Commit 153184f

mblaschke and Bitnami Containers authored Sep 22, 2023
[bitnami/redis] add customization of metrics networkpolicy (#19468)
* Update values.yaml
  Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>
* Update networkpolicy.yaml
  Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>
* Update Chart.yaml
  Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>
* Update README.md
  Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>
* Update values.yaml
  Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>
* Update README.md with readme-generator-for-helm
  Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

---------

Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
1 parent 2ab2ab9 commit 153184f

4 files changed: +67 -31 lines changed


‎bitnami/redis/Chart.yaml

+1-1
@@ -34,4 +34,4 @@ maintainers:
3434
name: redis
3535
sources:
3636
- https://github.com/bitnami/charts/tree/main/bitnami/redis
37-
version: 18.0.4
37+
version: 18.1.0

‎bitnami/redis/README.md

+33-30
@@ -434,35 +434,38 @@ The command removes all the Kubernetes components associated with the chart and
434434

435435
### Other Parameters
436436

437-
| Name | Description | Value |
438-
| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
439-
| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` |
440-
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
441-
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
442-
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
443-
| `networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy | `[]` |
444-
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
445-
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
446-
| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
447-
| `podSecurityPolicy.enabled` | Enable PodSecurityPolicy's RBAC rules | `false` |
448-
| `rbac.create` | Specifies whether RBAC resources should be created | `false` |
449-
| `rbac.rules` | Custom RBAC rules to set | `[]` |
450-
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
451-
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
452-
| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `true` |
453-
| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
454-
| `pdb.create` | Specifies whether a PodDisruptionBudget should be created | `false` |
455-
| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` |
456-
| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction | `""` |
457-
| `tls.enabled` | Enable TLS traffic | `false` |
458-
| `tls.authClients` | Require clients to authenticate | `true` |
459-
| `tls.autoGenerated` | Enable autogenerated certificates | `false` |
460-
| `tls.existingSecret` | The name of the existing secret that contains the TLS certificates | `""` |
461-
| `tls.certificatesSecret` | DEPRECATED. Use existingSecret instead. | `""` |
462-
| `tls.certFilename` | Certificate filename | `""` |
463-
| `tls.certKeyFilename` | Certificate Key filename | `""` |
464-
| `tls.certCAFilename` | CA Certificate filename | `""` |
465-
| `tls.dhParamsFilename` | File containing DH params (in order to support DH based ciphers) | `""` |
437+
| Name | Description | Value |
438+
| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
439+
| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` |
440+
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
441+
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
442+
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
443+
| `networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy | `[]` |
444+
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
445+
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
446+
| `networkPolicy.metrics.allowExternal` | Don't require client label for connections for metrics endpoint | `true` |
447+
| `networkPolicy.metrics.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces to metrics endpoint | `{}` |
448+
| `networkPolicy.metrics.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces to metrics endpoint | `{}` |
449+
| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
450+
| `podSecurityPolicy.enabled` | Enable PodSecurityPolicy's RBAC rules | `false` |
451+
| `rbac.create` | Specifies whether RBAC resources should be created | `false` |
452+
| `rbac.rules` | Custom RBAC rules to set | `[]` |
453+
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
454+
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
455+
| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `true` |
456+
| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
457+
| `pdb.create` | Specifies whether a PodDisruptionBudget should be created | `false` |
458+
| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` |
459+
| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction | `""` |
460+
| `tls.enabled` | Enable TLS traffic | `false` |
461+
| `tls.authClients` | Require clients to authenticate | `true` |
462+
| `tls.autoGenerated` | Enable autogenerated certificates | `false` |
463+
| `tls.existingSecret` | The name of the existing secret that contains the TLS certificates | `""` |
464+
| `tls.certificatesSecret` | DEPRECATED. Use existingSecret instead. | `""` |
465+
| `tls.certFilename` | Certificate filename | `""` |
466+
| `tls.certKeyFilename` | Certificate Key filename | `""` |
467+
| `tls.certCAFilename` | CA Certificate filename | `""` |
468+
| `tls.dhParamsFilename` | File containing DH params (in order to support DH based ciphers) | `""` |
466469

467470
### Metrics Parameters
468471
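Review bot: the new `networkPolicy.metrics.ingressNSMatchLabels` and `networkPolicy.metrics.ingressNSPodMatchLabels` rows (lines 447-448) do not say that they are only evaluated when `networkPolicy.metrics.allowExternal` is `false`, so with the documented default of `true` a reader can set them and get no restriction on the metrics port. Since this table is produced by readme-generator-for-helm, add that dependency to the `@param` descriptions in values.yaml and regenerate. The `allowExternal` row (line 446) should also state that `true` leaves the metrics endpoint reachable from any source once `networkPolicy.enabled` is set.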

@@ -982,4 +985,4 @@ Unless required by applicable law or agreed to in writing, software
982985
distributed under the License is distributed on an "AS IS" BASIS,
983986
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
984987
See the License for the specific language governing permissions and
985-
limitations under the License.
988+
limitations under the License.

‎bitnami/redis/templates/networkpolicy.yaml

+21
@@ -77,6 +77,27 @@ spec:
7777
# Allow prometheus scrapes for metrics
7878
- ports:
7979
- port: 9121
80+
{{- if not .Values.networkPolicy.metrics.allowExternal }}
81+
from:
82+
{{- if or .Values.networkPolicy.metrics.ingressNSMatchLabels .Values.networkPolicy.metrics.ingressNSPodMatchLabels }}
83+
- namespaceSelector:
84+
matchLabels:
85+
{{- if .Values.networkPolicy.metrics.ingressNSMatchLabels }}
86+
{{- range $key, $value := .Values.networkPolicy.metrics.ingressNSMatchLabels }}
87+
{{ $key | quote }}: {{ $value | quote }}
88+
{{- end }}
89+
{{ else }}
90+
{}
91+
{{- end }}
92+
{{- if .Values.networkPolicy.metrics.ingressNSPodMatchLabels }}
93+
podSelector:
94+
matchLabels:
95+
{{- range $key, $value := .Values.networkPolicy.metrics.ingressNSPodMatchLabels }}
96+
{{ $key | quote }}: {{ $value | quote }}
97+
{{- end }}
98+
{{- end }}
99+
{{- end }}
100+
{{- end }}
80101
{{- end }}
81102
{{- if .Values.networkPolicy.extraIngress }}
82103
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
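Review bot: with `networkPolicy.metrics.allowExternal: false` and both `ingressNSMatchLabels` and `ingressNSPodMatchLabels` left at their `{}` defaults, the `from:` added at line 81 renders with no peers, because its only entries sit inside the `if or ...` at line 82. Kubernetes treats an empty or missing `from` as matching all sources, so port 9121 stays open to everything even though the operator asked for it to be restricted. Either emit at least one peer unconditionally when `allowExternal` is false (a podSelector on the client label that the values.yaml comment describes would match the documented behaviour), or fail rendering when `allowExternal` is false and both label maps are empty. Separately, line 89 uses `{{ else }}` without the `-` trim that the surrounding actions use; check the rendered whitespace around the `{}` on line 90.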

‎bitnami/redis/values.yaml

+12
@@ -1385,6 +1385,18 @@ networkPolicy:
13851385
##
13861386
ingressNSMatchLabels: {}
13871387
ingressNSPodMatchLabels: {}
1388+
1389+
metrics:
1390+
## @param networkPolicy.metrics.allowExternal Don't require client label for connections for metrics endpoint
1391+
## When set to false, only pods with the correct client label will have network access to the metrics port
1392+
##
1393+
allowExternal: true
1394+
## @param networkPolicy.metrics.ingressNSMatchLabels Labels to match to allow traffic from other namespaces to metrics endpoint
1395+
## @param networkPolicy.metrics.ingressNSPodMatchLabels Pod labels to match to allow traffic from other namespaces to metrics endpoint
1396+
##
1397+
ingressNSMatchLabels: {}
1398+
ingressNSPodMatchLabels: {}
1399+
13881400
## PodSecurityPolicy configuration
13891401
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
13901402
##
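Review bot: the comment at line 1391 says that with `allowExternal: false` only pods with the correct client label can reach the metrics port, but the networkpolicy.yaml change in this commit adds no client-label selector for port 9121; the only peers it renders come from `ingressNSMatchLabels` and `ingressNSPodMatchLabels`. Reword the comment to describe what is actually enforced, or add the client-label peer to the template so the comment holds. The shared `##` block at lines 1394-1396 should also note that the two label maps are ignored while `allowExternal` is `true`, which is the default set at line 1393.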
