Posted to commits@couchdb.apache.org by wi...@apache.org on 2020/01/06 10:34:20 UTC
[couchdb-helm] 15/26: Add optional network policy
This is an automated email from the ASF dual-hosted git repository.
willholley pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/couchdb-helm.git
commit 17b38890805b3040333c8dfa4da9ab0a5597edf4
Author: Will Holley <wi...@gmail.com>
AuthorDate: Tue Oct 22 16:16:51 2019 +0100
Add optional network policy
Adds a NetworkPolicy to enable communication between CouchDB pods
and external ingress on port 5984.
This is required in environments (e.g. Red Hat OpenShift) which apply
DenyAll network policies by default.
ported from https://github.com/helm/charts/pull/17262
---
couchdb/README.md | 1 +
couchdb/templates/networkpolicy.yaml | 31 +++++++++++++++++++++++++++++++
couchdb/values.yaml | 5 +++++
3 files changed, 37 insertions(+)
diff --git a/couchdb/README.md b/couchdb/README.md
index 937c1d3..0d786e3 100644
--- a/couchdb/README.md
+++ b/couchdb/README.md
@@ -140,6 +140,7 @@ A variety of other parameters are also configurable. See the comments in the
| `service.type` | ClusterIP |
| `service.externalPort` | 5984 |
| `dns.clusterDomainSuffix` | cluster.local |
+| `networkPolicy.enabled` | true |
| `serviceAccount.enabled` | true |
| `serviceAccount.create` | true |
| `serviceAccount.imagePullSecrets` | |
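Review bot: The new `networkPolicy.enabled` row gives only the default, and the README says nothing about what the policy admits. Since the default is `true`, add a sentence near the table stating that the policy allows ingress on port 5984 and restricts 9100 and 4369 to traffic between CouchDB pods, so operators who read only the README know what changes when the chart is installed.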
diff --git a/couchdb/templates/networkpolicy.yaml b/couchdb/templates/networkpolicy.yaml
new file mode 100644
index 0000000..2830708
--- /dev/null
+++ b/couchdb/templates/networkpolicy.yaml
@@ -0,0 +1,31 @@
+
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ template "couchdb.fullname" . }}
+ labels:
+ app: {{ template "couchdb.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ podSelector:
+ matchLabels:
+{{ include "couchdb.ss.selector" . | indent 6 }}
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 5984
+ - ports:
+ - protocol: TCP
+ port: 9100
+ - protocol: TCP
+ port: 4369
+ from:
+ - podSelector:
+ matchLabels:
+{{ include "couchdb.ss.selector" . | indent 14 }}
+ policyTypes:
+ - Ingress
+{{- end }}
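Review bot: The first ingress rule (port 5984) has no `from` clause, so it admits that port from every source: any pod in any namespace as well as external traffic. The second rule is scoped with a `podSelector`, but the first is not. If the intent is only to let an ingress controller or specific clients reach CouchDB, expose an optional value (for example a list of `from` peers rendered into the first rule) so deployments can narrow it with a `podSelector` or `namespaceSelector`, and keep the open form as the fallback. Separately, ports 5984, 9100 and 4369 are hard-coded here; if any of them is configurable elsewhere in the chart, the policy should be templated from the same value so the two cannot drift.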
diff --git a/couchdb/values.yaml b/couchdb/values.yaml
index 089f90b..f94faf7 100644
--- a/couchdb/values.yaml
+++ b/couchdb/values.yaml
@@ -25,6 +25,11 @@ adminUsername: admin
# adminPassword: this_is_not_secure
# cookieAuthSecret: neither_is_this
+## When enabled, will deploy a networkpolicy that allows CouchDB pods to
+## communicate with each other for clustering and ingress on port 5984
+networkPolicy:
+ enabled: true
+
## Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
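Review bot: `enabled: true` as the default makes the policy opt-out, while the commit subject describes it as optional. On upgrade, an existing release gains a policy that selects the CouchDB pods, and where NetworkPolicy is enforced any ingress to them on ports other than 5984, 9100 and 4369 is dropped from then on. Consider defaulting to `false`, or at least extend the comment above the key to say that 5984 is admitted from any source and that all other ingress to the pods is denied once the policy is in place.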