feat!: enable istio and netpols for everything (#37)

## Description This PR enables Istio and adds netpols for everything. > [!IMPORTANT] > ⚠️ **BREAKING CHANGES** > > - `postgres.ingress` within the `uds-postgres-config` chart is now an array of objects instead of a single entry - please update accordingly (single objects will still function but this is now deprecated). > - _All_ clients must be behind Istio now. This should already be happening for clients built as UDS packages but may not be for others. ## Related Issue Fixes #N/A ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [X] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-postgres-operator/blob/main/CONTRIBUTING.md#developer-workflow) followed
defenseunicorns · Jun 12, 2024 · 642a38d · 642a38d
1 parent 1c55b70
commit 642a38d
Show file tree

Hide file tree

Showing 16 changed files with 144 additions and 52 deletions.
diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml
@@ -7,9 +7,11 @@ metadata:
   # x-release-please-end
 
 packages:
+  # this sets up the namespaces that we will need in order to configure the default databases (and corresponding secrets) that are setup below
   - name: dev-namespaces
     path: ../
     ref: 0.1.0
+
   - name: postgres-operator
     path: ../
     # x-release-please-start-version
@@ -22,3 +24,31 @@ packages:
             - name: POSTGRESQL
               description: "Configure postgres using CRs via the uds-postgres-config chart"
               path: postgresql
+              default:
+                enabled: true  # Set to false to not create the PostgreSQL resource
+                teamId: "uds"
+                volume:
+                  size: "10Gi"
+                numberOfInstances: 2
+                users:
+                  gitlab.gitlab: []  # database owner
+                  sonarqube.sonarqube: []  # database owner
+                  mattermost.mattermost: []  # database owner
+                databases:
+                  gitlabdb: gitlab.gitlab
+                  mattermostdb: mattermost.mattermost
+                  sonarqubedb: sonarqube.sonarqube
+                version: "13"
+                ingress:
+                  remoteGenerated: Anywhere
+            - name: ACID_PG_CLUSTER_NETWORKING
+              description: "Allow connectivity to the acid pg cluster for testing (see tests/ folder)"
+              path: custom
+              default:
+                - direction: Egress
+                  selector:
+                    app.kubernetes.io/name: postgres-operator
+                  remoteNamespace: acid
+                  remoteSelector:
+                    cluster-name: pg-cluster
+                  description: "Egress to a non-default pg cluster"
diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml
@@ -1,19 +0,0 @@
-variables:
-  postgres-operator:
-    postgresql:
-      enabled: true  # Set to false to not create the PostgreSQL resource
-      teamId: "uds"
-      volume:
-        size: "10Gi"
-      numberOfInstances: 2
-      users:
-        gitlab.gitlab: []  # database owner
-        sonarqube.sonarqube: []  # database owner
-        mattermost.mattermost: []  # database owner
-      databases:
-        gitlabdb: gitlab.gitlab
-        mattermostdb: mattermost.mattermost
-        sonarqubedb: sonarqube.sonarqube
-      version: "13"
-      ingress:
-        remoteGenerated: Anywhere

diff --git a/chart/templates/peer-auth-exception.yaml b/chart/templates/peer-auth-exception.yaml
diff --git a/chart/templates/postgres-minimal.yaml b/chart/templates/postgres-minimal.yaml
@@ -3,7 +3,7 @@ apiVersion: acid.zalan.do/v1
 kind: postgresql
 metadata:
   name: pg-cluster
-  namespace: {{ .Release.Namespace }}
+  namespace: postgres
 spec:
   teamId: {{ .Values.postgresql.teamId | quote }}
   volume:

diff --git a/chart/templates/postgres-svc.yaml b/chart/templates/postgres-svc.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: pg-cluster-headless
-  namespace: {{ .Release.Namespace }}
+  namespace: postgres
 spec:
   clusterIP: None
   ports:

diff --git a/chart/templates/uds-package-postgres.yaml b/chart/templates/uds-package-postgres.yaml
@@ -0,0 +1,41 @@
+{{- if .Values.postgresql.enabled }}
+apiVersion: uds.dev/v1alpha1
+kind: Package
+metadata:
+  name: postgres
+  namespace: postgres
+spec:
+  network:
+    allow:
+      - direction: Ingress
+        remoteGenerated: IntraNamespace
+
+      - direction: Egress
+        remoteGenerated: IntraNamespace
+
+    {{- if kindIs "slice" .Values.postgresql.ingress -}}
+      {{- range .Values.postgresql.ingress }}
+      - direction: Ingress
+        selector:
+          cluster-name: pg-cluster
+        {{ . | toYaml | nindent 8 }}
+      {{- end }}
+    {{- else }}
+      - direction: Ingress
+        selector:
+          cluster-name: pg-cluster
+        {{- .Values.postgresql.ingress | toYaml | nindent 8 }}
+    {{- end }}
+
+      - direction: Ingress
+        selector:
+          app.kubernetes.io/name: postgres-operator
+        remoteNamespace: {{ .Release.Namespace }}
+        remoteSelector:
+          app.kubernetes.io/name: postgres-operator
+
+      - direction: Egress
+        selector:
+          cluster-name: pg-cluster
+        remoteGenerated: KubeAPI
+{{- end }}
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
@@ -1,24 +1,37 @@
-{{- if .Values.postgresql.enabled }}
 apiVersion: uds.dev/v1alpha1
 kind: Package
 metadata:
-  name: postgres
+  name: postgres-operator
   namespace: {{ .Release.Namespace }}
 spec:
   network:
     allow:
-      - direction: Ingress
-        remoteGenerated: IntraNamespace
+      {{- if .Values.postgresql.enabled }}
       - direction: Egress
-        remoteGenerated: IntraNamespace
-      {{- if .Values.postgresql.ingress }}
-      - direction: Ingress
         selector:
+          app.kubernetes.io/name: postgres-operator
+        remoteNamespace: postgres
+        remoteSelector:
           cluster-name: pg-cluster
-        {{- .Values.postgresql.ingress | toYaml | nindent 8 }}
       {{- end }}
+
       - direction: Egress
         selector:
-          cluster-name: pg-cluster  
+          app.kubernetes.io/name: postgres-operator
         remoteGenerated: KubeAPI
-{{- end }}
+
+      # Custom rules for other scenarios (such as connecting to a non-default pg cluster)
+      {{- range .Values.custom }}
+      - direction: {{ .direction }}
+        selector:
+          {{ .selector | toYaml | nindent 10 }}
+        {{- if not .remoteGenerated }}
+        remoteNamespace: {{ .remoteNamespace }}
+        remoteSelector:
+          {{ .remoteSelector | toYaml | nindent 10 }}
+        port: {{ .port }}
+        {{- else }}
+        remoteGenerated: {{ .remoteGenerated }}
+        {{- end }}
+        description: {{ .description }}
+      {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -1,5 +1,6 @@
 postgresql:
   enabled: false
+  ingress: []
 
 #   teamId: "uds"
 #   volume:
@@ -13,9 +14,18 @@ postgresql:
 #     yourdb: youruser
 #   version: "13"
 #   ingress:
-#     remoteGenerated: Anywhere
+#     - remoteGenerated: Anywhere
 # or
 #   ingress:
-#     remoteNamespace: tempo
-#     remoteSelector:
-#      app.kubernetes.io/name: tempo
+#     - remoteNamespace: tempo
+#       remoteSelector:
+#         app.kubernetes.io/name: tempo
+
+custom: []
+  # - direction: Egress
+  #   selector:
+  #     app.kubernetes.io/name: postgres-operator
+  #   remoteNamespace: acid
+  #   remoteSelector:
+  #     cluster-name: pg-cluster
+  #   description: "Egress to a non-default pg cluster"
diff --git a/common/zarf.yaml b/common/zarf.yaml
@@ -9,7 +9,7 @@ components:
     required: true
     charts:
       - name: uds-postgres-config
-        namespace: postgres
+        namespace: postgres-operator
         version: 0.1.0
         localPath: ../chart
       - name: postgres-operator
@@ -20,6 +20,11 @@ components:
           - ../values/values.yaml
     actions:
       onDeploy:
+        before:
+          # this shims postgres operator versions v0.11.1-uds.1 and below to the new config chart namespace layout
+          - cmd: ./zarf tools kubectl annotate --overwrite postgresql -n postgres pg-cluster meta.helm.sh/release-namespace=postgres-operator || true
+          - cmd: ./zarf tools kubectl annotate --overwrite service -n postgres pg-cluster-headless meta.helm.sh/release-namespace=postgres-operator || true
+          - cmd: ./zarf tools kubectl annotate --overwrite package -n postgres postgres meta.helm.sh/release-namespace=postgres-operator || true
         after:
           - description: Validate Postgres Operator Package
             maxTotalSeconds: 300

diff --git a/src/namespace/gitlab-ns.yaml b/src/namespace/gitlab-ns.yaml
@@ -2,3 +2,7 @@ kind: Namespace
 apiVersion: v1
 metadata:
   name: gitlab
+  # This label is only needed for testing!
+  # In a real deployment this namespace would be controlled by a UDS Package / the UDS Operator
+  labels:
+    istio-injection: enabled
diff --git a/src/namespace/mattermost-ns.yaml b/src/namespace/mattermost-ns.yaml
@@ -2,3 +2,7 @@ kind: Namespace
 apiVersion: v1
 metadata:
   name: mattermost
+  # This label is only needed for testing!
+  # In a real deployment this namespace would be controlled by a UDS Package / the UDS Operator
+  labels:
+    istio-injection: enabled
diff --git a/src/namespace/sonarqube-ns.yaml b/src/namespace/sonarqube-ns.yaml
@@ -2,3 +2,7 @@ kind: Namespace
 apiVersion: v1
 metadata:
   name: sonarqube
+  # This label is only needed for testing!
+  # In a real deployment this namespace would be controlled by a UDS Package / the UDS Operator
+  labels:
+    istio-injection: enabled
diff --git a/tasks.yaml b/tasks.yaml
@@ -38,6 +38,14 @@ tasks:
       - task: dependencies:create
       - task: create:test-bundle
 
+  - name: dev
+    description: Deploy Postgres Operator on existing cluster
+    actions:
+      - task: create-pg-package
+      - task: dependencies:create
+      - task: create-pg-test-bundle
+      - task: deploy:test-bundle
+
 # CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names
 
   - name: test-package

diff --git a/tests/postgres/db-seed-cross-namespace.yaml b/tests/postgres/db-seed-cross-namespace.yaml
@@ -16,6 +16,8 @@ kind: Job
 metadata:
   name: db-seed-job
   namespace: gitlab
+  labels:
+    app: gitlab
 spec:
   template:
     spec:

diff --git a/tests/postgres/db-seed.yaml b/tests/postgres/db-seed.yaml
@@ -16,6 +16,8 @@ kind: Job
 metadata:
   name: db-seed-job
   namespace: acid
+  labels:
+    app: acid
 spec:
   template:
     spec:

diff --git a/tests/postgres/postgres-minimal.yaml b/tests/postgres/postgres-minimal.yaml
@@ -2,6 +2,10 @@ kind: Namespace
 apiVersion: v1
 metadata:
   name: acid
+  # This label is only needed for testing!
+  # In a real deployment this namespace would be controlled by a UDS Package / the UDS Operator
+  labels:
+    istio-injection: enabled
 ---
 apiVersion: acid.zalan.do/v1
 kind: postgresql