
staging/ingress: Allow snippet annotations

Guillaume Samson requested to merge staging_deny_webhooks_access into production

Related to swh/infra/sysadm-environment#5165 (closed)

The first commit allows snippet annotations on the ingress.
The second denies access on the webapp to the path save/origin/visit/webhook for non-internal network ranges.

Helm diff
./swh/helm-diff.sh
[swh] Comparing changes between branches production and staging_deny_webhooks_access (per environment)...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment staging, namespace swh...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra-next-version...
Your branch is up to date with 'origin/staging_deny_webhooks_access'.
[swh] Generate config in staging_deny_webhooks_access branch for environment staging...
[swh] Generate config in staging_deny_webhooks_access branch for environment staging...
[swh] Generate config in staging_deny_webhooks_access branch for environment staging...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment production, namespace swh...
[swh] Generate config in production branch for environment production, namespace swh-cassandra...
[swh] Generate config in production branch for environment production, namespace swh-cassandra-next-version...
Your branch is up to date with 'origin/staging_deny_webhooks_access'.
[swh] Generate config in staging_deny_webhooks_access branch for environment production...
[swh] Generate config in staging_deny_webhooks_access branch for environment production...
[swh] Generate config in staging_deny_webhooks_access branch for environment production...


------------- diff for environment staging namespace swh -------------

--- /tmp/swh-chart.swh.DOBarzXL/staging-swh.before	2023-12-06 16:19:40.526358854 +0100
+++ /tmp/swh-chart.swh.DOBarzXL/staging-swh.after	2023-12-06 16:19:40.950364230 +0100
@@ -15047,20 +15047,27 @@
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh
   name: web-ingress-authenticated
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      location = /save/origin/visit/webhook {
+        allow 10.42.0.0/16;
+        allow 10.43.0.0/16;
+        deny all;
+        return 403;
+      }
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
     # type of authentication
     nginx.ingress.kubernetes.io/auth-type: basic
     # an htpasswd file in the key auth within the secret
     nginx.ingress.kubernetes.io/auth-secret-type: auth-file
     # name of the secret that contains the user/password definitions
     nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/web-auth-secrets
     # message to display with an appropriate context why the authentication is required
     nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
 
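Review bot: In the added configuration-snippet, `return 403;` makes the `allow 10.42.0.0/16;` / `allow 10.43.0.0/16;` lines ineffective: nginx runs `return` in the rewrite phase, before the access phase where `allow`/`deny` are evaluated, so every request to `/save/origin/visit/webhook`, including those from the internal ranges, is answered with 403. Drop `return 403;` and keep `deny all;`, which already answers unlisted sources with 403. Because the snippet is injected into the location that ingress-nginx generates for the Ingress path, the nested `location = ...` block presumably does not inherit that location's `proxy_pass`/balancer, so even allowed requests may not reach the webapp — check the rendered nginx.conf, or prefer `nginx.ingress.kubernetes.io/whitelist-source-range` on a dedicated Ingress for this path, as the swh-cassandra-next-version ingresses already do for the whole host. `=` matches only that exact URI, so confirm the webapp does not also serve the webhook under a trailing-slash variant. The same snippet is added in the web-ingress-default hunk below and in the swh-cassandra and swh-cassandra-next-version hunks, and these remarks apply to all of them.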
@@ -15101,20 +15108,27 @@
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh
   name: web-ingress-default
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      location = /save/origin/visit/webhook {
+        allow 10.42.0.0/16;
+        allow 10.43.0.0/16;
+        deny all;
+        return 403;
+      }
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
 
 spec:
   rules:
   - host: webapp-postgresql.internal.staging.swh.network
     http:
       paths:
       - path: /
         pathType: Prefix
         backend:


------------- diff for environment staging namespace swh-cassandra -------------

--- /tmp/swh-chart.swh.DOBarzXL/staging-swh-cassandra.before	2023-12-06 16:19:40.658360528 +0100
+++ /tmp/swh-chart.swh.DOBarzXL/staging-swh-cassandra.after	2023-12-06 16:19:41.094366055 +0100
@@ -13706,20 +13706,27 @@
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra
   name: web-ingress-authenticated
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      location = /save/origin/visit/webhook {
+        allow 10.42.0.0/16;
+        allow 10.43.0.0/16;
+        deny all;
+        return 403;
+      }
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     # type of authentication
     nginx.ingress.kubernetes.io/auth-type: basic
     # an htpasswd file in the key auth within the secret
     nginx.ingress.kubernetes.io/auth-secret-type: auth-file
     # name of the secret that contains the user/password definitions
     nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/web-auth-secrets
     # message to display with an appropriate context why the authentication is required
     nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
 
@@ -13788,20 +13795,27 @@
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra
   name: web-ingress-default
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      location = /save/origin/visit/webhook {
+        allow 10.42.0.0/16;
+        allow 10.43.0.0/16;
+        deny all;
+        return 403;
+      }
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 
 spec:
   rules:
   - host: webapp.staging.swh.network
     http:
       paths:
       - path: /
         pathType: Prefix
         backend:


------------- diff for environment staging namespace swh-cassandra-next-version -------------

--- /tmp/swh-chart.swh.DOBarzXL/staging-swh-cassandra-next-version.before	2023-12-06 16:19:40.798362303 +0100
+++ /tmp/swh-chart.swh.DOBarzXL/staging-swh-cassandra-next-version.after	2023-12-06 16:19:41.218367627 +0100
@@ -11339,20 +11339,27 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra-next-version
   name: web-ingress-authenticated
   annotations:
     nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24,192.168.50.0/24
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      location = /save/origin/visit/webhook {
+        allow 10.42.0.0/16;
+        allow 10.43.0.0/16;
+        deny all;
+        return 403;
+      }
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     # type of authentication
     nginx.ingress.kubernetes.io/auth-type: basic
     # an htpasswd file in the key auth within the secret
     nginx.ingress.kubernetes.io/auth-secret-type: auth-file
     # name of the secret that contains the user/password definitions
     nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/web-auth-secrets
     # message to display with an appropriate context why the authentication is required
     nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
 
@@ -11394,20 +11401,27 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra-next-version
   name: web-ingress-default
   annotations:
     nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24,192.168.50.0/24
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      location = /save/origin/visit/webhook {
+        allow 10.42.0.0/16;
+        allow 10.43.0.0/16;
+        deny all;
+        return 403;
+      }
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 
 spec:
   rules:
   - host: webapp-cassandra-next-version.internal.staging.swh.network
     http:
       paths:
       - path: /
         pathType: Prefix
         backend:


------------- diff for environment production namespace swh -------------
./swh/helm-diff.sh
[swh] Comparing changes between branches production and staging_deny_webhooks_access (per environment)...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment staging, namespace swh...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra-next-version...
Your branch is up to date with 'origin/staging_deny_webhooks_access'.
[swh] Generate config in staging_deny_webhooks_access branch for environment staging...
[swh] Generate config in staging_deny_webhooks_access branch for environment staging...
[swh] Generate config in staging_deny_webhooks_access branch for environment staging...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment production, namespace swh...
[swh] Generate config in production branch for environment production, namespace swh-cassandra...
[swh] Generate config in production branch for environment production, namespace swh-cassandra-next-version...
Your branch is up to date with 'origin/staging_deny_webhooks_access'.
[swh] Generate config in staging_deny_webhooks_access branch for environment production...
[swh] Generate config in staging_deny_webhooks_access branch for environment production...
[swh] Generate config in staging_deny_webhooks_access branch for environment production...


------------- diff for environment staging namespace swh -------------

--- /tmp/swh-chart.swh.DOBarzXL/staging-swh.before	2023-12-06 16:19:40.526358854 +0100
+++ /tmp/swh-chart.swh.DOBarzXL/staging-swh.after	2023-12-06 16:19:40.950364230 +0100
@@ -15047,20 +15047,27 @@
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh
   name: web-ingress-authenticated
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      location = /save/origin/visit/webhook {
+        allow 10.42.0.0/16;
+        allow 10.43.0.0/16;
+        deny all;
+        return 403;
+      }
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
     # type of authentication
     nginx.ingress.kubernetes.io/auth-type: basic
     # an htpasswd file in the key auth within the secret
     nginx.ingress.kubernetes.io/auth-secret-type: auth-file
     # name of the secret that contains the user/password definitions
     nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/web-auth-secrets
     # message to display with an appropriate context why the authentication is required
     nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
 
@@ -15101,20 +15108,27 @@
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh
   name: web-ingress-default
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      location = /save/origin/visit/webhook {
+        allow 10.42.0.0/16;
+        allow 10.43.0.0/16;
+        deny all;
+        return 403;
+      }
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
 
 spec:
   rules:
   - host: webapp-postgresql.internal.staging.swh.network
     http:
       paths:
       - path: /
         pathType: Prefix
         backend:


------------- diff for environment staging namespace swh-cassandra -------------

--- /tmp/swh-chart.swh.DOBarzXL/staging-swh-cassandra.before	2023-12-06 16:19:40.658360528 +0100
+++ /tmp/swh-chart.swh.DOBarzXL/staging-swh-cassandra.after	2023-12-06 16:19:41.094366055 +0100
@@ -13706,20 +13706,27 @@
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra
   name: web-ingress-authenticated
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      location = /save/origin/visit/webhook {
+        allow 10.42.0.0/16;
+        allow 10.43.0.0/16;
+        deny all;
+        return 403;
+      }
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     # type of authentication
     nginx.ingress.kubernetes.io/auth-type: basic
     # an htpasswd file in the key auth within the secret
     nginx.ingress.kubernetes.io/auth-secret-type: auth-file
     # name of the secret that contains the user/password definitions
     nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/web-auth-secrets
     # message to display with an appropriate context why the authentication is required
     nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
 
@@ -13788,20 +13795,27 @@
 # Source: swh/templates/web/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra
   name: web-ingress-default
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      location = /save/origin/visit/webhook {
+        allow 10.42.0.0/16;
+        allow 10.43.0.0/16;
+        deny all;
+        return 403;
+      }
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 
 spec:
   rules:
   - host: webapp.staging.swh.network
     http:
       paths:
       - path: /
         pathType: Prefix
         backend:


------------- diff for environment staging namespace swh-cassandra-next-version -------------

--- /tmp/swh-chart.swh.DOBarzXL/staging-swh-cassandra-next-version.before	2023-12-06 16:19:40.798362303 +0100
+++ /tmp/swh-chart.swh.DOBarzXL/staging-swh-cassandra-next-version.after	2023-12-06 16:19:41.218367627 +0100
@@ -11339,20 +11339,27 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra-next-version
   name: web-ingress-authenticated
   annotations:
     nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24,192.168.50.0/24
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      location = /save/origin/visit/webhook {
+        allow 10.42.0.0/16;
+        allow 10.43.0.0/16;
+        deny all;
+        return 403;
+      }
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     # type of authentication
     nginx.ingress.kubernetes.io/auth-type: basic
     # an htpasswd file in the key auth within the secret
     nginx.ingress.kubernetes.io/auth-secret-type: auth-file
     # name of the secret that contains the user/password definitions
     nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/web-auth-secrets
     # message to display with an appropriate context why the authentication is required
     nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
 
@@ -11394,20 +11401,27 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   namespace: swh-cassandra-next-version
   name: web-ingress-default
   annotations:
     nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24,192.168.50.0/24
     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
     kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      location = /save/origin/visit/webhook {
+        allow 10.42.0.0/16;
+        allow 10.43.0.0/16;
+        deny all;
+        return 403;
+      }
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 
 spec:
   rules:
   - host: webapp-cassandra-next-version.internal.staging.swh.network
     http:
       paths:
       - path: /
         pathType: Prefix
         backend:


------------- diff for environment production namespace swh -------------

No differences


------------- diff for environment production namespace swh-cassandra -------------

No differences

No differences


------------- diff for environment production namespace swh-cassandra -------------

No differences
