Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion charts/envoy-gateway/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -314,7 +314,7 @@ highAvailability:

| Key | Default | Description |
|-----|---------|-------------|
| `security.networkPolicies` | `false` | Enable NetworkPolicies |
| `security.networkPolicies` | `false` | Enable rendering of NetworkPolicy resources |
| `security.podSecurityStandards` | `true` | Enable PodSecurityStandards (restricted mode) |

### High Availability
Expand Down
22 changes: 22 additions & 0 deletions charts/envoy-gateway/templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -235,3 +235,25 @@ affinity:
{{- toYaml $affinity | nindent 2 }}
{{- end }}
{{- end }}

{{/*
Central fail-fast validation entrypoint.
*/}}
{{- define "envoy-gateway.validate" -}}
{{- if and .Values.externalSecrets.enabled (not .Values.rateLimiting.externalRedis.auth.secretName) -}}
{{- fail "externalSecrets.enabled requires rateLimiting.externalRedis.auth.secretName to be set to prevent credential drift between the chart-managed Secret and the ExternalSecret." -}}
{{- end -}}
{{- if and .Values.rateLimiting.enabled (not .Values.redis.enabled) (not .Values.rateLimiting.externalRedis.host) -}}
{{- fail "rateLimiting.enabled requires redis.enabled=true or rateLimiting.externalRedis.host to be set" -}}
{{- end -}}
{{- if and .Values.rateLimiting.enabled (not .Values.redis.enabled) .Values.rateLimiting.externalRedis.host .Values.rateLimiting.externalRedis.auth.enabled (not .Values.rateLimiting.externalRedis.auth.secretName) -}}
{{- fail "rateLimiting.externalRedis.auth.enabled requires rateLimiting.externalRedis.auth.secretName" -}}
{{- end -}}
{{- $podLabels := .Values.podLabels | default dict -}}
{{- $selectorLabels := include "envoy-gateway.controller.selectorLabels" . | fromYaml -}}
{{- range $key, $_ := $selectorLabels -}}
{{- if hasKey $podLabels $key -}}
{{- fail (printf "podLabels must not override selector label %s" $key) -}}
{{- end -}}
{{- end -}}
{{- end -}}
2 changes: 1 addition & 1 deletion charts/envoy-gateway/templates/certgen-job.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ spec:
template:
metadata:
labels:
{{- include "envoy-gateway.labels" . | nindent 8 }}
{{- include "envoy-gateway.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: certgen
spec:
serviceAccountName: {{ $fullName }}-certgen
Expand Down
3 changes: 3 additions & 0 deletions charts/envoy-gateway/templates/networkpolicy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,9 @@ spec:
port: 53
- protocol: UDP
port: 53
{{- with .Values.security.networkPolicy.extraEgress }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- if and .Values.rateLimiting.enabled .Values.redis.enabled }}
---
apiVersion: networking.k8s.io/v1
Expand Down
3 changes: 3 additions & 0 deletions charts/envoy-gateway/templates/validate.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# yamllint disable-file
# SPDX-License-Identifier: Apache-2.0
{{- include "envoy-gateway.validate" . -}}
Comment thread
coderabbitai[bot] marked this conversation as resolved.
14 changes: 14 additions & 0 deletions charts/envoy-gateway/tests/certgen_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,20 @@ tests:
content: --disable-topology-injector
documentIndex: 3

- it: should keep certgen pod labels limited to selector labels and component
asserts:
- notExists:
path: spec.template.metadata.labels["helm.sh/chart"]
documentIndex: 3
- equal:
path: spec.template.metadata.labels["app.kubernetes.io/name"]
value: envoy-gateway
documentIndex: 3
- equal:
path: spec.template.metadata.labels["app.kubernetes.io/component"]
value: certgen
documentIndex: 3

- it: should have pre-install hook annotation on Job
asserts:
- equal:
Expand Down
25 changes: 25 additions & 0 deletions charts/envoy-gateway/tests/security_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,31 @@ tests:
count: 0
template: networkpolicy.yaml

- it: should append controller extra egress rules
set:
security:
networkPolicies: true
networkPolicy:
extraEgress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: observability
ports:
- protocol: TCP
port: 4317
asserts:
- equal:
path: spec.egress[2].to[0].namespaceSelector.matchLabels["kubernetes.io/metadata.name"]
value: observability
template: networkpolicy.yaml
documentIndex: 0
- equal:
path: spec.egress[2].ports[0].port
value: 4317
template: networkpolicy.yaml
documentIndex: 0

- it: should create NetworkPolicies for Redis and ratelimit when rate limiting enabled
set:
namespaceOverride: envoy-system
Expand Down
64 changes: 64 additions & 0 deletions charts/envoy-gateway/tests/validation_test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
# SPDX-License-Identifier: Apache-2.0
suite: Validation
templates:
- validate.yaml
tests:
- it: should reject rate limiting without redis backend
set:
rateLimiting:
enabled: true
redis:
enabled: false
asserts:
- failedTemplate:
errorMessage: "rateLimiting.enabled requires redis.enabled=true or rateLimiting.externalRedis.host to be set"

- it: should reject external redis auth without secret
set:
rateLimiting:
enabled: true
externalRedis:
host: redis.example.com
auth:
enabled: true
secretName: ""
redis:
enabled: false
asserts:
- failedTemplate:
errorMessage: "rateLimiting.externalRedis.auth.enabled requires rateLimiting.externalRedis.auth.secretName"

- it: should allow unused external redis auth settings
set:
rateLimiting:
enabled: false
externalRedis:
auth:
enabled: true
secretName: ""
redis:
enabled: true
asserts:
- notFailedTemplate: {}

- it: should reject external secrets without external redis auth secret
set:
externalSecrets:
enabled: true
asserts:
- failedTemplate:
errorMessage: "externalSecrets.enabled requires rateLimiting.externalRedis.auth.secretName to be set to prevent credential drift between the chart-managed Secret and the ExternalSecret."

- it: should reject reserved pod label overrides
set:
podLabels:
app.kubernetes.io/component: custom
asserts:
- failedTemplate:
errorMessage: "podLabels must not override selector label app.kubernetes.io/component"

- it: should allow null pod labels
set:
podLabels: null
asserts:
- notFailedTemplate: {}
14 changes: 13 additions & 1 deletion charts/envoy-gateway/values.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -635,9 +635,21 @@
"properties": {
"networkPolicies": {
"type": "boolean",
"description": "Enable NetworkPolicies for zero-trust networking",
"description": "Enable rendering of NetworkPolicy resources for zero-trust networking",
"default": false
},
"networkPolicy": {
"type": "object",
"description": "NetworkPolicy rule extensions used when security.networkPolicies is enabled",
"properties": {
"extraEgress": {
"type": "array",
"description": "Additional complete egress rules appended to the controller NetworkPolicy",
"items": { "type": "object" },
"default": []
}
}
},
"podSecurityStandards": {
"type": "boolean",
"description": "Enable PodSecurityStandard restricted mode",
Expand Down
5 changes: 4 additions & 1 deletion charts/envoy-gateway/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -384,8 +384,11 @@ monitoring:

## Security and Hardening
security:
# -- Enable NetworkPolicies
# -- Enable rendering of NetworkPolicy resources
networkPolicies: false
networkPolicy:
# -- Additional complete egress rules appended to the controller NetworkPolicy when security.networkPolicies is enabled
extraEgress: []
# -- Enable PodSecurityStandard restricted
podSecurityStandards: true

Expand Down