From 660a65f7c987b5fc38288734640e96cc874e8d61 Mon Sep 17 00:00:00 2001 From: hicwic Date: Thu, 2 Dec 2021 12:59:08 +0100 Subject: [PATCH 1/3] [chart/grafana] Add networkpolicy support Signed-off-by: hicwic --- charts/grafana/Chart.yaml | 2 +- charts/grafana/README.md | 11 ++++-- charts/grafana/templates/networkpolicy.yaml | 37 +++++++++++++++++++++ charts/grafana/values.yaml | 26 +++++++++++++++ 4 files changed, 72 insertions(+), 4 deletions(-) create mode 100644 charts/grafana/templates/networkpolicy.yaml diff --git a/charts/grafana/Chart.yaml b/charts/grafana/Chart.yaml index fe83ae2720..c761ff378d 100644 --- a/charts/grafana/Chart.yaml +++ b/charts/grafana/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: grafana -version: 6.17.10 +version: 6.18.0 appVersion: 8.2.5 kubeVersion: "^1.8.0-0" description: The leading tool for querying and visualizing time series and metrics. diff --git a/charts/grafana/README.md b/charts/grafana/README.md index 8b09875c41..96dc902900 100644 --- a/charts/grafana/README.md +++ b/charts/grafana/README.md @@ -234,6 +234,11 @@ This version requires Helm >= 3.1.0. | `imageRenderer.networkPolicy.limitIngress` | Enable a NetworkPolicy to limit inbound traffic from only the created grafana pods | `true` | | `imageRenderer.networkPolicy.limitEgress` | Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods | `false` | | `imageRenderer.resources` | Set resource limits for image-renderer pdos | `{}` | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources. | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | `{}` | + + ### Example ingress with path 
@@ -533,12 +538,12 @@ By default the image-renderer pods will have a network policy which only allows ### High Availability for unified alerting -If you want to run Grafana in a high availability cluster you need to enable +If you want to run Grafana in a high availability cluster you need to enable the headless service by setting `headlessService: true` in your `values.yaml` file. -As next step you have to setup the `grafana.ini` in your `values.yaml` in a way -that it will make use of the headless service to obtain all the IPs of the +As next step you have to setup the `grafana.ini` in your `values.yaml` in a way +that it will make use of the headless service to obtain all the IPs of the cluster. You should replace ``{{ Name }}`` with the name of your helm deployment. ```yaml diff --git a/charts/grafana/templates/networkpolicy.yaml b/charts/grafana/templates/networkpolicy.yaml new file mode 100644 index 0000000000..fc243828e0 --- /dev/null +++ b/charts/grafana/templates/networkpolicy.yaml 
@@ -0,0 +1,37 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "grafana.fullname" . }}
+ namespace: {{ template "grafana.namespace" . }}
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+{{- if .Values.labels }}
+{{ toYaml .Values.labels | indent 4 }}
+{{- end }}
+{{- with .Values.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "grafana.selectorLabels" . | nindent 6 }}
+ ingress:
+ - ports:
+ - port: {{ .Values.service.targetPort }}
+ {{- if not .Values.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels:
+ {{ template "grafana.fullname" . }}-client: "true"
+ {{- if .Values.networkPolicy.explicitNamespacesSelector }}
+ namespaceSelector:
+ {{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }}
+ {{- end }}
+ - podSelector:
+ matchLabels:
+ {{- include "grafana.labels" . | nindent 14 }}
+ role: read
+ {{- end }}
+{{- end }}
diff --git a/charts/grafana/values.yaml b/charts/grafana/values.yaml
index 595723ee66..50a082d081 100644
--- a/charts/grafana/values.yaml
+++ b/charts/grafana/values.yaml
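Review bot: With `allowExternal: false` the `from` list admits only pods labelled `<fullname>-client: "true"` (or the `grafana.labels` + `role: read` combination, which no template in this diff applies to any pod and which, if `grafana.labels` carries the chart-version label, would stop matching on every chart upgrade), so callers the chart creates itself are denied: the image renderer, whose outbound traffic to Grafana the README hunk's `imageRenderer.networkPolicy.limitEgress` row describes, and presumably the peer traffic between replicas in the HA setup the README's second hunk sits under, which likely uses a port other than `service.targetPort`. Either add a `from` entry selecting the chart's own pods via `{{- include "grafana.selectorLabels" . | nindent 14 }}` together with whatever extra port those flows need, or state in the README that such pods must carry the client label. Separately, `{{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }}` appears to sit on an indented line, in which case `indent` double-indents the first rendered line relative to the following ones and the policy fails to parse; the `{{- ... | nindent 12 }}` form used by the other includes in this hunk avoids that. The label key `{{ template "grafana.fullname" . }}-client` can exceed the 63-character limit for label names when fullname is already at its truncation length, so truncate it or use a fixed key. Adding `policyTypes: [Ingress]` under `spec:` would also make explicit what the values comment says, that egress is left unfiltered.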
@@ -760,3 +760,29 @@ imageRenderer:
 # requests:
 # cpu: 50m
 # memory: 50Mi
+
+networkPolicy:
+ ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
+ ##
+ enabled: false
+ ## @param networkPolicy.allowExternal Don't require client label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## client label will have network access to grafana port defined.
+ ## When true, grafana will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed
+ ## If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
+ ## and that match other criteria, the ones that have the good label, can reach the grafana.
+ ## But sometimes, we want the grafana to be accessible to clients from other namespaces, in this case, we can use this
+ ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
+ ##
+ ## Example:
+ ## explicitNamespacesSelector:
+ ## matchLabels:
+ ## role: frontend
+ ## matchExpressions:
+ ## - {key: role, operator: In, values: [frontend]}
+ ##
+ explicitNamespacesSelector: {}
\ No newline at end of file
From 6c3ebc14d5845772e273e650aff2f55e7b93382b Mon Sep 17 00:00:00 2001 From: hicwic Date: Fri, 3 Dec 2021 08:18:45 +0100 Subject: [PATCH 2/3] [chart/grafana] Add networkpolicy support Signed-off-by: hicwic
---
charts/grafana/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/grafana/values.yaml b/charts/grafana/values.yaml
index 50a082d081..de0b85b1e4 100644
--- a/charts/grafana/values.yaml
+++ b/charts/grafana/values.yaml
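Review bot: The `allowExternal` comment should say what the rendered policy actually does in each mode: with the default `true` the ingress rule has no `from`, so any source — other namespaces and, depending on the CNI, addresses outside the cluster — can reach `service.targetPort`, and the policy only blocks other ports; with `false` the namespace-local client label is required. Suggest replacing the first `@param` line with `## @param networkPolicy.allowExternal Allow ingress to the Grafana port from any source; when false only pods labelled <fullname>-client: "true" (and, if explicitNamespacesSelector is set, only in the namespaces it matches) are admitted`. The `explicitNamespacesSelector` text could also state that the selector is ANDed with the client-label podSelector in the same rule, i.e. clients in the selected namespaces still need the label, which is what the current "match other criteria" wording leaves implicit.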
@@ -785,4 +785,4 @@ networkPolicy: ## matchExpressions: ## - {key: role, operator: In, values: [frontend]} ## - explicitNamespacesSelector: {} \ No newline at end of file + explicitNamespacesSelector: {} From c0b582c61bb6407d65cfd63c9ae203b57f88caa4 Mon Sep 17 00:00:00 2001 From: Gabriel Olivieri Date: Wed, 1 Dec 2021 18:46:19 +0100 Subject: [PATCH 3/3] Add overrides to Tempo Fix docs for PR version bump Generate Docs Lint Signed-off-by: Annanay Agarwal --- charts/tempo/Chart.yaml | 2 +- charts/tempo/README.md | 3 ++- charts/tempo/templates/configmap-tempo.yaml | 1 + charts/tempo/values.yaml | 1 + 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/charts/tempo/Chart.yaml b/charts/tempo/Chart.yaml index 64677efd0d..d6550762e1 100644 --- a/charts/tempo/Chart.yaml +++ b/charts/tempo/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: tempo description: Grafana Tempo Single Binary Mode type: application -version: 0.12.0 +version: 0.12.1 appVersion: 1.2.1 engine: gotpl home: https://grafana.net diff --git a/charts/tempo/README.md b/charts/tempo/README.md index 4e695b7454..1fabe07af3 100644 --- a/charts/tempo/README.md +++ b/charts/tempo/README.md @@ -1,6 +1,6 @@ # tempo -![Version: 0.12.0](https://img.shields.io/badge/Version-0.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.1](https://img.shields.io/badge/AppVersion-1.2.1-informational?style=flat-square) +![Version: 0.12.1](https://img.shields.io/badge/Version-0.12.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.1](https://img.shields.io/badge/AppVersion-1.2.1-informational?style=flat-square) Grafana Tempo Single Binary Mode 
@@ -40,6 +40,7 @@ Grafana Tempo Single Binary Mode | tempo.extraVolumeMounts | list | `[]` | Volume mounts to add | | tempo.ingester | object | `{}` | | | tempo.memBallastSizeMbs | int | `1024` | | +| tempo.overrides | object | `{}` | | | tempo.pullPolicy | string | `"IfNotPresent"` | | | tempo.receivers.jaeger.protocols.grpc.endpoint | string | `"0.0.0.0:14250"` | | | tempo.receivers.jaeger.protocols.thrift_binary.endpoint | string | `"0.0.0.0:6832"` | | diff --git a/charts/tempo/templates/configmap-tempo.yaml b/charts/tempo/templates/configmap-tempo.yaml index 19d4f1b56c..979deda151 100644 --- a/charts/tempo/templates/configmap-tempo.yaml +++ b/charts/tempo/templates/configmap-tempo.yaml @@ -8,6 +8,7 @@ metadata: data: overrides.yaml: | overrides: + {{- toYaml .Values.tempo.overrides | nindent 6 }} tempo.yaml: | auth_enabled: {{ .Values.tempo.authEnabled }} search_enabled: {{ .Values.tempo.searchEnabled }} diff --git a/charts/tempo/values.yaml b/charts/tempo/values.yaml index 22d4c56a03..4e121f2538 100644 --- a/charts/tempo/values.yaml +++ b/charts/tempo/values.yaml @@ -31,6 +31,7 @@ tempo: searchEnabled: false ingester: {} retention: 24h + overrides: {} # Tempo server configuration # Refers to https://grafana.com/docs/tempo/latest/configuration/#server
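Review bot: `overrides: {}` is added to the tempo values without a `# --` description, which is why the README row generated in the same commit has an empty description column while neighbouring keys such as `tempo.extraVolumeMounts` are documented; add `# -- Contents of Tempo's overrides.yaml, rendered verbatim into the ConfigMap by configmap-tempo.yaml` above it. Because the configmap hunk passes the map through `toYaml` without any validation, the comment should also point readers to Tempo's overrides documentation for the accepted keys, the way the `server` block below does with its `# Refers to` link. The enclosing `tempo:` mapping starts before this hunk.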