fix: '0 NR filter_chain_not_found' by removing mTLS

defenseunicorns · Aug 13, 2024 · aa5d290 · aa5d290
1 parent 41c20dc
commit aa5d290
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 3 deletions.
diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml
@@ -10,10 +10,9 @@ packages:
   - name: dev-namespace
     path: ../
     ref: 0.1.0
-
   - name: postgres-operator
     repository: ghcr.io/defenseunicorns/packages/uds/postgres-operator
-    ref: 1.10.1-uds.4-upstream
+    ref: 1.12.2-uds.2-upstream
     overrides:
       postgres-operator:
         uds-postgres-config:

diff --git a/chart/templates/peerauth-exception.yaml b/chart/templates/peerauth-exception.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: "confluence"
+  namespace: {{ .Release.Namespace }}
+spec:
+  mtls:
+    mode: STRICT
+  portLevelMtls:
+    5701:
+      mode: PERMISSIVE
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: confluence
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
@@ -88,7 +88,7 @@ spec:
         remoteGenerated: KubeAPI
         description: "Provides Hazelcast with access to K8s API"
 
-      - direction: Egress
+      - direction: Ingress
         selector:
           app.kubernetes.io/name: confluence
         remoteSelector:

diff --git a/src/namespace/confluence-ns.yaml b/src/namespace/confluence-ns.yaml
@@ -1,4 +1,9 @@
+---
+# Namespace must be created ahead of time so postgre-operator
+# can put the secret in an existing namespace.
 kind: Namespace
 apiVersion: v1
 metadata:
   name: confluence
+  labels:
+    istio-injection: enabled
diff --git a/values/common-values.yaml b/values/common-values.yaml
@@ -107,3 +107,12 @@ confluence:
     - "--add-opens java.base/sun.nio.ch=ALL-UNNAMED"
     - "--add-opens java.management/sun.management=ALL-UNNAMED"
     - "--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED"
+
+openshift:
+  # -- When set to true, the containers will run with a restricted Security Context Constraint (SCC).
+  # See: https://docs.openshift.com/container-platform/4.14/authentication/managing-security-context-constraints.html
+  # This configuration property unsets pod's SecurityContext, nfs-fixer init container (which runs as root), and mounts server
+  # configuration files as ConfigMaps.
+  #
+  # Lesson Learned: DO NOT ENABLE THIS - it is DOA
+  runWithRestrictedSCC: false