feat: Add istio configuration for sn-operator (#72)

streamnative · May 30, 2024 · a8bf092 · a8bf092
1 parent 9901a65
commit a8bf092
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 1 deletion.
diff --git a/modules/istio-operator/values.yaml.tftpl b/modules/istio-operator/values.yaml.tftpl
@@ -34,7 +34,7 @@ controlPlane:
           # kube-prometheus-stack
           ## Admission Webhook jobs do not terminate as expected with istio-proxy
           - matchExpressions:
-            - {key: app, operator: In, values: [kube-prometheus-stack-admission-create,kube-prometheus-stack-admission-patch,kube-prometheus-stack-operator,sn-operator,flink-operator]}
+            - {key: app, operator: In, values: [kube-prometheus-stack-admission-create,kube-prometheus-stack-admission-patch,kube-prometheus-stack-operator]}
 
     meshConfig:
       trustDomain: ${trust_domain}

diff --git a/modules/olm-subscriptions/chart/templates/istio.yaml b/modules/olm-subscriptions/chart/templates/istio.yaml
@@ -0,0 +1,21 @@
+{{- if and .Values.istio.enabled }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ .Values.pulsar.name }}
+  namespace: {{ .Values.istio.rootNamespace }}
+spec:
+  selector:
+    matchLabels:
+      # well-known labels
+      cloud.streamnative.io/app: pulsar
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            principals: 
+            - "cluster.local/ns/{{ .Values.install_namespace }}/sa/sn-operator-controller-manager"
+            - "cluster.local/ns/{{ .Values.install_namespace }}/sa/zookeeper-operator-controller-manager"
+            - "cluster.local/ns/{{ .Values.install_namespace }}/sa/bookkeeper-operator-controller-manager"
+            - "cluster.local/ns/{{ .Values.install_namespace }}/sa/pulsar-operator-controller-manager"
+{{- end }}
diff --git a/modules/olm-subscriptions/chart/templates/sn-operator.yaml b/modules/olm-subscriptions/chart/templates/sn-operator.yaml
@@ -40,4 +40,22 @@ spec:
     envFrom:
     {{- toYaml .Values.sn_operator.config.envFrom | nindent 4 }}
     {{- end }}
+---
+{{- if and .Values.istio.enabled }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ .Values.sn_operator.name }}
+  namespace: {{ .Values.istio.rootNamespace }}
+spec:
+  selector:
+    matchLabels:
+      # well-known labels
+      cloud.streamnative.io/app: pulsar
+  action: ALLOW
+  rules:
+    - from:
+        - source:
+            principals: ["cluster.local/ns/{{ .Values.install_namespace }}/sa/sn-operator-controller-manager"]
+{{- end }}
 {{- end }}