From aa5d290245b176d1c21b45b26c98148cb1e1b128 Mon Sep 17 00:00:00 2001
From: Joseph Richardson
Date: Tue, 13 Aug 2024 14:29:59 -0400
Subject: [PATCH] fix: '0 NR filter_chain_not_found' by removing mTLS

---
 bundle/uds-bundle.yaml | 3 +--
 chart/templates/peerauth-exception.yaml | 15 +++++++++++++++
 chart/templates/uds-package.yaml | 2 +-
 src/namespace/confluence-ns.yaml | 5 +++++
 values/common-values.yaml | 9 +++++++++
 5 files changed, 31 insertions(+), 3 deletions(-)
 create mode 100644 chart/templates/peerauth-exception.yaml

diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml
index 1e8d963..c4ebac4 100644
--- a/bundle/uds-bundle.yaml
+++ b/bundle/uds-bundle.yaml
@@ -10,10 +10,9 @@ packages:
 - name: dev-namespace
 path: ../
 ref: 0.1.0
-
 - name: postgres-operator
 repository: ghcr.io/defenseunicorns/packages/uds/postgres-operator
- ref: 1.10.1-uds.4-upstream
+ ref: 1.12.2-uds.2-upstream
 overrides:
 postgres-operator:
 uds-postgres-config:
diff --git a/chart/templates/peerauth-exception.yaml b/chart/templates/peerauth-exception.yaml
new file mode 100644
index 0000000..fba5275
--- /dev/null
+++ b/chart/templates/peerauth-exception.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: "confluence"
+ namespace: {{ .Release.Namespace }}
+spec:
+ mtls:
+ mode: STRICT
+ portLevelMtls:
+ 5701:
+ mode: PERMISSIVE
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: confluence
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
index 8feb414..4e3c457 100644
--- a/chart/templates/uds-package.yaml
+++ b/chart/templates/uds-package.yaml
@@ -88,7 +88,7 @@ spec:
 remoteGenerated: KubeAPI
 description: "Provides Hazelcast with access to K8s API"
 
- - direction: Egress
+ - direction: Ingress
 selector:
 app.kubernetes.io/name: confluence
 remoteSelector:
diff --git a/src/namespace/confluence-ns.yaml b/src/namespace/confluence-ns.yaml
index 42f17db..9e8f838 100644
--- a/src/namespace/confluence-ns.yaml
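Review bot: The `portLevelMtls` entry for 5701 downgrades that port to `PERMISSIVE`, so the confluence pods accept plaintext, unauthenticated connections there from any peer the namespace's network policy lets in, and nothing in the file says why the exception exists. Given the Hazelcast rule in uds-package.yaml this is presumably the Hazelcast cluster port, but that should be written down: a comment above `portLevelMtls:` such as `# 5701: cluster-member traffic that does not go through the sidecar (TODO confirm: Hazelcast); plaintext is accepted on this port only, bounded by the Ingress allow in uds-package.yaml` keeps the next reviewer from widening it. The rest of the workload stays `STRICT`, which the commit title ("removing mTLS") does not convey. Quoting the templated value, `namespace: "{{ .Release.Namespace }}"`, also matches the quoted `name:` above it.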
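Review bot: Changing this entry's `direction` from `Egress` to `Ingress` replaces the egress allow rather than adding to it, and no other entry in the hunk covers the same confluence-to-peer egress; if none exists further down, the pod-to-pod traffic this rule is for is now permitted in only one direction. As far as I can tell UDS `allow` entries are directional, so a second entry keeping `direction: Egress` with the same `selector`/`remoteSelector` is the usual shape when both ends are the confluence pods. The list item begins at the `- direction:` line inside the hunk, but its `remoteSelector` contents and `description` run past the hunk's end, so I cannot see which peer it names.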
+++ b/src/namespace/confluence-ns.yaml
@@ -1,4 +1,9 @@
+---
+# Namespace must be created ahead of time so postgre-operator
+# can put the secret in an existing namespace.
 kind: Namespace
 apiVersion: v1
 metadata:
 name: confluence
+ labels:
+ istio-injection: enabled
diff --git a/values/common-values.yaml b/values/common-values.yaml
index ba4e509..a1fae92 100644
--- a/values/common-values.yaml
+++ b/values/common-values.yaml
@@ -107,3 +107,12 @@ confluence:
 - "--add-opens java.base/sun.nio.ch=ALL-UNNAMED"
 - "--add-opens java.management/sun.management=ALL-UNNAMED"
 - "--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED"
+
+openshift:
+ # -- When set to true, the containers will run with a restricted Security Context Constraint (SCC).
+ # See: https://docs.openshift.com/container-platform/4.14/authentication/managing-security-context-constraints.html
+ # This configuration property unsets pod's SecurityContext, nfs-fixer init container (which runs as root), and mounts server
+ # configuration files as ConfigMaps.
+ #
+ # Lesson Learned: DO NOT ENABLE THIS - it is DOA
+ runWithRestrictedSCC: false
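Review bot: The new comment misnames the dependency as `postgre-operator` while the bundle pins `postgres-operator`; the line should read `# Namespace must be created ahead of time so postgres-operator`. The `istio-injection: enabled` label is what gives the chart's PeerAuthentication any effect, since a `STRICT` policy on pods without a sidecar changes nothing, and that dependency is worth a comment above `labels:`, e.g. `# Sidecar injection is namespace-wide so the chart's PeerAuthentication applies to every confluence pod`. With injection on for the whole namespace, any other workload deployed here also gets a sidecar, which is presumably intended but worth stating.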
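Review bot: The `Lesson Learned` line says not to enable `runWithRestrictedSCC` but not what failed, and since `false` is the setting that keeps the root-running nfs-fixer init container described two lines above, the next maintainer needs the failure mode before deciding whether the restricted SCC can be retried. Replace it with something like `# Lesson Learned: enabling this broke <symptom, TODO record> on <cluster/date>; leave false until that is resolved` so the reason is recoverable from the file. The `See:` and `This configuration property` comment lines also exceed 120 characters and could be wrapped.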