `service.externalTrafficPolicy` | haproxy service external traffic policy | `Cluster` |
91+
| `service.annotations` | Additional custom annotations for haproxy service | `{}` |
92+
| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
93+
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
94+
| `service.labels` | Additional custom labels for haproxy service | `{}` |
95+
| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
96+
| `networkPolicy.allowExternal` | Don't require server label for connections | `true` |
97+
| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
98+
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
99+
| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
100+
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
101+
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
102+
| `ingress.enabled` | Enable ingress record generation for haproxy | `false` |
103+
| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
104+
| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
105+
| `ingress.hostname` | Default host for the ingress record | `haproxy.local` |
106+
| `ingress.path` | Default path for the ingress record | `/` |
107+
| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
108+
| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` |
109+
| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
110+
| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
111+
| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
112+
| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
113+
| `ingress.secrets` | Custom TLS certificates as secrets | `[]` |
114+
| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
115+
| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
116+
| `terminationGracePeriodSeconds` | Seconds HAProxy pod needs to terminate gracefully | `""` |
110117

111118
### HAProxy Parameters
112119

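Review bot: two of the new `networkPolicy.*` descriptions are wrong: `networkPolicy.extraIngress` says "NetworkPolice", and `networkPolicy.extraEgress` says "Add extra ingress rules" although the template renders it under the egress section. This table is generated from the `@param` comments in values.yaml (changed in this same commit), so fix the wording there and regenerate rather than hand-editing the table. The `networkPolicy.allowExternal` text "Don't require server label for connections" should also describe what the template actually checks: when set to `false`, only pods carrying the chart's own labels or the `<fullname>-client: "true"` label may reach the HAProxy pod.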
Lines changed: 67 additions & 0 deletions
@@ -0,0 +1,67 @@
1+
{{- /*
2+
Copyright VMware, Inc.
3+
SPDX-License-Identifier: APACHE-2.0
4+
*/}}
5+
6+
{{- if .Values.networkPolicy.enabled }}
7+
kind: NetworkPolicy
8+
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
9+
metadata:
10+
name: {{ template "common.names.fullname" . }}
11+
namespace: {{ include "common.names.namespace" . | quote }}
12+
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
13+
{{- if .Values.commonAnnotations }}
14+
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
15+
{{- end }}
16+
spec:
17+
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
18+
podSelector:
19+
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
20+
policyTypes:
21+
- Ingress
22+
- Egress
23+
egress:
24+
{{- if .Values.networkPolicy.allowExternalEgress }}
25+
- {}
26+
{{- else }}
27+
- ports:
28+
# Allow dns resolution
29+
- port: 53
30+
protocol: UDP
31+
- port: 53
32+
protocol: TCP
33+
{{- if .Values.networkPolicy.extraEgress }}
34+
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
35+
{{- end }}
36+
{{- end }}
37+
ingress:
38+
- ports:
39+
{{- range .Values.containerPorts }}
40+
- port: {{ .containerPort }}
41+
{{- end }}
42+
{{- if not .Values.networkPolicy.allowExternal }}
43+
from:
44+
- podSelector:
45+
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
46+
- podSelector:
47+
matchLabels:
48+
{{ template "common.names.fullname" . }}-client: "true"
49+
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
50+
- namespaceSelector:
51+
matchLabels:
52+
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
53+
{{ $key | quote }}: {{ $value | quote }}
54+
{{- end }}
55+
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
56+
podSelector:
57+
matchLabels:
58+
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
59+
{{ $key | quote }}: {{ $value | quote }}
60+
{{- end }}
61+
{{- end }}
62+
{{- end }}
63+
{{- end }}
64+
{{- if .Values.networkPolicy.extraIngress }}
65+
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
66+
{{- end }}
67+
{{- end }}
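Review bot: with `allowExternalEgress: false` the only egress left is DNS (`- port: 53` / `protocol: UDP` and the TCP twin) plus whatever is in `extraEgress`, so an HAProxy pod will be unable to reach the backends it load-balances unless the operator lists them under `networkPolicy.extraEgress`; that consequence belongs in the values.yaml comment for the parameter, since HAProxy is useless without backend egress. The DNS rule also carries no `to:` selector, so it allows port 53 to any destination; adding a `namespaceSelector` for the cluster DNS namespace keeps the deny-by-default posture intact. Minor: `{{- range .Values.containerPorts }}` assumes every entry has a `containerPort` key, which should be stated in the values documentation.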

bitnami/haproxy/values.yaml

Lines changed: 56 additions & 0 deletions
@@ -114,6 +114,62 @@ service:
114114
##
115115
labels: {}
116116

117+
## Network Policies
118+
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
119+
##
120+
networkPolicy:
121+
## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
122+
##
123+
enabled: true
124+
## @param networkPolicy.allowExternal Don't require server label for connections
125+
## The Policy model to apply. When set to false, only pods with the correct
126+
## server label will have network access to the ports server is listening
127+
## on. When true, server will accept connections from any source
128+
## (with the correct destination port).
129+
##
130+
allowExternal: true
131+
## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
132+
##
133+
allowExternalEgress: true
134+
## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
135+
## e.g:
136+
## extraIngress:
137+
## - ports:
138+
## - port: 1234
139+
## from:
140+
## - podSelector:
141+
## - matchLabels:
142+
## - role: frontend
143+
## - podSelector:
144+
## - matchExpressions:
145+
## - key: role
146+
## operator: In
147+
## values:
148+
## - frontend
149+
extraIngress: []
150+
## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
151+
## e.g:
152+
## extraEgress:
153+
## - ports:
154+
## - port: 1234
155+
## to:
156+
## - podSelector:
157+
## - matchLabels:
158+
## - role: frontend
159+
## - podSelector:
160+
## - matchExpressions:
161+
## - key: role
162+
## operator: In
163+
## values:
164+
## - frontend
165+
##
166+
extraEgress: []
167+
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
168+
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
169+
##
170+
ingressNSMatchLabels: {}
171+
ingressNSPodMatchLabels: {}
172+
117173
## Configure the ingress resource that allows you to access the haproxy installation
118174
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
119175
##
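Review bot: the `extraIngress` and `extraEgress` examples are not valid NetworkPolicy YAML: `podSelector` takes a map, so `- matchLabels:` and `- role: frontend` must not be list items (`- podSelector:` / `matchLabels:` / `role: frontend`), and likewise `- matchExpressions:` should be `matchExpressions:` with the `- key: role` entries beneath it. Anyone copying the example as written gets an object the API server rejects rather than a working rule. In the same block, fix "NetworkPolice" in the `extraIngress` comment and change "Add extra ingress rules" to "egress" on `networkPolicy.extraEgress`, and reword the `allowExternal` comment, which talks about a "server label" although the template matches the `<fullname>-client: "true"` label on client pods.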
