From 7215ded598e52f95e74f0f23d8882f7eb07d529f Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 30 Jan 2022 00:26:17 +0100
Subject: [PATCH] feat(postgres): Rework zalando-postgres-operator integration

---
 infrastructure/kustomization.yaml             |  1 +
 infrastructure/postgres/kustomization.yaml    |  4 +-
 infrastructure/postgres/namespace.yaml        |  5 ++-
 infrastructure/postgres/release.yaml          |  4 +-
 infrastructure/postgres/repository.yaml       |  1 +
 .../user-namespace-network-policy.yaml        | 42 -------------------
 .../networkpolicies/allow-from-database.yaml  | 23 ++++++++++
 7 files changed, 32 insertions(+), 48 deletions(-)
 delete mode 100644 infrastructure/postgres/user-namespace-network-policy.yaml
 create mode 100644 shared/networkpolicies/allow-from-database.yaml

diff --git a/infrastructure/kustomization.yaml b/infrastructure/kustomization.yaml
index e304eed75..6da7799a1 100644
--- a/infrastructure/kustomization.yaml
+++ b/infrastructure/kustomization.yaml
@@ -12,3 +12,4 @@ resources:
   - longhorn
   - monitoring
   - k8up
+  - postgres
diff --git a/infrastructure/postgres/kustomization.yaml b/infrastructure/postgres/kustomization.yaml
index dd7e5f88d..df609e8f1 100644
--- a/infrastructure/postgres/kustomization.yaml
+++ b/infrastructure/postgres/kustomization.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: zalando-postgres
+namespace: postgres-system
 resources:
   - namespace.yaml
+  - repository.yaml
   - release.yaml
-  - user-namespace-network-policy.yaml
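Review bot: The removed `user-namespace-network-policy.yaml` held the Kyverno ClusterPolicy that generated the spilo ingress policy into user namespaces, and nothing in this patch references its replacement `shared/networkpolicies/allow-from-database.yaml` from a kustomization or a generate rule, so the allow rule has no visible producer after this commit. If the new file is wired up elsewhere, a comment next to the resource list would save the next reader the search, e.g. `# database ingress policy now lives in shared/networkpolicies/allow-from-database.yaml`. Whether the previously generated `allow-from-zalando-postgres-managed` policies are garbage-collected or left stale depends on the Kyverno synchronize setting, which is not visible here.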
diff --git a/infrastructure/postgres/namespace.yaml b/infrastructure/postgres/namespace.yaml
index 10d72f25e..f2b5639f2 100644
--- a/infrastructure/postgres/namespace.yaml
+++ b/infrastructure/postgres/namespace.yaml
@@ -1,7 +1,8 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: zalando-postgres
+  name: postgres-system
   labels:
-    name: zalando-postgres
+    name: postgres-system
     kyverno.shivering-isles.com/class: "system"
+    database.shivering-isles.com/network-access-required: "true"
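Review bot: The new label `database.shivering-isles.com/network-access-required: "true"` is what the replacement NetworkPolicy selects on, so on this namespace it is effectively an access grant to spilo pods on 5432/8008/8080 and deserves a comment saying so, e.g. `# selected by shared/networkpolicies/allow-from-database.yaml: grants this namespace ingress to spilo pods`. Unlike the previous `name: zalando-postgres` selector, which matched one namespace, this label can be set on any namespace by anyone allowed to edit namespace metadata, so it widens the set of principals who can open a path to the databases; that trust boundary is worth stating here or enforcing with a Kyverno validate rule alongside the rename.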
diff --git a/infrastructure/postgres/release.yaml b/infrastructure/postgres/release.yaml
index ff031b4e9..4100a3202 100644
--- a/infrastructure/postgres/release.yaml
+++ b/infrastructure/postgres/release.yaml
@@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: zalando-postgres-operator
-  namespace: zalando-postgres
+  namespace: postgres-system
 spec:
   releaseName: zalando-postgres-operator
   chart:
@@ -11,9 +11,9 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: zalando-postgres-operator
+        namespace: postgres-system
       valuesFiles:
         - values.yaml
-      # renovate: helmRepo=https://opensource.zalando.com/postgres-operator/charts/postgres-operator/ depName=postgres-operator
       version: 1.7.1
   interval: 5m
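Review bot: Dropping the `# renovate: helmRepo=... depName=postgres-operator` annotation removes the annotation-based tracking of `version: 1.7.1`, so chart updates for the operator would no longer be proposed automatically unless Renovate's Flux manager resolves the chart through the `HelmRepository` sourceRef that now carries `namespace: postgres-system`. If that is the intent, a one-line comment such as `# version tracked by Renovate's flux manager via sourceRef` would make it explicit; otherwise the annotation should stay so the operator does not silently fall behind on releases. The HelmRelease spec continues outside the hunk.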
   values:
diff --git a/infrastructure/postgres/repository.yaml b/infrastructure/postgres/repository.yaml
index ade97c613..39f5e7bc9 100644
--- a/infrastructure/postgres/repository.yaml
+++ b/infrastructure/postgres/repository.yaml
@@ -2,6 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta1
 kind: HelmRepository
 metadata:
   name: zalando-postgres-operator
+  namespace: postgres-system
 spec:
   interval: 30m
   url: https://opensource.zalando.com/postgres-operator/charts/postgres-operator/
diff --git a/infrastructure/postgres/user-namespace-network-policy.yaml b/infrastructure/postgres/user-namespace-network-policy.yaml
deleted file mode 100644
index fabc183d0..000000000
--- a/infrastructure/postgres/user-namespace-network-policy.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: default
-spec:
-  rules:
-  - name: allow-from-zalando-postgres
-    match:
-      resources:
-        kinds:
-        - Namespace
-    exclude:
-      resources:
-        namespaces:
-        - *-system
-        - default
-        - kube-public
-        - kyverno
-    generate:
-      apiVersion: networking.k8s.io/v1
-      kind: NetworkPolicy
-      metadata:
-        name: allow-from-zalando-postgres-managed
-        namespace: "{{request.object.metadata.name}}"
-      spec:
-        ingress:
-        - from:
-          - namespaceSelector:
-              matchLabels:
-                name: zalando-postgres
-          ports:
-          - port: 8008
-            protocol: TCP
-          - port: 5432
-            protocol: TCP
-          - port: 8080
-            protocol: TCP
-        podSelector:
-          matchLabels:
-            application: spilo
-        policyTypes:
-        - Ingress
diff --git a/shared/networkpolicies/allow-from-database.yaml b/shared/networkpolicies/allow-from-database.yaml
new file mode 100644
index 000000000..e7a2e9cf8
--- /dev/null
+++ b/shared/networkpolicies/allow-from-database.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-database
+  namespace: "{{request.object.metadata.name}}"
+spec:
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          database.shivering-isles.com/network-access-required: "true"
+    ports:
+    - port: 8008
+      protocol: TCP
+    - port: 5432
+      protocol: TCP
+    - port: 8080
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      application: spilo
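Review bot: `metadata.namespace` still holds a Kyverno template (`{{request.object.metadata.name}}`) although this is a plain NetworkPolicy that no kustomization or generate rule in the patch references, so applying it directly with kustomize would fail on an invalid namespace name; presumably a Kyverno ClusterPolicy elsewhere embeds it, and a header comment should say so, e.g. `# Template consumed by a Kyverno generate rule; not applied directly`. The `namespaceSelector` admits every namespace carrying `database.shivering-isles.com/network-access-required: "true"`, which is broader than the old `name: zalando-postgres` match, and it opens 8008 (Patroni's API in spilo) and 8080 alongside 5432, so the label should be documented as a privileged grant. The flush sequence indentation here also differs from the indented style the kustomization files in this patch use; yamllint's `indent-sequences` check will flag one or the other unless the repo settles on a single style.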
-- 
GitLab