chore(addons): modify networkpolicy config

jianxiaoguo · jianxiaoguo · commit a04d63029f02 · 2023-08-18T09:43:52.000+08:00
diff --git a/addons/mariadb-1.1.0/chart/mariadb/templates/primary/networkpolicy-ingress.yaml b/addons/mariadb-1.1.0/chart/mariadb/templates/primary/networkpolicy-ingress.yaml
@@ -16,6 +16,21 @@ spec:
       app.kubernetes.io/component: primary
       {{- include "common.labels.standard" . | nindent 6 }}
   ingress:
+    {{- if or .Values.networkPolicy.allowCurrentNamespace .Values.networkPolicy.allowNamespaces }}
+    - from:
+    {{- if .Values.networkPolicy.allowCurrentNamespace }}
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Release.Namespace }}
+    {{- end }}
+    {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+    {{- if $namespace }}
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ $namespace }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
     {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }}
     - from:
         {{- if .Values.networkPolicy.metrics.namespaceSelector }}
diff --git a/addons/mariadb-1.1.0/chart/mariadb/templates/secondary/networkpolicy-ingress.yaml b/addons/mariadb-1.1.0/chart/mariadb/templates/secondary/networkpolicy-ingress.yaml
@@ -16,6 +16,21 @@ spec:
       app.kubernetes.io/component: secondary
       {{- include "common.labels.standard" . | nindent 6 }}
   ingress:
+    {{- if or .Values.networkPolicy.allowCurrentNamespace .Values.networkPolicy.allowNamespaces }}
+    - from:
+    {{- if .Values.networkPolicy.allowCurrentNamespace }}
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Release.Namespace }}
+    {{- end }}
+    {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+    {{- if $namespace }}
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ $namespace }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
     {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }}
     - from:
         {{- if .Values.networkPolicy.metrics.namespaceSelector }}
diff --git a/addons/mariadb-1.1.0/chart/mariadb/values.yaml b/addons/mariadb-1.1.0/chart/mariadb/values.yaml
@@ -1166,11 +1166,13 @@ metrics:
 networkPolicy:
   ## @param networkPolicy.enabled Enable network policies
   ##
-  enabled: false
+  enabled: true
   ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus)
   ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace.
   ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods.
   ##
+  allowCurrentNamespace: true
+  allowNamespaces: []
   metrics:
     enabled: false
     ## e.g:
diff --git a/addons/minio-1.1.0/chart/minio/templates/networkpolicy.yaml b/addons/minio-1.1.0/chart/minio/templates/networkpolicy.yaml
@@ -26,7 +26,18 @@ spec:
               {{ include "common.names.fullname" . }}-client: "true"
         - podSelector:
             matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }}
-
+        {{- if .Values.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+        {{- end }}
+        {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+        {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+        {{- end }}
+        {{- end }}
         {{- if .Values.networkPolicy.extraFromClauses }}
         {{- toYaml .Values.networkPolicy.extraFromClauses | nindent 8 }}
         {{- end }}
diff --git a/addons/minio-1.1.0/chart/minio/values.yaml b/addons/minio-1.1.0/chart/minio/values.yaml
@@ -837,12 +837,14 @@ apiIngress:
 networkPolicy:
   ## @param networkPolicy.enabled Enable the default NetworkPolicy policy
   ##
-  enabled: false
+  enabled: true
   ## @param networkPolicy.allowExternal Don't require client label for connections
   ## When set to false, only pods with the correct client label will have network access to the port MinIO&reg; is
   ## listening on. When true, MinIO&reg; will accept connections from any source (with the correct destination port).
   ##
-  allowExternal: true
+  allowExternal: false
+  allowLocalNamespace: true
+  allowNamespaces: []
   ## @param networkPolicy.extraFromClauses Allows to add extra 'from' clauses to the NetworkPolicy
   extraFromClauses: {}
   ## Example
diff --git a/addons/postgresql-1.1.0/chart/postgresql/templates/primary/networkpolicy.yaml b/addons/postgresql-1.1.0/chart/postgresql/templates/primary/networkpolicy.yaml
@@ -17,6 +17,21 @@ spec:
     matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
       app.kubernetes.io/component: primary
   ingress:
+    {{- if or .Values.networkPolicy.allowCurrentNamespace .Values.networkPolicy.allowNamespaces }}
+    - from:
+      {{- if .Values.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      {{- end }}
+      {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+      {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+      {{- end }}
+      {{- end }}
+    {{- end }}
     {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }}
     - from:
         {{- if .Values.networkPolicy.metrics.namespaceSelector }}
diff --git a/addons/postgresql-1.1.0/chart/postgresql/templates/read/networkpolicy.yaml b/addons/postgresql-1.1.0/chart/postgresql/templates/read/networkpolicy.yaml
@@ -17,6 +17,21 @@ spec:
     matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
       app.kubernetes.io/component: read
   ingress:
+    {{- if or .Values.networkPolicy.allowCurrentNamespace .Values.networkPolicy.allowNamespaces }}
+    - from:
+      {{- if .Values.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      {{- end }}
+      {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+      {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+      {{- end }}
+      {{- end }}
+    {{- end }}
     {{- if and .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector) }}
     - from:
         {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector }}
diff --git a/addons/postgresql-1.1.0/chart/postgresql/values.yaml b/addons/postgresql-1.1.0/chart/postgresql/values.yaml
@@ -954,7 +954,9 @@ readReplicas:
 networkPolicy:
   ## @param networkPolicy.enabled Enable network policies
   ##
-  enabled: false
+  enabled: true
+  allowLocalNamespace: true
+  allowNamespaces: []
   ## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus)
   ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace.
   ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods.
diff --git a/addons/rabbitmq-1.1.0/chart/rabbitmq/templates/networkpolicy.yaml b/addons/rabbitmq-1.1.0/chart/rabbitmq/templates/networkpolicy.yaml
@@ -30,6 +30,20 @@ spec:
         - podSelector:
             matchLabels:
               {{- include "common.labels.matchLabels" . | nindent 14 }}
+        {{- if or .Values.networkPolicy.allowCurrentNamespace .Values.networkPolicy.allowNamespaces }}
+        {{- if .Values.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+        {{- end }}
+        {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+        {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
         {{- if .Values.networkPolicy.additionalRules }}
         {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.additionalRules "context" $) | nindent 8 }}
         {{- end }}
diff --git a/addons/rabbitmq-1.1.0/chart/rabbitmq/templates/statefulset.yaml b/addons/rabbitmq-1.1.0/chart/rabbitmq/templates/statefulset.yaml
@@ -145,6 +145,7 @@ spec:
             preStop:
               exec:
                 command:
+                  - init-stack
                   - /bin/bash
                   - -ec
                   - |
@@ -277,6 +278,7 @@ spec:
           livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }}
             exec:
               command:
+                - init-stack
                 - /bin/bash
                 - -ec
                 - rabbitmq-diagnostics -q ping
@@ -287,6 +289,7 @@ spec:
           readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }}
             exec:
               command:
+                - init-stack
                 - /bin/bash
                 - -ec
                 - rabbitmq-diagnostics -q check_running && rabbitmq-diagnostics -q check_local_alarms
diff --git a/addons/rabbitmq-1.1.0/chart/rabbitmq/values.yaml b/addons/rabbitmq-1.1.0/chart/rabbitmq/values.yaml
@@ -1067,14 +1067,17 @@ ingress:
 networkPolicy:
   ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
   ##
-  enabled: false
+  enabled: true
   ## @param networkPolicy.allowExternal Don't require client label for connections
   ## The Policy model to apply. When set to false, only pods with the correct
   ## client label will have network access to the ports RabbitMQ is listening
   ## on. When true, RabbitMQ will accept connections from any source
   ## (with the correct destination port).
   ##
   allowExternal: true
+  
+  allowCurrentNamespace: true
+  allowNamespaces: []
   ## @param networkPolicy.additionalRules Additional NetworkPolicy Ingress "from" rules to set. Note that all rules are OR-ed.
   ## e.g:
   ## additionalRules:
diff --git a/addons/redis-1.1.0/chart/redis/templates/networkpolicy.yaml b/addons/redis-1.1.0/chart/redis/templates/networkpolicy.yaml
@@ -52,6 +52,18 @@ spec:
               {{ template "common.names.fullname" . }}-client: "true"
         - podSelector:
             matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }}
+        {{- if .Values.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+        {{- end }}
+        {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+        {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+        {{- end }}
+        {{- end }}
         {{- if .Values.networkPolicy.ingressNSMatchLabels }}
         - namespaceSelector:
             matchLabels:
diff --git a/addons/redis-1.1.0/chart/redis/values.yaml b/addons/redis-1.1.0/chart/redis/values.yaml
@@ -1137,13 +1137,15 @@ sentinel:
 networkPolicy:
   ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
   ##
-  enabled: false
+  enabled: true
   ## @param networkPolicy.allowExternal Don't require client label for connections
   ## When set to false, only pods with the correct client label will have network access to the ports
   ## Redis&trade; is listening on. When true, Redis&trade; will accept connections from any source
   ## (with the correct destination port).
   ##
-  allowExternal: true
+  allowExternal: false
+  allowCurrentNamespace: true
+  allowNamespaces: []
   ## @param networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy
   ## e.g:
   ## extraIngress:
diff --git a/addons/redis-cluster-1.1.0/chart/redis-cluster/templates/networkpolicy.yaml b/addons/redis-cluster-1.1.0/chart/redis-cluster/templates/networkpolicy.yaml
@@ -37,6 +37,18 @@ spec:
         - port: {{ .Values.redis.containerPorts.redis }}
         - port: {{ .Values.redis.containerPorts.bus }}
       from:
+        {{- if .Values.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+        {{- end }}
+        {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+        {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+        {{- end }}
+        {{- end }}
         {{- if not .Values.networkPolicy.allowExternal }}
         - podSelector:
             matchLabels:
diff --git a/addons/redis-cluster-1.1.0/chart/redis-cluster/templates/redis-statefulset.yaml b/addons/redis-cluster-1.1.0/chart/redis-cluster/templates/redis-statefulset.yaml
@@ -92,7 +92,7 @@ spec:
           {{- else if .Values.redis.command }}
           command: {{- include "common.tplvalues.render" (dict "value" .Values.redis.command "context" $) | nindent 12 }}
           {{- else }}
-          command: ['/bin/bash', '-c']
+          command: ['init-stack', '/bin/bash', '-c']
           {{- end }}
           {{- if .Values.diagnosticMode.enabled }}
           args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
@@ -222,6 +222,7 @@ spec:
             failureThreshold: {{ .Values.redis.livenessProbe.failureThreshold }}
             exec:
               command:
+                - init-stack
                 - sh
                 - -c
                 - /scripts/ping_liveness_local.sh {{ .Values.redis.livenessProbe.timeoutSeconds }}
@@ -238,6 +239,7 @@ spec:
             failureThreshold: {{ .Values.redis.readinessProbe.failureThreshold }}
             exec:
               command:
+                - init-stack
                 - sh
                 - -c
                 - /scripts/ping_readiness_local.sh {{ .Values.redis.readinessProbe.timeoutSeconds }}
@@ -297,6 +299,7 @@ spec:
           args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
           {{- else }}
           command:
+            - init-stack
             - /bin/bash
             - -c
             - |
diff --git a/addons/redis-cluster-1.1.0/chart/redis-cluster/values.yaml b/addons/redis-cluster-1.1.0/chart/redis-cluster/values.yaml
@@ -98,13 +98,15 @@ image:
 ## @param networkPolicy.ingressNSPodMatchLabels For other namespaces match by pod labels and namespace labels
 ##
 networkPolicy:
-  enabled: false
+  enabled: true
   ## When set to false, only pods with the correct
   ## client label will have network access to the port Redis&reg; is listening
   ## on. When true, Redis&reg; will accept connections from any source
   ## (with the correct destination port).
   ##
-  allowExternal: true
+  allowExternal: false
+  allowCurrentNamespace: true
+  allowNamespaces: []
   ingressNSMatchLabels: {}
   ingressNSPodMatchLabels: {}
 
diff --git a/addons/zookeeper-1.1.0/chart/zookeeper/templates/networkpolicy.yaml b/addons/zookeeper-1.1.0/chart/zookeeper/templates/networkpolicy.yaml
@@ -30,6 +30,18 @@ spec:
               {{ include "common.names.fullname" . }}-client: "true"
         - podSelector:
             matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }}
+      {{- if .Values.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      {{- end }}
+      {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+      {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+      {{- end }}
+      {{- end }}
       {{- end }}
     # Allow internal communications between nodes
     - ports:
diff --git a/addons/zookeeper-1.1.0/chart/zookeeper/templates/statefulset.yaml b/addons/zookeeper-1.1.0/chart/zookeeper/templates/statefulset.yaml
@@ -114,6 +114,7 @@ spec:
           securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
           {{- end }}
           command:
+            - init-stack
             - /scripts/init-certs.sh
           env:
             - name: MY_POD_NAME
@@ -372,11 +373,11 @@ spec:
           livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled" "probeCommandTimeout") "context" $) | nindent 12 }}
             exec:
               {{- if not .Values.service.disableBaseClientPort }}
-              command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.livenessProbe.probeCommandTimeout }} nc -w {{ .Values.livenessProbe.probeCommandTimeout }} localhost {{ .Values.containerPorts.client }} | grep imok']
+              command: ['init-stack', '/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.livenessProbe.probeCommandTimeout }} nc -w {{ .Values.livenessProbe.probeCommandTimeout }} localhost {{ .Values.containerPorts.client }} | grep imok']
               {{- else if not .Values.tls.client.enabled }}
-              command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.livenessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} | grep imok']
+              command: ['init-stack', '/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.livenessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} | grep imok']
               {{- else }}
-              command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.livenessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} -cert {{ .Values.service.tls.client_cert_pem_path }} -key {{ .Values.service.tls.client_key_pem_path }} | grep imok']
+              command: ['init-stack', '/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.livenessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} -cert {{ .Values.service.tls.client_cert_pem_path }} -key {{ .Values.service.tls.client_key_pem_path }} | grep imok']
               {{- end }}
           {{- end }}
           {{- if .Values.customReadinessProbe }}
@@ -385,11 +386,11 @@ spec:
           readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled" "probeCommandTimeout") "context" $) | nindent 12 }}
             exec:
               {{- if not .Values.service.disableBaseClientPort }}
-              command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.readinessProbe.probeCommandTimeout }} nc -w {{ .Values.readinessProbe.probeCommandTimeout }} localhost {{ .Values.containerPorts.client }} | grep imok']
+              command: ['init-stack', '/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.readinessProbe.probeCommandTimeout }} nc -w {{ .Values.readinessProbe.probeCommandTimeout }} localhost {{ .Values.containerPorts.client }} | grep imok']
               {{- else if not .Values.tls.client.enabled }}
-              command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.readinessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} | grep imok']
+              command: ['init-stack', '/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.readinessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} | grep imok']
               {{- else }}
-              command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.readinessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} -cert {{ .Values.service.tls.client_cert_pem_path }} -key {{ .Values.service.tls.client_key_pem_path }} | grep imok']
+              command: ['init-stack', '/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.readinessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} -cert {{ .Values.service.tls.client_cert_pem_path }} -key {{ .Values.service.tls.client_key_pem_path }} | grep imok']
               {{- end }}
           {{- end }}
           {{- if .Values.customStartupProbe }}
diff --git a/addons/zookeeper-1.1.0/chart/zookeeper/values.yaml b/addons/zookeeper-1.1.0/chart/zookeeper/values.yaml
@@ -549,12 +549,14 @@ service:
 networkPolicy:
   ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
   ##
-  enabled: false
+  enabled: true
   ## @param networkPolicy.allowExternal Don't require client label for connections
   ## When set to false, only pods with the correct client label will have network access to the port Redis&reg; is
   ## listening on. When true, zookeeper accept connections from any source (with the correct destination port).
   ##
-  allowExternal: true
+  allowExternal: false
+  allowCurrentNamespace: true
+  allowNamespaces: []
 
 ## @section Other Parameters
 
