Support label namespaces based on prefixes

class/defaults.yml

@@ -10,3 +10,13 @@ parameters:
       - syn
 
     namespaces: {}
+
+    labelSync:
+      ignoreNames: []
+      ignorePrefixes:
+        - cilium
+        - kube
+        - openshift
+        - appuio
+        - syn
+      applyOnPrefix: {}

class/namespaces.yml

@@ -7,5 +7,6 @@ parameters:
         output_path: .
       - input_paths:
           - ${_base_directory}/component/main.jsonnet
+          - ${_base_directory}/component/espejote.jsonnet
         input_type: jsonnet
         output_path: ${_instance}/

component/espejote-templates/label-sync.jsonnet

@@ -0,0 +1,68 @@
+local esp = import 'espejote.libsonnet';
+local context = esp.context();
+
+local ignoreNamespace(namespace) =
+  if std.member(config.ignoreNames, namespace.metadata.name) then
+    true
+  else if std.length(std.filter(
+    function(prefix) std.startsWith(namespace.metadata.name, prefix),
+    config.ignorePrefixes
+  )) > 0 then
+    true
+  else false;
+
+// Get the labels from a namespace name prefix by
+// first finding the prefixes that match with the namespace name
+// then return the labels defined for that prefix.
+local labelsFromPrefix(namespace) =
+  local prefixes = std.filter(
+    function(prefix) std.startsWith(namespace.metadata.name, prefix),
+    std.objectFields(config.applyOnPrefix)
+  );
+
+  if std.length(prefixes) > 0 then prefixLabels[prefixes[0]] else {};
+
+// Reconcile the given namespace.
+local reconcileNamespace(namespace) =
+  // Check if the namespace can be ignored
+  if ignoreNamespace(namespace) then []
+  // Apply labels if the namespace name contains 'carema'
+  else if labelsFromContains(namespace) != {} then [
+    namespace {
+      metadata+: {
+        labels+: labelsFromContains(namespace),
+      },
+    },
+  ]
+  // Apply labels if the namespace name starts with defined prefix
+  else if labelsFromPrefix(namespace) != {} then [
+    namespace {
+      metadata+: {
+        labels+: labelsFromPrefix(namespace),
+      },
+    },
+  ]
+  else [];
+
+// check if the object is getting deleted by checking if it has
+// `metadata.deletionTimestamp`.
+local inDelete(obj) = std.get(obj.metadata, 'deletionTimestamp', '') != '';
+
+// Do the thing
+if esp.triggerName() == 'namespace' then (
+  // Handle single namespace update on namespace trigger
+  local nsTrigger = esp.triggerData();
+  // nsTrigger.resource can be null if we're called when the namespace is getting
+  // deleted. If it's not null, we still don't want to do anything when the
+  // namespace is getting deleted.
+  if nsTrigger.resource != null && !inDelete(nsTrigger.resource) then
+    reconcileNamespace(nsTrigger.resource)
+) else (
+  // Reconcile all namespaces for managedresource reconcile.
+  local namespaces = context.namespaces;
+  std.flattenArrays([
+    reconcileNamespace(ns)
+    for ns in namespaces
+    if !inDelete(ns)
+  ])
+)

component/espejote.jsonnet

@@ -0,0 +1,135 @@
+local com = import 'lib/commodore.libjsonnet';
+local esp = import 'lib/espejote.libsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local utils = import 'utils.libsonnet';
+
+// The hiera parameters for the component
+local inv = kap.inventory();
+local params = inv.parameters.namespaces;
+local instanceName = inv.parameters._instance;
+
+local espNamespace = inv.parameters.espejote.namespace;
+local mrName = '%s-label-sync' % instanceName;
+local rbacName = 'managedresource-%s-label-sync' % instanceName;
+
+// Check if there are overlapping prefixes in applyOnPrefix
+local overlappingPrefixes = std.filter(
+  function(prefix)
+    std.length(std.filter(
+      function(other) other != prefix && std.startsWith(other, prefix),
+      std.objectFields(params.labelSync.applyOnPrefix)
+    )) > 0,
+  std.objectFields(params.labelSync.applyOnPrefix)
+);
+assert std.length(overlappingPrefixes) < 1 : 'overlapping prefixes in parameters.%s.labelSync.applyOnPrefix' % instanceName;
+
+// RBAC for Espejote
+local espejoteRBAC = [
+  {
+    apiVersion: 'v1',
+    kind: 'ServiceAccount',
+    metadata: {
+      labels: {
+        'app.kubernetes.io/component': 'rbac',
+        'app.kubernetes.io/name': mrName,
+      },
+      name: mrName,
+      namespace: espNamespace,
+    },
+  },
+  {
+    apiVersion: 'v1',
+    kind: 'ClusterRole',
+    metadata: {
+      labels: {
+        'app.kubernetes.io/component': 'rbac',
+        'app.kubernetes.io/name': rbacName,
+      },
+      name: rbacName,
+    },
+    rules: [
+      {
+        apiGroups: [ '' ],
+        resources: [ 'namespaces' ],
+        verbs: [ 'get', 'list', 'watch', 'patch' ],
+      },
+    ],
+  },
+  {
+    apiVersion: 'rbac.authorization.k8s.io/v1',
+    kind: 'ClusterRoleBinding',
+    metadata: {
+      labels: {
+        'app.kubernetes.io/component': 'rbac',
+        'app.kubernetes.io/name': rbacName,
+      },
+      name: rbacName,
+    },
+    roleRef: {
+      apiGroup: 'rbac.authorization.k8s.io',
+      kind: 'ClusterRole',
+      name: rbacName,
+    },
+    subjects: [
+      {
+        kind: 'ServiceAccount',
+        name: mrName,
+        namespace: espNamespace,
+      },
+    ],
+  },
+];
+
+// Espejote resources
+
+local managedResource = esp.managedResource(mrName, espNamespace) {
+  metadata+: {
+    annotations: {
+      'syn.tools/description': |||
+        Manages labels of namespaces based on namespace prefixes.
+        See https://hub.syn.tools/namespaces/index.html for details.
+      |||,
+    },
+  },
+  spec: {
+    context: [
+      {
+        name: 'namespaces',
+        resource: {
+          apiVersion: 'v1',
+          kind: 'Namespace',
+        },
+      },
+    ],
+    triggers: [
+      {
+        name: 'namespace',
+        watchContextResource: {
+          name: 'namespaces',
+        },
+      },
+    ],
+    serviceAccountRef: {
+      name: espejoteRBAC[0].metadata.name,
+    },
+    template: ('local config = %s;\n' % std.manifestJson(params.labelSync)) + (importstr 'espejote-templates/label-sync.jsonnet'),
+  },
+};
+
+// Check if espejote is installed and resources are configured
+local hasEspejote = std.member(inv.applications, 'espejote');
+local hasDynamicLabels = std.length(params.labelSync.applyOnPrefix) > 0;
+
+// Define outputs below
+if hasDynamicLabels && hasEspejote then
+  {
+    '00_espejote_rbac': espejoteRBAC,
+    '00_espejote_mr': managedResource,
+  }
+else if hasDynamicLabels then
+  std.trace(
+    'espejote must be installed',
+    {}
+  )
+else {}

docs/modules/ROOT/pages/references/parameters.adoc

@@ -21,6 +21,63 @@ default:: {}
 Contains a list of namespaces to create.
 
 
+== `labelSync`
+
+Configures dynamic Roles and RoleBindings managed by Espejote.
+
+=== `labelSync.ignoredNames`
+
+[horizontal]
+type:: list of strings
+default:: empty list
+
+A list of namespace names where no labels will be applied.
+Entries in the list can be removed by adding the entry prefixed with a `~`.
+
+=== `labelSync.ignoredPrefixes`
+
+[horizontal]
+type:: list of strings
+default::
++
+[source,yaml]
+----
+labelSync:
+  ignoredPrefixes:
+    - kube
+    - openshift
+    - appuio
+    - syn
+----
+
+A list of namespace name-prefixes where no labels will be applied.
+Entries in the list can be removed by adding the entry prefixed with a `~`.
+
+=== `labelSync.applyOnPrefix`
+
+[horizontal]
+type:: dict
+default:: `{}`
+example::
++
+[source,yaml]
+----
+labelSync:
+  applyOnPrefix:
+    'vshn-postgres': <1>
+      'set.rbac.syn.tools/allow-team1': '' <2>
+----
+<1> Matches all namespaces that start with `vshn-postgres`.
+<2> Applies the label `set.rbac.syn.tools/allow-team1=''` to the matching namespace.
+
+Custom set of namespace prefixes, where the listed labels will be applied.
+
+[IMPORTANT]
+====
+Using this with too broad settings can have unintended sideeffects!
+====
+
+
 == Example
 
 [source,yaml]