Commit Graph

41 Commits

Author SHA1 Message Date
Chris Wedgwood
82a828ce8d Update to container image repo k8s.gcr.io
gcr.io/google_containers/ no longer contains the image versions we
require, use the new location.

Change-Id: Iabb9e672e494f27d1a3691a9ce0dd2ccf10d5797
2020-12-07 19:34:09 +00:00
KHIYANI, RAHUL (rk0850)
24a0dcdee4 Ingress: Configure ingress dhparam secret
Configuring dhparam secret to generate 2048 DH group for
nginx openstack ingress

Change-Id: I8d8add9d518cbf928f58bfcac71e2b6c74075060
2020-09-15 14:16:50 -05:00
Phil Sphicas
341e9b29df Ingress: Configure Default SSL Certificate
Adds configuration options for the --default-ssl-certificate feature of
NGINX Ingress Controller, which provides a default certificate for
requests that do not match any configured server names.[0]

To enable with a new certificate, specify:
  .conf.default_ssl_certificate.enabled=true
  .endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data"
  .endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data"
  .manifests.secret_ingress_tls=true

To enable using a TLS cert in an existing secret, specify:
  .conf.default_ssl_certificate.enabled=true
  .conf.default_ssl_certificate.name="name of the secret"
  .conf.default_ssl_certificate.namespace="namespace of the secret"

0: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate

Change-Id: Idd704fd880f56137923d4c38cc188b130ee3b56d
2020-08-14 05:32:51 +00:00
Gupta, Sangeet (sg774j)
9ff76434aa Ingress: Use latest controller image
Use nginx-ingress-controller:0.32.0 and change user to 101
intead of 33 which is suported by this image.

Change-Id: I38679e350ec352f13074055b7e08b98df1090fbf
2020-06-01 21:46:44 +00:00
Andrii Ostapenko
731a6b4cfa Enable yamllint checks
- document-end
- document-start
- empty-lines
- hyphens
- indentation
- key-duplicates
- new-line-at-end-of-file
- new-lines
- octal-values

with corresponding code adjustment.

Change-Id: I92d6aa20df82aa0fe198f8ccd535cfcaf613f43a
2020-05-29 19:49:05 +00:00
KHIYANI, RAHUL (rk0850)
99a77eefda error-pages: updating the defaultbackend version to 1.4
removing the command "/tmp/ingress-error-pages.sh" script as the
1.4 version already uses "/server" exec
https://hub.docker.com/layers/siriuszg/defaultbackend/1.4/images/sha256-989154cad9fa0edab79acd8904b3ed643f3325fe827616ffa7c1181bb1e1321b?context=explore

Change-Id: I3769abeea16254fe5cc4f0f92eb8e8d89cf356a6
2020-05-26 10:42:29 -05:00
Tin Lam
3dd6d0e7a0 chore(images): update to stein bionic images
Some infra charts still have old ocata xenial images as default. This
should bring them up to date with the OSH charts.

Change-Id: If8454b6d0fe52387bf6327501ee4ff87f56e87b8
Signed-off-by: Tin Lam <tin@irrational.io>
2020-05-14 07:21:41 -05:00
Gage Hugo
d14d826b26 Remove OSH Authors copyright
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.

This change removes all references to this copyright by the
non-existent group and any blank lines underneath.

Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
2020-05-07 02:11:15 +00:00
KHIYANI, RAHUL (rk0850)
5bc24e78a4 Ingress: Run nginx ingress as non-root user
Running nginx ingress with www-data user

Change-Id: I769577cdedd05cc1b8b035928e67ad7ed70568db
2020-04-27 16:12:21 -05:00
Phil Sphicas
e7b4242c3b Ingress: nginx-ingress-controller 0.26.1+ support
nginx-ingress-controller 0.26.1 introduces configurable parameters for
streamPort and profilerPort, and changes the default for statusPort.

This change allows those parameters to be configured, while maintaining
compatibility with earlier versions of nginx-ingress.controller. It also
modifies the default status port value from 18080 to 10246.

Reference: https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0261

Change-Id: I88a7315f2ed47c31b8c2862ce1ad47b590b32137
2020-01-01 13:34:00 -08:00
Steve Wilkerson
b50fae62a4 Update kubernetes-entrypoint image reference
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintained

Change-Id: I5bfdc156ae228ab16da57569ac6b05a9a125cb6a
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-10-18 18:20:11 +00:00
Gage Hugo
ab3ab66bcb Add open egress rules to multiple infra charts
This change adds egress rules to the following charts:
- ingress
- memcache
- libvirt
- rabbitmq

These rules will be tightend down in future changes

Change-Id: I6f297d50ca4c06234c7c79986a12cccf3beb5efb
2019-09-12 13:07:19 -05:00
Alexander Noskov
3b5a1c7909 Take dnsPolicy from .Values.pod.dns_policy variable
Change-Id: Iae7caa5bdefe7749231c031c6003591a6251fa97
2019-07-15 17:31:16 +00:00
Alexander Noskov
0eff94f51c Remove quotes for bind-address in ingress Chart
Currently, we are getting `bind-address: null` in ingress-conf for ingress pod in kube-system namespace
In that case, nginx starting on 0.0.0.0:80 which breaks other ingress controllers, such as maas-ingress.
All further ingress controllers can't start because they can't bind on 80 port.

Change-Id: Ie7e9563bf14fe347969bea0d3c900c8d87d06de0
2019-07-12 17:10:00 -05:00
Zuul
c3ac26a35d Merge "Pentest-NC1.0 Nova–Security HTTP Headers Not Present" 2019-07-11 22:28:11 +00:00
NarlaSandeepNarlaSaibaba
3f32f08319 Pentest-NC1.0 Nova–Security HTTP Headers Not Present
Added new HTTP Security header Content-Security-Policy:self to make
sure the browser does not allow any cross-site scripting attacks.

Added new HTTP Security header X-Permitted-Cross-Domain-Policies:none
To prevent web client to load data from the current domain.

Added new HTTP Security header X-XSS-Protection:1 mode=block to
sanitize the page, when a XSS attack is detected, the browser will
prevent rendering of the page.

Change-Id: Ief137738f4b793f49f3632e25339c6f49492fd80
2019-07-09 09:45:53 -05:00
Steve Wilkerson
b117b14c3a Update helm version to 2.14.1
This updates the helm version from 2.13.1 to 2.14.1

Change-Id: I619351d846253bf17caa922ad7f7b0ff19c778a2
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-06-25 21:33:20 +00:00
SIRI KIM
9022c9237d Ingress: add keepalived-router-id for keeplived vip
When there are multiple keepalived instances in same network space,
equal keepalived router-ids cause conflict (now default router-id number
is 100). So we have to specify keepalived's router_id for VRRP peering.
This commit make keepalived route-id configurable, so that we can
prevent keepalived conflict caused by default keepalived router-id.

Change-Id: Ia92a8b64205ab52ad15237e9fdeaacb61aae6400
2019-06-19 18:06:04 +00:00
Alexander Noskov
d9b939979d Ingress: Fix security context for pod/container
During armada bootstrap, ingress pod tries to execute chroot [0]
inside root directory on host machine to load dummy kernel module
and getting permission denied error.

[0] https://opendev.org/openstack/openstack-helm-infra/src/branch/master/ingress/templates/bin/_ingress-vip-routed.sh.tpl#L22

Change-Id: Icf7e29e95e0c3cf2bf71a22711a03218390c90cb
2019-06-14 17:24:42 +00:00
RAHUL KHIYANI
a0d67a1117 Ingress: Add pod/container security context
This updates the etcd chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem to true

Change-Id: I9bf05ab5c21f9afbe269e1566cfecd20b3c086c0
2019-06-04 15:19:21 -05:00
Jean-Philippe Evrard
5f5e988fb3 Point to OSH-images images
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.

Without this, the osh-images build process is completely not
in use (and completely opaque to deployers), and updating the
osh-images process or patching its code has no impact on OSH.

This should fix it.

Change-Id: Ic00bd98c151669dc2485cd88e0e8c2ab05445959
2019-05-17 08:17:32 +00:00
Roy Tang (rt7380)
85bd731562 Expose Anti-Affinity Weight Setting
This ps exposes the anti-affinity weight value, including
default, that will be consumed by the updated htk function.

Change-Id: Id8eb303674764ef8b0664f62040723aaf77e0a54
2019-05-14 17:04:52 -05:00
RAHUL KHIYANI
befb8b65e8 Ingress: Add pod/container security context
This PS fixes the use of the security context macros for the
ingress chart.

Change-Id: I28171d529a27c3f203b02c031a6cf289fcc5f3e6
2019-04-24 03:12:16 +00:00
Steve Wilkerson
3413dba8c0 Update ingress controller image, ingress cookie annotations
This updates the ingress controller image to v0.23.0, which was
required to add support for configuring cookie max age and expires
for ingresses via annotations on the ingress.

This also removes the --enable-dynamic-configuration flag, as the
flag is no longer valid in 0.23.0 due to the functionality being
a default behavior of the nginx ingress controller in recent
releases

Change-Id: I4917797c43ec973ed0bb311fc305b01f10abd4e5
2019-03-07 20:39:03 +00:00
Chris Wedgwood
03ee843b22 [ingress] explicitly specify the Prometheus scrape port
Change-Id: I9e191257c436ca6ab74d013feb07bb0ffed2d532
2019-01-29 04:42:26 +00:00
Jagan Kavva
c49207819e Pentest - NC1.0 K8S –Security HTTP Headers Not Present – TCP 6443
The server should send an X-Content-Type-Options: nosniff to make sure
the browser does not try to detect a different Content-Type than what is
actually sent (can lead to XSS).

Additionally the server should send an X-Frame-Options: deny to protect
against drag'n drop clickjacking attacks in older browsers.

Change-Id: I779c519cf75bbee23d3a8348291c0fd053e61e4e
2019-01-23 16:21:32 -06:00
Zuul
6d354f0f7b Merge "Revert "Add Egress Helm-toolkit function & enforce the nework policy at OSH-INFRA"" 2018-12-16 08:57:09 +00:00
Pete Birley
0bf3674539 Revert "Add Egress Helm-toolkit function & enforce the nework policy at OSH-INFRA"
This reverts commit 8d33a2911c.

Change-Id: Ic861b9bf9b337449b47a3558da8355e7a5bcacee
2018-12-16 04:21:46 +00:00
Zuul
b90bf10b89 Merge "Add Egress Helm-toolkit function & enforce the nework policy at OSH-INFRA" 2018-12-15 09:32:21 +00:00
Mike Pham
8d33a2911c Add Egress Helm-toolkit function & enforce the nework policy at OSH-INFRA
This PS implements the helm toolkit function to generate the
Egress in kubernetes network policy manifest based on overrideable values.
It also enbale the K8s network policy at Osh-infra gate.

Change-Id: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
2018-12-14 16:32:40 -05:00
Pete Birley
8c9227273f Ingress: Remove server headers from response
This PS removes the server headers from client responses, as per
security guidelines.

Change-Id: I351f396e8e735e1d13f00c661b9c4068664d934a
Signed-off-by: Pete Birley <pete@port.direct>
2018-12-11 10:05:43 -06:00
Pete Birley
4803fe31d1 Ingress: Break out helper container images
This PS breaks out the helper container images, which is required
now that the ingress image is more compact.

Change-Id: I6afb08954f37eda1ed913a4b3acdaf6e2b89d30e
Signed-off-by: Pete Birley <pete@port.direct>
2018-11-28 20:54:35 -06:00
Andrey Pavlov
5ac56d9307 add parameter to allow redefining of server port for ingress
To allow to integrate TungstenFabric(Contrail) with Airship
there should be ability to redifine ports that can be conflicted.

Change-Id: Id15658c65339577cec03f25ebd22dd664bb5976a
2018-11-27 13:15:32 +03:00
Zuul
8e369d2c9c Merge "Ingress: Update version of ingress controller image" 2018-11-23 20:39:38 +00:00
Pete Birley
4d2085f0af Ingress: Update version of ingress controller image
This PS updates the version of the ingress controller image used.

This brings in the ability to update the ingress configuration without
reloading nginx. There may also need to be some changes for prom based
monitoring:
 * https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0100

Change-Id: Ia0bf3dbb9b726f3a5cfb1f95d7ede456af13374a
Signed-off-by: Pete Birley <pete@port.direct>
2018-11-21 19:21:40 +00:00
Pete Birley
ea875b1dcc Ingress: Make healthz port configurable
This PS updates the healthz port to be configurable

Change-Id: Ifa5ea4b7b422156a7309886ecc21668fc096065b
Signed-off-by: Pete Birley <pete@port.direct>
2018-11-20 12:28:14 -06:00
Pete Birley
f3e1fa4e72 Ingress: Allow status port to be customised
This PS updates the ingress chart to allow the status pport to be
changed.

Change-Id: Ia38223c56806f6113622a809e792b4fedd010d87
Signed-off-by: Pete Birley <pete@port.direct>
2018-11-20 09:57:56 -06:00
Tin Lam
92e68d33ea Add network policy toolkit function
This patch set implements the helm toolkit function to generate a
kubernetes network policy manifest based on overrideable values.
This also adds a chart that shuts down all the ingress and egress
traffics in the namespace. This can be used to ensure the
whitelisted network policy works as intended.

Additionally, implementation is done for some infrastructure charts.

Change-Id: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
2018-10-15 13:50:50 +00:00
Jean-Philippe Evrard
bf069b2311 Revert "Update OSH Author copyrights to OSF"
This reverts commit 178aa271a4.

Change-Id: I38a52d866527dfff2689b618e055f439bc248c13
2018-08-28 17:25:54 +00:00
Matt McEuen
178aa271a4 Update OSH Author copyrights to OSF
This PS updates the "Openstack-Helm Authors" copyright attribution
to be the "OpenStack Foundation", as decided in the 2018-03-20
team meeting:
http://eavesdrop.openstack.org/meetings/openstack_helm/2018/openstack_helm.2018-03-20-15.00.log.html

No other copyright attributions were changed.

Change-Id: I1137dee2ae5728771835f4b33fcaff60fcc22ca9
2018-08-26 17:17:06 -05:00
Pete Birley
d8a2864779 Ingress: move ingress chart to OSH-Infra
This PS moves the ingress chart to OSH-Infra

Story: 2002204
Task: 21733

Change-Id: I85a46d5907f2ffe293f6fef0f528fdef167a7f0f
Signed-off-by: Pete Birley <pete@port.direct>
2018-07-24 21:01:51 +00:00