[bitnami/postgresql] Add a NetworkPolicy to allow backup pods to access primary nodes (#24363)

* [bitnami/postgresql] Add a NetworkPolicy to allow backup pods to access primary node

Signed-off-by: Axel FAUVEL <axel.fauvel@orange.com>

* [bitnami/postgresql] Bump chart version

Signed-off-by: Axel FAUVEL <axel.fauvel@orange.com>

* [bitnami/postgresql] Remove duplicated key

Signed-off-by: Axel FAUVEL <axel.fauvel@orange.com>

---------

Signed-off-by: Axel FAUVEL <axel.fauvel@orange.com>

Author: axelfauvel

bitnami/postgresql/Chart.yaml

@@ -35,4 +35,4 @@ maintainers:
 name: postgresql
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/postgresql
-version: 15.0.0
+version: 15.1.0

bitnami/postgresql/README.md

@@ -638,6 +638,7 @@ If you already have data in it, you will fail to sync to standby nodes for all c
 | `backup.cronjob.nodeSelector`                                      | Node labels for PostgreSQL backup CronJob pod assignment                                                                                                                                                                                 | `{}`                                                                                                                                                                                 |
 | `backup.cronjob.resourcesPreset`                                   | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). | `nano`                                                                                                                                                                               |
 | `backup.cronjob.resources`                                         | Set container requests and limits for different resources like CPU or memory                                                                                                                                                             | `{}`                                                                                                                                                                                 |
+| `backup.cronjob.networkPolicy.enabled`                             | Specifies whether a NetworkPolicy should be created                                                                                                                                                                                      | `true`                                                                                                                                                                               |
 | `backup.cronjob.storage.existingClaim`                             | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`)                                                                                                                                                        | `""`                                                                                                                                                                                 |
 | `backup.cronjob.storage.resourcePolicy`                            | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted                                                                                                    | `""`                                                                                                                                                                                 |
 | `backup.cronjob.storage.storageClass`                              | PVC Storage Class for the backup data volume                                                                                                                                                                                             | `""`                                                                                                                                                                                 |

bitnami/postgresql/templates/backup/networkpolicy.yaml

@@ -0,0 +1,28 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.backup.cronjob.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: pg_dumpall
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.podLabels .Values.commonLabels ) "context" . ) }}
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+      app.kubernetes.io/component: pg_dumpall
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - port: 5432
+          protocol: TCP
+{{- end }}

bitnami/postgresql/values.yaml

@@ -1319,6 +1319,10 @@ backup:
     ##   limits:
     ##     cpu: 2
     ##     memory: 1024Mi
+    networkPolicy:
+      ## @param backup.cronjob.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+      ##
+      enabled: true
     storage:
       ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`)
       ## If defined, PVC must be created manually before volume will be bound