starred/holos
1
0
Fork 0
mirror of https://github.com/holos-run/holos.git synced 2026-03-19 16:54:58 +00:00
Code Issues Packages Projects Releases 10 Wiki Activity
Files
ce8bc798f61606e8a286717256dda824975ac821
holos/docs/examples
History
Jeff McCune ce8bc798f6 (#133) Exclude nats and provision hosts from the auth proxy 
Problem:
The identity aware auth proxy attached to the default gateway is
blocking access to NATS and the Choria Provisioner cluster.

Solution:
Add configuration that causes the project hosts to get added to the
exclusion list of the AuthorizationPolicy/authproxy-custom rule.

Result:
Requests bypass the auth proxy and go straight to the backend.  The
rules look like:

    kubectl get authorizationpolicy authproxy-custom -o yaml

```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: authproxy-custom
  namespace: istio-ingress
  labels:
    app.kubernetes.io/name: authproxy-custom
    app.kubernetes.io/part-of: istio-ingressgateway
spec:
  action: CUSTOM
  provider:
    name: ingressauth
  rules:
  - to:
    - operation:
        notHosts:
        - login.ois.run
        - vault.core.ois.run
        - provision.holos.run
        - nats.holos.run
        - provision.dev.holos.run
        - nats.dev.holos.run
        - jeff.provision.dev.holos.run
        - jeff.nats.dev.holos.run
        - gary.provision.dev.holos.run
        - gary.nats.dev.holos.run
        - nate.provision.dev.holos.run
        - nate.nats.dev.holos.run
        - provision.k2.holos.run
        - nats.k2.holos.run
        - provision.dev.k2.holos.run
        - nats.dev.k2.holos.run
        - jeff.provision.dev.k2.holos.run
        - jeff.nats.dev.k2.holos.run
        - gary.provision.dev.k2.holos.run
        - gary.nats.dev.k2.holos.run
        - nate.provision.dev.k2.holos.run
        - nate.nats.dev.k2.holos.run
    when:
    - key: request.headers[x-oidc-id-token]
      notValues:
      - '*'
  selector:
    matchLabels:
      istio: ingressgateway
```
2024-04-19 06:32:11 -07:00
..
cue.mod
(#133) Choria Broker for Holos Controller provisioning
2024-04-17 08:48:31 -07:00
platforms
(#133) Exclude nats and provision hosts from the auth proxy
2024-04-19 06:32:11 -07:00
authpolicy.cue
(#133) Exclude nats and provision hosts from the auth proxy
2024-04-19 06:32:11 -07:00
helpers.cue
(#133) Choria Broker for Holos Controller provisioning
2024-04-17 08:48:31 -07:00
holos.cue
(#71) Refactor Zitadel components for BuildPlan
2024-03-22 15:04:43 -07:00
managednamespaces.cue
(#115) Minor clean up of cue code
2024-04-10 21:21:16 -07:00
meshconfig.cue
(#82) ingressgateway ExtAuthzHttp provider
2024-04-01 16:53:11 -07:00
namespaces.cue
(#30) Add https redirect overlay resources
2024-03-02 15:01:58 -08:00
optionalservices.cue
(#115) Minor clean up of cue code
2024-04-10 21:21:16 -07:00
project_types.cue
(#133) Exclude nats and provision hosts from the auth proxy
2024-04-19 06:32:11 -07:00
project-hosts.cue
(#133) Exclude nats and provision hosts from the auth proxy
2024-04-19 06:32:11 -07:00
project-template-provisioner-certs.cue
(#101) Use letsencrypt production instead of staging
2024-04-18 10:36:28 -07:00
project-template.cue
(#133) Exclude nats and provision hosts from the auth proxy
2024-04-19 06:32:11 -07:00
schema.cue
(#133) Choria Broker for Holos Controller provisioning
2024-04-17 08:48:31 -07:00