Internal flag

api/v1alpha1/application_types.go

@@ -67,7 +67,7 @@ type ApplicationSpec struct {
 	// They can optionally be suffixed with a plus and name of a custom TLS secret located in the istio-gateways namespace.
 	// E.g. "foo.atkv3-dev.kartverket-intern.cloud+env-wildcard-cert"
 	//+kubebuilder:validation:Optional
-	Ingresses []string `json:"ingresses,omitempty"`
+	Ingresses *apiextensionsv1.JSON `json:"ingresses,omitempty"`
 
 	// An optional priority. Supported values are 'low', 'medium' and 'high'.
 	// The default value is 'medium'.
@@ -432,15 +432,53 @@ func (a *Application) GetCommonSpec() *CommonSpec {
 	}
 }
 
+type Ingresses struct {
+	Hostname string
+	Internal bool
+}
+
+func MarshalledIngresses(Ingresses interface{}) *apiextensionsv1.JSON {
+	IngressesJSON := &apiextensionsv1.JSON{}
+	var err error
+
+	IngressesJSON.Raw, err = json.Marshal(Ingresses)
+	if err == nil {
+		return IngressesJSON
+	}
+
+	return nil
+}
+
 func (s *ApplicationSpec) Hosts() (HostCollection, error) {
+	var resultString []string
+	var resultObject []Ingresses
+	var errorsFound []error
 	hosts := NewCollection()
 
-	var errorsFound []error
-	for _, ingress := range s.Ingresses {
-		err := hosts.Add(ingress)
+	ingresses := MarshalledIngresses(s.Ingresses)
+	err := json.Unmarshal(ingresses.Raw, &resultString)
+
+	if err != nil {
+		err := json.Unmarshal(ingresses.Raw, &resultObject)
+		if err != nil {
+			errorsFound = append(errorsFound, err)
+			return NewCollection(), errors.Join(errorsFound...)
+		}
+
+		for _, ingress := range resultObject {
+			err := hosts.AddObject(ingress.Hostname, ingress.Internal)
+			if err != nil {
+				errorsFound = append(errorsFound, err)
+				return NewCollection(), errors.Join(errorsFound...)
+			}
+		}
+		return hosts, nil
+	}
+
+	for _, ingress := range resultString {
+		err := hosts.AddObject(ingress, IsInternal(ingress))
 		if err != nil {
 			errorsFound = append(errorsFound, err)
-			continue
 		}
 	}
 

api/v1alpha1/hosts.go

@@ -3,16 +3,20 @@ package v1alpha1
 import (
 	"fmt"
 	"github.com/chmike/domain"
+	"regexp"
 	"strings"
 )
 
 const hostnameSecretSeparator = "+"
 
+var internalPattern = regexp.MustCompile(`[^.]\.skip\.statkart\.no|[^.]\.kartverket-intern.cloud`)
+
 // TODO: Add a mechanism for validating that the
 // hostname is covered by the CustomCertificateSecret if present
 type Host struct {
 	Hostname                string
 	CustomCertificateSecret *string
+	Internal                bool
 }
 
 type HostCollection struct {
@@ -25,6 +29,7 @@ func NewHost(hostname string) (*Host, error) {
 	}
 
 	var h Host
+
 	// If hostname is separated by +, the user wants to use a custom certificate
 	results := strings.Split(hostname, hostnameSecretSeparator)
 
@@ -49,7 +54,7 @@ func NewHost(hostname string) (*Host, error) {
 	if err := domain.Check(h.Hostname); err != nil {
 		return nil, fmt.Errorf("%s: failed validation: %w", h.Hostname, err)
 	}
-
+	h.Internal = IsInternal(hostname)
 	return &h, nil
 }
 
@@ -63,14 +68,14 @@ func NewCollection() HostCollection {
 	}
 }
 
-func (hs *HostCollection) Add(hostname string) error {
+func (hs *HostCollection) AddObject(hostname string, internal bool) error {
 	h, err := NewHost(hostname)
 	if err != nil {
 		return err
 	}
 
+	h.Internal = internal
 	existingValue, alreadyPresent := hs.hosts[h.Hostname]
-
 	switch alreadyPresent {
 	case true:
 		if existingValue.UsesCustomCert() {
@@ -105,3 +110,7 @@ func (hs *HostCollection) Hostnames() []string {
 func (hs *HostCollection) Count() int {
 	return len(hs.hosts)
 }
+
+func IsInternal(hostname string) bool {
+	return internalPattern.MatchString(hostname)
+}

api/v1alpha1/routing_types.go

@@ -41,6 +41,9 @@ type RoutingSpec struct {
 	//+kubebuilder:validation:Optional
 	//+kubebuilder:default:=true
 	RedirectToHTTPS *bool `json:"redirectToHTTPS,omitempty"`
+
+	//+kubebuilder:validation:Optional
+	Internal *bool `json:"internal,omitempty"`
 }
 
 // +kubebuilder:object:generate=true

config/crd/skiperator.kartverket.no_applications.yaml

@@ -646,9 +646,7 @@ spec:
                   Ingresses must be lowercase, contain no spaces, be a non-empty string, and have a hostname/domain separated by a period
                   They can optionally be suffixed with a plus and name of a custom TLS secret located in the istio-gateways namespace.
                   E.g. "foo.atkv3-dev.kartverket-intern.cloud+env-wildcard-cert"
-                items:
-                  type: string
-                type: array
+                x-kubernetes-preserve-unknown-fields: true
               labels:
                 additionalProperties:
                   type: string

config/crd/skiperator.kartverket.no_routings.yaml

@@ -45,6 +45,8 @@ spec:
             properties:
               hostname:
                 type: string
+              internal:
+                type: boolean
               redirectToHTTPS:
                 default: true
                 type: boolean

pkg/resourcegenerator/deployment/deployment.go

@@ -204,11 +204,16 @@ func Generate(r reconciliation.Reconciliation) error {
 	}
 
 	// add an external link to argocd
-	ingresses := application.Spec.Ingresses
+	hosts, err := application.Spec.Hosts()
+	if err != nil {
+		ctxLog.Error(err, "could not get hosts from application")
+	}
 	if deployment.Annotations == nil {
 		deployment.Annotations = make(map[string]string)
 	}
 
+	var ingresses = hosts.Hostnames()
+
 	if len(ingresses) > 0 {
 		deployment.Annotations[AnnotationKeyLinkPrefix] = fmt.Sprintf("https://%s", ingresses[0])
 	}

pkg/resourcegenerator/istio/gateway/application.go

@@ -2,7 +2,6 @@ package gateway
 
 import (
 	"fmt"
-
 	skiperatorv1alpha1 "github.com/kartverket/skiperator/api/v1alpha1"
 	"github.com/kartverket/skiperator/pkg/reconciliation"
 	"github.com/kartverket/skiperator/pkg/util"
@@ -38,7 +37,7 @@ func generateForApplication(r reconciliation.Reconciliation) error {
 		name := fmt.Sprintf("%s-ingress-%x", application.Name, util.GenerateHashFromName(h.Hostname))
 		gateway := networkingv1beta1.Gateway{ObjectMeta: metav1.ObjectMeta{Namespace: application.Namespace, Name: name}}
 
-		gateway.Spec.Selector = util.GetIstioGatewayLabelSelector(h.Hostname)
+		gateway.Spec.Selector = util.GetIstioGatewayLabelSelector(h)
 
 		gatewayServersToAdd := []*networkingv1beta1api.Server{}
 

pkg/resourcegenerator/istio/gateway/routing.go

@@ -28,6 +28,9 @@ func generateForRouting(r reconciliation.Reconciliation) error {
 	}
 
 	h, err := routing.Spec.GetHost()
+	if routing.Spec.Internal != nil {
+		h.Internal = *routing.Spec.Internal
+	}
 	if err != nil {
 		return err
 	}
@@ -44,7 +47,7 @@ func generateForRouting(r reconciliation.Reconciliation) error {
 		}
 	}
 
-	gateway.Spec.Selector = util.GetIstioGatewayLabelSelector(h.Hostname)
+	gateway.Spec.Selector = util.GetIstioGatewayLabelSelector(h)
 	gateway.Spec.Servers = []*networkingv1beta1api.Server{
 		{
 			Hosts: []string{h.Hostname},

pkg/resourcegenerator/networkpolicy/dynamic/common.go

@@ -35,14 +35,20 @@ func generateForCommon(r reconciliation.Reconciliation) error {
 	}
 
 	accessPolicy := object.GetCommonSpec().AccessPolicy
-	var ingresses []string
+	var hosts = skiperatorv1alpha1.NewCollection()
 	var inboundPort int32
+
 	if r.GetType() == reconciliation.ApplicationType {
-		ingresses = object.(*skiperatorv1alpha1.Application).Spec.Ingresses
+		var err error
+		hosts, err = object.(*skiperatorv1alpha1.Application).Spec.Hosts()
+		if err != nil {
+			ctxLog.Error(err, "Failed to get hosts for networkpolicy", "type", r.GetType(), "namespace", namespace)
+			return err
+		}
 		inboundPort = int32(object.(*skiperatorv1alpha1.Application).Spec.Port)
 	}
 
-	ingressRules := getIngressRules(accessPolicy, ingresses, r.IsIstioEnabled(), namespace, inboundPort)
+	ingressRules := getIngressRules(accessPolicy, hosts, r.IsIstioEnabled(), namespace, inboundPort)
 	egressRules := getEgressRules(accessPolicy, namespace)
 
 	netpolSpec := networkingv1.NetworkPolicySpec{
@@ -110,20 +116,14 @@ func getEgressRule(outboundRule podtypes.InternalRule, namespace string) network
 }
 
 // TODO Clean up better
-func getIngressRules(accessPolicy *podtypes.AccessPolicy, ingresses []string, istioEnabled bool, namespace string, port int32) []networkingv1.NetworkPolicyIngressRule {
+func getIngressRules(accessPolicy *podtypes.AccessPolicy, hostCollection skiperatorv1alpha1.HostCollection, istioEnabled bool, namespace string, port int32) []networkingv1.NetworkPolicyIngressRule {
 	var ingressRules []networkingv1.NetworkPolicyIngressRule
 
-	if ingresses != nil && len(ingresses) > 0 {
-		if hasInternalIngress(ingresses) {
-			ingressRules = append(ingressRules, getGatewayIngressRule(true, port))
-		}
-
-		if hasExternalIngress(ingresses) {
-			ingressRules = append(ingressRules, getGatewayIngressRule(false, port))
-		}
+	for _, host := range hostCollection.AllHosts() {
+		ingressRules = append(ingressRules, getGatewayIngressRule(host.Internal, port))
 	}
 
-	// Allow grafana-agent to scrape
+	// Allow grafana-agent and Alloy to scrape
 	if istioEnabled {
 		promScrapeRuleGrafana := networkingv1.NetworkPolicyIngressRule{
 			From: []networkingv1.NetworkPolicyPeer{
@@ -223,26 +223,6 @@ func getNamespaceSelector(rule podtypes.InternalRule, appNamespace string) *meta
 	}
 }
 
-func hasExternalIngress(ingresses []string) bool {
-	for _, hostname := range ingresses {
-		if !util.IsInternal(hostname) {
-			return true
-		}
-	}
-
-	return false
-}
-
-func hasInternalIngress(ingresses []string) bool {
-	for _, hostname := range ingresses {
-		if util.IsInternal(hostname) {
-			return true
-		}
-	}
-
-	return false
-}
-
 func getGatewayIngressRule(isInternal bool, port int32) networkingv1.NetworkPolicyIngressRule {
 	ingressRule := networkingv1.NetworkPolicyIngressRule{
 		From: []networkingv1.NetworkPolicyPeer{
@@ -251,6 +231,7 @@ func getGatewayIngressRule(isInternal bool, port int32) networkingv1.NetworkPoli
 					MatchLabels: map[string]string{"kubernetes.io/metadata.name": "istio-gateways"},
 				},
 				PodSelector: &metav1.LabelSelector{
+
 					MatchLabels: getIngressGatewayLabel(isInternal),
 				},
 			},

pkg/resourcegenerator/networkpolicy/dynamic/routing.go

@@ -27,7 +27,13 @@ func generateForRouting(r reconciliation.Reconciliation) error {
 	for _, route := range routing.Spec.Routes {
 		uniqueTargetApps[getNetworkPolicyName(routing, route.TargetApp)] = route
 	}
-
+	h, err := routing.Spec.GetHost()
+	if routing.Spec.Internal != nil {
+		h.Internal = *routing.Spec.Internal
+	}
+	if err != nil {
+		return err
+	}
 	for netpolName, route := range uniqueTargetApps {
 		networkPolicy := networkingv1.NetworkPolicy{
 			ObjectMeta: metav1.ObjectMeta{
@@ -50,7 +56,7 @@ func generateForRouting(r reconciliation.Reconciliation) error {
 								MatchLabels: util.GetIstioGatewaySelector(),
 							},
 							PodSelector: &metav1.LabelSelector{
-								MatchLabels: util.GetIstioGatewayLabelSelector(routing.Spec.Hostname),
+								MatchLabels: util.GetIstioGatewayLabelSelector(h),
 							},
 						},
 					},