Merge remote-tracking branch 'upstream/main' into 2025/add/fluentd

Author: mrnicegyu11

charts/.gitignore

@@ -2,3 +2,5 @@ values.yaml
 values.*.yaml
 k8s_hosts.ini
 helmfile.y?ml
+
+*.tgz

charts/adminer/templates/deployment.yaml

@@ -13,9 +13,9 @@ spec:
       {{- include "adminer.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
+      {{- if .Values.podAnnotations }}
       annotations:
-        {{- toYaml . | nindent 8 }}
+        {{- tpl (toYaml .Values.podAnnotations) . | nindent 8 }}
       {{- end }}
       labels:
         {{- include "adminer.labels" . | nindent 8 }}

charts/adminer/templates/networkpolicy.yaml

@@ -0,0 +1,20 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: adminer-network-policy
+  labels:
+    {{- include "adminer.labels" . | nindent 4 }}
+spec:
+  selector: app.kubernetes.io/instance == "{{ .Release.Name }}"
+  ingress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ .Values.service.port }}
+  egress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - 5432

charts/adminer/values.yaml.gotmpl

@@ -25,7 +25,9 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: ""
 
-podAnnotations: {}
+podAnnotations:
+  # automatically restart pod on network policy change (to be sure new rules are applied)
+  checksum/networkpolicy: '{{`{{ include (print $.Template.BasePath "/networkpolicy.yaml") . | sha256sum }}`}}'
 podLabels: {}
 
 podSecurityContext:

charts/calico-configuration/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/calico-configuration/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: calico-configuration
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "3.26.4"

charts/calico-configuration/README.md

@@ -0,0 +1,50 @@
+## How to add network policy (local deployment)
+
+How to discover ports / networks that are used by application
+* observe existing traffic (see `Debug network policies` below)
+* add staged policies to make sure all cases are included https://docs.tigera.io/calico/3.30/network-policy/staged-network-policies
+  - make sure deployed calico version supports it
+* based on observations, create a needed network policy
+
+## Debug network policies
+
+if calico version 3.30+ is installed
+* observe traffic and check `policies` field in whisker logs
+  - https://docs.tigera.io/calico/3.30/observability/enable-whisker
+  - https://docs.tigera.io/calico/3.30/observability/view-flow-logs
+
+if calico version <= 3.29
+* create network policy with action log (read more https://docs.tigera.io/calico/latest/network-policy/policy-rules/log-rules)
+  ```yaml
+  apiVersion: projectcalico.org/v3
+  kind: NetworkPolicy
+  metadata:
+    name: log ingress requests
+  spec:
+    selector: app == 'db'
+    ingress:
+    - action: Log
+  ```
+* apply policy and see logs via journalctl (you can grep with `calico-packet` on the node where the pod is running)
+* Note: one may implement policy step by step (allowing all traffic that is known and making last rule `Log` to see what traffic is still missing)
+
+## Known issues
+
+If network policy is created after pod, pod **MUST** be restarted for policy to take effect. Read more https://github.com/projectcalico/calico/issues/10753#issuecomment-3140717418
+* To automate this, we can add annotations with network policy checksum to pods (see https://stackoverflow.com/questions/58602311/will-helm-upgrade-restart-pods-even-if-they-are-not-affected-by-upgrade)
+
+## How to view existing policies
+
+via kubectl:
+* `kubectl get networkpolicies.crd.projectcalico.org -n adminer`
+* `kubectl describe networkpolicies.crd.projectcalico.org -n adminer default.adminer-network-policy`
+
+via calicoctl:
+* `calicoctl get networkpolicy -n adminer -o yaml`
+
+Note:
+* global network policies and network policies are separate resources for calico
+* To see all calico resources execute `kubectl get crd | grep calico` or `calicoctl get --help`
+
+Warning:
+* Network policies update are only applied to "new connections". To make them act, one may need to restart affected applications (pods)

charts/calico-configuration/templates/NOTES.txt

@@ -0,0 +1,3 @@
+This chart configures Calico but does not deploy Calico itself. Calico is deployed during the Kubernetes cluster creation.
+
+Note: to make sure network policies are applied correctly, you may need to restart targeted application pods.

charts/calico-configuration/templates/globalpolicy.yaml

@@ -0,0 +1,44 @@
+# Source: https://docs.tigera.io/calico/3.30/network-policy/get-started/kubernetes-default-deny
+apiVersion: projectcalico.org/v3
+kind: GlobalNetworkPolicy
+metadata:
+  name: default-global-deny-network-policy
+spec:
+  # "kube-public", "kube-system", "kube-node-lease" -- system namespaces
+  # "calico-system", "calico-apiserver", "tigera-operator" -- calico namespaces (when installed via scripts [local deployment])
+  # TODO: other namespaces are to be removed from this list (once appropriate network policies are created)
+  namespaceSelector:
+    kubernetes.io/metadata.name not in {"kube-public", "kube-system", "kube-node-lease", "calico-system", "calico-apiserver", "tigera-operator", "cert-manager", "reflector", "traefik", "victoria-logs", "csi-s3", "portainer", "topolvm", "local-path-storage", "longhorn"}
+  types:
+    - Ingress
+    - Egress
+  egress:
+    # allow all namespaces to communicate to DNS pods
+    # this will also apply to pods that have network policy defined
+    # so that we don't need to define DNS policy for each pod
+    - action: Allow
+      protocol: UDP
+      destination:
+        selector: 'k8s-app == "kube-dns"'
+        ports:
+          - 53
+    # nodelocaldns: https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/nodelocaldns/README.md#nodelocal-dns-cache
+    # IP from https://github.com/kubernetes-sigs/kubespray/blob/v2.24.1/roles/kubespray-defaults/defaults/main/main.yml#L108
+    - action: Allow
+      protocol: UDP
+      nets:
+        - 169.254.25.10/32
+      ports:
+        - 53
+    - action: Allow
+      protocol: TCP
+      destination:
+        selector: 'k8s-app == "kube-dns"'
+        ports:
+          - 53
+    - action: Allow
+      protocol: TCP
+      nets:
+        - 169.254.25.10/32
+      ports:
+        - 53

charts/portainer/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: portainer
+  repository: https://portainer.github.io/k8s/
+  version: 1.0.54
+digest: sha256:bafe4182881aee8c6df3d3c6f8c523a1bd7577bed04942ad3d9b857a5437d96f
+generated: "2025-07-29T11:07:15.39037387+02:00"