ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 25 Packages Projects Releases Wiki Activity

feat: latest CI tools, improved Gitea API endpoint protection

Browse Source
This commit is contained in:
Stefan Reimer 2025-03-13 21:02:53 +00:00
parent 56a2926917
commit 545a7fd8b1
11 changed files with 55 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
charts/envoy-ratelimit/values.yaml
View File

@ -17,22 +17,36 @@ failureModeDeny: false
# - slow: 1 req/s over a minute per sourceIP # - slow: 1 req/s over a minute per sourceIP
descriptors: descriptors:
ingress: ingress:
- key: speed - key: sourceIp
value: slow value: sixtyPerMinute
descriptors: descriptors:
- key: remote_address - key: remote_address
rate_limit: rate_limit:
unit: minute unit: minute
requests_per_unit: 60 requests_per_unit: 60
- key: sourceIp
value: tenPerSecond
descriptors:
- key: remote_address
rate_limit:
unit: second
requests_per_unit: 10
privateIngress: privateIngress:
- key: speed - key: sourceIp
value: slow value: sixtyPerMinute
descriptors: descriptors:
- key: remote_address - key: remote_address
rate_limit: rate_limit:
unit: minute unit: minute
requests_per_unit: 60 requests_per_unit: 60
- key: sourceIp
value: tenPerSecond
descriptors:
- key: remote_address
rate_limit:
unit: second
requests_per_unit: 10
metrics: metrics:
enabled: false enabled: false

18
charts/kubezero-ci/README.md
View File

@ -1,6 +1,6 @@
# kubezero-ci # kubezero-ci
![Version: 0.8.20](https://img.shields.io/badge/Version-0.8.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.8.21](https://img.shields.io/badge/Version-0.8.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero umbrella chart for all things CI KubeZero umbrella chart for all things CI
@ -18,11 +18,11 @@ Kubernetes: `>= 1.25.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://aquasecurity.github.io/helm-charts/ | trivy | 0.11.1 | | https://aquasecurity.github.io/helm-charts/ | trivy | 0.12.0 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.1.6 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
| https://charts.jenkins.io | jenkins | 5.8.16 | | https://charts.jenkins.io | jenkins | 5.8.18 |
| https://dl.gitea.io/charts/ | gitea | 10.6.0 | | https://dl.gitea.io/charts/ | gitea | 11.0.0 |
| https://docs.renovatebot.com/helm-charts | renovate | 39.180.2 | | https://docs.renovatebot.com/helm-charts | renovate | 39.200.0 |
# Jenkins # Jenkins
- default build retention 10 builds, 32days - default build retention 10 builds, 32days
@ -68,7 +68,8 @@ Kubernetes: `>= 1.25.0`
| gitea.gitea.metrics.enabled | bool | `false` | | | gitea.gitea.metrics.enabled | bool | `false` | |
| gitea.gitea.metrics.serviceMonitor.enabled | bool | `true` | | | gitea.gitea.metrics.serviceMonitor.enabled | bool | `true` | |
| gitea.image.rootless | bool | `true` | | | gitea.image.rootless | bool | `true` | |
| gitea.image.tag | string | `"1.23.4"` | | | gitea.image.tag | string | `"1.23.5"` | |
| gitea.istio.blockApi | bool | `false` | |
| gitea.istio.enabled | bool | `false` | | | gitea.istio.enabled | bool | `false` | |
| gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | | gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
| gitea.istio.url | string | `"git.example.com"` | | | gitea.istio.url | string | `"git.example.com"` | |
@ -83,6 +84,7 @@ Kubernetes: `>= 1.25.0`
| gitea.resources.requests.memory | string | `"320Mi"` | | | gitea.resources.requests.memory | string | `"320Mi"` | |
| gitea.securityContext.allowPrivilegeEscalation | bool | `false` | | | gitea.securityContext.allowPrivilegeEscalation | bool | `false` | |
| gitea.securityContext.capabilities.drop[0] | string | `"ALL"` | | | gitea.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| gitea.service.http.port | int | `80` | |
| gitea.strategy.type | string | `"Recreate"` | | | gitea.strategy.type | string | `"Recreate"` | |
| gitea.test.enabled | bool | `false` | | | gitea.test.enabled | bool | `false` | |
| jenkins.agent.annotations."cluster-autoscaler.kubernetes.io/safe-to-evict" | string | `"false"` | | | jenkins.agent.annotations."cluster-autoscaler.kubernetes.io/safe-to-evict" | string | `"false"` | |
@ -156,7 +158,7 @@ Kubernetes: `>= 1.25.0`
| jenkins.serviceAccountAgent.create | bool | `true` | | | jenkins.serviceAccountAgent.create | bool | `true` | |
| jenkins.serviceAccountAgent.name | string | `"jenkins-podman-aws"` | | | jenkins.serviceAccountAgent.name | string | `"jenkins-podman-aws"` | |
| renovate.cronjob.concurrencyPolicy | string | `"Forbid"` | | | renovate.cronjob.concurrencyPolicy | string | `"Forbid"` | |
| renovate.cronjob.jobBackoffLimit | int | `3` | | | renovate.cronjob.jobBackoffLimit | int | `2` | |
| renovate.cronjob.schedule | string | `"0 3 * * *"` | | | renovate.cronjob.schedule | string | `"0 3 * * *"` | |
| renovate.cronjob.successfulJobsHistoryLimit | int | `1` | | | renovate.cronjob.successfulJobsHistoryLimit | int | `1` | |
| renovate.enabled | bool | `false` | | | renovate.enabled | bool | `false` | |

8
charts/kubezero-ci/charts/jenkins/CHANGELOG.md
View File

@ -12,6 +12,14 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0.
The changelog until v1.5.7 was auto-generated based on git commits. The changelog until v1.5.7 was auto-generated based on git commits.
Those entries include a reference to the git commit to be able to get more details. Those entries include a reference to the git commit to be able to get more details.
## 5.8.18
Update `jenkins/jenkins` to version `2.492.2-jdk17`
## 5.8.17
Update `kubernetes` to version `4314.v5b_846cf499eb_`
## 5.8.16 ## 5.8.16
Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.1` Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.1`

8
charts/kubezero-ci/charts/jenkins/Chart.yaml
View File

@ -1,10 +1,10 @@
annotations: annotations:
artifacthub.io/category: integration-delivery artifacthub.io/category: integration-delivery
artifacthub.io/changes: | artifacthub.io/changes: |
- Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.1` - Update `jenkins/jenkins` to version `2.492.2-jdk17`
artifacthub.io/images: | artifacthub.io/images: |
- name: jenkins - name: jenkins
image: docker.io/jenkins/jenkins:2.492.1-jdk17 image: docker.io/jenkins/jenkins:2.492.2-jdk17
- name: k8s-sidecar - name: k8s-sidecar
image: docker.io/kiwigrid/k8s-sidecar:1.30.1 image: docker.io/kiwigrid/k8s-sidecar:1.30.1
- name: inbound-agent - name: inbound-agent
@ -18,7 +18,7 @@ annotations:
- name: support - name: support
url: https://github.com/jenkinsci/helm-charts/issues url: https://github.com/jenkinsci/helm-charts/issues
apiVersion: v2 apiVersion: v2
appVersion: 2.492.1 appVersion: 2.492.2
description: 'Jenkins - Build great things at any scale! As the leading open source description: 'Jenkins - Build great things at any scale! As the leading open source
automation server, Jenkins provides over 2000 plugins to support building, deploying automation server, Jenkins provides over 2000 plugins to support building, deploying
and automating any project. ' and automating any project. '
@ -46,4 +46,4 @@ sources:
- https://github.com/maorfr/kube-tasks - https://github.com/maorfr/kube-tasks
- https://github.com/jenkinsci/configuration-as-code-plugin - https://github.com/jenkinsci/configuration-as-code-plugin
type: application type: application
version: 5.8.16 version: 5.8.18

2
charts/kubezero-ci/charts/jenkins/VALUES.md
View File

@ -165,7 +165,7 @@ The following tables list the configurable parameters of the Jenkins chart and t
| [controller.initializeOnce](./values.yaml#L424) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` | | [controller.initializeOnce](./values.yaml#L424) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` |
| [controller.installLatestPlugins](./values.yaml#L413) | bool | Download the minimum required version or latest version of all dependencies | `true` | | [controller.installLatestPlugins](./values.yaml#L413) | bool | Download the minimum required version or latest version of all dependencies | `true` |
| [controller.installLatestSpecifiedPlugins](./values.yaml#L416) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` | | [controller.installLatestSpecifiedPlugins](./values.yaml#L416) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` |
| [controller.installPlugins](./values.yaml#L405) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4313.va_9b_4fe2a_0e34","workflow-aggregator:600.vb_57cdd26fdd7","git:5.7.0","configuration-as-code:1932.v75cb_b_f1b_698d"]` | | [controller.installPlugins](./values.yaml#L405) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4314.v5b_846cf499eb_","workflow-aggregator:600.vb_57cdd26fdd7","git:5.7.0","configuration-as-code:1932.v75cb_b_f1b_698d"]` |
| [controller.javaOpts](./values.yaml#L162) | string | Append to `JAVA_OPTS` env var | `nil` | | [controller.javaOpts](./values.yaml#L162) | string | Append to `JAVA_OPTS` env var | `nil` |
| [controller.jenkinsAdminEmail](./values.yaml#L96) | string | Email address for the administrator of the Jenkins instance | `nil` | | [controller.jenkinsAdminEmail](./values.yaml#L96) | string | Email address for the administrator of the Jenkins instance | `nil` |
| [controller.jenkinsHome](./values.yaml#L101) | string | Custom Jenkins home path | `"/var/jenkins_home"` | | [controller.jenkinsHome](./values.yaml#L101) | string | Custom Jenkins home path | `"/var/jenkins_home"` |

2
charts/kubezero-ci/charts/jenkins/values.yaml
View File

@ -403,7 +403,7 @@ controller:
# Plugins will be installed during Jenkins controller start # Plugins will be installed during Jenkins controller start
# -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` # -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false`
installPlugins: installPlugins:
- kubernetes:4313.va_9b_4fe2a_0e34 - kubernetes:4314.v5b_846cf499eb_
- workflow-aggregator:600.vb_57cdd26fdd7 - workflow-aggregator:600.vb_57cdd26fdd7
- git:5.7.0 - git:5.7.0
- configuration-as-code:1932.v75cb_b_f1b_698d - configuration-as-code:1932.v75cb_b_f1b_698d

4
charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml
View File

@ -1,4 +1,5 @@
{{- if and .Values.gitea.enabled .Values.gitea.istio.enabled .Values.gitea.istio.ipBlocks }} {{- if and .Values.gitea.enabled .Values.gitea.istio.enabled .Values.gitea.istio.ipBlocks .Values.gitea.istio.blockApi }}
# Limit access to /api
apiVersion: security.istio.io/v1beta1 apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy kind: AuthorizationPolicy
metadata: metadata:
@ -19,6 +20,7 @@ spec:
to: to:
- operation: - operation:
hosts: ["{{ .Values.gitea.istio.url }}"] hosts: ["{{ .Values.gitea.istio.url }}"]
paths: [ "/api/*" ]
when: when:
- key: connection.sni - key: connection.sni
values: values:

15
charts/kubezero-ci/templates/gitea/istio-service.yaml
View File

@ -12,14 +12,15 @@ spec:
hosts: hosts:
- {{ .Values.gitea.istio.url }} - {{ .Values.gitea.istio.url }}
http: http:
{{- if .Values.gitea.istio.blockApi }} - name: api
- match: match:
- uri: - uri:
prefix: /api prefix: /api/
directResponse: route:
status: 401 - destination:
{{- end }} host: gitea-http
- route: - name: notApi
route:
- destination: - destination:
host: gitea-http host: gitea-http
tcp: tcp:

2
charts/kubezero-ci/values.yaml
View File

@ -2,7 +2,7 @@ gitea:
enabled: false enabled: false
image: image:
tag: 1.23.4 tag: 1.23.5
rootless: true rootless: true
repliaCount: 1 repliaCount: 1

1
charts/kubezero-istio-gateway/README.md
View File

@ -41,6 +41,7 @@ Kubernetes: `>= 1.30.0-0`
| gateway.service.externalTrafficPolicy | string | `"Local"` | | | gateway.service.externalTrafficPolicy | string | `"Local"` | |
| gateway.service.type | string | `"NodePort"` | | | gateway.service.type | string | `"NodePort"` | |
| gateway.terminationGracePeriodSeconds | int | `120` | | | gateway.terminationGracePeriodSeconds | int | `120` | |
| hardening.preserveExternalRequestId | bool | `false` | |
| hardening.rejectUnderscoresHeaders | bool | `true` | | | hardening.rejectUnderscoresHeaders | bool | `true` | |
| hardening.unescapeSlashes | bool | `true` | | | hardening.unescapeSlashes | bool | `true` | |
| proxyProtocol | bool | `true` | | | proxyProtocol | bool | `true` | |

10
charts/kubezero-istio/README.md
View File

@ -30,17 +30,7 @@ Kubernetes: `>= 1.30.0-0`
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| envoy-ratelimit.descriptors.ingress[0].key | string | `"remote_address"` | |
| envoy-ratelimit.descriptors.ingress[0].rate_limit.requests_per_unit | int | `10` | |
| envoy-ratelimit.descriptors.ingress[0].rate_limit.unit | string | `"second"` | |
| envoy-ratelimit.descriptors.privateIngress[0].key | string | `"remote_address"` | |
| envoy-ratelimit.descriptors.privateIngress[0].rate_limit.requests_per_unit | int | `10` | |
| envoy-ratelimit.descriptors.privateIngress[0].rate_limit.unit | string | `"second"` | |
| envoy-ratelimit.enabled | bool | `false` | | | envoy-ratelimit.enabled | bool | `false` | |
| envoy-ratelimit.failureModeDeny | bool | `false` | |
| envoy-ratelimit.localCacheSize | int | `1048576` | |
| envoy-ratelimit.log.format | string | `"json"` | |
| envoy-ratelimit.log.level | string | `"warn"` | |
| global.defaultPodDisruptionBudget.enabled | bool | `false` | | | global.defaultPodDisruptionBudget.enabled | bool | `false` | |
| global.logAsJson | bool | `true` | | | global.logAsJson | bool | `true` | |
| global.variant | string | `"distroless"` | | | global.variant | string | `"distroless"` | |