From be2b904392ae6d346e835ceb436933080e924c0d Mon Sep 17 00:00:00 2001 From: Yoan Moscatelli Date: Thu, 28 Nov 2024 14:29:51 +0100 Subject: [PATCH] :lock: first iteration ingress hardenning --- buildchain/buildchain/codegen.py | 6 ++- .../config/ingress-controller.yaml.j2 | 11 ++++++ .../deployed/chart.sls | 17 --------- .../deployed/config-map.sls | 29 +++++++++++++++ .../deployed/init.sls | 2 + .../deployed/service-configuration.sls | 37 +++++++++++++++++++ .../config/ingress-controller.yaml.j2 | 3 ++ .../nginx-ingress/deployed/config-map.sls | 3 +- 8 files changed, 88 insertions(+), 20 deletions(-) create mode 100644 salt/metalk8s/addons/nginx-ingress-control-plane/config/ingress-controller.yaml.j2 create mode 100644 salt/metalk8s/addons/nginx-ingress-control-plane/deployed/config-map.sls create mode 100644 salt/metalk8s/addons/nginx-ingress-control-plane/deployed/service-configuration.sls diff --git a/buildchain/buildchain/codegen.py b/buildchain/buildchain/codegen.py index e44b2bdf50..50b9faf9e2 100644 --- a/buildchain/buildchain/codegen.py +++ b/buildchain/buildchain/codegen.py @@ -157,8 +157,10 @@ def codegen_chart_ingress_nginx() -> types.TaskDict: value_file = constants.CHART_ROOT / "ingress-nginx-control-plane.yaml" actions.append( doit.action.CmdAction( - f"{constants.CHART_RENDER_CMD} ingress-nginx-control-plane {value_file} " - f"{chart_dir} --namespace metalk8s-ingress --output {target_sls}", + f"{constants.CHART_RENDER_CMD} ingress-nginx-control-plane {value_file} {chart_dir} " + f"--namespace metalk8s-ingress --remove-manifest ConfigMap " + f"ingress-nginx-control-plane-controller " + f"--output {target_sls}", cwd=constants.ROOT, ) ) diff --git a/salt/metalk8s/addons/nginx-ingress-control-plane/config/ingress-controller.yaml.j2 b/salt/metalk8s/addons/nginx-ingress-control-plane/config/ingress-controller.yaml.j2 new file mode 100644 index 0000000000..accad03a8d --- /dev/null 
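Review bot: The manifest dropped here is `ConfigMap ingress-nginx-control-plane-controller`, but the replacement state added by this patch (`nginx-ingress-control-plane/deployed/config-map.sls`) creates a ConfigMap named `ingress-nginx-controller`, so unless the control-plane controller's `--configmap` argument is repointed elsewhere the controller is left with no ConfigMap of its own and the new ssl/header settings never reach it. As a point of style, the manifest name is also split across two f-string literals (`... --remove-manifest ConfigMap "` / `f"ingress-nginx-control-plane-controller "`), which is easy to misread and to break on a later edit; keeping the option and its value in one literal, `f"--namespace metalk8s-ingress "` / `f"--remove-manifest ConfigMap ingress-nginx-control-plane-controller "`, reads more safely. The enclosing codegen_chart_ingress_nginx body continues outside the hunk.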
+++ b/salt/metalk8s/addons/nginx-ingress-control-plane/config/ingress-controller.yaml.j2 @@ -0,0 +1,11 @@ +#!jinja|yaml + +# Defaults for configuration of Ingress Controller +apiVersion: addons.metalk8s.scality.com/v1alpha2 +kind: IngressControllerConfig +spec: + config: + allow-snippet-annotations: 'true' + hide-headers: 'Server,X-Powered-By' + ssl-ciphers: 'EECDH+AESGCM:EDH+AESGCM' + ssl-protocols: 'TLSv1.2 TLSv1.3' diff --git a/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/chart.sls b/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/chart.sls index 889579c38e..ec14b94fcf 100644 --- a/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/chart.sls +++ b/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/chart.sls @@ -23,23 +23,6 @@ metadata: name: ingress-nginx-control-plane namespace: metalk8s-ingress --- -apiVersion: v1 -data: - allow-snippet-annotations: 'true' -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx-control-plane - app.kubernetes.io/managed-by: salt - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 1.10.3 - helm.sh/chart: ingress-nginx-4.10.3 - heritage: metalk8s - name: ingress-nginx-control-plane-controller - namespace: metalk8s-ingress ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/config-map.sls b/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/config-map.sls new file mode 100644 index 0000000000..ed3fa5d2b8 --- /dev/null +++ b/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/config-map.sls 
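Review bot: `allow-snippet-annotations: 'true'` is kept in a default set that this commit presents as hardening, yet snippet annotations let anyone who can create an Ingress object inject raw nginx directives into the controller, and recent upstream ingress-nginx releases default this setting to false. Unless a known consumer depends on it, set it to `'false'` here and in the identical hunk to `salt/metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2` later in this patch, or at least record the reason with a comment such as `# allow-snippet-annotations lets Ingress authors inject raw nginx config; kept on for <CONSUMER — fill in>, review before next release`. The `ssl-ciphers` string only governs TLS 1.2 negotiation (TLS 1.3 suites are not selected by this directive), which is fine but deserves a one-line comment so nobody expects it to constrain 1.3.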
@@ -0,0 +1,29 @@ +{%- set ingress_controller_defaults = salt.slsutil.renderer( + 'salt://metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2', saltenv=saltenv + ) +%} + +{%- set ingress_controller = salt.metalk8s_service_configuration.get_service_conf( + 'metalk8s-ingress', 'metalk8s-ingress-controller-config', ingress_controller_defaults + ) +%} + +Create Ingress Controller configuration Config Map: + metalk8s_kubernetes.object_present: + - manifest: + apiVersion: v1 + kind: ConfigMap + metadata: + name: ingress-nginx-controller + namespace: metalk8s-ingress + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/managed-by: salt + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: metalk8s + heritage: metalk8s + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + data: + {{ ingress_controller.spec.config | yaml(False) | indent(10) }} diff --git a/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/init.sls b/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/init.sls index c1a259eee6..b202872be4 100644 --- a/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/init.sls +++ b/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/init.sls @@ -2,3 +2,5 @@ include: - metalk8s.addons.nginx-ingress.deployed.namespace - .tls-secret - .chart + - .service-configuration + - .config-map diff --git a/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/service-configuration.sls b/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/service-configuration.sls new file mode 100644 index 0000000000..13083ed63b --- /dev/null +++ b/salt/metalk8s/addons/nginx-ingress-control-plane/deployed/service-configuration.sls 
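Review bot: This new control-plane state is byte-identical to the workload-plane one (both carry blob `ed3fa5d2b8` in this patch), so it still loads defaults from `salt://metalk8s/addons/nginx-ingress/config/...`, reads the `metalk8s-ingress-controller-config` ConfigMap instead of the `metalk8s-ingress-control-plane-controller-config` one created by the new service-configuration.sls, and writes a ConfigMap named `ingress-nginx-controller` with instance label `ingress-nginx` — the very object the workload-plane state manages — while the control-plane controller's own ConfigMap (`ingress-nginx-control-plane-controller`, removed from chart.sls) is no longer created anywhere. The result is two states competing for one ConfigMap and a control-plane controller with no configuration at all, so the references should be made control-plane specific as sketched below. Separately, `ingressclass.kubernetes.io/is-default-class` is an IngressClass annotation and is inert on a ConfigMap, so the `annotations:` block added here and in the `nginx-ingress/deployed/config-map.sls` hunk later in this patch should move to the IngressClass manifest or be dropped.
```yaml
{%- set ingress_controller_defaults = salt.slsutil.renderer(
    'salt://metalk8s/addons/nginx-ingress-control-plane/config/ingress-controller.yaml.j2', saltenv=saltenv
  )
%}

{%- set ingress_controller = salt.metalk8s_service_configuration.get_service_conf(
    'metalk8s-ingress', 'metalk8s-ingress-control-plane-controller-config', ingress_controller_defaults
  )
%}

Create Ingress Controller configuration Config Map:
  metalk8s_kubernetes.object_present:
    - manifest:
        # … unchanged: apiVersion, kind …
        metadata:
          name: ingress-nginx-control-plane-controller
          namespace: metalk8s-ingress
          labels:
            app.kubernetes.io/instance: ingress-nginx-control-plane
            # … unchanged: other labels; annotations block dropped …
        # … unchanged: data …
```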
@@ -0,0 +1,37 @@ +include: + - .namespace + +{%- set namespace = 'metalk8s-ingress' %} +{%- set name = 'metalk8s-ingress-control-plane-controller-config' %} + +{%- set ingress_service_config = salt.metalk8s_kubernetes.get_object( + kind='ConfigMap', + apiVersion='v1', + namespace=namespace, + name=name + ) +%} + +{%- if ingress_service_config is none %} + +Create Ingress ServiceConfiguration (metalk8s-ingress/metalk8s-ingress-control-plane-controller-config): + metalk8s_kubernetes.object_present: + - manifest: + apiVersion: v1 + kind: ConfigMap + metadata: + name: {{ name }} + namespace: {{ namespace }} + data: + config.yaml: |- + apiVersion: addons.metalk8s.scality.com/v1alpha2 + kind: IngressControllerConfig + spec: {} + + +{%- else %} + +Ingress ServiceConfiguration already exists: + test.succeed_without_changes: [] + +{%- endif %} diff --git a/salt/metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2 b/salt/metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2 index 2aa5243d7d..accad03a8d 100644 --- a/salt/metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2 +++ b/salt/metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2 @@ -6,3 +6,6 @@ kind: IngressControllerConfig spec: config: allow-snippet-annotations: 'true' + hide-headers: 'Server,X-Powered-By' + ssl-ciphers: 'EECDH+AESGCM:EDH+AESGCM' + ssl-protocols: 'TLSv1.2 TLSv1.3' diff --git a/salt/metalk8s/addons/nginx-ingress/deployed/config-map.sls b/salt/metalk8s/addons/nginx-ingress/deployed/config-map.sls index 5807845a37..ed3fa5d2b8 100644 --- a/salt/metalk8s/addons/nginx-ingress/deployed/config-map.sls +++ b/salt/metalk8s/addons/nginx-ingress/deployed/config-map.sls @@ -23,6 +23,7 @@ Create Ingress Controller configuration Config Map: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: metalk8s heritage: metalk8s + annotations: + ingressclass.kubernetes.io/is-default-class: "true" data: {{ ingress_controller.spec.config | yaml(False) | indent(10) }} -
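Review bot: `include: - .namespace` resolves relative to this file to `metalk8s.addons.nginx-ingress-control-plane.deployed.namespace`, but the control-plane init.sls earlier in this patch pulls the namespace from `metalk8s.addons.nginx-ingress.deployed.namespace`, which suggests no such local state exists; if so, this whole state file fails to render. Use the same absolute include, `- metalk8s.addons.nginx-ingress.deployed.namespace`, unless a control-plane `namespace.sls` exists that is not visible here. The create-if-absent pattern around `get_object` mirrors the existing service-configuration states and reads fine.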