[bitnami/kafka] * Allow podSelector from any namespaceSelector

[tbotnz]

Description of the change

Allow podSelector from any namespaceSelector to make kafka network policy behave like #12607 in the kafka chart

Benefits

Possible drawbacks

Applicable issues

#12607 #28720

Additional information

Checklist

• Chart version bumped in Chart.yaml according to semver. This is not necessary when the changes only affect README.md files.
• Variables are documented in the values.yaml and added to the README.md using readme-generator-for-helm
• Title of the pull request follows this pattern [bitnami/<name_of_the_chart>] Descriptive title
• All commits signed off and in agreement of Developer Certificate of Origin (DCO)

[carrodher]

Thank you for initiating this pull request. We appreciate your effort. Just a friendly reminder that it's important to sign your commits. Adding your signature certifies that you either authored the patch or have the necessary rights to contribute the changes. You can find detailed information on how to do this in the “Sign your work” section of our contributing guidelines.

Feel free to reach out if you have any questions or need assistance with the signing process.

[tbotnz]

Thanks @carrodher, i've signed the commit as per below but the DCO check still fails.. does it need a newline after or something?

[carrodher]

Following the instructions from the failing action should be enough, it is not needed to add new code. See https://github.com/bitnami/charts/pull/28719/checks?check_run_id=28440524888

[tbotnz]

Thanks @carrodher. Fixed - should be ready for your review now

[tbotnz]

Just wondering if good to merge?

[fmulero]

Hi @tbotnz Thanks a lot for your contibution.

What do you think about applying these changes instead? #26597 Will they cover your needs?

Those changes are in our template (new charts should follow them) and we could apply them here

[tbotnz]

@fmulero i'm trying to move away from having to explicitly label namespaces instead, having a cluster wide pod label only that permits access, in line with how the redis chart works. It does not look like #26597 supports this

[fmulero]

If we apply the #26597 changes here I think you can cover your needs using the value ingressPodMatchLabels (without NS) That value is used to configure a podSelector based on pod labels, no namespace is needed. I think is worth a try.

[tbotnz]

Ok, thanks! when are you targeting release of #26597

[fmulero]

Ok, thanks! when are you targeting release of #26597

Sorry, maybe I didn't explain it very well. #26597 is in our template but that's not mean that we will apply those changes in short term to all our charts. Taking the advantage that you are changing the NetworkPolicy, Do those changes fit your needs? If that the case, Could you apply those changes here instead the solution you adopted?

[tbotnz]

@fmulero have tested this just now and it works, happy to close the PR if you wan't.

In general it'd be good to strive for consistency across charts for this type of thing (ie Redis's netpol still works in line with this PR)

[fmulero]

Hi @tbotnz, I've just created the PR #29274 with the changes I mentioned. Sorry for being so picky but I prefer having those changes instead of these to avoid changing the behaviour in a short period of time mainly when the same value (networkPolicy.ingressNSPodMatchLabels) will be treated in different ways.