

[Merge] ~sajoupa/charm-k8s-wordpress:nginx-ingress-modsec into charm-k8s-wordpress:master

 

Laurent Sesquès has proposed merging ~sajoupa/charm-k8s-wordpress:nginx-ingress-modsec into charm-k8s-wordpress:master.

Commit message:
Replace the modsec configuration in the docker image with the k8s ingress built-in modsec, and make it a juju config option. Also update the wordpress image version.

Requested reviews:
  Wordpress Charmers (wordpress-charmers)

For more details, see:
https://code.launchpad.net/~sajoupa/charm-k8s-wordpress/+git/charm-k8s-wordpress/+merge/414465
-- 
Your team Wordpress Charmers is requested to review the proposed merge of ~sajoupa/charm-k8s-wordpress:nginx-ingress-modsec into charm-k8s-wordpress:master.
diff --git a/Dockerfile b/Dockerfile
index 7eb38c0..a338c56 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,6 @@ FROM ubuntu:${DIST_RELEASE} as base
 # HTTPS_PROXY used when we RUN curl to download Wordpress itself
 ARG BUILD_DATE
 ARG HTTPS_PROXY
-ARG MODSEC
 
 
 # Launchpad OCI image builds don't support dynamic arg parsing. Skip until
@@ -47,12 +46,6 @@ RUN apt-get update && apt-get -y dist-upgrade \
         && ln -sfT /dev/stdout "$APACHE_LOG_DIR/other_vhosts_access.log" \
         && chown -R --no-dereference "$APACHE_RUN_USER:$APACHE_RUN_GROUP" "$APACHE_LOG_DIR"
 
-# Install apache2-modsec, activate the engine, and allow wordpress exclusions to avoid false positives
-RUN if [ -n "$MODSEC" ] ; then apt-get -y install modsecurity-crs \
-        && cp -p /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf \
-        && sed -i -e 's/^SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf \
-        && sed -i -e '/setvar:tx.crs_exclusions_xenforo/a SecAction \\\n  "id:900130,\\\n  phase:1,\\\n  nolog,\\\n  pass,\\\n  t:none,\\\n  setvar:tx.crs_exclusions_wordpress=1"' /etc/modsecurity/crs/crs-setup.conf ; fi
-
 # Configure PHP and apache2 - mod_php requires us to use mpm_prefork
 COPY ./image-builder/files/docker-php.conf $APACHE_CONFDIR/conf-available/docker-php.conf
 COPY ./image-builder/files/docker-php-swift-proxy.conf $APACHE_CONFDIR/conf-available/docker-php-swift-proxy.conf
diff --git a/config.yaml b/config.yaml
index a043cad..6af47e2 100644
--- a/config.yaml
+++ b/config.yaml
@@ -2,7 +2,7 @@ options:
   image:
     type: string
     description: "The docker image to install. Required."
-    default: "wordpresscharmers/wordpress:focal-5.8.3"
+    default: "wordpresscharmers/wordpress:v5.8.3-20.04"
   image_user:
     type: string
     description: "Username to use for the configured image registry, if required"
@@ -106,3 +106,8 @@ options:
       YAML dictionary with keys named after WordPress settings and the desired values.
       Please note that the settings will be reset to values provided every time hooks run.
     default: ""
+  use_nginx_ingress_modsec:
+    type: boolean
+    default: true
+    description: >
+      When set to true, the charm will configure the k8s ingress with modsec enabled.
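Review bot: The description of `use_nginx_ingress_modsec` does not say what the operator gives up by setting it to false: since this same change removes the modsecurity-crs install from the Dockerfile, false now means no WAF in front of WordPress at all, not "fall back to the image's own modsec". The annotations the charm emits are ingress-nginx specific, so the option is only effective when that controller serves the ingress; the description should say so too. Suggested wording: `When set to true (the default), the charm annotates the k8s ingress so that the nginx ingress controller enables ModSecurity with the OWASP Core Rule Set. Setting this to false disables the WAF entirely, as the image itself no longer ships mod_security. Requires the nginx ingress controller.`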
diff --git a/image-builder/Makefile b/image-builder/Makefile
index 14f1716..11c4542 100644
--- a/image-builder/Makefile
+++ b/image-builder/Makefile
@@ -1,13 +1,11 @@
 DIST_RELEASE ?= focal
 VERSION ?= 5.8.3
-MODSEC ?= ""
 
 build-image:
 	@echo "Building the image."
 	@docker build \
 		--no-cache=true \
 		--build-arg DIST_RELEASE=$(DIST_RELEASE) \
-		--build-arg MODSEC=$(MODSEC) \
 		--build-arg VERSION=$(VERSION) \
 		-t wordpress:$(DIST_RELEASE)-$(VERSION) \
 		.
diff --git a/src/charm.py b/src/charm.py
index cba136a..628677f 100755
--- a/src/charm.py
+++ b/src/charm.py
@@ -261,6 +261,15 @@ class WordpressCharm(CharmBase):
                 ]
             },
         }
+        modsec_annotations = {
+            "nginx.ingress.kubernetes.io/enable-modsecurity": "true",
+            "nginx.ingress.kubernetes.io/enable-owasp-modsecurity-crs": "true",
+            "nginx.ingress.kubernetes.io/modsecurity-snippet":
+                ("SecRuleEngine On\n"
+                 "Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf"),
+        }
+        if self.model.config["use_nginx_ingress_modsec"]:
+            resources["kubernetesResources"]["ingressResources"][0]["annotations"].update(modsec_annotations)
 
         if self.model.config["additional_hostnames"]:
             additional_hostnames = juju_setting_to_list(self.model.config["additional_hostnames"])
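Review bot: The ModSecurity annotations are merged only into `ingressResources[0]` on the line after the config check; if the `additional_hostnames` branch that follows (its body is outside the hunk) appends further ingress resources, those would be served without the WAF while the option reads as enabled — worth confirming, and if so applying `modsec_annotations` to each resource. The `modsecurity-snippet` annotation is also only honoured when the ingress-nginx controller permits snippet annotations, so a deployment where that is disabled would silently run without `SecRuleEngine On`; a short comment above `modsec_annotations` recording that assumption would help the next reader, e.g. `# Requires ingress-nginx with snippet annotations allowed; the snippet must include the CRS itself.` As a point of style, the dict is a constant and could live at module level next to the other ingress annotation values rather than being rebuilt on every call.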
diff --git a/tests/unit/test_charm.py b/tests/unit/test_charm.py
index 7606877..e4af690 100644
--- a/tests/unit/test_charm.py
+++ b/tests/unit/test_charm.py
@@ -133,6 +133,11 @@ class TestWordpressCharm(unittest.TestCase):
                         "annotations": {
                             "nginx.ingress.kubernetes.io/proxy-body-size": "10m",
                             "nginx.ingress.kubernetes.io/proxy-send-timeout": "300s",
+                            "nginx.ingress.kubernetes.io/enable-modsecurity": "true",
+                            "nginx.ingress.kubernetes.io/enable-owasp-modsecurity-crs": "true",
+                            "nginx.ingress.kubernetes.io/modsecurity-snippet":
+                                ("SecRuleEngine On\n"
+                                 "Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf"),
                         },
                         'name': ingress_name,
                         'spec': {
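Review bot: Both updated expectations (this hunk and the one at the second ingress case below) only exercise the default `use_nginx_ingress_modsec: true`; there is no test asserting that the three `nginx.ingress.kubernetes.io/*modsecurity*` annotations are absent when the option is false, so a regression that ignores the option would pass the suite. Adding a case that sets the option to false and checks `"nginx.ingress.kubernetes.io/enable-modsecurity" not in annotations` would pin both sides of the switch. The snippet string is now repeated verbatim in two places; pulling it into one module-level constant in the test would keep the two expectations from drifting.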
@@ -189,6 +194,11 @@ class TestWordpressCharm(unittest.TestCase):
                             "nginx.ingress.kubernetes.io/proxy-body-size": "10m",
                             "nginx.ingress.kubernetes.io/proxy-send-timeout": "300s",
                             "nginx.ingress.kubernetes.io/ssl-redirect": "false",
+                            "nginx.ingress.kubernetes.io/enable-modsecurity": "true",
+                            "nginx.ingress.kubernetes.io/enable-owasp-modsecurity-crs": "true",
+                            "nginx.ingress.kubernetes.io/modsecurity-snippet":
+                                ("SecRuleEngine On\n"
+                                 "Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf"),
                         },
                         'name': ingress_name,
                         'spec': {
