github-personal/cozystack
1
0
Fork 0
mirror of https://github.com/outbackdingo/cozystack.git synced 2026-01-27 10:18:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

[controller, api] Select ingresses and services

Browse Source 
This patch extends the resource-selecting function of the webhook to
also apply selectors to ingresses and services, like has been already
done for secrets. The Cozystack resource definitions have been upgraded
to contain two more fields: `ingresses` and `services` and populated
with counterparts of the legacy selectors from the dashboard roles.

```release-note
[controller, api] Enable marking ingresses and services as user-facing
and implement selectors for existing CozystackResourceDefinitions.
```

Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
This commit is contained in:
Timofei Larkin
2025-10-03 18:04:31 +03:00
parent da0eb7a829
commit 9b0f919052
24 changed files with 478 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
api/v1alpha1/cozystackresourcedefinitions_types.go
View File

@@ -52,6 +52,10 @@ type CozystackResourceDefinitionSpec struct {
// Secret selectors
Secrets CozystackResourceDefinitionResources `json:"secrets,omitempty"`
// Service selectors
Services CozystackResourceDefinitionResources `json:"services,omitempty"`
// Ingress selectors
Ingresses CozystackResourceDefinitionResources `json:"ingresses,omitempty"`
// Dashboard configuration for this resource
Dashboard *CozystackResourceDefinitionDashboard `json:"dashboard,omitempty"`

2
api/v1alpha1/zz_generated.deepcopy.go
View File

@@ -237,6 +237,8 @@ func (in *CozystackResourceDefinitionSpec) DeepCopyInto(out *CozystackResourceDe
out.Application = in.Application
in.Release.DeepCopyInto(&out.Release)
in.Secrets.DeepCopyInto(&out.Secrets)
in.Services.DeepCopyInto(&out.Services)
in.Ingresses.DeepCopyInto(&out.Ingresses)
if in.Dashboard != nil {
in, out := &in.Dashboard, &out.Dashboard
*out = new(CozystackResourceDefinitionDashboard)

10
internal/lineagecontrollerwebhook/matcher.go
View File

@@ -62,12 +62,12 @@ func matchResourceToSelectorArray(ctx context.Context, name string, templateCont
return false
}
func matchResourceToExcludeInclude(ctx context.Context, name string, templateContext, l map[string]string, ex, in []*cozyv1alpha1.CozystackResourceDefinitionResourceSelector) bool {
if matchResourceToSelectorArray(ctx, name, templateContext, l, ex) {
func matchResourceToExcludeInclude(ctx context.Context, name string, templateContext, l map[string]string, resources *cozyv1alpha1.CozystackResourceDefinitionResources) bool {
if resources == nil {
return false
}
if matchResourceToSelectorArray(ctx, name, templateContext, l, in) {
return true
if matchResourceToSelectorArray(ctx, name, templateContext, l, resources.Exclude) {
return false
}
return false
return matchResourceToSelectorArray(ctx, name, templateContext, l, resources.Include)
}

22
internal/lineagecontrollerwebhook/webhook.go
View File

@@ -19,6 +19,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
corev1alpha1 "github.com/cozystack/cozystack/pkg/apis/core/v1alpha1"
)
@@ -27,6 +28,20 @@ var (
AncestryAmbiguous = fmt.Errorf("object ancestry is ambiguous")
)
// getResourceSelectors returns the appropriate CozystackResourceDefinitionResources for a given GroupKind
func (h *LineageControllerWebhook) getResourceSelectors(gk schema.GroupKind, crd *cozyv1alpha1.CozystackResourceDefinition) *cozyv1alpha1.CozystackResourceDefinitionResources {
switch {
case gk.Group == "" && gk.Kind == "Secret":
return &crd.Spec.Secrets
case gk.Group == "" && gk.Kind == "Service":
return &crd.Spec.Services
case gk.Group == "networking.k8s.io" && gk.Kind == "Ingress":
return &crd.Spec.Ingresses
default:
return nil
}
}
// SetupWithManager registers the handler with the webhook server.
func (h *LineageControllerWebhook) SetupWithManagerAsWebhook(mgr ctrl.Manager) error {
cfg := rest.CopyConfig(mgr.GetConfig())
@@ -138,19 +153,16 @@ func (h *LineageControllerWebhook) computeLabels(ctx context.Context, o *unstruc
"name": obj.GetName(),
"namespace": o.GetNamespace(),
}
if o.GetAPIVersion() != "v1" || o.GetKind() != "Secret" {
return labels, err
}
cfg := h.config.Load().(*runtimeConfig)
crd := cfg.appCRDMap[appRef{gv.Group, obj.GetKind()}]
resourceSelectors := h.getResourceSelectors(o.GroupVersionKind().GroupKind(), crd)
// TODO: expand this to work with other resources than Secrets
labels[corev1alpha1.TenantResourceLabelKey] = func(b bool) string {
if b {
return corev1alpha1.TenantResourceLabelValue
}
return "false"
}(matchResourceToExcludeInclude(ctx, o.GetName(), templateLabels, o.GetLabels(), crd.Spec.Secrets.Exclude, crd.Spec.Secrets.Include))
}(matchResourceToExcludeInclude(ctx, o.GetName(), templateLabels, o.GetLabels(), resourceSelectors))
return labels, err
}

1
packages/apps/virtual-machine/templates/service.yaml
View File

@@ -5,6 +5,7 @@ kind: Service
metadata:
name: {{ include "virtual-machine.fullname" . }}
labels:
apps.cozystack.io/user-service: "true"
{{- include "virtual-machine.labels" . | nindent 4 }}
annotations:
networking.cozystack.io/wholeIP: "true"

1
packages/apps/vm-instance/templates/service.yaml
View File

@@ -5,6 +5,7 @@ kind: Service
metadata:
name: {{ include "virtual-machine.fullname" . }}
labels:
apps.cozystack.io/user-service: "true"
{{- include "virtual-machine.labels" . | nindent 4 }}
annotations:
networking.cozystack.io/wholeIP: "true"

10
packages/system/cozystack-api/cozyrds/bootbox.yaml
View File

@@ -31,3 +31,13 @@ spec:
secrets:
exclude: []
include: []
services:
exclude: []
include:
- resourceNames:
- bootbox
ingresses:
exclude: []
include:
- resourceNames:
- bootbox

5
packages/system/cozystack-api/cozyrds/bucket.yaml
View File

@@ -35,3 +35,8 @@ spec:
- resourceNames:
- bucket-{{ .name }}
- bucket-{{ .name }}-credentials
ingresses:
exclude: []
include:
- resourceNames:
- bucket-{{ .name }}-ui

5
packages/system/cozystack-api/cozyrds/clickhouse.yaml
View File

@@ -32,3 +32,8 @@ spec:
include:
- resourceNames:
- clickhouse-{{ .name }}-credentials
services:
exclude: []
include:
- resourceNames:
- chendpoint-clickhouse-{{ .name }}

5
packages/system/cozystack-api/cozyrds/etcd.yaml
View File

@@ -32,3 +32,8 @@ spec:
secrets:
exclude: []
include: []
services:
exclude: []
include:
- resourceNames:
- etcd

5
packages/system/cozystack-api/cozyrds/ferretdb.yaml
View File

@@ -33,3 +33,8 @@ spec:
include:
- resourceNames:
- ferretdb-{{ .name }}-credentials
services:
exclude: []
include:
- resourceNames:
- ferretdb-{{ .name }}

5
packages/system/cozystack-api/cozyrds/ingress.yaml
View File

@@ -32,3 +32,8 @@ spec:
secrets:
exclude: []
include: []
services:
exclude: []
include:
- resourceNames:
- "{{ slice .namespace 7 }}-ingress-controller"

5
packages/system/cozystack-api/cozyrds/kafka.yaml
View File

@@ -33,3 +33,8 @@ spec:
include:
- resourceNames:
- kafka-{{ .name }}-clients-ca
services:
exclude: []
include:
- resourceNames:
- kafka-{{ .name }}-kafka-bootstrap

10
packages/system/cozystack-api/cozyrds/kubernetes.yaml
View File

@@ -34,3 +34,13 @@ spec:
include:
- resourceNames:
- kubernetes-{{ .name }}-admin-kubeconfig
services:
exclude: []
include:
- resourceNames:
- kubernetes-{{ .name }}
ingresses:
exclude: []
include:
- resourceNames:
- kubernetes-{{ .name }}

12
packages/system/cozystack-api/cozyrds/monitoring.yaml
View File

@@ -34,3 +34,15 @@ spec:
include:
- resourceNames:
- grafana-admin-password
services:
exclude: []
include:
- resourceNames:
- grafana-service
- alerta
ingresses:
exclude: []
include:
- resourceNames:
- grafana-ingress
- alerta

6
packages/system/cozystack-api/cozyrds/mysql.yaml
View File

@@ -33,3 +33,9 @@ spec:
include:
- resourceNames:
- mysql-{{ .name }}-credentials
services:
exclude: []
include:
- resourceNames:
- mysql-{{ .name }}-primary
- mysql-{{ .name }}-secondary

5
packages/system/cozystack-api/cozyrds/nats.yaml
View File

@@ -33,3 +33,8 @@ spec:
include:
- resourceNames:
- nats-{{ .name }}-credentials
services:
exclude: []
include:
- resourceNames:
- nats-{{ .name }}

8
packages/system/cozystack-api/cozyrds/postgres.yaml
View File

@@ -41,3 +41,11 @@ spec:
include:
- resourceNames:
- postgres-{{ .name }}-credentials
services:
exclude: []
include:
- resourceNames:
- postgres-{{ .name }}-r
- postgres-{{ .name }}-ro
- postgres-{{ .name }}-rw
- postgres-{{ .name }}-external-write

5
packages/system/cozystack-api/cozyrds/rabbitmq.yaml
View File

@@ -35,3 +35,8 @@ spec:
- rabbitmq-{{ .name }}-default-user
- matchLabels:
apps.cozystack.io/user-secret: "true"
services:
exclude: []
include:
- resourceNames:
- rabbitmq-{{ .name }}

8
packages/system/cozystack-api/cozyrds/redis.yaml
View File

@@ -33,3 +33,11 @@ spec:
include:
- resourceNames:
- redis-{{ .name }}-auth
services:
exclude: []
include:
- resourceNames:
- rfs-redis-{{ .name }}
- rfrm-redis-{{ .name }}
- rfrs-redis-{{ .name }}
- redis-{{ .name }}-external-lb

10
packages/system/cozystack-api/cozyrds/seaweedfs.yaml
View File

@@ -32,3 +32,13 @@ spec:
secrets:
exclude: []
include: []
services:
exclude: []
include:
- resourceNames:
- seaweedfs-{{ .name }}-s3
ingresses:
exclude: []
include:
- resourceNames:
- ingress-seaweedfs-{{ .name }}-s3

5
packages/system/cozystack-api/cozyrds/vm-instance.yaml
View File

@@ -32,3 +32,8 @@ spec:
secrets:
exclude: []
include: []
services:
exclude: []
include:
- matchLabels:
apps.cozystack.io/user-service: "true"

5
packages/system/cozystack-api/cozyrds/vpn.yaml
View File

@@ -33,3 +33,8 @@ spec:
include:
- resourceNames:
- vpn-{{ .name }}-urls
services:
exclude: []
include:
- resourceNames:
- vpn-{{ .name }}-vpn

334
packages/system/cozystack-controller/crds/cozystack.io_cozystackresourcedefinitions.yaml
View File

@@ -126,6 +126,173 @@ spec:
- plural
- singular
type: object
ingresses:
description: Ingress selectors
properties:
exclude:
description: |-
Exclude contains an array of resource selectors that target resources.
If a resource matches the selector in any of the elements in the array, it is
hidden from the user, regardless of the matches in the include array.
items:
description: |-
CozystackResourceDefinitionResourceSelector extends metav1.LabelSelector with resourceNames support.
A resource matches this selector only if it satisfies ALL criteria:
- Label selector conditions (matchExpressions and matchLabels)
- AND has a name that matches one of the names in resourceNames (if specified)
The resourceNames field supports Go templates with the following variables available:
- {{ .name }}: The name of the managing application (from apps.cozystack.io/application.name)
- {{ .kind }}: The lowercased kind of the managing application (from apps.cozystack.io/application.kind)
- {{ .namespace }}: The namespace of the resource being processed
Example YAML:
secrets:
include:
- matchExpressions:
- key: badlabel
operator: DoesNotExist
matchLabels:
goodlabel: goodvalue
resourceNames:
- "{{ .name }}-secret"
- "{{ .kind }}-{{ .name }}-tls"
- "specificname"
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
resourceNames:
description: |-
ResourceNames is a list of resource names to match
If specified, the resource must have one of these exact names to match the selector
items:
type: string
type: array
type: object
x-kubernetes-map-type: atomic
type: array
include:
description: |-
Include contains an array of resource selectors that target resources.
If a resource matches the selector in any of the elements in the array, and
matches none of the selectors in the exclude array that resource is marked
as a tenant resource and is visible to users.
items:
description: |-
CozystackResourceDefinitionResourceSelector extends metav1.LabelSelector with resourceNames support.
A resource matches this selector only if it satisfies ALL criteria:
- Label selector conditions (matchExpressions and matchLabels)
- AND has a name that matches one of the names in resourceNames (if specified)
The resourceNames field supports Go templates with the following variables available:
- {{ .name }}: The name of the managing application (from apps.cozystack.io/application.name)
- {{ .kind }}: The lowercased kind of the managing application (from apps.cozystack.io/application.kind)
- {{ .namespace }}: The namespace of the resource being processed
Example YAML:
secrets:
include:
- matchExpressions:
- key: badlabel
operator: DoesNotExist
matchLabels:
goodlabel: goodvalue
resourceNames:
- "{{ .name }}-secret"
- "{{ .kind }}-{{ .name }}-tls"
- "specificname"
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
resourceNames:
description: |-
ResourceNames is a list of resource names to match
If specified, the resource must have one of these exact names to match the selector
items:
type: string
type: array
type: object
x-kubernetes-map-type: atomic
type: array
type: object
release:
description: Release configuration
properties:
@@ -337,6 +504,173 @@ spec:
x-kubernetes-map-type: atomic
type: array
type: object
services:
description: Service selectors
properties:
exclude:
description: |-
Exclude contains an array of resource selectors that target resources.
If a resource matches the selector in any of the elements in the array, it is
hidden from the user, regardless of the matches in the include array.
items:
description: |-
CozystackResourceDefinitionResourceSelector extends metav1.LabelSelector with resourceNames support.
A resource matches this selector only if it satisfies ALL criteria:
- Label selector conditions (matchExpressions and matchLabels)
- AND has a name that matches one of the names in resourceNames (if specified)
The resourceNames field supports Go templates with the following variables available:
- {{ .name }}: The name of the managing application (from apps.cozystack.io/application.name)
- {{ .kind }}: The lowercased kind of the managing application (from apps.cozystack.io/application.kind)
- {{ .namespace }}: The namespace of the resource being processed
Example YAML:
secrets:
include:
- matchExpressions:
- key: badlabel
operator: DoesNotExist
matchLabels:
goodlabel: goodvalue
resourceNames:
- "{{ .name }}-secret"
- "{{ .kind }}-{{ .name }}-tls"
- "specificname"
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
resourceNames:
description: |-
ResourceNames is a list of resource names to match
If specified, the resource must have one of these exact names to match the selector
items:
type: string
type: array
type: object
x-kubernetes-map-type: atomic
type: array
include:
description: |-
Include contains an array of resource selectors that target resources.
If a resource matches the selector in any of the elements in the array, and
matches none of the selectors in the exclude array that resource is marked
as a tenant resource and is visible to users.
items:
description: |-
CozystackResourceDefinitionResourceSelector extends metav1.LabelSelector with resourceNames support.
A resource matches this selector only if it satisfies ALL criteria:
- Label selector conditions (matchExpressions and matchLabels)
- AND has a name that matches one of the names in resourceNames (if specified)
The resourceNames field supports Go templates with the following variables available:
- {{ .name }}: The name of the managing application (from apps.cozystack.io/application.name)
- {{ .kind }}: The lowercased kind of the managing application (from apps.cozystack.io/application.kind)
- {{ .namespace }}: The namespace of the resource being processed
Example YAML:
secrets:
include:
- matchExpressions:
- key: badlabel
operator: DoesNotExist
matchLabels:
goodlabel: goodvalue
resourceNames:
- "{{ .name }}-secret"
- "{{ .kind }}-{{ .name }}-tls"
- "specificname"
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
resourceNames:
description: |-
ResourceNames is a list of resource names to match
If specified, the resource must have one of these exact names to match the selector
items:
type: string
type: array
type: object
x-kubernetes-map-type: atomic
type: array
type: object
required:
- application
- release