diff --git a/component/standalone.jsonnet b/component/standalone.jsonnet
index 6957dcf..f67f3b8 100644
--- a/component/standalone.jsonnet
+++ b/component/standalone.jsonnet
@@ -98,10 +98,10 @@ local route(instance) = if std.get(params.instances[instance], 'url', '') != ''
 namespace: namespacedName(instance).namespace,
 },
 spec: {
- rules: [{
+ rules: [ {
 host: params.instances[instance].url,
 http: {
- paths: [{
+ paths: [ {
 backend: {
 service: {
 name: 'splunk-%s-standalone-service' % namespacedName(instance).name,
@@ -112,14 +112,42 @@ local route(instance) = if std.get(params.instances[instance], 'url', '') != ''
 },
 path: '/',
 pathType: 'Prefix',
- }],
+ } ],
 },
- }],
+ } ],
 // tls: [{
 // hosts: [ 'splunk-traffic-vshn-tdr-infra-prod.apps.ocp4.acrevison.ch' ],
 // secretName: '%s-tls' % namespacedName(instance).name,
 // }]
- }
+ },
+};
+
+local netpol(instance) = if std.get(params.instances[instance], 'allowFrom', []) != [] then {
+ apiVersion: 'networking.k8s.io/v1',
+ kind: 'NetworkPolicy',
+ metadata: {
+ annotations: utils.commonAnnotations,
+ labels: utils.commonLabelsWithInstance(namespacedName(instance).name),
+ name: 'splunk-standalone-%s' % namespacedName(instance).name,
+ namespace: namespacedName(instance).namespace,
+ },
+ spec: {
+ podSelector: {},
+ policyTypes: [ 'Ingress' ],
+ ingress: [
+ {
+ from: [ {
+ namespaceSelector: {
+ matchExpressions: [ {
+ operator: 'In',
+ key: 'kubernetes.io/metadata.name',
+ values: params.instances[instance].allowFrom,
+ } ],
+ },
+ } ],
+ },
+ ],
+ },
 };
 // RABC
@@ -179,6 +207,7 @@ local namespace(instance) = if std.get(params.instances[instance], 'createNamesp
 namespace(instance),
 standalone(instance),
 route(instance),
+ netpol(instance),
 serviceAccount(instance),
 roleBinding(instance),
 ] + appConfigs(instance))
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
index 94ab68e..8eaaba2 100644
--- a/docs/modules/ROOT/pages/references/parameters.adoc
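Review bot: The NetworkPolicy built by the new `netpol` function selects every pod in the instance namespace (`podSelector: {}`) and carries no `ports`, so once it exists all pods in that namespace accept ingress only from the `allowFrom` namespaces, on any port, and everything else — including the ingress controller that serves the `Ingress` produced by `route()` directly above — is dropped unless its namespace is listed; whether that actually breaks the route depends on the cluster's CNI and on other policies present in the namespace, so it should be stated explicitly rather than left for operators to discover. I would add above the function `// NetworkPolicy for the instance namespace: with allowFrom set, every pod accepts ingress (any port) only from the listed namespaces; the ingress-controller namespace must be listed for route() to keep working.` Separately, the `!= []` guard lets a hierarchy value of `allowFrom: null` through (`std.get` returns the field's value whenever the key exists, and `null != []` is true in Jsonnet), which renders `values: null` into the policy; binding the value once makes the check explicit: `local netpol(instance) =` / `  local allowFrom = std.get(params.instances[instance], 'allowFrom', []);` / `  if allowFrom != null && allowFrom != [] then {`, with `values:` then reusing `allowFrom`.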
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -112,6 +112,24 @@ splunk_operator:
 Creates the `Namespace` for the Splunk instance.
+=== `instances.{}.allowFrom`
+
+[horizontal]
+type:: list
+default:: []
+example::
++
+[source]
+----
+splunk_operator:
+ instances:
+ my-namespace/my-instance:
+ allowFrom:
+ - openshift-logging
+----
+
+Creates a `NetworkPolicy` allowing ingress from listed namespaces.
+
 === `instances.{}.url`
 [horizontal]
diff --git a/tests/forwarder.yml b/tests/forwarder.yml
index c82d017..03837ff 100644
--- a/tests/forwarder.yml
+++ b/tests/forwarder.yml
@@ -14,6 +14,8 @@ parameters:
 instances:
 test1/heavyforwarder:
 createNamespace: true
+ allowFrom:
+ - openshift-logging
 url: my-splunk.example.com
 standalone:
 serviceAccount: splunk-forwarder
diff --git a/tests/golden/forwarder/splunk-operator/splunk-operator/50_instance_test1_heavyforwarder.yaml b/tests/golden/forwarder/splunk-operator/splunk-operator/50_instance_test1_heavyforwarder.yaml
index 5b77dbe..2c37a71 100644
--- a/tests/golden/forwarder/splunk-operator/splunk-operator/50_instance_test1_heavyforwarder.yaml
+++ b/tests/golden/forwarder/splunk-operator/splunk-operator/50_instance_test1_heavyforwarder.yaml
@@ -51,6 +51,31 @@ spec:
 path: /
 pathType: Prefix
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ syn.tools/source: https://github.com/projectsyn/component-splunk-operator.git
+ labels:
+ app.kubernetes.io/component: splunk
+ app.kubernetes.io/instance: heavyforwarder
+ app.kubernetes.io/managed-by: commodore
+ app.kubernetes.io/part-of: syn
+ name: splunk-standalone-heavyforwarder
+ namespace: test1
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - openshift-logging
+ podSelector: {}
+ policyTypes:
+ - Ingress
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata: