diff options
| author |   Andreas Geissler <andreas-geissler@telekom.de> | 2024-04-24 15:38:24 +0200 |
|---|---|---|
| committer | Andreas Geissler <andreas-geissler@telekom.de> | 2024-06-05 13:49:50 +0200 |
| commit | e9f67624d1f5e25d24c951e385661341baa21830 (patch) | |
| tree | 5c76da9347276454bee590369905b5b35b0489dc /kubernetes/authentication/templates/authorizationpolicy.yaml | |
| parent | 53fe20dc15c0e23c27bee5c1450340e454b8945b (diff) | |
[AUTHENTICATION] Restructured keycloak and Oauth2-proxy
Changed keycloak-init to "authentication"
and moved as root chart
Moved oauth2-proxy to onap-authentication and updated
to version 7.5.4
Use TCL proposal for REALM creation.
Update keycloak-config-cli version to 5.12.0.
Ingress AuthorizationPolicy creation for all defined accessRoles
in the configured realms
Issue-ID: OOM-3292
Issue-ID: OOM-3268
Change-Id: I0901cd416ca5da871931d7cf084cd35c55f804f1
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
Diffstat (limited to 'kubernetes/authentication/templates/authorizationpolicy.yaml')
| -rw-r--r-- | kubernetes/authentication/templates/authorizationpolicy.yaml | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/kubernetes/authentication/templates/authorizationpolicy.yaml b/kubernetes/authentication/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..f4857bdbac --- /dev/null +++ b/kubernetes/authentication/templates/authorizationpolicy.yaml @@ -0,0 +1,90 @@ +{{/* +# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.ingressAuthentication.enabled }} +--- +{{- $dot := . }} +{{- range $index, $realm := .Values.realmSettings }} +{{- range $key, $accessRole := $realm.accessControl.accessRoles }} +{{- range $index, $role := get $realm.accessControl.accessRoles $key }} +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: {{ $key }}-{{ $role.name }}-jwt + namespace: istio-ingress +spec: + action: ALLOW + rules: + - to: + - operation: + hosts: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $role.servicePrefix) }} + methods: + {{- range $role.methodsAllowed }} + - {{ . }} + {{- end }} + when: + - key: request.auth.claims[onap_roles] + values: + - {{ $role.name }} + selector: + matchLabels: + istio: ingress +--- +{{- end }} +{{- end }} +{{- end }} +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: {{ .Release.Name }}-custom-action + namespace: istio-ingress +spec: + action: CUSTOM + provider: + name: oauth2-proxy + rules: + - to: + - operation: + notHosts: + {{- if .Values.ingressAuthentication.exceptions }} + {{- range $index, $url := .Values.ingressAuthentication.exceptions }} + - {{ tpl $url $dot }} + {{- end }} + {{- end }} + selector: + matchLabels: + istio: ingress +--- +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: {{ .Release.Name }}-allowed-exceptions + namespace: istio-ingress +spec: + action: ALLOW + rules: + - to: + - operation: + hosts: + {{- if .Values.ingressAuthentication.exceptions }} + {{- range $index, $url := .Values.ingressAuthentication.exceptions }} + - {{ tpl $url $dot }} + {{- end }} + {{- end }} + selector: + matchLabels: + istio: ingress +{{- end }}
\ No newline at end of file |