fix: Local path provisioner instance separation, PG SQL operator netw…

…ork policies (#27)
homecentr · Nov 9, 2023 · 8e49a24 · 8e49a24
1 parent b4b8d1d
commit 8e49a24
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 22 deletions.
diff --git a/apps/common/templates/_network-policies.tpl b/apps/common/templates/_network-policies.tpl
@@ -34,6 +34,24 @@
  - 192.168.0.0/16
 {{- end }}
 
+{{- define "common.ingress-kubeapi" }}
+- from:
+ {{- range $node := .Values.networkPolicy.kubeApiNodes }}
+ - ipBlock:
+ cidr: {{ $node }}/32
+ {{- end }}
+ ports:
+ - protocol: {{ .protocol | default "TCP" }}
+ port: {{ .port }}
+
+- from:
+ - ipBlock:
+ cidr: {{ .Values.networkPolicy.kubeApiService }}/32
+ ports:
+ - protocol: {{ .protocol | default "TCP" }}
+ port: {{ .port }}
+{{- end }}
+
 {{- define "common.egress-kubeapi" }}
 - to:
  {{- range $node := .Values.networkPolicy.kubeApiNodes }}
@@ -76,22 +94,3 @@
  matchLabels:
  app.kubernetes.io/instance: kube-dns
 {{- end }}
-
-{{- define "common.pg-cluster-init" }}
-- ports:
- - protocol: TCP
- port: 53
- - protocol: UDP
- port: 53
- - protocol: TCP
- port: 5353
- - protocol: UDP
- port: 5353
- to:
- - namespaceSelector:
- matchLabels:
- kubernetes.io/metadata.name: kube-system
- podSelector:
- matchLabels:
- app.kubernetes.io/instance: kube-dns
-{{- end }}
diff --git a/apps/local-path-provisioner/templates/deployment.yml b/apps/local-path-provisioner/templates/deployment.yml
@@ -49,6 +49,8 @@ spec:
  - /etc/config/config.json
  - --configmap-name
  - local-path-provisioner-{{ $volume.name }}
+ - --provisioner-name
+ - cluster.local/{{ $volume.name }}
  - --service-account-name
  - local-path-provisioner
  volumeMounts:

diff --git a/apps/local-path-provisioner/templates/storage-class.yml b/apps/local-path-provisioner/templates/storage-class.yml
@@ -6,7 +6,7 @@ metadata:
  name: local-path-provisioner-{{ $volume.name }}
  labels:
  {{- include "common.resource-labels" $ | indent 4 }}
-provisioner: rancher.io/local-path
-volumeBindingMode: {{ $volume.bindingMode | default "WaitForFirstConsumer" }}
+provisioner: cluster.local/{{ $volume.name }}
+# volumeBindingMode: {{ $volume.bindingMode | default "WaitForFirstConsumer" }}
 reclaimPolicy: {{ $volume.reclaimPolicy | default "Retain" }}
-{{ end }}
+{{ end }} 
diff --git a/apps/postgresql-operator/Chart.yaml b/apps/postgresql-operator/Chart.yaml
@@ -6,6 +6,7 @@ dependencies:
  - name: common
  version: 1.0.0
  repository: file:https://../common
+
  - name: cloudnative-pg
  repository: https://cloudnative-pg.github.io/charts
  version: 0.19.1
diff --git a/apps/postgresql-operator/templates/network-policy.yml b/apps/postgresql-operator/templates/network-policy.yml
@@ -10,6 +10,9 @@ spec:
  matchLabels:
  app.kubernetes.io/name: cloudnative-pg
  app.kubernetes.io/instance: {{ $.Release.Namespace }}
+ ingress:
+ # Accept webhooks from Kube API
+ {{- include "common.ingress-kubeapi" (dict "port" 9443 "Values" $.Values) | nindent 4 }}
  egress:
  {{- include "common.egress-kubeapi" . | nindent 4 }}
  # Allow egress to all managed cluster pods across all namespaces
@@ -27,4 +30,5 @@ spec:
  - protocol: TCP
  port: 8000
  policyTypes:
+ - Ingress
  - Egress