-
Notifications
You must be signed in to change notification settings - Fork 4
/
create-workspace-platform-app.yaml
256 lines (232 loc) · 9.67 KB
/
create-workspace-platform-app.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
APIVersion: 1
label: recipe:create-workspace-platform-app
data:
recipes:
- name: 1) Prepare an enforcer deployment
description: Define a namespace hierarchy where the enforcer will be deployed.
label: recipe:create-workspace-platform-app
deploymentMode: Unrestricted
metadata:
- "@aporeto:author=aporeto"
associatedTags:
- "aporeto:recipe:placement=getting-started"
targetIdentities:
- namespaces
longDescription: |-
## Create a namespace hierarchy before registering your enforcers
---
### This wizard allows you to establish a repeatable structure to organize your workloads into apps
* It creates a highly recommended fixed 3-tier Microsegmentation namespace hierarchy tree in your account namespace.
> > /{account}/**{workspace}**/**{platform}**/**{app}**
* All processing units (PU) will receive 3 tags corresponding to the 3 levels in the hierarchy you are about to create to aid in policy creation to simplify the consumption of the Microsegmentation solution.
> > 1. @org:**workspace** =
> > 1. @org:**platform** =
> > 1. @org:**app** =
* Hosts, Docker Hosts, and Container Clusters should each be in their own Platform groups.
* Processing Units will appear in the user defined **"app"** tier after enforcers are registered.
* **The default behavior for the app tiers will be to automatically enable Discovery Mode to allow all communication**
* For K8s/OpenShift the app tier automatically corresponds the cluster namespace and requires no user input in this wizard
---
_**After running the wizard:**_
> > - [ ] Note the namespace and provide it to the enforcer registration
> > - [ ] Navigate to the Microsegmentation app tier namespace to visualize your application connectivity
> > - [ ] Start the policy creation process
---
_**Re-run this wizard to:**_
> > - [ ] Add to an existing namespace hierarchy
> > > or
> > - [ ] Create an entirely new namespace hierarchy
#### For more information please refer to the documentation.
template: |-
{{`
APIVersion: 1
label: recipe:create-workspace-platform-app
data:
{{- $pattern := cat "^" .Aporeto.Namespace "(/[a-zA-Z0-9-_]+){0,2}$" | nospace }}
{{- if (regexMatch $pattern .Values.existing_namespace) }}
{{- $existing_ns := .Values.existing_namespace | trimPrefix .Aporeto.Namespace }}
{{- $workspace := "" }}
{{- $platform := "" }}
{{- $app := "" }}
namespaces:
{{- if (regexMatch "^(/[a-zA-Z0-9-_]+){0,1}(/)?$" .Values.existing_namespace) }}
{{- $workspace = required "Workspace name is required" .Values.workspace }}
{{- if not (regexMatch "^[a-zA-Z0-9-_]+$" $workspace) }}
{{- fail "workspace name must only contain alpha numerical characters, '-' or '_'"}}
{{- end }}
- name: {{ $workspace }}
{{- end }}
{{- if (regexMatch "^(/[a-zA-Z0-9-_]+){0,2}(/)?$" .Values.existing_namespace) }}
{{- $platform = required "Platform name is required" .Values.platform }}
{{- if not (regexMatch "^[a-zA-Z0-9-_]+$" $platform) }}
{{- fail "platform name must only contain alpha numerical characters, '-' or '_'"}}
{{- end }}
- name: {{ $platform }}
namespace: {{ regexReplaceAll "\\s+" (cat $existing_ns $workspace) "/" | trimSuffix "/"}}
{{- end }}
{{- if and (regexMatch "^^(/[a-zA-Z0-9-_]+){0,3}(/)?$" .Values.existing_namespace) (ne .Values.mode "kubernetes") }}
{{- $app = required "Application name is required" .Values.app}}
{{- if not (regexMatch "^[a-zA-Z0-9-_]+$" $app) }}
{{- fail "application name must only contain alpha numerical characters, '-' or '_'"}}
{{- end }}
- name: {{ $app }}
namespace: {{ regexReplaceAll "\\s+" (cat $existing_ns $workspace $platform) "/" | trimSuffix "/"}}
{{- end }}
{{- else }}
{{- fail "Invalid starting namespace pattern" }}
{{- end }}
`}}
steps:
- name: Namespaces
parameters:
- key: existing_namespace
name: Provide your account namespace or provide an existing namespace
description: Leave the default (i.e. /{account} ) to create a new hierarchy or provide an existing namespace (e.g. /{account}/{workspace} ) to continue building on an existing hierarchy
type: Namespace
defaultValue: {{ .Aporeto.Namespace }}
- key: starting_ns_warning
name: Incorrect namespace
type: WarningMessage
defaultValue: The namespace provided is not valid
visibilityCondition:
- - key: existing_namespace
operator: NotMatch
value: "^[a-zA-Z0-9-_/]+$"
- key: workspace
name: Workspace name
description: Examples are a Cloud Region (us-central-1), An Environment (dev, prod, test, pci), a business unit, or a combination
type: String
optional: true
visibilityCondition:
- - key: existing_namespace
operator: Match
value: "^(/[a-zA-Z0-9-_]+){0,1}$"
- key: mode
name: Platform type
description: Select the option that applies to your platform
type: Enum
defaultValue: hosts
allowedChoices:
hosts: Hosts(Bare Metal, VMs)
docker: Non-Orchestrated containers (Standalone Docker)
kubernetes: Orchestrated containers (OpenShift, Kubernetes)
visibilityCondition:
- - key: existing_namespace
operator: Match
value: "^(/[a-zA-Z0-9-_]+){0,2}$"
- key: platform
name: Platform name
description: Provide a name for your Kubernetes/Openshift Cluster, Host or DockerHost group name
type: String
optional: true
visibilityCondition:
- - key: existing_namespace
operator: Match
value: "^(/[a-zA-Z0-9-_]+){0,2}$"
- key: app
name: Application name
description: Provide a name for your app tier
type: String
optional: true
visibilityCondition:
- - key: existing_namespace
operator: Match
value: "^(/[a-zA-Z0-9-_]+){0,3}$"
- key: mode
operator: NotEqual
value: kubernetes
- key: kubernetes_warning
name: Warning
type: WarningMessage
defaultValue: Selected namespace should be an account, workspace or platform level.
visibilityCondition:
- - key: existing_namespace
operator: Match
value: "^(/[a-zA-Z0-9-_]+){4,}$"
- key: sucess_message_nok8s1
name: Details
type: InfoMessage
defaultValue: "Copy the following namespace for your enforcer deployment: **.Values.existing_namespace/.Values.workspace/.Values.platform/.Values.app**"
visibilityCondition:
- - key: existing_namespace
operator: Match
value: "^(/[a-zA-Z0-9-_]+){1}$"
- key: mode
operator: NotEqual
value: kubernetes
- key: app
operator: Defined
- key: sucess_message_nok8s2
name: Details
type: InfoMessage
defaultValue: "Copy the following namespace for your enforcer deployment: **.Values.existing_namespace/.Values.platform/.Values.app**"
visibilityCondition:
- - key: existing_namespace
operator: Match
value: "^(/[a-zA-Z0-9-_]+){2}$"
- key: mode
operator: NotEqual
value: kubernetes
- key: app
operator: Defined
- key: sucess_message_nok8s3
name: Details
type: InfoMessage
defaultValue: "Copy the following namespace for your enforcer deployment: **.Values.existing_namespace/.Values.app**"
visibilityCondition:
- - key: existing_namespace
operator: Match
value: "^(/[a-zA-Z0-9-_]+){3}$"
- key: mode
operator: NotEqual
value: kubernetes
- key: app
operator: Defined
- key: sucess_message_k8s1
name: Details
type: InfoMessage
defaultValue: "Copy the following namespace for your enforcer deployment: **.Values.existing_namespace/.Values.workspace/.Values.platform**"
visibilityCondition:
- - key: existing_namespace
operator: Match
value: "^(/[a-zA-Z0-9-_]+){1}$"
- key: mode
operator: Equal
value: kubernetes
- key: platform
operator: Defined
- key: sucess_message_k8s2
name: Details
type: InfoMessage
defaultValue: "Copy the following namespace for your enforcer deployment: **.Values.existing_namespace/.Values.platform**"
visibilityCondition:
- - key: existing_namespace
operator: Match
value: "^(/[a-zA-Z0-9-_]+){2}$"
- key: mode
operator: Equal
value: kubernetes
- key: platform
operator: Defined
- key: msgcopy
name: I have copied my namespace
description: I have copied my namespace.
type: Checkbox
defaultValue: false
validationFunction: |-
function validate(value) {
if (value !== true) {
throw "Please confirm you have copied your namespace";
};
}
visibilityCondition:
- - key: mode
operator: Equal
value: kubernetes
- key: platform
operator: Defined
- - key: mode
operator: NotEqual
value: kubernetes
- key: app
operator: Defined