
wordpress-charmers team mailing list archive

Re: [Merge] ~sajoupa/charm-k8s-wordpress:nginx-ingress-modsec into charm-k8s-wordpress:master

 

Addressed comments.

Diff comments:

> diff --git a/config.yaml b/config.yaml
> index a043cad..6af47e2 100644
> --- a/config.yaml
> +++ b/config.yaml
> @@ -106,3 +106,8 @@ options:
>        YAML dictionary with keys named after WordPress settings and the desired values.
>        Please note that the settings will be reset to values provided every time hooks run.
>      default: ""
> +  use_nginx_ingress_modsec:
> +    type: boolean
> +    default: true

Yes. The Dockerfile method was more hacky, and I felt that it shouldn't be made the default immediately.
Here, we're using standard configurations and it can be very easily changed with a juju command, whereas with Docker we had to rebuild the image to deactivate it or fix something.

> +    description: >
> +      When set to true, the charm will configure the k8s ingress with modsec enabled.
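
Review bot: the description of use_nginx_ingress_modsec says only "modsec enabled", while the src/charm.py change in this same patch also enables the OWASP CRS and sets "SecRuleEngine On", so matching requests are blocked rather than only logged. With "default: true" that applies to every deployment that never set the option. State in the description that the option turns on the CRS in blocking mode and that setting it to false removes the annotations, so an operator who sees legitimate requests rejected knows which option to look at.
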
> diff --git a/src/charm.py b/src/charm.py
> index cba136a..628677f 100755
> --- a/src/charm.py
> +++ b/src/charm.py
> @@ -261,6 +261,15 @@ class WordpressCharm(CharmBase):
>                  ]
>              },
>          }
> +        modsec_annotations = {
> +            "nginx.ingress.kubernetes.io/enable-modsecurity": "true",
> +            "nginx.ingress.kubernetes.io/enable-owasp-modsecurity-crs": "true",
> +            "nginx.ingress.kubernetes.io/modsecurity-snippet":
> +                ("SecRuleEngine On\n"
> +                 "Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf"),
> +        }

Done.

> +        if self.model.config["use_nginx_ingress_modsec"]:
> +            resources["kubernetesResources"]["ingressResources"][0]["annotations"].update(modsec_annotations)
>  
>          if self.model.config["additional_hostnames"]:
>              additional_hostnames = juju_setting_to_list(self.model.config["additional_hostnames"])
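
Review bot: the modsecurity-snippet in modsec_annotations hardcodes "SecRuleEngine On", so the config option is a choice between full blocking and no ModSecurity at all; there is no way to run the rules in DetectionOnly while tuning them for a site. Consider making the engine mode configurable, or add a comment explaining why blocking is the only supported mode. Separately, is the explicit "Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf" still needed when enable-owasp-modsecurity-crs is already "true"? If both are required, a short comment saying why would help the next reader.
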
> diff --git a/tests/unit/test_charm.py b/tests/unit/test_charm.py
> index 7606877..e4af690 100644
> --- a/tests/unit/test_charm.py
> +++ b/tests/unit/test_charm.py
> @@ -133,6 +133,11 @@ class TestWordpressCharm(unittest.TestCase):
>                          "annotations": {
>                              "nginx.ingress.kubernetes.io/proxy-body-size": "10m",
>                              "nginx.ingress.kubernetes.io/proxy-send-timeout": "300s",
> +                            "nginx.ingress.kubernetes.io/enable-modsecurity": "true",
> +                            "nginx.ingress.kubernetes.io/enable-owasp-modsecurity-crs": "true",
> +                            "nginx.ingress.kubernetes.io/modsecurity-snippet":
> +                                ("SecRuleEngine On\n"
> +                                 "Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf"),

Done.

>                          },
>                          'name': ingress_name,
>                          'spec': {
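
Review bot: the three expected modsecurity annotations added here are a verbatim copy of the ones in the next hunk and of modsec_annotations in src/charm.py. A single module-level constant in the test file, merged into each expected annotations dict, would keep the two expectations from drifting apart when the snippet changes.
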
> @@ -189,6 +194,11 @@ class TestWordpressCharm(unittest.TestCase):
>                              "nginx.ingress.kubernetes.io/proxy-body-size": "10m",
>                              "nginx.ingress.kubernetes.io/proxy-send-timeout": "300s",
>                              "nginx.ingress.kubernetes.io/ssl-redirect": "false",
> +                            "nginx.ingress.kubernetes.io/enable-modsecurity": "true",
> +                            "nginx.ingress.kubernetes.io/enable-owasp-modsecurity-crs": "true",
> +                            "nginx.ingress.kubernetes.io/modsecurity-snippet":
> +                                ("SecRuleEngine On\n"
> +                                 "Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf"),

Done.

>                          },
>                          'name': ingress_name,
>                          'spec': {
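
Review bot: both test hunks only extend the expected output for the default (enabled) case; nothing here exercises use_nginx_ingress_modsec set to false. Add a test that sets the option to false and asserts that none of the three modsecurity annotations appear in the ingress annotations, since that is the path an operator relies on to turn the WAF off.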


-- 
https://code.launchpad.net/~sajoupa/charm-k8s-wordpress/+git/charm-k8s-wordpress/+merge/414465
Your team Wordpress Charmers is subscribed to branch charm-k8s-wordpress:master.


