Merge branch 'improvement/ARTESCA-10641-cis-nginx-hardening' into q/1…

…28.0

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 ## Release 128.0.1 (in development)
 
+### Enhancements
+
+- Only use modern Ciphers in Ingress configuration
+  (PR[#4488](https://github.com/scality/metalk8s/pull/4488)) 
+
 ## Release 128.0.0
 
 ### Enhancements

buildchain/buildchain/codegen.py

@@ -128,6 +128,7 @@ def codegen_chart_fluent_bit() -> types.TaskDict:
 def codegen_chart_ingress_nginx() -> types.TaskDict:
     """Generate the SLS file for NGINX Ingress using the chart render script."""
     chart_dir = constants.CHART_ROOT / "ingress-nginx"
+    ingress_nginx_namespace = "metalk8s-ingress"
     actions = []
     file_dep = list(utils.git_ls(chart_dir))
     file_dep.append(constants.CHART_RENDER_SCRIPT)
@@ -136,12 +137,13 @@ def codegen_chart_ingress_nginx() -> types.TaskDict:
     target_sls = (
         constants.ROOT / "salt/metalk8s/addons/nginx-ingress/deployed/chart.sls"
     )
-    value_file = constants.CHART_ROOT / "ingress-nginx.yaml"
+    chart_name = "ingress-nginx"
+    value_file = constants.CHART_ROOT / f"{chart_name}.yaml"
     actions.append(
         doit.action.CmdAction(
-            f"{constants.CHART_RENDER_CMD} ingress-nginx {value_file} {chart_dir} "
-            f"--namespace metalk8s-ingress --remove-manifest ConfigMap "
-            f"ingress-nginx-controller "
+            f"{constants.CHART_RENDER_CMD} {chart_name} {value_file} {chart_dir} "
+            f"--namespace {ingress_nginx_namespace} --remove-manifest ConfigMap "
+            f"{chart_name}-controller "
             f"--output {target_sls}",
             cwd=constants.ROOT,
         )
@@ -154,11 +156,14 @@ def codegen_chart_ingress_nginx() -> types.TaskDict:
         / "salt/metalk8s/addons/nginx-ingress-control-plane"
         / "deployed/chart.sls"
     )
-    value_file = constants.CHART_ROOT / "ingress-nginx-control-plane.yaml"
+    chart_name = "ingress-nginx-control-plane"
+    value_file = constants.CHART_ROOT / f"{chart_name}.yaml"
     actions.append(
         doit.action.CmdAction(
-            f"{constants.CHART_RENDER_CMD} ingress-nginx-control-plane {value_file} "
-            f"{chart_dir} --namespace metalk8s-ingress --output {target_sls}",
+            f"{constants.CHART_RENDER_CMD} {chart_name} {value_file} {chart_dir} "
+            f"--namespace {ingress_nginx_namespace} --remove-manifest ConfigMap "
+            f"{chart_name}-controller "
+            f"--output {target_sls}",
             cwd=constants.ROOT,
         )
     )

buildchain/buildchain/salt_tree.py

@@ -443,6 +443,15 @@ def task(self) -> types.TaskDict:
     Path("salt/metalk8s/addons/nginx-ingress-control-plane/certs/server.sls"),
     Path("salt/metalk8s/addons/nginx-ingress-control-plane/deployed/init.sls"),
     Path("salt/metalk8s/addons/nginx-ingress-control-plane/deployed/chart.sls"),
+    Path("salt/metalk8s/addons/nginx-ingress-control-plane/deployed/config-map.sls"),
+    Path(
+        "salt/metalk8s/addons/nginx-ingress-control-plane/deployed/",
+        "service-configuration.sls",
+    ),
+    Path(
+        "salt/metalk8s/addons/nginx-ingress-control-plane/config/",
+        "ingress-controller.yaml.j2",
+    ),
     Path("salt/metalk8s/addons/nginx-ingress-control-plane/deployed/tls-secret.sls"),
     Path("salt/metalk8s/backup/certs/ca.sls"),
     Path("salt/metalk8s/backup/certs/server.sls"),

docs/operation/cluster_and_service_configuration.rst

@@ -140,8 +140,28 @@ Shell UI has a different configuration for the workload plane.
 The default Shell UI workload plane configuration values are specified below:
 
 .. literalinclude:: ../../salt/metalk8s/addons/ui/config/workloadplane-shell-ui-config.yaml.j2
+   :language: yaml
+   :lines: 3-
+
+Ingress Control Plane Default Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The default Control Plane Ingress Controller configuration values
+are specified below:
+
+.. literalinclude:: ../../salt/metalk8s/addons/nginx-ingress-control-plane/config/ingress-controller.yaml.j2
+   :language: yaml
    :lines: 3-
 
+Ingress Workload Plane Default Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The default Workload Plane Ingress Controller configuration values
+are specified below:
+
+.. literalinclude:: ../../salt/metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2
+   :language: yaml
+   :lines: 3-
 
 Service Configurations Customization
 ------------------------------------
@@ -163,6 +183,28 @@ under the key ``data.config\.yaml``:
                         metalk8s-ingress-controller-config
 
 
+The following documentation is not exhaustive and is just here to give
+some hints on basic usage, for more details or advanced
+configuration, see the official `Nginx Ingress Controller documentation`_.
+
+.. _Nginx Ingress Controller documentation: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
+
+Control plane Ingress Controller Configuration Customization
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Same as the Workload plane Ingress Controller, Control Plane can be overridden
+by editing its Cluster and Service ConfigMap
+``metalk8s-ingress-control-plane-controller-config``
+in namespace ``metalk8s-ingress``
+under the key ``data.config\.yaml``:
+
+  .. code-block:: shell
+
+     root@bootstrap $ kubectl --kubeconfig /etc/kubernetes/admin.conf \
+                        edit configmap -n metalk8s-ingress \
+                        metalk8s-ingress-control-plane-controller-config
+
+
 The following documentation is not exhaustive and is just here to give
 some hints on basic usage, for more details or advanced
 configuration, see the official `Nginx Ingress Controller documentation`_.
@@ -186,6 +228,29 @@ HTTP2 can be disabled by setting ``use-http2`` to ``false``:
           config:
             use-http2: "false"
 
+Modify authorized Ciphers
+"""""""""""""""""""""""""
+
+Strong cipher configurations may not allow legacy user agents or user agents
+with weak configurations to connect to your site. If your server must also
+pass to a legacy upstream server, this may prevent it from being able to
+negotiate a cipher upstream.
+
+If you use an old client that does not support modern ciphers, you can use the
+ones provided by the CIS Nginx Benchmark for example:
+
+  .. code-block:: yaml
+
+    apiVersion: v1
+    kind: ConfigMap
+    data:
+      config.yaml: |-
+        apiVersion: addons.metalk8s.scality.com/v1alpha2
+        kind: IngressControllerConfig
+        spec:
+          config:
+            ssl-ciphers: "ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4"
+
 Applying configuration
 """"""""""""""""""""""
 
@@ -195,9 +260,10 @@ then be applied with Salt.
 .. parsed-literal::
 
    root\@bootstrap $ kubectl exec --kubeconfig /etc/kubernetes/admin.conf \\
-                      -n kube-system -c salt-master salt-master-bootstrap -- \\
-                      salt-run state.sls \\
-                      metalk8s.addons.nginx-ingress.deployed \\
+                      $(kubectl --kubeconfig /etc/kubernetes/admin.conf \\
+                      get pod -n kube-system -l app=salt-master -o name) \\
+                      -n kube-system -c salt-master -- \\
+                      salt-run state.sls metalk8s.addons.nginx-ingress.deployed,metalk8s.addons.nginx-ingress-control-plane.deploye \\
                       saltenv=metalk8s-|version|
 
 

salt/metalk8s/addons/nginx-ingress-control-plane/config/ingress-controller.yaml.j2

@@ -0,0 +1,11 @@
+#!jinja|yaml
+
+# Defaults for configuration of Ingress Controller
+apiVersion: addons.metalk8s.scality.com/v1alpha2
+kind: IngressControllerConfig
+spec:
+  config:
+    allow-snippet-annotations: 'true'
+    hide-headers: 'Server,X-Powered-By'
+    ssl-ciphers: 'EECDH+AESGCM:EDH+AESGCM'
+    ssl-protocols: 'TLSv1.2 TLSv1.3'

salt/metalk8s/addons/nginx-ingress-control-plane/deployed/chart.sls

@@ -23,23 +23,6 @@ metadata:
   name: ingress-nginx-control-plane
   namespace: metalk8s-ingress
 ---
-apiVersion: v1
-data:
-  allow-snippet-annotations: 'true'
-kind: ConfigMap
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx-control-plane
-    app.kubernetes.io/managed-by: salt
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: metalk8s
-    app.kubernetes.io/version: 1.10.3
-    helm.sh/chart: ingress-nginx-4.10.3
-    heritage: metalk8s
-  name: ingress-nginx-control-plane-controller
-  namespace: metalk8s-ingress
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

salt/metalk8s/addons/nginx-ingress-control-plane/deployed/config-map.sls

@@ -0,0 +1,27 @@
+{%- set ingress_control_plane_controller_defaults = salt.slsutil.renderer(
+        'salt://metalk8s/addons/nginx-ingress-control-plane/config/ingress-controller.yaml.j2', saltenv=saltenv
+    )
+%}
+
+{%- set ingress_control_plane_controller = salt.metalk8s_service_configuration.get_service_conf(
+        'metalk8s-ingress', 'metalk8s-ingress-control-plane-controller-config', ingress_control_plane_controller_defaults
+    )
+%}
+
+Create Control Plane Ingress Controller configuration Config Map:
+  metalk8s_kubernetes.object_present:
+    - manifest:
+        apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: ingress-nginx-control-plane-controller
+          namespace: metalk8s-ingress
+          labels:
+            app.kubernetes.io/component: controller
+            app.kubernetes.io/instance: ingress-nginx-control-plane
+            app.kubernetes.io/managed-by: salt
+            app.kubernetes.io/name: ingress-nginx
+            app.kubernetes.io/part-of: metalk8s
+            heritage: metalk8s
+        data:
+          {{ ingress_control_plane_controller.spec.config | yaml(False) | indent(10) }}

salt/metalk8s/addons/nginx-ingress-control-plane/deployed/init.sls

@@ -2,3 +2,5 @@ include:
   - metalk8s.addons.nginx-ingress.deployed.namespace
   - .tls-secret
   - .chart
+  - .service-configuration
+  - .config-map

salt/metalk8s/addons/nginx-ingress-control-plane/deployed/service-configuration.sls

@@ -0,0 +1,37 @@
+include:
+  - metalk8s.addons.nginx-ingress.deployed.namespace
+
+{%- set namespace = 'metalk8s-ingress' %}
+{%- set name = 'metalk8s-ingress-control-plane-controller-config' %}
+
+{%- set ingress_service_config = salt.metalk8s_kubernetes.get_object(
+        kind='ConfigMap',
+        apiVersion='v1',
+        namespace=namespace,
+        name=name
+  )
+%}
+
+{%- if ingress_service_config is none %}
+
+Create Ingress ServiceConfiguration ({{ namespace }}/{{ name }}):
+  metalk8s_kubernetes.object_present:
+    - manifest:
+        apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: {{ name }}
+          namespace: {{ namespace }}
+        data:
+          config.yaml: |-
+            apiVersion: addons.metalk8s.scality.com/v1alpha2
+            kind: IngressControllerConfig
+            spec: {}
+
+
+{%- else %}
+
+Ingress Control Plane ServiceConfiguration already exists:
+  test.succeed_without_changes: []
+
+{%- endif %}

salt/metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2

@@ -6,3 +6,6 @@ kind: IngressControllerConfig
 spec:
   config:
     allow-snippet-annotations: 'true'
+    hide-headers: 'Server,X-Powered-By'
+    ssl-ciphers: 'EECDH+AESGCM:EDH+AESGCM'
+    ssl-protocols: 'TLSv1.2 TLSv1.3'

salt/metalk8s/addons/nginx-ingress/deployed/service-configuration.sls

@@ -31,7 +31,7 @@ Create Ingress ServiceConfiguration (metalk8s-ingress/metalk8s-ingress-controlle
 
 {%- else %}
 
-Ingress ServiceConfiguration already exists:
+Ingress Workload Plane ServiceConfiguration already exists:
   test.succeed_without_changes: []
 
 {%- endif %}