From 6831d56ee4ec58d579fbf0286dbb3bf1ec46f500 Mon Sep 17 00:00:00 2001
From: Kjeld Schouten-Lebbing
Date: Thu, 2 Sep 2021 12:52:34 +0200
Subject: [PATCH] remove externalInterfaces + add RBAC and networkPolicy support (#882)
* remove externalInterfaces + add RBAC and networkPolicy support
* mistaken double end
* cleanup values a bit
* fix a small mistake
* That was the wrong mistake
---
charts/library/common/Chart.yaml | 2 +-
.../_HorizontalPodAutoscaler.tpl | 2 +-
charts/library/common/templates/_all.tpl | 12 +++--
.../common/templates/_networkPolicy.tpl | 38 ++++++++++++++
charts/library/common/templates/_rbac.tpl | 51 +++++++++++++++++++
.../templates/classes/_externalInterfaces.tpl | 15 ------
.../{classes => configmaps}/_portal.tpl | 2 +-
.../{classes => jobs}/_mountPermissions.tpl | 2 +-
charts/library/common/values.yaml | 46 +++++++++++++++++
charts/stable/authelia/SCALE/questions.yaml | 2 +-
10 files changed, 148 insertions(+), 24 deletions(-)
rename charts/library/common/templates/{classes => }/_HorizontalPodAutoscaler.tpl (97%)
create mode 100644 charts/library/common/templates/_networkPolicy.tpl
create mode 100644 charts/library/common/templates/_rbac.tpl
delete mode 100644 charts/library/common/templates/classes/_externalInterfaces.tpl
rename charts/library/common/templates/{classes => configmaps}/_portal.tpl (98%)
rename charts/library/common/templates/{classes => jobs}/_mountPermissions.tpl (98%)
diff --git a/charts/library/common/Chart.yaml b/charts/library/common/Chart.yaml
index 9384eb186f3..539a968122f 100644
--- a/charts/library/common/Chart.yaml
+++ b/charts/library/common/Chart.yaml
@@ -18,4 +18,4 @@ maintainers:
 name: common
 sources: null
 type: library
-version: 6.12.5
+version: 6.13.0
diff --git a/charts/library/common/templates/classes/_HorizontalPodAutoscaler.tpl b/charts/library/common/templates/_HorizontalPodAutoscaler.tpl similarity index 97% rename from charts/library/common/templates/classes/_HorizontalPodAutoscaler.tpl rename to charts/library/common/templates/_HorizontalPodAutoscaler.tpl index 1c448acd758..c7cbbb4c164 100644 --- a/charts/library/common/templates/classes/_HorizontalPodAutoscaler.tpl +++ b/charts/library/common/templates/_HorizontalPodAutoscaler.tpl @@ -2,7 +2,7 @@ This template serves as a blueprint for horizontal pod autoscaler objects that are created using the common library. */}} -{{- define "common.classes.hpa" -}} +{{- define "common.hpa" -}} {{- if .Values.autoscaling.enabled -}} {{- $hpaName := include "common.names.fullname" . -}} {{- $targetName := include "common.names.fullname" . }} diff --git a/charts/library/common/templates/_all.tpl b/charts/library/common/templates/_all.tpl index bf9fcbbf686..6c0ad2e566e 100644 --- a/charts/library/common/templates/_all.tpl +++ b/charts/library/common/templates/_all.tpl @@ -24,7 +24,9 @@ Main entrypoint for the common library chart. It will render all underlying temp {{- end -}} {{- end -}} - {{ include "common.classes.hpa" . | nindent 0 }} + {{ include "common.rbac" . | nindent 0 }} + + {{ include "common.hpa" . | nindent 0 }} {{ include "common.service" . | nindent 0 }} @@ -33,9 +35,11 @@ Main entrypoint for the common library chart. It will render all underlying temp {{- if .Values.secret -}} {{ include "common.secret" . | nindent 0 }} {{- end -}} - {{ include "common.class.portal" . | nindent 0 }} - {{ include "common.class.mountPermissions" . | nindent 0 }} - {{ include "common.classes.externalInterfaces" . | nindent 0 }} + {{ include "common.configmap.portal" . | nindent 0 }} + + {{ include "common.job.mountPermissions" . | nindent 0 }} + + {{ include "common.networkpolicy" . | nindent 0 }} {{- end -}} 
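Review bot: `{{ include "common.rbac" . | nindent 0 }}` is added unconditionally, and the same holds for `common.networkpolicy` in the next hunk of this file; both templates gate on `.Values.rbac.enabled` / `.Values.networkPolicy.enabled`, so a consuming chart whose values carry no `rbac` or `networkPolicy` map would fail rendering with a nil-pointer error unless the library's defaults are merged into `.Values` before `common.all` runs, which this diff does not show. Guarding at the include site, `{{- if .Values.rbac }}{{ include "common.rbac" . | nindent 0 }}{{- end }}`, keeps the feature opt-in either way. The enclosing `common.all` definition starts outside the hunk.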
diff --git a/charts/library/common/templates/_networkPolicy.tpl b/charts/library/common/templates/_networkPolicy.tpl
new file mode 100644
index 00000000000..1db7f76ee6b
--- /dev/null
+++ b/charts/library/common/templates/_networkPolicy.tpl
@@ -0,0 +1,38 @@
+{{/*
+Blueprint for the NetworkPolicy object that can be included in the addon.
+*/}}
+{{- define "common.networkpolicy" -}}
+{{- if .Values.networkPolicy.enabled }}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ include "common.names.fullname" . }}
+spec:
+ podSelector:
+ {{- if .Values.networkPolicy.podSelector }}
+ {{- with .Values.networkPolicy.podSelector }}
+ {{- . | toYaml | nindent 4 }}
+ {{- end -}}
+ {{- else }}
+ matchLabels:
+ {{- include "common.labels.selectorLabels" . | nindent 6 }}
+ {{- end }}
+
+ {{- with .Values.networkPolicy.policyTypes }}
+ policyTypes:
+ {{- . | toYaml | nindent 4 }}
+ {{- end -}}
+
+ {{- with .Values.networkPolicy.egress }}
+ egress:
+ {{- . | toYaml | nindent 4 }}
+ {{- end -}}
+
+ {{- with .Values.networkPolicy.ingress }}
+ ingress:
+ {{- . | toYaml | nindent 4 }}
+ {{- end -}}
+
+{{- end -}}
+{{- end -}}
diff --git a/charts/library/common/templates/_rbac.tpl b/charts/library/common/templates/_rbac.tpl
new file mode 100644
index 00000000000..f29f3e8fef8
--- /dev/null
+++ b/charts/library/common/templates/_rbac.tpl
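Review bot: With the defaults this commit adds to values.yaml (`policyTypes: []`, `ingress: []`, `egress: []`) every `with` block in this template is skipped, so `networkPolicy.enabled: true` renders a NetworkPolicy carrying only a podSelector; Kubernetes then defaults `policyTypes` to `Ingress`, and a policy with no ingress rules isolates the selected pods from all inbound traffic. That is a sound secure default but it is stated nowhere, so the header comment should say it, e.g. `Enabling the policy with empty ingress/egress lists denies all ingress to the selected pods; add rules or set policyTypes explicitly.` The `podSelector` branch also cannot express an empty selector, since `podSelector: {}` is falsy in `if` and falls back to the chart's selector labels, which deserves a comment because `{}` is how Kubernetes selects every pod in the namespace. The metadata carries only a name, with none of the labels the RBAC objects in the next file accept, so the policy will not be found by label-based tooling; presumably the library has a common labels helper that could be included here, but it is not in this diff.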
@@ -0,0 +1,51 @@
+{{/*
+This template serves as a blueprint for all PersistentVolumeClaim objects that are created
+within the common library.
+*/}}
+{{- define "common.rbac" -}}
+{{- if .Values.rbac.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "common.names.fullname" . -}}
+ labels:
+ {{- with .Values.rbac.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ annotations:
+ {{- with .Values.rbac.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- with .Values.rbac.rules }}
+rules:
+ {{- . | toYaml | nindent 4 }}
+{{- end -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "common.names.fullname" . -}}
+ labels:
+ {{- with .Values.rbac.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ annotations:
+ {{- with .Values.rbac.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "common.names.fullname" . -}}
+subjects:
+ {{- if .Values.serviceAccount }}
+ - kind: ServiceAccount
+ name: {{ include "common.names.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ {{- with .Values.rbac.subjects }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+{{- end }}
+{{- end -}}
diff --git a/charts/library/common/templates/classes/_externalInterfaces.tpl b/charts/library/common/templates/classes/_externalInterfaces.tpl
deleted file mode 100644
index 524b4f263b2..00000000000
--- a/charts/library/common/templates/classes/_externalInterfaces.tpl
+++ /dev/null
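Review bot: The three `name: {{ include "common.names.fullname" . -}}` lines (ClusterRole metadata, ClusterRoleBinding metadata, roleRef) end with `-}}`, which strips the newline and indentation that follow, so `labels:` / `subjects:` is glued onto the name value and the rendered manifest is no longer valid YAML; drop the trailing dash, `name: {{ include "common.names.fullname" . }}`, and likewise change the `{{- end -}}` that closes the `rules` block to `{{- end }}` so the `---` separator keeps its own line. The binding is cluster-scoped and the subject is emitted whenever the `serviceAccount` map exists, not when `serviceAccount.create` is true (the values.yaml default is `false`), so if `common.names.serviceAccountName` falls back to `default` in that case, as is usual but not shown here, the ClusterRole's rules are granted to the namespace's default ServiceAccount and thereby to every pod that does not set its own; gating on `.Values.serviceAccount.create`, or offering a namespaced Role/RoleBinding variant, would narrow that. This template reads `.Values.rbac.labels` and `.Values.rbac.annotations`, but the values.yaml hunk in this same commit defines `clusterRoleLabels`, `clusterRoleAnnotations`, `clusterRoleBindingLabels` and `clusterRoleBindingAnnotations`, so neither set is ever applied. The header comment is copied from the PersistentVolumeClaim template and should describe the ClusterRole and ClusterRoleBinding this file renders.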
@@ -1,15 +0,0 @@ -{{/* -This template serves as a blueprint for External Interface objects that are created -using the SCALE GUI. -*/}} -{{- define "common.classes.externalInterfaces" -}} -{{- range $index, $iface := .Values.ixExternalInterfacesConfiguration }} ---- -apiVersion: "k8s.cni.cncf.io/v1" -kind: NetworkAttachmentDefinition -metadata: - name: ix-{{ $.Release.Name }}-{{ $index }} -spec: - config: '{{ $iface }}' -{{- end }} -{{- end -}} diff --git a/charts/library/common/templates/classes/_portal.tpl b/charts/library/common/templates/configmaps/_portal.tpl similarity index 98% rename from charts/library/common/templates/classes/_portal.tpl rename to charts/library/common/templates/configmaps/_portal.tpl index b626c14102f..f77d7804d17 100644 --- a/charts/library/common/templates/classes/_portal.tpl +++ b/charts/library/common/templates/configmaps/_portal.tpl @@ -1,4 +1,4 @@ -{{- define "common.class.portal" -}} +{{- define "common.configmap.portal" -}} {{- if .Values.portal }} {{- if .Values.portal.enabled }} diff --git a/charts/library/common/templates/classes/_mountPermissions.tpl b/charts/library/common/templates/jobs/_mountPermissions.tpl similarity index 98% rename from charts/library/common/templates/classes/_mountPermissions.tpl rename to charts/library/common/templates/jobs/_mountPermissions.tpl index 0f2e7d2ef4c..c861142fe19 100644 --- a/charts/library/common/templates/classes/_mountPermissions.tpl +++ b/charts/library/common/templates/jobs/_mountPermissions.tpl @@ -2,7 +2,7 @@ This template serves as the blueprint for the mountPermissions job that is run before chart installation. */}} -{{- define "common.class.mountPermissions" -}} +{{- define "common.job.mountPermissions" -}} {{- if .Values.persistence -}} {{- $jobName := include "common.names.fullname" . -}} {{- $group := 568 -}} diff --git a/charts/library/common/values.yaml b/charts/library/common/values.yaml index c6c0899cf2f..7f094edc0c5 100644 --- a/charts/library/common/values.yaml 
+++ b/charts/library/common/values.yaml
@@ -79,6 +79,8 @@ autoscaling:
 targetCPUUtilizationPercentage: # 80
 targetMemoryUtilizationPercentage: # 80
 
+# -- Create serviceaccount
+# @default -- See below
 serviceAccount:
 # -- Specifies whether a service account should be created
 create: false
@@ -90,6 +92,50 @@ serviceAccount:
 # If not set and create is true, a name is generated using the fullname template
 name: ""
 
+# -- Create a ClusterRole and ClusterRoleBinding
+# @default -- See below
+rbac:
+ # -- Enables or disables the ClusterRole and ClusterRoleBinding
+ enabled: false
+
+ # -- Set Annotations on the ClusterRole
+ clusterRoleLabels: {}
+
+ # -- Set labels on the ClusterRole
+ clusterRoleAnnotations: {}
+
+ # -- Set Annotations on the ClusterRoleBinding
+
+ clusterRoleBindingLabels: {}
+
+ # -- Set labels on the ClusterRoleBinding
+ clusterRoleBindingAnnotations: {}
+
+ # -- Set Rules on the ClusterRole
+ rules: {}
+
+ # -- Add subjects to the ClusterRoleBinding.
+ # includes the above created serviceaccount
+ subjects: {}
+
+# -- Configure networkPolicy for the chart here.
+# @default -- See below
+networkPolicy:
+ # -- Enables or disables the networkPolicy
+ enabled: false
+
+ # customizes the podSelector (defaults to the helm-chart selector-labels
+ # podSelector:
+
+ # -- add or remove Policy types
+ policyTypes: []
+
+ # -- add or remove egress policies
+ egress: []
+
+ # -- add or remove egress policies
+ ingress: []
+
 # -- Use this to populate a secret with the values you specify.
 # Be aware that these values are not encrypted by default, and could therefore visible
 # to anybody with access to the values.yaml file.
diff --git a/charts/stable/authelia/SCALE/questions.yaml b/charts/stable/authelia/SCALE/questions.yaml
index 2940c783577..ad62edadd5b 100644
--- a/charts/stable/authelia/SCALE/questions.yaml
+++ b/charts/stable/authelia/SCALE/questions.yaml
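Review bot: `rules: {}` documents the ClusterRole rules as a map, but `rules` is a list in the RBAC API and `_rbac.tpl` pipes the value straight through `toYaml`, so a user who fills in this shape gets a mapping under `rules:` that the API server rejects; write the default as `rules: []`, and `subjects: []` for the same reason. The helm-docs descriptions of `clusterRoleLabels` / `clusterRoleAnnotations` and of the binding pair are swapped (labels described as annotations and vice versa), the blank line between `# -- Set Annotations on the ClusterRoleBinding` and `clusterRoleBindingLabels: {}` detaches that comment from its key, the `ingress` comment repeats `add or remove egress policies`, and the `podSelector` comment is missing its closing parenthesis. The first hunk's `# -- Create serviceaccount` describes a block whose default is `create: false`; `# -- ServiceAccount settings` would not mislead.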
@@ -212,7 +212,7 @@ questions:
 type: dict
 attrs:
 - variable: name
- label: "Name"
+ label: "Name"
 schema:
 type: string
 - variable: value