GONRG-4778: Reconfigure authorization policy for Partition

db873084 · Yauheni Rykhter (EPAM) · Oleksandr Kosse (EPAM) · 56c44804 · db873084 · db873084
Commit db873084 authored 2 years ago by Yauheni Rykhter (EPAM) Committed by Oleksandr Kosse (EPAM) 2 years ago
--- a/devops/gcp/deploy/templates/partition-authorization-policy.yml
+++ b/devops/gcp/deploy/templates/partition-authorization-policy.yml
@@ -14,22 +14,27 @@ spec:
 {{- toYaml $spec.matchLabels | nindent 6 }}
  action: ALLOW
  rules:
-  {{- range $rule := $spec.rules }}
  - from:
    - source:
-        principals: 
-        - cluster.local/ns/{{ $.Release.Namespace }}/sa/entitlements-k8s
-        - cluster.local/ns/{{ $.Release.Namespace }}/sa/search-k8s
-        - cluster.local/ns/{{ $.Release.Namespace }}/sa/storage-k8s
-        - cluster.local/ns/{{ $.Release.Namespace }}/sa/register-k8s
-        - cluster.local/ns/{{ $.Release.Namespace }}/sa/notification-k8s
-        - cluster.local/ns/{{ $.Release.Namespace }}/sa/indexer-k8s
-        - cluster.local/ns/{{ $.Release.Namespace }}/sa/indexer-queue-k8s
-        - cluster.local/ns/{{ $.Release.Namespace }}/sa/schema-k8s
-        - cluster.local/ns/{{ $.Release.Namespace }}/sa/legal-k8s
-        - cluster.local/ns/{{ $.Release.Namespace }}/sa/file-k8s
-        - cluster.local/ns/{{ $.Release.Namespace }}/sa/dataset-k8s
-        - cluster.local/ns/{{ $.Release.Namespace }}/sa/legal-k8s
+        principals:
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/crs-catalog
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/crs-conversion
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/dataset
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/entitlements
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/file
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/indexer
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/indexer-queue
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/legal
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/notification
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/register
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/schema
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/search
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/seismic-store
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/storage
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/unit
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/well-delivery
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/wks
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/workflow
    to:
    - operation:
        methods:
@@ -39,14 +44,15 @@ spec:
  - from:
    - source:
        principals: 
-         - cluster.local/ns/{{ $rule.bootstrap_namespace }}/sa/workload-gke-bootstrap-sa
+        - cluster.local/ns/{{ $.Release.Namespace }}/sa/bootstrap-sa
    to:
    - operation:
        methods:
        - POST
+        - PUT
        - PATCH
+        - GET
        paths:
        - /api/partition/v1/*
 {{- end }}
 {{- end }}
-{{- end }}
--- a/devops/gcp/deploy/values.yaml
+++ b/devops/gcp/deploy/values.yaml
@@ -25,5 +25,3 @@ authorizations:
  partitionPolicy:
    matchLabels:
      app: partition
-    rules:
-      - bootstrap_namespace: config