From 651b9a9c9875d59487417e1da5271d7d4a6dc9e0 Mon Sep 17 00:00:00 2001
From: Pierre Ozoux <pierre@ozoux.net>
Date: Mon, 11 Apr 2022 18:25:46 +0200
Subject: [PATCH] Fixes networkploicies.
---
migrations/2022-03-25-label-ns-with-name.sh | 6 ++++
.../2022-03-28-label-hedgedoc-pods-and-rs.sh | 7 ++++
migrations/2022-04-11-apply-last-np.sh | 6 ++++
.../2022-04-11-label-system-and-user-ns.sh | 10 ++++++
networkpolicies.yml | 33 ++++++++++++++++---
scripts/functions.sh | 4 ++-
6 files changed, 61 insertions(+), 5 deletions(-)
create mode 100755 migrations/2022-03-25-label-ns-with-name.sh
create mode 100755 migrations/2022-03-28-label-hedgedoc-pods-and-rs.sh
create mode 100755 migrations/2022-04-11-apply-last-np.sh
create mode 100755 migrations/2022-04-11-label-system-and-user-ns.sh
diff --git a/migrations/2022-03-25-label-ns-with-name.sh b/migrations/2022-03-25-label-ns-with-name.sh
new file mode 100755
index 0000000..5c63e7e
--- /dev/null
+++ b/migrations/2022-03-25-label-ns-with-name.sh
@@ -0,0 +1,6 @@
+#!/bin/bash -eu
+
+for NS in `kubectl get ns -A --no-headers -o custom-columns=":metadata.name"`; do
+ echo $NS
+ kubectl label --overwrite ns/$NS name=$NS
+done
diff --git a/migrations/2022-03-28-label-hedgedoc-pods-and-rs.sh b/migrations/2022-03-28-label-hedgedoc-pods-and-rs.sh
new file mode 100755
index 0000000..c10d0d2
--- /dev/null
+++ b/migrations/2022-03-28-label-hedgedoc-pods-and-rs.sh
@@ -0,0 +1,7 @@
+#!/bin/bash -eu
+
+for NS in `kubectl get ns -A --no-headers -o custom-columns=":metadata.name"`; do
+ echo $NS
+ kubectl -n $NS label --overwrite rs -l app.kubernetes.io/name=hedgedoc app.kubernetes.io/component=app
+ kubectl -n $NS label --overwrite po -l app.kubernetes.io/name=hedgedoc app.kubernetes.io/component=app
+done
diff --git a/migrations/2022-04-11-apply-last-np.sh b/migrations/2022-04-11-apply-last-np.sh
new file mode 100755
index 0000000..c27a604
--- /dev/null
+++ b/migrations/2022-04-11-apply-last-np.sh
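Review bot: The `name=$NS` label this loop writes, and that the `namespaceSelector.matchLabels.name` rules in networkpolicies.yml then trust, is an ordinary mutable label, so any principal with update rights on a namespace can set it to another namespace's name; it is a weak basis for a network boundary. On clusters running Kubernetes 1.21 or later the API server maintains the immutable `kubernetes.io/metadata.name` label on every namespace, and selecting on that instead (in both namespaceSelectors of networkpolicies.yml) would make this migration and the `name=$NS` line added to create_ns in scripts/functions.sh unnecessary — verify the cluster version before relying on it. Separately, the backtick command substitution and the bare `$NS` expansions are what shellcheck flags first; `for NS in $(kubectl get ns --no-headers -o custom-columns=":metadata.name"); do` and `kubectl label --overwrite "ns/$NS" "name=$NS"` are the quoted forms, and the same applies to the other three migrations in this patch.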
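Review bot: The two `kubectl -n $NS label --overwrite rs/po ...` lines only patch the live ReplicaSet and Pod objects; unless the hedgedoc Deployment's pod template already carries `app.kubernetes.io/component=app`, the next rollout recreates pods without the label and the new `allow-to-web-pods` policy silently stops selecting them. Confirm the Deployment template has the label, or have this migration patch the Deployment's template instead of the derived objects so the label survives rollouts. A header comment stating that dependency would help whoever re-runs the migrations on a fresh cluster.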
@@ -0,0 +1,6 @@
+#!/bin/bash -eux
+
+for NS in `kubectl get ns --no-headers -o custom-columns=":metadata.name" -l libre.sh/scope=user`; do
+ kubctl -n ${NS} delete networkpolicies allow-from-ingress-namespace
+ cat "/root/domains/common/networkpolicies.yml" | envsubst '$NS' | kubectl -n ${NS} diff -f -
+done
diff --git a/migrations/2022-04-11-label-system-and-user-ns.sh b/migrations/2022-04-11-label-system-and-user-ns.sh
new file mode 100755
index 0000000..5894a17
--- /dev/null
+++ b/migrations/2022-04-11-label-system-and-user-ns.sh
@@ -0,0 +1,10 @@
+#!/bin/bash -eux
+
+for NS in `kubectl get ns --no-headers -o custom-columns=":metadata.name" | grep -v "cert-manager\|default\|kube\|flux-system\|ingress\|operator\|monitoring"`; do
+ kubectl label ns $NS libre.sh/scope=user
+done
+
+
+for NS in `kubectl get ns --no-headers -o custom-columns=":metadata.name" | grep "cert-manager\|default\|kube\|flux-system\|ingress\|operator\|monitoring"`; do
+ kubectl label ns $NS libre.sh/scope=system
+done
diff --git a/networkpolicies.yml b/networkpolicies.yml
index c86a322..02ba72a 100644
--- a/networkpolicies.yml
+++ b/networkpolicies.yml
@@ -1,16 +1,38 @@
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
- name: allow-from-ingress-namespace
+ name: allow-from-pg-operator-to-pg
 spec:
 podSelector:
 matchLabels:
- app.kubernetes.io/component: web
+ application: spilo
 ingress:
 - from:
 - namespaceSelector:
 matchLabels:
- name: ingress
+ name: postgres-operator
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-to-web-pods
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: app
+ ingress:
+ - {}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-to-app-pods
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: web
+ ingress:
+ - {}
 ---
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
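Review bot: `kubctl` on the delete line is a typo, so under `#!/bin/bash -eux` the script aborts with command-not-found on the first user namespace before changing anything. The next line then pipes the rendered policies into `kubectl diff -f -`, which only prints differences and exits 1 whenever any exist — `-e` treats that as a failure too — so a migration named apply-last-np never applies a policy and stops at the first namespace that differs. Suggested lines: `kubectl -n "${NS}" delete networkpolicies allow-from-ingress-namespace --ignore-not-found` and `envsubst '$NS' </root/domains/common/networkpolicies.yml | kubectl -n "${NS}" apply -f -`; if a dry run is really intended, keep `diff` but append `|| true` and rename the file. The loop also presumes 2022-04-11-label-system-and-user-ns.sh has already run, since it selects on `libre.sh/scope=user`; a one-line comment at the top stating that ordering would save the next operator a silent no-op.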
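Review bot: The two `grep` filters are unanchored substring matches, so any namespace whose name merely contains `kube`, `default`, `ingress`, `operator` or `monitoring` is classified `system`, skipped by the `libre.sh/scope=user` rollout in 2022-04-11-apply-last-np.sh, and therefore left without the per-namespace isolation policy — a silent gap, not an error. Anchor the match on whole names, e.g. `grep -x -E 'cert-manager|default|kube-.*|flux-system|...'` completed with the exact names of the remaining system namespaces, and use the same expression with `-v` for the user loop so the two sets stay complementary. Both `kubectl label ns $NS libre.sh/scope=...` lines lack `--overwrite`, so a re-run fails on the first already-labelled namespace and `-e` aborts the loop; `kubectl label --overwrite ns "$NS" libre.sh/scope=user` (and `=system`) makes the migration idempotent.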
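Review bot: `allow-to-web-pods` selects `app.kubernetes.io/component: app` and `allow-to-app-pods` selects `component: web` — the two `name:` values are swapped relative to their selectors and should be exchanged so a later policy audit reads correctly. More importantly, both policies use `ingress: - {}`, which admits traffic from every source (all namespaces and, depending on the CNI, external clients), and because NetworkPolicies are additive this overrides the same-namespace restriction added further down in this file for precisely the web and app pods that the removed `allow-from-ingress-namespace` policy used to limit to the ingress namespace. If the intent is that these pods are reachable only through the ingress controller, keep a `namespaceSelector` on the ingress namespace in these two rules instead of an empty rule; if wide-open ingress really is intended, a comment above each policy saying so would stop the next reviewer from "fixing" it.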
@@ -19,7 +41,10 @@ metadata:
 spec:
 podSelector: {}
 ingress:
- - {}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ name: ${NS}
 policyTypes:
 - Ingress
 ---
diff --git a/scripts/functions.sh b/scripts/functions.sh
index 6ca74b5..d194d30 100644
--- a/scripts/functions.sh
+++ b/scripts/functions.sh
@@ -19,7 +19,9 @@ function create_buckets_for_gitlab() {
 function create_ns() {
 mkdir -p /root/domains/${NS}
 kubectl create ns ${NS} || true
- kubectl -n ${NS} apply -f /root/domains/common/networkpolicies.yml
+ kubectl label ns $NS libre.sh/scope=user
+ kubectl label ns/$NS name=$NS
+ cat "/root/domains/common/networkpolicies.yml" | envsubst '$NS' | kubectl -n ${NS} apply -f -
 }
 
 function pg_zero_lag() {
-- GitLab
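Review bot: The new `from` rule expresses "same namespace" through the `name: ${NS}` label, which ties this file to `envsubst`, to the label migrations, and to a label that can be rewritten after the fact; Kubernetes already expresses that intent with a bare pod selector, `- from:` followed by `  - podSelector: {}`, which needs no templating and matches only pods in the policy's own namespace. With that change the `envsubst '$NS'` pipelines in scripts/functions.sh and 2022-04-11-apply-last-np.sh reduce to a plain `kubectl apply -f`. Note that policies are additive, so this rule does not narrow anything for the web and app pods while the two `ingress: - {}` policies earlier in this file remain.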
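Review bot: The two new `kubectl label` lines in create_ns have no `--overwrite`, so calling create_ns again for an existing namespace — which `kubectl create ns ${NS} || true` on the line above is clearly written to tolerate — now returns non-zero on the first label with an "already has a value" error, and the function is no longer idempotent (whether that aborts the caller depends on how functions.sh is sourced). Merge them into one overwriting call and drop the useless `cat`: `kubectl label --overwrite ns "${NS}" libre.sh/scope=user "name=${NS}"` and `envsubst '$NS' </root/domains/common/networkpolicies.yml | kubectl -n "${NS}" apply -f -`. The mix of `$NS` and `${NS}` on adjacent lines is also worth normalising to the quoted `"${NS}"` form.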