From 86c817065537579e60f86824057e81894c339972 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 28 Jan 2022 17:22:39 +0100 Subject: [PATCH] fix: Istio auth policy fixes --- charts/kubezero-argocd/Chart.yaml | 2 +- charts/kubezero-argocd/README.md | 4 ++-- .../templates/istio-authorization-policy.yaml | 6 +++++- charts/kubezero-ci/Chart.yaml | 2 +- charts/kubezero-ci/README.md | 2 +- .../gitea/istio-authorization-policy.yaml | 5 ++++- .../jenkins/istio-authorization-policy.yaml | 5 ++++- charts/kubezero-ci/values.yaml | 2 +- charts/kubezero-network/Chart.yaml | 2 +- .../templates/multus/daemonset.yaml | 20 +++---------------- charts/kubezero-network/values.yaml | 2 +- charts/kubezero/Chart.yaml | 2 +- charts/kubezero/values.yaml | 6 +++--- 13 files changed, 28 insertions(+), 32 deletions(-) diff --git a/charts/kubezero-argocd/Chart.yaml b/charts/kubezero-argocd/Chart.yaml index 2387ef5b..5ff65551 100644 --- a/charts/kubezero-argocd/Chart.yaml +++ b/charts/kubezero-argocd/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application name: kubezero-argocd -version: 0.9.3 +version: 0.9.4 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-argocd/README.md b/charts/kubezero-argocd/README.md index 1a1c5157..8f442fb0 100644 --- a/charts/kubezero-argocd/README.md +++ b/charts/kubezero-argocd/README.md @@ -1,6 +1,6 @@ # kubezero-argocd -![Version: 0.9.1](https://img.shields.io/badge/Version-0.9.1-informational?style=flat-square) +![Version: 0.9.4](https://img.shields.io/badge/Version-0.9.4-informational?style=flat-square) KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application @@ -26,7 +26,7 @@ Kubernetes: `>= 1.20.0` | Key | Type | Default | Description | |-----|------|---------|-------------| -| argo-cd.configs.knownHosts.data.ssh_known_hosts | string | `"bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==\ngithub.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=\ngithub.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\ngitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=\ngitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf\ngitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9\n[git.zero-downtime.net]:22000 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6C8EjqbFGTU/HJhwed7CSVd5o4cusQk++GnQb4gZ9RGySsm/Gfi2VtcphMQcwzQYfjwlQAcMFikQYTD0XjEqmxQ17Q0+XRdLr6svWMXLuvqkWIvke+b1AAnJhNj9dZl7jSZcLgZedUEAMIMEd7dQC+ggrBF0dzMxf+PmMwtPtpkeZ53+JyHoswtolV4qrGJy7xgQZjyABtwe0Cy/J8gVonvzPYhyl2Eh5z4KXY7MumtBSCv79G4PHNaBI7d59GmnNQCcZaxHykHEDPPr+ymZlhSoe+OBkbr5m7zCRMHWuQuz4mR/4wd1kvVReRTLr8ZJQc0cyNHHVJGj05QkAeBBv\n[git.zero-downtime.net]:22000 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBytYYdGzh0Y9iwx4hxgjiEwbxLxBdIaMbfpkB6zqiDqmMtVDprjZfRlDTew25+p+Hki7/xJPQRYqB6RR0fuTwo=\n[git.zero-downtime.net]:22000 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHv6s7N5aiiP9yt2y5EpGZxENxUtUdbWyWJsAgjHBCZZ\n"` | | +| argo-cd.configs.knownHosts.data.ssh_known_hosts | string | `"bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==\ngithub.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=\ngithub.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\ngitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=\ngitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf\ngitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9\ngit.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8YdJ4YcOK7A0K7qOWsRjCS+wHTStXRcwBe7gjG43HPSNijiCKoGf/c+tfNsRhyouawg7Law6M6ahmS/jKWBpznRIM+OdOFVSuhnK/nr6h6wG3/ZfdLicyAPvx1/STGY/Fc6/zXA88i/9PV+g84gSVmhf3fGY92wokiASiu9DU4T9dT1gIkdyOX6fbMi1/mMKLSrHnAQcjyasYDvw9ISCJ95EoSwbj7O4c+7jo9fxYvdCfZZZAEZGozTRLAAO0AnjVcRah7bZV/jfHJuhOipV/TB7UVAhlVv1dfGV7hoTp9UKtKZFJF4cjIrSGxqQA/mdhSdLgkepK7yc4Jp2xGnaarhY29DfqsQqop+ugFpTbj7Xy5Rco07mXc6XssbAZhI1xtCOX20N4PufBuYippCK5AE6AiAyVtJmvfGQk4HP+TjOyhFo7PZm3wc9Hym7IBBVC0Sl30K8ddufkAgHwNGvvu1ZmD9ZWaMOXJDHBCZGMMr16QREZwVtZTwMEQalc7/yqmuqMhmcJIfs/GA2Lt91y+pq9C8XyeUL0VFPch0vkcLSRe3ghMZpRFJ/ht307xPcLzgTJqN6oQtNNDzSQglSEjwhge2K4GyWcIh+oGsWxWz5dHyk1iJmw90Y976BZIl/mYVgbTtZAJ81oGe/0k5rAe+LDL+Yq6tG28QFOg0QmiQ==\n"` | | | argo-cd.configs.secret.createSecret | bool | `false` | | | argo-cd.controller.args.appResyncPeriod | string | `"300"` | | | argo-cd.controller.args.operationProcessors | string | `"4"` | | diff --git a/charts/kubezero-argocd/templates/istio-authorization-policy.yaml b/charts/kubezero-argocd/templates/istio-authorization-policy.yaml index c5dd82c5..7cf4fa6a 100644 --- a/charts/kubezero-argocd/templates/istio-authorization-policy.yaml +++ b/charts/kubezero-argocd/templates/istio-authorization-policy.yaml @@ -17,8 +17,12 @@ spec: - source: notIpBlocks: {{- toYaml .Values.istio.ipBlocks | nindent 8 }} + to: + - operation: + hosts: [{{ index .Values "argo-cd" "server" "config" "url" | quote }}] when: - key: connection.sni - values: ["{{ index .Values "argo-cd" "server" "config" "url" }}"] + values: + - '*' {{- end }} {{- end }} diff --git a/charts/kubezero-ci/Chart.yaml b/charts/kubezero-ci/Chart.yaml index 0a495fc8..04fac169 100644 --- a/charts/kubezero-ci/Chart.yaml +++ b/charts/kubezero-ci/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-ci description: KubeZero umbrella chart for all things CI type: application -version: 0.4.23 +version: 0.4.25 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-ci/README.md b/charts/kubezero-ci/README.md index 0c51e8b3..021f6f96 100644 --- a/charts/kubezero-ci/README.md +++ b/charts/kubezero-ci/README.md @@ -1,6 +1,6 @@ # kubezero-ci -![Version: 0.4.23](https://img.shields.io/badge/Version-0.4.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.4.24](https://img.shields.io/badge/Version-0.4.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero umbrella chart for all things CI diff --git a/charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml b/charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml index 2e183eb5..266cddd4 100644 --- a/charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml +++ b/charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml @@ -19,5 +19,8 @@ spec: to: - operation: hosts: ["{{ .Values.gitea.istio.url }}"] - ports: [ "443", "22" ] + when: + - key: connection.sni + values: + - '*' {{- end }} diff --git a/charts/kubezero-ci/templates/jenkins/istio-authorization-policy.yaml b/charts/kubezero-ci/templates/jenkins/istio-authorization-policy.yaml index 3d808ce1..7faf6b7d 100644 --- a/charts/kubezero-ci/templates/jenkins/istio-authorization-policy.yaml +++ b/charts/kubezero-ci/templates/jenkins/istio-authorization-policy.yaml @@ -19,5 +19,8 @@ spec: to: - operation: hosts: ["{{ .Values.jenkins.istio.url }}"] - ports: [ "443" ] + when: + - key: connection.sni + values: + - '*' {{- end }} diff --git a/charts/kubezero-ci/values.yaml b/charts/kubezero-ci/values.yaml index fcb556e5..67d9e986 100644 --- a/charts/kubezero-ci/values.yaml +++ b/charts/kubezero-ci/values.yaml @@ -130,7 +130,7 @@ jenkins: # Preconfigure agents to use zdt podman requires fuse/overlayfs agent: image: public.ecr.aws/zero-downtime/jenkins-podman - tag: v0.2.4-5 + tag: v0.2.4-6 resources: requests: cpu: "512m" diff --git a/charts/kubezero-network/Chart.yaml b/charts/kubezero-network/Chart.yaml index e78f7e55..8a05152f 100644 --- a/charts/kubezero-network/Chart.yaml +++ b/charts/kubezero-network/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-network description: KubeZero umbrella chart for all things network type: application -version: 0.1.3 +version: 0.1.7 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-network/templates/multus/daemonset.yaml b/charts/kubezero-network/templates/multus/daemonset.yaml index e9558bf6..3ed4dfe8 100644 --- a/charts/kubezero-network/templates/multus/daemonset.yaml +++ b/charts/kubezero-network/templates/multus/daemonset.yaml @@ -105,6 +105,8 @@ spec: tolerations: - operator: Exists effect: NoSchedule + - operator: Exists + effect: NoExecute serviceAccountName: multus containers: - name: kube-multus @@ -112,6 +114,7 @@ spec: command: ["/entrypoint.sh"] args: - "--multus-conf-file=auto" + - "--rename-conf-file=true" - "--cni-version=0.3.1" resources: requests: @@ -133,23 +136,6 @@ spec: mountPath: /host/opt/cni/bin - name: multus-cfg mountPath: /tmp/multus-conf - initContainers: - - name: install-multus-binary - image: ghcr.io/k8snetworkplumbingwg/multus-cni:{{ .Values.multus.tag }} - command: - - "cp" - - "/usr/src/multus-cni/bin/multus" - - "/host/opt/cni/bin/multus" - resources: - requests: - cpu: "10m" - memory: "15Mi" - securityContext: - privileged: true - volumeMounts: - - name: cnibin - mountPath: /host/opt/cni/bin - mountPropagation: Bidirectional terminationGracePeriodSeconds: 10 volumes: - name: run diff --git a/charts/kubezero-network/values.yaml b/charts/kubezero-network/values.yaml index ed8f4e8b..d54acaa6 100644 --- a/charts/kubezero-network/values.yaml +++ b/charts/kubezero-network/values.yaml @@ -19,7 +19,7 @@ metallb: multus: enabled: false - tag: "v3.8" + tag: "v3.8.1" cilium: enabled: false diff --git a/charts/kubezero/Chart.yaml b/charts/kubezero/Chart.yaml index d6ccd4bc..129cf191 100644 --- a/charts/kubezero/Chart.yaml +++ b/charts/kubezero/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero description: KubeZero - Root App of Apps chart type: application -version: 1.21.8-7 +version: 1.21.9 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index 265a605a..976f5228 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -46,7 +46,7 @@ istio-ingress: metrics: enabled: false namespace: monitoring - targetRevision: 0.6.2 + targetRevision: 0.7.4 istio: grafana: {} prometheus: {} @@ -54,11 +54,11 @@ metrics: logging: enabled: false namespace: logging - targetRevision: 0.7.16 + targetRevision: 0.7.17 argocd: enabled: false namespace: argocd - targetRevision: 0.9.2 + targetRevision: 0.9.4 istio: enabled: false