openstack/openstack-helm-infra
Code Issues Proposed changes

Change default ingress path type to prefix

Browse Source 
Due to CVE-2022-4886 the default pathType for an ingress should be
either "Exact" or "Prefix". This allows for more strict path validation by
the admission controller. This PS changes the default pathType to Prefix.
This value can be overridden.

In a separate PS I will add the pathType parameter to the ingressOpts
for all helm charts that create an ingress.

See:

https://github.com/kubernetes/ingress-nginx/issues/10570

Change-Id: I8f1df594f0c86f2de6cdd7cf2ee56637bd508565
This commit is contained in:
Ritchie, Frank (fr801x) 2024-01-16 13:26:55 -05:00
parent d0b3f1c1d2
commit 5b72041fd9
3 changed files with 33 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
helm-toolkit/Chart.yaml
View File

@ -15,7 +15,7 @@ apiVersion: v1
appVersion: v1.0.0
description: OpenStack-Helm Helm-Toolkit
name: helm-toolkit
version: 0.2.59
version: 0.2.60
home: https://docs.openstack.org/openstack-helm
icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
sources:

60
helm-toolkit/templates/manifests/_ingress.tpl
View File

@ -59,7 +59,7 @@ examples:
default: 9311
public: 80
usage: |
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "pathType" "Prefix" ) -}}
return: |
---
apiVersion: networking.k8s.io/v1
@ -76,7 +76,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: barbican-api
@ -86,7 +86,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: barbican-api
@ -96,7 +96,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: barbican-api
@ -121,7 +121,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: barbican-api
@ -146,7 +146,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: barbican-api
@ -194,7 +194,7 @@ examples:
default: 9311
public: 80
usage: |
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "pathType" "Prefix" ) -}}
return: |
---
apiVersion: networking.k8s.io/v1
@ -217,7 +217,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: barbican-api
@ -227,7 +227,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: barbican-api
@ -237,7 +237,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: barbican-api
@ -294,7 +294,7 @@ examples:
name: ca-issuer
kind: Issuer
usage: |
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" "pathType" "Prefix" ) -}}
return: |
---
apiVersion: networking.k8s.io/v1
@ -319,7 +319,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: barbican-api
@ -329,7 +329,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: barbican-api
@ -339,7 +339,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: barbican-api
@ -396,7 +396,7 @@ examples:
name: ca-issuer
kind: ClusterIssuer
usage: |
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" "pathType" "Prefix" ) -}}
return: |
---
apiVersion: networking.k8s.io/v1
@ -421,7 +421,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: barbican-api
@ -431,7 +431,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: barbican-api
@ -441,7 +441,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: barbican-api
@ -479,7 +479,7 @@ examples:
grafana:
public: grafana-tls-public
usage: |
{{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
{{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" "pathType" "Prefix" -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
return: |
---
@ -497,7 +497,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: grafana-dashboard
@ -507,7 +507,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: grafana-dashboard
@ -517,7 +517,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: grafana-dashboard
@ -543,7 +543,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: grafana-dashboard
@ -553,7 +553,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: grafana-dashboard
@ -579,7 +579,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: grafana-dashboard
@ -589,7 +589,7 @@ examples:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: grafana-dashboard
@ -602,11 +602,12 @@ examples:
{{- $vHost := index . "vHost" -}}
{{- $backendName := index . "backendName" -}}
{{- $backendPort := index . "backendPort" -}}
{{- $pathType := index . "pathType" -}}
- host: {{ $vHost }}
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: {{ $pathType }}
backend:
service:
name: {{ $backendName }}
@ -624,6 +625,7 @@ examples:
{{- $backendServiceType := index . "backendServiceType" -}}
{{- $backendPort := index . "backendPort" -}}
{{- $endpoint := index . "endpoint" | default "public" -}}
{{- $pathType := index . "pathType" | default "Prefix" -}}
{{- $certIssuer := index . "certIssuer" | default "" -}}
{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
@ -681,7 +683,7 @@ spec:
{{- end }}
rules:
{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort "pathType" $pathType }}
{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
{{- end }}
{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
@ -719,7 +721,7 @@ spec:
{{- end }}
rules:
{{- range $vHost := $vHosts }}
{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort "pathType" $pathType }}
{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
{{- end }}
{{- end }}

1
releasenotes/notes/helm-toolkit.yaml
View File

@ -66,4 +66,5 @@ helm-toolkit:
- 0.2.57 Safer file removal
- 0.2.58 Backups verification improvements
- 0.2.59 Added throttling remote backups
- 0.2.60 Change default ingress pathType to Prefix
...