Remove shared auth policies for HAProxy

CHANGELOG.md

@@ -3,6 +3,10 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+## [1.19.3-bb.6] - 2024-06-21
+### Changed
+- Removed shared authorization policies
+
 ## [1.19.3-bb.5] - 2024-05-06
 ### Added
 - Updated HAProxy `v2.2.32` -> `v2.2.33`

README.md

 # haproxy
 
-![Version: 1.19.3-bb.5](https://img.shields.io/badge/Version-1.19.3--bb.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.2.33](https://img.shields.io/badge/AppVersion-2.2.33-informational?style=flat-square)
+![Version: 1.19.3-bb.6](https://img.shields.io/badge/Version-1.19.3--bb.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.2.33](https://img.shields.io/badge/AppVersion-2.2.33-informational?style=flat-square)
 
 A Helm chart for HAProxy on Kubernetes
 

chart/Chart.yaml

@@ -16,7 +16,7 @@ apiVersion: v2
 name: haproxy
 description: A Helm chart for HAProxy on Kubernetes
 type: application
-version: 1.19.3-bb.5
+version: 1.19.3-bb.6
 appVersion: 2.2.33
 kubeVersion: ">=1.17.0-0"
 keywords:

chart/templates/bigbang/istio/authorization-policies/allow-nothing-policy.yaml

-{{- /* the allow-nothing policy should eventually be provided by istio itself cluster-wide */ -}}
-{{- if and .Values.istio.enabled .Values.istio.hardened.enabled -}}
-apiVersion: security.istio.io/v1
-kind: AuthorizationPolicy
-metadata:
-  name: allow-nothing-policy-haproxy
-  namespace: {{ .Release.Namespace }}
-spec: {}
-{{- end }}

chart/templates/bigbang/istio/authorization-policies/monitoring-authz-policy.yaml

-{{- if and .Values.istio.enabled .Values.istio.hardened.enabled .Values.istio.hardened.monitoring.enabled -}}
-apiVersion: security.istio.io/v1
-kind: AuthorizationPolicy
-metadata:
-  name: monitoring-authz-policy-haproxy
-  namespace: {{ .Release.Namespace }}
-spec:
-  selector:
-    matchLabels:
-      {{ include "haproxy.selectorLabels" . | nindent 6 }}
-  action: ALLOW
-  rules:
-  - from:
-    - source:
-        namespaces: {{ .Values.istio.hardened.monitoring.namespaces | toYaml | nindent 10 }}
-        principals: {{ .Values.istio.hardened.monitoring.principals | toYaml | nindent 10 }}
-{{- end }}

chart/values.yaml

@@ -563,17 +563,6 @@ istio:
     # - name: "allow-nothing"
     #   enabled: true
     #   spec: {}
-    monitoring:
-      enabled: true
-      namespaces:
-        - monitoring
-      principals:
-        - cluster.local/ns/monitoring/sa/monitoring-grafana
-        - cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-alertmanager
-        - cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-operator
-        - cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-prometheus
-        - cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-state-metrics
-        - cluster.local/ns/monitoring/sa/monitoring-monitoring-prometheus-node-exporter
   mtls:
     # STRICT = Allow only mutual TLS traffic
     # PERMISSIVE = Allow both plain text and mutual TLS traffic

docs/IstioHardened.md

+See the [Big Bang Doc](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/docs/developer/IstioHardened.md?ref_type=heads).
\ No newline at end of file

tests/test-values.yml

@@ -24,9 +24,4 @@ containerPorts:
   stat: 10024
 
 imagePullSecrets:
-- name: private-registry
-
-# enable istio hardening
-istio:
-  hardened:
-    enabled: true
+- name: private-registry
\ No newline at end of file