test/webhooks: Deny all non-internal access to save/origin/visit/webhook
Related to swh/infra/sysadm-environment#5165 (closed)
- The modification in cluster-configuration allows using the server-snippet annotation: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#server-snippet
- The modification in the test-cluster configuration allows access to the webapp location /save/origin/visit/webhook only from the cluster's internal network range.
Helm diff cluster-configuration
./helm-diff.sh cluster-configuration
[cluster-configuration] Comparing changes between branches production and test_deny_webhooks_access...
Your branch is up to date with 'origin/production'.
[cluster-configuration] Generate config in production branch for cluster-configuration/values/admin-rke2.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/archive-production-rke2.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/archive-staging-rke2.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/gitlab-production.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/gitlab-staging.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/rancher.yaml...
[cluster-configuration] Generate config in production branch for cluster-configuration/values/test-staging-rke2.yaml...
Your branch is up to date with 'origin/test_deny_webhooks_access'.
[cluster-configuration] Generate config in test_deny_webhooks_access branch for cluster-configuration/values/admin-rke2.yaml...
[cluster-configuration] Generate config in test_deny_webhooks_access branch for cluster-configuration/values/archive-production-rke2.yaml...
[cluster-configuration] Generate config in test_deny_webhooks_access branch for cluster-configuration/values/archive-staging-rke2.yaml...
[cluster-configuration] Generate config in test_deny_webhooks_access branch for cluster-configuration/values/gitlab-production.yaml...
[cluster-configuration] Generate config in test_deny_webhooks_access branch for cluster-configuration/values/gitlab-staging.yaml...
[cluster-configuration] Generate config in test_deny_webhooks_access branch for cluster-configuration/values/rancher.yaml...
[cluster-configuration] Generate config in test_deny_webhooks_access branch for cluster-configuration/values/test-staging-rke2.yaml...
------------- diff for cluster-configuration/values/admin-rke2.yaml -------------
No differences
------------- diff for cluster-configuration/values/archive-production-rke2.yaml -------------
No differences
------------- diff for cluster-configuration/values/archive-staging-rke2.yaml -------------
No differences
------------- diff for cluster-configuration/values/gitlab-production.yaml -------------
No differences
------------- diff for cluster-configuration/values/gitlab-staging.yaml -------------
No differences
------------- diff for cluster-configuration/values/rancher.yaml -------------
No differences
------------- diff for cluster-configuration/values/test-staging-rke2.yaml -------------
--- /tmp/swh-chart.cluster-configuration.XVJUyTS8/test-staging-rke2.yaml.before 2023-12-04 17:14:08.348706182 +0100
+++ /tmp/swh-chart.cluster-configuration.XVJUyTS8/test-staging-rke2.yaml.after 2023-12-04 17:14:08.632710755 +0100
@@ -165,20 +165,21 @@
ingressClassResource:
name: "nginx"
default: true
metrics:
enabled: true
serviceMonitor:
enabled: true
namespaceSelector:
any: true
config:
+ server-snippets: true
worker-processes: 2
resources:
requests:
cpu: 50m
memory: 200Mi
destination:
server: https://rancher.euwest.azure.internal.softwareheritage.org/k8s/clusters/c-m-hb9j7h5g
namespace: ingress-nginx
syncPolicy:
automated:
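Review bot: `server-snippets: true` on the added config line is not a ConfigMap key I recognise in ingress-nginx; the documented switch that lets a `nginx.ingress.kubernetes.io/server-snippet` annotation take effect is `allow-snippet-annotations: "true"` (quoted, since ConfigMap data values are strings), so please verify against the deployed controller version that this key is honoured, otherwise the annotation added in the cluster-components hunk is silently ignored. Whichever key is right, the effect is cluster-wide: anyone who can create or edit an Ingress in any namespace of this cluster can then inject raw nginx directives into the shared controller, which reads TLS secrets across namespaces — that is why the option is off by default. If it must be on, constrain it (ingress-nginx's `annotation-value-word-blocklist` ConfigMap key, plus RBAC on who may write Ingress objects) and record the reason next to the value, e.g. `# Enables snippet annotations cluster-wide; needed only for the svix webhook location, see swh/infra/sysadm-environment#5165`. The restriction itself can be expressed without snippets as a second Ingress for the webhook path carrying its own `whitelist-source-range`, which would let this line stay out entirely.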
Helm diff cluster-components
./helm-diff.sh cluster-components
[cluster-components] Comparing changes between branches production and test_deny_webhooks_access...
Your branch is up to date with 'origin/production'.
[cluster-components] Generate config in production branch for cluster-components/values/admin-rke2.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/archive-production-rke2.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/archive-staging-rke2.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/gitlab-production.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/gitlab-staging.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/minikube.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/rancher.yaml...
[cluster-components] Generate config in production branch for cluster-components/values/test-staging-rke2.yaml...
Your branch is up to date with 'origin/test_deny_webhooks_access'.
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/admin-rke2.yaml...
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/archive-production-rke2.yaml...
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/archive-staging-rke2.yaml...
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/gitlab-production.yaml...
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/gitlab-staging.yaml...
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/minikube.yaml...
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/rancher.yaml...
[cluster-components] Generate config in test_deny_webhooks_access branch for cluster-components/values/test-staging-rke2.yaml...
------------- diff for cluster-components/values/admin-rke2.yaml -------------
No differences
------------- diff for cluster-components/values/archive-production-rke2.yaml -------------
No differences
------------- diff for cluster-components/values/archive-staging-rke2.yaml -------------
No differences
------------- diff for cluster-components/values/gitlab-production.yaml -------------
No differences
------------- diff for cluster-components/values/gitlab-staging.yaml -------------
No differences
------------- diff for cluster-components/values/minikube.yaml -------------
No differences
------------- diff for cluster-components/values/rancher.yaml -------------
No differences
------------- diff for cluster-components/values/test-staging-rke2.yaml -------------
--- /tmp/swh-chart.cluster-components.opVTXqnt/test-staging-rke2.yaml.before 2023-12-04 17:15:40.450189172 +0100
+++ /tmp/swh-chart.cluster-components.opVTXqnt/test-staging-rke2.yaml.after 2023-12-04 17:15:41.758210235 +0100
@@ -310,20 +310,26 @@
# Source: cluster-config/templates/svix/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: svix-server
name: svix-ingress
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production-gandi
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/server-snippet: |
+ location /save/origin/visit/webhook {
+ allow 10.42.0.0/16;
+ allow 10.43.0.0/16;
+ deny all;
+ }
nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.130.0/24,192.168.50.0/24,192.168.101.0/24
spec:
rules:
- host: svix-test.internal.staging.swh.network
http:
paths:
- path: /
pathType: Prefix
backend:
service:
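Review bot: The `location /save/origin/visit/webhook { … }` block added in the server-snippet contains only `allow`/`deny` directives and no `proxy_pass`, and nginx does not inherit `proxy_pass` from the sibling `location /` the controller generates for the `/` path, so as far as I can tell a request from 10.42.0.0/16 or 10.43.0.0/16 that matches this longer prefix passes the ACL and is then answered by nginx itself (a 404) instead of being forwarded to the backend — please test an allowed client end-to-end, not only a denied one. The snippet is also attached to `svix-ingress` (host `svix-test.internal.staging.swh.network`), whereas the description says the location belongs to the webapp; if the webapp is served by a different Ingress, the restriction is not applied where it matters. Both issues disappear if the rule is expressed as a second Ingress for the webhook path with its own `nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16` (ingress-nginx applies that annotation per location), which also removes the need to enable snippet annotations cluster-wide. A source-range check only establishes that the caller sits inside the allowed ranges, not that it is svix, so the application-side verification of the webhook signature must stay in place.
```yaml
# Constructed example — a second Ingress covering only the webhook path.
# Values in <angle brackets> are placeholders to fill from the real Ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: <namespace of the service that serves the webhook>
  name: <name>-webhook-internal
  annotations:
    # Narrower than the main Ingress; applied by ingress-nginx to this location only.
    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16
spec:
  rules:
    - host: <host that serves /save/origin/visit/webhook>
      http:
        paths:
          - path: /save/origin/visit/webhook
            pathType: Prefix
            backend:
              service:
                name: <backend service>
                port:
                  number: <backend port>
```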