From cd4023f5ce883b07839db28f7e709a52c9c18da6 Mon Sep 17 00:00:00 2001
From: Erik Brakkee
Date: Sat, 25 Jan 2025 12:44:01 +0100
Subject: [PATCH] emojivoto is working. But... need to do major rework

only a single networkauthentication may be set the required authenticationRefs in the authorization policy are anded together so we should use a separate authorization policy for each communication link
---
 cmd/policygen/linkerd_generator.go | 26 ++++++++++++++-----
 .../application/meshtlsauthentication.yaml | 5 ++--
 .../templates/linkerd/application/server.yaml | 2 +-
 3 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/cmd/policygen/linkerd_generator.go b/cmd/policygen/linkerd_generator.go
index c9252a6..183d780 100644
--- a/cmd/policygen/linkerd_generator.go
+++ b/cmd/policygen/linkerd_generator.go
@@ -3,9 +3,12 @@ package main
 import (
 	"fmt"
 	"io"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"os"
 	"slices"
 	"strconv"
+	"strings"
 )
 
 type LinkerdPolicyGenerator struct {
@@ -104,7 +107,7 @@ func (g *LinkerdPolicyGenerator) GenerateCommunicationRule(
 	// linkerd rules
 	// 1. an authpolicy may contain only one meshtlsauthentication rule
 	// 2. an authpolicy may contain only one service account .
-	// 3. an authpolicy may contain more than one networkauthentication
+	// 3. an authpolicy may contain only one networkauthentication
 	//
 	// Should generate here a methtlsautheorization for every port
 	// and pass in a list of service accounts instead of a list of apps.
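Review bot: The rewritten rule 3 states the constraint but not the reason, and the reason is the security-relevant part: per the commit message, requiredAuthenticationRefs on an AuthorizationPolicy are ANDed, so listing two NetworkAuthentications admits only clients that are in both sets — fail-closed, but not what a merged list intends, and easy for a later maintainer to "fix" back into merging. I'd record that in the comment: `// 3. an authpolicy may contain only one networkauthentication: requiredAuthenticationRefs are ANDed, so two NetworkAuthentications would admit only clients present in BOTH`. GenerateCommunicationRule starts and ends outside this hunk.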
@@ -136,13 +139,24 @@ func (g *LinkerdPolicyGenerator) GenerateCommunicationRule(
 	return nil
 }
 
-func (g *LinkerdPolicyGenerator) serviceAccounts(peers []*ApplicationPeer) []string {
-	serviceAccounts := []string{}
+func (g *LinkerdPolicyGenerator) serviceAccounts(peers []*ApplicationPeer) []v1.ServiceAccount {
+	serviceAccounts := []v1.ServiceAccount{}
 	for _, peer := range peers {
-		serviceAccounts = append(serviceAccounts, peer.Application.ServiceAccounts...)
+		for _, sa := range peer.Application.ServiceAccounts {
+			serviceAccounts = append(serviceAccounts, v1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      sa,
+					Namespace: peer.Application.Namespace.Name,
+				},
+			})
+		}
 	}
-	slices.Sort(serviceAccounts)
-	return slices.Compact(serviceAccounts)
+	slices.SortFunc(serviceAccounts, func(s1 v1.ServiceAccount, s2 v1.ServiceAccount) int {
+		return strings.Compare(s1.Namespace+"/"+s1.Name, s2.Namespace+"/"+s2.Name)
+	})
+	return slices.CompactFunc(serviceAccounts, func(s1, s2 v1.ServiceAccount) bool {
+		return s1.Namespace == s2.Namespace && s1.Name == s2.Name
+	})
 }
 
 func (g *LinkerdPolicyGenerator) Finalize(writer io.Writer) error {
diff --git a/cmd/policygen/templates/linkerd/application/meshtlsauthentication.yaml b/cmd/policygen/templates/linkerd/application/meshtlsauthentication.yaml
index 68af912..f956c9e 100644
--- a/cmd/policygen/templates/linkerd/application/meshtlsauthentication.yaml
+++ b/cmd/policygen/templates/linkerd/application/meshtlsauthentication.yaml
@@ -2,12 +2,13 @@
 apiVersion: policy.linkerd.io/v1alpha1
 kind: MeshTLSAuthentication
 metadata:
-  name: {{ .app.Name }}-{{.port}}
+  name: {{ .app.Name }}-p{{.port}}
   namespace: {{ .app.Namespace.Name }}
 spec:
   identityRefs:
 {{- range $sa := .serviceAccounts }}
   - kind: ServiceAccount
-    name: {{ $sa }}
+    name: {{ $sa.Name }}
+    namespace: {{ $sa.Namespace }}
 {{- end }}
 
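Review bot: serviceAccounts still returns an empty slice silently when peers is empty or no peer declares a service account, and the caller will then render a MeshTLSAuthentication whose identityRefs list is empty; whether Linkerd treats that as "authenticate nobody" or rejects it at admission, a policy with zero identities is a misconfiguration that should fail at generation time, not at runtime. I'd keep this helper a pure collector and have the caller (GenerateCommunicationRule, whose last two lines open this hunk; its body is outside it) guard the result with `if len(sas) == 0 { return fmt.Errorf("no service accounts declared by any peer") }`. Two smaller points: the composite sort key is only unambiguous because "/" cannot appear in a Kubernetes namespace or name, which deserves a one-line comment on the `strings.Compare` line, and the two closures spell the same parameter list differently (`s1 v1.ServiceAccount, s2 v1.ServiceAccount` vs `s1, s2 v1.ServiceAccount`).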
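Review bot: The added `namespace: {{ $sa.Namespace }}` is the load-bearing line of this change and deserves a comment in the template, because an identityRef without a namespace resolves against this MeshTLSAuthentication's own namespace and would, for a peer in another namespace, silently authenticate a different (possibly non-existent) service account than intended. If the Go side can ever hand over an empty `Namespace` (I cannot tell from here), the rendered `namespace:` is null and the same fallback happens without any error, so an empty namespace should be rejected by the generator rather than rendered. Suggested comment above the `- kind: ServiceAccount` line: `# namespace is always explicit: an omitted namespace defaults to this resource's namespace, which is wrong for cross-namespace peers`.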
diff --git a/cmd/policygen/templates/linkerd/application/server.yaml b/cmd/policygen/templates/linkerd/application/server.yaml
index 72e1380..9c98ad1 100644
--- a/cmd/policygen/templates/linkerd/application/server.yaml
+++ b/cmd/policygen/templates/linkerd/application/server.yaml
@@ -1,7 +1,7 @@
 {{- range $port := .Ports }}
 {{- if or (eq $port.Protocol "TCP") (not $port.Protocol) }}
 ---
-apiVersion: policy.linkerd.io/v1beta1
+apiVersion: policy.linkerd.io/v1beta3
 kind: Server
 metadata:
   name: {{ $.Name }}-p{{ $port.Port }}
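Review bot: Moving Server to v1beta3 picks up the optional `accessPolicy` field that, as far as I recall, this API version introduced (confirm against the installed CRD); if the spec section, which lies outside this hunk, does not set it, the generated Server relies on the controller's default for traffic that matches no AuthorizationPolicy. For a generator whose purpose is default-deny, I'd pin that intent explicitly in the output so it is visible to reviewers and survives any future change of the default: `accessPolicy: deny` next to the port and podSelector fields.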