Merge pull request #49 from anthosz/netpol

Version 1.9.0

SECURITY.md

@@ -0,0 +1,180 @@
+# Security Policy
+
+Adapted from the [Gotenberg Security Policy](https://github.com/gotenberg/gotenberg/blob/main/SECURITY.md).
+
+## Supported Versions
+
+Please ensure to keep your environment up-to-date and use only the latest version of charts and images.
+
+Supported Kubernetes versions are listed in test workflow file [here](.github/workflows/test.yaml).
+
+## Reporting a Vulnerability
+
+We take all reports regarding security seriously.
+
+If you discover a security vulnerability, please refrain from publishing it publicly.
+Instead, kindly send us the details via email to _helm [at] maikumori [dot] com_.
+
+In the subject of your email, please indicate that it's a security vulnerability report for specific chart.
+In your message, please include:
+
+- A detailed description of the vulnerability.
+- The steps to reproduce the issue.
+- Any potential impact of the vulnerability on the users or system.
+
+If you wish to encrypt your message, you can use the following PGP key:
+
+```
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFPrhtIBEAC7opwKK/MqMS18Um2qlOl47jlNce/JqjkDV1Ctj3nxtXm/+5fe
+Wh2xmL63nOW8RjR/+TvleuEGu0PgtnsqtKP4W8ZJ/1dzrCgohM+w8Muhc50Vq3du
+gjIp1mhd7AA1JYAt2DxDGHFN3LiEsqkyVoqzknlw6Z7uEdHaqcs3Wf+3SLdIep8P
+jJGKsjB5n8PECefNyR/PyXRC1fj04F8p3OgMXnkaEP+mIceT4cTjt5h1wA/QL+OJ
+3P8zN2Zo2IJvCt3oLkP3+f3En74o1QZQVzvuZBM1nsW1LE2PeXw+77OG8//DBVCj
+OHNGR1Es+OLCFX1yYOsfJxOIfk7Cuc7sfqOjAA7GJ07+OvUep28VlZIiLi924agc
+pXRaJqV/D+X8LTpVX9qFcvf2FcuxIChIm+Lm0TWXlHdidilLay3ZOlcpd4COCA4V
+aW6Lisnowt0DUYZbq4D45euBrPEXTFeP4EKZYPLOmIioZspPAIWgaeLmgt3it3Qv
+j+kZLW2kI27BcpePqd+yaT5Hpt1BTwSutNjOY9q8vhsEC4bL4Ss6xZUG1ZYiJ+As
+OhRstXImQtClsaWYgSRp89mN2xYSZoQ6CV/Dz0c8dM4jnpGC1MBqFnLt+ION+Mbp
+VlWQgWSms2SV3IhTlrPX4MGmULaO1oVsIaUscrXQDajhG2ubBT6eXcj6nwARAQAB
+tDdNaWtzIEthbG5pxYbFoSAoTWFpa3UgTW9yaSkgPE1pa3NLYWxuaW5zQE1haWt1
+TW9yaS5jb20+iQI3BBMBCgAhBQJT64bSAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4B
+AheAAAoJEDFLsC8kSBv6DT8P/i2gR1SoplHPEBQUlqq5/JZrc4Ju0FKHxxmH0chj
+AQx1r5dCzHKuZGrS+olu9+w7elxTENb2de2U5+EJfOavXtE2NAJ4W8/h5ov9ELWn
+5vBktvp/DhpFpRQNd7mgYh/x9ocGCFmcc+ZjHF96U2WR2yBWlShVGarvQPxIWMVu
+s8kG+xu9exm7LFW//zZ6DJ5Jqq1LkFz82UrNs8er7q0DRJ1IHOusI0K1a17tz7lt
+LdcafXwUnSsJjovPEf2XeqFGBGc/bHfYD8uMNNDPWNfgbZgd3Rkx/Pm2lBvRvPOl
+2mOHvhj1Oi0hcc7D2cI0K5GF9Hj6QVALsdabuyyWaJ/aiLDtKmS+OY6jPRQbxRdu
+WBR2bg8sUbRZj0hSvm1+zVhXy0G1e6S8rzU3l4LTMM6cdOmCsVHT/Y8JCar8dCOW
+sAJJ07ZTbdiFt3FxbK2/48Vz5CvcnvP8sk9fExBmgU2cQf8/kRzKo3a1H9qYkBhT
+9QOpoEWGMAvPduMsq+PsK7sHiO3aLTeQz7jnhpGw7qGh9pvd25cSAXeVgNFz00pP
+MhHGzF8ulP9oU+D+8DRLifDlTwCjP4nwrpfR06+rLt9yiUdJTLkYy2Vfl9bUS/Xg
+ZYEeMKE34zK32syWt+70e93B8+AA9qk8I3hAR5yoo8YWXexVnI/y0rbJutetDXiu
+vVayuQINBFPrhtIBEADY1BJOdNQ0kcILRt4uDKkG8KG1RnFRPoQJN4RuWjmynxIO
+0UzNFH0zoIEa5pDTA05n1qPhPMtcvYVn6FJEhulQ0ZMp8iisYFp0X+XSw49EoBZG
+vSLPICeuhHtQzvlyKmOwFm+cd9uSTpMvHeeu13o4Xf8rPi93gzNkj+4eFSWdqkx+
+psOf313s8+YtvIRLmRZxuq+lAPUQj9DBg+WLwrQrX2AvyQ692WmCAvCinawSKeB+
+709oRx5Gq/rz7f26uixRuoGTjzl/1y5nDW/vIyS2uLPyUsrk5nRL4Qk/fkGoxGE1
+gMIpbzjs+vb1Pyevb5QC3X/arP4STeicb216zCtnKgKWOntwj+cYA9CkMtQcri8c
+250PqM8nddjw0gvY2IZW9jNyi6d83C0zlgPmbc+6tK+gu3ipkDXsAsm2Uh/GRxr+
+5xVoeYyMPxtExVimEwUplOmXr+0xThC+pzCBmQy6vNuDt78CD6+nwqRGMZdSj2ry
+O+UiGfE0g/Kichbhce/wh2PazrKAbChxiH7C4QmRION27Krh5c42am+/Pl9+9aeS
+VMvT7aSJC4R30i1nX+sCyn4vds0sggN8B3mZh98r/lL1aH/JuTEhNyhgSNi1KmXF
+ps0cbs5/92eymH5pCMvyv2H2hYbWN8cEx+iO8/y/aU9YdPgjdDgFTE/jAOUuEQAR
+AQABiQIfBBgBCgAJBQJT64bSAhsMAAoJEDFLsC8kSBv6WbIQALToz9/VVpVosM77
+f9NsxtGeUrO/qIXQHGDQAdplE1Bk8dSfv3j7Z1eC9m/Fs+AhlQ/NG6Fa0hu/RKU/
+SY0gMlh8vplqPiouwErXiRH1cYAHNhBtxlQiZM/ZjFANNCGL05bB/NPICqNhGYx9
+eI2JQd1xobv+ycANrhoxwm52NCg4ghTONoA0d9gPsUUOkpwvjb4hdJO3A6Rs2PBY
+EANUMEkr74pbuoDwLVRWrslXKEHVZpXOS9qzBJQ3/6/Mk0fl7+cIXrX663tWV4L3
+x3+eECXq2OyWyALzyhiY7lGrNENFBaf+c4DwEY+w1OskDUjw9XeHZIlCuFErsCtr
+ueq7wrKaTU8hgRxwjbU8MV68v068bn0XGvEG7jYeDTo/GgRh09jRKuXMb4v9SnIY
+DRLJfjWau4ggxwErsA+9Nc8g3zYrUYsEHESoBHMVbAM+csJdcnbYAaHobBmLQF5Y
+8WJat3cwXmb+Fot8mUmv8SAYjZm3MvHNBEHbypPdKezSJzUQr055LL5OQIGJAV76
+TyCgBsT3x4xM4AH4zo2HD7iDDmnexL6+izPDu3DYdfspA1+tGjCDbBotMCGZvY2s
+q+M8u2RK6As7kn00351xR/7wWn+qWUbEfqzlcT6w7wt/N4TeY4np84IRUKDaCy92
+5gAEHx3uZWf4GYnEYPi7weyOTBYquQINBFnV6o8BEAC4JQxQfP0Np6vBAbrjLhQt
+/B0F3To5YLqtg3o8h8GxGduT0TLMVhV+ahD8YGJCMABV9F7Y0MUted3sPWCA3BH2
+FJn3MqmRYo7RQ0MlvTtCQjMv/ASZEyD2cQZ3EGCBzvavkfmNiXD7N5XSHkPTCM2t
+xTXoVmdVRhEtGQkctajl2z9jsOEAivpN9083doVLoVd0NQ5o7L/2jrZESyi/3pvJ
+7o41Zcbu0VMztM3YT3sgp7WJQrVhEkzgZ+imB0TWbNAGI35IyPVDMxKKc98Hp28u
+jru6OQIJEHwgAsc3wHkbPI0UsRWAQkDDQtMHHmpQFE/XcX5QY9149dgtYibWsbRQ
+jxQm0EILpbXZxkAXk8bIWBnw8mlwV7bawFoW7PW8SgeP7UmAIf/0QXn44WLf1U2w
+uLCoBvtqG2D3tGnJdXR3LYzV7hj6+9jFKjGuPZcP2n2FZQZRQxQDE00CHTF5fzIX
+V3kSKFFIicF0b7iHY189zgkcsL44k4lDD2tucB3hIG+fKkmmyGnxcGqCs1qM5BKJ
+XwHjWAbkmfG7YRrWWBq+98hq/Twa8fqyGKQ954bU9/IjpxzzoTVFp1j8meWaw2OC
+sPS4pZWFASq6I4Tfne+eByULf0Kg3NpQrDhhtKNiOqXXV7kMg8sP5qfTjA+Bhft8
+YtOonXNe3/Y6yf90sxmQaQARAQABiQI2BCgBCAAgFiEEd1GhYiZFWhpcMCTPMUuw
+LyRIG/oFAlnWBvsCHQMACgkQMUuwLyRIG/qD0A/+PywocDkxaM+UKZdpN1FPIb7r
+cdh3/89JonWcBOBrMz8GDq+DXn9agLRQhtNuSOVvMAlS2XnSfgSUCpKPObKT4yYk
+lyJRYvr6CnmHIgGSbZSl9CLnqs4+lW0vLauheSstwqrdGMMdO5ncefqqiGfuMcDl
+oTrorpt86Jk+uAg6lE8CWbbNDALJ2Gm/yneQHAnj9SO5xZGXlpp9ed4F/DqXwllE
+302y16HDv70huLDs5NKeVMoxZSWPcgOJFu87JViq+IuAibGKdLVsdntPmgxVQCS0
++25b73N6TBmcMfNyoRx1pvjBVedxFh0o1vgmChfPWv2UefmIoGN1cmpumw0Iu+uq
+R6QSHaA2nyswmDpaw+v1St2A76TZ/XtMTJsxYr62mbcMVFE/k8VEtnq8CDAWmyAB
+JhToMy7UptuUNWw/h7Tu283W4kIJpDALB6p7c4A927pfF3+NRbPlELPx+pLFBTea
+nsLjDViBVGl8UAocQHMsM+TgPgLcVtRfMaoUnkmTrGHxNwAIfPR8Z92bbVUSGYu8
+9l+M0mV0ObWiuBCWE0Aw4yEQe0FdGDtu5QWtztvL7z8cpkptPQjdeIoLPVujLXNM
+ukPZCo/IlawFzWXKEV15W7Wb2p6V49RgN3CgTQQjPoDVaF0mwRAbf1/ij/jEaeOZ
+ZM9wsHdvRPziMVDIuNOJBHIEGAEIACYWIQR3UaFiJkVaGlwwJM8xS7AvJEgb+gUC
+WdXqjwIbAgUJAeEzgAJACRAxS7AvJEgb+sF0IAQZAQgAHRYhBPdyIzev3P27+VPY
+1sAP0hvqg0OqBQJZ1eqPAAoJEMAP0hvqg0Oq+XIP/jpPQQ62XaL2RN5/Jb+EDFGC
+gSY0zCM1YiJhnw5JIxi3QVMBQvcuLesMn1Sr6HSnWms8CFWUzqe4Z+jhGrRxO5xP
+SyOiQe9ndlQUwvfDHA/rGXQ6AhB3SuBFX0yFHPjZgNpGowoTIHWxS62wmQW5XCoE
+ui38hJnvJmZmDNcyHaYkFjegDOUwVubXzf0jZ3IMDhqZurx2NXYBDfScw4tKbH1l
+Yp36YhLjNSybXlTlBckmELqTd2ocxu2d/kzlq99DMSoOZPTFm4evp/+5j73hs0QR
+oa0eS5mRwa0mWkx6dJN9zE0yFPHtcJftLKcmwgo3wIXMpz7+niMfzEZEECMyBy4b
+O/o9niWeUQft7AaNW5O1kykOvIxDxeHiLEH6JGy03YxV+bsBT6RTq1xPZHF7FoTi
+C5Vr1cHunalfL7lNgxjIPdnuKkfN6Q0yvdAI1WRoSU9ARPuQEmQS8gvb3atI8fxl
+jaCjgOAZK5P3UU5cXf+BgIrIrJfZuCMRil3A9uEzqk34UD4nYXpSfIqaOI/6imCR
+SHAjrQhaT4PJ5RG2ONbmEYgkju/gi7LWFlDZ5vMDiXhRweJ5FtIWDCF+eZ5qWSKB
+PE44jtK2+Qqd93iLR97BB1JhgI72uwoqqpYBXsKd0f75J4H/v9rAVcsGMnMOO1+w
+FbtNRGy6O9O6ZBTnfMkf06YQAIIpcl+5TXqrRn97NfoJjn8OcP2GN1HZ+B8rMsho
+v4ZEvRULrCi31yOIU3OmAqtLW8BFRwlWCfZCA70G4Sn8jI/R+/nKgq7j03Mwt5v/
+NFWsYtTDFsrfq5x0EuaUWj7brFvvUAVZwYL9uBoANZyA0jMVb9wJyAo6h8t94hms
+unEYQDVXonToaBJAtSf+MmoxBHv7w1+dRj9g3u8Rm2bc7GinqL47cx4Meg6BGPqS
+FmDUkitW1H8pYI2jnfM7y1Kist+iHJs0X1at5Jqow+0VYq/UIB6k4/mJ4AFyj4A1
+TQIzNMbdMnKLi1MyNfD9hGZQhKEdsl9saIrmRDzuVeHZresVkhla5f5WJ4c0gl5u
+uNXHB8QXbDBzAwpg0i/VthZ3A8ecWCXvNF/diCEt1PEVt2mvcrwVNAdFIvq5sExs
+CfQI/zQTumAy6fYOFZ7n3Z2VVmQYTfwhl4KaRCKxcHGKmtuuOWPjHQzHNr0Ejrw8
+npdXAWxDJ8uwIZcJKVFEU8xAsDXgqoAS8Pz2MmNW7PLPAjNIsPLlZmxXP67U10sX
+tZXhNhk9tL6o90HZXw6fJ/hrrBLxQ7XSYit+qJLWe9k1VxJagMBEc1WLO31v74yR
+wB5vQgwDGaB+f7wCBmrPFSQS2TZ2vt9y3M/8Fv6DjUVODBeCE8x5rkVt3ocAsZ9P
+9QykuQINBFnV6IABEADEwcNJYmwLt2wqfUVchHrSTFMIKyN2L7202DK6bGApSeMU
+aISMlc+r+ETy8I1nmkqekc7peLs01MQwuPSxlTnYrIBZdSQMDXw856Z00xZO2BFI
+h9+VYxzD2WdS5oVHj/VyvmLX/jFVw1V3A4OVTPMWVLq5d5FZau0J1KgIbm243BTX
+RfhNAp5zs6zC6OcfQ+s8C9wXC5opKc9On2Z6JHXfAh7mOkucKaM7SM4W/6c6IAsW
+u4YayJLLiLMv2lbk7cUdf/SDN2/r9gQhrBNMOhHYX40L8lnPS/0Gbb2XQ7AURIvi
+DmIChFn/QNI/Flx8nM6KAwEwmaqmMhxPQmHILDeHbxsQgTd6Pp9K4GZocgUnhYw9
+b0linJcmx687ZoQFGgxNKrxNaJtnJ8W8LqIPa78qWFy3v5NCILsa2gOdwuk2kUzE
+beC29TYJOR+UstE0A2QEzRJFbrQGE/Bxun0sVmVHmSqAWkF5+k4cpbH4iifHeoV4
+T7+PFSXuDJ4At/PgsqvFTvZroL164UKsiOBuGfNknttAt94ys5XOKtoZtrd6r1Yv
+LCNkvpkLd8X0WeWhB+x0GyEn/8/+ngMslF+clIgq79OhiRdn5MbZ+ZD/OCa/B/qb
+XAI8xCX0UQk+qaeQLggunxgSYrrYZ461sqhrgD2grLlRx9ALZwB1Fm509VwGFwAR
+AQABiQI2BCgBCAAgFiEEd1GhYiZFWhpcMCTPMUuwLyRIG/oFAlnWBtwCHQMACgkQ
+MUuwLyRIG/ptcw//bIYykRf18DolYHPcYbmliKHUz575mgZKVuVRxd0kIJS7+enA
+L7geLVDI0BThKweMr2GWsQqcogWvYVYt+KXHe7zSECePB3HIw1w9CDbEBOhdQ+4s
+gy0xr0uC3MZVqcj1IL0cRGlMsNNarR7b6DiX0f45ad9Sw1rkzsC+O7sOSgZ+hxsJ
+OPX8Wej0exVn96g9fqQoztgRxUCMeTpXu2yNexdpob7B4vfa2zraY+FssrfZIpwj
+CNIQEsOusyr0g+gHrF5KdZ51ux2ZmH3lZ7+NwNylzOWtz2mmNtOBjBad6KpQdmXP
+y2q8TPbLpzy8G76gf3tbF2ZUXZ9KLUz3CW/+i5fbYEaBiAjmMyq5zEPQMQ3EliZ+
+HnRtxceW4weCJ7A4K18AIssMx3OechoPHOwPHFtPlrVk7RGbcmp9RZX8H5SPikD7
+/9Sim9eSc7tfcpXDY88BCMEGsXrWIGNrMNTZmhHmapd+gJKeybt8aq3MyVOEpdFH
+AZW42NsY/lGR7yU9cAHmBTqj2MfCgfehH517NoY3AUFets48S7jSGkU8qPig7ZzD
+msFtECSoyXoeTHzaNBWtTWnkjxOQ2mEMLSx0CYXsn/yPV+N5mBiyGip8/rNtrzar
+xIAWv73D/l8wvdNQyTgrFXsZewFz8xuFaTkHxii5nHk4KxYizjSngIpm9n2JAjwE
+GAEIACYWIQR3UaFiJkVaGlwwJM8xS7AvJEgb+gUCWdXogAIbDAUJAeEzgAAKCRAx
+S7AvJEgb+gFOD/9xvtXQXpEJlvpQYsq5tSyNEb8ZxwutsDnKKXLnbsgV0eQ6UwRq
+/Qdh28YUOJk8iNmlxQJhGH3hBKJBN5nM6Q2JPQCJDisqX0rVASIbTFW8hdKlZO2w
+GdjAU+AY60+UKJeLeGn10qse7f+TrQt3px/owvf1TCuy0xjUg2LxZLTkWCFqzXRg
+ip3IENN5qpNl5mhjuiOD27lOuNqF7QGTI9E7JakMK8w5yJ20XYHbAl9+HInQyjHJ
+XY01/vftWLFokulo4BP+mDOtBax27hN9tPtYCFP2mLHnRe018Ee9mn7FOYHUHpM5
+lxPCII7hI2jPGQfMDRVQEs1ieeum90gxfU9aT+wu0bT9afpE1q2Mh3FJUs3bsIoi
+p9zv20SEsKZ1h3OIBZfmc4ddtm60PHfPIDbUVSWYmAK7Lt3yQpZU9U6mmrCWktmr
+ka5Vu4rzuJmJmhQdhVe3A4OZWbUuzWePNs2XX4G20d1nr6K7TO1h/qNXvNZYD9EF
+HRInXT5PxDJOcPoekrXVrRJfmUtkdodhQWTous19ISis8E0NeAoHLSbI/jAeWo6D
+wfjkPcAvMrVYN+jDDq3HbfYIt5b5SFMxKlCt/5hCxLlwNrwfMStBMH1gNw6vie1W
+X12iC+N/xiBDy2lHW7VdolYEUJF2ap9JvyHPd727h8u+QaiOKeSkb4eLFw==
+=hTGE
+-----END PGP PUBLIC KEY BLOCK-----
+```
+
+Please remember that this process is done in a _'best-effort'_ manner.
+This means we strive to respond and act as quickly as possible, but the speed may vary depending on the severity of
+the issue and our resources.
+
+Thank you in advance for helping to keep our project safe!
+
+## Disclosure Policy
+
+Once we have received your vulnerability report, we will work to validate and reproduce the issue.
+If we can confirm the vulnerability, we will proceed to:
+
+- Work on a fix and a release timeline.
+- Notify you when the fix has been implemented and released.
+- Credit you for discovering the vulnerability (unless you request anonymity).
+- Please note that we will do our best to keep you informed about the progress towards resolving the issue.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved, please submit a pull request.

charts/gotenberg/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 1.9.0
+
+- Add ability to create and configure `networkPolicy` (Thanks to Anthony | [@anthosz](https://github.com/anthosz))
+- Add [SECURITY.md](../../SECURITY.md).
+- Add `testPodAnnotations` (Thanks to Anthony | [@anthosz](https://github.com/anthosz))
+
 ## 1.8.0
 
 - Bump `gotenberg` version `8.9.11` -> `8.12.0`.

charts/gotenberg/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "1.8.0"
+version: "1.9.0"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/gotenberg/README.md

@@ -1,7 +1,7 @@
 # Gotenberg
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/gotenberg)](https://artifacthub.io/packages/helm/maikumori/gotenberg)
-![Version: 1.8.0](https://img.shields.io/badge/Version-1.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 8.12.0](https://img.shields.io/badge/AppVersion-8.12.0-informational?style=flat-square)
+![Version: 1.9.0](https://img.shields.io/badge/Version-1.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 8.12.0](https://img.shields.io/badge/AppVersion-8.12.0-informational?style=flat-square)
 
 This is a HELM chart for Gotenberg.
 
@@ -115,6 +115,11 @@ helm upgrade my-release maikumori/gotenberg --install
 | metrics.serviceMonitor.relabelings | list | `[]` | List of relabel configs to apply to samples before scraping |
 | metrics.serviceMonitor.scrapeTimeout | string | `nil` | Timeout after which the scrape is ended |
 | nameOverride | string | `""` |  |
+| networkPolicy.allowEgress | bool | `true` |  |
+| networkPolicy.allowIngress | bool | `true` |  |
+| networkPolicy.enabled | bool | `false` |  |
+| networkPolicy.extraEgress | list | `[]` |  |
+| networkPolicy.extraIngress | list | `[]` |  |
 | nodeSelector | object | `{}` |  |
 | pdb.create | bool | `false` |  |
 | pdb.maxUnavailable | string | `""` |  |

charts/gotenberg/templates/networkpolicy.yaml

@@ -0,0 +1,27 @@
+{{- if and .Values.networkPolicy .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "gotenberg.fullname" . }}
+  labels:
+    {{- include "gotenberg.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "gotenberg.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+{{- if .Values.networkPolicy.allowIngress }}
+  - {}
+{{- else }}
+  {{- toYaml .Values.networkPolicy.extraIngress | nindent 2 }}
+{{- end }}
+  egress:
+{{- if .Values.networkPolicy.allowEgress }}
+  - {}
+{{- else }}
+  {{- toYaml .Values.networkPolicy.extraEgress | nindent 2 }}
+{{- end }}
+{{- end }}

charts/gotenberg/templates/tests/test-connection.yaml

@@ -6,6 +6,9 @@ metadata:
     {{- include "gotenberg.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": test
+    {{- with .Values.testPodAnnotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   containers:
     - name: wget

charts/gotenberg/values.schema.json

@@ -50,6 +50,9 @@
         "nameOverride": {
           "$ref": "#/$defs/helm-values.nameOverride"
         },
+        "networkPolicy": {
+          "$ref": "#/$defs/helm-values.networkPolicy"
+        },
         "nodeSelector": {
           "$ref": "#/$defs/helm-values.nodeSelector"
         },
@@ -92,6 +95,9 @@
         "strategy": {
           "$ref": "#/$defs/helm-values.strategy"
         },
+        "testPodAnnotations": {
+          "$ref": "#/$defs/helm-values.testPodAnnotations"
+        },
         "tolerations": {
           "$ref": "#/$defs/helm-values.tolerations"
         },
@@ -686,6 +692,53 @@
       "type": "string",
       "default": ""
     },
+    "helm-values.networkPolicy": {
+      "type": "object",
+      "properties": {
+        "allowEgress": {
+          "$ref": "#/$defs/helm-values.networkPolicy.allowEgress"
+        },
+        "allowIngress": {
+          "$ref": "#/$defs/helm-values.networkPolicy.allowIngress"
+        },
+        "enabled": {
+          "$ref": "#/$defs/helm-values.networkPolicy.enabled"
+        },
+        "extraEgress": {
+          "$ref": "#/$defs/helm-values.networkPolicy.extraEgress"
+        },
+        "extraIngress": {
+          "$ref": "#/$defs/helm-values.networkPolicy.extraIngress"
+        }
+      },
+      "additionalProperties": false
+    },
+    "helm-values.networkPolicy.allowEgress": {
+      "description": "Allow all connections to any destinations. To be set to false if extraEgress is used.",
+      "type": "boolean",
+      "default": true
+    },
+    "helm-values.networkPolicy.allowIngress": {
+      "description": "Allow all connections from any source. To be set to false if extraIngress is used.",
+      "type": "boolean",
+      "default": true
+    },
+    "helm-values.networkPolicy.enabled": {
+      "type": "boolean",
+      "default": false
+    },
+    "helm-values.networkPolicy.extraEgress": {
+      "description": "extraIngress:\n  - from:\n    - podSelector:\n        matchLabels:\n          component: apache\n    ports:\n    - port: 8080\n      protocol: TCP\nConfig custom egress rules to the NetworkPolicy.",
+      "type": "array",
+      "default": [],
+      "items": {}
+    },
+    "helm-values.networkPolicy.extraIngress": {
+      "description": "Config custom ingress rules to the NetworkPolicy.",
+      "type": "array",
+      "default": [],
+      "items": {}
+    },
     "helm-values.nodeSelector": {
       "type": "object",
       "default": {}
@@ -876,6 +929,11 @@
       "type": "object",
       "default": {}
     },
+    "helm-values.testPodAnnotations": {
+      "description": "-- Set annotations for the helm test pods (for example to disable certain kube-score checks)",
+      "type": "object",
+      "default": {}
+    },
     "helm-values.tolerations": {
       "type": "array",
       "default": [],

charts/gotenberg/values.yaml

@@ -25,6 +25,9 @@ serviceAccount:
 
 podAnnotations: {}
 
+# -- Set annotations for the helm test pods (for example to disable certain kube-score checks)
+testPodAnnotations: {}
+
 # -- List of additional pod labels
 podLabels: {}
 
@@ -286,3 +289,34 @@ metrics:
     annotations: {}
     # -- Additional labels for the service monitor
     labels: {}
+
+# Enable or Disable Network Policy.
+# See also: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+networkPolicy:
+  enabled: false
+
+  # Allow all connections from any source. To be set to false if extraIngress is used.
+  allowIngress: true
+
+  # Allow all connections to any destinations. To be set to false if extraEgress is used.
+  allowEgress: true
+  # Config custom ingress rules to the NetworkPolicy.
+  extraIngress: []
+  # extraIngress:
+  #   - from:
+  #     - podSelector:
+  #         matchLabels:
+  #           component: apache
+  #     ports:
+  #     - port: 8080
+  #       protocol: TCP
+  # Config custom egress rules to the NetworkPolicy.
+  extraEgress: []
+  # extraEgress:
+  #   - to:
+  #     - podSelector:
+  #         matchLabels:
+  #           component: apache
+  #     ports:
+  #     - port: 80
+  #       protocol: TCP