diff --git a/cluster-manifests/ingress-nginx/namespace.yaml b/cluster-manifests/ingress-nginx/namespace.yaml
index 6a729f2f..6282416b 100644
--- a/cluster-manifests/ingress-nginx/namespace.yaml
+++ b/cluster-manifests/ingress-nginx/namespace.yaml
@@ -4,4 +4,5 @@ metadata:
 name: ingress-nginx
 labels:
 app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: ingress-nginx
\ No newline at end of file
+ app.kubernetes.io/instance: ingress-nginx
+ openservicemesh.io/monitored-by: osm
\ No newline at end of file
diff --git a/cluster-manifests/kube-system/osm-config.yaml b/cluster-manifests/kube-system/osm-config.yaml
index c5c463b5..d2272d0f 100644
--- a/cluster-manifests/kube-system/osm-config.yaml
+++ b/cluster-manifests/kube-system/osm-config.yaml
@@ -2,12 +2,27 @@ apiVersion: config.openservicemesh.io/v1alpha1
 kind: MeshConfig
 metadata:
 name: osm-mesh-config
+ namespace: kube-system
 spec:
 certificate:
+ certKeyBitSize: 2048
 serviceCertValidityDuration: 24h
+ ingressGateway:
+ secret:
+ name: osm-nginx-client-cert
+ namespace: ingress-nginx
+ subjectAltNames:
+ - ingress-nginx.ingress-nginx.cluster.local
+ validityDuration: 24h
 featureFlags:
 enableEgressPolicy: true
- enableWASMStats: false
+ enableWASMStats: true
+ enableMulticlusterMode: false
+ enableSnapshotCacheMode: false
+ enableAsyncProxyServiceMapping: false
+ enableIngressBackendPolicy: true
+ enableEnvoyActiveHealthChecks: false
+ enableRetryPolicy: false
 observability:
 enableDebugServer: false
 osmLogLevel: info
@@ -16,6 +31,7 @@ spec:
 sidecar:
 enablePrivilegedInitContainer: false
 logLevel: error
+ maxDataPlaneConnections: 0
 traffic:
 enableEgress: true
 enablePermissiveTrafficPolicyMode: false
@@ -23,4 +39,4 @@ spec:
 - 169.254.169.254/32
 - 168.63.129.16/32
 - 10.240.12.4/32
- useHTTPSIngress: true
\ No newline at end of file
+
diff --git a/workload/a0005-i/web-frontend/ingress.yaml b/workload/a0005-i/web-frontend/ingress.yaml
index 6ecac118..ee3a3ab7 100644
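Review bot: The added label `openservicemesh.io/monitored-by: osm` puts the ingress-nginx namespace under OSM's watch without sidecar injection, since no `openservicemesh.io/sidecar-injection` annotation is added with it; as I understand OSM, that is the intended shape for an ingress controller that reaches the mesh with an OSM-issued client certificate rather than a sidecar, but nothing in the file says so. A comment above the label, `# monitored but NOT sidecar-injected: OSM must watch this namespace to issue the ingress-gateway client cert here and accept ingress-nginx as an IngressBackend source`, would stop a later reader from "completing" the enrollment by enabling injection.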
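Review bot: The SAN `ingress-nginx.ingress-nginx.cluster.local` under `ingressGateway.subjectAltNames` is a cross-file contract with the `AuthenticatedPrincipal` source of the new IngressBackend in workload/a0005-i/web-frontend/ingress.yaml, and nothing records that the two strings must stay identical; a comment on that line such as `# must equal the AuthenticatedPrincipal name in every IngressBackend that admits ingress-nginx` would make a future rename fail loudly in review instead of as a hard-to-diagnose rejection at the backend sidecar. `enableWASMStats` flips from false to true with no rationale while the other flags are spelled out at their defaults, so a one-line comment on why the WASM stats filter is wanted and its per-sidecar cost accepted would help. `ingressGateway.validityDuration: 24h` means OSM rewrites the `osm-nginx-client-cert` Secret daily; if the ingress-nginx deployment does not reload Secrets referenced by `proxy-ssl-secret`, upstream TLS breaks after the first rotation, which is worth confirming before merge.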
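Review bot: `maxDataPlaneConnections: 0` reads as "no connections permitted" to anyone who has not read the MeshConfig CRD, where, as I read it, zero means the sidecar-to-controller connection limit is disabled; an inline comment, `maxDataPlaneConnections: 0  # 0 = unlimited (per MeshConfig CRD)`, removes the ambiguity and flags that no cap is in force. The enclosing `spec.sidecar` block starts before this hunk.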
--- a/workload/a0005-i/web-frontend/ingress.yaml
+++ b/workload/a0005-i/web-frontend/ingress.yaml
@@ -12,7 +12,7 @@ metadata:
 nginx.ingress.kubernetes.io/backend-protocol: HTTPS
 nginx.ingress.kubernetes.io/configuration-snippet: |
 proxy_ssl_name "web-frontend-sa.a0005-i.cluster.local";
- nginx.ingress.kubernetes.io/proxy-ssl-secret: kube-system/osm-ca-bundle
+ nginx.ingress.kubernetes.io/proxy-ssl-secret: ingress-nginx/osm-nginx-client-cert
 nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on"
 nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
 nginx.ingress.kubernetes.io/use-regex: "true"
@@ -31,4 +31,27 @@ spec:
 service:
 name: web-frontend
 port:
- number: 8080
\ No newline at end of file
+ number: 8080
+---
+apiVersion: policy.openservicemesh.io/v1alpha1
+kind: IngressBackend
+metadata:
+ name: web-frontend
+ labels:
+ app.kubernetes.io/name: a0005
+ app.kubernetes.io/component: web-frontend
+ pci-scope: in-scope
+spec:
+ backends:
+ - name: web-frontend
+ port:
+ number: 8080
+ protocol: https
+ tls:
+ skipClientCertValidation: false
+ sources:
+ - kind: Service
+ namespace: ingress-nginx
+ name: ingress-nginx-controller
+ - kind: AuthenticatedPrincipal
+ name: ingress-nginx.ingress-nginx.cluster.local
\ No newline at end of file
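Review bot: `proxy-ssl-secret` now points at `ingress-nginx/osm-nginx-client-cert`, and that Secret has to carry `ca.crt` in addition to `tls.crt`/`tls.key`, because `proxy-ssl-verify: "on"` two lines below still needs a CA to validate the upstream and the old `kube-system/osm-ca-bundle` reference that supplied it is gone. If the OSM-issued ingress-gateway Secret does not include the CA bundle, upstream verification fails closed rather than silently degrading, so this is worth checking against the rendered Secret. A comment above the annotation, `# OSM-issued client cert + CA from MeshConfig spec.certificate.ingressGateway; rotated every validityDuration`, would record the dependency on the cluster-manifests file.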
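Review bot: The `sources` list pairs a `Service` entry with an `AuthenticatedPrincipal` entry without saying why both are present, and as I read OSM's IngressBackend semantics they enforce different layers: the Service entry authorizes the controller pods as a network source, while the principal pins the client-certificate identity that `skipClientCertValidation: false` makes mandatory, so dropping either one weakens or breaks the policy without an obvious error. A comment above `sources:` such as `# both required: Service = permitted client pods; AuthenticatedPrincipal = SAN of the OSM-issued ingress-nginx client cert` would document that. `port.number: 8080` and `name: web-frontend` repeat the Ingress backend above, and the IngressBackend stops matching if they drift, so a short `# must match the Ingress backend service/port above` on the `backends:` entry would help too.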