fix: various minor fixes, istio ingress hardening configurable
parent
06504de5f0
commit
4940406f77
@ -32,10 +32,14 @@ spec:
|
|||||||
use_remote_address: true
|
use_remote_address: true
|
||||||
normalize_path: true
|
normalize_path: true
|
||||||
merge_slashes: true
|
merge_slashes: true
|
||||||
|
{{- if .Values.hardening.unescapeSlahes }}
|
||||||
path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT
|
path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT
|
||||||
|
{{- end }}
|
||||||
common_http_protocol_options:
|
common_http_protocol_options:
|
||||||
idle_timeout: 3600s # 1 hour
|
idle_timeout: 3600s # 1 hour
|
||||||
|
{{- if .Values.hardening.rejectUnderscoresHeaders }}
|
||||||
headers_with_underscores_action: REJECT_REQUEST
|
headers_with_underscores_action: REJECT_REQUEST
|
||||||
|
{{- end }}
|
||||||
http2_protocol_options:
|
http2_protocol_options:
|
||||||
max_concurrent_streams: 100
|
max_concurrent_streams: 100
|
||||||
initial_stream_window_size: 65536 # 64 KiB
|
initial_stream_window_size: 65536 # 64 KiB
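Review bot: The values key in the guard `{{- if .Values.hardening.unescapeSlahes }}` is misspelled (`Slahes` for `Slashes`), and the same spelling is used for the default added in the values hunk that follows. Both Envoy settings appear on the old side as well, so they were emitted unconditionally before, and these keys are now the only switch for two ingress hardening controls. An operator who writes the correctly spelled `unescapeSlashes: false` gets no error and no effect, and the umbrella templates later in this commit forward the `hardening` map verbatim, so the misspelling becomes part of the user-facing values. I would rename it before it ships: `{{- if .Values.hardening.unescapeSlashes }}` here and `unescapeSlashes: true` in the defaults.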
|
||||||
|
@ -39,3 +39,7 @@ telemetry:
|
|||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
proxyProtocol: true
|
proxyProtocol: true
|
||||||
|
|
||||||
|
hardening:
|
||||||
|
rejectUnderscoresHeaders: true
|
||||||
|
unescapeSlahes: true
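Review bot: The new `hardening` defaults carry no comments, so a reader of the values file cannot tell what is relaxed when a flag is set to `false`. Going by the template hunk on this page, `rejectUnderscoresHeaders` gates `headers_with_underscores_action: REJECT_REQUEST` and `unescapeSlahes` gates `path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT`. I would add one comment per key, e.g. `# reject requests whose header names contain underscores` and `# unescape %2F / %5C in the path and redirect to the normalized URL`. A further line should say that turning the second flag off lets escaped slashes reach backends un-normalized, which matters wherever path-based authorization is enforced at the gateway.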
|
||||||
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||||||
name: kubezero-logging
|
name: kubezero-logging
|
||||||
description: KubeZero Umbrella Chart for complete EFK stack
|
description: KubeZero Umbrella Chart for complete EFK stack
|
||||||
type: application
|
type: application
|
||||||
version: 0.8.9
|
version: 0.8.10
|
||||||
appVersion: 1.6.0
|
appVersion: 1.6.0
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
|
@ -37,7 +37,7 @@ fluentd:
|
|||||||
enabled: false
|
enabled: false
|
||||||
image:
|
image:
|
||||||
repository: public.ecr.aws/zero-downtime/fluentd-concenter
|
repository: public.ecr.aws/zero-downtime/fluentd-concenter
|
||||||
tag: v1.16.0
|
tag: v1.16.3
|
||||||
istio:
|
istio:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
@ -88,10 +88,8 @@ fluentd:
|
|||||||
# OUTPUT_USER: elastic
|
# OUTPUT_USER: elastic
|
||||||
# OUTPUT_SSL_VERIFY: "false"
|
# OUTPUT_SSL_VERIFY: "false"
|
||||||
|
|
||||||
env:
|
|
||||||
- name: "FLUENTD_CONF"
|
|
||||||
value: "../../etc/fluent/fluent.conf"
|
|
||||||
# Same here the secret names change if fullnameOverride is not used !!
|
# Same here the secret names change if fullnameOverride is not used !!
|
||||||
|
env:
|
||||||
- name: OUTPUT_PASSWORD
|
- name: OUTPUT_PASSWORD
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
|
@ -18,7 +18,7 @@
|
|||||||
"subdir": "contrib/mixin"
|
"subdir": "contrib/mixin"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"version": "6db5e00103accde744c856be03f38f44569eca65",
|
"version": "7851295966ae3dd5308c37079b5df58440d1fb36",
|
||||||
"sum": "xuUBd2vqF7asyVDe5CE08uPT/RxAdy8O75EjFJoMXXU="
|
"sum": "xuUBd2vqF7asyVDe5CE08uPT/RxAdy8O75EjFJoMXXU="
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -58,7 +58,7 @@
|
|||||||
"subdir": "gen/grafonnet-v10.0.0"
|
"subdir": "gen/grafonnet-v10.0.0"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"version": "bb2afaffbcefeae1035cd691ab06a486e0022002",
|
"version": "a1b14991306adebdb0107ea9aa74870bf86c346e",
|
||||||
"sum": "gj/20VIGucG2vDGjG7YdHLC4yUUfrpuaneUYaRmymOM="
|
"sum": "gj/20VIGucG2vDGjG7YdHLC4yUUfrpuaneUYaRmymOM="
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -68,7 +68,7 @@
|
|||||||
"subdir": "grafana-builder"
|
"subdir": "grafana-builder"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"version": "32685d75e4ae753e06ab3bea13df9d59bb5da46a",
|
"version": "931f6b1139bb3694b06f2261279ba3dc01aca5b8",
|
||||||
"sum": "VmOxvg9FuY9UYr3lN6ZJe2HhuIErJoWimPybQr3S3yQ="
|
"sum": "VmOxvg9FuY9UYr3lN6ZJe2HhuIErJoWimPybQr3S3yQ="
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -108,7 +108,7 @@
|
|||||||
"subdir": "jsonnet/kube-state-metrics"
|
"subdir": "jsonnet/kube-state-metrics"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"version": "240cffd908220854a27f7e92d8157eaee4dc8d42",
|
"version": "c707af4c2d84193a3480729b3525b0fc3d686e73",
|
||||||
"sum": "+dOzAK+fwsFf97uZpjcjTcEJEC1H8hh/j8f5uIQK/5g="
|
"sum": "+dOzAK+fwsFf97uZpjcjTcEJEC1H8hh/j8f5uIQK/5g="
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -118,7 +118,7 @@
|
|||||||
"subdir": "jsonnet/kube-state-metrics-mixin"
|
"subdir": "jsonnet/kube-state-metrics-mixin"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"version": "240cffd908220854a27f7e92d8157eaee4dc8d42",
|
"version": "c707af4c2d84193a3480729b3525b0fc3d686e73",
|
||||||
"sum": "qclI7LwucTjBef3PkGBkKxF0mfZPbHnn4rlNWKGtR4c="
|
"sum": "qclI7LwucTjBef3PkGBkKxF0mfZPbHnn4rlNWKGtR4c="
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -138,8 +138,8 @@
|
|||||||
"subdir": "jsonnet/kube-prometheus"
|
"subdir": "jsonnet/kube-prometheus"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"version": "0fe6411003b3b9a969a61220fc17a94e2c0be94f",
|
"version": "035b09f42441d4630b3a3de4e4a490d19b1ba5e4",
|
||||||
"sum": "paNe3vjoMkCzrTCW1RCPLcXo+ymOPi9AxA98C/1nbrY="
|
"sum": "bp+cUUcoQjREBPigCP2S1xIvrh7HDQeYqCcrHCuDnUQ="
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"source": {
|
"source": {
|
||||||
@ -148,7 +148,7 @@
|
|||||||
"subdir": "jsonnet/mixin"
|
"subdir": "jsonnet/mixin"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"version": "88eca6a97b762701fe336bda67a67a498883b7e2",
|
"version": "0d918323945ce87f0094c05c153075c0a6edc8de",
|
||||||
"sum": "n3flMIzlADeyygb0uipZ4KPp2uNSjdtkrwgHjTC7Ca4=",
|
"sum": "n3flMIzlADeyygb0uipZ4KPp2uNSjdtkrwgHjTC7Ca4=",
|
||||||
"name": "prometheus-operator-mixin"
|
"name": "prometheus-operator-mixin"
|
||||||
},
|
},
|
||||||
@ -159,8 +159,8 @@
|
|||||||
"subdir": "jsonnet/prometheus-operator"
|
"subdir": "jsonnet/prometheus-operator"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"version": "88eca6a97b762701fe336bda67a67a498883b7e2",
|
"version": "0d918323945ce87f0094c05c153075c0a6edc8de",
|
||||||
"sum": "7ZYZMNBsObCl3OsXsu4Gu4J4tu/g1qf6HOyYkSQY52o="
|
"sum": "1X9mGAj+nRaBAgNRG19mYtDc+ZLVIeAiK5M3h0Tpu7A="
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"source": {
|
"source": {
|
||||||
@ -169,7 +169,7 @@
|
|||||||
"subdir": "doc/alertmanager-mixin"
|
"subdir": "doc/alertmanager-mixin"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"version": "4494abfce419d1bbd3cb1a2c0b6584da88ac9b64",
|
"version": "83486834deb4f886b4828cad3dbbe42d141d951d",
|
||||||
"sum": "IpF46ZXsm+0wJJAPtAre8+yxTNZA57mBqGpBP/r7/kw=",
|
"sum": "IpF46ZXsm+0wJJAPtAre8+yxTNZA57mBqGpBP/r7/kw=",
|
||||||
"name": "alertmanager"
|
"name": "alertmanager"
|
||||||
},
|
},
|
||||||
@ -180,7 +180,7 @@
|
|||||||
"subdir": "docs/node-mixin"
|
"subdir": "docs/node-mixin"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"version": "4abf2c972e058ec875c0768f20d0d4766feb3173",
|
"version": "9666d002487039ac66b20287998945461eefe746",
|
||||||
"sum": "QZwFBpulndqo799gkR5rP2/WdcQKQkNnaBwhaOI8Jeg="
|
"sum": "QZwFBpulndqo799gkR5rP2/WdcQKQkNnaBwhaOI8Jeg="
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -190,7 +190,7 @@
|
|||||||
"subdir": "documentation/prometheus-mixin"
|
"subdir": "documentation/prometheus-mixin"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"version": "59844498f7b12f16c7f004aa951bbb14cdb83991",
|
"version": "2ae84f980f981a004143c8239f4f20a35547ef04",
|
||||||
"sum": "rNvddVTMNfaguOGzEGoeKjUsfhlXJBUImC+SIFNNCiM=",
|
"sum": "rNvddVTMNfaguOGzEGoeKjUsfhlXJBUImC+SIFNNCiM=",
|
||||||
"name": "prometheus"
|
"name": "prometheus"
|
||||||
},
|
},
|
||||||
@ -212,7 +212,7 @@
|
|||||||
"subdir": "mixin"
|
"subdir": "mixin"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"version": "023faa2d67a3050cd68cafd9c4e86e6915b79dc5",
|
"version": "e7aecb401f54bec52540900d455a9c226c5791ff",
|
||||||
"sum": "HhSSbGGCNHCMy1ee5jElYDm0yS9Vesa7QB2/SHKdjsY=",
|
"sum": "HhSSbGGCNHCMy1ee5jElYDm0yS9Vesa7QB2/SHKdjsY=",
|
||||||
"name": "thanos-mixin"
|
"name": "thanos-mixin"
|
||||||
}
|
}
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
rules:
|
rules:
|
||||||
- name: prometheus-rules
|
- name: prometheus-rules
|
||||||
url: file://rules/openebs-mixin-prometheusRules
|
url: file://rules/openebs-mixin-prometheusRules
|
||||||
condition: 'index .Values "lvm-localpv" "prometheus" "enabled"'
|
condition: 'and (index .Values "lvm-localpv" "enabled") (index .Values "lvm-localpv" "prometheus" "enabled")'
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
{{- if index .Values "lvm-localpv" "prometheus" "enabled" }}
|
{{- if and (index .Values "lvm-localpv" "enabled") (index .Values "lvm-localpv" "prometheus" "enabled") }}
|
||||||
apiVersion: monitoring.coreos.com/v1
|
apiVersion: monitoring.coreos.com/v1
|
||||||
kind: PrometheusRule
|
kind: PrometheusRule
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -88,6 +88,10 @@ certificates:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
proxyProtocol: {{ default true (index .Values "istio-ingress" "proxyProtocol") }}
|
proxyProtocol: {{ default true (index .Values "istio-ingress" "proxyProtocol") }}
|
||||||
|
{{- with (index .Values "istio-ingress" "hardening") }}
|
||||||
|
hardening:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
@ -83,6 +83,10 @@ certificates:
|
|||||||
{{- toYaml $cert.dnsNames | nindent 4 }}
|
{{- toYaml $cert.dnsNames | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
proxyProtocol: {{ default true (index .Values "istio-private-ingress" "proxyProtocol") }}
|
proxyProtocol: {{ default true (index .Values "istio-private-ingress" "proxyProtocol") }}
|
||||||
|
{{- with (index .Values "istio-private-ingress" "hardening") }}
|
||||||
|
hardening:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
@ -108,7 +108,7 @@ metrics:
|
|||||||
logging:
|
logging:
|
||||||
enabled: false
|
enabled: false
|
||||||
namespace: logging
|
namespace: logging
|
||||||
targetRevision: 0.8.9
|
targetRevision: 0.8.10
|
||||||
|
|
||||||
argocd:
|
argocd:
|
||||||
enabled: false
|
enabled: false
|
||||||
|