Convert argo-cd ACL to DENY policy

charts/kubezero-argo-cd/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
 name: kubezero-argo-cd
-version: 0.3.5
+version: 0.3.6
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml

@@ -1,25 +1,24 @@
 {{- if index .Values "argo-cd" "istio" "enabled" }}
+{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
-  name: argocd-allow-only
+  name: argocd-deny-not-in-ipblocks
   namespace: istio-system
 spec:
   selector:
     matchLabels:
       app: istio-ingressgateway
+  action: DENY
   rules:
-  {{- if index .Values "argo-cd" "istio" "ipBlocks" }}
   - from:
     - source:
-        ipBlocks:
+        notIpBlocks:
         {{- with index .Values "argo-cd" "istio" "ipBlocks" }}
         {{- . | toYaml | nindent 8 }}
         {{- end }}
     to:
     - operation:
         hosts: ["{{ index .Values "argo-cd" "server" "config" "url" }}"]
-  {{- else }}
-  - {}
 {{- end }}
 {{- end }}