diff options
Diffstat (limited to 'deployments')
5 files changed, 107 insertions, 0 deletions
diff --git a/deployments/helm/servicemesh/policy/.helmignore b/deployments/helm/servicemesh/policy/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/deployments/helm/servicemesh/policy/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/deployments/helm/servicemesh/policy/Chart.yaml b/deployments/helm/servicemesh/policy/Chart.yaml new file mode 100644 index 00000000..cb940c08 --- /dev/null +++ b/deployments/helm/servicemesh/policy/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart for Istio Policy +name: policy +version: 0.1.0 diff --git a/deployments/helm/servicemesh/policy/templates/_helpers.tpl b/deployments/helm/servicemesh/policy/templates/_helpers.tpl new file mode 100644 index 00000000..5516ee45 --- /dev/null +++ b/deployments/helm/servicemesh/policy/templates/_helpers.tpl @@ -0,0 +1,25 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/deployments/helm/servicemesh/policy/templates/policy.yaml b/deployments/helm/servicemesh/policy/templates/policy.yaml new file mode 100644 index 00000000..fa51cedf --- /dev/null +++ b/deployments/helm/servicemesh/policy/templates/policy.yaml @@ -0,0 +1,33 @@ +{{/* +# Copyright 2019 Intel Corporation, Inc +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: "authentication.istio.io/v1alpha1" +kind: "Policy" +metadata: + name: {{ template "fullname" . }} + namespace: istio-system + labels: + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} +spec: + targets: + - name: {{ .Values.targetservice }} + peers: + - mtls: {} + origins: + - jwt: + issuer: {{ .Values.jwtissuer }} + jwksUri: {{ .Values.jwksUri }} + principalBinding: USE_ORIGIN diff --git a/deployments/helm/servicemesh/policy/values.yaml b/deployments/helm/servicemesh/policy/values.yaml new file mode 100644 index 00000000..03ccebb8 --- /dev/null +++ b/deployments/helm/servicemesh/policy/values.yaml @@ -0,0 +1,22 @@ +# Copyright @ 2019 Intel Corporation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +######################################################################## +# NOTE - UPDATE THE IP ADDRESS AND PORT OF Keycloak AUTHENTICATION +# SERVER BEFORE DEPLOYING THIS CHART.IF YOU ARE USING OTHER +# AUTHENTICATION MECHANISM,UPDATE THE "issuer" and "jwksUri" ACCORDINGLY +######################################################################## +targetservice: istio-ingressgateway +jwtissuer: "http://<AuthenticationServerIP:Port>/auth/realms/istio" +jwksUri: "http://<AuthenticationServerIP:Port>/auth/realms/istio/protocol/openid-connect/certs" |