diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 1e8d963..c4ebac4 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -10,10 +10,9 @@ packages: - name: dev-namespace path: ../ ref: 0.1.0 - - name: postgres-operator repository: ghcr.io/defenseunicorns/packages/uds/postgres-operator - ref: 1.10.1-uds.4-upstream + ref: 1.12.2-uds.2-upstream overrides: postgres-operator: uds-postgres-config: diff --git a/chart/templates/peerauth-exception.yaml b/chart/templates/peerauth-exception.yaml new file mode 100644 index 0000000..fba5275 --- /dev/null +++ b/chart/templates/peerauth-exception.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: "confluence" + namespace: {{ .Release.Namespace }} +spec: + mtls: + mode: STRICT + portLevelMtls: + 5701: + mode: PERMISSIVE + selector: + matchLabels: + app.kubernetes.io/name: confluence diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index 8feb414..4e3c457 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -88,7 +88,7 @@ spec: remoteGenerated: KubeAPI description: "Provides Hazelcast with access to K8s API" - - direction: Egress + - direction: Ingress selector: app.kubernetes.io/name: confluence remoteSelector: diff --git a/src/namespace/confluence-ns.yaml b/src/namespace/confluence-ns.yaml index 42f17db..9e8f838 100644 --- a/src/namespace/confluence-ns.yaml +++ b/src/namespace/confluence-ns.yaml @@ -1,4 +1,9 @@ +--- +# Namespace must be created ahead of time so postgre-operator +# can put the secret in an existing namespace. kind: Namespace apiVersion: v1 metadata: name: confluence + labels: + istio-injection: enabled diff --git a/values/common-values.yaml b/values/common-values.yaml index ba4e509..a1fae92 100644 --- a/values/common-values.yaml +++ b/values/common-values.yaml @@ -107,3 +107,12 @@ confluence: - "--add-opens java.base/sun.nio.ch=ALL-UNNAMED" - "--add-opens java.management/sun.management=ALL-UNNAMED" - "--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED" + +openshift: + # -- When set to true, the containers will run with a restricted Security Context Constraint (SCC). + # See: https://docs.openshift.com/container-platform/4.14/authentication/managing-security-context-constraints.html + # This configuration property unsets pod's SecurityContext, nfs-fixer init container (which runs as root), and mounts server + # configuration files as ConfigMaps. + # + # Lesson Learned: DO NOT ENABLE THIS - it is DOA + runWithRestrictedSCC: false