From ea032807724af9bb4e909ea0e8d0a1469cca7656 Mon Sep 17 00:00:00 2001
From: QuantumEnigmaa
Date: Thu, 23 Nov 2023 12:04:09 +0100
Subject: [PATCH 1/5] Helm: add ciliumnetworkpolicies
Signed-off-by: QuantumEnigmaa
---
 production/helm/loki/CHANGELOG.md | 4 +
 production/helm/loki/Chart.yaml | 2 +-
 .../loki/templates/ciliumnetworkpolicy.yaml | 186 ++++++++++++++++++
 .../helm/loki/templates/networkpolicy.yaml | 2 +-
 production/helm/loki/values.yaml | 1 +
 5 files changed, 193 insertions(+), 2 deletions(-)
 create mode 100644 production/helm/loki/templates/ciliumnetworkpolicy.yaml
diff --git a/production/helm/loki/CHANGELOG.md b/production/helm/loki/CHANGELOG.md
index 51dd2deb2be54..ae48d7e336d3c 100644
--- a/production/helm/loki/CHANGELOG.md
+++ b/production/helm/loki/CHANGELOG.md
@@ -13,6 +13,10 @@ Entries should include a reference to the pull request that introduced the chang
 [//]: # ( : do not remove this line. This locator is used by the CI pipeline to automatically create a changelog entry for each new Loki release. Add other chart versions and respective changelog entries bellow this line.)
+## 5.37.1
+
+- [FEATURE] Add ciliumnetworkpolicies.
+
 ## 5.37.0
 - [FEATURE] Add support for enabling tracing.
diff --git a/production/helm/loki/Chart.yaml b/production/helm/loki/Chart.yaml
index 39e800d6193e0..2ca04d73878eb 100644
--- a/production/helm/loki/Chart.yaml
+++ b/production/helm/loki/Chart.yaml
@@ -3,7 +3,7 @@ name: loki
 description: Helm chart for Grafana Loki in simple, scalable mode
 type: application
 appVersion: 2.9.2
-version: 5.37.0
+version: 5.37.1
 home: https://grafana.github.io/helm-charts
 sources:
 - https://github.com/grafana/loki
diff --git a/production/helm/loki/templates/ciliumnetworkpolicy.yaml b/production/helm/loki/templates/ciliumnetworkpolicy.yaml
new file mode 100644
index 0000000000000..2a16d974e295a
--- /dev/null
+++ b/production/helm/loki/templates/ciliumnetworkpolicy.yaml
@@ -0,0 +1,186 @@
+{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "cilium") }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-namespace-only
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector: {}
+ egress:
+ - toEndpoints:
+ - {}
+ ingress:
+ - fromEndpoints:
+ - {}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-egress-dns
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.selectorLabels" . | nindent 6 }}
+ egress:
+ - toPorts:
+ - ports:
+ - port: dns
+ protocol: UDP
+ toEndpoints:
+ - namespaceSelector: {}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-ingress
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ {{- if .Values.gateway.enabled }}
+ - gateway
+ {{- else }}
+ - read
+ - write
+ {{- end }}
+ matchLabels:
+ {{- include "loki.selectorLabels" . | nindent 6 }}
+ ingress:
+ - toPorts:
+ - port: http
+ protocol: TCP
+ {{- if .Values.networkPolicy.ingress.namespaceSelector }}
+ fromEndpoints:
+ - matchLabels:
+ {{- toYaml .Values.networkPolicy.ingress.namespaceSelector | nindent 8 }}
+ {{- if .Values.networkPolicy.ingress.podSelector }}
+ {{- toYaml .Values.networkPolicy.ingress.podSelector | nindent 8 }}
+ {{- end }}
+ {{- end }}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-ingress-metrics
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.selectorLabels" . | nindent 6 }}
+ ingress:
+ - toPorts:
+ - port: http-metrics
+ protocol: TCP
+ {{- if .Values.networkPolicy.metrics.cidrs }}
+ {{- range $cidr := .Values.networkPolicy.metrics.cidrs }}
+ toCIDR:
+ - {{ $cidr }}
+ {{- end }}
+ {{- if .Values.networkPolicy.metrics.namespaceSelector }}
+ fromEndpoints:
+ - matchLabels:
+ {{- toYaml .Values.networkPolicy.metrics.namespaceSelector | nindent 8 }}
+ {{- if .Values.networkPolicy.metrics.podSelector }}
+ {{- toYaml .Values.networkPolicy.metrics.podSelector | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+{{- if .Values.ruler.enabled }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-egress-alertmanager
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.rulerSelectorLabels" . | nindent 6 }}
+ egress:
+ - toPorts:
+ - port: {{ .Values.networkPolicy.alertmanager.port }}
+ protocol: TCP
+ {{- if .Values.networkPolicy.alertmanager.namespaceSelector }}
+ toEndpoints:
+ - matchLabels:
+ {{- toYaml .Values.networkPolicy.alertmanager.namespaceSelector | nindent 8 }}
+ {{- if .Values.networkPolicy.alertmanager.podSelector }}
+ {{- toYaml .Values.networkPolicy.alertmanager.podSelector | nindent 8 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- if .Values.networkPolicy.externalStorage.ports }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-egress-external-storage
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.selectorLabels" . | nindent 6 }}
+ egress:
+ - toPorts:
+ {{- range $port := .Values.networkPolicy.externalStorage.ports }}
+ - port: {{ $port }}
+ protocol: TCP
+ {{- end }}
+ {{- if .Values.networkPolicy.externalStorage.cidrs }}
+ {{- range $cidr := .Values.networkPolicy.externalStorage.cidrs }}
+ toCIDR:
+ - {{ $cidr }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- end }}
+
+{{- if .Values.networkPolicy.discovery.port }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-egress-discovery
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.selectorLabels" . | nindent 6 }}
+ egress:
+ - toPorts:
+ - port: {{ .Values.networkPolicy.discovery.port }}
+ protocol: TCP
+ {{- if .Values.networkPolicy.discovery.namespaceSelector }}
+ toEndpoints:
+ - matchLabels:
+ {{- toYaml .Values.networkPolicy.discovery.namespaceSelector | nindent 8 }}
+ {{- if .Values.networkPolicy.discovery.podSelector }}
+ {{- toYaml .Values.networkPolicy.discovery.podSelector | nindent 8 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/production/helm/loki/templates/networkpolicy.yaml b/production/helm/loki/templates/networkpolicy.yaml
index c6d5fa0264a41..12066dbc3d5f7 100644
--- a/production/helm/loki/templates/networkpolicy.yaml
+++ b/production/helm/loki/templates/networkpolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.networkPolicy.enabled }}
+{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "kubernetes") }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
diff --git a/production/helm/loki/values.yaml b/production/helm/loki/values.yaml
index 472882a226c8b..fbae8c1509219 100644
--- a/production/helm/loki/values.yaml
+++ b/production/helm/loki/values.yaml
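Review bot: The `{{- end }}` that follows `-egress-external-storage`'s own closing `{{- end }}` closes the top-level `if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "cilium")` guard, so the `-egress-discovery` policy below it is rendered whenever `networkPolicy.discovery.port` is set, even with `enabled: false` or `flavor: kubernetes`; that `{{- end }}` belongs at the very end of the file, after the discovery block. Most port rules also do not follow the CiliumNetworkPolicy schema: only `-egress-dns` nests `ports:` under the `toPorts` item, while `-ingress`, `-ingress-metrics`, `-egress-alertmanager`, `-egress-external-storage` and `-egress-discovery` put `port`/`protocol` directly under it (the CRD will prune or reject those fields), `-ingress-metrics` uses the egress field `toCIDR` inside an ingress rule where `fromCIDR` is meant, and the `range` loops over `cidrs` emit a fresh `toCIDR:` key per iteration, which a YAML decoder either rejects as a duplicate key or reduces to the last CIDR. Namespace scoping does not carry over from the kubernetes flavor either: `toYaml`-ing `networkPolicy.*.namespaceSelector` into `fromEndpoints`/`toEndpoints` `matchLabels` matches pod labels in the policy's own namespace (Cilium expresses namespace labels with the `io.kubernetes.pod.namespace.labels.<key>` prefix, and as far as I know `namespaceSelector` is not a field of its endpoint selector at all, which also affects `-egress-dns`), so a cross-namespace peer never matches, and when the selector is unset the remaining L4-only ingress rule admits the port from any source as I read Cilium's semantics; in `-ingress-metrics` the `fromEndpoints` block is further nested inside `if .Values.networkPolicy.metrics.cidrs`, so it is dropped unless CIDRs are also set. Finally, `-namespace-only` uses `endpointSelector: {}`, which selects every endpoint in the release namespace rather than Loki's pods and puts unrelated workloads there into Cilium's per-direction default-deny; scope it with `loki.selectorLabels` or document the side effect in values.yaml. The fence shows the corrected rule shape for `-ingress-metrics`; the same `ports:` nesting applies to the other four policies.
```yaml
# … unchanged: -ingress-metrics metadata and endpointSelector …
  ingress:
    - toPorts:
        - ports:
            - port: http-metrics
              protocol: TCP
      {{- if .Values.networkPolicy.metrics.cidrs }}
      fromCIDR:
        {{- range $cidr := .Values.networkPolicy.metrics.cidrs }}
        - {{ $cidr }}
        {{- end }}
      {{- end }}
      {{- if .Values.networkPolicy.metrics.namespaceSelector }}
      fromEndpoints:
        - matchLabels:
            # … unchanged: namespaceSelector / podSelector rendering (namespace keys need the io.kubernetes.pod.namespace.labels. prefix) …
      {{- end }}
```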
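Review bot: The new condition, together with its counterpart at the top of ciliumnetworkpolicy.yaml, makes any `networkPolicy.flavor` value other than `kubernetes` or `cilium` (a typo, or an empty string from an overriding values file) render no policy at all while `enabled: true`, so the chart fails open silently. A guard such as `{{- if not (has .Values.networkPolicy.flavor (list "kubernetes" "cilium")) }}{{- fail "networkPolicy.flavor must be \"kubernetes\" or \"cilium\"" }}{{- end }}` at the top of this template (or in a helper both templates include) turns that into an install-time error. The remainder of this template's body is outside the hunk.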
@@ -1443,6 +1443,7 @@ gateway:
 networkPolicy:
 # -- Specifies whether Network Policies should be created
 enabled: false
+ flavor: kubernetes
 metrics:
 # -- Specifies the Pods which are allowed to access the metrics port.
 # As this is cross-namespace communication, you also need the namespaceSelector.
From 22414f0435f07db555a57d06abcbef5001bd1d7d Mon Sep 17 00:00:00 2001
From: QuantumEnigmaa
Date: Mon, 11 Dec 2023 10:29:09 +0100
Subject: [PATCH 2/5] remove ruler.enabled condition
Signed-off-by: QuantumEnigmaa
---
 production/helm/loki/templates/ciliumnetworkpolicy.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/production/helm/loki/templates/ciliumnetworkpolicy.yaml b/production/helm/loki/templates/ciliumnetworkpolicy.yaml
index 2a16d974e295a..b8652ad13a531 100644
--- a/production/helm/loki/templates/ciliumnetworkpolicy.yaml
+++ b/production/helm/loki/templates/ciliumnetworkpolicy.yaml
@@ -102,7 +102,6 @@ spec:
 {{- end }}
 {{- end }}
-{{- if .Values.ruler.enabled }}
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
@@ -127,7 +126,6 @@ spec:
 {{- toYaml .Values.networkPolicy.alertmanager.podSelector | nindent 8 }}
 {{- end }}
 {{- end }}
-{{- end }}
 {{- if .Values.networkPolicy.externalStorage.ports }}
 ---
@@ -113,7 +113,7 @@ metadata:
 spec:
 endpointSelector:
 matchLabels:
-{{- include "loki.rulerSelectorLabels" . | nindent 6 }}
+{{- include "loki.backendSelectorLabels" . | nindent 6 }}
 egress:
 - toPorts:
 - port: {{ .Values.networkPolicy.alertmanager.port }}
From ff7cd673a5f6ef2cfedf665722eac3d018d2cf0f Mon Sep 17 00:00:00 2001
From: QuantumEnigmaa
Date: Mon, 11 Dec 2023 11:41:06 +0100
Subject: [PATCH 4/5] update chart version in readme
Signed-off-by: QuantumEnigmaa
---
 production/helm/loki/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/production/helm/loki/README.md b/production/helm/loki/README.md
index a95fd2cced7d0..805d699dde8be 100644
--- a/production/helm/loki/README.md
+++ b/production/helm/loki/README.md
@@ -1,6 +1,6 @@
 # loki
-![Version: 5.40.2](https://img.shields.io/badge/Version-5.40.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.2](https://img.shields.io/badge/AppVersion-2.9.2-informational?style=flat-square)
+![Version: 5.40.2](https://img.shields.io/badge/Version-5.40.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.2](https://img.shields.io/badge/AppVersion-2.9.2-informational?style=flat-square)
 Helm chart for Grafana Loki in simple, scalable mode
From 79a8ddbe601ed52b0283b310e00fd5f04e392dd7 Mon Sep 17 00:00:00 2001
From: QuantumEnigmaa
Date: Tue, 12 Dec 2023 10:07:07 +0100
Subject: [PATCH 5/5] add comment to explain flavor field
Signed-off-by: QuantumEnigmaa
---
 production/helm/loki/values.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/production/helm/loki/values.yaml b/production/helm/loki/values.yaml
index ed7e1b69014b6..e82967a4efb3b 100644
--- a/production/helm/loki/values.yaml
+++ b/production/helm/loki/values.yaml
@@ -1465,6 +1465,8 @@ gateway:
 networkPolicy:
 # -- Specifies whether Network Policies should be created
 enabled: false
+ # -- Specifies whether the policies created will be standard Network Policies (flavor: kubernetes)
+ # or Cilium Network Policies (flavor: cilium)
 flavor: kubernetes
 metrics:
 # -- Specifies the Pods which are allowed to access the metrics port.