Egress Whitelist - Holocron
General MR
Summary
This MR introduces a Sidecar and a set of ServiceEntries for Holocron when `istio.enabled: true` and `istio.hardened.enabled: true`. This is in support of big-bang.
Relevant logs/screenshots
Bigbang testing MR: big-bang/bigbang!4292 (closed)
Linked Issue
Upgrade Notices
A Sidecar resource has been added to the holocron namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a. `REGISTRY_ONLY`). The `outboundTrafficPolicy.mode` in the Sidecar can be configured, however, to be something other than `REGISTRY_ONLY` if desired by setting `istio.hardened.outboundTrafficPolicyMode`. This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting `istio.enabled: true` and `istio.hardened.enabled: true`.

Additional custom ServiceEntries can be created by populating the `istio.hardened.customServiceEntries` list.
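As an added illustration of the two resource kinds described above (not the Holocron chart's own templates, whose rendered form this MR does not show), a Sidecar in `REGISTRY_ONLY` mode and a ServiceEntry that re-admits one external host; the host, port and resource names are placeholders chosen for the example:

```yaml
# Illustrative example, not the Holocron chart's actual templates.
# A Sidecar with no workloadSelector applies to every workload in the
# namespace. With REGISTRY_ONLY the sidecar proxy drops outbound
# connections to hosts that are not in Istio's service registry,
# independently of any NetworkPolicy. ALLOW_ANY (the Istio default)
# would let them through.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: holocron
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY   # the mode selected via istio.hardened.outboundTrafficPolicyMode
---
# A ServiceEntry adds an external endpoint to the registry, so the Sidecar
# above permits egress to it. The host is a placeholder standing in for
# whatever a customServiceEntries item would declare.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: holocron-example-external   # placeholder name
  namespace: holocron
spec:
  hosts:
    - example-dependency.invalid    # placeholder host, not a real endpoint
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
    - number: 443
      name: https
      protocol: TLS
```

Any egress destination not covered by a ServiceEntry (or by an in-mesh Service) is blocked while the Sidecar is in `REGISTRY_ONLY` mode, which is the point of the redundant layer the notice describes.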
Merge request reports
Activity
changed milestone to %2.27.0
added kindfeature priority6 statusdoing teamService Mesh labels
assigned to @sarnowski-unicorn
added statusblocked label and removed statusdoing label
changed milestone to %2.28.0
changed milestone to %2.29.0
added 5 commits
- 8dd3df6a...2c9e92fd - 4 commits from branch main
- b8b81286 - Merge branch 'main' of...
Decision was made to move forward without explicit serviceEntry support for SSO at this time, since SSO does not currently function, irrespective of istio hardening.
The following note was added to IstioHardened.md:

## Note on SSO functionality within Bigbang

As of 29 May 2024, per Mark Howard, as currently implemented, if SSO is enabled Holocron expects an `Authorization` header containing the SSO JWT info to be passed in every call to the api pod, which apparently is the case in the Party Bus deployment. In Bigbang, this prevents the app from even reconciling, as the Holocron api pod readiness and liveness probes fail. Removing those allows the pod to get "healthy", but this doesn't seem like the right direction. He agreed something needs to be updated to address this either on the Bigbang side, the Holocron side, or maybe both. He is going to create an issue and investigate this on his side. This means there is currently no specific ServiceEntry for SSO, but if later required one can easily be added via `customServiceEntries` override as detailed below.
added statusreview label and removed statusblocked label
requested review from @cschaefer, @daniel.stocum, @jtwidt, @dpritchettrm, @colin.mcguigan.ctr, @alfredodiaz53, @matt.vasquez, and @nbazzeghin
@sarnowski-unicorn - I added the below to my holocron-values-overrides.yaml file for testing on my dev-cluster. I was thinking I would be seeing a new resource for the new serviceentries. What am I missing?
```yaml
addons:
  holocron:
    # -- Toggle deployment of Holocron.
    enabled: true
    #
    # -- Choose source type of "git" or "helmRepo"
    sourceType: "git"
    git:
      repo: "https://repo1.dso.mil/big-bang/product/packages/holocron.git"
      tag: null
      # branch: "10-renovate-upgrade-holocron-dashboard-3.5.0"
      branch: "13-holocron-sidecar"
      path: "./chart"
    values:
      istio:
        enabled: true
        hardened:
          enabled: true
```
mentioned in commit f0567cf5
mentioned in merge request big-bang/bigbang!4422 (merged)