Merge branch '13-implement-istio-authorization-policies' into 'main'

Resolve "Implement Istio Authorization Policies" See merge request !35

Merge branch '13-implement-istio-authorization-policies' into 'main'
5bdbad64 · Blane Staskiewicz · 4bfe4250 · d1ddd05d · 5bdbad64 · 5bdbad64
Commit 5bdbad64 authored 1 year ago by Blane Staskiewicz
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,19 +3,24 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

 ---
-## [7.2.1-bb.3] - 2023-01-23
+
+## [7.2.1-bb.4] - 2024-01-29
+### Added
+- Added support for Istio Authorization Policies
+
+## [7.2.1-bb.3] - 2024-01-23
 ### Added
 - Updated cypress health test to use coreDNS for testing

-## [7.2.1-bb.2] - 2023-01-22
+## [7.2.1-bb.2] - 2024-01-22
 ### Added
 - Stopped exposing `/metrics` via virtual services

-## [7.2.1-bb.1] - 2023-01-19
+## [7.2.1-bb.1] - 2024-01-19
 ### Added
 - Updated cypress health test

-## [7.2.1-bb.0] - 2023-01-18
+## [7.2.1-bb.0] - 2024-01-18
 ### Added
 - Updated grafana to 10.1.5 -> 10.2.3
 - Updated grafana-plugins 10.1.5 -> 10.2.3

--- a/README.md
+++ b/README.md
 # grafana

-![Version: 7.2.1-bb.3](https://img.shields.io/badge/Version-7.2.1--bb.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 10.2.3](https://img.shields.io/badge/AppVersion-10.2.3-informational?style=flat-square)
+![Version: 7.2.1-bb.4](https://img.shields.io/badge/Version-7.2.1--bb.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 10.2.3](https://img.shields.io/badge/AppVersion-10.2.3-informational?style=flat-square)

 The leading tool for querying and visualizing time series and metrics.

@@ -384,6 +384,7 @@ helm install grafana chart/
 | networkPolicies.ingressLabels.istio | string | `"ingressgateway"` |  |
 | domain | string | `"bigbang.dev"` |  |
 | istio.enabled | bool | `false` |  |
+| istio.hardened.enabled | bool | `false` |  |
 | istio.grafana.enabled | bool | `true` |  |
 | istio.grafana.annotations | object | `{}` |  |
 | istio.grafana.labels | object | `{}` |  |

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: grafana
-version: 7.2.1-bb.3
+version: 7.2.1-bb.4
 appVersion: 10.2.3
 kubeVersion: "^1.8.0-0"
 description: The leading tool for querying and visualizing time series and metrics.

--- a/chart/templates/bigbang/auth-policies/allow-namespace.yaml
+++ b/chart/templates/bigbang/auth-policies/allow-namespace.yaml
+{{- if and .Values.istio.enabled .Values.istio.hardened.enabled -}}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-all-in-namespace
+ namespace: {{ .Release.Namespace }}
+spec:
+ rules:
+ - {}
+{{- end }}
+
--- a/chart/templates/bigbang/auth-policies/allow-nothing.yaml
+++ b/chart/templates/bigbang/auth-policies/allow-nothing.yaml
+{{- /* the allow-nothing policy should eventually be provided by istio itself cluster-wide */ -}}
+{{- if and .Values.istio.enabled .Values.istio.hardened.enabled -}}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-nothing-policy
+  namespace: {{ .Release.Namespace }}
+spec: {}
+{{- end }}
--- a/chart/templates/bigbang/auth-policies/ingressgateway-authz-policy.yaml
+++ b/chart/templates/bigbang/auth-policies/ingressgateway-authz-policy.yaml
+{{- if and .Values.istio.enabled .Values.istio.hardened.enabled -}}
+{{- range .Values.istio.grafana.gateways -}}
+{{- $gatewayParts := split "/" . }}
+{{- $namespace := $gatewayParts._0 }}
+{{- $name := $gatewayParts._1 }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ $name }}-ingressgateway-authz-policy
+  namespace: {{ $.Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      app: metrics
+  action: ALLOW
+  rules:
+  - from:
+    - source:
+        namespaces:
+        - {{ $namespace }}
+        principals:
+        - "cluster.local/ns/{{ $namespace }}/sa/{{ $name }}-ingressgateway-service-account"
+---
+{{ end -}}
+{{- end }}
\ No newline at end of file
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1364,6 +1364,8 @@ domain: bigbang.dev

 istio:
  enabled: false
+  hardened:
+    enabled: false
  grafana:
    # Toggle vs creation
    enabled: true

--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -38,4 +38,7 @@ dashboardProviders:
      disableDeletion: false
      editable: true
      options:
-        path: /var/lib/grafana/dashboards
\ No newline at end of file
+        path: /var/lib/grafana/dashboards
+istio:
+  hardened: 
+    enabled: true
\ No newline at end of file