diff options
author | Pramod <pramod.raghavendra.jayathirth@intel.com> | 2019-08-26 19:31:18 -0700 |
---|---|---|
committer | Pramod <pramod.raghavendra.jayathirth@intel.com> | 2019-09-23 17:13:55 -0700 |
commit | 70dd04d817b1505aca9aa38d87bddf210b6c8e54 (patch) | |
tree | 8829f4281b0ae899ef981fac559b7568be893de9 /deployments/helm/servicemesh/policy | |
parent | 7c1fb25948c06e4e0b572241ae292fc31a4f4af1 (diff) |
Add helm chart for Istio Policies
Issue-ID: MULTICLOUD-789
Signed-off-by: Pramod <pramod.raghavendra.jayathirth@intel.com>
Change-Id: I16d1c1df0e9d8955040c78f5e67e1dd50e761040
Diffstat (limited to 'deployments/helm/servicemesh/policy')
5 files changed, 107 insertions, 0 deletions
diff --git a/deployments/helm/servicemesh/policy/.helmignore b/deployments/helm/servicemesh/policy/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/deployments/helm/servicemesh/policy/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/deployments/helm/servicemesh/policy/Chart.yaml b/deployments/helm/servicemesh/policy/Chart.yaml new file mode 100644 index 00000000..cb940c08 --- /dev/null +++ b/deployments/helm/servicemesh/policy/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart for Istio Policy +name: policy +version: 0.1.0 diff --git a/deployments/helm/servicemesh/policy/templates/_helpers.tpl b/deployments/helm/servicemesh/policy/templates/_helpers.tpl new file mode 100644 index 00000000..5516ee45 --- /dev/null +++ b/deployments/helm/servicemesh/policy/templates/_helpers.tpl @@ -0,0 +1,25 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/deployments/helm/servicemesh/policy/templates/policy.yaml b/deployments/helm/servicemesh/policy/templates/policy.yaml new file mode 100644 index 00000000..fa51cedf --- /dev/null +++ b/deployments/helm/servicemesh/policy/templates/policy.yaml @@ -0,0 +1,33 @@ +{{/* +# Copyright 2019 Intel Corporation, Inc +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: "authentication.istio.io/v1alpha1" +kind: "Policy" +metadata: + name: {{ template "fullname" . }} + namespace: istio-system + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} +spec: + targets: + - name: {{ .Values.targetservice }} + peers: + - mtls: {} + origins: + - jwt: + issuer: {{ .Values.jwtissuer }} + jwksUri: {{ .Values.jwksUri }} + principalBinding: USE_ORIGIN diff --git a/deployments/helm/servicemesh/policy/values.yaml b/deployments/helm/servicemesh/policy/values.yaml new file mode 100644 index 00000000..03ccebb8 --- /dev/null +++ b/deployments/helm/servicemesh/policy/values.yaml @@ -0,0 +1,22 @@ +# Copyright @ 2019 Intel Corporation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +######################################################################## +# NOTE - UPDATE THE IP ADDRESS AND PORT OF Keycloak AUTHENTICATION +# SERVER BEFORE DEPLOYING THIS CHART.IF YOU ARE USING OTHER +# AUTHENTICATION MECHANISM,UPDATE THE "issuer" and "jwksUri" ACCORDINGLY +######################################################################## +targetservice: istio-ingressgateway +jwtissuer: "http://<AuthenticationServerIP:Port>/auth/realms/istio" +jwksUri: "http://<AuthenticationServerIP:Port>/auth/realms/istio/protocol/openid-connect/certs" |