Merge branch '590-remove-exception' into 'master'

remove istio exception Closes #590 See merge request platform-one/big-bang/bigbang!735

Merge branch '590-remove-exception' into 'master'
d908af12 · Michael McLeroy · 71463f9f · 2bca8f30 · d908af12 · d908af12
Commit d908af12 authored 3 years ago by Michael McLeroy
--- a/chart/dev-k3d-values.yaml
+++ b/chart/dev-k3d-values.yaml
+# enables and configures gatekeeper to add an exception for the allowedDockerRegistries violations in the istio-system namespace (when using k3d)
+# this is required for development deployments to allow the istio loadbalancer daemonset to come up with rancher images rather than images from registry1.dso.mil or registry.dso.mil
+
+gatekeeper:
+  enabled: true
+  values:
+    violations:
+      allowedDockerRegistries:
+        match:
+          excludedNamespaces: 
+            - istio-system 
\ No newline at end of file
--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -18,18 +18,11 @@ networkPolicies:
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
 violations:  # Try to keep this in alpha order to make it easier to find keys

-  {{- if or .Values.istio.enabled .Values.addons.mattermost.enabled }}
+  {{- if .Values.addons.mattermost.enabled }}
  allowedDockerRegistries:
-    {{- if .Values.istio.enabled }}
-    match:
-      excludedNamespaces:
-        - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
-    {{- end }}
-    {{- if .Values.addons.mattermost.enabled }}
    parameters:
      exemptContainers:
        - init-check-database # mattermost needs postgres:13 image and cannot override the upstream
-    {{- end }}
  {{- end }}

  {{- if .Values.monitoring.enabled}}

--- a/charter/packages/opa-gatekeeper/Architecture.md
+++ b/charter/packages/opa-gatekeeper/Architecture.md
@@ -37,7 +37,17 @@ Gatekeeper doesn't have a database.

 ### Istio Configuration

-This package has no specific istio configuration.
+When deploying to k3d, istio-system should be added from `excludedNamespaces` under the `allowedDockerRegistries` violations. This can be done by modifying `chart/values.yaml` file or passing an override file with the values set as seen below. This is for development purposes only: production should not allow containers in the `istio-system` namespace to be pulled from outside of Registry1. 
+
+```yaml
+gatekeeper:
+  values:
+    violations:
+      allowedDockerRegistries:
+        match:
+          excludedNamespaces: 
+            - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
+```

 ## High Availability


--- a/docs/developer/development-environment.md
+++ b/docs/developer/development-environment.md
@@ -204,6 +204,18 @@ cd ./bigbang
 ./scripts/install_flux.sh -u your-user-name -p your-pull-secret
 ```

+**Note:** When deploying to k3d, istio-system should be added from `excludedNamespaces` under the `allowedDockerRegistries` violations for gatekeeper. This can be done by modifying `chart/values.yaml` file or passing an override file with the values set as seen below. This is for development purposes only: production should not allow containers in the `istio-system` namespace to be pulled from outside of Registry1. 
+
+```yaml
+gatekeeper:
+  values:
+    violations:
+      allowedDockerRegistries:
+        match:
+          excludedNamespaces: 
+            - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
+```
+
 ## Addendum

 ### More secure method with `sshuttle`

--- a/docs/production.md
+++ b/docs/production.md
@@ -7,8 +7,6 @@ Table of Contents

 ## Production Deployment

-Note: When deploying to production, istio-system should be removed from `excludedNamespaces` under the `allowedDockerRegistries` violations (see `chart/templates/gatekeeper/values.yaml` for reference). This can be done by modifying `chart/values.yaml` file or passing an override file with the values set as seen below. Production should not allow containers in the `istio-system` namespace to be pulled from outside of Registry1. 
-
 The gatekeeper `values` section should resemble below when deploying to production.
 ```
 # OPA Gatekeeper

--- a/tests/ci/k3d/values.yaml
+++ b/tests/ci/k3d/values.yaml
@@ -104,6 +104,11 @@ gatekeeper:
        cpu: 100m
        memory: 256Mi
      limits: {}
+    violations:
+      allowedDockerRegistries:
+        match:
+          excludedNamespaces: 
+            - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers

 twistlock:
  enabled: true