From a8bf092a77f495ce07c061d68dd71a371a622c0f Mon Sep 17 00:00:00 2001
From: Yisheng Cai
Date: Thu, 30 May 2024 16:09:17 +0800
Subject: [PATCH] feat: Add istio configuration for sn-operator (#72)

---
 modules/istio-operator/values.yaml.tftpl | 2 +-
 .../chart/templates/istio.yaml | 21 +++++++++++++++++++
 .../chart/templates/sn-operator.yaml | 18 ++++++++++++++++
 3 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 modules/olm-subscriptions/chart/templates/istio.yaml

diff --git a/modules/istio-operator/values.yaml.tftpl b/modules/istio-operator/values.yaml.tftpl
index ef3867c..69ed018 100644
--- a/modules/istio-operator/values.yaml.tftpl
+++ b/modules/istio-operator/values.yaml.tftpl
@@ -34,7 +34,7 @@ controlPlane:
 # kube-prometheus-stack
 ## Admission Webhook jobs do not terminate as expected with istio-proxy
 - matchExpressions:
- - {key: app, operator: In, values: [kube-prometheus-stack-admission-create,kube-prometheus-stack-admission-patch,kube-prometheus-stack-operator,sn-operator,flink-operator]}
+ - {key: app, operator: In, values: [kube-prometheus-stack-admission-create,kube-prometheus-stack-admission-patch,kube-prometheus-stack-operator]}
 meshConfig:
 trustDomain: ${trust_domain}
diff --git a/modules/olm-subscriptions/chart/templates/istio.yaml b/modules/olm-subscriptions/chart/templates/istio.yaml
new file mode 100644
index 0000000..ddaffa8
--- /dev/null
+++ b/modules/olm-subscriptions/chart/templates/istio.yaml
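Review bot: The new line also drops `flink-operator` from the selector, while the commit title and the two AuthorizationPolicy templates added in this patch only concern sn-operator; if this is the never-inject list the comment above it describes, flink-operator pods would now receive an istio-proxy sidecar with no matching authorization policy in this commit. Either keep `flink-operator` in the list here, or extend the comment to state why both operators are removed, e.g. `## sn-operator and flink-operator now run with the sidecar; see olm-subscriptions templates/istio.yaml`. As a point of style, the flow sequence has no space after its commas; `values: [kube-prometheus-stack-admission-create, kube-prometheus-stack-admission-patch, kube-prometheus-stack-operator]` reads more easily.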
@@ -0,0 +1,21 @@
+{{- if and .Values.istio.enabled }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ .Values.pulsar.name }}
+ namespace: {{ .Values.istio.rootNamespace }}
+spec:
+ selector:
+ matchLabels:
+ # well-known labels
+ cloud.streamnative.io/app: pulsar
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ principals:
+ - "cluster.local/ns/{{ .Values.install_namespace }}/sa/sn-operator-controller-manager"
+ - "cluster.local/ns/{{ .Values.install_namespace }}/sa/zookeeper-operator-controller-manager"
+ - "cluster.local/ns/{{ .Values.install_namespace }}/sa/bookkeeper-operator-controller-manager"
+ - "cluster.local/ns/{{ .Values.install_namespace }}/sa/pulsar-operator-controller-manager"
+{{- end }}
\ No newline at end of file
diff --git a/modules/olm-subscriptions/chart/templates/sn-operator.yaml b/modules/olm-subscriptions/chart/templates/sn-operator.yaml
index 037971f..2e7dfdd 100644
--- a/modules/olm-subscriptions/chart/templates/sn-operator.yaml
+++ b/modules/olm-subscriptions/chart/templates/sn-operator.yaml
@@ -40,4 +40,22 @@ spec:
 envFrom:
 {{- toYaml .Values.sn_operator.config.envFrom | nindent 4 }}
 {{- end }}
+---
+{{- if and .Values.istio.enabled }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ .Values.sn_operator.name }}
+ namespace: {{ .Values.istio.rootNamespace }}
+spec:
+ selector:
+ matchLabels:
+ # well-known labels
+ cloud.streamnative.io/app: pulsar
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ principals: ["cluster.local/ns/{{ .Values.install_namespace }}/sa/sn-operator-controller-manager"]
+{{- end }}
 {{- end }}
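Review bot: Because Istio denies every request to a workload covered by an `action: ALLOW` policy that no ALLOW rule matches, this policy in `.Values.istio.rootNamespace` selects every `cloud.streamnative.io/app: pulsar` pod mesh-wide and, unless ALLOW policies for the same pods exist outside this diff, blocks client and inter-component traffic that does not come from the four operator service accounts. If granting the operators access is the only intent, document the dependency above `action: ALLOW`, e.g. `# ALLOW is deny-by-default for matched workloads: client traffic needs its own policy`, or confirm the complementary policies are in place. `{{- if and .Values.istio.enabled }}` applies `and` to a single operand; `{{- if .Values.istio.enabled }}` is the idiom. Templated scalars such as `name: {{ .Values.pulsar.name }}` are safer quoted (`name: "{{ .Values.pulsar.name }}"`) so an empty or number-like value keeps its type, and the file should end with a newline.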
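Review bot: The AuthorizationPolicy added at the end of this file duplicates the one this commit adds in `modules/olm-subscriptions/chart/templates/istio.yaml`: same selector `cloud.streamnative.io/app: pulsar`, same `namespace: {{ .Values.istio.rootNamespace }}`, and a principal list that is a strict subset of it, so it grants nothing extra, leaves two places to keep in sync, and collides on name if `.Values.sn_operator.name` ever renders the same string as `.Values.pulsar.name`. Keep the single policy in istio.yaml, or drop that one and fold its principals into this one, rather than rendering both. The `---` is emitted before the `{{- if and .Values.istio.enabled }}` guard rather than inside it, so an empty trailing document is rendered when istio is disabled; moving `---` below the `if` avoids that, and `and` with one operand can be dropped as in `{{- if .Values.istio.enabled }}`. The outer `{{- if }}` closed by the final context line starts outside the hunk.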