Add ingress4netpol-knocking

bmalynovytch · bmalynovytch · commit 3ddeddb0eb8a · 2025-06-03T14:12:46.000+02:00
diff --git a/charts/ingress4netpol-knocking/.helmignore b/charts/ingress4netpol-knocking/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/ingress4netpol-knocking/Chart.yaml b/charts/ingress4netpol-knocking/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v2
+name: ingress4netpol-knocking
+description: Knock the ingress to open the ports on Kubernetes with NetworkPolicies
+version: 0.1.0
diff --git a/charts/ingress4netpol-knocking/templates/_helpers.tpl b/charts/ingress4netpol-knocking/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ingress4netpol-knocking.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ingress4netpol-knocking.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ingress4netpol-knocking.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ingress4netpol-knocking.labels" -}}
+helm.sh/chart: {{ include "ingress4netpol-knocking.chart" . }}
+{{ include "ingress4netpol-knocking.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ingress4netpol-knocking.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ingress4netpol-knocking.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ingress4netpol-knocking.serviceAccountName" -}}
+{{- if .Values.rbac.create }}
+{{- default (include "ingress4netpol-knocking.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/ingress4netpol-knocking/templates/deployment.yaml b/charts/ingress4netpol-knocking/templates/deployment.yaml
@@ -0,0 +1,91 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "ingress4netpol-knocking.fullname" . }}
+  labels:
+    {{- include "ingress4netpol-knocking.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "ingress4netpol-knocking.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "ingress4netpol-knocking.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "ingress4netpol-knocking.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          lifecycle:
+            preStop:
+              exec:
+                command: ["/bin/sh","-c","pkill -ef apache2 ; while pgrep -f apache2 ; do sleep 1 ; done ; /cleanup-network-policies.sh 9999999999"]
+          env:
+          - name: NETPOL_TARGET_LABELS
+            value: {{ range $k, $v := .Values.networkPolicies.targetLabels }}{{ $k }}={{ $v }},{{ end }}
+          - name: NETPOL_OPERATOR_LABELS
+            value: {{ range $k, $v := fromYaml (include "ingress4netpol-knocking.labels" .) }}{{ $k }}={{ $v }},{{ end }}{{ with .Values.podLabels }},{{ range $k, $v := . }},{{ end }}{{ end }}
+          - name: NETPOL_ALLOW_PORTS
+            value: {{ join "," .Values.networkPolicies.allowPorts }}
+          - name: NETPOL_NAME
+            value: {{ .Release.Name }}-{{ .Values.networkPolicies.namePrefix }}
+          - name: NETPOL_DURATION
+            value: {{ .Values.networkPolicies.allowDuration | quote }}
+          - name: NETPOL_NAMESPACE
+            value: {{ .Release.Namespace }}
+          {{- with .Values.networkPolicies.proxyHeader }}
+          - name: NETPOL_PROXY_HEADER
+            value: {{ . }}
+          {{- end }}
+          {{- with .Values.networkPolicies.trustedProxies }}
+          - name: NETPOL_TRUSTED_PROXIES
+            value: {{ join "," . | quote }}
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/charts/ingress4netpol-knocking/templates/ingress.yaml b/charts/ingress4netpol-knocking/templates/ingress.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "ingress4netpol-knocking.fullname" . }}
+  labels:
+    {{- include "ingress4netpol-knocking.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with .Values.ingress.className }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- with .pathType }}
+            pathType: {{ . }}
+            {{- end }}
+            backend:
+              service:
+                name: {{ include "ingress4netpol-knocking.fullname" $ }}
+                port:
+                  number: {{ $.Values.service.port }}
+          {{- end }}
+    {{- end }}
+{{- end }}
diff --git a/charts/ingress4netpol-knocking/templates/rbac.yaml b/charts/ingress4netpol-knocking/templates/rbac.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.rbac.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "ingress4netpol-knocking.serviceAccountName" . }}
+  labels:
+    {{- include "ingress4netpol-knocking.labels" . | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "ingress4netpol-knocking.fullname" . }}
+rules:
+- apiGroups: ["networking.k8s.io"]
+  resources: ["networkpolicies"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "ingress4netpol-knocking.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name:  {{ include "ingress4netpol-knocking.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "ingress4netpol-knocking.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/ingress4netpol-knocking/templates/service.yaml b/charts/ingress4netpol-knocking/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "ingress4netpol-knocking.fullname" . }}
+  labels:
+    {{- include "ingress4netpol-knocking.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "ingress4netpol-knocking.selectorLabels" . | nindent 4 }}
diff --git a/charts/ingress4netpol-knocking/values.yaml b/charts/ingress4netpol-knocking/values.yaml
@@ -0,0 +1,71 @@
+image:
+  repository: admantic/k8s-ingress4netpol-knocking
+  pullPolicy: IfNotPresent
+  tag: v0.1.6
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+rbac:
+  create: true
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts: []
+    # - host: chart-example.local
+    #   paths:
+    #     - path: /CHANGEME-BY-A-RANDOM-STRING
+    #       pathType: Prefix
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+networkPolicies:
+  namePrefix: ingress4netpol-knocking
+  targetLabels: {}
+    # app.kubernetes.io/name: myApp
+    # app.kubernetes.io/managed-by: Helm
+    # release: myRelease
+  allowPorts: []
+  # - 30000/TCP
+  allowDuration: 60 # minutes
+  proxyHeader: ~
+  trustedProxies: [] # single IPs, PHP lib doesn't support CIDR
+
+service:
+  type: ClusterIP
+  port: 80
+
+serviceAccount:
+  annotations: {}
+  name: ""
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext:
+  runAsUser: 0
+  readOnlyRootFilesystem: false
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+tolerations: []
