diff --git a/test-app/templates/configmap.yaml b/test-app/templates/configmap.yaml index db5ce1f..285ad79 100644 --- a/test-app/templates/configmap.yaml +++ b/test-app/templates/configmap.yaml @@ -5,52 +5,3 @@ metadata: data: index.html: | {{ .Values.pageContent | indent 4 }} - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Release.Name }}-nginx-conf -data: - nginx.conf: | - user nginx; - worker_processes 1; - - error_log /var/log/nginx/error.log warn; - pid /var/run/nginx.pid; - - events { - worker_connections 1024; - } - - http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - # Custom server listening on port 8080 - server { - listen {{ .Values.service.container_port }}; - server_name localhost; - - location / { - root /usr/share/nginx/html; - index index.html index.htm; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - } - } diff --git a/test-app/templates/deployment.yaml b/test-app/templates/deployment.yaml index 3bd6cc9..ca34a54 100644 --- a/test-app/templates/deployment.yaml +++ b/test-app/templates/deployment.yaml @@ -29,7 +29,7 @@ spec: {{- end }} serviceAccountName: {{ include "test-app.serviceAccountName" . }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }} securityContext: diff --git a/test-app/templates/destination-rule.yaml b/test-app/templates/destination-rule.yaml new file mode 100644 index 0000000..413d5c8 --- /dev/null +++ b/test-app/templates/destination-rule.yaml 
@@ -0,0 +1,13 @@ +{{- if .Values.istio.egress_hosts }} +apiVersion: networking.istio.io/v1 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-destination-rule + namespace: {{ .Release.Namespace | quote }} +spec: + exportTo: + - "." + host: {{ .Values.istio.egress_gateway }}.{{ .Values.istio.egress_namespace }}.svc.cluster.local + subsets: + - name: {{ .Release.Name }}-service-entry +{{- end }} diff --git a/test-app/templates/istio-auth-policy.yaml b/test-app/templates/istio-auth-policy.yaml new file mode 100644 index 0000000..0a63e06 --- /dev/null +++ b/test-app/templates/istio-auth-policy.yaml @@ -0,0 +1,29 @@ +# Enable strict mTLS in the Release namespace +{{- if .Values.istio.force_mtls }} +apiVersion: security.istio.io/v1 +kind: PeerAuthentication +metadata: + name: {{ .Release.Name }}-force-using-mtls + namespace: {{ .Release.Namespace | quote }} +spec: + mtls: + mode: STRICT +{{- end }} +--- +# AuthorizationPolicy in the Release namespace +{{- if and .Values.istio.force_mtls .Values.istio.auth_policy }} +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: {{ .Release.Name }}-allow-ingress + namespace: {{ .Release.Namespace | quote }} +spec: + action: DENY + rules: + - from: + - source: + notNamespaces: + {{- range .Values.istio.auth_policy.deny.notNamespaces }} + - {{ . | quote }} + {{- end }} +{{- end }} diff --git a/test-app/templates/network-policy.yaml b/test-app/templates/network-policy.yaml index 4933619..cfb4a8d 100644 --- a/test-app/templates/network-policy.yaml +++ b/test-app/templates/network-policy.yaml @@ -1,8 +1,7 @@ -{{- if .Values.networkpolicy }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ .Release.Name }} + name: {{ .Release.Name }}-network-policy spec: podSelector: matchLabels: 
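Review bot: The `subsets` entry named `{{ .Release.Name }}-service-entry` carries no `labels`, and none of the VirtualService route destinations added in this change select a `subset`, so as far as the visible templates show the DestinationRule declares nothing that Istio will act on. Either give the subset the gateway's pod labels and add `subset: {{ .Release.Name }}-service-entry` to the destinations that target the gateway host, or drop the DestinationRule until a `trafficPolicy` (for example an explicit `tls.mode` for the mesh-to-gateway hop) is actually needed. The render condition is `.Values.istio.egress_hosts`, but `host:` interpolates `istio.egress_gateway` and `istio.egress_namespace`, which the default `values.yaml` leaves unset, so a values file that sets only `egress_hosts` renders a mangled host instead of failing; guard them with `host: {{ required "istio.egress_gateway is required" .Values.istio.egress_gateway }}.{{ required "istio.egress_namespace is required" .Values.istio.egress_namespace }}.svc.cluster.local`.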
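Review bot: The AuthorizationPolicy is named `{{ .Release.Name }}-allow-ingress` but is `action: DENY` with `notNamespaces`, i.e. it rejects every request whose source namespace is not in the list, including requests from the release namespace itself unless that namespace is listed; a name such as `name: {{ .Release.Name }}-deny-other-namespaces` would match what it does. The header comment `# AuthorizationPolicy in the Release namespace` should spell this out and add that, with no `spec.selector`, the policy applies to every workload in the namespace and that only the namespaces under `istio.auth_policy.deny.notNamespaces` keep access. If `deny.notNamespaces` is empty or absent the `range` emits nothing, the `source:` entry renders with no fields and therefore matches every request, and the policy silently becomes deny-all; wrap the rule in `{{- if .Values.istio.auth_policy.deny.notNamespaces }}` or use `required` so a misconfigured values file fails at render time rather than at runtime.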
@@ -10,21 +9,61 @@ spec: policyTypes: - Ingress - Egress -{{- if .Values.networkpolicy.ingress }} ingress: - {{- toYaml .Values.networkpolicy.ingress | nindent 4 }} -{{- end }} -{{- if .Values.networkpolicy.egress }} + {{- if .Values.additional_network_policy.ingress }} + - from: + {{- range .Values.additional_network_policy.ingress.namespaces }} + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .name | quote }} + {{- if .ports }} + ports: + {{- range .ports }} + - protocol: TCP + port: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + - {} # Allow from anywhere + {{- end }} egress: - {{- toYaml .Values.networkpolicy.egress | nindent 4 }} -{{- end }} -{{- end }} + # Egress to kube-system namespace for DNS resolution + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 + {{- if .Values.additional_network_policy.egress }} + # Additional Egress rules + - to: + {{- range .Values.additional_network_policy.egress.namespaces }} + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .name | quote }} + {{- if .ports }} + ports: + {{- range .ports }} + - protocol: TCP + port: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + --- {{- if .Values.networkpolicy_istio_injection }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ .Release.Name }}-allow-istio-injection-and-mesh + name: {{ .Release.Name }}-network-policy-istio spec: podSelector: matchLabels: 
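Review bot: `ports:` is emitted inside the `range` over `additional_network_policy.ingress.namespaces`, after each `namespaceSelector` peer, so it lands either inside the `from` list (NetworkPolicyPeer has no `ports` field, so the API server rejects or drops it) or as a repeated key beside `from`; either way per-namespace ports cannot live in one rule, because `ports` on a NetworkPolicyIngressRule applies to all of that rule's peers. The `egress` block later in the hunk has the same shape and the same problem, and values-app-2.yaml relies on it with `app-1` / `8080`. Emit one rule per namespace instead, with `- from:` / `- to:` inside the range, as sketched below. Separately, the `{{- else }}` branch renders `- {}`, so with the chart default `additional_network_policy: {}` this policy now admits ingress from anywhere, whereas the removed `{{- if .Values.networkpolicy.ingress }}` guard left `ingress` absent and, with `Ingress` in `policyTypes`, denied all ingress; if allow-from-anywhere is the intended default, document it in values.yaml, otherwise drop the branch.
```yaml
  ingress:
    {{- if .Values.additional_network_policy.ingress }}
    {{- range .Values.additional_network_policy.ingress.namespaces }}
    # One rule per namespace, so that `ports` applies to this namespace only
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ .name | quote }}
      {{- if .ports }}
      ports:
        {{- range .ports }}
        - protocol: TCP
          port: {{ . }}
        {{- end }}
      {{- end }}
    {{- end }}
    {{- else }}
    - {} # Allow from anywhere
    {{- end }}
  egress:
    # … unchanged: kube-dns egress rule …
    {{- if .Values.additional_network_policy.egress }}
    {{- range .Values.additional_network_policy.egress.namespaces }}
    # Additional egress rules, one per namespace
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ .name | quote }}
      {{- if .ports }}
      ports:
        {{- range .ports }}
        - protocol: TCP
          port: {{ . }}
        {{- end }}
      {{- end }}
    {{- end }}
    {{- end }}
```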
@@ -33,22 +72,13 @@ spec: - from: - namespaceSelector: matchLabels: - istio-injection: enabled # or select istio-system namespace - ports: - - protocol: TCP - port: 443 # for webhook calls (sidecar injector) - - protocol: TCP - port: 15008 # Ambient mesh / sidecar proxy traffic port - - protocol: TCP - port: 15017 # Example Istio node port (adjust if used) - - protocol: TCP - port: 15090 # Istio telemetry (optional) + istio-injection: enabled # Select namespace with this label + - namespaceSelector: + matchLabels: + name: istio-system # Select namespace with deployed Istiod pod egress: - to: - namespaceSelector: matchLabels: - istio-injection: enabled - ports: - - protocol: TCP - port: 15008 + name: istio-system # Select namespace with deployed Istiod pod {{- end }} diff --git a/test-app/templates/service-entry.yaml b/test-app/templates/service-entry.yaml new file mode 100644 index 0000000..8c6d168 --- /dev/null +++ b/test-app/templates/service-entry.yaml @@ -0,0 +1,24 @@ +{{- if .Values.istio.egress_hosts }} +apiVersion: networking.istio.io/v1 +kind: ServiceEntry +metadata: + name: {{ .Release.Name }}-service-entry + namespace: {{ .Release.Namespace | quote }} +spec: + exportTo: + - "." + - {{ .Values.istio.egress_namespace }} + hosts: + {{- range .Values.istio.egress_hosts }} + - {{ . | quote }} + {{- end }} + ports: + - number: 80 + name: http-port + protocol: HTTP + - number: 443 + name: https + protocol: HTTPS + resolution: DNS + location: MESH_EXTERNAL +{{- end }} diff --git a/test-app/templates/virtual-service.yaml b/test-app/templates/virtual-service.yaml new file mode 100644 index 0000000..b5d3ae9 --- /dev/null +++ b/test-app/templates/virtual-service.yaml 
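Review bot: The new peers select the control-plane namespace by `name: istio-system`, a label that neither this chart nor Kubernetes sets by default, while the kube-dns rule earlier in this file uses the automatically applied `kubernetes.io/metadata.name`; unless the cluster adds a `name` label to `istio-system`, both the ingress and the egress peer match nothing and the egress-gateway path configured in values-app-1.yaml is blocked by this policy. Use `kubernetes.io/metadata.name: istio-system` for both peers, consistent with the rest of the file. The hunk also removes the `ports` lists, so any pod in any `istio-injection: enabled` namespace may now reach every port of this workload and the workload may reach every port in `istio-system`; if that widening is deliberate (the sidecar needs more than the removed list allowed) the inline comments should say so, otherwise restore an explicit port list.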
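Review bot: `exportTo` interpolates `{{ .Values.istio.egress_namespace }}` unquoted while the hosts in the same template go through `| quote`; a namespace name the YAML parser retypes (boolean- or number-looking) would break the manifest, so write `- {{ .Values.istio.egress_namespace | quote }}` here and in the VirtualService's `exportTo`. The port names are inconsistent (`http-port` vs `https`); Istio only cares about the protocol prefix, so `http` / `https` (or `http-port` / `https-port`) keeps them uniform. A header comment such as `# Registers the external hosts from istio.egress_hosts so sidecars and the egress gateway can route to them: HTTP on 80, TLS passthrough on 443` would help readers who do not know how this ServiceEntry pairs with the VirtualService.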
@@ -0,0 +1,71 @@ +{{- if .Values.istio.egress_hosts }} +apiVersion: networking.istio.io/v1 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-virtual-service + namespace: {{ .Release.Namespace }} +spec: + exportTo: + - "." + - {{ .Values.istio.egress_namespace }} + hosts: + {{- range .Values.istio.egress_hosts }} + - {{ . | quote }} + {{- end }} + gateways: + - mesh + - {{ .Values.istio.egress_namespace }}/{{ .Values.istio.egress_gateway }} + http: + - match: + - gateways: + - mesh + port: 80 + route: + - destination: + host: {{ .Values.istio.egress_gateway }}.{{ .Values.istio.egress_namespace }}.svc.cluster.local + port: + number: 80 + weight: 100 + {{- range .Values.istio.egress_hosts }} + - match: + - gateways: + - {{ $.Values.istio.egress_namespace }}/{{ $.Values.istio.egress_gateway }} + port: 80 + authority: + exact: {{ . | quote }} + route: + - destination: + host: {{ . | quote }} + port: + number: 80 + weight: 100 + {{- end }} + tls: + - match: + - gateways: + - mesh + port: 443 + sniHosts: + {{- range .Values.istio.egress_hosts }} + - {{ . | quote }} + {{- end }} + route: + - destination: + host: {{ .Values.istio.egress_gateway }}.{{ .Values.istio.egress_namespace }}.svc.cluster.local + port: + number: 443 + {{- range .Values.istio.egress_hosts }} + - match: + - gateways: + - {{ $.Values.istio.egress_namespace }}/{{ $.Values.istio.egress_gateway }} + port: 443 + sniHosts: + - {{ . | quote }} + route: + - destination: + host: {{ . | quote }} + port: + number: 443 + weight: 100 + {{- end }} +{{- end }} diff --git a/test-app/values-app-1.yaml b/test-app/values-app-1.yaml index 826b319..8735ea6 100644 --- a/test-app/values-app-1.yaml +++ b/test-app/values-app-1.yaml 
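Review bot: `namespace: {{ .Release.Namespace }}` is unquoted here while the DestinationRule, ServiceEntry and PeerAuthentication templates in this change all use `{{ .Release.Namespace | quote }}`; make it `namespace: {{ .Release.Namespace | quote }}` and quote `{{ .Values.istio.egress_namespace }}` in `exportTo` for the same reason. The first `tls` route (mesh to gateway on 443) omits `weight: 100` while every other single-destination route carries it; the field is redundant for a single destination, so either drop it everywhere or add it here. The gateway-to-external-host hop on port 80 is plain HTTP by construction, and only the 443 path is TLS passthrough via `sniHosts`; a header comment stating that would save readers from assuming the egress gateway upgrades the connection.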
@@ -1,173 +1,34 @@ -# Default values for test_app. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - repository: nginx - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "stable" - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Automatically mount a ServiceAccount's API credentials? - automount: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: {} -podLabels: {} - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - type: ClusterIP - port: 80 - container_port: 8080 +# Values to override default ingress: enabled: true className: "nginx" - annotations: - # kubernetes.io/tls-acme: "true" hosts: - host: demo-app-1.maddevs.org paths: - path: / pathType: Prefix - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -livenessProbe: - httpGet: - path: / - port: http -readinessProbe: - httpGet: - path: / - port: http - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -# VolumeMounts and Volumes of configmaps to the output Deployment definition. -volumeMounts: - - name: nginx-html - mountPath: /usr/share/nginx/html - readOnly: true - - name: nginx-conf - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - -nodeSelector: {} - -tolerations: [] - -affinity: {} # Set true if needs networkpolicy for istio service mesh networkpolicy_istio_injection: true -# Define ingress\egress rule for the current deployment via networkpolicy -networkpolicy: - ingress: - - from: - # From monitoring namespace (all pods) - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: monitoring - # From ingress-nginx pods in namespace ingress-nginx - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: ingress-nginx - podSelector: - matchLabels: - app.kubernetes.io/instance: ingress-nginx - # From app-2 pods in namespace app-2 - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: app-2 - podSelector: - matchLabels: - app.kubernetes.io/instance: app-2 - egress: - # Egress to maddevs.io IPs on port 443, 80 - - to: - - ipBlock: - cidr: 104.21.68.190/32 - ports: - - protocol: TCP - port: 443 - - protocol: TCP - port: 80 - # Egress to maddevs.io IPs on port 443, 80 - - to: - - ipBlock: - cidr: 172.67.198.8/32 - ports: - - protocol: TCP - port: 443 - - protocol: TCP - port: 80 - # Egress to kubernetes.io IPs on port 443, 80 - - to: - - ipBlock: - cidr: 147.75.40.148/32 - ports: - - protocol: TCP - port: 443 - - protocol: TCP - port: 80 - # Egress to kube-system namespace for DNS resolution - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - 
podSelector: - matchLabels: - k8s-app: kube-dns - ports: - - protocol: TCP - port: 53 - - protocol: UDP - port: 53 +# Additional rules for network policy +additional_network_policy: + # Ingress from list of namespaces + ingress: + namespaces: + - name: "monitoring" + - name: "ingress-nginx" + - name: "app-2" + - name: "egress-gateway" pageContent: | "

Welcome to Application 1

" + +# Istio resources +istio: + egress_namespace: istio-system + egress_gateway: istio-egressgateway + egress_hosts: + - "maddevs.io" + - "kubernetes.io" diff --git a/test-app/values-app-2.yaml b/test-app/values-app-2.yaml index f44934b..7619644 100644 --- a/test-app/values-app-2.yaml +++ b/test-app/values-app-2.yaml 
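Review bot: The replacement ingress list grants namespace-wide access from `ingress-nginx`, `app-2` and `egress-gateway` on all ports, whereas the removed rules scoped `ingress-nginx` and `app-2` to pods labelled `app.kubernetes.io/instance` and the chart only listens on `service.container_port: 8080`; add `ports:` / `- 8080` to each entry, as values-app-2.yaml does for its egress, unless the template gains a per-namespace `podSelector`. `egress-gateway` is allowed as an ingress namespace while `istio.egress_namespace` is `istio-system`; if the egress gateway really runs in `egress-gateway` the ServiceEntry/VirtualService point at the wrong namespace, and if it runs in `istio-system` this entry is dead. The removed `ipBlock` egress rules have no `additional_network_policy.egress` counterpart, so direct egress to those addresses is now denied and the external hosts are reachable only via the Istio egress gateway; a comment above `istio:` saying this is intentional would stop someone re-adding them.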
@@ -1,147 +1,30 @@ -# Default values for test_app. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - repository: nginx - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "stable" - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Automatically mount a ServiceAccount's API credentials? - automount: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: {} -podLabels: {} - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - type: ClusterIP - port: 80 - container_port: 8080 +# Values to override default ingress: enabled: true className: "nginx" - annotations: - # kubernetes.io/tls-acme: "true" hosts: - host: demo-app-2.maddevs.org paths: - path: / pathType: Prefix - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -livenessProbe: - httpGet: - path: / - port: http -readinessProbe: - httpGet: - path: / - port: http - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -# VolumeMounts and Volumes of configmaps to the output Deployment definition. -volumeMounts: - - name: nginx-html - mountPath: /usr/share/nginx/html - readOnly: true - - name: nginx-conf - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - -nodeSelector: {} - -tolerations: [] - -affinity: {} # Set true if needs networkpolicy for istio service mesh networkpolicy_istio_injection: true -# Define ingress\egress rule for the current deployment via networkpolicy -networkpolicy: +# Additional rules for network policy +additional_network_policy: + # Ingress from list of namespaces ingress: - - from: - # From monitoring namespace (all pods) - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: monitoring - # From ingress-nginx pods in namespace ingress-nginx - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: ingress-nginx - podSelector: - matchLabels: - app.kubernetes.io/instance: ingress-nginx + namespaces: + - name: monitoring + - name: ingress-nginx + # Egress egress: - # Egress to app-1 in the namespace app-1 - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: app-1 - podSelector: - matchLabels: - app.kubernetes.io/instance: app-1 - # Egress to kube-system namespace for DNS resolution - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - podSelector: - matchLabels: - k8s-app: kube-dns - ports: - - protocol: TCP - port: 53 - - protocol: UDP - port: 53 + namespaces: + - name: "app-1" + ports: + - 8080 pageContent: | "

Welcome to Application 2

" diff --git a/test-app/values.yaml b/test-app/values.yaml new file mode 100644 index 0000000..db3bd32 --- /dev/null +++ b/test-app/values.yaml 
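Review bot: The namespace names are quoted inconsistently (`monitoring` and `ingress-nginx` plain, `"app-1"` quoted), and the sibling values-app-1.yaml quotes all of them; quote them uniformly so a boolean- or number-looking name cannot be retyped by the parser. The egress entry to `app-1` is namespace-wide, whereas the removed rule was restricted to pods labelled `app.kubernetes.io/instance: app-1`; port `8080` narrows it, but every pod in that namespace listening on 8080 is now reachable, which deserves a comment if accepted. The bare `# Egress` comment could say what the rule is for, e.g. `# Egress to app-1 pods on their container port (8080)`, matching the style of the comments this hunk removes.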
@@ -0,0 +1,131 @@ +# Default values for test_app. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: nginxinc/nginx-unprivileged + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "stable" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} +podLabels: {} + +podSecurityContext: + runAsUser: 101 + runAsGroup: 101 + fsGroup: 101 + +securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: + - ALL + +service: + type: ClusterIP + port: 80 + container_port: 8080 + +ingress: + enabled: false + className: "nginx" + annotations: + # kubernetes.io/tls-acme: "true" + hosts: + - host: demo-app-1.maddevs.org + paths: + - path: / + pathType: Prefix + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 100m + memory: 128Mi + +livenessProbe: + httpGet: + path: / + port: http +readinessProbe: + httpGet: + path: / + port: http + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# VolumeMounts and Volumes of configmaps to the output Deployment definition. 
+volumeMounts: + - name: nginx-html + mountPath: /usr/share/nginx/html + readOnly: true + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# Set true if needs networkpolicy for istio service mesh +networkpolicy_istio_injection: false + +# Define ingress\egress rule for the current deployment via networkpolicy +additional_network_policy: {} + # Ingress from list of namespaces + # ingress: + # namespaces: + # - name: "monitoring" + # - name: "ingress-nginx" + # - name: "app-2" + # Egress + # egress: + # namespaces: + # - name: "istio-system" + # ports: + # - 8080 + # - 8443 + +pageContent: | + "

Welcome to Test Application

" + +# Istio resources +istio: {} + # force_mtls: true # Enable Strict mTLS mode for the Release namespace + # egress_namespace: "istio-system" # The namespace of istio-egressgateway + # egress_gateway: istio-egressgateway # The name of istio-egressgateway + # auth_policy: # Will create AuthorizationPolicy for the Release namespace with rules deny except namespaces + # deny: + # notNamespaces: + # - "app-2" + # egress_hosts: # Will create resources for access to external hosts + # - "example.com"
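Review bot: `podSecurityContext` sets uid/gid 101 and the container `securityContext` drops all capabilities and forbids privilege escalation, but neither sets a seccomp profile, which the Pod Security `restricted` standard requires; add `seccompProfile:` / `  type: RuntimeDefault` under `podSecurityContext`, and consider `readOnlyRootFilesystem: true` once the image's writable paths are backed by emptyDir volumes (I have not verified which paths the `stable` tag of `nginxinc/nginx-unprivileged` writes at start-up). `image.tag: "stable"` is a floating tag; pin a specific version or digest so upgrades are deliberate and reproducible. The comment block under `additional_network_policy: {}` should state the template's behaviour when `ingress` is omitted — the rendered NetworkPolicy then admits ingress from any source — because the examples read as if the default were deny. The commented `istio` examples would also benefit from a note that `force_mtls` gates both the PeerAuthentication and whether `auth_policy` is rendered at all.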