Commit f0ef2f81 authored by mr-bot's avatar mr-bot Committed by Christopher O'Connell

enable vault hardening

parent 6d3f4bfb
1 merge request!4121enable vault hardening
......@@ -81,7 +81,6 @@ jaeger:
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_jaeger
values:
istio:
enabled: true
hardened:
enabled: true
customAuthorizationPolicies:
......@@ -1204,7 +1203,6 @@ twistlock:
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_twistlock-saml
values:
istio:
enabled: true
hardened:
enabled: true
customServiceEntries:
......@@ -1360,7 +1358,7 @@ addons:
values:
istio:
hardened:
enabled: true
enabled: true
storage:
volume: 5Gi
jvmMaxRAMPercentage: 85
......@@ -1823,6 +1821,25 @@ addons:
namespaces:
- minio
- minio-operator
customServiceEntries:
- name: "cypress-service-entries-minio"
enabled: true
spec:
hosts:
- 'registry.npmjs.org'
- 'download.cypress.io'
- 'cdn.cypress.io'
- 'repo1.dso.mil'
- 'minio.dev.bigbang.mil'
- 'minio-api.dev.bigbang.mil'
location: MESH_EXTERNAL
exportTo:
- "."
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
tenant:
pools:
- servers: 3
......@@ -1860,28 +1877,6 @@ addons:
envs:
MINIO_PORT: ''
MINIO_HOST: 'https://minio-api.dev.bigbang.mil'
istio:
hardened:
enabled: true
customServiceEntries:
- name: "cypress-service-entries-minio"
enabled: true
spec:
hosts:
- 'registry.npmjs.org'
- 'download.cypress.io'
- 'cdn.cypress.io'
- 'repo1.dso.mil'
- 'minio.dev.bigbang.mil'
- 'minio-api.dev.bigbang.mil'
location: MESH_EXTERNAL
exportTo:
- "."
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
mattermostOperator:
enabled: false
......@@ -2304,12 +2299,50 @@ addons:
prometheus_retention_time = "24h"
disable_hostname = true
}
service_registration "kubernetes" {}
istio:
hardened:
enabled: true
customAuthorizationPolicies:
- name: allow-egress-instance-metadata
enabled: true
spec:
action: ALLOW
rules:
- from:
- source:
ipBlocks:
- 169.254.169.254/32
customServiceEntries:
- name: "allow-egress-cypress-tests"
enabled: true
spec:
hosts:
- 'registry.npmjs.org'
- 'download.cypress.io'
- 'cdn.cypress.io'
- 'vault.dev.bigbang.mil'
- 'repo1.dso.mil'
- 'kms.us-gov-west-1.amazonaws.com'
location: MESH_EXTERNAL
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
# - name: "allow-egress-instance-metadata"
# enabled: true
# spec:
# addresses:
# - 169.254.169.254/32
# ports:
# - number: 80
# name: http
# protocol: HTTP
# location: MESH_EXTERNAL
# resolution: STATIC
# endpoints:
# - address: 169.254.169.254
bbtests:
enabled: true
cypress:
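Review bot: The `allow-egress-instance-metadata` AuthorizationPolicy added in the vault hunk is named for egress, but its only rule is `from.source.ipBlocks: 169.254.169.254/32`, which matches the source address of requests arriving at the workload, so as written it appears to admit traffic from the metadata address rather than let Vault reach it. If the goal is for Vault to fetch instance credentials (presumably for the `kms.us-gov-west-1.amazonaws.com` call), handle that on the egress side, scope it to the Vault workload because that endpoint serves node credentials, and add a comment saying why the address is needed. The new `allow-egress-cypress-tests` ServiceEntry also omits `exportTo`, while the minio entry in this commit sets `exportTo:` with `- "."`; unless the chart supplies a default, add the same two lines so these hosts are not exported to other namespaces. The commented-out `allow-egress-instance-metadata` ServiceEntry below it should be deleted or given a line explaining why it is kept. Indentation is lost in this rendering, so the nesting of these keys is inferred.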