diff --git a/charts/aergia/Chart.yaml b/charts/aergia/Chart.yaml
index 41e8cd0..56c3eee 100644
--- a/charts/aergia/Chart.yaml
+++ b/charts/aergia/Chart.yaml
@@ -8,15 +8,19 @@ maintainers: - name: shreddedbacon email: ben.jackson@amazee.io url: https://amazee.io
-kubeVersion: ">= 1.19.0-0"
+kubeVersion: ">= 1.23.0-0"
type: application
-version: 0.4.0
+version: 0.5.0
-appVersion: v0.2.0
+appVersion: v0.3.0
annotations: artifacthub.io/changes: | - kind: changed
- description: update aergia-controller appVersion to v0.2.0
+ description: update aergia-controller appVersion to v0.3.0
+ - kind: changed
+ description: added configmap for setting ip and useragent allow and block lists
+ - kind: changed
+ description: minimum kubernetes version to 1.23.0
diff --git a/charts/aergia/ci/linter-values.yaml b/charts/aergia/ci/linter-values.yaml
index aab94a9..5865a8c 100644
--- a/charts/aergia/ci/linter-values.yaml
+++ b/charts/aergia/ci/linter-values.yaml
@@ -1 +1,22 @@ # CI uses default values
+unidling:
+ verifyRequests:
+ enabled: true
+ secret: super-secret-string
+ ipAllowList:
+ - 1.2.3.4
+ ipBlockList:
+ - 1.2.3.5
+ - 4.3.2.1
+ agentAllowList:
+ - "@(example).com.?$"
+ agentBlockList:
+ - "@(example).test.?$"
+ - "@(internal).test.?$"
+customSelectors:
+ enabled: true
+ selectors: |-
+ servicedeployments: abc
+ clideployments: abc
+templates:
+ enabled: true
diff --git a/charts/aergia/templates/clusterrole.yaml b/charts/aergia/templates/clusterrole.yaml
index 579192a..df30e0d 100644
--- a/charts/aergia/templates/clusterrole.yaml
+++ b/charts/aergia/templates/clusterrole.yaml
@@ -21,6 +21,7 @@ rules: verbs: - get - list + - patch - watch - apiGroups: - ""
diff --git a/charts/aergia/templates/configmap.yaml b/charts/aergia/templates/configmap.yaml
index a6aef11..29bb2cd 100644
--- a/charts/aergia/templates/configmap.yaml
+++ b/charts/aergia/templates/configmap.yaml
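Review bot: The `patch` verb added to the ClusterRole rule is not recorded in the Chart.yaml changelog of this commit, and neither is the new Secret created by `verifyRequests`; the `artifacthub.io/changes` entries name only the appVersion, the lists ConfigMap and the kubeVersion floor. The resource this verb is granted on sits above the hunk, so someone upgrading the chart cannot see from the changelog what the controller is now allowed to modify. Add an entry such as `- kind: changed` / `description: clusterrole now grants patch on <RESOURCE — copy from clusterrole.yaml>` next to the existing ones so the RBAC widening is visible at upgrade time.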
@@ -1,22 +1,59 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "aergia.fullname" . }}-lists
+data:
+ {{- if .Values.unidling.ipAllowList}}
+ allowedips: |
+ {{- range .Values.unidling.ipAllowList }}
+ {{ . }}
+ {{- end}}
+ {{- end}}
+ {{- if .Values.unidling.ipBlockList}}
+ blockedips: |
+ {{- range .Values.unidling.ipBlockList }}
+ {{ . }}
+ {{- end}}
+ {{- end}}
+ {{- if .Values.unidling.agentAllowList}}
+ allowedagents: |
+ {{- range .Values.unidling.agentAllowList }}
+ {{ . }}
+ {{- end}}
+ {{- end}}
+ {{- if .Values.unidling.agentBlockList}}
+ blockedagents: |
+ {{- range .Values.unidling.agentBlockList }}
+ {{ . }}
+ {{- end}}
+ {{- end}}
{{- if .Values.templates.enabled }}
+---
apiVersion: v1 kind: ConfigMap metadata: name: {{ include "aergia.fullname" . }}-templates data:
+{{- if .Values.templates.error}}
error.html: | {{ .Values.templates.error | indent 4 }}
+{{- if .Values.templates.forced}}
+{{- end}}
forced.html: | {{ .Values.templates.forced | indent 4 }}
+{{- if .Values.templates.unidle}}
+{{- end}}
unidle.html: | {{ .Values.templates.unidle | indent 4 }} {{- end}}
+{{- end}}
{{- if .Values.customSelectors.enabled }}
+---
apiVersion: v1 kind: ConfigMap metadata: name: {{ include "aergia.fullname" . }}-selectors data: selectors.yaml: |
- {{ .Values.customSelectors.selectors | indent 4 }}
-{{- end }}
\ No newline at end of file
+{{ .Values.customSelectors.selectors | indent 4}}
+{{- end }}
diff --git a/charts/aergia/templates/deployment.yaml b/charts/aergia/templates/deployment.yaml
index cca07f0..3015ae9 100644
--- a/charts/aergia/templates/deployment.yaml
+++ b/charts/aergia/templates/deployment.yaml
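Review bot: In the `-templates` ConfigMap the new `{{- if .Values.templates.forced}}` and `{{- if .Values.templates.unidle}}` guards are closed by the `{{- end}}` that immediately follows each of them, so they guard nothing, while the outer `{{- if .Values.templates.error}}` stays open until the second-to-last `{{- end}}`; as written, `forced.html` and `unidle.html` are emitted whenever `templates.error` is set (as near-empty block scalars when their own values are empty) and omitted whenever it is not. deployment.yaml mounts each key only when its own value is set, so with `error` unset and `forced` set the pod references a `forced.html` key that the ConfigMap does not contain, and with `error` set but `forced` unset the controller gets an empty template file. Delete the two `{{- end}}` lines that directly follow the `forced` and `unidle` `if` lines, and instead add `{{- end}}` after `{{ .Values.templates.error | indent 4 }}` and after `{{ .Values.templates.forced | indent 4 }}` so the three guards are independent; the existing `{{- end}}` after the `unidle` scalar then closes the `unidle` guard and the final one closes `templates.enabled`.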
@@ -90,40 +90,125 @@ spec: - name: {{ .name }} value: {{ .value | quote }} {{- end }} + {{- if .Values.unidling.verifyRequests.enabled }} + envFrom: + - secretRef: + name: {{ include "aergia.fullname" . }} + {{- end }} ports: - containerPort: 5000 name: backend resources: {{- toYaml .Values.resources | nindent 12 }} volumeMounts: + {{- if .Values.unidling.ipAllowList}} + - name: {{ include "aergia.fullname" . }}-allowedips + mountPath: "/lists/allowedips" + readOnly: true + {{- end}} + {{- if .Values.unidling.ipBlockList}} + - name: {{ include "aergia.fullname" . }}-blockedips + mountPath: "/lists/blockedips" + readOnly: true + {{- end}} + {{- if .Values.unidling.agentAllowList}} + - name: {{ include "aergia.fullname" . }}-allowedagents + mountPath: "/lists/allowedagents" + readOnly: true + {{- end}} + {{- if .Values.unidling.agentBlockList}} + - name: {{ include "aergia.fullname" . }}-blockedagents + mountPath: "/lists/blockedagents" + readOnly: true + {{- end}} {{- if .Values.templates.enabled}} - - name: {{ include "aergia.fullname" . }}-templates - mountPath: "/templates" + {{- if .Values.templates.error}} + - name: {{ include "aergia.fullname" . }}-error + mountPath: "/templates/error.html" readOnly: true {{- end}} + {{- if .Values.templates.forced}} + - name: {{ include "aergia.fullname" . }}-forced + mountPath: "/templates/forced.html" + readOnly: true + {{- end}} + {{- if .Values.templates.unidle}} + - name: {{ include "aergia.fullname" . }}-unidle + mountPath: "/templates/unidle.html" + readOnly: true + {{- end}} + {{- end}} {{- if .Values.customSelectors.enabled }} - name: {{ include "aergia.fullname" . }}-selectors mountPath: "/custom" readOnly: true {{- end }} volumes: + {{- if .Values.unidling.ipAllowList}} + - name: {{ include "aergia.fullname" . }}-allowedips + configMap: + name: {{ include "aergia.fullname" . 
}}-lists + items: + - key: "allowedips" + path: "allowedips" + {{- end }} + {{- if .Values.unidling.ipBlockList}} + - name: {{ include "aergia.fullname" . }}-blockedips + configMap: + name: {{ include "aergia.fullname" . }}-lists + items: + - key: "blockedips" + path: "blockedips" + {{- end }} + {{- if .Values.unidling.agentAllowList}} + - name: {{ include "aergia.fullname" . }}-allowedagents + configMap: + name: {{ include "aergia.fullname" . }}-lists + items: + - key: "allowedagents" + path: "allowedagents" + {{- end }} + {{- if .Values.unidling.agentBlockList}} + - name: {{ include "aergia.fullname" . }}-blockedagents + configMap: + name: {{ include "aergia.fullname" . }}-lists + items: + - key: "blockedagents" + path: "blockedagents" + {{- end }} {{- if .Values.templates.enabled}} - - name: {{ include "aergia.fullname" . }}-templates + {{- if .Values.templates.error}} + - name: {{ include "aergia.fullname" . }}-error configMap: name: {{ include "aergia.fullname" . }}-templates items: - - key: "error.html" - path: "error.html" - - key: "unidle.html" - path: "unidle.html" + - key: "error.html" + path: "error.html" + {{- end }} + {{- if .Values.templates.forced}} + - name: {{ include "aergia.fullname" . }}-forced + configMap: + name: {{ include "aergia.fullname" . }}-templates + items: + - key: "forced.html" + path: "forced.html" + {{- end }} + {{- if .Values.templates.unidle}} + - name: {{ include "aergia.fullname" . }}-unidle + configMap: + name: {{ include "aergia.fullname" . }}-templates + items: + - key: "unidle.html" + path: "unidle.html" + {{- end }} {{- end}} {{- if .Values.customSelectors.enabled }} - name: {{ include "aergia.fullname" . }}-selectors configMap: name: {{ include "aergia.fullname" . }}-selectors items: - - key: "selectors.yaml" - path: "selectors.yaml" + - key: "selectors.yaml" + path: "selectors.yaml" {{- end }} {{- with .Values.nodeSelector }} nodeSelector: 
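Review bot: Each template and each list is now mounted at a file path (`mountPath: "/templates/error.html"`, `mountPath: "/lists/allowedips"`) from a configMap volume carrying a single `items` entry, but without `subPath` Kubernetes mounts a volume as a directory at that path, so the container would see `/templates/error.html/error.html` and `/lists/allowedips/allowedips` rather than the files themselves. Unless the controller deliberately reads `<mountPath>/<key>` (its read paths are not visible here), either add `subPath: "error.html"` (and likewise `"forced.html"`, `"unidle.html"`, `"allowedips"`, …) to each file mount, or return to one volume per ConfigMap mounted on the directory with several `items`, as the removed `/templates` mount did. Note that `subPath` mounts are not refreshed when the ConfigMap changes, which matters if operators expect edits to the allow/block lists to take effect without a pod restart. The Deployment's container spec begins above the hunk.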
diff --git a/charts/aergia/templates/secret.yaml b/charts/aergia/templates/secret.yaml
new file mode 100644
index 0000000..0e4023c
--- /dev/null
+++ b/charts/aergia/templates/secret.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.unidling.verifyRequests.enabled }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ include "aergia.fullname" . }}
+ labels:
+ {{- include "aergia.labels" . | nindent 4 }}
+stringData:
+ VERIFIED_UNIDLING: {{ .Values.unidling.verifyRequests.enabled | quote }}
+ VERIFY_SECRET: {{ .Values.unidling.verifyRequests.secret | quote }}
+{{- end}}
diff --git a/charts/aergia/values.yaml b/charts/aergia/values.yaml
index 1f291c8..c711794 100644
--- a/charts/aergia/values.yaml
+++ b/charts/aergia/values.yaml
@@ -54,7 +54,7 @@ kubeRBACProxy: templates: enabled: false
- error: |
+ error: |-
{{define "base"}}
@@ -62,7 +62,7 @@ templates: {{end}}
- forced: |
+ forced: |-
{{define "base"}}
@@ -72,7 +72,7 @@ templates: {{end}}
- unidle: |
+ unidle: |-
{{define "base"}}
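Review bot: `VERIFY_SECRET` is rendered from `.Values.unidling.verifyRequests.secret`, whose chart default in values.yaml is the literal `super-secret-string`, so enabling `verifyRequests` without overriding that value ships a shared, publicly known secret and the template does nothing to reject it. Make the default empty (`secret: ""` in values.yaml) and fail the render when verification is enabled without a value: `VERIFY_SECRET: {{ required "unidling.verifyRequests.secret must be set when verifyRequests.enabled is true" .Values.unidling.verifyRequests.secret | quote }}`. `VERIFIED_UNIDLING` is a boolean flag rather than secret material and could be passed as a plain `env` entry, leaving the Secret holding only `VERIFY_SECRET`, which keeps its contents minimal for anyone with `get secrets` in the namespace.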
@@ -88,19 +88,54 @@ idling: enabled: false dryRun: false prometheusEndpoint: "http://monitoring-kube-prometheus-prometheus.monitoring.svc:9090" + # these two interval checks are golang time.Duration format (https://pkg.go.dev/time#ParseDuration) prometheusCheckInterval: "4h" - podCheckInterval: 4 + podCheckInterval: "4h" enableCLIIdler: true enableServiceIdler: true cliCron: "5,35 * * * *" serviceCron: "0 */4 * * *" skipHitCheck: false - # the length of time to display the loading page when unidling a namespace + # the length of time to display the loading page when unidling a namespace in seconds refreshInterval: 30 +unidling: + verifyRequests: + enabled: false + secret: super-secret-string + # if you want or need to block or allow certain ip address or useragents + # from being able to unidle environments in your cluster + # you can define the items you want to allow or block here + # these are applied to all environments unless they have annotation overrides, eg: + # ipAllowList: + # - 1.2.3.4 + # ipBlockList: + # - 1.2.3.5 + # - 4.3.2.1 + # agentAllowList: + # - "@(example).com.?$" + # agentBlockList: + # - "@(example).test.?$" + # - "@(internal).test.?$" + + # ip addresses to allow or block. + ipAllowList: + ipBlockList: + # user agents to allow or block + agentAllowList: + agentBlockList: + customSelectors: enabled: false - selectors: "" + # example for defining selectors, see aergia for the full format, you need to provide the full file if you want to change any selectors + # selectors: |- + # cli: + # namespace: + # - name: "lagoon.sh/environmentType" + # operator: "in" + # values: + # - "production" + # - "development" servicemonitor: enabled: false
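Review bot: `podCheckInterval` changes from the integer `4` to the duration string `"4h"`, and the new comment states both intervals are parsed with `time.ParseDuration`, which rejects a bare `4` (`missing unit in duration`); if that is how the controller reads it, an existing values override that still sets `podCheckInterval: 4` stops working on upgrade, and neither the comment nor the Chart.yaml changelog calls this out. Add a changelog entry and extend the comment, e.g. `# podCheckInterval was previously a plain integer; it must now be a duration string such as "4h"`. The empty lists are written as bare keys (`ipAllowList:`), which YAML reads as null; `ipAllowList: []` (and the same for `ipBlockList`, `agentAllowList`, `agentBlockList`) states the intended type, still renders as falsy in the `{{- if }}` guards, and matches the list shape in the commented example just above them.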