Integrated bb-common
General MR
Summary
- Integrated bb-common and replaced static resources with dynamically generated resources
Relevant logs/screenshots
Before Upgrade
kubectl get netpol -n vault
NAME POD-SELECTOR AGE
allow-from-custom-selector app.kubernetes.io/name=vault 2m50s
allow-helm-test-egress helm-test=enabled 2m50s
allow-in-ns <none> 2m50s
allow-istio <none> 2m50s
allow-prometheus-ingress <none> 2m50s
allow-tempo-egress <none> 2m50s
default-deny-all <none> 2m50s
egress-allow-https app.kubernetes.io/name=vault 2m50s
egress-aws-endpoints-vault app.kubernetes.io/name=vault 2m50s
egress-kube-api-agent-injector app.kubernetes.io/name=vault-agent-injector 2m50s
egress-kube-api-job-init app.kubernetes.io/name=vault-job-init 2m50s
egress-kube-dns <none> 2m50s
ingress-webhook <none> 2m50s
kubectl get ap -n vault
NAME ACTION AGE
allow-egress-instance-metadata ALLOW 2m54s
allow-intranamespace ALLOW 2m54s
api-access-authz-policy ALLOW 2m54s
monitoring-authz-policy ALLOW 2m54s
passthrough-ingressgateway-ingressgateway-authz-policy ALLOW 2m54s
kubectl get se -n vault
NAME HOSTS LOCATION RESOLUTION AGE
vault-se ["vault.dev.bigbang.mil"] MESH_INTERNAL DNS 3m18s
kubectl get pa -n vault
NAME MODE AGE
vault STRICT 3m22s
vault-access-exception STRICT 3m22s
vault-webhook-exception STRICT 3m22s
kubectl get vs -n vault
NAME GATEWAYS HOSTS AGE
vault ["istio-gateway/passthrough-ingressgateway"] ["vault.dev.bigbang.mil"] 4m38s
After bb-common Integration:
kubectl get netpol -n vault
NAME POD-SELECTOR AGE
allow-egress-from-vault-agent-injector-to-kubeapi app.kubernetes.io/name=vault-agent-injector 2m22s
allow-egress-from-vault-autoinit-to-kubeapi batch.kubernetes.io/job-name=vault-vault-job-init 2m22s
allow-egress-from-vault-autoinit-to-ns-istio-gateway-pod-passthrough-ingressgateway-tcp-port-8443 batch.kubernetes.io/job-name=vault-vault-job-init 2m22s
allow-egress-from-vault-to-cidr-169-254-169-254-32-any-port app.kubernetes.io/name=vault 2m22s
allow-egress-from-vault-to-kms app.kubernetes.io/name=vault 2m22s
allow-egress-from-vault-to-kubeapi app.kubernetes.io/name=vault 2m22s
allow-egress-from-vault-to-ns-tempo-pod-tempo-tcp-port-9411 app.kubernetes.io/name=vault 2m22s
allow-ingress-to-vault-8200-from-ns-istio-gateway-pod-passthrough-ingressgateway app.kubernetes.io/name=vault 2m22s
allow-ingress-to-vault-agent-injector-tcp-port-8080-from-anywhere app.kubernetes.io/name=vault-agent-injector 2m22s
allow-ingress-to-vault-port-8200-from-custom-app-ingress app.kubernetes.io/name=vault 2m22s
allow-ingress-to-vault-tcp-port-8200-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=vault 2m22s
default-egress-allow-all-in-ns <none> 2m22s
default-egress-allow-istiod <none> 2m22s
default-egress-allow-kube-dns <none> 2m22s
default-egress-deny-all <none> 2m22s
default-ingress-allow-all-in-ns <none> 2m22s
default-ingress-allow-prometheus-to-istio-sidecar <none> 2m22s
default-ingress-deny-all <none> 2m22s
kubectl get ap -n vault
NAME ACTION AGE
allow-egress-instance-metadata ALLOW 2m26s
allow-ingress-to-vault-agent-injector-tcp-port-8080-from-anywhere ALLOW 2m26s
allow-ingress-to-vault-tcp-port-8200-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus ALLOW 2m26s
default-authz-allow-all-in-ns ALLOW 2m26s
default-authz-allow-nothing 2m26s
vault-passthrough-ingressgateway-authz-policy ALLOW 2m26s
kubectl get se -n vault
NAME HOSTS LOCATION RESOLUTION AGE
aws-kms-external ["kms.us-gov-west-1.amazonaws.com"] MESH_EXTERNAL DNS 2m31s
vault-internal ["vault.dev.bigbang.mil"] MESH_EXTERNAL DNS 2m31s
kubectl get pa -n vault
NAME MODE AGE
default-peer-auth STRICT 2m47s
kubectl get vs -n vault
NAME GATEWAYS HOSTS AGE
vault ["istio-gateway/passthrough-ingressgateway"] ["vault.dev.bigbang.mil"] 45m
Verified Prometheus Target:
Verified Grafana Dashboard:
Validated SSO Authentication:
Linked Issue
Upgrade Notices
Vault is now leveraging our bb-common integration for network policies and all istio-related resources. Please refer to this blog post for additional information on the integration.
Vault now has a new definition called kms which is intended to allow egress access to the KMS service it is using. Note that some of the network policies previously in place were too lenient, so KMS traffic worked even when it should not have. For that reason it is recommended to start using this new definition instead of the original networkPolicies.vpcCidr, which will eventually be deprecated; it will continue to work for the time being if specified. For more details, please refer to our documentation on setting up KMS access for Vault.
Additionally, the tls section no longer exists under the istio section. If you are using the Values.addons.vault.ingress.cert and Values.addons.vault.ingress.key values from the umbrella chart, this change has no impact, as those values are still mapped from that location. However, if you are setting the package values directly, please make sure they are updated so that TLS termination continues to function as expected.
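As an added illustration of the point above (not part of this MR or the bb-common chart), the following audit walks a namespace's NetworkPolicy manifests and reports whether a default-deny baseline is present and which egress rules target a CIDR wider than a chosen prefix, which is how a VPC-wide allowance such as the old vpcCidr value shows up next to the single-host rules generated now. The manifests are constructed stand-ins that borrow policy names from the MR output; the 10.0.0.0/16 range is an assumption, not a value from the page.

```python
import ipaddress

# Constructed sample manifests (only the fields the audit reads); names mirror
# the MR output, the CIDR values are assumed for illustration.
SAMPLE_POLICIES = [
    {"metadata": {"name": "default-egress-deny-all"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"]}},
    {"metadata": {"name": "default-ingress-deny-all"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    # Old style: a whole (assumed) VPC range on every port, the "too lenient" case.
    {"metadata": {"name": "egress-aws-endpoints-vault"},
     "spec": {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "vault"}},
              "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/16"}}]}]}},
    # New style: a single /32 host; ports are unrestricted but scope is one address.
    {"metadata": {"name": "allow-egress-from-vault-to-cidr-169-254-169-254-32-any-port"},
     "spec": {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "vault"}},
              "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "169.254.169.254/32"}}]}]}},
]

def is_default_deny(pol, direction):
    """True if the policy selects every pod and carries no rules for `direction`."""
    spec = pol["spec"]
    return (spec.get("podSelector") == {}
            and direction in spec.get("policyTypes", [])
            and not spec.get(direction.lower()))

def wide_cidr_egress(policies, max_prefix=24):
    """Return (policy name, cidr, ports) for egress ipBlock peers wider than /max_prefix."""
    findings = []
    for pol in policies:
        for rule in pol["spec"].get("egress", []):
            ports = [p.get("port") for p in rule.get("ports", [])]
            for peer in rule.get("to", []):
                cidr = peer.get("ipBlock", {}).get("cidr")
                if cidr and ipaddress.ip_network(cidr).prefixlen < max_prefix:
                    findings.append((pol["metadata"]["name"], cidr, ports))
    return findings

def audit(policies):
    """Summarise the namespace posture: default-deny in both directions plus wide egress."""
    return {
        "egress_default_deny": any(is_default_deny(p, "Egress") for p in policies),
        "ingress_default_deny": any(is_default_deny(p, "Ingress") for p in policies),
        "wide_egress": wide_cidr_egress(policies),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES))
```

Feeding real manifests (for example the items list from `kubectl get netpol -n vault -o json`) into audit() gives the same report for a live namespace.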
Umbrella Branch
vault-bb-common