fix: various minor fixes, istio ingress hardening configurable

2023-12-14 12:18:00 +00:00 · 2023-12-14 12:18:00 +00:00 · f0cb8e6cc7
parent a39542e387
commit f0cb8e6cc7
10 changed files with 36 additions and 22 deletions
--- a/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
+++ b/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
@ -32,10 +32,14 @@ spec:
          use_remote_address: true
          normalize_path: true
          merge_slashes: true
+          {{- if .Values.hardening.unescapeSlahes }}
          path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT
+          {{- end }}
          common_http_protocol_options:
            idle_timeout: 3600s # 1 hour
+            {{- if .Values.hardening.rejectUnderscoresHeaders }}
            headers_with_underscores_action: REJECT_REQUEST
+            {{- end }}
          http2_protocol_options:
            max_concurrent_streams: 100
            initial_stream_window_size: 65536 # 64 KiB
--- a/charts/kubezero-istio-gateway/values.yaml
+++ b/charts/kubezero-istio-gateway/values.yaml
@ -39,3 +39,7 @@ telemetry:
  enabled: false

 proxyProtocol: true
+
+hardening:
+  rejectUnderscoresHeaders: true
+  unescapeSlahes: true
--- a/charts/kubezero-logging/Chart.yaml
+++ b/charts/kubezero-logging/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-logging
 description: KubeZero Umbrella Chart for complete EFK stack
 type: application
-version: 0.8.9
+version: 0.8.10
 appVersion: 1.6.0
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
--- a/charts/kubezero-logging/values.yaml
+++ b/charts/kubezero-logging/values.yaml
@ -37,7 +37,7 @@ fluentd:
  enabled: false
  image:
    repository: public.ecr.aws/zero-downtime/fluentd-concenter
-    tag: v1.16.0
+    tag: v1.16.3
  istio:
    enabled: false

@ -88,10 +88,8 @@ fluentd:
  #  OUTPUT_USER: elastic
  #  OUTPUT_SSL_VERIFY: "false"

-  env:
-  - name: "FLUENTD_CONF"
-    value: "../../etc/fluent/fluent.conf"
  # Same here the secret names change if fullnameOverride is not used !!
+  env:
  - name: OUTPUT_PASSWORD
    valueFrom:
      secretKeyRef:
--- a/charts/kubezero-storage/jsonnet/jsonnetfile.lock.json
+++ b/charts/kubezero-storage/jsonnet/jsonnetfile.lock.json
@ -18,7 +18,7 @@
          "subdir": "contrib/mixin"
        }
      },
-      "version": "6db5e00103accde744c856be03f38f44569eca65",
+      "version": "7851295966ae3dd5308c37079b5df58440d1fb36",
      "sum": "xuUBd2vqF7asyVDe5CE08uPT/RxAdy8O75EjFJoMXXU="
    },
    {
@ -58,7 +58,7 @@
          "subdir": "gen/grafonnet-v10.0.0"
        }
      },
-      "version": "bb2afaffbcefeae1035cd691ab06a486e0022002",
+      "version": "a1b14991306adebdb0107ea9aa74870bf86c346e",
      "sum": "gj/20VIGucG2vDGjG7YdHLC4yUUfrpuaneUYaRmymOM="
    },
    {
@ -68,7 +68,7 @@
          "subdir": "grafana-builder"
        }
      },
-      "version": "32685d75e4ae753e06ab3bea13df9d59bb5da46a",
+      "version": "931f6b1139bb3694b06f2261279ba3dc01aca5b8",
      "sum": "VmOxvg9FuY9UYr3lN6ZJe2HhuIErJoWimPybQr3S3yQ="
    },
    {
@ -108,7 +108,7 @@
          "subdir": "jsonnet/kube-state-metrics"
        }
      },
-      "version": "240cffd908220854a27f7e92d8157eaee4dc8d42",
+      "version": "c707af4c2d84193a3480729b3525b0fc3d686e73",
      "sum": "+dOzAK+fwsFf97uZpjcjTcEJEC1H8hh/j8f5uIQK/5g="
    },
    {
@ -118,7 +118,7 @@
          "subdir": "jsonnet/kube-state-metrics-mixin"
        }
      },
-      "version": "240cffd908220854a27f7e92d8157eaee4dc8d42",
+      "version": "c707af4c2d84193a3480729b3525b0fc3d686e73",
      "sum": "qclI7LwucTjBef3PkGBkKxF0mfZPbHnn4rlNWKGtR4c="
    },
    {
@ -138,8 +138,8 @@
          "subdir": "jsonnet/kube-prometheus"
        }
      },
-      "version": "0fe6411003b3b9a969a61220fc17a94e2c0be94f",
-      "sum": "paNe3vjoMkCzrTCW1RCPLcXo+ymOPi9AxA98C/1nbrY="
+      "version": "035b09f42441d4630b3a3de4e4a490d19b1ba5e4",
+      "sum": "bp+cUUcoQjREBPigCP2S1xIvrh7HDQeYqCcrHCuDnUQ="
    },
    {
      "source": {
@ -148,7 +148,7 @@
          "subdir": "jsonnet/mixin"
        }
      },
-      "version": "88eca6a97b762701fe336bda67a67a498883b7e2",
+      "version": "0d918323945ce87f0094c05c153075c0a6edc8de",
      "sum": "n3flMIzlADeyygb0uipZ4KPp2uNSjdtkrwgHjTC7Ca4=",
      "name": "prometheus-operator-mixin"
    },
@ -159,8 +159,8 @@
          "subdir": "jsonnet/prometheus-operator"
        }
      },
-      "version": "88eca6a97b762701fe336bda67a67a498883b7e2",
-      "sum": "7ZYZMNBsObCl3OsXsu4Gu4J4tu/g1qf6HOyYkSQY52o="
+      "version": "0d918323945ce87f0094c05c153075c0a6edc8de",
+      "sum": "1X9mGAj+nRaBAgNRG19mYtDc+ZLVIeAiK5M3h0Tpu7A="
    },
    {
      "source": {
@ -169,7 +169,7 @@
          "subdir": "doc/alertmanager-mixin"
        }
      },
-      "version": "4494abfce419d1bbd3cb1a2c0b6584da88ac9b64",
+      "version": "83486834deb4f886b4828cad3dbbe42d141d951d",
      "sum": "IpF46ZXsm+0wJJAPtAre8+yxTNZA57mBqGpBP/r7/kw=",
      "name": "alertmanager"
    },
@ -180,7 +180,7 @@
          "subdir": "docs/node-mixin"
        }
      },
-      "version": "4abf2c972e058ec875c0768f20d0d4766feb3173",
+      "version": "9666d002487039ac66b20287998945461eefe746",
      "sum": "QZwFBpulndqo799gkR5rP2/WdcQKQkNnaBwhaOI8Jeg="
    },
    {
@ -190,7 +190,7 @@
          "subdir": "documentation/prometheus-mixin"
        }
      },
-      "version": "59844498f7b12f16c7f004aa951bbb14cdb83991",
+      "version": "2ae84f980f981a004143c8239f4f20a35547ef04",
      "sum": "rNvddVTMNfaguOGzEGoeKjUsfhlXJBUImC+SIFNNCiM=",
      "name": "prometheus"
    },
@ -212,7 +212,7 @@
          "subdir": "mixin"
        }
      },
-      "version": "023faa2d67a3050cd68cafd9c4e86e6915b79dc5",
+      "version": "e7aecb401f54bec52540900d455a9c226c5791ff",
      "sum": "HhSSbGGCNHCMy1ee5jElYDm0yS9Vesa7QB2/SHKdjsY=",
      "name": "thanos-mixin"
    }
--- a/charts/kubezero-storage/jsonnet/rules.yaml
+++ b/charts/kubezero-storage/jsonnet/rules.yaml
@ -1,4 +1,4 @@
 rules:
 - name: prometheus-rules
  url: file://rules/openebs-mixin-prometheusRules
-  condition: 'index .Values "lvm-localpv" "prometheus" "enabled"'
+  condition: 'and (index .Values "lvm-localpv" "enabled") (index .Values "lvm-localpv" "prometheus" "enabled")'
--- a/charts/kubezero-storage/templates/lvm/prometheus-rules.yaml
+++ b/charts/kubezero-storage/templates/lvm/prometheus-rules.yaml
@ -1,4 +1,4 @@
-{{- if index .Values "lvm-localpv" "prometheus" "enabled" }}
+{{- if and (index .Values "lvm-localpv" "enabled") (index .Values "lvm-localpv" "prometheus" "enabled") }}
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
--- a/charts/kubezero/templates/istio-ingress.yaml
+++ b/charts/kubezero/templates/istio-ingress.yaml
@ -88,6 +88,10 @@ certificates:
 {{- end }}
 {{- end }}
 proxyProtocol: {{ default true (index .Values "istio-ingress" "proxyProtocol") }}
+{{- with (index .Values "istio-ingress" "hardening") }}
+hardening:
+  {{- toYaml . | nindent 2 }}
+{{- end }}

 {{- end }}

--- a/charts/kubezero/templates/istio-private-ingress.yaml
+++ b/charts/kubezero/templates/istio-private-ingress.yaml
@ -83,6 +83,10 @@ certificates:
  {{- toYaml $cert.dnsNames | nindent 4 }}
 {{- end }}
 proxyProtocol: {{ default true (index .Values "istio-private-ingress" "proxyProtocol") }}
+{{- with (index .Values "istio-private-ingress" "hardening") }}
+hardening:
+  {{- toYaml . | nindent 2 }}
+{{- end }}

 {{- end }}

--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@ -108,7 +108,7 @@ metrics:
 logging:
  enabled: false
  namespace: logging
-  targetRevision: 0.8.9
+  targetRevision: 0.8.10

 argocd:
  enabled: false