Implement Istio Authorization Policies

See this MR for an example implementation and this comment for testing notes.

added to epic big-bang&159 (closed)

changed the description

added kindfeature priority5 teambigbang labels

set weight to 1

changed iteration to Big Bang Iterations Oct 31, 2023 - Nov 13, 2023

changed iteration to Big Bang Iterations Nov 14, 2023 - Nov 27, 2023

changed iteration to Big Bang Iterations Nov 28, 2023 - Dec 11, 2023

set weight to 2

removed iteration Big Bang Iterations Nov 28, 2023 - Dec 11, 2023

changed iteration to Big Bang Iterations Dec 12, 2023 - Dec 25, 2023

set weight to 3

this one may be able to be removed, i'm not sure if we are continuing to maintain this or not

removed iteration Big Bang Iterations Dec 12, 2023 - Dec 25, 2023

@andrewshoell can you clarify what may be able to removed exactly?

assigned to @seanthomas007

added statusdoing label

I've added the allow-nothing-policy.yaml and template.yaml as described here in the epic: big-bang&159 (closed)

@andrewshoell the next step is: redeploy and see whats broken, then add what policies are needed

How do I redploy this one?

I think I just found it:

helm install nexus-repository-manager chart/

I got this error

Error: INSTALLATION FAILED: 1 error occurred:
        * admission webhook "validate.kyverno.svc-fail" denied the request: 

resource Deployment/default/nexus-repository-manager was blocked due to the following policies 

disallow-namespaces:
  validate-namespace: 'validation error: The namespace used for this resource is not
    allowed. rule validate-namespace failed at path /metadata/namespace/'

i've found that it's easiest to deploy with all of bigbang, so basically what is in /docs/DEVELOPMENT_MAINTENANCE.md. Just make sure that you update git to point at your branch. I'm actually having a hard time getting nexus to deploy at all, but others were able to with just what's in there.

Can you explain what you mean by update git to point at your branch?

@andrewshoell

i was able to get it to work, and i updated the DEVELOPMENT_MAINTENANCE.md with my notes.

Sure so here is my current overrides file, you'd need to update the addons.nexusRepositoryManager.git object (ensure to include the tag:null otherwise it will still just pull the tag listed in the BB values file):

clusterAuditor:
  enabled: false

gatekeeper:
  enabled: false

istioOperator:
  enabled: true

istio:
  enabled: true

jaeger:
  enabled: false

kiali:
  enabled: false

eckOperator:
  enabled: false

fluentbit:
  enabled: false

monitoring:
  enabled: true

neuvector:
  enabled: false

twistlock:
  enabled: false

addons:
  nexusRepositoryManager:
    enabled: true
    git:
      tag: null
      branch: "name-of-your-development-branch"
    values:
      nexus:
        docker:
          enabled: true
          registries:
            - host: containers.bigbang.dev
              port: 5000
        repository:
          enabled: true
          repo:
            - name: "containers"
              format: "docker"
              type: "hosted"
              repo_data:
                name: "containers"
                online: true
                storage:
                  blobStoreName: "default"
                  strictContentTypeValidation: true
                  writePolicy: "allow_once"
                cleanup:
                  policyNames:
                    - "string"
                component:
                  proprietaryComponents: true
                docker:
                  v1Enabled: false
                  forceBasicAuth: true
                  httpPort: 5000

@seanthomas007

set weight to 5

I'm getting pulled off of Istio Authorization Policies Epic, hopefully the work here done by @andrewshoell can be continued.

unassigned @seanthomas007