Problem:
The identity aware auth proxy attached to the default gateway is
blocking access to NATS and the Choria Provisioner cluster.
Solution:
Add configuration that adds the project hosts to the exclusion list of the
AuthorizationPolicy/authproxy-custom rule.
Result:
Requests bypass the auth proxy and go straight to the backend. The
rules look like:
kubectl get authorizationpolicy authproxy-custom -o yaml
```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: authproxy-custom
namespace: istio-ingress
labels:
app.kubernetes.io/name: authproxy-custom
app.kubernetes.io/part-of: istio-ingressgateway
spec:
action: CUSTOM
provider:
name: ingressauth
rules:
- to:
- operation:
notHosts:
- login.ois.run
- vault.core.ois.run
- provision.holos.run
- nats.holos.run
- provision.dev.holos.run
- nats.dev.holos.run
- jeff.provision.dev.holos.run
- jeff.nats.dev.holos.run
- gary.provision.dev.holos.run
- gary.nats.dev.holos.run
- nate.provision.dev.holos.run
- nate.nats.dev.holos.run
- provision.k2.holos.run
- nats.k2.holos.run
- provision.dev.k2.holos.run
- nats.dev.k2.holos.run
- jeff.provision.dev.k2.holos.run
- jeff.nats.dev.k2.holos.run
- gary.provision.dev.k2.holos.run
- gary.nats.dev.k2.holos.run
- nate.provision.dev.k2.holos.run
- nate.nats.dev.k2.holos.run
when:
- key: request.headers[x-oidc-id-token]
notValues:
- '*'
selector:
matchLabels:
istio: ingressgateway
```
69 lines
1.5 KiB
CUE
package holos
|
|
|
|
#Project: authProxyOrgDomain: "openinfrastructure.co"
|
|
|
|
let ZitadelProjectID = 257713952794870157
|
|
|
|
let AllClusters = {
|
|
// platform level services typically run in the core cluster pair.
|
|
core1: _
|
|
core2: _
|
|
// for development, probably wouldn't run these services in the workload clusters.
|
|
k1: _
|
|
k2: _
|
|
k3: _
|
|
k4: _
|
|
k5: _
|
|
}
|
|
|
|
_Projects: #Projects & {
|
|
// The platform project is required and where platform services reside. ArgoCD, Grafana, Prometheus, etc...
|
|
platform: {
|
|
resourceId: ZitadelProjectID
|
|
clusters: AllClusters
|
|
// Services hosted in the platform project
|
|
hosts: argocd: _
|
|
hosts: grafana: _
|
|
hosts: prometheus: _
|
|
}
|
|
|
|
holos: {
|
|
resourceId: ZitadelProjectID
|
|
domain: "holos.run"
|
|
clusters: AllClusters
|
|
|
|
environments: {
|
|
prod: stage: "prod"
|
|
dev: stage: "dev"
|
|
jeff: stage: dev.stage
|
|
gary: stage: dev.stage
|
|
nate: stage: dev.stage
|
|
}
|
|
|
|
// app is the holos web app and grpc api.
|
|
hosts: app: _
|
|
// provision is the choria broker provisioning system.
|
|
hosts: provision: NoAuthorizationPolicy: true
|
|
// nats is the nats service holos controller machine room agents connect after provisioning.
|
|
hosts: nats: NoAuthorizationPolicy: true
|
|
}
|
|
|
|
iam: {
|
|
resourceId: ZitadelProjectID
|
|
hosts: login: _
|
|
clusters: {
|
|
core1: _
|
|
core2: _
|
|
}
|
|
}
|
|
}
|
|
|
|
// Manage namespaces for platform project environments.
|
|
for project in _Projects {
|
|
for ns in project.managedNamespaces {
|
|
if ns.clusters[#ClusterName] != _|_ {
|
|
#ManagedNamespaces: (ns.namespace.metadata.name): ns
|
|
}
|
|
}
|
|
}
|
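Review bot: The `NoAuthorizationPolicy: true` entries on `hosts: provision` and `hosts: nats` remove the gateway's OIDC check for those hosts in every cluster and environment the project declares (`clusters: AllClusters` plus the prod/dev/jeff/gary/nate environments), yet the comments directly above them say only what the services are, not why the proxy is bypassed or what control takes its place. I would extend each comment to record that rationale, e.g. `// NoAuthorizationPolicy: machine agents connect here without a browser session, so this host is excluded from the auth proxy and the service itself must authenticate callers; confirm that before copying this flag to another host.` The per-developer environments (jeff, gary, nate) inherit the same exclusion; if the bypass is only needed for production agents, scoping the flag per environment would narrow the exposure, though whether the #Projects schema allows that is not visible in this file. Whether the provision and nats backends actually enforce their own authentication is also not shown here, so that is a point to verify rather than assume.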