From 416ec330ade62ab852b960a8d54886226193a702 Mon Sep 17 00:00:00 2001
From: heidmann
Date: Mon, 9 Dec 2024 17:53:19 +0100
Subject: [PATCH 1/3] Feature: enable automatic creation of network policies from the chart
Signed-off-by: stranljip
---
 charts/uptime-kuma/templates/_helpers.tpl | 7 +++
 charts/uptime-kuma/templates/deployment.yaml | 2 +-
 charts/uptime-kuma/templates/netpol.yaml | 32 +++++++++++++
 charts/uptime-kuma/templates/oidc-tables.sql | 47 +++++++++++++++++++
 charts/uptime-kuma/templates/service.yaml | 2 +-
 charts/uptime-kuma/templates/statefulset.yaml | 8 ++--
 charts/uptime-kuma/values.yaml | 24 ++++++++--
 7 files changed, 113 insertions(+), 9 deletions(-)
 create mode 100644 charts/uptime-kuma/templates/netpol.yaml
 create mode 100644 charts/uptime-kuma/templates/oidc-tables.sql
diff --git a/charts/uptime-kuma/templates/_helpers.tpl b/charts/uptime-kuma/templates/_helpers.tpl
index c37be21..0d21ee2 100644
--- a/charts/uptime-kuma/templates/_helpers.tpl
+++ b/charts/uptime-kuma/templates/_helpers.tpl
@@ -50,6 +50,13 @@ app.kubernetes.io/name: {{ include "uptime-kuma.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+{{/*
+Port of the Uptime Kuma container
+*/}}
+{{- define "uptime-kuma.port" -}}
+3001
+{{- end }}
+
 {{/*
 Create the name of the service account to use
 */}}
diff --git a/charts/uptime-kuma/templates/deployment.yaml b/charts/uptime-kuma/templates/deployment.yaml
index aa990c9..f426cfc 100644
--- a/charts/uptime-kuma/templates/deployment.yaml
+++ b/charts/uptime-kuma/templates/deployment.yaml
@@ -59,7 +59,7 @@ spec:
 {{- end }}
 ports:
 - name: http
- containerPort: 3001
+ containerPort: {{ include "uptime-kuma.port" . }}
 protocol: TCP
 {{ if or .Values.volume.enabled .Values.additionalVolumeMounts -}}
 volumeMounts:
diff --git a/charts/uptime-kuma/templates/netpol.yaml b/charts/uptime-kuma/templates/netpol.yaml
new file mode 100644
index 0000000..f7459a0
--- /dev/null
+++ b/charts/uptime-kuma/templates/netpol.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "uptime-kuma.fullname" . }}
+ labels:
+ {{- include "uptime-kuma.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "uptime-kuma.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ {{- if .Values.networkPolicy.ingress }}
+ - Ingress
+ {{- end }}
+ {{- if .Values.networkPolicy.ingress }}
+ ingress:
+ - ports:
+ - port: {{ include "uptime-kuma.port" . }}
+ protocol: TCP
+ {{- if not .Values.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels:
+ {{ include "uptime-kuma.fullname" . }}-client: "true"
+ {{- with .Values.networkPolicy.namespaceSelector }}
+ - namespaceSelector:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/uptime-kuma/templates/oidc-tables.sql b/charts/uptime-kuma/templates/oidc-tables.sql
new file mode 100644
index 0000000..45312bd
--- /dev/null
+++ b/charts/uptime-kuma/templates/oidc-tables.sql
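Review bot: With `networkPolicy.enabled: true` and `networkPolicy.ingress: false`, `policyTypes:` renders with no entries, and the API server then defaults the policy type to Ingress; the pod is isolated for ingress with no allowing rule, so "disable Ingress policy type" actually blocks all inbound traffic instead of leaving it unrestricted. At this revision the only type is Ingress, so the simplest guard is to render the manifest only when it has something to say, `{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.ingress }}`, or to `fail` with a clear message when no policy type is selected. The client label key `{{ include "uptime-kuma.fullname" . }}-client` is built from the fullname helper, which is outside this diff; if it truncates at 63 characters like the usual chart boilerplate, appending `-client` can exceed the 63-character limit for a label name and make the rendered policy invalid for long release names.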
@@ -0,0 +1,47 @@
+-- oidc_clients definition
+
+-- Drop table
+
+-- DROP TABLE oidc_clients;
+
+CREATE TABLE oidc_clients (
+ id bigserial NOT NULL,
+ "label" varchar NOT NULL,
+ discovery_endpoint varchar NULL,
+ jwks text NULL,
+ authorization_endpoint varchar NULL,
+ token_endpoint varchar NULL,
+ client_id varchar NULL,
+ client_secret varchar NULL,
+ signature_allgorithm varchar NULL,
+ signature_public_key text NULL,
+ CONSTRAINT oidc_clients_pkey1 PRIMARY KEY (id)
+);
+CREATE UNIQUE INDEX index_oidc_clients_on_label ON oidc_clients USING btree (label);
+
+
+-- oidc_sessions definition
+
+-- Drop table
+
+-- DROP TABLE oidc_sessions;
+
+CREATE TABLE oidc_sessions (
+ id bigserial NOT NULL,
+ redirect_uri varchar NULL,
+ access_token text NULL,
+ id_token text NULL,
+ refresh_token text NULL,
+ session_cookie_value varchar NULL,
+ state varchar NULL,
+ nonce varchar NULL,
+ client_id int4 NULL,
+ created_at timestamp NOT NULL,
+ updated_at timestamp NOT NULL,
+ CONSTRAINT oidc_sessions_pkey1 PRIMARY KEY (id)
+);
+CREATE INDEX index_oidc_sessions_on_oidc_client_id ON oidc_sessions USING btree (client_id);
+
+INSERT INTO oidc_clients ("label",discovery_endpoint,jwks,authorization_endpoint,token_endpoint,client_id,client_secret,signature_allgorithm,signature_public_key) VALUES
+ ('Config with env variables',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
+
diff --git a/charts/uptime-kuma/templates/service.yaml b/charts/uptime-kuma/templates/service.yaml
index dd067cc..2d5950a 100644
--- a/charts/uptime-kuma/templates/service.yaml
+++ b/charts/uptime-kuma/templates/service.yaml
@@ -12,7 +12,7 @@ spec:
 type: {{ .Values.service.type }}
 ports:
 - port: {{ .Values.service.port }}
- targetPort: 3001
+ targetPort: {{ include "uptime-kuma.port" . }}
 protocol: TCP
 {{- with .Values.service.nodePort }}
 nodePort: {{ . }}
diff --git a/charts/uptime-kuma/templates/statefulset.yaml b/charts/uptime-kuma/templates/statefulset.yaml
index 5bf1a5b..2237ba1 100644
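Review bot: `oidc-tables.sql` is added under `charts/uptime-kuma/templates/`, where Helm renders every file not starting with `_` as a Kubernetes manifest; the SQL is not YAML, so `helm template`/`helm install` fails at this revision, and the schema has no relation to the network-policy feature named in the subject. PATCH 2/3 deletes the file again, but the broken intermediate commit stays in history and breaks bisecting; squashing the removal into this patch keeps the series installable at every commit. If the DDL is needed elsewhere in the repository, keep it outside `templates/` (or exclude it through `.helmignore`).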
--- a/charts/uptime-kuma/templates/statefulset.yaml
+++ b/charts/uptime-kuma/templates/statefulset.yaml
@@ -51,13 +51,15 @@ spec:
 {{- toYaml .Values.securityContext | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
- {{- with .Values.podEnv }}
 env:
+ - name: "UPTIME_KUMA_PORT"
+ value: {{ include "uptime-kuma.port" . }}
+ {{- with .Values.podEnv }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
 ports:
 - name: http
- containerPort: 3001
+ containerPort: {{ include "uptime-kuma.port" . }}
 protocol: TCP
 {{ if or .Values.volume.enabled .Values.additionalVolumeMounts -}}
 volumeMounts:
@@ -81,7 +83,7 @@ spec:
 readinessProbe:
 httpGet:
 path: /
- port: 3001
+ port: {{ include "uptime-kuma.port" . }}
 scheme: HTTP
 initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds}}
 {{- end }}
diff --git a/charts/uptime-kuma/values.yaml b/charts/uptime-kuma/values.yaml
index 1aa1acd..d606ec1 100644
--- a/charts/uptime-kuma/values.yaml
+++ b/charts/uptime-kuma/values.yaml
@@ -28,10 +28,10 @@ podAnnotations: {}
 podLabels: {}
 # app: uptime-kuma
-podEnv:
- # a default port must be set. required by container
- - name: "UPTIME_KUMA_PORT"
- value: "3001"
+podEnv: []
+ # optional additional environment variables
+ # - name: "A_VARIABLE"
+ # value: "a-value"
 podSecurityContext: {}
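Review bot: `value: {{ include "uptime-kuma.port" . }}` renders the environment value as the bare scalar `3001`, but `env[].value` is a string field and the API server rejects an integer there; the `podEnv` default this replaces was quoted (`"3001"`). Use `value: {{ include "uptime-kuma.port" . | quote }}`. The `podEnv` hunk in values.yaml below also removes the previous default for every workload kind: if `deployment.yaml` renders `.Values.podEnv` the same way (its env section is outside this diff), the Deployment no longer receives `UPTIME_KUMA_PORT` at all and needs the same explicit entry, since the removed comment says the container requires it.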
@@ -207,3 +207,19 @@ dnsConfig: {}
 # -- Use this option to set custom PriorityClass to the created deployment
 # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass
 priorityClassName: ""
+
+networkPolicy:
+ # -- Enable/disable Network Policy
+ enabled: false
+ # -- Enable/disable Ingress policy type
+ ingress: true
+ # -- Allow incoming connections only from specific Pods
+ # When set to true, the geoserver will accept connections from any source.
+ # When false, only Pods with the label {{ include "geoserver.fullname" . }}-client=true will have network access
+ allowExternal: true
+ # -- Selects particular namespaces for which all Pods are allowed as ingress sources
+ namespaceSelector: {}
+ # matchLabels:
+ # role: frontend
+ # matchExpressions:
+ # - {key: role, operator: In, values: [frontend]}
From ffdb1cf9181ea17fca2d2071164b4e5e824d8f98 Mon Sep 17 00:00:00 2001
From: heidmann
Date: Mon, 9 Dec 2024 20:27:37 +0100
Subject: [PATCH 2/3] add egress rules
Signed-off-by: stranljip
---
 charts/uptime-kuma/templates/netpol.yaml | 5 +++
 charts/uptime-kuma/templates/oidc-tables.sql | 47 --------------------
 charts/uptime-kuma/values.yaml | 2 +
 3 files changed, 7 insertions(+), 47 deletions(-)
 delete mode 100644 charts/uptime-kuma/templates/oidc-tables.sql
diff --git a/charts/uptime-kuma/templates/netpol.yaml b/charts/uptime-kuma/templates/netpol.yaml
index f7459a0..db4b153 100644
--- a/charts/uptime-kuma/templates/netpol.yaml
+++ b/charts/uptime-kuma/templates/netpol.yaml
@@ -13,6 +13,11 @@ spec:
 {{- if .Values.networkPolicy.ingress }}
 - Ingress
 {{- end }}
+ {{- if .Values.networkPolicy.egress }}
+ - Egress
+ {{- end }}
+ egress:
+ - {}
 {{- if .Values.networkPolicy.ingress }}
 ingress:
 - ports:
diff --git a/charts/uptime-kuma/templates/oidc-tables.sql b/charts/uptime-kuma/templates/oidc-tables.sql
deleted file mode 100644
index 45312bd..0000000
--- a/charts/uptime-kuma/templates/oidc-tables.sql
+++ /dev/null
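Review bot: The `allowExternal` comment is copied from another chart: it talks about "the geoserver" and a `{{ include "geoserver.fullname" . }}-client=true` label, while netpol.yaml matches `<uptime-kuma fullname>-client: "true"`, and a template expression inside a values.yaml comment is never rendered anyway, so the README generated from it (the table hunk in PATCH 3/3) repeats the wrong label. Suggested wording: `# When false, only Pods carrying the label <release fullname>-client=true (e.g. my-release-uptime-kuma-client=true, constructed example) plus all Pods in namespaces matched by namespaceSelector are allowed as ingress sources.` It is also worth stating that `true` (the default) leaves the ingress rule without a `from` clause, i.e. any source may reach the port.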
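Review bot: `egress:` with the single `- {}` rule is rendered unconditionally, and with `networkPolicy.egress: true` (the new default) the Egress policy type is selected together with an allow-all rule, so the policy never restricts outbound traffic even though the value is documented as enabling an egress policy; with `egress: false` the rule is still emitted but ignored because the type is absent. Allow-all may well be the intended default for a monitor that must reach arbitrary targets, but that should be said in the `egress` value comment (the values.yaml hunk of this patch) rather than implied, and the rule should be rendered under the same condition as the policy type, ideally with an operator-supplied rule list. Sketch below; `networkPolicy.egressRules` is a new value to add to values.yaml (name to be chosen), and the enclosing `spec:` continues outside this hunk.
```yaml
  {{- if .Values.networkPolicy.egress }}
  egress:
    {{- with .Values.networkPolicy.egressRules }}
    {{- toYaml . | nindent 4 }}
    {{- else }}
    - {}
    {{- end }}
  {{- end }}
  # … unchanged: ingress section …
```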
@@ -1,47 +0,0 @@
--- oidc_clients definition
-
--- Drop table
-
--- DROP TABLE oidc_clients;
-
-CREATE TABLE oidc_clients (
- id bigserial NOT NULL,
- "label" varchar NOT NULL,
- discovery_endpoint varchar NULL,
- jwks text NULL,
- authorization_endpoint varchar NULL,
- token_endpoint varchar NULL,
- client_id varchar NULL,
- client_secret varchar NULL,
- signature_allgorithm varchar NULL,
- signature_public_key text NULL,
- CONSTRAINT oidc_clients_pkey1 PRIMARY KEY (id)
-);
-CREATE UNIQUE INDEX index_oidc_clients_on_label ON oidc_clients USING btree (label);
-
-
--- oidc_sessions definition
-
--- Drop table
-
--- DROP TABLE oidc_sessions;
-
-CREATE TABLE oidc_sessions (
- id bigserial NOT NULL,
- redirect_uri varchar NULL,
- access_token text NULL,
- id_token text NULL,
- refresh_token text NULL,
- session_cookie_value varchar NULL,
- state varchar NULL,
- nonce varchar NULL,
- client_id int4 NULL,
- created_at timestamp NOT NULL,
- updated_at timestamp NOT NULL,
- CONSTRAINT oidc_sessions_pkey1 PRIMARY KEY (id)
-);
-CREATE INDEX index_oidc_sessions_on_oidc_client_id ON oidc_sessions USING btree (client_id);
-
-INSERT INTO oidc_clients ("label",discovery_endpoint,jwks,authorization_endpoint,token_endpoint,client_id,client_secret,signature_allgorithm,signature_public_key) VALUES
- ('Config with env variables',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
-
diff --git a/charts/uptime-kuma/values.yaml b/charts/uptime-kuma/values.yaml
index d606ec1..3000c20 100644
--- a/charts/uptime-kuma/values.yaml
+++ b/charts/uptime-kuma/values.yaml
@@ -213,6 +213,8 @@ networkPolicy:
 enabled: false
 # -- Enable/disable Ingress policy type
 ingress: true
+ # -- Enable/disable Egress policy type
+ egress: true
 # -- Allow incoming connections only from specific Pods
 # When set to true, the geoserver will accept connections from any source.
 # When false, only Pods with the label {{ include "geoserver.fullname" . }}-client=true will have network access
From bc0044c4c36f54ae633d28d587d8726f83d9d3d0 Mon Sep 17 00:00:00 2001
From: stranljip
Date: Mon, 9 Dec 2024 20:37:17 +0100
Subject: [PATCH 3/3] add documentation and bum chart version
Signed-off-by: stranljip
---
 charts/uptime-kuma/Chart.yaml | 2 +-
 charts/uptime-kuma/README.md | 13 +++++++++----
 charts/uptime-kuma/values.yaml | 1 +
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/charts/uptime-kuma/Chart.yaml b/charts/uptime-kuma/Chart.yaml
index 4b5c3bf..083cf4f 100644
--- a/charts/uptime-kuma/Chart.yaml
+++ b/charts/uptime-kuma/Chart.yaml
@@ -11,4 +11,4 @@ name: uptime-kuma
 sources:
 - https://github.com/louislam/uptime-kuma
 type: application
-version: 2.20.0
+version: 2.21.0
diff --git a/charts/uptime-kuma/README.md b/charts/uptime-kuma/README.md
index 018cc74..68301c0 100644
--- a/charts/uptime-kuma/README.md
+++ b/charts/uptime-kuma/README.md
@@ -1,6 +1,6 @@
 # uptime-kuma
-![Version: 2.19.4](https://img.shields.io/badge/Version-2.19.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.23.13](https://img.shields.io/badge/AppVersion-1.23.13-informational?style=flat-square)
+![Version: 2.21.0](https://img.shields.io/badge/Version-2.21.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.23.13](https://img.shields.io/badge/AppVersion-1.23.13-informational?style=flat-square)
 A self-hosted Monitoring tool like "Uptime-Robot".
@@ -47,13 +47,18 @@ A self-hosted Monitoring tool like "Uptime-Robot".
 | livenessProbe.successThreshold | int | `1` | |
 | livenessProbe.timeoutSeconds | int | `2` | |
 | nameOverride | string | `""` | |
+| networkPolicy | object | `{"allowExternal":true,"egress":true,"enabled":false,"ingress":true,"namespaceSelector":{}}` | Create a NetworkPolicy |
+| networkPolicy.allowExternal | bool | `true` | Allow incoming connections only from specific Pods When set to true, the geoserver will accept connections from any source. When false, only Pods with the label {{ include "geoserver.fullname" . }}-client=true will have network access |
+| networkPolicy.egress | bool | `true` | Enable/disable Egress policy type |
+| networkPolicy.enabled | bool | `false` | Enable/disable Network Policy |
+| networkPolicy.ingress | bool | `true` | Enable/disable Ingress policy type |
+| networkPolicy.namespaceSelector | object | `{}` | Selects particular namespaces for which all Pods are allowed as ingress sources |
 | nodeSelector | object | `{}` | |
 | podAnnotations | object | `{}` | |
-| podEnv[0].name | string | `"UPTIME_KUMA_PORT"` | |
-| podEnv[0].value | string | `"3001"` | |
+| podEnv | list | `[]` | |
 | podLabels | object | `{}` | |
 | podSecurityContext | object | `{}` | |
-| priorityClassName | string | `""` | Use this option to set custom PriorityClass to the created deployment |
+| priorityClassName | string | `""` | Use this option to set custom PriorityClass to the created deployment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass |
 | readinessProbe.enabled | bool | `true` | |
 | readinessProbe.exec.command | list | `[]` | |
 | readinessProbe.failureThreshold | int | `3` | |
diff --git a/charts/uptime-kuma/values.yaml b/charts/uptime-kuma/values.yaml
index 3000c20..9f381b4 100644
--- a/charts/uptime-kuma/values.yaml
+++ b/charts/uptime-kuma/values.yaml
@@ -208,6 +208,7 @@ dnsConfig: {}
 # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass
 priorityClassName: ""
+# -- Create a NetworkPolicy
 networkPolicy:
 # -- Enable/disable Network Policy
 enabled: false