From 5635807505e265bce5968f5654ef5e6b007a8a70 Mon Sep 17 00:00:00 2001
From: Alex Chapellon
Date: Wed, 2 Aug 2023 09:19:14 +0200
Subject: [PATCH] OPSEXP-1862: add proper repo ingress (#86)
---
 .checkov-values.yml | 4 ++
 charts/alfresco-repository/Chart.yaml | 2 +-
 charts/alfresco-repository/README.md | 2 +-
 .../templates/deployment.yaml | 2 +-
 .../templates/ingress.yaml | 24 +++++---
 .../tests/ingress_test.yaml | 56 +++++++++++++++++++
 6 files changed, 80 insertions(+), 10 deletions(-)
 create mode 100644 charts/alfresco-repository/tests/ingress_test.yaml
diff --git a/.checkov-values.yml b/.checkov-values.yml
index 7de03edc..6f86e76c 100644
--- a/.checkov-values.yml
+++ b/.checkov-values.yml
@@ -4,6 +4,10 @@ activemq:
 enabled: true
 elasticsearch:
 enabled: true
+db:
+ url: postgresql://pg-postgresql-acs/alfresco
+ username: pguser
+ password: pgpass
 global:
 tracking:
 sharedsecret: dummy
diff --git a/charts/alfresco-repository/Chart.yaml b/charts/alfresco-repository/Chart.yaml
index 14fd8a55..62d91a6a 100644
--- a/charts/alfresco-repository/Chart.yaml
+++ b/charts/alfresco-repository/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: alfresco-repository
 description: Alfresco content repository Helm chart
 type: application
-version: 0.1.0-alpha.0
+version: 0.1.0-alpha.1
 appVersion: 23.1.0-A21
 dependencies:
 - name: alfresco-common
diff --git a/charts/alfresco-repository/README.md b/charts/alfresco-repository/README.md
index ec9e304e..048f9612 100644
--- a/charts/alfresco-repository/README.md
+++ b/charts/alfresco-repository/README.md
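Review bot: The added db block puts literal credentials `username: pguser` / `password: pgpass` into a tracked values file with nothing marking them as scan-only placeholders, whereas `sharedsecret: dummy` just below is self-describing. A short comment above `db:` such as `# placeholder DB credentials, only used to render templates for the checkov scan` would stop a reader, or a secret scanner that keys on `password:`, from treating them as real, and picking an obviously fake value in the same spirit as `dummy` would help too.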
@@ -1,6 +1,6 @@
 # alfresco-repository
-![Version: 0.1.0-alpha.0](https://img.shields.io/badge/Version-0.1.0--alpha.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 23.1.0-A21](https://img.shields.io/badge/AppVersion-23.1.0--A21-informational?style=flat-square)
+![Version: 0.1.0-alpha.1](https://img.shields.io/badge/Version-0.1.0--alpha.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 23.1.0-A21](https://img.shields.io/badge/AppVersion-23.1.0--A21-informational?style=flat-square)
 Alfresco content repository Helm chart
diff --git a/charts/alfresco-repository/templates/deployment.yaml b/charts/alfresco-repository/templates/deployment.yaml
index c176039c..46fef971 100644
--- a/charts/alfresco-repository/templates/deployment.yaml
+++ b/charts/alfresco-repository/templates/deployment.yaml
@@ -50,7 +50,7 @@ spec:
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 envFrom:
 - configMapRef:
- {{ $alfoptsCtx := dict "Values" (dict "nameOverride" "alfresco-opts") "Chart" .Chart "Release" .Release }}
+ {{- $alfoptsCtx := dict "Values" (dict "nameOverride" "alfresco-opts") "Chart" .Chart "Release" .Release }}
 name: {{ template "alfresco-repository.fullname" $alfoptsCtx }}
 {{- $dbsecretCtx := dict "Values" (dict "nameOverride" "secret-database") "Chart" .Chart "Release" .Release }}
 {{- $dbsecret := coalesce .Values.db.existingSecret.name (include "alfresco-repository.fullname" $dbsecretCtx) }}
diff --git a/charts/alfresco-repository/templates/ingress.yaml b/charts/alfresco-repository/templates/ingress.yaml
index 38e30494..ca8f0d9f 100644
--- a/charts/alfresco-repository/templates/ingress.yaml
+++ b/charts/alfresco-repository/templates/ingress.yaml
@@ -1,10 +1,13 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "alfresco-repository.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
- {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
- {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
- {{- end }}
+{{/*
+We only support nginx ingress for now: https://alfresco.atlassian.net/browse/OPSEXP-131
+so forcibly set the ingress.class annotation to nginx for pre 1.18 k8s
+*/}}
+{{- if not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ {{- $_ := unset .Values.ingress.annotations "kubernetes.io/ingress.class" }}
+ {{- $_ = set .Values.ingress.annotations "kubernetes.io/ingress.class" "nginx" }}
 {{- end }}
 {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1
@@ -18,14 +21,21 @@ metadata:
 name: {{ $fullName }}
 labels:
 {{- include "alfresco-repository.labels" . | nindent 4 }}
- {{- with .Values.ingress.annotations }}
 annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
+ checkov.io/skip1: CKV_K8S_153=We're filtering out snippet in named template
+ {{- include "alfresco-common.nginx.annotations" .Values }}
+ {{- include "alfresco-common.nginx.secure.annotations" .Values }}
 spec:
 {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
 ingressClassName: {{ .Values.ingress.className }}
 {{- end }}
+{{/*
+We only support nginx ingress for now: https://alfresco.atlassian.net/browse/OPSEXP-131
+so forcibly set the ingressClassName to nginx for post 1.18 k8s
+*/}}
+ {{- if (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: nginx
+ {{- end }}
 {{- if .Values.ingress.tls }}
 tls:
 {{- range .Values.ingress.tls }}
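Review bot: In the new pre-1.18 branch the `unset` on the line before the `set` is redundant, because Sprig's `set` overwrites an existing key; `{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" "nginx" }}` alone produces the same map and reads as the deliberate override the template comment describes. Both calls also mutate `.Values.ingress.annotations` in place, so a values file that supplies `annotations:` with no value (null) will presumably make `set` fail at render time unless the chart defaults always provide a map, which this hunk does not show; guarding with `default (dict)` or documenting the requirement next to `ingress.annotations` in values.yaml would settle it. Since the removed lines used to honour `.Values.ingress.className`, the template comment should also say that a user-supplied class is now discarded on purpose.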
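Review bot: With the block added at the end of the second hunk, a user who sets `ingress.className` on Kubernetes >= 1.18 gets `ingressClassName` rendered twice under `spec` — once from the kept `{{- if and .Values.ingress.className (semverCompare ">=1.18-0" ...) }}` block and once from the forced `ingressClassName: nginx` — which is a duplicate mapping key that strict YAML consumers reject and lenient ones resolve silently to whichever comes last. Since nginx is now mandatory, drop the three kept lines `{{- if and .Values.ingress.className ... }}` / `ingressClassName: {{ .Values.ingress.className }}` / `{{- end }}` so only the forced value remains, and state in the values documentation that `ingress.className` is ignored. The `checkov.io/skip1` annotation is shipped to the cluster on every rendered ingress; that is acceptable, but a comment above it naming the template that strips snippet annotations (presumably `alfresco-common.nginx.secure.annotations`) would make the CKV_K8S_153 justification verifiable from this file. Whether user-supplied `.Values.ingress.annotations` still reach the object now depends entirely on the included common templates, which are outside this diff.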
diff --git a/charts/alfresco-repository/tests/ingress_test.yaml b/charts/alfresco-repository/tests/ingress_test.yaml
new file mode 100644
index 00000000..b461fc54
--- /dev/null
+++ b/charts/alfresco-repository/tests/ingress_test.yaml
@@ -0,0 +1,56 @@
+---
+suite: test Alfresco repository ingress
+templates:
+ - ingress.yaml
+tests:
+ - it: should render with default security annotations
+ asserts:
+ - equal:
+ path: metadata.annotations['nginx.ingress.kubernetes.io/server-snippet']
+ value: |
+ location ~ ^/.*/(wc)?s(ervice)?/api/solr/.*$ {return 403;}
+ location ~ ^/.*/proxy/.*/api/solr/.*$ {return 403;}
+ location ~ ^/.*/-default-/proxy/.*/api/.*$ {return 403;}
+ location ~ ^/.*/s/prometheus$ {return 403;}
+ template: ingress.yaml
+ - equal:
+ path: spec.ingressClassName
+ value: nginx
+ template: ingress.yaml
+
+ - it: should sanitize ingress
+ capabilities:
+ majorVersion: 1
+ minorVersion: 17
+ set:
+ ingress:
+ annotations:
+ kubernetes.io/ingress.class: myfancyClass
+ nginx.ingress.kubernetes.io/server-snippet: listen 6666;
+ asserts:
+ - notMatchRegex:
+ path: metadata.annotations['nginx.ingress.kubernetes.io/server-snippet']
+ pattern: listen 6666;
+ template: ingress.yaml
+ - equal:
+ path: metadata.annotations['kubernetes.io/ingress.class']
+ value: nginx
+ template: ingress.yaml
+
+ - it: should sanitize ingress
+ capabilities:
+ majorVersion: 1
+ minorVersion: 19
+ set:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/server-snippet: listen 6666;
+ asserts:
+ - notMatchRegex:
+ path: metadata.annotations['nginx.ingress.kubernetes.io/server-snippet']
+ pattern: listen 6666;
+ template: ingress.yaml
+ - equal:
+ path: spec.ingressClassName
+ value: nginx
+ template: ingress.yaml
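Review bot: The two `- it: should sanitize ingress` cases carry the same name, so a helm-unittest failure report cannot tell the 1.17 and 1.19 variants apart; rename them, e.g. `- it: should sanitize ingress annotations on k8s < 1.18` and `- it: should sanitize ingress annotations on k8s >= 1.18`. There is also no case where `ingress.className` is set on a >= 1.18 cluster, which is the path where ingress.yaml still renders `ingressClassName: {{ .Values.ingress.className }}` next to the forced `nginx`; the case below should expose a duplicated key if that happens. The second case's expectation that `kubernetes.io/ingress.class` is rewritten to nginx relies on the common annotations template re-emitting the mutated map, which is outside this diff.
```yaml
  - it: should ignore ingress.className on k8s >= 1.18
    capabilities:
      majorVersion: 1
      minorVersion: 19
    set:
      ingress:
        className: myfancyClass
    asserts:
      - equal:
          path: spec.ingressClassName
          value: nginx
          template: ingress.yaml
```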