[AAI] Create Authorization Policies for AAI

- Create Authorization Policies for AAI
- Add initial authorized serviceAccounts for each sub-component service

Issue-ID: OOM-3126
Change-Id: Ic7fdaf595ae3534805a39859fe8e02b81999bef3
Signed-off-by: amatthews <adrian.matthews@est.tech>
Signed-off-by: AndrewLamb <andrew.a.lamb@est.tech>
diff --git a/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml
index bbc64d2..718651d 100644
--- a/kubernetes/aai/components/aai-babel/values.yaml
+++ b/kubernetes/aai/components/aai-babel/values.yaml
@@ -71,6 +71,13 @@
   config:
     ssl: "redirect"
 
+serviceMesh:
+  authorizationPolicy:
+    authorizedPrincipals:
+      - serviceAccount: aai-modelloader-read
+      - serviceAccount: istio-ingress
+        namespace: istio-ingress
+
 resources:
   small:
     limits:
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml
index 3e3d685..253a11c 100644
--- a/kubernetes/aai/components/aai-graphadmin/values.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/values.yaml
@@ -202,6 +202,11 @@
 ingress:
   enabled: false
 
+# No inbound communications.
+serviceMesh:
+  authorizationPolicy:
+    authorizedPrincipals: []
+
 persistence:
   enabled: true
   ## A manually managed Persistent Volume and Claim
diff --git a/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml
index a966776..613604f 100644
--- a/kubernetes/aai/components/aai-resources/values.yaml
+++ b/kubernetes/aai/components/aai-resources/values.yaml
@@ -205,6 +205,12 @@
 ingress:
   enabled: false
 
+serviceMesh:
+  authorizationPolicy:
+    authorizedPrincipals:
+      - serviceAccount: aai-read
+      - serviceAccount: consul-read
+
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
diff --git a/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml
index 19ee9d4..88f1786 100644
--- a/kubernetes/aai/components/aai-schema-service/values.yaml
+++ b/kubernetes/aai/components/aai-schema-service/values.yaml
@@ -98,6 +98,13 @@
 ingress:
   enabled: false
 
+serviceMesh:
+  authorizationPolicy:
+    authorizedPrincipals:
+      - serviceAccount: aai-graphadmin-read
+      - serviceAccount: aai-resources-read
+      - serviceAccount: aai-traversal-read
+
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
diff --git a/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml
index 8ec4553..7fe0a62 100644
--- a/kubernetes/aai/components/aai-sparky-be/values.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/values.yaml
@@ -95,6 +95,12 @@
   config:
     ssl: "redirect"
 
+serviceMesh:
+  authorizationPolicy:
+    authorizedPrincipals:
+      - serviceAccount: istio-ingress
+        namespace: istio-ingress
+
 podAnnotations:
   sidecar.istio.io/rewriteAppHTTPProbers: "false"
 
diff --git a/kubernetes/aai/components/aai-traversal/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-traversal/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..5a9baa8
--- /dev/null
+++ b/kubernetes/aai/components/aai-traversal/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml
index 106b440..fac033b 100644
--- a/kubernetes/aai/components/aai-traversal/values.yaml
+++ b/kubernetes/aai/components/aai-traversal/values.yaml
@@ -228,6 +228,12 @@
 ingress:
   enabled: false
 
+serviceMesh:
+  authorizationPolicy:
+    authorizedPrincipals:
+      - serviceAccount: aai-read
+      - serviceAccount: consul-read
+
 # To make logback capping values configurable
 logback:
   logToFileEnabled: true
diff --git a/kubernetes/aai/templates/authorizationpolicy.yaml b/kubernetes/aai/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..fa59f52
--- /dev/null
+++ b/kubernetes/aai/templates/authorizationpolicy.yaml
@@ -0,0 +1,100 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}}
+{{- $authorizedPrincipalsMetrics := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsMetrics -}}
+{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}}
+{{- $relName := include "common.release" . -}}
+
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}}
+  namespace: {{ include "common.namespace" . }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ include "common.name" . }}
+  action: ALLOW
+  rules:
+{{-   if $authorizedPrincipals }}
+{{-     range $principal := $authorizedPrincipals }}
+  - from:
+    - source:
+        principals:
+{{-       $namespace := default "onap" $principal.namespace -}}
+{{-       if eq "onap" $namespace }}
+        - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{-       else }}
+        - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{-       end }}
+    to:
+    - operation:
+        methods:
+{{-       if $principal.allowedOperationMethods }}
+{{-         range $method := $principal.allowedOperationMethods }}
+        - {{ $method }}
+{{-         end }}
+{{-       else }}
+{{-           range $method := $defaultOperationMethods }}
+        - {{ $method }}
+{{-         end }}
+{{-       end }}
+{{-     end }}
+{{-   end }}
+{{- end }}
+---
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ include "common.fullname" (dict "suffix" "metrics-authz" "dot" . )}}
+  namespace: {{ include "common.namespace" . }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ include "common.name" . }}-metrics
+  action: ALLOW
+  rules:
+{{-   if $authorizedPrincipalsMetrics }}
+{{-     range $principal := $authorizedPrincipalsMetrics }}
+  - from:
+    - source:
+        principals:
+{{-       $namespace := default "onap" $principal.namespace -}}
+{{-       if eq "onap" $namespace }}
+        - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{-       else }}
+        - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{-       end }}
+    to:
+    - operation:
+        methods:
+{{-       if $principal.allowedOperationMethods }}
+{{-         range $method := $principal.allowedOperationMethods }}
+        - {{ $method }}
+{{-         end }}
+{{-       else }}
+{{-           range $method := $defaultOperationMethods }}
+        - {{ $method }}
+{{-         end }}
+{{-       end }}
+{{-     end }}
+{{-   end }}
+{{- end }}
diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml
index 58f1723..87de5a3 100644
--- a/kubernetes/aai/values.yaml
+++ b/kubernetes/aai/values.yaml
@@ -396,6 +396,34 @@
       config:
        ssl: "redirect"
 
+serviceMesh:
+  authorizationPolicy:
+    authorizedPrincipalsMetrics: []
+    authorizedPrincipals:
+      - serviceAccount: aai-graphadmin-read
+      - serviceAccount: aai-modelloader-read
+      - serviceAccount: aai-resources-read
+      - serviceAccount: aai-schema-service-read
+      - serviceAccount: aai-traversal-read
+      - serviceAccount: cds-blueprints-processor-read
+      - serviceAccount: consul-read
+      - serviceAccount: dcae-prh-read
+      - serviceAccount: dcae-slice-analysis-ms-read
+      - serviceAccount: dcae-tcagen2
+      - serviceAccount: nbi-read
+      - serviceAccount: sdnc-read
+      - serviceAccount: so-read
+      - serviceAccount: so-bpmn-infra-read
+      - serviceAccount: so-cnf-adapter-read
+      - serviceAccount: so-nssmf-adapter-read
+      - serviceAccount: so-etsi-nfvo-ns-lcm-read
+      - serviceAccount: so-etsi-sol003-adapter-read
+      - serviceAccount: so-openstack-adapter-read
+      - serviceAccount: so-sdc-controller-read
+      - serviceAccount: so-ve-vnfm-adapter
+      - serviceAccount: istio-ingress
+        namespace: istio-ingress
+
 resources:
   small:
     limits: