diff options
Diffstat (limited to 'kubernetes/common')
| -rw-r--r-- | kubernetes/common/common/templates/_labels.tpl | 1 | ||||
| -rw-r--r-- | kubernetes/common/common/templates/_serviceMesh.tpl | 79 | ||||
| -rw-r--r-- | kubernetes/common/network-name-gen/Chart.yaml | 2 | ||||
| -rw-r--r-- | kubernetes/common/network-name-gen/values.yaml | 3 |
4 files changed, 84 insertions, 1 deletions
diff --git a/kubernetes/common/common/templates/_labels.tpl b/kubernetes/common/common/templates/_labels.tpl index 993fb7dfac..f2bd1a1141 100644 --- a/kubernetes/common/common/templates/_labels.tpl +++ b/kubernetes/common/common/templates/_labels.tpl @@ -26,6 +26,7 @@ The function takes several arguments (inside a dictionary): {{- define "common.labels" -}} {{- $dot := default . .dot -}} app.kubernetes.io/name: {{ include "common.name" $dot }} +app: {{ include "common.name" $dot }} {{ if not .ignoreHelmChart }} helm.sh/chart: {{ include "common.chart" $dot }} {{- end }} diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl index a685a73627..3ba945ee8b 100644 --- a/kubernetes/common/common/templates/_serviceMesh.tpl +++ b/kubernetes/common/common/templates/_serviceMesh.tpl @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Amdocs, Bell Canada, Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -66,3 +67,81 @@ exit "$RCODE" fieldPath: metadata.namespace {{- end }} {{- end }} + +{{/* + Use Authorization Policies or not. +*/}} +{{- define "common.useAuthorizationPolicies" -}} +{{- if (include "common.onServiceMesh" .) }} +{{- if .Values.global.authorizationPolicies -}} +{{- if (default false .Values.global.authorizationPolicies.enabled) -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Create Authorization Policy template. + If common.useAuthorizationPolicies returns true: + Will create authorization policy, provided with array of authorized principals in .Values.serviceMesh.authorizationPolicy.authorizedPrincipals + in the format: + authorizedPrincipals: + - serviceAccount: <serviceaccount name> (Mandatory) + namespace: <namespace name> (Optional, will default to onap) + allowedOperationMethods: <list of allowed HTTP operations (Optional, will default to ["GET", "POST", "PUT", "PATCH", "DELETE"]) + + If no authorizedPrincipals provided, will default to denying all requests to the app matched under the + spec: + selector: + matchLabels: + app.kubernetes.io/name: <app-to-match> ("app.kubernetes.io/name" corresponds to key defined in "common.labels", which is included in "common.service") + + If common.useAuthorizationPolicies returns false: + Will not create an authorization policy +*/}} +{{- define "common.authorizationPolicy" -}} +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}} +{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}} +{{- $relName := include "common.release" . -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}} + namespace: {{ include "common.namespace" . }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ include "common.servicename" . }} + action: ALLOW + rules: +{{- if $authorizedPrincipals }} +{{- range $principal := $authorizedPrincipals }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + methods: +{{- if $principal.allowedOperationMethods }} +{{- range $method := $principal.allowedOperationMethods }} + - {{ $method }} +{{- end }} +{{- else }} +{{- range $method := $defaultOperationMethods }} + - {{ $method }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/kubernetes/common/network-name-gen/Chart.yaml b/kubernetes/common/network-name-gen/Chart.yaml index 17eaa684d8..08d50145ec 100644 --- a/kubernetes/common/network-name-gen/Chart.yaml +++ b/kubernetes/common/network-name-gen/Chart.yaml @@ -33,4 +33,4 @@ dependencies: - name: mariadb-init
version: ~12.x-0
repository: 'file://../mariadb-init'
- condition: not global.mariadbGalera.localCluster
\ No newline at end of file + condition: global.mariadbGalera.globalCluster
\ No newline at end of file diff --git a/kubernetes/common/network-name-gen/values.yaml b/kubernetes/common/network-name-gen/values.yaml index dcf85fee39..8b8848b8aa 100644 --- a/kubernetes/common/network-name-gen/values.yaml +++ b/kubernetes/common/network-name-gen/values.yaml @@ -26,7 +26,10 @@ global: mariadbGalera: &mariadbGalera #This flag allows SO to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) localCluster: false + globalCluster: true service: mariadb-galera internalPort: 3306 nameOverride: mariadb-galera |