Convert argo-cd ACL to DENY policy

2020-07-29 18:02:18 +01:00 · 2020-07-29 18:02:18 +01:00 · 19b1fd61c9
parent 8f334fdb10
commit 19b1fd61c9
2 changed files with 6 additions and 7 deletions
--- a/charts/kubezero-argo-cd/Chart.yaml
+++ b/charts/kubezero-argo-cd/Chart.yaml
@ -1,7 +1,7 @@
 apiVersion: v2
 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
 name: kubezero-argo-cd
-version: 0.3.5
+version: 0.3.6
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
--- a/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
+++ b/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
@ -1,25 +1,24 @@
 {{- if index .Values "argo-cd" "istio" "enabled" }}
+{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
-  name: argocd-allow-only
+  name: argocd-deny-not-in-ipblocks
  namespace: istio-system
 spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
+  action: DENY
  rules:
-  {{- if index .Values "argo-cd" "istio" "ipBlocks" }}
  - from:
    - source:
-        ipBlocks:
+        notIpBlocks:
        {{- with index .Values "argo-cd" "istio" "ipBlocks" }}
        {{- . | toYaml | nindent 8 }}
        {{- end }}
    to:
    - operation:
        hosts: ["{{ index .Values "argo-cd" "server" "config" "url" }}"]
-  {{- else }}
-  - {}
-  {{- end }}
+{{- end }}
 {{- end }}