mTLS termination early implementation

.gitignore

@@ -158,3 +158,5 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+nginx/certs/

charts/eric-oss-hello-world-python-app/Chart.yaml

@@ -3,4 +3,4 @@ appVersion: "2.0.0"
 description: IDUN SDK Hello World App
 name: eric-oss-hello-world-python-app
 type: application
-version: VERSION
+version: "0.0.1-0"

charts/eric-oss-hello-world-python-app/templates/authorization-policy/authorization_policy.yaml

@@ -0,0 +1,24 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ include "eric-oss-hello-world-python-app.name" . }}-ap
+  labels:
+    {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }}
+    {{- if .Values.labels }}
+    {{ .Values.labels | toYaml | indent 4 }}
+    {{- end }}
+  annotations:
+    {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app: eric-oss-hello-world-python-app
+  rules:
+    - to:
+        - operation:
+            ports: ["80"]
+            paths: ["/sample-app/python/metrics", "/sample-app/python/health"]
+    - to:
+        - operation:
+            ports: ["443"]
+            paths: ["/sample-app/python/hello"]

charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml

@@ -9,6 +9,7 @@ metadata:
     {{- end }}
   annotations:
     {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
+    sidecar.istio.io/inject: "true"
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
@@ -37,7 +38,7 @@ spec:
         service.cleartext/scraping: "true"
       annotations:
         {{- if not (semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion) }}
-        container.apparmor.security.beta.kubernetes.io/eric-oss-hello-world-python-app: {{ include "eric-oss-hello-world-python-app.appArmorProfileAnnotation" . | default "runtime/default" }}
+{{/*        container.apparmor.security.beta.kubernetes.io/eric-oss-hello-world-python-app: {{ include "eric-oss-hello-world-python-app.appArmorProfileAnnotation" . | default "runtime/default" }}*/}}
         {{- end }}
         prometheus.io/port: "{{ .Values.service.port }}"
         prometheus.io/scrape: "{{ .Values.prometheus.scrape }}"
@@ -55,27 +56,27 @@ spec:
             items:
               - key: LOG_CTRL_FILE
                 path: logcontrol.json
-        - name: platform-cacerts
-          secret:
-            secretName: {{ index .Values "platformCaCertSecretName" | quote }}
-            defaultMode: 420
-        - name: app-certs
-          secret:
-            secretName: {{ index .Values "appSecretName" | quote }}
-            defaultMode: 420
-        - name: client-creds
-          secret:
-            secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}
-            defaultMode: 420
+{{/*        - name: platform-cacerts*/}}
+{{/*          secret:*/}}
+{{/*            secretName: {{ index .Values "platformCaCertSecretName" | quote }}*/}}
+{{/*            defaultMode: 420*/}}
+{{/*        - name: app-certs*/}}
+{{/*          secret:*/}}
+{{/*            secretName: {{ index .Values "appSecretName" | quote }}*/}}
+{{/*            defaultMode: 420*/}}
+{{/*        - name: client-creds*/}}
+{{/*          secret:*/}}
+{{/*            secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}*/}}
+{{/*            defaultMode: 420*/}}
       containers:
         - name: eric-oss-hello-world-python-app
-          image: {{ template "eric-oss-hello-world-python-app.imagePath" (dict "imageId" "eric-oss-hello-world-python-app" "values" .Values "files" .Files) }}
+          image: python-sample-app-eric-oss-hello-world-python-app
           imagePullPolicy: {{ include "eric-oss-hello-world-python-app.registryImagePullPolicy" . | quote }}
           securityContext:
-            {{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }} 
-            appArmorProfile:
-              type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }}
-            {{- end }}
+{{/*            {{- if semverCompare ">=1.30.0" .Capabilities.KubeVersion.GitVersion }} */}}
+{{/*            appArmorProfile:*/}}
+{{/*              type: {{ include "eric-oss-hello-world-python-app.appArmorProfile.type" . | default "RuntimeDefault" }}*/}}
+{{/*            {{- end }}*/}}
             allowPrivilegeEscalation: false
             privileged: false
             readOnlyRootFilesystem: true
@@ -87,15 +88,15 @@ spec:
           volumeMounts:
             - name: config-volume
               mountPath: /etc/adp
-            - name: platform-cacerts
-              mountPath: {{ index .Values "platformCaCertMountPath" | default .Values.instantiationDefaults.platformCaCertMountPath | quote }}
-              readOnly: true
-            - name: app-certs
-              mountPath: {{ index .Values "appCertMountPath" | default .Values.instantiationDefaults.appCertMountPath | quote }}
-              readOnly: true
-            - name: client-creds
-              mountPath: {{ index .Values "clientCredsMountPath" | default .Values.instantiationDefaults.clientCredsMountPath | quote }}
-              readOnly: true
+{{/*            - name: platform-cacerts*/}}
+{{/*              mountPath: {{ index .Values "platformCaCertMountPath" | default .Values.instantiationDefaults.platformCaCertMountPath | quote }}*/}}
+{{/*              readOnly: true*/}}
+{{/*            - name: app-certs*/}}
+{{/*              mountPath: {{ index .Values "appCertMountPath" | default .Values.instantiationDefaults.appCertMountPath | quote }}*/}}
+{{/*              readOnly: true*/}}
+{{/*            - name: client-creds*/}}
+{{/*              mountPath: {{ index .Values "clientCredsMountPath" | default .Values.instantiationDefaults.clientCredsMountPath | quote }}*/}}
+{{/*              readOnly: true*/}}
           env:
             - name: IAM_CLIENT_ID
               value: {{ index .Values "clientId" | quote }}

charts/eric-oss-hello-world-python-app/templates/destination-rule/destination_rule.yaml

@@ -0,0 +1,23 @@
+{{/*apiVersion: networking.istio.io/v1*/}}
+{{/*kind: DestinationRule*/}}
+{{/*metadata:*/}}
+{{/*  name: {{ include "eric-oss-hello-world-python-app.name" . }}-pa*/}}
+{{/*  labels:*/}}
+{{/*    {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }}*/}}
+{{/*    {{- if .Values.labels }}*/}}
+{{/*    {{ .Values.labels | toYaml | indent 4 }}*/}}
+{{/*    {{- end }}*/}}
+{{/*  annotations:*/}}
+{{/*    {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}*/}}
+{{/*spec:*/}}
+{{/*  host: eric-oss-hello-world-python-app*/}}
+{{/*  trafficPolicy:*/}}
+{{/*    portLevelSettings:*/}}
+{{/*      - port:*/}}
+{{/*          number: 80*/}}
+{{/*        tls:*/}}
+{{/*          mode: DISABLE*/}}
+{{/*      - port:*/}}
+{{/*          number: 443*/}}
+{{/*        tls:*/}}
+{{/*          mode: ISTIO_MUTUAL*/}}

charts/eric-oss-hello-world-python-app/templates/peer-authentication/peer_authentication.yaml

@@ -0,0 +1,20 @@
+{{/*apiVersion: security.istio.io/v1*/}}
+{{/*kind: PeerAuthentication*/}}
+{{/*metadata:*/}}
+{{/*  name: {{ include "eric-oss-hello-world-python-app.name" . }}-pa*/}}
+{{/*  labels:*/}}
+{{/*    {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }}*/}}
+{{/*    {{- if .Values.labels }}*/}}
+{{/*    {{ .Values.labels | toYaml | indent 4 }}*/}}
+{{/*    {{- end }}*/}}
+{{/*  annotations:*/}}
+{{/*    {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}*/}}
+{{/*spec:*/}}
+{{/*  selector:*/}}
+{{/*    matchLabels:*/}}
+{{/*      app: eric-oss-hello-world-python-app*/}}
+{{/*  mtls:*/}}
+{{/*    mode: STRICT*/}}
+{{/*  portLevelMtls:*/}}
+{{/*    80:*/}}
+{{/*      mode: DISABLE*/}}

charts/eric-oss-hello-world-python-app/templates/service-account/service_account.yaml

@@ -8,5 +8,5 @@ metadata:
       {{ .Values.labels | toYaml | indent 4 }}
     {{- end }}
   annotations:
-  {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
+    {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
 automountServiceAccountToken: false

charts/eric-oss-hello-world-python-app/templates/service/service.yaml

@@ -8,17 +8,21 @@ metadata:
       {{ .Values.labels | toYaml | indent 4 }}
     {{- end }}
   annotations:
-{{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
+  {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
 spec:
   type: {{ .Values.service.type }}
   {{- if .Values.global.internalIPFamily }}
   ipFamilies: [{{ .Values.global.internalIPFamily }}]
   {{- end }}
   ports:
-    - port: {{ .Values.service.port }}
-      targetPort: 8050
+    - port: 80
+      targetPort: 80
       protocol: TCP
       name: http
+    - port: 443
+      targetPort: 443
+      protocol: TCP
+      name: https
   selector:
     app.kubernetes.io/name: {{ include "eric-oss-hello-world-python-app.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}

charts/eric-oss-hello-world-python-app/templates/sidecar/sidecar.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.istio.io/v1
+kind: Sidecar
+metadata:
+  name: {{ include "eric-oss-hello-world-python-app.name" . }}-sc
+  labels:
+    {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }}
+    {{- if .Values.labels }}
+    {{ .Values.labels | toYaml | indent 4 }}
+    {{- end }}
+  annotations:
+    {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
+spec:
+  workloadSelector:
+    labels:
+      app: eric-oss-hello-world-python-app
+  ingress:
+    - port:
+        number: 80
+        protocol: HTTP
+      defaultEndpoint: 127.0.0.1:8050
+    - port:
+        number: 443
+        protocol: HTTP
+      defaultEndpoint: 127.0.0.1:8050

charts/eric-oss-hello-world-python-app/templates/virtual-service/virtual_service.yaml

@@ -0,0 +1,36 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: {{ include "eric-oss-hello-world-python-app.name" . }}-pa
+  labels:
+    {{- include "eric-oss-hello-world-python-app.labels" . | indent 4 }}
+    {{- if .Values.labels }}
+    {{ .Values.labels | toYaml | indent 4 }}
+    {{- end }}
+  annotations:
+    {{- include "eric-oss-hello-world-python-app.product-info" . | indent 4 }}
+spec:
+  hosts:
+    - eric-oss-hello-world-python-app
+  http:
+    - match:
+        - port: 80
+          uri:
+            prefix: /sample-app/python/metrics
+        - port: 80
+          uri:
+            prefix: /sample-app/python/health
+      route:
+        - destination:
+            host: eric-oss-hello-world-python-app
+            port:
+              number: 80
+    - match:
+        - port: 443
+          uri:
+            prefix: /sample-app/python/hello
+      route:
+        - destination:
+            host: eric-oss-hello-world-python-app
+            port:
+              number: 443

charts/eric-oss-hello-world-python-app/values.yaml

@@ -34,8 +34,8 @@ fullnameOverride: ""
 # unconfined  - Indicates that there is no profile loaded.
 # runtime/default - Applies the default profile of the container engine.
 # localhost   - Applies a specific profile loaded on the host
-appArmorProfile:
-  type: "RuntimeDefault"
+#appArmorProfile:
+#  type: "RuntimeDefault"
 
 seccompProfile:
   type: "RuntimeDefault"
@@ -45,18 +45,6 @@ service:
   type: ClusterIP
   port: 8050
 
-ingress:
-  enabled: false
-  ingressClass: OAM-IngressClass
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-  host: ""
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
-
 resources:
   helloWorld:
     limits:

docker-compose.yaml

@@ -0,0 +1,17 @@
+services:
+  nginx:
+    image: nginx:stable
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./nginx/certs:/etc/nginx/certs:ro
+    depends_on:
+      - eric-oss-hello-world-python-app
+
+  eric-oss-hello-world-python-app:
+    build:
+      context: .
+    ports:
+      - "8050:8050"