{{- if and .Values.istio.enabled .Values.istio.ipBlocks }}
# Source-IP restriction for Argo CD, enforced at the Istio ingress gateway.
# Rendered only when istio.enabled is set AND istio.ipBlocks is non-empty:
# an unset or empty ipBlocks list produces no policy at all, so no IP
# restriction is applied in that case.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: argocd-deny-not-in-ipblocks
  namespace: istio-system
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
  # Applies to workloads in istio-system labelled app=istio-ingressgateway.
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  # A request is denied only when BOTH the source and the when clause match.
  - from:
    - source:
        # notIpBlocks is evaluated against the peer address the gateway sees.
        # NOTE(review): if a load balancer or proxy fronts the gateway without
        # preserving the client address, this list is compared with the proxy
        # address instead - verify source-IP preservation, or evaluate
        # notRemoteIpBlocks together with the mesh's trusted-hop settings.
        notIpBlocks:
        {{- toYaml .Values.istio.ipBlocks | nindent 8 }}
    when:
    # connection.sni is a TLS server name, i.e. a bare hostname.
    # NOTE(review): the value is taken from argo-cd server.config.url; if that
    # setting carries a scheme, port or path the condition never matches and
    # the policy denies nothing - confirm it holds only the hostname.
    # NOTE(review): the rule is scoped by SNI only; confirm the gateway does
    # not route to Argo CD for connections presenting a different server name.
    - key: connection.sni
      values:
      - "{{ index .Values "argo-cd" "server" "config" "url" }}"
{{- end }}