-
Notifications
You must be signed in to change notification settings - Fork 9.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[bitnami/wordpress] Add secondary ingress to Wordpress for /wp-admin #24311
Conversation
Thank you for initiating this pull request. We appreciate your effort. Just a friendly reminder that it's important to sign your commits. Adding your signature certifies that you either authored the patch or have the necessary rights to contribute the changes. You can find detailed information on how to do this in the “Sign your work” section of our contributing guidelines. Feel free to reach out if you have any questions or need assistance with the signing process. Apart from that, please note there are some issues related to the metadata that should appear in the values.yaml to properly generate the table in the README describing the different configuration parameters:
|
b425189
to
bd4e1e9
Compare
Thanks, I've fixed the comments in |
Hey, could I get some help merging this please? It's all good from my side but I'm not sure what the procedure is. Thanks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left some minor review comments, thank you very much for your contribution!!
But before we continue with the review process and merge of this PR, I think we should check if the proposed implementation fits in the use case you described, for example restrict the allowed IPs with access to /wp-admin
.
What would be the values a user would pass to the Helm chart installation to achieve that?
Wouldn't the main ingress still serve /wp-admin
anyways?
Please, let's clarify that. Thank you again for your contribution!
Hi @andresbono. I'll have a look at your review comments next, but to answer your question about use case examples: The main ingressYes, this will require user action to prevent exposing ingress:
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
server_tokens off;
location /wp-admin {
deny all;
return 403;
} The secondary ingressAnnotations can be used to secure the secondary ingress for To restrict to a whitelist of IPs: ingress:
annotations:
nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/24" To apply basic auth from a secret: ingress:
annotations:
nginx.ingress.kubernetes.io/auth-type: basic
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo' To apply auth via oauth2-proxy (e.g. to GitHub or social login): ingress:
annotations:
nginx.ingress.kubernetes.io/auth-url: "https://auth.example.com/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://auth.example.com/oauth2/start?rd=https%3A%2F%2F$host$request_uri" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thank you for addressing the issues and explaining the use case where this secondary ingress would be of help.
Please, check the DCO action details. There are a couple of commits with missing sign-off. In that page you have instructions to fix it. Let us know if you need help. |
* [bitnami/gitea] Release 2.0.1 updating components versions Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> --------- Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
* [bitnami/grafana-mimir] Release 1.0.1 updating components versions Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> --------- Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
* [bitnami/etcd] Release 10.0.2 updating components versions Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> --------- Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
* [bitnami/grafana-operator] Release 4.0.1 updating components versions Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> --------- Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
* [bitnami/kiam] Release 2.0.1 updating components versions Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> --------- Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…ami#24876) * [bitnami/matomo] Improve Cypress stability and update resources Signed-off-by: Fran de Paz <fran.de-paz@broadcom.com> * Fix syintax Signed-off-by: Fran de Paz <fran.de-paz@broadcom.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> --------- Signed-off-by: Fran de Paz <fran.de-paz@broadcom.com> Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
* [bitnami/discourse] feat!: 🔒 💥 Improve security defaults Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: 🐛 Set proper add capabilities Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: 🐛 Set proper add capabilities Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: 🐛 Set proper capability name Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: 🐛 Change CHROOT to SYS_CHROOT Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * chore: 🔧 Bump resource preset Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * chore: 🔧 Bump platform size Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * chore: 🔧 Increase resource preset to xlarge Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * Update networkpolicy.yaml Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com> --------- Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com> Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
* Update statefulset.yaml fix bug 24545 Signed-off-by: lkad <eloony@163.com> * Update statefulset.yaml Signed-off-by: lkad <eloony@163.com> * Update Chart.yaml Signed-off-by: lkad <eloony@163.com> --------- Signed-off-by: lkad <eloony@163.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…ent spec (bitnami#25113) Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…nd fix headless service (bitnami#25110) Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…pec (bitnami#25097) * [bitnami/grafana-tempo] fix: 🐛 🔒 Expose missing ports in deployment spec Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: 🐛 Remove query-frontend from gossip Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> --------- Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…#24932) * [bitnami/discourse] fix: 🐛 Remove incorrect CHMOD capability Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * chore: 🔧 Bump version Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> --------- Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com> Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…o generate mTLS certs (bitnami#25172) Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…i#25076) Signed-off-by: François Blondel <francois.blondel@diva-e.com> Co-authored-by: François Blondel <francois.blondel@diva-e.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…i#25178) Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…r consul data (bitnami#25023) * Updated consul chart to address empty dir Signed-off-by: Evan Stork <estork@live.com> * Added emptry dir to work with read only file system Signed-off-by: Evan Stork <estork@live.com> * Updated for read only Signed-off-by: Evan Stork <estork@live.com> --------- Signed-off-by: Evan Stork <estork@live.com> Signed-off-by: Fran Mulero <fmulero@vmware.com> Co-authored-by: Fran Mulero <fmulero@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…i#25185) Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
* [bitnami/kong] Release 12.0.3 updating components versions Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Update CRDs automatically Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> --------- Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…5186) Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…mi#25187) Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…i#25190) Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…i#25193) Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…ami#25194) Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…mi#25197) Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
…25196) Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
d01d80d
to
8ca9d2e
Compare
Argh, I followed the instructions in https://github.com/bitnami/charts/pull/24311/checks?check_run_id=23918274064 and it has pulled in loads of commits. I'm probably going to have to make a new branch and cherry-pick my handful of commits into it. |
Signed-off-by: Andrés Bono <andresbono@vmware.com>
Signed-off-by: Andrés Bono <andresbono@vmware.com>
I think it should be good now |
Merged now, thank you! |
Description of the change
This change adds a secondary Ingress to the Wordpress helm chart. The intention is that a secondary Ingress may be used to serve the
/wp-admin
endpoint and add Ingress annotations for authentication, IP restriction, etc. Annotations are per-ingress, not per-path so a separate Ingress is necessary. There is some relevant discussion on #17007.Benefits
This change allows increased security by allowing the user to protect the
/wp-admin
management endpoint and keeping it separate from the public-facing Wordpress site.Possible drawbacks
Ideally we would implement an arbitrary number of Ingresses, as in bjw-s/common. However this would be a breaking change for every chart that uses
bitnami/common
. As a compromise, we add this secondary Ingress.There may also be a smarter way to handle
/wp-admin
by creating Ingress resources with the paths already filled in.Applicable issues
Checklist
Chart.yaml
according to semver. This is not necessary when the changes only affect README.md files.README.md
using readme-generator-for-helmI'll see if I can figure out the readme generator and the signing later. For now I wanted to create this PR to start a discussion about it.