diff --git a/charts/sn-platform-slim/templates/detector/pulsar-detector-authorizationpolicy.yaml b/charts/sn-platform-slim/templates/detector/pulsar-detector-authorizationpolicy.yaml index 897ef6df9..e26da089f 100644 --- a/charts/sn-platform-slim/templates/detector/pulsar-detector-authorizationpolicy.yaml +++ b/charts/sn-platform-slim/templates/detector/pulsar-detector-authorizationpolicy.yaml @@ -10,12 +10,21 @@ metadata: namespace: {{ template "pulsar.namespace" . }} spec: rules: - - to: + - {{- if and .Values.pulsar_detector.authorizationPolicy .Values.pulsar_detector.authorizationPolicy.from }} + from: +{{ toYaml .Values.pulsar_detector.authorizationPolicy.from | indent 4 }} + {{- end }} + {{- if and .Values.pulsar_detector.authorizationPolicy .Values.pulsar_detector.authorizationPolicy.to }} + to: +{{ toYaml .Values.pulsar_detector.authorizationPolicy.to | indent 4 }} + {{- else }} + to: - operation: ports: - "{{ .Values.pulsar_detector.port }}" + {{- end }} action: ALLOW selector: matchLabels: component: {{ .Values.pulsar_detector.component }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/sn-platform-slim/templates/function-worker/function-worker-authorizationpolicy.yaml b/charts/sn-platform-slim/templates/function-worker/function-worker-authorizationpolicy.yaml index 8a2e5766e..4a41b7deb 100644 --- a/charts/sn-platform-slim/templates/function-worker/function-worker-authorizationpolicy.yaml +++ b/charts/sn-platform-slim/templates/function-worker/function-worker-authorizationpolicy.yaml 
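Review bot: A configured `.Values.pulsar_detector.authorizationPolicy.to` replaces the default port rule rather than extending it, and nothing in the new `{{- if ... .to }}` branch says so; because an Istio ALLOW policy denies every request that no rule matches, a `to` list that omits `.Values.pulsar_detector.port` cuts the detector off from its own port. I would add a template comment above the `to` branch: `{{- /* A configured .to replaces the default port rule entirely; list every port this workload serves, since an ALLOW policy denies whatever no rule matches. */}}`. The same override pattern appears in the function-worker, grafana, prometheus, proxy, loki and vault hunks of both charts. The enclosing `{{- if }}` that gates this resource starts outside the hunk.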
@@ -11,13 +11,22 @@ metadata: spec: action: ALLOW rules: - - to: + - {{- if and .Values.functions.authorizationPolicy .Values.functions.authorizationPolicy.from }} + from: +{{ toYaml .Values.functions.authorizationPolicy.from | indent 4 }} + {{- end }} + {{- if and .Values.functions.authorizationPolicy .Values.functions.authorizationPolicy.to }} + to: +{{ toYaml .Values.functions.authorizationPolicy.to | indent 4 }} + {{- else }} + to: - operation: ports: - "{{ .Values.functions.ports.http }}" {{- if and .Values.tls.enabled .Values.tls.functions.enabled }} - "{{ .Values.functions.ports.https }}" {{- end }} + {{- end }} selector: matchLabels: {{- include "pulsar.template.labels" . | nindent 6 }} diff --git a/charts/sn-platform-slim/templates/grafana/grafana-authorizationpolicy.yaml b/charts/sn-platform-slim/templates/grafana/grafana-authorizationpolicy.yaml index 3eff29b5a..1486b1652 100644 --- a/charts/sn-platform-slim/templates/grafana/grafana-authorizationpolicy.yaml +++ b/charts/sn-platform-slim/templates/grafana/grafana-authorizationpolicy.yaml @@ -10,10 +10,19 @@ metadata: namespace: {{ template "pulsar.namespace" . }} spec: rules: - - to: + - {{- if and .Values.grafana.authorizationPolicy .Values.grafana.authorizationPolicy.from }} + from: +{{ toYaml .Values.grafana.authorizationPolicy.from | indent 4 }} + {{- end }} + {{- if and .Values.grafana.authorizationPolicy .Values.grafana.authorizationPolicy.to }} + to: +{{ toYaml .Values.grafana.authorizationPolicy.to | indent 4 }} + {{- else }} + to: - operation: ports: - "{{ .Values.grafana.port }}" + {{- end }} action: ALLOW selector: matchLabels: diff --git a/charts/sn-platform-slim/templates/prometheus/prometheus-authorizationpolicy.yaml b/charts/sn-platform-slim/templates/prometheus/prometheus-authorizationpolicy.yaml index 81483fe9d..39fb49a71 100644 --- a/charts/sn-platform-slim/templates/prometheus/prometheus-authorizationpolicy.yaml 
+++ b/charts/sn-platform-slim/templates/prometheus/prometheus-authorizationpolicy.yaml @@ -10,14 +10,24 @@ metadata: namespace: {{ template "pulsar.namespace" . }} spec: rules: - - from: + - {{- if and .Values.prometheus.authorizationPolicy .Values.prometheus.authorizationPolicy.from }} + from: +{{ toYaml .Values.prometheus.authorizationPolicy.from | indent 4 }} + {{- else }} + from: - source: namespaces: - {{ template "pulsar.namespace" . }} - - to: + {{- end }} + {{- if and .Values.prometheus.authorizationPolicy .Values.prometheus.authorizationPolicy.to }} + to: +{{ toYaml .Values.prometheus.authorizationPolicy.to | indent 4 }} + {{- else }} + to: - operation: ports: - "{{ .Values.prometheus.port }}" + {{- end }} action: ALLOW selector: matchLabels: diff --git a/charts/sn-platform-slim/templates/proxy/proxy-authorizationpolicy.yaml b/charts/sn-platform-slim/templates/proxy/proxy-authorizationpolicy.yaml index 680b6ae01..d719231c8 100644 --- a/charts/sn-platform-slim/templates/proxy/proxy-authorizationpolicy.yaml +++ b/charts/sn-platform-slim/templates/proxy/proxy-authorizationpolicy.yaml @@ -11,7 +11,15 @@ metadata: namespace: {{ template "pulsar.namespace" . }} spec: rules: - - to: + - {{- if and .Values.proxy.authorizationPolicy .Values.proxy.authorizationPolicy.from }} + from: +{{ toYaml .Values.proxy.authorizationPolicy.from | indent 4 }} + {{- end }} + {{- if and .Values.proxy.authorizationPolicy .Values.proxy.authorizationPolicy.to }} + to: +{{ toYaml .Values.proxy.authorizationPolicy.to | indent 4 }} + {{- else }} + to: - operation: ports: - "6650" @@ -19,6 +27,7 @@ spec: {{- if .Values.proxy.websocket }} - "9090" {{- end }} + {{- end }} action: ALLOW selector: matchLabels: diff --git a/charts/sn-platform-slim/templates/toolset/toolset-authorizationpolicy.yaml b/charts/sn-platform-slim/templates/toolset/toolset-authorizationpolicy.yaml new file mode 100644 index 000000000..87e10d5f2 --- /dev/null 
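Review bot: In the prometheus hunk, a configured `.Values.prometheus.authorizationPolicy.from` replaces the default same-namespace source restriction (`namespaces: - {{ template "pulsar.namespace" . }}`) instead of being intersected with it, so an override that is broader than one namespace widens who may reach Prometheus, and the template does not say that the override has to carry its own restriction. I would add `{{- /* A configured .from replaces the same-namespace default; keep a namespaces or principals restriction in the override. */}}` above the `from` branch. The loki hunk and the sn-platform prometheus hunk later in this diff use the identical construction.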
+++ b/charts/sn-platform-slim/templates/toolset/toolset-authorizationpolicy.yaml @@ -0,0 +1,29 @@ +# +# Copyright (c) 2019 - 2024 StreamNative, Inc.. All Rights Reserved. +# + +{{- if and .Values.components.toolset .Values.istio.enabled }} +{{- if or (and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.from) (and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.to) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + rules: + - {{- if and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.from }} + from: +{{ toYaml .Values.toolset.authorizationPolicy.from | indent 4 }} + {{- end }} + {{- if and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.to }} + to: +{{ toYaml .Values.toolset.authorizationPolicy.to | indent 4 }} + {{- end }} + action: ALLOW + selector: + matchLabels: + {{- include "pulsar.matchLabels" . | nindent 6 }} + component: {{ .Values.toolset.component }} +{{- end }} +{{- end }} + diff --git a/charts/sn-platform-slim/values.yaml b/charts/sn-platform-slim/values.yaml index 1c2e4be0d..8b4f2de26 100644 --- a/charts/sn-platform-slim/values.yaml +++ b/charts/sn-platform-slim/values.yaml 
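Review bot: When only `.Values.toolset.authorizationPolicy.to` is set, the rule rendered here has no `from`, so it places no restriction on the caller and allows the listed operations from any source; for a tooling pod that is probably not what an operator adding a policy intends, and the new file does not document it. I would add a comment under `rules:`: `{{- /* from and to are ANDed within this single rule; a policy with only .to does not restrict the caller, and with both lists empty no policy is rendered at all (outer if). */}}`. The `if or (and a a.from) (and a a.to)` guard repeats the values path four times; a `{{- with .Values.toolset.authorizationPolicy }}` scope would read more easily. The same file is added for the sn-platform chart later in this diff.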
@@ -1411,6 +1411,26 @@ broker: ## templates/function-worker-configmap.yaml ## functions: + # Istio AuthorizationPolicy configuration + # Configure the 'from' and 'to' sections to restrict sources and operations + # If 'to' is not specified, default ports (8080, 8443 for HTTPS) will be used + # Example: + # authorizationPolicy: + # from: + # - source: + # principals: ["cluster.local/ns/default/sa/pulsar-broker"] + # - source: + # namespaces: ["pulsar"] + # to: + # - operation: + # ports: ["8080", "8443"] + # methods: ["GET", "POST"] + # paths: ["/metrics"] + # hosts: ["function-worker.pulsar.svc.cluster.local"] + authorizationPolicy: + from: [] + to: [] + component: functions-worker enableCustomizerRuntime: false useDedicatedRunner: false @@ -1513,6 +1533,26 @@ functions: ## templates/pulsar-detector-statefulset.yaml ## pulsar_detector: + # Istio AuthorizationPolicy configuration + # Configure the 'from' and 'to' sections to restrict sources and operations + # If 'to' is not specified, default port (9000) will be used + # Example: + # authorizationPolicy: + # from: + # - source: + # principals: ["cluster.local/ns/default/sa/pulsar-admin"] + # - source: + # namespaces: ["pulsar"] + # to: + # - operation: + # ports: ["9000"] + # methods: ["GET", "POST"] + # paths: ["/metrics"] + # hosts: ["pulsar-detector.pulsar.svc.cluster.local"] + authorizationPolicy: + from: [] + to: [] + component: pulsar-detector replicaCount: 1 labels: {} 
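Review bot: The example principal `cluster.local/ns/default/sa/pulsar-broker` names the `default` namespace while the next example line restricts to `namespaces: ["pulsar"]`; an operator who copies the example as written grants a service account in `default` rather than one in the namespace the chart is deployed to, and the vault example in the sn-platform values uses `ns/pulsar` instead. I would change the example line to `#       principals: ["cluster.local/ns/pulsar/sa/pulsar-broker"]` and add `# the namespace segment must match the namespace the chart is installed into`. The pulsar_detector, proxy, toolset and grafana examples in both values files have the same `ns/default` mismatch.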
@@ -1586,6 +1626,26 @@ proxy: # The template field can totally change the log config of the component. The value is a string, which is the content of the log config file. template: {} + # Istio AuthorizationPolicy configuration + # Configure the 'from' and 'to' sections to restrict sources and operations + # If 'to' is not specified, default ports (6650, 8080, 9090) will be used + # Example: + # authorizationPolicy: + # from: + # - source: + # principals: ["cluster.local/ns/default/sa/pulsar-client"] + # - source: + # namespaces: ["pulsar"] + # to: + # - operation: + # ports: ["6650", "8080", "9090"] + # methods: ["GET", "POST"] + # paths: ["/metrics"] + # hosts: ["proxy.pulsar.svc.cluster.local"] + authorizationPolicy: + from: [] + to: [] + # use a component name that matches your grafana configuration # so the metrics are correctly rendered in grafana dashboard component: proxy @@ -1700,6 +1760,25 @@ proxy: ## templates/toolset-deployment.yaml ## toolset: + # Istio AuthorizationPolicy configuration + # Configure the 'from' and 'to' sections to restrict sources and operations + # Toolset is a headless service, no default 'to' ports are specified + # Example: + # authorizationPolicy: + # from: + # - source: + # principals: ["cluster.local/ns/default/sa/pulsar-admin"] + # - source: + # namespaces: ["pulsar"] + # to: + # - operation: + # ports: ["8080"] + # methods: ["GET", "POST"] + # hosts: ["toolset.pulsar.svc.cluster.local"] + authorizationPolicy: + from: [] + to: [] + component: toolset useProxy: false installBusybox: true 
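Review bot: The proxy example pairs `ports: ["6650", "8080", "9090"]` with the HTTP-only fields `methods`, `paths` and `hosts`, but 6650 carries the binary Pulsar protocol, which the sidecar handles as TCP; Istio evaluates HTTP-only fields on HTTP traffic only, and per its documented behaviour an ALLOW rule that carries them does not match TCP requests, so a user who copies the example would have traffic on 6650 denied. The example should split the operation into one entry with `ports: ["6650"]` and no HTTP fields and a second entry holding `ports: ["8080", "9090"]` together with `methods`, `paths` and `hosts`, with a comment that HTTP-only fields cannot be combined with a TCP port. The vault example (ports 8200, 8201, 9091 with the same HTTP fields) likely has the same issue on its cluster port 8201.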
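Review bot: The toolset comment says no default `to` ports are specified but not what the template does with the defaults: with both `from: []` and `to: []`, the toolset template renders no AuthorizationPolicy at all (its outer `if or` guard), so unlike the other components the toolset pod gets no policy from this chart until one of the lists is filled. I would add after the third comment line: `# With both 'from' and 'to' empty no AuthorizationPolicy is rendered for toolset`. The sn-platform values file repeats the same comment block.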
@@ -1817,6 +1896,25 @@ configmapReload: ## templates/prometheus-deployment.yaml ## prometheus: + # Istio AuthorizationPolicy configuration + # Configure the 'from' and 'to' sections to restrict sources and operations + # If 'from' is not specified, default will allow from the same namespace + # If 'to' is not specified, default port (9090) will be used + # Example: + # authorizationPolicy: + # from: + # - source: + # namespaces: ["pulsar"] + # to: + # - operation: + # ports: ["9090"] + # methods: ["GET", "POST"] + # paths: ["/metrics", "/api/*"] + # hosts: ["prometheus.pulsar.svc.cluster.local"] + authorizationPolicy: + from: [] + to: [] + component: prometheus replicaCount: 1 scrape: @@ -1964,6 +2062,26 @@ datadog: ## templates/grafana-statefulset.yaml ## grafana: + # Istio AuthorizationPolicy configuration + # Configure the 'from' and 'to' sections to restrict sources and operations + # If 'to' is not specified, default port (3000) will be used + # Example: + # authorizationPolicy: + # from: + # - source: + # principals: ["cluster.local/ns/default/sa/grafana-user"] + # - source: + # namespaces: ["pulsar"] + # to: + # - operation: + # ports: ["3000"] + # methods: ["GET", "POST"] + # paths: ["/api/*"] + # hosts: ["grafana.pulsar.svc.cluster.local"] + authorizationPolicy: + from: [] + to: [] + component: grafana grafana.ini: paths: diff --git a/charts/sn-platform/templates/detector/pulsar-detector-authorizationpolicy.yaml b/charts/sn-platform/templates/detector/pulsar-detector-authorizationpolicy.yaml index 897ef6df9..e26da089f 100644 --- a/charts/sn-platform/templates/detector/pulsar-detector-authorizationpolicy.yaml +++ b/charts/sn-platform/templates/detector/pulsar-detector-authorizationpolicy.yaml 
@@ -10,12 +10,21 @@ metadata: namespace: {{ template "pulsar.namespace" . }} spec: rules: - - to: + - {{- if and .Values.pulsar_detector.authorizationPolicy .Values.pulsar_detector.authorizationPolicy.from }} + from: +{{ toYaml .Values.pulsar_detector.authorizationPolicy.from | indent 4 }} + {{- end }} + {{- if and .Values.pulsar_detector.authorizationPolicy .Values.pulsar_detector.authorizationPolicy.to }} + to: +{{ toYaml .Values.pulsar_detector.authorizationPolicy.to | indent 4 }} + {{- else }} + to: - operation: ports: - "{{ .Values.pulsar_detector.port }}" + {{- end }} action: ALLOW selector: matchLabels: component: {{ .Values.pulsar_detector.component }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/sn-platform/templates/function-worker/function-worker-authorizationpolicy.yaml b/charts/sn-platform/templates/function-worker/function-worker-authorizationpolicy.yaml index 8a2e5766e..4a41b7deb 100644 --- a/charts/sn-platform/templates/function-worker/function-worker-authorizationpolicy.yaml +++ b/charts/sn-platform/templates/function-worker/function-worker-authorizationpolicy.yaml @@ -11,13 +11,22 @@ metadata: spec: action: ALLOW rules: - - to: + - {{- if and .Values.functions.authorizationPolicy .Values.functions.authorizationPolicy.from }} + from: +{{ toYaml .Values.functions.authorizationPolicy.from | indent 4 }} + {{- end }} + {{- if and .Values.functions.authorizationPolicy .Values.functions.authorizationPolicy.to }} + to: +{{ toYaml .Values.functions.authorizationPolicy.to | indent 4 }} + {{- else }} + to: - operation: ports: - "{{ .Values.functions.ports.http }}" {{- if and .Values.tls.enabled .Values.tls.functions.enabled }} - "{{ .Values.functions.ports.https }}" {{- end }} + {{- end }} selector: matchLabels: {{- include "pulsar.template.labels" . | nindent 6 }} 
diff --git a/charts/sn-platform/templates/grafana/grafana-authorizationpolicy.yaml b/charts/sn-platform/templates/grafana/grafana-authorizationpolicy.yaml index 3eff29b5a..1486b1652 100644 --- a/charts/sn-platform/templates/grafana/grafana-authorizationpolicy.yaml +++ b/charts/sn-platform/templates/grafana/grafana-authorizationpolicy.yaml @@ -10,10 +10,19 @@ metadata: namespace: {{ template "pulsar.namespace" . }} spec: rules: - - to: + - {{- if and .Values.grafana.authorizationPolicy .Values.grafana.authorizationPolicy.from }} + from: +{{ toYaml .Values.grafana.authorizationPolicy.from | indent 4 }} + {{- end }} + {{- if and .Values.grafana.authorizationPolicy .Values.grafana.authorizationPolicy.to }} + to: +{{ toYaml .Values.grafana.authorizationPolicy.to | indent 4 }} + {{- else }} + to: - operation: ports: - "{{ .Values.grafana.port }}" + {{- end }} action: ALLOW selector: matchLabels: diff --git a/charts/sn-platform/templates/grafana/loki-authorizationpolicy.yaml b/charts/sn-platform/templates/grafana/loki-authorizationpolicy.yaml index 12ab45853..c287d4cf9 100644 --- a/charts/sn-platform/templates/grafana/loki-authorizationpolicy.yaml +++ b/charts/sn-platform/templates/grafana/loki-authorizationpolicy.yaml @@ -10,14 +10,24 @@ metadata: namespace: {{ template "pulsar.namespace" . }} spec: rules: - - from: + - {{- if and .Values.loki.authorizationPolicy .Values.loki.authorizationPolicy.from }} + from: +{{ toYaml .Values.loki.authorizationPolicy.from | indent 4 }} + {{- else }} + from: - source: namespaces: - {{ template "pulsar.namespace" . }} - - to: + {{- end }} + {{- if and .Values.loki.authorizationPolicy .Values.loki.authorizationPolicy.to }} + to: +{{ toYaml .Values.loki.authorizationPolicy.to | indent 4 }} + {{- else }} + to: - operation: ports: - "3100" + {{- end }} action: ALLOW selector: matchLabels: 
diff --git a/charts/sn-platform/templates/prometheus/prometheus-authorizationpolicy.yaml b/charts/sn-platform/templates/prometheus/prometheus-authorizationpolicy.yaml index 81483fe9d..39fb49a71 100644 --- a/charts/sn-platform/templates/prometheus/prometheus-authorizationpolicy.yaml +++ b/charts/sn-platform/templates/prometheus/prometheus-authorizationpolicy.yaml @@ -10,14 +10,24 @@ metadata: namespace: {{ template "pulsar.namespace" . }} spec: rules: - - from: + - {{- if and .Values.prometheus.authorizationPolicy .Values.prometheus.authorizationPolicy.from }} + from: +{{ toYaml .Values.prometheus.authorizationPolicy.from | indent 4 }} + {{- else }} + from: - source: namespaces: - {{ template "pulsar.namespace" . }} - - to: + {{- end }} + {{- if and .Values.prometheus.authorizationPolicy .Values.prometheus.authorizationPolicy.to }} + to: +{{ toYaml .Values.prometheus.authorizationPolicy.to | indent 4 }} + {{- else }} + to: - operation: ports: - "{{ .Values.prometheus.port }}" + {{- end }} action: ALLOW selector: matchLabels: diff --git a/charts/sn-platform/templates/proxy/proxy-authorizationpolicy.yaml b/charts/sn-platform/templates/proxy/proxy-authorizationpolicy.yaml index 680b6ae01..d719231c8 100644 --- a/charts/sn-platform/templates/proxy/proxy-authorizationpolicy.yaml +++ b/charts/sn-platform/templates/proxy/proxy-authorizationpolicy.yaml @@ -11,7 +11,15 @@ metadata: namespace: {{ template "pulsar.namespace" . }} spec: rules: - - to: + - {{- if and .Values.proxy.authorizationPolicy .Values.proxy.authorizationPolicy.from }} + from: +{{ toYaml .Values.proxy.authorizationPolicy.from | indent 4 }} + {{- end }} + {{- if and .Values.proxy.authorizationPolicy .Values.proxy.authorizationPolicy.to }} + to: +{{ toYaml .Values.proxy.authorizationPolicy.to | indent 4 }} + {{- else }} + to: - operation: ports: - "6650" @@ -19,6 +27,7 @@ spec: {{- if .Values.proxy.websocket }} - "9090" {{- end }} + {{- end }} action: ALLOW selector: matchLabels: 
diff --git a/charts/sn-platform/templates/toolset/toolset-authorizationpolicy.yaml b/charts/sn-platform/templates/toolset/toolset-authorizationpolicy.yaml new file mode 100644 index 000000000..87e10d5f2 --- /dev/null +++ b/charts/sn-platform/templates/toolset/toolset-authorizationpolicy.yaml @@ -0,0 +1,29 @@ +# +# Copyright (c) 2019 - 2024 StreamNative, Inc.. All Rights Reserved. +# + +{{- if and .Values.components.toolset .Values.istio.enabled }} +{{- if or (and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.from) (and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.to) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + namespace: {{ template "pulsar.namespace" . }} +spec: + rules: + - {{- if and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.from }} + from: +{{ toYaml .Values.toolset.authorizationPolicy.from | indent 4 }} + {{- end }} + {{- if and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.to }} + to: +{{ toYaml .Values.toolset.authorizationPolicy.to | indent 4 }} + {{- end }} + action: ALLOW + selector: + matchLabels: + {{- include "pulsar.matchLabels" . | nindent 6 }} + component: {{ .Values.toolset.component }} +{{- end }} +{{- end }} + diff --git a/charts/sn-platform/templates/vault/vault-authorizationpolicy.yaml b/charts/sn-platform/templates/vault/vault-authorizationpolicy.yaml index 3f74173ab..37b938c64 100644 --- a/charts/sn-platform/templates/vault/vault-authorizationpolicy.yaml +++ b/charts/sn-platform/templates/vault/vault-authorizationpolicy.yaml 
@@ -10,14 +10,24 @@ metadata: namespace: {{ template "pulsar.namespace" . }} spec: rules: - - to: + - {{- if and .Values.vault.authorizationPolicy .Values.vault.authorizationPolicy.from }} + from: +{{ toYaml .Values.vault.authorizationPolicy.from | indent 4 }} + {{- end }} + {{- if and .Values.vault.authorizationPolicy .Values.vault.authorizationPolicy.to }} + to: +{{ toYaml .Values.vault.authorizationPolicy.to | indent 4 }} + {{- else }} + to: - operation: ports: - "8200" - "8201" - "9091" + {{- end }} + action: ALLOW selector: matchLabels: app.kubernetes.io/name: vault vault_cr: "{{ template "pulsar.fullname" . }}-{{ .Values.vault.component }}" -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/sn-platform/values.yaml b/charts/sn-platform/values.yaml index 008be1b0c..c6de12481 100644 --- a/charts/sn-platform/values.yaml +++ b/charts/sn-platform/values.yaml @@ -1487,6 +1487,26 @@ broker: ## templates/function-worker-configmap.yaml ## functions: + # Istio AuthorizationPolicy configuration + # Configure the 'from' and 'to' sections to restrict sources and operations + # If 'to' is not specified, default ports (8080, 8443 for HTTPS) will be used + # Example: + # authorizationPolicy: + # from: + # - source: + # principals: ["cluster.local/ns/default/sa/pulsar-broker"] + # - source: + # namespaces: ["pulsar"] + # to: + # - operation: + # ports: ["8080", "8443"] + # methods: ["GET", "POST"] + # paths: ["/metrics"] + # hosts: ["function-worker.pulsar.svc.cluster.local"] + authorizationPolicy: + from: [] + to: [] + component: functions-worker enableCustomizerRuntime: false useDedicatedRunner: false 
@@ -1589,6 +1609,26 @@ functions: ## templates/pulsar-detector-statefulset.yaml ## pulsar_detector: + # Istio AuthorizationPolicy configuration + # Configure the 'from' and 'to' sections to restrict sources and operations + # If 'to' is not specified, default port (9000) will be used + # Example: + # authorizationPolicy: + # from: + # - source: + # principals: ["cluster.local/ns/default/sa/pulsar-admin"] + # - source: + # namespaces: ["pulsar"] + # to: + # - operation: + # ports: ["9000"] + # methods: ["GET", "POST"] + # paths: ["/metrics"] + # hosts: ["pulsar-detector.pulsar.svc.cluster.local"] + authorizationPolicy: + from: [] + to: [] + component: pulsar-detector replicaCount: 1 labels: {} @@ -1662,6 +1702,26 @@ proxy: # The template field can totally change the log config of the component. The value is a string, which is the content of the log config file. template: {} + # Istio AuthorizationPolicy configuration + # Configure the 'from' and 'to' sections to restrict sources and operations + # If 'to' is not specified, default ports (6650, 8080, 9090) will be used + # Example: + # authorizationPolicy: + # from: + # - source: + # principals: ["cluster.local/ns/default/sa/pulsar-client"] + # - source: + # namespaces: ["pulsar"] + # to: + # - operation: + # ports: ["6650", "8080", "9090"] + # methods: ["GET", "POST"] + # paths: ["/metrics"] + # hosts: ["proxy.pulsar.svc.cluster.local"] + authorizationPolicy: + from: [] + to: [] + # use a component name that matches your grafana configuration # so the metrics are correctly rendered in grafana dashboard component: proxy 
@@ -1778,6 +1838,25 @@ proxy: ## templates/toolset-deployment.yaml ## toolset: + # Istio AuthorizationPolicy configuration + # Configure the 'from' and 'to' sections to restrict sources and operations + # Toolset is a headless service, no default 'to' ports are specified + # Example: + # authorizationPolicy: + # from: + # - source: + # principals: ["cluster.local/ns/default/sa/pulsar-admin"] + # - source: + # namespaces: ["pulsar"] + # to: + # - operation: + # ports: ["8080"] + # methods: ["GET", "POST"] + # hosts: ["toolset.pulsar.svc.cluster.local"] + authorizationPolicy: + from: [] + to: [] + component: toolset useProxy: false installBusybox: true @@ -1897,6 +1976,25 @@ configmapReload: ## templates/prometheus-deployment.yaml ## prometheus: + # Istio AuthorizationPolicy configuration + # Configure the 'from' and 'to' sections to restrict sources and operations + # If 'from' is not specified, default will allow from the same namespace + # If 'to' is not specified, default port (9090) will be used + # Example: + # authorizationPolicy: + # from: + # - source: + # namespaces: ["pulsar"] + # to: + # - operation: + # ports: ["9090"] + # methods: ["GET", "POST"] + # paths: ["/metrics", "/api/*"] + # hosts: ["prometheus.pulsar.svc.cluster.local"] + authorizationPolicy: + from: [] + to: [] + component: prometheus replicaCount: 1 scrape: 
@@ -2052,6 +2150,26 @@ datadog: ## templates/grafana-statefulset.yaml ## grafana: + # Istio AuthorizationPolicy configuration + # Configure the 'from' and 'to' sections to restrict sources and operations + # If 'to' is not specified, default port (3000) will be used + # Example: + # authorizationPolicy: + # from: + # - source: + # principals: ["cluster.local/ns/default/sa/grafana-user"] + # - source: + # namespaces: ["pulsar"] + # to: + # - operation: + # ports: ["3000"] + # methods: ["GET", "POST"] + # paths: ["/api/*"] + # hosts: ["grafana.pulsar.svc.cluster.local"] + authorizationPolicy: + from: [] + to: [] + component: grafana grafana.ini: paths: @@ -2582,6 +2700,26 @@ presto: rules: [] vault: + # Istio AuthorizationPolicy configuration + # Configure the 'from' and 'to' sections to restrict sources and operations + # If 'to' is not specified, default ports (8200, 8201, 9091) will be used + # Example: + # authorizationPolicy: + # from: + # - source: + # principals: ["cluster.local/ns/pulsar/sa/pulsar-broker"] + # - source: + # namespaces: ["pulsar"] + # to: + # - operation: + # ports: ["8200", "8201", "9091"] + # methods: ["GET", "POST"] + # paths: ["/v1/*"] + # hosts: ["vault.pulsar.svc.cluster.local"] + authorizationPolicy: + from: [] + to: [] + component: "vault" # -- replicaCount indicates the number of vault pod replicaCount: 3