[zookeeper] add networkpolicy and poddisruptionbudget (#2) (CloudPirates-io#155)

* [zookeeper] add networkpolicy and poddisruptionbudget (#2)

* Fix typos and remove quotes from namespace
* Add a networkpolicy to zookeeper
* Add poddisruptionbudget to zookeeper helm charts
* Fix typos in labels
* Bump chart version
* Update CHANGELOG.md
Signed-off-by: pascalfreundsrf <[email protected]>
* Fix accessModes templating for zookeeper
* Update CHANGELOG.md
Signed-off-by: pascalfreundsrf <[email protected]>
* Add revisionHistoryLimit
* Update securityContext and add revisionHistoryLimit
* fix lint / mountpath / podsecuritycontext
* fix podsecuritycontext and zookeper-myid
* fix formatting
* Add networkpolicy and poddisruptionbudget to values.yaml
* Update CHANGELOG.md
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* update zookeeper commandsWhitelist default
* Update readme description

---------

Signed-off-by: pascalfreundsrf <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Pascal Freund <[email protected]>
Co-authored-by: pascalfreundsrf <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* Bump zookeeper appVersion to 3.9.3

---------

Signed-off-by: pascalfreundsrf <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Pascal Freund <[email protected]>
Co-authored-by: pascalfreundsrf <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: 3 people

charts/zookeeper/CHANGELOG.md

@@ -0,0 +1,5 @@
+# Changelog
+
+## 0.1.1 (2025-09-25)
+
+* [zookeeper] add networkpolicy and poddisruptionbudget ([#2](https://github.com/mmz-srf/cloudpirates-helm-charts/pull/2))

charts/zookeeper/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: zookeeper
 description: Apache ZooKeeper is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services.
 type: application
-version: 0.1.0
-appVersion: "3.9.2"
+version: 0.1.1
+appVersion: "3.9.3"
 keywords:
   - zookeeper
   - distributed

charts/zookeeper/README.md

@@ -23,6 +23,19 @@ To install with custom values:
 helm install my-zookeeper ./charts/zookeeper -f values.yaml
 ```
 
+#### Example config for OpenShift Clusters
+To run this chart in an OpenShift cluster, the following security values must be empty:
+```yaml
+zookeeper:
+  containerSecurityContext:
+    runAsUser:
+    runAsGroup:
+    seLinuxOptions:
+  podSecurityContext:
+    fsGroup:
+```
+
+
 ### Getting Started
 
 1. Connect to ZooKeeper from inside the cluster:
@@ -51,20 +64,21 @@ zkCli.sh -server my-zookeeper:2181
 
 ### Common Parameters
 
-| Parameter | Description | Default |
-|-----------|-------------|---------|
-| `nameOverride` | String to partially override fullname | `""` |
-| `fullnameOverride` | String to fully override fullname | `""` |
-| `commonLabels` | Labels to add to all deployed objects | `{}` |
-| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
-| `replicaCount` | Number of ZooKeeper replicas to deploy | `3` |
+| Parameter                   | Description                                                                 | Default |
+|-----------------------------|-----------------------------------------------------------------------------|---------|
+| `nameOverride`              | String to partially override fullname                                       | `""`    |
+| `fullnameOverride`          | String to fully override fullname                                           | `""`    |
+| `commonLabels`              | Labels to add to all deployed objects                                       | `{}`    |
+| `commonAnnotations`         | Annotations to add to all deployed objects                                  | `{}`    |
+| `replicaCount`              | Number of ZooKeeper replicas to deploy                                      | `3`     |
+| `podDisruptionBudget.enabled` | Create a Pod Disruption Budget to ensure high availability during voluntary disruptions | `true`  |
+| `networkPolicy.enabled`     | Enable network policies                                                     | `true`  |
 
 ### ZooKeeper Configuration
 
 | Parameter | Description | Default |
 |-----------|-------------|---------|
 | `zookeeperConfig.tickTime` | ZooKeeper tick time | `2000` |
-| `zookeeperConfig.dataDir` | ZooKeeper data directory | `/var/lib/zookeeper/data` |
 | `zookeeperConfig.initLimit` | ZooKeeper init limit | `10` |
 | `zookeeperConfig.syncLimit` | ZooKeeper sync limit | `5` |
 | `zookeeperConfig.electionPortBindRetry` | ZooKeeper election port bind retry | `10` |
@@ -122,12 +136,19 @@ zkCli.sh -server my-zookeeper:2181
 
 ### Security Context
 
-| Parameter | Description | Default |
-|-----------|-------------|---------|
-| `containerSecurityContext.runAsUser` | Set container's Security Context runAsUser | `1000` |
-| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
-| `containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` |
-| `podSecurityContext.fsGroup` | Group ID for the volumes of the pod | `1000` |
+| Parameter                                 | Description                                               | Default |
+|-------------------------------------------|-----------------------------------------------------------|---------|
+| `containerSecurityContext.runAsUser`      | User ID to run the container process                      | `1000`  |
+| `containerSecurityContext.runAsGroup`     | Group ID to run the container process                     | `1000`  |
+| `containerSecurityContext.seLinuxOptions` | SELinux options for the container                         | `{}`    |
+| `containerSecurityContext.runAsNonRoot`   | Require the container to run as a non-root user           | `true`  |
+| `containerSecurityContext.allowPrivilegeEscalation` | Whether to allow privilege escalation for the container | `false` |
+| `containerSecurityContext.privileged`     | Set container's privileged mode                           | `false` |
+| `containerSecurityContext.readOnlyRootFilesystem` | Mount container root filesystem as read-only           | `false` |
+| `containerSecurityContext.capabilities`   | Linux capabilities to drop or add for the container        | `{}`    |
+| `containerSecurityContext.seccompProfile` | Seccomp profile for the container                         | `{}`    |
+| `podSecurityContext.fsGroup`              | Group ID for the volumes of the pod                        | `1000`  |
+
 
 ### Health Checks
 

charts/zookeeper/templates/configmap.yaml

@@ -2,13 +2,13 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ include "zookeeper.fullname" . }}-config
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "zookeeper.labels" . | nindent 4 }}
 data:
   zoo.cfg: |
     tickTime={{ .Values.zookeeperConfig.tickTime | default 2000 }}
-    dataDir={{ .Values.zookeeperConfig.dataDir | default "/var/lib/zookeeper/data" }}
+    dataDir={{ .Values.persistence.mountPath | default "/data" }}
     initLimit={{ .Values.zookeeperConfig.initLimit | default 10 }}
     syncLimit={{ .Values.zookeeperConfig.syncLimit | default 5 }}
     clientPort={{ .Values.service.ports.client | default 2181 }}
@@ -27,4 +27,4 @@ data:
     metricsProvider.exportJvmInfo=true
     {{- end }}
     {{- /* Add a line for each server in the ensemble */}}
-    {{- include "zookeeper.servers" . | nindent 4 }}
+    {{- include "zookeeper.servers" . | nindent 4 }}

charts/zookeeper/templates/networkpolicy.yaml

@@ -0,0 +1,32 @@
+{{- if not .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ include "zookeeper.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "zookeeper.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: release-name
+      app.kubernetes.io/name: zookeeper
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    # Allow inbound connections to ZooKeeper
+    - ports:
+        - port: {{ .Values.service.ports.client | default 2181 }}
+    # Allow internal communications between nodes
+    - ports:
+        - port: {{ .Values.service.ports.quorum | default 2888 }}
+        - port: {{ .Values.service.ports.leaderElection | default 3888 }}
+      from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/instance: release-name
+              app.kubernetes.io/name: zookeeper
+{{- end }}

charts/zookeeper/templates/poddisruptionbudget.yaml

@@ -0,0 +1,15 @@
+{{- if and .Values.podDisruptionBudget.enabled (gt (int .Values.replicaCount) 1) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "zookeeper.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "zookeeper.labels" . | nindent 4 }}
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: release-name
+      app.kubernetes.io/name: zookeeper
+{{- end }}

charts/zookeeper/templates/service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "zookeeper.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "zookeeper.labels" . | nindent 4 }}
 spec:
@@ -23,7 +23,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "zookeeper.fullname" . }}-headless
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "zookeeper.labels" . | nindent 4 }}
 spec:

charts/zookeeper/templates/statefulset.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: StatefulSet
 metadata:
   name: {{ include "zookeeper.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "zookeeper.labels" . | nindent 4 }}
   {{- with (include "zookeeper.annotations" .) }}
@@ -12,6 +12,7 @@ metadata:
 spec:
   serviceName: {{ include "zookeeper.fullname" . }}-headless
   replicas: {{ .Values.replicaCount }}
+  revisionHistoryLimit: {{ .Values.revisionHistoryLimit | default 10 }}
   updateStrategy:
     type: RollingUpdate
   podManagementPolicy: Parallel
@@ -56,6 +57,10 @@ spec:
             - name: {{ .name }}
               value: {{ .value | quote }}
           {{- end }}
+            - name: ZOO_MY_ID
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
           livenessProbe:
             tcpSocket:
               port: client
@@ -118,7 +123,9 @@ spec:
         {{- end }}
       spec:
         accessModes:
-          - {{ .Values.persistence.accessMode | quote }}
+        {{- with .Values.persistence.accessModes }}
+          {{- toYaml . | nindent 10 }}
+        {{- end}}
         {{- if .Values.persistence.storageClass }}
         storageClassName: {{ .Values.persistence.storageClass | quote }}
         {{- end }}

charts/zookeeper/values.schema.json

@@ -49,16 +49,76 @@
     },
     "containerSecurityContext": {
       "type": "object",
+      "description": "Container-level security context settings",
       "properties": {
-        "runAsUser": { "type": "integer", "minimum": 0 },
-        "runAsNonRoot": { "type": "boolean" },
-        "allowPrivilegeEscalation": { "type": "boolean" }
+        "runAsUser": {
+          "type": "integer",
+          "description": "User ID to run the container process"
+        },
+        "runAsGroup": {
+          "type": "integer",
+          "description": "Group ID to run the container process"
+        },
+        "seLinuxOptions": {
+          "type": "object",
+          "description": "Set container's Security Context seLinuxOptions"
+        },
+        "runAsNonRoot": {
+          "type": "boolean",
+          "description": "Require the container to run as a non-root user"
+        },
+        "allowPrivilegeEscalation": {
+          "type": "boolean",
+          "description": "Whether to allow privilege escalation for the container"
+        },
+        "privileged": {
+          "type": "boolean",
+          "description": "Set container's privileged mode"
+        },
+        "readOnlyRootFilesystem": {
+          "type": "boolean",
+          "description": "Mount container root filesystem as read-only"
+        },
+        "capabilities": {
+          "type": "object",
+          "description": "Linux capabilities to drop or add for the container",
+          "properties": {
+            "drop": {
+              "type": "array",
+              "items": { "type": "string" },
+              "description": "List of Linux capabilities to drop (e.g., ALL)"
+            },
+            "add": {
+              "type": "array",
+              "items": { "type": "string" },
+              "description": "List of Linux capabilities to add"
+            }
+          }
+        },
+        "seccompProfile": {
+          "type": "object",
+          "description": "Seccomp profile configuration for the container",
+          "properties": {
+            "type": {
+              "type": "string",
+              "description": "Type of seccomp profile to use (e.g., RuntimeDefault, Localhost)"
+            },
+            "localhostProfile": {
+              "type": "string",
+              "description": "Path to a localhost seccomp profile (if type is Localhost)"
+            }
+          }
+        }
       }
     },
     "podSecurityContext": {
       "type": "object",
+      "description": "Pod-level security context settings",
       "properties": {
-        "fsGroup": { "type": "integer", "minimum": 0 }
+        "fsGroup": {
+          "type": "integer",
+          "description": "Group ID for the volumes of the pod"
+        }
       }
     },
     "service": {
@@ -113,14 +173,15 @@
     "affinity": { "type": "object" },
     "persistence": {
       "type": "object",
+      "description": "Persistence configuration",
       "properties": {
-        "enabled": { "type": "boolean" },
-        "storageClass": { "type": "string" },
-        "annotations": { "type": "object", "additionalProperties": { "type": "string" } },
-        "size": { "type": "string", "pattern": "^\\d+(Ei|Pi|Ti|Gi|Mi|Ki|E|P|T|G|M|K)?$" },
-        "accessModes": { "type": "array", "items": { "type": "string" } },
-        "existingClaim": { "type": "string" },
-        "mountPath": { "type": "string" }
+        "enabled": { "type": "boolean", "description": "Enable persistence using Persistent Volume Claims" },
+        "storageClass": { "type": "string", "description": "Persistent Volume storage class" },
+        "annotations": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Persistent Volume Claim annotations" },
+        "size": { "type": "string", "description": "Persistent Volume size" },
+        "accessModes": { "type": "array", "items": { "type": "string" }, "description": "Persistent Volume access modes" },
+        "existingClaim": { "type": "string", "description": "The name of an existing PVC to use for persistence" },
+        "mountPath": { "type": "string", "description": "The path where to mount the data volume" }
       }
     },
     "livenessProbe": {
@@ -169,6 +230,26 @@
     },
     "extraVolumes": { "type": "array", "items": { "type": "object" } },
     "extraVolumeMounts": { "type": "array", "items": { "type": "object" } },
-    "extraObjects": { "type": "array", "items": { "type": "object" } }
+    "extraObjects": { "type": "array", "items": { "type": "object" } },
+    "podDisruptionBudget": {
+      "type": "object",
+      "description": "Pod Disruption Budget configuration",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "description": "Create a Pod Disruption Budget to ensure high availability during voluntary disruptions"
+        }
+      }
+    },
+    "networkPolicy": {
+      "type": "object",
+      "description": "Network Policy configuration",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "description": "Enable network policies"
+        }
+      }
+    }
   }
 }