diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index cc76f5b7d..7f7824985 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -6,13 +6,13 @@ name: "Setup Environment" description: "UDS Environment Setup" inputs: ghToken: - description: 'GITHUB_TOKEN' + description: "GITHUB_TOKEN" required: true registry1Username: - description: 'IRON_BANK_ROBOT_USERNAME' + description: "IRON_BANK_ROBOT_USERNAME" required: true registry1Password: - description: 'IRON_BANK_ROBOT_PASSWORD' + description: "IRON_BANK_ROBOT_PASSWORD" required: true chainguardIdentity: description: "ID for Chainguard Identity" diff --git a/packages/base/zarf.yaml b/packages/base/zarf.yaml index 80126a7fd..3df978342 100644 --- a/packages/base/zarf.yaml +++ b/packages/base/zarf.yaml @@ -23,6 +23,12 @@ components: import: path: ../../src/prometheus-stack + # Pepr the world + - name: pepr-uds-core + required: true + import: + path: ../../src/pepr + # Istio - name: istio-controlplane required: true @@ -43,9 +49,3 @@ components: required: false import: path: ../../src/istio - - # Pepr the world - - name: pepr-uds-core - required: true - import: - path: ../../src/pepr diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index b8568b4c7..1c4d3fd78 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -22,6 +22,12 @@ components: import: path: ../base + # Pepr the world + - name: pepr-uds-core + required: true + import: + path: ../base + # Istio - name: istio-controlplane required: true @@ -43,12 +49,6 @@ components: import: path: ../base - # Pepr the world - - name: pepr-uds-core - required: true - import: - path: ../base - # Metrics Server - name: metrics-server required: false diff --git a/pepr.ts b/pepr.ts index 18493e612..083d76b92 100644 --- a/pepr.ts +++ b/pepr.ts 
@@ -16,7 +16,6 @@ import { Policy } from "./src/pepr/operator/crd"; import { registerCRDs } from "./src/pepr/operator/crd/register"; import { patches } from "./src/pepr/patches"; import { policies, startExemptionWatch } from "./src/pepr/policies"; -import { prometheus } from "./src/pepr/prometheus"; const log = setupLogger(Component.STARTUP); @@ -36,9 +35,6 @@ const log = setupLogger(Component.STARTUP); // Istio service mesh istio, - // Prometheus monitoring stack - prometheus, - // Patches for specific components patches, ]); diff --git a/src/authservice/chart/templates/uds-package.yaml b/src/authservice/chart/templates/uds-package.yaml index acf50b428..17c6cf281 100644 --- a/src/authservice/chart/templates/uds-package.yaml +++ b/src/authservice/chart/templates/uds-package.yaml @@ -7,6 +7,7 @@ metadata: name: authservice namespace: {{ .Release.Namespace }} spec: + istioAmbient: false network: allow: # Permit intra-namespace communication for multi-replica setup diff --git a/src/grafana/chart/templates/uds-package.yaml b/src/grafana/chart/templates/uds-package.yaml index be80115af..967c4f4c1 100644 --- a/src/grafana/chart/templates/uds-package.yaml +++ b/src/grafana/chart/templates/uds-package.yaml @@ -7,6 +7,7 @@ metadata: name: grafana namespace: {{ .Release.Namespace }} spec: + istioAmbient: true sso: - name: Grafana Dashboard clientId: uds-core-admin-grafana diff --git a/src/istio/Ambient.md b/src/istio/Ambient.md new file mode 100644 index 000000000..54b258b7d --- /dev/null +++ b/src/istio/Ambient.md 
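Review bot: Dropping `prometheus` from the capability array in pepr.ts (and its import in the hunk above) also removes whatever mutations that module applied for scraping sidecar-injected workloads, yet Keycloak and Authservice keep `istioAmbient: false` elsewhere in this change, so their `/metrics` endpoints are now scraped from an ambient Prometheus into sidecar namespaces with no dedicated handling. Whether that path still works depends on the mesh-wide PeerAuthentication mode, which is not visible here; a validation step that confirms those two targets report up in Prometheus would pin it down. If `src/pepr/prometheus` stays in the tree it is now dead code and should either be deleted or its removal noted in the PR description.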
@@ -0,0 +1,35 @@ +## Istio Ambient + +### TLDR + +Migrating applications to ambient was surprisingly painless and removed more complexity than it added. At least initially we were pessimistic about the pain to migrate but were impressed how much complexity fell out when many of the quirks of istio sidecars are removed. + +We came away more optimistic about ambient and would advocate that further engineer effort be devoted to pursuing it as viable future default. + +### Benefits + +- Our current pain points with Istio sidecars (job termination and init containers mTLS traffic) become non-issues with Ambient +- The prometheus stack setup with mTLS metrics can be simplified significantly with Ambient on prometheus, we no longer require mutations or certificate mounting to properly scape endpoints. +- Ambient is able to handle direct pod addressability in a way that sidecars weren't, allowing us to remove some workarounds previously required (headless services) +- By removing the sidecars from most workloads we are able to reduce the resource footprint, especially for large scale clusters with lots of workloads on top of core +- Speed of startup as well as pod communications is increased due to the removal of sidecars (there is no longer a bottleneck to communications and pods do not have to wait on sidecars during startup) + +### Interesting Notes + +- Traffic to keycloak from Pepr originated from a "different" host, requiring a new trusted host policy in Keycloak for `*.pepr-uds-core-watcher.pepr-system.svc.cluster.local` (better than the original 127.0.0.6) +- A number of PERMISSIVE peer authentications we used for "Kube API" -> svc traffic (webhooks and api services) seem to be unnecessary with ambient +- Switching to Ambient requires a few new Istio components which do not have (working) images in Ironbank or Chainguard +- Using L7 features in Ambient mode depends on adoption of K8s Gateway API specification + +### Future Work/Mysteries + +- Evaluate existing 
netpol L3/4, find comparable istio authorization policy implementations (also reevaluate default netpols for istiod, etc) + - Package CR support for authorization policies at L4/7 + - Can we map existing network.allow from netpol -> authpolicy +- Encountered odd behavior with kubeapi - unsure if actually fixed? +- How should we handle Istio needing exemptions now (reorder pepr/istio, exemption CRD deployed pre-core, etc) +- How do we handle mission apps with authservice (require sidecar OR figure out extAuthz with waypoint) +- Keycloak and Authservice "required" sidecars to get them functional - could this be addressed by waypoints or other config we were missing? +- Gateway API instead of Ingress Gateway + VirtualService - unsure if this is connected to some of the issues we encountered with authz +- Istio ambient may need some specific configuration depending on cluster type (we had to pass in certain values for the CNI to work on [k3s](https://istio.io/latest/docs/ambient/install/platform-prerequisites/#k3s)) +- Narrow down Istio CNI/Ztunnel exemption to what is strictly necessary diff --git a/src/istio/common/chart/templates/envoy-filters.yaml b/src/istio/common/chart/templates/envoy-filters.yaml index 455f364a8..9b9fb0944 100644 --- a/src/istio/common/chart/templates/envoy-filters.yaml +++ b/src/istio/common/chart/templates/envoy-filters.yaml @@ -40,7 +40,6 @@ spec: end end --- -# Source: istio/templates/envoyfilter.yaml apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: diff --git a/src/istio/common/chart/templates/exemptions.yaml b/src/istio/common/chart/templates/exemptions.yaml new file mode 100644 index 000000000..442e18501 --- /dev/null +++ b/src/istio/common/chart/templates/exemptions.yaml 
@@ -0,0 +1,29 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+apiVersion: uds.dev/v1alpha1
+kind: Exemption
+metadata:
+ name: istio
+ namespace: uds-policy-exemptions
+spec:
+ exemptions:
+ - policies:
+ - DisallowPrivileged
+ - RequireNonRootUser
+ - RestrictSELinuxType
+ - RestrictHostPathWrite
+ - RestrictVolumeTypes
+ - DisallowHostNamespaces
+ - DisallowSELinuxOptions
+ - DropAllCapabilities
+ - RestrictCapabilities
+ - RestrictHostPathWrite
+ - RestrictHostPorts
+ - RestrictProcMount
+ - RestrictSeccomp
+ matcher:
+ namespace: istio-system
+ name: "^.*"
+ title: "istio exemptions"
+ description: "Istio does some privileged things"
diff --git a/src/istio/common/zarf.yaml b/src/istio/common/zarf.yaml
index 9de933358..d1d51f29a 100644
--- a/src/istio/common/zarf.yaml
+++ b/src/istio/common/zarf.yaml
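Review bot: `RestrictHostPathWrite` is listed twice in the `policies` array, and the matcher `name: "^.*"` in `istio-system` exempts every pod in that namespace — istiod included — from the privileged, host-namespace, capability and hostPath controls that only the CNI node agent and ztunnel plausibly need. Ambient.md already records narrowing this exemption as future work; a cheap first step is one matcher per DaemonSet (for example `name: "^istio-cni-node-.*"` and `name: "^ztunnel-.*"`, if those are the pod prefixes the pinned charts produce) carrying only the policies each workload actually trips. The duplicate entry can simply be removed.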
@@ -15,28 +15,41 @@ components: url: https://istio-release.storage.googleapis.com/charts version: 1.23.2 namespace: istio-system + - name: uds-global-istio-config + namespace: istio-system + version: 0.1.0 + localPath: chart - name: istiod url: https://istio-release.storage.googleapis.com/charts version: 1.23.2 namespace: istio-system valuesFiles: - - "../values/values.yaml" - - name: uds-global-istio-config + - "../values/base-istiod.yaml" + - name: cni + url: https://istio-release.storage.googleapis.com/charts + version: 1.23.2 + namespace: istio-system + valuesFiles: + - "../values/base-cni.yaml" # values for k3s/k3d cni + - name: ztunnel + url: https://istio-release.storage.googleapis.com/charts + version: 1.23.2 namespace: istio-system - version: 0.1.0 - localPath: chart actions: onDeploy: before: - - description: "Fix helm ownership if necessary for clean helm upgrade" + - description: "Fix helm ownership metadata on upgrade" mute: true cmd: | - ./zarf tools kubectl annotate EnvoyFilter misdirected-request -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true - ./zarf tools kubectl annotate EnvoyFilter remove-server-header -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true - ./zarf tools kubectl annotate PeerAuthentication default-istio-system -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true - ./zarf tools kubectl annotate PeerAuthentication permissive-pepr-webhook -n pepr-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true - ./zarf tools kubectl annotate PeerAuthentication permissive-pepr-webhook-watcher -n pepr-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true + ./zarf tools kubectl annotate envoyfilter -n istio-system misdirected-request meta.helm.sh/release-name=uds-global-istio-config --overwrite || true + ./zarf tools kubectl annotate envoyfilter -n istio-system remove-server-header 
meta.helm.sh/release-name=uds-global-istio-config --overwrite || true + ./zarf tools kubectl annotate peerauthentication -n istio-system default-istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true after: - - description: "Ensure istio-injection is enabled for Pepr" - mute: true - cmd: "./zarf tools kubectl label namespace pepr-system istio-injection=enabled --overwrite" + - description: "Ensure istio ambient is enabled for Pepr" + cmd: "./zarf tools kubectl label namespace pepr-system istio.io/dataplane-mode=ambient --overwrite" + - description: "Ensure istio-injection is disabled for Pepr" + cmd: "./zarf tools kubectl label namespace pepr-system istio-injection=disabled --overwrite" + - description: "Cycle Pepr to refresh connections post-ambient" + cmd: | + ./zarf tools kubectl rollout restart -n pepr-system deploy/pepr-uds-core-watcher + ./zarf tools kubectl rollout restart -n pepr-system deploy/pepr-uds-core diff --git a/src/istio/tasks.yaml b/src/istio/tasks.yaml index 0d696544e..df547bb87 100644 --- a/src/istio/tasks.yaml +++ b/src/istio/tasks.yaml @@ -7,21 +7,21 @@ tasks: - description: Validate the Istio Admin Gateway wait: cluster: - kind: Gateway + kind: gateways.networking.istio.io name: admin-gateway namespace: istio-admin-gateway - description: Validate the Istio Passthrough Gateway wait: cluster: - kind: Gateway + kind: gateways.networking.istio.io name: passthrough-gateway namespace: istio-passthrough-gateway - description: Validate the Istio Tenant Gateway wait: cluster: - kind: Gateway + kind: gateways.networking.istio.io name: tenant-gateway namespace: istio-tenant-gateway diff --git a/src/istio/values/base-cni.yaml b/src/istio/values/base-cni.yaml new file mode 100644 index 000000000..a02ae9e66 --- /dev/null +++ b/src/istio/values/base-cni.yaml 
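Review bot: The new `after` actions `rollout restart` both Pepr deployments on every deploy of this component, not only when the pepr-system labels actually changed, so each upgrade of the Istio component now bounces the admission webhooks; what admission does during that window depends on the webhooks' failure policy, which is not visible here. Consider restarting only when the preceding `kubectl label` commands report a change (their output distinguishes `labeled` from `not labeled`) or scoping the restart to the initial install, and note that `mute: true` was dropped from the label actions. Separately, the annotate lines for the two `permissive-pepr-webhook` PeerAuthentications in pepr-system were removed; if older installs still carry those objects under the previous release name, Helm will no longer adopt them and they will linger unmanaged.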
@@ -0,0 +1,8 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +profile: ambient + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin/ diff --git a/src/istio/values/values.yaml b/src/istio/values/base-istiod.yaml similarity index 96% rename from src/istio/values/values.yaml rename to src/istio/values/base-istiod.yaml index 0e06a2f26..1e74fa0af 100644 --- a/src/istio/values/values.yaml +++ b/src/istio/values/base-istiod.yaml @@ -1,6 +1,8 @@ # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial +profile: ambient + meshConfig: accessLogFile: /dev/stdout pathNormalization: diff --git a/src/istio/values/registry1/cni.yaml b/src/istio/values/registry1/cni.yaml new file mode 100644 index 000000000..22719e89b --- /dev/null +++ b/src/istio/values/registry1/cni.yaml @@ -0,0 +1,5 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +cni: + image: registry1.dso.mil/ironbank/opensource/istio/install-cni:1.23.3 diff --git a/src/istio/values/registry1-values.yaml b/src/istio/values/registry1/istiod.yaml similarity index 100% rename from src/istio/values/registry1-values.yaml rename to src/istio/values/registry1/istiod.yaml diff --git a/src/istio/values/registry1/ztunnel.yaml b/src/istio/values/registry1/ztunnel.yaml new file mode 100644 index 000000000..c719b11b6 --- /dev/null +++ b/src/istio/values/registry1/ztunnel.yaml @@ -0,0 +1,4 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +image: registry1.dso.mil/ironbank/tetrate/istio/ztunnel:1.23.2-tetratefips-v0 diff --git a/src/istio/values/unicorn/cni.yaml b/src/istio/values/unicorn/cni.yaml new file mode 100644 index 000000000..360b88039 --- /dev/null +++ b/src/istio/values/unicorn/cni.yaml 
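Review bot: `base-cni.yaml` is wired as the shared values file for every flavor in `src/istio/common/zarf.yaml`, yet `cniConfDir` and `cniBinDir` are k3s-specific paths (`/var/lib/rancher/k3s/agent/etc/cni/net.d`, `/bin/`), which the inline comment `# values for k3s/k3d cni` acknowledges; on any other distribution the CNI plugin lands in the wrong location and ambient traffic capture silently does not happen. Ambient.md already records that the CNI needs per-platform values, so these two keys should come from a Zarf variable or a platform overlay rather than the base file, e.g. `cniConfDir: "###ZARF_VAR_<CNI_CONF_DIR>###"` with a k3s default (placeholder name — pick one matching the repo's variable naming).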
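Review bot: The new image pins in `registry1/cni.yaml`, `registry1/ztunnel.yaml`, `unicorn/cni.yaml`, `upstream/cni.yaml` and `upstream/ztunnel.yaml` carry no `# renovate: image=...` comment, unlike the existing `proxyv2` pins in `upstream/istiod.yaml`, so these versions will drift from istiod unless someone bumps them by hand. Adding the same annotation above each `image:` line, e.g. `# renovate: image=registry1.dso.mil/ironbank/opensource/istio/install-cni`, keeps the data-plane components on the same update cadence as the control plane.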
@@ -0,0 +1,5 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +cni: + image: cgr.dev/du-uds-defenseunicorns/istio-install-cni:1.23.2 diff --git a/src/istio/values/unicorn-values.yaml b/src/istio/values/unicorn/istiod.yaml similarity index 100% rename from src/istio/values/unicorn-values.yaml rename to src/istio/values/unicorn/istiod.yaml diff --git a/src/istio/values/upstream/cni.yaml b/src/istio/values/upstream/cni.yaml new file mode 100644 index 000000000..b6401b06c --- /dev/null +++ b/src/istio/values/upstream/cni.yaml @@ -0,0 +1,5 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +cni: + image: docker.io/istio/install-cni:1.23.2-distroless diff --git a/src/istio/values/upstream/istiod.yaml b/src/istio/values/upstream/istiod.yaml new file mode 100644 index 000000000..800d39f62 --- /dev/null +++ b/src/istio/values/upstream/istiod.yaml @@ -0,0 +1,12 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pilot: + image: "docker.io/istio/pilot:1.23.2-distroless" +global: + proxy_init: + # renovate: image=docker.io/istio/proxyv2 + image: "###ZARF_REGISTRY###/istio/proxyv2:1.23.2-distroless" + proxy: + # renovate: image=docker.io/istio/proxyv2 + image: "###ZARF_REGISTRY###/istio/proxyv2:1.23.2-distroless" diff --git a/src/istio/values/upstream/ztunnel.yaml b/src/istio/values/upstream/ztunnel.yaml new file mode 100644 index 000000000..289759dd7 --- /dev/null +++ b/src/istio/values/upstream/ztunnel.yaml @@ -0,0 +1,4 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +image: docker.io/istio/ztunnel:1.23.2-distroless diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index 21bae304e..82a4b902c 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml 
@@ -22,10 +22,18 @@ components: charts: - name: istiod valuesFiles: - - "values/upstream-values.yaml" + - "values/upstream/istiod.yaml" + - name: cni + valuesFiles: + - "values/upstream/cni.yaml" + - name: ztunnel + valuesFiles: + - "values/upstream/ztunnel.yaml" images: - "docker.io/istio/pilot:1.23.2-distroless" - "docker.io/istio/proxyv2:1.23.2-distroless" + - "docker.io/istio/install-cni:1.23.2-distroless" + - "docker.io/istio/ztunnel:1.23.2-distroless" - name: istio-controlplane required: true @@ -36,10 +44,20 @@ components: charts: - name: istiod valuesFiles: - - "values/registry1-values.yaml" + - "values/registry1/istiod.yaml" + - name: cni + valuesFiles: + - "values/registry1/cni.yaml" + - name: ztunnel + valuesFiles: + - "values/registry1/ztunnel.yaml" images: - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.23.2-tetratefips-v0 - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.2-tetratefips-v0 + - registry1.dso.mil/ironbank/tetrate/istio/ztunnel:1.23.2-tetratefips-v0 + # Tetrate's install-cni image is out of date currently in Ironbank but could be swapped in when updated + - registry1.dso.mil/ironbank/opensource/istio/install-cni:1.23.3 + # - registry1.dso.mil/ironbank/tetrate/istio/install-cni:1.22.6-tetratefips-v0 - name: istio-controlplane required: true 
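Review bot: In the registry1 flavor the CNI node agent is pinned to `install-cni:1.23.3` while istiod and ztunnel stay at `1.23.2`, so the ambient data plane on each node runs a different patch release from the control plane; the comment explains why the Tetrate image is not used but not whether this skew was tested. Istio generally tolerates patch-level skew, but the `images:` list, `values/registry1/cni.yaml` and the comment should state the intended resolution (bump istiod/ztunnel to 1.23.3, or pin back once the Ironbank Tetrate image catches up) so the mismatch is not carried forward by accident. The commented-out `install-cni:1.22.6-tetratefips-v0` line is fine as a breadcrumb but should reference the tracking item, if one exists.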
@@ -50,10 +68,21 @@ components: charts: - name: istiod valuesFiles: - - "values/unicorn-values.yaml" + - "values/unicorn/istiod.yaml" + - name: cni + valuesFiles: + - "values/unicorn/cni.yaml" + - name: ztunnel + valuesFiles: + - "values/upstream/ztunnel.yaml" images: - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.2 - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.23.2 + # Chainguard's install-cni-fips is not working right now, issue submitted + - cgr.dev/du-uds-defenseunicorns/istio-install-cni:1.23.2 + # Chainguard does not have the ztunnel image currently, but upstream is 0 CVE + # It is not currently FIPS though, and the IB TID FIPS image is amd64 only + - docker.io/istio/ztunnel:1.23.2-distroless - name: istio-admin-gateway required: true diff --git a/src/keycloak/chart/templates/istio-admin.yaml b/src/keycloak/chart/templates/istio-admin.yaml index 612e53d68..5453a3b21 100644 --- a/src/keycloak/chart/templates/istio-admin.yaml +++ b/src/keycloak/chart/templates/istio-admin.yaml @@ -15,7 +15,7 @@ spec: rules: - to: - operation: - ports: + ports: - "8080" paths: - "/admin*" @@ -26,7 +26,7 @@ spec: - istio-admin-gateway - to: - operation: - ports: + ports: - "8080" paths: - /metrics* @@ -37,7 +37,7 @@ spec: - monitoring - to: - operation: - ports: + ports: - "8080" paths: # Never allow anonymous client registration except from the pepr-system namespace @@ -45,14 +45,14 @@ spec: - "/realms/{{ .Values.realm }}/clients-registrations/*" from: - source: - notNamespaces: + notNamespaces: - "pepr-system" - when: - key: request.headers[istio-mtls-client-certificate] values: ["*"] to: - operation: - ports: + ports: - "8080" from: - source: diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml index 42bb8a9f5..bd51d7a54 100644 --- a/src/keycloak/chart/templates/uds-package.yaml +++ b/src/keycloak/chart/templates/uds-package.yaml 
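Review bot: The unicorn flavor pulls `docker.io/istio/ztunnel:1.23.2-distroless` via `values/upstream/ztunnel.yaml`, so in the FIPS flavor the component that terminates every ambient mTLS connection is the one non-FIPS, non-Chainguard image in the package; the comment records why, but the consequence (no validated crypto module on the L4 data plane for all ambient workloads) belongs in the PR description and in Ambient.md's future-work list. Since the comment says the Ironbank Tetrate ztunnel is amd64-only, an interim option is to use it for the amd64 build and keep the upstream image only for arm64 rather than downgrading both. The same `images:` list now mixes `cgr.dev` and `docker.io` sources, so any registry allow-listing the unicorn flavor is meant to satisfy should be rechecked.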
@@ -7,6 +7,7 @@ metadata: name: keycloak namespace: {{ .Release.Namespace }} spec: + istioAmbient: false monitor: - selector: app.kubernetes.io/name: keycloak diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index bd1020069..1c4524fce 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml @@ -10,7 +10,7 @@ image: pullPolicy: IfNotPresent # renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config versioning=semver -configImage: ghcr.io/defenseunicorns/uds/identity-config:0.6.3 +configImage: rjferguson21/uds-core-config:ambient # The public domain name of the Keycloak server domain: "###ZARF_VAR_DOMAIN###" diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index 037a18fa9..65bf24b6b 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -24,7 +24,7 @@ components: - "values/upstream-values.yaml" images: - quay.io/keycloak/keycloak:25.0.6 - - ghcr.io/defenseunicorns/uds/identity-config:0.6.3 + - rjferguson21/uds-core-config:ambient - name: keycloak required: true @@ -40,7 +40,7 @@ components: - "values/registry1-values.yaml" images: - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.6 - - ghcr.io/defenseunicorns/uds/identity-config:0.6.3 + - rjferguson21/uds-core-config:ambient - name: keycloak required: true @@ -54,4 +54,4 @@ components: - "values/unicorn-values.yaml" images: - cgr.dev/du-uds-defenseunicorns/keycloak:25.0.6 # todo: switch to FIPS image - - ghcr.io/defenseunicorns/uds/identity-config:0.6.3 + - rjferguson21/uds-core-config:ambient diff --git a/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml b/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml deleted file mode 100644 index 12ac3e56b..000000000 --- a/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml +++ /dev/null 
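Review bot: `configImage` in `src/keycloak/chart/values.yaml` and the three `images:` entries in `src/keycloak/zarf.yaml` replace the pinned `ghcr.io/defenseunicorns/uds/identity-config:0.6.3` with `rjferguson21/uds-core-config:ambient`, an unqualified Docker Hub reference under a personal namespace with a mutable tag and no digest, and it is used unchanged in the registry1 and unicorn flavors whose other images come from Ironbank and Chainguard. The `# renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config` comment left above it is now stale and will not track this image. If this is a test image the PR should stay in draft until an identity-config release ships the ambient change; otherwise pin it by digest, e.g. `configImage: rjferguson21/uds-core-config@sha256:<digest>`, and publish it from the organization's registry.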
@@ -1,20 +0,0 @@ -# Copyright 2024 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - -{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} -apiVersion: "security.istio.io/v1beta1" -kind: PeerAuthentication -metadata: - name: loki-simple-scalable - namespace: {{ .Release.Namespace }} -spec: - mtls: - mode: STRICT - selector: - matchLabels: - app.kubernetes.io/name: loki - portLevelMtls: - # GRPC exception to support Loki internal communication - "9095": - mode: PERMISSIVE -{{- end }} diff --git a/src/loki/chart/templates/uds-package.yaml b/src/loki/chart/templates/uds-package.yaml index 80b87d8eb..8e248b6f2 100644 --- a/src/loki/chart/templates/uds-package.yaml +++ b/src/loki/chart/templates/uds-package.yaml @@ -7,6 +7,7 @@ metadata: name: loki namespace: {{ .Release.Namespace }} spec: + istioAmbient: true network: allow: # Permit intra-namespace communication for gateway -> loki read/write diff --git a/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml b/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml deleted file mode 100644 index 24e4ef61c..000000000 --- a/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# Copyright 2024 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - -{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: metrics-server-api-exception - namespace: {{ .Release.Namespace }} -spec: - mtls: - mode: STRICT - selector: - matchLabels: - app.kubernetes.io/name: metrics-server - portLevelMtls: - # Allow api service calls to operate permissive since ingress originates from the nodes - "10250": - mode: PERMISSIVE -{{- end }} 
diff --git a/src/metrics-server/chart/templates/uds-package.yaml b/src/metrics-server/chart/templates/uds-package.yaml index dfe607dab..156bb12fb 100644 --- a/src/metrics-server/chart/templates/uds-package.yaml +++ b/src/metrics-server/chart/templates/uds-package.yaml @@ -7,6 +7,7 @@ metadata: name: metrics-server namespace: {{ .Release.Namespace }} spec: + istioAmbient: true network: allow: - direction: Egress diff --git a/src/neuvector/chart/templates/istio/headless-controller-service.yaml b/src/neuvector/chart/templates/istio/headless-controller-service.yaml deleted file mode 100644 index f4d5211df..000000000 --- a/src/neuvector/chart/templates/istio/headless-controller-service.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright 2024 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - -apiVersion: v1 -kind: Service -metadata: - name: controller-headless - namespace: {{ .Release.Namespace }} -spec: - type: ClusterIP - clusterIP: None - selector: - app: neuvector-controller-pod - ports: - - name: tcp-gossip-18300 - port: 18300 - protocol: TCP - targetPort: 18300 - - name: tcp-gossip-18301 - port: 18301 - protocol: TCP - targetPort: 18301 - - name: tcp-controller-grpc - port: 18400 - protocol: TCP - targetPort: 18400 - - name: tcp-controller-api - port: 10443 - protocol: TCP - targetPort: 10443 - diff --git a/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml b/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml deleted file mode 100644 index 487f6c448..000000000 --- a/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml +++ /dev/null 
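Review bot: Setting `istioAmbient: true` for metrics-server coincides with deleting `peerauthentication/metrics-api.yaml`, whose port-level PERMISSIVE entry on `10250` existed because the aggregated-API calls originate from the API server outside the mesh; in ambient that plaintext path is now governed only by the mesh-wide PeerAuthentication, which is not visible here, and Ambient.md itself describes the kube-api behaviour as "unsure if actually fixed". A validation step in the metrics-server tasks — a `wait` on the `v1beta1.metrics.k8s.io` APIService becoming Available, or a `kubectl top nodes` check — would turn that into a tested guarantee. The same question applies to the removed `30443` webhook exception in the neuvector controller PeerAuthentication.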
@@ -1,24 +0,0 @@ -# Copyright 2024 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - - -apiVersion: v1 -kind: Service -metadata: - name: enforcer-headless - namespace: {{ .Release.Namespace }} -spec: - type: ClusterIP - clusterIP: None - selector: - app: neuvector-enforcer-pod - ports: - - name: tcp-gossip - port: 18301 - protocol: TCP - targetPort: 18301 - - name: tcp-enforcer - port: 18401 - protocol: TCP - targetPort: 18401 - diff --git a/src/neuvector/chart/templates/istio/headless-scanner-service.yaml b/src/neuvector/chart/templates/istio/headless-scanner-service.yaml deleted file mode 100644 index 26ad3043e..000000000 --- a/src/neuvector/chart/templates/istio/headless-scanner-service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Copyright 2024 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - -apiVersion: v1 -kind: Service -metadata: - name: scanner-headless - namespace: {{ .Release.Namespace }} -spec: - type: ClusterIP - clusterIP: None - selector: - app: neuvector-scanner-pod - ports: - - name: tcp-scanner - port: 18402 - protocol: TCP - targetPort: 18402 diff --git a/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml b/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml deleted file mode 100644 index 90d91096d..000000000 --- a/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -# Copyright 2024 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - -{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} -apiVersion: "security.istio.io/v1beta1" -kind: PeerAuthentication -metadata: - name: controller-neuvector - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - app: neuvector-controller-pod - mtls: - mode: STRICT - portLevelMtls: - "18300": - mode: PERMISSIVE - # Allow webhooks to operate permissive since ingress originates from the nodes - "30443": - mode: PERMISSIVE -{{- end }} diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml index 484b6866e..5c457f33e 100644 --- a/src/neuvector/chart/templates/uds-package.yaml +++ b/src/neuvector/chart/templates/uds-package.yaml @@ -17,7 +17,7 @@ spec: # portName: metrics # targetPort: 8068 # description: "Metrics" - + istioAmbient: true sso: - name: Neuvector clientId: uds-core-admin-neuvector diff --git a/src/pepr/operator/controllers/istio/injection.ts b/src/pepr/operator/controllers/istio/injection.ts index 92147894a..acbcca19d 100644 --- a/src/pepr/operator/controllers/istio/injection.ts +++ b/src/pepr/operator/controllers/istio/injection.ts 
@@ -11,40 +11,77 @@ import { UDSPackage } from "../../crd";
 // configure subproject logger
 const log = setupLogger(Component.OPERATOR_ISTIO);
-const injectionLabel = "istio-injection";
-const injectionAnnotation = "uds.dev/original-istio-injection";
+const INJECTION_LABEL = "istio-injection";
+const AMBIENT_LABEL = "istio.io/dataplane-mode";
+const originalStateAnnotation = "uds.dev/original-istio-state";
+
+enum IstioState {
+ Injected = "injected",
+ Ambient = "ambient",
+ None = "none",
+}
+
+function getOriginalIstioState(ns: kind.Namespace): IstioState {
+ // Extract labels from the namespace
+ const labels = ns.metadata?.labels || {};
+
+ // Extract the relevant label values
+ const originalInjectionLabelValue = labels[INJECTION_LABEL];
+ const originalAmbientLabelValue = labels[AMBIENT_LABEL];
+
+ // Determine the original Istio state based on specific label values
+ let istioState: IstioState;
+
+ if (originalInjectionLabelValue === "enabled") {
+ istioState = IstioState.Injected;
+ } else if (originalAmbientLabelValue === "ambient") {
+ istioState = IstioState.Ambient;
+ } else {
+ istioState = IstioState.None;
+ }
+
+ return istioState;
+}
+
+function needsKill(originalIstioState: IstioState, desiredIstioState: IstioState): boolean {
+ return (
+ (originalIstioState !== desiredIstioState && originalIstioState === IstioState.Injected) ||
+ desiredIstioState === IstioState.Injected
+ );
+}
 /**
- * Syncs the package namespace istio-injection label and adds a label for the package name
+ * Syncs the package namespace istio state and adds a label for the package name
 *
 * @param pkg
 */
-export async function enableInjection(pkg: UDSPackage) {
+export async function enableIstio(pkg: UDSPackage) {
 if (!pkg.metadata?.namespace || !pkg.metadata.name) {
 throw new Error(`Invalid Package definition, missing namespace or name`);
 }
 const sourceNS = await K8s(kind.Namespace).Get(pkg.metadata.namespace);
 const labels = sourceNS.metadata?.labels || {};
 const
originalInjectionLabel = labels[injectionLabel];
 const annotations = sourceNS.metadata?.annotations || {};
 const pkgKey = `uds.dev/pkg-${pkg.metadata.name}`;
+ const desiredIstioState = pkg.spec!.istioAmbient ? IstioState.Ambient : IstioState.Injected;
 // Mark the original namespace injection setting for if all packages are removed
- if (!annotations[injectionAnnotation]) {
- annotations[injectionAnnotation] = originalInjectionLabel || "non-existent";
+ const originalIstioState = getOriginalIstioState(sourceNS);
+ if (!annotations[originalStateAnnotation]) {
+ annotations[originalStateAnnotation] = originalIstioState;
 }
 // Ensure the namespace is configured
- if (!annotations[pkgKey] || originalInjectionLabel !== "enabled") {
- // Ensure Istio injection is enabled
- labels[injectionLabel] = "enabled";
-
+ if (!annotations[pkgKey] || originalIstioState !== desiredIstioState) {
 // Add the package annotation
 annotations[pkgKey] = "true";
+ labels[AMBIENT_LABEL] = desiredIstioState === IstioState.Ambient ? "ambient" : "none";
+ labels[INJECTION_LABEL] = desiredIstioState === IstioState.Ambient ? "disabled" : "enabled";
+
 // Apply the updated Namespace
- log.debug(`Updating namespace ${pkg.metadata.namespace} with istio injection label`);
+ log.debug(`Updating namespace ${pkg.metadata.namespace} with istio labels`);
 await K8s(kind.Namespace).Apply(
 {
 metadata: {
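Review bot: `desiredIstioState` is derived per package but the namespace is shared, so two Packages in the same namespace with different `istioAmbient` values will each see `originalIstioState !== desiredIstioState` on their own reconcile, relabel the namespace and call `killPods`, flipping the namespace between modes and deleting its pods on every alternating reconcile. Before applying, check for an existing, conflicting claim — when `annotations[pkgKey]` is unset but another `uds.dev/pkg-*` annotation exists and the current state differs from the desired one, reject or at least log the conflict instead of relabelling. `pkg.spec!.istioAmbient` also uses a non-null assertion where `pkg.spec?.istioAmbient` gives the same result without bypassing the checker. The function body continues past the end of this hunk.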
@@ -56,12 +93,10 @@ export async function enableInjection(pkg: UDSPackage) {
 { force: true },
 );
- // Kill the pods if we changed the value of the istio-injection label
- if (originalInjectionLabel !== labels[injectionLabel]) {
- log.debug(
- `Attempting pod restart in ${pkg.metadata.namespace} based on istio injection label change`,
- );
- await killPods(pkg.metadata.namespace, true);
+ // Kill the pods if we are switching istio modes
+ if (needsKill(originalIstioState, desiredIstioState)) {
+ log.debug(`Attempting pod restart in ${pkg.metadata.namespace} based on istio state change`);
+ await killPods(pkg.metadata.namespace, desiredIstioState);
 }
 }
 }
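Review bot: `needsKill(originalIstioState, desiredIstioState)` is true whenever the desired state is `Injected`, even when the original state was already `Injected`, so every reconcile of a sidecar namespace lists and filters all of its pods; `killPods` then skips the ones that already have a sidecar, which makes this a steady-state no-op but a non-obvious one. If sweeping up pods created before the injection label was applied is the intent, say so where `needsKill` is defined: `// Always sweep when injecting: pods started before the label was applied have no sidecar and must be recreated`. The enclosing function starts outside this hunk.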
@@ -78,24 +113,34 @@ export async function cleanupNamespace(pkg: UDSPackage) {
 const sourceNS = await K8s(kind.Namespace).Get(pkg.metadata.namespace);
 const labels = sourceNS.metadata?.labels || {};
- const originalInjectionLabel = labels[injectionLabel];
 const annotations = sourceNS.metadata?.annotations || {};
+ const originalIstioState = getOriginalIstioState(sourceNS);
 // Remove the package annotation
 delete annotations[`uds.dev/pkg-${pkg.metadata.name}`];
 // If there are no more UDS Package annotations, restore the original value of the istio-injection label
+ const desiredIstioState = annotations[originalStateAnnotation] as IstioState;
 if (!Object.keys(annotations).find(key => key.startsWith("uds.dev/pkg-"))) {
- labels[injectionLabel] = annotations[injectionAnnotation];
- // If the original value was non-existent, remove the label
- if (labels[injectionLabel] === "non-existent") {
- delete labels[injectionLabel];
+ switch (desiredIstioState) {
+ case IstioState.Ambient:
+ labels[AMBIENT_LABEL] = "ambient";
+ labels[INJECTION_LABEL] = "disabled";
+ break;
+ case IstioState.Injected:
+ labels[AMBIENT_LABEL] = "none";
+ labels[INJECTION_LABEL] = "enabled";
+ break;
+ case IstioState.None:
+ labels[AMBIENT_LABEL] = "none";
+ labels[INJECTION_LABEL] = "disabled";
+ break;
 }
- delete annotations[injectionAnnotation];
+ delete annotations[originalStateAnnotation];
 }
 // Apply the updated Namespace
- log.debug(`Updating namespace ${pkg.metadata.namespace}, removing istio injection labels.`);
+ log.debug(`Updating namespace ${pkg.metadata.namespace}, applying original istio state labels.`);
 await K8s(kind.Namespace).Apply(
 {
 metadata: {
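Review bot: `annotations[originalStateAnnotation] as IstioState` is an unchecked cast, and the annotation key changed from `uds.dev/original-istio-injection` to `uds.dev/original-istio-state` with no migration, so on a namespace annotated by the previous operator version `desiredIstioState` is `undefined`: the `switch` matches nothing, the labels stay as they are, the stale annotation is never deleted, and the value is still handed to `needsKill` and `killPods` further down. Read the old key as a fallback and validate the result, e.g. `const stored = annotations[originalStateAnnotation] ?? (annotations["uds.dev/original-istio-injection"] === "enabled" ? IstioState.Injected : IstioState.None);` followed by a check that `stored` is one of the enum values, and give the `switch` a `default:` branch that logs the unexpected value. The function continues outside this hunk.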
@@ -107,12 +152,10 @@ export async function cleanupNamespace(pkg: UDSPackage) {
 { force: true },
 );
 
- // Kill the pods if we changed the value of the istio-injection label
- if (originalInjectionLabel !== labels[injectionLabel]) {
- log.debug(
- `Attempting pod restart in ${pkg.metadata.namespace} based on istio injection label change`,
- );
- await killPods(pkg.metadata.namespace, false);
+ // Kill the pods if we changed the istio state
+ if (needsKill(originalIstioState, desiredIstioState)) {
+ log.debug(`Attempting pod restart in ${pkg.metadata.namespace} based on istio state change`);
+ await killPods(pkg.metadata.namespace, desiredIstioState);
 }
 }
 
@@ -122,7 +165,7 @@ export async function cleanupNamespace(pkg: UDSPackage) {
 * @param ns
 * @param enableInjection
 */
-async function killPods(ns: string, enableInjection: boolean) {
+async function killPods(ns: string, desiredIstioState: string) {
 // Get all pods in the namespace
 const pods = await K8s(kind.Pod).InNamespace(ns).Get();
 const groups: Record = {};
@@ -138,13 +181,13 @@ async function killPods(ns: string, enableInjection: boolean) {
 const foundSidecar = pod.spec?.containers?.find(c => c.name === "istio-proxy");
 
 // If enabling injection, ignore pods that already have the istio sidecar
- if (enableInjection && foundSidecar) {
+ if (desiredIstioState === IstioState.Injected && foundSidecar) {
 log.debug(`Ignoring Pod ${ns}/${pod.metadata?.name}, already has sidecar`);
 continue;
 }
 
 // If disabling injection, ignore pods that don't have the istio sidecar
- if (!enableInjection && !foundSidecar) {
+ if (desiredIstioState !== IstioState.Injected && !foundSidecar) {
 log.debug(`Ignoring Pod ${ns}/${pod.metadata?.name}, injection disabled`);
 continue;
 }
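Review bot: `desiredIstioState: string` in the killPods signature (hunk `@@ -122`) is wider than the `IstioState` values the body compares against in hunk `@@ -138`, so a caller passing an arbitrary string compiles and silently takes the "not Injected" branch; typing the parameter as `IstioState` lets the compiler reject that. The TSDoc directly above the signature still lists `@param enableInjection`, which no longer exists, and should become `@param desiredIstioState the istio mode the namespace is moving to; decides which pods need a restart`. The second guard's comment and log text (`injection disabled`) now also cover the ambient case, where pods without a sidecar are skipped, so `// If not moving to sidecar mode, pods without a sidecar need no restart` would describe the condition accurately. killPods's body continues outside these hunks.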
@@ -164,8 +207,7 @@ async function killPods(ns: string, enableInjection: boolean) {
 }
 
 for (const pod of group) {
- const action = enableInjection ? "enable" : "remove";
- log.info(`Deleting pod ${ns}/${pod.metadata?.name} to ${action} the istio sidecar`);
+ log.info(`Deleting pod ${ns}/${pod.metadata?.name} to switch to ${desiredIstioState} mode`);
 await K8s(kind.Pod).Delete(pod);
 }
 }
diff --git a/src/pepr/operator/controllers/network/defaults/allow-ztunnel.ts b/src/pepr/operator/controllers/network/defaults/allow-ztunnel.ts
new file mode 100644
index 000000000..40a17cfdc
--- /dev/null
+++ b/src/pepr/operator/controllers/network/defaults/allow-ztunnel.ts
@@ -0,0 +1,23 @@
+/**
+ * Copyright 2024 Defense Unicorns
+ * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+ */
+
+import { Direction } from "../../../crd";
+import { generate } from "../generate";
+
+export const allowIngressZtunnel = (namespace: string) =>
+ generate(namespace, {
+ direction: Direction.Ingress,
+ description: "Ztunnel",
+ remoteNamespace: "*",
+ port: 15008,
+ });
+
+export const allowEgressZtunnel = (namespace: string) =>
+ generate(namespace, {
+ direction: Direction.Egress,
+ description: "Ztunnel",
+ remoteNamespace: "*",
+ port: 15008,
+ });
diff --git a/src/pepr/operator/controllers/network/policies.ts b/src/pepr/operator/controllers/network/policies.ts
index 24a53cc88..dabcd5e89 100644
--- a/src/pepr/operator/controllers/network/policies.ts
+++ b/src/pepr/operator/controllers/network/policies.ts
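Review bot: The two exported helpers in allow-ztunnel.ts carry no TSDoc, and the only explanation a reader gets for `port: 15008` and `remoteNamespace: "*"` is the description string `"Ztunnel"`; a file header such as `/** Default rules allowing HBONE traffic (Istio's port 15008) to and from ztunnel so ambient-mode workloads in the namespace stay reachable; the wildcard remote namespace is deliberate because the peer is the node-level ztunnel rather than a workload namespace — confirm */` would record why a wildcard is accepted in an otherwise default-deny rule set. The two literals differ only in `direction`, so hoisting `const ztunnelRule = { description: "Ztunnel", remoteNamespace: "*", port: 15008 } as const;` and spreading it into each `generate` call removes the duplication.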
@@ -11,6 +11,7 @@ import { getOwnerRef, purgeOrphans, sanitizeResourceName } from "../utils";
 import { allowEgressDNS } from "./defaults/allow-egress-dns";
 import { allowEgressIstiod } from "./defaults/allow-egress-istiod";
 import { allowIngressSidecarMonitoring } from "./defaults/allow-ingress-sidecar-monitoring";
+import { allowEgressZtunnel, allowIngressZtunnel } from "./defaults/allow-ztunnel";
 import { defaultDenyAll } from "./defaults/default-deny-all";
 import { generate } from "./generate";
 
@@ -36,6 +37,8 @@ export async function networkPolicies(pkg: UDSPackage, namespace: string) {
 
 // Istio rules
 allowEgressIstiod(namespace),
+ allowIngressZtunnel(namespace),
+ allowEgressZtunnel(namespace),
 allowIngressSidecarMonitoring(namespace),
 ];
 
diff --git a/src/pepr/operator/crd/generated/package-v1alpha1.ts b/src/pepr/operator/crd/generated/package-v1alpha1.ts
index 1bed25c65..d1e9c02dd 100644
--- a/src/pepr/operator/crd/generated/package-v1alpha1.ts
+++ b/src/pepr/operator/crd/generated/package-v1alpha1.ts
@@ -11,6 +11,10 @@ export class Package extends GenericKind {
 }
 
 export interface Spec {
+ /**
+ * Whether or not to enable Istio Ambient mode, defaults to non-ambient (injected)
+ */
+ istioAmbient?: boolean;
 /**
 * Create Service or Pod Monitor configurations
 */
diff --git a/src/pepr/operator/crd/sources/package/v1alpha1.ts b/src/pepr/operator/crd/sources/package/v1alpha1.ts
index bac9b73c6..f8864ed6e 100644
--- a/src/pepr/operator/crd/sources/package/v1alpha1.ts
+++ b/src/pepr/operator/crd/sources/package/v1alpha1.ts
@@ -531,6 +531,11 @@ export const v1alpha1: V1CustomResourceDefinitionVersion = {
 },
 monitor,
 sso,
+ istioAmbient: {
+ type: "boolean",
+ description:
+ "Whether or not to enable Istio Ambient mode, defaults to non-ambient (injected)",
+ },
 },
 } as V1JSONSchemaProps,
 },
diff --git a/src/pepr/operator/reconcilers/package-reconciler.ts b/src/pepr/operator/reconcilers/package-reconciler.ts
index a74a1ab38..25d39a50b 100644
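Review bot: `allowIngressZtunnel(namespace)` and `allowEgressZtunnel(namespace)` are added to every package's default rule list in the `@@ -36` hunk of policies.ts regardless of the new `istioAmbient` spec field, so a namespace that stays sidecar-injected (authservice sets `istioAmbient: false` in this same change) now also accepts ingress on port 15008 from any namespace. If the wildcard is only needed for ambient workloads, gating the two entries on the flag, e.g. `...(pkg.spec?.istioAmbient ? [allowIngressZtunnel(namespace), allowEgressZtunnel(namespace)] : []),`, leaves the default-deny posture of injected namespaces as it was; if ztunnel traffic must be allowed everywhere, a one-line comment next to the entries saying why would spare the next reader the same question. networkPolicies's body continues outside this hunk.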
--- a/src/pepr/operator/reconcilers/package-reconciler.ts
+++ b/src/pepr/operator/reconcilers/package-reconciler.ts
@@ -6,7 +6,7 @@ import { handleFailure, shouldSkip, updateStatus, writeEvent } from ".";
 import { UDSConfig } from "../../config";
 import { Component, setupLogger } from "../../logger";
-import { cleanupNamespace, enableInjection } from "../controllers/istio/injection";
+import { cleanupNamespace, enableIstio } from "../controllers/istio/injection";
 import { istioResources } from "../controllers/istio/istio-resources";
 import {
 authservice,
@@ -72,7 +72,7 @@ export async function packageReconciler(pkg: UDSPackage) {
 let endpoints: string[] = [];
 
 // Update the namespace to ensure the istio-injection label is set
- await enableInjection(pkg);
+ await enableIstio(pkg);
 
 let ssoClients = new Map();
 let authserviceClients: string[] = [];
diff --git a/src/pepr/prometheus/index.ts b/src/pepr/prometheus/index.ts
deleted file mode 100644
index cb06542b4..000000000
--- a/src/pepr/prometheus/index.ts
+++ /dev/null
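Review bot: The comment above the renamed call in the `@@ -72` hunk still reads `// Update the namespace to ensure the istio-injection label is set`, but `enableIstio(pkg)` now also selects ambient mode from the new `istioAmbient` spec field and may restart pods on a mode switch, so the comment should say `// Label the namespace for the istio mode (ambient or sidecar injection) the package requests`. packageReconciler's body continues outside this hunk.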
@@ -1,113 +0,0 @@ -/** - * Copyright 2024 Defense Unicorns - * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - */ - -import { Capability, K8s, kind } from "pepr"; -import { Component, setupLogger } from "../logger"; -import { - PodMonitorEndpoint, - PodMonitorScheme, - PrometheusPodMonitor, - PrometheusServiceMonitor, - ServiceMonitorEndpoint, - ServiceMonitorScheme, -} from "../operator/crd"; -// configure subproject logger -const log = setupLogger(Component.PROMETHEUS); - -export const prometheus = new Capability({ - name: "prometheus", - description: "UDS Core Capability for the Prometheus stack.", -}); - -const { When } = prometheus; - -/** - * Mutate a service monitor to exclude it from mTLS metrics with `exempt` scrapeClass - */ -When(PrometheusServiceMonitor) - .IsCreatedOrUpdated() - .Mutate(async sm => { - if (sm.Raw.spec === undefined || sm.Raw.spec.scrapeClass != undefined) { - return; - } - - // Add an exempt scrape class if explicitly opted out via annotation OR targeting a non-istio-injected namespace - if ( - sm.Raw.metadata?.annotations?.["uds/skip-mutate"] || - sm.Raw.metadata?.annotations?.["uds/skip-sm-mutate"] || - !(await isIstioInjected(sm)) - ) { - log.info( - `Mutating scrapeClass to exempt ServiceMonitor ${sm.Raw.metadata?.name} from default scrapeClass mTLS config`, - ); - sm.Raw.spec.scrapeClass = "exempt"; - - return; - } else { - log.info(`Patching service monitor ${sm.Raw.metadata?.name} for mTLS metrics`); - // Note: this tlsConfig patch is deprecated in favor of a default scrape class for both service and pod monitors - const tlsConfig = { - caFile: "/etc/prom-certs/root-cert.pem", - certFile: "/etc/prom-certs/cert-chain.pem", - keyFile: "/etc/prom-certs/key.pem", - insecureSkipVerify: true, - }; - const endpoints: ServiceMonitorEndpoint[] = sm.Raw.spec.endpoints || []; - endpoints.forEach(endpoint => { - endpoint.scheme = ServiceMonitorScheme.HTTPS; - endpoint.tlsConfig = tlsConfig; - }); - 
sm.Raw.spec.endpoints = endpoints; - } - }); - -/** - * Mutate a pod monitor to exclude it from mTLS metrics with `exempt` scrapeClass - */ -When(PrometheusPodMonitor) - .IsCreatedOrUpdated() - .Mutate(async pm => { - if (pm.Raw.spec === undefined || pm.Raw.spec.scrapeClass != undefined) { - return; - } - - // Add an exempt scrape class if explicitly opted out via annotation OR targeting a non-istio-injected namespace - if (pm.Raw.metadata?.annotations?.["uds/skip-mutate"] || !(await isIstioInjected(pm))) { - log.info( - `Mutating scrapeClass to exempt PodMonitor ${pm.Raw.metadata?.name} from default scrapeClass mTLS config`, - ); - pm.Raw.spec.scrapeClass = "exempt"; - - return; - } else { - log.info(`Patching pod monitor ${pm.Raw.metadata?.name} for mTLS metrics`); - const endpoints: PodMonitorEndpoint[] = pm.Raw.spec.podMetricsEndpoints || []; - endpoints.forEach(endpoint => { - endpoint.scheme = PodMonitorScheme.HTTPS; - }); - pm.Raw.spec.podMetricsEndpoints = endpoints; - } - }); - -// This assumes istio-injection == strict mTLS due to complexity around mTLS lookup -async function isIstioInjected(monitor: PrometheusServiceMonitor | PrometheusPodMonitor) { - // If monitor allows any namespace assume istio injection - if (monitor.Raw.spec?.namespaceSelector?.any) { - return true; - } - - const namespaces = monitor.Raw.spec?.namespaceSelector?.matchNames || [ - monitor.Raw.metadata?.namespace, - ] || ["default"]; - - for (const ns of namespaces) { - const namespace = await K8s(kind.Namespace).Get(ns); - if (namespace.metadata?.labels && namespace.metadata.labels["istio-injection"] === "enabled") { - return true; - } - } - - return false; -} diff --git a/src/prometheus-stack/chart/templates/istio-monitor.yaml b/src/prometheus-stack/chart/templates/istio-monitor.yaml index 674346d35..e9da5f62a 100644 --- a/src/prometheus-stack/chart/templates/istio-monitor.yaml +++ b/src/prometheus-stack/chart/templates/istio-monitor.yaml 
@@ -7,8 +7,6 @@ kind: PodMonitor metadata: name: envoy-stats-monitor namespace: istio-system - annotations: - uds/skip-mutate: "true" spec: selector: matchExpressions: diff --git a/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml b/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml deleted file mode 100644 index 45b36d696..000000000 --- a/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# Copyright 2024 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - -{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} -apiVersion: "security.istio.io/v1beta1" -kind: PeerAuthentication -metadata: - name: prometheus-operator-webhook - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - app: kube-prometheus-stack-operator - mtls: - mode: STRICT - portLevelMtls: - # Allow webhooks to operate permissive since ingress originates from the nodes - "10250": - mode: PERMISSIVE -{{- end }} diff --git a/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml b/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml index e9ea8bb10..f3e88cdcd 100644 --- a/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml +++ b/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml @@ -7,8 +7,6 @@ kind: PodMonitor metadata: name: prometheus-pod-monitor namespace: monitoring - annotations: - uds/skip-mutate: "true" spec: selector: matchLabels: diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml index fd049e994..ba6d22305 100644 --- a/src/prometheus-stack/chart/templates/uds-package.yaml +++ b/src/prometheus-stack/chart/templates/uds-package.yaml 
@@ -7,6 +7,7 @@ metadata: name: prometheus-stack namespace: {{ .Release.Namespace }} spec: + istioAmbient: true network: allow: # Permit intra-namespace communication diff --git a/src/prometheus-stack/values/values.yaml b/src/prometheus-stack/values/values.yaml index 216b6c78c..d2ccff2ca 100644 --- a/src/prometheus-stack/values/values.yaml +++ b/src/prometheus-stack/values/values.yaml @@ -27,23 +27,7 @@ prometheus: prometheusSpec: enableFeatures: - remote-write-receiver - additionalConfig: - scrapeClasses: - - name: istio-certs - default: true - tlsConfig: - caFile: /etc/prom-certs/root-cert.pem - certFile: /etc/prom-certs/cert-chain.pem - keyFile: /etc/prom-certs/key.pem - insecureSkipVerify: true - - name: exempt podMetadata: - annotations: - proxy.istio.io/config: | - proxyMetadata: - OUTPUT_CERTS: /etc/istio-output-certs - sidecar.istio.io/userVolumeMount: '[{"name": "istio-certs", "mountPath": "/etc/istio-output-certs"}]' - traffic.sidecar.istio.io/includeOutboundIPRanges: "" labels: app: prometheus podMonitorSelectorNilUsesHelmValues: false @@ -107,12 +91,3 @@ prometheusOperator: requests: cpu: 100m memory: 512Mi - -alertmanager: - alertmanagerSpec: - scheme: "https" - tlsConfig: - caFile: /etc/prom-certs/root-cert.pem - certFile: /etc/prom-certs/cert-chain.pem - insecureSkipVerify: true - keyFile: /etc/prom-certs/key.pem diff --git a/src/test/app-admin.yaml b/src/test/app-admin.yaml index 09e771b36..924364b01 100644 --- a/src/test/app-admin.yaml +++ b/src/test/app-admin.yaml @@ -5,6 +5,8 @@ apiVersion: v1 kind: Namespace metadata: name: test-admin-app + labels: + istio.io/dataplane-mode: ambient --- apiVersion: uds.dev/v1alpha1 kind: Package @@ -12,6 +14,7 @@ metadata: name: httpbin namespace: test-admin-app spec: + istioAmbient: true network: expose: - service: httpbin diff --git a/src/test/app-tenant.yaml b/src/test/app-tenant.yaml index e377cd25e..6be1033ca 100644 --- a/src/test/app-tenant.yaml +++ b/src/test/app-tenant.yaml 
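Review bot: Removing the `istio-certs` default scrape class and the alertmanager `tlsConfig` from values.yaml deletes the only place the file explained how Prometheus reached mTLS-protected targets, and nothing replaces that explanation; a comment under `prometheusSpec` such as `# No scrape TLS config: this namespace runs in Istio ambient mode (istioAmbient: true) and ztunnel handles mTLS transparently` would record the new assumption for the next person who wonders where the certificates went. It is also worth confirming that scrapes of packages that stay sidecar-injected with strict peer authentication (authservice sets `istioAmbient: false` in this same change) still succeed from the now-ambient Prometheus, since the client certificate those targets previously received is gone; the removal of `insecureSkipVerify: true` is itself a welcome hardening.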
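Review bot: The app-admin.yaml fixture pre-labels the `test-admin-app` namespace with `istio.io/dataplane-mode: ambient` and also sets `istioAmbient: true` on its Package (app-tenant.yaml on the next line does the same), so the namespace is already ambient before the operator reconciles it; assuming `getOriginalIstioState` derives the original state from that label, the operator records ambient as the original and the label-switch and pod-restart path in `enableIstio` is never exercised by these tests. Dropping the manual label from one of the fixtures, or adding a test that starts from an unlabelled namespace, would cover the operator-managed transition.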
@@ -5,6 +5,8 @@ apiVersion: v1 kind: Namespace metadata: name: test-tenant-app + labels: + istio.io/dataplane-mode: ambient --- apiVersion: uds.dev/v1alpha1 kind: Package @@ -12,6 +14,7 @@ metadata: name: test-tenant-app namespace: test-tenant-app spec: + istioAmbient: true network: expose: - service: test-tenant-app diff --git a/src/test/chart/templates/package.yaml b/src/test/chart/templates/package.yaml index c9fa7b778..6f33919c2 100644 --- a/src/test/chart/templates/package.yaml +++ b/src/test/chart/templates/package.yaml @@ -7,6 +7,7 @@ metadata: name: podinfo namespace: podinfo spec: + istioAmbient: true monitor: - selector: app.kubernetes.io/name: podinfo diff --git a/src/velero/chart/templates/uds-package.yaml b/src/velero/chart/templates/uds-package.yaml index c096f7222..31c6e7529 100644 --- a/src/velero/chart/templates/uds-package.yaml +++ b/src/velero/chart/templates/uds-package.yaml @@ -7,6 +7,7 @@ metadata: name: velero namespace: {{ .Release.Namespace }} spec: + istioAmbient: true network: allow: # Egress for S3 connections diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 3227c6f82..a9faf632a 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -1,7 +1,6 @@ # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - includes: - utils: utils.yaml