Add ingress.modSecurity.secRuleEngine support
Update ingress template to support ingress.modSecurity.secRuleEngine
configuration, per https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity.
Implementation
As modsecurity has already been enabled at the ingress-controller with https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/32905 this change will optionally override the default configuration by using nginx.ingress.kubernetes.io/modsecurity-snippet, which takes priority over the ingress-controller configuration nginx.ingress.kubernetes.io/enable-modsecurity-crs.
Since the snippet will completely override the inclusion of the core rule set, we instead manually include it here first with our Include, then set the SecRuleEngine to the passed value (enum: On | Off | DetectionOnly). As DetectionOnly is the default behavior defined by the ingress-controller's config map, we use the same default here.
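The rendering described above, as an added example that is not the chart's own template: it validates the mode against the enum, falls back to DetectionOnly, and emits the Include before SecRuleEngine. The function names and the CRS include path (the one used in the ingress-nginx documentation) are assumptions, since this page does not show them.

```shell
#!/usr/bin/env bash
# Added example (not the chart's template). Renders the annotation value the
# description above explains, after validating the engine mode.

# Assumption: location of the CRS loader inside the ingress-nginx controller image.
CRS_INCLUDE="/etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf"

# render_modsecurity_snippet [MODE]
# Prints the modsecurity-snippet body; returns 1 for a value outside the enum.
render_modsecurity_snippet() {
  # Empty or unset falls back to the controller's default behaviour.
  local mode="${1:-DetectionOnly}"
  case "$mode" in
    On|Off|DetectionOnly) ;;
    *)
      # Anything else (wrong case, stray whitespace, embedded newlines) would
      # be written verbatim into the ModSecurity configuration, so reject it.
      printf 'invalid secRuleEngine value: %s\n' "$mode" >&2
      return 1
      ;;
  esac
  # Include first, SecRuleEngine second, in the order the description gives.
  printf 'Include %s\nSecRuleEngine %s\n' "$CRS_INCLUDE" "$mode"
}

# render_ingress_annotation [MODE]
# Wraps the snippet as a YAML block scalar under the annotation key.
render_ingress_annotation() {
  local body
  body="$(render_modsecurity_snippet "${1-}")" || return 1
  printf 'nginx.ingress.kubernetes.io/modsecurity-snippet: |\n'
  printf '%s\n' "$body" | sed 's/^/  /'
}
```

Calling render_ingress_annotation with no argument prints the annotation with SecRuleEngine DetectionOnly, matching the default stated above.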
Next Steps
This MR is part of gitlab-org/gitlab#8558 (closed). Next step will be configuring auto-deploy-image with the following, done with gitlab-org/cluster-integration/auto-deploy-image!28 (merged):
diff --git a/src/bin/auto-deploy b/src/bin/auto-deploy
index b3d91ac..195cef1 100755
--- a/src/bin/auto-deploy
+++ b/src/bin/auto-deploy
@@ -161,6 +161,7 @@ function deploy() {
--set postgresql.postgresDatabase="$POSTGRES_DB" \
--set postgresql.imageTag="$POSTGRES_VERSION" \
--set application.initializeCommand="$DB_INITIALIZE" \
+ --set ingress.modsecurity.enabled="$modsecurity_enabled" \
+ --set ingress.modsecurity.secRuleEngine="$MODSECURITY_SEC_RULE_ENGINE" \
$HELM_UPGRADE_EXTRA_ARGS \
--namespace="$KUBE_NAMESPACE" \
"$name" \
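Review bot: the two added --set lines write to ingress.modsecurity.* (lower-case "s"), while the MR title and description name the chart value ingress.modSecurity.secRuleEngine. Helm value keys are case-sensitive, so if the template reads the camel-case key these flags will have no effect; use ingress.modSecurity.enabled and ingress.modSecurity.secRuleEngine. Two smaller points. $MODSECURITY_SEC_RULE_ENGINE is passed even when it is unset, which hands the chart an empty string in place of the DetectionOnly default the description relies on, so consider "${MODSECURITY_SEC_RULE_ENGINE:-DetectionOnly}" or adding the flag only when the variable is set. The hunk header reads -161,6 +161,7 but two lines are added, so the new-side count should be 8 for the patch to apply cleanly.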