From 5f7e4245c337883cd65f971c9522384006dceb84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Huss?=
Date: Mon, 27 May 2024 18:46:25 +0200
Subject: [PATCH] fix
---
 apps/taiga/index.yaml | 64 +++++++++++++-------------
 apps/taiga/taiga_ConfigMap.tf | 41 +++--------------
 apps/taiga/taiga_workload.tf | 86 ++++++++++++++++++++++++++---------
 3 files changed, 103 insertions(+), 88 deletions(-)
diff --git a/apps/taiga/index.yaml b/apps/taiga/index.yaml
index c7804d1..5963410 100644
--- a/apps/taiga/index.yaml
+++ b/apps/taiga/index.yaml
@@ -132,18 +132,18 @@ options:
 back:
 pull_policy: IfNotPresent
 registry: docker.io
- repository: taigaio/taiga-back
- tag: 6.7.3
+ repository: sebt3/taiga-back
+ tag: 6.8.0
 events:
 pull_policy: IfNotPresent
 registry: docker.io
- repository: taigaio/taiga-events
- tag: 6.7.0
+ repository: sebt3/taiga-events
+ tag: 6.8.0
 front:
 pull_policy: IfNotPresent
 registry: docker.io
- repository: taigaio/taiga-front
- tag: 6.7.7
+ repository: sebt3/taiga-front
+ tag: 6.8.0
 nginx:
 pull_policy: IfNotPresent
 registry: docker.io
@@ -156,8 +156,8 @@ options:
 protected:
 pull_policy: IfNotPresent
 registry: docker.io
- repository: taigaio/taiga-protected
- tag: 6.7.0
+ repository: sebt3/taiga-protected
+ tag: 6.8.0
 rabbit:
 registry: docker.io
 repository: rabbitmq
@@ -166,18 +166,18 @@ options:
 - back:
 pull_policy: IfNotPresent
 registry: docker.io
- repository: taigaio/taiga-back
- tag: 6.7.3
+ repository: sebt3/taiga-back
+ tag: 6.8.0
 events:
 pull_policy: IfNotPresent
 registry: docker.io
- repository: taigaio/taiga-events
- tag: 6.7.0
+ repository: sebt3/taiga-events
+ tag: 6.8.0
 front:
 pull_policy: IfNotPresent
 registry: docker.io
- repository: taigaio/taiga-front
- tag: 6.7.7
+ repository: sebt3/taiga-front
+ tag: 6.8.0
 nginx:
 pull_policy: IfNotPresent
 registry: docker.io
@@ -190,8 +190,8 @@ options:
 protected:
 pull_policy: IfNotPresent
 registry: docker.io
- repository: taigaio/taiga-protected
- tag: 6.7.0
+ repository: sebt3/taiga-protected
+ tag: 6.8.0
 rabbit:
 registry: docker.io
 repository: rabbitmq
@@ -201,8 +201,8 @@ options:
 default:
 pull_policy: IfNotPresent
 registry: docker.io
- repository: taigaio/taiga-back
- tag: 6.7.3
+ repository: sebt3/taiga-back
+ tag: 6.8.0
 properties:
 pull_policy:
 default: IfNotPresent
@@ -215,18 +215,18 @@ options:
 default: docker.io
 type: string
 repository:
- default: taigaio/taiga-back
+ default: sebt3/taiga-back
 type: string
 tag:
- default: 6.7.3
+ default: 6.8.0
 type: string
 type: object
 events:
 default:
 pull_policy: IfNotPresent
 registry: docker.io
- repository: taigaio/taiga-events
- tag: 6.7.0
+ repository: sebt3/taiga-events
+ tag: 6.8.0
 properties:
 pull_policy:
 default: IfNotPresent
@@ -239,18 +239,18 @@ options:
 default: docker.io
 type: string
 repository:
- default: taigaio/taiga-events
+ default: sebt3/taiga-events
 type: string
 tag:
- default: 6.7.0
+ default: 6.8.0
 type: string
 type: object
 front:
 default:
 pull_policy: IfNotPresent
 registry: docker.io
- repository: taigaio/taiga-front
- tag: 6.7.7
+ repository: sebt3/taiga-front
+ tag: 6.8.0
 properties:
 pull_policy:
 default: IfNotPresent
@@ -263,10 +263,10 @@ options:
 default: docker.io
 type: string
 repository:
- default: taigaio/taiga-front
+ default: sebt3/taiga-front
 type: string
 tag:
- default: 6.7.7
+ default: 6.8.0
 type: string
 type: object
 nginx:
@@ -313,8 +313,8 @@ options:
 default:
 pull_policy: IfNotPresent
 registry: docker.io
- repository: taigaio/taiga-protected
- tag: 6.7.0
+ repository: sebt3/taiga-protected
+ tag: 6.8.0
 properties:
 pull_policy:
 default: IfNotPresent
@@ -327,10 +327,10 @@ options:
 default: docker.io
 type: string
 repository:
- default: taigaio/taiga-protected
+ default: sebt3/taiga-protected
 type: string
 tag:
- default: 6.7.0
+ default: 6.8.0
 type: string
 type: object
 rabbit:
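Review bot: Every Taiga image now comes from the personal `sebt3/*` Docker Hub namespace instead of the upstream `taigaio/*` repositories, referenced only by the mutable tag `6.8.0` both in the `repository:`/`tag:` defaults and in the schema `default:` entries. That shifts supply-chain trust from the project to a single user account whose tags can be re-pushed at any time, and nothing in the patch records why the fork is needed (presumably it carries the unprivileged-user and entrypoint changes the workload now relies on, but that is an inference). I would add a comment above the first `back:` entry naming the fork's source repository and the upstream version it tracks, e.g. `# sebt3/* are rebuilds of taigaio/* 6.8.0 that run unprivileged; source: <fork repo>`, and pin each image by digest (a `digest:` property next to `tag:` rendered as `image@sha256:…`) or at least record the digests of the published `6.8.0` tags so a silent re-tag is detectable.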
diff --git a/apps/taiga/taiga_ConfigMap.tf b/apps/taiga/taiga_ConfigMap.tf
index b85e794..4af8ff2 100644
--- a/apps/taiga/taiga_ConfigMap.tf
+++ b/apps/taiga/taiga_ConfigMap.tf
@@ -27,7 +27,6 @@ resource "kubectl_manifest" "cm_env_back" {
 ENABLE_TRELLO_IMPORTER: "False"
 OPENID_CONNECT_SCOPES: "openid email profile"
 GITLAB_URL: "${module.oauth2.sso_configuration_url}"
- REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
 EOF
 }
@@ -70,13 +69,12 @@ resource "kubectl_manifest" "cm_env_front" {
 ENABLE_TELEMETRY: "false"
 PUBLIC_REGISTER_ENABLED: "true"
 ENABLE_GITHUB_AUTH: "false"
- ENABLE_GITLAB_AUTH: "true"
+ ENABLE_GITLAB_AUTH: "false"
+ ENABLE_OIDC_AUTH: "true"
 ENABLE_SLACK: "false"
 ENABLE_GITHUB_IMPORTER: "false"
 ENABLE_JIRA_IMPORTER: "false"
 ENABLE_TRELLO_IMPORTER: "false"
- OPENID_CONNECT_SCOPES: "openid email profile"
- GITLAB_URL: "${module.oauth2.sso_configuration_url}"
 EOF
 }
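Review bot: Removing `REQUESTS_CA_BUNDLE` from `cm_env_back` leaves the backend's trust root entirely to whatever sets that variable at runtime; if nothing does, `requests` falls back to its bundled certifi store rather than the system `/etc/ssl/certs/ca-certificates.crt`, so the trust root silently changes instead of failing loudly. Since the ConfigMap is now the only place a reader would look for this, a comment such as `# REQUESTS_CA_BUNDLE is exported at container start by certs.sh (cm_scripts), which merges the optional local CA` would make the dependency explicit. The `cm_env_back` resource begins before this hunk.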
@@ -94,40 +92,13 @@ resource "kubectl_manifest" "cm_scripts" {
 labels: ${jsonencode(local.postcfg_all_labels)}
 namespace: ${var.namespace}
 data:
- back_entrypoint.sh: |-
+ certs.sh: |-
 #!/usr/bin/env bash
- set -euo pipefail
- python manage.py migrate
- python manage.py loaddata initial_project_templates
 if [ -f /etc/local-ca/ca.crt ];then
- cp /etc/local-ca/ca.crt /usr/local/share/ca-certificates/
- /usr/sbin/update-ca-certificates
+ export REQUESTS_CA_BUNDLE=/etc/local-ca/ca.crt
+ else
+ export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 fi
- chown -R taiga:taiga /taiga-back
- sed -i "s/taiga-events-rabbitmq/{ os.getenv('TAIGA_EVENTS_RABBITMQ_HOST') }/;s/taiga-async-rabbitmq/{ os.getenv('TAIGA_ASYNC_RABBITMQ_HOST') }/" /taiga-back/settings/config.py
- echo Starting Taiga API...
- exec gosu taiga gunicorn taiga.wsgi:application \
- --name taiga_api \
- --bind 0.0.0.0:8000 \
- --workers 3 \
- --worker-tmp-dir /dev/shm \
- --log-level=info \
- --access-logfile - \
- "$@"
- async_entrypoint.sh: |-
- #!/usr/bin/env bash
- set -euo pipefail
- chown -R taiga:taiga /taiga-back
- if [ -f /etc/local-ca/ca.crt ];then
- cp /etc/local-ca/ca.crt /usr/local/share/ca-certificates/
- /usr/sbin/update-ca-certificates
- fi
- sed -i "s/taiga-events-rabbitmq/{ os.getenv('TAIGA_EVENTS_RABBITMQ_HOST') }/;s/taiga-async-rabbitmq/{ os.getenv('TAIGA_ASYNC_RABBITMQ_HOST') }/" /taiga-back/settings/config.py
- echo Starting Celery...
- exec gosu taiga celery -A taiga.celery worker -B \
- --concurrency 4 \
- -l INFO \
- "$@"
 postconfig.py: |-
 #!/usr/bin/env python
 import time
diff --git a/apps/taiga/taiga_workload.tf b/apps/taiga/taiga_workload.tf
index 6beeffd..e941c95 100644
--- a/apps/taiga/taiga_workload.tf
+++ b/apps/taiga/taiga_workload.tf
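Review bot: When `/etc/local-ca/ca.crt` exists, `certs.sh` points `REQUESTS_CA_BUNDLE` at that single file, so the system CA bundle is no longer trusted at all and every TLS connection `requests` makes to a publicly signed endpoint (the SSO URL in `GITLAB_URL` if it is not issued by the local CA, webhooks, importers) will fail verification; the removed entrypoints appended the CA to the system store via `update-ca-certificates`, which kept both trust roots. Because the containers now run unprivileged and cannot write under `/etc/ssl`, the fix is to concatenate the system bundle and the local CA into a writable path and export that. `REQUESTS_CA_BUNDLE` is honoured only by `requests`; exporting `SSL_CERT_FILE` to the same path also covers anything that goes through Python's `ssl` module directly (SMTP over TLS, for instance) and is harmless otherwise. The script only takes effect if the image entrypoint sources `/docker-entrypoint.d/*.sh` in its own shell (an `exec`ed child would lose the `export`), which this patch cannot show — the header comment below records that assumption, and the `#!` line is then cosmetic.

```yaml
      certs.sh: |-
        #!/usr/bin/env bash
        # Expected to be *sourced* by the image entrypoint (/docker-entrypoint.d); the
        # container is unprivileged, so the local CA is appended to a copy of the
        # system bundle instead of being installed with update-ca-certificates.
        if [ -f /etc/local-ca/ca.crt ]; then
          cat /etc/ssl/certs/ca-certificates.crt /etc/local-ca/ca.crt > /tmp/ca-bundle.crt
          export REQUESTS_CA_BUNDLE=/tmp/ca-bundle.crt
        else
          export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
        fi
        # Same trust root for OpenSSL-based clients that bypass requests.
        export SSL_CERT_FILE="$REQUESTS_CA_BUNDLE"
```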
@@ -17,11 +17,12 @@ resource "kubectl_manifest" "Deployment_taiga-events" {
 metadata:
 labels: ${jsonencode(local.event_labels)}
 spec:
+ securityContext:
+ fsGroup: 99
 containers:
 - name: taiga-events
 image: "${var.images.events.registry}/${var.images.events.repository}:${var.images.events.tag}"
 imagePullPolicy: ${var.images.events.pull_policy}
- command: ["/bin/start.sh"]
 envFrom:
 - secretRef:
 name: ${kubectl_manifest.secret.name}
@@ -61,21 +62,20 @@ resource "kubectl_manifest" "Deployment_taiga-events" {
 timeoutSeconds: 1
 successThreshold: 1
 failureThreshold: 3
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsGroup: 99
+ runAsNonRoot: true
+ runAsUser: 99
+ seccompProfile:
+ type: RuntimeDefault
 volumeMounts:
 - name: files
 mountPath: /var/lib/env.template
 subPath: env.template
- - name: scripts
- mountPath: /bin/start.sh
- subPath: start.sh
 volumes:
- - name: scripts
- configMap:
- name: ${kubectl_manifest.cm_events.name}
- defaultMode: 0755
- items:
- - key: start.sh
- path: start.sh
 - name: files
 configMap:
 name: ${kubectl_manifest.cm_events.name}
@@ -105,6 +105,8 @@ resource "kubectl_manifest" "Deployment_taiga-front" {
 metadata:
 labels: ${jsonencode(local.front_labels)}
 spec:
+ securityContext:
+ fsGroup: 0
 containers:
 - name: taiga-front
 image: "${var.images.front.registry}/${var.images.front.repository}:${var.images.front.tag}"
@@ -134,6 +136,13 @@ resource "kubectl_manifest" "Deployment_taiga-front" {
 port: http
 initialDelaySeconds: 3
 periodSeconds: 3
+ securityContext:
+ allowPrivilegeEscalation: true
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
+ seccompProfile:
+ type: RuntimeDefault
 EOF
 }
@@ -155,6 +164,8 @@ resource "kubectl_manifest" "Deployment_taiga-protected" {
 metadata:
 labels: ${jsonencode(local.protected_labels)}
 spec:
+ securityContext:
+ fsGroup: 999
 containers:
 - name: taiga-protected
 image: "${var.images.protected.registry}/${var.images.protected.repository}:${var.images.protected.tag}"
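Review bot: The taiga-front container is now explicitly root (`runAsUser: 0`, `runAsNonRoot: false`) with `allowPrivilegeEscalation: true` and no `capabilities.drop`, while every other container in this patch gets the restricted-profile settings; as the container that serves the external-facing UI it is the most exposed place to leave the full default capability set. Running as root does not require `allowPrivilegeEscalation: true` — `no_new_privs` only blocks gaining privileges through setuid/file-capability binaries and does not stop a web server master from dropping to its worker user — so that line can be `false` as-is, and the capability set can be reduced to what the image actually needs (for an nginx-based image typically `CHOWN`, `SETGID`, `SETUID` and `NET_BIND_SERVICE`; I cannot see the image to confirm). If the fork can listen on an unprivileged port, switching to `runAsNonRoot: true` would bring the front in line with the other pods; either way the `fsGroup: 0` on the pod deserves a comment saying why root is still required here.

```yaml
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              # confirm against the image: usual set for a root nginx master that binds :80 and switches to its worker user
              add: ["CHOWN", "SETGID", "SETUID", "NET_BIND_SERVICE"]
            # … unchanged: runAsGroup / runAsNonRoot / runAsUser / seccompProfile …
```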
@@ -174,6 +185,15 @@ resource "kubectl_manifest" "Deployment_taiga-protected" {
 initialDelaySeconds: 10
 exec:
 command: ["/bin/sh", "-c", "pidof -x gunicorn"]
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 999
+ seccompProfile:
+ type: RuntimeDefault
 EOF
 }
@@ -196,11 +216,12 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
 metadata:
 labels: ${jsonencode(local.back_labels)}
 spec:
+ securityContext:
+ fsGroup: 999
 containers:
 - name: taiga-back
 image: "${var.images.back.registry}/${var.images.back.repository}:${var.images.back.tag}"
 imagePullPolicy: ${var.images.back.pull_policy}
- command: ["/bin/back_entrypoint.sh"]
 env:
 - name: TAIGA_EVENTS_RABBITMQ_HOST
 value: ${kubectl_manifest.rabbit.name}
@@ -241,8 +262,8 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
 containerPort: 8000
 volumeMounts:
 - name: scripts
- mountPath: /bin/back_entrypoint.sh
- subPath: back_entrypoint.sh
+ mountPath: /docker-entrypoint.d/certs.sh
+ subPath: certs.sh
 - name: data
 mountPath: /taiga-back/static
 subPath: static
@@ -270,10 +291,19 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
 timeoutSeconds: 1
 successThreshold: 1
 failureThreshold: 3
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 999
+ seccompProfile:
+ type: RuntimeDefault
 - name: taiga-async
 image: "${var.images.back.registry}/${var.images.back.repository}:${var.images.back.tag}"
 imagePullPolicy: ${var.images.back.pull_policy}
- command: ["/bin/async_entrypoint.sh"]
+ command: ["/usr/local/bin/async_entrypoint.sh"]
 env:
 - name: RABBITMQ_USER
 valueFrom:
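Review bot: The async container's entrypoint moves from the in-repo `async_entrypoint.sh` to `/usr/local/bin/async_entrypoint.sh` baked into the `sebt3/taiga-back` image, and the back container drops its `command:` altogether, so the migration/`loaddata` step, the RabbitMQ-host rewrite of `settings/config.py` and the `set -euo pipefail` guard that the removed scripts performed are no longer visible to anyone reviewing this repository. A comment on the `command:` line pointing at the fork's entrypoint source, and stating what uid 999 is in that image (presumably the `taiga` user, which `runAsUser: 999` and `fsGroup: 999` now hard-code), would keep this auditable, e.g. `# entrypoints ship in the sebt3/taiga-back image (uid 999); source: <fork repo>`. It is also worth confirming that the image-side scripts no longer `chown -R /taiga-back` as the removed ones did, since that would fail under `runAsNonRoot: true` with `drop: ["ALL"]`. The `Deployment_taiga-back` resource continues past this hunk.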
@@ -297,8 +327,8 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
 name: ${kubectl_manifest.cm_env_back.name}
 volumeMounts:
 - name: scripts
- mountPath: /bin/async_entrypoint.sh
- subPath: async_entrypoint.sh
+ mountPath: /docker-entrypoint.d/certs.sh
+ subPath: certs.sh
 - name: data
 mountPath: /taiga-back/static
 subPath: static
@@ -307,6 +337,15 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
 subPath: media
 - name: certs
 mountPath: /opt/certs
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 999
+ seccompProfile:
+ type: RuntimeDefault
 - name: nginx
 image: "${var.images.nginx.registry}/${var.images.nginx.repository}:${var.images.nginx.tag}"
 imagePullPolicy: ${var.images.nginx.pull_policy}
@@ -322,6 +361,13 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
 subPath: media
 - name: taiga-conf
 mountPath: /etc/nginx/conf.d/
+ securityContext:
+ allowPrivilegeEscalation: true
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: certs
 secret:
@@ -332,10 +378,8 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
 name: ${kubectl_manifest.cm_scripts.name}
 defaultMode: 0755
 items:
- - key: back_entrypoint.sh
- path: back_entrypoint.sh
- - key: async_entrypoint.sh
- path: async_entrypoint.sh
+ - key: certs.sh
+ path: certs.sh
 - name: data
 persistentVolumeClaim:
 claimName: ${kubectl_manifest.pvc.name}
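Review bot: The nginx sidecar in the taiga-back pod is pinned to root (`runAsUser: 0`, `runAsNonRoot: false`) with `allowPrivilegeEscalation: true` and no capability drop, even though it shares the pod — and the `data` PVC mounted under `/taiga-back/static` and `/taiga-back/media` — with the two containers this same patch locks down to uid 999 with `drop: ["ALL"]`. A compromise of the one process that parses external HTTP requests would therefore still land as uid 0 with the full default capability set, which undoes most of the hardening added here. The stock `nginx` image needs root only to bind :80 and to switch workers to its unprivileged user, both of which work under `no_new_privs`, so `allowPrivilegeEscalation: false` plus an explicit minimal capability set can be applied without touching the image; `nginxinc/nginx-unprivileged` (listening on 8080) would allow the same restricted profile as the other containers, but that changes port wiring this hunk does not show.

```yaml
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              # what the stock nginx image needs to bind :80 and switch to its worker user; trim if conf.d listens on a high port
              add: ["CHOWN", "SETGID", "SETUID", "NET_BIND_SERVICE"]
            # … unchanged: runAsGroup / runAsNonRoot / runAsUser / seccompProfile …
```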