Convert argo-cd ACL to DENY policy

Stefan Reimer 2020-07-29 18:02:18 +01:00
parent 826d1ff187
commit b6775e1ef5
2 changed files with 6 additions and 7 deletions


@ -1,7 +1,7 @@
apiVersion: v2 apiVersion: v2
description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
name: kubezero-argo-cd name: kubezero-argo-cd
version: 0.3.5 version: 0.3.6
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:


@ -1,25 +1,24 @@
{{- if index .Values "argo-cd" "istio" "enabled" }} {{- if index .Values "argo-cd" "istio" "enabled" }}
{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
apiVersion: security.istio.io/v1beta1 apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy kind: AuthorizationPolicy
metadata: metadata:
name: argocd-allow-only name: argocd-deny-not-in-ipblocks
namespace: istio-system namespace: istio-system
spec: spec:
selector: selector:
matchLabels: matchLabels:
app: istio-ingressgateway app: istio-ingressgateway
action: DENY
rules: rules:
{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
- from: - from:
- source: - source:
ipBlocks: notIpBlocks:
{{- with index .Values "argo-cd" "istio" "ipBlocks" }} {{- with index .Values "argo-cd" "istio" "ipBlocks" }}
{{- . | toYaml | nindent 8 }} {{- . | toYaml | nindent 8 }}
{{- end }} {{- end }}
to: to:
- operation: - operation:
hosts: ["{{ index .Values "argo-cd" "server" "config" "url" }}"] hosts: ["{{ index .Values "argo-cd" "server" "config" "url" }}"]
{{- else }}
- {}
{{- end }} {{- end }}
{{- end }} {{- end }}
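Review bot: With `action: DENY` the `hosts:` match under `to.operation` now fails open: a request whose Host does not equal the rendered `server.config.url` string exactly is simply not denied, where the old ALLOW policy would have rejected it. The key name suggests a full URL, and if the value carries a scheme (not visible here) it can never equal a Host header, so the rule would deny nothing; a Host sent with an explicit port would miss an exact hostname match as well. Render a hostname and cover the port form, for example `{{- $host := (urlParse (index .Values "argo-cd" "server" "config" "url")).host }}` followed by `hosts: ["{{ $host }}", "{{ $host }}:*"]`. Separately, `notIpBlocks` is evaluated against the peer address the gateway sees, so the list only reflects real clients if the load balancer in front preserves the source IP; a comment above the rule stating that assumption would help.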