From 57932441419f795dc25e723d3fad93f8b76d122e Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Sun, 18 Feb 2024 21:09:09 +0100
Subject: [PATCH] fix: misc attempts at fixing UR loops in kyverno
---
 .../allow-atlantis-external-services.yaml | 16 +++
 ...{cnp.yaml => allow-atlantis-services.yaml} | 17 ---
 .../host-manifests/sync-rabbitmq-secrets.yaml | 4 +-
 .../allow-namespace-traffic.yaml | 15 ++
 .../sync-oceanbox-regcred.yaml | 36 +++++
 .../allow-vcluster-atlantis-services.yaml | 17 +--
 .../chart/templates/generate-cnp-rules.yaml | 12 +-
 .../sync-vcluster-atlantis-secrets.yaml | 132 +++++++++--------
 8 files changed, 148 insertions(+), 101 deletions(-)
 create mode 100644 resources/atlantis/host-manifests/allow-atlantis-external-services.yaml
 rename resources/atlantis/host-manifests/{cnp.yaml => allow-atlantis-services.yaml} (56%)
 create mode 100644 resources/oceanbox-cluster/allow-namespace-traffic.yaml
 create mode 100644 resources/oceanbox-cluster/sync-oceanbox-regcred.yaml
diff --git a/resources/atlantis/host-manifests/allow-atlantis-external-services.yaml b/resources/atlantis/host-manifests/allow-atlantis-external-services.yaml
new file mode 100644
index 00000000..14f7b9d0
--- /dev/null
+++ b/resources/atlantis/host-manifests/allow-atlantis-external-services.yaml
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-atlantis-external-services
+ namespace: atlantis
+spec:
+ egress:
+ - toFQDNs:
+ - matchName: api.github.com
+ - matchName: dapr.github.io
+ - matchName: gitlab.com
+ - matchPattern: '*.gitlab.com'
+ - matchPattern: "*.k1.itpartner.no"
+ - matchName: analytics.loft.rocks
+ endpointSelector:
+ matchLabels: {}
diff --git a/resources/atlantis/host-manifests/cnp.yaml b/resources/atlantis/host-manifests/allow-atlantis-services.yaml
similarity index 56%
rename from resources/atlantis/host-manifests/cnp.yaml
rename to resources/atlantis/host-manifests/allow-atlantis-services.yaml
index 3d534c5d..93c72923 100644
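Review bot: `endpointSelector: matchLabels: {}` selects every pod in the atlantis namespace, and once an egress rule selects a pod Cilium puts it into egress default-deny, so anything not in this FQDN list (kube-dns, the kube-apiserver, git over SSH) is blocked unless another policy in the namespace allows it. For `toFQDNs` to work at all Cilium also has to observe DNS traffic through an L7 DNS rule (a `toEndpoints` rule for the cluster DNS pods with `toPorts` and `rules: dns: - matchPattern: "*"`), which this file does not carry; if that lives in a sibling policy, a comment pointing at it would save the next reader a debugging session. The same all-pods selector, with both ingress and egress rules, appears in the new allow-namespace-traffic.yaml, which confines every pod in its namespace to argocd in both directions.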
--- a/resources/atlantis/host-manifests/cnp.yaml
+++ b/resources/atlantis/host-manifests/allow-atlantis-services.yaml
@@ -1,22 +1,5 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
-metadata:
- name: allow-external-services
- namespace: atlantis
-spec:
- egress:
- - toFQDNs:
- - matchName: api.github.com
- - matchName: dapr.github.io
- - matchName: gitlab.com
- - matchPattern: '*.gitlab.com'
- - matchPattern: "*.k1.itpartner.no"
- - matchName: analytics.loft.rocks
- endpointSelector:
- matchLabels: {}
----
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
 metadata:
 name: allow-atlantis-services
 namespace: atlantis
diff --git a/resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml b/resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml
index 6eb40961..6ce9a79c 100644
--- a/resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml
+++ b/resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml
@@ -1,12 +1,12 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
- name: sync-rabbitmq-secret
+ name: sync-rabbitmq-secrets
 spec:
 background: true
 generateExisting: true
 rules:
- - name: sync-rabbitmq-secret
+ - name: sync-prod-rabbitmq-secret
 generate:
 apiVersion: v1
 kind: Secret
diff --git a/resources/oceanbox-cluster/allow-namespace-traffic.yaml b/resources/oceanbox-cluster/allow-namespace-traffic.yaml
new file mode 100644
index 00000000..0e32a3a8
--- /dev/null
+++ b/resources/oceanbox-cluster/allow-namespace-traffic.yaml
@@ -0,0 +1,15 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: "allow-namespace-traffic"
+specs:
+ - endpointSelector:
+ matchLabels: {}
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ "k8s:io.kubernetes.pod.namespace": argocd
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ "k8s:io.kubernetes.pod.namespace": argocd
diff --git a/resources/oceanbox-cluster/sync-oceanbox-regcred.yaml b/resources/oceanbox-cluster/sync-oceanbox-regcred.yaml
new file mode 100644
index 00000000..1bb8b0d0
--- /dev/null
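Review bot: Renaming `allow-external-services` to `allow-atlantis-external-services` creates a new CiliumNetworkPolicy while the object under the old name stays in the cluster until something prunes it; for an additive allow rule that is only clutter, but it deserves a cleanup step. The same pattern has more consequence in sync-rabbitmq-secrets.yaml below, where the ClusterPolicy `sync-rabbitmq-secret` becomes `sync-rabbitmq-secrets` and its rule `sync-prod-rabbitmq-secret`: if the old policy is not deleted, two generate rules may keep synchronizing the same Secret, which is one plausible source of the UpdateRequest churn this commit is chasing. Likewise in generate-cnp-rules.yaml, where policy, rule and generated CNP all gain `{{ $name }}`, the `allow-vcluster-apiserver-access` objects already generated under the old name are left to the old policy's lifecycle; a note in the commit message on how the old objects are removed would make the fix verifiable.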
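Review bot: allow-namespace-traffic.yaml carries no `metadata.namespace`, so which namespace it locks down depends entirely on what the applying tool supplies (the Argo CD destination namespace, or `kubectl -n`); since it selects every pod in that namespace in both directions, a mis-targeted apply isolates the wrong namespace. Stating the namespace explicitly, or at least a top-of-file comment naming the intended one, would make the blast radius visible in review.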
+++ b/resources/oceanbox-cluster/sync-oceanbox-regcred.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/description: 'Secrets like registry credentials often need
+ to exist in multiple Namespaces so Pods there have access. Manually duplicating
+ those Secrets is time consuming and error prone. This policy will copy a Secret
+ called `regcred` which exists in the `default` Namespace to new Namespaces when
+ they are created. It will also push updates to the copied Secrets should the
+ source Secret be changed. '
+ creationTimestamp: "2024-01-15T11:58:24Z"
+ name: sync-oceanbox-regcred
+spec:
+ admission: true
+ background: true
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ # name: oceanbox-regcred
+ name: gitlab-pull-secret
+ namespace: default
+ kind: Secret
+ # name: oceanbox-regcred
+ name: gitlab-pull-secret
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ match:
+ resources:
+ kinds:
+ - Namespace
+ name: sync-image-pull-secret
+ # skipBackgroundRequests: true
+ # validationFailureAction: audit
+
diff --git a/vcluster/chart/templates/allow-vcluster-atlantis-services.yaml b/vcluster/chart/templates/allow-vcluster-atlantis-services.yaml
index 77edc569..565f8f5b 100644
--- a/vcluster/chart/templates/allow-vcluster-atlantis-services.yaml
+++ b/vcluster/chart/templates/allow-vcluster-atlantis-services.yaml
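Review bot: The rule matches every `Namespace` with no `exclude`, so `gitlab-pull-secret` from `default` is cloned into every namespace that gets created, including system namespaces and any per-tenant vcluster namespaces; an `exclude` for the kube-* namespaces or a namespace label selector for workloads that actually pull from that registry keeps the credential's spread to what needs it. `creationTimestamp: "2024-01-15T11:58:24Z"` is server-populated metadata carried over from a `kubectl get -o yaml` export and does not belong in a committed manifest, where it is at best ignored and at worst a perpetual diff for GitOps tooling. The description annotation still describes a Secret named `regcred`, `policies.kyverno.io/category` is still `Sample`, and the `# name: oceanbox-regcred` lines and trailing commented keys are leftovers; rewording the description to name `gitlab-pull-secret` and dropping the dead comments would keep the annotation truthful.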
@@ -11,18 +11,19 @@ spec:
 generate:
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
- name: allow-atlantis-services
+ name: "allow-{{ $name }}-atlantis-services"
 namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
 synchronize: true
 clone:
 namespace: atlantis
 name: allow-atlantis-services
 match:
- resources:
- kinds:
- - Namespace
- names:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ names:
 - "vcluster-009dba7e-*"
- selector:
- matchLabels:
- vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
+ selector:
+ matchLabels:
+ vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
diff --git a/vcluster/chart/templates/generate-cnp-rules.yaml b/vcluster/chart/templates/generate-cnp-rules.yaml
index f6a3b2b7..93d29740 100644
--- a/vcluster/chart/templates/generate-cnp-rules.yaml
+++ b/vcluster/chart/templates/generate-cnp-rules.yaml
@@ -1,5 +1,5 @@
 {{- $fullname := include "vCluster.fullname" . -}}
-{{- $name := include "vCluster.fullname" . -}}
+{{- $name := include "vCluster.releaseName" . -}}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@@ -9,23 +9,20 @@ metadata:
 policies.kyverno.io/minversion: 1.7.0
 policies.kyverno.io/subject: Namespace, NetworkPolicy
 policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
- name: generate-vcluster-apiserver-networkpolicy
+ name: generate-{{ $name }}-vcluster-apiserver-networkpolicy
 namespace: {{ .Release.Namespace }}
 spec:
 background: true
 generateExisting: true
 rules:
- - name: generate-vcluster-apiserver-networkpolicy
+ - name: generate-{{ $name }}-vcluster-apiserver-networkpolicy
 generate:
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
- name: allow-vcluster-apiserver-access
+ name: allow-{{ $name }}-vcluster-apiserver-access
 namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
 synchronize: true
 data:
- metadata:
- labels:
- created-by: kyverno
 spec:
 description: Allow egress to vcluster kube-apiserver
 egress:
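Review bot: The new generate name `"allow-{{ $name }}-atlantis-services"` relies on `$name`, but the head of this template is outside the hunk; unless it declares the variable the way generate-cnp-rules.yaml does with `{{- $name := include "vCluster.releaseName" . -}}`, Helm aborts the render with an undefined-variable error. In the restructured `match`, Kyverno expects `selector` under `match.any[].resources` next to `kinds` and `names`; the indentation is not recoverable from this view, and the `- "vcluster-009dba7e-*"` item is a context line even though `names:` moved two levels deeper, so confirm the rendered YAML nests `selector` inside `resources` rather than as its sibling, where it would be rejected by schema validation or ignored and the rule would match on `names` alone. The hard-coded `vcluster-009dba7e-*` namespace glob inside a chart template would also read better as a value with a comment explaining which cluster it identifies.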
@@ -50,4 +47,3 @@ spec:
 selector:
 matchLabels:
 vcluster.loft.sh/vcluster-name: {{ $fullname }}
-
diff --git a/vcluster/chart/templates/sync-vcluster-atlantis-secrets.yaml b/vcluster/chart/templates/sync-vcluster-atlantis-secrets.yaml
index 28e8565d..4356b008 100644
--- a/vcluster/chart/templates/sync-vcluster-atlantis-secrets.yaml
+++ b/vcluster/chart/templates/sync-vcluster-atlantis-secrets.yaml
@@ -1,66 +1,66 @@
-{{- $name := include "vCluster.releaseName" . -}}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: "sync-{{ $name }}-vcluster-secrets"
-spec:
- background: true
- generateExisting: true
- rules:
- - name: sync-rabbitmq-secrets
- generate:
- apiVersion: v1
- kind: Secret
- name: staging-rabbitmq
- namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
- synchronize: true
- clone:
- namespace: rabbitmq
- name: staging-rabbitmq
- match:
- resources:
- kinds:
- - Namespace
- names:
- - "vcluster-009dba7e-*"
- selector:
- matchLabels:
- vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
- - name: sync-redis-secrets
- generate:
- apiVersion: v1
- kind: Secret
- name: staging-redis
- namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
- synchronize: true
- clone:
- namespace: redis
- name: staging-redis
- match:
- resources:
- kinds:
- - Namespace
- names:
- - "vcluster-009dba7e-*"
- selector:
- matchLabels:
- vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
- - name: sync-archmeister-superuser
- generate:
- apiVersion: v1
- kind: Secret
- name: '{{ $name }}-archmeister-app'
- namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
- synchronize: true
- clone:
- namespace: '{{ .Release.Namespace }}'
- name: '{{ $name }}-archmeister-superuser'
- match:
- resources:
- kinds:
- - Namespace
- names:
- - "vcluster-009dba7e-*"
- selector:
- matchLabels:
- vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
+# {{- $name := include "vCluster.releaseName" . -}}
+# apiVersion: kyverno.io/v1
+# kind: ClusterPolicy
+# metadata:
+# name: "sync-{{ $name }}-vcluster-secrets"
+# spec:
+# background: true
+# generateExisting: true
+# rules:
+# - name: sync-rabbitmq-secrets
+# generate:
+# apiVersion: v1
+# kind: Secret
+# name: staging-rabbitmq
+# namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
+# synchronize: true
+# clone:
+# namespace: rabbitmq
+# name: staging-rabbitmq
+# match:
+# resources:
+# kinds:
+# - Namespace
+# names:
+# - "vcluster-009dba7e-*"
+# selector:
+# matchLabels:
+# vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
+# - name: sync-redis-secrets
+# generate:
+# apiVersion: v1
+# kind: Secret
+# name: staging-redis
+# namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
+# synchronize: true
+# clone:
+# namespace: redis
+# name: staging-redis
+# match:
+# resources:
+# kinds:
+# - Namespace
+# names:
+# - "vcluster-009dba7e-*"
+# selector:
+# matchLabels:
+# vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
+# - name: sync-archmeister-superuser
+# generate:
+# apiVersion: v1
+# kind: Secret
+# name: '{{ $name }}-archmeister-app'
+# namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
+# synchronize: true
+# clone:
+# namespace: '{{ .Release.Namespace }}'
+# name: '{{ $name }}-archmeister-superuser'
+# match:
+# resources:
+# kinds:
+# - Namespace
+# names:
+# - "vcluster-009dba7e-*"
+# selector:
+# matchLabels:
+# vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
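Review bot: Prefixing every line with `#` does not stop Helm from evaluating this template: the `{{ ... }}` actions inside the YAML comments (`include "vCluster.releaseName"`, `.Release.Namespace`, `printf ... | quote`) still run at render time, and the `{{-`/`-}}` trimming on the first line joins it with the next one, so the file still has to template cleanly to be a no-op. If the intent is to disable the policy, a Go-template comment `{{- /* ... */ -}}` around the body or deleting the file (git history keeps it) says so unambiguously; if it is meant to come back, a one-line comment at the top stating why it is disabled and what replaces it would help the next reader. Worth recording as well that this policy was what distributed the `staging-rabbitmq`, `staging-redis` and archmeister superuser Secrets into the vcluster namespaces, so whatever now provides them to those namespaces should be named.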