WIP: Implementing Network Policy #207

Closed
safaG wants to merge 12 commits from safaG/helm-chart:network-policy into main
First-time contributor

Hi All!

I have created a network policy yaml file and adjusted the helpers.tpl file in order to stop gitea pods from communicating outside of gitea pods. What I have is really basic as I am not a pro with helm charts. Maybe there is another way of doing it better, but this is what I have. What I did was to add the below to the _helpers.tpl file:

```
{{/*
Network Policy labels
*/}}
{{- define "gitea.netpolLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
```

I have added this file to pull the unique label that Gitea creates on all pods. Then I created the networkpolicy.yaml file and used the above label under `matchLabels:` in the networkpolicy.yaml file.

I have tested this with a new deployment and everything seemed to be working fine. However, I am not sure if it will be a breaking change with existing deployments; I have not tested that.

safaG added 2 commits 2021-07-09 15:59:01 +00:00
added network policy
All checks were successful
continuous-integration/drone/pr Build is passing
1fa281bde4
Member

Thanks for your already invested time to provide that PR. Not sure if you like to have a review since the PR is marked as WIP.

Referring to your comment: to prevent such a breaking change the use of NetworkPolicy would need to be configurable with default value `false`. That way it wouldn't change existing installs. There are a few examples in the chart to see how this can be achieved. [See this example](https://gitea.com/gitea/helm-chart/src/branch/master/templates/gitea/statefulset.yaml#L156).
justusbunsi added the kind/security label 2021-11-13 11:49:20 +00:00
justusbunsi changed title from WIP: Security: Implementing Network-Policy to Gitea Pods. to WIP: Implementing Network Policy 2021-11-13 11:49:46 +00:00
Member

@safaG Do you want to continue your work on this pull request? There would be two things to do:

  • Resolve conflicts
  • Disable Network policies by default to prevent breaking changes on existing installations
  • Wrap the template in conditions such as [here](https://gitea.com/gitea/helm-chart/src/branch/master/templates/gitea/servicemonitor.yaml#L1)
  • At least allow customization for the `CIDR` value.
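As an added example (not code from this pull request or from the chart), one way to template a NetworkPolicy that follows the points listed above: off by default, wrapped in a condition, with a configurable CIDR. The `networkPolicy.enabled` and `networkPolicy.ingressCIDR` values keys and the resource name are hypothetical; `gitea.netpolLabels` is the helper from the PR description.

```yaml
{{- if .Values.networkPolicy.enabled }}
# Added example, not the PR's networkpolicy.yaml.
# Assumed (hypothetical) values.yaml keys:
#   networkPolicy:
#     enabled: false     # default off, so existing installs are unchanged
#     ingressCIDR: ""    # optional extra source range allowed to reach the pods
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-netpol
  namespace: {{ .Release.Namespace }}
spec:
  # Apply to every pod of this release, using the helper from the PR description.
  podSelector:
    matchLabels:
      {{- include "gitea.netpolLabels" . | nindent 6 }}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # Pods of the same release (same namespace) may talk to each other.
        - podSelector:
            matchLabels:
              {{- include "gitea.netpolLabels" . | nindent 14 }}
        {{- with .Values.networkPolicy.ingressCIDR }}
        # Optional operator-supplied range; rendered only when the value is set.
        - ipBlock:
            cidr: {{ . | quote }}
        {{- end }}
  egress:
    - to:
        - podSelector:
            matchLabels:
              {{- include "gitea.netpolLabels" . | nindent 14 }}
    # Once Egress is restricted, DNS lookups are dropped unless allowed explicitly.
    - ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
{{- end }}
```

With `enabled: false` the template renders nothing, so `helm template` output for an existing release is unchanged until the operator opts in.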
safaG added 1 commit 2022-03-12 03:18:38 +00:00
adding network policy
Some checks failed
continuous-integration/drone/pr Build is failing
e5b77d36ad
safaG added 1 commit 2022-03-12 03:19:12 +00:00
adding enabled statement & cidr to values
Some checks failed
continuous-integration/drone/pr Build is failing
d3e32a0e60
safaG added 1 commit 2022-03-12 03:45:55 +00:00
adding ending
Some checks failed
continuous-integration/drone/pr Build is failing
ef08cda6a7
safaG added 6 commits 2022-03-12 04:27:08 +00:00
safaG added 1 commit 2022-03-12 04:35:09 +00:00
updating helper file
All checks were successful
continuous-integration/drone/pr Build is passing
c48db96373
Author
First-time contributor

@justusbunsi can we close this PR and move to pull request [306](https://gitea.com/gitea/helm-chart/pulls/306)? I have made the necessary changes there and tested it on my local cluster.
justusbunsi closed this pull request 2022-03-12 08:43:02 +00:00