Add a pod to properly hide the metrics view

sbrunner · sbrunner · commit da23d5af516b · 2024-09-26T18:11:35.000+02:00
diff --git a/tests/expected.yaml b/tests/expected.yaml
@@ -2,6 +2,26 @@
 # Source: mapfish-print/charts/print/templates/pdb.yaml
 apiVersion: policy/v1
 kind: PodDisruptionBudget
+metadata:
+  name: example-print-not-allowed
+  labels:
+    helm.sh/chart: print
+    app.kubernetes.io/version: "1.0"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: print
+    app.kubernetes.io/instance: example
+    app.kubernetes.io/component: not-allowed
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: print
+      app.kubernetes.io/instance: example
+      app.kubernetes.io/component: not-allowed
+---
+# Source: mapfish-print/charts/print/templates/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
 metadata:
   name: example-print-print
   labels:
@@ -51,6 +71,8 @@ data:
   CHART_NAME: print
   RELEASE_NAME: example
   RELEASE_NAMESPACE: default
+  SERVICE_NOT-ALLOWED_NAME: example-print-not-allowed
+  SERVICE_NOT-ALLOWED_CONTAINER_NOT-ALLOWED_IMAGE_TAG: "master"
   SERVICE_PRINT_NAME: example-print-print
   SERVICE_PRINT_CONTAINER_JMX-EXPORTER_IMAGE_TAG: "0.18.0"
   SERVICE_PRINT_CONTAINER_PRINT_IMAGE_TAG: "3.30"
@@ -92,6 +114,30 @@ data:
 # Source: mapfish-print/charts/print/templates/service.yaml
 apiVersion: v1
 kind: Service
+metadata:
+  name: example-print-not-allowed
+  labels:
+    helm.sh/chart: print
+    app.kubernetes.io/version: "1.0"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: print
+    app.kubernetes.io/instance: example
+    app.kubernetes.io/component: not-allowed
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: http
+  selector:
+    app.kubernetes.io/name: print
+    app.kubernetes.io/instance: example
+    app.kubernetes.io/component: not-allowed
+---
+# Source: mapfish-print/charts/print/templates/service.yaml
+apiVersion: v1
+kind: Service
 metadata:
   name: example-print-print
   labels:
@@ -105,7 +151,7 @@ spec:
   type: ClusterIP
   ports:
     - name: http
-      port: 8080
+      port: 80
       protocol: TCP
       targetPort: http
   selector:
@@ -116,6 +162,79 @@ spec:
 # Source: mapfish-print/charts/print/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
+metadata:
+  name: example-print-not-allowed
+  labels:
+    helm.sh/chart: print
+    app.kubernetes.io/version: "1.0"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: print
+    app.kubernetes.io/instance: example
+    app.kubernetes.io/component: not-allowed
+spec:
+  revisionHistoryLimit: 3
+  strategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: print
+      app.kubernetes.io/instance: example
+      app.kubernetes.io/component: not-allowed
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: print
+        app.kubernetes.io/instance: example
+        app.kubernetes.io/component: not-allowed
+    spec:
+      imagePullSecrets:
+        - name: example-print-docker-registry
+      serviceAccountName: default
+      securityContext:
+        {}
+      containers:
+        - name: not-allowed
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 33
+          image: "camptocamp/maintenance@sha256:7cbddc1e17e422abc9d98781e9194a45f2c76f00dd8e4950c59bfc45f616f4a0"
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: "HEADLINE"
+              value: Not allowed
+            - name: "MESSAGE"
+              value: You are not allowed to see the metrics
+            - name: "RESPONSE_CODE"
+              value: 403 Forbidden
+            - name: "TITLE"
+              value: Not allowed
+          terminationMessagePolicy: FallbackToLogsOnError
+          resources:
+            limits:
+              cpu: 0.2
+              ephemeral-storage: 2Mi
+              memory: 5Mi
+            requests:
+              cpu: 0.1
+              ephemeral-storage: 1Mi
+              memory: 500Ki
+          volumeMounts:
+            - mountPath: /data
+              name: data
+
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+
+
+      volumes:
+        - name: data
+          emptyDir: {}
+---
+# Source: mapfish-print/charts/print/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
 metadata:
   name: example-print-print
   labels:
@@ -351,6 +470,13 @@ spec:
     - host: "print.example.com"
       http:
         paths:
+          - path: "/metrics"
+            pathType: Prefix
+            backend:
+              service:
+                name: example-print-not-allowed
+                port:
+                  number: 80
           - path: "/"
             pathType: Prefix
             backend:
@@ -381,6 +507,13 @@ spec:
     - host: "my-technical-url.example.com"
       http:
         paths:
+          - path: "/metrics"
+            pathType: Prefix
+            backend:
+              service:
+                name: example-print-not-allowed
+                port:
+                  number: 80
           - path: "/"
             pathType: Prefix
             backend:
diff --git a/values.yaml b/values.yaml
@@ -62,7 +62,7 @@ print:
         servicePort: 80
         ports:
           - name: http
-            port: 8080
+            port: 80
             protocol: TCP
             targetPort: http
 
@@ -272,3 +272,55 @@ print:
               memory: 2Gi
               cpu: '2'
               ephemeral-storage: 256Mi
+
+    not-allowed:
+      enabled: true
+
+      service:
+        type: ClusterIP
+        servicePort: 80
+        ports:
+          - name: http
+            port: 80
+            protocol: TCP
+            targetPort: http
+
+      ingress:
+        enabled: true
+        path: /metrics
+
+      containers:
+        not-allowed:
+          image:
+            repository: camptocamp/maintenance
+            tag: master
+            sha: 7cbddc1e17e422abc9d98781e9194a45f2c76f00dd8e4950c59bfc45f616f4a0 # Managed by update-image-hash script
+
+          env:
+            RESPONSE_CODE:
+              value: 403 Forbidden
+            TITLE:
+              value: Not allowed
+            HEADLINE:
+              value: Not allowed
+            MESSAGE:
+              value: You are not allowed to see the metrics
+          ports:
+            http:
+              containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            /data:
+              name: data
+          resources:
+            requests:
+              ephemeral-storage: 1Mi
+              memory: 500Ki
+              cpu: 0.1
+            limits:
+              ephemeral-storage: 2Mi
+              memory: 5Mi
+              cpu: 0.2
+      volumes:
+        data:
+          emptyDir: {}
