OPSEXP-1862: add proper repo ingress (#86)

.checkov-values.yml

@@ -4,6 +4,10 @@ activemq:
   enabled: true
 elasticsearch:
   enabled: true
+db:
+  url: postgresql://pg-postgresql-acs/alfresco
+  username: pguser
+  password: pgpass
 global:
   tracking:
     sharedsecret: dummy

charts/alfresco-repository/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: alfresco-repository
 description: Alfresco content repository Helm chart
 type: application
-version: 0.1.0-alpha.0
+version: 0.1.0-alpha.1
 appVersion: 23.1.0-A21
 dependencies:
   - name: alfresco-common

charts/alfresco-repository/README.md

@@ -1,6 +1,6 @@
 # alfresco-repository
 
-![Version: 0.1.0-alpha.0](https://img.shields.io/badge/Version-0.1.0--alpha.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 23.1.0-A21](https://img.shields.io/badge/AppVersion-23.1.0--A21-informational?style=flat-square)
+![Version: 0.1.0-alpha.1](https://img.shields.io/badge/Version-0.1.0--alpha.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 23.1.0-A21](https://img.shields.io/badge/AppVersion-23.1.0--A21-informational?style=flat-square)
 
 Alfresco content repository Helm chart
 

charts/alfresco-repository/templates/deployment.yaml

@@ -50,7 +50,7 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           envFrom:
             - configMapRef:
-                {{ $alfoptsCtx := dict "Values" (dict "nameOverride" "alfresco-opts") "Chart" .Chart "Release" .Release }}
+                {{- $alfoptsCtx := dict "Values" (dict "nameOverride" "alfresco-opts") "Chart" .Chart "Release" .Release }}
                 name: {{ template "alfresco-repository.fullname" $alfoptsCtx }}
           {{- $dbsecretCtx := dict "Values" (dict "nameOverride" "secret-database") "Chart" .Chart "Release" .Release }}
           {{- $dbsecret := coalesce .Values.db.existingSecret.name (include "alfresco-repository.fullname" $dbsecretCtx) }}

charts/alfresco-repository/templates/ingress.yaml

@@ -1,10 +1,13 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "alfresco-repository.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
-  {{- end }}
+{{/*
+We only support nginx ingress for now: https://alfresco.atlassian.net/browse/OPSEXP-131
+so forcibly set the ingress.class annotation to nginx for pre 1.18 k8s
+*/}}
+{{- if not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  {{- $_ := unset .Values.ingress.annotations "kubernetes.io/ingress.class" }}
+  {{- $_ = set .Values.ingress.annotations "kubernetes.io/ingress.class" "nginx" }}
 {{- end }}
 {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1
@@ -18,14 +21,21 @@ metadata:
   name: {{ $fullName }}
   labels:
     {{- include "alfresco-repository.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
+    checkov.io/skip1: CKV_K8S_153=We're filtering out snippet in named template
+    {{- include "alfresco-common.nginx.annotations" .Values }}
+    {{- include "alfresco-common.nginx.secure.annotations" .Values }}
 spec:
   {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
   ingressClassName: {{ .Values.ingress.className }}
   {{- end }}
+{{/*
+We only support nginx ingress for now: https://alfresco.atlassian.net/browse/OPSEXP-131
+so forcibly set the ingressClassName to nginx for post 1.18 k8s
+*/}}
+  {{- if (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: nginx
+  {{- end }}
   {{- if .Values.ingress.tls }}
   tls:
     {{- range .Values.ingress.tls }}

charts/alfresco-repository/tests/ingress_test.yaml

@@ -0,0 +1,56 @@
+---
+suite: test Alfresco repository ingress
+templates:
+  - ingress.yaml
+tests:
+  - it: should render with default security annotations
+    asserts:
+      - equal:
+          path: metadata.annotations['nginx.ingress.kubernetes.io/server-snippet']
+          value: |
+            location ~ ^/.*/(wc)?s(ervice)?/api/solr/.*$ {return 403;}
+            location ~ ^/.*/proxy/.*/api/solr/.*$ {return 403;}
+            location ~ ^/.*/-default-/proxy/.*/api/.*$ {return 403;}
+            location ~ ^/.*/s/prometheus$ {return 403;}
+        template: ingress.yaml
+      - equal:
+          path: spec.ingressClassName
+          value: nginx
+        template: ingress.yaml
+
+  - it: should sanitize ingress
+    capabilities:
+      majorVersion: 1
+      minorVersion: 17
+    set:
+      ingress:
+        annotations:
+          kubernetes.io/ingress.class: myfancyClass
+          nginx.ingress.kubernetes.io/server-snippet: listen 6666;
+    asserts:
+      - notMatchRegex:
+          path: metadata.annotations['nginx.ingress.kubernetes.io/server-snippet']
+          pattern: listen 6666;
+        template: ingress.yaml
+      - equal:
+          path: metadata.annotations['kubernetes.io/ingress.class']
+          value: nginx
+        template: ingress.yaml
+
+  - it: should sanitize ingress
+    capabilities:
+      majorVersion: 1
+      minorVersion: 19
+    set:
+      ingress:
+        annotations:
+          nginx.ingress.kubernetes.io/server-snippet: listen 6666;
+    asserts:
+      - notMatchRegex:
+          path: metadata.annotations['nginx.ingress.kubernetes.io/server-snippet']
+          pattern: listen 6666;
+        template: ingress.yaml
+      - equal:
+          path: spec.ingressClassName
+          value: nginx
+        template: ingress.yaml