aboutsummaryrefslogtreecommitdiffstats
path: root/deployments
diff options
context:
space:
mode:
Diffstat (limited to 'deployments')
-rw-r--r--deployments/helm/servicemesh/policy/.helmignore22
-rw-r--r--deployments/helm/servicemesh/policy/Chart.yaml5
-rw-r--r--deployments/helm/servicemesh/policy/templates/_helpers.tpl25
-rw-r--r--deployments/helm/servicemesh/policy/templates/policy.yaml33
-rw-r--r--deployments/helm/servicemesh/policy/values.yaml22
5 files changed, 107 insertions, 0 deletions
diff --git a/deployments/helm/servicemesh/policy/.helmignore b/deployments/helm/servicemesh/policy/.helmignore
new file mode 100644
index 00000000..50af0317
--- /dev/null
+++ b/deployments/helm/servicemesh/policy/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/deployments/helm/servicemesh/policy/Chart.yaml b/deployments/helm/servicemesh/policy/Chart.yaml
new file mode 100644
index 00000000..cb940c08
--- /dev/null
+++ b/deployments/helm/servicemesh/policy/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Istio Policy
+name: policy
+version: 0.1.0
diff --git a/deployments/helm/servicemesh/policy/templates/_helpers.tpl b/deployments/helm/servicemesh/policy/templates/_helpers.tpl
new file mode 100644
index 00000000..5516ee45
--- /dev/null
+++ b/deployments/helm/servicemesh/policy/templates/_helpers.tpl
@@ -0,0 +1,25 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/deployments/helm/servicemesh/policy/templates/policy.yaml b/deployments/helm/servicemesh/policy/templates/policy.yaml
new file mode 100644
index 00000000..fa51cedf
--- /dev/null
+++ b/deployments/helm/servicemesh/policy/templates/policy.yaml
@@ -0,0 +1,33 @@
+{{/*
+# Copyright 2019 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+apiVersion: "authentication.istio.io/v1alpha1"
+kind: "Policy"
+metadata:
+ name: {{ template "fullname" . }}
+ namespace: istio-system
+ labels:
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+spec:
+ targets:
+ - name: {{ .Values.targetservice }}
+ peers:
+ - mtls: {}
+ origins:
+ - jwt:
+ issuer: {{ .Values.jwtissuer }}
+ jwksUri: {{ .Values.jwksUri }}
+ principalBinding: USE_ORIGIN
diff --git a/deployments/helm/servicemesh/policy/values.yaml b/deployments/helm/servicemesh/policy/values.yaml
new file mode 100644
index 00000000..03ccebb8
--- /dev/null
+++ b/deployments/helm/servicemesh/policy/values.yaml
@@ -0,0 +1,22 @@
+# Copyright @ 2019 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+########################################################################
+# NOTE - UPDATE THE IP ADDRESS AND PORT OF Keycloak AUTHENTICATION
+# SERVER BEFORE DEPLOYING THIS CHART.IF YOU ARE USING OTHER
+# AUTHENTICATION MECHANISM,UPDATE THE "issuer" and "jwksUri" ACCORDINGLY
+########################################################################
+targetservice: istio-ingressgateway
+jwtissuer: "http://<AuthenticationServerIP:Port>/auth/realms/istio"
+jwksUri: "http://<AuthenticationServerIP:Port>/auth/realms/istio/protocol/openid-connect/certs"