diff --git a/charts/sn-platform-slim/templates/bookkeeper/bookkeeper-authorizationpolicy.yaml b/charts/sn-platform-slim/templates/bookkeeper/bookkeeper-authorizationpolicy.yaml
index 463e36dd0..e78e4a895 100644
--- a/charts/sn-platform-slim/templates/bookkeeper/bookkeeper-authorizationpolicy.yaml
+++ b/charts/sn-platform-slim/templates/bookkeeper/bookkeeper-authorizationpolicy.yaml
@@ -10,11 +10,20 @@ metadata:
 namespace: {{ template "pulsar.namespace" . }}
 spec:
 rules:
- - to:
+ - {{- if .Values.bookkeeper.authorizationPolicy.from }}
+ from:
+{{ toYaml .Values.bookkeeper.authorizationPolicy.from | indent 4 }}
+ {{- end }}
+ {{- if .Values.bookkeeper.authorizationPolicy.to }}
+ to:
+{{ toYaml .Values.bookkeeper.authorizationPolicy.to | indent 4 }}
+ {{- else }}
+ to:
 - operation:
 ports:
 - "3181"
 - "8000"
+ {{- end }}
 action: ALLOW
 selector:
 matchLabels:
@@ -30,10 +39,19 @@ metadata:
 namespace: {{ template "pulsar.namespace" . }}
 spec:
 rules:
- - to:
+ - {{- if .Values.autorecovery.authorizationPolicy.from }}
+ from:
+{{ toYaml .Values.autorecovery.authorizationPolicy.from | indent 4 }}
+ {{- end }}
+ {{- if .Values.autorecovery.authorizationPolicy.to }}
+ to:
+{{ toYaml .Values.autorecovery.authorizationPolicy.to | indent 4 }}
+ {{- else }}
+ to:
 - operation:
 ports:
 - "{{ .Values.autorecovery.ports.http }}"
+ {{- end }}
 action: ALLOW
 selector:
 matchLabels:
diff --git a/charts/sn-platform-slim/templates/broker/broker-authorizationpolicy.yaml b/charts/sn-platform-slim/templates/broker/broker-authorizationpolicy.yaml
index 8426c9cd4..bda6b7694 100644
--- a/charts/sn-platform-slim/templates/broker/broker-authorizationpolicy.yaml
+++ b/charts/sn-platform-slim/templates/broker/broker-authorizationpolicy.yaml
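Review bot: A non-empty `.Values.bookkeeper.authorizationPolicy.to` replaces the default port list rather than extending it, so an override that omits the service ports (3181/8000 here, the autorecovery http port, 6650 for the broker, 2181/2888/3888 and the metrics port for zookeeper) produces an ALLOW policy under which the sidecar denies the component's own traffic, and nothing in the template says so. I'd put a template comment on the `{{- if .Values.bookkeeper.authorizationPolicy.to }}` line, `{{- /* a non-empty 'to' REPLACES the default port list; any override must include the service ports */ -}}`, and the same in the autorecovery, broker and zookeeper hunks and in the sn-platform copies of these files. The `from` branch is emitted only when the list is non-empty, so with the default `from: []` the single rule still matches any source, which preserves the previous behaviour; stating that in the same comment stops a reader assuming the policy restricts callers out of the box. The bare `.Values.bookkeeper.authorizationPolicy.from` lookup will fail rendering with a nil-pointer error if a values override sets `authorizationPolicy` to null instead of `{}`; if that is a supported case, wrapping the block in `{{- with .Values.bookkeeper.authorizationPolicy }}` avoids it, though I cannot see from this diff how overrides are validated.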
@@ -10,7 +10,15 @@ metadata:
 namespace: {{ template "pulsar.namespace" . }}
 spec:
 rules:
- - to:
+ - {{- if .Values.broker.authorizationPolicy.from }}
+ from:
+{{ toYaml .Values.broker.authorizationPolicy.from | indent 4 }}
+ {{- end }}
+ {{- if .Values.broker.authorizationPolicy.to }}
+ to:
+{{ toYaml .Values.broker.authorizationPolicy.to | indent 4 }}
+ {{- else }}
+ to:
 - operation:
 ports:
 - "6650"
@@ -41,6 +49,7 @@ spec:
 - "9095"
 {{- end }}
 {{- end }}
+ {{- end }}
 action: ALLOW
 selector:
 matchLabels:
diff --git a/charts/sn-platform-slim/templates/zookeeper/zookeeper-authorizationpolicy.yaml b/charts/sn-platform-slim/templates/zookeeper/zookeeper-authorizationpolicy.yaml
index cc7bc9c64..2b72cdbd1 100644
--- a/charts/sn-platform-slim/templates/zookeeper/zookeeper-authorizationpolicy.yaml
+++ b/charts/sn-platform-slim/templates/zookeeper/zookeeper-authorizationpolicy.yaml
@@ -10,7 +10,15 @@ metadata:
 namespace: {{ template "pulsar.namespace" . }}
 spec:
 rules:
- - to:
+ - {{- if .Values.zookeeper.authorizationPolicy.from }}
+ from:
+{{ toYaml .Values.zookeeper.authorizationPolicy.from | indent 4 }}
+ {{- end }}
+ {{- if .Values.zookeeper.authorizationPolicy.to }}
+ to:
+{{ toYaml .Values.zookeeper.authorizationPolicy.to | indent 4 }}
+ {{- else }}
+ to:
 - operation:
 ports:
 - "2181"
@@ -18,6 +26,7 @@ spec:
 - "2888"
 - "3888"
 - "{{ .Values.zookeeper.ports.metrics }}"
+ {{- end }}
 action: ALLOW
 selector:
 matchLabels:
diff --git a/charts/sn-platform-slim/values.yaml b/charts/sn-platform-slim/values.yaml
index 1cf60f616..f5bb3c0ab 100644
--- a/charts/sn-platform-slim/values.yaml
+++ b/charts/sn-platform-slim/values.yaml
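Review bot: The `{{- end }}` added after `- "9095"` in the broker's second hunk closes the `if .Values.broker.authorizationPolicy.to` / `else` pair opened in the first hunk, but it lands directly after two existing `{{- end }}` lines whose opening `if`s are outside this hunk, so a reader cannot tell which block each close belongs to. Tagging the new line, `{{- end }}{{/* end authorizationPolicy.to */}}`, makes the nesting legible and lets a misplaced close be spotted in review; the zookeeper second hunk and the sn-platform copies would benefit from the same tag. The enclosing `rules` entry and the port conditionals start outside this hunk, so I have not verified the nesting depth from the diff alone.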
@@ -561,6 +561,26 @@ zookeeper:
 # The template field can totally change the log config of the component. The value is a string, which is the content of the log config file.
 template: {}
 
+ # Istio AuthorizationPolicy configuration
+ # Configure the 'from' and 'to' sections to restrict sources and operations
+ # If 'to' is not specified, default ports will be used
+ # Example:
+ # authorizationPolicy:
+ # from:
+ # - source:
+ # principals: ["cluster.local/ns/default/sa/pulsar-broker"]
+ # - source:
+ # namespaces: ["pulsar"]
+ # to:
+ # - operation:
+ # ports: ["2181", "9990"]
+ # methods: ["GET", "POST"]
+ # paths: ["/metrics"]
+ # hosts: ["zookeeper.pulsar.svc.cluster.local"]
+ authorizationPolicy:
+ from: []
+ to: []
+
 # use a component name that matches your grafana configuration
 # so the metrics are correctly rendered in grafana dashboard
 component: zookeeper
@@ -815,6 +835,26 @@ bookkeeper:
 # The template field can totally change the log config of the component. The value is a string, which is the content of the log config file.
 template: {}
 
+ # Istio AuthorizationPolicy configuration
+ # Configure the 'from' and 'to' sections to restrict sources and operations
+ # If 'to' is not specified, default ports will be used
+ # Example:
+ # authorizationPolicy:
+ # from:
+ # - source:
+ # principals: ["cluster.local/ns/default/sa/pulsar-broker"]
+ # - source:
+ # namespaces: ["pulsar"]
+ # to:
+ # - operation:
+ # ports: ["3181", "8000"]
+ # methods: ["GET", "POST"]
+ # paths: ["/metrics"]
+ # hosts: ["bookie.pulsar.svc.cluster.local"]
+ authorizationPolicy:
+ from: []
+ to: []
+
 # use a component name that matches your grafana configuration
 # so the metrics are correctly rendered in grafana dashboard
 component: bookie
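Review bot: The comment block documents what happens when `to` is unset but not that a non-empty `to` replaces the default port list wholesale, nor that the default `from: []` leaves the ALLOW rule matching every source in the mesh, and those are the two questions an operator has before touching these keys. I'd add directly after `# If 'to' is not specified, default ports will be used` the lines `# A non-empty 'to' REPLACES those defaults: include the component's service ports or the sidecar will deny that traffic` and `# With 'from' empty the rule allows any source; set principals/namespaces to restrict callers`. The example principal `cluster.local/ns/default/sa/pulsar-broker` names the `default` namespace while the namespaces example says `pulsar`; if the chart creates the broker service account in the release namespace, the example should use that namespace and the real account name (`cluster.local/ns/<release-namespace>/sa/<broker-sa-name>`) so a copy-paste does not silently match nothing — I cannot confirm the account name from this diff. The same block is repeated for bookkeeper, autorecovery and broker here and in the sn-platform values file, so the wording should be fixed in all of them.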
@@ -980,6 +1020,26 @@ bookkeeper:
 ## templates/autorecovery-statefulset.yaml
 ##
 autorecovery:
+ # Istio AuthorizationPolicy configuration
+ # Configure the 'from' and 'to' sections to restrict sources and operations
+ # If 'to' is not specified, default ports will be used
+ # Example:
+ # authorizationPolicy:
+ # from:
+ # - source:
+ # principals: ["cluster.local/ns/default/sa/pulsar-broker"]
+ # - source:
+ # namespaces: ["pulsar"]
+ # to:
+ # - operation:
+ # ports: ["8000"]
+ # methods: ["GET", "POST"]
+ # paths: ["/metrics"]
+ # hosts: ["recovery.pulsar.svc.cluster.local"]
+ authorizationPolicy:
+ from: []
+ to: []
+
 # use a component name that matches your grafana configuration
 # so the metrics are correctly rendered in grafana dashboard
 component: recovery
@@ -1084,6 +1144,26 @@ broker:
 # The template field can totally change the log config of the component. The value is a string, which is the content of the log config file.
 template: {}
 
+ # Istio AuthorizationPolicy configuration
+ # Configure the 'from' and 'to' sections to restrict sources and operations
+ # If 'to' is not specified, default ports will be used
+ # Example:
+ # authorizationPolicy:
+ # from:
+ # - source:
+ # principals: ["cluster.local/ns/default/sa/pulsar-proxy"]
+ # - source:
+ # namespaces: ["pulsar"]
+ # to:
+ # - operation:
+ # ports: ["6650", "8080"]
+ # methods: ["GET", "POST"]
+ # paths: ["/metrics"]
+ # hosts: ["broker.pulsar.svc.cluster.local"]
+ authorizationPolicy:
+ from: []
+ to: []
+
 # use a component name that matches your grafana configuration
 # so the metrics are correctly rendered in grafana dashboard
 component: broker
diff --git a/charts/sn-platform/templates/bookkeeper/bookkeeper-authorizationpolicy.yaml b/charts/sn-platform/templates/bookkeeper/bookkeeper-authorizationpolicy.yaml
index 463e36dd0..e78e4a895 100644
--- a/charts/sn-platform/templates/bookkeeper/bookkeeper-authorizationpolicy.yaml
+++ b/charts/sn-platform/templates/bookkeeper/bookkeeper-authorizationpolicy.yaml
@@ -10,11 +10,20 @@ metadata:
 namespace: {{ template "pulsar.namespace" . }}
 spec:
 rules:
- - to:
+ - {{- if .Values.bookkeeper.authorizationPolicy.from }}
+ from:
+{{ toYaml .Values.bookkeeper.authorizationPolicy.from | indent 4 }}
+ {{- end }}
+ {{- if .Values.bookkeeper.authorizationPolicy.to }}
+ to:
+{{ toYaml .Values.bookkeeper.authorizationPolicy.to | indent 4 }}
+ {{- else }}
+ to:
 - operation:
 ports:
 - "3181"
 - "8000"
+ {{- end }}
 action: ALLOW
 selector:
 matchLabels:
@@ -30,10 +39,19 @@ metadata:
 namespace: {{ template "pulsar.namespace" . }}
 spec:
 rules:
- - to:
+ - {{- if .Values.autorecovery.authorizationPolicy.from }}
+ from:
+{{ toYaml .Values.autorecovery.authorizationPolicy.from | indent 4 }}
+ {{- end }}
+ {{- if .Values.autorecovery.authorizationPolicy.to }}
+ to:
+{{ toYaml .Values.autorecovery.authorizationPolicy.to | indent 4 }}
+ {{- else }}
+ to:
 - operation:
 ports:
 - "{{ .Values.autorecovery.ports.http }}"
+ {{- end }}
 action: ALLOW
 selector:
 matchLabels:
diff --git a/charts/sn-platform/templates/broker/broker-authorizationpolicy.yaml b/charts/sn-platform/templates/broker/broker-authorizationpolicy.yaml
index 8426c9cd4..bda6b7694 100644
--- a/charts/sn-platform/templates/broker/broker-authorizationpolicy.yaml
+++ b/charts/sn-platform/templates/broker/broker-authorizationpolicy.yaml
@@ -10,7 +10,15 @@ metadata:
 namespace: {{ template "pulsar.namespace" . }}
 spec:
 rules:
- - to:
+ - {{- if .Values.broker.authorizationPolicy.from }}
+ from:
+{{ toYaml .Values.broker.authorizationPolicy.from | indent 4 }}
+ {{- end }}
+ {{- if .Values.broker.authorizationPolicy.to }}
+ to:
+{{ toYaml .Values.broker.authorizationPolicy.to | indent 4 }}
+ {{- else }}
+ to:
 - operation:
 ports:
 - "6650"
@@ -41,6 +49,7 @@ spec:
 - "9095"
 {{- end }}
 {{- end }}
+ {{- end }}
 action: ALLOW
 selector:
 matchLabels:
diff --git a/charts/sn-platform/templates/zookeeper/zookeeper-authorizationpolicy.yaml b/charts/sn-platform/templates/zookeeper/zookeeper-authorizationpolicy.yaml
index cc7bc9c64..2b72cdbd1 100644
--- a/charts/sn-platform/templates/zookeeper/zookeeper-authorizationpolicy.yaml
+++ b/charts/sn-platform/templates/zookeeper/zookeeper-authorizationpolicy.yaml
@@ -10,7 +10,15 @@ metadata:
 namespace: {{ template "pulsar.namespace" . }}
 spec:
 rules:
- - to:
+ - {{- if .Values.zookeeper.authorizationPolicy.from }}
+ from:
+{{ toYaml .Values.zookeeper.authorizationPolicy.from | indent 4 }}
+ {{- end }}
+ {{- if .Values.zookeeper.authorizationPolicy.to }}
+ to:
+{{ toYaml .Values.zookeeper.authorizationPolicy.to | indent 4 }}
+ {{- else }}
+ to:
 - operation:
 ports:
 - "2181"
@@ -18,6 +26,7 @@ spec:
 - "2888"
 - "3888"
 - "{{ .Values.zookeeper.ports.metrics }}"
+ {{- end }}
 action: ALLOW
 selector:
 matchLabels:
diff --git a/charts/sn-platform/values.yaml b/charts/sn-platform/values.yaml
index 9646aecce..d8bac3f22 100644
--- a/charts/sn-platform/values.yaml
+++ b/charts/sn-platform/values.yaml
@@ -636,6 +636,26 @@ zookeeper:
 # The template field can totally change the log config of the component. The value is a string, which is the content of the log config file.
 template: {}
 
+ # Istio AuthorizationPolicy configuration
+ # Configure the 'from' and 'to' sections to restrict sources and operations
+ # If 'to' is not specified, default ports will be used
+ # Example:
+ # authorizationPolicy:
+ # from:
+ # - source:
+ # principals: ["cluster.local/ns/default/sa/pulsar-broker"]
+ # - source:
+ # namespaces: ["pulsar"]
+ # to:
+ # - operation:
+ # ports: ["2181", "9990"]
+ # methods: ["GET", "POST"]
+ # paths: ["/metrics"]
+ # hosts: ["zookeeper.pulsar.svc.cluster.local"]
+ authorizationPolicy:
+ from: []
+ to: []
+
 # use a component name that matches your grafana configuration
 # so the metrics are correctly rendered in grafana dashboard
 component: zookeeper
@@ -890,6 +910,26 @@ bookkeeper:
 # The template field can totally change the log config of the component. The value is a string, which is the content of the log config file.
 template: {}
 
+ # Istio AuthorizationPolicy configuration
+ # Configure the 'from' and 'to' sections to restrict sources and operations
+ # If 'to' is not specified, default ports will be used
+ # Example:
+ # authorizationPolicy:
+ # from:
+ # - source:
+ # principals: ["cluster.local/ns/default/sa/pulsar-broker"]
+ # - source:
+ # namespaces: ["pulsar"]
+ # to:
+ # - operation:
+ # ports: ["3181", "8000"]
+ # methods: ["GET", "POST"]
+ # paths: ["/metrics"]
+ # hosts: ["bookie.pulsar.svc.cluster.local"]
+ authorizationPolicy:
+ from: []
+ to: []
+
 # use a component name that matches your grafana configuration
 # so the metrics are correctly rendered in grafana dashboard
 component: bookie
@@ -1055,6 +1095,26 @@ bookkeeper:
 ## templates/autorecovery-statefulset.yaml
 ##
 autorecovery:
+ # Istio AuthorizationPolicy configuration
+ # Configure the 'from' and 'to' sections to restrict sources and operations
+ # If 'to' is not specified, default ports will be used
+ # Example:
+ # authorizationPolicy:
+ # from:
+ # - source:
+ # principals: ["cluster.local/ns/default/sa/pulsar-broker"]
+ # - source:
+ # namespaces: ["pulsar"]
+ # to:
+ # - operation:
+ # ports: ["8000"]
+ # methods: ["GET", "POST"]
+ # paths: ["/metrics"]
+ # hosts: ["recovery.pulsar.svc.cluster.local"]
+ authorizationPolicy:
+ from: []
+ to: []
+
 # use a component name that matches your grafana configuration
 # so the metrics are correctly rendered in grafana dashboard
 component: recovery
@@ -1160,6 +1220,26 @@ broker:
 # The template field can totally change the log config of the component. The value is a string, which is the content of the log config file.
 template: {}
 
+ # Istio AuthorizationPolicy configuration
+ # Configure the 'from' and 'to' sections to restrict sources and operations
+ # If 'to' is not specified, default ports will be used
+ # Example:
+ # authorizationPolicy:
+ # from:
+ # - source:
+ # principals: ["cluster.local/ns/default/sa/pulsar-proxy"]
+ # - source:
+ # namespaces: ["pulsar"]
+ # to:
+ # - operation:
+ # ports: ["6650", "8080"]
+ # methods: ["GET", "POST"]
+ # paths: ["/metrics"]
+ # hosts: ["broker.pulsar.svc.cluster.local"]
+ authorizationPolicy:
+ from: []
+ to: []
+
 # use a component name that matches your grafana configuration
 # so the metrics are correctly rendered in grafana dashboard
 component: broker