Skip to content

Commit

Permalink
🔒 first iteration ingress hardenning
Browse files Browse the repository at this point in the history
  • Loading branch information
Yoan Moscatelli committed Nov 29, 2024
1 parent c28c59c commit be2b904
Show file tree
Hide file tree
Showing 8 changed files with 88 additions and 20 deletions.
6 changes: 4 additions & 2 deletions buildchain/buildchain/codegen.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -157,8 +157,10 @@ def codegen_chart_ingress_nginx() -> types.TaskDict:
value_file = constants.CHART_ROOT / "ingress-nginx-control-plane.yaml"
actions.append(
doit.action.CmdAction(
f"{constants.CHART_RENDER_CMD} ingress-nginx-control-plane {value_file} "
f"{chart_dir} --namespace metalk8s-ingress --output {target_sls}",
f"{constants.CHART_RENDER_CMD} ingress-nginx-control-plane {value_file} {chart_dir} "
f"--namespace metalk8s-ingress --remove-manifest ConfigMap "
f"ingress-nginx-control-plane-controller "
f"--output {target_sls}",
cwd=constants.ROOT,
)
)
Expand Down
11 changes: 11 additions & 0 deletions salt/metalk8s/addons/nginx-ingress-control-plane/config/ingress-controller.yaml.j2
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
#!jinja|yaml

# Defaults for configuration of Ingress Controller
apiVersion: addons.metalk8s.scality.com/v1alpha2
kind: IngressControllerConfig
spec:
config:
allow-snippet-annotations: 'true'
hide-headers: 'Server,X-Powered-By'
ssl-ciphers: 'EECDH+AESGCM:EDH+AESGCM'
ssl-protocols: 'TLSv1.2 TLSv1.3'
17 changes: 0 additions & 17 deletions salt/metalk8s/addons/nginx-ingress-control-plane/deployed/chart.sls
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,23 +23,6 @@ metadata:
name: ingress-nginx-control-plane
namespace: metalk8s-ingress
---
apiVersion: v1
data:
allow-snippet-annotations: 'true'
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx-control-plane
app.kubernetes.io/managed-by: salt
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: metalk8s
app.kubernetes.io/version: 1.10.3
helm.sh/chart: ingress-nginx-4.10.3
heritage: metalk8s
name: ingress-nginx-control-plane-controller
namespace: metalk8s-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand Down
29 changes: 29 additions & 0 deletions salt/metalk8s/addons/nginx-ingress-control-plane/deployed/config-map.sls
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
{%- set ingress_controller_defaults = salt.slsutil.renderer(
'salt://metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2', saltenv=saltenv
)
%}

{%- set ingress_controller = salt.metalk8s_service_configuration.get_service_conf(
'metalk8s-ingress', 'metalk8s-ingress-controller-config', ingress_controller_defaults
)
%}

Create Ingress Controller configuration Config Map:
metalk8s_kubernetes.object_present:
- manifest:
apiVersion: v1
kind: ConfigMap
metadata:
name: ingress-nginx-controller
namespace: metalk8s-ingress
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: salt
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: metalk8s
heritage: metalk8s
annotations:
ingressclass.kubernetes.io/is-default-class: "true"
data:
{{ ingress_controller.spec.config | yaml(False) | indent(10) }}
2 changes: 2 additions & 0 deletions salt/metalk8s/addons/nginx-ingress-control-plane/deployed/init.sls
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,5 @@ include:
- metalk8s.addons.nginx-ingress.deployed.namespace
- .tls-secret
- .chart
- .service-configuration
- .config-map
37 changes: 37 additions & 0 deletions salt/metalk8s/addons/nginx-ingress-control-plane/deployed/service-configuration.sls
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
include:
- .namespace

{%- set namespace = 'metalk8s-ingress' %}
{%- set name = 'metalk8s-ingress-control-plane-controller-config' %}

{%- set ingress_service_config = salt.metalk8s_kubernetes.get_object(
kind='ConfigMap',
apiVersion='v1',
namespace=namespace,
name=name
)
%}

{%- if ingress_service_config is none %}

Create Ingress ServiceConfiguration (metalk8s-ingress/metalk8s-ingress-control-plane-controller-config):
metalk8s_kubernetes.object_present:
- manifest:
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ name }}
namespace: {{ namespace }}
data:
config.yaml: |-
apiVersion: addons.metalk8s.scality.com/v1alpha2
kind: IngressControllerConfig
spec: {}


{%- else %}

Ingress ServiceConfiguration already exists:
test.succeed_without_changes: []

{%- endif %}
3 changes: 3 additions & 0 deletions salt/metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,6 @@ kind: IngressControllerConfig
spec:
config:
allow-snippet-annotations: 'true'
hide-headers: 'Server,X-Powered-By'
ssl-ciphers: 'EECDH+AESGCM:EDH+AESGCM'
ssl-protocols: 'TLSv1.2 TLSv1.3'
3 changes: 2 additions & 1 deletion salt/metalk8s/addons/nginx-ingress/deployed/config-map.sls
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ Create Ingress Controller configuration Config Map:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: metalk8s
heritage: metalk8s
annotations:
ingressclass.kubernetes.io/is-default-class: "true"
data:
{{ ingress_controller.spec.config | yaml(False) | indent(10) }}

0 comments on commit be2b904

Please sign in to comment.