debian-mirror-gitlab/app/models/clusters/applications/ingress.rb

181 lines
5.3 KiB
Ruby
Raw Normal View History

2018-11-18 11:00:15 +05:30
# frozen_string_literal: true
2018-03-17 18:26:18 +05:30
module Clusters
module Applications
2019-07-07 11:18:12 +05:30
class Ingress < ApplicationRecord
2020-04-08 14:13:33 +05:30
VERSION = '1.29.7'
INGRESS_CONTAINER_NAME = 'nginx-ingress-controller'
2020-03-13 15:44:24 +05:30
MODSECURITY_LOG_CONTAINER_NAME = 'modsecurity-log'
2020-04-22 19:07:51 +05:30
MODSECURITY_MODE_LOGGING = "DetectionOnly"
MODSECURITY_MODE_BLOCKING = "On"
MODSECURITY_OWASP_RULES_FILE = "/etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf"
2018-11-18 11:00:15 +05:30
2018-03-17 18:26:18 +05:30
self.table_name = 'clusters_applications_ingress'
include ::Clusters::Concerns::ApplicationCore
include ::Clusters::Concerns::ApplicationStatus
2018-11-18 11:00:15 +05:30
include ::Clusters::Concerns::ApplicationVersion
2018-03-27 19:54:05 +05:30
include ::Clusters::Concerns::ApplicationData
include AfterCommitQueue
2020-05-24 23:13:21 +05:30
include UsageStatistics
2018-03-17 18:26:18 +05:30
default_value_for :ingress_type, :nginx
2020-04-08 14:13:33 +05:30
default_value_for :modsecurity_enabled, true
2018-11-18 11:00:15 +05:30
default_value_for :version, VERSION
2020-04-22 19:07:51 +05:30
default_value_for :modsecurity_mode, :logging
2018-03-17 18:26:18 +05:30
enum ingress_type: {
nginx: 1
}
2020-04-22 19:07:51 +05:30
enum modsecurity_mode: { logging: 0, blocking: 1 }
2020-05-24 23:13:21 +05:30
scope :modsecurity_not_installed, -> { where(modsecurity_enabled: nil) }
scope :modsecurity_enabled, -> { where(modsecurity_enabled: true) }
scope :modsecurity_disabled, -> { where(modsecurity_enabled: false) }
2018-03-27 19:54:05 +05:30
FETCH_IP_ADDRESS_DELAY = 30.seconds
state_machine :status do
2019-02-15 15:39:39 +05:30
after_transition any => [:installed] do |application|
2018-03-27 19:54:05 +05:30
application.run_after_commit do
ClusterWaitForIngressIpAddressWorker.perform_in(
FETCH_IP_ADDRESS_DELAY, application.name, application.id)
end
end
end
2018-03-17 18:26:18 +05:30
def chart
'stable/nginx-ingress'
end
2019-12-04 20:38:33 +05:30
def values
content_values.to_yaml
end
2019-07-31 22:56:46 +05:30
def allowed_to_uninstall?
2020-04-22 19:07:51 +05:30
external_ip_or_hostname? && !application_jupyter_installed?
2019-07-31 22:56:46 +05:30
end
2018-03-27 19:54:05 +05:30
def install_command
Gitlab::Kubernetes::Helm::InstallCommand.new(
2018-11-18 11:00:15 +05:30
name: name,
version: VERSION,
2018-11-20 20:47:30 +05:30
rbac: cluster.platform_kubernetes_rbac?,
2018-03-27 19:54:05 +05:30
chart: chart,
2018-11-18 11:00:15 +05:30
files: files
2018-03-27 19:54:05 +05:30
)
2018-03-17 18:26:18 +05:30
end
2019-09-30 21:07:59 +05:30
def external_ip_or_hostname?
external_ip.present? || external_hostname.present?
end
2018-03-27 19:54:05 +05:30
def schedule_status_update
return unless installed?
return if external_ip
2019-07-07 11:18:12 +05:30
return if external_hostname
2018-03-27 19:54:05 +05:30
ClusterWaitForIngressIpAddressWorker.perform_async(name, id)
2018-03-17 18:26:18 +05:30
end
2019-02-15 15:39:39 +05:30
def ingress_service
2020-04-08 14:13:33 +05:30
cluster.kubeclient.get_service("ingress-#{INGRESS_CONTAINER_NAME}", Gitlab::Kubernetes::Helm::NAMESPACE)
2019-02-15 15:39:39 +05:30
end
2019-09-30 21:07:59 +05:30
private
2019-12-04 20:38:33 +05:30
def specification
2020-03-13 15:44:24 +05:30
return {} unless modsecurity_enabled
2019-12-04 20:38:33 +05:30
{
"controller" => {
"config" => {
"enable-modsecurity" => "true",
2020-04-22 19:07:51 +05:30
"enable-owasp-modsecurity-crs" => "false",
"modsecurity-snippet" => modsecurity_snippet_content,
2019-12-26 22:10:19 +05:30
"modsecurity.conf" => modsecurity_config_content
},
"extraContainers" => [
{
2020-03-13 15:44:24 +05:30
"name" => MODSECURITY_LOG_CONTAINER_NAME,
2019-12-26 22:10:19 +05:30
"image" => "busybox",
"args" => [
"/bin/sh",
"-c",
2020-05-24 23:13:21 +05:30
"tail -F /var/log/modsec/audit.log"
2019-12-26 22:10:19 +05:30
],
"volumeMounts" => [
{
"name" => "modsecurity-log-volume",
"mountPath" => "/var/log/modsec",
"readOnly" => true
}
],
2020-04-22 19:07:51 +05:30
"livenessProbe" => {
2019-12-26 22:10:19 +05:30
"exec" => {
2020-04-22 19:07:51 +05:30
"command" => [
"ls",
"/var/log/modsec/audit.log"
]
}
2019-12-26 22:10:19 +05:30
}
}
],
"extraVolumeMounts" => [
{
"name" => "modsecurity-template-volume",
"mountPath" => "/etc/nginx/modsecurity/modsecurity.conf",
"subPath" => "modsecurity.conf"
},
{
"name" => "modsecurity-log-volume",
"mountPath" => "/var/log/modsec"
}
],
"extraVolumes" => [
{
"name" => "modsecurity-template-volume",
"configMap" => {
2020-04-08 14:13:33 +05:30
"name" => "ingress-#{INGRESS_CONTAINER_NAME}",
2019-12-26 22:10:19 +05:30
"items" => [
{
"key" => "modsecurity.conf",
"path" => "modsecurity.conf"
}
]
}
},
{
"name" => "modsecurity-log-volume",
"emptyDir" => {}
}
]
2019-12-04 20:38:33 +05:30
}
}
end
2019-12-26 22:10:19 +05:30
def modsecurity_config_content
File.read(modsecurity_config_file_path)
end
def modsecurity_config_file_path
Rails.root.join('vendor', 'ingress', 'modsecurity.conf')
end
2019-12-04 20:38:33 +05:30
def content_values
YAML.load_file(chart_values_file).deep_merge!(specification)
end
2020-04-22 19:07:51 +05:30
def application_jupyter_installed?
cluster.application_jupyter&.installed?
end
def modsecurity_snippet_content
sec_rule_engine = logging? ? MODSECURITY_MODE_LOGGING : MODSECURITY_MODE_BLOCKING
"SecRuleEngine #{sec_rule_engine}\nInclude #{MODSECURITY_OWASP_RULES_FILE}"
2019-09-30 21:07:59 +05:30
end
2018-03-17 18:26:18 +05:30
end
end
end