From b0f2efc71446db3fb7586f874dbd73d07fce1930 Mon Sep 17 00:00:00 2001
From: Andrew Shoell <andrew.shoell.ctr@us.af.mil>
Date: Tue, 9 Apr 2024 19:24:50 +0000
Subject: [PATCH] Resolve "Ensure that istio.hardened.enabled is turned on for
 all packages in test-values.yaml for packages that support it"

---
 chart/values.yaml                         |  16 ++--
 docs/developer/test-package-against-bb.md |   2 +-
 tests/test-values.yaml                    | 110 +++++++++++++++++++---
 3 files changed, 104 insertions(+), 24 deletions(-)

diff --git a/chart/values.yaml b/chart/values.yaml
index 532350a3b8..b8261c7d90 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -341,11 +341,11 @@ jaeger:
   git:
     repo: https://repo1.dso.mil/big-bang/product/packages/jaeger.git
     path: "./chart"
-    tag: "2.50.1-bb.0"
+    tag: "2.50.1-bb.2"
   helmRepo:
     repoName: "registry1"
     chartName: "jaeger"
-    tag: "2.50.1-bb.0"
+    tag: "2.50.1-bb.2"
 
   # -- Flux reconciliation overrides specifically for the Jaeger Package
   flux:
@@ -801,11 +801,11 @@ tempo:
   git:
     repo: https://repo1.dso.mil/big-bang/product/packages/tempo.git
     path: "./chart"
-    tag: "1.7.1-bb.3"
+    tag: "1.7.1-bb.5"
   helmRepo:
     repoName: "registry1"
     chartName: "tempo"
-    tag: "1.7.1-bb.3"
+    tag: "1.7.1-bb.5"
 
   # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
   ingress:
@@ -1389,11 +1389,11 @@ addons:
     git:
       repo: https://repo1.dso.mil/big-bang/product/packages/sonarqube.git
       path: "./chart"
-      tag: "8.0.4-bb.0"
+      tag: "8.0.4-bb.1"
     helmRepo:
       repoName: "registry1"
       chartName: "sonarqube"
-      tag: "8.0.4-bb.0"
+      tag: "8.0.4-bb.1"
 
     # -- Flux reconciliation overrides specifically for the Sonarqube Package
     flux: {}
@@ -1891,12 +1891,12 @@ addons:
 
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/harbor.git
-      tag: "1.14.0-bb.6"
+      tag: "1.14.0-bb.7"
       path: "./chart"
     helmRepo:
       repoName: "registry1"
       chartName: "harbor"
-      tag: "1.14.0-bb.6"
+      tag: "1.14.0-bb.7"
 
     # -- Flux reconciliation overrides specifically for the Jaeger Package
     flux: {}
diff --git a/docs/developer/test-package-against-bb.md b/docs/developer/test-package-against-bb.md
index 7f361905cb..9425acf3da 100644
--- a/docs/developer/test-package-against-bb.md
+++ b/docs/developer/test-package-against-bb.md
@@ -19,7 +19,7 @@ As part of your MR that modifies istio you will need to run bigbang tests agains
 1. Stage your changes `git add -A`
 1. Commit your changes `git commit -m "prepping for test"`
 1. Push your changes `git push -u origin my-bigbang-branch-for-testing`
-1. Create the bigbang MR as a draft with `TEST ONLY DO NOT MERGE` in the title
+1. Create the bigbang MR as a draft with `TEST ONLY DO NOT MERGE` in the title, and add the label of the package to test, e.g. `monitoring`
 1. Wait for tests to finish, and do fixes on your package branch as needed until they pass
 1. Close the bigbang MR by deleting the bigbang branch `git push -d origin my-bigbang-branch-for-testing`
 1. Link the bigbang MR on your package MR as evidence of your package working in bigbang
diff --git a/tests/test-values.yaml b/tests/test-values.yaml
index 31e5723841..2f71e3d736 100644
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -81,6 +81,18 @@ jaeger:
     client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_jaeger
   values:
     istio:
+      hardened:
+        enabled: true
+        customAuthorizationPolicies:
+          - name: "allow-intranamespace-jaeger"
+            enabled: true
+            spec:
+              action: ALLOW
+              rules:
+              - from:
+                - source:
+                    namespaces:
+                    - jaeger
       jaeger:
         enabled: true
     bbtests:
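Review bot: The inner sequences in the new `customAuthorizationPolicies` entry are flush with their parent keys (`rules:` / `- from:`, `namespaces:` / `- jaeger`) while the outer list under `customAuthorizationPolicies:` is indented, so one block mixes both sequence styles and yamllint's `indentation` rule will flag one of them; the same pattern is repeated in the sonarqube, minioOperator and minio hunks below. Indenting the inner lists two spaces (`rules:` followed by `  - from:`) matches the outer list and the rest of the file. The rule also has a `from` clause but no `to` clause, so under Istio's usual semantics any workload in the `jaeger` namespace is permitted every operation against the workloads the policy selects; a line such as `# intra-namespace ALLOW: no to: clause, so all operations from the jaeger namespace are permitted` would record that this is intended. The enclosing `jaeger:` / `values:` mapping starts before this hunk.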
@@ -782,7 +794,7 @@ elasticsearchKibana:
             enabled: true
             spec:
               hosts:
-                - 'kibana.dev.bigbang.mil'                
+                - 'kibana.dev.bigbang.mil'
               location: MESH_EXTERNAL
               ports:
                 - number: 443
@@ -822,6 +834,12 @@ elasticsearchKibana:
           cypress_expect_logs: "true"
           cypress_kibana_url: "https://kibana.dev.bigbang.mil"
 
+eckOperator:
+  values:
+    istio:
+      hardened:
+        enabled: true
+
 fluentbit:
   enabled: false
   values:
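Review bot: The new `eckOperator:` stanza sets `istio.hardened.enabled: true` but carries no `enabled:` key of its own, unlike the neighbouring `fluentbit:` entry, so whether these values are ever rendered depends on eckOperator's default in chart/values.yaml, which is outside this diff. If the package is off by default the hardened setting is never exercised by the test run; adding `enabled: true` here, or a comment such as `# eckOperator is enabled by the chart defaults`, would make the intent explicit.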
@@ -864,7 +882,7 @@ loki:
                 - 'download.cypress.io'
                 - 'cdn.cypress.io'
                 - 'repo1.dso.mil'
-                - 'grafana.dev.bigbang.mil' 
+                - 'grafana.dev.bigbang.mil'
               location: MESH_EXTERNAL
               ports:
                 - number: 443
@@ -928,6 +946,28 @@ tempo:
       tempoQuery:
         hosts:
           - "tempo.{{ .Values.domain }}"
+      enabled: true
+      hardened:
+        enabled: true
+        customServiceEntries:
+          - name: "cypress-service-entries-tempo"
+            enabled: true
+            spec:
+              hosts:
+                - 'registry.npmjs.org'
+                - 'download.cypress.io'
+                - 'cdn.cypress.io'
+                - 'repo1.dso.mil'
+                - 'tempo.dev.bigbang.mil'
+                - 'grafana.dev.bigbang.mil'
+                - 'grafana.com'
+              location: MESH_EXTERNAL
+              ports:
+                - number: 443
+                  protocol: TLS
+                  name: https
+              resolution: DNS
+
     tempo:
       resources:
         limits: null
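Review bot: The new ServiceEntry hard-codes `tempo.dev.bigbang.mil` and `grafana.dev.bigbang.mil` while the `hosts:` list a few lines above it in the same hunk uses `"tempo.{{ .Values.domain }}"`, so the egress allow-list silently drifts if the test domain changes; the existing kibana and loki entries do the same, so this may be the file's convention, but it is worth stating in a comment. In hardened mode each `MESH_EXTERNAL` host is an egress exception, and nothing records why `registry.npmjs.org`, the cypress CDNs or `grafana.com` are needed by the tempo test; a one-line comment per group, e.g. `# egress needed by the cypress test: <reason>` above the cypress hosts and a similar line for `grafana.com`, would let a later reviewer prune the list safely. Quoting is also mixed within the entry (double quotes for `name`, single quotes for hosts). The `istio:` mapping these keys belong to begins before the hunk.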
@@ -990,14 +1030,6 @@ monitoring:
     alertmanager:
       client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_alertmanager
   values:
-    prometheus:
-      prometheusSpec:
-        replicas: 1
-        resources:
-          requests:
-            cpu: 100m
-            memory: 200Mi
-          limits: {}
     istio:
       hardened:
         enabled: true
@@ -1255,7 +1287,6 @@ addons:
             requests:
               cpu: 2
               memory: 2Gi
-        istio:
           sidecar:
             resources:
               cpu:
@@ -1264,6 +1295,9 @@ addons:
               memory:
                 requests: 512Mi
                 limits: 2048Mi
+      istio:
+        hardened:
+          enabled: false
 
   authservice:
     enabled: false
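Review bot: `hardened.enabled: false` is added with no comment, although the commit's purpose is to turn hardening on for every package that supports it; a reader cannot tell whether this addon lacks support or whether hardening breaks its tests, so a line such as `# hardened mode off: <reason or tracking issue>` above `istio:` is needed. Note too that the previous hunk removes the `istio:` parent above `sidecar:`, so `sidecar.resources` now sits under the addon's indent-8 mapping rather than under `istio`; whether that matches the package chart's schema cannot be checked from this diff because the addon's top-level key is outside both hunks.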
@@ -1664,6 +1698,19 @@ addons:
       name: name
       email: email
     values:
+      istio:
+        hardened:
+          enabled: true
+          customAuthorizationPolicies:
+            - name: "allow-intranamespace-sonarqube"
+              enabled: true
+              spec:
+                action: ALLOW
+                rules:
+                - from:
+                  - source:
+                      namespaces:
+                      - sonarqube
       plugins:
         install: []
       resources:
@@ -1698,17 +1745,43 @@ addons:
   minioOperator:
     enabled: true # Minio Operator is required for Loki in default core
     values:
-      istio:
-        console:
-          enabled: false
       console:
         enabled: true
       bbtests:
         enabled: true
+      istio:
+        console:
+          enabled: false
+        hardened:
+          enabled: true
+          customAuthorizationPolicies:
+            - name: "allow-intranamespace-minio-operator"
+              enabled: true
+              spec:
+                action: ALLOW
+                rules:
+                - from:
+                  - source:
+                      namespaces:
+                      - minio-operator
 
   minio:
     enabled: false
     values:
+      istio:
+        hardened:
+          enabled: true
+          customAuthorizationPolicies:
+            - name: "allow-intranamespace-minio"
+              enabled: true
+              spec:
+                action: ALLOW
+                rules:
+                - from:
+                  - source:
+                      namespaces:
+                      - minio
+                      - minio-operator
       tenant:
         pools:
         - servers: 3
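Review bot: The `allow-intranamespace-minio` policy admits traffic from the `minio-operator` namespace as well as `minio`, which is broader than the single-namespace rules in the other hunks and is not explained; a comment such as `# operator namespace included: <reason>` above the second namespace entry would document the cross-namespace exception. Both new rules also omit a `to` clause, so under Istio's usual semantics all operations from the listed namespaces are allowed to the workloads each policy selects. The `minio:` addon is `enabled: false` in this file, so its new values are only rendered when a test run turns the addon on.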
@@ -1730,6 +1803,10 @@ addons:
             runAsUser: 1001
             runAsGroup: 1001
             runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+
       bbtests:
         # There have been intermittent failures of the tests in the past.   The issue is tracked in the below issue.
         # https://repo1.dso.mil/big-bang/product/packages/minio/-/issues/7
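Review bot: `capabilities.drop: [ALL]` is only valid in a container-level securityContext; if the block holding `runAsUser`/`runAsGroup`/`runAsNonRoot` here is the pool's pod-level `securityContext` (the MinIO Tenant spec keeps a separate `containerSecurityContext`), the API server will reject the field as unknown or discard it, depending on validation settings, and the hardening silently does nothing. The parent key is outside the hunk (the indentation points to a key at column 10 above `runAsUser`), so please confirm which level this is and move the capabilities to the container-level context if needed. A short comment such as `# container securityContext: drop all Linux capabilities` would make the placement self-documenting.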
@@ -2200,6 +2277,9 @@ addons:
 
     # -- Values to pass through to Habor chart: https://repo1.dso.mil/big-bang/product/packages/harbor.git
     values:
+      istio:
+        hardened:
+          enabled: true
       expose:
         type: clusterIP
         tls:
@@ -2415,7 +2495,7 @@ addons:
     values:
       istio:
         hardened:
-          enabled: true    
+          enabled: true
       bbtests:
         enabled: true
         cypress:
-- 
GitLab