# frozen_string_literal: true
module Clusters
module Applications
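# Cluster application record for the NGINX ingress controller Helm chart.
#
# Besides the plain ingress install it owns the optional ModSecurity WAF
# configuration: the chart values are the vendored values file deep-merged
# with +specification+, which turns ModSecurity on in the controller, mounts
# a vendored modsecurity.conf and adds a sidecar that streams the audit log.
class Ingress < ApplicationRecord
  VERSION = '1.40.2'
  INGRESS_CONTAINER_NAME = 'nginx-ingress-controller'
  MODSECURITY_LOG_CONTAINER_NAME = 'modsecurity-log'
  # Values written to +SecRuleEngine+ in the ModSecurity snippet.
  # DetectionOnly records rule matches without rejecting requests; On rejects.
  MODSECURITY_MODE_LOGGING = "DetectionOnly"
  MODSECURITY_MODE_BLOCKING = "On"
  # OWASP Core Rule Set entry point inside the controller image; pulled in by
  # the snippet's +Include+ rather than by the chart's own CRS switch.
  MODSECURITY_OWASP_RULES_FILE = "/etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf"

  self.table_name = 'clusters_applications_ingress'

  include ::Clusters::Concerns::ApplicationCore
  include ::Clusters::Concerns::ApplicationStatus
  include ::Clusters::Concerns::ApplicationVersion
  include ::Clusters::Concerns::ApplicationData
  include AfterCommitQueue
  include UsageStatistics

  default_value_for :ingress_type, :nginx
  # ModSecurity is enabled by default but starts in logging (DetectionOnly)
  # mode; blocking must be chosen explicitly.
  default_value_for :modsecurity_enabled, true
  default_value_for :version, VERSION
  default_value_for :modsecurity_mode, :logging

  enum ingress_type: {
    nginx: 1
  }

  enum modsecurity_mode: { logging: 0, blocking: 1 }

  # A +nil+ column is "never configured", distinct from an explicit +false+.
  scope :modsecurity_not_installed, -> { where(modsecurity_enabled: nil) }
  scope :modsecurity_enabled, -> { where(modsecurity_enabled: true) }
  scope :modsecurity_disabled, -> { where(modsecurity_enabled: false) }

  # Delay before the first poll for the ingress service's external address.
  FETCH_IP_ADDRESS_DELAY = 30.seconds

  state_machine :status do
    # After a successful install, look up the external IP/hostname in the
    # background. The job is enqueued only once the surrounding transaction
    # has committed, so the worker can always find the record.
    after_transition any => [:installed] do |application|
      application.run_after_commit do
        ClusterWaitForIngressIpAddressWorker.perform_in(
          FETCH_IP_ADDRESS_DELAY, application.name, application.id)
      end
    end
  end

  # @return [String] Helm chart reference installed by this application.
  def chart
    'stable/nginx-ingress'
  end

  # Chart values passed to Helm, as a YAML document.
  #
  # @return [String] vendored values merged with the ModSecurity specification
  def values
    content_values.to_yaml
  end

  # Uninstall is allowed only once the external address is known and no
  # Jupyter application (which depends on the ingress) is installed.
  #
  # @return [Boolean]
  def allowed_to_uninstall?
    external_ip_or_hostname? && !application_jupyter_installed?
  end

  # Builds the Helm install command for this ingress.
  #
  # @return [Gitlab::Kubernetes::Helm::InstallCommand]
  def install_command
    Gitlab::Kubernetes::Helm::InstallCommand.new(
      name: name,
      version: VERSION,
      rbac: cluster.platform_kubernetes_rbac?,
      chart: chart,
      files: files
    )
  end

  # @return [Boolean] whether a non-blank external IP or hostname is recorded
  def external_ip_or_hostname?
    external_ip.present? || external_hostname.present?
  end

  # Enqueues the address lookup worker when the ingress is installed but its
  # external address is still unknown.
  #
  # Uses +external_ip_or_hostname?+ (a presence check) rather than raw
  # truthiness so that a blank address still triggers a lookup, consistent
  # with +allowed_to_uninstall?+; a blank value would otherwise leave the
  # record permanently without an address.
  def schedule_status_update
    return unless installed?
    return if external_ip_or_hostname?

    ClusterWaitForIngressIpAddressWorker.perform_async(name, id)
  end

  # Fetches the controller's Kubernetes Service from the Helm namespace.
  #
  # @return [Object] service object as returned by the cluster's kubeclient
  def ingress_service
    cluster.kubeclient.get_service("ingress-#{INGRESS_CONTAINER_NAME}", Gitlab::Kubernetes::Helm::NAMESPACE)
  end

  private

  # Extra chart values that enable ModSecurity in the controller.
  #
  # Empty when ModSecurity is disabled. Otherwise:
  # - controller config turns ModSecurity on, leaves the chart's own OWASP CRS
  #   switch off (the snippet includes the CRS file directly, together with
  #   the SecRuleEngine mode) and supplies the vendored modsecurity.conf;
  # - a busybox sidecar tails the audit log to its stdout from a read-only
  #   mount of the shared log volume, with a liveness probe that only passes
  #   once the audit log file exists;
  # - the vendored modsecurity.conf is mounted over the controller's copy via
  #   a ConfigMap subPath, and the log volume is an emptyDir shared by the
  #   controller and the sidecar.
  #
  # @return [Hash] nested chart values to deep-merge into the values file
  def specification
    return {} unless modsecurity_enabled

    {
      "controller" => {
        "config" => {
          "enable-modsecurity" => "true",
          "enable-owasp-modsecurity-crs" => "false",
          "modsecurity-snippet" => modsecurity_snippet_content,
          "modsecurity.conf" => modsecurity_config_content
        },
        "extraContainers" => [
          {
            "name" => MODSECURITY_LOG_CONTAINER_NAME,
            # NOTE(review): no tag or digest, so this resolves to whatever the
            # registry serves as the default tag; pin it if reproducible
            # sidecar deployments matter.
            "image" => "busybox",
            "args" => [
              "/bin/sh",
              "-c",
              "tail -F /var/log/modsec/audit.log"
            ],
            "volumeMounts" => [
              {
                "name" => "modsecurity-log-volume",
                "mountPath" => "/var/log/modsec",
                "readOnly" => true
              }
            ],
            "livenessProbe" => {
              "exec" => {
                "command" => [
                  "ls",
                  "/var/log/modsec/audit.log"
                ]
              }
            }
          }
        ],
        "extraVolumeMounts" => [
          {
            "name" => "modsecurity-template-volume",
            "mountPath" => "/etc/nginx/modsecurity/modsecurity.conf",
            "subPath" => "modsecurity.conf"
          },
          {
            "name" => "modsecurity-log-volume",
            "mountPath" => "/var/log/modsec"
          }
        ],
        "extraVolumes" => [
          {
            "name" => "modsecurity-template-volume",
            "configMap" => {
              # Presumably the ConfigMap the chart renders from
              # controller.config; the "modsecurity.conf" item is the key set
              # above — verify against the chart version in VERSION.
              "name" => "ingress-#{INGRESS_CONTAINER_NAME}",
              "items" => [
                {
                  "key" => "modsecurity.conf",
                  "path" => "modsecurity.conf"
                }
              ]
            }
          },
          {
            "name" => "modsecurity-log-volume",
            "emptyDir" => {}
          }
        ]
      }
    }
  end

  # @return [String] contents of the vendored modsecurity.conf
  def modsecurity_config_content
    File.read(modsecurity_config_file_path)
  end

  # @return [Pathname] path of the modsecurity.conf shipped in vendor/ingress
  def modsecurity_config_file_path
    Rails.root.join('vendor', 'ingress', 'modsecurity.conf')
  end

  # Vendored chart values deep-merged with +specification+.
  #
  # +YAML.load_file+ accepts arbitrary tags. That is acceptable only because
  # +chart_values_file+ (defined in an included concern — verify) points at a
  # file shipped with the application, not at cluster- or user-supplied data;
  # switch to +YAML.safe_load+ if that ever changes.
  #
  # @return [Hash]
  def content_values
    YAML.load_file(chart_values_file).deep_merge!(specification)
  end

  # @return [Boolean, nil] true when the cluster's Jupyter app is installed;
  #   nil when the cluster has no Jupyter application record
  def application_jupyter_installed?
    cluster.application_jupyter&.installed?
  end

  # ModSecurity directives injected into the controller's nginx config:
  # the engine mode derived from +modsecurity_mode+ and an +Include+ of the
  # OWASP CRS entry point.
  #
  # @return [String] two newline-separated directives
  def modsecurity_snippet_content
    sec_rule_engine = logging? ? MODSECURITY_MODE_LOGGING : MODSECURITY_MODE_BLOCKING

    "SecRuleEngine #{sec_rule_engine}\nInclude #{MODSECURITY_OWASP_RULES_FILE}"
  end
end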
end
end