From 2f3cfb6e20d91f6e6eb0861ded5a96ab17190d49 Mon Sep 17 00:00:00 2001
From: Othman Touijer
Date: Fri, 5 Mar 2021 08:26:51 +0100
Subject: [CONTRIB][AWX] Fix Web Interface

Add NGINX configuration so it can be run as non root.

Issue-ID: INT-1858
Signed-off-by: Othman Touijer
Change-Id: I8e313a49db0dfadf5c180c4415c7237ffd3635f9
---
 .../components/awx/templates/configmap.yaml | 92 ++++++++++++++++++++++
 .../components/awx/templates/statefulset.yaml | 14 ++++
 kubernetes/contrib/components/awx/values.yaml | 2 +-
 3 files changed, 107 insertions(+), 1 deletion(-)

diff --git a/kubernetes/contrib/components/awx/templates/configmap.yaml b/kubernetes/contrib/components/awx/templates/configmap.yaml
index 9bc62b0856..59900f1c64 100644
--- a/kubernetes/contrib/components/awx/templates/configmap.yaml
+++ b/kubernetes/contrib/components/awx/templates/configmap.yaml
@@ -144,3 +144,95 @@ data:
 {"vhost":"{{ .Values.config.rabbitmqVhost }}","name":"ha-all","pattern":".*","definition":{"ha-mode":"all","ha-sync-mode":"automatic"}}
 ]
 }
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-nginx-conf
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app.kubernetes.io/name: {{ include "common.name" . }}
+ helm.sh/chart: {{ include "common.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+data:
+ nginx.conf: |
+ worker_processes 1;
+ pid /tmp/nginx.pid;
+ events {
+ worker_connections 1024;
+ }
+ http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ server_tokens off;
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+ access_log /dev/stdout main;
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+ sendfile on;
+ #tcp_nopush on;
+ #gzip on;
+ upstream uwsgi {
+ server 127.0.0.1:8050;
+ }
+ upstream daphne {
+ server 127.0.0.1:8051;
+ }
+ server {
+ listen 8052 default_server;
+ # If you have a domain name, this is where to add it
+ server_name _;
+ keepalive_timeout 65;
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ add_header Strict-Transport-Security max-age=15768000;
+ add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
+ add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
+ # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
+ add_header X-Frame-Options "DENY";
+ location /nginx_status {
+ stub_status on;
+ access_log off;
+ allow 127.0.0.1;
+ deny all;
+ }
+ location /static/ {
+ alias /var/lib/awx/public/static/;
+ }
+ location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }
+ location /websocket {
+ # Pass request to the upstream alias
+ proxy_pass http://daphne;
+ # Require http version 1.1 to allow for upgrade requests
+ proxy_http_version 1.1;
+ # We want proxy_buffering off for proxying to websockets.
+ proxy_buffering off;
+ # http://en.wikipedia.org/wiki/X-Forwarded-For
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # enable this if you use HTTPS:
+ proxy_set_header X-Forwarded-Proto https;
+ # pass the Host: header from the client for the sake of redirects
+ proxy_set_header Host $http_host;
+ # We've set the Host header, so we don't need Nginx to muddle
+ # about with redirects
+ proxy_redirect off;
+ # Depending on the request value, set the Upgrade and
+ # connection headers
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+ location / {
+ # Add trailing / if missing
+ rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
+ uwsgi_read_timeout 120s;
+ uwsgi_pass uwsgi;
+ include /etc/nginx/uwsgi_params;
+ proxy_set_header X-Forwarded-Port 443;
+ }
+ }
+ }
diff --git a/kubernetes/contrib/components/awx/templates/statefulset.yaml b/kubernetes/contrib/components/awx/templates/statefulset.yaml
index 46747cd85f..1f2c093742 100644
--- a/kubernetes/contrib/components/awx/templates/statefulset.yaml
+++ b/kubernetes/contrib/components/awx/templates/statefulset.yaml
@@ -82,6 +82,10 @@ spec:
 name: awx-secret-key
 readOnly: true
 subPath: SECRET_KEY
+ - mountPath: /etc/nginx/nginx.conf
+ name: awx-nginx-conf
+ subPath: "nginx.conf"
+
 - command: ["/bin/sh","-c"]
 args: ["/usr/bin/launch_awx_task.sh"]
 env:
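Review bot: The server block listens on plain HTTP (`listen 8052 default_server;`) yet sends `add_header Strict-Transport-Security max-age=15768000;`, sets `proxy_set_header X-Forwarded-Proto https;` in `location /websocket` directly under the copied comment `# enable this if you use HTTPS:`, and hard-codes `proxy_set_header X-Forwarded-Port 443;` in `location /`, none of which hold unless a TLS terminator sits in front of the NodePort service, which this chart does not show. Browsers discard an STS header received over a non-TLS connection, and asserting https/443 to the backend when clients actually arrive over plaintext 8052 misleads redirect and cookie handling; either gate these directives on a chart value or document the assumption with `# assumes TLS is terminated in front of this service; X-Forwarded-Proto/Port and HSTS are not correct for direct plaintext access`. Separately, `proxy_set_header` has no effect on the `uwsgi_pass uwsgi;` location (it only applies to proxy_pass), so the X-Forwarded-Port line is dead as written. Finally, `pid /tmp/nginx.pid;` moves only the pid file; if the image's default temp paths (client_body_temp and friends) and error_log location are not writable by the runtime UID, non-root nginx will still fail, so confirm against the image or point those paths at /tmp as well.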
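Review bot: The new `awx-nginx-conf` mount at `/etc/nginx/nginx.conf` omits `readOnly: true`, unlike the `awx-secret-key` mount immediately above it; the config should be mounted `readOnly: true` too so a compromised web or task process cannot rewrite its own nginx configuration. The same omission is in this file's second hunk (`@@ -109,6 +113,9 @@`). Note also that a `subPath` mount of a ConfigMap key is a one-time copy and does not pick up later ConfigMap changes, so edits to the nginx ConfigMap require a pod restart; a comment such as `# subPath mount: ConfigMap changes need a pod restart to take effect` on the mount would save the next operator a surprise. The volumeMounts list containing this entry starts outside the hunk.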
@@ -109,6 +113,9 @@ spec:
 name: awx-secret-key
 readOnly: true
 subPath: SECRET_KEY
+ - mountPath: /etc/nginx/nginx.conf
+ name: awx-nginx-conf
+ subPath: "nginx.conf"
 - env:
 - name: MY_POD_IP
 valueFrom:
@@ -209,5 +216,12 @@ spec:
 path: rabbitmq_definitions.json
 name: {{ include "common.fullname" . }}-rabbitmq
 name: rabbitmq-config
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: nginx.conf
+ path: nginx.conf
+ name: {{ include "common.fullname" . }}-nginx-conf
+ name: awx-nginx-conf
 imagePullSecrets:
 - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/contrib/components/awx/values.yaml b/kubernetes/contrib/components/awx/values.yaml
index a29866da9a..02642fd3fd 100755
--- a/kubernetes/contrib/components/awx/values.yaml
+++ b/kubernetes/contrib/components/awx/values.yaml
@@ -95,7 +95,7 @@ service:
 type: NodePort
 portName: web
 internalPort: 8052
- externalPort: 80
+ externalPort: 8052
 nodePort: 78
 rabbitmq:
 type: ClusterIP
-- 
cgit 1.2.3-korg