[FIX] Fixes server config NamespaceFilters + Dependencies bump (#1581)

* [DOCS] - Hyperlinks
Updating the links to the documentation
* Update dependencies
---------

Co-authored-by: Rohith Jayawardene <[email protected]>

.github/workflows/ci.yaml

@@ -86,7 +86,7 @@ jobs:
           make shfmt
 
   helm:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4

README.md

@@ -12,12 +12,11 @@ The Terranetes Controller manages the lifecycle of an OpenTofu or Terraform reso
 
 There's a number of open source controllers you could use that will run OpenTofu or Terraform in Kubernetes. All of them deliver the developer outcome, however, none address the "consequences" of delivering that outcome in the first place; the risks, costs, security implications, the general lack of checks and balances. What sets the Terranetes controller apart is its opinion; we first enable the platform team to deliver the outcome in a safe environment before it can be self-served by developers. Providing platform engineers with all the knobs, dials and levers to control and mitigate those risks is the key differentiator for Terranetes controller.
 
-Documentation can be found at https://terranetes.io
+Documentation can be found at https://terranetes.appvia.io/
 
 ![Architecture](docs/images/terranetes-controller-arch.png)
 
-**FEATURES**
----
+## **FEATURES**
 
 ### DEVELOPERS
 
@@ -45,7 +44,6 @@ Documentation can be found at https://terranetes.io
   - Scan against Checkov security policies
 - [Version and publish Resource Plans](https://terranetes.appvia.io/terranetes-controller/admin/cloudresource/#what-are-revisions)
 
-**GETTING STARTED**
----
+## **GETTING STARTED**
 
 View the getting started guide at https://terranetes.io

cmd/controller/main.go

@@ -95,6 +95,7 @@ func main() {
 	flags.StringVar(&config.TLSDir, "tls-dir", "", "The directory the certificates are held")
 	flags.StringVar(&config.TLSKey, "tls-key", "tls-key.pem", "The name of the file containing the TLS key")
 	flags.StringVar(&config.TerraformImage, "terraform-image", "ghcr.io/opentofu/opentofu:latest", "The image to use for the terraform")
+	flags.StringSliceVar(&config.NamespaceFilters, "namespace-filter", []string{}, "A list of namespaces to filter on")
 
 	crFlags := flag.NewFlagSet("controller-runtime", flag.ContinueOnError)
 	zapOpts.BindFlags(crFlags)

go.mod

@@ -318,12 +318,12 @@ require (
 	go.uber.org/automaxprocs v1.5.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.30.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
 	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/net v0.32.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/term v0.27.0 // indirect

go.sum

@@ -1217,8 +1217,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
-golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY=
-golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1327,8 +1327,8 @@ golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=

pkg/cmd/tnctl/verify/revision.go

@@ -92,7 +92,7 @@ type RevisionCommand struct {
 	// EnableTerraformPlan indicates we should use a terraform plan to verify the security policy.
 	// Note, this does require credentials to be configured
 	EnableTerraformPlan bool
-	// ShowGuidelines indicates we should show the guidelines in the output 
+	// ShowGuidelines indicates we should show the guidelines in the output
 	ShowGuidelines bool
 	// Contexts is a list of contexts from the cluster
 	Contexts *terraformv1alpha1.ContextList
@@ -643,7 +643,7 @@ func (o *RevisionCommand) checkSecurityPolicy(ctx context.Context) error {
 					if check.Get("resource").String() != "" {
 						v.Additional("Resource: %v", check.Get("resource"))
 					}
-		      if o.ShowGuidelines && check.Get("guideline").String() != "" {
+					if o.ShowGuidelines && check.Get("guideline").String() != "" {
 						v.Additional("Guideline: %v", check.Get("guideline"))
 					}
 				}

pkg/controller/configuration/controller.go

@@ -21,6 +21,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"strings"
 	"time"
 
 	pcache "github.com/patrickmn/go-cache"
@@ -72,8 +73,8 @@ type Controller struct {
 	// BackoffLimit is the amount of times we are allowing a job to failed before deeming
 	// it a failure
 	BackoffLimit int
-	// BinaryPath is the name of the binary to use to run the terraform commands 
-	BinaryPath string 
+	// BinaryPath is the name of the binary to use to run the terraform commands
+	BinaryPath string
 	// EnableContextInjection enables the injection of the context into the terraform configuration
 	// variables. This means we shall inject an number of default variables into the configuration
 	// such as namespace, name and labels
@@ -104,6 +105,8 @@ type Controller struct {
 	InfracostsImage string
 	// InfracostsSecretName is the name of the secret containing the api and token
 	InfracostsSecretName string
+	// NamespaceFilters is a list of namespaces we are responsible for; all other namespaces are ignored
+	NamespaceFilters []string
 	// ControllerJobLabels is a collection of labels to add to the job
 	ControllerJobLabels map[string]string
 	// JobTemplate is a custom override for the template to use
@@ -167,6 +170,7 @@ func (c *Controller) Add(mgr manager.Manager) error {
 		"backend":            c.BackendTemplate,
 		"enable_costs":       c.EnableInfracosts,
 		"enable_watchers":    c.EnableWatchers,
+		"filters":            strings.Join(c.NamespaceFilters, ","),
 		"namespace":          c.ControllerNamespace,
 		"policy_image":       c.PolicyImage,
 		"terraform_image":    c.TerraformImage,

pkg/controller/configuration/delete.go

@@ -107,7 +107,7 @@ func (c *Controller) ensureTerraformDestroy(configuration *terraformv1alpha1.Con
 			InfracostsSecret: c.InfracostsSecretName,
 			Namespace:        c.ControllerNamespace,
 			Template:         state.jobTemplate,
-			Image:   GetTerraformImage(configuration, c.TerraformImage),
+			Image:            GetTerraformImage(configuration, c.TerraformImage),
 		})
 		if err != nil {
 			cond.Failed(err, "Failed to create the terraform destroy job")

pkg/controller/configuration/ensure.go

@@ -1256,7 +1256,7 @@ func (c *Controller) ensureTerraformApply(configuration *terraformv1alpha1.Confi
 				},
 			),
 			BackoffLimit:                 c.BackoffLimit,
-			BinaryPath:         		c.BinaryPath,
+			BinaryPath:                   c.BinaryPath,
 			DefaultExecutorCPULimit:      c.DefaultExecutorCPULimit,
 			DefaultExecutorCPURequest:    c.DefaultExecutorCPURequest,
 			DefaultExecutorMemoryLimit:   c.DefaultExecutorMemoryLimit,
@@ -1269,7 +1269,7 @@ func (c *Controller) ensureTerraformApply(configuration *terraformv1alpha1.Confi
 			Namespace:                    c.ControllerNamespace,
 			SaveTerraformState:           saveState,
 			Template:                     state.jobTemplate,
-			Image:                       	GetTerraformImage(configuration, c.TerraformImage),
+			Image:                        GetTerraformImage(configuration, c.TerraformImage),
 		})
 		if err != nil {
 			cond.Failed(err, "Failed to create the terraform apply job")

pkg/controller/predicate.go

@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2022  Appvia Ltd <[email protected]>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package controller
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+
+	"github.com/appvia/terranetes-controller/pkg/utils"
+)
+
+// NamespacePredicate is a predicate that matches namespaces
+type NamespacePredicate struct {
+	// Namespaces is a list of namespaces to match
+	Namespaces []string
+}
+
+// NewNamespacePredicate creates a new namespace predicate
+func NewNamespacePredicate(namespaces []string) predicate.Funcs {
+	filter := func(object client.Object) bool {
+		if len(namespaces) == 0 {
+			return true
+		}
+
+		return utils.Contains(object.GetNamespace(), namespaces)
+	}
+
+	return predicate.NewPredicateFuncs(filter)
+}

pkg/controller/predicate_test.go

@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2022  Appvia Ltd <[email protected]>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package controller
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+)
+
+func TestNewNamespacePredicate(t *testing.T) {
+	assert.NotNil(t, NewNamespacePredicate([]string{"test"}))
+}
+
+func TestNewNamespacePredicateCreate(t *testing.T) {
+	filter := NewNamespacePredicate([]string{"test"})
+	assert.NotNil(t, filter)
+
+	pod := &v1.Pod{}
+	pod.Namespace = "test"
+
+	assert.True(t, filter.Create(event.TypedCreateEvent[client.Object]{Object: pod}))
+}

pkg/server/server.go

@@ -173,7 +173,7 @@ func New(cfg *rest.Config, config Config) (*Server, error) {
 	if err := (&configuration.Controller{
 		BackendTemplate:              config.BackendTemplate,
 		BackoffLimit:                 config.BackoffLimit,
-		BinaryPath:                   config.BinaryPath, 
+		BinaryPath:                   config.BinaryPath,
 		ControllerJobLabels:          jobLabels,
 		ControllerNamespace:          config.Namespace,
 		DefaultExecutorCPULimit:      config.ExecutorCPULimit,

pkg/server/types.go

@@ -29,7 +29,7 @@ type Config struct {
 	BackendTemplate string
 	// BackoffLimit is the number of times we are willing to allow a job to fail
 	BackoffLimit int
-	// BinaryPath is the name of the binary to use to run the terraform commands 
+	// BinaryPath is the name of the binary to use to run the terraform commands
 	BinaryPath string
 	// ConfigurationThreshold is the max number of configurations we are willing
 	// to run at the same time
@@ -86,6 +86,8 @@ type Config struct {
 	MetricsPort int
 	// Namespace is namespace the controller is running
 	Namespace string
+	// NamespaceFilters is the namespace/s to filter on
+	NamespaceFilters []string
 	// PolicyImage is the image to use for policy
 	PolicyImage string
 	// PreloadImage is the image to use for the preload job

pkg/utils/jobs/jobs.go

@@ -53,7 +53,7 @@ type Options struct {
 	// BackoffLimit is the number of times we are willing to allow a job to fail
 	// before we give up
 	BackoffLimit int
-	// BinaryPath is the name of the binary to use to run the terraform commands 
+	// BinaryPath is the name of the binary to use to run the terraform commands
 	BinaryPath string
 	// DefaultExecutorMemoryRequest is the default memory request for the executor
 	DefaultExecutorMemoryRequest string
@@ -216,7 +216,7 @@ func (r *Render) createTerraformFromTemplate(options Options, stage string) (*ba
 			terraformv1alpha1.ConfigurationStageLabel:      stage,
 			terraformv1alpha1.ConfigurationUIDLabel:        string(r.configuration.GetUID()),
 		}),
-		"BinaryPath":                  options.BinaryPath,
+		"BinaryPath":                   options.BinaryPath,
 		"DefaultExecutorMemoryRequest": options.DefaultExecutorMemoryRequest,
 		"DefaultExecutorMemoryLimit":   options.DefaultExecutorMemoryLimit,
 		"DefaultExecutorCPURequest":    options.DefaultExecutorCPURequest,
@@ -250,7 +250,7 @@ func (r *Render) createTerraformFromTemplate(options Options, stage string) (*ba
 		"Images": map[string]interface{}{
 			"Executor":   options.ExecutorImage,
 			"Infracosts": options.InfracostsImage,
-			"Image":  	  options.Image,
+			"Image":      options.Image,
 			"Policy":     options.PolicyImage,
 		},
 		"Secrets": map[string]interface{}{

vendor/modules.txt

@@ -1316,7 +1316,7 @@ go.uber.org/zap/internal/exit
 go.uber.org/zap/internal/pool
 go.uber.org/zap/internal/stacktrace
 go.uber.org/zap/zapcore
-# golang.org/x/crypto v0.30.0
+# golang.org/x/crypto v0.31.0
 ## explicit; go 1.20
 golang.org/x/crypto/bcrypt
 golang.org/x/crypto/blowfish
@@ -1354,7 +1354,7 @@ golang.org/x/mod/internal/lazyregexp
 golang.org/x/mod/modfile
 golang.org/x/mod/module
 golang.org/x/mod/semver
-# golang.org/x/net v0.32.0
+# golang.org/x/net v0.33.0
 ## explicit; go 1.18
 golang.org/x/net/context
 golang.org/x/net/html