Adds configuration options for the --default-ssl-certificate feature of
NGINX Ingress Controller, which provides a default certificate for
requests that do not match any configured server names.[0]
To enable with a new certificate, specify:
.conf.default_ssl_certificate.enabled=true
.endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data"
.endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data"
.manifests.secret_ingress_tls=true
To enable using a TLS cert in an existing secret, specify:
.conf.default_ssl_certificate.enabled=true
.conf.default_ssl_certificate.name="name of the secret"
.conf.default_ssl_certificate.namespace="namespace of the secret"
0: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
Change-Id: Idd704fd880f56137923d4c38cc188b130ee3b56d
Use nginx-ingress-controller:0.32.0 and change user to 101
intead of 33 which is suported by this image.
Change-Id: I38679e350ec352f13074055b7e08b98df1090fbf
Some infra charts still have old ocata xenial images as default. This
should bring them up to date with the OSH charts.
Change-Id: If8454b6d0fe52387bf6327501ee4ff87f56e87b8
Signed-off-by: Tin Lam <tin@irrational.io>
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
nginx-ingress-controller 0.26.1 introduces configurable parameters for
streamPort and profilerPort, and changes the default for statusPort.
This change allows those parameters to be configured, while maintaining
compatibility with earlier versions of nginx-ingress.controller. It also
modifies the default status port value from 18080 to 10246.
Reference: https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0261
Change-Id: I88a7315f2ed47c31b8c2862ce1ad47b590b32137
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintained
Change-Id: I5bfdc156ae228ab16da57569ac6b05a9a125cb6a
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This change adds egress rules to the following charts:
- ingress
- memcache
- libvirt
- rabbitmq
These rules will be tightend down in future changes
Change-Id: I6f297d50ca4c06234c7c79986a12cccf3beb5efb
Currently, we are getting `bind-address: null` in ingress-conf for ingress pod in kube-system namespace
In that case, nginx starting on 0.0.0.0:80 which breaks other ingress controllers, such as maas-ingress.
All further ingress controllers can't start because they can't bind on 80 port.
Change-Id: Ie7e9563bf14fe347969bea0d3c900c8d87d06de0
Added new HTTP Security header Content-Security-Policy:self to make
sure the browser does not allow any cross-site scripting attacks.
Added new HTTP Security header X-Permitted-Cross-Domain-Policies:none
To prevent web client to load data from the current domain.
Added new HTTP Security header X-XSS-Protection:1 mode=block to
sanitize the page, when a XSS attack is detected, the browser will
prevent rendering of the page.
Change-Id: Ief137738f4b793f49f3632e25339c6f49492fd80
This updates the helm version from 2.13.1 to 2.14.1
Change-Id: I619351d846253bf17caa922ad7f7b0ff19c778a2
Signed-off-by: Steve Wilkerson <sw5822@att.com>
When there are multiple keepalived instances in same network space,
equal keepalived router-ids cause conflict (now default router-id number
is 100). So we have to specify keepalived's router_id for VRRP peering.
This commit make keepalived route-id configurable, so that we can
prevent keepalived conflict caused by default keepalived router-id.
Change-Id: Ia92a8b64205ab52ad15237e9fdeaacb61aae6400
This updates the etcd chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem to true
Change-Id: I9bf05ab5c21f9afbe269e1566cfecd20b3c086c0
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.
Without this, the osh-images build process is completely not
in use (and completely opaque to deployers), and updating the
osh-images process or patching its code has no impact on OSH.
This should fix it.
Change-Id: Ic00bd98c151669dc2485cd88e0e8c2ab05445959
This ps exposes the anti-affinity weight value, including
default, that will be consumed by the updated htk function.
Change-Id: Id8eb303674764ef8b0664f62040723aaf77e0a54
This updates the ingress controller image to v0.23.0, which was
required to add support for configuring cookie max age and expires
for ingresses via annotations on the ingress.
This also removes the --enable-dynamic-configuration flag, as the
flag is no longer valid in 0.23.0 due to the functionality being
a default behavior of the nginx ingress controller in recent
releases
Change-Id: I4917797c43ec973ed0bb311fc305b01f10abd4e5
The server should send an X-Content-Type-Options: nosniff to make sure
the browser does not try to detect a different Content-Type than what is
actually sent (can lead to XSS).
Additionally the server should send an X-Frame-Options: deny to protect
against drag'n drop clickjacking attacks in older browsers.
Change-Id: I779c519cf75bbee23d3a8348291c0fd053e61e4e
This PS implements the helm toolkit function to generate the
Egress in kubernetes network policy manifest based on overrideable values.
It also enbale the K8s network policy at Osh-infra gate.
Change-Id: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
This PS removes the server headers from client responses, as per
security guidelines.
Change-Id: I351f396e8e735e1d13f00c661b9c4068664d934a
Signed-off-by: Pete Birley <pete@port.direct>
This PS breaks out the helper container images, which is required
now that the ingress image is more compact.
Change-Id: I6afb08954f37eda1ed913a4b3acdaf6e2b89d30e
Signed-off-by: Pete Birley <pete@port.direct>
To allow to integrate TungstenFabric(Contrail) with Airship
there should be ability to redifine ports that can be conflicted.
Change-Id: Id15658c65339577cec03f25ebd22dd664bb5976a
This PS updates the version of the ingress controller image used.
This brings in the ability to update the ingress configuration without
reloading nginx. There may also need to be some changes for prom based
monitoring:
* https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0100
Change-Id: Ia0bf3dbb9b726f3a5cfb1f95d7ede456af13374a
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the ingress chart to allow the status pport to be
changed.
Change-Id: Ia38223c56806f6113622a809e792b4fedd010d87
Signed-off-by: Pete Birley <pete@port.direct>
This patch set implements the helm toolkit function to generate a
kubernetes network policy manifest based on overrideable values.
This also adds a chart that shuts down all the ingress and egress
traffics in the namespace. This can be used to ensure the
whitelisted network policy works as intended.
Additionally, implementation is done for some infrastructure charts.
Change-Id: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
This PS moves the ingress chart to OSH-Infra
Story: 2002204
Task: 21733
Change-Id: I85a46d5907f2ffe293f6fef0f528fdef167a7f0f
Signed-off-by: Pete Birley <pete@port.direct>