Commit

chore: auto-add istio ingress gateway namespace to AuthorizationPolicy
schahal committed Oct 30, 2024
1 parent ca85ca6 commit 9a18f19
Showing 10 changed files with 40 additions and 16 deletions.
2 changes: 1 addition & 1 deletion charts/nd-common/Chart.yaml
Expand Up @@ -2,5 +2,5 @@ apiVersion: v2
name: nd-common
description: A helper chart used by most of our other charts
type: library
version: 0.3.4
version: 0.3.5
appVersion: latest
2 changes: 1 addition & 1 deletion charts/nd-common/README.md
Expand Up @@ -2,7 +2,7 @@

A helper chart used by most of our other charts

![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
![Version: 0.3.5](https://img.shields.io/badge/Version-0.3.5-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)

**This chart is a [Library Chart](https://helm.sh/docs/topics/library_charts/)** -
this means that the chart itself deploys no resources, and has no `.yaml`
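Review bot: The only README change in this hunk is the version badge, so nothing here tells chart consumers that the `namespaces` list of the rendered AuthorizationPolicy now also grows from `virtualService.gateways`. Because this widens who may reach the workload, a sentence in the chart description stating that the namespace part of each gateway is allowed automatically when `virtualService.enabled` is true would make the behaviour discoverable.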
23 changes: 21 additions & 2 deletions charts/nd-common/templates/_authorizationpolicy.tpl
Expand Up @@ -16,6 +16,22 @@ Via https://istio.io/latest/docs/concepts/security/#allow-nothing-deny-all-and-a
policy with the ALLOW action.
- */}}
{{- define "nd-common.allAllowedNamespaces" -}}
{{- $res := .Values.network.allowedNamespaces -}}
{{- /*
Start off with allowedNamespaces, then append istio
ingress gateway namespaces
*/}}
{{- if .Values.virtualService.enabled -}}
{{- range .Values.virtualService.gateways -}}
{{- $gwParts := splitList "/" . -}}
{{- $res = append $res (first $gwParts) -}}
{{- end -}}
{{- end -}}
{{- $res | uniq | toYaml -}}
{{- end -}}
{{- define "nd-common.authorizationPolicy" }}
{{- if and .Values.istio.enabled (.Capabilities.APIVersions.Has "security.istio.io/v1beta1") }}
---
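Review bot: In `nd-common.allAllowedNamespaces`, `first $gwParts` is appended without checking that the gateway entry actually has a namespace part. Istio also accepts a bare gateway name (resolved in the VirtualService's own namespace) and the reserved word `mesh`; for either of those, the gateway name itself lands in the ALLOW rule as a namespace. Suggest appending only when `len $gwParts` is 2 and skipping or failing the render otherwise. Separately, `source.namespaces` admits every workload in the gateway's namespace, not only the ingress gateway, so the helper's comment should say that this is intended.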
Expand All @@ -32,11 +48,14 @@ spec:
- from:
- source:
namespaces: [{{ .Release.Namespace }}]
{{- if and .Values.ports (gt (len .Values.ports) 0) (gt (len .Values.network.allowedNamespaces) 0) }}
{{- if and
.Values.ports
(gt (len .Values.ports) 0)
(gt (len (fromYaml (include "nd-common.allAllowedNamespaces" .))) 0) }}
- from:
- source:
namespaces:
{{- toYaml .Values.network.allowedNamespaces | nindent 8 }}
{{- include "nd-common.allAllowedNamespaces" . | nindent 8 }}
to:
- operation:
ports:
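Review bot: The new guard `(gt (len (fromYaml (include "nd-common.allAllowedNamespaces" .))) 0)` cannot tell an empty list from a populated one. The helper renders a YAML sequence, while Helm's `fromYaml` decodes into a map and reports a parse failure under an `Error` key, so a sequence comes back as a one-entry map and `len` is 1 either way. With `allowedNamespaces: []` and no gateways, the second `from` block would now render with an empty `namespaces` list, where the previous condition skipped it. Suggest `fromYamlArray` here, and checking how Istio evaluates a source with an empty `namespaces` list before relying on the current output.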
4 changes: 2 additions & 2 deletions charts/rollout-app/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: rollout-app
description: Argo Rollout-based Application Helm Chart
type: application
version: 1.4.1
version: 1.4.2
appVersion: latest
maintainers:
- name: diranged
Expand All @@ -13,5 +13,5 @@ dependencies:
repository: https://k8s-charts.nextdoor.com
condition: istio-alerts.enabled
- name: nd-common
version: 0.3.4
version: 0.3.5
repository: file://../nd-common
4 changes: 2 additions & 2 deletions charts/rollout-app/README.md
Expand Up @@ -2,7 +2,7 @@

Argo Rollout-based Application Helm Chart

![Version: 1.4.1](https://img.shields.io/badge/Version-1.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
![Version: 1.4.2](https://img.shields.io/badge/Version-1.4.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)

[analysistemplate]: https://argoproj.github.io/argo-rollouts/features/analysis/?query=AnalysisTemplate#background-analysis
[argo_rollouts]: https://argoproj.github.io/argo-rollouts/
Expand Down Expand Up @@ -218,7 +218,7 @@ secretsEngine: sealed

| Repository | Name | Version |
|------------|------|---------|
| file://../nd-common | nd-common | 0.3.4 |
| file://../nd-common | nd-common | 0.3.5 |
| https://k8s-charts.nextdoor.com | istio-alerts | 0.5.2 |

## Values
4 changes: 2 additions & 2 deletions charts/simple-app/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: simple-app
description: Default Microservice Helm Chart
type: application
version: 1.12.1
version: 1.12.2
appVersion: latest
maintainers:
- name: diranged
Expand All @@ -13,5 +13,5 @@ dependencies:
repository: https://k8s-charts.nextdoor.com
condition: istio-alerts.enabled
- name: nd-common
version: 0.3.4
version: 0.3.5
repository: file://../nd-common
4 changes: 2 additions & 2 deletions charts/simple-app/README.md
Expand Up @@ -2,7 +2,7 @@

Default Microservice Helm Chart

![Version: 1.12.1](https://img.shields.io/badge/Version-1.12.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
![Version: 1.12.2](https://img.shields.io/badge/Version-1.12.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)

[deployments]: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
[hpa]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
Expand Down Expand Up @@ -368,7 +368,7 @@ secretsEngine: sealed

| Repository | Name | Version |
|------------|------|---------|
| file://../nd-common | nd-common | 0.3.4 |
| file://../nd-common | nd-common | 0.3.5 |
| https://k8s-charts.nextdoor.com | istio-alerts | 0.5.2 |

## Values
5 changes: 5 additions & 0 deletions charts/simple-app/values.local.yaml
Expand Up @@ -51,3 +51,8 @@ datadog:
network:
allowedNamespaces: [foo, bar]
allowAll: false

virtualService:
enabled: false
gateways:
- istio-gateways/foo-gateway
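Review bot: With `enabled: false` under `virtualService`, these local values never reach the new `range` over `gateways`, so a template render of this file still shows only `foo` and `bar` in the policy. Setting it to `true` here, or adding a second values file that does, would exercise the appended `istio-gateways` namespace and the `uniq` de-duplication in the rendered AuthorizationPolicy.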
4 changes: 2 additions & 2 deletions charts/stateful-app/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: stateful-app
description: Default StatefulSet Helm Chart
type: application
version: 1.4.1
version: 1.4.2
appVersion: latest
maintainers:
- name: diranged
Expand All @@ -13,5 +13,5 @@ dependencies:
repository: https://k8s-charts.nextdoor.com
condition: istio-alerts.enabled
- name: nd-common
version: 0.3.4
version: 0.3.5
repository: file://../nd-common
4 changes: 2 additions & 2 deletions charts/stateful-app/README.md
Expand Up @@ -2,7 +2,7 @@

Default StatefulSet Helm Chart

![Version: 1.4.1](https://img.shields.io/badge/Version-1.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
![Version: 1.4.2](https://img.shields.io/badge/Version-1.4.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)

[statefulsets]: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
[hpa]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
Expand Down Expand Up @@ -309,7 +309,7 @@ secretsEngine: sealed

| Repository | Name | Version |
|------------|------|---------|
| file://../nd-common | nd-common | 0.3.4 |
| file://../nd-common | nd-common | 0.3.5 |
| https://k8s-charts.nextdoor.com | istio-alerts | 0.5.2 |

## Values
