From cf3d5726e2a124e81c564d8e94e37fe034c0ae19 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Thu, 14 Dec 2023 12:37:05 +0000
Subject: [PATCH] chore: fix typos, cleanup
---
 [B | 164 ------------------
 charts/kubezero-ci/README.md | 2 +-
 .../templates/envoyfilter-hardening.yaml | 2 +-
 charts/kubezero-istio-gateway/values.yaml | 2 +-
 docs/notes.md | 8 +
 5 files changed, 11 insertions(+), 167 deletions(-)
 delete mode 100644 [B
diff --git a/[B b/[B
deleted file mode 100644
index 9ea27f3..0000000
--- a/[B
+++ /dev/null
@@ -1,164 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: kubezero
- namespace: argocd
-spec:
- destination:
- namespace: argocd
- server: https://kubernetes.default.svc
- project: kubezero
- source:
- chart: kubezero
- helm:
- values: |
- argocd:
- enabled: true
- configs:
- cm:
- url: https://argocd.vi.epmyalptest.com
- istio:
- enabled: true
- gateway: istio-ingress/private-ingressgateway
- cert-manager:
- enabled: true
- IamArn: arn:aws:iam::561550319853:role/us-east-1.plaympe-test-vi.cert-manager
- clusterIssuer:
- name: letsencrypt-dns-prod
- email: admin@dice.net
- server: https://acme-v02.api.letsencrypt.org/directory
- solvers:
- - dns01:
- route53:
- region: us-east-1
- selector:
- dnsZones:
- - epmyalptest.com
- - vi.epmyalptest.com
- - plaympetest.com
- - vi.plaympetest.com
- global:
- aws:
- accountId: '561550319853'
- region: us-east-1
- clusterName: plaympe-test-vi
- highAvailable: false
- istio:
- enabled: true
- rateLimiting:
- enabled: true
- istio-ingress:
- enabled: true
- certificates:
- - name: ingress-cert
- dnsNames:
- - '*.epmyalptest.com'
- - '*.vi.epmyalptest.com'
- - '*.plaympetest.com'
- - '*.vi.plaympetest.com'
- istio-private-ingress:
- enabled: true
- certificates:
- - name: private-ingress-cert
- dnsNames:
- - '*.epmyalptest.com'
- - '*.vi.epmyalptest.com'
- - '*.plaympetest.com'
- - '*.vi.plaympetest.com'
- kubezero:
- gitSync:
- path: clusters/plaympe-test/us-east-1
- repoURL: https://bitbucket.org/destinymedia/kubernetes
- targetRevision: HEAD
- syncPolicy:
- automated:
- prune: true
- logging:
- enabled: true
- fluent-bit:
- enabled: true
- config:
- extraRecords:
- source.clustername: plaympe-test-vi
- output:
- host: fluentd.or.epmyalptest.com
- tls: true
- metrics:
- enabled: true
- istio:
- alertmanager:
- enabled: true
- gateway: istio-ingress/private-ingressgateway
- url: alertmanager.vi.epmyalptest.com
- grafana:
- enabled: true
- gateway: istio-ingress/private-ingressgateway
- url: metrics.vi.epmyalptest.com
- prometheus:
- enabled: true
- gateway: istio-ingress/private-ingressgateway
- url: prometheus.vi.epmyalptest.com
- kube-prometheus-stack:
- alertmanager:
- enabled: true
- alertmanagerSpec:
- externalUrl: https://alertmanager.vi.epmyalptest.com
- prometheus:
- prometheusSpec:
- externalUrl: https://prometheus.vi.epmyalptest.com
- network:
- cilium:
- enabled: true
- cluster:
- name: plaympe-test-vi
- id: 221
- ipam:
- operator:
- clusterPoolIPv4PodCIDRList:
- - 10.221.0.0/16
- operators:
- enabled: true
- eck-operator:
- enabled: true
- storage:
- enabled: true
- aws-ebs-csi-driver:
- enabled: true
- IamArn: arn:aws:iam::561550319853:role/us-east-1.plaympe-test-vi.ebs-csi-controller-sa
- aws-efs-csi-driver:
- enabled: true
- IamArn: arn:aws:iam::561550319853:role/us-east-1.plaympe-test-vi.efs-csi-controller-sa
- PersistentVolumes:
- - name: services-dsny-cache
- claimRef:
- name: dsny-cache
- namespace: services
- volumeAttributes:
- encryptInTransit: 'false'
- volumeHandle: fs-ec4ad96f:/services/dsny-cache
- - name: services-geolocation
- claimRef:
- name: geolocation
- namespace: services
- volumeAttributes:
- encryptInTransit: 'false'
- volumeHandle: fs-ec4ad96f:/services/geolocation
- - name: platform-geolocation
- claimRef:
- name: geolocation
- namespace: platform
- volumeAttributes:
- encryptInTransit: 'false'
- volumeHandle: fs-ec4ad96f:/platform/geolocation
- - name: services-soundmouse
- claimRef:
- name: soundmouse
- namespace: services
- volumeAttributes:
- encryptInTransit: 'false'
- volumeHandle: fs-ec4ad96f:/services/soundmouse
- repoURL: https://cdn.zero-downtime.net/charts
- targetRevision: 1.27.8
- syncPolicy:
- automated:
- prune: true
diff --git a/charts/kubezero-ci/README.md b/charts/kubezero-ci/README.md
index ecd3c59..215c0a3 100644
--- a/charts/kubezero-ci/README.md
+++ b/charts/kubezero-ci/README.md
@@ -149,7 +149,7 @@ Kubernetes: `>= 1.25.0`
 | renovate.env.LOG_FORMAT | string | `"json"` | |
 | renovate.securityContext.fsGroup | int | `1000` | |
 | trivy.enabled | bool | `false` | |
-| trivy.image.tag | string | `"0.45.1"` | |
+| trivy.image.tag | string | `"0.47.0"` | |
 | trivy.persistence.enabled | bool | `true` | |
 | trivy.persistence.size | string | `"1Gi"` | |
 | trivy.rbac.create | bool | `false` | |
diff --git a/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml b/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
index b0ecff6..563a1b5 100644
--- a/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
+++ b/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
@@ -32,7 +32,7 @@ spec:
 use_remote_address: true
 normalize_path: true
 merge_slashes: true
- {{- if .Values.hardening.unescapeSlahes }}
+ {{- if .Values.hardening.unescapeSlashes }}
 path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT
 {{- end }}
 common_http_protocol_options:
diff --git a/charts/kubezero-istio-gateway/values.yaml b/charts/kubezero-istio-gateway/values.yaml
index afacf6e..ae51063 100644
--- a/charts/kubezero-istio-gateway/values.yaml
+++ b/charts/kubezero-istio-gateway/values.yaml
@@ -42,4 +42,4 @@ proxyProtocol: true
 hardening:
 rejectUnderscoresHeaders: true
- unescapeSlahes: true
+ unescapeSlashes: true
diff --git a/docs/notes.md b/docs/notes.md
index d777880..b112a25 100644
--- a/docs/notes.md
+++ b/docs/notes.md
@@ -52,3 +52,11 @@ See: https://github.com/int128/kauthproxy Once installed simply execute: `kubectl auth-proxy -n kubernetes-dashboard https://kubernetes-dashboard.svc` and access the dashboard via the automatically opened browser window.
+
+
+## Istio
+HTTP Body size
+- https://github.com/istio/istio/issues/26152
+
+AccessLogs:
+- https://dev.to/ironcore864/a-comprehensive-tutorial-on-service-mesh-istio-envoy-access-log-and-log-filtering-2j3i
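Review bot: The corrected condition in `charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml` (`{{- if .Values.hardening.unescapeSlashes }}`) no longer reads the old spelling, so an override that still sets `hardening.unescapeSlahes: false` is ignored and the gateway picks up the chart default `unescapeSlashes: true` from the `values.yaml` hunk, turning on `path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT` without any notice. Unless the chart ships a values schema (none is visible here), Helm will not reject the stale key, so a path-normalization setting changes silently on upgrade. I would fail fast at the top of the template with `{{- if hasKey .Values.hardening "unescapeSlahes" }}{{ fail "hardening.unescapeSlahes was renamed to hardening.unescapeSlashes" }}{{- end }}` and call out the rename in the release notes. The EnvoyFilter spec starts and ends outside the hunk, so other readers of the old key cannot be ruled out from this view.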