Merge branch '19-create-istio-authorization-policies-and-service-entry-for-mimir' into 'main'

Resolve "Create Istio authorization policies and Service Entry for mimir"

Closes #19

See merge request big-bang/apps/sandbox/mimir!20

CHANGELOG.md

@@ -3,6 +3,12 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+## [ 5.5.0-bb.8] 2024-12-11
+
+### Added
+
+- Added Istio monitoring auth policy, auth policy template, sidecar, and service entry
+
 ## [ 5.5.0-bb.7] 2024-12-11
 
 ### Added 

README.md

 <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. -->
 # mimir
 
-![Version: 5.5.0-bb.7](https://img.shields.io/badge/Version-5.5.0--bb.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.14.0](https://img.shields.io/badge/AppVersion-2.14.0-informational?style=flat-square) ![Maintenance Track: unknown](https://img.shields.io/badge/Maintenance_Track-unknown-red?style=flat-square)
+![Version: 5.5.0-bb.8](https://img.shields.io/badge/Version-5.5.0--bb.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.14.0](https://img.shields.io/badge/AppVersion-2.14.0-informational?style=flat-square) ![Maintenance Track: unknown](https://img.shields.io/badge/Maintenance_Track-unknown-red?style=flat-square)
 
 Grafana Mimir
 
@@ -48,7 +48,7 @@ helm install mimir chart/
 | networkPolicies.additionalPolicies | list | `[]` |  |
 | networkPolicies.egress | object | `{}` |  |
 | istio.enabled | bool | `false` | Toggle istio configuration |
-| istio.hardened | object | `{"customServiceEntries":[],"enabled":false,"outboundTrafficPolicyMode":"REGISTRY_ONLY"}` | Default peer authentication values |
+| istio.hardened | object | `{"alloy":{"enabled":true,"namespaces":["monitoring"],"principals":["cluster.local/ns/monitoring/sa/monitoring-alloy"]},"customAuthorizationPolicies":[],"customServiceEntries":[],"enabled":false,"grafana":{"enabled":true,"namespaces":["monitoring"],"principals":["cluster.local/ns/monitoring/sa/monitoring-grafana"]},"outboundTrafficPolicyMode":"REGISTRY_ONLY","prometheus":{"enabled":true,"namespaces":["monitoring"],"principals":["cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-prometheus"]}}` | Default peer authentication values |
 | istio.mtls.mode | string | `"STRICT"` | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic |
 
 ## Contributing

chart/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: mimir
 description: Grafana Mimir
 type: application
-version: 5.5.0-bb.7
+version: 5.5.0-bb.8
 appVersion: 2.14.0
 icon: https://raw.githubusercontent.com/grafana/grafana/main/public/img/grafana_icon.svg
 sources:

chart/templates/bigbang/istio/authorizationPolicies/mimir-allow-alloy-authz-policy.yaml

+{{- if and .Values.istio.enabled .Values.istio.hardened.enabled .Values.istio.hardened.alloy.enabled -}}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: mimir-allow-alloy-authz-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  action: ALLOW
+  rules:
+  - from:
+    - source:
+        namespaces: {{ .Values.istio.hardened.alloy.namespaces }}
+        principals: {{ .Values.istio.hardened.alloy.principals }}
+{{- end }}

chart/templates/bigbang/istio/authorizationPolicies/mimir-allow-grafana-authz-policy.yaml

+{{- if and .Values.istio.enabled .Values.istio.hardened.enabled .Values.istio.hardened.grafana.enabled -}}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: mimir-allow-grafana-authz-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  action: ALLOW
+  rules:
+  - from:
+    - source:
+        namespaces: {{ .Values.istio.hardened.grafana.namespaces }}
+        principals: {{ .Values.istio.hardened.grafana.principals }}
+{{- end }}

chart/templates/bigbang/istio/authorizationPolicies/mimir-allow-namespace-authz-policy.yaml

+{{- if and .Values.istio.enabled .Values.istio.hardened.enabled -}}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: mimir-allow-namespace-authz-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  action: ALLOW
+  rules:
+  - from:
+    - source:
+        namespaces: [{{ .Release.Namespace | quote }}]
+{{- end }}

chart/templates/bigbang/istio/authorizationPolicies/mimir-allow-prometheus-authz-policy.yaml

+{{- if and .Values.istio.enabled .Values.istio.hardened.enabled .Values.istio.hardened.prometheus.enabled -}}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: mimir-allow-prometheus-authz-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  action: ALLOW
+  rules:
+  - from:
+    - source:
+        namespaces: {{ .Values.istio.hardened.prometheus.namespaces }}
+        principals: {{ .Values.istio.hardened.prometheus.principals }}
+{{- end }}

chart/templates/bigbang/istio/authorizationPolicies/template.yaml

+{{- /* Render Istio Auth policies */ -}}
+{{- if and $.Values.istio.enabled $.Values.istio.hardened.enabled -}}
+{{- range $.Values.istio.hardened.customAuthorizationPolicies -}}
+{{- if .enabled -}}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ .name }}
+  namespace: {{ $.Release.Namespace }}
+
+spec:
+  {{- toYaml .spec | nindent 2 }}
+---
+{{ end -}}
+{{ end -}}
+{{- end -}}

chart/templates/bigbang/istio/serviceEntry.yaml

+{{- /* Render Istio ServiceEntries */ -}}
+{{- if and .Values.istio.enabled .Values.istio.hardened.enabled -}}
+{{- range .Values.istio.hardened.customServiceEntries -}}
+{{- if .enabled -}}
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: {{ .name }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+  {{- toYaml .spec | nindent 2 }}
+---
+{{ end -}}
+{{ end -}}
+{{- end -}}

chart/templates/bigbang/istio/sidecar.yaml

+{{- /* Render Istio Sidecar */ -}}
+{{- if and .Values.istio.enabled .Values.istio.hardened.enabled -}}
+apiVersion: networking.istio.io/v1beta1
+kind: Sidecar
+metadata:
+  name: {{ .Release.Name }}-sidecar
+  namespace: {{.Release.Namespace}}
+  labels:
+    name: mimir
+spec:
+  outboundTrafficPolicy:
+    mode: {{ .Values.istio.hardened.outboundTrafficPolicyMode }}
+{{- end }}

chart/values.yaml

@@ -106,6 +106,16 @@ istio:
   hardened:
     enabled: false
     outboundTrafficPolicyMode: "REGISTRY_ONLY"
+    customAuthorizationPolicies: []
+      # - name: "allow-some-namespace"
+      #   enabled: true
+      #   spec:
+      #     action: ALLOW
+      #     rules:
+      #     - from:
+      #       - source:
+      #         namespaces:
+      #         - some
     customServiceEntries: []
       # - name: "allow-google"
       #   enabled: true
@@ -118,6 +128,24 @@ istio:
       #         protocol: TLS
       #         name: https
       #     resolution: DNS
+    alloy:
+      enabled: true
+      namespaces:
+        - monitoring
+      principals:
+        - cluster.local/ns/monitoring/sa/monitoring-alloy
+    grafana:
+      enabled: true
+      namespaces:
+        - monitoring
+      principals:
+        - cluster.local/ns/monitoring/sa/monitoring-grafana
+    prometheus:
+      enabled: true
+      namespaces:
+        - monitoring
+      principals:
+        - cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-prometheus
 
   mtls:
     # -- STRICT = Allow only mutual TLS traffic,