WIP: Implementing Network Policy #207

Closed
safaG wants to merge 12 commits from network-policy into main
safaG commented 2021-07-09 15:59:01 +00:00 (Migrated from gitea.com)

Hi All!

I have created a network policy yaml file and adjusted the helpers.tpl file in order to stop gitea pods from communicating outside of gitea pods. What I have is really basic as I am not a pro with helm charts. Maybe there is another way of doing it better but this is what I have. What I did was to add the below to the _helpers.tpl file:

```
{{/*
Network Policy labels
*/}}
{{- define "gitea.netpolLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
```

I have added this file to pull the unique label that Gitea creates on all pods. Then I created the networkpolicy.yaml file and used the above label under `matchLabels:` in the networkpolicy.yaml file.

I have tested this with a new deployment and everything seemed to be working fine. However, I am not sure if it will be a breaking change with existing deployments; I have not tested that.
justusbunsi commented 2021-10-30 13:27:34 +00:00 (Migrated from gitea.com)

Thanks for your already invested time to provide that PR. Not sure if you would like to have a review since the PR is marked as WIP.

Referring to your comment: to prevent such a breaking change the use of NetworkPolicy would need to be configurable with default value `false`. That way it wouldn't change existing installs. There are a few examples in the chart to see how this can be achieved. [See this example](https://gitea.com/gitea/helm-chart/src/branch/master/templates/gitea/statefulset.yaml#L156).
justusbunsi commented 2022-03-08 15:42:51 +00:00 (Migrated from gitea.com)

@safaG Do you want to continue your work on this pull request? There would be two things to do:

- Resolve conflicts
- Disable Network policies by default to prevent breaking changes on existing installations
- Wrap the template in conditions such as [here](https://gitea.com/gitea/helm-chart/src/branch/master/templates/gitea/servicemonitor.yaml#L1)
- At least allow customization for the `CIDR` value.
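The following template shows how the `gitea.netpolLabels` helper from the PR description and the three review requests above (default-off, condition-wrapped, configurable CIDR) fit together. It is an added example for this discussion, not the PR's own `networkpolicy.yaml` and not code from the gitea/helm-chart project. It assumes the chart's usual `gitea.fullname` and `gitea.labels` helpers exist, and the value keys `networkPolicy.enabled`, `networkPolicy.ingressCIDRs`, `networkPolicy.egressCIDRs` and `networkPolicy.allowDNS` are hypothetical names chosen for the example.

```yaml
# templates/gitea/networkpolicy.yaml  (hypothetical path, added example)
#
# Assumed values.yaml defaults (hypothetical keys):
#
#   networkPolicy:
#     enabled: false        # off by default: no change for existing installs
#     allowDNS: true        # Gitea must still resolve service names
#     ingressCIDRs: []      # e.g. the ingress-controller / LB range, "10.0.0.0/8"
#     egressCIDRs: []       # e.g. an external database or SMTP range
#
# With enabled=false nothing below is rendered, so upgrades of existing
# releases are unaffected (the reviewer's main concern).
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "gitea.fullname" . }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
spec:
  # Select every pod of this release via the helper from the PR description;
  # it renders to "app.kubernetes.io/instance: <release name>".
  podSelector:
    matchLabels:
      {{- include "gitea.netpolLabels" . | nindent 6 }}
  # Listing both types makes the policy default-deny in both directions for
  # the selected pods; only the rules below are then allowed.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # Pods of the same release may always talk to each other. A bare
        # podSelector is scoped to the policy's own namespace.
        - podSelector:
            matchLabels:
              {{- include "gitea.netpolLabels" . | nindent 14 }}
        # Operator-supplied ranges, e.g. the ingress controller's node/pod CIDR.
        {{- range .Values.networkPolicy.ingressCIDRs }}
        - ipBlock:
            cidr: {{ . | quote }}
        {{- end }}
  egress:
    - to:
        - podSelector:
            matchLabels:
              {{- include "gitea.netpolLabels" . | nindent 14 }}
        {{- range .Values.networkPolicy.egressCIDRs }}
        - ipBlock:
            cidr: {{ . | quote }}
        {{- end }}
    {{- if .Values.networkPolicy.allowDNS }}
    # A rule with ports but no "to" allows those ports to any destination;
    # without this, in-cluster DNS lookups are blocked by the egress deny.
    - ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    {{- end }}
{{- end }}
```

Two checks worth doing before relying on this: render it with `helm template` once with `networkPolicy.enabled=false` (expect no NetworkPolicy object at all) and once with it enabled, and confirm the cluster's CNI actually enforces NetworkPolicy, since a CNI without policy support accepts the object silently and applies nothing.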
safaG commented 2022-03-12 04:48:37 +00:00 (Migrated from gitea.com)

@justusbunsi can we close this PR and move to pull request [306](https://gitea.com/gitea/helm-chart/pulls/306)? I have made the necessary changes there and tested it on my local cluster.

Pull request closed
