diff --git a/src/neuvector/chart/templates/neuvector-deny.yaml b/src/neuvector/chart/templates/neuvector-deny.yaml
new file mode 100644
index 000000000..fc0fe6411
--- /dev/null
+++ b/src/neuvector/chart/templates/neuvector-deny.yaml
@@ -0,0 +1,20 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+{{- if .Values.denyLocalAuth }}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: neuvector-deny-local-login
+  namespace: {{ .Release.Namespace }}
+spec:
+  action: DENY
+  selector:
+    matchLabels:
+      app: neuvector-manager-pod
+  rules:
+    - to:
+        - operation:
+            paths: ["/auth"]
+            ports: ["8443"]
+{{- end }}
diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml
index 0644dd4f9..484b6866e 100644
--- a/src/neuvector/chart/templates/uds-package.yaml
+++ b/src/neuvector/chart/templates/uds-package.yaml
@@ -1,5 +1,6 @@
 # Copyright 2024 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+{{- $neuvectorAdminPass := join "" (list (randAlphaNum 12) (randAlpha 2 | upper) (randAlpha 2 | lower) (randNumeric 2))}}
 
 apiVersion: uds.dev/v1alpha1
 kind: Package
@@ -24,6 +25,13 @@ spec:
           - "https://neuvector.admin.{{ .Values.domain }}/openId_auth"
       secretName: neuvector-secret
       secretTemplate:
+        userinitcfg.yaml: |-
+          always_reload: true
+          users:
+            - username: admin
+              fullname: admin
+              password: {{ $neuvectorAdminPass }}
+              role: admin
         oidcinitcfg.yaml: |-
           always_reload: true
           client_id: clientField(clientId)
diff --git a/src/neuvector/chart/values.yaml b/src/neuvector/chart/values.yaml
index 9c16875a1..495a6291c 100644
--- a/src/neuvector/chart/values.yaml
+++ b/src/neuvector/chart/values.yaml
@@ -7,3 +7,5 @@ grafana:
   enabled: false
 
 generateInternalCert: false
+
+denyLocalAuth: true
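Review bot: The deny rule matches every method on `/auth`, and if the manager also serves logout on that path (NeuVector's REST auth resource uses DELETE for logout), SSO users would lose the ability to log out while local login is blocked; adding `methods: ["POST"]` next to `paths: ["/auth"]` in the operation would limit the deny to the login request. That logout behaviour is inferred from NeuVector's API layout rather than visible here, so confirm it against the manager's routes before changing the rule. The policy also carries no statement of intent; a header such as `# Blocks username/password login to the manager UI so that only SSO login (/openId_auth) is usable` above `apiVersion` would help the next reader, as would noting that an AuthorizationPolicy is only enforced when the manager pod carries the Istio sidecar.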
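Review bot: `randAlphaNum`, `randAlpha` and `randNumeric` are evaluated on every template render, so each `helm upgrade` assigns a fresh value to `$neuvectorAdminPass`, and because the user template further down sets `always_reload: true`, the admin password presumably gets reset to the new value on every upgrade, discarding any change an operator made through the UI. If that rotation is intended, say so beside the assignment, e.g. `# Regenerated on every render: the local admin password rotates with each helm upgrade`; if it is not, the existing value would have to be read back (for example with `lookup` on the rendered secret) instead of regenerated. The fixed layout (12 alphanumerics, then 2 upper, 2 lower, 2 digits) looks chosen to satisfy a password-complexity policy; a short comment naming the requirement it meets would make the constants less opaque.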
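Review bot: The templated scalar `password: {{ $neuvectorAdminPass }}` is unquoted inside the `userinitcfg.yaml` block scalar; the generated value is alphanumeric and will almost always parse as a string, but writing it as `password: "{{ $neuvectorAdminPass }}"` removes the dependence on the random value's shape (in the rare case it happens to match a YAML number form, such as a `0x` prefix followed only by hex characters, a YAML 1.1 loader reads it as an integer). Note also that, unlike `clientField(clientId)` on the line below, which is a placeholder resolved later, this is the literal password, so it ends up in plaintext in the `Package` custom resource spec and in Helm release history; whether RBAC on that resource type is as restrictive as on Secrets is worth confirming. The enclosing `spec` mapping starts before this hunk.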
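Review bot: `denyLocalAuth: true` is added without a comment, and the values file is the first place an operator will look to learn what the flag does. A line above it such as `# When true, renders an Istio AuthorizationPolicy that denies requests to /auth on the manager pod (local username/password login)` ties the toggle to the template it controls. Defaulting to true is a sound secure default; the same comment should say that setting it to false re-opens local login for the admin account seeded by userinitcfg.yaml.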