
staging/web: Deny access to save/origin/visit/webhook

Guillaume Samson requested to merge staging_webhooks_check into production

Related to swh/infra/sysadm-environment#5165 (closed)

After trying to use ingress-nginx snippets, I created two ingresses on test-staging and they work fine.
Then I discovered that everything was already provided in swh-charts.
I just added some values.

Helm diff
./swh/helm-diff.sh
[swh] Comparing changes between branches production and staging_webhooks_check (per environment)...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment staging, namespace swh...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra-next-version...
Your branch is up to date with 'origin/staging_webhooks_check'.
[swh] Generate config in staging_webhooks_check branch for environment staging...
[swh] Generate config in staging_webhooks_check branch for environment staging...
[swh] Generate config in staging_webhooks_check branch for environment staging...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment production, namespace swh...
[swh] Generate config in production branch for environment production, namespace swh-cassandra...
[swh] Generate config in production branch for environment production, namespace swh-cassandra-next-version...
Your branch is up to date with 'origin/staging_webhooks_check'.
[swh] Generate config in staging_webhooks_check branch for environment production...
[swh] Generate config in staging_webhooks_check branch for environment production...
[swh] Generate config in staging_webhooks_check branch for environment production...


------------- diff for environment staging namespace swh -------------

--- /tmp/swh-chart.swh.dRjrdpDa/staging-swh.before	2023-12-08 16:48:41.888055721 +0100
+++ /tmp/swh-chart.swh.dRjrdpDa/staging-swh.after	2023-12-08 16:48:42.292062394 +0100
@@ -15129,20 +15129,51 @@
           service:
             name: web
             port:
               number: 80
       
   tls:
   - hosts:
     - webapp-postgresql.internal.staging.swh.network
     secretName: swh-web-crt
 ---
+# Source: swh/templates/web/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: swh
+  name: web-ingress-webhooks
+  annotations:
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16
+    cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+
+spec:
+  rules:
+  - host: webapp-postgresql.internal.staging.swh.network
+    http:
+      paths:
+      - path: /save/origin/visit/webhook
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+      
+  tls:
+  - hosts:
+    - webapp-postgresql.internal.staging.swh.network
+    secretName: swh-web-crt
+---
 # Source: swh/templates/listers/deployment.yaml
 # Set useJsonLogger to false to let the logs be plain text
 ---
 # Source: swh/templates/checker-deposit/keda-autoscaling.yaml
 apiVersion: keda.sh/v1alpha1
 kind: ScaledObject
 metadata:
   name: checker-deposit-operators
   namespace: swh
 spec:
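Review bot: The new `web-ingress-webhooks` backend targets `service: web` with `port: number: 5004`, while the existing ingress for the same host just above it (presumably the main web ingress) uses `number: 80`; unless the `web` Service really exposes a 5004 port, ingress-nginx will likely find no endpoint for this path and the legitimate in-cluster caller gets a 503 instead of the webhook. The whitelist is only as strong as the client address the controller evaluates: if ingress-nginx sits behind a load balancer with forwarded headers or proxy protocol enabled, `whitelist-source-range` is checked against the forwarded address, so confirm the controller trusts those headers only from the load balancer itself. This hunk sets `nginx.ingress.kubernetes.io/ssl-redirect: "true"` whereas the swh-cassandra and swh-cassandra-next-version hunks set `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"`; use the same annotation in all three so the namespaces behave identically. After deploy, an external request to `/save/origin/visit/webhook` on this host should be answered 403 by the ingress, which confirms the longest-prefix rule takes precedence over the existing catch-all ingress for the same host. The port and forwarded-address points apply to all three hunks.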


------------- diff for environment staging namespace swh-cassandra -------------

--- /tmp/swh-chart.swh.dRjrdpDa/staging-swh-cassandra.before	2023-12-08 16:48:42.016057836 +0100
+++ /tmp/swh-chart.swh.dRjrdpDa/staging-swh-cassandra.after	2023-12-08 16:48:42.432064706 +0100
@@ -13836,20 +13836,63 @@
             name: web
             port:
               number: 80
       
   tls:
   - hosts:
     - webapp.staging.swh.network
     - webapp-cassandra.internal.staging.swh.network
     secretName: swh-web-crt
 ---
+# Source: swh/templates/web/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: swh-cassandra
+  name: web-ingress-webhooks
+  annotations:
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16
+    cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
+spec:
+  rules:
+  - host: webapp.staging.swh.network
+    http:
+      paths:
+      - path: /save/origin/visit/webhook
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+      
+  - host: webapp-cassandra.internal.staging.swh.network
+    http:
+      paths:
+      - path: /save/origin/visit/webhook
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+      
+  tls:
+  - hosts:
+    - webapp.staging.swh.network
+    - webapp-cassandra.internal.staging.swh.network
+    secretName: swh-web-crt
+---
 # Source: swh/templates/cookers/deployment.yaml
 # Set useJsonLogger to false to let the logs be plain text
 ---
 # Source: swh/templates/loaders/deployment.yaml
 # if defined at the "typed" loader level
 # otherwise use the global image is defined First this needs to replace - in
 # $loader_type with "" to find the proper image name.
 ---
 # Source: swh/templates/cookers/keda-autoscaling.yaml
 apiVersion: keda.sh/v1alpha1
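Review bot: The allowed ranges `10.42.0.0/16,10.43.0.0/16` look like the cluster's pod and service CIDRs (inferred, not shown here), which means any workload in any namespace of the cluster can call `/save/origin/visit/webhook` on both hosts, not only the component that emits the webhook. If that emitter is a known Deployment, a NetworkPolicy on the `web` pods admitting only its selector would narrow access further at the network layer, independent of the ingress annotation. This hunk is the one that also covers the public host `webapp.staging.swh.network`, so it is the right place to run the post-deploy 403 check from outside the cluster. The same cluster-wide range is used in the swh namespace hunk above.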


------------- diff for environment staging namespace swh-cassandra-next-version -------------

--- /tmp/swh-chart.swh.dRjrdpDa/staging-swh-cassandra-next-version.before	2023-12-08 16:48:42.136059817 +0100
+++ /tmp/swh-chart.swh.dRjrdpDa/staging-swh-cassandra-next-version.after	2023-12-08 16:48:42.552066688 +0100
@@ -11422,20 +11422,51 @@
           service:
             name: web
             port:
               number: 80
       
   tls:
   - hosts:
     - webapp-cassandra-next-version.internal.staging.swh.network
     secretName: swh-web-crt
 ---
+# Source: swh/templates/web/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: swh-cassandra-next-version
+  name: web-ingress-webhooks
+  annotations:
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.130.0/24,192.168.50.0/24
+    cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
+spec:
+  rules:
+  - host: webapp-cassandra-next-version.internal.staging.swh.network
+    http:
+      paths:
+      - path: /save/origin/visit/webhook
+        pathType: Prefix
+        backend:
+          service:
+            name: web
+            port:
+              number: 5004
+      
+  tls:
+  - hosts:
+    - webapp-cassandra-next-version.internal.staging.swh.network
+    secretName: swh-web-crt
+---
 # Source: swh/templates/cookers/deployment.yaml
 # Set useJsonLogger to false to let the logs be plain text
 ---
 # Source: swh/templates/loaders/deployment.yaml
 # if defined at the "typed" loader level
 # otherwise use the global image is defined First this needs to replace - in
 # $loader_type with "" to find the proper image name.
 ---
 # Source: swh/templates/cookers/keda-autoscaling.yaml
 apiVersion: keda.sh/v1alpha1
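Review bot: This namespace's whitelist adds `192.168.130.0/24,192.168.50.0/24` on top of the cluster ranges used by the swh and swh-cassandra hunks, so the webhook endpoint is reachable here from two networks outside the cluster; confirm the difference is intentional rather than a leftover from the test-staging experiment, and that neither range is the source-NAT address of a wider network as seen by the controller. If the extra ranges are meant only for next-version testing, a comment next to the value in the chart values (not visible on this page) naming their purpose and owner would save the next reader a question, e.g. `# 192.168.130.0/24,192.168.50.0/24: <placeholder: purpose/owner>, next-version testing only`.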


------------- diff for environment production namespace swh -------------

No differences


------------- diff for environment production namespace swh-cassandra -------------

No differences
