diff --git a/cmd/gotk/bootstrap.go b/cmd/gotk/bootstrap.go index 9a0f7b78..b82a704e 100644 --- a/cmd/gotk/bootstrap.go +++ b/cmd/gotk/bootstrap.go @@ -52,6 +52,7 @@ var ( bootstrapArch string bootstrapBranch string bootstrapWatchAllNamespaces bool + bootstrapNetworkPolicy bool bootstrapLogLevel string bootstrapManifestsPath string bootstrapRequiredComponents = []string{"source-controller", "kustomize-controller"} @@ -80,6 +81,8 @@ func init() { rootCmd.AddCommand(bootstrapCmd) bootstrapCmd.PersistentFlags().BoolVar(&bootstrapWatchAllNamespaces, "watch-all-namespaces", true, "watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed") + bootstrapCmd.PersistentFlags().BoolVar(&bootstrapNetworkPolicy, "network-policy", true, + "deny ingress access to the toolkit controllers from other namespaces using network policies") bootstrapCmd.PersistentFlags().StringVar(&bootstrapLogLevel, "log-level", "info", "set the controllers log level") bootstrapCmd.PersistentFlags().StringVar(&bootstrapManifestsPath, "manifests", "", "path to the manifest directory") bootstrapCmd.PersistentFlags().MarkHidden("manifests") @@ -126,7 +129,7 @@ func generateInstallManifests(targetPath, namespace, tmpDir string, localManifes } if err := genInstallManifests(bootstrapVersion, namespace, bootstrapComponents, - bootstrapWatchAllNamespaces, bootstrapRegistry, bootstrapImagePullSecret, + bootstrapWatchAllNamespaces, bootstrapNetworkPolicy, bootstrapRegistry, bootstrapImagePullSecret, bootstrapArch, bootstrapLogLevel, gotkDir); err != nil { return "", fmt.Errorf("generating manifests failed: %w", err) } diff --git a/cmd/gotk/install.go b/cmd/gotk/install.go index bf2a5133..5ecc3b59 100644 --- a/cmd/gotk/install.go +++ b/cmd/gotk/install.go @@ -64,6 +64,7 @@ var ( installImagePullSecret string installArch string installWatchAllNamespaces bool + installNetworkPolicy bool installLogLevel string ) 
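Review bot: The help text of the new `--network-policy` flag registered in bootstrapCmd's init describes what the policy does but not what opting out means, and because this is a security control that defaults to on, an operator passing `--network-policy=false` gets no hint that the controllers' in-cluster endpoints (at least the notification-controller HTTP address that genInstallManifests wires up as eventsAddr) become reachable from every namespace. Suggest extending the description to `"deny ingress access to the toolkit controllers from other namespaces using network policies; disabling this exposes the controllers' endpoints to all workloads in the cluster"` and sharing the same string with install.go so the generated docs stay consistent. This assumes policies.yaml is a default-deny ingress policy for the toolkit namespace, which the diff does not show. The init function continues outside the hunk.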
@@ -87,6 +88,8 @@ func init() { installCmd.Flags().BoolVar(&installWatchAllNamespaces, "watch-all-namespaces", true, "watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed") installCmd.Flags().StringVar(&installLogLevel, "log-level", "info", "set the controllers log level") + installCmd.Flags().BoolVar(&installNetworkPolicy, "network-policy", true, + "deny ingress access to the toolkit controllers from other namespaces using network policies") rootCmd.AddCommand(installCmd) } @@ -113,7 +116,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error { } if installManifestsPath == "" { err = genInstallManifests(installVersion, namespace, installComponents, - installWatchAllNamespaces, installRegistry, installImagePullSecret, + installWatchAllNamespaces, installNetworkPolicy, installRegistry, installImagePullSecret, installArch, installLogLevel, tmpDir) if err != nil { return fmt.Errorf("install failed: %w", err) @@ -215,7 +218,9 @@ transformers: resources: - namespace.yaml +{{- if .NetworkPolicy }} - policies.yaml +{{- end }} - roles {{- range .Components }} - {{.}}.yaml @@ -333,7 +338,7 @@ func downloadManifests(version string, tmpDir string) error { } func genInstallManifests(version string, namespace string, components []string, - watchAllNamespaces bool, registry, imagePullSecret, arch, logLevel, tmpDir string) error { + watchAllNamespaces, networkPolicy bool, registry, imagePullSecret, arch, logLevel, tmpDir string) error { eventsAddr := "" if utils.containsItemString(components, defaultNotification) { eventsAddr = fmt.Sprintf("http://%s/", defaultNotification) @@ -348,6 +353,7 @@ func genInstallManifests(version string, namespace string, components []string, ImagePullSecret string Arch string WatchAllNamespaces bool + NetworkPolicy bool LogLevel string }{ Version: version, 
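Review bot: Dropping `policies.yaml` from the kustomization resources when `.NetworkPolicy` is false removes the object from the generated output but does nothing about a NetworkPolicy that an earlier install already created in the namespace, so on an existing cluster `--network-policy=false` presumably leaves the old policy in place unless the apply step prunes, which this diff does not show. Worth a comment next to the conditional, e.g. `# policies.yaml is omitted, not replaced: an existing NetworkPolicy must be removed by hand`, and an install-time warning when the flag is off, so that weakening the isolation is an explicit, logged decision rather than a silent template change. The template and the function rendering it extend beyond this hunk.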
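Review bot: The new signature of genInstallManifests takes two adjacent positional bools (`watchAllNamespaces, networkPolicy bool`) inside a ten-parameter list, so swapping them at either call site (bootstrap.go and install.go both pass them positionally) compiles cleanly and silently flips a security default. The function already assembles a struct with these same fields to feed the template, so the cleaner shape is a named options struct passed through from the callers, where `NetworkPolicy: bootstrapNetworkPolicy` reads unambiguously. The function body continues outside the hunk.
```go
// installOptions groups the inputs of genInstallManifests so that the two
// bools cannot be swapped at a call site; the fields mirror the struct the
// function already hands to the kustomization template.
type installOptions struct {
	Version            string
	Namespace          string
	Components         []string
	WatchAllNamespaces bool
	NetworkPolicy      bool
	Registry           string
	ImagePullSecret    string
	Arch               string
	LogLevel           string
}

func genInstallManifests(opts installOptions, tmpDir string) error {
	// … unchanged: eventsAddr derivation and template rendering, reading fields from opts …
```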
@@ -358,6 +364,7 @@ func genInstallManifests(version string, namespace string, components []string, ImagePullSecret: imagePullSecret, Arch: arch, WatchAllNamespaces: watchAllNamespaces, + NetworkPolicy: networkPolicy, LogLevel: logLevel, } diff --git a/docs/cmd/gotk_bootstrap.md b/docs/cmd/gotk_bootstrap.md index 4bc26be3..c4780265 100644 --- a/docs/cmd/gotk_bootstrap.md +++ b/docs/cmd/gotk_bootstrap.md @@ -15,6 +15,7 @@ The bootstrap sub-commands bootstrap the toolkit components on the targeted Git -h, --help help for bootstrap --image-pull-secret string Kubernetes secret name used for pulling the toolkit images from a private registry --log-level string set the controllers log level (default "info") + --network-policy deny ingress access to the toolkit controllers from other namespaces using network policies (default true) --registry string container registry where the toolkit images are published (default "ghcr.io/fluxcd") -v, --version string toolkit version (default "latest") --watch-all-namespaces watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed (default true) diff --git a/docs/cmd/gotk_bootstrap_github.md b/docs/cmd/gotk_bootstrap_github.md index 71e2b1bb..bce9c09b 100644 --- a/docs/cmd/gotk_bootstrap_github.md +++ b/docs/cmd/gotk_bootstrap_github.md @@ -64,6 +64,7 @@ gotk bootstrap github [flags] --kubeconfig string path to the kubeconfig file (default "~/.kube/config") --log-level string set the controllers log level (default "info") -n, --namespace string the namespace scope for this operation (default "gotk-system") + --network-policy deny ingress access to the toolkit controllers from other namespaces using network policies (default true) --registry string container registry where the toolkit images are published (default "ghcr.io/fluxcd") --timeout duration timeout for this operation (default 5m0s) --verbose print generated objects 
diff --git a/docs/cmd/gotk_bootstrap_gitlab.md b/docs/cmd/gotk_bootstrap_gitlab.md index b3671fa3..34cdd2c1 100644 --- a/docs/cmd/gotk_bootstrap_gitlab.md +++ b/docs/cmd/gotk_bootstrap_gitlab.md @@ -61,6 +61,7 @@ gotk bootstrap gitlab [flags] --kubeconfig string path to the kubeconfig file (default "~/.kube/config") --log-level string set the controllers log level (default "info") -n, --namespace string the namespace scope for this operation (default "gotk-system") + --network-policy deny ingress access to the toolkit controllers from other namespaces using network policies (default true) --registry string container registry where the toolkit images are published (default "ghcr.io/fluxcd") --timeout duration timeout for this operation (default 5m0s) --verbose print generated objects diff --git a/docs/cmd/gotk_install.md b/docs/cmd/gotk_install.md index e719a219..afc6c2c6 100644 --- a/docs/cmd/gotk_install.md +++ b/docs/cmd/gotk_install.md @@ -38,6 +38,7 @@ gotk install [flags] -h, --help help for install --image-pull-secret string Kubernetes secret name used for pulling the toolkit images from a private registry --log-level string set the controllers log level (default "info") + --network-policy deny ingress access to the toolkit controllers from other namespaces using network policies (default true) --registry string container registry where the toolkit images are published (default "ghcr.io/fluxcd") -v, --version string toolkit version (default "latest") --watch-all-namespaces watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed (default true)