summaryrefslogtreecommitdiff
path: root/app/models/clusters/applications/ingress.rb
blob: a44450ec7a9fa652579eaaf1e52c573008df57bd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
# frozen_string_literal: true

module Clusters
  module Applications
    class Ingress < ApplicationRecord
      VERSION = '1.29.7'
      INGRESS_CONTAINER_NAME = 'nginx-ingress-controller'
      MODSECURITY_LOG_CONTAINER_NAME = 'modsecurity-log'
      MODSECURITY_MODE_LOGGING = "DetectionOnly"
      MODSECURITY_MODE_BLOCKING = "On"
      MODSECURITY_OWASP_RULES_FILE = "/etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf"

      self.table_name = 'clusters_applications_ingress'

      include ::Clusters::Concerns::ApplicationCore
      include ::Clusters::Concerns::ApplicationStatus
      include ::Clusters::Concerns::ApplicationVersion
      include ::Clusters::Concerns::ApplicationData
      include AfterCommitQueue
      include UsageStatistics

      default_value_for :ingress_type, :nginx
      default_value_for :modsecurity_enabled, true
      default_value_for :version, VERSION
      default_value_for :modsecurity_mode, :logging

      enum ingress_type: {
        nginx: 1
      }

      enum modsecurity_mode: { logging: 0, blocking: 1 }

      scope :modsecurity_not_installed, -> { where(modsecurity_enabled: nil) }
      scope :modsecurity_enabled, -> { where(modsecurity_enabled: true) }
      scope :modsecurity_disabled, -> { where(modsecurity_enabled: false) }

      FETCH_IP_ADDRESS_DELAY = 30.seconds

      state_machine :status do
        after_transition any => [:installed] do |application|
          application.run_after_commit do
            ClusterWaitForIngressIpAddressWorker.perform_in(
              FETCH_IP_ADDRESS_DELAY, application.name, application.id)
          end
        end
      end

      def chart
        'stable/nginx-ingress'
      end

      def values
        content_values.to_yaml
      end

      def allowed_to_uninstall?
        external_ip_or_hostname? && !application_jupyter_installed?
      end

      def install_command
        Gitlab::Kubernetes::Helm::InstallCommand.new(
          name: name,
          version: VERSION,
          rbac: cluster.platform_kubernetes_rbac?,
          chart: chart,
          files: files,
          local_tiller_enabled: cluster.local_tiller_enabled?
        )
      end

      def external_ip_or_hostname?
        external_ip.present? || external_hostname.present?
      end

      def schedule_status_update
        return unless installed?
        return if external_ip
        return if external_hostname

        ClusterWaitForIngressIpAddressWorker.perform_async(name, id)
      end

      def ingress_service
        cluster.kubeclient.get_service("ingress-#{INGRESS_CONTAINER_NAME}", Gitlab::Kubernetes::Helm::NAMESPACE)
      end

      private

      def specification
        return {} unless modsecurity_enabled

        {
          "controller" => {
            "config" => {
              "enable-modsecurity" => "true",
              "enable-owasp-modsecurity-crs" => "false",
              "modsecurity-snippet" => modsecurity_snippet_content,
              "modsecurity.conf" => modsecurity_config_content
            },
            "extraContainers" => [
              {
                "name" => MODSECURITY_LOG_CONTAINER_NAME,
                "image" => "busybox",
                "args" => [
                  "/bin/sh",
                  "-c",
                  "tail -F /var/log/modsec/audit.log"
                ],
                "volumeMounts" => [
                  {
                    "name" => "modsecurity-log-volume",
                    "mountPath" => "/var/log/modsec",
                    "readOnly" => true
                  }
                ],
                "livenessProbe" => {
                  "exec" => {
                    "command" => [
                      "ls",
                      "/var/log/modsec/audit.log"
                    ]
                  }
                }
              }
            ],
            "extraVolumeMounts" => [
              {
                "name" => "modsecurity-template-volume",
                "mountPath" => "/etc/nginx/modsecurity/modsecurity.conf",
                "subPath" => "modsecurity.conf"
              },
              {
                "name" => "modsecurity-log-volume",
                "mountPath" => "/var/log/modsec"
              }
            ],
            "extraVolumes" => [
              {
                "name" => "modsecurity-template-volume",
                "configMap" => {
                  "name" => "ingress-#{INGRESS_CONTAINER_NAME}",
                  "items" => [
                    {
                      "key" => "modsecurity.conf",
                      "path" => "modsecurity.conf"
                    }
                  ]
                }
              },
              {
                "name" => "modsecurity-log-volume",
                "emptyDir" => {}
              }
            ]
          }
        }
      end

      def modsecurity_config_content
        File.read(modsecurity_config_file_path)
      end

      def modsecurity_config_file_path
        Rails.root.join('vendor', 'ingress', 'modsecurity.conf')
      end

      def content_values
        YAML.load_file(chart_values_file).deep_merge!(specification)
      end

      def application_jupyter_installed?
        cluster.application_jupyter&.installed?
      end

      def modsecurity_snippet_content
        sec_rule_engine = logging? ? MODSECURITY_MODE_LOGGING : MODSECURITY_MODE_BLOCKING
        "SecRuleEngine #{sec_rule_engine}\nInclude #{MODSECURITY_OWASP_RULES_FILE}"
      end
    end
  end
end