add network policy that allows access from prometheus
laserb committed Aug 12, 2021
1 parent b3e12f6 commit 2d9c471
Showing 2 changed files with 63 additions and 0 deletions.
4 changes: 4 additions & 0 deletions class/keycloak.yml
Expand Up @@ -15,6 +15,10 @@ parameters:
- keycloak/component/main.jsonnet
input_type: jsonnet
output_path: ${_instance}
- input_paths:
- keycloak/component/prometheus-netpol.jsonnet
input_type: jsonnet
output_path: ${_instance}
- output_path: ${_instance}/01_keycloak_helmchart
input_type: helm
output_type: yaml
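--- /dev/null
+++ b/component/prometheus-netpol.jsonnet
@@ -0,0 +1,59 @@
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local inv = kap.inventory();
+local params = inv.parameters.keycloak;
+
+local prometheus_namespace =
+if std.objectHas(inv.parameters, 'rancher_monitoring') then
+inv.parameters.rancher_monitoring.namespace
+else
+'syn-synsights';
+local prometheus_name = 'prometheus';
+
+local keycloak_namespace = params.namespace;
+local keycloak_name = params.release_name;
+
+local name = prometheus_name + '-' + prometheus_namespace + '-to-' + keycloak_name;
+
+local netpol =
+kube.NetworkPolicy(name) {
+metadata+: {
+namespace: keycloak_namespace,
+},
+spec+: {
+ingress: [
+{
+from: [
+{
+namespaceSelector: {
+matchLabels: {
+name: prometheus_namespace,
+},
+},
+podSelector: {
+matchLabels: {
+app: prometheus_name,
+},
+},
+},
+],
+ports: [
+{
+port: 9990,
+protocol: 'TCP',
+},
+],
+},
+],
+podSelector: {
+matchLabels: {
+'app.kubernetes.io/instance': keycloak_name,
+'app.kubernetes.io/name': keycloak_name,
+},
+},
+},
+};
+
+{
+'20_netpol': netpol,
+}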
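Review bot: The selectors in the `from` entry depend on labels this component does not establish: the monitoring namespace must carry `name: <prometheus_namespace>` and the Prometheus pods `app: prometheus`, and since the `name` namespace label is not applied automatically, a missing or differently-named label means the policy admits nothing and this is only noticed when scraping fails. If the target clusters run Kubernetes 1.21 or newer, the auto-populated `kubernetes.io/metadata.name` namespace label would remove the dependence on a hand-applied label. Port 9990 is the management interface port of the WildFly-based Keycloak image, presumably chosen because that distribution serves `/metrics` there; a NetworkPolicy cannot filter by path, so the rule admits the entire management interface to the selected pods, which is worth recording above `port: 9990` with `// 9990 is the WildFly management port (serves /metrics); the selected pods can reach the whole management interface, not only the metrics path.`. A matching comment on the `from` block, `// assumes the monitoring namespace is labelled name=<namespace> and Prometheus pods app=prometheus — verify against the rancher_monitoring deployment`, documents the label assumption for the next maintainer.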
