debugging and troubleshooting connectivity issues with auth policies

added to epic big-bang&159 (closed)

set weight to 2

changed iteration to Big Bang Iterations Oct 17, 2023 - Oct 30, 2023

changed milestone to %2.13.0

added kindchore minio priority6 statusdoing teambigbang labels

assigned to @andrewshoell

marked this issue as related to big-bang/bigbang#1668 (closed)

with minio being deployed with the branch at 51-create-minio-authorization-policy-for-tempo. Then turning on and off the tempo.enabled and istio.console.enabled to test that those will allow and disallow traffic. NOTE: for that to work you must have istion.hardening.enabled set to true for those to work, it is by default, but if you set that to false none of the policies will be created and everything will be allowed.

added statusreview label and removed statusdoing label

I did not copy any of this work over to the tempo branch, that will still have to be worked once it is approved

closed

just wanted to add some testing notes for minio specifically:

deploy all of the auth policies (default-disables.yaml is optional). Make sure to include the ingress-certs

default-disables.yaml

kiali:
  enabled: false

kyverno:
  enabled: false

kyvernoPolicies:
  enabled: false
  values:
    validationFailureAction: "audit"

kyvernoReporter:
  enabled: false

promtail:
  enabled: false

loki:
  enabled: false

neuvector:
  enabled: false
  values:
    k3s:
      enabled: true

tempo:
  enabled: false

monitoring:
  enabled: false

grafana:
  enabled: false

tempo.yaml

tempo:
  enabled: true
  sourceType: "git"
  git:
    repo: "https://repo1.dso.mil/big-bang/product/packages/tempo.git"
    path: "chart"

addons:
  minio:
    enabled: true
    git:
      repo: "https://repo1.dso.mil/big-bang/product/packages/minio.git"
      path: "chart"
      tag: null
      branch: "51-create-minio-authorization-policy-for-tempo"
    values:
      istio:
        enabled: true
        hardened:
          enabled: true
          tempo:
            enabled: true
  metricsServer:
    enabled: false

1. Modify your hosts and add minio-api.bigbang.dev to the bigbang entry.
2. Look for an XML response from curl -L minio-api.bigbang.dev.
3. Delete the public-ingressgateway-minio-authz-policy (this is simulating passing istio.console.enabled as false).
4. Look for an RBAC denied error from curl -L minio-api.bigbang.dev.
5. Get a pod shell for tempo-tempo-*
6. Look for an XML response from curl -L minio.minio.svc.
7. Delete the tempo-minio-authz-policy (this is simulating passing tempo.enabled as false).
8. Look for an RBAC denied error from curl -L minio.minio.svc.

reopened

added statusdoing label and removed statusreview label

we updated to not include the istio.hardening.ingressAuthorizationPoliciesEnabled and just base it on if a gateway was passed

mentioned in merge request !116 (merged)

closed

mentioned in issue harbor#38 (closed)

mentioned in issue metrics-server#25 (closed)

mentioned in issue vault#57 (closed)