diff --git a/charts/crunchy-postgres/README.md b/charts/crunchy-postgres/README.md
index aee58b6..4e91698 100644
--- a/charts/crunchy-postgres/README.md
+++ b/charts/crunchy-postgres/README.md
@@ -10,7 +10,8 @@ A chart to provision a [Crunchy Postgres](https://www.crunchydata.com/) cluster.
 | ------------------ | ---------------------- | ------------------ |
 | `fullnameOverride` | Override release name | `crunchy-postgres` |
 | `crunchyImage` | Crunchy Postgres image | |
-| `postgresVersion` | Postgres version | `14` |
+| `postgresVersion` | Postgres version | `15` |
+| `isNSX` | Cluster networking | `false` |
 ---
diff --git a/charts/crunchy-postgres/templates/_helpers.tpl b/charts/crunchy-postgres/templates/_helpers.tpl
index 584e9ad..fba50a6 100644
--- a/charts/crunchy-postgres/templates/_helpers.tpl
+++ b/charts/crunchy-postgres/templates/_helpers.tpl
@@ -40,6 +40,9 @@ helm.sh/chart: {{ include "crunchy-postgres.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.isNSX }}
+DataClass: Medium
+{{- end }}
 {{- end }}
 {{/*
diff --git a/charts/crunchy-postgres/values.yaml b/charts/crunchy-postgres/values.yaml
index 6959ac5..4650053 100644
--- a/charts/crunchy-postgres/values.yaml
+++ b/charts/crunchy-postgres/values.yaml
@@ -3,6 +3,10 @@ fullnameOverride: crunchy-postgres
 crunchyImage: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default
 #crunchyImage: artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-postgres-gis:ubi8-15.2-3.3-0 # use this image for POSTGIS
 postgresVersion: 15
+#
+# Set isNSX to true when deploying to an NSX cluster (Emerald, KLAB2)
+isNSX: false
+#
 #postGISVersion: '3.3' # use this version of POSTGIS. both crunchyImage and this property needs to have valid values for POSTGIS to be enabled.
 imagePullPolicy: IfNotPresent
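Review bot: `DataClass: Medium` is hard-coded inside the shared labels helper, so every resource that includes `crunchy-postgres.labels` receives that exact label whenever `isNSX` is true, with no way to pick a different class per deployment; consider reading it from a value with the current literal as the default, e.g. `DataClass: {{ .Values.dataClass | default "Medium" }}` (`dataClass` is a proposed key, not one the chart has today). Nothing in the helper says why the label exists, so a one-line template comment above the block would help, e.g. `{{/* Added only on NSX clusters; see isNSX in values.yaml */}}`. The README row added in the same commit describes `isNSX` only as "Cluster networking", which does not tell a reader that a label is attached to every labelled resource. The `crunchy-postgres.labels` define begins before this hunk.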
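Review bot: The new switch is a top-level `isNSX` in this chart but `networking.isNSX` in the tools chart changed by the same commit, and both comments name the same clusters (Emerald, KLAB2), so the two differing key paths are easy to set inconsistently when the charts are deployed together. Consider using the same path in both charts, or at least cross-referencing in the comment: `# Set isNSX to true when deploying to an NSX cluster (Emerald, KLAB2); the tools chart has the matching networking.isNSX switch`. The bare `#` separator lines above and below the new key carry no text and could simply be blank lines, matching how the rest of the file is spaced.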
diff --git a/charts/tools/README.md b/charts/tools/README.md
index efc8191..38b5f0d 100644
--- a/charts/tools/README.md
+++ b/charts/tools/README.md
@@ -61,6 +61,16 @@ Pod network policy to allow pods to accept traffic from other pods in this names
 ---
+#### Additional network configuration for NSX clusters
+
+Set to 'true' to enable network configuration required in the NSX clusters (Emerald, KLAB2)
+
+| Parameter | Description | Default |
+| ------------------- | -------------------------------------------- | ------- |
+| `networking.isNSX` | Enable operator ingress and DataClass labels | `false` |
+
+---
+
 #### Route
 OpenShift route whitch allows you to host your application at a public URL.
diff --git a/charts/tools/templates/networking/networkPolicy.yaml b/charts/tools/templates/networking/networkPolicy.yaml
index 56b5d77..c60c7de 100644
--- a/charts/tools/templates/networking/networkPolicy.yaml
+++ b/charts/tools/templates/networking/networkPolicy.yaml
@@ -11,6 +11,7 @@ spec:
 # to accept traffic from the OpenShift router pods. This is
 # required for things outside of OpenShift (like the Internet)
 # to reach your pods.
+{{- if not .Values.networking.isNSX }}
 ingress:
 - from:
 - namespaceSelector:
@@ -19,5 +20,20 @@ spec:
 podSelector: {}
 policyTypes:
 - Ingress
-
+{{- else }}
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ network.openshift.io/policy-group: ingress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ network.openshift.io/policy-group: ingress
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+{{- end -}}
 {{- end }}
diff --git a/charts/tools/templates/networking/operatorPolicy.yaml b/charts/tools/templates/networking/operatorPolicy.yaml
new file mode 100644
index 0000000..f0bc87b
--- /dev/null
+++ b/charts/tools/templates/networking/operatorPolicy.yaml
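Review bot: The NSX branch adds `Egress` to `policyTypes`, which makes egress default-deny for every pod selected by `podSelector: {}` except the single rule to the router namespace; nothing in this hunk, nor in the podNetworkPolicy.yaml and operatorPolicy.yaml hunks of this commit, allows egress to cluster DNS, so name resolution from these pods would be blocked unless a policy outside this diff permits it — worth confirming before anyone sets `networking.isNSX: true`. The `ingress` block is repeated verbatim in both branches and only `egress` and `policyTypes` differ, so wrapping just those two keys in `{{- if .Values.networking.isNSX }}` would remove the duplication and keep the explanatory comment in the first hunk accurate for both cases. The purpose of the egress rule to the router namespace is not stated anywhere; a comment above `egress:` saying what traffic it carries would help, but I cannot tell from the diff what that traffic is. The enclosing `{{ if }}` begins before these hunks.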
@@ -0,0 +1,33 @@
+{{- if and .Values.networking.networkPolicy.enabled .Values.networking.isNSX (ne .Release.Namespace .Values.provisioner.namespace) }}
+
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ or .Values.deploymentName .Release.Name }}-operator
+ labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4}}
+spec:
+ # This policy allows the operator to reach the Crunchy pods
+ egress:
+ - ports:
+ - port: 8432
+ protocol: TCP
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-bcgov-crunchy
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-bcgov-crunchy
+ ports:
+ - port: 8432
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: crunchy-postgres
+ policyTypes:
+ - Egress
+ - Ingress
+{{- end }}
diff --git a/charts/tools/templates/networking/podNetworkPolicy.yaml b/charts/tools/templates/networking/podNetworkPolicy.yaml
index b706a96..b6eb316 100644
--- a/charts/tools/templates/networking/podNetworkPolicy.yaml
+++ b/charts/tools/templates/networking/podNetworkPolicy.yaml
@@ -7,10 +7,24 @@ metadata:
 labels:
 {{ include "crunchy-postgres-tools.labels" . | indent 4}}
 spec:
+{{- if not .Values.networking.isNSX }}
 # This policy allows pods to accept traffic from other pods in this namespace
 ingress:
 - from:
 - podSelector: {}
 podSelector: {}
+{{- else }}
+ # This policy allows pods to accept traffic from other pods in this namespace
+ egress:
+ - to:
+ - podSelector: {}
+ ingress:
+ - from:
+ - podSelector: {}
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+{{- end -}}
 {{ end }}
diff --git a/charts/tools/values.yaml b/charts/tools/values.yaml
index 0cd0cf4..dc9e55b 100644
--- a/charts/tools/values.yaml
+++ b/charts/tools/values.yaml
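Review bot: The operator namespace `openshift-bcgov-crunchy` and port `8432` are hard-coded in both the egress and ingress rules, so a cluster where the operator lives elsewhere needs a template edit rather than a value; consider values with the current literals as defaults, e.g. `kubernetes.io/metadata.name: {{ .Values.networking.operatorNamespace | default "openshift-bcgov-crunchy" }}` (`operatorNamespace` is a proposed key). The guard `(ne .Release.Namespace .Values.provisioner.namespace)` depends on `provisioner.namespace`, which the values.yaml hunk in this commit leaves empty, so unless the installer always supplies it the comparison is against null, is always true, and the policy is rendered in every namespace including the one the guard appears meant to skip. The ingress rule admits any pod in the operator namespace on 8432; if the operator pods carry a stable label, a `podSelector` alongside the `namespaceSelector` would narrow it to the operator itself, though I cannot see those labels from here. The comment `# This policy allows the operator to reach the Crunchy pods` sits above the egress rule but describes the ingress one; suggest `# egress: Crunchy pods -> operator namespace on 8432; ingress: operator namespace -> Crunchy pods on 8432`.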
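Review bot: The comment copied into the NSX branch, `# This policy allows pods to accept traffic from other pods in this namespace`, no longer matches the rule under it, which also permits egress to pods in the namespace and, through `policyTypes`, makes all other egress from these pods default-deny; suggest `# On NSX clusters this policy lets pods in this namespace both accept traffic from and send traffic to each other; any other egress is denied unless another policy allows it`. As in networkPolicy.yaml, only `egress` and `policyTypes` differ between the two branches, so the shared `ingress` and `podSelector` lines could stay outside the conditional. The enclosing `{{ if }}` begins before this hunk.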
@@ -8,7 +8,7 @@ deployer:
 # Enable the provisioner service account which is used to deploy services to our other namespaces (dev/test/prod)
 # The tools namespace needs to be passed in so we know which namespace to install the service account in and the rolebindings get proper permissions
 provisioner:
- namespace: #tools-namespace
+ namespace: #
 serviceAccount:
 enabled: true
@@ -18,6 +18,10 @@ linter:
 enabled: true
 networking:
+ #
+ # Set isNSX to true if deploying to KLAB2 or Emerald, otherwise leave false
+ isNSX: false
+ #
 # Network policy to allow traffic from outside the namespace (like the internet)
 networkPolicy:
 enabled: true
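Review bot: `namespace: #` drops the only hint of what belongs in `provisioner.namespace` and leaves the value null by default, yet the new operatorPolicy.yaml template in this commit compares `.Release.Namespace` against it, so the value is not inert when `networking.isNSX` is true. If it must be supplied in that case, say so on the line rather than leaving a bare `#`: `namespace: # the tools namespace this chart is installed into; required when networking.isNSX is true`. The comment two lines above already says the tools namespace "needs to be passed in", so keeping the placeholder text would cost nothing.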