
expand error (!) in a config block - can't process "://"? #973

Closed
ghost opened this issue Nov 16, 2019 · 2 comments · Fixed by #974

ghost commented Nov 16, 2019

I ship an nginx config in a config block, and it trips up helmfile, but is ok with helm (and k8s) itself.

The offender seems to be

return 301 $scheme://$host:$server_port/remote.php/dav;

repositories:
# Stable repo of official helm charts
- name: "movi"
  url: "https://inzmovi.gitlab.io/helm-charts"

releases:
- name: "nextcloud"
  namespace: "nextcloud"
  chart: "movi/nextcloud"
  version: "1.8.2"
  wait: false
  values:
    - nginx:
        enabled: true
        config:
          default: true
          custom: |-
            worker_processes auto;

            error_log  /var/log/nginx/error.log warn;
            pid        /var/run/nginx.pid;

            events {
                worker_connections  1024;
            }

            http {
                include       /etc/nginx/mime.types;
                default_type  application/octet-stream;

                log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                                  '$status $body_bytes_sent "$http_referer" '
                                  '"$http_user_agent" "$http_x_forwarded_for"';

                access_log  /var/log/nginx/access.log  main;

                sendfile        on;
                #tcp_nopush     on;

                keepalive_timeout  65;

                #gzip  on;

                upstream php-handler {
                    server 127.0.0.1:9000;
                }

                server {
                    listen 80;

                    # set max upload size
                    client_max_body_size 10G;
                    fastcgi_buffers 64 8K;
                    # Add headers to serve security related headers
                    # Before enabling Strict-Transport-Security headers please read into this
                    # topic first.
                    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

                    #
                    # WARNING: Only add the preload option once you read about
                    # the consequences in https://hstspreload.org/. This option
                    # will add the domain to a hardcoded list that is shipped
                    # in all major browsers and getting removed from this list
                    # could take several months.
                    add_header Referrer-Policy "no-referrer" always;
                    add_header X-Content-Type-Options "nosniff" always;
                    add_header X-Download-Options "noopen" always;
                    add_header X-Frame-Options "SAMEORIGIN" always;
                    add_header X-Permitted-Cross-Domain-Policies "none" always;
                    add_header X-Robots-Tag "none" always;
                    add_header X-XSS-Protection "1; mode=block" always;

                    # Remove X-Powered-By, which is an information leak
                    fastcgi_hide_header X-Powered-By;

                    # Path to the root of your installation
                    root /var/www/html;

                    location = /robots.txt {
                        allow all;
                        log_not_found off;
                        access_log off;
                    }

                    # The following 2 rules are only needed for the user_webfinger app.
                    # Uncomment it if you're planning to use this app.
                    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
                    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

                    # The following rule is only needed for the Social app.
                    # Uncomment it if you're planning to use this app.
                    #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

                    location = /.well-known/carddav {
                        return 301 $scheme://$host:$server_port/remote.php/dav;
                    }

                    location = /.well-known/caldav {
                        return 301 $scheme://$host:$server_port/remote.php/dav;
                    }

                    # Enable gzip but do not remove ETag headers
                    gzip on;
                    gzip_vary on;
                    gzip_comp_level 4;
                    gzip_min_length 256;
                    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
                    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

                    # Uncomment if your server is build with the ngx_pagespeed module
                    # This module is currently not supported.
                    #pagespeed off;

                    location / {
                        rewrite ^ /index.php;
                    }

                    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
                        deny all;
                    }

                    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
                        deny all;
                    }

                    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
                        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
                        set $path_info $fastcgi_path_info;
                        try_files $fastcgi_script_name =404;
                        include fastcgi_params;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        fastcgi_param PATH_INFO $path_info;
                        # fastcgi_param HTTPS on;
                        # Avoid sending the security headers twice
                        fastcgi_param modHeadersAvailable true;
                        # Enable pretty urls
                        fastcgi_param front_controller_active true;
                        fastcgi_pass php-handler;
                        fastcgi_intercept_errors on;
                        fastcgi_request_buffering off;
                    }

                    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
                        try_files $uri/ =404;
                        index index.php;
                    }

                    # Adding the cache control header for js, css and map files
                    # Make sure it is BELOW the PHP block
                    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
                        try_files $uri /index.php$request_uri;
                        add_header Cache-Control "public, max-age=15778463";
                        # Add headers to serve security related headers (It is intended to
                        # have those duplicated to the ones above)
                        # Before enabling Strict-Transport-Security headers please read into
                        # this topic first.
                        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
                        #
                        # WARNING: Only add the preload option once you read about
                        # the consequences in https://hstspreload.org/. This option
                        # will add the domain to a hardcoded list that is shipped
                        # in all major browsers and getting removed from this list
                        # could take several months.
                        add_header Referrer-Policy "no-referrer" always;
                        add_header X-Content-Type-Options "nosniff" always;
                        add_header X-Download-Options "noopen" always;
                        add_header X-Frame-Options "SAMEORIGIN" always;
                        add_header X-Permitted-Cross-Domain-Policies "none" always;
                        add_header X-Robots-Tag "none" always;
                        add_header X-XSS-Protection "1; mode=block" always;

                        # Optional: Don't log access to assets
                        access_log off;
                    }

                    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
                        try_files $uri /index.php$request_uri;
                        # Optional: Don't log access to other assets
                        access_log off;
                    }
                }
            }
mumoshu added a commit that referenced this issue Nov 17, 2019
Those are not actually random but would have looked like so. We use an external go pkg `variantdev/vals` to expand urls like `ref+vault://foo/bar` contained in release values into their respective secret values.

There was a bug in `vals` that it tries to expand unintended types of strings which resulted in confusing errors like reported in #973.

`vals` fixed the issue in helmfile/vals@ba4c7a2. This commit upgrades `vals` to accommodate that.

Fixes #973
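The root cause the commit describes, as an added example that is not part of helmfile or vals: a values expander that only treats a string as a secret reference when it carries an explicit ref+<backend>:// marker, shown beside the over-eager "anything containing ://" heuristic that would flag the nginx line from the report. The ref grammar (including the "#/key" fragment), the backend allowlist, and the in-memory resolver are assumptions of this example, not the real library's API.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// refPattern accepts only strings explicitly marked as secret references,
// e.g. "ref+vault://secret/data/nextcloud#/db_password". The "ref+<backend>://"
// shape follows the "ref+vault://foo/bar" form named in the commit message;
// the exact grammar (and the "#/key" fragment) is an assumption of this example.
var refPattern = regexp.MustCompile(`^ref\+([a-z0-9]+)://(.+)$`)

// knownBackends is an illustrative allowlist chosen for this example.
var knownBackends = map[string]bool{"vault": true, "awssecrets": true, "sops": true}

// Resolver fetches the secret stored at path in the given backend.
type Resolver func(backend, path string) (string, error)

// NaiveIsRef is the over-eager heuristic the thread describes: any string
// containing "://" is treated as something to expand. nginx's
// "$scheme://$host" trips it, as does any URL quoted inside a config file.
func NaiveIsRef(s string) bool {
	return strings.Contains(s, "://")
}

// IsRef is the strict check: the value must carry the explicit "ref+" marker.
func IsRef(s string) bool {
	return refPattern.MatchString(s)
}

// Expand walks a decoded YAML/JSON values tree (map[string]interface{} /
// []interface{} / scalars) and replaces strict refs with the resolved secret.
// Every other string passes through byte-for-byte, so an opaque blob such as
// an nginx.conf is never touched. A string that carries the "ref+" marker but
// names an unknown backend is an error rather than a silent pass-through, so
// a literal "ref+..." can never end up deployed as the "secret".
func Expand(v interface{}, resolve Resolver) (interface{}, error) {
	switch x := v.(type) {
	case string:
		m := refPattern.FindStringSubmatch(x)
		if m == nil {
			return x, nil
		}
		backend, path := m[1], m[2]
		if !knownBackends[backend] {
			return nil, fmt.Errorf("unsupported secret backend %q in %q", backend, x)
		}
		return resolve(backend, path)
	case map[string]interface{}:
		out := make(map[string]interface{}, len(x))
		for k, val := range x {
			e, err := Expand(val, resolve)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", k, err)
			}
			out[k] = e
		}
		return out, nil
	case []interface{}:
		out := make([]interface{}, len(x))
		for i, val := range x {
			e, err := Expand(val, resolve)
			if err != nil {
				return nil, fmt.Errorf("[%d]: %w", i, err)
			}
			out[i] = e
		}
		return out, nil
	default: // numbers, bools, nil
		return v, nil
	}
}

// fakeResolver is a constructed in-memory backend so the example runs offline.
func fakeResolver(backend, path string) (string, error) {
	store := map[string]string{
		"vault:secret/data/nextcloud#/db_password": "s3cr3t-from-vault",
	}
	if v, ok := store[backend+":"+path]; ok {
		return v, nil
	}
	return "", fmt.Errorf("%s: no secret at %q", backend, path)
}

// NginxSnippet is the line from the report that produced the confusing error.
const NginxSnippet = "return 301 $scheme://$host:$server_port/remote.php/dav;"

func main() {
	values := map[string]interface{}{
		"nginx": map[string]interface{}{"custom": NginxSnippet},
		"db":    map[string]interface{}{"password": "ref+vault://secret/data/nextcloud#/db_password"},
	}
	fmt.Printf("naive heuristic flags nginx line: %v\n", NaiveIsRef(NginxSnippet))
	fmt.Printf("strict check flags nginx line:    %v\n", IsRef(NginxSnippet))
	out, err := Expand(values, fakeResolver)
	if err != nil {
		fmt.Println("expand failed:", err)
		return
	}
	fmt.Printf("expanded: %v\n", out)
}
```

The practical point is the size of the expansion surface: a matcher keyed on "://" turns every URL, redirect target or nginx variable in a values file into an attempted secret-backend lookup, which at best fails confusingly and at worst resolves something the author never intended. Requiring an explicit marker plus a backend allowlist confines expansion to values the author opted into, and failing hard on an unknown backend keeps a mistyped reference from shipping as a literal string.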
mumoshu added the bug label Nov 17, 2019
mumoshu commented Nov 17, 2019

@elfhack Thanks a lot for your detailed report!

This must be a regression since #906, which is now fixed via #974.

I've just released v0.92.1 for that. Would you mind trying again?

ghost commented Nov 17, 2019

@mumoshu Yes, this fixes it :) Thank you!
However, just today helm 3 got released on homebrew, and it seems helmfile is now incompatible. I'll file another issue.
