From 4f72fd9318d7ab3d2e4fc936242e2164c6bf03d1 Mon Sep 17 00:00:00 2001
From: "Nastassia Rabeichykava (EPAM)" <nastassia_rabeichykava@epam.com>
Date: Wed, 9 Mar 2022 09:32:15 +0000
Subject: [PATCH] GONRG-4306: istio policy for partition

---
 .../partition-authorization-policy.yml        | 52 +++++++++++++++++++
 .../partition-peer-authentication.yml         | 10 ++++
 devops/gcp/deploy/values.yaml                 | 11 ++++
 3 files changed, 73 insertions(+)
 create mode 100644 devops/gcp/deploy/templates/partition-authorization-policy.yml
 create mode 100644 devops/gcp/deploy/templates/partition-peer-authentication.yml

diff --git a/devops/gcp/deploy/templates/partition-authorization-policy.yml b/devops/gcp/deploy/templates/partition-authorization-policy.yml
new file mode 100644
index 000000000..8b7d4e9fe
--- /dev/null
+++ b/devops/gcp/deploy/templates/partition-authorization-policy.yml
@@ -0,0 +1,52 @@
+{{- if .Values.conf.on_prem_enabled }}
+{{- range $key, $spec := .Values.authorizations }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ (print $key "-default") | lower | quote }}
+  labels:
+    app.kubernetes.io/name: {{ $key | quote }}
+    app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
+  namespace: {{ $.Release.Namespace | quote }}
+spec:
+  selector:
+    matchLabels:
+{{- toYaml $spec.matchLabels | nindent 6 }}
+  action: ALLOW
+  rules:
+  {{- range $rule := $spec.rules }}
+  - from:
+    - source:
+        principals: 
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/entitlements-k8s
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/search-k8s
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/storage-k8s
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/register-k8s
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/notification-k8s
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/indexer-k8s
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/indexer-queue-k8s
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/schema-k8s
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/legal-k8s
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/file-k8s
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/dataset-k8s
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/legal-k8s
+    to:
+    - operation:
+        methods:
+        - GET
+        paths:
+        - /api/partition/v1/*
+  - from:
+    - source:
+        principals: 
+         - cluster.local/ns/{{ $rule.bootstrap_namespace }}/sa/workload-gke-bootstrap-sa
+    to:
+    - operation:
+        methods:
+        - POST
+        - PATCH
+        paths:
+        - /api/partition/v1/*
+{{- end }}
+{{- end }}
+{{- end }}
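Review bot: The outer `range` over `.Values.authorizations` emits a complete AuthorizationPolicy document per entry but never writes a `---` separator, so a second entry in `authorizations` would render into one document with a repeated `apiVersion:` key and fail to parse; add the separator right after the range, `{{- range $key, $spec := .Values.authorizations }}` / `---`. The inner `range $rule := $spec.rules` also re-emits the whole GET rule (the eleven hard-coded `-k8s` principals) on every iteration, so it only makes sense with exactly one rule entry; consider hoisting the GET rule above the inner range. `legal-k8s` appears twice in the GET principals (once near the top of the list and again as the last entry) — presumably a different service account was intended for the second one, which is worth confirming since a missing caller would be silently denied by this ALLOW policy. The two `principals:` lines also carry trailing whitespace and the bootstrap principal is indented one column deeper than the others.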
diff --git a/devops/gcp/deploy/templates/partition-peer-authentication.yml b/devops/gcp/deploy/templates/partition-peer-authentication.yml
new file mode 100644
index 000000000..e245d8b30
--- /dev/null
+++ b/devops/gcp/deploy/templates/partition-peer-authentication.yml
@@ -0,0 +1,10 @@
+{{- if .Values.conf.on_prem_enabled }}
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: {{ (print .Release.Namespace "-peer-policy") | lower | quote }}
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  mtls:
+    mode: {{ .Values.namespacePolicy.mtlsMode | quote }}
+{{- end }}
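Review bot: This PeerAuthentication has no `selector`, so it is namespace-wide and governs mTLS for every workload in `.Release.Namespace`, not just partition, and its name is derived solely from the namespace. If the sibling services named in the authorization policy (entitlements, search, storage, ...) are deployed from separate releases into the same namespace with the same template, the fixed name collides and Helm will refuse to adopt a resource owned by another release; either scope it to this workload with `selector: { matchLabels: { app: partition } }` or include `.Release.Name` in the name. Note that the ALLOW policy in this commit matches on `principals`, which are only populated for mTLS connections, so setting `mtlsMode` to `PERMISSIVE` does not open the API to plaintext callers — they simply fail to match and are denied — which is worth stating in a comment on `mtlsMode`.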
diff --git a/devops/gcp/deploy/values.yaml b/devops/gcp/deploy/values.yaml
index 8d06527d0..091a20db8 100644
--- a/devops/gcp/deploy/values.yaml
+++ b/devops/gcp/deploy/values.yaml
@@ -14,3 +14,14 @@ data:
 conf:
   configmap: "partition-config"
   app_name: "partition"
+  on_prem_enabled: false
+
+namespacePolicy:
+  mtlsMode: STRICT
+
+authorizations:
+  partitionPolicy:
+    matchLabels:
+      app: partition
+    rules:
+    - bootstrap_namespace: config
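Review bot: The new values have no comments explaining how they are consumed, and the shape of `authorizations` (a map keyed by policy name, with `matchLabels` and a `rules` list) is only discoverable by reading the template. Document the keys where they are defined: above `on_prem_enabled`, `# Render the Istio PeerAuthentication and AuthorizationPolicy for partition (on-prem only)`; above `bootstrap_namespace`, `# Namespace of the workload-gke-bootstrap-sa service account granted POST/PATCH on /api/partition/v1/*`. It is also worth noting in a comment that the GET-allowed service accounts are hard-coded in the template and cannot be adjusted from values.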
-- 
GitLab