UNCLASSIFIED - NO CUI


istioGateway update to 1.27.1-bb.1

Package Merge Request

Package Changes

https://repo1.dso.mil/big-bang/product/packages/istio-gateway/-/blob/1.27.1-bb.1/CHANGELOG.md

Package MR

big-bang/product/packages/istio-gateway!59 (merged)

For Issue

Closes big-bang/product/packages/istio-gateway#56 (closed)

Upgrade Notices

Preview of upcoming bb-common implementation

This release of istio-gateway incorporates the new bb-common network policy implementation. For customers using Big Bang's default gateway configuration, this will require no changes. For customers deploying their own gateways or modifying port configurations of the default gateways, see the note below.

This new functionality allows Big Bang package maintainers and customers alike to more easily define the network policies that are applied to their packages. The implementation has been added to istio-gateway as a sort of "trial run": how it works may still change, so consider it to be in an "alpha" state as far as stability guarantees go. Still, we encourage you to read the docs, become familiar with the pattern, and provide us feedback.

Automatic NetworkPolicy generation

For gateways that are configured as part of Big Bang's istioGateway values, whether by default or by the user, the gateway configuration is introspected to generate a baseline network policy configuration that should work in most use cases. This means that all gateways are configured to allow inbound connections from any known private subnet range (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) and to allow outbound connections to any k8s workload.

This baseline configuration is set up as a default value for the gateway's HelmRelease, meaning the user's values configuration is always able to override it. If you want to override the CIDRs to scope to your actual load balancer subnets/IPs or limit the connectivity a particular gateway has with the rest of the cluster, see below.

Modifying the global load-balancer-subnets ingress definition

Let's assume you have two subnets in your environment where your layer-4 load balancers are deployed. We'll call these lb-subnet-a and lb-subnet-b with CIDRs 10.100.101.0/24 and 10.100.102.0/24 respectively. Apply the following values to set these as your load-balancer-subnets globally:

# top-level `networkPolicies` in big bang values; NOT `istioGateway.values.<gateway-name>.networkPolicies`
networkPolicies:
  ingress:
    definitions:
      load-balancer-subnets:
        from:
          - ipBlock:
              cidr: 10.100.101.0/24 # lb-subnet-a's CIDR range
          - ipBlock:
              cidr: 10.100.102.0/24 # lb-subnet-b's CIDR range

This will lock down your gateways so they can only receive traffic from these subnets instead of all private IP ranges.

Modifying the load-balancer-subnets ingress definition on a per-gateway basis

Let's assume you have some regular gateways that should receive the global load-balancer-subnets definition, but you also have a single gateway, which we'll call special, that should only be reachable from two other subnets, special-subnet-x and special-subnet-y with CIDRs 10.200.201.0/24 and 10.200.202.0/24 respectively. You can override the definition for just the special gateway with the following:

istioGateway:
  values:
    gateways:
      special:
        networkPolicies:
          ingress:
            definitions:
              load-balancer-subnets:
                from:
                  - ipBlock:
                      cidr: 10.200.201.0/24 # special-subnet-x's CIDR range
                  - ipBlock:
                      cidr: 10.200.202.0/24 # special-subnet-y's CIDR range
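After applying either the global or the per-gateway override above, it is worth confirming in the cluster that the generated NetworkPolicy really carries your load-balancer subnets and no longer the baseline private ranges. The following is an added example (not part of this release or the istio-gateway chart) that audits a NetworkPolicy object as returned by `kubectl get networkpolicy <name> -o json`; the embedded policy objects are constructed samples, and the label-selector and namespace details in them are assumptions.

```python
"""Audit a gateway NetworkPolicy for the baseline private CIDRs vs. the intended LB subnets."""
import ipaddress

# Baseline ingress ranges the generated gateway policy allows by default (per the release notes).
DEFAULT_PRIVATE_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ingress_cidrs(policy: dict) -> list[str]:
    """Collect every ipBlock CIDR from the ingress rules of a NetworkPolicy object."""
    cidrs = []
    for rule in policy.get("spec", {}).get("ingress", []):
        for peer in rule.get("from", []):
            block = peer.get("ipBlock") or {}
            if "cidr" in block:
                cidrs.append(block["cidr"])
    return cidrs


def audit_ingress(policy: dict, expected_lb_subnets: list[str]) -> dict:
    """Classify each ingress CIDR: still a baseline default, or outside the subnets you intended.

    locked_down is True only when every ingress CIDR sits inside one of expected_lb_subnets.
    """
    expected = [ipaddress.ip_network(c) for c in expected_lb_subnets]
    still_default, unexpected = [], []
    for cidr in ingress_cidrs(policy):
        net = ipaddress.ip_network(cidr)
        if net in DEFAULT_PRIVATE_RANGES:
            still_default.append(cidr)
        elif not any(net.version == e.version and net.subnet_of(e) for e in expected):
            unexpected.append(cidr)
    return {"still_default": still_default, "unexpected": unexpected,
            "locked_down": not still_default and not unexpected}


def sample_policy(cidrs: list[str]) -> dict:
    """Constructed NetworkPolicy in the shape kubectl prints; selector/namespace are assumptions."""
    return {
        "kind": "NetworkPolicy",
        "metadata": {"name": "example-ingressgateway", "namespace": "istio-gateway"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "example-ingressgateway"}},
            "ingress": [{"from": [{"ipBlock": {"cidr": c}} for c in cidrs],
                         "ports": [{"port": 8080}, {"port": 8443}]}],
        },
    }


if __name__ == "__main__":
    print(audit_ingress(sample_policy(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
                        ["10.100.101.0/24", "10.100.102.0/24"]))
```

Run it against a live object with `kubectl get networkpolicy -n <ns> <name> -o json | python3 -c 'import json,sys; ...'` substituting your own lb-subnet CIDRs; a non-empty still_default list means the override did not land at the level (global vs. per-gateway) you expected.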

Disabling the generated ingress policy entirely

If you want to manage an individual gateway's ingress policy entirely on your own, you can disable the generated ingress policy that uses the load-balancer-subnets definition like so:

istioGateway:
  values:
    gateways:
      <gateway-name>:
        gateway:
          servers:
            - hosts:
                - "*.my.domain"
              port:
                name: http
                number: 80
                protocol: HTTP
              tls:
                httpsRedirect: true
            - hosts:
                - "*.my.domain"
              port:
                name: https
                number: 443
                protocol: HTTPS
              tls:
                credentialName: myspecial-cert
                mode: SIMPLE
        networkPolicies:
          ingress:
            to:
              # This key is generated based on the gateway's name (<gateway-name>-ingressgateway)
              # and server port configuration. Adjust accordingly if your gateway's name or ports
              # are different. The ports will be a JSON array of all the ports the gateway
              # listens on in the order they are defined.
              <gateway-name>-ingressgateway:[80,443]:
                from:
                  definition:
                    # Setting this to false disables the generated ingress policy
                    load-balancer-subnets: false

Modifying the gateway's egress policy

By default, all gateways are configured to allow outbound connections to any k8s workload. If you want to restrict this connectivity, you can modify the egress policy like so:

istioGateway:
  values:
    gateways:
      <gateway-name>:
        networkPolicies:
          egress:
            from:
              <gateway-name>-ingressgateway:
                to:
                  k8s:
                    # Setting this to `false` removes the default egress policy
                    # allowing egress to all k8s workloads
                    "*": false

Additional support options

If you have any questions or need help with this new functionality, please reach out to the Big Bang team via our community Slack or open an issue in the Big Bang repo.

Edited by Zach Callahan
