diff --git a/bitnami/prometheus/Chart.yaml b/bitnami/prometheus/Chart.yaml
index c38279bbe46152..bd66c7ac79102e 100644
--- a/bitnami/prometheus/Chart.yaml
+++ b/bitnami/prometheus/Chart.yaml
@@ -35,4 +35,4 @@ sources:
 - https://github.com/bitnami/containers/tree/main/bitnami/prometheus
 - https://github.com/prometheus/prometheus
 - https://github.com/prometheus-community/helm-charts
-version: 1.0.12
+version: 1.2.0
diff --git a/bitnami/prometheus/README.md b/bitnami/prometheus/README.md
index 1cc218205bb306..98bde0646380f6 100644
--- a/bitnami/prometheus/README.md
+++ b/bitnami/prometheus/README.md
@@ -433,10 +433,12 @@ server:
 | `alertmanager.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
 | `alertmanager.networkPolicy.allowExternal` | Don't require alertmanager label for connections | `true` |
 | `alertmanager.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `alertmanager.networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `alertmanager.networkPolicy.allowExternal` is true. | `true` |
 | `alertmanager.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `alertmanager.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
-| `alertmanager.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
-| `alertmanager.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+| `alertmanager.networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `alertmanager.networkPolicy.allowExternal` is true. | `{}` |
+| `alertmanager.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `alertmanager.networkPolicy.allowExternal` is true. | `{}` |
+| `alertmanager.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `alertmanager.networkPolicy.allowExternal` is true. | `{}` |
 | `alertmanager.service.type` | Alertmanager service type | `LoadBalancer` |
 | `alertmanager.service.ports.http` | Alertmanager service HTTP port | `80` |
 | `alertmanager.service.ports.cluster` | Alertmanager cluster HA port | `9094` |
@@ -640,10 +642,12 @@ server:
 | `server.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
 | `server.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
 | `server.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `server.networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `server.networkPolicy.allowExternal` is true. | `true` |
 | `server.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `server.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
-| `server.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
-| `server.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+| `server.networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `server.networkPolicy.allowExternal` is true. | `{}` |
+| `server.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `server.networkPolicy.allowExternal` is true. | `{}` |
+| `server.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `server.networkPolicy.allowExternal` is true. | `{}` |
 | `server.service.type` | Prometheus service type | `LoadBalancer` |
 | `server.service.ports.http` | Prometheus service HTTP port | `80` |
 | `server.service.nodePorts.http` | Node port for HTTP | `""` |
diff --git a/bitnami/prometheus/templates/alertmanager/networkpolicy.yaml b/bitnami/prometheus/templates/alertmanager/networkpolicy.yaml
index 223e931e807c2e..47c3cf25121985 100644
--- a/bitnami/prometheus/templates/alertmanager/networkpolicy.yaml
+++ b/bitnami/prometheus/templates/alertmanager/networkpolicy.yaml
@@ -46,21 +46,21 @@ spec:
 from:
 - podSelector:
 matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ {{- if .Values.alertmanager.networkPolicy.addExternalClientAccess }}
 - podSelector:
- matchLabels:
- {{ template "prometheus.alertmanager.fullname" . }}-client: "true"
+ matchLabels:
+ {{ template "common.names.fullname" . }}-client: "true"
+ {{- end }}
+ {{- if .Values.alertmanager.networkPolicy.ingressPodMatchLabels }}
+ - podSelector:
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.alertmanager.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }}
+ {{- end }}
 {{- if .Values.alertmanager.networkPolicy.ingressNSMatchLabels }}
 - namespaceSelector:
- matchLabels:
- {{- range $key, $value := .Values.alertmanager.networkPolicy.ingressNSMatchLabels }}
- {{ $key | quote }}: {{ $value | quote }}
- {{- end }}
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSMatchLabels "context" $ ) | nindent 14 }}
 {{- if .Values.alertmanager.networkPolicy.ingressNSPodMatchLabels }}
 podSelector:
- matchLabels:
- {{- range $key, $value := .Values.alertmanager.networkPolicy.ingressNSPodMatchLabels }}
- {{ $key | quote }}: {{ $value | quote }}
- {{- end }}
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSPodMatchLabels "context" $ ) | nindent 14 }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/bitnami/prometheus/templates/server/networkpolicy.yaml b/bitnami/prometheus/templates/server/networkpolicy.yaml
index 1bb99245ae65a1..3fa4fbb9dc8e3f 100644
--- a/bitnami/prometheus/templates/server/networkpolicy.yaml
+++ b/bitnami/prometheus/templates/server/networkpolicy.yaml
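Review bot: `$ingressNSMatchLabels` and `$ingressNSPodMatchLabels` in the two new `matchLabels:` lines are not assigned anywhere in this hunk, while the `if` guards around them still test `.Values.alertmanager.networkPolicy.ingressNSMatchLabels` and `.Values.alertmanager.networkPolicy.ingressNSPodMatchLabels`. Unless both variables are defined earlier in the template, outside the hunk, Go templates reject an undefined variable at parse time and the chart would fail to render. Passing the value the guard already tests avoids the dependency: `(dict "value" .Values.alertmanager.networkPolicy.ingressNSMatchLabels "context" $ )`, and likewise for `ingressNSPodMatchLabels`. The hunk in templates/server/networkpolicy.yaml has the same two references.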
@@ -51,21 +51,21 @@ spec:
 from:
 - podSelector:
 matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ {{- if .Values.server.networkPolicy.addExternalClientAccess }}
 - podSelector:
- matchLabels:
- {{ template "prometheus.server.fullname" . }}-client: "true"
+ matchLabels:
+ {{ template "common.names.fullname" . }}-client: "true"
+ {{- end }}
+ {{- if .Values.server.networkPolicy.ingressPodMatchLabels }}
+ - podSelector:
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.server.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }}
+ {{- end }}
 {{- if .Values.server.networkPolicy.ingressNSMatchLabels }}
 - namespaceSelector:
- matchLabels:
- {{- range $key, $value := .Values.server.networkPolicy.ingressNSMatchLabels }}
- {{ $key | quote }}: {{ $value | quote }}
- {{- end }}
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSMatchLabels "context" $ ) | nindent 14 }}
 {{- if .Values.server.networkPolicy.ingressNSPodMatchLabels }}
 podSelector:
- matchLabels:
- {{- range $key, $value := .Values.server.networkPolicy.ingressNSPodMatchLabels }}
- {{ $key | quote }}: {{ $value | quote }}
- {{- end }}
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSPodMatchLabels "context" $ ) | nindent 14 }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/bitnami/prometheus/values.yaml b/bitnami/prometheus/values.yaml
index e6b3d830a96319..7f4547feeb24f9 100644
--- a/bitnami/prometheus/values.yaml
+++ b/bitnami/prometheus/values.yaml
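Review bot: The client label key under `addExternalClientAccess` switches from `prometheus.server.fullname` to `common.names.fullname`, and the alertmanager hunk makes the same switch, so both policies now appear to admit the same `<fullname>-client: "true"` label. A pod labelled for access to one component would then be admitted by the other policy as well, and pods carrying the previous component-specific label would stop matching after an upgrade. If per-component scoping is intended, keep `{{ template "prometheus.server.fullname" . }}-client: "true"` here; otherwise the key change deserves a line in the upgrade notes. The condition that encloses this `from:` list starts outside the hunk.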
@@ -520,6 +520,9 @@ alertmanager:
 ## @param alertmanager.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
 ##
 allowExternalEgress: true
+ ## @param alertmanager.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `alertmanager.networkPolicy.allowExternal` is true.
+ ##
+ addExternalClientAccess: true
 ## @param alertmanager.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
 ## e.g:
 ## extraIngress:
@@ -553,8 +556,14 @@ alertmanager:
 ## - frontend
 ##
 extraEgress: []
- ## @param alertmanager.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
- ## @param alertmanager.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ## @param alertmanager.networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `alertmanager.networkPolicy.allowExternal` is true.
+ ## e.g:
+ ## ingressPodMatchLabels:
+ ## my-client: "true"
+ #
+ ingressPodMatchLabels: {}
+ ## @param alertmanager.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `alertmanager.networkPolicy.allowExternal` is true.
+ ## @param alertmanager.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `alertmanager.networkPolicy.allowExternal` is true.
 ##
 ingressNSMatchLabels: {}
 ingressNSPodMatchLabels: {}
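Review bot: The new `addExternalClientAccess` comment says only "client label" and never names the key, although that key is what an operator must know to see which pod label grants ingress. The template change on this page renders it as `{{ template "common.names.fullname" . }}-client`, so the comment could read `## @param alertmanager.networkPolicy.addExternalClientAccess Allow access from pods labelled "<fullname>-client: true". Ignored if allowExternal is true.` The server block in the later hunks uses the same wording. In the second hunk the lone `#` after the `ingressPodMatchLabels` example departs from the `##` convention used by every other comment line here.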
@@ -1476,6 +1485,9 @@ server:
 ## @param server.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
 ##
 allowExternalEgress: true
+ ## @param server.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `server.networkPolicy.allowExternal` is true.
+ ##
+ addExternalClientAccess: true
 ## @param server.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
 ## e.g:
 ## extraIngress:
@@ -1509,8 +1521,14 @@ server:
 ## - frontend
 ##
 extraEgress: []
- ## @param server.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
- ## @param server.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ## @param server.networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `server.networkPolicy.allowExternal` is true.
+ ## e.g:
+ ## ingressPodMatchLabels:
+ ## my-client: "true"
+ #
+ ingressPodMatchLabels: {}
+ ## @param server.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `server.networkPolicy.allowExternal` is true.
+ ## @param server.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `server.networkPolicy.allowExternal` is true.
 ##
 ingressNSMatchLabels: {}
 ingressNSPodMatchLabels: {}