fixing the authorization policies SKIP UPGRADE CHECK

1ade21ba · Andrew Shoell · Michael Martin · c58e79f0 · 1ade21ba · 1ade21ba
Commit 1ade21ba authored 1 year ago by Andrew Shoell Committed by Michael Martin 1 year ago
--- a/chart/templates/grafana/values.yaml
+++ b/chart/templates/grafana/values.yaml
@@ -35,6 +35,12 @@ gitlabRunner:
 istio:
  {{- $grafanaInjection := dig "istio" "injection" "enabled" .Values.grafana }}
  enabled: {{ .Values.istio.enabled }}
+  hardened:
+    {{- if or (dig "values" "istio" "hardened" "enabled" false .Values.monitoring) (dig "values" "istio" "hardened" "enabled" false .Values.grafana) }}
+    enabled: true
+    {{- else }}
+    enabled: false
+    {{- end }}
  grafana:
    enabled: true
    gateways:

--- a/chart/templates/mattermost/values.yaml
+++ b/chart/templates/mattermost/values.yaml
@@ -21,6 +21,11 @@ istio:
    gateways:
    - istio-system/{{ default "public" .Values.addons.mattermost.ingress.gateway }}
  injection: {{ ternary "enabled" "disabled" $istioInjection }}
+  hardened:
+    clusterAuditor:
+      enabled: {{ .Values.clusterAuditor.enabled }}
+    kyvernoReporter:
+      enabled: {{ .Values.kyvernoReporter.enabled }}

 {{- if $istioInjection }}
 podAnnotations:

--- a/chart/templates/monitoring/values.yaml
+++ b/chart/templates/monitoring/values.yaml
@@ -36,6 +36,12 @@ gitlabRunner:
 istio:
  {{- $monitoringInjection := dig "istio" "injection" "enabled" .Values.monitoring }}
  enabled: {{ .Values.istio.enabled }}
+  hardened:
+    {{- if or (dig "values" "istio" "hardened" "enabled" false .Values.monitoring) (dig "values" "istio" "hardened" "enabled" false .Values.grafana) }}
+    enabled: true
+    {{- else }}
+    enabled: false
+    {{- end }}
  prometheus:
    enabled: true
    {{- if and .Values.monitoring.sso.enabled (eq $monitoringInjection "disabled") }}

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -869,11 +869,11 @@ monitoring:
  git:
    repo: https://repo1.dso.mil/big-bang/product/packages/monitoring.git
    path: "./chart"
-    tag: "56.2.1-bb.3"
+    tag: "56.2.1-bb.9"
  helmRepo:
    repoName: "registry1"
    chartName: "monitoring"
-    tag: "56.2.1-bb.3"
+    tag: "56.2.1-bb.9"

  # -- Flux reconciliation overrides specifically for the Monitoring Package
  flux:
@@ -1640,11 +1640,11 @@ addons:
    git:
      repo: https://repo1.dso.mil/big-bang/product/packages/mattermost.git
      path: "./chart"
-      tag: "9.5.1-bb.1"
+      tag: "9.5.1-bb.2"
    helmRepo:
      repoName: "registry1"
      chartName: "mattermost"
-      tag: "9.5.1-bb.1"
+      tag: "9.5.1-bb.2"

    # -- Flux reconciliation overrides specifically for the Mattermost Package
    flux: {}

--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -955,6 +955,9 @@ monitoring:
    alertmanager:
      client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_alertmanager
  values:
+    istio:
+      hardened:
+        enabled: true
    prometheus:
      prometheusSpec:
        replicas: 1
@@ -980,6 +983,7 @@ monitoring:
      enabled: true
      cypress:
        envs:
+          cypress_bigbang_integration: 'true'
          cypress_prometheus_url: 'https://prometheus.bigbang.dev'
          cypress_grafana_url: 'https://grafana.bigbang.dev'
          cypress_alertmanager_url: 'https://alertmanager.bigbang.dev'
@@ -996,6 +1000,45 @@ grafana:
      client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_grafana
      scopes: "openid Grafana"
  values:
+    istio:
+      hardened:
+        enabled: true
+        customServiceEntries:
+          - name: "allow-npm-for-cypress-tests"
+            enabled: true
+            spec:
+              hosts:
+                - 'registry.npmjs.org'
+                - 'download.cypress.io'
+                - 'cdn.cypress.io'
+              location: MESH_EXTERNAL
+              ports:
+                - number: 443
+                  protocol: TLS
+                  name: https
+              resolution: DNS
+          - name: "allow-repo1-for-cypress"
+            enabled: true
+            spec:
+              hosts:
+                - 'repo1.dso.mil'
+              location: MESH_EXTERNAL
+              ports:
+                - number: 443
+                  protocol: TLS
+                  name: https
+              resolution: DNS
+          - name: "allow-grafana-for-cypress"
+            enabled: true
+            spec:
+              hosts:
+                - 'grafana.bigbang.dev'
+              location: MESH_EXTERNAL
+              ports:
+                - number: 443
+                  protocol: TLS
+                  name: https
+              resolution: DNS
    dashboards:
      default:
        k8s-deployment:
@@ -1646,6 +1689,16 @@ addons:
      istio:
        hardened:
          enabled: true
+          customAuthorizationPolicies:
+            - name: "test-for-allowing-monitoring"
+              enabled: true
+              spec:
+                action: ALLOW
+                rules:
+                  - from:
+                    - source:
+                        namespaces:
+                          - monitoring
      postgresql:
        persistence:
          size: 256Mi