Merge pull request #182 from DisyInformationssysteme/slb/disy/network…

…-policies Add network policies to Uptime Kuma
dirsigler · Dec 10, 2024 · e7e3cc7 · e7e3cc7
2 parents 1e70146 + bc0044c
commit e7e3cc7
Show file tree

Hide file tree

Showing 8 changed files with 84 additions and 14 deletions.
diff --git a/charts/uptime-kuma/Chart.yaml b/charts/uptime-kuma/Chart.yaml
@@ -11,4 +11,4 @@ name: uptime-kuma
 sources:
   - https://github.com/louislam/uptime-kuma
 type: application
-version: 2.20.0
+version: 2.21.0
diff --git a/charts/uptime-kuma/README.md b/charts/uptime-kuma/README.md
@@ -1,6 +1,6 @@
 # uptime-kuma
 
-![Version: 2.19.4](https://img.shields.io/badge/Version-2.19.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.23.13](https://img.shields.io/badge/AppVersion-1.23.13-informational?style=flat-square)
+![Version: 2.21.0](https://img.shields.io/badge/Version-2.21.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.23.13](https://img.shields.io/badge/AppVersion-1.23.13-informational?style=flat-square)
 
 A self-hosted Monitoring tool like "Uptime-Robot".
 
@@ -47,13 +47,18 @@ A self-hosted Monitoring tool like "Uptime-Robot".
 | livenessProbe.successThreshold | int | `1` |  |
 | livenessProbe.timeoutSeconds | int | `2` |  |
 | nameOverride | string | `""` |  |
+| networkPolicy | object | `{"allowExternal":true,"egress":true,"enabled":false,"ingress":true,"namespaceSelector":{}}` | Create a NetworkPolicy |
+| networkPolicy.allowExternal | bool | `true` | Allow incoming connections only from specific Pods When set to true, the geoserver will accept connections from any source. When false, only Pods with the label {{ include "geoserver.fullname" . }}-client=true will have network access |
+| networkPolicy.egress | bool | `true` | Enable/disable Egress policy type |
+| networkPolicy.enabled | bool | `false` | Enable/disable Network Policy |
+| networkPolicy.ingress | bool | `true` | Enable/disable Ingress policy type |
+| networkPolicy.namespaceSelector | object | `{}` | Selects particular namespaces for which all Pods are allowed as ingress sources |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
-| podEnv[0].name | string | `"UPTIME_KUMA_PORT"` |  |
-| podEnv[0].value | string | `"3001"` |  |
+| podEnv | list | `[]` |  |
 | podLabels | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
-| priorityClassName | string | `""` | Use this option to set custom PriorityClass to the created deployment |
+| priorityClassName | string | `""` | Use this option to set custom PriorityClass to the created deployment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass |
 | readinessProbe.enabled | bool | `true` |  |
 | readinessProbe.exec.command | list | `[]` |  |
 | readinessProbe.failureThreshold | int | `3` |  |

diff --git a/charts/uptime-kuma/templates/_helpers.tpl b/charts/uptime-kuma/templates/_helpers.tpl
@@ -50,6 +50,13 @@ app.kubernetes.io/name: {{ include "uptime-kuma.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Port of the Uptime Kuma container
+*/}}
+{{- define "uptime-kuma.port" -}}
+3001
+{{- end }}
+
 {{/*
 Create the name of the service account to use
 */}}

diff --git a/charts/uptime-kuma/templates/deployment.yaml b/charts/uptime-kuma/templates/deployment.yaml
@@ -59,7 +59,7 @@ spec:
           {{- end }}
           ports:
             - name: http
-              containerPort: 3001
+              containerPort: {{ include "uptime-kuma.port" . }}
               protocol: TCP
           {{ if or .Values.volume.enabled .Values.additionalVolumeMounts -}}
           volumeMounts:

diff --git a/charts/uptime-kuma/templates/netpol.yaml b/charts/uptime-kuma/templates/netpol.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "uptime-kuma.fullname" . }}
+  labels:
+    {{- include "uptime-kuma.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "uptime-kuma.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    {{- if .Values.networkPolicy.ingress }}
+    - Ingress
+    {{- end }}
+    {{- if .Values.networkPolicy.egress }}
+    - Egress
+    {{- end }}
+  egress:
+  - {}
+  {{- if .Values.networkPolicy.ingress }}
+  ingress:
+  - ports:
+    - port: {{ include "uptime-kuma.port" . }}
+      protocol: TCP
+    {{- if not .Values.networkPolicy.allowExternal }}
+    from:
+      - podSelector:
+          matchLabels:
+            {{ include "uptime-kuma.fullname" . }}-client: "true"
+      {{- with .Values.networkPolicy.namespaceSelector }}
+      - namespaceSelector:
+          {{- toYaml . | nindent 10 }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/charts/uptime-kuma/templates/service.yaml b/charts/uptime-kuma/templates/service.yaml
@@ -12,7 +12,7 @@ spec:
   type: {{ .Values.service.type }}
   ports:
     - port: {{ .Values.service.port }}
-      targetPort: 3001
+      targetPort: {{ include "uptime-kuma.port" . }}
       protocol: TCP
       {{- with .Values.service.nodePort }}
       nodePort: {{ . }}

diff --git a/charts/uptime-kuma/templates/statefulset.yaml b/charts/uptime-kuma/templates/statefulset.yaml
@@ -51,13 +51,15 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          {{- with .Values.podEnv }}
           env:
+            - name: "UPTIME_KUMA_PORT"
+              value: {{ include "uptime-kuma.port" . }}
+          {{- with .Values.podEnv }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
           ports:
             - name: http
-              containerPort: 3001
+              containerPort: {{ include "uptime-kuma.port" . }}
               protocol: TCP
           {{ if or .Values.volume.enabled .Values.additionalVolumeMounts -}}
           volumeMounts:
@@ -81,7 +83,7 @@ spec:
           readinessProbe:
             httpGet:
               path: /
-              port: 3001
+              port: {{ include "uptime-kuma.port" . }}
               scheme: HTTP
             initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds}}
           {{- end }}

diff --git a/charts/uptime-kuma/values.yaml b/charts/uptime-kuma/values.yaml
@@ -28,10 +28,10 @@ podAnnotations: {}
 podLabels:
   {}
   # app: uptime-kuma
-podEnv:
-  # a default port must be set. required by container
-  - name: "UPTIME_KUMA_PORT"
-    value: "3001"
+podEnv: []
+  # optional additional environment variables
+  # - name: "A_VARIABLE"
+  #   value: "a-value"
 
 podSecurityContext:
   {}
@@ -207,3 +207,22 @@ dnsConfig: {}
 # -- Use this option to set custom PriorityClass to the created deployment
 # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass
 priorityClassName: ""
+
+# -- Create a NetworkPolicy
+networkPolicy:
+  # -- Enable/disable Network Policy
+  enabled: false
+  # -- Enable/disable Ingress policy type
+  ingress: true
+  # -- Enable/disable Egress policy type
+  egress: true
+  # -- Allow incoming connections only from specific Pods
+  # When set to true, the geoserver will accept connections from any source.
+  # When false, only Pods with the label {{ include "geoserver.fullname" . }}-client=true will have network access
+  allowExternal: true
+  # -- Selects particular namespaces for which all Pods are allowed as ingress sources
+  namespaceSelector: {}
+  #  matchLabels:
+  #    role: frontend
+  #  matchExpressions:
+  #   - {key: role, operator: In, values: [frontend]}