fix(helm chart): allow egress from server to email server (#966)

The Network Policies omitted egress to the email server. This commit allows egress to the email server.
Iain Sproat 2022-08-25 16:00:34 +01:00 коммит произвёл GitHub
Родитель ab0c60ec57
Коммит 5aa00784a6
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
5 изменённых файлов: 155 добавлений и 0 удалений


@ -184,6 +184,35 @@ Creates a Cilium Network Policy egress definition for connecting to S3 compatibl
{{- end -}}
{{- end }}
{{/*
Creates a Kubernetes Network Policy egress definition for connecting to the email server
Params:
- context - Required, global context should be provided
*/}}
{{- define "speckle.networkpolicy.egress.email" -}}
{{- $port := (default "443" .Values.server.email.port ) -}}
{{- if .Values.server.email.networkPolicy.inCluster.enabled -}}
{{ include "speckle.networkpolicy.egress.internal" (dict "podSelector" .Values.server.email.networkPolicy.inCluster.kubernetes.podSelector "namespaceSelector" .Values.server.email.networkPolicy.inCluster.kubernetes.namespaceSelector "port" $port) }}
{{- else if .Values.server.email.networkPolicy.externalToCluster.enabled -}}
{{ include "speckle.networkpolicy.egress.external" (dict "ip" .Values.server.email.host "port" $port) }}
{{- end -}}
{{- end }}
{{/*
Creates a Cilium Network Policy egress definition for connecting to an email server
Expects the global context "$" to be passed as the parameter
*/}}
{{- define "speckle.networkpolicy.egress.email.cilium" -}}
{{- $port := (default "443" .Values.server.email.port ) -}}
{{- if .Values.server.email.networkPolicy.inCluster.enabled -}}
{{ include "speckle.networkpolicy.egress.internal.cilium" (dict "endpointSelector" .Values.server.email.networkPolicy.inCluster.cilium.endpointSelector "serviceSelector" .Values.server.email.networkPolicy.inCluster.cilium.serviceSelector "port" $port) }}
{{- else if .Values.server.email.networkPolicy.externalToCluster.enabled -}}
{{ include "speckle.networkpolicy.egress.external.cilium" (dict "ip" .Values.server.email.host "port" $port) }}
{{- end -}}
{{- end }}
{{/*
Creates a DNS match pattern for discovering the postgres IP
@ -228,6 +257,22 @@ Creates a DNS match pattern for discovering blob storage IP
{{- end }}
{{- end }}
{{/*
Creates a DNS match pattern for discovering email server IP
Usage:
{{ include "speckle.networkpolicy.dns.email.cilium" $ }}
Params:
- context - Required, global context should be provided.
*/}}
{{- define "speckle.networkpolicy.dns.email.cilium" -}}
{{- $domain := .Values.server.email.host -}}
{{- if (and .Values.server.email.networkPolicy.externalToCluster.enabled ( ne ( include "speckle.isIPv4" $domain ) "true" ) ) -}}
{{ include "speckle.networkpolicy.matchNameOrPattern" $domain }}
{{- end }}
{{- end }}
{{/*
Creates a network policy egress definition for connecting to an external url:port or ip:port
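Review bot: Both `speckle.networkpolicy.egress.email` and `speckle.networkpolicy.egress.email.cilium` fall back to `default "443"` when `.Values.server.email.port` is unset, but 443 is the HTTPS port rather than one a mail client would use, so a deployment that leaves the port empty gets an egress rule that never matches the real SMTP connection and the mail traffic stays blocked. Because Sprig's `default` also treats `0` and `""` as empty, that fallback is reachable; either align it with the chart's documented default for `server.email.port` or drop it so a missing port fails the render with a clear message instead of producing a misleading allow rule. When the port is set, `default` passes it through unchanged, so an integer in values reaches the `egress.internal`/`egress.external` helpers as an integer while the literal is a string; those helpers are outside this hunk, and Cilium's port field expects a string, so it is worth confirming they quote it. The duplicated `$port` line could be hoisted into one small helper so both templates cannot drift apart.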


@ -56,6 +56,10 @@ spec:
# DNS lookup for sentry
- matchPattern: "*.ingest.sentry.io"
{{- end }}
{{- if .Values.server.email.enabled }}
# email server
{{ include "speckle.networkpolicy.dns.email.cilium" $ | indent 14 }}
{{- end }}
{{ include "speckle.networkpolicy.dns.postgres.cilium" $ | indent 14 }}
{{ include "speckle.networkpolicy.dns.redis.cilium" $ | indent 14 }}
{{ include "speckle.networkpolicy.dns.blob_storage.cilium" $ | indent 14 }}
@ -75,6 +79,10 @@ spec:
- ports:
- port: "443"
protocol: TCP
{{- end }}
{{- if .Values.server.email.enabled }}
# email server
{{ include "speckle.networkpolicy.egress.email.cilium" $ | indent 4 }}
{{- end }}
# postgres
{{ include "speckle.networkpolicy.egress.postgres.cilium" $ | indent 4 }}


@ -40,6 +40,10 @@ spec:
cidr: 34.120.195.249/32
ports:
- port: 443
{{- end }}
{{- if .Values.server.email.enabled }}
# email server
{{ include "speckle.networkpolicy.egress.email" $ | indent 4 }}
{{- end }}
# redis
{{ include "speckle.networkpolicy.egress.redis" $ | indent 4 }}
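Review bot: The new `speckle.networkpolicy.egress.email` include passes `.Values.server.email.host` to `speckle.networkpolicy.egress.external` under the key `"ip"`, yet a mail relay is usually configured by DNS name, and a Kubernetes NetworkPolicy `ipBlock` can only carry a CIDR (the sentry rule just above this hunk uses a literal `cidr: 34.120.195.249/32`). If that helper writes the host into `ipBlock.cidr`, a hostname will be rejected by the API server or leave SMTP egress blocked; the helper is outside this hunk, so this is inferred from its parameter name. Consider guarding the include with the same `speckle.isIPv4` check the Cilium DNS helper uses and documenting on `server.email.networkPolicy.externalToCluster` that plain Kubernetes policies need `host` to be an IP address, e.g. `## For Kubernetes Network Policies (not Cilium) the email host must be an IPv4 address, as egress rules cannot reference a DNS name.`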


@ -437,6 +437,61 @@
"type": "string",
"description": "The username with which Speckle will authenticate with the email service.",
"default": ""
},
"networkPolicy": {
"type": "object",
"properties": {
"externalToCluster": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "If enabled, indicates that the email server is hosted externally to the Kubernetes cluster",
"default": true
}
}
},
"inCluster": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "If enabled, indicates that the email server is hosted withing the same Kubernetes cluster in which Speckle will be deployed",
"default": false
},
"kubernetes": {
"type": "object",
"properties": {
"podSelector": {
"type": "object",
"description": "(Kubernetes Network Policy only) The pod Selector yaml object used to uniquely select the email server pods within the cluster and given namespace",
"default": {}
},
"namespaceSelector": {
"type": "object",
"description": "(Kubernetes Network Policy only) The namespace selector yaml object used to uniquely select the namespace in which the email server pods are deployed",
"default": {}
}
}
},
"cilium": {
"type": "object",
"properties": {
"endpointSelector": {
"type": "object",
"description": "(Cilium Network Policy only) The endpoint selector yaml object used to uniquely select the in-cluster endpoint in which the email server pods are deployed",
"default": {}
},
"serviceSelector": {
"type": "object",
"description": "(Cilium Network Policy only) The service selector yaml object used to uniquely select the in-cluster service providing the email server",
"default": {}
}
}
}
}
}
}
}
}
},
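Review bot: The `inCluster.enabled` description reads "hosted withing the same Kubernetes cluster"; it should read `"If enabled, indicates that the email server is hosted within the same Kubernetes cluster in which Speckle will be deployed"`. The same typo appears in the matching `@param server.email.networkPolicy.inCluster.enabled` comment in values.yaml in this commit. The rest of the schema mirrors the values file and looks consistent.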


@ -388,6 +388,49 @@ server:
## Note that the `email_password` is expected to be provided in the Kubernetes Secret with the name provided in the `secretName` parameter.
##
username: ''
## @extra server.email.networkPolicy If networkPolicy is enabled for Speckle server, this provides the Network Policy with the necessary details to allow egress connections to the email server
##
networkPolicy:
## @extra server.email.networkPolicy.externalToCluster Only required if the Redis store is not hosted within the Kubernetes cluster in which Speckle will be deployed.
##
externalToCluster:
## @param server.email.networkPolicy.externalToCluster.enabled If enabled, indicates that the email server is hosted externally to the Kubernetes cluster
## Only one of externalToCluster or inCluster should be enabled. If both are enabled then inCluster takes precedence and is the only one deployed
##
enabled: true
## @extra server.email.networkPolicy.inCluster is only required if the email server is hosted within the Kubernetes cluster in which Speckle will be deployed.
##
inCluster:
## @param server.email.networkPolicy.inCluster.enabled If enabled, indicates that the email server is hosted withing the same Kubernetes cluster in which Speckle will be deployed
## Only one of externalToCluster or inCluster should be enabled. If both are enabled then inCluster takes precedence and is the only set of egress network policy rules deployed.
##
enabled: false
kubernetes:
## @param server.email.networkPolicy.inCluster.kubernetes.podSelector (Kubernetes Network Policy only) The pod Selector yaml object used to uniquely select the email server pods within the cluster and given namespace
## For Kubernetes Network Policies this is a podSelector object.
## For Cilium Network Policies this is ignored.
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podSelector: {}
## @param server.email.networkPolicy.inCluster.kubernetes.namespaceSelector (Kubernetes Network Policy only) The namespace selector yaml object used to uniquely select the namespace in which the email server pods are deployed
## This is a Kubernetes namespaceSelector object.
## For Cilium Network Policies, this is ignored
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
namespaceSelector: {}
cilium:
## @param server.email.networkPolicy.inCluster.cilium.endpointSelector (Cilium Network Policy only) The endpoint selector yaml object used to uniquely select the in-cluster endpoint in which the email server pods are deployed
## For Kubernetes Network Policies, this is ignored.
## ref: https://docs.cilium.io/en/v1.9/policy/language/#egress
## ref: https://github.com/cilium/cilium/blob/master/pkg/policy/api/selector.go
endpointSelector: {}
## @param server.email.networkPolicy.inCluster.cilium.serviceSelector (Cilium Network Policy only) The service selector yaml object used to uniquely select the in-cluster service providing the email server
## For Kubernetes Network Policies this is ignored.
## ref: https://docs.cilium.io/en/v1.9/policy/language/#egress
## ref: https://github.com/cilium/cilium/blob/master/pkg/policy/api/service.go
serviceSelector: {}
requests:
## @param server.requests.cpu The CPU that should be available on a node when scheduling this pod.
## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
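Review bot: The `@extra server.email.networkPolicy.externalToCluster` comment says "Only required if the Redis store is not hosted within the Kubernetes cluster", which was carried over from the redis stanza; it should read `## @extra server.email.networkPolicy.externalToCluster Only required if the email server is not hosted within the Kubernetes cluster in which Speckle will be deployed.` The `cilium.endpointSelector` and `cilium.serviceSelector` comments also omit the closing `##` line that the `kubernetes` selectors and the rest of this file place before each key, which matters if the README generator relies on it. Since `externalToCluster.enabled` defaults to `true`, the rendered egress rule targets whatever `server.email.host` holds, so a short note in that `@extra` comment stating that `host` and `port` must be set for the rule to be meaningful would help operators; what the template emits for an empty host is not visible in this hunk.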