diff --git a/cmd/gotk/bootstrap.go b/cmd/gotk/bootstrap.go
index 9a0f7b78744cb37a31fd320594626d2ecd8f53b2..b82a704ee032f9b08d3d127d3ac96619d43e0c3b 100644
--- a/cmd/gotk/bootstrap.go
+++ b/cmd/gotk/bootstrap.go
@@ -52,6 +52,7 @@ var (
 	bootstrapArch               string
 	bootstrapBranch             string
 	bootstrapWatchAllNamespaces bool
+	bootstrapNetworkPolicy      bool
 	bootstrapLogLevel           string
 	bootstrapManifestsPath      string
 	bootstrapRequiredComponents = []string{"source-controller", "kustomize-controller"}
@@ -80,6 +81,8 @@ func init() {
 	rootCmd.AddCommand(bootstrapCmd)
 	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapWatchAllNamespaces, "watch-all-namespaces", true,
 		"watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed")
+	bootstrapCmd.PersistentFlags().BoolVar(&bootstrapNetworkPolicy, "network-policy", true,
+		"deny ingress access to the toolkit controllers from other namespaces using network policies")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapLogLevel, "log-level", "info", "set the controllers log level")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapManifestsPath, "manifests", "", "path to the manifest directory")
 	bootstrapCmd.PersistentFlags().MarkHidden("manifests")
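Review bot: The help string on the new `--network-policy` flag describes only the enabled state and does not say how to turn the isolation off or what it depends on. Because the default is true, the flag is only ever typed to disable the policies, and pflag boolean flags need the `--network-policy=false` form, since a space-separated `false` is taken as a positional argument. I would extend the text to `"deny ingress access to the toolkit controllers from other namespaces using network policies (needs a network plugin that enforces NetworkPolicy; disable with --network-policy=false)"`. The same string is registered on installCmd in cmd/gotk/install.go and is copied into the docs/cmd pages, so those would change with it. init() starts outside this hunk.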
@@ -126,7 +129,7 @@ func generateInstallManifests(targetPath, namespace, tmpDir string, localManifes
 	}
 
 	if err := genInstallManifests(bootstrapVersion, namespace, bootstrapComponents,
-		bootstrapWatchAllNamespaces, bootstrapRegistry, bootstrapImagePullSecret,
+		bootstrapWatchAllNamespaces, bootstrapNetworkPolicy, bootstrapRegistry, bootstrapImagePullSecret,
 		bootstrapArch, bootstrapLogLevel, gotkDir); err != nil {
 		return "", fmt.Errorf("generating manifests failed: %w", err)
 	}
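Review bot: The call to genInstallManifests now passes two adjacent bool arguments, `bootstrapWatchAllNamespaces, bootstrapNetworkPolicy`, and the compiler cannot tell them apart if they are ever swapped. A swap would silently leave out the NetworkPolicy manifests or change the watch scope, with no error at build or run time. The same applies to the call in installCmdRun and to the new signature `watchAllNamespaces, networkPolicy bool` in cmd/gotk/install.go. Consider passing one options struct (genInstallManifests already builds an anonymous struct with these fields), or at least add a doc comment such as `// genInstallManifests renders the install manifests; the bools are, in order, watchAllNamespaces then networkPolicy.` generateInstallManifests starts and ends outside this hunk.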
diff --git a/cmd/gotk/install.go b/cmd/gotk/install.go
index bf2a51333612e1d9773573551110bf0494aac086..5ecc3b596a3d61e6dc6050b3b5418b10fcbaf99b 100644
--- a/cmd/gotk/install.go
+++ b/cmd/gotk/install.go
@@ -64,6 +64,7 @@ var (
 	installImagePullSecret    string
 	installArch               string
 	installWatchAllNamespaces bool
+	installNetworkPolicy      bool
 	installLogLevel           string
 )
 
@@ -87,6 +88,8 @@ func init() {
 	installCmd.Flags().BoolVar(&installWatchAllNamespaces, "watch-all-namespaces", true,
 		"watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed")
 	installCmd.Flags().StringVar(&installLogLevel, "log-level", "info", "set the controllers log level")
+	installCmd.Flags().BoolVar(&installNetworkPolicy, "network-policy", true,
+		"deny ingress access to the toolkit controllers from other namespaces using network policies")
 	rootCmd.AddCommand(installCmd)
 }
 
@@ -113,7 +116,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	}
 	if installManifestsPath == "" {
 		err = genInstallManifests(installVersion, namespace, installComponents,
-			installWatchAllNamespaces, installRegistry, installImagePullSecret,
+			installWatchAllNamespaces, installNetworkPolicy, installRegistry, installImagePullSecret,
 			installArch, installLogLevel, tmpDir)
 		if err != nil {
 			return fmt.Errorf("install failed: %w", err)
@@ -215,7 +218,9 @@ transformers:
 
 resources:
   - namespace.yaml
+{{- if .NetworkPolicy }}
   - policies.yaml
+{{- end }}
   - roles
 {{- range .Components }}
   - {{.}}.yaml
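Review bot: When `.NetworkPolicy` is false the rendered kustomization just omits `policies.yaml`, so what happens on a cluster that was installed with policies enabled depends on whether the apply step prunes objects that are missing from the new manifests, and that step is not visible here. Without pruning the existing NetworkPolicy objects presumably stay and the flag looks like a no-op; with pruning a re-run removes the isolation with no message to the operator. I would document this next to the template, which is declared outside the hunk, with a comment like `// policies.yaml is listed only when NetworkPolicy is true; leaving it out does not by itself delete policies applied by an earlier run`. Printing one line from the command when the policies are skipped would also make the weaker posture visible in install logs.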
@@ -333,7 +338,7 @@ func downloadManifests(version string, tmpDir string) error {
 }
 
 func genInstallManifests(version string, namespace string, components []string,
-	watchAllNamespaces bool, registry, imagePullSecret, arch, logLevel, tmpDir string) error {
+	watchAllNamespaces, networkPolicy bool, registry, imagePullSecret, arch, logLevel, tmpDir string) error {
 	eventsAddr := ""
 	if utils.containsItemString(components, defaultNotification) {
 		eventsAddr = fmt.Sprintf("http://%s/", defaultNotification)
@@ -348,6 +353,7 @@ func genInstallManifests(version string, namespace string, components []string,
 		ImagePullSecret    string
 		Arch               string
 		WatchAllNamespaces bool
+		NetworkPolicy      bool
 		LogLevel           string
 	}{
 		Version:            version,
@@ -358,6 +364,7 @@ func genInstallManifests(version string, namespace string, components []string,
 		ImagePullSecret:    imagePullSecret,
 		Arch:               arch,
 		WatchAllNamespaces: watchAllNamespaces,
+		NetworkPolicy:      networkPolicy,
 		LogLevel:           logLevel,
 	}
 
diff --git a/docs/cmd/gotk_bootstrap.md b/docs/cmd/gotk_bootstrap.md
index 4bc26be38222540daaccd044ea21a137b477d758..c47802650576334db39026030e62a637ddddf784 100644
--- a/docs/cmd/gotk_bootstrap.md
+++ b/docs/cmd/gotk_bootstrap.md
@@ -15,6 +15,7 @@ The bootstrap sub-commands bootstrap the toolkit components on the targeted Git
   -h, --help                       help for bootstrap
       --image-pull-secret string   Kubernetes secret name used for pulling the toolkit images from a private registry
       --log-level string           set the controllers log level (default "info")
+      --network-policy             deny ingress access to the toolkit controllers from other namespaces using network policies (default true)
       --registry string            container registry where the toolkit images are published (default "ghcr.io/fluxcd")
   -v, --version string             toolkit version (default "latest")
       --watch-all-namespaces       watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed (default true)
diff --git a/docs/cmd/gotk_bootstrap_github.md b/docs/cmd/gotk_bootstrap_github.md
index 71e2b1bba2ebe6feb5b4cada6f683c3a618c4559..bce9c09b1e51c2752c6b2d9bf3decff0f93d040d 100644
--- a/docs/cmd/gotk_bootstrap_github.md
+++ b/docs/cmd/gotk_bootstrap_github.md
@@ -64,6 +64,7 @@ gotk bootstrap github [flags]
       --kubeconfig string          path to the kubeconfig file (default "~/.kube/config")
       --log-level string           set the controllers log level (default "info")
   -n, --namespace string           the namespace scope for this operation (default "gotk-system")
+      --network-policy             deny ingress access to the toolkit controllers from other namespaces using network policies (default true)
       --registry string            container registry where the toolkit images are published (default "ghcr.io/fluxcd")
       --timeout duration           timeout for this operation (default 5m0s)
       --verbose                    print generated objects
diff --git a/docs/cmd/gotk_bootstrap_gitlab.md b/docs/cmd/gotk_bootstrap_gitlab.md
index b3671fa39a8ee3f720b54eda1367216060d57583..34cdd2c13c82a5a02c39a330e9ac6685692d346c 100644
--- a/docs/cmd/gotk_bootstrap_gitlab.md
+++ b/docs/cmd/gotk_bootstrap_gitlab.md
@@ -61,6 +61,7 @@ gotk bootstrap gitlab [flags]
       --kubeconfig string          path to the kubeconfig file (default "~/.kube/config")
       --log-level string           set the controllers log level (default "info")
   -n, --namespace string           the namespace scope for this operation (default "gotk-system")
+      --network-policy             deny ingress access to the toolkit controllers from other namespaces using network policies (default true)
       --registry string            container registry where the toolkit images are published (default "ghcr.io/fluxcd")
       --timeout duration           timeout for this operation (default 5m0s)
       --verbose                    print generated objects
diff --git a/docs/cmd/gotk_install.md b/docs/cmd/gotk_install.md
index e719a2196ea43aa57df385cab2469909b80fb3ce..afc6c2c6b555c6e8c68957787d6940d70c55e5b0 100644
--- a/docs/cmd/gotk_install.md
+++ b/docs/cmd/gotk_install.md
@@ -38,6 +38,7 @@ gotk install [flags]
   -h, --help                       help for install
       --image-pull-secret string   Kubernetes secret name used for pulling the toolkit images from a private registry
       --log-level string           set the controllers log level (default "info")
+      --network-policy             deny ingress access to the toolkit controllers from other namespaces using network policies (default true)
       --registry string            container registry where the toolkit images are published (default "ghcr.io/fluxcd")
   -v, --version string             toolkit version (default "latest")
       --watch-all-namespaces       watch for custom resources in all namespaces, if set to false it will only watch the namespace where the toolkit is installed (default true)