From 16f25de8bdd8eb946f802b1b719ab165db5232df Mon Sep 17 00:00:00 2001
From: Ryan Daily <rdaily@bridgephase.com>
Date: Thu, 20 Mar 2025 11:41:00 -0400
Subject: [PATCH] Adds Istio custom authorization policies template to work
 with Istio hardening configurations

---
 CHANGELOG.md                                  |  7 ++++++
 README.md                                     | 23 +++++++++++++++++--
 chart/Chart.yaml                              |  2 +-
 .../istio/authorizationPolicies/template.yaml | 16 +++++++++++++
 4 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 chart/templates/bigbang/istio/authorizationPolicies/template.yaml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6a2ebda..48cbaf7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ---
 
+## [1.0.0-bb.2] - 2025-03-20
+
+### Changed
+
+- Added Istio custom authorization policies template to work with Istio hardening configurations
+- Updated README to include the new istio field value descriptions
+
 ## [1.0.0-bb.1] - 2025-03-13
 
 ### Changed
diff --git a/README.md b/README.md
index 265ba47..ca978dc 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. -->
 # bbctl
 
-![Version: 1.0.0-bb.0](https://img.shields.io/badge/Version-1.0.0--bb.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) ![Maintenance Track: bb_integrated](https://img.shields.io/badge/Maintenance_Track-bb_integrated-green?style=flat-square)
+![Version: 1.0.0-bb.2](https://img.shields.io/badge/Version-1.0.0--bb.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) ![Maintenance Track: bb_integrated](https://img.shields.io/badge/Maintenance_Track-bb_integrated-green?style=flat-square)
 
 bbctl as a helm chart for partial automated management of Big Bang.
 
@@ -63,7 +63,26 @@ helm install bbctl chart/
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| bigbang | object | `{"addons":{"authservice":{"enabled":false,"values":{"selector":{"key":"protect","value":"keycloak"}}}},"domain":"bigbang.dev","istio":{"enabled":false,"hardened":{"enabled":false}},"monitoring":{"enabled":false},"networkPolicies":{"controlPlaneCidr":"0.0.0.0/0","controlPlaneNode":null,"enabled":false},"openshift":false}` | Passdown values from Big Bang |
+| domain | string | `"dev.bigbang.mil"` | Passdown values from Big Bang These values are for the BigBang overrides |
+| networkPolicies.enabled | bool | `false` |  |
+| networkPolicies.controlPlaneCidr | string | `"0.0.0.0/0"` |  |
+| networkPolicies.ingressLabels.app | string | `"istio-ingressgateway"` |  |
+| networkPolicies.ingressLabels.istio | string | `"ingressgateway"` |  |
+| networkPolicies.additionalPolicies | list | `[]` |  |
+| istio.enabled | bool | `false` |  |
+| istio.hardened.enabled | bool | `false` |  |
+| istio.hardened.outboundTrafficPolicyMode | string | `"REGISTRY_ONLY"` |  |
+| istio.hardened.customServiceEntries[0].name | string | `"external-service-entries-bbctl"` |  |
+| istio.hardened.customServiceEntries[0].enabled | bool | `true` |  |
+| istio.hardened.customServiceEntries[0].spec.hosts[0] | string | `"repo1.dso.mil"` |  |
+| istio.hardened.customServiceEntries[0].spec.location | string | `"MESH_EXTERNAL"` |  |
+| istio.hardened.customServiceEntries[0].spec.ports[0].number | int | `443` |  |
+| istio.hardened.customServiceEntries[0].spec.ports[0].protocol | string | `"TLS"` |  |
+| istio.hardened.customServiceEntries[0].spec.ports[0].name | string | `"https"` |  |
+| istio.hardened.customServiceEntries[0].spec.resolution | string | `"DNS"` |  |
+| istio.hardened.customAuthorizationPolicies | list | `[]` |  |
+| istio.hardened.clusterWideHardenedEnabled | bool | `false` |  |
+| monitoring.enabled | bool | `false` |  |
 | bbtests.enabled | bool | `false` |  |
 | image.repository | string | `"registry1.dso.mil/ironbank/big-bang/bbctl"` |  |
 | image.pullPolicy | string | `"Always"` |  |
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index a89d214..90515ff 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -24,7 +24,7 @@ description: |
   `bbctl` is currently used both inside and outside the Big Bang team as a fully open source project.
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
-version: 1.0.0-bb.1
+version: 1.0.0-bb.2
 # This is the version number of the application being deployed.
 appVersion: "1.0.0"
 keywords:
diff --git a/chart/templates/bigbang/istio/authorizationPolicies/template.yaml b/chart/templates/bigbang/istio/authorizationPolicies/template.yaml
new file mode 100644
index 0000000..6f2a73e
--- /dev/null
+++ b/chart/templates/bigbang/istio/authorizationPolicies/template.yaml
@@ -0,0 +1,16 @@
+{{- /* Render Istio Auth policies */ -}}
+{{- if and $.Values.istio.enabled $.Values.istio.hardened.enabled -}}
+{{- range $.Values.istio.hardened.customAuthorizationPolicies -}}
+{{- if .enabled -}}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ .name }}
+  namespace: {{ $.Release.Namespace }}
+
+spec:
+  {{- toYaml .spec | nindent 2 }}
+---
+{{ end -}}
+{{ end -}}
+{{- end -}}
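Review bot: A list entry that omits `enabled` is silently dropped by the `{{- if .enabled -}}` guard, because a missing key is falsy in Go templates, so an operator who adds a hardening AuthorizationPolicy without `enabled: true` gets no policy and no error; the sibling `customServiceEntries` default avoids this only because it spells out `enabled: true`. Treating an absent key as enabled makes the failure mode explicit: `{{- if or (not (hasKey . "enabled")) .enabled -}}`. In the same spirit, `name` and `spec` are rendered unchecked, so a missing `name` yields an unnamed resource and a missing `spec` appears to render `spec: null`, which the API server should reject but only at install time rather than at template time; `name: {{ required "istio.hardened.customAuthorizationPolicies[].name is required" .name | quote }}` and `{{- toYaml (required "istio.hardened.customAuthorizationPolicies[].spec is required" .spec) | nindent 2 }}` fail fast with a useful message. The rendered `spec` is also accepted verbatim, so a comment reminding users that an entry with no `selector` applies to every workload in `{{ $.Release.Namespace }}` (per Istio's AuthorizationPolicy semantics, to be confirmed for the pinned Istio version) would be worth adding above the `range`.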
-- 
GitLab