
test/webhooks: Deny all non-internal access to save/origin/visit/webhook

Guillaume Samson requested to merge test_deny_webhooks_access into staging

Related to swh/infra/sysadm-environment#5165 (closed)

  1. The modification in cluster-configuration allows using server-snippet.
    https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#server-snippet
  2. The modification in the test-cluster configuration allows access to the webapp location /save/origin/visit/webhook only from the cluster-internal network range.
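The two points above put two source-IP layers on the same vhost: the Ingress-wide whitelist-source-range annotation, which ingress-nginx turns into allow/deny directives inside every location it generates, and the server-snippet location for /save/origin/visit/webhook with its own allow/deny list. The following is an added example, not code from the Software Heritage charts: it models nginx's prefix-location selection and access-module semantics in Python, with the CIDRs copied from this merge request and a constructed request table, so you can see which client/path pairs end up allowed before touching the cluster. The forwarded-header handling is a simplified model of ingress-nginx's use-forwarded-headers behaviour and is an assumption of this example, not something the merge request configures.

```python
"""Model of the source-IP policy the merge request puts on the svix Ingress.

Two layers apply to a request once ingress-nginx honours the snippet:
  * the Ingress-wide nginx.ingress.kubernetes.io/whitelist-source-range, which
    the controller turns into allow/deny directives inside every location it
    generates (here the one for path "/"), and
  * the server-snippet location for /save/origin/visit/webhook with its own
    allow/deny list.
CIDRs are copied from the merge request; the request table and the
forwarded-header handling are constructed for this example.
"""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # ("allow" | "deny", CIDR or "all")

# Ingress-wide whitelist (annotation value in the MR).
WHITELIST_SOURCE_RANGE = [
    "10.42.0.0/16", "10.43.0.0/16",
    "192.168.130.0/24", "192.168.50.0/24", "192.168.101.0/24",
]

# server-snippet location (directives in the MR, in order).
WEBHOOK_PATH = "/save/origin/visit/webhook"
WEBHOOK_RULES: List[Rule] = [
    ("allow", "10.42.0.0/16"),
    ("allow", "10.43.0.0/16"),
    ("deny", "all"),
]

# Prefix locations as nginx ends up with them: the controller-generated
# location for path "/" and the snippet's location, side by side.
LOCATIONS = {
    "/": [("allow", c) for c in WHITELIST_SOURCE_RANGE] + [("deny", "all")],
    WEBHOOK_PATH: WEBHOOK_RULES,
}


def select_location(path: str) -> str:
    """nginx prefix-location selection: the longest matching prefix wins,
    so the snippet location shadows "/" for the webhook path and anything
    beneath it."""
    return max((p for p in LOCATIONS if path.startswith(p)), key=len)


def evaluate_acl(rules: List[Rule], client_ip: str) -> bool:
    """ngx_http_access_module semantics: rules are tested in order and the
    first match decides; a request matching no rule is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or ip in ipaddress.ip_network(target):
            return action == "allow"
    return True


def is_allowed(client_ip: str, path: str) -> bool:
    """Access decision for one request. Proxying to the backend is a separate
    question: the snippet location in the MR carries no proxy_pass."""
    return evaluate_acl(LOCATIONS[select_location(path)], client_ip)


def effective_client_ip(remote_addr: str, x_forwarded_for: Optional[str],
                        trust_forwarded: bool) -> str:
    """Address the allow/deny rules are evaluated against. Simplified model
    (assumption of this example): when the controller trusts forwarded
    headers from every peer, the leftmost X-Forwarded-For entry replaces the
    TCP peer address; otherwise the TCP peer address is used."""
    if trust_forwarded and x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


# Constructed sample requests: (client address, path).
SAMPLE_REQUESTS = [
    ("10.42.3.4", WEBHOOK_PATH),          # pod on the cluster network
    ("192.168.130.10", WEBHOOK_PATH),     # host on an admin network
    ("192.168.130.10", "/"),              # same host, rest of the vhost
    ("203.0.113.7", WEBHOOK_PATH),        # outside every listed range
    ("203.0.113.7", "/"),
]


def decision_table(requests=SAMPLE_REQUESTS) -> dict:
    """Map each (client, path) pair to its allow/deny outcome."""
    return {req: is_allowed(*req) for req in requests}


if __name__ == "__main__":
    for (client, path), allowed in decision_table().items():
        print(f"{client:>16} {path:<28} {'allow' if allowed else 'deny (403)'}")
    # Spoofed header: the same external client claims a pod address.
    spoofed = effective_client_ip("203.0.113.7", "10.42.0.9", trust_forwarded=True)
    print(f"forwarded-header trust lets {spoofed!r} reach the webhook:",
          is_allowed(spoofed, WEBHOOK_PATH))
```

The table shows the intended split: pods (10.42.0.0/16) pass both layers, admin-network hosts (192.168.130.0/24 and the other listed ranges) still reach the rest of the vhost but get 403 on the webhook path, and everything else is denied everywhere. The last two lines show why the allow list is only as strong as the client address nginx sees: if the controller trusts X-Forwarded-For from arbitrary peers, an external caller can claim a pod address and pass the webhook ACL.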
Helm diff cluster-configuration
./helm-diff.sh cluster-configuration
[cluster-configuration] Comparing changes between branches production and test_deny_webhooks_access...
Your branch is up to date with 'origin/production'.
[cluster-configuration] Generate config in production branch for cluster-configuration/values/admin-rke2.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/archive-production-rke2.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/archive-staging-rke2.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/gitlab-production.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/gitlab-staging.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/rancher.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/test-staging-rke2.yaml...
Your branch is up to date with 'origin/test_deny_webhooks_access'.
[cluster-configuration] Generate config in test_deny_webhooks_access branch for cluster-configuration/values/admin-rke2.yaml...
[cluster-configuration] Generate config in test_deny_webhooks_access branch for cluster-configuration/values/archive-production-rke2.yaml...
[cluster-configuration] Generate config in test_deny_webhooks_access branch for cluster-configuration/values/archive-staging-rke2.yaml...
[cluster-configuration] Generate config in test_deny_webhooks_access branch for cluster-configuration/values/gitlab-production.yaml...
[cluster-configuration] Generate config in test_deny_webhooks_access branch for cluster-configuration/values/gitlab-staging.yaml...
[cluster-configuration] Generate config in test_deny_webhooks_access branch for cluster-configuration/values/rancher.yaml...
[cluster-configuration] Generate config in test_deny_webhooks_access branch for cluster-configuration/values/test-staging-rke2.yaml...


------------- diff for cluster-configuration/values/admin-rke2.yaml -------------

No differences


------------- diff for cluster-configuration/values/archive-production-rke2.yaml -------------

No differences


------------- diff for cluster-configuration/values/archive-staging-rke2.yaml -------------

No differences


------------- diff for cluster-configuration/values/gitlab-production.yaml -------------

No differences


------------- diff for cluster-configuration/values/gitlab-staging.yaml -------------

No differences


------------- diff for cluster-configuration/values/rancher.yaml -------------

No differences


------------- diff for cluster-configuration/values/test-staging-rke2.yaml -------------

--- /tmp/swh-chart.cluster-configuration.XVJUyTS8/test-staging-rke2.yaml.before	2023-12-04 17:14:08.348706182 +0100
+++ /tmp/swh-chart.cluster-configuration.XVJUyTS8/test-staging-rke2.yaml.after	2023-12-04 17:14:08.632710755 +0100
@@ -165,20 +165,21 @@
           ingressClassResource:
             name: "nginx"
             default: true
           metrics:
             enabled: true
             serviceMonitor:
               enabled: true
               namespaceSelector:
                 any: true
           config:
+            server-snippets: true
             worker-processes: 2
           resources:
             requests:
               cpu: 50m
               memory: 200Mi
   destination:
     server: https://rancher.euwest.azure.internal.softwareheritage.org/k8s/clusters/c-m-hb9j7h5g
     namespace: ingress-nginx
   syncPolicy:
     automated:
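Review bot: `server-snippets: true` under `config:` does not look like an ingress-nginx ConfigMap key. The option that gates `*-snippet` annotations is `allow-snippet-annotations` (a string `"true"`), and the singular `server-snippet` is the global server-level snippet, a string of nginx directives, not a boolean; an unrecognised key is not applied by the controller, so the annotation in the svix Ingress may be silently dropped. Whether it works today may only depend on the controller version (the default of `allow-snippet-annotations` was flipped to false in ingress-nginx 1.9.0), so verify after sync by dumping the controller's rendered config, e.g. `kubectl -n ingress-nginx exec <controller pod> -- grep -A4 'location /save/origin/visit/webhook' /etc/nginx/nginx.conf`. Keep in mind the setting is cluster-wide: once snippet annotations are allowed, anyone who can create an Ingress in any namespace of this cluster can inject arbitrary nginx directives into the shared controller, so it is worth pairing it with `annotation-value-word-blocklist` or RBAC limits on who can create Ingress objects.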
Helm diff cluster-components
./helm-diff.sh cluster-components
[cluster-components] Comparing changes between branches production and test_deny_webhooks_access...
Your branch is up to date with 'origin/production'.
[cluster-components] Generate config in production branch for cluster-components/values/admin-rke2.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/archive-production-rke2.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/archive-staging-rke2.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/gitlab-production.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/gitlab-staging.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/minikube.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/rancher.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/test-staging-rke2.yaml...
Your branch is up to date with 'origin/test_deny_webhooks_access'.
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/admin-rke2.yaml...
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/archive-production-rke2.yaml...
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/archive-staging-rke2.yaml...
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/gitlab-production.yaml...
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/gitlab-staging.yaml...
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/minikube.yaml...
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/rancher.yaml...
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/test-staging-rke2.yaml...


------------- diff for cluster-components/values/admin-rke2.yaml -------------

No differences


------------- diff for cluster-components/values/archive-production-rke2.yaml -------------

No differences


------------- diff for cluster-components/values/archive-staging-rke2.yaml -------------

No differences


------------- diff for cluster-components/values/gitlab-production.yaml -------------

No differences


------------- diff for cluster-components/values/gitlab-staging.yaml -------------

No differences


------------- diff for cluster-components/values/minikube.yaml -------------

No differences


------------- diff for cluster-components/values/rancher.yaml -------------

No differences


------------- diff for cluster-components/values/test-staging-rke2.yaml -------------

--- /tmp/swh-chart.cluster-components.opVTXqnt/test-staging-rke2.yaml.before	2023-12-04 17:15:40.450189172 +0100
+++ /tmp/swh-chart.cluster-components.opVTXqnt/test-staging-rke2.yaml.after	2023-12-04 17:15:41.758210235 +0100
@@ -310,20 +310,26 @@
 # Source: cluster-config/templates/svix/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: svix-server
   name: svix-ingress
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/tls-acme: "true"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/server-snippet: |
+      location /save/origin/visit/webhook {
+        allow 10.42.0.0/16;
+        allow 10.43.0.0/16;
+        deny all;
+      }
     nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.130.0/24,192.168.50.0/24,192.168.101.0/24
 spec:
   rules:
   - host: svix-test.internal.staging.swh.network
     http:
       paths:
       - path: /
         pathType: Prefix
         backend:
           service:
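Review bot: the new `location /save/origin/visit/webhook` block carries no `proxy_pass`, so a request from an allowed source (10.42.0.0/16 or 10.43.0.0/16) that matches it is not forwarded to the svix service at all; nginx picks the longest matching prefix location, this one shadows the generated `location /`, and with no handler it falls through to static file serving from the default root (a 404), while everyone else gets a 403. If the goal is "internal callers reach the backend, everyone else is denied", a second Ingress object in the same namespace with the same host, `path: /save/origin/visit/webhook` and its own `nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16` annotation makes the controller generate the allow/deny inside a proxied location, without needing snippets at all. Two further things to confirm: the description talks about the webapp location, but this annotation lands on `svix-ingress` for host `svix-test.internal.staging.swh.network`, so check this is the Ingress that should be restricted; and the `allow` directives only see the client address that reaches nginx, so if the controller sits behind a load balancer that SNATs, or has `use-forwarded-headers` enabled, the address may be a node IP or a spoofable X-Forwarded-For value. A curl from a pod and one from a 192.168.130.0/24 host against this path should give the expected 200/403 split before this leaves the test cluster.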
