feat: add networkpolicy and pdb

* fixes #53 #54
devops-ia · Sep 4, 2024 · 8f1fed6 · 8f1fed6
1 parent 61e7c00
commit 8f1fed6
Show file tree

Hide file tree

Showing 15 changed files with 319 additions and 201 deletions.
diff --git a/.github/ct.yaml b/.github/ct.yaml
@@ -8,3 +8,5 @@ upgrade: true
 validate-chart-schema: true
 validate-maintainers: false
 validate-yaml: true
+chart-repos:
+- opensearch=https://opensearch-project.github.io/helm-charts/
diff --git a/charts/opencti/README.md b/charts/opencti/README.md
diff --git a/charts/opencti/ci/ci-common-values.yaml b/charts/opencti/ci/ci-common-values.yaml
@@ -65,15 +65,24 @@ connectors:
       name: opencti-ci-credentials
       key: APP__ADMIN__TOKEN
 
-serviceMonitor:
-  enabled: false
+networkPolicy:
+  enabled: true
+
+podDisruptionBudget:
+  enabled: true
 
 autoscaling:
   enabled: true
 
 worker:
   enabled: true
 
+  podDisruptionBudget:
+    enabled: true
+
+  networkPolicy:
+    enabled: true
+
   autoscaling:
     enabled: true
 

diff --git a/charts/opencti/templates/server/hpa.yaml b/charts/opencti/templates/server/hpa.yaml
@@ -4,6 +4,7 @@ kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "opencti.fullname" . }}-server
   labels:
+    opencti.component: server
     {{- include "opencti.labels" . | nindent 4 }}
 spec:
   scaleTargetRef:

diff --git a/charts/opencti/templates/server/ingress.yaml b/charts/opencti/templates/server/ingress.yaml
@@ -17,6 +17,7 @@ kind: Ingress
 metadata:
   name: {{ $fullName }}
   labels:
+    opencti.component: server
     {{- include "opencti.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}
   annotations:

diff --git a/charts/opencti/templates/server/networkpolicy.yaml b/charts/opencti/templates/server/networkpolicy.yaml
@@ -0,0 +1,46 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "opencti.fullname" . }}-server
+  labels:
+    opencti.component: server
+    {{- include "opencti.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      opencti.component: server
+      {{- include "opencti.selectorLabels" . | nindent 6 }}
+
+  {{- if .Values.networkPolicy.policyTypes }}
+  {{- with .Values.networkPolicy.policyTypes }}
+  policyTypes:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- else }}
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- end }}
+
+  {{- if .Values.networkPolicy.ingress }}
+  {{- with .Values.networkPolicy.ingress }}
+  ingress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- else }}
+  ingress:
+  - {}
+  {{- end }}
+
+  {{- if .Values.networkPolicy.egress }}
+  {{- with .Values.networkPolicy.egress }}
+  egress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- else }}
+  egress:
+  - {}
+  {{- end }}
+
+{{- end }}
diff --git a/charts/opencti/templates/server/poddisruptionbudget.yaml b/charts/opencti/templates/server/poddisruptionbudget.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.podDisruptionBudget.enabled -}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "opencti.fullname" . }}-server
+  labels:
+    opencti.component: server
+    {{- include "opencti.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      opencti.component: server
+      {{- include "opencti.selectorLabels" . | nindent 6 }}
+  {{- if .Values.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if .Values.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+{{- end -}}
diff --git a/charts/opencti/templates/server/secret.yaml b/charts/opencti/templates/server/secret.yaml
@@ -5,6 +5,7 @@ type: Opaque
 metadata:
   name: {{ include "opencti.fullname" . }}-credentials
   labels:
+    opencti.component: server
     {{- include "opencti.labels" . | nindent 4 }}
   annotations:
     helm.sh/hook: "pre-install,pre-upgrade"

diff --git a/charts/opencti/templates/server/serviceaccount.yaml b/charts/opencti/templates/server/serviceaccount.yaml
@@ -4,6 +4,7 @@ kind: ServiceAccount
 metadata:
   name: {{ include "opencti.serviceAccountName" . }}
   labels:
+    opencti.component: server
     {{- include "opencti.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:

diff --git a/charts/opencti/templates/server/servicemonitor.yaml b/charts/opencti/templates/server/servicemonitor.yaml
@@ -4,10 +4,12 @@ kind: ServiceMonitor
 metadata:
   name: {{ include "opencti.fullname" . }}-server
   labels:
+    opencti.component: server
     {{- include "opencti.labels" . | nindent 4 }}
 spec:
   selector:
     matchLabels:
+      opencti.component: server
       {{- include "opencti.selectorLabels" . | nindent 8 }}
   endpoints:
   - port: metrics

diff --git a/charts/opencti/templates/worker/hpa.yaml b/charts/opencti/templates/worker/hpa.yaml
@@ -4,6 +4,7 @@ kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "opencti.fullname" . }}-worker
   labels:
+    opencti.component: worker
     {{- include "opencti.labels" . | nindent 4 }}
 spec:
   scaleTargetRef:

diff --git a/charts/opencti/templates/worker/networkpolicy.yaml b/charts/opencti/templates/worker/networkpolicy.yaml
@@ -0,0 +1,46 @@
+{{- if .Values.worker.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "opencti.fullname" . }}-worker
+  labels:
+    opencti.component: worker
+    {{- include "opencti.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      opencti.component: worker
+      {{- include "opencti.selectorLabels" . | nindent 6 }}
+
+  {{- if .Values.worker.networkPolicy.policyTypes }}
+  {{- with .Values.worker.networkPolicy.policyTypes }}
+  policyTypes:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- else }}
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- end }}
+
+  {{- if .Values.worker.networkPolicy.ingress }}
+  {{- with .Values.worker.networkPolicy.ingress }}
+  ingress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- else }}
+  ingress:
+  - {}
+  {{- end }}
+
+  {{- if .Values.worker.networkPolicy.egress }}
+  {{- with .Values.worker.networkPolicy.egress }}
+  egress:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- else }}
+  egress:
+  - {}
+  {{- end }}
+
+{{- end }}
diff --git a/charts/opencti/templates/worker/poddisruptionbudget.yaml b/charts/opencti/templates/worker/poddisruptionbudget.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.worker.podDisruptionBudget.enabled -}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "opencti.fullname" . }}-worker
+  labels:
+    opencti.component: worker
+    {{- include "opencti.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      opencti.component: worker
+      {{- include "opencti.selectorLabels" . | nindent 6 }}
+  {{- if .Values.worker.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.worker.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if .Values.worker.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.worker.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+{{- end -}}
diff --git a/charts/opencti/templates/worker/servicemonitor.yaml b/charts/opencti/templates/worker/servicemonitor.yaml
@@ -4,10 +4,12 @@ kind: ServiceMonitor
 metadata:
   name: {{ include "opencti.fullname" . }}-worker
   labels:
+    opencti.component: worker
     {{- include "opencti.labels" . | nindent 4 }}
 spec:
   selector:
     matchLabels:
+      opencti.component: worker
       {{- include "opencti.selectorLabels" . | nindent 8 }}
   endpoints:
   - port: metrics