diff --git a/resources/atlantis/host-manifests/allow-atlantis-external-services.yaml b/resources/atlantis/manifests/allow-atlantis-external-services.yaml
similarity index 100%
rename from resources/atlantis/host-manifests/allow-atlantis-external-services.yaml
rename to resources/atlantis/manifests/allow-atlantis-external-services.yaml
diff --git a/resources/atlantis/host-manifests/allow-atlantis-services.yaml b/resources/atlantis/manifests/allow-atlantis-services.yaml
similarity index 100%
rename from resources/atlantis/host-manifests/allow-atlantis-services.yaml
rename to resources/atlantis/manifests/allow-atlantis-services.yaml
diff --git a/resources/atlantis/manifests/prod/dapr-tracing.yaml b/resources/atlantis/manifests/base/dapr-tracing.yaml
similarity index 100%
rename from resources/atlantis/manifests/prod/dapr-tracing.yaml
rename to resources/atlantis/manifests/base/dapr-tracing.yaml
diff --git a/resources/atlantis/manifests/staging/dapr-tracing.yaml b/resources/atlantis/manifests/staging/dapr-tracing.yaml
deleted file mode 100644
index 004b98a2..00000000
--- a/resources/atlantis/manifests/staging/dapr-tracing.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: dapr.io/v1alpha1
-kind: Configuration
-metadata:
- name: tracing
-spec:
- tracing:
- samplingRate: "1"
- zipkin:
- endpointAddress: "http://jaeger-collector:9411/api/v2/spans"
-
diff --git a/vcluster/chart/templates/allow-vcluster-atlantis-services.yaml b/vcluster/chart/templates/allow-vcluster-atlantis-services.yaml
deleted file mode 100644
index 565f8f5b..00000000
--- a/vcluster/chart/templates/allow-vcluster-atlantis-services.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{- $name := include "vCluster.releaseName" . -}}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: "allow-{{ $name }}-vcluster-services"
-spec:
- background: true
- generateExisting: true
- rules:
- - name: allow-atlantis-services
- generate:
- apiVersion: cilium.io/v2
- kind: CiliumNetworkPolicy
- name: "allow-{{ $name }}-atlantis-services"
- namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
- synchronize: true
- clone:
- namespace: atlantis
- name: allow-atlantis-services
- match:
- any:
- - resources:
- kinds:
- - Namespace
- names:
- - "vcluster-009dba7e-*"
- selector:
- matchLabels:
- vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
diff --git a/vcluster/chart/templates/cnp.yaml b/vcluster/chart/templates/cnp.yaml
deleted file mode 100644
index 52139aa0..00000000
--- a/vcluster/chart/templates/cnp.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: allow-external-services
- namespace: {{ .Release.Namespace }}
-spec:
- egress:
- - toFQDNs:
- - matchName: dapr.github.io
- - matchPattern: "*.k1.itpartner.no"
- - matchName: analytics.loft.rocks
- endpointSelector:
- matchLabels: {}
diff --git a/vcluster/chart/templates/generate-cnp-rules.yaml b/vcluster/chart/templates/kyverno-policies/allow-vcluster-apiserver.yaml
similarity index 91%
rename from vcluster/chart/templates/generate-cnp-rules.yaml
rename to vcluster/chart/templates/kyverno-policies/allow-vcluster-apiserver.yaml
index 93d29740..cb883589 100644
--- a/vcluster/chart/templates/generate-cnp-rules.yaml
+++ b/vcluster/chart/templates/kyverno-policies/allow-vcluster-apiserver.yaml
@@ -9,13 +9,13 @@ metadata:
 policies.kyverno.io/minversion: 1.7.0
 policies.kyverno.io/subject: Namespace, NetworkPolicy
 policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
- name: generate-{{ $name }}-vcluster-apiserver-networkpolicy
+ name: allow-{{ $name }}-vcluster-apiserver
 namespace: {{ .Release.Namespace }}
 spec:
 background: true
 generateExisting: true
 rules:
- - name: generate-{{ $name }}-vcluster-apiserver-networkpolicy
+ - name: allow-{{ $name }}-vcluster-apiserver
 generate:
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
diff --git a/vcluster/chart/templates/kyverno-policies/sync-vcluster-atlantis-secrets.yaml b/vcluster/chart/templates/kyverno-policies/sync-vcluster-atlantis-secrets.yaml
new file mode 100644
index 00000000..232699db
--- /dev/null
+++ b/vcluster/chart/templates/kyverno-policies/sync-vcluster-atlantis-secrets.yaml
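Review bot: Changing `metadata.name` from `generate-{{ $name }}-vcluster-apiserver-networkpolicy` to `allow-{{ $name }}-vcluster-apiserver` is, from Kyverno's side, a delete of the old ClusterPolicy followed by a create of a new one rather than an in-place rename, and the `generateExisting: true` that follows means the new object regenerates its CiliumNetworkPolicy in every matching namespace. Depending on the rule's `synchronize` setting, which lies outside this hunk, Kyverno may first remove the resources owned by the old policy, so there can be a window during the upgrade in which the generated policy does not exist; worth confirming on a non-production release and stating in the commit message. The rest of the policy, including its `match` block, continues outside the hunk.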
@@ -0,0 +1,66 @@
+{{- $name := include "vCluster.releaseName" . -}}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: "sync-{{ $name }}-vcluster-secrets"
+spec:
+ background: true
+ generateExisting: true
+ rules:
+ - name: sync-rabbitmq-secrets
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: staging-rabbitmq
+ namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
+ synchronize: false
+ clone:
+ namespace: rabbitmq
+ name: staging-rabbitmq
+ match:
+ resources:
+ kinds:
+ - Namespace
+ names:
+ - "vcluster-009dba7e-*"
+ selector:
+ matchLabels:
+ vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
+ - name: sync-redis-secrets
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: staging-redis
+ namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
+ synchronize: false
+ clone:
+ namespace: redis
+ name: staging-redis
+ match:
+ resources:
+ kinds:
+ - Namespace
+ names:
+ - "vcluster-009dba7e-*"
+ selector:
+ matchLabels:
+ vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
+ - name: sync-archmeister-superuser
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: '{{ $name }}-archmeister-app'
+ namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
+ synchronize: false
+ clone:
+ namespace: '{{ .Release.Namespace }}'
+ name: '{{ $name }}-archmeister-superuser'
+ match:
+ resources:
+ kinds:
+ - Namespace
+ names:
+ - "vcluster-009dba7e-*"
+ selector:
+ matchLabels:
+ vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
diff --git a/vcluster/chart/templates/kyverno-policies/sync-vcluster-oceanbox-regcred.yaml b/vcluster/chart/templates/kyverno-policies/sync-vcluster-oceanbox-regcred.yaml
new file mode 100644
index 00000000..5df92400
--- /dev/null
+++ b/vcluster/chart/templates/kyverno-policies/sync-vcluster-oceanbox-regcred.yaml
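Review bot: The third rule clones `{{ $name }}-archmeister-superuser` into each vcluster namespace under the name `{{ $name }}-archmeister-app`, which hands the superuser credential to whatever consumes the app secret in the target namespace; if a lower-privileged credential exists for that database, clone that one instead, otherwise add a comment above `- name: sync-archmeister-superuser` recording why superuser access is required. All three rules set `synchronize: false`, so a rotation of the source Secret in `rabbitmq`, `redis` or the release namespace is not propagated and the copies silently go stale — either state that in a comment on the rule or use `synchronize: true` if the copies must follow the source. The `match: resources:` form is the older Kyverno syntax; sync-vcluster-oceanbox-regcred.yaml in the same commit uses `match: any: - resources:`, so the two new policies should agree on one form. The source names `staging-rabbitmq`/`staging-redis` and the namespace glob `"vcluster-009dba7e-*"` are environment-specific literals in a chart template and read better as values.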
@@ -0,0 +1,40 @@
+{{- $fullname := include "vCluster.fullname" . -}}
+{{- $name := include "vCluster.releaseName" . -}}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/description: 'Secrets like registry credentials often need
+ to exist in multiple Namespaces so Pods there have access. Manually duplicating
+ those Secrets is time consuming and error prone. This policy will copy a Secret
+ called `regcred` which exists in the `default` Namespace to new Namespaces when
+ they are created. It will also push updates to the copied Secrets should the
+ source Secret be changed. '
+ creationTimestamp: "2024-01-15T11:58:24Z"
+ name: sync-{{ $name }}-vcluster-oceanbox-regcred
+spec:
+ admission: true
+ background: true
+ generateExisting: true
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ # name: oceanbox-regcred
+ name: gitlab-pull-secret
+ namespace: default
+ kind: Secret
+ # name: oceanbox-regcred
+ name: gitlab-pull-secret
+ namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
+ synchronize: false
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ vcluster.loft.sh/vcluster-name: {{ $fullname }}
+ name: sync-vcluster-oceanbox-regcred
diff --git a/vcluster/chart/templates/rbac.yaml b/vcluster/chart/templates/rbac.yaml
index c4d02679..473eaa29 100644
--- a/vcluster/chart/templates/rbac.yaml
+++ b/vcluster/chart/templates/rbac.yaml
@@ -1,17 +1,5 @@
 {{- $fullname := include "vCluster.fullname" . -}}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: vcluster-create-cilium-networkpolicies
-rules:
-- apiGroups:
- - cilium.io
- resources:
- - ciliumnetworkpolicies
- verbs:
- '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: vcluster-cilium
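Review bot: The annotation block on the new policy is copied from the Kyverno sample and no longer describes the rule: the description talks about a Secret called `regcred` in `default` and says updates are pushed to the copies, but the rule clones `gitlab-pull-secret` with `synchronize: false`, and `creationTimestamp: "2024-01-15T11:58:24Z"` is a server-populated field that does not belong in a chart template; drop the timestamp, replace the description with one sentence naming the actual secret and the no-resync behaviour, and remove the two `# name: oceanbox-regcred` leftovers. The selector value `vcluster.loft.sh/vcluster-name: {{ $fullname }}` is the only templated scalar in the file left unquoted while the sibling policy quotes its template values, so write `vcluster.loft.sh/vcluster-name: '{{ $fullname }}'` to keep the rendered YAML from retyping it. This rule also matches by label alone, without the `names:` glob the atlantis-secrets policy adds, so any Namespace carrying that label receives the registry credential; that is fine if only the vcluster controller labels namespaces, but the assumption deserves a comment above `match:`.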
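Review bot: The ClusterRole `vcluster-create-cilium-networkpolicies` is removed here and `vcluster-jaegers` in the next hunk, but the ClusterRoleBindings `vcluster-cilium` and `vcluster-jaegers` that follow each removal stay in place; their `roleRef` lines are outside the hunks, so I cannot tell whether the roles are now installed by something else or the bindings dangle. A binding whose roleRef names a missing ClusterRole grants nothing, which is safe, but it is dead configuration that would quietly start granting `*` on those resources again if a ClusterRole with the same name is ever recreated. If the roles now come from elsewhere, a comment above each binding naming the source, e.g. `# roleRef targets the ClusterRole installed by <placeholder: chart or manifest path>`, makes that explicit; otherwise delete the bindings together with the roles.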
@@ -25,18 +13,6 @@ subjects:
 name: {{ $fullname }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: vcluster-jaegers
-rules:
-- apiGroups:
- - jaegertracing.io
- resources:
- - jaegers
- verbs:
- '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: vcluster-jaegers
diff --git a/vcluster/chart/templates/sync-vcluster-atlantis-secrets.yaml b/vcluster/chart/templates/sync-vcluster-atlantis-secrets.yaml
deleted file mode 100644
index 4356b008..00000000
--- a/vcluster/chart/templates/sync-vcluster-atlantis-secrets.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-# {{- $name := include "vCluster.releaseName" . -}}
-# apiVersion: kyverno.io/v1
-# kind: ClusterPolicy
-# metadata:
-# name: "sync-{{ $name }}-vcluster-secrets"
-# spec:
-# background: true
-# generateExisting: true
-# rules:
-# - name: sync-rabbitmq-secrets
-# generate:
-# apiVersion: v1
-# kind: Secret
-# name: staging-rabbitmq
-# namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
-# synchronize: true
-# clone:
-# namespace: rabbitmq
-# name: staging-rabbitmq
-# match:
-# resources:
-# kinds:
-# - Namespace
-# names:
-# - "vcluster-009dba7e-*"
-# selector:
-# matchLabels:
-# vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
-# - name: sync-redis-secrets
-# generate:
-# apiVersion: v1
-# kind: Secret
-# name: staging-redis
-# namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
-# synchronize: true
-# clone:
-# namespace: redis
-# name: staging-redis
-# match:
-# resources:
-# kinds:
-# - Namespace
-# names:
-# - "vcluster-009dba7e-*"
-# selector:
-# matchLabels:
-# vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
-# - name: sync-archmeister-superuser
-# generate:
-# apiVersion: v1
-# kind: Secret
-# name: '{{ $name }}-archmeister-app'
-# namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
-# synchronize: true
-# clone:
-# namespace: '{{ .Release.Namespace }}'
-# name: '{{ $name }}-archmeister-superuser'
-# match:
-# resources:
-# kinds:
-# - Namespace
-# names:
-# - "vcluster-009dba7e-*"
-# selector:
-# matchLabels:
-# vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
diff --git a/vcluster/chart/templates/vcluster.yaml b/vcluster/chart/templates/vcluster.yaml
index 9f9c9374..f319123f 100644
--- a/vcluster/chart/templates/vcluster.yaml
+++ b/vcluster/chart/templates/vcluster.yaml
@@ -92,16 +92,15 @@ spec:
 config: |-
 version: v1beta1
 import:
- - kind: CiliumNetworkPolicy
- apiVersion: cilium.io/v2
 - kind: Cluster
 apiVersion: postgresql.cnpg.io/v1
 - kind: Secret
 apiVersion: v1
+ # - kind: CiliumNetworkPolicy
+ # apiVersion: cilium.io/v2
 export:
 - kind: CiliumNetworkPolicy
 apiVersion: cilium.io/v2
-
 init:
 manifests: |-
 ---
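Review bot: The CiliumNetworkPolicy entry under `import:` is commented out rather than deleted and nothing says why, so the next reader cannot tell whether this is a temporary toggle or a permanent decision; either drop the two `# - kind: CiliumNetworkPolicy` / `# apiVersion: cilium.io/v2` lines or replace them with a reason, e.g. `# CiliumNetworkPolicy import disabled: <placeholder: reason or ticket>`. These lines sit inside the `config: |-` block scalar, so the comment markers must keep the list's indentation exactly, which the collapsed view here cannot confirm. As I read the generic-sync config, `export:` still lists CiliumNetworkPolicy, so policies created inside the vcluster keep being pushed to the host while host-side policies are no longer mirrored in; if that asymmetry is intended it deserves a one-line comment as well. The enclosing `spec` continues outside the hunk.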