chore(prometheus): add networkpolicy

EamonZhang · EamonZhang · commit f333fe78dd17 · 2023-10-16T15:03:23.000+08:00
diff --git a/addons/prometheus/2/chart/prometheus/templates/bind.yaml b/addons/prometheus/2/chart/prometheus/templates/bind.yaml
@@ -0,0 +1,34 @@
+credential:
+  {{- if (eq .Values.server.service.type "LoadBalancer") }}
+  - name: host
+    valueFrom:
+      serviceRef:
+        name: {{ printf "%s" (include "common.names.fullname" .) }}
+        jsonpath: '{ .status.loadBalancer.ingress[*].ip }'
+  - name: database
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
+        jsonpath: '{ .data.database }' 
+  - name: password
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
+        jsonpath: '{ .data.username }' 
+  - name: username
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
+        jsonpath: '{ .data.username }' 
+  - name: portrw
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
+        jsonpath: '{ .data.portrw }' 
+  - name: portro
+    valueFrom:
+      secretKeyRef:
+        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
+        jsonpath: '{ .data.portro }' 
+  {{- end }}
+
diff --git a/addons/prometheus/2/chart/prometheus/templates/networkpolicy.yaml b/addons/prometheus/2/chart/prometheus/templates/networkpolicy.yaml
@@ -0,0 +1,47 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ template "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ template "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "common.labels.matchLabels" . | nindent 6 }}
+  ingress:
+    # Allow inbound connections
+    - ports:
+      - port: {{ .Values.alertmanager.service.ports.http }} 
+      - port: {{ .Values.alertmanager.service.ports.cluster }} 
+      - port: {{ .Values.alertmanager.containerPorts.http }} 
+      - port: {{ .Values.alertmanager.containerPorts.cluster }} 
+      - port: {{ .Values.server.containerPorts.http }}
+      - port: {{ .Values.server.service.ports.http }}
+      {{- if or .Values.networkPolicy.allowCurrentNamespace .Values.networkPolicy.allowNamespaces }}
+      from:
+      {{- if .Values.networkPolicy.allowCurrentNamespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      {{- end }}
+      {{- range $namespace := .Values.networkPolicy.allowNamespaces }}
+      {{- if $namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $namespace }}
+      {{- end }}
+      {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/addons/prometheus/2/chart/prometheus/values.yaml b/addons/prometheus/2/chart/prometheus/values.yaml
@@ -360,7 +360,7 @@ alertmanager:
   ingress:
     ## @param alertmanager.ingress.enabled Enable ingress record generation for Alertmanager
     ##
-    enabled: false
+    enabled: true
     ## @param alertmanager.ingress.pathType Ingress path type
     ##
     pathType: ImplementationSpecific
@@ -1225,7 +1225,7 @@ server:
   ingress:
     ## @param server.ingress.enabled Enable ingress record generation for Prometheus
     ##
-    enabled: false
+    enabled: true
     ## @param server.ingress.pathType Ingress path type
     ##
     pathType: ImplementationSpecific
@@ -1460,6 +1460,20 @@ server:
     ##
     rules: []
 
+## Prometheus Nework Policy configuration
+##
+networkPolicy:
+  ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
+  ##
+  enabled: true
+  ## @param networkPolicy.allowExternal The Policy model to apply.
+  ## When set to false, only pods with the correct
+  ## client label will have network access to the port MySQL is listening
+  ## on. When true, MySQL will accept connections from any source
+  ## (with the correct destination port).
+  ##
+  allowCurrentNamespace: true
+  allowNamespaces: []
 ## @section Init Container Parameters
 ##
 
diff --git a/addons/prometheus/2/plans/standard-10/bind.yaml b/addons/prometheus/2/plans/standard-10/bind.yaml
@@ -1,34 +1,28 @@
 credential:
-  {{- if (eq .Values.router.service.type "LoadBalancer") }}
+  {{- if (eq .Values.server.service.type "LoadBalancer") }}
   - name: host
     valueFrom:
       serviceRef:
-        name: {{ printf "%s-router" (include "common.names.fullname" .) }}
+        name: {{ printf "%s" (include "common.names.fullname" .) }}
         jsonpath: '{ .status.loadBalancer.ingress[*].ip }'
-  - name: database
+  - name: port
     valueFrom:
       secretKeyRef:
-        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
-        jsonpath: '{ .data.database }' 
-  - name: password
-    valueFrom:
-      secretKeyRef:
-        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
-        jsonpath: '{ .data.username }' 
-  - name: username
-    valueFrom:
-      secretKeyRef:
-        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
-        jsonpath: '{ .data.username }' 
-  - name: portrw
+        name: {{ template "common.names.fullname" . }}
+        jsonpath: '{ .spec.ports.port }' 
+  {{- end }}
+
+alertmanager
+
+  {{- if (eq .Values.alertmanager.service.type "LoadBalancer") }}
+  - name: host
     valueFrom:
-      secretKeyRef:
-        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
-        jsonpath: '{ .data.portrw }' 
-  - name: portro
+      serviceRef:
+        name: {{ printf "%s" (include "common.names.fullname" .) }}
+        jsonpath: '{ .status.loadBalancer.ingress[*].ip }'
+  - name: port
     valueFrom:
       secretKeyRef:
-        name: {{ template "common.names.fullname" . }}-svcbind-custom-user
-        jsonpath: '{ .data.portro }' 
-  {{- end }}
-
+        name: {{ template "common.names.fullname" . }}
+        jsonpath: '{ .spec.ports.port }' 
+  {{- end }}
diff --git a/addons/prometheus/2/plans/standard-50/bind.yaml b/addons/prometheus/2/plans/standard-50/bind.yaml
@@ -1,9 +1,9 @@
 credential:
-  {{- if (eq .Values.router.service.type "LoadBalancer") }}
+  {{- if (eq .Values.service.type "LoadBalancer") }}
   - name: host
     valueFrom:
       serviceRef:
-        name: {{ printf "%s-router" (include "common.names.fullname" .) }}
+        name: {{ printf "%s" (include "common.names.fullname" .) }}
         jsonpath: '{ .status.loadBalancer.ingress[*].ip }'
   - name: database
     valueFrom:
