From 229db2f1552b2bfb0beece4ecd4a1b11eac690c0 Mon Sep 17 00:00:00 2001
From: Itxaka <igarcia@suse.com>
Date: Mon, 25 Mar 2019 12:26:13 +0100
Subject: [PATCH] Allow more generic overrides for keystone

With this patch we allow for a more easy way of overriding some
of the values that may be used in other distros while maintainting
the default values if those values are not overriden.

The following values are introduced to be overriden:
conf:
  security:
  software:
    apache2:
      conf_dir:
      site_dir:
      mods_dir:
      binary:
      start_flags:
      a2enmod:
      a2dismod:

On which:
 * conf_dir: directory where to drop the config files
 * site_dir: directory where to drop the enabled virtualhosts
 * mods_dir: directory where to drop any mod configuration
 * binary: the binary to use for launching apache
 * start_flags: any flags that will be passed to the apache binary call
 * a2enmod: mods to enable
 * a2dismod: mods to disable
 * security: security configuration for apache

Notice that if there is no overrides given, it should not affect anything
and the templates will not be changed as the default values are set to what
they used to be as to not disrupt existing deployments.

Change-Id: I7622325cf23e5afb26a5f5e887458fd58af2fab8
---
 keystone/templates/bin/_keystone-api.sh.tpl | 16 ++++-
 keystone/templates/configmap-etc.yaml       |  3 +
 keystone/templates/deployment-api.yaml      | 10 ++-
 keystone/values.yaml                        | 75 +++++++++++++++++++++
 4 files changed, 100 insertions(+), 4 deletions(-)

diff --git a/keystone/templates/bin/_keystone-api.sh.tpl b/keystone/templates/bin/_keystone-api.sh.tpl
index 2f127b94cb..384ee8b392 100644
--- a/keystone/templates/bin/_keystone-api.sh.tpl
+++ b/keystone/templates/bin/_keystone-api.sh.tpl
@@ -26,6 +26,18 @@ function start () {
     cp -a $(type -p ${KEYSTONE_WSGI_SCRIPT}) /var/www/cgi-bin/keystone/
   done
 
+  {{- if .Values.conf.software.apache2.a2enmod }}
+    {{- range .Values.conf.software.apache2.a2enmod }}
+  a2enmod {{ . }}
+    {{- end }}
+  {{- end }}
+
+  {{- if .Values.conf.software.apache2.a2dismod }}
+    {{- range .Values.conf.software.apache2.a2dismod }}
+  a2dismod {{ . }}
+    {{- end }}
+  {{- end }}
+
   if [ -f /etc/apache2/envvars ]; then
      # Loading Apache2 ENV variables
      source /etc/apache2/envvars
@@ -37,11 +49,11 @@ function start () {
   fi
 
   # Start Apache2
-  exec apache2 -DFOREGROUND
+  exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
 }
 
 function stop () {
-  apachectl -k graceful-stop
+  {{ .Values.conf.software.apache2.binary }} -k graceful-stop
 }
 
 $COMMAND
diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml
index 5e7721b6b6..25605f04ab 100644
--- a/keystone/templates/configmap-etc.yaml
+++ b/keystone/templates/configmap-etc.yaml
@@ -57,6 +57,9 @@ data:
 {{- range $k, $v := .Values.conf.ks_domains }}
   keystone.{{ $k }}.json: {{ toJson $v | b64enc }}
 {{- end }}
+{{- if .Values.conf.security }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
+{{- end}}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_keystone "key" "wsgi-keystone.conf" "format" "Secret" ) | indent 2 }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.sso_callback_template "key" "sso_callback_template.html" "format" "Secret" ) | indent 2 }}
diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
index e3cfe39b88..3069a2ad41 100644
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@@ -122,13 +122,19 @@ spec:
             subPath: sso_callback_template.html
             readOnly: true
           - name: keystone-etc
-            mountPath: /etc/apache2/conf-enabled/wsgi-keystone.conf
+            mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-keystone.conf
             subPath: wsgi-keystone.conf
             readOnly: true
           - name: keystone-etc
-            mountPath: /etc/apache2/mods-available/mpm_event.conf
+            mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
             subPath: mpm_event.conf
             readOnly: true
+{{- if .Values.conf.security }}
+          - name: keystone-etc
+            mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
+            subPath: security.conf
+            readOnly: true
+{{- end }}
           - name: keystone-bin
             mountPath: /tmp/keystone-api.sh
             subPath: keystone-api.sh
diff --git a/keystone/values.yaml b/keystone/values.yaml
index 93899f3681..d901804635 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -434,6 +434,81 @@ network_policy:
               application: ceph
 
 conf:
+  security: |
+    #
+    # Disable access to the entire file system except for the directories that
+    # are explicitly allowed later.
+    #
+    # This currently breaks the configurations that come with some web application
+    # Debian packages.
+    #
+    #<Directory />
+    #   AllowOverride None
+    #   Require all denied
+    #</Directory>
+
+    # Changing the following options will not really affect the security of the
+    # server, but might make attacks slightly more difficult in some cases.
+
+    #
+    # ServerTokens
+    # This directive configures what you return as the Server HTTP response
+    # Header. The default is 'Full' which sends information about the OS-Type
+    # and compiled in modules.
+    # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+    # where Full conveys the most information, and Prod the least.
+    ServerTokens Prod
+
+    #
+    # Optionally add a line containing the server version and virtual host
+    # name to server-generated pages (internal error documents, FTP directory
+    # listings, mod_status and mod_info output etc., but not CGI generated
+    # documents or custom error documents).
+    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
+    # Set to one of:  On | Off | EMail
+    ServerSignature Off
+
+    #
+    # Allow TRACE method
+    #
+    # Set to "extended" to also reflect the request body (only for testing and
+    # diagnostic purposes).
+    #
+    # Set to one of:  On | Off | extended
+    TraceEnable Off
+
+    #
+    # Forbid access to version control directories
+    #
+    # If you use version control systems in your document root, you should
+    # probably deny access to their directories. For example, for subversion:
+    #
+    #<DirectoryMatch "/\.svn">
+    #   Require all denied
+    #</DirectoryMatch>
+
+    #
+    # Setting this header will prevent MSIE from interpreting files as something
+    # else than declared by the content type in the HTTP headers.
+    # Requires mod_headers to be enabled.
+    #
+    #Header set X-Content-Type-Options: "nosniff"
+
+    #
+    # Setting this header will prevent other sites from embedding pages from this
+    # site as frames. This defends against clickjacking attacks.
+    # Requires mod_headers to be enabled.
+    #
+    #Header set X-Frame-Options: "sameorigin"
+  software:
+    apache2:
+      binary: apache2
+      start_parameters: -DFOREGROUND
+      site_dir: /etc/apache2/sites-enable
+      conf_dir: /etc/apache2/conf-enabled
+      mods_dir: /etc/apache2/mods-available
+      a2enmod: null
+      a2dismod: null
   keystone:
     DEFAULT:
       log_config_append: /etc/keystone/logging.conf