From e825b76c123e2c1396038b71b99f2e6e3e81e86a Mon Sep 17 00:00:00 2001
From: Ben Foster
Date: Wed, 15 May 2024 08:43:08 -0400
Subject: [PATCH] [bitnami/grafana-tempo] Network policy review

Apply the same changes made in PR #25519 to the Tempo chart

Signed-off-by: Ben Foster
---
 bitnami/grafana-tempo/Chart.yaml | 2 +-
 bitnami/grafana-tempo/README.md | 316 +++++++++---------
 .../templates/compactor/networkpolicy.yaml | 16 +-
 .../templates/distributor/networkpolicy.yaml | 16 +-
 .../templates/ingester/networkpolicy.yaml | 16 +-
 .../metrics-generator/networkpolicy.yaml | 16 +-
 .../templates/querier/networkpolicy.yaml | 16 +-
 .../query-frontend/networkpolicy.yaml | 16 +-
 .../templates/vulture/networkpolicy.yaml | 16 +-
 bitnami/grafana-tempo/values.yaml | 91 ++++-
 10 files changed, 299 insertions(+), 222 deletions(-)

diff --git a/bitnami/grafana-tempo/Chart.yaml b/bitnami/grafana-tempo/Chart.yaml
index 0d011da6b77430..532cd80649b567 100644
--- a/bitnami/grafana-tempo/Chart.yaml
+++ b/bitnami/grafana-tempo/Chart.yaml
@@ -39,4 +39,4 @@ maintainers:
 name: grafana-tempo
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/grafana-tempo
-version: 3.2.0
+version: 3.3.0
diff --git a/bitnami/grafana-tempo/README.md b/bitnami/grafana-tempo/README.md
index 8ed89cd696ed60..a746975f0034a8 100644
--- a/bitnami/grafana-tempo/README.md
+++ b/bitnami/grafana-tempo/README.md
@@ -290,27 +290,29 @@ The [Bitnami grafana-tempo](https://github.com/bitnami/containers/tree/main/bitn ### Compactor Traffic Exposure Parameters -| Name | Description | Value | -| ------------------------------------------------- | ---------------------------------------------------------------- | ----------- | -| `compactor.service.type` | Compactor service type | `ClusterIP` | -| `compactor.service.ports.http` | Compactor HTTP service port | `3200` | -| `compactor.service.ports.grpc` | Compactor GRPC service port | `9095` | -| `compactor.service.nodePorts.http` | Node port for HTTP | `""` | -| `compactor.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `compactor.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `compactor.service.clusterIP` | Compactor service Cluster IP | `""` | -| `compactor.service.loadBalancerIP` | Compactor service Load Balancer IP | `""` | -| `compactor.service.loadBalancerSourceRanges` | Compactor service Load Balancer sources | `[]` | -| `compactor.service.externalTrafficPolicy` | Compactor service external traffic policy | `Cluster` | -| `compactor.service.annotations` | Additional custom annotations for Compactor service | `{}` | -| `compactor.service.extraPorts` | Extra ports to expose in the Compactor service | `[]` | -| `compactor.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | -| `compactor.networkPolicy.allowExternal` | Don't require server label for connections | `true` | -| `compactor.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | -| `compactor.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `compactor.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `compactor.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | -| `compactor.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| Name | Description | Value | +| ------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ----------- | +| `compactor.service.type` | Compactor service type | `ClusterIP` | +| `compactor.service.ports.http` | Compactor HTTP service port | `3200` | +| `compactor.service.ports.grpc` | Compactor GRPC service port | `9095` | +| `compactor.service.nodePorts.http` | Node port for HTTP | `""` | +| `compactor.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `compactor.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `compactor.service.clusterIP` | Compactor service Cluster IP | `""` | +| `compactor.service.loadBalancerIP` | Compactor service Load Balancer IP | `""` | +| `compactor.service.loadBalancerSourceRanges` | Compactor service Load Balancer sources | `[]` | +| `compactor.service.externalTrafficPolicy` | Compactor service external traffic policy | `Cluster` | +| `compactor.service.annotations` | Additional custom annotations for Compactor service | `{}` | +| `compactor.service.extraPorts` | Extra ports to expose in the Compactor service | `[]` | +| `compactor.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `compactor.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `compactor.networkPolicy.allowExternalEgress` | Allow the pod to access 
any range of port and all destinations. | `true` | +| `compactor.networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `compactor.networkPolicy.allowExternal` is true. | `true` | +| `compactor.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `compactor.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `compactor.networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `compactor.networkPolicy.allowExternal` is true. | `{}` | +| `compactor.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `compactor.networkPolicy.allowExternal` is true. | `{}` | +| `compactor.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `compactor.networkPolicy.allowExternal` is true. | `{}` | ### Distributor Deployment Parameters 
@@ -386,28 +388,30 @@ The [Bitnami grafana-tempo](https://github.com/bitnami/containers/tree/main/bitn ### Distributor Traffic Exposure Parameters -| Name | Description | Value | -| --------------------------------------------------- | ---------------------------------------------------------------- | ----------- | -| `distributor.service.type` | Distributor service type | `ClusterIP` | -| `distributor.service.ports.http` | Distributor HTTP service port | `3200` | -| `distributor.service.ports.grpc` | Distributor GRPC service port | `9095` | -| `distributor.service.nodePorts.http` | Node port for HTTP | `""` | -| `distributor.service.nodePorts.grpc` | Node port for GRPC | `""` | -| `distributor.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `distributor.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `distributor.service.clusterIP` | Distributor service Cluster IP | `""` | -| `distributor.service.loadBalancerIP` | Distributor service Load Balancer IP | `""` | -| `distributor.service.loadBalancerSourceRanges` | Distributor service Load Balancer sources | `[]` | -| `distributor.service.externalTrafficPolicy` | Distributor service external traffic policy | `Cluster` | -| `distributor.service.annotations` | Additional custom annotations for Distributor service | `{}` | -| `distributor.service.extraPorts` | Extra ports to expose in the Distributor service | `[]` | -| `distributor.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | -| `distributor.networkPolicy.allowExternal` | Don't require server label for connections | `true` | -| `distributor.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | -| `distributor.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `distributor.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `distributor.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | -| `distributor.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| Name | Description | Value | +| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ----------- | +| `distributor.service.type` | Distributor service type | `ClusterIP` | +| `distributor.service.ports.http` | Distributor HTTP service port | `3200` | +| `distributor.service.ports.grpc` | Distributor GRPC service port | `9095` | +| `distributor.service.nodePorts.http` | Node port for HTTP | `""` | +| `distributor.service.nodePorts.grpc` | Node port for GRPC | `""` | +| `distributor.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `distributor.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `distributor.service.clusterIP` | Distributor service Cluster IP | `""` | +| `distributor.service.loadBalancerIP` | Distributor service Load Balancer IP | `""` | +| `distributor.service.loadBalancerSourceRanges` | Distributor service Load Balancer sources | `[]` | +| `distributor.service.externalTrafficPolicy` | Distributor service external traffic policy | `Cluster` | +| `distributor.service.annotations` | Additional custom annotations for Distributor service | `{}` | +| `distributor.service.extraPorts` | Extra ports to expose in the Distributor service | `[]` | +| `distributor.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `distributor.networkPolicy.allowExternal` | 
Don't require server label for connections | `true` | +| `distributor.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `distributor.networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `distributor.networkPolicy.allowExternal` is true. | `true` | +| `distributor.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `distributor.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `distributor.networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `distributor.networkPolicy.allowExternal` is true. | `{}` | +| `distributor.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `distributor.networkPolicy.allowExternal` is true. | `{}` | +| `distributor.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `distributor.networkPolicy.allowExternal` is true. | `{}` | ### Metrics Generator Deployment Parameters 
@@ -484,27 +488,29 @@ The [Bitnami grafana-tempo](https://github.com/bitnami/containers/tree/main/bitn ### Metrics Generator Traffic Exposure Parameters -| Name | Description | Value | -| -------------------------------------------------------- | ---------------------------------------------------------------- | ----------- | -| `metricsGenerator.service.type` | metricsGenerator service type | `ClusterIP` | -| `metricsGenerator.service.ports.http` | metricsGenerator HTTP service port | `3200` | -| `metricsGenerator.service.ports.grpc` | metricsGenerator GRPC service port | `9095` | -| `metricsGenerator.service.nodePorts.http` | Node port for HTTP | `""` | -| `metricsGenerator.service.nodePorts.grpc` | Node port for GRPC | `""` | -| `metricsGenerator.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `metricsGenerator.service.clusterIP` | metricsGenerator service Cluster IP | `""` | -| `metricsGenerator.service.loadBalancerIP` | metricsGenerator service Load Balancer IP | `""` | -| `metricsGenerator.service.loadBalancerSourceRanges` | metricsGenerator service Load Balancer sources | `[]` | -| `metricsGenerator.service.externalTrafficPolicy` | metricsGenerator service external traffic policy | `Cluster` | -| `metricsGenerator.service.annotations` | Additional custom annotations for metricsGenerator service | `{}` | -| `metricsGenerator.service.extraPorts` | Extra ports to expose in the metricsGenerator service | `[]` | -| `metricsGenerator.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | -| `metricsGenerator.networkPolicy.allowExternal` | Don't require server label for connections | `true` | -| `metricsGenerator.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | -| `metricsGenerator.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `metricsGenerator.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `metricsGenerator.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | -| `metricsGenerator.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| Name | Description | Value | +| -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | ----------- | +| `metricsGenerator.service.type` | metricsGenerator service type | `ClusterIP` | +| `metricsGenerator.service.ports.http` | metricsGenerator HTTP service port | `3200` | +| `metricsGenerator.service.ports.grpc` | metricsGenerator GRPC service port | `9095` | +| `metricsGenerator.service.nodePorts.http` | Node port for HTTP | `""` | +| `metricsGenerator.service.nodePorts.grpc` | Node port for GRPC | `""` | +| `metricsGenerator.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `metricsGenerator.service.clusterIP` | metricsGenerator service Cluster IP | `""` | +| `metricsGenerator.service.loadBalancerIP` | metricsGenerator service Load Balancer IP | `""` | +| `metricsGenerator.service.loadBalancerSourceRanges` | metricsGenerator service Load Balancer sources | `[]` | +| `metricsGenerator.service.externalTrafficPolicy` | metricsGenerator service external traffic policy | `Cluster` | +| `metricsGenerator.service.annotations` | Additional custom annotations for metricsGenerator service | `{}` | +| `metricsGenerator.service.extraPorts` | Extra ports to expose in the metricsGenerator service | `[]` | +| `metricsGenerator.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| 
`metricsGenerator.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `metricsGenerator.networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `metricsGenerator.networkPolicy.allowExternal` is true. | `true` | +| `metricsGenerator.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `metricsGenerator.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `metricsGenerator.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `metricsGenerator.networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `metricsGenerator.networkPolicy.allowExternal` is true. | `{}` | +| `metricsGenerator.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `metricsGenerator.networkPolicy.allowExternal` is true. | `{}` | +| `metricsGenerator.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `metricsGenerator.networkPolicy.allowExternal` is true. | `{}` | ### Ingester Deployment Parameters 
@@ -593,28 +599,30 @@ The [Bitnami grafana-tempo](https://github.com/bitnami/containers/tree/main/bitn ### Ingester Traffic Exposure Parameters -| Name | Description | Value | -| ------------------------------------------------ | ---------------------------------------------------------------- | ----------- | -| `ingester.service.type` | Ingester service type | `ClusterIP` | -| `ingester.service.ports.http` | Ingester HTTP service port | `3200` | -| `ingester.service.ports.grpc` | Ingester GRPC service port | `9095` | -| `ingester.service.nodePorts.http` | Node port for HTTP | `""` | -| `ingester.service.nodePorts.grpc` | Node port for GRPC | `""` | -| `ingester.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `ingester.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `ingester.service.clusterIP` | Ingester service Cluster IP | `""` | -| `ingester.service.loadBalancerIP` | Ingester service Load Balancer IP | `""` | -| `ingester.service.loadBalancerSourceRanges` | Ingester service Load Balancer sources | `[]` | -| `ingester.service.externalTrafficPolicy` | Ingester service external traffic policy | `Cluster` | -| `ingester.service.annotations` | Additional custom annotations for Ingester service | `{}` | -| `ingester.service.extraPorts` | Extra ports to expose in the Ingester service | `[]` | -| `ingester.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | -| `ingester.networkPolicy.allowExternal` | Don't require server label for connections | `true` | -| `ingester.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | -| `ingester.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `ingester.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `ingester.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | -| `ingester.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| Name | Description | Value | +| ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------- | ----------- | +| `ingester.service.type` | Ingester service type | `ClusterIP` | +| `ingester.service.ports.http` | Ingester HTTP service port | `3200` | +| `ingester.service.ports.grpc` | Ingester GRPC service port | `9095` | +| `ingester.service.nodePorts.http` | Node port for HTTP | `""` | +| `ingester.service.nodePorts.grpc` | Node port for GRPC | `""` | +| `ingester.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `ingester.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `ingester.service.clusterIP` | Ingester service Cluster IP | `""` | +| `ingester.service.loadBalancerIP` | Ingester service Load Balancer IP | `""` | +| `ingester.service.loadBalancerSourceRanges` | Ingester service Load Balancer sources | `[]` | +| `ingester.service.externalTrafficPolicy` | Ingester service external traffic policy | `Cluster` | +| `ingester.service.annotations` | Additional custom annotations for Ingester service | `{}` | +| `ingester.service.extraPorts` | Extra ports to expose in the Ingester service | `[]` | +| `ingester.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `ingester.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| 
`ingester.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `ingester.networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `ingester.networkPolicy.allowExternal` is true. | `true` | +| `ingester.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `ingester.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `ingester.networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `ingester.networkPolicy.allowExternal` is true. | `{}` | +| `ingester.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `ingester.networkPolicy.allowExternal` is true. | `{}` | +| `ingester.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `ingester.networkPolicy.allowExternal` is true. | `{}` | ### Querier Deployment Parameters 
@@ -690,28 +698,30 @@ The [Bitnami grafana-tempo](https://github.com/bitnami/containers/tree/main/bitn ### Querier Traffic Exposure Parameters -| Name | Description | Value | -| ----------------------------------------------- | ---------------------------------------------------------------- | ----------- | -| `querier.service.type` | Querier service type | `ClusterIP` | -| `querier.service.ports.http` | Querier HTTP service port | `3200` | -| `querier.service.ports.grpc` | Querier GRPC service port | `9095` | -| `querier.service.nodePorts.http` | Node port for HTTP | `""` | -| `querier.service.nodePorts.grpc` | Node port for GRPC | `""` | -| `querier.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `querier.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `querier.service.clusterIP` | Querier service Cluster IP | `""` | -| `querier.service.loadBalancerIP` | Querier service Load Balancer IP | `""` | -| `querier.service.loadBalancerSourceRanges` | Querier service Load Balancer sources | `[]` | -| `querier.service.externalTrafficPolicy` | Querier service external traffic policy | `Cluster` | -| `querier.service.annotations` | Additional custom annotations for Querier service | `{}` | -| `querier.service.extraPorts` | Extra ports to expose in the Querier service | `[]` | -| `querier.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | -| `querier.networkPolicy.allowExternal` | Don't require server label for connections | `true` | -| `querier.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | -| `querier.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `querier.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `querier.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | -| `querier.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| Name | Description | Value | +| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ----------- | +| `querier.service.type` | Querier service type | `ClusterIP` | +| `querier.service.ports.http` | Querier HTTP service port | `3200` | +| `querier.service.ports.grpc` | Querier GRPC service port | `9095` | +| `querier.service.nodePorts.http` | Node port for HTTP | `""` | +| `querier.service.nodePorts.grpc` | Node port for GRPC | `""` | +| `querier.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `querier.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `querier.service.clusterIP` | Querier service Cluster IP | `""` | +| `querier.service.loadBalancerIP` | Querier service Load Balancer IP | `""` | +| `querier.service.loadBalancerSourceRanges` | Querier service Load Balancer sources | `[]` | +| `querier.service.externalTrafficPolicy` | Querier service external traffic policy | `Cluster` | +| `querier.service.annotations` | Additional custom annotations for Querier service | `{}` | +| `querier.service.extraPorts` | Extra ports to expose in the Querier service | `[]` | +| `querier.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `querier.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `querier.networkPolicy.allowExternalEgress` | Allow the pod to 
access any range of port and all destinations. | `true` | +| `querier.networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `querier.networkPolicy.allowExternal` is true. | `true` | +| `querier.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `querier.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `querier.networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `querier.networkPolicy.allowExternal` is true. | `{}` | +| `querier.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `querier.networkPolicy.allowExternal` is true. | `{}` | +| `querier.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `querier.networkPolicy.allowExternal` is true. | `{}` | ### Query Frontend Deployment Parameters 
@@ -837,29 +847,31 @@ The [Bitnami grafana-tempo](https://github.com/bitnami/containers/tree/main/bitn ### Query Frontend Traffic Exposure Parameters -| Name | Description | Value | -| ----------------------------------------------------- | ---------------------------------------------------------------- | ----------- | -| `queryFrontend.service.type` | queryFrontend service type | `ClusterIP` | -| `queryFrontend.service.ports.http` | queryFrontend HTTP service port | `3200` | -| `queryFrontend.service.ports.grpc` | queryFrontend GRPC service port | `9095` | -| `queryFrontend.service.nodePorts.http` | Node port for HTTP | `""` | -| `queryFrontend.service.nodePorts.grpc` | Node port for GRPC | `""` | -| `queryFrontend.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `queryFrontend.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `queryFrontend.service.clusterIP` | queryFrontend service Cluster IP | `""` | -| `queryFrontend.service.loadBalancerIP` | queryFrontend service Load Balancer IP | `""` | -| `queryFrontend.service.loadBalancerSourceRanges` | queryFrontend service Load Balancer sources | `[]` | -| `queryFrontend.service.externalTrafficPolicy` | queryFrontend service external traffic policy | `Cluster` | -| `queryFrontend.service.annotations` | Additional custom annotations for queryFrontend service | `{}` | -| `queryFrontend.service.extraPorts` | Extra ports to expose in the queryFrontend service | `[]` | -| `queryFrontend.service.headless.annotations` | Annotations for the headless service. | `{}` | -| `queryFrontend.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | -| `queryFrontend.networkPolicy.allowExternal` | Don't require server label for connections | `true` | -| `queryFrontend.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | -| `queryFrontend.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `queryFrontend.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `queryFrontend.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | -| `queryFrontend.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| Name | Description | Value | +| ----------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- | ----------- | +| `queryFrontend.service.type` | queryFrontend service type | `ClusterIP` | +| `queryFrontend.service.ports.http` | queryFrontend HTTP service port | `3200` | +| `queryFrontend.service.ports.grpc` | queryFrontend GRPC service port | `9095` | +| `queryFrontend.service.nodePorts.http` | Node port for HTTP | `""` | +| `queryFrontend.service.nodePorts.grpc` | Node port for GRPC | `""` | +| `queryFrontend.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `queryFrontend.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `queryFrontend.service.clusterIP` | queryFrontend service Cluster IP | `""` | +| `queryFrontend.service.loadBalancerIP` | queryFrontend service Load Balancer IP | `""` | +| `queryFrontend.service.loadBalancerSourceRanges` | queryFrontend service Load Balancer sources | `[]` | +| `queryFrontend.service.externalTrafficPolicy` | queryFrontend service external traffic policy | `Cluster` | +| `queryFrontend.service.annotations` | Additional custom annotations for queryFrontend service | `{}` | +| `queryFrontend.service.extraPorts` | Extra ports to expose in the queryFrontend service | `[]` | +| `queryFrontend.service.headless.annotations` | Annotations for the headless service. 
| `{}` | +| `queryFrontend.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `queryFrontend.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `queryFrontend.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `queryFrontend.networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `queryFrontend.networkPolicy.allowExternal` is true. | `true` | +| `queryFrontend.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `queryFrontend.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `queryFrontend.networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `queryFrontend.networkPolicy.allowExternal` is true. | `{}` | +| `queryFrontend.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `queryFrontend.networkPolicy.allowExternal` is true. | `{}` | +| `queryFrontend.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `queryFrontend.networkPolicy.allowExternal` is true. | `{}` | ### Vulture Deployment Parameters 
@@ -942,26 +954,28 @@ The [Bitnami grafana-tempo](https://github.com/bitnami/containers/tree/main/bitn ### Vulture Traffic Exposure Parameters -| Name | Description | Value | -| ----------------------------------------------- | ---------------------------------------------------------------- | ----------- | -| `vulture.service.type` | Vulture service type | `ClusterIP` | -| `vulture.service.ports.http` | Vulture HTTP service port | `3200` | -| `vulture.service.nodePorts.http` | Node port for HTTP | `""` | -| `vulture.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `vulture.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `vulture.service.clusterIP` | Vulture service Cluster IP | `""` | -| `vulture.service.loadBalancerIP` | Vulture service Load Balancer IP | `""` | -| `vulture.service.loadBalancerSourceRanges` | Vulture service Load Balancer sources | `[]` | -| `vulture.service.externalTrafficPolicy` | Vulture service external traffic policy | `Cluster` | -| `vulture.service.annotations` | Additional custom annotations for Vulture service | `{}` | -| `vulture.service.extraPorts` | Extra ports to expose in the Vulture service | `[]` | -| `vulture.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | -| `vulture.networkPolicy.allowExternal` | Don't require server label for connections | `true` | -| `vulture.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | -| `vulture.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `vulture.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `vulture.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | -| `vulture.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| Name | Description | Value | +| ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ----------- | +| `vulture.service.type` | Vulture service type | `ClusterIP` | +| `vulture.service.ports.http` | Vulture HTTP service port | `3200` | +| `vulture.service.nodePorts.http` | Node port for HTTP | `""` | +| `vulture.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `vulture.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `vulture.service.clusterIP` | Vulture service Cluster IP | `""` | +| `vulture.service.loadBalancerIP` | Vulture service Load Balancer IP | `""` | +| `vulture.service.loadBalancerSourceRanges` | Vulture service Load Balancer sources | `[]` | +| `vulture.service.externalTrafficPolicy` | Vulture service external traffic policy | `Cluster` | +| `vulture.service.annotations` | Additional custom annotations for Vulture service | `{}` | +| `vulture.service.extraPorts` | Extra ports to expose in the Vulture service | `[]` | +| `vulture.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `vulture.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `vulture.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | +| `vulture.networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `vulture.networkPolicy.allowExternal` is true. | `true` | +| `vulture.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `vulture.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `vulture.networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `vulture.networkPolicy.allowExternal` is true. | `{}` | +| `vulture.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `vulture.networkPolicy.allowExternal` is true. | `{}` | +| `vulture.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `vulture.networkPolicy.allowExternal` is true. | `{}` | ### Init Container Parameters diff --git a/bitnami/grafana-tempo/templates/compactor/networkpolicy.yaml b/bitnami/grafana-tempo/templates/compactor/networkpolicy.yaml index 376323fa3e5395..8636ef2e67bfb1 100644 --- a/bitnami/grafana-tempo/templates/compactor/networkpolicy.yaml +++ b/bitnami/grafana-tempo/templates/compactor/networkpolicy.yaml 
@@ -100,21 +100,21 @@ spec: - port: {{ .Values.tempo.containerPorts.grpc }} {{- if not .Values.compactor.networkPolicy.allowExternal }} from: + {{- if .Values.compactor.networkPolicy.addExternalClientAccess }} - podSelector: matchLabels: {{ template "grafana-tempo.compactor.fullname" . }}-compactor: "true" + {{- end }} + {{- if .Values.compactor.networkPolicy.ingressPodMatchLabels }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.compactor.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }} + {{- end }} {{- if .Values.compactor.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: - matchLabels: - {{- range $key, $value := .Values.compactor.networkPolicy.ingressNSMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSMatchLabels "context" $ ) | nindent 14 }} {{- if .Values.compactor.networkPolicy.ingressNSPodMatchLabels }} podSelector: - matchLabels: - {{- range $key, $value := .Values.compactor.networkPolicy.ingressNSPodMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSPodMatchLabels "context" $ ) | nindent 14 }} {{- end }} {{- end }} {{- end }} diff --git a/bitnami/grafana-tempo/templates/distributor/networkpolicy.yaml b/bitnami/grafana-tempo/templates/distributor/networkpolicy.yaml index 001332fce325fd..c6a19d36ebacfd 100644 --- a/bitnami/grafana-tempo/templates/distributor/networkpolicy.yaml +++ b/bitnami/grafana-tempo/templates/distributor/networkpolicy.yaml 
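Review bot: With `allowExternal: false`, `addExternalClientAccess: false` and the label maps left at `{}`, every entry under `from:` is now conditional, so the key renders with no items, and Kubernetes treats an empty or missing `from` as matching all sources; the rule ends up open on the listed ports instead of restricted. Before this change the first `podSelector` was unconditional, so the list could never be empty. I would fail rendering for that combination just ahead of `from:`, e.g. `{{- if not (or .Values.compactor.networkPolicy.addExternalClientAccess .Values.compactor.networkPolicy.ingressPodMatchLabels .Values.compactor.networkPolicy.ingressNSMatchLabels) }}{{- fail "compactor.networkPolicy: allowExternal=false requires at least one ingress selector" }}{{- end }}`, or skip the whole ports rule in that case. The enclosing ingress rule starts outside the hunk, and the distributor, ingester, metrics-generator, querier, query-frontend and vulture hunks have the same shape.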
@@ -127,21 +127,21 @@ spec: {{- end }} {{- if not .Values.distributor.networkPolicy.allowExternal }} from: + {{- if .Values.distributor.networkPolicy.addExternalClientAccess }} - podSelector: matchLabels: {{ template "grafana-tempo.distributor.fullname" . }}-distributor: "true" + {{- end }} + {{- if .Values.distributor.networkPolicy.ingressPodMatchLabels }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.distributor.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }} + {{- end }} {{- if .Values.distributor.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: - matchLabels: - {{- range $key, $value := .Values.distributor.networkPolicy.ingressNSMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSMatchLabels "context" $ ) | nindent 14 }} {{- if .Values.distributor.networkPolicy.ingressNSPodMatchLabels }} podSelector: - matchLabels: - {{- range $key, $value := .Values.distributor.networkPolicy.ingressNSPodMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSPodMatchLabels "context" $ ) | nindent 14 }} {{- end }} {{- end }} {{- end }} diff --git a/bitnami/grafana-tempo/templates/ingester/networkpolicy.yaml b/bitnami/grafana-tempo/templates/ingester/networkpolicy.yaml index 238c197f42315f..a0ca4fb1d23b8d 100644 --- a/bitnami/grafana-tempo/templates/ingester/networkpolicy.yaml +++ b/bitnami/grafana-tempo/templates/ingester/networkpolicy.yaml 
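Review bot: `$ingressNSMatchLabels` and `$ingressNSPodMatchLabels` in the two rewritten `matchLabels` lines are not declared anywhere in this hunk, while the surrounding `if` conditions still read `.Values.distributor.networkPolicy.*` directly. Go templates reject an undefined variable at parse time, so unless a `:=` declaration already exists above the hunk the chart will fail to render regardless of the values supplied. Passing the values directly keeps the new helper without the variables: `(dict "value" .Values.distributor.networkPolicy.ingressNSMatchLabels "context" $ )`, and likewise for `ingressNSPodMatchLabels`. The compactor, ingester, metrics-generator, querier, query-frontend and vulture hunks reference the same two variables.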
@@ -100,21 +100,21 @@ spec: - port: {{ .Values.tempo.containerPorts.grpc }} {{- if not .Values.ingester.networkPolicy.allowExternal }} from: + {{- if .Values.ingester.networkPolicy.addExternalClientAccess }} - podSelector: matchLabels: {{ template "grafana-tempo.ingester.fullname" . }}-ingester: "true" + {{- end }} + {{- if .Values.ingester.networkPolicy.ingressPodMatchLabels }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.ingester.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }} + {{- end }} {{- if .Values.ingester.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: - matchLabels: - {{- range $key, $value := .Values.ingester.networkPolicy.ingressNSMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSMatchLabels "context" $ ) | nindent 14 }} {{- if .Values.ingester.networkPolicy.ingressNSPodMatchLabels }} podSelector: - matchLabels: - {{- range $key, $value := .Values.ingester.networkPolicy.ingressNSPodMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSPodMatchLabels "context" $ ) | nindent 14 }} {{- end }} {{- end }} {{- end }} diff --git a/bitnami/grafana-tempo/templates/metrics-generator/networkpolicy.yaml b/bitnami/grafana-tempo/templates/metrics-generator/networkpolicy.yaml index 784beafaa5b01f..f1aaaae399c868 100644 --- a/bitnami/grafana-tempo/templates/metrics-generator/networkpolicy.yaml +++ b/bitnami/grafana-tempo/templates/metrics-generator/networkpolicy.yaml 
@@ -100,21 +100,21 @@ spec: - port: {{ .Values.tempo.containerPorts.grpc }} {{- if not .Values.metricsGenerator.networkPolicy.allowExternal }} from: + {{- if .Values.metricsGenerator.networkPolicy.addExternalClientAccess }} - podSelector: matchLabels: {{ template "grafana-tempo.metrics-generator.fullname" . }}-metrics-generator: "true" + {{- end }} + {{- if .Values.metricsGenerator.networkPolicy.ingressPodMatchLabels }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.metricsGenerator.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }} + {{- end }} {{- if .Values.metricsGenerator.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: - matchLabels: - {{- range $key, $value := .Values.metricsGenerator.networkPolicy.ingressNSMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSMatchLabels "context" $ ) | nindent 14 }} {{- if .Values.metricsGenerator.networkPolicy.ingressNSPodMatchLabels }} podSelector: - matchLabels: - {{- range $key, $value := .Values.metricsGenerator.networkPolicy.ingressNSPodMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSPodMatchLabels "context" $ ) | nindent 14 }} {{- end }} {{- end }} {{- end }} diff --git a/bitnami/grafana-tempo/templates/querier/networkpolicy.yaml b/bitnami/grafana-tempo/templates/querier/networkpolicy.yaml index 7854a446e759dc..94bb64bad5ed1c 100644 --- a/bitnami/grafana-tempo/templates/querier/networkpolicy.yaml +++ b/bitnami/grafana-tempo/templates/querier/networkpolicy.yaml 
@@ -100,21 +100,21 @@ spec: - port: {{ .Values.tempo.containerPorts.grpc }} {{- if not .Values.querier.networkPolicy.allowExternal }} from: + {{- if .Values.querier.networkPolicy.addExternalClientAccess }} - podSelector: matchLabels: {{ template "grafana-tempo.querier.fullname" . }}-querier: "true" + {{- end }} + {{- if .Values.querier.networkPolicy.ingressPodMatchLabels }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.querier.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }} + {{- end }} {{- if .Values.querier.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: - matchLabels: - {{- range $key, $value := .Values.querier.networkPolicy.ingressNSMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSMatchLabels "context" $ ) | nindent 14 }} {{- if .Values.querier.networkPolicy.ingressNSPodMatchLabels }} podSelector: - matchLabels: - {{- range $key, $value := .Values.querier.networkPolicy.ingressNSPodMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSPodMatchLabels "context" $ ) | nindent 14 }} {{- end }} {{- end }} {{- end }} diff --git a/bitnami/grafana-tempo/templates/query-frontend/networkpolicy.yaml b/bitnami/grafana-tempo/templates/query-frontend/networkpolicy.yaml index 6a7eec1a97d3ef..96ccaef4ccae00 100644 --- a/bitnami/grafana-tempo/templates/query-frontend/networkpolicy.yaml +++ b/bitnami/grafana-tempo/templates/query-frontend/networkpolicy.yaml 
@@ -110,21 +110,21 @@ spec: - port: {{ .Values.queryFrontend.query.containerPorts.jaegerMetrics }} {{- if not .Values.queryFrontend.networkPolicy.allowExternal }} from: + {{- if .Values.queryFrontend.networkPolicy.addExternalClientAccess }} - podSelector: matchLabels: {{ template "grafana-tempo.query-frontend.fullname" . }}-query-frontend: "true" + {{- end }} + {{- if .Values.queryFrontend.networkPolicy.ingressPodMatchLabels }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.queryFrontend.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }} + {{- end }} {{- if .Values.queryFrontend.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: - matchLabels: - {{- range $key, $value := .Values.queryFrontend.networkPolicy.ingressNSMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSMatchLabels "context" $ ) | nindent 14 }} {{- if .Values.queryFrontend.networkPolicy.ingressNSPodMatchLabels }} podSelector: - matchLabels: - {{- range $key, $value := .Values.queryFrontend.networkPolicy.ingressNSPodMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSPodMatchLabels "context" $ ) | nindent 14 }} {{- end }} {{- end }} {{- end }} diff --git a/bitnami/grafana-tempo/templates/vulture/networkpolicy.yaml b/bitnami/grafana-tempo/templates/vulture/networkpolicy.yaml index 112c0d25d486f6..a4e45cdc702771 100644 --- a/bitnami/grafana-tempo/templates/vulture/networkpolicy.yaml +++ b/bitnami/grafana-tempo/templates/vulture/networkpolicy.yaml 
@@ -98,21 +98,21 @@ spec: - port: {{ .Values.vulture.containerPorts.http }} {{- if not .Values.vulture.networkPolicy.allowExternal }} from: + {{- if .Values.vulture.networkPolicy.addExternalClientAccess }} - podSelector: matchLabels: {{ template "grafana-tempo.vulture.fullname" . }}-vulture: "true" + {{- end }} + {{- if .Values.vulture.networkPolicy.ingressPodMatchLabels }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.vulture.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }} + {{- end }} {{- if .Values.vulture.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: - matchLabels: - {{- range $key, $value := .Values.vulture.networkPolicy.ingressNSMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSMatchLabels "context" $ ) | nindent 14 }} {{- if .Values.vulture.networkPolicy.ingressNSPodMatchLabels }} podSelector: - matchLabels: - {{- range $key, $value := .Values.vulture.networkPolicy.ingressNSPodMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSPodMatchLabels "context" $ ) | nindent 14 }} {{- end }} {{- end }} {{- end }} diff --git a/bitnami/grafana-tempo/values.yaml b/bitnami/grafana-tempo/values.yaml index 020a82b020e378..f749b22e5ff1bc 100644 --- a/bitnami/grafana-tempo/values.yaml +++ b/bitnami/grafana-tempo/values.yaml 
@@ -578,6 +578,9 @@ compactor: ## @param compactor.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## allowExternalEgress: true + ## @param compactor.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `compactor.networkPolicy.allowExternal` is true. + ## + addExternalClientAccess: true ## @param compactor.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: @@ -611,8 +614,14 @@ compactor: ## - frontend ## extraEgress: [] - ## @param compactor.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces - ## @param compactor.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## @param compactor.networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `compactor.networkPolicy.allowExternal` is true. + ## e.g: + ## ingressPodMatchLabels: + ## my-client: "true" + # + ingressPodMatchLabels: {} + ## @param compactor.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `compactor.networkPolicy.allowExternal` is true. + ## @param compactor.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `compactor.networkPolicy.allowExternal` is true. ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {} 
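Review bot: The new `addExternalClientAccess` description says "client label" without naming it, so an operator reading values.yaml cannot tell which label on a client pod grants ingress. Going by the compactor template, the key appears to be the component fullname followed by `-compactor`, with the value `"true"`; I would add a line under the `@param` such as `## The client label is <compactor fullname>-compactor: "true", as rendered in templates/compactor/networkpolicy.yaml`. The same wording is used in this file's hunks for the distributor, metricsGenerator, ingester, querier, queryFrontend and vulture sections.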
@@ -933,6 +942,9 @@ distributor: ## @param distributor.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## allowExternalEgress: true + ## @param distributor.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `distributor.networkPolicy.allowExternal` is true. + ## + addExternalClientAccess: true ## @param distributor.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: @@ -966,8 +978,14 @@ distributor: ## - frontend ## extraEgress: [] - ## @param distributor.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces - ## @param distributor.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## @param distributor.networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `distributor.networkPolicy.allowExternal` is true. + ## e.g: + ## ingressPodMatchLabels: + ## my-client: "true" + # + ingressPodMatchLabels: {} + ## @param distributor.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `distributor.networkPolicy.allowExternal` is true. + ## @param distributor.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `distributor.networkPolicy.allowExternal` is true. ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {} 
@@ -1282,6 +1300,9 @@ metricsGenerator: ## (with the correct destination port). ## allowExternal: true + ## @param metricsGenerator.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `metricsGenerator.networkPolicy.allowExternal` is true. + ## + addExternalClientAccess: true ## @param metricsGenerator.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## allowExternalEgress: true @@ -1318,8 +1339,14 @@ metricsGenerator: ## - frontend ## extraEgress: [] - ## @param metricsGenerator.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces - ## @param metricsGenerator.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## @param metricsGenerator.networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `metricsGenerator.networkPolicy.allowExternal` is true. + ## e.g: + ## ingressPodMatchLabels: + ## my-client: "true" + # + ingressPodMatchLabels: {} + ## @param metricsGenerator.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `metricsGenerator.networkPolicy.allowExternal` is true. + ## @param metricsGenerator.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `metricsGenerator.networkPolicy.allowExternal` is true. ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {} 
@@ -1682,6 +1709,9 @@ ingester: ## @param ingester.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## allowExternalEgress: true + ## @param ingester.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `ingester.networkPolicy.allowExternal` is true. + ## + addExternalClientAccess: true ## @param ingester.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: @@ -1715,8 +1745,14 @@ ingester: ## - frontend ## extraEgress: [] - ## @param ingester.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces - ## @param ingester.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## @param ingester.networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `ingester.networkPolicy.allowExternal` is true. + ## e.g: + ## ingressPodMatchLabels: + ## my-client: "true" + # + ingressPodMatchLabels: {} + ## @param ingester.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `ingester.networkPolicy.allowExternal` is true. + ## @param ingester.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `ingester.networkPolicy.allowExternal` is true. ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {} 
@@ -2037,6 +2073,9 @@ querier: ## @param querier.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## allowExternalEgress: true + ## @param querier.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `querier.networkPolicy.allowExternal` is true. + ## + addExternalClientAccess: true ## @param querier.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: @@ -2070,8 +2109,14 @@ querier: ## - frontend ## extraEgress: [] - ## @param querier.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces - ## @param querier.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## @param querier.networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `querier.networkPolicy.allowExternal` is true. + ## e.g: + ## ingressPodMatchLabels: + ## my-client: "true" + # + ingressPodMatchLabels: {} + ## @param querier.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `querier.networkPolicy.allowExternal` is true. + ## @param querier.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `querier.networkPolicy.allowExternal` is true. ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {} 
@@ -2566,6 +2611,9 @@ queryFrontend: ## @param queryFrontend.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## allowExternalEgress: true + ## @param queryFrontend.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `queryFrontend.networkPolicy.allowExternal` is true. + ## + addExternalClientAccess: true ## @param queryFrontend.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: @@ -2599,8 +2647,14 @@ queryFrontend: ## - frontend ## extraEgress: [] - ## @param queryFrontend.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces - ## @param queryFrontend.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## @param queryFrontend.networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `queryFrontend.networkPolicy.allowExternal` is true. + ## e.g: + ## ingressPodMatchLabels: + ## my-client: "true" + # + ingressPodMatchLabels: {} + ## @param queryFrontend.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `queryFrontend.networkPolicy.allowExternal` is true. + ## @param queryFrontend.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `queryFrontend.networkPolicy.allowExternal` is true. ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {} 
@@ -2952,6 +3006,9 @@ vulture: ## @param vulture.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## allowExternalEgress: true + ## @param vulture.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `vulture.networkPolicy.allowExternal` is true. + ## + addExternalClientAccess: true ## @param vulture.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: @@ -2985,8 +3042,14 @@ vulture: ## - frontend ## extraEgress: [] - ## @param vulture.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces - ## @param vulture.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## @param vulture.networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `vulture.networkPolicy.allowExternal` is true. + ## e.g: + ## ingressPodMatchLabels: + ## my-client: "true" + # + ingressPodMatchLabels: {} + ## @param vulture.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `vulture.networkPolicy.allowExternal` is true. + ## @param vulture.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `vulture.networkPolicy.allowExternal` is true. ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {}