add teams chart

Signed-off-by: Carlos Santana <csantana23@gmail.com>

Author: csantanapr

charts/teams/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/teams/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: team
+description: A Helm Chart to bootstrap a Namespace in a Multi-Tenancy setup
+version: 1.0.0
+type: application
+

charts/teams/README.md

@@ -0,0 +1,3 @@
+# team
+
+A Helm Chart to bootstrap a Namespace in a Multi-Tenancy setup

charts/teams/templates/_helpers.tpl

@@ -0,0 +1,80 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "team.name" -}}
+{{- default .Chart.Name .Values.name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "team.fullname" -}}
+{{- if .Values.name }}
+{{- .Values.name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "team.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common Helm and Kubernetes labels
+*/}}
+{{- define "team.labels" -}}
+helm.sh/chart: {{ include "team.chart" . }}
+app.kubernetes.io/name: {{ include "team.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.labels }}
+{{ toYaml .Values.labels }}
+{{- end }}
+{{- end }}
+
+{{/*
+Common Helm and Kubernetes labels
+*/}}
+{{- define "team.annotations" -}}
+helm.sh/chart: {{ include "team.chart" . }}
+{{- if .Values.annotations }}
+{{ toYaml .Values.annotations }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+Create the name of the NetworkPolicy to deny all outgoing traffic
+*/}}
+{{- define "team.networkPolicy.egress.deny.all.name" }}
+{{- printf "%s-%s" ((include "team.fullname" .) | trunc 47 | trimSuffix "-") "egress-deny-all" }}
+{{- end }}
+
+{{/*
+Create the name of the NetworkPolicy to allow outgoing traffic to the Kubernetes DNS
+*/}}
+{{- define "team.networkPolicy.egress.allow.dns.name" }}
+{{- printf "%s-%s" ((include "team.fullname" .) | trunc 47 | trimSuffix "-") "egress-allow-dns" }}
+{{- end }}
+
+{{/*
+Create the name of the NetworkPolicy to deny all incoming traffic
+*/}}
+{{- define "team.networkPolicy.ingress.deny.all.name" }}
+{{- printf "%s-%s" ((include "team.fullname" .) | trunc 46 | trimSuffix "-") "ingress-deny-all" }}
+{{- end }}
+

charts/teams/templates/limitrange/limitrange.yaml

@@ -0,0 +1,27 @@
+{{- range $name, $tenant := .Values.namespaces }}
+{{- range $tenant.limitRanges }}
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: {{ .name }}
+  namespace: {{ $name }}
+  annotations:
+    {{- include "team.annotations" $ | nindent 4 }}
+    {{- if .annotations }}
+    {{- with .annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+  labels:
+    {{- include "team.labels" $ | nindent 4 }}
+    {{- if .labels }}
+    {{- with .labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+spec:
+  limits:
+  {{- toYaml .limits | nindent 4}}
+{{- end }}
+{{- end }}

charts/teams/templates/namespace/namespace.yaml

@@ -0,0 +1,59 @@
+{{- range $name, $tenant := .Values.namespaces }}
+{{- with $tenant }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ $name }}
+  annotations:
+    {{- include "team.annotations" $ | nindent 4 }}
+    {{- if and .annotations .annotations.additionalAnnotations }}
+    {{- with .annotations.additionalAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+    {{- if and .annotations .annotations.scheduler }}
+    {{- with .annotations.scheduler }}
+    {{- if .defaultTolerations }}
+    scheduler.alpha.kubernetes.io/defaultTolerations: {{ toJson .defaultTolerations | quote }}
+    {{- end }}
+    {{- end }}
+    {{- if .nodeSelector }}
+    scheduler.alpha.kubernetes.io/node-selector: {{ .nodeSelector | quote }}
+    {{- end }}
+    {{- if .tolerationsWhitelist }}
+    scheduler.alpha.kubernetes.io/tolerationsWhitelist: {{ toJson .tolerationsWhitelist | quote }}
+    {{- end }}
+    {{- end }}
+  labels:
+    {{- include "team.labels" $ | nindent 4 }}
+    {{- if and .labels .labels.additionalLabels }}
+    {{- with .labels.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+    {{- if and .labels .labels.podSecurityAdmission }}
+    {{- with .labels.podSecurityAdmission }}
+    {{- if and .audit .audit.standard }}
+    pod-security.kubernetes.io/audit: {{ toJson .audit.standard }}
+    {{- end }}
+    {{- if and .audit .audit.version }}
+    pod-security.kubernetes.io/audit-version: {{ toJson .audit.version }}
+    {{- end }}
+    {{- if and .enforce .enforce.standard }}
+    pod-security.kubernetes.io/enforce: {{ toJson .enforce.standard }}
+    {{- end }}
+    {{- if and .enforce .enforce.version }}
+    pod-security.kubernetes.io/enforce-version: {{ toJson .enforce.version }}
+    {{- end }}
+    {{- if and .audit .warn.standard }}
+    pod-security.kubernetes.io/warn: {{ toJson .warn.standard }}
+    {{- end }}
+    {{- if and .audit .warn.version }}
+    pod-security.kubernetes.io/warn-version: {{ toJson .warn.version }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+{{- end }}
+{{- end }}
+

charts/teams/templates/networkpolicy/egress/allow-dns.yaml

@@ -0,0 +1,54 @@
+{{- if and (.Values.networkPolicies.enabled) (.Values.networkPolicies.egress.allow.dns.enabled) }}
+{{- range $name, $tenant := .Values.namespaces }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    {{- include "team.annotations" $ | nindent 4 }}
+    {{- if $.Values.networkPolicies.annotations }}
+    {{- with $.Values.networkPolicies.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+  labels:
+    {{- include "team.labels" $ | nindent 4 }}
+    {{- if $.Values.networkPolicies.labels }}
+    {{- with $.Values.networkPolicies.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+  name: {{ include "team.networkPolicy.egress.allow.dns.name" $ | quote }}
+  namespace: {{ $name }}
+spec:
+  {{- if $.Values.networkPolicies.egress.allow.dns.podSelector }}
+  podSelector:
+    {{- toYaml $.Values.networkPolicies.egress.allow.dns.podSelector | nindent 4 }}
+  {{- else }}
+  podSelector: {}
+  {{- end }}
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        {{- if $.Values.networkPolicies.egress.allow.dns.namespace }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $.Values.networkPolicies.egress.allow.dns.namespace | quote }}
+        {{- else }}
+        - namespaceSelector: {}
+        {{- end }}
+          podSelector:
+            matchLabels:
+              {{- if $.Values.networkPolicies.egress.allow.dns.podLabels }}
+              {{- toYaml $.Values.networkPolicies.egress.allow.dns.podLabels | nindent 14 }}
+              {{- else }}
+              k8s-app: kube-dns
+              {{- end }}
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+{{- end }}
+{{- end }}

charts/teams/templates/networkpolicy/egress/deny-all.yaml

@@ -0,0 +1,34 @@
+{{- if and (.Values.networkPolicies.enabled) (.Values.networkPolicies.egress.deny.all) }}
+{{- range $name, $tenant := .Values.namespaces }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    {{- include "team.annotations" $ | nindent 4 }}
+    {{- if $.Values.networkPolicies.annotations }}
+    {{- with $.Values.networkPolicies.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+  labels:
+    {{- include "team.labels" $ | nindent 4 }}
+    {{- if $.Values.networkPolicies.labels }}
+    {{- with $.Values.networkPolicies.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+  name: {{ include "team.networkPolicy.egress.deny.all.name" $ | quote }}
+  namespace: {{ $name }}
+spec:
+  {{- if $.Values.networkPolicies.egress.deny.all.podSelector }}
+  podSelector:
+    {{- toYaml $.Values.networkPolicies.egress.deny.all.podSelector | nindent 4 }}
+  {{- else }}
+  podSelector: {}
+  {{- end }}
+  policyTypes:
+    - Egress
+  egress: []
+{{- end }}
+{{- end }}

charts/teams/templates/networkpolicy/ingress/deny-all.yaml

@@ -0,0 +1,34 @@
+{{- if and (.Values.networkPolicies.enabled) (.Values.networkPolicies.ingress.deny.all) }}
+{{- range $name, $tenant := .Values.namespaces }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    {{- include "team.annotations" $ | nindent 4 }}
+    {{- if $.Values.networkPolicies.annotations }}
+    {{- with $.Values.networkPolicies.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+  labels:
+    {{- include "team.labels" $ | nindent 4 }}
+    {{- if $.Values.networkPolicies.labels }}
+    {{- with $.Values.networkPolicies.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+  name: {{ include "team.networkPolicy.ingress.deny.all.name" $ | quote }}
+  namespace: {{ $name }}
+spec:
+  {{- if $.Values.networkPolicies.ingress.deny.all.podSelector }}
+  podSelector:
+    {{- toYaml $.Values.networkPolicies.ingress.deny.all.podSelector | nindent 4 }}
+  {{- else }}
+  podSelector: {}
+  {{- end }}
+  policyTypes:
+    - Ingress
+  ingress: []
+{{- end }}
+{{- end }}

charts/teams/templates/networkpolicy/networkpolicy.yaml

@@ -0,0 +1,27 @@
+{{- range $name, $tenant := .Values.namespaces }}
+{{- range $tenant.networkPolicies }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .name }}
+  namespace: {{ $name }}
+  annotations:
+    {{- include "team.annotations" $ | nindent 4 }}
+    {{- if .annotations }}
+    {{- with .annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+  labels:
+    {{- include "team.labels" $ | nindent 4 }}
+    {{- if .labels }}
+    {{- with .labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+spec:
+  {{- toYaml .spec | nindent 2 }}
+{{- end }}
+{{- end }}
+