ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 21 Packages Projects Releases Wiki Activity

Add optional istio ingress policies to metrics

Browse Source
This commit is contained in:
Stefan Reimer 2020-08-06 11:34:32 +00:00
parent 5a46bc784f
commit 2a6449a0b2
4 changed files with 55 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
charts/kubezero-metrics/Chart.yaml
View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-metrics name: kubezero-metrics
description: KubeZero Umbrella Chart for prometheus-operator description: KubeZero Umbrella Chart for prometheus-operator
type: application type: application
version: 0.1.1 version: 0.1.2
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:

49
charts/kubezero-metrics/templates/istio-authorization-policy.yaml Normal file
View File

@ -0,0 +1,49 @@
{{- if .Values.grafana.istio.enabled }}
{{- if .Values.grafana.istio.ipBlocks }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: grafana-deny-not-in-ipblocks
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
action: DENY
rules:
- from:
- source:
notIpBlocks:
{{- with .Values.grafana.istio.ipBlocks }}
{{- . | toYaml | nindent 8 }}
{{- end }}
to:
- operation:
hosts: ["{{ .Values.grafana.istio.url }}"]
{{- end }}
{{- end }}
---
{{- if .Values.prometheus.istio.enabled }}
{{- if .Values.prometheus.istio.ipBlocks }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: prometheus-deny-not-in-ipblocks
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
action: DENY
rules:
- from:
- source:
notIpBlocks:
{{- with .Values.prometheus.istio.ipBlocks }}
{{- . | toYaml | nindent 8 }}
{{- end }}
to:
- operation:
hosts: ["{{ .Values.prometheus.istio.url }}"]
{{- end }}
{{- end }}

1
charts/kubezero-metrics/values.yaml
View File

@ -1,6 +1,7 @@
grafana: grafana:
istio: istio:
enabled: false enabled: false
ipBlocks: []
url: "" url: ""
gateway: ingressgateway.istio-system.svc.cluster.local gateway: ingressgateway.istio-system.svc.cluster.local

6
deploy/templates/values.yaml
View File

@ -116,9 +116,11 @@ kubezero:
{{- toYaml . | nindent 10 }} {{- toYaml . | nindent 10 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.metrics.prometheus-operator }} {{- if index .Values "metrics" "prometheus-operator" }}
prometheus-operator: prometheus-operator:
{{- toYaml .Values.metrics.prometheus-operator | nindent 8 }} {{- with index .Values "metrics" "prometheus-operator" }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }} {{- end }}
argo-cd: argo-cd: