From 5b9d02db18b39630d11ab16d7b0878b5357b2f3e Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Fri, 24 Jul 2020 11:07:25 +0000
Subject: [PATCH] Allow Argo-CD to listen on public ingress, add argo-cd istio policy
---
 charts/kubezero-argo-cd/Chart.yaml | 2 +-
 .../templates/istio-authorization-policy.yaml | 23 +++++++++++++++++++
 charts/kubezero-argo-cd/values.yaml | 1 +
 deploy/templates/values.yaml | 2 +-
 deploy/values.yaml | 1 +
 5 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100644 charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
diff --git a/charts/kubezero-argo-cd/Chart.yaml b/charts/kubezero-argo-cd/Chart.yaml
index 6e920a41..1d0ca731 100644
--- a/charts/kubezero-argo-cd/Chart.yaml
+++ b/charts/kubezero-argo-cd/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
 name: kubezero-argo-cd
-version: 0.3.2
+version: 0.3.3
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
diff --git a/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml b/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
new file mode 100644
index 00000000..c5e6a088
--- /dev/null
+++ b/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
@@ -0,0 +1,23 @@
+{{- if index .Values "argo-cd" "istio" "enabled" }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: argocd-allow-only
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ app: istio-ingressgateway
+ rules:
+ {{- if index .Values "argo-cd" "istio" "ipBlocks" }}
+ - from:
+ - source:
+ ipBlocks:
+ {{- with index .Values "argo-cd" "istio" "ipBlocks" }}
+ {{- . | toYaml | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ to:
+ - operation:
+ hosts: ["{{ index .Values "argo-cd" "server" "config" "url" }}"]
+{{- end }}
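Review bot: In the new `istio-authorization-policy.yaml`, the only list marker under `rules:` is on the `- from:` line inside the `ipBlocks` condition, so with the chart default `ipBlocks: []` the output is `rules:` followed by a bare `to:` key, a mapping rather than a list of rules, which the AuthorizationPolicy schema should reject. The policy also sets no `action`, so it is an ALLOW policy attached to every `app: istio-ingressgateway` pod; once it applies, requests through that gateway that match no ALLOW rule are denied, which affects every other host served there unless further policies exist outside this patch. If the intent is to restrict only the Argo CD host, render the policy only when a list is given, `{{- if and (index .Values "argo-cd" "istio" "enabled") (index .Values "argo-cd" "istio" "ipBlocks") }}`, and express it as `action: DENY` with `notIpBlocks:` in place of `ipBlocks:`. `ipBlocks`/`notIpBlocks` match the peer address the gateway sees, so the allow-list only works where the load balancer in front of the gateway preserves client source IPs.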
diff --git a/charts/kubezero-argo-cd/values.yaml b/charts/kubezero-argo-cd/values.yaml index 39e382be..749a5f27 100644 --- a/charts/kubezero-argo-cd/values.yaml +++ b/charts/kubezero-argo-cd/values.yaml @@ -71,3 +71,4 @@ argo-cd: enabled: false # argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to gateway: ingressgateway.istio-system.svc.cluster.local + ipBlocks: [] diff --git a/deploy/templates/values.yaml b/deploy/templates/values.yaml index bf72adb0..3a36ca4e 100644 --- a/deploy/templates/values.yaml +++ b/deploy/templates/values.yaml @@ -93,5 +93,5 @@ argo-cd: {{- if and ( not .Values.bootstrap ) .Values.istio.enabled }} istio: enabled: {{ index .Values "argo-cd" "istio" "enabled" }} - gateway: private-ingressgateway.istio-system.svc.cluster.local + gateway: {{ index .Values "argo-cd" "istio" "gateway" }} {{- end }} diff --git a/deploy/values.yaml b/deploy/values.yaml index 705c1419..dceb6f71 100644 --- a/deploy/values.yaml +++ b/deploy/values.yaml @@ -28,3 +28,4 @@ prometheus: argo-cd: server: {} + gateway: private-ingressgateway.istio-system.svc.cluster.local
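Review bot: The new `ipBlocks: []` default in `charts/kubezero-argo-cd/values.yaml` has no description, while the neighbouring `gateway` key carries a `# argo-cd.istio.gateway -- …` comment. Add a matching line such as `# argo-cd.istio.ipBlocks -- Source CIDR blocks allowed to reach Argo CD through the ingress gateway`, and have it say what an empty list means for exposure, since that is the value most installations will run with.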
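Review bot: The replacement line in `deploy/templates/values.yaml` reads `argo-cd.istio.gateway`, but the default added in `deploy/values.yaml` sits directly after `server: {}` under `argo-cd:` with no `istio:` key in the hunk, so it appears to land at `argo-cd.gateway` and never be read (indentation is not recoverable on this page, so confirm against the file). If so, an installation that sets only `istio.enabled` renders an empty `gateway:` and would presumably fall back to the chart default `ingressgateway.istio-system.svc.cluster.local`, moving Argo CD from the private to the public gateway without anyone choosing that. Keep the private gateway as the explicit fallback and quote the value: `gateway: {{ index .Values "argo-cd" "istio" "gateway" | default "private-ingressgateway.istio-system.svc.cluster.local" | quote }}`.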