Posted to commits@couchdb.apache.org by wi...@apache.org on 2020/01/06 10:34:20 UTC

[couchdb-helm] 15/26: Add optional network policy

This is an automated email from the ASF dual-hosted git repository.

willholley pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/couchdb-helm.git

commit 17b38890805b3040333c8dfa4da9ab0a5597edf4
Author: Will Holley <wi...@gmail.com>
AuthorDate: Tue Oct 22 16:16:51 2019 +0100

    Add optional network policy
    
    Adds a NetworkPolicy to enable communication between CouchDB pods
    and external ingress on port 5984.
    
    This is required in environments (e.g. Red Hat OpenShift) which apply
    DenyAll network policies by default.
    
    ported from https://github.com/helm/charts/pull/17262
---
 couchdb/README.md                    |  1 +
 couchdb/templates/networkpolicy.yaml | 31 +++++++++++++++++++++++++++++++
 couchdb/values.yaml                  |  5 +++++
 3 files changed, 37 insertions(+)

diff --git a/couchdb/README.md b/couchdb/README.md
index 937c1d3..0d786e3 100644
--- a/couchdb/README.md
+++ b/couchdb/README.md
@@ -140,6 +140,7 @@ A variety of other parameters are also configurable. See the comments in the
 | `service.type`                    | ClusterIP                              |
 | `service.externalPort`            | 5984                                   |
 | `dns.clusterDomainSuffix`         | cluster.local                          |
+| `networkPolicy.enabled`           | true                                   |
 | `serviceAccount.enabled`          | true                                   |
 | `serviceAccount.create`           | true                                   |
 | `serviceAccount.imagePullSecrets` |                                        |
diff --git a/couchdb/templates/networkpolicy.yaml b/couchdb/templates/networkpolicy.yaml
new file mode 100644
index 0000000..2830708
--- /dev/null
+++ b/couchdb/templates/networkpolicy.yaml
@@ -0,0 +1,31 @@
+
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ template "couchdb.fullname" . }}
+  labels:
+    app: {{ template "couchdb.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  podSelector:
+    matchLabels:
+{{ include "couchdb.ss.selector" . | indent 6 }}
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 5984
+    - ports:
+        - protocol: TCP
+          port: 9100
+        - protocol: TCP
+          port: 4369
+      from:
+        - podSelector:
+            matchLabels:
+{{ include "couchdb.ss.selector" . | indent 14 }}
+  policyTypes:
+    - Ingress
+{{- end }}
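Review bot: The first ingress rule (the `- ports:` entry for 5984 directly under `ingress:`) carries no `from` clause, and a NetworkPolicy rule without `from` admits traffic from every source — pods in any namespace and any external address — so on a DenyAll cluster this re-opens 5984 to everything rather than just to the ingress controller, which is broader than the "external ingress" wording in the commit message suggests. Operators of such clusters usually want to confine 5984 to the ingress controller's namespace or pods, so a peer list rendered only when set (constructed key `networkPolicy.ingressFrom`, defaulting to `[]` in values.yaml) keeps today's behaviour while making the opening explicit; the flat key avoids a nil-map error that a nested `.Values.networkPolicy.ingress.from` would raise when the parent is unset. The values.yaml comment at the end of this commit should state the same, e.g. `## ingress on port 5984 from any source unless networkPolicy.ingressFrom is set`. Ports 9100 and 4369 in the second rule are presumably the Erlang distribution and epmd ports used for clustering — a one-line comment naming them in the template would help the next reader, and the leading blank `+` line before `{{- if` is trimmed by the dash and can be dropped.
```yaml
  ingress:
    - ports:
        - protocol: TCP
          port: 5984
      {{- with .Values.networkPolicy.ingressFrom }}
      # NetworkPolicyPeer list; when unset, 5984 is reachable from any source
      from:
{{ toYaml . | indent 8 }}
      {{- end }}
    # … unchanged: peer-only rule for ports 9100/4369 …
```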
diff --git a/couchdb/values.yaml b/couchdb/values.yaml
index 089f90b..f94faf7 100644
--- a/couchdb/values.yaml
+++ b/couchdb/values.yaml
@@ -25,6 +25,11 @@ adminUsername: admin
 # adminPassword: this_is_not_secure
 # cookieAuthSecret: neither_is_this
 
+## When enabled, will deploy a networkpolicy that allows CouchDB pods to
+## communicate with each other for clustering and ingress on port 5984
+networkPolicy:
+  enabled: true
+
 ## Use an alternate scheduler, e.g. "stork".
 ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
 ##