diff --git a/packages/apps/ferretdb/templates/postgres.yaml b/packages/apps/ferretdb/templates/postgres.yaml index bbc13c72..273e2b4a 100644 --- a/packages/apps/ferretdb/templates/postgres.yaml +++ b/packages/apps/ferretdb/templates/postgres.yaml @@ -16,6 +16,10 @@ spec: storage: size: {{ required ".Values.size is required" .Values.size }} + inheritedMetadata: + labels: + policy.cozystack.io/allow-to-apiserver: "true" + {{- if .Values.users }} managed: roles: diff --git a/packages/apps/kafka/templates/kafka.yaml b/packages/apps/kafka/templates/kafka.yaml index 8cc9f019..8867178f 100644 --- a/packages/apps/kafka/templates/kafka.yaml +++ b/packages/apps/kafka/templates/kafka.yaml @@ -65,3 +65,8 @@ spec: entityOperator: topicOperator: {} userOperator: {} + template: + pod: + metadata: + labels: + policy.cozystack.io/allow-to-apiserver: "true" diff --git a/packages/apps/postgres/templates/db.yaml b/packages/apps/postgres/templates/db.yaml index 7c1483a1..2729fdf7 100644 --- a/packages/apps/postgres/templates/db.yaml +++ b/packages/apps/postgres/templates/db.yaml @@ -19,3 +19,7 @@ spec: storage: size: {{ required ".Values.size is required" .Values.size }} + + inheritedMetadata: + labels: + policy.cozystack.io/allow-to-apiserver: "true" diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml index 700952cf..f40c3a6e 100644 --- a/packages/apps/tenant/Chart.yaml +++ b/packages/apps/tenant/Chart.yaml @@ -4,4 +4,4 @@ description: Separated tenant namespace icon: /logos/tenant.svg type: application -version: 1.3.0 +version: 1.3.1 diff --git a/packages/apps/tenant/templates/namespace.yaml b/packages/apps/tenant/templates/namespace.yaml index 5aa6daae..9b20d514 100644 --- a/packages/apps/tenant/templates/namespace.yaml +++ b/packages/apps/tenant/templates/namespace.yaml 
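Review bot: The added `policy.cozystack.io/allow-to-apiserver: "true"` label is a network-policy grant with no comment saying why these pods need it or which policy selects on it, and the same block is added without explanation in postgres/db.yaml, grafana/db.yaml, oncall/oncall-db.yaml and kafka.yaml. Because CloudNativePG copies `inheritedMetadata.labels` onto every instance pod, each PostgreSQL replica gets whatever egress the label unlocks; the policy that consumes it is not in this diff, so that is inferred from the label name only. A one-line comment above the block would make the grant auditable, e.g. `# selected by the allow-to-apiserver egress policy; the CNPG instance manager needs the Kubernetes API`, adjusted to the real reason. In kafka.yaml the indentation is lost in this view, but the context lines suggest `template.pod.metadata.labels` is nested under `entityOperator`, so only the topic/user operator pods (not the brokers) get the label; worth confirming that is the intended scope.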
@@ -1,3 +1,20 @@ +{{- define "cozystack.namespace-anotations" }} +{{- $context := index . 0 }} +{{- $existingNS := index . 1 }} +{{- range $x := list "etcd" "monitoring" "ingress" }} +{{- if (index $context.Values $x) }} +namespace.cozystack.io/{{ $x }}: "{{ include "tenant.name" $context }}" +{{- else }} +namespace.cozystack.io/{{ $x }}: "{{ index $existingNS.metadata.annotations (printf "namespace.cozystack.io/%s" $x) | required (printf "namespace %s has no namespace.cozystack.io/%s annotation" $context.Release.Namespace $x) }}" +{{- end }} +{{- end }} +{{- end }} + +{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }} +{{- if not $existingNS }} +{{- fail (printf "error lookup existing namespace: %s" .Release.Namespace) }} +{{- end }} + {{- if ne (include "tenant.name" .) "tenant-root" }} --- apiVersion: v1 
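Review bot: The `lookup`/`fail` pair at the top of this hunk runs unconditionally, so any render without cluster access (`helm template`, a client-side dry-run, chart linting in CI) now aborts with "error lookup existing namespace" for every tenant, whereas the check it replaces (deleted in the next two hunks) only ran inside the `ne ... "tenant-root"` and `hasPrefix "tenant-"` guards. If offline rendering is used anywhere, keep the `fail` under those guards, or at least extend the message so it is clear a live cluster is required, e.g. `{{- fail (printf "namespace %s not found (lookup needs cluster access)" .Release.Namespace) }}`. Inside the define, a parent namespace with no `metadata.annotations` at all makes `index` fail with Go's "index of untyped nil" before `required` can emit the intended message; `index (default (dict) $existingNS.metadata.annotations) (printf "namespace.cozystack.io/%s" $x)` preserves the friendly error (the moved code had the same weakness). The template name `cozystack.namespace-anotations` is misspelled; it is referenced twice in the next hunk, so renaming to `cozystack.namespace-annotations` is cheap now.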
@@ -5,22 +22,25 @@ kind: Namespace metadata: name: {{ include "tenant.name" . }} {{- if hasPrefix "tenant-" .Release.Namespace }} - {{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }} - {{- if $existingNS }} annotations: {{- if .Values.host }} namespace.cozystack.io/host: "{{ .Values.host }}" {{- else }} - {{ $parentHost := index $existingNS.metadata.annotations "namespace.cozystack.io/host" | required (printf "namespace %s has no namespace.cozystack.io/host annotation" $.Release.Namespace) }} + {{ $parentHost := index $existingNS.metadata.annotations "namespace.cozystack.io/host" | required (printf "namespace %s has no namespace.cozystack.io/host annotation" .Release.Namespace) }} namespace.cozystack.io/host: "{{ splitList "-" (include "tenant.name" .) | last }}.{{ $parentHost }}" {{- end }} - {{- range $x := list "etcd" "monitoring" "ingress" }} - {{- if (index $.Values $x) }} - namespace.cozystack.io/{{ $x }}: "{{ include "tenant.name" $ }}" - {{- else }} - namespace.cozystack.io/{{ $x }}: "{{ index $existingNS.metadata.annotations (printf "namespace.cozystack.io/%s" $x) | required (printf "namespace %s has no namespace.cozystack.io/%s annotation" $.Release.Namespace $x) }}" + {{- include "cozystack.namespace-anotations" (list . $existingNS) | nindent 4 }} + labels: + tenant.cozystack.io/{{ include "tenant.name" $ }}: "" + {{- if hasPrefix "tenant-" .Release.Namespace }} + {{- $parts := splitList "-" .Release.Namespace }} + {{- range $i, $v := $parts }} + {{- if ne $i 0 }} + tenant.cozystack.io/{{ join "-" (slice $parts 0 (add $i 1)) }}: "" {{- end }} {{- end }} + {{- end }} + {{- include "cozystack.namespace-anotations" (list $ $existingNS) | nindent 4 }} ownerReferences: - apiVersion: v1 blockOwnerDeletion: true 
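Review bot: `cozystack.namespace-anotations` is included twice in this hunk, once under `annotations:` and once under `labels:`, without a comment explaining why the same `namespace.cozystack.io/*` keys are needed as labels; networkpolicy.yaml in this same commit selects namespaces by `k8s:io.cilium.k8s.namespace.labels.namespace.cozystack.io/etcd`, so a line such as `# duplicated as labels: networkpolicy.yaml selects namespaces by namespace.cozystack.io/* label` above the second include would stop the next maintainer from "deduplicating" it. The two includes also pass `.` and `$` respectively as the first list element; both are the root context here, so pick one. The inner `{{- if hasPrefix "tenant-" .Release.Namespace }}` around the ancestor labels is redundant, since the enclosing block (the context line at the top of this hunk) already tests the same prefix, and the same `splitList`/`range`/`slice` loop is repeated twice more in networkpolicy.yaml and could become one named template. The enclosing `if` blocks close in the next hunk, outside this one.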
@@ -28,8 +48,5 @@ metadata: kind: Namespace name: {{ .Release.Namespace }} uid: {{ $existingNS.metadata.uid }} - {{- else }} - {{- fail (printf "error lookup exiting namespace: %s" .Release.Namespace) }} - {{- end }} {{- end }} {{- end }} diff --git a/packages/apps/tenant/templates/networkpolicy.yaml b/packages/apps/tenant/templates/networkpolicy.yaml index 8b26e75a..3fa2d218 100644 --- a/packages/apps/tenant/templates/networkpolicy.yaml +++ b/packages/apps/tenant/templates/networkpolicy.yaml 
@@ -29,55 +29,75 @@ spec: - world --- apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy +kind: CiliumClusterwideNetworkPolicy metadata: - name: allow-from-system - namespace: {{ include "tenant.name" . }} + name: {{ include "tenant.name" . }}-egress spec: - endpointSelector: {} - ingress: - - fromEntities: - - cluster ---- -{{- if ne (include "tenant.name" .) "tenant-root" }} -apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy -metadata: - name: allow-from-upper-tenants - namespace: {{ include "tenant.name" . }} -spec: - endpointSelector: {} - ingress: - - fromEndpoints: + endpointSelector: + matchLabels: + "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}" + egress: + - toEndpoints: - matchLabels: - "kubernetes.io/metadata.name": "tenant-root" + "k8s:io.cilium.k8s.namespace.labels.tenant.cozystack.io/{{ include "tenant.name" . }}": "" + {{- if ne (include "tenant.name" .) "tenant-root" }} + - toEndpoints: {{- if hasPrefix "tenant-" .Release.Namespace }} {{- $parts := splitList "-" .Release.Namespace }} {{- range $i, $v := $parts }} {{- if ne $i 0 }} - matchLabels: - "kubernetes.io/metadata.name": {{ join "-" (slice $parts 0 (add $i 1)) }} + "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }} {{- end }} {{- end }} {{- end }} -{{- end }} + {{- end }} --- -{{- if not .Values.etcd }} -{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }} apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy +kind: CiliumClusterwideNetworkPolicy metadata: - name: allow-to-etcd - namespace: {{ include "tenant.name" . }} + name: {{ include "tenant.name" . }}-ingress spec: endpointSelector: matchLabels: - policy.cozystack.io/allow-to-etcd: "true" - egress: - - toEndpoints: + "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . 
}}" + ingress: + - fromEntities: + - kube-apiserver + - fromEndpoints: + - matchLabels: + "k8s:io.cilium.k8s.namespace.labels.cozystack.io/system": "true" + - fromEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + {{- if ne (include "tenant.name" .) "tenant-root" }} + - fromEndpoints: + {{- if hasPrefix "tenant-" .Release.Namespace }} + {{- $parts := splitList "-" .Release.Namespace }} + {{- range $i, $v := $parts }} + {{- if ne $i 0 }} - matchLabels: - io.kubernetes.pod.namespace: "{{ index $existingNS.metadata.annotations "namespace.cozystack.io/etcd" }}" - cozystack.io/service: etcd + "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} +--- +{{- if .Values.etcd }} +apiVersion: cilium.io/v2 +kind: CiliumClusterwideNetworkPolicy +metadata: + name: {{ include "tenant.name" . }}-ingress-etcd +spec: + endpointSelector: + matchLabels: + "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}" + cozystack.io/service: etcd + ingress: + - fromEndpoints: + - matchLabels: + "k8s:io.cilium.k8s.namespace.labels.namespace.cozystack.io/etcd": "{{ include "tenant.name" . }}" + policy.cozystack.io/allow-to-etcd: "true" {{- end }} --- apiVersion: cilium.io/v2 @@ -107,7 +127,7 @@ spec: egress: - toEndpoints: - matchLabels: - io.kubernetes.pod.namespace: kube-system + "k8s:io.kubernetes.pod.namespace": kube-system k8s-app: kube-dns --- apiVersion: cilium.io/v2 @@ -120,7 +140,7 @@ spec: egress: - toEndpoints: - matchLabels: - io.kubernetes.pod.namespace: cozy-dashboard + "k8s:io.kubernetes.pod.namespace": cozy-dashboard --- apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy diff --git a/packages/apps/versions_map b/packages/apps/versions_map index 65a1fd25..d763f504 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map 
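Review bot: Three of the new rules derive trust from Namespace labels rather than from the Cilium-assigned pod namespace: `-egress` allows any namespace labelled `tenant.cozystack.io/<tenant>`, `-ingress` allows any namespace labelled `cozystack.io/system: "true"`, and `-ingress-etcd` allows any namespace whose `namespace.cozystack.io/etcd` label names this tenant. Namespace labels can be set by anyone with update/patch on Namespace objects, so a tenant able to edit its own Namespace metadata could label itself into another tenant's allow-list; tenant RBAC is not part of this diff, so please confirm it does not grant that (the `k8s:io.kubernetes.pod.namespace` matches are unaffected, since Cilium derives that label itself). Separately, namespace.yaml only renders the `tenant.cozystack.io/<name>` label for non-root tenants (it is guarded by `ne (include "tenant.name" .) "tenant-root"`), so tenant-root's own namespace must get `tenant.cozystack.io/tenant-root` from somewhere else, or its pods would lose same-namespace egress under the new `-egress` policy unless another policy allows it. Minor: the `join "-" ...` values for `k8s:io.kubernetes.pod.namespace` are unquoted while the `include "tenant.name"` ones are quoted; quoting both, e.g. `"k8s:io.kubernetes.pod.namespace": "{{ join "-" (slice $parts 0 (add $i 1)) }}"`, keeps the style uniform.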
@@ -39,7 +39,8 @@ tenant 0.1.5 e3ab858
 tenant 1.0.0 7cd7de7
 tenant 1.1.0 4da8ac3b
 tenant 1.2.0 15478a88
-tenant 1.3.0 HEAD
+tenant 1.3.0 ceefae03
+tenant 1.3.1 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 HEAD
diff --git a/packages/extra/monitoring/templates/grafana/db.yaml b/packages/extra/monitoring/templates/grafana/db.yaml
index adf0a7e5..2489efc7 100644
--- a/packages/extra/monitoring/templates/grafana/db.yaml
+++ b/packages/extra/monitoring/templates/grafana/db.yaml
@@ -6,3 +6,7 @@ spec:
 instances: 2
 storage:
 size: 10Gi
+
+ inheritedMetadata:
+ labels:
+ policy.cozystack.io/allow-to-apiserver: "true"
diff --git a/packages/extra/monitoring/templates/oncall/oncall-db.yaml b/packages/extra/monitoring/templates/oncall/oncall-db.yaml
index 84a9419d..048ec173 100644
--- a/packages/extra/monitoring/templates/oncall/oncall-db.yaml
+++ b/packages/extra/monitoring/templates/oncall/oncall-db.yaml
@@ -8,4 +8,8 @@ spec:
 instances: 2
 storage:
 size: 10Gi
+
+ inheritedMetadata:
+ labels:
+ policy.cozystack.io/allow-to-apiserver: "true"
 {{- end }}