2 # Copyright © 2023 Nordix Foundation
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
17 {{ include "common.authorizationPolicy" . }}
{{- /*
  Istio AuthorizationPolicy for the PostgreSQL service workload. Output is
  produced only when "common.useAuthorizationPolicies" evaluates truthy; the
  caller may pass the root context directly or wrapped in a dict under "dot".
*/ -}}
19 {{- $dot := default . .dot -}}
{{- /* Trust domain prefixed to every allowed principal (<trustedDomain>/ns/<ns>/sa/<sa>). */ -}}
20 {{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
{{- /*
  Entries of the form {namespace, serviceAccount} that may reach PostgreSQL.
  Defaults to an empty list, which makes the principal-based block below skip.
*/ -}}
21 {{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
{{- /* The only port allowed by this policy; ranged over further down (the emitted rule lines are not visible here). */ -}}
22 {{- $defaultOperationPorts := list "5432" -}}
{{- /*
  NOTE(review): "common.release", "common.useAuthorizationPolicies" and
  "common.namespace" are passed "." rather than $dot, unlike the .Values
  lookups above. If this template is ever invoked with a {dot: ...} wrapper
  they would receive the wrapper instead of the root context — confirm.
*/ -}}
23 {{- $relName := include "common.release" . -}}
24 {{- $postgresName := $dot.Values.postgres.service.name -}}
25 {{- if (include "common.useAuthorizationPolicies" .) }}
26 apiVersion: security.istio.io/v1beta1
27 kind: AuthorizationPolicy
29 name: {{ $relName }}-{{ $postgresName }}-authz
30 namespace: {{ include "common.namespace" . }}
{{- /* Presumably a selector.matchLabels entry binding the policy to the PostgreSQL service pods — enclosing lines not visible. */}}
34 app: {{ $postgresName }}
{{- /*
  With an empty principal list this whole branch is skipped. The alternative
  branch is not visible here — verify it does not leave the workload reachable
  from arbitrary sources.
*/}}
37 {{- if $authorizedPrincipalsPostgres }}
38 {{- range $principal := $authorizedPrincipalsPostgres }}
{{- /* A principal without an explicit namespace is assumed to live in "onap". */ -}}
42 {{- $namespace := default "onap" $principal.namespace -}}
{{- /*
  Service accounts in the "onap" namespace are release-prefixed; any other
  namespace uses the service account name verbatim (the second form below,
  presumably the else branch). Both yield
  <trustedDomain>/ns/<namespace>/sa/<serviceAccount>.
*/ -}}
43 {{- if eq "onap" $namespace }}
44 - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
46 - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
{{- /* One rule entry per allowed operation port; currently only 5432. */}}
51 {{- range $port := $defaultOperationPorts }}
{{- /*
  AuthorizationPolicy for the PostgreSQL "primary" workload. Mirrors the
  service-level policy above line for line; only $pgHost differs, which is
  appended to the policy name and to the app label selector.
  NOTE(review): the variable setup is duplicated across the three policy
  templates in this file — a shared helper would keep them from drifting.
*/ -}}
58 {{- $dot := default . .dot -}}
{{- /* Trust domain prefixed to every allowed principal. */ -}}
59 {{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
{{- /* {namespace, serviceAccount} entries allowed to reach PostgreSQL; empty list by default. */ -}}
60 {{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
{{- /* The only port allowed by this policy. */ -}}
61 {{- $defaultOperationPorts := list "5432" -}}
{{- /* NOTE(review): these includes take "." rather than $dot — see the .Values lookups above; confirm callers never pass a {dot: ...} wrapper. */ -}}
62 {{- $relName := include "common.release" . -}}
63 {{- $postgresName := $dot.Values.postgres.service.name -}}
{{- /* Selects the primary instance: suffix for the policy name and the app label. */ -}}
64 {{- $pgHost := "primary" -}}
65 {{- if (include "common.useAuthorizationPolicies" .) }}
66 apiVersion: security.istio.io/v1beta1
67 kind: AuthorizationPolicy
69 name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
70 namespace: {{ include "common.namespace" . }}
{{- /* Presumably a selector.matchLabels entry binding the policy to the primary pods — enclosing lines not visible. */}}
74 app: {{ $postgresName }}-{{ $pgHost }}
{{- /* Skipped entirely when no principals are configured; the alternative branch is not visible here — verify it stays closed. */}}
77 {{- if $authorizedPrincipalsPostgres }}
78 {{- range $principal := $authorizedPrincipalsPostgres }}
{{- /* Principals without an explicit namespace default to "onap". */ -}}
82 {{- $namespace := default "onap" $principal.namespace -}}
{{- /* "onap" service accounts are release-prefixed; others are used verbatim (second form, presumably the else branch). */ -}}
83 {{- if eq "onap" $namespace }}
84 - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
86 - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
{{- /* One rule entry per allowed operation port; currently only 5432. */}}
91 {{- range $port := $defaultOperationPorts }}
{{- /*
  AuthorizationPolicy for the PostgreSQL "replica" workload. Identical to the
  primary policy above except for $pgHost, which is appended to the policy
  name and to the app label selector.
  NOTE(review): the variable setup is duplicated across the three policy
  templates in this file — a shared helper would keep them from drifting.
*/ -}}
98 {{- $dot := default . .dot -}}
{{- /* Trust domain prefixed to every allowed principal. */ -}}
99 {{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
{{- /* {namespace, serviceAccount} entries allowed to reach PostgreSQL; empty list by default. */ -}}
100 {{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
{{- /* The only port allowed by this policy. */ -}}
101 {{- $defaultOperationPorts := list "5432" -}}
{{- /* NOTE(review): these includes take "." rather than $dot — see the .Values lookups above; confirm callers never pass a {dot: ...} wrapper. */ -}}
102 {{- $relName := include "common.release" . -}}
103 {{- $postgresName := $dot.Values.postgres.service.name -}}
{{- /* Selects the replica instance: suffix for the policy name and the app label. */ -}}
104 {{- $pgHost := "replica" -}}
105 {{- if (include "common.useAuthorizationPolicies" .) }}
106 apiVersion: security.istio.io/v1beta1
107 kind: AuthorizationPolicy
109 name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
110 namespace: {{ include "common.namespace" . }}
{{- /* Presumably a selector.matchLabels entry binding the policy to the replica pods — enclosing lines not visible. */}}
114 app: {{ $postgresName }}-{{ $pgHost }}
{{- /* Skipped entirely when no principals are configured; the alternative branch is not visible here — verify it stays closed. */}}
117 {{- if $authorizedPrincipalsPostgres }}
118 {{- range $principal := $authorizedPrincipalsPostgres }}
{{- /* Principals without an explicit namespace default to "onap". */ -}}
122 {{- $namespace := default "onap" $principal.namespace -}}
{{- /* "onap" service accounts are release-prefixed; others are used verbatim (second form, presumably the else branch). */ -}}
123 {{- if eq "onap" $namespace }}
124 - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
126 - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
{{- /* One rule entry per allowed operation port; currently only 5432. */}}
131 {{- range $port := $defaultOperationPorts }}