From 61379ad66584a5ec3bbf00f6f8339a2bc879414e Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Wed, 9 Oct 2024 14:07:23 +0200
Subject: [PATCH] fix: update vcluster adn remove kyverno policies

---
 .../templates/allow-external-services.yaml | 4 +-
 charts/vcluster/templates/cnpg.yaml | 4 +-
 .../allow-vcluster-apiserver.yaml | 49 --------------
 .../sync-vcluster-atlantis-secrets.yaml | 66 -------------------
 .../sync-vcluster-oceanbox-regcred.yaml | 40 -----------
 charts/vcluster/templates/vcluster.yaml | 22 ++-----
 .../add-ingress-whitelist.yaml | 0
 .../remove-argocd-tracking-id.yaml | 0
 .../sync-atlantis-secrets.yaml | 0
 .../network-policies}/allow-ceph-egress.yaml | 0
 .../allow-idp-external-access.yaml | 0
 11 files changed, 9 insertions(+), 176 deletions(-)
 delete mode 100644 charts/vcluster/templates/kyverno-policies/allow-vcluster-apiserver.yaml
 delete mode 100644 charts/vcluster/templates/kyverno-policies/sync-vcluster-atlantis-secrets.yaml
 delete mode 100644 charts/vcluster/templates/kyverno-policies/sync-vcluster-oceanbox-regcred.yaml
 rename resources/{atlantis => oceanbox-cluster/kyverno-policies}/add-ingress-whitelist.yaml (100%)
 rename resources/{atlantis => oceanbox-cluster/kyverno-policies}/remove-argocd-tracking-id.yaml (100%)
 rename resources/{atlantis => oceanbox-cluster/kyverno-policies}/sync-atlantis-secrets.yaml (100%)
 rename resources/{ => oceanbox-cluster/network-policies}/allow-ceph-egress.yaml (100%)
 rename resources/{atlantis => oceanbox-cluster/network-policies}/allow-idp-external-access.yaml (100%)

diff --git a/charts/vcluster/templates/allow-external-services.yaml b/charts/vcluster/templates/allow-external-services.yaml
index 8f5e3a4f..71ae08cd 100644
--- a/charts/vcluster/templates/allow-external-services.yaml
+++ b/charts/vcluster/templates/allow-external-services.yaml
@@ -6,9 +6,9 @@ metadata:
 spec:
 egress:
 - toFQDNs:
- - matchName: api.github.com
 - matchName: dapr.github.io
- - matchName: gitlab.com
 - matchName: analytics.loft.rocks
+ # - matchName: gitlab.com
+ # - matchName: api.github.com
 endpointSelector:
 matchLabels: {}
diff --git a/charts/vcluster/templates/cnpg.yaml b/charts/vcluster/templates/cnpg.yaml
index 02c0e5d0..f497170c 100644
--- a/charts/vcluster/templates/cnpg.yaml
+++ b/charts/vcluster/templates/cnpg.yaml
@@ -24,7 +24,7 @@ spec:
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
- name: staging-archmeister
+ name: {{ $name }}-archmaester
 namespace: {{ .Release.Namespace }}
 annotations:
 linkerd.io/inject: disabled
@@ -54,7 +54,7 @@ spec:
 externalClusters:
 - name: prod-archmeister
 connectionParameters:
- host: prod-archmeister-rw.atlantis.svc
+ host: prod-archmeister-rw.atlantis
 user: streaming_replica
 sslmode: verify-full
 sslKey:
diff --git a/charts/vcluster/templates/kyverno-policies/allow-vcluster-apiserver.yaml b/charts/vcluster/templates/kyverno-policies/allow-vcluster-apiserver.yaml
deleted file mode 100644
index cb883589..00000000
--- a/charts/vcluster/templates/kyverno-policies/allow-vcluster-apiserver.yaml
+++ /dev/null
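Review bot: The removed `api.github.com` and `gitlab.com` entries survive as commented-out lines with no reason attached, so a reader cannot tell whether that egress is now blocked on purpose or is expected to come from another policy; either drop the comments or replace them with something like `# github.com/gitlab.com egress deliberately removed from the namespace-wide allow-list; grant it per workload if a pod needs it`. Because this policy's `endpointSelector` is `matchLabels: {}`, the remaining FQDN list applies to every endpoint in the namespace, so each surviving name is a namespace-wide grant; `analytics.loft.rocks` looks like vendor telemetry, and if that traffic is not wanted, disabling telemetry in the vcluster values is cleaner than allowing it here. Cilium `toFQDNs` rules only match once DNS answers pass through the DNS proxy, which needs an egress rule to kube-dns with a `rules.dns` section; that rule, if present, lies outside this hunk and is worth confirming.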
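Review bot: The cluster is renamed to `{{ $name }}-archmaester` while the replication source in the next hunk stays `prod-archmeister`, so the file now carries two spellings of the same name; if the prod cluster really keeps the old spelling, a comment on the `externalClusters` entry such as `# prod source keeps the legacy "archmeister" spelling; do not "fix" it` stops someone from breaking replication by normalising it. `$name` is referenced here but assigned outside the hunk, so that definition has to precede this line in the template (not visible from here). The enclosing resource starts before and ends after this hunk.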
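Review bot: With `sslmode: verify-full` (context line just below) the string in `host:` must appear in the source cluster's server-certificate SANs, and this hunk shortens it from `prod-archmeister-rw.atlantis.svc` to `prod-archmeister-rw.atlantis`; CloudNativePG normally issues the `-rw` service certificate with the short, namespaced and `.svc` forms, but a mismatch only surfaces when replication is first attempted, so confirm the shortened form validates before relying on it. Keep `verify-full` as it is: dropping to `require` would silently accept any certificate on the cross-namespace replica stream. The `externalClusters` entry continues outside the hunk.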
@@ -1,49 +0,0 @@
-{{- $fullname := include "vCluster.fullname" . -}}
-{{- $name := include "vCluster.releaseName" . -}}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- annotations:
- kyverno.io/kyverno-version: 1.7.0
- policies.kyverno.io/description: Allow egress to vcluster kube-apiserver
- policies.kyverno.io/minversion: 1.7.0
- policies.kyverno.io/subject: Namespace, NetworkPolicy
- policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
- name: allow-{{ $name }}-vcluster-apiserver
- namespace: {{ .Release.Namespace }}
-spec:
- background: true
- generateExisting: true
- rules:
- - name: allow-{{ $name }}-vcluster-apiserver
- generate:
- apiVersion: cilium.io/v2
- kind: CiliumNetworkPolicy
- name: allow-{{ $name }}-vcluster-apiserver-access
- namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
- synchronize: true
- data:
- spec:
- description: Allow egress to vcluster kube-apiserver
- egress:
- - toEndpoints:
- - matchLabels:
- app: vcluster
- toPorts:
- - ports:
- - port: "443"
- protocol: TCP
- endpointSelector: {}
- match:
- any:
- - resources:
- kinds:
- - Namespace
- names:
- - {{ $fullname }}
- - resources:
- kinds:
- - Namespace
- selector:
- matchLabels:
- vcluster.loft.sh/vcluster-name: {{ $fullname }}
diff --git a/charts/vcluster/templates/kyverno-policies/sync-vcluster-atlantis-secrets.yaml b/charts/vcluster/templates/kyverno-policies/sync-vcluster-atlantis-secrets.yaml
deleted file mode 100644
index d8e17da8..00000000
--- a/charts/vcluster/templates/kyverno-policies/sync-vcluster-atlantis-secrets.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-{{- $name := include "vCluster.releaseName" . -}}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: "sync-{{ $name }}-vcluster-secrets"
-spec:
- background: true
- generateExisting: true
- rules:
- - name: sync-rabbitmq-secrets
- generate:
- apiVersion: v1
- kind: Secret
- name: staging-rabbitmq
- namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
- synchronize: false
- clone:
- namespace: rabbitmq
- name: staging-rabbitmq
- match:
- resources:
- kinds:
- - Namespace
- names:
- - "vcluster-009dba7e-*"
- selector:
- matchLabels:
- vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
- - name: sync-redis-secrets
- generate:
- apiVersion: v1
- kind: Secret
- name: staging-redis
- namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
- synchronize: false
- clone:
- namespace: redis
- name: staging-redis
- match:
- resources:
- kinds:
- - Namespace
- names:
- - "vcluster-009dba7e-*"
- selector:
- matchLabels:
- vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
- - name: sync-archmeister-app-secret
- generate:
- apiVersion: v1
- kind: Secret
- name: staging-archmeister-app
- namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
- synchronize: false
- clone:
- namespace: '{{ .Release.Namespace }}'
- name: staging-archmeister-superuser
- match:
- resources:
- kinds:
- - Namespace
- names:
- - "vcluster-009dba7e-*"
- selector:
- matchLabels:
- vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
diff --git a/charts/vcluster/templates/kyverno-policies/sync-vcluster-oceanbox-regcred.yaml b/charts/vcluster/templates/kyverno-policies/sync-vcluster-oceanbox-regcred.yaml
deleted file mode 100644
index 5df92400..00000000
--- a/charts/vcluster/templates/kyverno-policies/sync-vcluster-oceanbox-regcred.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-{{- $fullname := include "vCluster.fullname" . -}}
-{{- $name := include "vCluster.releaseName" . -}}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- annotations:
- policies.kyverno.io/category: Sample
- policies.kyverno.io/description: 'Secrets like registry credentials often need
- to exist in multiple Namespaces so Pods there have access. Manually duplicating
- those Secrets is time consuming and error prone. This policy will copy a Secret
- called `regcred` which exists in the `default` Namespace to new Namespaces when
- they are created. It will also push updates to the copied Secrets should the
- source Secret be changed. '
- creationTimestamp: "2024-01-15T11:58:24Z"
- name: sync-{{ $name }}-vcluster-oceanbox-regcred
-spec:
- admission: true
- background: true
- generateExisting: true
- rules:
- - generate:
- apiVersion: v1
- clone:
- # name: oceanbox-regcred
- name: gitlab-pull-secret
- namespace: default
- kind: Secret
- # name: oceanbox-regcred
- name: gitlab-pull-secret
- namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
- synchronize: false
- match:
- any:
- - resources:
- kinds:
- - Namespace
- selector:
- matchLabels:
- vcluster.loft.sh/vcluster-name: {{ $fullname }}
- name: sync-vcluster-oceanbox-regcred
diff --git a/charts/vcluster/templates/vcluster.yaml b/charts/vcluster/templates/vcluster.yaml
index ae6d02e1..b3520d7a 100644
--- a/charts/vcluster/templates/vcluster.yaml
+++ b/charts/vcluster/templates/vcluster.yaml
@@ -16,7 +16,7 @@ spec:
 namespace: {{ .Release.Namespace }}
 source:
 repoURL: https://charts.loft.sh
- targetRevision: 0.19.5
+ targetRevision: 0.20.1
 chart: vcluster
 helm:
 values: |-
@@ -63,12 +63,10 @@ spec:
 mapServices:
 fromHost:
- - from: "redis/{{ .Values.environment }}-redis-master"
- to: "redis/{{ .Values.environment }}-redis-master"
 - from: "rabbitmq/{{ .Values.environment }}-rabbitmq"
 to: "rabbitmq/{{ .Values.environment }}-rabbitmq"
- - from: "{{ .Release.Namespace }}/staging-archmeister-rw"
- to: "atlantis/staging-archmeister-rw"
+ - from: "{{ .Release.Namespace }}/{{ $name }}-archmaester-rw"
+ to: "atlantis/{{ $name }}-archmaester-rw"
 - from: "idp/{{ .Values.environment }}-openfga"
 to: "idp/{{ .Values.environment }}-openfga"
 - from: "otel/opentelemetry-collector"
@@ -99,21 +97,11 @@ spec:
 config: |-
 version: v1beta1
 import:
- - kind: Cluster
- apiVersion: postgresql.cnpg.io/v1
 - kind: Secret
 apiVersion: v1
- # - kind: Component
- # apiVersion: dapr.io/v1alpha1
- # - kind: Configuration
- # apiVersion: dapr.io/v1alpha1
- # - kind: Subscription
- # apiVersion: dapr.io/v1alpha1
- # - kind: CiliumNetworkPolicy
- # apiVersion: cilium.io/v2
 export:
- - kind: CiliumNetworkPolicy
- apiVersion: cilium.io/v2
+ - kind: Cluster
+ apiVersion: postgresql.cnpg.io/v1
 init:
 manifests: |-
 ---
diff --git a/resources/atlantis/add-ingress-whitelist.yaml b/resources/oceanbox-cluster/kyverno-policies/add-ingress-whitelist.yaml
similarity index 100%
rename from resources/atlantis/add-ingress-whitelist.yaml
rename to resources/oceanbox-cluster/kyverno-policies/add-ingress-whitelist.yaml
diff --git a/resources/atlantis/remove-argocd-tracking-id.yaml b/resources/oceanbox-cluster/kyverno-policies/remove-argocd-tracking-id.yaml
similarity index 100%
rename from resources/atlantis/remove-argocd-tracking-id.yaml
rename to resources/oceanbox-cluster/kyverno-policies/remove-argocd-tracking-id.yaml
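Review bot: The chart is bumped to vcluster 0.20.1 in the previous hunk, and 0.20 replaced the legacy values layout (`mapServices.fromHost`, the generic-sync `config:` block) with the vcluster.yaml schema (`networking.replicateServices.fromHost`, `experimental.genericSync`); as far as I recall the 0.20 chart either rejects or ignores the legacy keys, so the `{{ $name }}-archmaester-rw` mapping added here may never be applied. Render the Application against the 0.20 chart and inspect the resulting vcluster config before merging; if legacy values are still honoured, say so on the `values:` block, e.g. `# legacy (pre-0.20) values layout; relies on the chart converting it`, so the next reader is spared the same check. `$name` is assigned outside this hunk, and the `values:` block starts before and ends after it.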
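Review bot: Exporting `Cluster` (postgresql.cnpg.io/v1) from the vcluster to the host lets anyone who can create a CNPG Cluster inside the vcluster drive the host operator in `{{ .Release.Namespace }}`, the namespace where this chart's own `{{ $name }}-archmaester` cluster and its Secrets live; a CNPG spec chooses the image, pod resources, volumes and the Secrets it mounts (superuser, certificates, `externalClusters[].password`), and those references are resolved in that host namespace unless the generic sync rewrites them. The export rule carries no `patches` or selector in view (the config block ends at `export:` right before `init:`), so I would add a selector limiting which Clusters are exported, rewrite the referenced Secret names so a tenant cannot point at host Secrets, and make sure the in-vcluster RBAC for `clusters.postgresql.cnpg.io` is granted deliberately. Dropping `CiliumNetworkPolicy` from `export` also means policies written inside the vcluster no longer reach the host; if host-side policy is now authoritative, say so with `# CiliumNetworkPolicy is managed on the host only; policies created inside the vcluster are not synced`. The `config:` block is complete inside this hunk, but the surrounding `values:` block continues outside it.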
diff --git a/resources/atlantis/sync-atlantis-secrets.yaml b/resources/oceanbox-cluster/kyverno-policies/sync-atlantis-secrets.yaml
similarity index 100%
rename from resources/atlantis/sync-atlantis-secrets.yaml
rename to resources/oceanbox-cluster/kyverno-policies/sync-atlantis-secrets.yaml
diff --git a/resources/allow-ceph-egress.yaml b/resources/oceanbox-cluster/network-policies/allow-ceph-egress.yaml
similarity index 100%
rename from resources/allow-ceph-egress.yaml
rename to resources/oceanbox-cluster/network-policies/allow-ceph-egress.yaml
diff --git a/resources/atlantis/allow-idp-external-access.yaml b/resources/oceanbox-cluster/network-policies/allow-idp-external-access.yaml
similarity index 100%
rename from resources/atlantis/allow-idp-external-access.yaml
rename to resources/oceanbox-cluster/network-policies/allow-idp-external-access.yaml