From 9a18f19dc6e1833654ab86bec178f6e6c1d303a1 Mon Sep 17 00:00:00 2001 From: Satbir Chahal Date: Tue, 29 Oct 2024 19:47:51 -0700 Subject: [PATCH 1/3] chore: auto-add istio ingress gateway namespace to AuthorizationPolicy --- charts/nd-common/Chart.yaml | 2 +- charts/nd-common/README.md | 2 +- .../templates/_authorizationpolicy.tpl | 23 +++++++++++++++++-- charts/rollout-app/Chart.yaml | 4 ++-- charts/rollout-app/README.md | 4 ++-- charts/simple-app/Chart.yaml | 4 ++-- charts/simple-app/README.md | 4 ++-- charts/simple-app/values.local.yaml | 5 ++++ charts/stateful-app/Chart.yaml | 4 ++-- charts/stateful-app/README.md | 4 ++-- 10 files changed, 40 insertions(+), 16 deletions(-) diff --git a/charts/nd-common/Chart.yaml b/charts/nd-common/Chart.yaml index ca3a06e..046686e 100644 --- a/charts/nd-common/Chart.yaml +++ b/charts/nd-common/Chart.yaml @@ -2,5 +2,5 @@ apiVersion: v2 name: nd-common description: A helper chart used by most of our other charts type: library -version: 0.3.4 +version: 0.3.5 appVersion: latest diff --git a/charts/nd-common/README.md b/charts/nd-common/README.md index fc7bfa4..a1976f5 100644 --- a/charts/nd-common/README.md +++ b/charts/nd-common/README.md @@ -2,7 +2,7 @@ A helper chart used by most of our other charts -![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) +![Version: 0.3.5](https://img.shields.io/badge/Version-0.3.5-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) **This chart is a [Library Chart](https://helm.sh/docs/topics/library_charts/)** - this means that the chart itself deploys no resources, and has no `.yaml` 
diff --git a/charts/nd-common/templates/_authorizationpolicy.tpl b/charts/nd-common/templates/_authorizationpolicy.tpl index b917d55..0960dfc 100644 --- a/charts/nd-common/templates/_authorizationpolicy.tpl +++ b/charts/nd-common/templates/_authorizationpolicy.tpl @@ -16,6 +16,22 @@ Via https://istio.io/latest/docs/concepts/security/#allow-nothing-deny-all-and-a policy with the ALLOW action. - */}} + +{{- define "nd-common.allAllowedNamespaces" -}} + {{- $res := .Values.network.allowedNamespaces -}} + {{- /* + Start off with allowedNamespaces, then append istio + ingress gateway namespaces + */}} + {{- if .Values.virtualService.enabled -}} + {{- range .Values.virtualService.gateways -}} + {{- $gwParts := splitList "/" . -}} + {{- $res = append $res (first $gwParts) -}} + {{- end -}} + {{- end -}} +{{- $res | uniq | toYaml -}} +{{- end -}} + {{- define "nd-common.authorizationPolicy" }} {{- if and .Values.istio.enabled (.Capabilities.APIVersions.Has "security.istio.io/v1beta1") }} --- @@ -32,11 +48,14 @@ spec: - from: - source: namespaces: [{{ .Release.Namespace }}] - {{- if and .Values.ports (gt (len .Values.ports) 0) (gt (len .Values.network.allowedNamespaces) 0) }} + {{- if and + .Values.ports + (gt (len .Values.ports) 0) + (gt (len (fromYaml (include "nd-common.allAllowedNamespaces" .))) 0) }} - from: - source: namespaces: - {{- toYaml .Values.network.allowedNamespaces | nindent 8 }} + {{- include "nd-common.allAllowedNamespaces" . | nindent 8 }} to: - operation: ports: diff --git a/charts/rollout-app/Chart.yaml b/charts/rollout-app/Chart.yaml index ee48499..6a8a7f3 100644 --- a/charts/rollout-app/Chart.yaml +++ b/charts/rollout-app/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: rollout-app description: Argo Rollout-based Application Helm Chart type: application -version: 1.4.1 +version: 1.4.2 appVersion: latest maintainers: - name: diranged 
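Review bot: The new guard `(gt (len (fromYaml (include "nd-common.allAllowedNamespaces" .))) 0)` in the spec hunk is always true: Helm's `fromYaml` unmarshals into a map and a YAML sequence fails that unmarshal, so the helper's list comes back as a one-key `{"Error": ...}` map of length 1. With `network.allowedNamespaces` empty and no gateways the rule then still renders with `namespaces: []`, and an empty source selector is, as far as I know, treated by Istio as unset, i.e. allow-from-anywhere on the listed ports, which is exactly what this ALLOW policy is meant to prevent. If the helper is kept, count the entries inside the helper or use `fromYamlArray` where the Helm version has it; PATCH 2 in this series drops the helper, which sidesteps the problem. The `nd-common.authorizationPolicy` define continues outside the hunk.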
@@ -13,5 +13,5 @@ dependencies: repository: https://k8s-charts.nextdoor.com condition: istio-alerts.enabled - name: nd-common - version: 0.3.4 + version: 0.3.5 repository: file://../nd-common diff --git a/charts/rollout-app/README.md b/charts/rollout-app/README.md index e7121a4..2b555ed 100644 --- a/charts/rollout-app/README.md +++ b/charts/rollout-app/README.md @@ -2,7 +2,7 @@ Argo Rollout-based Application Helm Chart -![Version: 1.4.1](https://img.shields.io/badge/Version-1.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) +![Version: 1.4.2](https://img.shields.io/badge/Version-1.4.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) [analysistemplate]: https://argoproj.github.io/argo-rollouts/features/analysis/?query=AnalysisTemplate#background-analysis [argo_rollouts]: https://argoproj.github.io/argo-rollouts/ @@ -218,7 +218,7 @@ secretsEngine: sealed | Repository | Name | Version | |------------|------|---------| -| file://../nd-common | nd-common | 0.3.4 | +| file://../nd-common | nd-common | 0.3.5 | | https://k8s-charts.nextdoor.com | istio-alerts | 0.5.2 | ## Values diff --git a/charts/simple-app/Chart.yaml b/charts/simple-app/Chart.yaml index a970e88..7bd667b 100644 --- a/charts/simple-app/Chart.yaml +++ b/charts/simple-app/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: simple-app description: Default Microservice Helm Chart type: application -version: 1.12.1 +version: 1.12.2 appVersion: latest maintainers: - name: diranged 
@@ -13,5 +13,5 @@ dependencies: repository: https://k8s-charts.nextdoor.com condition: istio-alerts.enabled - name: nd-common - version: 0.3.4 + version: 0.3.5 repository: file://../nd-common diff --git a/charts/simple-app/README.md b/charts/simple-app/README.md index cd9db61..8c98ed4 100644 --- a/charts/simple-app/README.md +++ b/charts/simple-app/README.md @@ -2,7 +2,7 @@ Default Microservice Helm Chart -![Version: 1.12.1](https://img.shields.io/badge/Version-1.12.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) +![Version: 1.12.2](https://img.shields.io/badge/Version-1.12.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) [deployments]: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ [hpa]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ @@ -368,7 +368,7 @@ secretsEngine: sealed | Repository | Name | Version | |------------|------|---------| -| file://../nd-common | nd-common | 0.3.4 | +| file://../nd-common | nd-common | 0.3.5 | | https://k8s-charts.nextdoor.com | istio-alerts | 0.5.2 | ## Values diff --git a/charts/simple-app/values.local.yaml b/charts/simple-app/values.local.yaml index a4f0486..55a50aa 100644 --- a/charts/simple-app/values.local.yaml +++ b/charts/simple-app/values.local.yaml @@ -51,3 +51,8 @@ datadog: network: allowedNamespaces: [foo, bar] allowAll: false + +virtualService: + enabled: false + gateways: + - istio-gateways/foo-gateway diff --git a/charts/stateful-app/Chart.yaml b/charts/stateful-app/Chart.yaml index 79d4a6d..b10fd38 100644 --- a/charts/stateful-app/Chart.yaml +++ b/charts/stateful-app/Chart.yaml 
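Review bot: The added `virtualService` fixture in values.local.yaml sets `enabled: false`, so if this file is what local `helm template`/lint runs use, the new gateway branch in `_authorizationpolicy.tpl` is never rendered and a wrong `{{- end }}` nesting there goes unnoticed. Consider `enabled: true` here (or a second values file) so the rendered AuthorizationPolicy actually shows the `istio-gateways` source rule, and a comment such as `# exercises the ingress-gateway namespace rule in the AuthorizationPolicy` on why the entry exists.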
@@ -2,7 +2,7 @@ apiVersion: v2 name: stateful-app description: Default StatefulSet Helm Chart type: application -version: 1.4.1 +version: 1.4.2 appVersion: latest maintainers: - name: diranged @@ -13,5 +13,5 @@ dependencies: repository: https://k8s-charts.nextdoor.com condition: istio-alerts.enabled - name: nd-common - version: 0.3.4 + version: 0.3.5 repository: file://../nd-common diff --git a/charts/stateful-app/README.md b/charts/stateful-app/README.md index c7332ad..5f0016d 100644 --- a/charts/stateful-app/README.md +++ b/charts/stateful-app/README.md @@ -2,7 +2,7 @@ Default StatefulSet Helm Chart -![Version: 1.4.1](https://img.shields.io/badge/Version-1.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) +![Version: 1.4.2](https://img.shields.io/badge/Version-1.4.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) [statefulsets]: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ [hpa]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ @@ -309,7 +309,7 @@ secretsEngine: sealed | Repository | Name | Version | |------------|------|---------| -| file://../nd-common | nd-common | 0.3.4 | +| file://../nd-common | nd-common | 0.3.5 | | https://k8s-charts.nextdoor.com | istio-alerts | 0.5.2 | ## Values From 069aa52d538f649379e85d86cf014af2977110b6 Mon Sep 17 00:00:00 2001 From: Satbir Chahal Date: Tue, 29 Oct 2024 21:03:02 -0700 Subject: [PATCH 2/3] Add gw namespaces as separate rule instead --- .../templates/_authorizationpolicy.tpl | 39 +++++++++---------- 1 file changed, 19 insertions(+), 20 deletions(-) 
diff --git a/charts/nd-common/templates/_authorizationpolicy.tpl b/charts/nd-common/templates/_authorizationpolicy.tpl index 0960dfc..547cf7d 100644 --- a/charts/nd-common/templates/_authorizationpolicy.tpl +++ b/charts/nd-common/templates/_authorizationpolicy.tpl @@ -17,21 +17,6 @@ policy with the ALLOW action. - */}} -{{- define "nd-common.allAllowedNamespaces" -}} - {{- $res := .Values.network.allowedNamespaces -}} - {{- /* - Start off with allowedNamespaces, then append istio - ingress gateway namespaces - */}} - {{- if .Values.virtualService.enabled -}} - {{- range .Values.virtualService.gateways -}} - {{- $gwParts := splitList "/" . -}} - {{- $res = append $res (first $gwParts) -}} - {{- end -}} - {{- end -}} -{{- $res | uniq | toYaml -}} -{{- end -}} - {{- define "nd-common.authorizationPolicy" }} {{- if and .Values.istio.enabled (.Capabilities.APIVersions.Has "security.istio.io/v1beta1") }} --- @@ -48,20 +33,34 @@ spec: - from: - source: namespaces: [{{ .Release.Namespace }}] - {{- if and - .Values.ports - (gt (len .Values.ports) 0) - (gt (len (fromYaml (include "nd-common.allAllowedNamespaces" .))) 0) }} + {{- if and .Values.ports (gt (len .Values.ports) 0) }} + {{- if gt (len .Values.network.allowedNamespaces) 0 }} - from: - source: namespaces: - {{- include "nd-common.allAllowedNamespaces" . | nindent 8 }} + {{- toYaml .Values.network.allowedNamespaces | nindent 8 }} to: - operation: ports: {{- range $port := .Values.ports }} - {{ $port.containerPort | quote }} {{- end }} + {{- if and .Values.virtualService.enabled (gt (len .Values.virtualService.gateways) 0) }} + - from: + - source: + namespaces: + {{- range .Values.virtualService.gateways }} + {{- $gwNamespace := first (splitList "/" .) }} + - {{ $gwNamespace | quote }} + {{- end }} + to: + - operation: + ports: + {{- range $port := .Values.ports }} + - {{ $port.containerPort | quote }} + {{- end }} + {{- end }} + {{- end }} {{- end }} {{- end }} {{- end }} 
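Review bot: The new gateway rule allows by `namespaces`, so every workload in the gateway namespace (e.g. `istio-gateways`), not only the ingress gateway, is granted access to all `.Values.ports`; if the gateway's service account is known a `principals:` entry (`cluster.local/ns/<ns>/sa/<gateway-sa>`) is the tighter grant, and at minimum the rule should carry a comment saying the grant is namespace-wide. `first (splitList "/" .)` also assumes every entry is `namespace/name`: a bare gateway name or Istio's reserved `mesh` entry would be emitted as a namespace literally named that, so entries without a `/` should be skipped (or mapped to `.Release.Namespace`, which is how Istio resolves a bare name, as far as I know), and two gateways in one namespace currently yield a duplicate entry that `uniq` would remove. The sketch below collects the namespaces first and only renders the rule when something remains.
```helm
      {{- if .Values.virtualService.enabled }}
      {{- /* Collect gateway namespaces; entries without a "ns/" prefix (bare names, "mesh") are skipped */ }}
      {{- $gwNamespaces := list }}
      {{- range .Values.virtualService.gateways }}
        {{- $parts := splitList "/" . }}
        {{- if gt (len $parts) 1 }}
          {{- $gwNamespaces = append $gwNamespaces (first $parts) }}
        {{- end }}
      {{- end }}
      {{- if gt (len $gwNamespaces) 0 }}
      {{- /* NOTE: this grants every workload in the gateway namespace, not only the ingress gateway */ }}
      - from:
        - source:
            namespaces:
            {{- toYaml (uniq $gwNamespaces) | nindent 8 }}
        to:
        {{- /* … unchanged: operation/ports range over .Values.ports … */ }}
      {{- end }}
      {{- end }}
```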
From 5f2eeae9fa9a10083f0a1a3004c926bba37d6b74 Mon Sep 17 00:00:00 2001 From: Satbir Chahal Date: Tue, 29 Oct 2024 21:10:41 -0700 Subject: [PATCH 3/3] Remove newline --- charts/nd-common/templates/_authorizationpolicy.tpl | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/nd-common/templates/_authorizationpolicy.tpl b/charts/nd-common/templates/_authorizationpolicy.tpl index 547cf7d..ed04f81 100644 --- a/charts/nd-common/templates/_authorizationpolicy.tpl +++ b/charts/nd-common/templates/_authorizationpolicy.tpl @@ -16,7 +16,6 @@ Via https://istio.io/latest/docs/concepts/security/#allow-nothing-deny-all-and-a policy with the ALLOW action. - */}} - {{- define "nd-common.authorizationPolicy" }} {{- if and .Values.istio.enabled (.Capabilities.APIVersions.Has "security.istio.io/v1beta1") }} --- @@ -45,6 +44,7 @@ spec: {{- range $port := .Values.ports }} - {{ $port.containerPort | quote }} {{- end }} + {{- end }} {{- if and .Values.virtualService.enabled (gt (len .Values.virtualService.gateways) 0) }} - from: - source: @@ -61,6 +61,5 @@ spec: {{- end }} {{- end }} {{- end }} - {{- end }} {{- end }} {{- end }}
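Review bot: The second hunk changes the rendered policy, not just whitespace: moving `{{- end }}` above the gateway rule takes it out of the `gt (len .Values.network.allowedNamespaces) 0` branch, so the gateway-namespace source rule is now emitted even when `network.allowedNamespaces` is empty, yet the subject says only "Remove newline", which hides a behavior change in an ALLOW policy from anyone reading history. Reword the subject (e.g. `fix: render gateway namespace rule independently of allowedNamespaces`) and add a comment above the gateway rule in the template, e.g. `{{- /* Ingress gateway namespaces get their own rule so they are allowed even when allowedNamespaces is empty */ }}`. The two `to.operation.ports` blocks now repeat the same `range $port := .Values.ports`; a small named template for the ports list would keep the two rules from drifting apart.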