chore: update aergia to v0.3.0 (#49)

amazeeio · Dec 15, 2023 · 22afea9 · 22afea9
1 parent 6e8eabe
commit 22afea9
Show file tree

Hide file tree

Showing 7 changed files with 216 additions and 21 deletions.
diff --git a/charts/aergia/Chart.yaml b/charts/aergia/Chart.yaml
@@ -8,15 +8,19 @@ maintainers:
 - name: shreddedbacon
   email: [email protected]
   url: https://amazee.io
-kubeVersion: ">= 1.19.0-0"
+kubeVersion: ">= 1.23.0-0"
 
 type: application
 
-version: 0.4.0
+version: 0.5.0
 
-appVersion: v0.2.0
+appVersion: v0.3.0
 
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: update aergia-controller appVersion to v0.2.0
+      description: update aergia-controller appVersion to v0.3.0
+    - kind: changed
+      description: added configmap for setting ip and useragent allow and block lists
+    - kind: changed
+      description: minimum kubernetes version to 1.23.0
diff --git a/charts/aergia/ci/linter-values.yaml b/charts/aergia/ci/linter-values.yaml
@@ -1 +1,22 @@
 # CI uses default values
+unidling:
+  verifyRequests:
+    enabled: true
+    secret: super-secret-string
+  ipAllowList:
+    - 1.2.3.4
+  ipBlockList:
+    - 1.2.3.5
+    - 4.3.2.1
+  agentAllowList:
+    - "@(example).com.?$"
+  agentBlockList:
+    - "@(example).test.?$"
+    - "@(internal).test.?$"
+customSelectors:
+  enabled: true
+  selectors: |-
+    servicedeployments: abc
+    clideployments: abc
+templates:
+  enabled: true
diff --git a/charts/aergia/templates/clusterrole.yaml b/charts/aergia/templates/clusterrole.yaml
@@ -21,6 +21,7 @@ rules:
   verbs:
   - get
   - list
+  - patch
   - watch
 - apiGroups:
   - ""

diff --git a/charts/aergia/templates/configmap.yaml b/charts/aergia/templates/configmap.yaml
@@ -1,22 +1,59 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "aergia.fullname" . }}-lists
+data:
+  {{- if .Values.unidling.ipAllowList}}
+  allowedips: |
+    {{- range .Values.unidling.ipAllowList }}
+    {{ . }}
+    {{- end}}
+  {{- end}}
+  {{- if .Values.unidling.ipBlockList}}
+  blockedips: |
+    {{- range .Values.unidling.ipBlockList }}
+    {{ . }}
+    {{- end}}
+  {{- end}}
+  {{- if .Values.unidling.agentAllowList}}
+  allowedagents: |
+    {{- range .Values.unidling.agentAllowList }}
+    {{ . }}
+    {{- end}}
+  {{- end}}
+  {{- if .Values.unidling.agentBlockList}}
+  blockedagents: |
+    {{- range .Values.unidling.agentBlockList }}
+    {{ . }}
+    {{- end}}
+  {{- end}}
 {{- if .Values.templates.enabled }}
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ include "aergia.fullname" . }}-templates
 data:
+{{- if .Values.templates.error}}
   error.html: |
 {{ .Values.templates.error | indent 4 }}
+{{- if .Values.templates.forced}}
+{{- end}}
   forced.html: |
 {{ .Values.templates.forced | indent 4 }}
+{{- if .Values.templates.unidle}}
+{{- end}}
   unidle.html: |
 {{ .Values.templates.unidle | indent 4 }}
 {{- end}}
+{{- end}}
 {{- if .Values.customSelectors.enabled }}
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ include "aergia.fullname" . }}-selectors
 data:
   selectors.yaml: |
-    {{ .Values.customSelectors.selectors | indent 4 }}
-{{- end }}
+{{ .Values.customSelectors.selectors  | indent 4}}
+{{- end }}
diff --git a/charts/aergia/templates/deployment.yaml b/charts/aergia/templates/deployment.yaml
@@ -90,40 +90,125 @@ spec:
             - name: {{ .name }}
               value: {{ .value | quote }}
           {{- end }}
+          {{- if .Values.unidling.verifyRequests.enabled }}
+          envFrom:
+            - secretRef:
+                name: {{ include "aergia.fullname" . }}
+          {{- end }}
           ports:
             - containerPort: 5000
               name: backend
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           volumeMounts:
+          {{- if .Values.unidling.ipAllowList}}
+            - name: {{ include "aergia.fullname" . }}-allowedips
+              mountPath: "/lists/allowedips"
+              readOnly: true
+          {{- end}}
+          {{- if .Values.unidling.ipBlockList}}
+            - name: {{ include "aergia.fullname" . }}-blockedips
+              mountPath: "/lists/blockedips"
+              readOnly: true
+          {{- end}}
+          {{- if .Values.unidling.agentAllowList}}
+            - name: {{ include "aergia.fullname" . }}-allowedagents
+              mountPath: "/lists/allowedagents"
+              readOnly: true
+          {{- end}}
+          {{- if .Values.unidling.agentBlockList}}
+            - name: {{ include "aergia.fullname" . }}-blockedagents
+              mountPath: "/lists/blockedagents"
+              readOnly: true
+          {{- end}}
           {{- if .Values.templates.enabled}}
-            - name: {{ include "aergia.fullname" . }}-templates
-              mountPath: "/templates"
+          {{- if .Values.templates.error}}
+            - name: {{ include "aergia.fullname" . }}-error
+              mountPath: "/templates/error.html"
               readOnly: true
           {{- end}}
+          {{- if .Values.templates.forced}}
+            - name: {{ include "aergia.fullname" . }}-forced
+              mountPath: "/templates/forced.html"
+              readOnly: true
+          {{- end}}
+          {{- if .Values.templates.unidle}}
+            - name: {{ include "aergia.fullname" . }}-unidle
+              mountPath: "/templates/unidle.html"
+              readOnly: true
+          {{- end}}
+          {{- end}}
           {{- if .Values.customSelectors.enabled }}
             - name: {{ include "aergia.fullname" . }}-selectors
               mountPath: "/custom"
               readOnly: true
           {{- end }}
       volumes:
+      {{- if .Values.unidling.ipAllowList}}
+        - name: {{ include "aergia.fullname" . }}-allowedips
+          configMap:
+            name: {{ include "aergia.fullname" . }}-lists
+            items:
+              - key: "allowedips"
+                path: "allowedips"
+      {{- end }}
+      {{- if .Values.unidling.ipBlockList}}
+        - name: {{ include "aergia.fullname" . }}-blockedips
+          configMap:
+            name: {{ include "aergia.fullname" . }}-lists
+            items:
+              - key: "blockedips"
+                path: "blockedips"
+      {{- end }}
+      {{- if .Values.unidling.agentAllowList}}
+        - name: {{ include "aergia.fullname" . }}-allowedagents
+          configMap:
+            name: {{ include "aergia.fullname" . }}-lists
+            items:
+              - key: "allowedagents"
+                path: "allowedagents"
+      {{- end }}
+      {{- if .Values.unidling.agentBlockList}}
+        - name: {{ include "aergia.fullname" . }}-blockedagents
+          configMap:
+            name: {{ include "aergia.fullname" . }}-lists
+            items:
+              - key: "blockedagents"
+                path: "blockedagents"
+      {{- end }}
       {{- if .Values.templates.enabled}}
-        - name: {{ include "aergia.fullname" . }}-templates
+      {{- if .Values.templates.error}}
+        - name: {{ include "aergia.fullname" . }}-error
           configMap:
             name: {{ include "aergia.fullname" . }}-templates
             items:
-            - key: "error.html"
-              path: "error.html"
-            - key: "unidle.html"
-              path: "unidle.html"
+              - key: "error.html"
+                path: "error.html"
+      {{- end }}
+      {{- if .Values.templates.forced}}
+        - name: {{ include "aergia.fullname" . }}-forced
+          configMap:
+            name: {{ include "aergia.fullname" . }}-templates
+            items:
+              - key: "forced.html"
+                path: "forced.html"
+      {{- end }}
+      {{- if .Values.templates.unidle}}
+        - name: {{ include "aergia.fullname" . }}-unidle
+          configMap:
+            name: {{ include "aergia.fullname" . }}-templates
+            items:
+              - key: "unidle.html"
+                path: "unidle.html"
+      {{- end }}
       {{- end}}
       {{- if .Values.customSelectors.enabled }}
         - name: {{ include "aergia.fullname" . }}-selectors
           configMap:
             name: {{ include "aergia.fullname" . }}-selectors
             items:
-            - key: "selectors.yaml"
-              path: "selectors.yaml"
+              - key: "selectors.yaml"
+                path: "selectors.yaml"
       {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:

diff --git a/charts/aergia/templates/secret.yaml b/charts/aergia/templates/secret.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.unidling.verifyRequests.enabled }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "aergia.fullname" . }}
+  labels:
+    {{- include "aergia.labels" . | nindent 4 }}
+stringData:
+  VERIFIED_UNIDLING: {{ .Values.unidling.verifyRequests.enabled | quote }}
+  VERIFY_SECRET: {{ .Values.unidling.verifyRequests.secret | quote }}
+{{- end}}
diff --git a/charts/aergia/values.yaml b/charts/aergia/values.yaml
@@ -54,15 +54,15 @@ kubeRBACProxy:
 
 templates:
   enabled: false
-  error: |
+  error: |-
     {{define "base"}}
     <html>
     <body>
     {{ .ErrorCode }} {{ .ErrorMessage }}
     </body>
     </html>
     {{end}}
-  forced: |
+  forced: |-
     {{define "base"}}
     <html>
     <head>
@@ -72,7 +72,7 @@ templates:
     </body>
     </html>
     {{end}}
-  unidle: |
+  unidle: |-
     {{define "base"}}
     <html>
     <head>
@@ -88,19 +88,54 @@ idling:
   enabled: false
   dryRun: false
   prometheusEndpoint: "http://monitoring-kube-prometheus-prometheus.monitoring.svc:9090"
+  # these two interval checks are golang time.Duration format (https://pkg.go.dev/time#ParseDuration)
   prometheusCheckInterval: "4h"
-  podCheckInterval: 4
+  podCheckInterval: "4h"
   enableCLIIdler: true
   enableServiceIdler: true
   cliCron: "5,35 * * * *"
   serviceCron: "0 */4 * * *"
   skipHitCheck: false
-  # the length of time to display the loading page when unidling a namespace
+  # the length of time to display the loading page when unidling a namespace in seconds
   refreshInterval: 30
 
+unidling:
+  verifyRequests:
+    enabled: false
+    secret: super-secret-string
+  # if you want or need to block or allow certain ip address or useragents
+  # from being able to unidle environments in your cluster
+  # you can define the items you want to allow or block here
+  # these are applied to all environments unless they have annotation overrides, eg:
+  # ipAllowList:
+  #   - 1.2.3.4
+  # ipBlockList:
+  #   - 1.2.3.5
+  #   - 4.3.2.1
+  # agentAllowList:
+  #   - "@(example).com.?$"
+  # agentBlockList:
+  #   - "@(example).test.?$"
+  #   - "@(internal).test.?$"
+
+  # ip addresses to allow or block.
+  ipAllowList:
+  ipBlockList:
+  # user agents to allow or block
+  agentAllowList:
+  agentBlockList:
+
 customSelectors:
   enabled: false
-  selectors: ""
+  # example for defining selectors, see aergia for the full format, you need to provide the full file if you want to change any selectors
+  # selectors: |-
+  #   cli:
+  #     namespace:
+  #       - name: "lagoon.sh/environmentType"
+  #         operator: "in"
+  #         values:
+  #           - "production"
+  #           - "development"
 
 servicemonitor:
   enabled: false
-Original file line number
+Diff line change
@@ Expand Up / @@ -21,6 +21,7 @@ rules: @@
       verbs:
       - get
       - list
+      - patch
       - watch
     - apiGroups:
       - ""
@@ Expand Down @@