Resolve "Egress Whitelist - Jira"
General MR
Summary
As part of big-bang&160, we will want to enable users to configure setting REGISTRY_ONLY traffic policy on a per-package basis, in addition to allowing for it to be set globally in the meshConfig (see #1886). Creating Sidecars in each package will also allow us to focus on individual packages as we define what whitelists will need to be created per application.
Relevant logs/screenshots
Bigbang testing MR: big-bang/bigbang!4309 (closed)
Network policies block egress to google, so they were removed for this testing.
With sidecar, but without service entry present:
curl --head https://www.google.com
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443istio-proxy logs:
[2024-05-08T17:18:59.888Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 142.251.46.196:443 10.42.0.6:44118 - -With sidecar and google ServiceEntry:
curl --head https://www.google.com
HTTP/2 200
...istio-proxy logs:
[2024-05-08T17:03:22.798Z] "- - -" 0 - - - "-" 888 5845 149 - "-" "-" "-" "-" "142.251.46.196:443" outbound|443||www.google.com 10.42.0.6:42492 142.251.46.196:443 10.42.0.6:42484 www.google.com -Linked Issue
Upgrade Notices
A Sidecar resource has been added to the jira namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a REGISTRY_ONLY). The outboundTrafficPolicy.mode in the Sidecar can be configured, however, to be something other than REGISTRY_ONLY if desired by setting istio.hardened.outboundTrafficPolicyMode. This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting istio.enabled: true and istio.hardened.enabled: true.
Additional custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries list.
Closes #70 (closed) (In this case this is correct as there will be no corresponding BB MR)