rancher-partner-charts/charts/cockroach-labs/cockroachdb/15.0.2/templates/networkpolicy.yaml

{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ template "cockroachdb.networkPolicy.apiVersion" . }}
metadata:
  name: {{ template "cockroachdb.serviceAccount.name" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    helm.sh/chart: {{ template "cockroachdb.chart" . }}
    app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
  {{- with .Values.labels }}
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name | quote }}
    {{- with .Values.statefulset.labels }}
      {{- toYaml . | nindent 6 }}
    {{- end }}
  ingress:
    - ports:
        - port: grpc
    {{- with .Values.networkPolicy.ingress.grpc }}
      from:
        # Allow connections via custom rules.
        {{- toYaml . | nindent 8 }}
        # Allow client connection via pre-considered label.
        - podSelector:
            matchLabels:
              {{ template "cockroachdb.fullname" . }}-client: "true"
        # Allow other CockroachDBs to connect to form a cluster.
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
              app.kubernetes.io/instance: {{ .Release.Name | quote }}
            {{- with .Values.statefulset.labels }}
              {{- toYaml . | nindent 14 }}
            {{- end }}
      {{- if gt (.Values.statefulset.replicas | int64) 1 }}
        # Allow init Job to connect to bootstrap a cluster.
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
              app.kubernetes.io/instance: {{ .Release.Name | quote }}
            {{- with .Values.init.labels }}
              {{- toYaml . | nindent 14 }}
            {{- end }}
      {{- end }}
    {{- end }}
    # Allow connections to admin UI and for Prometheus.
    - ports:
        - port: http
    {{- with .Values.networkPolicy.ingress.http }}
      from: {{- toYaml . | nindent 8 }}
    {{- end }}
{{- end }}
Added chart versions: airlock/microgateway: - 4.4.2 airlock/microgateway-cni: - 4.4.2 cockroach-labs/cockroachdb: - 15.0.2 redpanda/redpanda: - 5.9.18 speedscale/speedscale-operator: - 2.3.45 2024-12-22 00:05:57 +00:00			`{{- if .Values.networkPolicy.enabled }}`
			`kind: NetworkPolicy`
			`apiVersion: {{ template "cockroachdb.networkPolicy.apiVersion" . }}`
			`metadata:`
			`name: {{ template "cockroachdb.serviceAccount.name" . }}`
			`namespace: {{ .Release.Namespace \| quote }}`
			`labels:`
			`helm.sh/chart: {{ template "cockroachdb.chart" . }}`
			`app.kubernetes.io/name: {{ template "cockroachdb.name" . }}`
			`app.kubernetes.io/instance: {{ .Release.Name \| quote }}`
			`app.kubernetes.io/managed-by: {{ .Release.Service \| quote }}`
			`{{- with .Values.labels }}`
			`{{- toYaml . \| nindent 4 }}`
			`{{- end }}`
			`spec:`
			`podSelector:`
			`matchLabels:`
			`app.kubernetes.io/name: {{ template "cockroachdb.name" . }}`
			`app.kubernetes.io/instance: {{ .Release.Name \| quote }}`
			`{{- with .Values.statefulset.labels }}`
			`{{- toYaml . \| nindent 6 }}`
			`{{- end }}`
			`ingress:`
			`- ports:`
			`- port: grpc`
			`{{- with .Values.networkPolicy.ingress.grpc }}`
			`from:`
			`# Allow connections via custom rules.`
			`{{- toYaml . \| nindent 8 }}`
			`# Allow client connection via pre-considered label.`
			`- podSelector:`
			`matchLabels:`
			`{{ template "cockroachdb.fullname" . }}-client: "true"`
			`# Allow other CockroachDBs to connect to form a cluster.`
			`- podSelector:`
			`matchLabels:`
			`app.kubernetes.io/name: {{ template "cockroachdb.name" . }}`
			`app.kubernetes.io/instance: {{ .Release.Name \| quote }}`
			`{{- with .Values.statefulset.labels }}`
			`{{- toYaml . \| nindent 14 }}`
			`{{- end }}`
			`{{- if gt (.Values.statefulset.replicas \| int64) 1 }}`
			`# Allow init Job to connect to bootstrap a cluster.`
			`- podSelector:`
			`matchLabels:`
			`app.kubernetes.io/name: {{ template "cockroachdb.name" . }}`
			`app.kubernetes.io/instance: {{ .Release.Name \| quote }}`
			`{{- with .Values.init.labels }}`
			`{{- toYaml . \| nindent 14 }}`
			`{{- end }}`
			`{{- end }}`
			`{{- end }}`
			`# Allow connections to admin UI and for Prometheus.`
			`- ports:`
			`- port: http`
			`{{- with .Values.networkPolicy.ingress.http }}`
			`from: {{- toYaml . \| nindent 8 }}`
			`{{- end }}`
			`{{- end }}`