🧑‍💻 wik

scality · Jul 25, 2024 · 890403d · 890403d
1 parent 7cf77a0
commit 890403d
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 6 deletions.
diff --git a/charts/ingress-nginx.yaml b/charts/ingress-nginx.yaml
@@ -1,6 +1,9 @@
 controller:
   allowSnippetAnnotations: true
 
+  config:
+    custom-http-errors: "403,404,500,503"
+
   image:
     digest: null
     repository: __image__(nginx-ingress-controller)
@@ -19,12 +22,12 @@ controller:
   kind: DaemonSet
 
   tolerations:
-    - key: "node-role.kubernetes.io/bootstrap"
-      operator: "Exists"
-      effect: "NoSchedule"
-    - key: "node-role.kubernetes.io/infra"
-      operator: "Exists"
-      effect: "NoSchedule"
+  - key: "node-role.kubernetes.io/bootstrap"
+    operator: "Exists"
+    effect: "NoSchedule"
+  - key: "node-role.kubernetes.io/infra"
+    operator: "Exists"
+    effect: "NoSchedule"
 
   service:
     type: ClusterIP
@@ -43,3 +46,24 @@ controller:
 
 defaultBackend:
   enabled: false
+  extraConfigMaps:
+  - name: cis
+    labels:
+      type: hardening
+    data:
+      keep-alive: '10'
+      hide-headers: 'Server,X-Powered-By'
+      ssl-protocols: 'TLSv1.3'
+      ssl-ciphers: 'ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4'
+      enable-ocsp: 'true'
+      client-header-timeout: '10'
+      client-body-timeout: '10'
+  - name: custom-404.html
+    labels:
+      type: custom-404
+    data:
+      custom-404.html: |
+        <html>
+        <head><title>Page Not Found</title></head>
+        <body><h1>404 - Page Not Found</h1></body>
+        </html>
diff --git a/salt/metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2 b/salt/metalk8s/addons/nginx-ingress/config/ingress-controller.yaml.j2
@@ -6,3 +6,37 @@ kind: IngressControllerConfig
 spec:
   config:
     allow-snippet-annotations: 'true'
+    keep-alive: '10'
+    hide-headers: 'Server,X-Powered-By'
+    ssl-protocols: 'TLSv1.3'
+    ssl-ciphers: 'EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA'
+    client-header-timeout: '10'
+    client-body-timeout: '10'
+    proxy-body-size: '10m'
+    large-client-header-buffers: '2 1k'
+    enable-brotli: 'true'
+    brotli-level: '6'
+    403: |
+      <!DOCTYPE html>
+      <html>
+        <head><title>FORBIDDEN</title></head>
+        <body>FORBIDDEN</body>
+      </html>
+    404: |
+      <!DOCTYPE html>
+      <html>
+        <head><title>PAGE NOT FOUND</title></head>
+        <body>PAGE NOT FOUND</body>
+      </html>
+    500: |
+      <!DOCTYPE html>
+      <html>
+        <head><title>INTERNAL SERVER ERROR</title></head>
+        <body>INTERNAL SERVER ERROR</body>
+      </html>
+    503: |
+      <!DOCTYPE html>
+      <html>
+        <head><title>CUSTOM SERVICE UNAVAILABLE</title></head>
+        <body>CUSTOM SERVICE UNAVAILABLE</body>
+      </html>
diff --git a/salt/metalk8s/addons/nginx-ingress/deployed/chart.sls b/salt/metalk8s/addons/nginx-ingress/deployed/chart.sls
@@ -439,6 +439,10 @@ kind: IngressClass
 metadata:
   annotations:
     ingressclass.kubernetes.io/is-default-class: 'true'
+    nginx.ingress.kubernetes.io/limit-connections: '10'
+    nginx.ingress.kubernetes.io/limit-rps: '10'
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      add_header Referrer-Policy 'no-referrer';
   labels:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: ingress-nginx