Merge branch 'main' into jkroepke-patch-1

Author: jkroepke

.github/workflows/issue-triage.yaml

@@ -46,6 +46,11 @@ jobs:
         uses: redhat-plumbers-in-action/advanced-issue-labeler@b80ae64e3e156e9c111b075bfa04b295d54e8e2e # v3.2.4
         with:
           issue-form: ${{ steps.issue-parser.outputs.jsonString }}
+          template: >-
+            ${{
+              contains(github.event.issue.labels.*.name, 'bug')
+              && 'bug_report.yml' || 'feature_request.yml'
+            }}
           section: chart-name
           config-path: .github/advanced-issue-labeler.yml
           token: ${{ github.token }}

charts/grafana/README.md

@@ -243,14 +243,15 @@ The minimum required Kubernetes version is now 1.25. All references to deprecate
 | livenessProbe.initialDelaySeconds | int | `60` |  |
 | livenessProbe.timeoutSeconds | int | `30` |  |
 | namespaceOverride | string | `""` |  |
-| networkPolicy.allowExternal | bool | `true` |  |
-| networkPolicy.egress.blockDNSResolution | bool | `false` |  |
-| networkPolicy.egress.enabled | bool | `false` |  |
-| networkPolicy.egress.ports | list | `[]` |  |
-| networkPolicy.egress.to | list | `[]` |  |
-| networkPolicy.enabled | bool | `false` |  |
-| networkPolicy.explicitNamespacesSelector | object | `{}` |  |
-| networkPolicy.ingress | bool | `true` |  |
+| networkPolicy.allowExternal | bool | `true` | networkPolicy.ingress When true enables the creation an ingress network policy |
+| networkPolicy.egress.blockDNSResolution | bool | `false` | networkPolicy.egress.blockDNSResolution When enabled, DNS resolution will be blocked for all pods in the grafana namespace. |
+| networkPolicy.egress.enabled | bool | `false` | networkPolicy.egress.enabled When enabled, an egress network policy will be created allowing grafana to connect to external data sources from kubernetes cluster. |
+| networkPolicy.egress.ports | list | `[]` | networkPolicy.egress.ports Add individual ports to be allowed by the egress |
+| networkPolicy.egress.to | list | `[]` | networkPolicy.egress.to Allow egress traffic to specific destinations |
+| networkPolicy.enabled | bool | `false` | networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. |
+| networkPolicy.explicitIpBlocks | list | `[]` | networkPolicy.explicitIpBlocks List of CIDR blocks allowed as ingress sources. Each entry must be a valid CIDR notation string (e.g. 10.0.0.0/8). When defined, the specified CIDR ranges are added to the ingress `from` rules using `ipBlock` entries and complement the other configured ingress sources. </br>  Example:  ``` explicitIpBlocks:   - 35.191.0.0/16   - 130.211.0.0/22 ```  |
+| networkPolicy.explicitNamespacesSelector | object | `{}` | networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace and that match other criteria, the ones that have the good label, can reach the grafana. But sometimes, we want the grafana to be accessible to clients from other namespaces, in this case, we can use this LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. </br>  Example:  ``` explicitNamespacesSelector:   matchLabels:     role: frontend   matchExpressions:    - {key: role, operator: In, values: [frontend]} ``` |
+| networkPolicy.ingress | bool | `true` | networkPolicy.allowExternal Don't require client label for connections The Policy model to apply. When set to false, only pods with the correct client label will have network access to  grafana port defined. When true, grafana will accept connections from any source (with the correct destination port).  |
 | nodeSelector | object | `{}` |  |
 | notifiers | object | `{}` |  |
 | persistence.accessModes[0] | string | `"ReadWriteOnce"` |  |

charts/grafana/templates/networkpolicy.yaml

@@ -52,6 +52,10 @@ spec:
         - namespaceSelector:
             {{- toYaml . | nindent 12 }}
         {{- end }}
+        {{- range .Values.networkPolicy.explicitIpBlocks }}
+        - ipBlock:
+            cidr: {{ . | quote }}
+        {{- end }}
         - podSelector:
             matchLabels:
               {{- include "grafana.labels" . | nindent 14 }}

charts/grafana/values.yaml

@@ -1596,69 +1596,73 @@ imageRenderer:
   extraVolumes: []
 
 networkPolicy:
-  ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
-  ##
+  # -- networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
   enabled: false
-  ## @param networkPolicy.allowExternal Don't require client label for connections
-  ## The Policy model to apply. When set to false, only pods with the correct
-  ## client label will have network access to  grafana port defined.
-  ## When true, grafana will accept connections from any source
-  ## (with the correct destination port).
-  ##
+  # --networkPolicy.allowExternal Don't require client label for connections
+  # The Policy model to apply. When set to false, only pods with the correct
+  # client label will have network access to  grafana port defined.
+  # When true, grafana will accept connections from any source
+  # (with the correct destination port).
+  #
   ingress: true
-  ## @param networkPolicy.ingress When true enables the creation
-  ## an ingress network policy
-  ##
+  # -- networkPolicy.ingress When true enables the creation
+  # an ingress network policy
   allowExternal: true
-  ## @param networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed
-  ## If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
-  ## and that match other criteria, the ones that have the good label, can reach the grafana.
-  ## But sometimes, we want the grafana to be accessible to clients from other namespaces, in this case, we can use this
-  ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
-  ##
-  ## Example:
-  ## explicitNamespacesSelector:
-  ##   matchLabels:
-  ##     role: frontend
-  ##   matchExpressions:
-  ##    - {key: role, operator: In, values: [frontend]}
-  ##
+  # -- networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed
+  # If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
+  # and that match other criteria, the ones that have the good label, can reach the grafana.
+  # But sometimes, we want the grafana to be accessible to clients from other namespaces, in this case, we can use this
+  # LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
+  # </br>
+  #
+  # Example:
+  #
+  # ```
+  # explicitNamespacesSelector:
+  #   matchLabels:
+  #     role: frontend
+  #   matchExpressions:
+  #    - {key: role, operator: In, values: [frontend]}
+  # ```
   explicitNamespacesSelector: {}
-  ##
-  ##
-  ##
-  ##
-  ##
-  ##
+  # -- networkPolicy.explicitIpBlocks List of CIDR blocks allowed as ingress sources.
+  # Each entry must be a valid CIDR notation string (e.g. 10.0.0.0/8).
+  # When defined, the specified CIDR ranges are added to the ingress `from` rules
+  # using `ipBlock` entries and complement the other configured ingress sources.
+  # </br>
+  #
+  # Example:
+  #
+  # ```
+  # explicitIpBlocks:
+  #   - 35.191.0.0/16
+  #   - 130.211.0.0/22
+  # ```
+  #
+  explicitIpBlocks: []
+
   egress:
-    ## @param networkPolicy.egress.enabled When enabled, an egress network policy will be
-    ## created allowing grafana to connect to external data sources from kubernetes cluster.
+    # -- networkPolicy.egress.enabled When enabled, an egress network policy will be
+    # created allowing grafana to connect to external data sources from kubernetes cluster.
     enabled: false
-    ##
-    ## @param networkPolicy.egress.blockDNSResolution When enabled, DNS resolution will be blocked
-    ## for all pods in the grafana namespace.
+    # -- networkPolicy.egress.blockDNSResolution When enabled, DNS resolution will be blocked
+    # for all pods in the grafana namespace.
     blockDNSResolution: false
-    ##
-    ## @param networkPolicy.egress.ports Add individual ports to be allowed by the egress
+    # -- networkPolicy.egress.ports Add individual ports to be allowed by the egress
     ports: []
-    ## Add ports to the egress by specifying - port: <port number>
-    ## E.X.
-    ## - port: 80
-    ## - port: 443
-    ##
-    ## @param networkPolicy.egress.to Allow egress traffic to specific destinations
+    # Add ports to the egress by specifying - port: <port number>
+    # E.X.
+    # - port: 80
+    # - port: 443
+    #
+    # -- networkPolicy.egress.to Allow egress traffic to specific destinations
     to: []
-    ## Add destinations to the egress by specifying - ipBlock: <CIDR>
-    ## E.X.
-    ## to:
-    ##  - namespaceSelector:
-    ##    matchExpressions:
-  ##    - {key: role, operator: In, values: [grafana]}
-  ##
-  ##
-  ##
-  ##
-  ##
+    # -- destinations to the egress by specifying - ipBlock: <CIDR>
+    # E.X.
+    # to:
+    #  - namespaceSelector:
+    #    matchExpressions:
+    #    - {key: role, operator: In, values: [grafana]}
 
 # Enable backward compatibility of kubernetes where version below 1.13 doesn't have the enableServiceLinks option
 enableKubeBackwardCompatibility: false