Allow Argo-CD to listen on public ingress, add argo-cd istio policy

charts/kubezero-argo-cd/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
 name: kubezero-argo-cd
-version: 0.3.2
+version: 0.3.3
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml

@@ -0,0 +1,23 @@
+{{- if index .Values "argo-cd" "istio" "enabled" }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: argocd-allow-only
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+  rules:
+  {{- if index .Values "argo-cd" "istio" "ipBlocks" }}
+  - from:
+    - source:
+        ipBlocks:
+        {{- with index .Values "argo-cd" "istio" "ipBlocks" }}
+        {{- . | toYaml | nindent 8 }}
+        {{- end }}
+  {{- end }}
+    to:
+    - operation:
+        hosts: ["{{ index .Values "argo-cd" "server" "config" "url" }}"]
+{{- end }}

charts/kubezero-argo-cd/values.yaml

@@ -71,3 +71,4 @@ argo-cd:
     enabled: false
     # argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to
     gateway: ingressgateway.istio-system.svc.cluster.local
+    ipBlocks: []

deploy/templates/values.yaml

@@ -93,5 +93,5 @@ argo-cd:
   {{- if and ( not .Values.bootstrap ) .Values.istio.enabled }}
   istio:
     enabled: {{ index .Values "argo-cd" "istio" "enabled" }}
-    gateway: private-ingressgateway.istio-system.svc.cluster.local
+    gateway: {{ index .Values "argo-cd" "istio" "gateway" }}
   {{- end }}

deploy/values.yaml

@@ -28,3 +28,4 @@ prometheus:
 
 argo-cd:
   server: {}
+  gateway: private-ingressgateway.istio-system.svc.cluster.local