Add authorization policy to components (#1249)

<!--
### Contribution Checklist
  
- Name the pull request in the form "[charts/<chart-name>] Title of the
pull request".
Skip *[charts/<chart-name>]* if the PR doesn't change a specific chart.
E.g. `[docs] Fix typo in README`.

- Fill out the template below to describe the changes contributed by the
pull request. That will give reviewers the context they need to do the
review.
  
- Each pull request should address only one issue, not mix up code from
multiple issues.
  
  - Each commit in the pull request has a meaningful commit message

- Once all items of the checklist are addressed, remove the above text
and this checklist, leaving only the filled out template below.

**(The sections below can be removed for hotfixes of typos)**
-->

*(If this PR fixes a github issue, please add `Fixes #<xyz>`.)*

Fixes #<xyz>

*(or if this PR is one task of a github issue, please add `Master Issue:
#<xyz>` to link to the master issue.)*

Master Issue: #<xyz>

### Motivation

*Explain here the context, and why you're making that change. What is
the problem you're trying to solve.*

### Modifications

*Describe the modifications you've done.*

### Verifying this change

- [ ] Make sure that the change passes the CI checks.

*(Please pick either of the following options)*

This change is a trivial rework / code cleanup without any test
coverage.

*(or)*

This change is already covered by existing tests, such as *(please
describe tests)*.

*(or)*

This change added tests and can be verified as follows:

*(example:)*
- *Added integration tests for end-to-end deployment with large payloads
(10MB)*
  - *Extended integration test for recovery after broker failure*

### Documentation

Check the box below.

Need to update docs? 

- [ ] `doc-required` 
  
  (If you need help on updating docs, create a doc issue)
  
- [ ] `no-need-doc` 
  
  (Please explain why)
  
- [ ] `doc` 
  
  (If this PR contains doc changes)

Author: labuladong

charts/sn-platform-slim/templates/detector/pulsar-detector-authorizationpolicy.yaml

@@ -10,12 +10,21 @@ metadata:
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   rules:
-  - to:
+  - {{- if and .Values.pulsar_detector.authorizationPolicy .Values.pulsar_detector.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.pulsar_detector.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.pulsar_detector.authorizationPolicy .Values.pulsar_detector.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.pulsar_detector.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "{{ .Values.pulsar_detector.port }}"
+    {{- end }}
   action: ALLOW
   selector:
     matchLabels:
       component: {{ .Values.pulsar_detector.component }}
-{{- end }}
+{{- end }}

charts/sn-platform-slim/templates/function-worker/function-worker-authorizationpolicy.yaml

@@ -11,13 +11,22 @@ metadata:
 spec:
   action: ALLOW
   rules:
-  - to:
+  - {{- if and .Values.functions.authorizationPolicy .Values.functions.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.functions.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.functions.authorizationPolicy .Values.functions.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.functions.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "{{ .Values.functions.ports.http }}"
         {{- if and .Values.tls.enabled .Values.tls.functions.enabled }}
         - "{{ .Values.functions.ports.https }}"
         {{- end }}
+    {{- end }}
   selector:
     matchLabels:
       {{- include "pulsar.template.labels" . | nindent 6 }}

charts/sn-platform-slim/templates/grafana/grafana-authorizationpolicy.yaml

@@ -10,10 +10,19 @@ metadata:
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   rules:
-  - to:
+  - {{- if and .Values.grafana.authorizationPolicy .Values.grafana.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.grafana.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.grafana.authorizationPolicy .Values.grafana.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.grafana.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "{{ .Values.grafana.port }}"
+    {{- end }}
   action: ALLOW
   selector:
     matchLabels:

charts/sn-platform-slim/templates/prometheus/prometheus-authorizationpolicy.yaml

@@ -10,14 +10,24 @@ metadata:
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   rules:
-  - from:
+  - {{- if and .Values.prometheus.authorizationPolicy .Values.prometheus.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.prometheus.authorizationPolicy.from | indent 4 }}
+    {{- else }}
+    from:
     - source:
         namespaces:
         - {{ template "pulsar.namespace" . }}
-  - to:
+    {{- end }}
+    {{- if and .Values.prometheus.authorizationPolicy .Values.prometheus.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.prometheus.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "{{ .Values.prometheus.port }}"
+    {{- end }}
   action: ALLOW
   selector:
     matchLabels:

charts/sn-platform-slim/templates/proxy/proxy-authorizationpolicy.yaml

@@ -11,14 +11,23 @@ metadata:
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   rules:
-  - to:
+  - {{- if and .Values.proxy.authorizationPolicy .Values.proxy.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.proxy.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.proxy.authorizationPolicy .Values.proxy.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.proxy.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "6650"
         - "8080"
         {{- if .Values.proxy.websocket }}
         - "9090"
         {{- end }}
+    {{- end }}
   action: ALLOW
   selector:
     matchLabels:

charts/sn-platform-slim/templates/toolset/toolset-authorizationpolicy.yaml

@@ -0,0 +1,29 @@
+#
+# Copyright (c) 2019 - 2024 StreamNative, Inc.. All Rights Reserved.
+#
+
+{{- if and .Values.components.toolset .Values.istio.enabled }}
+{{- if or (and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.from) (and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.to) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
+  namespace: {{ template "pulsar.namespace" . }}
+spec:
+  rules:
+  - {{- if and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.toolset.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.toolset.authorizationPolicy.to | indent 4 }}
+    {{- end }}
+  action: ALLOW
+  selector:
+    matchLabels:
+      {{- include "pulsar.matchLabels" . | nindent 6 }}
+      component: {{ .Values.toolset.component }}
+{{- end }}
+{{- end }}
+

charts/sn-platform-slim/values.yaml

@@ -1411,6 +1411,26 @@ broker:
 ## templates/function-worker-configmap.yaml
 ##
 functions:
+  # Istio AuthorizationPolicy configuration
+  # Configure the 'from' and 'to' sections to restrict sources and operations
+  # If 'to' is not specified, default ports (8080, 8443 for HTTPS) will be used
+  # Example:
+  # authorizationPolicy:
+  #   from:
+  #   - source:
+  #       principals: ["cluster.local/ns/default/sa/pulsar-broker"]
+  #   - source:
+  #       namespaces: ["pulsar"]
+  #   to:
+  #   - operation:
+  #       ports: ["8080", "8443"]
+  #       methods: ["GET", "POST"]
+  #       paths: ["/metrics"]
+  #       hosts: ["function-worker.pulsar.svc.cluster.local"]
+  authorizationPolicy:
+    from: []
+    to: []
+
   component: functions-worker
   enableCustomizerRuntime: false
   useDedicatedRunner: false
@@ -1513,6 +1533,26 @@ functions:
 ## templates/pulsar-detector-statefulset.yaml
 ##
 pulsar_detector:
+  # Istio AuthorizationPolicy configuration
+  # Configure the 'from' and 'to' sections to restrict sources and operations
+  # If 'to' is not specified, default port (9000) will be used
+  # Example:
+  # authorizationPolicy:
+  #   from:
+  #   - source:
+  #       principals: ["cluster.local/ns/default/sa/pulsar-admin"]
+  #   - source:
+  #       namespaces: ["pulsar"]
+  #   to:
+  #   - operation:
+  #       ports: ["9000"]
+  #       methods: ["GET", "POST"]
+  #       paths: ["/metrics"]
+  #       hosts: ["pulsar-detector.pulsar.svc.cluster.local"]
+  authorizationPolicy:
+    from: []
+    to: []
+
   component: pulsar-detector
   replicaCount: 1
   labels: {}
@@ -1586,6 +1626,26 @@ proxy:
   # The template field can totally change the log config of the component. The value is a string, which is the content of the log config file.
     template: {}
 
+  # Istio AuthorizationPolicy configuration
+  # Configure the 'from' and 'to' sections to restrict sources and operations
+  # If 'to' is not specified, default ports (6650, 8080, 9090) will be used
+  # Example:
+  # authorizationPolicy:
+  #   from:
+  #   - source:
+  #       principals: ["cluster.local/ns/default/sa/pulsar-client"]
+  #   - source:
+  #       namespaces: ["pulsar"]
+  #   to:
+  #   - operation:
+  #       ports: ["6650", "8080", "9090"]
+  #       methods: ["GET", "POST"]
+  #       paths: ["/metrics"]
+  #       hosts: ["proxy.pulsar.svc.cluster.local"]
+  authorizationPolicy:
+    from: []
+    to: []
+
   # use a component name that matches your grafana configuration
   # so the metrics are correctly rendered in grafana dashboard
   component: proxy
@@ -1700,6 +1760,25 @@ proxy:
 ## templates/toolset-deployment.yaml
 ##
 toolset:
+  # Istio AuthorizationPolicy configuration
+  # Configure the 'from' and 'to' sections to restrict sources and operations
+  # Toolset is a headless service, no default 'to' ports are specified
+  # Example:
+  # authorizationPolicy:
+  #   from:
+  #   - source:
+  #       principals: ["cluster.local/ns/default/sa/pulsar-admin"]
+  #   - source:
+  #       namespaces: ["pulsar"]
+  #   to:
+  #   - operation:
+  #       ports: ["8080"]
+  #       methods: ["GET", "POST"]
+  #       hosts: ["toolset.pulsar.svc.cluster.local"]
+  authorizationPolicy:
+    from: []
+    to: []
+
   component: toolset
   useProxy: false
   installBusybox: true
@@ -1817,6 +1896,25 @@ configmapReload:
 ## templates/prometheus-deployment.yaml
 ##
 prometheus:
+  # Istio AuthorizationPolicy configuration
+  # Configure the 'from' and 'to' sections to restrict sources and operations
+  # If 'from' is not specified, default will allow from the same namespace
+  # If 'to' is not specified, default port (9090) will be used
+  # Example:
+  # authorizationPolicy:
+  #   from:
+  #   - source:
+  #       namespaces: ["pulsar"]
+  #   to:
+  #   - operation:
+  #       ports: ["9090"]
+  #       methods: ["GET", "POST"]
+  #       paths: ["/metrics", "/api/*"]
+  #       hosts: ["prometheus.pulsar.svc.cluster.local"]
+  authorizationPolicy:
+    from: []
+    to: []
+
   component: prometheus
   replicaCount: 1
   scrape:
@@ -1964,6 +2062,26 @@ datadog:
 ## templates/grafana-statefulset.yaml
 ##
 grafana:
+  # Istio AuthorizationPolicy configuration
+  # Configure the 'from' and 'to' sections to restrict sources and operations
+  # If 'to' is not specified, default port (3000) will be used
+  # Example:
+  # authorizationPolicy:
+  #   from:
+  #   - source:
+  #       principals: ["cluster.local/ns/default/sa/grafana-user"]
+  #   - source:
+  #       namespaces: ["pulsar"]
+  #   to:
+  #   - operation:
+  #       ports: ["3000"]
+  #       methods: ["GET", "POST"]
+  #       paths: ["/api/*"]
+  #       hosts: ["grafana.pulsar.svc.cluster.local"]
+  authorizationPolicy:
+    from: []
+    to: []
+
   component: grafana
   grafana.ini:
     paths:

charts/sn-platform/templates/detector/pulsar-detector-authorizationpolicy.yaml

@@ -10,12 +10,21 @@ metadata:
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   rules:
-  - to:
+  - {{- if and .Values.pulsar_detector.authorizationPolicy .Values.pulsar_detector.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.pulsar_detector.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.pulsar_detector.authorizationPolicy .Values.pulsar_detector.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.pulsar_detector.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "{{ .Values.pulsar_detector.port }}"
+    {{- end }}
   action: ALLOW
   selector:
     matchLabels:
       component: {{ .Values.pulsar_detector.component }}
-{{- end }}
+{{- end }}

charts/sn-platform/templates/function-worker/function-worker-authorizationpolicy.yaml

@@ -11,13 +11,22 @@ metadata:
 spec:
   action: ALLOW
   rules:
-  - to:
+  - {{- if and .Values.functions.authorizationPolicy .Values.functions.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.functions.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.functions.authorizationPolicy .Values.functions.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.functions.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "{{ .Values.functions.ports.http }}"
         {{- if and .Values.tls.enabled .Values.tls.functions.enabled }}
         - "{{ .Values.functions.ports.https }}"
         {{- end }}
+    {{- end }}
   selector:
     matchLabels:
       {{- include "pulsar.template.labels" . | nindent 6 }}

charts/sn-platform/templates/grafana/grafana-authorizationpolicy.yaml

@@ -10,10 +10,19 @@ metadata:
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   rules:
-  - to:
+  - {{- if and .Values.grafana.authorizationPolicy .Values.grafana.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.grafana.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.grafana.authorizationPolicy .Values.grafana.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.grafana.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "{{ .Values.grafana.port }}"
+    {{- end }}
   action: ALLOW
   selector:
     matchLabels: