diff --git a/charts/platform-service/Chart.yaml b/charts/platform-service/Chart.yaml
index c150191..aea3747 100755
--- a/charts/platform-service/Chart.yaml
+++ b/charts/platform-service/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 appVersion: "1.0"
 description: Platform service chart
 name: platform-service
-version: 1.0.42
+version: 1.0.43
diff --git a/charts/platform-service/templates/deployment.yaml b/charts/platform-service/templates/deployment.yaml
index 37a0f12..dc0feb3 100755
--- a/charts/platform-service/templates/deployment.yaml
+++ b/charts/platform-service/templates/deployment.yaml
@@ -43,6 +43,13 @@ spec:
 {{- if .Values.opa.enabled }}
 sidecar.opa-istio.io/inject: "true"
 {{- end }}
+ {{- if .Values.sessionManagement.enabled }}
+ {{- if .Values.sessionManagement.redirectToLogin }}
+ {{ .Values.sessionManagement.enabledWithRedirectLabel }}
+ {{- else }}
+ {{ .Values.sessionManagement.enabledWithoutRedirectLabel }}
+ {{- end }}
+ {{- end }}
 {{- if .Values.additionalPodLabels }}
 {{- with .Values.additionalPodLabels }}
 {{ tpl . $ | indent 8 }}
diff --git a/charts/platform-service/values.yaml b/charts/platform-service/values.yaml
index bf2c6cb..051f24e 100755
--- a/charts/platform-service/values.yaml
+++ b/charts/platform-service/values.yaml
@@ -156,6 +156,12 @@ requestAuthentication:
 - 22b9c23f-4a41-4729-8a5d-793f7601dfdb
 - fe494c14-85d2-4bfa-bb43-92b0ab0a4f72
+sessionManagement:
+ enabled: true
+ redirectToLogin: false
+ enabledWithRedirectLabel: "session-management: frontend"
+ enabledWithoutRedirectLabel: "session-management: backend"
+
 authorizationPolicy:
 # Generate default authorization policy
 enabled: true
diff --git a/testing/cors-policy-values.yaml b/testing/cors-policy-values.yaml
new file mode 100644
index 0000000..504025a
--- /dev/null
+++ b/testing/cors-policy-values.yaml
@@ -0,0 +1,6 @@
+defaultRouting:
+ corsPolicy:
+ allowOrigins:
+ - exact: app://.
+ allowMethods:
+ - GET
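Review bot: The added `{{ .Values.sessionManagement.enabledWithRedirectLabel }}` and `enabledWithoutRedirectLabel` lines in the deployment.yaml hunk paste a free-form values string into `template.metadata.labels` as raw YAML, so the values file rather than the chart decides the label key and the YAML shape at that point: anything other than exactly one `key: value` pair at the expected indentation breaks rendering or, with an embedded newline, silently adds further pod labels. Pod labels are what the chart's own selectors (AuthorizationPolicy, NetworkPolicy) and presumably the consumer of `session-management` key on, so a mis-rendered label is a silent policy change rather than a visible error. Keep the key in the template and render only the value, quoted: `session-management: {{ .Values.sessionManagement.enabledWithRedirectLabel | quote }}` (likewise in the else branch), with the values.yaml hunk reduced to `enabledWithRedirectLabel: frontend` / `enabledWithoutRedirectLabel: backend`; if the key itself must stay configurable, use a `{key, value}` map rendered through `quote` rather than a string. Either way the two new values.yaml keys need a comment stating the exact form expected, e.g. `# label value written to the pod template when session management is enabled`.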
diff --git a/testing/generate-results.sh b/testing/generate-results.sh
new file mode 100755
index 0000000..11b3756
--- /dev/null
+++ b/testing/generate-results.sh
@@ -0,0 +1,75 @@
+rm results/*.yaml
+echo `date` > results/run-date.txt
+
+helm template test-release ../charts/platform-service -n test-ns -f values.yaml \
+ > results/base-case.yaml
+
+helm template test-release ../charts/platform-service -n test-ns -f values.yaml \
+ --set gateway.exposeService=false \
+ > results/not-exposed.yaml
+
+helm template test-release ../charts/platform-service -n test-ns -f values.yaml \
+ --set sessionManagement.enabled=false \
+ --show-only templates/deployment.yaml \
+ > results/no-sessman.yaml
+
+helm template test-release ../charts/platform-service -n test-ns -f values.yaml \
+ --set sessionManagement.redirectToLogin=true \
+ --show-only templates/deployment.yaml \
+ > results/sessman-with-redirect.yaml
+
+
+helm template test-release ../charts/platform-service -n test-ns -f values.yaml \
+ --set deploymentOnly=true \
+ > results/deployment-only.yaml
+
+helm template test-release ../charts/platform-service -n test-ns -f values.yaml \
+ --set defaultRouting.enabled=false \
+ > results/vs-default-routing-disabled.yaml
+
+helm template test-release ../charts/platform-service -n test-ns -f values.yaml \
+ --set defaultRouting.retries.enabled=true \
+ --show-only templates/virtualservice.yaml \
+ > results/vs-with-retries.yaml
+
+
+helm template test-release ../charts/platform-service -n test-ns -f values.yaml \
+ --set defaultRouting.allHosts=true \
+ --show-only templates/virtualservice.yaml \
+ > results/vs-all-hosts.yaml
+
+
+helm template test-release ../charts/platform-service -n test-ns -f values.yaml \
+ --set defaultRouting.urlPrefixes= \
+ --show-only templates/virtualservice.yaml \
+ > results/vs-no-urlPrefixes.yaml
+
+helm template test-release ../charts/platform-service -n test-ns -f values.yaml \
+ --set defaultRouting.rewriteUrlPrefix.enabled=false \
+ --show-only templates/virtualservice.yaml \
+ > results/vs-rewriteUrlPrefix-disabled.yaml
+
+helm template test-release ../charts/platform-service -n test-ns -f 
values.yaml \
+ --set defaultRouting.redirectOnNoTrailingSlash=false \
+ --show-only templates/virtualservice.yaml \
+ > results/vs-no-slash-redirect.yaml
+
+helm template test-release ../charts/platform-service -n test-ns -f values.yaml \
+ -f cors-policy-values.yaml \
+ --show-only templates/virtualservice.yaml \
+ > results/vs-cors-policy.yaml
+
+helm template test-release ../charts/platform-service -n test-ns -f values.yaml \
+ --set defaultRouting.urlExactMatches[0]="url1",defaultRouting.urlExactMatches[0]="url2" \
+ --show-only templates/virtualservice.yaml \
+ > results/vs-exact-matches.yaml
+
+
+echo " *** kubeval results ***"
+kubeval --ignore-missing-schemas results/*.yaml
+echo " *** istioctl validation results ***"
+for f in $(ls results/*.yaml);
+do
+ echo istioctl validating $f;
+ cat $f | istioctl validate -f -
+done;
diff --git a/testing/results/base-case.yaml b/testing/results/base-case.yaml
new file mode 100644
index 0000000..03ad3ec
--- /dev/null
+++ b/testing/results/base-case.yaml
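Review bot: The `vs-exact-matches` invocation assigns `defaultRouting.urlExactMatches[0]` twice, so `url1` is overwritten and the fixture only ever exercises a single exact match (the committed `vs-exact-matches.yaml` indeed contains only `/url2`); it should read `--set 'defaultRouting.urlExactMatches[0]=url1,defaultRouting.urlExactMatches[1]=url2'`. The file is mode 100755 but has no shebang and no error handling, so a failing `helm template` leaves an empty or stale result file and the `kubeval`/`istioctl` pass at the end still reports on it as if the render had succeeded; start the script with `#!/usr/bin/env bash` and `set -euo pipefail`. Under `set -e` the unguarded `rm results/*.yaml` on the first line would then abort a fresh checkout with no results yet, so make it `rm -f results/*.yaml`. The trailing `for f in $(ls results/*.yaml)` loop with `cat $f | istioctl validate -f -` can simply be `for f in results/*.yaml; do istioctl validate -f "$f"; done`, which also copes with paths containing spaces.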
@@ -0,0 +1,260 @@ +--- +# Source: platform-service/templates/network-policy.yaml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: test-release-network-policy +spec: + podSelector: + matchLabels: + app: test + version: v1 + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + istio: pilot + namespaceSelector: + matchLabels: + istio-operator-managed: Reconcile + - from: + - podSelector: + matchLabels: + istio: ingressgateway + namespaceSelector: + matchLabels: + istio-operator-managed: Reconcile + - from: + - podSelector: + matchLabels: + app: consumer + ports: + - protocol: TCP + port: 80 +--- +# Source: platform-service/templates/service-account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test +--- +# Source: platform-service/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: test + labels: + app.kubernetes.io/name: test + helm.sh/chart: platform-service-1.0.43 + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm +spec: + type: + ports: + - port: 8000 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: test + app: test +--- +# Source: platform-service/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-release + labels: + app.kubernetes.io/name: test + helm.sh/chart: platform-service-1.0.43 + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app: test + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: test + app.kubernetes.io/instance: test-release + template: + metadata: + labels: + app.kubernetes.io/name: test + app.kubernetes.io/instance: test-release + app: test + version: v1 + session-management: backend + annotations: + spec: + serviceAccountName: test + initContainers: + containers: + + - name: test + image: "test.io/some/repository:latest" + imagePullPolicy: IfNotPresent + + env: + - name: baseLevel + 
value: "only set at base" + - name: definedInBaseAndDuplicatedInOverride + value: "sharedValue" + - name: definedInBaseAndOverridden + value: "baseValue" + - name: definedInBaseAndOverriddenValue + valueFrom: + secretKeyRef: + key: username + name: base-secret + - name: onlyDefinedInBaseValue + valueFrom: + secretKeyRef: + key: username + name: base-secret + + ports: + - name: http + containerPort: 80 + protocol: TCP + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 80 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + readinessProbe: + httpGet: + path: /ready + port: 80 + successThreshold: 3 + startupProbe: + failureThreshold: 30 + httpGet: + path: /health/startup + port: 80 + periodSeconds: 10 + volumeMounts: + - name: service-secrets + mountPath: /secrets + + resources: + {} + volumes: + + - name: service-secrets + secret: + secretName: test-secrets +--- +# Source: platform-service/templates/authorizationPolicy.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: test-release +spec: + selector: + matchLabels: + app: test + version: v1 + action: ALLOW + rules: + - from: + - source: + principals: ["cluster.local/ns/myns/sa/consumersp"] + - from: + - source: + principals: ["cluster.local/ns/test-ns/sa/testsp"] + requestPrincipals: ["*"] + - from: + - source: + namespaces: ["istio-system"] + requestPrincipals: ["*"] +--- +# Source: platform-service/templates/destinationrules.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: test-release-destinationrule +spec: + host: test + trafficPolicy: + loadBalancer: + simple: RANDOM + tls: + mode: ISTIO_MUTUAL +--- +# Source: platform-service/templates/requestAuthentication.yaml +apiVersion: security.istio.io/v1beta1 +kind: RequestAuthentication +metadata: + name: test-release +spec: + selector: + matchLabels: + app: test + version: v1 + jwtRules: + - audiences: + - test-audience + forwardOriginalToken: true + 
issuer: https://login.microsoftonline.com/abcd/v2.0/ + jwksUri: https://jwksuri/discovery/v2.0/keys +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test +spec: + hosts: + - test + gateways: + - mesh + http: + - route: + - destination: + host: "test" +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test-external +spec: + hosts: + - "mysubdomain1.mydomain.com" + - "mysubdomain2.mydomain.com" + gateways: + - gateway/one-gateway + http: + # redirect on prefixes without trailing slashes + - match: + - uri: + exact: /prefix1 + redirect: + uri: /prefix1/ + - match: + - uri: + exact: /prefix2 + redirect: + uri: /prefix2/ + # routes to service + - route: + - destination: + host: "test" + match: + - uri: + prefix: /prefix1/ + - uri: + prefix: /prefix2/ + rewrite: + uri: / + # deprecated + headers: + request: + add: + x-appname: prefix1 diff --git a/testing/results/deployment-only.yaml b/testing/results/deployment-only.yaml new file mode 100644 index 0000000..968ff18 --- /dev/null +++ b/testing/results/deployment-only.yaml 
@@ -0,0 +1,178 @@ +--- +# Source: platform-service/templates/network-policy.yaml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: test-release-network-policy +spec: + podSelector: + matchLabels: + app: test + version: v1 + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + istio: pilot + namespaceSelector: + matchLabels: + istio-operator-managed: Reconcile + - from: + - podSelector: + matchLabels: + istio: ingressgateway + namespaceSelector: + matchLabels: + istio-operator-managed: Reconcile + - from: + - podSelector: + matchLabels: + app: consumer + ports: + - protocol: TCP + port: 80 +--- +# Source: platform-service/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-release + labels: + app.kubernetes.io/name: test + helm.sh/chart: platform-service-1.0.43 + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app: test + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: test + app.kubernetes.io/instance: test-release + template: + metadata: + labels: + app.kubernetes.io/name: test + app.kubernetes.io/instance: test-release + app: test + version: v1 + session-management: backend + annotations: + spec: + serviceAccountName: test + initContainers: + containers: + + - name: test + image: "test.io/some/repository:latest" + imagePullPolicy: IfNotPresent + + env: + - name: baseLevel + value: "only set at base" + - name: definedInBaseAndDuplicatedInOverride + value: "sharedValue" + - name: definedInBaseAndOverridden + value: "baseValue" + - name: definedInBaseAndOverriddenValue + valueFrom: + secretKeyRef: + key: username + name: base-secret + - name: onlyDefinedInBaseValue + valueFrom: + secretKeyRef: + key: username + name: base-secret + + ports: + - name: http + containerPort: 80 + protocol: TCP + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 80 + initialDelaySeconds: 0 + periodSeconds: 10 
+ timeoutSeconds: 1 + readinessProbe: + httpGet: + path: /ready + port: 80 + successThreshold: 3 + startupProbe: + failureThreshold: 30 + httpGet: + path: /health/startup + port: 80 + periodSeconds: 10 + volumeMounts: + - name: service-secrets + mountPath: /secrets + + resources: + {} + volumes: + + - name: service-secrets + secret: + secretName: test-secrets +--- +# Source: platform-service/templates/authorizationPolicy.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: test-release +spec: + selector: + matchLabels: + app: test + version: v1 + action: ALLOW + rules: + - from: + - source: + principals: ["cluster.local/ns/myns/sa/consumersp"] + - from: + - source: + principals: ["cluster.local/ns/test-ns/sa/testsp"] + requestPrincipals: ["*"] + - from: + - source: + namespaces: ["istio-system"] + requestPrincipals: ["*"] +--- +# Source: platform-service/templates/destinationrules.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: test-release-destinationrule +spec: + host: test + trafficPolicy: + loadBalancer: + simple: RANDOM + tls: + mode: ISTIO_MUTUAL +--- +# Source: platform-service/templates/requestAuthentication.yaml +apiVersion: security.istio.io/v1beta1 +kind: RequestAuthentication +metadata: + name: test-release +spec: + selector: + matchLabels: + app: test + version: v1 + jwtRules: + - audiences: + - test-audience + forwardOriginalToken: true + issuer: https://login.microsoftonline.com/abcd/v2.0/ + jwksUri: https://jwksuri/discovery/v2.0/keys diff --git a/testing/results/no-sessman.yaml b/testing/results/no-sessman.yaml new file mode 100644 index 0000000..0c5a2fc --- /dev/null +++ b/testing/results/no-sessman.yaml 
@@ -0,0 +1,88 @@ +--- +# Source: platform-service/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-release + labels: + app.kubernetes.io/name: test + helm.sh/chart: platform-service-1.0.43 + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app: test + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: test + app.kubernetes.io/instance: test-release + template: + metadata: + labels: + app.kubernetes.io/name: test + app.kubernetes.io/instance: test-release + app: test + version: v1 + annotations: + spec: + serviceAccountName: test + initContainers: + containers: + + - name: test + image: "test.io/some/repository:latest" + imagePullPolicy: IfNotPresent + + env: + - name: baseLevel + value: "only set at base" + - name: definedInBaseAndDuplicatedInOverride + value: "sharedValue" + - name: definedInBaseAndOverridden + value: "baseValue" + - name: definedInBaseAndOverriddenValue + valueFrom: + secretKeyRef: + key: username + name: base-secret + - name: onlyDefinedInBaseValue + valueFrom: + secretKeyRef: + key: username + name: base-secret + + ports: + - name: http + containerPort: 80 + protocol: TCP + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 80 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + readinessProbe: + httpGet: + path: /ready + port: 80 + successThreshold: 3 + startupProbe: + failureThreshold: 30 + httpGet: + path: /health/startup + port: 80 + periodSeconds: 10 + volumeMounts: + - name: service-secrets + mountPath: /secrets + + resources: + {} + volumes: + + - name: service-secrets + secret: + secretName: test-secrets diff --git a/testing/results/not-exposed.yaml b/testing/results/not-exposed.yaml new file mode 100644 index 0000000..ea0b019 --- /dev/null +++ b/testing/results/not-exposed.yaml 
@@ -0,0 +1,213 @@ +--- +# Source: platform-service/templates/network-policy.yaml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: test-release-network-policy +spec: + podSelector: + matchLabels: + app: test + version: v1 + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + istio: pilot + namespaceSelector: + matchLabels: + istio-operator-managed: Reconcile + - from: + - podSelector: + matchLabels: + app: consumer + ports: + - protocol: TCP + port: 80 +--- +# Source: platform-service/templates/service-account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test +--- +# Source: platform-service/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: test + labels: + app.kubernetes.io/name: test + helm.sh/chart: platform-service-1.0.43 + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm +spec: + type: + ports: + - port: 8000 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: test + app: test +--- +# Source: platform-service/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-release + labels: + app.kubernetes.io/name: test + helm.sh/chart: platform-service-1.0.43 + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app: test + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: test + app.kubernetes.io/instance: test-release + template: + metadata: + labels: + app.kubernetes.io/name: test + app.kubernetes.io/instance: test-release + app: test + version: v1 + session-management: backend + annotations: + spec: + serviceAccountName: test + initContainers: + containers: + + - name: test + image: "test.io/some/repository:latest" + imagePullPolicy: IfNotPresent + + env: + - name: baseLevel + value: "only set at base" + - name: definedInBaseAndDuplicatedInOverride + value: "sharedValue" + - name: definedInBaseAndOverridden + value: 
"baseValue" + - name: definedInBaseAndOverriddenValue + valueFrom: + secretKeyRef: + key: username + name: base-secret + - name: onlyDefinedInBaseValue + valueFrom: + secretKeyRef: + key: username + name: base-secret + + ports: + - name: http + containerPort: 80 + protocol: TCP + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 80 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + readinessProbe: + httpGet: + path: /ready + port: 80 + successThreshold: 3 + startupProbe: + failureThreshold: 30 + httpGet: + path: /health/startup + port: 80 + periodSeconds: 10 + volumeMounts: + - name: service-secrets + mountPath: /secrets + + resources: + {} + volumes: + + - name: service-secrets + secret: + secretName: test-secrets +--- +# Source: platform-service/templates/authorizationPolicy.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: test-release +spec: + selector: + matchLabels: + app: test + version: v1 + action: ALLOW + rules: + - from: + - source: + principals: ["cluster.local/ns/myns/sa/consumersp"] + - from: + - source: + principals: ["cluster.local/ns/test-ns/sa/testsp"] + requestPrincipals: ["*"] + - from: + - source: + namespaces: ["istio-system"] + requestPrincipals: ["*"] +--- +# Source: platform-service/templates/destinationrules.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: test-release-destinationrule +spec: + host: test + trafficPolicy: + loadBalancer: + simple: RANDOM + tls: + mode: ISTIO_MUTUAL +--- +# Source: platform-service/templates/requestAuthentication.yaml +apiVersion: security.istio.io/v1beta1 +kind: RequestAuthentication +metadata: + name: test-release +spec: + selector: + matchLabels: + app: test + version: v1 + jwtRules: + - audiences: + - test-audience + forwardOriginalToken: true + issuer: https://login.microsoftonline.com/abcd/v2.0/ + jwksUri: https://jwksuri/discovery/v2.0/keys +--- +# Source: 
platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test +spec: + hosts: + - test + gateways: + - mesh + http: + - route: + - destination: + host: "test" diff --git a/testing/results/run-date.txt b/testing/results/run-date.txt new file mode 100644 index 0000000..3d4d801 --- /dev/null +++ b/testing/results/run-date.txt @@ -0,0 +1 @@ +Fri Feb 11 15:26:16 PST 2022 diff --git a/testing/results/sessman-with-redirect.yaml b/testing/results/sessman-with-redirect.yaml new file mode 100644 index 0000000..a835f1f --- /dev/null +++ b/testing/results/sessman-with-redirect.yaml 
@@ -0,0 +1,89 @@ +--- +# Source: platform-service/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-release + labels: + app.kubernetes.io/name: test + helm.sh/chart: platform-service-1.0.43 + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app: test + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: test + app.kubernetes.io/instance: test-release + template: + metadata: + labels: + app.kubernetes.io/name: test + app.kubernetes.io/instance: test-release + app: test + version: v1 + session-management: frontend + annotations: + spec: + serviceAccountName: test + initContainers: + containers: + + - name: test + image: "test.io/some/repository:latest" + imagePullPolicy: IfNotPresent + + env: + - name: baseLevel + value: "only set at base" + - name: definedInBaseAndDuplicatedInOverride + value: "sharedValue" + - name: definedInBaseAndOverridden + value: "baseValue" + - name: definedInBaseAndOverriddenValue + valueFrom: + secretKeyRef: + key: username + name: base-secret + - name: onlyDefinedInBaseValue + valueFrom: + secretKeyRef: + key: username + name: base-secret + + ports: + - name: http + containerPort: 80 + protocol: TCP + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 80 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + readinessProbe: + httpGet: + path: /ready + port: 80 + successThreshold: 3 + startupProbe: + failureThreshold: 30 + httpGet: + path: /health/startup + port: 80 + periodSeconds: 10 + volumeMounts: + - name: service-secrets + mountPath: /secrets + + resources: + {} + volumes: + + - name: service-secrets + secret: + secretName: test-secrets diff --git a/testing/results/vs-all-hosts.yaml b/testing/results/vs-all-hosts.yaml new file mode 100644 index 0000000..b3147d3 --- /dev/null +++ b/testing/results/vs-all-hosts.yaml 
@@ -0,0 +1,54 @@ +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test +spec: + hosts: + - test + gateways: + - mesh + http: + - route: + - destination: + host: "test" +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test-external +spec: + hosts: + - "*" + gateways: + - gateway/one-gateway + http: + # redirect on prefixes without trailing slashes + - match: + - uri: + exact: /prefix1 + redirect: + uri: /prefix1/ + - match: + - uri: + exact: /prefix2 + redirect: + uri: /prefix2/ + # routes to service + - route: + - destination: + host: "test" + match: + - uri: + prefix: /prefix1/ + - uri: + prefix: /prefix2/ + rewrite: + uri: / + # deprecated + headers: + request: + add: + x-appname: prefix1 diff --git a/testing/results/vs-cors-policy.yaml b/testing/results/vs-cors-policy.yaml new file mode 100644 index 0000000..6f4287d --- /dev/null +++ b/testing/results/vs-cors-policy.yaml 
@@ -0,0 +1,60 @@ +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test +spec: + hosts: + - test + gateways: + - mesh + http: + - route: + - destination: + host: "test" +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test-external +spec: + hosts: + - "mysubdomain1.mydomain.com" + - "mysubdomain2.mydomain.com" + gateways: + - gateway/one-gateway + http: + # redirect on prefixes without trailing slashes + - match: + - uri: + exact: /prefix1 + redirect: + uri: /prefix1/ + - match: + - uri: + exact: /prefix2 + redirect: + uri: /prefix2/ + # routes to service + - route: + - destination: + host: "test" + corsPolicy: + allowMethods: + - GET + allowOrigins: + - exact: app://. + match: + - uri: + prefix: /prefix1/ + - uri: + prefix: /prefix2/ + rewrite: + uri: / + # deprecated + headers: + request: + add: + x-appname: prefix1 diff --git a/testing/results/vs-default-routing-disabled.yaml b/testing/results/vs-default-routing-disabled.yaml new file mode 100644 index 0000000..b016b60 --- /dev/null +++ b/testing/results/vs-default-routing-disabled.yaml 
@@ -0,0 +1,192 @@ +--- +# Source: platform-service/templates/network-policy.yaml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: test-release-network-policy +spec: + podSelector: + matchLabels: + app: test + version: v1 + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + istio: pilot + namespaceSelector: + matchLabels: + istio-operator-managed: Reconcile + - from: + - podSelector: + matchLabels: + istio: ingressgateway + namespaceSelector: + matchLabels: + istio-operator-managed: Reconcile + - from: + - podSelector: + matchLabels: + app: consumer + ports: + - protocol: TCP + port: 80 +--- +# Source: platform-service/templates/service-account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test +--- +# Source: platform-service/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: test + labels: + app.kubernetes.io/name: test + helm.sh/chart: platform-service-1.0.43 + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm +spec: + type: + ports: + - port: 8000 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: test + app: test +--- +# Source: platform-service/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-release + labels: + app.kubernetes.io/name: test + helm.sh/chart: platform-service-1.0.43 + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app: test + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: test + app.kubernetes.io/instance: test-release + template: + metadata: + labels: + app.kubernetes.io/name: test + app.kubernetes.io/instance: test-release + app: test + version: v1 + session-management: backend + annotations: + spec: + serviceAccountName: test + initContainers: + containers: + + - name: test + image: "test.io/some/repository:latest" + imagePullPolicy: IfNotPresent + + env: + - name: baseLevel + 
value: "only set at base" + - name: definedInBaseAndDuplicatedInOverride + value: "sharedValue" + - name: definedInBaseAndOverridden + value: "baseValue" + - name: definedInBaseAndOverriddenValue + valueFrom: + secretKeyRef: + key: username + name: base-secret + - name: onlyDefinedInBaseValue + valueFrom: + secretKeyRef: + key: username + name: base-secret + + ports: + - name: http + containerPort: 80 + protocol: TCP + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 80 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + readinessProbe: + httpGet: + path: /ready + port: 80 + successThreshold: 3 + startupProbe: + failureThreshold: 30 + httpGet: + path: /health/startup + port: 80 + periodSeconds: 10 + volumeMounts: + - name: service-secrets + mountPath: /secrets + + resources: + {} + volumes: + + - name: service-secrets + secret: + secretName: test-secrets +--- +# Source: platform-service/templates/authorizationPolicy.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: test-release +spec: + selector: + matchLabels: + app: test + version: v1 + action: ALLOW + rules: + - from: + - source: + principals: ["cluster.local/ns/myns/sa/consumersp"] + - from: + - source: + principals: ["cluster.local/ns/test-ns/sa/testsp"] + requestPrincipals: ["*"] + - from: + - source: + namespaces: ["istio-system"] + requestPrincipals: ["*"] +--- +# Source: platform-service/templates/requestAuthentication.yaml +apiVersion: security.istio.io/v1beta1 +kind: RequestAuthentication +metadata: + name: test-release +spec: + selector: + matchLabels: + app: test + version: v1 + jwtRules: + - audiences: + - test-audience + forwardOriginalToken: true + issuer: https://login.microsoftonline.com/abcd/v2.0/ + jwksUri: https://jwksuri/discovery/v2.0/keys diff --git a/testing/results/vs-exact-matches.yaml b/testing/results/vs-exact-matches.yaml new file mode 100644 index 0000000..2c85f9e --- /dev/null 
+++ b/testing/results/vs-exact-matches.yaml @@ -0,0 +1,64 @@ +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test +spec: + hosts: + - test + gateways: + - mesh + http: + - route: + - destination: + host: "test" +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test-external +spec: + hosts: + - "mysubdomain1.mydomain.com" + - "mysubdomain2.mydomain.com" + gateways: + - gateway/one-gateway + http: + - match: + - uri: + exact: /url2 + - uri: + prefix: /url2/ + # routes to service + route: + - destination: + host: "test" + # redirect on prefixes without trailing slashes + - match: + - uri: + exact: /prefix1 + redirect: + uri: /prefix1/ + - match: + - uri: + exact: /prefix2 + redirect: + uri: /prefix2/ + # routes to service + - route: + - destination: + host: "test" + match: + - uri: + prefix: /prefix1/ + - uri: + prefix: /prefix2/ + rewrite: + uri: / + # deprecated + headers: + request: + add: + x-appname: prefix1 diff --git a/testing/results/vs-no-slash-redirect.yaml b/testing/results/vs-no-slash-redirect.yaml new file mode 100644 index 0000000..820f1a4 --- /dev/null +++ b/testing/results/vs-no-slash-redirect.yaml 
@@ -0,0 +1,44 @@ +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test +spec: + hosts: + - test + gateways: + - mesh + http: + - route: + - destination: + host: "test" +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test-external +spec: + hosts: + - "mysubdomain1.mydomain.com" + - "mysubdomain2.mydomain.com" + gateways: + - gateway/one-gateway + http: + # routes to service + - route: + - destination: + host: "test" + match: + - uri: + prefix: /prefix1/ + - uri: + prefix: /prefix2/ + rewrite: + uri: / + # deprecated + headers: + request: + add: + x-appname: prefix1 diff --git a/testing/results/vs-no-urlPrefixes.yaml b/testing/results/vs-no-urlPrefixes.yaml new file mode 100644 index 0000000..47860d6 --- /dev/null +++ b/testing/results/vs-no-urlPrefixes.yaml @@ -0,0 +1,48 @@ +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test +spec: + hosts: + - test + gateways: + - mesh + http: + - route: + - destination: + host: "test" +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test-external +spec: + hosts: + - "mysubdomain1.mydomain.com" + - "mysubdomain2.mydomain.com" + gateways: + - gateway/one-gateway + http: + # redirect on prefixes without trailing slashes + - match: + - uri: + exact: /test + redirect: + uri: /test/ + # routes to service + - route: + - destination: + host: "test" + match: + - uri: + prefix: /test/ + rewrite: + uri: / + # deprecated + headers: + request: + add: + x-appname: test diff --git a/testing/results/vs-rewriteUrlPrefix-disabled.yaml b/testing/results/vs-rewriteUrlPrefix-disabled.yaml new file mode 100644 index 0000000..d912594 --- /dev/null 
+++ b/testing/results/vs-rewriteUrlPrefix-disabled.yaml @@ -0,0 +1,53 @@ +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test +spec: + hosts: + - test + gateways: + - mesh + http: + - route: + - destination: + host: "test" +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test-external +spec: + hosts: + - "mysubdomain1.mydomain.com" + - "mysubdomain2.mydomain.com" + gateways: + - gateway/one-gateway + http: + # redirect on prefixes without trailing slashes + - match: + - uri: + exact: /prefix1 + redirect: + uri: /prefix1/ + - match: + - uri: + exact: /prefix2 + redirect: + uri: /prefix2/ + # routes to service + - route: + - destination: + host: "test" + match: + - uri: + prefix: /prefix1/ + - uri: + prefix: /prefix2/ + # deprecated + headers: + request: + add: + x-appname: prefix1 diff --git a/testing/results/vs-with-retries.yaml b/testing/results/vs-with-retries.yaml new file mode 100644 index 0000000..7fab56c --- /dev/null +++ b/testing/results/vs-with-retries.yaml 
@@ -0,0 +1,59 @@ +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test +spec: + hosts: + - test + gateways: + - mesh + http: + - route: + - destination: + host: "test" + retries: + attempts: 3 +--- +# Source: platform-service/templates/virtualservice.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: test-external +spec: + hosts: + - "mysubdomain1.mydomain.com" + - "mysubdomain2.mydomain.com" + gateways: + - gateway/one-gateway + http: + # redirect on prefixes without trailing slashes + - match: + - uri: + exact: /prefix1 + redirect: + uri: /prefix1/ + - match: + - uri: + exact: /prefix2 + redirect: + uri: /prefix2/ + # routes to service + - route: + - destination: + host: "test" + match: + - uri: + prefix: /prefix1/ + - uri: + prefix: /prefix2/ + rewrite: + uri: / + # deprecated + headers: + request: + add: + x-appname: prefix1 + retries: + attempts: 3 diff --git a/testing/values.yaml b/testing/values.yaml new file mode 100644 index 0000000..7c68ba0 --- /dev/null +++ b/testing/values.yaml 
@@ -0,0 +1,101 @@ +app: test +version: v1 + +image: + registry: test.io + repository: some/repository + pullPolicy: IfNotPresent + tag: latest + containerPort: 80 + +service: + port: 8000 + liveness: + enabled: false + timeoutSeconds: 5 + periodSeconds: 10 + +gateway: + exposeService: true + +defaultRouting: + enabled: true + allHosts: false + + hosts: + - mysubdomain1.mydomain.com + - mysubdomain2.mydomain.com + + urlPrefixes: + - prefix1 + - prefix2 + + retries: + enabled: false + settings: + attempts: 3 + +health: + livenessProbe: + httpGet: + path: /healthz + port: 80 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /ready + port: 80 + successThreshold: 3 + startupProbe: + httpGet: + path: /health/startup + port: 80 + failureThreshold: 30 + periodSeconds: 10 + +env: + baseLevel: only set at base + definedInBaseAndDuplicatedInOverride: sharedValue + definedInBaseAndOverridden: "baseValue" + definedInBaseAndOverriddenValue: + valueFrom: + secretKeyRef: + name: base-secret + key: username + onlyDefinedInBaseValue: + valueFrom: + secretKeyRef: + name: base-secret + key: username + +volumes: + - name: service-secrets + mountPath: "/secrets" + volumeDefinition: | + secret: + secretName: test-secrets + +# Specify network and authorization policies + +# Enable default network policy (set false and create your own if needed) +networkPolicy: + enabled: true + + # List of workloads allowed access to this workload + appsAllowedAccess: + # App identifier for workload + - consumer +authorizationPolicy: + authorizedServices: + - servicePrincipalFullName: "cluster.local/ns/myns/sa/consumersp" + requireJwt: false + - servicePrincipalName: testsp +requestAuthentication: + jwtRules: + - issuer: "https://login.microsoftonline.com/abcd/v2.0/" + jwksUri: "https://jwksuri/discovery/v2.0/keys" + audiences: ["test-audience"] + forwardOriginalToken: true
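Review bot: `requireJwt: false` on the `consumersp` entry under `authorizationPolicy.authorizedServices` is the only fixture case that exercises the mTLS-only rule — the rendered AuthorizationPolicy in testing/results lists that principal without a `requestPrincipals` constraint, while `testsp` gets `requestPrincipals: ["*"]` — but nothing in this file says that is deliberate, so a later cleanup could "fix" it and silently change the golden output; a comment on that line such as `# requireJwt: false — exercises the mTLS-only rule (no requestPrincipals) in authorizationPolicy.yaml` would pin the intent. Quoting of plain strings is also inconsistent (`"baseValue"` and `mountPath: "/secrets"` are quoted, `sharedValue` and `baseLevel: only set at base` are not); pick one style for the file, ideally quoting the two issuer/URL values and the principal name as they already are and leaving ordinary words bare. `tag: latest` with `pullPolicy: IfNotPresent` is fine for a test fixture but is worth a one-line comment marking it as test-only so it is not copied into a real values file.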