chore(airflow): add networkPolicy enabled

Author: jianxiaoguo

addons/airflow/2/chart/airflow/templates/_helpers.tpl

@@ -349,17 +349,17 @@ Add environment variables to configure redis values
 */}}
 {{- define "airflow.configure.redis" -}}
 {{- if (not (or (eq .Values.executor "KubernetesExecutor" ) (eq .Values.executor "LocalKubernetesExecutor" ))) }}
-- name: CELERY_BROKER_URL
+- name: AIRFLOW_CELERY_BROKER_URL
   valueFrom:
     secretKeyRef:
       name: {{ printf "%s-%s" .Release.Name "celerybroker"  }}
-      key: celeryBrokerUrl
+      key: celery-broker-url
 {{- if .Values.celeryBrokerTransportOption }}
-- name: CELERY_BROKER_TRANSPORT_OPTION
+- name: AIRFLOW_CELERY_BROKER_TRANSPORT_OPTIONS
   valueFrom:
     secretKeyRef:
       name: {{ printf "%s-%s" .Release.Name "celerybroker"  }}
-      key: celeryBrokerTransportOption
+      key: celery-broker-transport-option
 {{- end }}
 {{- end }}
 {{- end -}}

addons/airflow/2/chart/airflow/templates/config/secret-external-broker.yaml

@@ -15,8 +15,8 @@ metadata:
 type: Opaque
 data:
   {{- if .Values.celeryBrokerUrl }}  
-  celeryBrokerUrl: {{ .Values.celeryBrokerUrl | b64enc | quote }}
+  celery-broker-url: {{ .Values.celeryBrokerUrl | b64enc | quote }}
   {{- end }}  
   {{- if .Values.celeryBrokerTransportOption }}
-  celeryBrokerTransportOption: {{ .Values.celeryBrokerTransportOption | b64enc | quote }}
+  celery-broker-transport-option: {{ .Values.celeryBrokerTransportOption | b64enc | quote }}
   {{- end }}

addons/airflow/2/chart/airflow/templates/scheduler/networkpolicy-scheduler.yaml

@@ -0,0 +1,35 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+  name: {{ printf "%s-scheduler" (include "common.names.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: 
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+      app.kubernetes.io/component: scheduler
+  ingress:
+    {{- if or .Values.networkPolicy.allowCurrentNamespace .Values.networkPolicy.allowNamespaces }}
+    - from:
+      {{- if .Values.networkPolicy.allowCurrentNamespace }}
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      {{- end }}
+      {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+      {{- if $namespace }}
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ $namespace }}
+      {{- end }}
+      {{- end }}
+    {{- end }}
+{{- end }}

addons/airflow/2/chart/airflow/templates/web/networkpolicy-web.yaml

@@ -0,0 +1,35 @@
+{{- if or .Values.networkPolicy.enabled (eq .Values.service.type "ClusterIP" ) }}
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+  name: {{ printf "%s-web" (include "common.names.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: 
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+      app.kubernetes.io/component: web
+  ingress:
+    {{- if or .Values.networkPolicy.allowCurrentNamespace .Values.networkPolicy.allowNamespaces }}
+    - from:
+      {{- if .Values.networkPolicy.allowCurrentNamespace }}
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      {{- end }}
+      {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+      {{- if $namespace }}
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ $namespace }}
+      {{- end }}
+      {{- end }}
+    {{- end }}
+{{- end }}

addons/airflow/2/chart/airflow/templates/worker/networkpolicy-worker.yaml

@@ -0,0 +1,35 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+  name: {{ printf "%s-worker" (include "common.names.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: worker
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+      app.kubernetes.io/component: worker
+  ingress:
+    {{- if or .Values.networkPolicy.allowCurrentNamespace .Values.networkPolicy.allowNamespaces }}
+    - from:
+      {{- if .Values.networkPolicy.allowCurrentNamespace }}
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      {{- end }}
+      {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+      {{- if $namespace }}
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ $namespace }}
+      {{- end }}
+      {{- end }}
+    {{- end }}
+{{- end }}

addons/airflow/2/chart/airflow/values.yaml

@@ -1440,6 +1440,15 @@ statsd:
   podAnnotations: {}
   env: []
 
+## Add networkpolicies
+##
+networkPolicy:
+  ## @param networkPolicy.enabled Enable network policies
+  ##
+  enabled: true
+  allowCurrentNamespace: true
+  allowNamespaces: []
+
 ## @section Airflow database parameters
 
 ## PostgreSQL chart configuration

addons/airflow/2/meta.yaml

@@ -42,6 +42,9 @@ allow_parameters:
 - name: "statsd.enable"
   required: false
   description: "statsd enable or not config for values.yaml"
+- name: "networkPolicy.allowNamespaces"
+  required: false
+  description: "networkPolicy allowNamespaces config for values.yaml"
 - name: "externalDatabase"
   required: true
   description: "externalDatabase config for values.yaml"