From f736b2c682eb943deb737a9722e81c01724d8d3f Mon Sep 17 00:00:00 2001 From: Ian Watts Date: Mon, 8 Jul 2024 16:40:40 -0400 Subject: [PATCH 1/8] Testing --- charts/tools/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/tools/values.yaml b/charts/tools/values.yaml index 0cd0cf4..545e84c 100644 --- a/charts/tools/values.yaml +++ b/charts/tools/values.yaml @@ -8,7 +8,7 @@ deployer: # Enable the provisioner service account which is used to deploy services to our other namespaces (dev/test/prod) # The tools namespace needs to be passed in so we know which namespace to install the service account in and the rolebindings get proper permissions provisioner: - namespace: #tools-namespace + namespace: e95e89-tools serviceAccount: enabled: true From 96ee5717a8cc444be0aab63280b940fcfb7c9743 Mon Sep 17 00:00:00 2001 From: Ian Watts Date: Fri, 26 Jul 2024 15:38:05 -0700 Subject: [PATCH 2/8] Testing postgres14 with PGO5.5 --- charts/crunchy-postgres/README.md | 3 +- .../crunchy-postgres/templates/_helpers.tpl | 3 ++ charts/crunchy-postgres/values.yaml | 8 ++++- charts/tools/README.md | 10 ++++++ .../templates/networking/networkPolicy.yaml | 20 +++++++++-- .../templates/networking/operatorPolicy.yaml | 33 +++++++++++++++++++ .../networking/podNetworkPolicy.yaml | 16 ++++++++- charts/tools/values.yaml | 4 ++- 8 files changed, 91 insertions(+), 6 deletions(-) create mode 100644 charts/tools/templates/networking/operatorPolicy.yaml diff --git a/charts/crunchy-postgres/README.md b/charts/crunchy-postgres/README.md index aee58b6..4e91698 100644 --- a/charts/crunchy-postgres/README.md +++ b/charts/crunchy-postgres/README.md 
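Review bot: `namespace: e95e89-tools` commits one environment's namespace as the chart-wide default, so any consumer that installs this chart without overriding the value would have the provisioner service account and role bindings aimed at that namespace (the comment two lines up says that is exactly what this value drives). The later patches in this series (2/8 sets it to `""`, 4/8 to a bare value) reset it, so the series as a whole is fine, but this hunk should not be cherry-picked on its own. The `deployer:` stanza this sits in continues outside the hunk.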
@@ -10,7 +10,8 @@ A chart to provision a [Crunchy Postgres](https://www.crunchydata.com/) cluster. | ------------------ | ---------------------- | ------------------ | | `fullnameOverride` | Override release name | `crunchy-postgres` | | `crunchyImage` | Crunchy Postgres image | | -| `postgresVersion` | Postgres version | `14` | +| `postgresVersion` | Postgres version | `15` | +| `isNSX` | Cluster networking | `false` | --- diff --git a/charts/crunchy-postgres/templates/_helpers.tpl b/charts/crunchy-postgres/templates/_helpers.tpl index 584e9ad..fba50a6 100644 --- a/charts/crunchy-postgres/templates/_helpers.tpl +++ b/charts/crunchy-postgres/templates/_helpers.tpl @@ -40,6 +40,9 @@ helm.sh/chart: {{ include "crunchy-postgres.chart" . }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Values.isNSX }} +DataClass: Medium +{{- end }} {{- end }} {{/* diff --git a/charts/crunchy-postgres/values.yaml b/charts/crunchy-postgres/values.yaml index 6959ac5..14c0814 100644 --- a/charts/crunchy-postgres/values.yaml +++ b/charts/crunchy-postgres/values.yaml @@ -2,7 +2,11 @@ fullnameOverride: crunchy-postgres crunchyImage: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default #crunchyImage: artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-postgres-gis:ubi8-15.2-3.3-0 # use this image for POSTGIS +# If setting postgresVersion to 14, also uncomment the pgbackrest image at +# .pgBackRest.image below postgresVersion: 15 +# Set isNSX to true when deploying to an NSX cluster (Emerald, KLAB2) +isNSX: false #postGISVersion: '3.3' # use this version of POSTGIS. both crunchyImage and this property needs to have valid values for POSTGIS to be enabled. imagePullPolicy: IfNotPresent 
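Review bot: `DataClass: Medium` is hard-coded into the shared labels helper in `_helpers.tpl`, so every object that takes these labels carries the same classification whenever `isNSX` is true; the README hunk describes this label as network configuration required on NSX clusters, so a cluster or workload with a different classification requirement would need a chart edit rather than a value override. Consider `DataClass: {{ .Values.dataClass | default "Medium" }}` (value name is a suggestion) and a one-line comment above the `if`, e.g. `{{/* NSX clusters read the DataClass label; Medium unless overridden */}}`. The `define` block this lives in starts and ends outside the hunk.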
@@ -48,7 +52,9 @@ dataSource: stanza: db pgBackRest: - image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default + # If using Postgres 14 with version 5.5 of the Postgres Operator, uncomment + # the following image line, otherwise leave it commented out. + #image: "artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-pgbackrest:ubi8-2.49-0" retention: "2" # Ideally a larger number such as 30 backups/days # If retention-full-type set to 'count' then the oldest backups will expire when the number of backups reach the number defined in retention # If retention-full-type set to 'time' then the number defined in retention will take that many days worth of full backups before expiration diff --git a/charts/tools/README.md b/charts/tools/README.md index efc8191..b198384 100644 --- a/charts/tools/README.md +++ b/charts/tools/README.md @@ -61,6 +61,16 @@ Pod network policy to allow pods to accept traffic from other pods in this names --- +#### Additional network configuration for NSX clusters + +Set to 'true' to enable network configuration required in the NSX clusters (Emerald, KLAB2) + +| Parameter | Description | Default | +| -------------------| -------------------------------------------- | ------- | +| `networking.isNSX` | Enable operator ingress and DataClass labels | `false` | + +--- + #### Route OpenShift route whitch allows you to host your application at a public URL. diff --git a/charts/tools/templates/networking/networkPolicy.yaml b/charts/tools/templates/networking/networkPolicy.yaml index 56b5d77..56b2b22 100644 --- a/charts/tools/templates/networking/networkPolicy.yaml +++ b/charts/tools/templates/networking/networkPolicy.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.networking.networkPolicy.enabled (ne .Release.Namespace .Values.provisioner.namespace) }} +{{- if .Values.networking.networkPolicy.enabled }} kind: NetworkPolicy apiVersion: networking.k8s.io/v1 
@@ -11,6 +11,7 @@ spec: # to accept traffic from the OpenShift router pods. This is # required for things outside of OpenShift (like the Internet) # to reach your pods. +{{- if not .Values.networking.isNSX }} ingress: - from: - namespaceSelector: @@ -19,5 +20,20 @@ spec: podSelector: {} policyTypes: - Ingress - +{{- else }} + ingress: + - from: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: ingress + egress: + - to: + - namespaceSelector: + matchLabels: + network.openshift.io/policy-group: ingress + podSelector: {} + policyTypes: + - Ingress + - Egress +{{- end -}} {{- end }} diff --git a/charts/tools/templates/networking/operatorPolicy.yaml b/charts/tools/templates/networking/operatorPolicy.yaml new file mode 100644 index 0000000..f760246 --- /dev/null +++ b/charts/tools/templates/networking/operatorPolicy.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.networking.networkPolicy.enabled .Values.networking.isNSX }} + +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ or .Values.deploymentName .Release.Name }}-operator + labels: +{{ include "crunchy-postgres-tools.labels" . | indent 4}} +spec: + # This policy allows the operator to reach the Crunchy pods + egress: + - ports: + - port: 8432 + protocol: TCP + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-bcgov-crunchy + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-bcgov-crunchy + ports: + - port: 8432 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/name: crunchy-postgres + policyTypes: + - Egress + - Ingress +{{- end }} diff --git a/charts/tools/templates/networking/podNetworkPolicy.yaml b/charts/tools/templates/networking/podNetworkPolicy.yaml index b706a96..85862d2 100644 --- a/charts/tools/templates/networking/podNetworkPolicy.yaml +++ b/charts/tools/templates/networking/podNetworkPolicy.yaml 
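Review bot: In the NSX branch of networkPolicy.yaml, listing `Egress` in `policyTypes` for a policy whose `podSelector` is `{}` switches every pod in the namespace to default-deny egress, and the only egress this hunk allows is to the `network.openshift.io/policy-group: ingress` namespace; the NSX branch of podNetworkPolicy.yaml in the next patch hunk only adds same-namespace egress on top of that. Unless a policy outside this chart permits it, DNS to the cluster resolver and any off-cluster destination (for example a pgBackRest repo target) would be blocked for the Crunchy pods on KLAB2/Emerald — worth confirming on a rendered deploy. If a cluster-level policy is relied on for that, say so above `{{- else }}`, e.g. `# NSX: egress default-deny applies here; DNS/external egress comes from a cluster-level policy (name it)`.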
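Review bot: The `egress` rule in the new operatorPolicy.yaml selects the whole `openshift-bcgov-crunchy` namespace with no `podSelector`, so the Crunchy pods may open port 8432 to any pod in that namespace, not only the operator; if the operator pod's labels are known, a `podSelector` under `to:` (and symmetrically under `from:`) keeps this at least privilege. The comment `# This policy allows the operator to reach the Crunchy pods` sits above `egress`, which is the outbound direction from the Crunchy pods; the ingress rule is the one that lets the operator in, so move the comment there or make it `# egress: Crunchy pods -> operator namespace on 8432; ingress: operator namespace -> Crunchy pods on 8432`. `spec.podSelector` also depends on `app.kubernetes.io/name: crunchy-postgres` being present on the Postgres pods themselves rather than only on the PostgresCluster object; that propagation is not visible in this series, so confirm it on a rendered deployment, otherwise the policy applies to no pods.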
@@ -1,4 +1,4 @@ -{{- if and .Values.networking.podNetworkPolicy.enabled (ne .Release.Namespace .Values.provisioner.namespace) }} +{{- if .Values.networking.podNetworkPolicy.enabled }} kind: NetworkPolicy apiVersion: networking.k8s.io/v1 @@ -7,10 +7,24 @@ metadata: labels: {{ include "crunchy-postgres-tools.labels" . | indent 4}} spec: +{{- if not .Values.networking.isNSX }} # This policy allows pods to accept traffic from other pods in this namespace ingress: - from: - podSelector: {} podSelector: {} +{{- else }} + # This policy allows pods to accept traffic from other pods in this namespace + egress: + - to: + - podSelector: {} + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress + - Egress +{{- end -}} {{ end }} diff --git a/charts/tools/values.yaml b/charts/tools/values.yaml index 545e84c..10215f3 100644 --- a/charts/tools/values.yaml +++ b/charts/tools/values.yaml @@ -8,7 +8,7 @@ deployer: # Enable the provisioner service account which is used to deploy services to our other namespaces (dev/test/prod) # The tools namespace needs to be passed in so we know which namespace to install the service account in and the rolebindings get proper permissions provisioner: - namespace: e95e89-tools + namespace: "" serviceAccount: enabled: true @@ -18,6 +18,8 @@ linter: enabled: true networking: + # Set isNSX to true if deploying to KLAB2 or Emerald, otherwise leave false + isNSX: false # Network policy to allow traffic from outside the namespace (like the internet) networkPolicy: enabled: true From 29e355478f9f2f86fe10a35973ab13758a69fe34 Mon Sep 17 00:00:00 2001 From: Ian Watts Date: Fri, 26 Jul 2024 15:58:40 -0700 Subject: [PATCH 3/8] Re-add template conditions for netpols --- charts/tools/templates/networking/networkPolicy.yaml | 2 +- charts/tools/templates/networking/operatorPolicy.yaml | 2 +- charts/tools/templates/networking/podNetworkPolicy.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/charts/tools/templates/networking/networkPolicy.yaml b/charts/tools/templates/networking/networkPolicy.yaml index 56b2b22..c60c7de 100644 --- a/charts/tools/templates/networking/networkPolicy.yaml +++ b/charts/tools/templates/networking/networkPolicy.yaml @@ -1,4 +1,4 @@ -{{- if .Values.networking.networkPolicy.enabled }} +{{- if and .Values.networking.networkPolicy.enabled (ne .Release.Namespace .Values.provisioner.namespace) }} kind: NetworkPolicy apiVersion: networking.k8s.io/v1 diff --git a/charts/tools/templates/networking/operatorPolicy.yaml b/charts/tools/templates/networking/operatorPolicy.yaml index f760246..f0bc87b 100644 --- a/charts/tools/templates/networking/operatorPolicy.yaml +++ b/charts/tools/templates/networking/operatorPolicy.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.networking.networkPolicy.enabled .Values.networking.isNSX }} +{{- if and .Values.networking.networkPolicy.enabled .Values.networking.isNSX (ne .Release.Namespace .Values.provisioner.namespace) }} kind: NetworkPolicy apiVersion: networking.k8s.io/v1 diff --git a/charts/tools/templates/networking/podNetworkPolicy.yaml b/charts/tools/templates/networking/podNetworkPolicy.yaml index 85862d2..3374cab 100644 --- a/charts/tools/templates/networking/podNetworkPolicy.yaml +++ b/charts/tools/templates/networking/podNetworkPolicy.yaml @@ -1,4 +1,4 @@ -{{- if .Values.networking.podNetworkPolicy.enabled }} +{{- if and .Values.networking.podNetworkPolicy.enabled (ne .Release.Namespace .Values.provisioner.namespace) }} kind: NetworkPolicy apiVersion: networking.k8s.io/v1 From 25ec8a7765e7ecb36f3ae0ebc4cde96a56bc23eb Mon Sep 17 00:00:00 2001 From: Ian Watts Date: Fri, 26 Jul 2024 16:08:13 -0700 Subject: [PATCH 4/8] Troubleshooting --- charts/tools/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/tools/values.yaml b/charts/tools/values.yaml index 10215f3..2f26b46 100644 --- a/charts/tools/values.yaml +++ b/charts/tools/values.yaml 
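Review bot: `(ne .Release.Namespace .Values.provisioner.namespace)` only suppresses these policies in the tools namespace when `provisioner.namespace` is actually set; with the chart default (`""` at this point in the series, a bare null after PATCH 4/8) the comparison is true for every real namespace, so a release installed into the tools namespace without that value still gets all three policies. The same guard is re-added in the operatorPolicy.yaml and podNetworkPolicy.yaml hunks of this patch, so this applies to all three. If that fallback is intended, document it once above each condition, e.g. `{{/* skipped in the tools namespace; only effective when provisioner.namespace is set */}}`; if not, fail early with Helm's `required` on the value before the comparison.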
@@ -8,7 +8,7 @@ deployer: # Enable the provisioner service account which is used to deploy services to our other namespaces (dev/test/prod) # The tools namespace needs to be passed in so we know which namespace to install the service account in and the rolebindings get proper permissions provisioner: - namespace: "" + namespace: # serviceAccount: enabled: true From 3376e1c0e3dcd4de342ad9e8d2a07ad8f4e7719f Mon Sep 17 00:00:00 2001 From: Ian Watts Date: Mon, 29 Jul 2024 10:41:58 -0700 Subject: [PATCH 5/8] Updates for readability --- charts/crunchy-postgres/values.yaml | 7 ++++++- charts/tools/templates/networking/podNetworkPolicy.yaml | 2 +- charts/tools/values.yaml | 2 ++ 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/charts/crunchy-postgres/values.yaml b/charts/crunchy-postgres/values.yaml index 14c0814..31123db 100644 --- a/charts/crunchy-postgres/values.yaml +++ b/charts/crunchy-postgres/values.yaml @@ -2,11 +2,14 @@ fullnameOverride: crunchy-postgres crunchyImage: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default #crunchyImage: artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-postgres-gis:ubi8-15.2-3.3-0 # use this image for POSTGIS +# # If setting postgresVersion to 14, also uncomment the pgbackrest image at # .pgBackRest.image below postgresVersion: 15 +# # Set isNSX to true when deploying to an NSX cluster (Emerald, KLAB2) isNSX: false +# #postGISVersion: '3.3' # use this version of POSTGIS. both crunchyImage and this property needs to have valid values for POSTGIS to be enabled. imagePullPolicy: IfNotPresent 
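Review bot: `namespace: #` is a bare value, which YAML reads as null rather than the empty string the removed line had, and the trailing `#` with no comment text reads as a leftover placeholder. Prefer the explicit form with a hint of what belongs there, `namespace: ""  # tools namespace, e.g. <project>-tools; used for the provisioner service account, role bindings and the netpol guard`, so the null-vs-empty difference is not left to the template helpers. The `ne .Release.Namespace` checks in the networking templates treat both forms as "not equal" for any real namespace, so the netpol skip still depends on this value being supplied per deployment.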
@@ -52,9 +55,11 @@ dataSource: stanza: db pgBackRest: - # If using Postgres 14 with version 5.5 of the Postgres Operator, uncomment + # + # If using Postgres 14 with version 5.5+ of the Postgres Operator, uncomment # the following image line, otherwise leave it commented out. #image: "artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-pgbackrest:ubi8-2.49-0" + # retention: "2" # Ideally a larger number such as 30 backups/days # If retention-full-type set to 'count' then the oldest backups will expire when the number of backups reach the number defined in retention # If retention-full-type set to 'time' then the number defined in retention will take that many days worth of full backups before expiration diff --git a/charts/tools/templates/networking/podNetworkPolicy.yaml b/charts/tools/templates/networking/podNetworkPolicy.yaml index 3374cab..b6eb316 100644 --- a/charts/tools/templates/networking/podNetworkPolicy.yaml +++ b/charts/tools/templates/networking/podNetworkPolicy.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.networking.podNetworkPolicy.enabled (ne .Release.Namespace .Values.provisioner.namespace) }} +{{- if and .Values.networking.podNetworkPolicy.enabled (ne .Release.Namespace .Values.provisioner.namespace) }} kind: NetworkPolicy apiVersion: networking.k8s.io/v1 diff --git a/charts/tools/values.yaml b/charts/tools/values.yaml index 2f26b46..dc9e55b 100644 --- a/charts/tools/values.yaml +++ b/charts/tools/values.yaml @@ -18,8 +18,10 @@ linter: enabled: true networking: + # # Set isNSX to true if deploying to KLAB2 or Emerald, otherwise leave false isNSX: false + # # Network policy to allow traffic from outside the namespace (like the internet) networkPolicy: enabled: true From a440e5e378333894f250ecab0663124870140e34 Mon Sep 17 00:00:00 2001 
From: Ian Watts Date: Thu, 29 Aug 2024 12:07:55 -0700 Subject: [PATCH 6/8] Undo pgbackrest image change - no longer needed --- charts/crunchy-postgres/values.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/charts/crunchy-postgres/values.yaml b/charts/crunchy-postgres/values.yaml index 31123db..34dbebd 100644 --- a/charts/crunchy-postgres/values.yaml +++ b/charts/crunchy-postgres/values.yaml @@ -55,11 +55,7 @@ dataSource: stanza: db pgBackRest: - # - # If using Postgres 14 with version 5.5+ of the Postgres Operator, uncomment - # the following image line, otherwise leave it commented out. - #image: "artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-pgbackrest:ubi8-2.49-0" - # + image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default retention: "2" # Ideally a larger number such as 30 backups/days # If retention-full-type set to 'count' then the oldest backups will expire when the number of backups reach the number defined in retention # If retention-full-type set to 'time' then the number defined in retention will take that many days worth of full backups before expiration From 89ebe73ca4e043ad8ef70167ff3cc13006d3ca31 Mon Sep 17 00:00:00 2001 From: Ian Watts Date: Thu, 29 Aug 2024 12:09:52 -0700 Subject: [PATCH 7/8] And remove pgbackrest comment --- charts/crunchy-postgres/values.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/charts/crunchy-postgres/values.yaml b/charts/crunchy-postgres/values.yaml index 34dbebd..4650053 100644 --- a/charts/crunchy-postgres/values.yaml +++ b/charts/crunchy-postgres/values.yaml 
@@ -2,9 +2,6 @@ fullnameOverride: crunchy-postgres crunchyImage: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default #crunchyImage: artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-postgres-gis:ubi8-15.2-3.3-0 # use this image for POSTGIS -# -# If setting postgresVersion to 14, also uncomment the pgbackrest image at -# .pgBackRest.image below postgresVersion: 15 # # Set isNSX to true when deploying to an NSX cluster (Emerald, KLAB2) From 4f2bd49a0408eaabe2ee393a942779c384512c85 Mon Sep 17 00:00:00 2001 From: Ian Watts Date: Thu, 29 Aug 2024 12:30:45 -0700 Subject: [PATCH 8/8] Trigger action --- charts/tools/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/tools/README.md b/charts/tools/README.md index b198384..38b5f0d 100644 --- a/charts/tools/README.md +++ b/charts/tools/README.md @@ -65,9 +65,9 @@ Pod network policy to allow pods to accept traffic from other pods in this names Set to 'true' to enable network configuration required in the NSX clusters (Emerald, KLAB2) -| Parameter | Description | Default | -| -------------------| -------------------------------------------- | ------- | -| `networking.isNSX` | Enable operator ingress and DataClass labels | `false` | +| Parameter | Description | Default | +| ------------------- | -------------------------------------------- | ------- | +| `networking.isNSX` | Enable operator ingress and DataClass labels | `false` | ---