diff --git a/keystone/templates/bin/_keystone-api.sh.tpl b/keystone/templates/bin/_keystone-api.sh.tpl
index 2f127b94cb..384ee8b392 100644
--- a/keystone/templates/bin/_keystone-api.sh.tpl
+++ b/keystone/templates/bin/_keystone-api.sh.tpl
@@ -26,6 +26,18 @@ function start () {
cp -a $(type -p ${KEYSTONE_WSGI_SCRIPT}) /var/www/cgi-bin/keystone/
done
+ {{- if .Values.conf.software.apache2.a2enmod }}
+ {{- range .Values.conf.software.apache2.a2enmod }}
+ a2enmod {{ . }}
+ {{- end }}
+ {{- end }}
+
+ {{- if .Values.conf.software.apache2.a2dismod }}
+ {{- range .Values.conf.software.apache2.a2dismod }}
+ a2dismod {{ . }}
+ {{- end }}
+ {{- end }}
+
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
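Review bot: The module names in `a2enmod {{ . }}` and `a2dismod {{ . }}` are interpolated into the shell script unquoted, so a list entry containing whitespace or shell metacharacters would be word-split or interpreted by the shell rather than passed as one argument; rendering each as `a2enmod {{ . | quote }}` (and likewise for `a2dismod`) keeps every entry a single argument. The `if` wrappers around the two `range` blocks are redundant, since `range` over a nil or empty list emits nothing, but they are harmless. Now that the Apache binary is configurable, these two helpers are still Debian-specific; if an operator populates either list on an image that lacks a2enmod/a2dismod the script will abort before Apache starts, which may be worth a comment in values.yaml. start() begins before this hunk.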
@@ -37,11 +49,11 @@ function start () {
fi
# Start Apache2
- exec apache2 -DFOREGROUND
+ exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
}
function stop () {
- apachectl -k graceful-stop
+ {{ .Values.conf.software.apache2.binary }} -k graceful-stop
}
$COMMAND
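Review bot: stop() now runs `{{ .Values.conf.software.apache2.binary }} -k graceful-stop` directly, but unlike start() it does not source /etc/apache2/envvars, and on Debian-based images the apache2 binary relies on those variables (APACHE_RUN_DIR, APACHE_PID_FILE) to find the running instance — the previous `apachectl` wrapper sourced them itself. Adding the same `if [ -f /etc/apache2/envvars ]; then source /etc/apache2/envvars; fi` guard ahead of the stop command, or making the stop command configurable alongside the start one, would keep graceful-stop working with the default `binary: apache2`. `start_parameters` is deliberately left unquoted so that several flags word-split into separate arguments; a one-line comment saying so would prevent a later "fix" that quotes it.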
diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml
index 5e7721b6b6..25605f04ab 100644
--- a/keystone/templates/configmap-etc.yaml
+++ b/keystone/templates/configmap-etc.yaml
@@ -57,6 +57,9 @@ data:
{{- range $k, $v := .Values.conf.ks_domains }}
keystone.{{ $k }}.json: {{ toJson $v | b64enc }}
{{- end }}
+{{- if .Values.conf.security }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
+{{- end}}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_keystone "key" "wsgi-keystone.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.sso_callback_template "key" "sso_callback_template.html" "format" "Secret" ) | indent 2 }}
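Review bot: `{{- end}}` closing the new security block is written without the space before `}}` that every other action in this file uses (`{{- end }}`); Helm accepts both, but the inconsistency stands out in a file that is otherwise uniform, so change it to `{{- end }}`. The `if .Values.conf.security` guard matches the one the deployment uses for the corresponding mount, which keeps the configmap key and the volumeMount subPath in step when an operator nulls out `conf.security`.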
diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
index e3cfe39b88..3069a2ad41 100644
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@@ -122,13 +122,19 @@ spec:
subPath: sso_callback_template.html
readOnly: true
- name: keystone-etc
- mountPath: /etc/apache2/conf-enabled/wsgi-keystone.conf
+ mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-keystone.conf
subPath: wsgi-keystone.conf
readOnly: true
- name: keystone-etc
- mountPath: /etc/apache2/mods-available/mpm_event.conf
+ mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
+{{- if .Values.conf.security }}
+ - name: keystone-etc
+ mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
+ subPath: security.conf
+ readOnly: true
+{{- end }}
- name: keystone-bin
mountPath: /tmp/keystone-api.sh
subPath: keystone-api.sh
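Review bot: The templated `mountPath` values on the wsgi-keystone.conf, mpm_event.conf and security.conf entries are emitted as unquoted plain scalars, so a `conf_dir`/`mods_dir` value containing `: `, ` #` or a leading YAML indicator would change the meaning of the rendered manifest instead of failing rendering; quoting them, e.g. `mountPath: "{{ .Values.conf.software.apache2.conf_dir }}/wsgi-keystone.conf"`, keeps the rendered value a string regardless of what the operator sets. The new security.conf mount is gated on `.Values.conf.security` in the same way the configmap renders the key, so the two cannot drift apart. The enclosing volumeMounts list starts before this hunk.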
diff --git a/keystone/values.yaml b/keystone/values.yaml
index 93899f3681..d901804635 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -434,6 +434,81 @@ network_policy:
application: ceph
conf:
+ security: |
+ #
+ # Disable access to the entire file system except for the directories that
+ # are explicitly allowed later.
+ #
+ # This currently breaks the configurations that come with some web application
+ # Debian packages.
+ #
+ #
+ # AllowOverride None
+ # Require all denied
+ #
+
+ # Changing the following options will not really affect the security of the
+ # server, but might make attacks slightly more difficult in some cases.
+
+ #
+ # ServerTokens
+ # This directive configures what you return as the Server HTTP response
+ # Header. The default is 'Full' which sends information about the OS-Type
+ # and compiled in modules.
+ # Set to one of: Full | OS | Minimal | Minor | Major | Prod
+ # where Full conveys the most information, and Prod the least.
+ ServerTokens Prod
+
+ #
+ # Optionally add a line containing the server version and virtual host
+ # name to server-generated pages (internal error documents, FTP directory
+ # listings, mod_status and mod_info output etc., but not CGI generated
+ # documents or custom error documents).
+ # Set to "EMail" to also include a mailto: link to the ServerAdmin.
+ # Set to one of: On | Off | EMail
+ ServerSignature Off
+
+ #
+ # Allow TRACE method
+ #
+ # Set to "extended" to also reflect the request body (only for testing and
+ # diagnostic purposes).
+ #
+ # Set to one of: On | Off | extended
+ TraceEnable Off
+
+ #
+ # Forbid access to version control directories
+ #
+ # If you use version control systems in your document root, you should
+ # probably deny access to their directories. For example, for subversion:
+ #
+ #
+ # Require all denied
+ #
+
+ #
+ # Setting this header will prevent MSIE from interpreting files as something
+ # else than declared by the content type in the HTTP headers.
+ # Requires mod_headers to be enabled.
+ #
+ #Header set X-Content-Type-Options: "nosniff"
+
+ #
+ # Setting this header will prevent other sites from embedding pages from this
+ # site as frames. This defends against clickjacking attacks.
+ # Requires mod_headers to be enabled.
+ #
+ #Header set X-Frame-Options: "sameorigin"
+ software:
+ apache2:
+ binary: apache2
+ start_parameters: -DFOREGROUND
+ site_dir: /etc/apache2/sites-enable
+ conf_dir: /etc/apache2/conf-enabled
+ mods_dir: /etc/apache2/mods-available
+ a2enmod: null
+ a2dismod: null
keystone:
DEFAULT:
log_config_append: /etc/keystone/logging.conf
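Review bot: `site_dir: /etc/apache2/sites-enable` looks like a typo for Debian's `/etc/apache2/sites-enabled`; nothing in this change reads `site_dir`, so the wrong path would only surface once a template starts consuming it, which makes it cheap to fix now. In the `security` block, the stanza at `# AllowOverride None` / `# Require all denied` and the one under "Forbid access to version control directories" appear without the Directory / DirectoryMatch container lines that Debian's stock security.conf wraps them in — that may be an artifact of how this page renders angle brackets, but it is worth confirming the committed file still carries them, since the wrapper is what an operator would uncomment. The two `Header set` lines remain commented out; with `mod_headers` now enableable through the new `a2enmod` list, `Header set X-Content-Type-Options: "nosniff"` could be activated by default rather than left as an exercise for each deployment.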