Namespace isolation: Specify Prometheus NamespaceSelectors (#247)

* removed obsolete namespace lists from Argo and Prometheus. Adding active namespaces to Config. Getting active namespaces from all features with own namespace.

* fixing tests

* fixing tests

Author: nihussmann

applications/cluster-resources/monitoring/prometheus-stack-helm-values.ftl.yaml

@@ -83,9 +83,11 @@ prometheusOperator:
     releaseNamespace: false
     additional:
     <#-- Note that the quotes in the final YAML here are created by groovy, not Freemarker-->
+    <#if namespaces?has_content>
     <#list namespaces as namespace>
-      - ${namespace}
+    - ${namespace}
     </#list>
+    </#if>
 </#if>
 <#if podResources == true>
   resources:
@@ -272,8 +274,17 @@ prometheus:
     </#if>
     # Find podMonitors, serviceMonitor, etc. in all namespaces
     serviceMonitorNamespaceSelector:
-      matchLabels: {}
-    # With this, we don't need the label "release: kube-prometheus-stack" on the service monitor
+      matchExpressions:
+        - key: kubernetes.io/metadata.name
+          operator: In
+          values:
+          <#if namespaces?has_content>
+            <#list namespaces as namespace>
+            - ${namespace}
+            </#list>
+            <#else>
+            {}
+          </#if>
     serviceMonitorSelectorNilUsesHelmValues: false
     podMonitorNamespaceSelector:
       matchLabels: {}

src/main/groovy/com/cloudogu/gitops/Application.groovy

@@ -1,6 +1,6 @@
 package com.cloudogu.gitops
 
-
+import com.cloudogu.gitops.config.Config
 import groovy.util.logging.Slf4j
 import jakarta.inject.Singleton
 
@@ -9,16 +9,21 @@ import jakarta.inject.Singleton
 class Application {
 
     final List<Feature> features
+    final Config config
 
-    Application(
+    Application(Config config,
             List<Feature> features
     ) {
+        this.config=config
         // Order is important. Enforced by @Order-Annotation on the Singletons
         this.features = features
+
     }
 
     def start() {
         log.debug("Starting Application")
+
+        setNamespaceListToConfig(config)
         features.forEach(feature -> {
             feature.install()
         })
@@ -28,4 +33,31 @@ class Application {
     List<Feature> getFeatures() {
         return features
     }
+
+    void setNamespaceListToConfig(Config config) {
+        List<String> namespaces = []
+        String namePrefix = config.application.namePrefix;
+
+        if(config.registry.internal || config.scmm.internal || config.jenkins.internal){
+            namespaces.add(namePrefix + "default")
+        }
+        
+        if (config.features.argocd.active) {
+            namespaces.addAll(Arrays.asList(
+                    namePrefix + "argocd",
+                    namePrefix + "example-apps-staging",
+                    namePrefix + "example-apps-production"
+            ))
+        }
+
+        //iterates over all FeatureWithImages and gets their namespaces
+        namespaces.addAll(this.features
+                .collect { it.activeNamespaceFromFeature }
+                .findAll { it }
+                .unique()
+                .collect { "${namePrefix}${it}".toString() })
+
+        log.debug("Active namespaces retrieved: {}", namespaces);
+        config.application.activeNamespaces = namespaces
+    }
 }

src/main/groovy/com/cloudogu/gitops/Feature.groovy

@@ -46,7 +46,15 @@ abstract class Feature {
             return false
         }
     }
-    
+
+    String getActiveNamespaceFromFeature() {
+        //using reflection to get all subclasses implementing a own namespace
+        if (this.metaClass.hasProperty(this, 'namespace'))  {
+            return isEnabled() ? this.getProperty('namespace') : null
+        }
+        return null
+    }
+
     abstract boolean isEnabled()
 
     /*

src/main/groovy/com/cloudogu/gitops/FeatureWithImage.groovy

@@ -24,7 +24,7 @@ trait FeatureWithImage {
             k8sClient.createImagePullSecret('proxy-registry', namespace, url, user, password)
         }
     }
-    
+
     abstract String getNamespace()
     abstract K8sClient getK8sClient()
     abstract Config getConfig()

src/main/groovy/com/cloudogu/gitops/cli/GitopsPlaygroundCli.groovy

@@ -17,6 +17,7 @@ import com.cloudogu.gitops.utils.K8sClient
 import groovy.util.logging.Slf4j
 import groovy.yaml.YamlSlurper
 import io.micronaut.context.ApplicationContext
+import jakarta.inject.Provider
 import org.slf4j.LoggerFactory
 import picocli.CommandLine
 

src/main/groovy/com/cloudogu/gitops/cli/GitopsPlaygroundCliMainScripted.groovy

@@ -86,7 +86,7 @@ class GitopsPlaygroundCliMainScripted {
 
                 def airGappedUtils = new AirGappedUtils(config, scmmRepoProvider, repoApi, fileSystemUtils, helmClient)
 
-                context.registerSingleton(new Application([
+                context.registerSingleton(new Application(config,[
                         new Registry(config, fileSystemUtils, k8sClient, helmStrategy),
                         new ScmManager(config, executor, fileSystemUtils, helmStrategy),
                         new Jenkins(config, executor, fileSystemUtils, new GlobalPropertyManager(jenkinsApiClient),

src/main/groovy/com/cloudogu/gitops/config/Config.groovy

@@ -249,6 +249,7 @@ class Config {
     static class ApplicationSchema {
         Boolean runningInsideK8s = false
         String namePrefixForEnvVars = ''
+        List<String> activeNamespaces = []
         String internalKubernetesApiUrl = ''
         String localHelmChartFolder = System.getenv('LOCAL_HELM_CHART_FOLDER')
 

src/main/groovy/com/cloudogu/gitops/features/PrometheusStack.groovy

@@ -75,7 +75,7 @@ class PrometheusStack extends Feature implements FeatureWithImage {
                 remote: config.application.remote,
                 skipCrds          : config.application.skipCrds,
                 namespaceIsolation: config.application.namespaceIsolation,
-                namespaces        : namespaceList,
+                namespaces        : config.application.activeNamespaces,
                 mail              : [
                         active      : config.features.mail.active,
                         smtpAddress : config.features.mail.smtpAddress,
@@ -97,22 +97,22 @@ class PrometheusStack extends Feature implements FeatureWithImage {
         k8sClient.createSecret(
                 'generic',
                 'prometheus-metrics-creds-scmm',
-                'monitoring',
+                namespace,
                 new Tuple2('password', config.application.password)
         )
 
         k8sClient.createSecret(
                 'generic',
                 'prometheus-metrics-creds-jenkins',
-                'monitoring',
+                namespace,
                 new Tuple2('password', config.jenkins.metricsPassword),
         )
 
         if (config.features.mail.smtpUser || config.features.mail.smtpPassword) {
             k8sClient.createSecret(
                     'generic',
                     'grafana-email-secret',
-                    'monitoring',
+                    namespace,
                     new Tuple2('user', config.features.mail.smtpUser),
                     new Tuple2('password', config.features.mail.smtpPassword)
             )
@@ -121,7 +121,7 @@ class PrometheusStack extends Feature implements FeatureWithImage {
         if (config.application.namespaceIsolation || config.application.netpols) {
             ScmmRepo clusterResourcesRepo = scmmRepoProvider.getRepo('argocd/cluster-resources')
             clusterResourcesRepo.cloneRepo()
-            for (String currentNamespace : namespaceList) {
+            for (String currentNamespace : config.application.activeNamespaces) {
 
                 if(config.application.namespaceIsolation) {
                     def rbacYaml = new TemplatingEngine().template(new File(RBAC_NAMESPACE_ISOLATION_TEMPLATE),
@@ -175,27 +175,6 @@ class PrometheusStack extends Feature implements FeatureWithImage {
         }
     }
 
-    protected List getNamespaceList() {
-        def namespaces = []
-        def namePrefix = config.application.namePrefix
-        if (config.features.argocd.active) {
-            namespaces.addAll("${namePrefix}argocd", "${namePrefix}example-apps-staging", "${namePrefix}example-apps-production")
-        }
-        if (config.features.monitoring.active) { // Ignore mailhog here, because it does not expose metrics
-            namespaces.addAll("${namePrefix}monitoring")
-        }
-        if (config.features.secrets.active) {
-            namespaces.addAll("${namePrefix}secrets")
-        }
-        if (config.features.ingressNginx.active) {
-            namespaces.addAll("${namePrefix}ingress-nginx")
-        }
-        if (config.registry.internal || config.scmm.internal || config.jenkins.internal) {
-            namespaces.addAll("${namePrefix}default")
-        }
-        return namespaces
-    }
-
     private Map getScmmConfiguration() {
         // Note that URI.resolve() seems to throw away the existing path. So we create a new URI object.
         URI uri = new URI("${scmmUri}/api/v2/metrics/prometheus")

src/main/groovy/com/cloudogu/gitops/utils/K8sClient.groovy

@@ -1,8 +1,8 @@
 package com.cloudogu.gitops.utils
 
+import com.cloudogu.gitops.config.Config
 import groovy.json.JsonBuilder
 import groovy.json.JsonSlurper
-import com.cloudogu.gitops.config.Config
 import groovy.transform.Immutable
 import groovy.util.logging.Slf4j
 import jakarta.inject.Provider
@@ -24,7 +24,7 @@ class K8sClient {
     ) {
         this.fileSystemUtils = fileSystemUtils
         this.commandExecutor = commandExecutor
-        this.configProvider = configProvider;
+        this.configProvider = configProvider
     }
 
     String getInternalNodeIp() {
@@ -417,7 +417,7 @@ class K8sClient {
 
         Kubectl namespace(String namespace) {
             if (namespace) {
-                this.command += ['-n', configProvider.get().application.namePrefix + namespace]
+                this.command += ['-n', K8sClient.this.configProvider.get().application.namePrefix + namespace]
             }
             return this
         }