fix(ocrserver): networkpolicy (prepare fetch of language)

2025-02-21 23:15:11 +01:00 · 2025-02-21 23:15:11 +01:00 · c6c1b4a04c
commit c6c1b4a04c
parent 16d0e48121
4 changed files with 100 additions and 3 deletions
--- a/ocrserver/Chart.yaml
+++ b/ocrserver/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: ocrserver
 description: Run OCR-Server
 type: application
-version: "0.0.2"
+version: "0.1.0"
 # renovate: image=otiai10/ocrserver
 appVersion: "1.1.0"
 maintainers:
--- a/ocrserver/README.md
+++ b/ocrserver/README.md
@ -7,7 +7,7 @@ description: "Run OCR-Server"

 # ocrserver

-![Version: 0.0.2](https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.0](https://img.shields.io/badge/AppVersion-1.1.0-informational?style=flat-square)
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.0](https://img.shields.io/badge/AppVersion-1.1.0-informational?style=flat-square)

 Run OCR-Server

@ -41,6 +41,18 @@ helm uninstall ocrserver-release

 ## Values

+### NetworkPolicy
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| networkPolicy.egress.dns | list | `[{"namespaceSelector":{"matchLabels":{"kubernetes.io/metadata.name":"kube-system"}},"podSelector":{"matchLabels":{"k8s-app":"kube-dns"}}}]` | rule to access DNS |
+| networkPolicy.egress.enabled | bool | `true` | activate egress no networkpolicy |
+| networkPolicy.egress.http | list | `[]` | allow to http ports for fetch language |
+| networkPolicy.enabled | bool | `false` | deploy networkpolicy |
+| networkPolicy.ingress.http | list | `[]` | allow to http ports should be your ingress-controller |
+
+### Other Values
+
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
@ -86,7 +98,7 @@ helm uninstall ocrserver-release
 Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)
 # ocrserver

-![Version: 0.0.2](https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.0](https://img.shields.io/badge/AppVersion-1.1.0-informational?style=flat-square)
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.0](https://img.shields.io/badge/AppVersion-1.1.0-informational?style=flat-square)

 Run OCR-Server

@ -98,6 +110,18 @@ Run OCR-Server

 ## Values

+### NetworkPolicy
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| networkPolicy.egress.dns | list | `[{"namespaceSelector":{"matchLabels":{"kubernetes.io/metadata.name":"kube-system"}},"podSelector":{"matchLabels":{"k8s-app":"kube-dns"}}}]` | rule to access DNS |
+| networkPolicy.egress.enabled | bool | `true` | activate egress no networkpolicy |
+| networkPolicy.egress.http | list | `[]` | allow to http ports for fetch language |
+| networkPolicy.enabled | bool | `false` | deploy networkpolicy |
+| networkPolicy.ingress.http | list | `[]` | allow to http ports should be your ingress-controller |
+
+### Other Values
+
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
--- a/ocrserver/templates/networkpolicy.yaml
+++ b/ocrserver/templates/networkpolicy.yaml
@ -0,0 +1,47 @@
+{{- with .Values.networkPolicy }}
+{{- if .enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "ocrserver.fullname" $ }}
+  labels:
+    {{- include "ocrserver.labels" $ | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "ocrserver.selectorLabels" $ | nindent 6 }}
+  policyTypes:
+    - Ingress
+    {{- if .egress.enabled }}
+    - Egress
+    {{- end }}
+  ingress:
+    {{- with .ingress.http }}
+    - ports:
+        - port: 8080
+          protocol: TCP
+      from:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}{{/* end-with .ingress.http */}}
+
+  {{- with .egress }}
+  {{- if .enabled }}
+  egress:
+    {{- with .dns }}
+    - ports:
+        - port: 53
+          protocol: UDP
+      to:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .http }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .extra }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}{{/* end-if egress.enabled */}}
+  {{- end }}{{/* end-with .egress */}}
+{{- end }}
+{{- end }}
--- a/ocrserver/values.yaml
+++ b/ocrserver/values.yaml
@ -88,6 +88,32 @@ readinessProbe:
    path: /status
    port: http

+networkPolicy:
+  # -- deploy networkpolicy
+  # @section -- NetworkPolicy
+  enabled: false
+  ingress:
+    # -- allow to http ports
+    # should be your ingress-controller
+    # @section -- NetworkPolicy
+    http: []
+  egress:
+    # -- activate egress no networkpolicy
+    # @section -- NetworkPolicy
+    enabled: true
+    # -- allow to http ports for fetch language
+    # @section -- NetworkPolicy
+    http: []
+    # -- rule to access DNS
+    # @section -- NetworkPolicy
+    dns:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: kube-system
+        podSelector:
+          matchLabels:
+            k8s-app: kube-dns
+
 # This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
 autoscaling:
  enabled: false