refactor all yamls; change network policy; add sec context on deployments; add Istio resources

test-app/templates/configmap.yaml

@@ -5,52 +5,3 @@ metadata:
 data:
   index.html: |
     {{ .Values.pageContent | indent 4 }}
-
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ .Release.Name }}-nginx-conf
-data:
-  nginx.conf: |
-    user  nginx;
-    worker_processes  1;
-
-    error_log  /var/log/nginx/error.log warn;
-    pid        /var/run/nginx.pid;
-
-    events {
-        worker_connections  1024;
-    }
-
-    http {
-        include       /etc/nginx/mime.types;
-        default_type  application/octet-stream;
-
-        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                          '$status $body_bytes_sent "$http_referer" '
-                          '"$http_user_agent" "$http_x_forwarded_for"';
-
-        access_log  /var/log/nginx/access.log  main;
-
-        sendfile        on;
-        #tcp_nopush     on;
-
-        keepalive_timeout  65;
-
-        # Custom server listening on port 8080
-        server {
-            listen       {{ .Values.service.container_port }};
-            server_name  localhost;
-
-            location / {
-                root   /usr/share/nginx/html;
-                index  index.html index.htm;
-            }
-
-            error_page   500 502 503 504  /50x.html;
-            location = /50x.html {
-                root   /usr/share/nginx/html;
-            }
-        }
-    }

test-app/templates/deployment.yaml

@@ -29,7 +29,7 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "test-app.serviceAccountName" . }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:

test-app/templates/destination-rule.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.istio.egress_hosts }}
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+  name: {{ .Release.Name }}-destination-rule
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  exportTo:
+  - "."
+  host: {{ .Values.istio.egress_gateway }}.{{ .Values.istio.egress_namespace }}.svc.cluster.local
+  subsets:
+  - name: {{ .Release.Name }}-service-entry
+{{- end }}

test-app/templates/istio-auth-policy.yaml

@@ -0,0 +1,29 @@
+# Enable strict mTLS in the Release namespace
+{{- if .Values.istio.force_mtls }}
+apiVersion: security.istio.io/v1
+kind: PeerAuthentication
+metadata:
+  name: {{ .Release.Name }}-force-using-mtls
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  mtls:
+    mode: STRICT
+{{- end }}
+---
+# AuthorizationPolicy in the Release namespace
+{{- if and .Values.istio.force_mtls .Values.istio.auth_policy }}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ .Release.Name }}-allow-ingress
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  action: DENY
+  rules:
+  - from:
+    - source:
+        notNamespaces:
+        {{- range .Values.istio.auth_policy.deny.notNamespaces }}
+        - {{ . | quote }}
+        {{- end }}
+{{- end }}

test-app/templates/network-policy.yaml

@@ -1,30 +1,69 @@
-{{- if .Values.networkpolicy }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: {{ .Release.Name }}
+  name: {{ .Release.Name }}-network-policy
 spec:
   podSelector:
     matchLabels:
       {{- include "test-app.selectorLabels" . | nindent 6 }}
   policyTypes:
   - Ingress
   - Egress
-{{- if .Values.networkpolicy.ingress }}
   ingress:
-  {{- toYaml .Values.networkpolicy.ingress | nindent 4 }}
-{{- end }}
-{{- if .Values.networkpolicy.egress }}
+  {{- if .Values.additional_network_policy.ingress }}
+    - from:
+      {{- range .Values.additional_network_policy.ingress.namespaces }}
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .name | quote }}
+      {{- if .ports }}
+      ports:
+      {{- range .ports }}
+        - protocol: TCP
+          port: {{ . }}
+      {{- end }}
+      {{- end }}
+      {{- end }}
+  {{- else }}
+    - {}  # Allow from anywhere
+  {{- end }}
   egress:
-  {{- toYaml .Values.networkpolicy.egress | nindent 4 }}
-{{- end }}
-{{- end }}
+    # Egress to kube-system namespace for DNS resolution
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: kube-system
+        podSelector:
+          matchLabels:
+            k8s-app: kube-dns
+      ports:
+      - protocol: TCP
+        port: 53
+      - protocol: UDP
+        port: 53
+    {{- if .Values.additional_network_policy.egress }}
+    # Additional Egress rules
+    - to:
+      {{- range .Values.additional_network_policy.egress.namespaces }}
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .name | quote }}
+      {{- if .ports }}
+      ports:
+      {{- range .ports }}
+        - protocol: TCP
+          port: {{ . }}
+      {{- end }}
+      {{- end }}
+      {{- end }}
+    {{- end }}
+
 ---
 {{- if .Values.networkpolicy_istio_injection }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: {{ .Release.Name }}-allow-istio-injection-and-mesh
+  name: {{ .Release.Name }}-network-policy-istio
 spec:
   podSelector:
     matchLabels:
@@ -33,22 +72,13 @@ spec:
   - from:
     - namespaceSelector:
         matchLabels:
-          istio-injection: enabled  # or select istio-system namespace
-    ports:
-    - protocol: TCP
-      port: 443     # for webhook calls (sidecar injector)
-    - protocol: TCP
-      port: 15008   # Ambient mesh / sidecar proxy traffic port
-    - protocol: TCP
-      port: 15017   # Example Istio node port (adjust if used)
-    - protocol: TCP
-      port: 15090   # Istio telemetry (optional)
+          istio-injection: enabled  # Select namespace with this label
+    - namespaceSelector:
+        matchLabels:
+          name: istio-system        # Select namespace with deployed Istiod pod
   egress:
   - to:
     - namespaceSelector:
         matchLabels:
-          istio-injection: enabled
-    ports:
-    - protocol: TCP
-      port: 15008
+          name: istio-system        # Select namespace with deployed Istiod pod
 {{- end }}

test-app/templates/service-entry.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.istio.egress_hosts }}
+apiVersion: networking.istio.io/v1
+kind: ServiceEntry
+metadata:
+  name: {{ .Release.Name }}-service-entry
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  exportTo:
+  - "."
+  - {{ .Values.istio.egress_namespace }}
+  hosts:
+  {{- range .Values.istio.egress_hosts }}
+  - {{ . | quote }}
+  {{- end }}
+  ports:
+  - number: 80
+    name: http-port
+    protocol: HTTP
+  - number: 443
+    name: https
+    protocol: HTTPS
+  resolution: DNS
+  location: MESH_EXTERNAL
+{{- end }}

test-app/templates/virtual-service.yaml

@@ -0,0 +1,71 @@
+{{- if .Values.istio.egress_hosts }}
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: {{ .Release.Name }}-virtual-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  exportTo:
+  - "."
+  - {{ .Values.istio.egress_namespace }}
+  hosts:
+  {{- range .Values.istio.egress_hosts }}
+  - {{ . | quote }}
+  {{- end }}
+  gateways:
+  - mesh
+  - {{ .Values.istio.egress_namespace }}/{{ .Values.istio.egress_gateway }}
+  http:
+  - match:
+    - gateways:
+      - mesh
+      port: 80
+    route:
+    - destination:
+        host: {{ .Values.istio.egress_gateway }}.{{ .Values.istio.egress_namespace }}.svc.cluster.local
+        port:
+          number: 80
+      weight: 100
+  {{- range .Values.istio.egress_hosts }}
+  - match:
+    - gateways:
+      - {{ $.Values.istio.egress_namespace }}/{{ $.Values.istio.egress_gateway }}
+      port: 80
+      authority:
+        exact: {{ . | quote }}
+    route:
+    - destination:
+        host: {{ . | quote }}
+        port:
+          number: 80
+      weight: 100
+  {{- end }}
+  tls:
+  - match:
+    - gateways:
+      - mesh
+      port: 443
+      sniHosts:
+      {{- range .Values.istio.egress_hosts }}
+      - {{ . | quote }}
+      {{- end }}
+    route:
+    - destination:
+        host: {{ .Values.istio.egress_gateway }}.{{ .Values.istio.egress_namespace }}.svc.cluster.local
+        port:
+          number: 443
+  {{- range .Values.istio.egress_hosts }}
+  - match:
+    - gateways:
+      - {{ $.Values.istio.egress_namespace }}/{{ $.Values.istio.egress_gateway }}
+      port: 443
+      sniHosts:
+      - {{ . | quote }}
+    route:
+    - destination:
+        host: {{ . | quote }}
+        port:
+          number: 443
+      weight: 100
+  {{- end }}
+{{- end }}