From dea60584206a8a99c4e914ea8b44dc3fcffb3ebb Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Tue, 13 Feb 2024 19:32:25 +0100
Subject: [PATCH] fix: add atlantis services cnp

---
 resources/atlantis/host-manifests/cnp.yaml | 23 ++++++++++++++-
 .../allow-vcluster-atlantis-services.yaml | 28 +++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 vcluster/chart/templates/allow-vcluster-atlantis-services.yaml

diff --git a/resources/atlantis/host-manifests/cnp.yaml b/resources/atlantis/host-manifests/cnp.yaml
index cd818756..3d534c5d 100644
--- a/resources/atlantis/host-manifests/cnp.yaml
+++ b/resources/atlantis/host-manifests/cnp.yaml
@@ -14,4 +14,25 @@ spec:
     - matchName: analytics.loft.rocks
   endpointSelector:
     matchLabels: {}
-
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-atlantis-services
+  namespace: atlantis
+spec:
+  egress:
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: dapr-system
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: redis
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: rabbitmq
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: jaeger
+  endpointSelector:
+    matchLabels: {}
diff --git a/vcluster/chart/templates/allow-vcluster-atlantis-services.yaml b/vcluster/chart/templates/allow-vcluster-atlantis-services.yaml
new file mode 100644
index 00000000..933f967f
--- /dev/null
+++ b/vcluster/chart/templates/allow-vcluster-atlantis-services.yaml
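Review bot: The new `allow-atlantis-services` policy lets every pod in the namespace (`endpointSelector: matchLabels: {}`) reach every pod on every port in the dapr-system, redis, rabbitmq and jaeger namespaces, because each `toEndpoints` rule selects only on `k8s:io.kubernetes.pod.namespace` and carries no `toPorts`. Since the Kyverno policy in the second hunk clones this exact object into vcluster namespaces with `synchronize: true`, the over-broad grant is replicated wherever it lands, so it is worth tightening at the source. Add a `toPorts` stanza to each rule naming the service port and protocol, and where the target workloads carry stable labels narrow `matchLabels` to them as well; the values below are placeholders to be filled from the actual services.
```yaml
spec:
  egress:
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: redis
        # optionally also a workload label, e.g. app.kubernetes.io/name: <redis-app-label>
    toPorts:
    - ports:
      - port: "<redis-service-port>"
        protocol: TCP
  # … unchanged: the dapr-system, rabbitmq and jaeger rules, each given its own toPorts …
  endpointSelector:
    matchLabels: {}
```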
@@ -0,0 +1,28 @@
+{{- $name := include "vCluster.releaseName" . -}}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: "allow-{{ $name }}-vcluster-services"
+spec:
+  background: true
+  generateExistingOnPolicyUpdate: true
+  rules:
+  - name: allow-atlantis-services
+    generate:
+      apiVersion: cilium.io/v2
+      kind: CiliumNetworkPolicy
+      name: allow-atlantis-services
+      namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
+      synchronize: true
+      clone:
+        namespace: atlantis
+        name: allow-atlantis-services
+    match:
+      resources:
+        kinds:
+        - Namespace
+        names:
+        - "vcluster-009dba7e-*"
+        selector:
+          matchLabels:
+            vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
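Review bot: The `match.resources.names` entry `"vcluster-009dba7e-*"` hard-codes what appears to be a single vcluster's instance id into a chart template whose metadata name is otherwise derived from `{{ $name }}`; a second release of this chart would most likely render a policy that never matches its own namespaces and therefore generates nothing, with no error. If the id is derivable from the release, build the glob from the same source (for example `- {{ printf "vcluster-%s-*" <release-id-helper> | quote }}` with the helper being whatever the chart already exposes), or drop the `names` clause and rely on the `vcluster.loft.sh/vcluster-namespace` label selector alone if that is sufficiently selective. Also, a Kyverno `generate` rule only succeeds when the Kyverno background controller has RBAC to create and update `ciliumnetworkpolicies.cilium.io`; this commit adds no such ClusterRole, so confirm one is granted elsewhere, otherwise the clone fails and the only trace is an UpdateRequest or policy-report error.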