Added network policy;Updated to Zabbix 5.2;Zabbix Server now stateful…

…set (#12)

* Added network policy;Updated to Zabbix 5.2;Zabbix Server now statefulset

.github/workflows/blank.yml

@@ -4,9 +4,9 @@ name: CI
 
 on:
   push:
-    branches: [ master ]
+    branches: [master]
   pull_request:
-    branches: [ master ]
+    branches: [master]
 
 jobs:
   build:
@@ -16,18 +16,18 @@ jobs:
     - uses: actions/checkout@v2
 
     # Runs a single command using the runners shell
-    - name: "Download and install HELM"
+    - name: Download and install HELM
       run: |
         curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
         chmod 700 get_helm.sh
         ./get_helm.sh
 
     # Runs a set of commands using the runners shell
-    - name: "Run HELM lint"
+    - name: Run HELM lint
       run: helm lint .
 
-    - name: "Install unittest plugin"
+    - name: Install unittest plugin
       run: helm plugin install https://github.com/quintush/helm-unittest
 
-    - name: "Run unit tests"
+    - name: Run unit tests
       run: helm unittest -3 .

.github/workflows/main.yml

@@ -5,8 +5,8 @@ name: MasterRun
 on:
   push:
     branches:
-      - master
-      - main
+    - master
+    - main
 
   workflow_dispatch:
 
@@ -15,35 +15,35 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout dj-wasabi-release repo
-        uses: actions/checkout@v2
-        with:
-          repository: dj-wasabi/dj-wasabi-release
-          path: dj-wasabi-release
-
-      - name: Checkout current repo
-        uses: actions/checkout@v2
-        with:
-          path: main
-
-      - name: Commit Changelog file
-        run: |
-          # We are cloned in the 'main' directory and the dj-wasabi-release
-          # repository is the 'dj-wasabi-release' next to 'main'
-          cd main
-
-          # Generate CHANGELOG.md file
-          ../dj-wasabi-release/release.sh -d
-
-          # Let commit the changes if there are any? (Well there should be!)
-          if [[ $(git status | grep -c 'CHANGELOG.md' || true) -gt 0 ]]
-            then  echo "Committing file"
-                  git config --global user.name 'Werner Dijkerman [GH bot]'
-                  git config --global user.email '[email protected]'
-
-                  git add CHANGELOG.md
-                  git commit -m "Updated CHANGELOG.md on \"$(date "+%Y-%m-%d %H:%M:%S")\"" CHANGELOG.md
-                  git push
-          fi
-        env:
-          CHANGELOG_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Checkout dj-wasabi-release repo
+      uses: actions/checkout@v2
+      with:
+        repository: dj-wasabi/dj-wasabi-release
+        path: dj-wasabi-release
+
+    - name: Checkout current repo
+      uses: actions/checkout@v2
+      with:
+        path: main
+
+    - name: Commit Changelog file
+      run: |
+        # We are cloned in the 'main' directory and the dj-wasabi-release
+        # repository is the 'dj-wasabi-release' next to 'main'
+        cd main
+
+        # Generate CHANGELOG.md file
+        ../dj-wasabi-release/release.sh -d
+
+        # Let commit the changes if there are any? (Well there should be!)
+        if [[ $(git status | grep -c 'CHANGELOG.md' || true) -gt 0 ]]
+          then  echo "Committing file"
+                git config --global user.name 'Werner Dijkerman [GH bot]'
+                git config --global user.email '[email protected]'
+
+                git add CHANGELOG.md
+                git commit -m "Updated CHANGELOG.md on \"$(date "+%Y-%m-%d %H:%M:%S")\"" CHANGELOG.md
+                git push
+        fi
+      env:
+        CHANGELOG_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.pre-commit-config.yaml

@@ -1,8 +1,7 @@
----
 repos:
 - repo: https://github.com/dj-wasabi/pre-commit-hooks
-  rev: d84bb1806ddb7572f38e80a8778f6d13540554d9
+  rev: master
   hooks:
-    - id: helm-lint
-    - id: helm-unittest
-
+  - id: helm-lint
+  - id: helm-unittest
+  - id: markdown-toc

README.md

@@ -4,27 +4,35 @@
 ![GitHub Release Date](https://img.shields.io/github/release-date/dj-wasabi/helm-zabbix)
 ![GitHub release (latest by date)](https://img.shields.io/github/v/release/dj-wasabi/helm-zabbix)
 [![MIT license](https://img.shields.io/badge/License-MIT-blue.svg)](https://lbesson.mit-license.org/)
+[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/dj-wasabi/pre-commit-hooks)
 
 
 Table of content:
+<!--TOC-->
 
 - [HELM-ZABBIX](#helm-zabbix)
-  * [Prerequisites](#prerequisites)
-  * [Dependencies](#dependencies)
+- [Introduction](#introduction)
+  - [Prerequisites](#prerequisites)
+  - [Dependencies](#dependencies)
 - [Installation](#installation)
-  * [server-db-secret](#server-db-secret)
-  * [www.example.com](#wwwexamplecom)
-  * [proxy-db-secret](#proxy-db-secret)
-  * [Install the HELM Chart](#install-the-helm-chart)
+  - [server-db-secret](#server-db-secret)
+  - [www.example.com](#wwwexamplecom)
+  - [proxy-db-secret](#proxy-db-secret)
+  - [Install the HELM Chart](#install-the-helm-chart)
 - [Configuration](#configuration)
-  * [Zabbix overal](#zabbix-overal)
-  * [Zabbix Server](#zabbix-server)
-  * [Zabbix Web](#zabbix-web)
-  * [Zabbix Agent](#zabbix-agent)
-    + [agent.volumes_host](#-agentvolumes-host-)
-    + [agent.volumes](#-agentvolumes)
-  * [Zabbix Proxy](#zabbix-proxy)
-  * [Zabbix JavaGateway](#zabbix-javagateway)
+  - [Zabbix overal](#zabbix-overal)
+  - [Zabbix Server](#zabbix-server)
+  - [Zabbix Web](#zabbix-web)
+  - [Zabbix Agent](#zabbix-agent)
+    - [`agent.volumes_host`](#agentvolumes_host)
+    - [`agent.volumes`](#agentvolumes)
+  - [Zabbix Proxy](#zabbix-proxy)
+  - [Zabbix JavaGateway](#zabbix-javagateway)
+  - [Network Policies](#network-policies)
+
+<!--TOC-->
+
+# Introduction
 
 [WIP] Work in Progress (I've started a puppet module (owned by vox-populi now), have created several Ansible roles (Now part of the collection.zabbix) so why not starting a HELM Chart for Zabbix.)
 
@@ -156,6 +164,8 @@ Parameter | Description | Default
 `zabbix.database.type`|The type of database to be used.|`mysql`
 `zabbix.database.name`|The name of the database.| `zabbix`
 `zabbix.database.host`|The host of the database.| `zabbix`
+`zabbix.namespace`|The namespace on which Zabbix is running..| `zabbix`
+`zabbix.networkPolicy.enabled`|If the network policies are enabled.| `true`
 
 ## Zabbix Server
 
@@ -231,3 +241,19 @@ Parameter | Description | Default
 Parameter | Description | Default
 --------- | ----------- | -------
 `javagateway.enabled`|If the Zabbix Java Gateway needs to be deployed or not.|`false`
+
+## Network Policies
+
+When `zabbix.networkPolicy.enabled` is set to `true` (Which is default), 3 networkpolicies are installed:
+
+```sh
+$ kubectl -n zabbix get networkpolicies
+NAME            POD-SELECTOR        AGE
+zabbix-agent    app=zabbix-agent    32m
+zabbix-server   app=zabbix-server   32m
+zabbix-web      app=zabbix-web      32m
+```
+
+The Zabbix Server only allows connections from and to both the Zabbix Web on port 10051 and the Zabbix Agent. The Zabbix Server also allows connections to be made to either port 3306 (MySQL) or 5432 (PostGreSQL), depending on the database type.
+
+The Zabbix Agent only allows connections from and to the Zabbix Server on port 10050. Both the Zabbix Server and Agent will allow DNS request made to `kube-dns`.

templates/NOTES.txt

@@ -9,7 +9,9 @@ The following Zabbix components are installed:
 {{ if .Values.web.enabled -}}
 * Zabbix Web
 {{- end }}
-
+{{ if and .Values.zabbix.networkPolicy.enabled }}
+Network policies are enabled.
+{{- end }}
 {{ if .Values.ingress.enabled -}}
 {{- range .Values.ingress.hosts }}
 Zabbix web interface is available on: {{ .host | quote }}

templates/networkpolicy-agent.yaml

@@ -0,0 +1,33 @@
+{{- if and .Values.zabbix.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: zabbix-agent
+  namespace: "{{ .Values.zabbix.namespace }}"
+spec:
+  podSelector:
+    matchLabels:
+      app: zabbix-agent
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: zabbix-server
+      ports:
+        - port: 10050
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: zabbix-server
+      ports:
+        - port: 10051
+    - to:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: UDP
+{{- end }}

templates/networkpolicy-server.yaml

@@ -0,0 +1,46 @@
+{{- if and .Values.zabbix.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: zabbix-server
+  namespace: "{{ .Values.zabbix.namespace }}"
+spec:
+  podSelector:
+    matchLabels:
+      app: zabbix-server
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: zabbix-agent
+      ports:
+        - port: 10051
+    - from:
+        - podSelector:
+            matchLabels:
+              app: zabbix-web
+      ports:
+        - port: 10051
+  egress:
+    - ports:
+{{- if eq .Values.zabbix.database.type "mysql" }}
+        - port: 3306
+{{- end }}
+{{- if eq .Values.zabbix.database.type "pgsql" }}
+        - port: 5432
+{{- end }}
+    - to:
+        - podSelector:
+            matchLabels:
+              app: zabbix-agent
+      ports:
+        - port: 10050
+    - to:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: UDP
+{{- end }}

templates/networkpolicy-web.yaml

@@ -0,0 +1,15 @@
+{{- if and .Values.zabbix.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: zabbix-web
+  namespace: "{{ .Values.zabbix.namespace }}"
+spec:
+  podSelector:
+    matchLabels:
+      app: zabbix-web
+  ingress:
+  - {}
+  egress:
+  - {}
+{{- end }}

templates/zabbix-agent.yaml

@@ -3,23 +3,24 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: zabbix-agent
+  namespace: "{{ .Values.zabbix.namespace }}"
   labels:
-    app: zabbix
-    tier: agent
+    app: zabbix-agent
 spec:
   updateStrategy:
    type: RollingUpdate
    rollingUpdate:
     maxUnavailable: 1
   selector:
     matchLabels:
-      app: zabbix
+      app: zabbix-agent
   template:
     metadata:
       labels:
         name: zabbix-agent
-        app: zabbix
+        app: zabbix-agent
     spec:
+      # hostNetwork: true
       containers:
         - name: zabbix-agent
           {{ if .Values.agent.image }}
@@ -43,7 +44,7 @@ spec:
           {{- if .Values.agent.server.host }}
             value: "{{ .Values.agent.server.host }}"
           {{- else }}
-            value: "zabbix-server.{{ .Release.Namespace }}.svc"
+            value: "0.0.0.0/0,zabbix-server-0.{{ .Release.Namespace }}.svc"
           {{- end }}
           - name: ZBX_PASSIVE_ALLOW
             value: "{{ .Values.agent.passiveagent }}"

templates/zabbix-server.service.yaml

@@ -2,24 +2,25 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: zabbix-server
+  name: "zabbix-server"
   labels:
     app: zabbix
   namespace: zabbix
 spec:
+  clusterIP: None
   ports:
   - port: 10051
     targetPort: 10051
     protocol: TCP
-    name: zabbix-trapper
+    name: "zabbix-trapper"
   {{- if .Values.server.snmptraps.enabled }}
   - port: 162
     targetPort: 1162
     protocol: UDP
-    name: snmp-trap
+    name: "snmp-trap"
   {{- end }}
   selector:
-    app: zabbix-server
+    app: "zabbix-server"
 {{- if .Values.server.externalIPs }}
   externalIPs:
   {{- toYaml .Values.server.externalIPs | nindent 8 }}