remove istio exception

chart/dev-k3d-values.yaml

+# enables and configures gatekeeper to add an exception for the allowedDockerRegistries violations in the istio-system namespace (when using k3d)
+# this is required for development deployments to allow the istio loadbalancer daemonset to come up with rancher images rather than images from registry1.dso.mil or registry.dso.mil
+
+gatekeeper:
+  enabled: true
+  values:
+    violations:
+      allowedDockerRegistries:
+        match:
+          excludedNamespaces: 
+            - istio-system 
\ No newline at end of file

chart/templates/gatekeeper/values.yaml

@@ -18,18 +18,11 @@ networkPolicies:
   controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
 violations:  # Try to keep this in alpha order to make it easier to find keys
 
-  {{- if or .Values.istio.enabled .Values.addons.mattermost.enabled }}
+  {{- if .Values.addons.mattermost.enabled }}
   allowedDockerRegistries:
-    {{- if .Values.istio.enabled }}
-    match:
-      excludedNamespaces:
-        - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
-    {{- end }}
-    {{- if .Values.addons.mattermost.enabled }}
     parameters:
       exemptContainers:
         - init-check-database # mattermost needs postgres:13 image and cannot override the upstream
-    {{- end }}
   {{- end }}
 
   {{- if .Values.monitoring.enabled}}

charter/packages/opa-gatekeeper/Architecture.md

@@ -37,7 +37,17 @@ Gatekeeper doesn't have a database.
 
 ### Istio Configuration
 
-This package has no specific istio configuration.
+When deploying to k3d, istio-system should be added from `excludedNamespaces` under the `allowedDockerRegistries` violations. This can be done by modifying `chart/values.yaml` file or passing an override file with the values set as seen below. This is for development purposes only: production should not allow containers in the `istio-system` namespace to be pulled from outside of Registry1. 
+
+```yaml
+gatekeeper:
+  values:
+    violations:
+      allowedDockerRegistries:
+        match:
+          excludedNamespaces: 
+            - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
+```
 
 ## High Availability
 

docs/developer/development-environment.md

@@ -204,6 +204,18 @@ cd ./bigbang
 ./scripts/install_flux.sh -u your-user-name -p your-pull-secret
 ```
 
+**Note:** When deploying to k3d, istio-system should be added from `excludedNamespaces` under the `allowedDockerRegistries` violations for gatekeeper. This can be done by modifying `chart/values.yaml` file or passing an override file with the values set as seen below. This is for development purposes only: production should not allow containers in the `istio-system` namespace to be pulled from outside of Registry1. 
+
+```yaml
+gatekeeper:
+  values:
+    violations:
+      allowedDockerRegistries:
+        match:
+          excludedNamespaces: 
+            - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
+```
+
 ## Addendum
 
 ### More secure method with `sshuttle`

docs/production.md

@@ -7,8 +7,6 @@ Table of Contents
 
 ## Production Deployment
 
-Note: When deploying to production, istio-system should be removed from `excludedNamespaces` under the `allowedDockerRegistries` violations (see `chart/templates/gatekeeper/values.yaml` for reference). This can be done by modifying `chart/values.yaml` file or passing an override file with the values set as seen below. Production should not allow containers in the `istio-system` namespace to be pulled from outside of Registry1. 
-
 The gatekeeper `values` section should resemble below when deploying to production.
 ```
 # OPA Gatekeeper

tests/ci/k3d/values.yaml

@@ -104,6 +104,11 @@ gatekeeper:
         cpu: 100m
         memory: 256Mi
       limits: {}
+    violations:
+      allowedDockerRegistries:
+        match:
+          excludedNamespaces: 
+            - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
 
 twistlock:
   enabled: true