From 163119483bf4b50437dffd78024636e5944fc32e Mon Sep 17 00:00:00 2001
From: Jacek Ewertowski
Date: Thu, 14 Mar 2024 00:38:48 +0100
Subject: [PATCH] OSSM-5556: Set `net.ipv4.ip_unprivileged_port_start=0` in ingress and egress gateways (#951)

* OSSM-5556: Use net.ipv4.ip_unprivileged_port_start=0 in gateways chart
Signed-off-by: Jacek Ewertowski
* Apply change to injected-deployment
Signed-off-by: Jacek Ewertowski
---------
Co-authored-by: Jacek Ewertowski
Signed-off-by: Yann Liu
---
 .../charts/gateways/istio-egress/templates/deployment.yaml | 7 +++----
 .../istio-egress/templates/injected-deployment.yaml | 7 +++----
 manifests/charts/gateways/istio-egress/values.yaml | 4 ++--
 .../gateways/istio-ingress/templates/deployment.yaml | 7 +++----
 .../istio-ingress/templates/injected-deployment.yaml | 7 +++----
 manifests/charts/gateways/istio-ingress/values.yaml | 4 ++--
 6 files changed, 16 insertions(+), 20 deletions(-)

diff --git a/manifests/charts/gateways/istio-egress/templates/deployment.yaml b/manifests/charts/gateways/istio-egress/templates/deployment.yaml
index 1bdaa8e155..ea52764e6a 100644
--- a/manifests/charts/gateways/istio-egress/templates/deployment.yaml
+++ b/manifests/charts/gateways/istio-egress/templates/deployment.yaml
@@ -58,6 +58,9 @@ spec:
 runAsGroup: 1337
 {{- end }}
 runAsNonRoot: true
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "0"
 {{- end }}
 serviceAccountName: {{ $gateway.name }}-service-account
 {{- if .Values.global.priorityClassName }}
@@ -207,10 +210,6 @@ spec:
 - name: TRUST_DOMAIN
 value: "{{ .Values.meshConfig.trustDomain }}"
 {{- end }}
- {{- if not $gateway.runAsRoot }}
- - name: ISTIO_META_UNPRIVILEGED_POD
- value: "true"
- {{- end }}
 {{- range $key, $val := $gateway.env }}
 - name: {{ $key }}
 value: "{{ $val }}"
diff --git a/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml b/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml
index 4fa160c849..fb9e1966d6 100644
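Review bot: The new `sysctls` entry depends on the cluster treating net.ipv4.ip_unprivileged_port_start as a safe sysctl, which the hunk does not document; a kubelet that does not (Kubernetes releases before 1.22, or a cluster with a stricter admission policy) rejects the pod outright rather than falling back to the old behaviour. The setting also applies to the whole pod network namespace, so every container in the gateway pod, not just the proxy, can bind any port once it is set. A comment above `sysctls:` would make the trade-off explicit, e.g. `# Lets the non-root proxy bind 80/443 directly; pod-scoped, and requires a kubelet that allows this sysctl (in the safe set since Kubernetes 1.22)`. The `{{- if }}` closed by the trailing `{{- end }}` starts outside the hunk, so whether the sysctl is skipped for runAsRoot gateways is not visible here. The same hunk appears in istio-egress/injected-deployment.yaml and in both istio-ingress templates.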
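Review bot: Dropping ISTIO_META_UNPRIVILEGED_POD is coupled to the targetPort changes in the two values.yaml hunks (8080 to 80, 8443 to 443), but nothing in the templates enforces that pairing: a user values override that still lists `targetPort: 8080` keeps the Service pointed at a port the proxy presumably stops listening on once the unprivileged-pod metadata is gone (the port translation itself lives in istiod, outside this diff). Consider a comment on the `ports:` entries in both values files, e.g. `# targetPort must equal the Gateway listener port: with ip_unprivileged_port_start=0 the proxy binds 80/443 directly and no 8080/8443 mapping happens`, plus an upgrade note for users who override ports. The same removal appears in istio-egress/injected-deployment.yaml and in both istio-ingress templates.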
--- a/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml
+++ b/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml
@@ -62,6 +62,9 @@ spec:
 runAsGroup: 1337
 {{- end }}
 runAsNonRoot: true
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "0"
 {{- end }}
 serviceAccountName: {{ $gateway.name | default "istio-egressgateway" }}-service-account
 {{- if .Values.global.priorityClassName }}
@@ -97,10 +100,6 @@ spec:
 {{ toYaml .Values.global.defaultResources | indent 12 }}
 {{- end }}
 env:
- {{- if not $gateway.runAsRoot }}
- - name: ISTIO_META_UNPRIVILEGED_POD
- value: "true"
- {{- end }}
 {{- range $key, $val := $gateway.env }}
 - name: {{ $key }}
 value: {{ $val | quote }}
diff --git a/manifests/charts/gateways/istio-egress/values.yaml b/manifests/charts/gateways/istio-egress/values.yaml
index 91c355764b..fac5909ada 100644
--- a/manifests/charts/gateways/istio-egress/values.yaml
+++ b/manifests/charts/gateways/istio-egress/values.yaml
@@ -5,12 +5,12 @@ gateways:
 name: istio-egressgateway
 ports:
 - port: 80
- targetPort: 8080
+ targetPort: 80
 name: http2
 protocol: TCP
 - port: 443
 name: https
- targetPort: 8443
+ targetPort: 443
 protocol: TCP
 labels:
diff --git a/manifests/charts/gateways/istio-ingress/templates/deployment.yaml b/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
index 081a6d1f57..465b026525 100644
--- a/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
+++ b/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
@@ -58,6 +58,9 @@ spec:
 runAsGroup: 1337
 {{- end }}
 runAsNonRoot: true
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "0"
 {{- end }}
 serviceAccountName: {{ $gateway.name }}-service-account
 {{- if .Values.global.priorityClassName }}
@@ -207,10 +210,6 @@ spec:
 - name: TRUST_DOMAIN
 value: "{{ .Values.meshConfig.trustDomain }}"
 {{- end }}
- {{- if not $gateway.runAsRoot }}
- - name: ISTIO_META_UNPRIVILEGED_POD
- value: "true"
- {{- end }}
 {{- range $key, $val := $gateway.env }}
 - name: {{ $key }}
 value: "{{ $val }}"
diff --git a/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml b/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml
index ec4a4e0fe9..e510c41fb0 100644
--- a/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml
+++ b/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml
@@ -62,6 +62,9 @@ spec:
 runAsGroup: 1337
 {{- end }}
 runAsNonRoot: true
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "0"
 {{- end }}
 serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
 {{- if .Values.global.priorityClassName }}
@@ -97,10 +100,6 @@ spec:
 {{ toYaml .Values.global.defaultResources | indent 12 }}
 {{- end }}
 env:
- {{- if not $gateway.runAsRoot }}
- - name: ISTIO_META_UNPRIVILEGED_POD
- value: "true"
- {{- end }}
 {{- range $key, $val := $gateway.env }}
 - name: {{ $key }}
 value: {{ $val | quote }}
diff --git a/manifests/charts/gateways/istio-ingress/values.yaml b/manifests/charts/gateways/istio-ingress/values.yaml
index 12c272e26b..1293d70369 100644
--- a/manifests/charts/gateways/istio-ingress/values.yaml
+++ b/manifests/charts/gateways/istio-ingress/values.yaml
@@ -17,11 +17,11 @@ gateways:
 name: status-port
 protocol: TCP
 - port: 80
- targetPort: 8080
+ targetPort: 80
 name: http2
 protocol: TCP
 - port: 443
- targetPort: 8443
+ targetPort: 443
 name: https
 protocol: TCP