Allow Argo-CD to listen on public ingress, add argo-cd istio policy

Stefan Reimer 2020-07-24 11:07:25 +00:00
parent 84b7be318d
commit 5b9d02db18
5 changed files with 27 additions and 2 deletions


@ -1,7 +1,7 @@
apiVersion: v2
description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
name: kubezero-argo-cd
version: 0.3.2
version: 0.3.3
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:


@ -0,0 +1,23 @@
{{- if index .Values "argo-cd" "istio" "enabled" }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: argocd-allow-only
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
rules:
{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
- from:
- source:
ipBlocks:
{{- with index .Values "argo-cd" "istio" "ipBlocks" }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}
to:
- operation:
hosts: ["{{ index .Values "argo-cd" "server" "config" "url" }}"]
{{- end }}
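Review bot: With the default `ipBlocks: []` the `- from:` item is skipped, and because the list dash sits on that line, the remaining `to:` renders as a plain key under `rules:` rather than a list element, so the policy is malformed exactly when no source restriction is configured. Starting the rule with `- to:` and nesting the optional `from:` under it, or skipping the whole policy when `ipBlocks` is empty, would avoid that. `hosts` is filled from `server.config.url`, which normally carries a scheme such as `https://`, while the operation host match compares against the request host, so the rule may never match as written. With no `action` the policy defaults to ALLOW on every pod labelled `app: istio-ingressgateway`, which presumably denies all other hosts served through that gateway unless they have their own ALLOW rules; a `DENY` rule using `notIpBlocks` would scope the effect to Argo CD only. Indentation is lost in this rendering, so the nesting should be confirmed against the file.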


@ -71,3 +71,4 @@ argo-cd:
enabled: false
# argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to
gateway: ingressgateway.istio-system.svc.cluster.local
ipBlocks: []
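Review bot: The new `ipBlocks` key has no helm-docs comment, unlike `gateway` directly above it, and its default matters for how exposed Argo CD ends up. I would add `# argo-cd.istio.ipBlocks -- Source CIDR ranges allowed to reach Argo CD through the ingress gateway; an empty list adds no source restriction` above it. The empty-list wording should be confirmed against how the AuthorizationPolicy template in this commit renders when the list is empty. The `argo-cd:` block starts outside the hunk.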


@ -93,5 +93,5 @@ argo-cd:
{{- if and ( not .Values.bootstrap ) .Values.istio.enabled }}
istio:
enabled: {{ index .Values "argo-cd" "istio" "enabled" }}
gateway: private-ingressgateway.istio-system.svc.cluster.local
gateway: {{ index .Values "argo-cd" "istio" "gateway" }}
{{- end }}
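Review bot: The new `gateway:` line emits the value unquoted and unchecked, so an unset or empty `argo-cd.istio.gateway` renders as a bare `gateway:` (null) instead of failing. Since this value now decides whether Argo CD is attached to the public or the private ingress gateway, I would make it explicit and mandatory: `gateway: {{ required "argo-cd.istio.gateway must be set" (index .Values "argo-cd" "istio" "gateway") | quote }}`. The enclosing `argo-cd:` values block starts outside the hunk, so any default applied further up is not visible here.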


@ -28,3 +28,4 @@ prometheus:
argo-cd:
server: {}
gateway: private-ingressgateway.istio-system.svc.cluster.local