Merge branch 'bb-1019' into 'main'

mTLS added and exception for defenders See merge request platform-one/big-bang/apps/security-tools/twistlock!51

Merge branch 'bb-1019' into 'main'
f16f7fb0 · Micah Nagel · c1bad8cd · 65b466b9 · f16f7fb0 · f16f7fb0
Commit f16f7fb0 authored 3 years ago by Micah Nagel
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,11 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ---
+## [0.4.0-bb.1] - 2022-02-28
+### Added
+- Added mTLS PeerAuthentication
+- Added mTLS exception for defenders
 ## [0.3.0-bb.0] - 2022-01-31
 ### Changed
 - Updated to 22.01.840 image versions

--- a/README.md
+++ b/README.md
 # twistlock
-![Version: 0.4.0-bb.0](https://img.shields.io/badge/Version-0.4.0--bb.0-informational?style=flat-square) ![AppVersion: 22.01.840](https://img.shields.io/badge/AppVersion-22.01.840-informational?style=flat-square)
+![Version: 0.4.0-bb.1](https://img.shields.io/badge/Version-0.4.0--bb.1-informational?style=flat-square) ![AppVersion: 22.01.840](https://img.shields.io/badge/AppVersion-22.01.840-informational?style=flat-square)
 ## Learn More
 * [Application Overview](docs/overview.md)
@@ -31,6 +31,7 @@ helm install twistlock chart/
 | domain | string | `"bigbang.dev"` |  |
 | monitoring.enabled | bool | `false` |  |
 | istio.enabled | bool | `false` |  |
+| istio.mtls.mode | string | `"STRICT"` |  |
 | istio.console.enabled | bool | `true` |  |
 | istio.console.annotations | object | `{}` |  |
 | istio.console.labels | object | `{}` |  |

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: twistlock
-version: 0.4.0-bb.0
+version: 0.4.0-bb.1
 appVersion: 22.01.840
 dependencies:
  - name: gluon

--- a/chart/templates/bigbang/consolePeerAuthentication.yaml
+++ b/chart/templates/bigbang/consolePeerAuthentication.yaml
+{{- if and .Values.istio.enabled (eq .Values.istio.mtls.mode "STRICT") }}
+apiVersion: "security.istio.io/v1beta1"
+kind: PeerAuthentication
+metadata:
+  name: twistlock-console-exception
+  namespace: {{ .Release.Namespace }}
+spec:
+  mtls:
+    mode: {{ .Values.istio.mtls.mode }}
+  selector:
+    matchLabels:
+      name: twistlock-console
+  portLevelMtls:
+    "8084":
+      mode: PERMISSIVE
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/defenderPeerAuthentication.yaml
+++ b/chart/templates/bigbang/defenderPeerAuthentication.yaml
+{{- if and .Values.istio.enabled (eq .Values.istio.mtls.mode "STRICT") }}
+apiVersion: "security.istio.io/v1beta1"
+kind: PeerAuthentication
+metadata:
+  name: twistlock-defender-exception
+  namespace: {{ .Release.Namespace }}
+spec:
+  mtls:
+    mode: PERMISSIVE
+  selector:
+    matchLabels:
+      app: twistlock-defender
+{{- end }}
--- a/chart/templates/bigbang/peerauthentication.yaml
+++ b/chart/templates/bigbang/peerauthentication.yaml
+{{- if .Values.istio.enabled }}
+apiVersion: "security.istio.io/v1beta1"
+kind: PeerAuthentication
+metadata:
+  name: default-twistlock
+  namespace: {{ .Release.Namespace }}
+spec:
+  mtls:
+    mode: {{ .Values.istio.mtls.mode }}
+{{- end }}
\ No newline at end of file
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -6,6 +6,11 @@ monitoring:
 istio:
  # Toggle istio integration
  enabled: false
+  # -- Default twistlock peer authentication
+  mtls:
+    # -- STRICT = Allow only mutual TLS traffic,
+    # PERMISSIVE = Allow both plain text and mutual TLS traffic
+    mode: STRICT
  console:
    # Toggle vs creation
    enabled: true