[COMMON][SO] Create authorization policy template

Create template for istio authorization policies

Issue-ID: OOM-3148
Change-Id: I081288e8e9b0e8347ee6fd0d656398126826c273
Signed-off-by: AndrewLamb <andrew.a.lamb@est.tech>
diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl
index a685a73..fe2424c 100644
--- a/kubernetes/common/common/templates/_serviceMesh.tpl
+++ b/kubernetes/common/common/templates/_serviceMesh.tpl
@@ -1,5 +1,6 @@
 {{/*
 # Copyright © 2020 Amdocs, Bell Canada, Orange
+# Modifications Copyright © 2023 Nordix Foundation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -66,3 +67,83 @@
         fieldPath: metadata.namespace
 {{- end }}
 {{- end }}
+
+{{/*
+  Use Authorization Policies or not.
+*/}}
+{{- define "common.useAuthorizationPolicies" -}}
+{{-   if (include "common.onServiceMesh" .) }}
+{{-     if .Values.global.authorizationPolicies -}}
+{{-       if (default false .Values.global.authorizationPolicies.enabled) -}}
+true
+{{-       end -}}
+{{-     end -}}
+{{-   end -}}
+{{- end -}}
+
+{{/*
+  Create Authorization Policy template.
+    If common.useAuthorizationPolicies returns true:
+      Will create authorization policy, provided with array of authorized principals in .Values.serviceMesh.authorizationPolicy.authorizedPrincipals
+        in the format:
+          authorizedPrincipals:
+          - serviceAccount: <serviceaccount name>                       (Mandatory)
+            namespace: <namespace name>                                 (Optional, will default to onap)
+            allowedOperationMethods: <list of allowed HTTP operations   (Optional, will default to ["GET", "POST", "PUT", "PATCH", "DELETE"])
+
+      If no authorizedPrincipals provided, will default to denying all requests to the app matched under the
+        spec:
+          selector:
+            matchLabels:
+              app.kubernetes.io/name: <app-to-match>    ("app.kubernetes.io/name" corresponds to key defined in "common.labels", which is included in "common.service")
+
+    If common.useAuthorizationPolicies returns false:
+      Will create an authorization policy without rules, i.e., an allow-all policy
+*/}}
+{{- define "common.authorizationPolicy" -}}
+{{-   $dot := default . .dot -}}
+{{-   $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{-   $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}}
+{{-   $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}}
+{{-   $relName := include "common.release" . -}}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}}
+  namespace: {{ include "common.namespace" . }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "common.servicename" . }}
+  action: ALLOW
+  rules:
+{{-   if (include "common.useAuthorizationPolicies" .) }}
+{{-     if $authorizedPrincipals }}
+{{-       range $principal := $authorizedPrincipals }}
+  - from:
+    - source:
+        principals:
+{{-         $namespace := default "onap" $principal.namespace -}}
+{{-         if eq "onap" $namespace }}
+        - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{-         else }}
+        - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{-         end }}
+    to:
+    - operation:
+        methods:
+{{-         if $principal.allowedOperationMethods }}
+{{-           range $method := $principal.allowedOperationMethods }}
+        - {{ $method }}
+{{-           end }}
+{{-         else }}
+{{-           range $method := $defaultOperationMethods }}
+        - {{ $method }}
+{{-           end }}
+{{-         end }}
+{{-       end }}
+{{-     end }}
+{{-   else }}
+    - {}
+{{-   end }}
+{{- end -}}
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index c7399b3..40ac5ed 100755
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -1,6 +1,7 @@
 # Copyright © 2019 Amdocs, Bell Canada
 # Copyright (c) 2020 Nordix Foundation, Modifications
 # Modifications Copyright © 2020-2021 Nokia
+# Modifications Copyright © 2023 Nordix Foundation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -187,6 +188,10 @@
     # be aware that linkerd is not well tested
     engine: "istio" # valid value: istio or linkerd
 
+  # Global Istio Authorization Policy configuration
+  authorizationPolicies:
+    enabled: false
+
   # metrics part
   # If enabled, exporters (for prometheus) will be deployed
   # if custom resources set to yes, CRD from prometheus operartor will be
diff --git a/kubernetes/so/templates/authorizationpolicy.yaml b/kubernetes/so/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000..7158c02
--- /dev/null
+++ b/kubernetes/so/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml
index 014cbad..a35fe32 100755
--- a/kubernetes/so/values.yaml
+++ b/kubernetes/so/values.yaml
@@ -599,6 +599,15 @@
       name: 'so'
       port: 8080
 
+serviceMesh:
+  authorizationPolicy:
+    authorizedPrincipals:
+      - serviceAccount: consul-read
+      - serviceAccount: consul-server-read
+      - serviceAccount: nbi-read
+      - serviceAccount: istio-ingress
+        namespace: istio-ingress
+
 mso:
   adapters:
     requestDb: