From f0cb8e6cc77c5eff12a6d27fd54811fce7a8c601 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Thu, 14 Dec 2023 12:18:00 +0000
Subject: [PATCH] fix: various minor fixes, istio ingress hardening configurable

---
 .../templates/envoyfilter-hardening.yaml | 4 +++
 charts/kubezero-istio-gateway/values.yaml | 4 +++
 charts/kubezero-logging/Chart.yaml | 2 +-
 charts/kubezero-logging/values.yaml | 6 ++--
 .../jsonnet/jsonnetfile.lock.json | 28 +++++++++----------
 charts/kubezero-storage/jsonnet/rules.yaml | 2 +-
 .../templates/lvm/prometheus-rules.yaml | 2 +-
 charts/kubezero/templates/istio-ingress.yaml | 4 +++
 .../templates/istio-private-ingress.yaml | 4 +++
 charts/kubezero/values.yaml | 2 +-
 10 files changed, 36 insertions(+), 22 deletions(-)

diff --git a/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml b/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
index f836fae..b0ecff6 100644
--- a/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
+++ b/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml
@@ -32,10 +32,14 @@ spec:
 use_remote_address: true
 normalize_path: true
 merge_slashes: true
+ {{- if .Values.hardening.unescapeSlahes }}
 path_with_escaped_slashes_action: UNESCAPE_AND_REDIRECT
+ {{- end }}
 common_http_protocol_options:
 idle_timeout: 3600s # 1 hour
+ {{- if .Values.hardening.rejectUnderscoresHeaders }}
 headers_with_underscores_action: REJECT_REQUEST
+ {{- end }}
 http2_protocol_options:
 max_concurrent_streams: 100
 initial_stream_window_size: 65536 # 64 KiB
diff --git a/charts/kubezero-istio-gateway/values.yaml b/charts/kubezero-istio-gateway/values.yaml
index 0b0506e..afacf6e 100644
--- a/charts/kubezero-istio-gateway/values.yaml
+++ b/charts/kubezero-istio-gateway/values.yaml
@@ -39,3 +39,7 @@ telemetry:
 enabled: false
 proxyProtocol: true
+
+hardening:
+ rejectUnderscoresHeaders: true
+ unescapeSlahes: true
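Review bot: The new values key `unescapeSlahes` is misspelled in both `{{- if .Values.hardening.unescapeSlahes }}` and the `hardening:` block added to `charts/kubezero-istio-gateway/values.yaml`; once a release ships with it, an operator who writes the intended `unescapeSlashes: false` gets a silently ignored key, and correcting the name later becomes a breaking values change, so rename it now in both files: `{{- if .Values.hardening.unescapeSlashes }}` and `unescapeSlashes: true`. Because both flags default to true the typo fails safe today, but the values entries should say what switching a flag off costs: above `hardening:` add `# Turning a flag off falls back to Envoy's defaults: escaped slashes in the path are forwarded unchanged and headers with underscores are allowed, which matters for any path-based authorization evaluated upstream.` The `hardening` map is defined in this chart's values.yaml, so the `.Values.hardening.*` lookups should not hit a nil map at render time unless an override replaces the whole map with a scalar; that edge case is worth a line in the same comment.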
diff --git a/charts/kubezero-logging/Chart.yaml b/charts/kubezero-logging/Chart.yaml
index 065c091..039be18 100644
--- a/charts/kubezero-logging/Chart.yaml
+++ b/charts/kubezero-logging/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-logging
 description: KubeZero Umbrella Chart for complete EFK stack
 type: application
-version: 0.8.9
+version: 0.8.10
 appVersion: 1.6.0
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
diff --git a/charts/kubezero-logging/values.yaml b/charts/kubezero-logging/values.yaml
index 06c0a41..536f2c6 100644
--- a/charts/kubezero-logging/values.yaml
+++ b/charts/kubezero-logging/values.yaml
@@ -37,7 +37,7 @@ fluentd:
 enabled: false
 image:
 repository: public.ecr.aws/zero-downtime/fluentd-concenter
- tag: v1.16.0
+ tag: v1.16.3
 istio:
 enabled: false
@@ -88,10 +88,8 @@ fluentd:
 # OUTPUT_USER: elastic
 # OUTPUT_SSL_VERIFY: "false"
- env:
- - name: "FLUENTD_CONF"
- value: "../../etc/fluent/fluent.conf"
 # Same here the secret names change if fullnameOverride is not used !!
+ env:
 - name: OUTPUT_PASSWORD
 valueFrom:
 secretKeyRef:
diff --git a/charts/kubezero-storage/jsonnet/jsonnetfile.lock.json b/charts/kubezero-storage/jsonnet/jsonnetfile.lock.json
index 10c11a9..19b43fd 100644
--- a/charts/kubezero-storage/jsonnet/jsonnetfile.lock.json
+++ b/charts/kubezero-storage/jsonnet/jsonnetfile.lock.json
@@ -18,7 +18,7 @@ "subdir": "contrib/mixin" } }, - "version": "6db5e00103accde744c856be03f38f44569eca65", + "version": "7851295966ae3dd5308c37079b5df58440d1fb36", "sum": "xuUBd2vqF7asyVDe5CE08uPT/RxAdy8O75EjFJoMXXU=" }, { @@ -58,7 +58,7 @@ "subdir": "gen/grafonnet-v10.0.0" } }, - "version": "bb2afaffbcefeae1035cd691ab06a486e0022002", + "version": "a1b14991306adebdb0107ea9aa74870bf86c346e", "sum": "gj/20VIGucG2vDGjG7YdHLC4yUUfrpuaneUYaRmymOM=" }, {
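Review bot: The second `values.yaml` hunk drops the `FLUENTD_CONF` env entry with no comment, so the fluentd configuration now depends on whatever default config path the `fluentd-concenter` image ships, presumably tied to the tag bump to `v1.16.3` in the first hunk; a reader of the values file cannot see that dependency. Consider a one-line comment where `env:` is re-added, e.g. `# FLUENTD_CONF intentionally unset: the image's built-in default config path is used`. The enclosing `fluentd:` map starts outside both hunks.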
@@ -68,7 +68,7 @@ "subdir": "grafana-builder" } }, - "version": "32685d75e4ae753e06ab3bea13df9d59bb5da46a", + "version": "931f6b1139bb3694b06f2261279ba3dc01aca5b8", "sum": "VmOxvg9FuY9UYr3lN6ZJe2HhuIErJoWimPybQr3S3yQ=" }, { @@ -108,7 +108,7 @@ "subdir": "jsonnet/kube-state-metrics" } }, - "version": "240cffd908220854a27f7e92d8157eaee4dc8d42", + "version": "c707af4c2d84193a3480729b3525b0fc3d686e73", "sum": "+dOzAK+fwsFf97uZpjcjTcEJEC1H8hh/j8f5uIQK/5g=" }, { @@ -118,7 +118,7 @@ "subdir": "jsonnet/kube-state-metrics-mixin" } }, - "version": "240cffd908220854a27f7e92d8157eaee4dc8d42", + "version": "c707af4c2d84193a3480729b3525b0fc3d686e73", "sum": "qclI7LwucTjBef3PkGBkKxF0mfZPbHnn4rlNWKGtR4c=" }, { @@ -138,8 +138,8 @@ "subdir": "jsonnet/kube-prometheus" } }, - "version": "0fe6411003b3b9a969a61220fc17a94e2c0be94f", - "sum": "paNe3vjoMkCzrTCW1RCPLcXo+ymOPi9AxA98C/1nbrY=" + "version": "035b09f42441d4630b3a3de4e4a490d19b1ba5e4", + "sum": "bp+cUUcoQjREBPigCP2S1xIvrh7HDQeYqCcrHCuDnUQ=" }, { "source": { @@ -148,7 +148,7 @@ "subdir": "jsonnet/mixin" } }, - "version": "88eca6a97b762701fe336bda67a67a498883b7e2", + "version": "0d918323945ce87f0094c05c153075c0a6edc8de", "sum": "n3flMIzlADeyygb0uipZ4KPp2uNSjdtkrwgHjTC7Ca4=", "name": "prometheus-operator-mixin" }, @@ -159,8 +159,8 @@ "subdir": "jsonnet/prometheus-operator" } }, - "version": "88eca6a97b762701fe336bda67a67a498883b7e2", - "sum": "7ZYZMNBsObCl3OsXsu4Gu4J4tu/g1qf6HOyYkSQY52o=" + "version": "0d918323945ce87f0094c05c153075c0a6edc8de", + "sum": "1X9mGAj+nRaBAgNRG19mYtDc+ZLVIeAiK5M3h0Tpu7A=" }, { "source": { @@ -169,7 +169,7 @@ "subdir": "doc/alertmanager-mixin" } }, - "version": "4494abfce419d1bbd3cb1a2c0b6584da88ac9b64", + "version": "83486834deb4f886b4828cad3dbbe42d141d951d", "sum": "IpF46ZXsm+0wJJAPtAre8+yxTNZA57mBqGpBP/r7/kw=", "name": "alertmanager" }, 
@@ -180,7 +180,7 @@ "subdir": "docs/node-mixin" } }, - "version": "4abf2c972e058ec875c0768f20d0d4766feb3173", + "version": "9666d002487039ac66b20287998945461eefe746", "sum": "QZwFBpulndqo799gkR5rP2/WdcQKQkNnaBwhaOI8Jeg=" }, { @@ -190,7 +190,7 @@ "subdir": "documentation/prometheus-mixin" } }, - "version": "59844498f7b12f16c7f004aa951bbb14cdb83991", + "version": "2ae84f980f981a004143c8239f4f20a35547ef04", "sum": "rNvddVTMNfaguOGzEGoeKjUsfhlXJBUImC+SIFNNCiM=", "name": "prometheus" }, @@ -212,7 +212,7 @@ "subdir": "mixin" } }, - "version": "023faa2d67a3050cd68cafd9c4e86e6915b79dc5", + "version": "e7aecb401f54bec52540900d455a9c226c5791ff", "sum": "HhSSbGGCNHCMy1ee5jElYDm0yS9Vesa7QB2/SHKdjsY=", "name": "thanos-mixin" }
diff --git a/charts/kubezero-storage/jsonnet/rules.yaml b/charts/kubezero-storage/jsonnet/rules.yaml
index 5816638..6f6ddff 100644
--- a/charts/kubezero-storage/jsonnet/rules.yaml
+++ b/charts/kubezero-storage/jsonnet/rules.yaml
@@ -1,4 +1,4 @@
 rules:
 - name: prometheus-rules
 url: file://rules/openebs-mixin-prometheusRules
- condition: 'index .Values "lvm-localpv" "prometheus" "enabled"'
+ condition: 'and (index .Values "lvm-localpv" "enabled") (index .Values "lvm-localpv" "prometheus" "enabled")'
diff --git a/charts/kubezero-storage/templates/lvm/prometheus-rules.yaml b/charts/kubezero-storage/templates/lvm/prometheus-rules.yaml
index 905c6b3..65c7e34 100644
--- a/charts/kubezero-storage/templates/lvm/prometheus-rules.yaml
+++ b/charts/kubezero-storage/templates/lvm/prometheus-rules.yaml
@@ -1,4 +1,4 @@
-{{- if index .Values "lvm-localpv" "prometheus" "enabled" }}
+{{- if and (index .Values "lvm-localpv" "enabled") (index .Values "lvm-localpv" "prometheus" "enabled") }}
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
diff --git a/charts/kubezero/templates/istio-ingress.yaml b/charts/kubezero/templates/istio-ingress.yaml
index 604c6b8..1c170e8 100644
--- a/charts/kubezero/templates/istio-ingress.yaml
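Review bot: The same guard `and (index .Values "lvm-localpv" "enabled") (index .Values "lvm-localpv" "prometheus" "enabled")` now lives in two places, `jsonnet/rules.yaml` and `templates/lvm/prometheus-rules.yaml`, with nothing tying them together, so the next change to one will likely miss the other. A comment on each side naming its twin would help, e.g. `# keep in sync with templates/lvm/prometheus-rules.yaml` above `condition:` in rules.yaml and the mirror comment above the `{{- if ... }}` in the template. If I recall Go template semantics correctly, `index` on a missing intermediate map aborts rendering rather than evaluating to false, so the guard only behaves as a toggle while `lvm-localpv.prometheus` stays defined in this chart's values; that values file is not part of this patch, so I cannot confirm it.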
+++ b/charts/kubezero/templates/istio-ingress.yaml
@@ -88,6 +88,10 @@ certificates:
 {{- end }}
 {{- end }}
 proxyProtocol: {{ default true (index .Values "istio-ingress" "proxyProtocol") }}
+{{- with (index .Values "istio-ingress" "hardening") }}
+hardening:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
 {{- end }}
diff --git a/charts/kubezero/templates/istio-private-ingress.yaml b/charts/kubezero/templates/istio-private-ingress.yaml
index 7c66870..60376a9 100644
--- a/charts/kubezero/templates/istio-private-ingress.yaml
+++ b/charts/kubezero/templates/istio-private-ingress.yaml
@@ -83,6 +83,10 @@ certificates:
 {{- toYaml $cert.dnsNames | nindent 4 }}
 {{- end }}
 proxyProtocol: {{ default true (index .Values "istio-private-ingress" "proxyProtocol") }}
+{{- with (index .Values "istio-private-ingress" "hardening") }}
+hardening:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
 {{- end }}
diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml
index 2400b14..423ec68 100644
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@@ -108,7 +108,7 @@ metrics:
 logging:
 enabled: false
 namespace: logging
- targetRevision: 0.8.9
+ targetRevision: 0.8.10
 argocd:
 enabled: false
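Review bot: The new `hardening:` pass-through in `istio-ingress.yaml` (and the identical block in `istio-private-ingress.yaml`) lets a per-gateway override relax the Envoy path-normalization and underscore-header defaults, yet `charts/kubezero/values.yaml` in this patch only bumps the logging `targetRevision` and gives no hint that an `istio-ingress.hardening` block exists or what it controls. Add a commented example next to the existing istio-ingress settings in the umbrella values.yaml, e.g. `# hardening:` / `#   rejectUnderscoresHeaders: true` / `#   unescapeSlahes: true` (using whichever spelling the gateway chart settles on), with a sentence stating that both default to true in the gateway chart. Since `with` skips the block when the map is empty and Helm merges a partial override with the subchart defaults, setting one flag to false leaves the other enabled; that is worth stating in the same comment so operators do not assume an override replaces the whole block. The enclosing `{{- if }}` of both templates starts outside the hunks.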