AKS Baseline regulated - OSM ingress new configuration applied. (#52)

* AKS - regulated fix for 'Alert rule payload cannot be empty' issue with new scheduledQueryRules API version * OSM Ingress config
mspnp · Dec 14, 2021 · 847831f · 847831f
1 parent 171777c
commit 847831f
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 5 deletions.
diff --git a/cluster-manifests/ingress-nginx/namespace.yaml b/cluster-manifests/ingress-nginx/namespace.yaml
@@ -4,4 +4,5 @@ metadata:
   name: ingress-nginx
   labels:
     app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    openservicemesh.io/monitored-by: osm
diff --git a/cluster-manifests/kube-system/osm-config.yaml b/cluster-manifests/kube-system/osm-config.yaml
@@ -2,12 +2,27 @@ apiVersion: config.openservicemesh.io/v1alpha1
 kind: MeshConfig
 metadata:
   name: osm-mesh-config
+  namespace: kube-system
 spec:
   certificate:
+    certKeyBitSize: 2048
     serviceCertValidityDuration: 24h
+    ingressGateway:
+      secret:
+        name: osm-nginx-client-cert
+        namespace: ingress-nginx
+      subjectAltNames: 
+        - ingress-nginx.ingress-nginx.cluster.local
+      validityDuration: 24h
   featureFlags:
     enableEgressPolicy: true
-    enableWASMStats: false
+    enableWASMStats: true
+    enableMulticlusterMode: false
+    enableSnapshotCacheMode: false
+    enableAsyncProxyServiceMapping: false
+    enableIngressBackendPolicy: true
+    enableEnvoyActiveHealthChecks: false
+    enableRetryPolicy: false
   observability:
     enableDebugServer: false
     osmLogLevel: info
@@ -16,11 +31,12 @@ spec:
   sidecar:
     enablePrivilegedInitContainer: false
     logLevel: error
+    maxDataPlaneConnections: 0
   traffic:
     enableEgress: true
     enablePermissiveTrafficPolicyMode: false
     outboundIPRangeExclusionList:
       - 169.254.169.254/32
       - 168.63.129.16/32
       - 10.240.12.4/32
-    useHTTPSIngress: true
+
diff --git a/workload/a0005-i/web-frontend/ingress.yaml b/workload/a0005-i/web-frontend/ingress.yaml
@@ -12,7 +12,7 @@ metadata:
     nginx.ingress.kubernetes.io/backend-protocol: HTTPS
     nginx.ingress.kubernetes.io/configuration-snippet: |
       proxy_ssl_name "web-frontend-sa.a0005-i.cluster.local";
-    nginx.ingress.kubernetes.io/proxy-ssl-secret: kube-system/osm-ca-bundle
+    nginx.ingress.kubernetes.io/proxy-ssl-secret: ingress-nginx/osm-nginx-client-cert
     nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on"
     nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
     nginx.ingress.kubernetes.io/use-regex: "true"
@@ -31,4 +31,27 @@ spec:
           service:
             name: web-frontend
             port:
-              number: 8080
+              number: 8080
+---
+apiVersion: policy.openservicemesh.io/v1alpha1
+kind: IngressBackend
+metadata:
+  name: web-frontend
+  labels:
+    app.kubernetes.io/name: a0005
+    app.kubernetes.io/component: web-frontend
+    pci-scope: in-scope
+spec:
+  backends:
+  - name: web-frontend
+    port:
+      number: 8080
+      protocol: https
+    tls:
+      skipClientCertValidation: false
+  sources:
+  - kind: Service
+    namespace: ingress-nginx
+    name: ingress-nginx-controller
+  - kind: AuthenticatedPrincipal
+    name: ingress-nginx.ingress-nginx.cluster.local