replace kyverno with jspolicy

2023-10-06 22:15:27 +02:00 · 2023-10-06 22:15:27 +02:00 · 38a728f0f9
parent e4bb83854f
commit 38a728f0f9
9 changed files with 144 additions and 140 deletions
--- a/README.md
+++ b/README.md
@ -69,7 +69,7 @@ then https://localhost:8080/
 ### Kubernetes native - K8up

 K8up has a global configuration in `system/apps/k8up.yaml`.
-To access the storage destination which is only available in the tailnet, a Kyverno policy injects Tailscale into the backup Pods.
+To access the storage destination which is only available in the tailnet, a Jspolicy policy injects Tailscale into the backup Pods.
 See `system/k8up`.

 ### Host level
--- a/apps/headscale/clusterpolicy-copy-config.yaml
+++ b/apps/headscale/clusterpolicy-copy-config.yaml
@ -1,23 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: copy-headscale-config-to-webui
-spec:
-  rules:
-    - name: Clone Headscale Config to WebUI
-      match:
-        resources:
-          kinds:
-            - Deployment
-          selector:
-            matchLabels:
-              app: headscale-webui
-      generate:
-        kind: ConfigMap
-        apiVersion: v1
-        name: headscale-etc-copy
-        namespace: headscale-webui
-        synchronize: true
-        clone:
-          namespace: headscale
-          name: headscale-etc
--- a/apps/headscale/jspolicy-copy-headscale-config-to-webui.yaml
+++ b/apps/headscale/jspolicy-copy-headscale-config-to-webui.yaml
@ -0,0 +1,34 @@
+apiVersion: policy.jspolicy.com/v1beta1
+kind: JsPolicy
+metadata:
+  name: copy-headscale-config-to-webui.tbrnt.ch
+spec:
+  operations: ["CREATE"]
+  resources: ["deployments"]
+  scope: Namespaced
+  objectSelector:
+    matchLabels:
+      app: headscale-webui
+  type: Controller
+  javascript: |
+    const configmap = get("ConfigMap", "v1", "headscale/headscale-etc");
+
+    configmap.metadata.namespace = "headscale-webui"
+    configmap.metadata.name = "headscale-etc-copy"
+    delete configmap.metadata.uid
+    delete configmap.metadata.resourceVersion
+    delete configmap.metadata.annotations
+    delete configmap.metadata.labels
+    delete configmap.metadata.creationTimestamp
+
+    const result = create(configmap);
+    if (!result.ok) {
+      // check for a specific error type
+      if (result.reason === "AlreadyExists") {
+        warn(`ConfigMap already exists`);
+      } else {
+        warn(`Error creating ConfigMap (Reason ${result.reason}): ${result.message}`);
+      }
+    } else {
+      print("Created ConfigMap");
+    }
--- a/backup.yaml
+++ b/backup.yaml
@ -0,0 +1,8 @@
+apiVersion: k8up.io/v1
+kind: Backup
+metadata:
+  name: manual-backup
+  namespace: owntracks
+spec:
+  keepJobs: 1
+  resources: {}
--- a/system/apps/system/kyverno.yaml
+++ b/system/apps/system/kyverno.yaml
@ -1,34 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: kyverno
-  namespace: argocd
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  source:
-    chart: kyverno
-    repoURL: https://kyverno.github.io/kyverno/
-    targetRevision: 3.0.5
-    helm:
-      values: |
-        config:
-          features:
-            admissionReports:
-              enabled: false
-            aggregateReports:
-              enabled: false
-            policyReports:
-              enabled: false
-            backgroundScan:
-              enabled: false
-        admissionController:
-          replicas: 1
-  destination:
-    namespace: kyverno
-    server: https://kubernetes.default.svc
-  project: system
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
--- a/system/k8up/jspolicy-copy-tailscale-auth-for-backup.yaml
+++ b/system/k8up/jspolicy-copy-tailscale-auth-for-backup.yaml
@ -0,0 +1,40 @@
+apiVersion: policy.jspolicy.com/v1beta1
+kind: JsPolicy
+metadata:
+  name: copy-tailscale-auth-secret.tbrnt.ch
+spec:
+  operations: ["CREATE"]
+  resources: ["pods"]
+  scope: Namespaced
+  objectSelector:
+    matchLabels:
+      k8upjob: "true"
+  type: Controller
+  javascript: |
+    const authsecret = get("Secret", "v1", "k8up/tailscale-auth-backup");
+
+    authsecret.metadata.namespace = request.namespace
+    delete authsecret.metadata.uid
+    delete authsecret.metadata.resourceVersion
+    delete authsecret.metadata.annotations
+    delete authsecret.metadata.labels
+    delete authsecret.metadata.creationTimestamp
+
+    authsecret.metadata.ownerReferences = [{
+      apiVersion: "v1",
+      kind: "Pod",
+      name: request.name,
+      uid: request.object.metadata.uid
+    }]
+
+    const result = create(authsecret);
+    if (!result.ok) {
+      // check for a specific error type
+      if (result.reason === "AlreadyExists") {
+        warn(`Tailscale secret already exists`);
+      } else {
+        warn(`Error creating Secret (Reason ${result.reason}): ${result.message}`);
+      }
+    } else {
+      print("Created Tailscale secret", result.object);
+    }
--- a/system/k8up/jspolicy-tailscale-injector-clusterpolicy.yaml
+++ b/system/k8up/jspolicy-tailscale-injector-clusterpolicy.yaml
@ -0,0 +1,61 @@
+apiVersion: policy.jspolicy.com/v1beta1
+kind: JsPolicy
+metadata:
+  name: inject-tailscale-sidecar.tbrnt.ch
+spec:
+  type: Mutating
+  operations: ["CREATE"]
+  resources: ["pods"]
+  scope: Namespaced
+  objectSelector:
+    matchLabels:
+      k8upjob: "true"
+  javascript: |
+    let script = String.raw`
+    export PATH=$PATH:/tailscale/bin
+    set -e
+
+    if [[ ! -d /dev/net ]]; then
+      mkdir -p /dev/net
+    fi
+    if [[ ! -c /dev/net/tun ]]; then
+      mknod /dev/net/tun c 10 200
+    fi
+
+    echo "Starting tailscaled in background"
+    tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp &
+    TS_PID=$!
+
+    echo "Running tailscale up"
+    tailscale --socket=/tmp/tailscaled.sock up --authkey=\${TS_AUTH_KEY} --accept-dns=false --login-server https://headscale.tbrnt.ch
+
+    echo "Waiting for K8up to exit"
+    while pidof k8up > /dev/null; do sleep 1; done
+
+    echo "K8up ended - stopping tailscale"
+    kill -s SIGINT \$TS_PID
+    wait \${TS_PID}    
+    `
+
+    request.object.spec.shareProcessNamespace = true
+    request.object.spec.containers.push({
+      name: "ts-sidecar",
+      imagePullPolicy: "IfNotPresent",
+      image: "ghcr.io/tailscale/tailscale:v1.48.2",
+      command: ["/bin/sh", "-c", script],
+      env: [{
+        name: "TS_AUTH_KEY",
+        valueFrom: {
+          secretKeyRef: {
+            name: "tailscale-auth-backup",
+            key: "TS_AUTH_KEY"
+          }
+        }
+      }],
+      securityContext: {
+        capabilities: {
+          add: [ "NET_ADMIN" ]
+        }
+      }
+    });
+    mutate(request.object);
--- a/system/k8up/tailscale-auth-secret-copier-clusterpolicy.yaml
+++ b/system/k8up/tailscale-auth-secret-copier-clusterpolicy.yaml
@ -1,23 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: copy-tailscale-auth-for-backup
-spec:
-  rules:
-    - name: Clone tailscale Auth Secret
-      match:
-        resources:
-          kinds:
-            - Pod
-          selector:
-            matchLabels:
-              k8upjob: "true"
-      generate:
-        kind: Secret
-        apiVersion: v1
-        name: tailscale-auth-backup
-        namespace: "{{request.object.metadata.namespace}}"
-        synchronize: true
-        clone:
-          namespace: k8up
-          name: tailscale-auth-backup
--- a/system/k8up/tailscale-injector-clusterpolicy.yaml
+++ b/system/k8up/tailscale-injector-clusterpolicy.yaml
@ -1,59 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: inject-tailscale
-spec:
-  rules:
-    - name: inject-tailscale
-      match:
-        resources:
-          kinds:
-            - Pod
-          selector:
-            matchLabels:
-              k8upjob: "true"
-      mutate:
-        patchStrategicMerge:
-          spec:
-            shareProcessNamespace: true
-            containers:
-              - name: ts-sidecar
-                imagePullPolicy: IfNotPresent
-                image: ghcr.io/tailscale/tailscale:v1.50.0
-                command:
-                  - /bin/sh
-                  - -c
-                  - |
-                    export PATH=$PATH:/tailscale/bin
-                    set -e
-
-                    if [[ ! -d /dev/net ]]; then
-                      mkdir -p /dev/net
-                    fi
-                    if [[ ! -c /dev/net/tun ]]; then
-                      mknod /dev/net/tun c 10 200
-                    fi
-
-                    echo "Starting tailscaled in background"
-                    tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp &
-                    TS_PID=$!
-
-                    echo "Running tailscale up"
-                    tailscale --socket=/tmp/tailscaled.sock up --authkey=${TS_AUTH_KEY} --accept-dns=false --login-server https://headscale.tbrnt.ch
-
-                    echo "Waiting for K8up to exit"
-                    while pidof k8up > /dev/null; do sleep 1; done
-
-                    echo "K8up ended - stopping tailscale"
-                    kill -s SIGINT $TS_PID
-                    wait ${TS_PID}
-                env:
-                  - name: TS_AUTH_KEY
-                    valueFrom:
-                      secretKeyRef:
-                        name: tailscale-auth-backup
-                        key: TS_AUTH_KEY
-                securityContext:
-                  capabilities:
-                    add:
-                      - NET_ADMIN