Add optional istio ingress policies to metrics

2020-08-06 11:34:32 +00:00 · 2020-08-06 11:34:32 +00:00 · 2a6449a0b2
commit 2a6449a0b2
parent 5a46bc784f
4 changed files with 55 additions and 3 deletions
--- a/charts/kubezero-metrics/Chart.yaml
+++ b/charts/kubezero-metrics/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-metrics
 description: KubeZero Umbrella Chart for prometheus-operator
 type: application
-version: 0.1.1
+version: 0.1.2
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
--- a/charts/kubezero-metrics/templates/istio-authorization-policy.yaml
+++ b/charts/kubezero-metrics/templates/istio-authorization-policy.yaml
@ -0,0 +1,49 @@
+{{- if .Values.grafana.istio.enabled }}
+{{- if .Values.grafana.istio.ipBlocks }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: grafana-deny-not-in-ipblocks
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+  action: DENY
+  rules:
+  - from:
+    - source:
+        notIpBlocks:
+        {{- with .Values.grafana.istio.ipBlocks }}
+        {{- . | toYaml | nindent 8 }}
+        {{- end }}
+    to:
+    - operation:
+        hosts: ["{{ .Values.grafana.istio.url }}"]
+{{- end }}
+{{- end }}
+---
+{{- if .Values.prometheus.istio.enabled }}
+{{- if .Values.prometheus.istio.ipBlocks }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: prometheus-deny-not-in-ipblocks
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+  action: DENY
+  rules:
+  - from:
+    - source:
+        notIpBlocks:
+        {{- with .Values.prometheus.istio.ipBlocks }}
+        {{- . | toYaml | nindent 8 }}
+        {{- end }}
+    to:
+    - operation:
+        hosts: ["{{ .Values.prometheus.istio.url }}"]
+{{- end }}
+{{- end }}
--- a/charts/kubezero-metrics/values.yaml
+++ b/charts/kubezero-metrics/values.yaml
@ -1,6 +1,7 @@
 grafana:
  istio:
    enabled: false
+    ipBlocks: []
    url: ""
    gateway: ingressgateway.istio-system.svc.cluster.local

--- a/deploy/templates/values.yaml
+++ b/deploy/templates/values.yaml
@ -116,9 +116,11 @@ kubezero:
          {{- toYaml . | nindent 10 }}
          {{- end }}
      {{- end }}
-      {{- if .Values.metrics.prometheus-operator }}
+      {{- if index .Values "metrics" "prometheus-operator" }}
      prometheus-operator:
-      {{- toYaml .Values.metrics.prometheus-operator | nindent 8 }}
+        {{- with index .Values "metrics" "prometheus-operator" }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
      {{- end }}

 argo-cd: