Fixes networkploicies.

651b9a9c · Pierre Ozoux · 64db0f8e · 651b9a9c · 651b9a9c · 651b9a9c
Commit 651b9a9c authored 2 years ago by Pierre Ozoux
--- a/migrations/2022-03-25-label-ns-with-name.sh
+++ b/migrations/2022-03-25-label-ns-with-name.sh
+#!/bin/bash -eu
+
+for NS in `kubectl get ns -A --no-headers -o custom-columns=":metadata.name"`; do
+  echo $NS
+  kubectl label --overwrite ns/$NS name=$NS
+done
--- a/migrations/2022-03-28-label-hedgedoc-pods-and-rs.sh
+++ b/migrations/2022-03-28-label-hedgedoc-pods-and-rs.sh
+#!/bin/bash -eu
+
+for NS in `kubectl get ns -A --no-headers -o custom-columns=":metadata.name"`; do
+  echo $NS
+  kubectl -n $NS label --overwrite rs  -l app.kubernetes.io/name=hedgedoc app.kubernetes.io/component=app
+  kubectl -n $NS label --overwrite po  -l app.kubernetes.io/name=hedgedoc app.kubernetes.io/component=app
+done
--- a/migrations/2022-04-11-apply-last-np.sh
+++ b/migrations/2022-04-11-apply-last-np.sh
+#!/bin/bash -eux
+
+for NS in `kubectl get ns --no-headers -o custom-columns=":metadata.name" -l libre.sh/scope=user`; do
+  kubctl -n ${NS} delete networkpolicies allow-from-ingress-namespace
+  cat "/root/domains/common/networkpolicies.yml" | envsubst '$NS' | kubectl -n ${NS} diff -f -
+done
--- a/migrations/2022-04-11-label-system-and-user-ns.sh
+++ b/migrations/2022-04-11-label-system-and-user-ns.sh
+#!/bin/bash -eux
+
+for NS in `kubectl get ns --no-headers -o custom-columns=":metadata.name" | grep -v "cert-manager\|default\|kube\|flux-system\|ingress\|operator\|monitoring"`; do
+  kubectl label ns $NS libre.sh/scope=user
+done
+
+
+for NS in `kubectl get ns --no-headers -o custom-columns=":metadata.name" | grep "cert-manager\|default\|kube\|flux-system\|ingress\|operator\|monitoring"`; do
+  kubectl label ns $NS libre.sh/scope=system
+done
--- a/networkpolicies.yml
+++ b/networkpolicies.yml
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
-  name: allow-from-ingress-namespace
+  name: allow-from-pg-operator-to-pg
 spec:
  podSelector:
    matchLabels:
-      app.kubernetes.io/component: web
+      application: spilo
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
-          name: ingress
+          name: postgres-operator
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-to-web-pods
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: app
+  ingress:
+  - {}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-to-app-pods
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: web
+  ingress:
+  - {}
 ---
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
@@ -19,7 +41,10 @@ metadata:
 spec:
  podSelector: {}
  ingress:
-  - {}
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          name: ${NS}
  policyTypes:
  - Ingress
 ---

--- a/scripts/functions.sh
+++ b/scripts/functions.sh
@@ -19,7 +19,9 @@ function create_buckets_for_gitlab() {
 function create_ns() {
  mkdir -p /root/domains/${NS}
  kubectl create ns ${NS} || true
-  kubectl -n ${NS} apply -f /root/domains/common/networkpolicies.yml
+  kubectl label ns $NS libre.sh/scope=user
+  kubectl label ns/$NS name=$NS
+  cat "/root/domains/common/networkpolicies.yml" | envsubst '$NS' | kubectl -n ${NS} apply -f -
 }

 function pg_zero_lag() {