diff --git a/charts/podinfo/README.md b/charts/podinfo/README.md index 4546bab9..3e2440c3 100644 --- a/charts/podinfo/README.md +++ b/charts/podinfo/README.md @@ -58,6 +58,9 @@ The following tables lists the configurable parameters of the podinfo chart and | `backends` | `[]` | Array of echo backend URLs | | `cache` | `None` | Redis address in the format `tcp://:` | | `redis.enabled` | `false` | Create Redis deployment for caching purposes | +| `redis.securityContext` | `{}` | The security context to be set on the redis pod | +| `redis.containerSecurityContext` | `{}` | The security context to be set on the redis container | +| `redis.persistence.enabled ` | `false` | Enabled the PVC for redis cache | | `ui.color` | `#34577c` | UI color | | `ui.message` | `None` | UI greetings message | | `ui.logo` | `None` | UI logo | @@ -106,6 +109,7 @@ The following tables lists the configurable parameters of the podinfo chart and | `resources.requests.memory` | `16Mi` | Pod memory request | | `resources.limits.cpu` | `None` | Pod CPU limit | | `resources.limits.memory` | `None` | Pod memory limit | +| `networkPolicy.enabled` | `false` | Whether network policies between podinfo and redis should be created | | `nodeSelector` | `{}` | Node labels for pod assignment | | `tolerations` | `[]` | List of node taints to tolerate | | `affinity` | `None` | Node/pod affinities | diff --git a/charts/podinfo/templates/deployment.yaml b/charts/podinfo/templates/deployment.yaml index 2e9e54dc..1b97d3bb 100644 --- a/charts/podinfo/templates/deployment.yaml +++ b/charts/podinfo/templates/deployment.yaml @@ -4,6 +4,7 @@ metadata: name: {{ template "podinfo.fullname" . }} labels: {{- include "podinfo.labels" . | nindent 4 }} + app.kubernetes.io/component: server spec: {{- if not .Values.hpa.enabled }} replicas: {{ .Values.replicaCount }} 
@@ -19,6 +20,7 @@ spec: metadata: labels: {{- include "podinfo.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: server annotations: prometheus.io/scrape: "true" prometheus.io/port: "{{ .Values.service.httpPort }}" @@ -218,4 +220,4 @@ spec: {{- with .Values.topologySpreadConstraints }} topologySpreadConstraints: {{- toYaml . | nindent 8 }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/charts/podinfo/templates/network-policies.yaml b/charts/podinfo/templates/network-policies.yaml new file mode 100644 index 00000000..a3a9f602 --- /dev/null +++ b/charts/podinfo/templates/network-policies.yaml @@ -0,0 +1,51 @@ +{{- if .Values.networkPolicies.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "podinfo.fullname" . }}-egress + labels: + {{- include "podinfo.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "podinfo.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: server + egress: + - to: + - podSelector: + matchLabels: + {{- include "podinfo.selectorLabels" . | nindent 14 }} + app.kubernetes.io/component: cache + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .Release.Namespace }} + ports: + - port: redis + protocol: TCP + policyTypes: + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "podinfo.fullname" . }}-ingress +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: cache + {{- include "podinfo.selectorLabels" . | nindent 6 }} + ingress: + - from: + - podSelector: + matchLabels: + {{- include "podinfo.selectorLabels" . | nindent 14 }} + app.kubernetes.io/component: server + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .Release.Namespace }} + ports: + - port: redis + protocol: TCP + policyTypes: + - Ingress +{{- end -}} 
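Review bot: The egress policy's only rule lets the server pods reach the cache pods on port `redis`, so with `policyTypes: [Egress]` every other outbound connection from podinfo is denied — including DNS, which the server needs to resolve the redis Service name configured in `cache`, and any `backends` echo URLs. A second `to` entry admitting UDP/TCP 53 to the cluster DNS pods is needed for the policy to be usable; the label and namespace of the DNS pods are cluster-specific, so they may deserve a value of their own. The template gates on `.Values.networkPolicies.enabled` and values.yaml declares `networkPolicies`, but the README row added in this commit documents `networkPolicy.enabled`; the README should read `networkPolicies.enabled`. The ingress policy's metadata also lacks the `labels: {{- include "podinfo.labels" . | nindent 4 }}` block that the egress policy carries, and the named port `redis` presumes the redis container declares a port with that name, which is not visible in this diff.

```yaml
  egress:
  # … unchanged: rule allowing egress to the cache (redis) pods …
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns  # cluster-specific; adjust to the DNS pods' label
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
```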
diff --git a/charts/podinfo/templates/redis/config.yaml b/charts/podinfo/templates/redis/config.yaml index cd63785c..22243ce3 100644 --- a/charts/podinfo/templates/redis/config.yaml +++ b/charts/podinfo/templates/redis/config.yaml @@ -8,5 +8,9 @@ data: maxmemory 64mb maxmemory-policy allkeys-lru save "" + {{- if .Values.redis.persistence.enabled }} + appendonly yes + {{- else }} appendonly no + {{- end }} {{- end }} diff --git a/charts/podinfo/templates/redis/deployment.yaml b/charts/podinfo/templates/redis/deployment.yaml index 78888555..e1985332 100644 --- a/charts/podinfo/templates/redis/deployment.yaml +++ b/charts/podinfo/templates/redis/deployment.yaml @@ -5,6 +5,8 @@ metadata: name: {{ template "podinfo.fullname" . }}-redis labels: app: {{ template "podinfo.fullname" . }}-redis + {{- include "podinfo.labels" . | nindent 4 }} + app.kubernetes.io/component: cache spec: strategy: type: Recreate @@ -15,9 +17,15 @@ spec: metadata: labels: app: {{ template "podinfo.fullname" . }}-redis + {{- include "podinfo.labels" . | nindent 8 }} + app.kubernetes.io/component: cache annotations: checksum/config: {{ include (print $.Template.BasePath "/redis/config.yaml") . | sha256sum | quote }} spec: + {{- if .Values.redis.securityContext }} + securityContext: + {{- toYaml .Values.redis.securityContext | nindent 8 }} + {{- end }} {{- if .Values.serviceAccount.enabled }} serviceAccountName: {{ template "podinfo.serviceAccountName" . }} {{- end }} @@ -25,6 +33,10 @@ spec: - name: redis image: "{{ .Values.redis.repository }}:{{ .Values.redis.tag }}" imagePullPolicy: IfNotPresent + {{- if .Values.redis.containerSecurityContext }} + securityContext: + {{- toYaml .Values.redis.containerSecurityContext | nindent 12 }} + {{- end }} command: - redis-server - "/redis-master/redis.conf" 
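Review bot: With `appendonly yes` redis writes the AOF into its `dir`, and nothing in this hunk sets `dir`; unless it is set earlier in the config block (above the hunk), persistence depends on the image's working directory happening to be the `/data` mount that redis/deployment.yaml adds. Pinning `dir /data` in the same config block makes the persistent location explicit rather than inherited from the image. Since `save ""` remains, the AOF is the only persistence path, which is worth a one-line comment next to the toggle.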
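Review bot: The redis pod template (hunk `@@ -15,9 +17,15 @@`) adds the full `podinfo.labels` set to the pod labels, whereas deployment.yaml puts only `podinfo.selectorLabels` on its pods. If `podinfo.labels` includes chart or version labels, as Helm's common-labels helper usually does, every chart bump changes the redis pod template and, with `strategy: Recreate`, restarts the cache. Using `{{- include "podinfo.selectorLabels" . | nindent 8 }}` on the pod template keeps exactly the stable labels the new network policies match on without that churn; the Deployment-level labels in the first hunk can keep the full set.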
@@ -53,11 +65,13 @@ spec: memory: 32Mi volumeMounts: - mountPath: /var/lib/redis - name: data + name: redis-system - mountPath: /redis-master name: config + - mountPath: /data + name: data volumes: - - name: data + - name: redis-system emptyDir: {} - name: config configMap: @@ -65,4 +79,9 @@ spec: items: - key: redis.conf path: redis.conf -{{- end }} + {{- if .Values.redis.persistence.enabled }} + - name: data + persistentVolumeClaim: + claimName: {{ template "podinfo.fullname" . }} + {{- end }} +{{- end -}} diff --git a/charts/podinfo/templates/redis/pvc.yaml b/charts/podinfo/templates/redis/pvc.yaml new file mode 100644 index 00000000..4d1df0ac --- /dev/null +++ b/charts/podinfo/templates/redis/pvc.yaml @@ -0,0 +1,17 @@ +{{- if .Values.redis.persistence.enabled }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "podinfo.fullname" . }} + labels: + {{- include "podinfo.labels" . | nindent 4 }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.redis.persistence.size | default "1Gi" }} + {{- if .Values.redis.persistence.storageClassName }} + storageClassName: {{ .Values.redis.persistence.storageClassName }} + {{- end }} +{{- end }} diff --git a/charts/podinfo/values-prod.yaml b/charts/podinfo/values-prod.yaml index 250f18b7..c55445e5 100644 --- a/charts/podinfo/values-prod.yaml +++ b/charts/podinfo/values-prod.yaml @@ -94,6 +94,10 @@ redis: enabled: true repository: redis tag: 7.0.7 + securityContext: {} + containerSecurityContext: {} + persistence: + enabled: true serviceAccount: # Specifies whether a service account should be created @@ -141,6 +145,8 @@ resources: cpu: 100m memory: 64Mi +networkPolicies: + enabled: false # Extra environment variables for the podinfo container extraEnvs: [] # Example on how to configure extraEnvs diff --git a/charts/podinfo/values.yaml b/charts/podinfo/values.yaml index 301c0428..4f118bd7 100644 --- a/charts/podinfo/values.yaml +++ b/charts/podinfo/values.yaml 
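Review bot: The `data` mount at `/data` is added unconditionally in the volumeMounts hunk (`@@ -53,11 +65,13 @@`), but the matching `data` volume is only emitted under `{{- if .Values.redis.persistence.enabled }}` in the volumes hunk (`@@ -65,4 +79,9 @@`); with the chart default `persistence.enabled: false` the pod template references a volume that does not exist and the API server rejects the Deployment. Add an else branch so the mount always resolves: `{{- else }}`, `- name: data`, `  emptyDir: {}` before the closing `{{- end }}`. The old emptyDir renamed to `redis-system` is still mounted at `/var/lib/redis`; a short comment on why that scratch volume is kept alongside `/data` would help the next reader.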
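Review bot: The PVC is named plain `{{ template "podinfo.fullname" . }}` while the other redis resources carry a `-redis` suffix (the Deployment is `{{ template "podinfo.fullname" . }}-redis`); naming it `{{ template "podinfo.fullname" . }}-redis` here and in `claimName` in redis/deployment.yaml keeps the resources identifiable and leaves the bare release name free. The claim also has no `app.kubernetes.io/component: cache` label, unlike the other redis objects in this commit. Without a `helm.sh/resource-policy: keep` annotation the claim and its data are removed on `helm uninstall`; if that is intended for a cache volume, a comment saying so avoids surprises.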
@@ -98,6 +98,10 @@ redis: enabled: false repository: redis tag: 7.0.7 + securityContext: {} + containerSecurityContext: {} + persistence: + enabled: false serviceAccount: # Specifies whether a service account should be created @@ -144,6 +148,9 @@ resources: cpu: 1m memory: 16Mi +networkPolicies: + enabled: false + # Extra environment variables for the podinfo container extraEnvs: [] # Example on how to configure extraEnvs
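Review bot: `redis.persistence` declares only `enabled`, but pvc.yaml reads `redis.persistence.size` (defaulting to `1Gi`) and `redis.persistence.storageClassName`; both should appear here and in the README so they are discoverable. Both security contexts default to `{}`, so the redis container inherits the image's defaults, and the official `redis` image starts as root; a restrictive default, with `fsGroup` so a non-root redis can write the persistent volume, is a safer baseline — if changing defaults is too disruptive, at least document the recommended values in the README. values-prod.yaml repeats the same `{}` defaults and would need the same treatment.

```yaml
redis:
  # … unchanged: enabled, repository, tag …
  # Pod-level context: fsGroup makes the PVC writable by the redis user.
  securityContext:
    fsGroup: 999
  # Container-level context: uid 999 is the redis user in the official image;
  # adjust if a different image is used.
  containerSecurityContext:
    runAsNonRoot: true
    runAsUser: 999
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  persistence:
    enabled: false
    size: 1Gi
    storageClassName: ""
```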