From 08e8c937090ae73e8cc9d9fb7ab6244717b12260 Mon Sep 17 00:00:00 2001
From: Jose Manuel Palomares
Date: Mon, 22 Dec 2025 09:58:29 +0100
Subject: [PATCH 1/4] feat: inf-3308 adapt charts to support Envoy Gateway
---
 parcellab/common/Chart.yaml | 2 +-
 parcellab/common/templates/_httproute.tpl | 38 ++++
 .../common/templates/_referencegrant.tpl | 57 ++++++
 parcellab/common/templates/_routing.tpl | 11 +
 .../common/templates/_securitypolicy.tpl | 189 ++++++++++++++++++
 parcellab/common/values.yaml | 73 +++++++
 parcellab/cronjob/Chart.yaml | 2 +-
 parcellab/microservice/Chart.yaml | 2 +-
 parcellab/microservice/README.md | 6 +
 .../microservice/templates/httproute.yaml | 1 +
 .../templates/referencegrant.yaml | 1 +
 .../templates/securitypolicy.yaml | 1 +
 parcellab/microservice/values.yaml | 81 ++++++++
 parcellab/monolith/Chart.yaml | 2 +-
 parcellab/monolith/README.md | 6 +
 parcellab/monolith/templates/httproute.yaml | 1 +
 .../monolith/templates/referencegrant.yaml | 1 +
 .../monolith/templates/securitypolicy.yaml | 1 +
 parcellab/monolith/values.yaml | 81 ++++++++
 parcellab/worker-group/Chart.yaml | 2 +-
 20 files changed, 553 insertions(+), 5 deletions(-)
 create mode 100644 parcellab/common/templates/_httproute.tpl
 create mode 100644 parcellab/common/templates/_referencegrant.tpl
 create mode 100644 parcellab/common/templates/_routing.tpl
 create mode 100644 parcellab/common/templates/_securitypolicy.tpl
 create mode 100644 parcellab/microservice/templates/httproute.yaml
 create mode 100644 parcellab/microservice/templates/referencegrant.yaml
 create mode 100644 parcellab/microservice/templates/securitypolicy.yaml
 create mode 100644 parcellab/monolith/templates/httproute.yaml
 create mode 100644 parcellab/monolith/templates/referencegrant.yaml
 create mode 100644 parcellab/monolith/templates/securitypolicy.yaml
diff --git a/parcellab/common/Chart.yaml b/parcellab/common/Chart.yaml
index da7e0dbe..e093e500 100644
--- a/parcellab/common/Chart.yaml
+++ b/parcellab/common/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2 name: common description: A Helm chart library for parcelLab charts type: library -version: 1.2.2 +version: 1.3.2 maintainers: - name: parcelLab email: engineering@parcellab.com diff --git a/parcellab/common/templates/_httproute.tpl b/parcellab/common/templates/_httproute.tpl new file mode 100644 index 00000000..4f7d465c --- /dev/null +++ b/parcellab/common/templates/_httproute.tpl @@ -0,0 +1,38 @@ +{{/* vim: set filetype=mustache: */}} +{{/* + Common httproute definition: + {{ include "common.httproute" ( + dict + "Values" "the values scope" + ) }} +*/}} + +{{- define "common.httproute" -}} +{{- $httproute := .Values.httproute | default dict -}} +{{- if $httproute.enabled }} +{{- $name := include "common.fullname" . }} +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "common.labels" . | nindent 4 }} +spec: + parentRefs: + - name: {{ $httproute.parentGateway }} + namespace: {{ $httproute.parentGatewayNamespace | default "envoy-gateway" }} + hostnames: + {{- range $httproute.hosts }} + - {{ . | quote }} + {{- end }} + rules: + - matches: + - path: + type: PathPrefix + value: {{ $httproute.path | default "/" }} + backendRefs: + - name: {{ include "common.fullname" . }} + port: {{ .Values.service.port }} +{{- end }} +{{- end -}} diff --git a/parcellab/common/templates/_referencegrant.tpl b/parcellab/common/templates/_referencegrant.tpl new file mode 100644 index 00000000..e9bbd27d --- /dev/null +++ b/parcellab/common/templates/_referencegrant.tpl 
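Review bot: `$name` is assigned right after the `enabled` check but never read — `metadata.name` and `backendRefs[].name` each re-run `include "common.fullname" .`; either use `$name` in both places or drop the assignment. `path.value` is the only user-supplied scalar in the route that is not quoted; `value: {{ $httproute.path | default "/" | quote }}` keeps a path containing `#` or `: ` from breaking the rendered YAML and matches how `hosts` are quoted above it. `parentRefs[].name` renders empty when `parentGateway` is unset and `hostnames:` renders null when `hosts` is empty; both are tightened in the next patch of this series.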
@@ -0,0 +1,57 @@ +{{/* vim: set filetype=mustache: */}} +{{/* + Common ReferenceGrant definition: + {{ include "common.referencegrant" ( + dict + "Values" "the values scope" + "Release" .Release + ) }} +*/}} + +{{- define "common.referencegrant" -}} +{{- $referenceGrant := .Values.referenceGrant | default dict -}} +{{- if $referenceGrant.enabled }} +{{- $name := include "common.fullname" . }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: ReferenceGrant +metadata: + name: {{ $referenceGrant.name | default (printf "%s-grant" $name) }} + namespace: {{ $referenceGrant.namespace | default .Release.Namespace }} + labels: + {{- include "common.labels" . | nindent 4 }} + {{- with $referenceGrant.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + from: + {{- if $referenceGrant.from }} + {{- range $referenceGrant.from }} + - group: {{ .group | quote }} + kind: {{ .kind | quote }} + namespace: {{ .namespace | quote }} + {{- with .name }} + name: {{ . | quote }} + {{- end }} + {{- end }} + {{- else }} + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: {{ .Release.Namespace | quote }} + {{- end }} + to: + {{- if $referenceGrant.to }} + {{- range $referenceGrant.to }} + - group: {{ .group | quote }} + kind: {{ .kind | quote }} + {{- with .name }} + name: {{ . | quote }} + {{- end }} + {{- end }} + {{- else }} + - group: "" + kind: Service + {{- end }} +{{- end }} +{{- end -}} diff --git a/parcellab/common/templates/_routing.tpl b/parcellab/common/templates/_routing.tpl new file mode 100644 index 00000000..d71941a0 --- /dev/null +++ b/parcellab/common/templates/_routing.tpl @@ -0,0 +1,11 @@ +{{- define "common.routing" -}} +{{- $httproute := .Values.httproute | default dict -}} +{{- $ingress := .Values.ingress | default dict -}} + +{{- if $httproute.enabled }} + {{- include "common.httproute" . }} +{{- else if $ingress.enabled }} + {{- include "common.ingress" . }} +{{- end }} + +{{- end -}} 
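Review bot: With `namespace`, `from` and `to` all unset, the grant is created in `.Release.Namespace` and admits HTTPRoutes from that same namespace to Services in it — a same-namespace reference never needs a ReferenceGrant, so `enabled: true` with defaults renders an object that grants nothing, while the `values.yaml` comment in this patch says it lets HTTPRoute and SecurityPolicy reach the Gateway and Secret in `envoy-gateway`. A `to` entry without `name` admits every object of that kind in the grant's namespace; the default `group: "" / kind: Service` branch should be documented as namespace-wide, and the commented examples should show `name:` so a grant that covers Secrets is limited to the one Secret actually referenced. The same applies to the `from`/`to` defaults this series widens in its second patch (`referenceGrant.from.kind` and `referenceGrant.to.kind` hunks).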
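Review bot: `common.routing` silently drops the Ingress when both `httproute.enabled` and `ingress.enabled` are true — the likely state during a migration — so a release could lose its Ingress with no message; either `fail` when both are set or add a comment above the `if` stating that HTTPRoute takes precedence. Nothing else in this series appears to include `common.routing` (the chart templates include `common.httproute` directly), so if it is meant to replace the existing ingress include, that wiring is still missing.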
diff --git a/parcellab/common/templates/_securitypolicy.tpl b/parcellab/common/templates/_securitypolicy.tpl
new file mode 100644
index 00000000..3f7d9923
--- /dev/null
+++ b/parcellab/common/templates/_securitypolicy.tpl
@@ -0,0 +1,189 @@ +{{/* vim: set filetype=mustache: */}} +{{/* + Common SecurityPolicy definition: + {{ include "common.securitypolicy" ( + dict + "Values" "the values scope" + "Release" .Release + ) }} +*/}} + +{{- define "common.securitypolicy" -}} +{{- $securityPolicy := .Values.securityPolicy | default dict -}} +{{- if $securityPolicy.enabled }} +{{- $name := include "common.fullname" . }} +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: {{ $securityPolicy.name | default (printf "%s-security" $name) }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "common.labels" . | nindent 4 }} + {{- with $securityPolicy.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + targetRef: + group: {{ $securityPolicy.targetRef.group | default "gateway.networking.k8s.io" }} + kind: {{ $securityPolicy.targetRef.kind | default "HTTPRoute" }} + name: {{ $securityPolicy.targetRef.name | default $name }} + {{- with $securityPolicy.targetRef.namespace }} + namespace: {{ . }} + {{- end }} + {{- if $securityPolicy.oidc }} + oidc: + provider: + issuer: {{ required "securityPolicy.oidc.provider.issuer is required" $securityPolicy.oidc.provider.issuer | quote }} + {{- with $securityPolicy.oidc.provider.authorizationEndpoint }} + authorizationEndpoint: {{ . | quote }} + {{- end }} + {{- with $securityPolicy.oidc.provider.tokenEndpoint }} + tokenEndpoint: {{ . | quote }} + {{- end }} + clientID: {{ required "securityPolicy.oidc.clientID is required" $securityPolicy.oidc.clientID | quote }} + clientSecret: + {{- if $securityPolicy.oidc.clientSecret }} + name: {{ $securityPolicy.oidc.clientSecret.name | quote }} + {{- with $securityPolicy.oidc.clientSecret.namespace }} + namespace: {{ . 
| quote }} + {{- end }} + {{- else }} + name: "keycloak-oidc-secret" + {{- end }} + redirectURL: {{ required "securityPolicy.oidc.redirectURL is required" $securityPolicy.oidc.redirectURL | quote }} + {{- with $securityPolicy.oidc.logoutPath }} + logoutPath: {{ . | quote }} + {{- end }} + {{- if $securityPolicy.oidc.scopes }} + scopes: + {{- toYaml $securityPolicy.oidc.scopes | nindent 6 }} + {{- else }} + scopes: + - openid + - profile + - email + {{- end }} + {{- with $securityPolicy.oidc.cookieDomain }} + cookieDomain: {{ . | quote }} + {{- end }} + {{- with $securityPolicy.oidc.cookieNames }} + cookieNames: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- if hasKey $securityPolicy.oidc "forwardAccessToken" }} + forwardAccessToken: {{ $securityPolicy.oidc.forwardAccessToken }} + {{- end }} + {{- if hasKey $securityPolicy.oidc "passThroughAuthHeader" }} + passThroughAuthHeader: {{ $securityPolicy.oidc.passThroughAuthHeader }} + {{- end }} + {{- with $securityPolicy.oidc.refreshToken }} + refreshToken: {{ . }} + {{- end }} + {{- end }} + {{- if $securityPolicy.jwt }} + jwt: + {{- if hasKey $securityPolicy.jwt "optional" }} + optional: {{ $securityPolicy.jwt.optional }} + {{- end }} + providers: + {{- range $securityPolicy.jwt.providers }} + - name: {{ .name | quote }} + issuer: {{ .issuer | quote }} + {{- with .audiences }} + audiences: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .remoteJWKS }} + remoteJWKS: + uri: {{ .remoteJWKS.uri | quote }} + {{- with .remoteJWKS.cacheDuration }} + cacheDuration: {{ . }} + {{- end }} + {{- end }} + {{- if .claimToHeaders }} + claimToHeaders: + {{- range .claimToHeaders }} + - header: {{ .header | quote }} + claim: {{ .claim | quote }} + {{- end }} + {{- end }} + {{- with .extractFrom }} + extractFrom: + {{- toYaml . 
| nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if $securityPolicy.basicAuth }} + basicAuth: + users: + name: {{ $securityPolicy.basicAuth.users.name | quote }} + {{- with $securityPolicy.basicAuth.users.namespace }} + namespace: {{ . | quote }} + {{- end }} + {{- end }} + {{- if $securityPolicy.authorization }} + authorization: + defaultAction: {{ $securityPolicy.authorization.defaultAction | default "Deny" }} + {{- if $securityPolicy.authorization.rules }} + rules: + {{- range $securityPolicy.authorization.rules }} + - name: {{ .name | quote }} + action: {{ .action | default "Allow" }} + {{- if .principal }} + principal: + {{- if .principal.clientCIDRs }} + clientCIDRs: + {{- toYaml .principal.clientCIDRs | nindent 12 }} + {{- end }} + {{- if .principal.jwt }} + jwt: + provider: {{ .principal.jwt.provider | quote }} + {{- if .principal.jwt.scopes }} + scopes: + {{- toYaml .principal.jwt.scopes | nindent 14 }} + {{- end }} + {{- if .principal.jwt.claims }} + claims: + {{- range .principal.jwt.claims }} + - name: {{ .name | quote }} + {{- with .valueType }} + valueType: {{ . }} + {{- end }} + {{- if .values }} + values: + {{- toYaml .values | nindent 18 }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if $securityPolicy.cors }} + cors: + allowOrigins: + {{- toYaml $securityPolicy.cors.allowOrigins | nindent 6 }} + {{- with $securityPolicy.cors.allowMethods }} + allowMethods: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with $securityPolicy.cors.allowHeaders }} + allowHeaders: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with $securityPolicy.cors.exposeHeaders }} + exposeHeaders: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- if hasKey $securityPolicy.cors "allowCredentials" }} + allowCredentials: {{ $securityPolicy.cors.allowCredentials }} + {{- end }} + {{- with $securityPolicy.cors.maxAge }} + maxAge: {{ . }} + {{- end }} + {{- end }} +{{- end }} +{{- end -}} 
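Review bot: `$securityPolicy.oidc.provider.issuer` is dereferenced through a possibly-nil `provider` map before `required` can run, so a values file that sets `oidc:` without `provider:` fails with a Go nil-pointer template error instead of the intended message; bind it the way `$securityPolicy` is bound, `{{- $provider := $securityPolicy.oidc.provider | default dict }}`, and apply `required` to `$provider.issuer` (the next patch does this for `targetRef` but not here). The `clientSecret` fallback hard-codes `name: "keycloak-oidc-secret"` with no namespace, so the policy presumably resolves a Secret in its own namespace that the chart neither creates nor documents; making `clientSecret.name` `required` instead of defaulting keeps a mis-typed values file from silently binding to an unintended Secret. `spec.targetRef` is rendered with an optional `namespace`; whether the `gateway.envoyproxy.io/v1alpha1` target reference still carries that field should be confirmed against the installed Envoy Gateway version. This file is removed again by the last patch in the series.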
diff --git a/parcellab/common/values.yaml b/parcellab/common/values.yaml
index 2e495bc4..ee333bd0 100644
--- a/parcellab/common/values.yaml
+++ b/parcellab/common/values.yaml
@@ -23,6 +23,79 @@ image: tag: stable ingress: enabled: false + +## +## Envoy Gateway Resources +## + +# HTTPRoute - Configure routing through Envoy Gateway +httproute: + enabled: false + # parentGateway: gateway-api + # parentGatewayNamespace: envoy-gateway + # hosts: + # - myapp.gateway.test.parcellab.dev + # path: / + +# ReferenceGrant - Allow cross-namespace references +referenceGrant: + enabled: false + # Automatically allows HTTPRoute and SecurityPolicy from current namespace + # to reference Gateway and Secret in envoy-gateway namespace + +# SecurityPolicy - OIDC Authentication with Group-Based Authorization +# Example: Employee-Only App +securityPolicy: + enabled: false + # name: employee-only # Optional: custom name + # targetRef: + # kind: HTTPRoute + # name: myapp # Optional: defaults to release name + # oidc: + # provider: + # issuer: "https://auth.test.parcellab.dev/realms/parcellab-internal" + # clientID: "envoy-gateway-client" + # clientSecret: + # name: "keycloak-oidc-secret" + # namespace: "envoy-gateway" + # redirectURL: "https://myapp.gateway.test.parcellab.dev/oauth2/callback" + # logoutPath: "/logout" + # scopes: + # - openid + # - profile + # - email + # cookieDomain: "myapp.gateway.test.parcellab.dev" + # forwardAccessToken: true + # passThroughAuthHeader: true + # jwt: + # optional: false + # providers: + # - name: keycloak + # issuer: "https://auth.test.parcellab.dev/realms/parcellab-internal" + # remoteJWKS: + # uri: "https://auth.test.parcellab.dev/realms/parcellab-internal/protocol/openid-connect/certs" + # cacheDuration: 300s + # claimToHeaders: + # - header: "x-user-email" + # claim: "email" + # - header: "x-user-groups" + # claim: "groups" + # - header: "x-user-id" + # claim: "sub" + # authorization: + # defaultAction: Deny + # rules: + # - name: allow-employees + # action: Allow + # principal: + # jwt: + # provider: keycloak + # claims: + # - name: groups + # valueType: StringArray + # values: + # - "/parcellab-employee" + name: 
common terminationGracePeriodSeconds: 30 nodeSelector: {} diff --git a/parcellab/cronjob/Chart.yaml b/parcellab/cronjob/Chart.yaml index 7eff6a05..3ba4d4c0 100644 --- a/parcellab/cronjob/Chart.yaml +++ b/parcellab/cronjob/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: cronjob description: Single cron job -version: 0.4.1 +version: 0.4.2 dependencies: - name: common version: "*" diff --git a/parcellab/microservice/Chart.yaml b/parcellab/microservice/Chart.yaml index 9445b295..b32100fb 100644 --- a/parcellab/microservice/Chart.yaml +++ b/parcellab/microservice/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: microservice description: Simple microservice -version: 0.4.1 +version: 0.5.1 dependencies: - name: common version: "*" diff --git a/parcellab/microservice/README.md b/parcellab/microservice/README.md index 5e268d3b..01136f96 100644 --- a/parcellab/microservice/README.md +++ b/parcellab/microservice/README.md @@ -31,10 +31,16 @@ needs. Its generated secret's data values will be loaded as environment variables to the target pod. - `hpa` - Horizontal automatic scaling rules of pods. Can be defined with the `autoscaling` setting. +- `httproute` + - Configure routing through Envoy Gateway. Defined with `httproute`. - `ingress` - Rules to open external access to the workload. Can be defined with `ingress`. - `poddisruptionbudget` - Limit the number of concurrent disruptions for the application. Defined with `podDisruptionBudget`. +- `referencegrant` + - Allow cross-namespace references for Envoy Gateway (e.g., HTTPRoute → Gateway). Defined with `referenceGrant`. +- `securitypolicy` + - Configure authentication and authorization with Envoy Gateway. Defined with `securityPolicy`. - `serviceaccount` - Configure a service account for the pods. Defined with `serviceAccount`. - `vpa` diff --git a/parcellab/microservice/templates/httproute.yaml b/parcellab/microservice/templates/httproute.yaml new file mode 100644 index 00000000..e0cd8f4d --- /dev/null 
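Review bot: The `securityPolicy.targetRef.name` example is annotated `# Optional: defaults to release name`, but `_securitypolicy.tpl` defaults it to `include "common.fullname" .`, which is not the release name in general; the comment should read `# Optional: defaults to the chart fullname`. The `referenceGrant` comment ("Automatically allows HTTPRoute and SecurityPolicy from current namespace to reference Gateway and Secret in envoy-gateway namespace") does not describe what the template's defaults produce (an HTTPRoute-to-Service grant in the release namespace); the next patch rewrites it. The `claimToHeaders` example forwards `x-user-email`, `x-user-groups` and `x-user-id` to the backend, which will treat them as authenticated identity, so whether client-supplied copies of those headers are stripped when `jwt.optional` is true should be confirmed and noted beside the example. The microservice and monolith `values.yaml` hunks later in this patch carry the same `targetRef.name` comment.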
+++ b/parcellab/microservice/templates/httproute.yaml
@@ -0,0 +1 @@
+{{ include "common.httproute" . }}
diff --git a/parcellab/microservice/templates/referencegrant.yaml b/parcellab/microservice/templates/referencegrant.yaml
new file mode 100644
index 00000000..d64fae3a
--- /dev/null
+++ b/parcellab/microservice/templates/referencegrant.yaml
@@ -0,0 +1 @@
+{{- include "common.referencegrant" . }}
diff --git a/parcellab/microservice/templates/securitypolicy.yaml b/parcellab/microservice/templates/securitypolicy.yaml
new file mode 100644
index 00000000..c62fbe00
--- /dev/null
+++ b/parcellab/microservice/templates/securitypolicy.yaml
@@ -0,0 +1 @@
+{{- include "common.securitypolicy" . }}
diff --git a/parcellab/microservice/values.yaml b/parcellab/microservice/values.yaml
index 8657c787..dc208c2b 100644
--- a/parcellab/microservice/values.yaml
+++ b/parcellab/microservice/values.yaml
@@ -46,6 +46,87 @@ ingress: # hosts: # - chart-example.local +## +## Envoy Gateway Resources +## + +# HTTPRoute - Configure routing through Envoy Gateway +httproute: + enabled: false + # parentGateway: gateway-api + # parentGatewayNamespace: envoy-gateway + # hosts: + # - myapp.gateway.test.parcellab.dev + # path: / + +# ReferenceGrant - Allow cross-namespace references +referenceGrant: + enabled: false + # name: custom-grant # Optional: custom name + # namespace: envoy-gateway # Optional: where to create the grant (default: current namespace) + # from: # Optional: specify what can reference (default: HTTPRoute from current namespace) + # - group: gateway.networking.k8s.io + # kind: HTTPRoute + # namespace: myapp + # to: # Optional: specify what can be referenced (default: Service) + # - group: "" + # kind: Service + # - group: "" + # kind: Secret + +# SecurityPolicy - OIDC Authentication with Group-Based Authorization +# Example: Employee-Only App +securityPolicy: + enabled: false + # name: employee-only # Optional: custom name + # targetRef: + # kind: HTTPRoute + # name: myapp # Optional: defaults to release name + # oidc: + # provider: + # issuer: "https://auth.test.parcellab.dev/realms/parcellab-internal" + # clientID: "envoy-gateway-client" + # clientSecret: + # name: "keycloak-oidc-secret" + # namespace: "envoy-gateway" + # redirectURL: "https://myapp.gateway.test.parcellab.dev/oauth2/callback" + # logoutPath: "/logout" + # scopes: + # - openid + # - profile + # - email + # cookieDomain: "myapp.gateway.test.parcellab.dev" + # forwardAccessToken: true + # passThroughAuthHeader: true + # jwt: + # optional: false + # providers: + # - name: keycloak + # issuer: "https://auth.test.parcellab.dev/realms/parcellab-internal" + # remoteJWKS: + # uri: "https://auth.test.parcellab.dev/realms/parcellab-internal/protocol/openid-connect/certs" + # cacheDuration: 300s + # claimToHeaders: + # - header: "x-user-email" + # claim: "email" + # - header: "x-user-groups" + # claim: 
"groups" + # - header: "x-user-id" + # claim: "sub" + # authorization: + # defaultAction: Deny + # rules: + # - name: allow-employees + # action: Allow + # principal: + # jwt: + # provider: keycloak + # claims: + # - name: groups + # valueType: StringArray + # values: + # - "/parcellab-employee" + ## ## Cronjob ## diff --git a/parcellab/monolith/Chart.yaml b/parcellab/monolith/Chart.yaml index be349dfb..1de13c65 100644 --- a/parcellab/monolith/Chart.yaml +++ b/parcellab/monolith/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: monolith description: Application that may define multiple services and cronjobs -version: 0.4.0 +version: 0.5.0 dependencies: - name: common version: "*" diff --git a/parcellab/monolith/README.md b/parcellab/monolith/README.md index 678dee32..c44c7789 100644 --- a/parcellab/monolith/README.md +++ b/parcellab/monolith/README.md @@ -31,10 +31,16 @@ needs. Its generated secret's data values will be loaded as environment variables to the target pod. - `hpa` - Horizontal automatic scaling rules of pods. Can be defined with the `autoscaling` setting. +- `httproute` + - Configure routing through Envoy Gateway. Defined with `httproute`. - `ingress` - Rules to open external access to the workload. Can be defined with `ingress`. - `poddisruptionbudget` - Limit the number of concurrent disruptions for the application. Defined with `podDisruptionBudget`. +- `referencegrant` + - Allow cross-namespace references for Envoy Gateway (e.g., HTTPRoute → Gateway). Defined with `referenceGrant`. +- `securitypolicy` + - Configure authentication and authorization with Envoy Gateway. Defined with `securityPolicy`. - `serviceaccount` - Configure a service account for the pods. Defined with `serviceAccount`. - `vpa` diff --git a/parcellab/monolith/templates/httproute.yaml b/parcellab/monolith/templates/httproute.yaml new file mode 100644 index 00000000..e0cd8f4d --- /dev/null +++ b/parcellab/monolith/templates/httproute.yaml 
@@ -0,0 +1 @@
+{{ include "common.httproute" . }}
diff --git a/parcellab/monolith/templates/referencegrant.yaml b/parcellab/monolith/templates/referencegrant.yaml
new file mode 100644
index 00000000..d64fae3a
--- /dev/null
+++ b/parcellab/monolith/templates/referencegrant.yaml
@@ -0,0 +1 @@
+{{- include "common.referencegrant" . }}
diff --git a/parcellab/monolith/templates/securitypolicy.yaml b/parcellab/monolith/templates/securitypolicy.yaml
new file mode 100644
index 00000000..c62fbe00
--- /dev/null
+++ b/parcellab/monolith/templates/securitypolicy.yaml
@@ -0,0 +1 @@
+{{- include "common.securitypolicy" . }}
diff --git a/parcellab/monolith/values.yaml b/parcellab/monolith/values.yaml
index a4e9df5c..3b94e11c 100644
--- a/parcellab/monolith/values.yaml
+++ b/parcellab/monolith/values.yaml
@@ -75,6 +75,87 @@ ingress: # hosts: # - chart-example.local +## +## Envoy Gateway Resources +## + +# HTTPRoute - Configure routing through Envoy Gateway +httproute: + enabled: false + # parentGateway: gateway-api + # parentGatewayNamespace: envoy-gateway + # hosts: + # - myapp.gateway.test.parcellab.dev + # path: / + +# ReferenceGrant - Allow cross-namespace references +referenceGrant: + enabled: false + # name: custom-grant # Optional: custom name + # namespace: envoy-gateway # Optional: where to create the grant (default: current namespace) + # from: # Optional: specify what can reference (default: HTTPRoute from current namespace) + # - group: gateway.networking.k8s.io + # kind: HTTPRoute + # namespace: myapp + # to: # Optional: specify what can be referenced (default: Service) + # - group: "" + # kind: Service + # - group: "" + # kind: Secret + +# SecurityPolicy - OIDC Authentication with Group-Based Authorization +# Example: Employee-Only App +securityPolicy: + enabled: false + # name: employee-only # Optional: custom name + # targetRef: + # kind: HTTPRoute + # name: myapp # Optional: defaults to release name + # oidc: + # provider: + # issuer: "https://auth.test.parcellab.dev/realms/parcellab-internal" + # clientID: "envoy-gateway-client" + # clientSecret: + # name: "keycloak-oidc-secret" + # namespace: "envoy-gateway" + # redirectURL: "https://myapp.gateway.test.parcellab.dev/oauth2/callback" + # logoutPath: "/logout" + # scopes: + # - openid + # - profile + # - email + # cookieDomain: "myapp.gateway.test.parcellab.dev" + # forwardAccessToken: true + # passThroughAuthHeader: true + # jwt: + # optional: false + # providers: + # - name: keycloak + # issuer: "https://auth.test.parcellab.dev/realms/parcellab-internal" + # remoteJWKS: + # uri: "https://auth.test.parcellab.dev/realms/parcellab-internal/protocol/openid-connect/certs" + # cacheDuration: 300s + # claimToHeaders: + # - header: "x-user-email" + # claim: "email" + # - header: "x-user-groups" + # claim: 
"groups" + # - header: "x-user-id" + # claim: "sub" + # authorization: + # defaultAction: Deny + # rules: + # - name: allow-employees + # action: Allow + # principal: + # jwt: + # provider: keycloak + # claims: + # - name: groups + # valueType: StringArray + # values: + # - "/parcellab-employee" + ## ## Cronjob ## diff --git a/parcellab/worker-group/Chart.yaml b/parcellab/worker-group/Chart.yaml index 533d6ede..da9c5926 100644 --- a/parcellab/worker-group/Chart.yaml +++ b/parcellab/worker-group/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: worker-group description: Set of workers that do not expose a service -version: 0.3.1 +version: 0.3.2 dependencies: - name: common version: "*" From 96d39ebe7b6c9c106ac2f11baf7f027c891c16be Mon Sep 17 00:00:00 2001 From: Jose Manuel Palomares Date: Tue, 23 Dec 2025 10:03:17 +0100 Subject: [PATCH 2/4] feat: inf-3308 adapt charts to support Envoy Gateway --- parcellab/common/templates/_httproute.tpl | 6 ++++-- parcellab/common/templates/_referencegrant.tpl | 10 +++++----- parcellab/common/templates/_securitypolicy.tpl | 9 +++++---- parcellab/common/values.yaml | 13 +++++++++++-- 4 files changed, 25 insertions(+), 13 deletions(-) diff --git a/parcellab/common/templates/_httproute.tpl b/parcellab/common/templates/_httproute.tpl index 4f7d465c..3769fe0f 100644 --- a/parcellab/common/templates/_httproute.tpl +++ b/parcellab/common/templates/_httproute.tpl @@ -20,12 +20,14 @@ metadata: {{- include "common.labels" . | nindent 4 }} spec: parentRefs: - - name: {{ $httproute.parentGateway }} + - name: {{ required "httproute.parentGateway is required" $httproute.parentGateway }} namespace: {{ $httproute.parentGatewayNamespace | default "envoy-gateway" }} + {{- with $httproute.hosts }} hostnames: - {{- range $httproute.hosts }} + {{- range . }} - {{ . | quote }} {{- end }} + {{- end }} rules: - matches: - path: 
diff --git a/parcellab/common/templates/_referencegrant.tpl b/parcellab/common/templates/_referencegrant.tpl index e9bbd27d..84960137 100644 --- a/parcellab/common/templates/_referencegrant.tpl +++ b/parcellab/common/templates/_referencegrant.tpl @@ -28,9 +28,9 @@ spec: from: {{- if $referenceGrant.from }} {{- range $referenceGrant.from }} - - group: {{ .group | quote }} - kind: {{ .kind | quote }} - namespace: {{ .namespace | quote }} + - group: {{ .group | default "gateway.networking.k8s.io" | quote }} + kind: {{ required "referenceGrant.from.kind is required" .kind | quote }} + namespace: {{ .namespace | default $.Release.Namespace | quote }} {{- with .name }} name: {{ . | quote }} {{- end }} @@ -43,8 +43,8 @@ spec: to: {{- if $referenceGrant.to }} {{- range $referenceGrant.to }} - - group: {{ .group | quote }} - kind: {{ .kind | quote }} + - group: {{ .group | default "" | quote }} + kind: {{ required "referenceGrant.to.kind is required" .kind | quote }} {{- with .name }} name: {{ . | quote }} {{- end }} diff --git a/parcellab/common/templates/_securitypolicy.tpl b/parcellab/common/templates/_securitypolicy.tpl index 3f7d9923..6d398536 100644 --- a/parcellab/common/templates/_securitypolicy.tpl +++ b/parcellab/common/templates/_securitypolicy.tpl @@ -12,6 +12,7 @@ {{- $securityPolicy := .Values.securityPolicy | default dict -}} {{- if $securityPolicy.enabled }} {{- $name := include "common.fullname" . }} +{{- $targetRef := $securityPolicy.targetRef | default dict -}} --- apiVersion: gateway.envoyproxy.io/v1alpha1 kind: SecurityPolicy 
@@ -26,10 +27,10 @@ metadata: {{- end }} spec: targetRef: - group: {{ $securityPolicy.targetRef.group | default "gateway.networking.k8s.io" }} - kind: {{ $securityPolicy.targetRef.kind | default "HTTPRoute" }} - name: {{ $securityPolicy.targetRef.name | default $name }} - {{- with $securityPolicy.targetRef.namespace }} + group: {{ $targetRef.group | default "gateway.networking.k8s.io" }} + kind: {{ $targetRef.kind | default "HTTPRoute" }} + name: {{ $targetRef.name | default $name }} + {{- with $targetRef.namespace }} namespace: {{ . }} {{- end }} {{- if $securityPolicy.oidc }} diff --git a/parcellab/common/values.yaml b/parcellab/common/values.yaml index ee333bd0..c19c10ed 100644 --- a/parcellab/common/values.yaml +++ b/parcellab/common/values.yaml @@ -40,8 +40,17 @@ httproute: # ReferenceGrant - Allow cross-namespace references referenceGrant: enabled: false - # Automatically allows HTTPRoute and SecurityPolicy from current namespace - # to reference Gateway and Secret in envoy-gateway namespace + # name: custom-grant # Optional: custom name + # namespace: envoy-gateway # Optional: where to create the grant (default: current namespace) + # from: # Optional: specify what can reference (default: HTTPRoute from current namespace) + # - group: gateway.networking.k8s.io + # kind: HTTPRoute + # namespace: myapp + # to: # Optional: specify what can be referenced (default: Service) + # - group: "" + # kind: Service + # - group: "" + # kind: Secret # SecurityPolicy - OIDC Authentication with Group-Based Authorization # Example: Employee-Only App From 9f2f436de62d285bd650bf15b698160c3a9dad08 Mon Sep 17 00:00:00 2001 
From: Jose Manuel Palomares
Date: Tue, 23 Dec 2025 10:12:12 +0100
Subject: [PATCH 3/4] feat: inf-3308 adapt charts to support Envoy Gateway
---
 parcellab/microservice/templates/httproute.yaml | 4 ++++
 parcellab/microservice/templates/referencegrant.yaml | 4 ++++
 parcellab/microservice/templates/securitypolicy.yaml | 4 ++++
 parcellab/monolith/templates/httproute.yaml | 4 ++++
 parcellab/monolith/templates/referencegrant.yaml | 4 ++++
 parcellab/monolith/templates/securitypolicy.yaml | 4 ++++
 6 files changed, 24 insertions(+)
diff --git a/parcellab/microservice/templates/httproute.yaml b/parcellab/microservice/templates/httproute.yaml
index e0cd8f4d..579f4a86 100644
--- a/parcellab/microservice/templates/httproute.yaml
+++ b/parcellab/microservice/templates/httproute.yaml
@@ -1 +1,5 @@
+{{- if .Values.httproute }}
+{{- if .Values.httproute.enabled }}
 {{ include "common.httproute" . }}
+{{- end }}
+{{- end }}
diff --git a/parcellab/microservice/templates/referencegrant.yaml b/parcellab/microservice/templates/referencegrant.yaml
index d64fae3a..45c9b4bb 100644
--- a/parcellab/microservice/templates/referencegrant.yaml
+++ b/parcellab/microservice/templates/referencegrant.yaml
@@ -1 +1,5 @@
+{{- if .Values.referenceGrant }}
+{{- if .Values.referenceGrant.enabled }}
 {{- include "common.referencegrant" . }}
+{{- end }}
+{{- end }}
diff --git a/parcellab/microservice/templates/securitypolicy.yaml b/parcellab/microservice/templates/securitypolicy.yaml
index c62fbe00..90b407f0 100644
--- a/parcellab/microservice/templates/securitypolicy.yaml
+++ b/parcellab/microservice/templates/securitypolicy.yaml
@@ -1 +1,5 @@
+{{- if .Values.securityPolicy }}
+{{- if .Values.securityPolicy.enabled }}
 {{- include "common.securitypolicy" . }}
+{{- end }}
+{{- end }}
diff --git a/parcellab/monolith/templates/httproute.yaml b/parcellab/monolith/templates/httproute.yaml
index e0cd8f4d..579f4a86 100644
--- a/parcellab/monolith/templates/httproute.yaml
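Review bot: The new `if` pairs re-implement a guard that `common.httproute`, `common.referencegrant` and `common.securitypolicy` already apply (`| default dict` followed by `{{- if $x.enabled }}`), so they add no protection and create a second place where the values key must be kept in sync with the common template; either drop them or put a comment above the outer `if` saying why it exists. The `httproute.yaml` include is written `{{ include ... }}` while the other two use `{{- include ... }}`, so the rendered HTTPRoute manifest starts with a blank line the others do not have; use `{{-` in all three. The three monolith templates in the next hunks share both points.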
+++ b/parcellab/monolith/templates/httproute.yaml
@@ -1 +1,5 @@
+{{- if .Values.httproute }}
+{{- if .Values.httproute.enabled }}
 {{ include "common.httproute" . }}
+{{- end }}
+{{- end }}
diff --git a/parcellab/monolith/templates/referencegrant.yaml b/parcellab/monolith/templates/referencegrant.yaml
index d64fae3a..45c9b4bb 100644
--- a/parcellab/monolith/templates/referencegrant.yaml
+++ b/parcellab/monolith/templates/referencegrant.yaml
@@ -1 +1,5 @@
+{{- if .Values.referenceGrant }}
+{{- if .Values.referenceGrant.enabled }}
 {{- include "common.referencegrant" . }}
+{{- end }}
+{{- end }}
diff --git a/parcellab/monolith/templates/securitypolicy.yaml b/parcellab/monolith/templates/securitypolicy.yaml
index c62fbe00..90b407f0 100644
--- a/parcellab/monolith/templates/securitypolicy.yaml
+++ b/parcellab/monolith/templates/securitypolicy.yaml
@@ -1 +1,5 @@
+{{- if .Values.securityPolicy }}
+{{- if .Values.securityPolicy.enabled }}
 {{- include "common.securitypolicy" . }}
+{{- end }}
+{{- end }}
From 69214205fcd4a38dcd127f6674df49c1587866f5 Mon Sep 17 00:00:00 2001
From: Jose Manuel Palomares Date: Wed, 24 Dec 2025 14:27:00 +0100 Subject: [PATCH 4/4] feat: inf-3308 adapt charts to support Envoy Gateway --- parcellab/common/templates/_httproute.tpl | 3 +- .../common/templates/_referencegrant.tpl | 3 +- parcellab/common/templates/_routing.tpl | 3 +- .../common/templates/_securitypolicy.tpl | 190 ------------------ parcellab/common/values.yaml | 100 +++------ parcellab/microservice/README.md | 8 +- .../microservice/templates/httproute.yaml | 6 +- .../templates/referencegrant.yaml | 4 - .../templates/securitypolicy.yaml | 5 - parcellab/microservice/values.yaml | 98 ++------- parcellab/monolith/README.md | 8 +- parcellab/monolith/templates/httproute.yaml | 6 +- .../monolith/templates/referencegrant.yaml | 4 - .../monolith/templates/securitypolicy.yaml | 5 - parcellab/monolith/values.yaml | 98 ++------- 15 files changed, 82 insertions(+), 459 deletions(-) delete mode 100644 parcellab/common/templates/_securitypolicy.tpl delete mode 100644 parcellab/microservice/templates/securitypolicy.yaml delete mode 100644 parcellab/monolith/templates/securitypolicy.yaml diff --git a/parcellab/common/templates/_httproute.tpl b/parcellab/common/templates/_httproute.tpl index 3769fe0f..4c4f758f 100644 --- a/parcellab/common/templates/_httproute.tpl +++ b/parcellab/common/templates/_httproute.tpl @@ -8,7 +8,8 @@ */}} {{- define "common.httproute" -}} -{{- $httproute := .Values.httproute | default dict -}} +{{- $envoy := .Values.envoy | default dict -}} +{{- $httproute := $envoy.httpRoute | default dict -}} {{- if $httproute.enabled }} {{- $name := include "common.fullname" . }} apiVersion: gateway.networking.k8s.io/v1 diff --git a/parcellab/common/templates/_referencegrant.tpl b/parcellab/common/templates/_referencegrant.tpl index 84960137..8072bc67 100644 --- a/parcellab/common/templates/_referencegrant.tpl +++ b/parcellab/common/templates/_referencegrant.tpl 
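Review bot: Moving the values key from `httproute` to `envoy.httpRoute` (and `referenceGrant` to `envoy.referenceGrant` in the next two hunks) has no fallback or guard, so a values file written against the layout this series introduced in its first patch keeps `httproute.enabled: true` and silently gets no HTTPRoute, because `$envoy.httpRoute | default dict` reads `enabled` as empty; if any release has consumed the earlier layout, a `{{- if .Values.httproute }}{{ fail "httproute has moved to envoy.httpRoute" }}{{- end }}` guard turns the silent drop into an install-time error. The per-chart `templates/httproute.yaml` wrappers from the previous patch test `.Values.httproute`; the diffstat shows them changing in this patch but those hunks are not visible here, so confirm they now test the `envoy.httpRoute` key. The define body continues outside the hunk.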
@@ -9,7 +9,8 @@ */}}
 {{- define "common.referencegrant" -}}
-{{- $referenceGrant := .Values.referenceGrant | default dict -}}
+{{- $envoy := .Values.envoy | default dict -}}
+{{- $referenceGrant := $envoy.referenceGrant | default dict -}}
 {{- if $referenceGrant.enabled }}
 {{- $name := include "common.fullname" . }}
 ---
diff --git a/parcellab/common/templates/_routing.tpl b/parcellab/common/templates/_routing.tpl
index d71941a0..b89cc803 100644
--- a/parcellab/common/templates/_routing.tpl
+++ b/parcellab/common/templates/_routing.tpl
@@ -1,5 +1,6 @@
 {{- define "common.routing" -}}
-{{- $httproute := .Values.httproute | default dict -}}
+{{- $envoy := .Values.envoy | default dict -}}
+{{- $httproute := $envoy.httpRoute | default dict -}}
 {{- $ingress := .Values.ingress | default dict -}}
 {{- if $httproute.enabled }}
diff --git a/parcellab/common/templates/_securitypolicy.tpl b/parcellab/common/templates/_securitypolicy.tpl
deleted file mode 100644
index 6d398536..00000000
--- a/parcellab/common/templates/_securitypolicy.tpl
+++ /dev/null
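Review bot: The `| default dict` lookups make the move from top-level `httproute`/`referenceGrant` to `envoy.*` silent, and together with the deletion of the SecurityPolicy template this has a security consequence: a values file that still sets `securityPolicy.enabled: true` (accepted until this commit) is now ignored without any error, so a route that was OIDC/JWT-protected is published through `common.routing` unauthenticated after the upgrade, and a stale `httproute:` block simply drops the HTTPRoute. Since this helper is the dispatch point for Envoy routing, fail fast on the legacy keys here: `{{- range list "httproute" "referenceGrant" "securityPolicy" }}{{- if hasKey $.Values . }}{{ fail (printf "values key %q is no longer supported; use envoy.* (SecurityPolicy is no longer rendered by this chart)" .) }}{{ end }}{{ end }}`. The same check also turns the `referenceGrant` move in the hunk above into an install-time error instead of a vanished grant. `common.routing` continues past the end of the hunk.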
@@ -1,190 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* - Common SecurityPolicy definition: - {{ include "common.securitypolicy" ( - dict - "Values" "the values scope" - "Release" .Release - ) }} -*/}} - -{{- define "common.securitypolicy" -}} -{{- $securityPolicy := .Values.securityPolicy | default dict -}} -{{- if $securityPolicy.enabled }} -{{- $name := include "common.fullname" . }} -{{- $targetRef := $securityPolicy.targetRef | default dict -}} ---- -apiVersion: gateway.envoyproxy.io/v1alpha1 -kind: SecurityPolicy -metadata: - name: {{ $securityPolicy.name | default (printf "%s-security" $name) }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "common.labels" . | nindent 4 }} - {{- with $securityPolicy.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - targetRef: - group: {{ $targetRef.group | default "gateway.networking.k8s.io" }} - kind: {{ $targetRef.kind | default "HTTPRoute" }} - name: {{ $targetRef.name | default $name }} - {{- with $targetRef.namespace }} - namespace: {{ . }} - {{- end }} - {{- if $securityPolicy.oidc }} - oidc: - provider: - issuer: {{ required "securityPolicy.oidc.provider.issuer is required" $securityPolicy.oidc.provider.issuer | quote }} - {{- with $securityPolicy.oidc.provider.authorizationEndpoint }} - authorizationEndpoint: {{ . | quote }} - {{- end }} - {{- with $securityPolicy.oidc.provider.tokenEndpoint }} - tokenEndpoint: {{ . | quote }} - {{- end }} - clientID: {{ required "securityPolicy.oidc.clientID is required" $securityPolicy.oidc.clientID | quote }} - clientSecret: - {{- if $securityPolicy.oidc.clientSecret }} - name: {{ $securityPolicy.oidc.clientSecret.name | quote }} - {{- with $securityPolicy.oidc.clientSecret.namespace }} - namespace: {{ . 
| quote }} - {{- end }} - {{- else }} - name: "keycloak-oidc-secret" - {{- end }} - redirectURL: {{ required "securityPolicy.oidc.redirectURL is required" $securityPolicy.oidc.redirectURL | quote }} - {{- with $securityPolicy.oidc.logoutPath }} - logoutPath: {{ . | quote }} - {{- end }} - {{- if $securityPolicy.oidc.scopes }} - scopes: - {{- toYaml $securityPolicy.oidc.scopes | nindent 6 }} - {{- else }} - scopes: - - openid - - profile - - email - {{- end }} - {{- with $securityPolicy.oidc.cookieDomain }} - cookieDomain: {{ . | quote }} - {{- end }} - {{- with $securityPolicy.oidc.cookieNames }} - cookieNames: - {{- toYaml . | nindent 6 }} - {{- end }} - {{- if hasKey $securityPolicy.oidc "forwardAccessToken" }} - forwardAccessToken: {{ $securityPolicy.oidc.forwardAccessToken }} - {{- end }} - {{- if hasKey $securityPolicy.oidc "passThroughAuthHeader" }} - passThroughAuthHeader: {{ $securityPolicy.oidc.passThroughAuthHeader }} - {{- end }} - {{- with $securityPolicy.oidc.refreshToken }} - refreshToken: {{ . }} - {{- end }} - {{- end }} - {{- if $securityPolicy.jwt }} - jwt: - {{- if hasKey $securityPolicy.jwt "optional" }} - optional: {{ $securityPolicy.jwt.optional }} - {{- end }} - providers: - {{- range $securityPolicy.jwt.providers }} - - name: {{ .name | quote }} - issuer: {{ .issuer | quote }} - {{- with .audiences }} - audiences: - {{- toYaml . | nindent 10 }} - {{- end }} - {{- if .remoteJWKS }} - remoteJWKS: - uri: {{ .remoteJWKS.uri | quote }} - {{- with .remoteJWKS.cacheDuration }} - cacheDuration: {{ . }} - {{- end }} - {{- end }} - {{- if .claimToHeaders }} - claimToHeaders: - {{- range .claimToHeaders }} - - header: {{ .header | quote }} - claim: {{ .claim | quote }} - {{- end }} - {{- end }} - {{- with .extractFrom }} - extractFrom: - {{- toYaml . 
| nindent 10 }} - {{- end }} - {{- end }} - {{- end }} - {{- if $securityPolicy.basicAuth }} - basicAuth: - users: - name: {{ $securityPolicy.basicAuth.users.name | quote }} - {{- with $securityPolicy.basicAuth.users.namespace }} - namespace: {{ . | quote }} - {{- end }} - {{- end }} - {{- if $securityPolicy.authorization }} - authorization: - defaultAction: {{ $securityPolicy.authorization.defaultAction | default "Deny" }} - {{- if $securityPolicy.authorization.rules }} - rules: - {{- range $securityPolicy.authorization.rules }} - - name: {{ .name | quote }} - action: {{ .action | default "Allow" }} - {{- if .principal }} - principal: - {{- if .principal.clientCIDRs }} - clientCIDRs: - {{- toYaml .principal.clientCIDRs | nindent 12 }} - {{- end }} - {{- if .principal.jwt }} - jwt: - provider: {{ .principal.jwt.provider | quote }} - {{- if .principal.jwt.scopes }} - scopes: - {{- toYaml .principal.jwt.scopes | nindent 14 }} - {{- end }} - {{- if .principal.jwt.claims }} - claims: - {{- range .principal.jwt.claims }} - - name: {{ .name | quote }} - {{- with .valueType }} - valueType: {{ . }} - {{- end }} - {{- if .values }} - values: - {{- toYaml .values | nindent 18 }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- if $securityPolicy.cors }} - cors: - allowOrigins: - {{- toYaml $securityPolicy.cors.allowOrigins | nindent 6 }} - {{- with $securityPolicy.cors.allowMethods }} - allowMethods: - {{- toYaml . | nindent 6 }} - {{- end }} - {{- with $securityPolicy.cors.allowHeaders }} - allowHeaders: - {{- toYaml . | nindent 6 }} - {{- end }} - {{- with $securityPolicy.cors.exposeHeaders }} - exposeHeaders: - {{- toYaml . | nindent 6 }} - {{- end }} - {{- if hasKey $securityPolicy.cors "allowCredentials" }} - allowCredentials: {{ $securityPolicy.cors.allowCredentials }} - {{- end }} - {{- with $securityPolicy.cors.maxAge }} - maxAge: {{ . }} - {{- end }} - {{- end }} -{{- end }} -{{- end -}} 
diff --git a/parcellab/common/values.yaml b/parcellab/common/values.yaml
index 54c13dcb..e5382eae 100644
--- a/parcellab/common/values.yaml
+++ b/parcellab/common/values.yaml
@@ -28,82 +28,34 @@ ingress: ## Envoy Gateway Resources ## -# HTTPRoute - Configure routing through Envoy Gateway -httproute: - enabled: false - # parentGateway: gateway-api - # parentGatewayNamespace: envoy-gateway - # hosts: - # - myapp.gateway.test.parcellab.dev - # path: / +# Configure Envoy Gateway resources under a single parent: +# +# envoy: +# httpRoute: {...} +# referenceGrant: {...} -# ReferenceGrant - Allow cross-namespace references -referenceGrant: - enabled: false - # name: custom-grant # Optional: custom name - # namespace: envoy-gateway # Optional: where to create the grant (default: current namespace) - # from: # Optional: specify what can reference (default: HTTPRoute from current namespace) - # - group: gateway.networking.k8s.io - # kind: HTTPRoute - # namespace: myapp - # to: # Optional: specify what can be referenced (default: Service) - # - group: "" - # kind: Service - # - group: "" - # kind: Secret +envoy: + httpRoute: + enabled: false + # parentGateway: gateway-api + # parentGatewayNamespace: envoy-gateway + # hosts: + # - myapp.gateway.test.parcellab.dev + # path: / -# SecurityPolicy - OIDC Authentication with Group-Based Authorization -# Example: Employee-Only App -securityPolicy: - enabled: false - # name: employee-only # Optional: custom name - # targetRef: - # kind: HTTPRoute - # name: myapp # Optional: defaults to release name - # oidc: - # provider: - # issuer: "https://auth.test.parcellab.dev/realms/parcellab-internal" - # clientID: "envoy-gateway-client" - # clientSecret: - # name: "keycloak-oidc-secret" - # namespace: "envoy-gateway" - # redirectURL: "https://myapp.gateway.test.parcellab.dev/oauth2/callback" - # logoutPath: "/logout" - # scopes: - # - openid - # - profile - # - email - # cookieDomain: "myapp.gateway.test.parcellab.dev" - # forwardAccessToken: true - # passThroughAuthHeader: true - # jwt: - # optional: false - # providers: - # - name: keycloak - # issuer: "https://auth.test.parcellab.dev/realms/parcellab-internal" 
- # remoteJWKS: - # uri: "https://auth.test.parcellab.dev/realms/parcellab-internal/protocol/openid-connect/certs" - # cacheDuration: 300s - # claimToHeaders: - # - header: "x-user-email" - # claim: "email" - # - header: "x-user-groups" - # claim: "groups" - # - header: "x-user-id" - # claim: "sub" - # authorization: - # defaultAction: Deny - # rules: - # - name: allow-employees - # action: Allow - # principal: - # jwt: - # provider: keycloak - # claims: - # - name: groups - # valueType: StringArray - # values: - # - "/parcellab-employee" + referenceGrant: + enabled: false + # name: custom-grant # Optional: custom name + # namespace: envoy-gateway # Optional: where to create the grant (default: current namespace) + # from: # Optional: specify what can reference (default: HTTPRoute from current namespace) + # - group: gateway.networking.k8s.io + # kind: HTTPRoute + # namespace: myapp + # to: # Optional: specify what can be referenced (default: Service) + # - group: "" + # kind: Service + # - group: "" + # kind: Secret name: common terminationGracePeriodSeconds: 30 diff --git a/parcellab/microservice/README.md b/parcellab/microservice/README.md index 01136f96..a53956d8 100644 --- a/parcellab/microservice/README.md +++ b/parcellab/microservice/README.md 
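Review bot: The new `envoy:` comment block does not tell operators what disappeared with the `securityPolicy` example it replaces: with the SecurityPolicy template deleted in this commit, setting `envoy.httpRoute.enabled: true` publishes the Service on the Gateway with no authentication, authorization or CORS policy managed by the chart, whereas the removed example showed a deny-by-default, employee-only setup. Add a line under `# Configure Envoy Gateway resources under a single parent:` such as `# NOTE: the chart no longer renders a SecurityPolicy; any authn/authz for the route must be attached to the HTTPRoute or Gateway outside this chart, otherwise the route is public.` so the exposure is a deliberate choice rather than an upgrade side effect. This hunk covers the whole `## Envoy Gateway Resources` section down to `name: common`.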
@@ -31,16 +31,12 @@ needs. Its generated secret's data values will be loaded as environment variables to the target pod. - `hpa` - Horizontal automatic scaling rules of pods. Can be defined with the `autoscaling` setting. -- `httproute` - - Configure routing through Envoy Gateway. Defined with `httproute`. +- `envoy` + - Envoy Gateway resources (HTTPRoute, ReferenceGrant). Defined under `envoy.*`. - `ingress` - Rules to open external access to the workload. Can be defined with `ingress`. - `poddisruptionbudget` - Limit the number of concurrent disruptions for the application. Defined with `podDisruptionBudget`. -- `referencegrant` - - Allow cross-namespace references for Envoy Gateway (e.g., HTTPRoute → Gateway). Defined with `referenceGrant`. -- `securitypolicy` - - Configure authentication and authorization with Envoy Gateway. Defined with `securityPolicy`. - `serviceaccount` - Configure a service account for the pods. Defined with `serviceAccount`. - `vpa`
diff --git a/parcellab/microservice/templates/httproute.yaml b/parcellab/microservice/templates/httproute.yaml
index 579f4a86..56066a75 100644
--- a/parcellab/microservice/templates/httproute.yaml
+++ b/parcellab/microservice/templates/httproute.yaml
@@ -1,5 +1 @@
-{{- if .Values.httproute }}
-{{- if .Values.httproute.enabled }}
-{{ include "common.httproute" . }}
-{{- end }}
-{{- end }}
+{{- include "common.httproute" . }}
diff --git a/parcellab/microservice/templates/referencegrant.yaml b/parcellab/microservice/templates/referencegrant.yaml
index 45c9b4bb..d64fae3a 100644
--- a/parcellab/microservice/templates/referencegrant.yaml
+++ b/parcellab/microservice/templates/referencegrant.yaml
@@ -1,5 +1 @@
-{{- if .Values.referenceGrant }}
-{{- if .Values.referenceGrant.enabled }}
 {{- include "common.referencegrant" . }}
-{{- end }}
-{{- end }}
diff --git a/parcellab/microservice/templates/securitypolicy.yaml b/parcellab/microservice/templates/securitypolicy.yaml
deleted file mode 100644
index 90b407f0..00000000
--- a/parcellab/microservice/templates/securitypolicy.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-{{- if .Values.securityPolicy }}
-{{- if .Values.securityPolicy.enabled }}
-{{- include "common.securitypolicy" . }}
-{{- end }}
-{{- end }}
diff --git a/parcellab/microservice/values.yaml b/parcellab/microservice/values.yaml
index ed31e0a1..61272323 100644
--- a/parcellab/microservice/values.yaml
+++ b/parcellab/microservice/values.yaml
@@ -50,82 +50,28 @@ ingress: ## Envoy Gateway Resources ## -# HTTPRoute - Configure routing through Envoy Gateway -httproute: - enabled: false - # parentGateway: gateway-api - # parentGatewayNamespace: envoy-gateway - # hosts: - # - myapp.gateway.test.parcellab.dev - # path: / - -# ReferenceGrant - Allow cross-namespace references -referenceGrant: - enabled: false - # name: custom-grant # Optional: custom name - # namespace: envoy-gateway # Optional: where to create the grant (default: current namespace) - # from: # Optional: specify what can reference (default: HTTPRoute from current namespace) - # - group: gateway.networking.k8s.io - # kind: HTTPRoute - # namespace: myapp - # to: # Optional: specify what can be referenced (default: Service) - # - group: "" - # kind: Service - # - group: "" - # kind: Secret - -# SecurityPolicy - OIDC Authentication with Group-Based Authorization -# Example: Employee-Only App -securityPolicy: - enabled: false - # name: employee-only # Optional: custom name - # targetRef: - # kind: HTTPRoute - # name: myapp # Optional: defaults to release name - # oidc: - # provider: - # issuer: "https://auth.test.parcellab.dev/realms/parcellab-internal" - # clientID: "envoy-gateway-client" - # clientSecret: - # name: "keycloak-oidc-secret" - # namespace: "envoy-gateway" - # redirectURL: "https://myapp.gateway.test.parcellab.dev/oauth2/callback" - # logoutPath: "/logout" - # scopes: - # - openid - # - profile - # - email - # cookieDomain: "myapp.gateway.test.parcellab.dev" - # forwardAccessToken: true - # passThroughAuthHeader: true - # jwt: - # optional: false - # providers: - # - name: keycloak - # issuer: "https://auth.test.parcellab.dev/realms/parcellab-internal" - # remoteJWKS: - # uri: "https://auth.test.parcellab.dev/realms/parcellab-internal/protocol/openid-connect/certs" - # cacheDuration: 300s - # claimToHeaders: - # - header: "x-user-email" - # claim: "email" - # - header: "x-user-groups" - # claim: "groups" - # - header: "x-user-id" - # 
claim: "sub" - # authorization: - # defaultAction: Deny - # rules: - # - name: allow-employees - # action: Allow - # principal: - # jwt: - # provider: keycloak - # claims: - # - name: groups - # valueType: StringArray - # values: - # - "/parcellab-employee" +envoy: + httpRoute: + enabled: false + # parentGateway: gateway-api + # parentGatewayNamespace: envoy-gateway + # hosts: + # - myapp.gateway.test.parcellab.dev + # path: / + + referenceGrant: + enabled: false + # name: custom-grant # Optional: custom name + # namespace: envoy-gateway # Optional: where to create the grant (default: current namespace) + # from: # Optional: specify what can reference (default: HTTPRoute from current namespace) + # - group: gateway.networking.k8s.io + # kind: HTTPRoute + # namespace: myapp + # to: # Optional: specify what can be referenced (default: Service) + # - group: "" + # kind: Service + # - group: "" + # kind: Secret ## ## Cronjob diff --git a/parcellab/monolith/README.md b/parcellab/monolith/README.md index c44c7789..f9e27133 100644 --- a/parcellab/monolith/README.md +++ b/parcellab/monolith/README.md 
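Review bot: The `to:` example under `envoy.referenceGrant` still lists `kind: Secret` alongside a `from:` of `HTTPRoute`, but no HTTPRoute field references a Secret; the entry looks like a leftover from the SecurityPolicy support removed in this commit, where a cross-namespace OIDC `clientSecret` in `envoy-gateway` genuinely needed a grant to Secret, with `SecurityPolicy` (not `HTTPRoute`) as the `from:` kind. As written it invites copying a grant broader than the reference it is meant to allow: whatever `from:` kind ends up listed becomes entitled to consume Secrets in the grant's namespace. Either trim the example to the documented default, `# to:` / `#   - group: ""` / `#     kind: Service`, or spell out the exact `from:` kind that is supposed to read the Secret.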
@@ -31,16 +31,12 @@ needs. Its generated secret's data values will be loaded as environment variables to the target pod. - `hpa` - Horizontal automatic scaling rules of pods. Can be defined with the `autoscaling` setting. -- `httproute` - - Configure routing through Envoy Gateway. Defined with `httproute`. +- `envoy` + - Envoy Gateway resources (HTTPRoute, ReferenceGrant). Defined under `envoy.*`. - `ingress` - Rules to open external access to the workload. Can be defined with `ingress`. - `poddisruptionbudget` - Limit the number of concurrent disruptions for the application. Defined with `podDisruptionBudget`. -- `referencegrant` - - Allow cross-namespace references for Envoy Gateway (e.g., HTTPRoute → Gateway). Defined with `referenceGrant`. -- `securitypolicy` - - Configure authentication and authorization with Envoy Gateway. Defined with `securityPolicy`. - `serviceaccount` - Configure a service account for the pods. Defined with `serviceAccount`. - `vpa`
diff --git a/parcellab/monolith/templates/httproute.yaml b/parcellab/monolith/templates/httproute.yaml
index 579f4a86..56066a75 100644
--- a/parcellab/monolith/templates/httproute.yaml
+++ b/parcellab/monolith/templates/httproute.yaml
@@ -1,5 +1 @@
-{{- if .Values.httproute }}
-{{- if .Values.httproute.enabled }}
-{{ include "common.httproute" . }}
-{{- end }}
-{{- end }}
+{{- include "common.httproute" . }}
diff --git a/parcellab/monolith/templates/referencegrant.yaml b/parcellab/monolith/templates/referencegrant.yaml
index 45c9b4bb..d64fae3a 100644
--- a/parcellab/monolith/templates/referencegrant.yaml
+++ b/parcellab/monolith/templates/referencegrant.yaml
@@ -1,5 +1 @@
-{{- if .Values.referenceGrant }}
-{{- if .Values.referenceGrant.enabled }}
 {{- include "common.referencegrant" . }}
-{{- end }}
-{{- end }}
diff --git a/parcellab/monolith/templates/securitypolicy.yaml b/parcellab/monolith/templates/securitypolicy.yaml
deleted file mode 100644
index 90b407f0..00000000
--- a/parcellab/monolith/templates/securitypolicy.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-{{- if .Values.securityPolicy }}
-{{- if .Values.securityPolicy.enabled }}
-{{- include "common.securitypolicy" . }}
-{{- end }}
-{{- end }}
diff --git a/parcellab/monolith/values.yaml b/parcellab/monolith/values.yaml
index df069ddb..253c8d36 100644
--- a/parcellab/monolith/values.yaml
+++ b/parcellab/monolith/values.yaml
@@ -79,82 +79,28 @@ ingress: ## Envoy Gateway Resources ## -# HTTPRoute - Configure routing through Envoy Gateway -httproute: - enabled: false - # parentGateway: gateway-api - # parentGatewayNamespace: envoy-gateway - # hosts: - # - myapp.gateway.test.parcellab.dev - # path: / - -# ReferenceGrant - Allow cross-namespace references -referenceGrant: - enabled: false - # name: custom-grant # Optional: custom name - # namespace: envoy-gateway # Optional: where to create the grant (default: current namespace) - # from: # Optional: specify what can reference (default: HTTPRoute from current namespace) - # - group: gateway.networking.k8s.io - # kind: HTTPRoute - # namespace: myapp - # to: # Optional: specify what can be referenced (default: Service) - # - group: "" - # kind: Service - # - group: "" - # kind: Secret - -# SecurityPolicy - OIDC Authentication with Group-Based Authorization -# Example: Employee-Only App -securityPolicy: - enabled: false - # name: employee-only # Optional: custom name - # targetRef: - # kind: HTTPRoute - # name: myapp # Optional: defaults to release name - # oidc: - # provider: - # issuer: "https://auth.test.parcellab.dev/realms/parcellab-internal" - # clientID: "envoy-gateway-client" - # clientSecret: - # name: "keycloak-oidc-secret" - # namespace: "envoy-gateway" - # redirectURL: "https://myapp.gateway.test.parcellab.dev/oauth2/callback" - # logoutPath: "/logout" - # scopes: - # - openid - # - profile - # - email - # cookieDomain: "myapp.gateway.test.parcellab.dev" - # forwardAccessToken: true - # passThroughAuthHeader: true - # jwt: - # optional: false - # providers: - # - name: keycloak - # issuer: "https://auth.test.parcellab.dev/realms/parcellab-internal" - # remoteJWKS: - # uri: "https://auth.test.parcellab.dev/realms/parcellab-internal/protocol/openid-connect/certs" - # cacheDuration: 300s - # claimToHeaders: - # - header: "x-user-email" - # claim: "email" - # - header: "x-user-groups" - # claim: "groups" - # - header: "x-user-id" - # 
claim: "sub" - # authorization: - # defaultAction: Deny - # rules: - # - name: allow-employees - # action: Allow - # principal: - # jwt: - # provider: keycloak - # claims: - # - name: groups - # valueType: StringArray - # values: - # - "/parcellab-employee" +envoy: + httpRoute: + enabled: false + # parentGateway: gateway-api + # parentGatewayNamespace: envoy-gateway + # hosts: + # - myapp.gateway.test.parcellab.dev + # path: / + + referenceGrant: + enabled: false + # name: custom-grant # Optional: custom name + # namespace: envoy-gateway # Optional: where to create the grant (default: current namespace) + # from: # Optional: specify what can reference (default: HTTPRoute from current namespace) + # - group: gateway.networking.k8s.io + # kind: HTTPRoute + # namespace: myapp + # to: # Optional: specify what can be referenced (default: Service) + # - group: "" + # kind: Service + # - group: "" + # kind: Secret ## ## Cronjob
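Review bot: In the `envoy.referenceGrant` example, `namespace: envoy-gateway` together with `to: Service` and `from: HTTPRoute` in `myapp` describes a grant that does not cover the app's own backend: a ReferenceGrant only authorizes references to objects in the namespace it lives in, so this one would let HTTPRoutes in `myapp` target Services in `envoy-gateway`, which is not a reference this chart creates, while the cross-namespace case the chart actually performs (an HTTPRoute in `myapp` attaching to a Gateway in `envoy-gateway`) is controlled by the Gateway listener's `allowedRoutes`, not by a ReferenceGrant. Replace the comment with `# namespace: <namespace of the 'to' objects>  # a grant must live where the referenced objects are` and use an example pair Envoy Gateway actually evaluates, such as an HTTPRoute reaching a Service in a shared backend namespace. This keeps a copied example from minting a grant that either does nothing or opens an unintended namespace. The hunk spans the whole `## Envoy Gateway Resources` section up to the `## Cronjob` heading.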