From 545a7fd8b191ef0b54ac371fdfee032c1dea1003 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Thu, 13 Mar 2025 21:02:53 +0000 Subject: [PATCH] feat: latest CI tools, improved Gitea API endpoint protection --- charts/envoy-ratelimit/values.yaml | 22 +++++++++++++++---- charts/kubezero-ci/README.md | 18 ++++++++------- .../kubezero-ci/charts/jenkins/CHANGELOG.md | 8 +++++++ charts/kubezero-ci/charts/jenkins/Chart.yaml | 8 +++---- charts/kubezero-ci/charts/jenkins/VALUES.md | 2 +- charts/kubezero-ci/charts/jenkins/values.yaml | 2 +- .../gitea/istio-authorization-policy.yaml | 4 +++- .../templates/gitea/istio-service.yaml | 15 +++++++------ charts/kubezero-ci/values.yaml | 2 +- charts/kubezero-istio-gateway/README.md | 1 + charts/kubezero-istio/README.md | 10 --------- 11 files changed, 55 insertions(+), 37 deletions(-) diff --git a/charts/envoy-ratelimit/values.yaml b/charts/envoy-ratelimit/values.yaml index 773e058b..3756e5c1 100644 --- a/charts/envoy-ratelimit/values.yaml +++ b/charts/envoy-ratelimit/values.yaml @@ -17,22 +17,36 @@ failureModeDeny: false # - slow: 1 req/s over a minute per sourceIP descriptors: ingress: - - key: speed - value: slow + - key: sourceIp + value: sixtyPerMinute descriptors: - key: remote_address rate_limit: unit: minute requests_per_unit: 60 + - key: sourceIp + value: tenPerSecond + descriptors: + - key: remote_address + rate_limit: + unit: second + requests_per_unit: 10 privateIngress: - - key: speed - value: slow + - key: sourceIp + value: sixtyPerMinute descriptors: - key: remote_address rate_limit: unit: minute requests_per_unit: 60 + - key: sourceIp + value: tenPerSecond + descriptors: + - key: remote_address + rate_limit: + unit: second + requests_per_unit: 10 metrics: enabled: false diff --git a/charts/kubezero-ci/README.md b/charts/kubezero-ci/README.md index ceef6748..7ccb5999 100644 --- a/charts/kubezero-ci/README.md +++ b/charts/kubezero-ci/README.md 
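Review bot: The context comment `# - slow: 1 req/s over a minute per sourceIP` directly under the hunk header now describes a descriptor that no longer exists; the new entries are `sourceIp: sixtyPerMinute` and `sourceIp: tenPerSecond`, so it should read `# - sixtyPerMinute: 60 req/min per source IP` / `# - tenPerSecond: 10 req/s burst per source IP`. Renaming the generic_key pair from `speed`/`slow` to `sourceIp`/`sixtyPerMinute` only takes effect if the gateway's rate_limits actions emit the same key and value; a mismatch is not an error, the ratelimit service simply finds no matching descriptor and applies no limit, and because that is not a service failure `failureModeDeny` does not cover it. The EnvoyFilter that produces those descriptors is not part of this patch, so confirm it was changed in the same release. Both limits key on `remote_address`, which is only the real client address when the gateway trusts proxy protocol or XFF from its load balancer; otherwise every request shares one address and the 10 req/s bucket throttles all traffic at once.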
@@ -1,6 +1,6 @@ # kubezero-ci -![Version: 0.8.20](https://img.shields.io/badge/Version-0.8.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.8.21](https://img.shields.io/badge/Version-0.8.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero umbrella chart for all things CI @@ -18,11 +18,11 @@ Kubernetes: `>= 1.25.0` | Repository | Name | Version | |------------|------|---------| -| https://aquasecurity.github.io/helm-charts/ | trivy | 0.11.1 | -| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.1.6 | -| https://charts.jenkins.io | jenkins | 5.8.16 | -| https://dl.gitea.io/charts/ | gitea | 10.6.0 | -| https://docs.renovatebot.com/helm-charts | renovate | 39.180.2 | +| https://aquasecurity.github.io/helm-charts/ | trivy | 0.12.0 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 | +| https://charts.jenkins.io | jenkins | 5.8.18 | +| https://dl.gitea.io/charts/ | gitea | 11.0.0 | +| https://docs.renovatebot.com/helm-charts | renovate | 39.200.0 | # Jenkins - default build retention 10 builds, 32days @@ -68,7 +68,8 @@ Kubernetes: `>= 1.25.0` | gitea.gitea.metrics.enabled | bool | `false` | | | gitea.gitea.metrics.serviceMonitor.enabled | bool | `true` | | | gitea.image.rootless | bool | `true` | | -| gitea.image.tag | string | `"1.23.4"` | | +| gitea.image.tag | string | `"1.23.5"` | | +| gitea.istio.blockApi | bool | `false` | | | gitea.istio.enabled | bool | `false` | | | gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | | gitea.istio.url | string | `"git.example.com"` | | 
@@ -83,6 +84,7 @@ Kubernetes: `>= 1.25.0` | gitea.resources.requests.memory | string | `"320Mi"` | | | gitea.securityContext.allowPrivilegeEscalation | bool | `false` | | | gitea.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| gitea.service.http.port | int | `80` | | | gitea.strategy.type | string | `"Recreate"` | | | gitea.test.enabled | bool | `false` | | | jenkins.agent.annotations."cluster-autoscaler.kubernetes.io/safe-to-evict" | string | `"false"` | | @@ -156,7 +158,7 @@ Kubernetes: `>= 1.25.0` | jenkins.serviceAccountAgent.create | bool | `true` | | | jenkins.serviceAccountAgent.name | string | `"jenkins-podman-aws"` | | | renovate.cronjob.concurrencyPolicy | string | `"Forbid"` | | -| renovate.cronjob.jobBackoffLimit | int | `3` | | +| renovate.cronjob.jobBackoffLimit | int | `2` | | | renovate.cronjob.schedule | string | `"0 3 * * *"` | | | renovate.cronjob.successfulJobsHistoryLimit | int | `1` | | | renovate.enabled | bool | `false` | | diff --git a/charts/kubezero-ci/charts/jenkins/CHANGELOG.md b/charts/kubezero-ci/charts/jenkins/CHANGELOG.md index a3341d37..ea89fed1 100644 --- a/charts/kubezero-ci/charts/jenkins/CHANGELOG.md +++ b/charts/kubezero-ci/charts/jenkins/CHANGELOG.md @@ -12,6 +12,14 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0. The changelog until v1.5.7 was auto-generated based on git commits. Those entries include a reference to the git commit to be able to get more details. +## 5.8.18 + +Update `jenkins/jenkins` to version `2.492.2-jdk17` + +## 5.8.17 + +Update `kubernetes` to version `4314.v5b_846cf499eb_` + ## 5.8.16 Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.1` diff --git a/charts/kubezero-ci/charts/jenkins/Chart.yaml b/charts/kubezero-ci/charts/jenkins/Chart.yaml index 3b235e50..25334a5c 100644 --- a/charts/kubezero-ci/charts/jenkins/Chart.yaml +++ b/charts/kubezero-ci/charts/jenkins/Chart.yaml 
@@ -1,10 +1,10 @@ annotations: artifacthub.io/category: integration-delivery artifacthub.io/changes: | - - Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.1` + - Update `jenkins/jenkins` to version `2.492.2-jdk17` artifacthub.io/images: | - name: jenkins - image: docker.io/jenkins/jenkins:2.492.1-jdk17 + image: docker.io/jenkins/jenkins:2.492.2-jdk17 - name: k8s-sidecar image: docker.io/kiwigrid/k8s-sidecar:1.30.1 - name: inbound-agent @@ -18,7 +18,7 @@ annotations: - name: support url: https://github.com/jenkinsci/helm-charts/issues apiVersion: v2 -appVersion: 2.492.1 +appVersion: 2.492.2 description: 'Jenkins - Build great things at any scale! As the leading open source automation server, Jenkins provides over 2000 plugins to support building, deploying and automating any project. ' @@ -46,4 +46,4 @@ sources: - https://github.com/maorfr/kube-tasks - https://github.com/jenkinsci/configuration-as-code-plugin type: application -version: 5.8.16 +version: 5.8.18 diff --git a/charts/kubezero-ci/charts/jenkins/VALUES.md b/charts/kubezero-ci/charts/jenkins/VALUES.md index e67f484d..b25b535d 100644 --- a/charts/kubezero-ci/charts/jenkins/VALUES.md +++ b/charts/kubezero-ci/charts/jenkins/VALUES.md 
@@ -165,7 +165,7 @@ The following tables list the configurable parameters of the Jenkins chart and t | [controller.initializeOnce](./values.yaml#L424) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` | | [controller.installLatestPlugins](./values.yaml#L413) | bool | Download the minimum required version or latest version of all dependencies | `true` | | [controller.installLatestSpecifiedPlugins](./values.yaml#L416) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` | -| [controller.installPlugins](./values.yaml#L405) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4313.va_9b_4fe2a_0e34","workflow-aggregator:600.vb_57cdd26fdd7","git:5.7.0","configuration-as-code:1932.v75cb_b_f1b_698d"]` | +| [controller.installPlugins](./values.yaml#L405) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4314.v5b_846cf499eb_","workflow-aggregator:600.vb_57cdd26fdd7","git:5.7.0","configuration-as-code:1932.v75cb_b_f1b_698d"]` | | [controller.javaOpts](./values.yaml#L162) | string | Append to `JAVA_OPTS` env var | `nil` | | [controller.jenkinsAdminEmail](./values.yaml#L96) | string | Email address for the administrator of the Jenkins instance | `nil` | | [controller.jenkinsHome](./values.yaml#L101) | string | Custom Jenkins home path | `"/var/jenkins_home"` | diff --git a/charts/kubezero-ci/charts/jenkins/values.yaml b/charts/kubezero-ci/charts/jenkins/values.yaml index cc8f39c2..bc77c57d 100644 --- a/charts/kubezero-ci/charts/jenkins/values.yaml +++ b/charts/kubezero-ci/charts/jenkins/values.yaml 
@@ -403,7 +403,7 @@ controller: # Plugins will be installed during Jenkins controller start # -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` installPlugins: - - kubernetes:4313.va_9b_4fe2a_0e34 + - kubernetes:4314.v5b_846cf499eb_ - workflow-aggregator:600.vb_57cdd26fdd7 - git:5.7.0 - configuration-as-code:1932.v75cb_b_f1b_698d diff --git a/charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml b/charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml index 266cddd4..f8bd94d7 100644 --- a/charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml +++ b/charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml @@ -1,4 +1,5 @@ -{{- if and .Values.gitea.enabled .Values.gitea.istio.enabled .Values.gitea.istio.ipBlocks }} +{{- if and .Values.gitea.enabled .Values.gitea.istio.enabled .Values.gitea.istio.ipBlocks .Values.gitea.istio.blockApi }} +# Limit access to /api apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: @@ -19,6 +20,7 @@ spec: to: - operation: hosts: ["{{ .Values.gitea.istio.url }}"] + paths: [ "/api/*" ] when: - key: connection.sni values: diff --git a/charts/kubezero-ci/templates/gitea/istio-service.yaml b/charts/kubezero-ci/templates/gitea/istio-service.yaml index dd3a406f..3d2e1d83 100644 --- a/charts/kubezero-ci/templates/gitea/istio-service.yaml +++ b/charts/kubezero-ci/templates/gitea/istio-service.yaml @@ -12,14 +12,15 @@ spec: hosts: - {{ .Values.gitea.istio.url }} http: - {{- if .Values.gitea.istio.blockApi }} - - match: + - name: api + match: - uri: - prefix: /api - directResponse: - status: 401 - {{- end }} - - route: + prefix: /api/ + route: + - destination: + host: gitea-http + - name: notApi + route: - destination: host: gitea-http tcp: diff --git a/charts/kubezero-ci/values.yaml b/charts/kubezero-ci/values.yaml index 7d2f5e60..f97d68ad 100644 --- a/charts/kubezero-ci/values.yaml +++ b/charts/kubezero-ci/values.yaml 
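Review bot: With the `directResponse: 401` short-circuit removed from the VirtualService, this render condition is the only control left on `/api`, and it silently emits nothing when `gitea.istio.ipBlocks` is empty even if `blockApi` is true, so the API becomes fully reachable where the previous chart returned 401. Either fail the render up front, `{{- if and .Values.gitea.istio.blockApi (not .Values.gitea.istio.ipBlocks) }}{{ fail "gitea.istio.blockApi requires gitea.istio.ipBlocks" }}{{- end }}`, or at least document the dependency next to `blockApi` in values.yaml. The added comment `# Limit access to /api` should say what the policy actually does and when it exists, e.g. `# Restrict /api/* to gitea.istio.ipBlocks; rendered only when blockApi and ipBlocks are both set`.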
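Review bot: Adding `paths: [ "/api/*" ]` to `to.operation` changes what the whole policy means depending on its `action`, which sits above this hunk and is not visible here. If the policy is `ALLOW` with `from.source.ipBlocks`, Istio denies every request to the selected workload that matches no ALLOW rule, so once this object exists all non-`/api/*` traffic (and traffic to any other SNI) on that gateway is rejected unless another ALLOW policy covers it; only a `DENY` with `notIpBlocks` yields "block /api from outside, leave the rest alone". The `/api/*` pattern is also only as robust as `meshConfig.pathNormalization` makes it, so variants like `//api/v1` or `/api/../api/v1` should be tested against the gateway rather than assumed blocked. A comment above the rule stating the intended semantics, e.g. for a DENY policy `# Reject /api/* unless the client IP is in ipBlocks; other paths are not evaluated here`, would make the next reader check the right thing.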
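Review bot: The new `api` and `notApi` routes differ only in their `name` and both send traffic to `host: gitea-http`, so the split has no routing effect on its own and reads like an accidental duplication. If the named route exists to be referenced elsewhere (route-scoped telemetry, rate-limit actions, or the AuthorizationPolicy) say so above `- name: api`, e.g. `# Separate named route so /api/ traffic can be targeted by policy and rate limiting; the destination is the same as notApi`. Note that this template no longer consults `gitea.istio.blockApi` at all, so the flag's meaning has changed from "return 401 on /api" to "restrict /api via AuthorizationPolicy" and the README row for `gitea.istio.blockApi` should state that.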
@@ -2,7 +2,7 @@ gitea: enabled: false image: - tag: 1.23.4 + tag: 1.23.5 rootless: true repliaCount: 1 diff --git a/charts/kubezero-istio-gateway/README.md b/charts/kubezero-istio-gateway/README.md index af129f6c..4515c52c 100644 --- a/charts/kubezero-istio-gateway/README.md +++ b/charts/kubezero-istio-gateway/README.md @@ -41,6 +41,7 @@ Kubernetes: `>= 1.30.0-0` | gateway.service.externalTrafficPolicy | string | `"Local"` | | | gateway.service.type | string | `"NodePort"` | | | gateway.terminationGracePeriodSeconds | int | `120` | | +| hardening.preserveExternalRequestId | bool | `false` | | | hardening.rejectUnderscoresHeaders | bool | `true` | | | hardening.unescapeSlashes | bool | `true` | | | proxyProtocol | bool | `true` | | diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md index cf71a856..e5865aa7 100644 --- a/charts/kubezero-istio/README.md +++ b/charts/kubezero-istio/README.md @@ -30,17 +30,7 @@ Kubernetes: `>= 1.30.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| -| envoy-ratelimit.descriptors.ingress[0].key | string | `"remote_address"` | | -| envoy-ratelimit.descriptors.ingress[0].rate_limit.requests_per_unit | int | `10` | | -| envoy-ratelimit.descriptors.ingress[0].rate_limit.unit | string | `"second"` | | -| envoy-ratelimit.descriptors.privateIngress[0].key | string | `"remote_address"` | | -| envoy-ratelimit.descriptors.privateIngress[0].rate_limit.requests_per_unit | int | `10` | | -| envoy-ratelimit.descriptors.privateIngress[0].rate_limit.unit | string | `"second"` | | | envoy-ratelimit.enabled | bool | `false` | | -| envoy-ratelimit.failureModeDeny | bool | `false` | | -| envoy-ratelimit.localCacheSize | int | `1048576` | | -| envoy-ratelimit.log.format | string | `"json"` | | -| envoy-ratelimit.log.level | string | `"warn"` | | | global.defaultPodDisruptionBudget.enabled | bool | `false` | | | global.logAsJson | bool | `true` | | | global.variant | string | `"distroless"` | |