Release 10.0.16

charts/knowage/CHANGELOG.md

@@ -5,6 +5,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [1.0.16] - 2023-11-13
+
+### Added
+
+- Network policies between KNOWAGE components
+
+### Changed
+
+### Fixed
+
+- Explicitly specify volumeMode in knowage-main PVC
+
 ## [1.0.15] - 2023-11-06
 
 ### Added

charts/knowage/Chart.yaml

@@ -18,7 +18,7 @@
 
 apiVersion: v2
 name: knowage
-version: 1.0.15
+version: 1.0.16
 kubeVersion: ">= 1.22.0-0"
 description: A Helm chart for Kubernetes Suite
 type: application

charts/knowage/templates/_helpers.tpl

@@ -509,7 +509,6 @@ tls.key: {{ $tlsProxyCert.Key | b64enc }}
 {{- end -}}
 {{- end -}}
 
-
 {{/*
 Priority class
 */}}
@@ -527,3 +526,29 @@ Secondary services.
 {{- define "knowage.priorityclass.secondary" -}}
 {{ printf "%s-%s" (include "knowage.fullname" .) "secondary" }}
 {{- end }}
+
+{{/*
+Network policies.
+*/}}
+
+{{/*
+Deny all.
+*/}}
+{{- define "knowage.networkpolicy.deny-all" -}}
+{{ printf "%s-%s" (include "knowage.fullname" .) "deny-all" }}
+{{- end }}
+
+{{/*
+For Python.
+*/}}
+{{- define "knowage.networkpolicy.python" -}}
+{{ printf "%s-%s" (include "knowage.fullname" .) "python" }}
+{{- end }}
+
+{{/*
+For R.
+*/}}
+{{- define "knowage.networkpolicy.r" -}}
+{{ printf "%s-%s" (include "knowage.fullname" .) "r" }}
+{{- end }}
+

charts/knowage/templates/network-policy.yaml

@@ -0,0 +1,146 @@
+#
+# Knowage, Open Source Business Intelligence suite
+# Copyright (C) 2023 Engineering Ingegneria Informatica S.p.A.
+# 
+# Knowage is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Knowage is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+# 
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "knowage.networkpolicy.deny-all" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "knowage.selectorLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  - Egress
+
+{{ if or (eq ( default .Values.knowage.deployPython false ) true) (eq ( default .Values.knowage.python.deploy false ) true) }}
+---
+#  _______     _________ _    _  ____  _   _ 
+# |  __ \ \   / /__   __| |  | |/ __ \| \ | |
+# | |__) \ \_/ /   | |  | |__| | |  | |  \| |
+# |  ___/ \   /    | |  |  __  | |  | | . ` |
+# | |      | |     | |  | |  | | |__| | |\  |
+# |_|      |_|     |_|  |_|  |_|\____/|_| \_|
+#                                            
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "knowage.networkpolicy.python" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      knowage-suite.com/app: knowage-python
+      {{- include "knowage.selectorLabels" . | nindent 6 }}
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          knowage-suite.com/app: knowage
+          {{- include "knowage.selectorLabels" . | nindent 10 }}
+    ports:
+      - port: http
+        protocol: TCP
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          knowage-suite.com/app: knowage
+          {{- include "knowage.selectorLabels" . | nindent 10 }}
+  # Allow communication to Kubernetes DNS service
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+    - podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+    - protocol: UDP
+      port: 53
+  # Allow internet access
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+          - 10.0.0.0/8
+          - 172.16.0.0/12
+          - 192.168.0.0/16
+  policyTypes:
+  - Ingress
+  - Egress
+{{ end }}
+
+{{ if or (eq ( default .Values.knowage.deployR false ) true) (eq ( default .Values.knowage.r.deploy false ) true) }}
+---
+#  _____  
+# |  __ \ 
+# | |__) |
+# |  _  / 
+# | | \ \ 
+# |_|  \_\
+#         
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "knowage.networkpolicy.r" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      knowage-suite.com/app: knowage-r
+      {{- include "knowage.selectorLabels" . | nindent 6 }}
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          knowage-suite.com/app: knowage
+          {{- include "knowage.selectorLabels" . | nindent 10 }}
+    ports:
+      - port: http
+        protocol: TCP
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          knowage-suite.com/app: knowage
+          {{- include "knowage.selectorLabels" . | nindent 10 }}
+  # Allow communication to Kubernetes DNS service
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+    - podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+    - protocol: UDP
+      port: 53
+  # Allow internet access
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+          - 10.0.0.0/8
+          - 172.16.0.0/12
+          - 192.168.0.0/16
+  policyTypes:
+  - Ingress
+  - Egress
+{{ end }}

charts/knowage/templates/pvc.yaml

@@ -105,4 +105,5 @@ spec:
 {{- else }}
   volumeName: {{ include "knowage.cache.volume" . }}
 {{- end }}
+  volumeMode: Filesystem
 {{- end }}