From f0ef2f81f6607cb86d7e945b0b7f739335c53cab Mon Sep 17 00:00:00 2001
From: mr-bot <project2872_bot1@noreply.repo1.dso.mil>
Date: Thu, 25 Apr 2024 19:13:40 +0000
Subject: [PATCH] enable vault hardening
---
tests/test-values.yaml | 87 +++++++++++++++++++++++++++++-------------
1 file changed, 60 insertions(+), 27 deletions(-)
diff --git a/tests/test-values.yaml b/tests/test-values.yaml
index 100fe1f57c..eabf690134 100644
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -81,7 +81,6 @@ jaeger: client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_jaeger values: istio: - enabled: true hardened: enabled: true customAuthorizationPolicies:
@@ -1204,7 +1203,6 @@ twistlock: client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_twistlock-saml values: istio: - enabled: true hardened: enabled: true customServiceEntries:
@@ -1360,7 +1358,7 @@ addons: values: istio: hardened: - enabled: true + enabled: true storage: volume: 5Gi jvmMaxRAMPercentage: 85
@@ -1823,6 +1821,25 @@ addons: namespaces: - minio - minio-operator + customServiceEntries: + - name: "cypress-service-entries-minio" + enabled: true + spec: + hosts: + - 'registry.npmjs.org' + - 'download.cypress.io' + - 'cdn.cypress.io' + - 'repo1.dso.mil' + - 'minio.dev.bigbang.mil' + - 'minio-api.dev.bigbang.mil' + location: MESH_EXTERNAL + exportTo: + - "." + ports: + - number: 443 + protocol: TLS + name: https + resolution: DNS tenant: pools: - servers: 3
@@ -1860,28 +1877,6 @@ addons: envs: MINIO_PORT: '' MINIO_HOST: 'https://minio-api.dev.bigbang.mil' - istio: - hardened: - enabled: true - customServiceEntries: - - name: "cypress-service-entries-minio" - enabled: true - spec: - hosts: - - 'registry.npmjs.org' - - 'download.cypress.io' - - 'cdn.cypress.io' - - 'repo1.dso.mil' - - 'minio.dev.bigbang.mil' - - 'minio-api.dev.bigbang.mil' - location: MESH_EXTERNAL - exportTo: - - "." - ports: - - number: 443 - protocol: TLS - name: https - resolution: DNS mattermostOperator: enabled: false
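Review bot: The relocated minio `customServiceEntries` block (hunk `@@ -1823`) mixes quoting styles: `name: "cypress-service-entries-minio"` and `exportTo: - "."` use double quotes while every `hosts` item uses single quotes; these are plain literals, so pick one style (single quotes fit) and apply it to the whole entry. The parent key of the inserted block lies outside the hunk — only the preceding `namespaces: - minio - minio-operator` context is visible — so it is worth confirming in the rendered values that the block lands under `istio.hardened`, which is where the copy deleted in hunk `@@ -1860` lived. The ServiceEntry content itself is unchanged from the removed copy.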
@@ -2304,12 +2299,50 @@ addons: prometheus_retention_time = "24h" disable_hostname = true } - service_registration "kubernetes" {} - istio: hardened: enabled: true + customAuthorizationPolicies: + - name: allow-egress-instance-metadata + enabled: true + spec: + action: ALLOW + rules: + - from: + - source: + ipBlocks: + - 169.254.169.254/32 + customServiceEntries: + - name: "allow-egress-cypress-tests" + enabled: true + spec: + hosts: + - 'registry.npmjs.org' + - 'download.cypress.io' + - 'cdn.cypress.io' + - 'vault.dev.bigbang.mil' + - 'repo1.dso.mil' + - 'kms.us-gov-west-1.amazonaws.com' + location: MESH_EXTERNAL + ports: + - number: 443 + protocol: TLS + name: https + resolution: DNS + # - name: "allow-egress-instance-metadata" + # enabled: true + # spec: + # addresses: + # - 169.254.169.254/32 + # ports: + # - number: 80 + # name: http + # protocol: HTTP + # location: MESH_EXTERNAL + # resolution: STATIC + # endpoints: + # - address: 169.254.169.254 bbtests: enabled: true cypress: -- GitLab
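Review bot: The new `allow-egress-instance-metadata` AuthorizationPolicy does not do what its name says: `rules[].from[].source.ipBlocks` matches the source address of inbound requests to the selected workloads, so this entry allows traffic arriving from `169.254.169.254/32` rather than letting Vault reach the instance-metadata endpoint. If the intent is egress to IMDS, as the commented-out ServiceEntry of the same name below suggests, that is a ServiceEntry concern and the AuthorizationPolicy should be dropped so it is not read as a deliberate inbound allow from a link-local address. Unlike the minio entry elsewhere in this patch, `allow-egress-cypress-tests` carries no `exportTo`, so under Istio's default it is visible mesh-wide; add `exportTo: - "."` to keep the egress allowance scoped to the vault namespace. The commented-out ServiceEntry is dead configuration in a test-values file; either remove it or precede it with a one-line explanation such as `# IMDS egress ServiceEntry intentionally disabled; see <issue-ref>`.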