diff --git a/charts/podinfo/README.md b/charts/podinfo/README.md
index e06420842..ff4b642f0 100644
--- a/charts/podinfo/README.md
+++ b/charts/podinfo/README.md
@@ -62,6 +62,9 @@ The following tables lists the configurable parameters of the podinfo chart and
 | `redis.enabled` | `false` | Create Redis deployment for caching purposes |
 | `redis.repository` | `docker.io/redis` | Redis image repository |
 | `redis.tag` | `` | Redis image tag |
+| `redis.securityContext` | `{}` | The security context to be set on the redis pod |
+| `redis.containerSecurityContext` | `{}` | The security context to be set on the redis container |
+| `redis.persistence.enabled ` | `false` | Enabled the PVC for redis cache |
 | `redis.imagePullSecrets` | `[]` | Redis image pull secrets |
 | `ui.color` | `#34577c` | UI color |
 | `ui.message` | `None` | UI greetings message |
@@ -122,6 +125,7 @@ The following tables lists the configurable parameters of the podinfo chart and
 | `resources.requests.memory` | `16Mi` | Pod memory request |
 | `resources.limits.cpu` | `None` | Pod CPU limit |
 | `resources.limits.memory` | `None` | Pod memory limit |
+| `networkPolicy.enabled` | `false` | Whether network policies between podinfo and redis should be created |
 | `nodeSelector` | `{}` | Node labels for pod assignment |
 | `tolerations` | `[]` | List of node taints to tolerate |
 | `affinity` | `None` | Node/pod affinities |
diff --git a/charts/podinfo/templates/deployment.yaml b/charts/podinfo/templates/deployment.yaml
index 177b0573c..1b2f870e9 100644
--- a/charts/podinfo/templates/deployment.yaml
+++ b/charts/podinfo/templates/deployment.yaml
@@ -5,6 +5,7 @@ metadata:
   namespace: {{ include "podinfo.namespace" . }}
   labels:
     {{- include "podinfo.labels" . | nindent 4 }}
+    app.kubernetes.io/component: server
 spec:
   {{- if not .Values.hpa.enabled }}
   replicas: {{ .Values.replicaCount }}
@@ -20,6 +21,7 @@ spec:
     metadata:
       labels:
         {{- include "podinfo.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: server
       annotations:
         prometheus.io/scrape: "true"
         prometheus.io/port: "{{ .Values.service.httpPort }}"
diff --git a/charts/podinfo/templates/network-policies.yaml b/charts/podinfo/templates/network-policies.yaml
new file mode 100644
index 000000000..a3a9f6021
--- /dev/null
+++ b/charts/podinfo/templates/network-policies.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.networkPolicies.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "podinfo.fullname" . }}-egress
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "podinfo.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: server
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              {{- include "podinfo.selectorLabels" . | nindent 14 }}
+              app.kubernetes.io/component: cache
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      ports:
+        - port: redis
+          protocol: TCP
+  policyTypes:
+    - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "podinfo.fullname" . }}-ingress
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: cache
+      {{- include "podinfo.selectorLabels" . | nindent 6 }}
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              {{- include "podinfo.selectorLabels" . | nindent 14 }}
+              app.kubernetes.io/component: server
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+      ports:
+        - port: redis
+          protocol: TCP
+  policyTypes:
+    - Ingress
+{{- end -}}
diff --git a/charts/podinfo/templates/redis/config.yaml b/charts/podinfo/templates/redis/config.yaml
index cd63785c8..22243ce31 100644
--- a/charts/podinfo/templates/redis/config.yaml
+++ b/charts/podinfo/templates/redis/config.yaml
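Review bot: The egress policy on the server pods permits only TCP to the cache pods, so with `policyTypes: [Egress]` every other egress, including DNS to the cluster resolver, is denied and the server can no longer resolve the redis service name unless some other policy in the namespace already allows it; a second egress rule for port 53 is needed, as sketched below (the DNS pod label is the common CoreDNS one and must match the cluster in use). The policies are also rendered when `redis.enabled` is false, which leaves the server pods with a deny-all egress and no cache to reach; gating them the way pvc.yaml does, `{{- if and .Values.redis.enabled .Values.networkPolicies.enabled -}}`, avoids that. `port: redis` presumes the redis container declares a named port `redis`, which this diff does not show, so that should be confirmed against the redis deployment. The ingress policy also omits the `labels:` block that the egress policy carries, and the README hunk documents the flag as `networkPolicy.enabled` while the template reads `.Values.networkPolicies.enabled`.
```yaml
  egress:
    # … unchanged: rule allowing the cache pods on the redis port …
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns  # label of the cluster DNS pods; adjust to the cluster
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```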
@@ -8,5 +8,9 @@ data:
     maxmemory 64mb
     maxmemory-policy allkeys-lru
     save ""
+    {{- if .Values.redis.persistence.enabled }}
+    appendonly yes
+    {{- else }}
     appendonly no
+    {{- end }}
 {{- end }}
diff --git a/charts/podinfo/templates/redis/deployment.yaml b/charts/podinfo/templates/redis/deployment.yaml
index 829562eb5..004c12a02 100644
--- a/charts/podinfo/templates/redis/deployment.yaml
+++ b/charts/podinfo/templates/redis/deployment.yaml
@@ -5,6 +5,8 @@ metadata:
   name: {{ template "podinfo.fullname" . }}-redis
   labels:
     app: {{ template "podinfo.fullname" . }}-redis
+    {{- include "podinfo.labels" . | nindent 4 }}
+    app.kubernetes.io/component: cache
 spec:
   strategy:
     type: Recreate
@@ -15,9 +17,15 @@ spec:
     metadata:
       labels:
         app: {{ template "podinfo.fullname" . }}-redis
+        {{- include "podinfo.labels" . | nindent 8 }}
+        app.kubernetes.io/component: cache
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/redis/config.yaml") . | sha256sum | quote }}
     spec:
+      {{- if .Values.redis.securityContext }}
+      securityContext:
+        {{- toYaml .Values.redis.securityContext | nindent 8 }}
+      {{- end }}
       {{- if .Values.serviceAccount.enabled }}
       serviceAccountName: {{ template "podinfo.serviceAccountName" . }}
       {{- end }}
@@ -28,6 +36,10 @@ spec:
         - name: redis
           image: "{{ .Values.redis.repository }}:{{ .Values.redis.tag }}"
           imagePullPolicy: IfNotPresent
+          {{- if .Values.redis.containerSecurityContext }}
+          securityContext:
+            {{- toYaml .Values.redis.containerSecurityContext | nindent 12 }}
+          {{- end }}
           command:
             - redis-server
             - "/redis-master/redis.conf"
@@ -56,11 +68,13 @@ spec:
               memory: 32Mi
           volumeMounts:
             - mountPath: /var/lib/redis
-              name: data
+              name: redis-system
             - mountPath: /redis-master
               name: config
+            - mountPath: /data
+              name: data
       volumes:
-        - name: data
+        - name: redis-system
           emptyDir: {}
         - name: config
           configMap:
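Review bot: `appendonly yes` makes redis write the AOF into its configured `dir`, but nothing in this hunk ties that directory to the new `/data` PVC mount; if the part of redis.conf above the hunk sets `dir` (the block starts outside the hunk), it must point at `/data`, otherwise the AOF ends up on the `redis-system` emptyDir and persistence is silently ineffective. Making the pairing explicit in the same branch removes the dependence on the image's working directory: `{{- if .Values.redis.persistence.enabled }}` / `dir /data` / `appendonly yes`.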
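Review bot: Both new `securityContext` blocks default to `{}` in values.yaml and values-prod.yaml, so the cache pod still runs with no pod- or container-level hardening out of the box, while values-prod turns on persistence to a PVC at the same time; once a restrictive context with `runAsNonRoot`/`runAsUser` is supplied, the pod-level block will also need `fsGroup` so a non-root redis can write the mounted claim, which is worth a comment beside the values. The `{{- if }}` guards themselves are fine, since an empty map is falsy in Go templates. The same pattern applies to the `containerSecurityContext` hunk that follows.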
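Review bot: The new `/data` mount references volume `data` unconditionally, but `data` is only defined inside `{{- if .Values.redis.persistence.enabled }}` in the volumes hunk that follows, so with the default `persistence.enabled: false` the rendered pod spec names an undefined volume and the API server rejects the Deployment. Wrap the mount in the same condition, `{{- if .Values.redis.persistence.enabled }}` / `- mountPath: /data` plus `name: data` / `{{- end }}`, or add an `{{- else }}` branch in the volumes list that backs `data` with `emptyDir: {}` so the container always has a writable `/data`.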
@@ -68,4 +82,9 @@ spec:
             items:
               - key: redis.conf
                 path: redis.conf
-{{- end }}
+        {{- if .Values.redis.persistence.enabled }}
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ template "podinfo.fullname" . }}
+        {{- end }}
+{{- end -}}
diff --git a/charts/podinfo/templates/redis/pvc.yaml b/charts/podinfo/templates/redis/pvc.yaml
new file mode 100644
index 000000000..de921a041
--- /dev/null
+++ b/charts/podinfo/templates/redis/pvc.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.redis.enabled .Values.redis.persistence.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ template "podinfo.fullname" . }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.redis.persistence.size | default "1Gi" }}
+  {{- if .Values.redis.persistence.storageClassName }}
+  storageClassName: {{ .Values.redis.persistence.storageClassName }}
+  {{- end }}
+{{- end }}
diff --git a/charts/podinfo/values-prod.yaml b/charts/podinfo/values-prod.yaml
index 03ab62221..76befc17c 100644
--- a/charts/podinfo/values-prod.yaml
+++ b/charts/podinfo/values-prod.yaml
@@ -94,6 +94,10 @@ redis:
   enabled: true
   repository: redis
   tag: 8.4.0
+  securityContext: {}
+  containerSecurityContext: {}
+  persistence:
+    enabled: true
 
 serviceAccount:
   # Specifies whether a service account should be created
@@ -172,6 +176,8 @@ resources:
     cpu: 100m
     memory: 64Mi
 
+networkPolicies:
+  enabled: false
 # Extra environment variables for the podinfo container
 extraEnvs: []
 # Example on how to configure extraEnvs
diff --git a/charts/podinfo/values.yaml b/charts/podinfo/values.yaml
index fc3653fdb..070fb2831 100644
--- a/charts/podinfo/values.yaml
+++ b/charts/podinfo/values.yaml
@@ -111,6 +111,10 @@ redis:
   repository: docker.io/redis
   tag: 8.4.0
   imagePullSecrets: []
+  securityContext: {}
+  containerSecurityContext: {}
+  persistence:
+    enabled: false
 
 serviceAccount:
   # Specifies whether a service account should be created
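Review bot: The claim is named `{{ template "podinfo.fullname" . }}` with no `-redis` suffix, unlike the redis deployment and config that use `{{ template "podinfo.fullname" . }}-redis`, so it reads as belonging to the server itself and would collide if the chart ever needs a claim for podinfo; `name: {{ template "podinfo.fullname" . }}-redis` here and in the `claimName` of the volumes hunk above keeps the convention. The template also reads `redis.persistence.size` and `redis.persistence.storageClassName`, which neither the values.yaml hunk nor the README hunk declares; adding `size: 1Gi` and `storageClassName: ""` under `persistence:` makes the defaults discoverable instead of hidden behind `| default "1Gi"`. No `namespace:` is set on the claim whereas deployment.yaml uses `{{ include "podinfo.namespace" . }}`, so the PVC is created in the release namespace only; confirm that is intended when the two differ.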
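Review bot: The new `securityContext`, `containerSecurityContext` and `persistence` keys in values.yaml carry no comments, while the surrounding entries document their purpose (`# Specifies whether a service account should be created`); add, for instance, `# Pod-level securityContext for the redis pod (set fsGroup when redis runs as non-root and persistence is on)` above `securityContext: {}` and `# Persist the redis AOF on a PersistentVolumeClaim mounted at /data` above `persistence:`. The README hunk that documents these keys writes `redis.persistence.enabled ` with a trailing space inside the backticks, which should be trimmed in the same change.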
@@ -188,6 +192,17 @@ resources:
     cpu: 1m
     memory: 16Mi
 
+networkPolicies:
+  enabled: false
+
+# Extra environment variables for the podinfo container
+extraEnvs: []
+# Example on how to configure extraEnvs
+# - name: OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
+#   value: "http://otel:4317"
+# - name: MULTIPLE_VALUES
+#   value: TEST
+
 nodeSelector: {}
 tolerations: []