Add rbac rule for PeerAuthentication

PeerAuthentication enforces mTLS for NATS pods
kyma-project · Sep 27, 2024 · 9d31039 · 9d31039
1 parent 12e5e26
commit 9d31039
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 2 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -119,6 +119,13 @@ rules:
   verbs:
   - list
   - watch
+- apiGroups:
+  - security.istio.io
+  resources:
+  - peerauthentications
+  verbs:
+  - list
+  - watch
 - apiGroups:
   - networking.istio.io
   resourceNames:
@@ -133,6 +140,20 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - security.istio.io
+  resourceNames:
+  - eventing-nats
+  resources:
+  - peerauthentications
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - operator.kyma-project.io
   resources:

diff --git a/internal/controller/nats/controller.go b/internal/controller/nats/controller.go
@@ -108,6 +108,7 @@ func NewReconciler(
 //+kubebuilder:rbac:groups="",resourceNames=eventing-nats-config,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="apps",resourceNames=eventing-nats,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="networking.istio.io",resourceNames=eventing-nats,resources=destinationrules,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="security.istio.io",resourceNames=eventing-nats,resources=peerauthentications,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="policy",resourceNames=eventing-nats,resources=poddisruptionbudgets,verbs=get;list;watch;update;patch;create;delete
 
 // RBAC permissions by resource
@@ -120,6 +121,7 @@ func NewReconciler(
 //+kubebuilder:rbac:groups="",resources=nodes,verbs=list;watch;get
 //+kubebuilder:rbac:groups="apps",resources=statefulsets,verbs=list;watch
 //+kubebuilder:rbac:groups="networking.istio.io",resources=destinationrules,verbs=list;watch
+//+kubebuilder:rbac:groups="security.istio.io",resources=peerauthentications,verbs=list;watch
 //+kubebuilder:rbac:groups="policy",resources=poddisruptionbudgets,verbs=list;watch
 
 //nolint:lll

diff --git a/resources/nats/templates/destination-rule.yaml b/resources/nats/templates/destination-rule.yaml
@@ -14,5 +14,5 @@ spec:
   host: {{ include "nats.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
   trafficPolicy:
     tls:
-      mode: ISTIO_MUTUAL
-{{- end }}
+      mode: DISABLE
+{{- end }}