jwt auth support added.

canpolatoral · Dec 2, 2024 · bd395ee · bd395ee
1 parent 01493cb
commit bd395ee
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 6 deletions.
diff --git a/charts/apps/account/values-base.yaml b/charts/apps/account/values-base.yaml
@@ -20,7 +20,7 @@ base-ms-chart:
   authorizationPolicy:
     enabled: true
 
-    allowedSources:
+    allowedServiceAccounts:
       - namespace: transfer
         serviceAccount: transfer-service
       - namespace: istio-system

diff --git a/charts/base/base-ms-chart/templates/authorizationpolicy.yaml b/charts/base/base-ms-chart/templates/authorizationpolicy.yaml
@@ -9,10 +9,29 @@ spec:
       app.kubernetes.io/name: {{ include "ms.name" . }}
   action: ALLOW
   rules:
-{{- range .Values.authorizationPolicy.allowedSources }}
+{{- range .Values.authorizationPolicy.allowedServiceAccounts }}
   - from:
     - source:
-        # namespaces: ["{{ .namespace }}"]
         principals: ["cluster.local/ns/{{ .namespace }}/sa/{{ .serviceAccount }}"]
+    to:
+    - operation:
+{{- if .methods }}
+        methods: {{ .methods | toYaml | nindent 8 }}
+{{- end }}
+{{- if .paths }}
+        paths: {{ .paths | toYaml | nindent 8 }}
+{{- end }}
+{{- end }}
+{{- range .Values.authorizationPolicy.allowedClients }}
+  - from:
+    - source:
+        principals: ["{{ .issuer }}/{{ .clientId }}"]
+    to:
+{{- if .methods }}
+        methods: {{ .methods | toYaml | nindent 8 }}
+{{- end }}
+{{- if .paths }}
+        paths: {{ .paths | toYaml | nindent 8 }}
+{{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/base/base-ms-chart/templates/requestauthentication.yaml b/charts/base/base-ms-chart/templates/requestauthentication.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.requestAuthentication.enabled }}
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+  name: {{ include "ms.fullname" . }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "ms.name" . }}
+  jwtRules:
+{{- range .Values.requestAuthentication.jwtRules }}
+  - issuer: "{{ .issuer }}"
+    jwksUri: "{{ .jwksUri }}"
+{{- end }}
+{{- end }}
diff --git a/charts/base/base-ms-chart/values.yaml b/charts/base/base-ms-chart/values.yaml
@@ -2,11 +2,21 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
-mtls:
+peerAuthentication:
   enabled: false
-
+
+  # mtls:
+  #   mode: STRICT
+
   # mode: STRICT
 
+requestAuthentication:
+  enabled: false
+
+  # jwtRules:
+  #   - issuer: https://auth.example.com
+  #     jwksUri: https://auth.example.com/.well-known/jwks.json
+
 virtualService:
   enabled: false
 
@@ -56,7 +66,7 @@ destinationRule:
 authorizationPolicy:
   enabled: false
 
-  # allowedSources:
+  # allowedServiceAccounts:
   #   - namespace: transfer
   #     serviceAccount: transfer-service-account
   #   - namespace: customer