[stable/redis-ha] Add Haproxy network policies #262

2 changes: 1 addition & 1 deletion charts/redis-ha/Chart.yaml
Expand Up @@ -5,7 +5,7 @@ keywords:
- redis
- keyvalue
- database
version: 4.25.1
version: 4.25.2
appVersion: 7.0.9
description: This Helm chart provides a highly available Redis implementation with a master/slave configuration and uses Sentinel sidecars for failover management
icon: https://upload.wikimedia.org/wikipedia/en/thumb/6/6b/Redis_Logo.svg/1200px-Redis_Logo.svg.png
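Review bot: the bump from `4.25.1` to `4.25.2` is a patch-level increment for a change that adds a new template and a new `haproxy.networkPolicy` values block; since this is a new (if default-off) feature rather than a fix, a minor bump would signal it more clearly. Acceptable as-is if the chart's convention is patch bumps for additive changes.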
7 changes: 7 additions & 0 deletions charts/redis-ha/README.md
Expand Up @@ -214,6 +214,13 @@ The following table lists the configurable parameters of the Redis chart and the
| `haproxy.additionalAffinities` | Additional affinities to add to the haproxy server pods. | `{}` |
| `haproxy.tests.resources` | Pod resources for the tests against HAProxy. | `{}` |
| `haproxy.IPv6.enabled` | Disables certain binding options to support non-IPv6 environments. | `true` |
| `networkPolicy.enabled` | Create NetworkPolicy for Haproxy pods |`false`|
| `networkPolicy.labels` | Labels for Haproxy NetworkPolicy |`{}`|
| `networkPolicy.annotations` | Annotations for Haproxy NetworkPolicy |`{}`|
| `networkPolicy.ingressRules[].selectors` | Label selector query to define resources for this ingress rule |`[]`|
| `networkPolicy.ingressRules[].ports` | The destination ports for the ingress rule |`[{port: redis.port, protocol: TCP}, {port: sentinel.port, protocol: TCP}]`|
| `networkPolicy.egressRules[].selectors` | Label selector query to define resources for this egress rule |`[]`|
| `networkPolicy.egressRules[].ports` | The destination ports for the egress rule |``|
| `podDisruptionBudget` | Pod Disruption Budget rules | `{}` |
| `nameOverride` | Override the chart name | `""` |
| `fullnameOverride` | Fully override the release name and chart name | `""` |
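Review bot: the parameter names in these new rows do not match what the template reads. The template is gated on `.Values.haproxy.networkPolicy.enabled` and values.yaml nests the block under `haproxy:`, so the rows should be `haproxy.networkPolicy.enabled`, `haproxy.networkPolicy.labels`, `haproxy.networkPolicy.ingressRules[].selectors`, and so on; as written, a user setting `networkPolicy.enabled=true` would get no policy. The default shown for `networkPolicy.ingressRules[].ports` is also misleading: the template appends the `redis.port` and `sentinel.port` entries to every ingress rule whether or not `ports` is given, so user-supplied ports are additive, not a replacement. The empty default for `egressRules[].ports` would read better as `[]` with a note that an egress rule without `ports` renders as `ports: null`, which Kubernetes treats as all ports to the selected peers.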
74 changes: 74 additions & 0 deletions charts/redis-ha/templates/redis-haproxy-network-policy.yaml
@@ -0,0 +1,74 @@
{{- if and .Values.haproxy.enabled .Values.haproxy.networkPolicy.enabled }}
{{- $root := . }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ template "redis-ha.fullname" . }}-haproxy-network-policy
namespace: {{ .Release.Namespace | quote }}
{{- if .Values.haproxy.networkPolicy.annotations }}
annotations:
{{- range $key, $value := .Values.haproxy.networkPolicy.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "labels.standard" . | nindent 4 }}
{{- range $key, $value := .Values.haproxy.networkPolicy.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
podSelector:
matchLabels:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}-haproxy
policyTypes:
- Ingress
- Egress
egress:
- to:
- podSelector:
matchLabels:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}
ports:
- port: {{ .Values.redis.port }}
protocol: TCP
- port: {{ .Values.sentinel.port }}
protocol: TCP
- to:
- namespaceSelector: {}
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
{{- range $rule := .Values.haproxy.networkPolicy.egressRules }}
- to:
{{- (tpl (toYaml $rule.selectors) $) | nindent 8 }}
ports:
{{- toYaml $rule.ports | nindent 8 }}
{{- end }}
ingress:
- from:
- podSelector:
matchLabels:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}
ports:
- port: {{ .Values.redis.port }}
protocol: TCP
- port: {{ .Values.sentinel.port }}
protocol: TCP
{{- range $rule := .Values.haproxy.networkPolicy.ingressRules }}
- from:
{{- (tpl (toYaml $rule.selectors) $) | nindent 8 }}
ports:
{{- if $rule.ports }}
{{- toYaml $rule.ports | nindent 8 }}
{{- end }}
- port: {{ $root.Values.redis.port }}
protocol: TCP
- port: {{ $root.Values.sentinel.port }}
protocol: TCP
{{- end }}
{{- end }}
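Review bot: the only ingress allowed by default (the `from:` block before the `ingressRules` loop) is from the Redis pods themselves, so once `haproxy.networkPolicy.enabled` is true and `ingressRules` is left at `[]`, every application client is cut off from HAProxy by the `Ingress` policy type; this needs to be stated in the README and values comments, and it is worth checking whether Redis-to-HAProxy traffic on `redis.port`/`sentinel.port` actually exists in this chart or whether that rule was carried over from the Redis pod policy. Second, the egress loop emits `{{- toYaml $rule.ports | nindent 8 }}` without the `{{- if $rule.ports }}` guard the ingress loop has; an egress rule that omits `ports` therefore renders `ports: null` and permits all ports to the selected peers, which is the opposite of the restrictive default users will expect from a rule they did not fully specify. Consider failing the render (`required`) or documenting it explicitly. Third, the DNS egress rule uses `namespaceSelector: {}` with no `podSelector`, allowing port 53 to any pod in the cluster; a configurable selector for the DNS pods would keep the policy tight on clusters where that is feasible. Minor: `$root` is assigned at the top but the loops use `$` inside `tpl` and `$root` for the port lookups; pick one.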
25 changes: 25 additions & 0 deletions charts/redis-ha/values.yaml
Expand Up @@ -209,6 +209,31 @@ haproxy:
IPv6:
enabled: true

networkPolicy:
## whether NetworkPolicy for Haproxy should be created
enabled: false
annotations: {}
labels: {}
## user defines ingress rules that Haproxy should permit into
## uses the format defined in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
ingressRules: []
# - selectors:
# - namespaceSelector:
# matchLabels:
# name: my-redis-client-namespace
# podSelector:
# matchLabels:
# application: redis-client
## if ports is not defined then it defaults to the ports defined for enabled services (redis, sentinel)
# ports:
# - port: 6379
# protocol: TCP
# - port: 26379
# protocol: TCP

## user can define egress rules too, uses the same structure as ingressRules
egressRules: []

## Role Based Access
## Ref: https://kubernetes.io/docs/admin/authorization/rbac/
##
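Review bot: the comment `## if ports is not defined then it defaults to the ports defined for enabled services (redis, sentinel)` does not match the template, which appends the redis and sentinel ports to every ingress rule regardless of whether `ports` is set, and applies no default at all to egress rules (an egress rule without `ports` renders `ports: null`, i.e. all ports). Reword to say that any listed ports are allowed in addition to the redis/sentinel ports, and add a separate note under `egressRules` that `ports` must be given to restrict egress. The example `namespaceSelector` keyed on `name: my-redis-client-namespace` also assumes the namespace carries a `name` label, which is not applied automatically; on current clusters the API server sets `kubernetes.io/metadata.name`, so either mention that or adjust the example so it works without manual namespace labelling.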