
Commit f95608f

authored
Merge pull request #19 from mbaldessari/fix-acm-policies-without-clustergroup-label
Fix ACM policies without a clusterGroup label
2 parents 24442a1 + 2d41306 commit f95608f

8 files changed

+359
-163
lines changed


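--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -57,3 +57,55 @@ Default always defined valueFiles to be included when pushing the cluster wide a
 - name: global.experimentalCapabilities
 value: {{ $.Values.global.experimentalCapabilities }}
 {{- end }} {{- /*acm.app.policies.helmparameters */}}
+
+{{- define "acm.app.clusterSelector" -}}
+{{- $cs := .clusterSelector -}}
+{{- $g := default (dict) .group -}}
+{{- $rawLabels := get $g "acmlabels" -}}
+{{- $isSlice := kindIs "slice" $rawLabels -}}
+{{- $isMap := kindIs "map" $rawLabels -}}
+{{- $hasAny := and $rawLabels (gt (len $rawLabels) 0) -}}
+{{- if $cs -}}
+clusterSelector: {{ $cs | toPrettyJson }}
+{{- else if not $hasAny -}}
+clusterSelector:
+matchExpressions:
+- key: local-cluster
+operator: NotIn
+values:
+- 'true'
+matchLabels:
+clusterGroup: {{ $g.name }}
+{{- else if $isSlice -}}
+clusterSelector:
+matchExpressions:
+- key: local-cluster
+operator: NotIn
+values:
+- 'true'
+matchLabels:
+{{- range $rawLabels }}
+{{ .name }}: {{ .value }}
+{{- end }}
+{{- else if $isMap -}}
+clusterSelector:
+matchExpressions:
+- key: local-cluster
+operator: NotIn
+values:
+- 'true'
+matchLabels:
+{{- range $k, $v := $rawLabels }}
+{{ $k }}: {{ $v }}
+{{- end }}
+{{- else -}} {{- /* Fallback: unknown acmlabels shape then default to group */}}
+clusterSelector:
+matchExpressions:
+- key: local-cluster
+operator: NotIn
+values:
+- 'true'
+matchLabels:
+clusterGroup: {{ $g.name }}
+{{- end -}}
+{{- end -}} {{- /*acm.app.clusterSelector */}}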
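Review bot: The selector values emitted on new lines 78, 88, 99 and 109 (`clusterGroup: {{ $g.name }}`, `{{ .name }}: {{ .value }}`, `{{ $k }}: {{ $v }}`) are rendered unquoted, so an acmlabels value such as `true`, `no` or `1.10` is retyped by the YAML parser and the PlacementRule is either rejected by the API server or matches no cluster; label-selector values are strings and should be rendered as `clusterGroup: {{ $g.name | quote }}`, `{{ .name }}: {{ .value | quote }}` and `{{ $k }}: {{ $v | quote }}`. The `matchExpressions` block excluding `local-cluster: 'true'` is repeated verbatim in all four non-custom branches; emitting it once before the branch and varying only `matchLabels` would make the hub exclusion easier to audit. On line 67, `gt (len $rawLabels) 0` is evaluated even for a nil `$rawLabels` on Go template engines where `and` does not short-circuit — I have not confirmed the minimum Helm version this chart targets. A header comment would also help, along the lines of `{{- /* acm.app.clusterSelector: dict with "clusterSelector" (used verbatim when set) and "group" (its acmlabels list or map becomes matchLabels, otherwise clusterGroup=<group name>); all generated selectors exclude the hub */}}`.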
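--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,11 +1,12 @@
 # This pushes out the HUB's Certificate Authorities on to the imported clusters
 {{- if .Values.clusterGroup.isHubCluster }}
-{{- if (eq (((.Values.global).secretStore).backend) "vault") }}
+{{- range .Values.clusterGroup.managedClusterGroups }}
+{{- $group := . }}
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: Policy
 metadata:
-name: acm-hub-ca-policy
+name: hub-argo-ca-{{ .name }}-policy
 annotations:
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 argocd.argoproj.io/compare-options: IgnoreExtraneous
@@ -17,32 +18,21 @@ spec:
 apiVersion: policy.open-cluster-management.io/v1
 kind: ConfigurationPolicy
 metadata:
-name: acm-hub-ca-config-policy
+name: hub-argo-ca-{{ .name }}-config
 spec:
 remediationAction: enforce
 severity: medium
 namespaceSelector:
 include:
 - default
 object-templates:
-- complianceType: mustonlyhave
-objectDefinition:
-kind: Secret
-apiVersion: v1
-type: Opaque
-metadata:
-name: hub-ca
-namespace: golang-external-secrets
-data:
-hub-kube-root-ca.crt: '{{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}` }}'
-hub-openshift-service-ca.crt: '{{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}` }}'
 - complianceType: mustonlyhave
 objectDefinition:
 kind: ConfigMap
 apiVersion: v1
 metadata:
 name: trusted-hub-bundle
-namespace: imperative
+namespace: {{ $.Values.global.pattern }}-{{ .name }}
 data:
 hub-kube-root-ca.crt: |
 {{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }}
@@ -52,39 +42,38 @@ spec:
 apiVersion: policy.open-cluster-management.io/v1
 kind: PlacementBinding
 metadata:
-name: acm-hub-ca-policy-placement-binding
+name: hub-argo-ca-{{ .name }}-placement-binding
 annotations:
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 placementRef:
-name: acm-hub-ca-policy-placement
+name: hub-argo-ca-{{ .name }}-placement
 kind: PlacementRule
 apiGroup: apps.open-cluster-management.io
 subjects:
-- name: acm-hub-ca-policy
+- name: hub-argo-ca-{{ .name }}-policy
 kind: Policy
 apiGroup: policy.open-cluster-management.io
 ---
 apiVersion: apps.open-cluster-management.io/v1
 kind: PlacementRule
 metadata:
-name: acm-hub-ca-policy-placement
+name: hub-argo-ca-{{ .name }}-placement
 annotations:
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
 clusterConditions:
 - status: 'True'
 type: ManagedClusterConditionAvailable
-clusterSelector:
-matchExpressions:
-- key: local-cluster
-operator: NotIn
-values:
-- 'true'
+{{- include "acm.app.clusterSelector" (dict
+"clusterSelector" .clusterSelector
+"group" $group
+) | nindent 2 }}
+{{- if (eq ((($.Values.global).secretStore).backend) "vault") }}
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: Policy
 metadata:
-name: hub-argo-ca-openshift-gitops-policy
+name: {{ .name }}-acm-hub-ca-policy
 annotations:
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 argocd.argoproj.io/compare-options: IgnoreExtraneous
@@ -96,21 +85,32 @@ spec:
 apiVersion: policy.open-cluster-management.io/v1
 kind: ConfigurationPolicy
 metadata:
-name: hub-argo-ca-openshift-gitops-config
+name: {{ .name }}-acm-hub-ca-config-policy
 spec:
 remediationAction: enforce
 severity: medium
 namespaceSelector:
 include:
 - default
 object-templates:
+- complianceType: mustonlyhave
+objectDefinition:
+kind: Secret
+apiVersion: v1
+type: Opaque
+metadata:
+name: hub-ca
+namespace: golang-external-secrets
+data:
+hub-kube-root-ca.crt: '{{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}` }}'
+hub-openshift-service-ca.crt: '{{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}` }}'
 - complianceType: mustonlyhave
 objectDefinition:
 kind: ConfigMap
 apiVersion: v1
 metadata:
 name: trusted-hub-bundle
-namespace: openshift-gitops
+namespace: imperative
 data:
 hub-kube-root-ca.crt: |
 {{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }}
@@ -120,43 +120,37 @@ spec:
 apiVersion: policy.open-cluster-management.io/v1
 kind: PlacementBinding
 metadata:
-name: hub-argo-ca-openshift-gitops-policy-binding
+name: {{ .name }}-acm-hub-ca-policy-placement-binding
 annotations:
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 placementRef:
-name: hub-argo-ca-openshift-gitops-policy-placement
+name: {{ .name }}-acm-hub-ca-policy-placement
 kind: PlacementRule
 apiGroup: apps.open-cluster-management.io
 subjects:
-- name: hub-argo-ca-openshift-gitops-policy
+- name: {{ .name }}-acm-hub-ca-policy
 kind: Policy
 apiGroup: policy.open-cluster-management.io
 ---
 apiVersion: apps.open-cluster-management.io/v1
 kind: PlacementRule
 metadata:
-name: hub-argo-ca-openshift-gitops-policy-placement
+name: {{ .name }}-acm-hub-ca-policy-placement
 annotations:
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
 clusterConditions:
 - status: 'True'
 type: ManagedClusterConditionAvailable
-clusterSelector:
-matchExpressions:
-- key: local-cluster
-operator: NotIn
-values:
-- 'true'
-
-{{- end }}{{/* if (eq (((.Values.global).secretStore).backend) "vault") */}}
-{{- range .Values.clusterGroup.managedClusterGroups }}
-{{- $group := . }}
+{{- include "acm.app.clusterSelector" (dict
+"clusterSelector" .clusterSelector
+"group" $group
+) | nindent 2 }}
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: Policy
 metadata:
-name: hub-argo-ca-{{ .name }}-policy
+name: {{ .name }}-hub-argo-ca-gitops-policy
 annotations:
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 argocd.argoproj.io/compare-options: IgnoreExtraneous
@@ -168,7 +162,7 @@ spec:
 apiVersion: policy.open-cluster-management.io/v1
 kind: ConfigurationPolicy
 metadata:
-name: hub-argo-ca-{{ .name }}-config
+name: {{ .name }}-hub-argo-ca-gitops-config
 spec:
 remediationAction: enforce
 severity: medium
@@ -182,7 +176,7 @@ spec:
 apiVersion: v1
 metadata:
 name: trusted-hub-bundle
-namespace: {{ $.Values.global.pattern }}-{{ .name }}
+namespace: openshift-gitops
 data:
 hub-kube-root-ca.crt: |
 {{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }}
@@ -192,33 +186,33 @@ spec:
 apiVersion: policy.open-cluster-management.io/v1
 kind: PlacementBinding
 metadata:
-name: hub-argo-ca-{{ .name }}-placement-binding
+name: {{ .name }}-hub-argo-ca-gitops-policy-binding
 annotations:
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 placementRef:
-name: hub-argo-ca-{{ .name }}-placement
+name: {{ .name }}-hub-argo-ca-gitops-policy-placement
 kind: PlacementRule
 apiGroup: apps.open-cluster-management.io
 subjects:
-- name: hub-argo-ca-{{ .name }}-policy
+- name: {{ .name }}-hub-argo-ca-gitops-policy
 kind: Policy
 apiGroup: policy.open-cluster-management.io
 ---
 apiVersion: apps.open-cluster-management.io/v1
 kind: PlacementRule
 metadata:
-name: hub-argo-ca-{{ .name }}-placement
+name: {{ .name }}-hub-argo-ca-gitops-policy-placement
 annotations:
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
 clusterConditions:
 - status: 'True'
 type: ManagedClusterConditionAvailable
-clusterSelector:
-matchExpressions:
-- key: local-cluster
-operator: NotIn
-values:
-- 'true'
+{{- include "acm.app.clusterSelector" (dict
+"clusterSelector" .clusterSelector
+"group" $group
+) | nindent 2 }}
+
+{{- end }}{{/* if (eq ((($.Values.global).secretStore).backend) "vault") */}}
 {{- end }}{{/* range .Values.clusterGroup.managedClusterGroups */}}
 {{- end }}{{/* isHubCluster */}}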
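Review bot: Every resource name inside the new per-group loop is built from an unvalidated `.name` (new line 9 `name: hub-argo-ca-{{ .name }}-policy`, line 76 `name: {{ .name }}-acm-hub-ca-policy`, line 153 `name: {{ .name }}-hub-argo-ca-gitops-policy`), so a managedClusterGroups entry without a name renders `hub-argo-ca--policy` and two entries sharing a name produce duplicate Policy/PlacementBinding/PlacementRule manifests that are applied last-wins, silently changing which clusters receive the hub CA bundle. Failing the render is safer: one guard right after `{{- $group := . }}` on new line 4, `{{- $_ := required "managedClusterGroups entries must have a name" .name }}`, covers all three triples. The `range` opened on new line 3 is closed only on line 217 in the last hunk, and the `{{- if ... "vault" }}` opened on line 71 closes on line 216, so the block structure the names depend on is not visible in any single hunk; the trailing `{{/* ... */}}` end-comments the commit keeps are what make it readable and should stay.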

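--- a/templates/policies/application-policies.yaml
+++ b/templates/policies/application-policies.yaml
@@ -156,22 +156,9 @@ spec:
 clusterConditions:
 - status: 'True'
 type: ManagedClusterConditionAvailable
-{{- if .clusterSelector }}
-clusterSelector: {{ .clusterSelector | toPrettyJson }}
-{{- else if (not $group.acmlabels) }}
-clusterSelector:
-matchLabels:
-clusterGroup: {{ $group.name }}
-{{- else if eq (len $group.acmlabels) 0 }}
-clusterSelector:
-matchLabels:
-clusterGroup: {{ $group.name }}
-{{- else }}
-clusterSelector:
-matchLabels:
-{{- range .acmlabels }}
-{{ .name }}: {{ .value }}
-{{- end }}
-{{- end }}
+{{- include "acm.app.clusterSelector" (dict
+"clusterSelector" .clusterSelector
+"group" $group
+) | nindent 2 }}
 ---
 {{- end }}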
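Review bot: Switching to the include changes placement of application policies beyond the clusterGroup-label fix named in the title: the removed branches (old lines 161–175) never excluded the hub, while every non-custom branch of `acm.app.clusterSelector` adds a `local-cluster NotIn ['true']` expression, so an application policy that previously could also be placed on the hub will no longer be unless the group sets an explicit `clusterSelector`. If that is intended, a one-line comment above the include on new line 159 would make it auditable, e.g. `{{- /* helper also excludes the hub (local-cluster=true) unless .clusterSelector is set */}}`; if not, the helper needs a way to opt out of the exclusion. `$group` and the `range` closed by the trailing `{{- end }}` are defined outside this hunk.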
