From 5f4bff4c9b0165caf6bfa7a1e177bff81edbb415 Mon Sep 17 00:00:00 2001
From: Daniel Scholl <daniel.scholl@microsoft.com>
Date: Wed, 18 Nov 2020 00:31:01 -0500
Subject: [PATCH] Azure Only - Helm Chart Updates

---
 devops/azure/chart/templates/deployment.yaml  |  2 +-
 .../chart/templates/istio-auth-policy.yaml    | 37 +++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 devops/azure/chart/templates/istio-auth-policy.yaml

diff --git a/devops/azure/chart/templates/deployment.yaml b/devops/azure/chart/templates/deployment.yaml
index 5a9677845..92ec4a61d 100644
--- a/devops/azure/chart/templates/deployment.yaml
+++ b/devops/azure/chart/templates/deployment.yaml
@@ -48,7 +48,7 @@ spec:
             cpu: "300m"
         readinessProbe:
           httpGet:
-            path: /api/legal/v1/actuator/health
+            path: /api/legal/v1/swagger-ui.html
             port: 80
         volumeMounts:
         - name: azure-keyvault
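Review bot: The readiness probe at `path: /api/legal/v1/swagger-ui.html` now checks a static documentation page instead of the service's health endpoint. A pod is therefore reported ready whenever the Swagger UI is served, regardless of application health, and it would never become ready if the UI were later disabled as a hardening step. The AuthorizationPolicy added in this same patch exempts `*/actuator/health` from the JWT requirement, so the probe could presumably stay on `path: /api/legal/v1/actuator/health` without being denied. If the health endpoint had to be abandoned for another reason, record it above the probe, e.g. `# readiness uses swagger-ui.html because <reason>`. The container spec continues outside this hunk.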
diff --git a/devops/azure/chart/templates/istio-auth-policy.yaml b/devops/azure/chart/templates/istio-auth-policy.yaml
new file mode 100644
index 000000000..c74fcb629
--- /dev/null
+++ b/devops/azure/chart/templates/istio-auth-policy.yaml
@@ -0,0 +1,37 @@
+#  Copyright © Microsoft Corporation
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ .Chart.Name }}-jwt-authz
+  namespace: osdu
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Chart.Name }}
+  action: DENY
+  rules:
+    - from:
+        - source:
+            notRequestPrincipals: ["*"]
+      to:
+        - operation:
+            notPaths: ["/","*/index.html",
+                       "*/v2/api-docs",
+                       "*/configuration/ui","*/configuration/security",
+                       "*/swagger","*/swagger-ui.html","*/swagger-resources",
+                       "*/actuator/health", "*/_ah/readiness_check", "*/_ah/liveness_check",
+                       "/api/{{ .Chart.Name }}/v1/swagger-resources/*",
+                       "/api/{{ .Chart.Name }}/v1/webjars/*"]
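Review bot: Most `notPaths` entries are leading-wildcard suffix matches (`"*/swagger-ui.html"`, `"*/actuator/health"`, `"*/configuration/security"` and the rest), so any request path ending in one of those strings skips the JWT requirement, not only this service's own routes. Since this is a DENY rule with negative matching, every entry is an unauthenticated exemption and should be as narrow as possible, anchored like the last two entries: `"/api/{{ .Chart.Name }}/v1/actuator/health",` and `"/api/{{ .Chart.Name }}/v1/swagger-ui.html",`. The rule also depends on `notRequestPrincipals: ["*"]`, which is only meaningful when a RequestAuthentication validates the token. None is added in this patch, so it presumably lives elsewhere in the chart or mesh. A comment above `rules:` would document both points, e.g. `# Deny requests without a validated JWT principal, except the public paths below; requires the mesh RequestAuthentication`.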
-- 
GitLab