diff --git a/charts/base/Chart.lock b/charts/base/Chart.lock index 2eac893..66134e4 100644 --- a/charts/base/Chart.lock +++ b/charts/base/Chart.lock @@ -4,6 +4,6 @@ dependencies: version: 0.1.3 - name: zero-trust-mesh repository: https://dasmeta.github.io/helm - version: 0.1.3 -digest: sha256:e7ff901ebce4f9fa8dbaea29f55b6504a4c102dfab5184ab65516eb11cbbfdbb -generated: "2026-05-12T18:41:21.80521+04:00" + version: 0.1.4 +digest: sha256:30c9d3bbf30655057ba330fc10b341a63636f4887de22569a71de6bba25ef21e +generated: "2026-05-25T15:23:18.894969+04:00" diff --git a/charts/base/Chart.yaml b/charts/base/Chart.yaml index 2408a9c..ab42e73 100644 --- a/charts/base/Chart.yaml +++ b/charts/base/Chart.yaml @@ -30,7 +30,7 @@ dependencies: alias: gatewayApi condition: gatewayApi.enabled - name: zero-trust-mesh - version: 0.1.3 + version: 0.1.4 repository: "https://dasmeta.github.io/helm" alias: zeroTrustMesh condition: zeroTrustMesh.enabled diff --git a/charts/base/charts/zero-trust-mesh-0.1.3.tgz b/charts/base/charts/zero-trust-mesh-0.1.3.tgz deleted file mode 100644 index 8f5b13f..0000000 Binary files a/charts/base/charts/zero-trust-mesh-0.1.3.tgz and /dev/null differ diff --git a/charts/base/charts/zero-trust-mesh-0.1.4.tgz b/charts/base/charts/zero-trust-mesh-0.1.4.tgz new file mode 100644 index 0000000..b13642d Binary files /dev/null and b/charts/base/charts/zero-trust-mesh-0.1.4.tgz differ diff --git a/charts/base/values.yaml b/charts/base/values.yaml index 0bfc573..cc92a03 100644 --- a/charts/base/values.yaml +++ b/charts/base/values.yaml 
@@ -1026,21 +1026,24 @@ gatewayApi: # - providers: # - name: envoy -# zero-trust-mesh subchart (zero-trust-mesh-0.1.3). Disabled by default; enable per release. +# zero-trust-mesh subchart (zero-trust-mesh-0.1.4). Disabled by default; enable per release. # Values under this key are passed to the subchart. zeroTrustMesh: enabled: false # Keep empty by default so enabling the subchart from base does not create - # sample service or external egress allow rules. - allowTo: [] + # sample ingress or egress allow rules. + allowPolicies: [] # enabled: true # namespaceResourcesEnabled: true - # allowTo: - # - service: backend + # allowPolicies: + # - type: ingress + # service: gateway + # port: 80 + # - type: egress + # service: backend # port: 8080 - # methods: ["GET", "POST"] - # paths: ["/*"] - # - hosts: + # - type: egress + # hosts: # - google.com # - www.google.com diff --git a/examples/base/with-zero-trust-mesh.yaml b/examples/base/with-zero-trust-mesh.yaml index 0d2d3a0..aa3524d 100644 --- a/examples/base/with-zero-trust-mesh.yaml +++ b/examples/base/with-zero-trust-mesh.yaml @@ -13,7 +13,7 @@ service: port: 80 protocol: TCP -# Make pod/service selectors explicit so zeroTrustMesh `workload` maps correctly. +# Make pod/service selectors explicit so zeroTrustMesh `service` maps correctly. selectorLabelsOverride: app: nginx-curl-test @@ -53,12 +53,22 @@ gatewayApi: zeroTrustMesh: enabled: true - namespaceResourcesEnabled: true - allowTo: - - service: backend + namespaceResourcesEnabled: false + service: test-service + denyAll: + enabled: true + podLabels: + app: test-service + allowPolicies: + - type: ingress + service: nginx + podLabels: + app: nginx + port: 80 + - type: egress + service: backend port: 8080 - methods: ["GET", "POST"] - paths: ["/*"] - - hosts: + - type: egress + hosts: - google.com - www.google.com diff --git a/examples/zero-trust-mesh/ip-egress.yaml b/examples/zero-trust-mesh/ip-egress.yaml index 9581f3a..7dab69b 100644 
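Review bot: The commented `zeroTrustMesh` example shows `allowPolicies` entries but no `denyAll`, while this same commit's examples/base/with-zero-trust-mesh.yaml pairs them with `service`, `denyAll.enabled: true` and `denyAll.podLabels`; a reader copying the base example gets allow rules with, as far as this diff shows, nothing that denies the rest. Add the deny block to the example ahead of `# allowPolicies:`, e.g. `# service: <release-service>` / `# denyAll:` / `#   enabled: true` (plus its `podLabels`). The bump also renames the values interface (`allowTo` -> `allowPolicies` with a per-entry `type: ingress|egress`, and per the other hunks `workload` -> `service`, `serviceDenyAll` -> `denyAll`, `targetPodLabels` -> `podLabels`) and the example drops `methods`/`paths`; a release still setting the old keys presumably gets no rules at all, so a comment such as `# 0.1.4 renamed allowTo -> allowPolicies (entries need type: ingress|egress); old keys are not honoured, migrate before upgrading` belongs here. If 0.1.4 still supports method/path restrictions, keep them in the example rather than showing only port-level allows.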
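Review bot: `denyAll.podLabels` is set to `app: test-service`, but the earlier hunk in this file sets `selectorLabelsOverride: app: nginx-curl-test`, so if `podLabels` is the pod selector of the deny policy (the way `podLabels` selects target pods in examples/zero-trust-mesh/target-pod-labels.yaml) the default deny matches no pod of this release and silently applies to nothing while the allow rules still render. Align it with the workload's actual labels, `podLabels:` / `  app: nginx-curl-test`, or derive both from one value so they cannot drift. Switching `namespaceResourcesEnabled` to `false` also removes the namespace-wide default deny this example previously relied on, so other workloads in the namespace are no longer covered; a one-line comment stating that the deny is now per-service would save readers from assuming otherwise.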
--- a/examples/zero-trust-mesh/ip-egress.yaml +++ b/examples/zero-trust-mesh/ip-egress.yaml @@ -1,8 +1,9 @@ # helm template ztm-ip-egress ./charts/zero-trust-mesh -n default -f ./examples/zero-trust-mesh/ip-egress.yaml -workload: frontend +service: frontend namespaceResourcesEnabled: false -allowTo: - - ips: +allowPolicies: + - type: egress + ips: - 192.0.2.10 - 198.51.100.0/24 ports: diff --git a/examples/zero-trust-mesh/service-deny-all.yaml b/examples/zero-trust-mesh/service-deny-all.yaml index 412ea15..9b4ee98 100644 --- a/examples/zero-trust-mesh/service-deny-all.yaml +++ b/examples/zero-trust-mesh/service-deny-all.yaml @@ -1,9 +1,8 @@ # helm template ztm-service-deny-all ./charts/zero-trust-mesh -n default -f ./examples/zero-trust-mesh/service-deny-all.yaml -workload: frontend +service: frontend namespaceResourcesEnabled: false -serviceDenyAll: +denyAll: enabled: true podLabels: app: frontend component: api - diff --git a/examples/zero-trust-mesh/target-pod-labels.yaml b/examples/zero-trust-mesh/target-pod-labels.yaml index 1141892..5358553 100644 --- a/examples/zero-trust-mesh/target-pod-labels.yaml +++ b/examples/zero-trust-mesh/target-pod-labels.yaml @@ -1,11 +1,15 @@ # helm template ztm-target-pod-labels ./charts/zero-trust-mesh -n default -f ./examples/zero-trust-mesh/target-pod-labels.yaml -workload: frontend +service: frontend namespaceResourcesEnabled: false -allowTo: - - service: backend - targetPodLabels: +denyAll: + enabled: true + podLabels: + app: frontend + component: web +allowPolicies: + - type: egress + service: backend + podLabels: app: backend component: api port: 8080 - methods: ["GET"] - paths: ["/api/*"] diff --git a/examples/zero-trust-mesh/values.namespace.yaml b/examples/zero-trust-mesh/values.namespace.yaml index 0bec288..8a8b228 100644 --- a/examples/zero-trust-mesh/values.namespace.yaml +++ b/examples/zero-trust-mesh/values.namespace.yaml 
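Review bot: This example keeps only an egress allow entry and no `denyAll`, whereas examples/zero-trust-mesh/target-pod-labels.yaml in the same commit adds a `denyAll` block next to its `allowPolicies`; from the values alone it is unclear whether the IP allow-list restricts anything without a default deny. Either add `denyAll:` / `  enabled: true` / `  podLabels: {app: frontend}` after `namespaceResourcesEnabled: false`, or add a comment stating the file is meant to be layered on the namespace default deny from values.namespace.yaml. The entry continues past `ports:` outside the hunk.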
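Review bot: Removing `methods: ["GET"]` and `paths: ["/api/*"]` widens the egress rule to `backend` from GET on /api/* to every method and path on port 8080, and nothing in the diff says whether 0.1.4 dropped L7 matching or the example merely stopped showing it. If the keys are still supported, keep them on the entry; if not, add a comment above `allowPolicies:` such as `# 0.1.4 rules are L4 only (service/podLabels/port); the 0.1.3 method/path restrictions are not applied` so readers do not assume the narrower scope this file used to demonstrate. The new `denyAll.podLabels` selecting the frontend by `app` and `component` is the right shape; a short comment noting that it must match the frontend pods' labels exactly would help, since a mismatch leaves nothing denied.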
@@ -8,5 +8,5 @@ namespace: default # - default deny AuthorizationPolicy namespaceResourcesEnabled: true -# Keep allowTo list empty so no service-level rules are created. -allowTo: [] +# Keep allowPolicies empty so no service-level rules are created. +allowPolicies: []