Merge pull request #29 from wenzel-felix/feature/ingresswaf

Feature/ingresswaf
wenzel-felix · Jul 13, 2023 · 3ef94b7 · 3ef94b7
2 parents d14f34f + 4d8774b
commit 3ef94b7
Show file tree

Hide file tree

Showing 10 changed files with 77 additions and 4 deletions.
diff --git a/cluster-certmanager.tf b/cluster-certmanager.tf
@@ -4,6 +4,12 @@ resource "kubernetes_namespace" "cert_manager" {
   metadata {
     name = "cert-manager"
   }
+
+  lifecycle {
+    ignore_changes = [
+      metadata[0].annotations,
+    ]
+  }
 }
 
 resource "kubernetes_secret" "cert_manager" {
@@ -17,6 +23,12 @@ resource "kubernetes_secret" "cert_manager" {
   data = {
     api-token   = var.cloudflare_token
   }
+
+  lifecycle {
+    ignore_changes = [
+      metadata[0].annotations,
+    ]
+  }
 }
 
 resource "helm_release" "cert_manager" {

diff --git a/cluster-hccm.tf b/cluster-hccm.tf
@@ -10,6 +10,12 @@ resource "kubernetes_secret" "hcloud_ccm" {
     token   = var.hetzner_token
     network = "${hcloud_network.main.name}"
   }
+
+  lifecycle {
+    ignore_changes = [
+      metadata[0].annotations,
+    ]
+  }
 }
 
 resource "helm_release" "hccm" {

diff --git a/cluster-ingresscontroller.tf b/cluster-ingresscontroller.tf
@@ -0,0 +1,5 @@
+resource "kubectl_manifest" "ingress_configuration" {
+  depends_on = [ hcloud_load_balancer_service.management_lb_k8s_service ]
+  count = var.enable_nginx_modsecurity_waf ? 1 : 0
+    yaml_body = file("${path.module}/templates/values/ingress_controller.yaml")
+}
diff --git a/cluster-monitoring.tf b/cluster-monitoring.tf
@@ -4,6 +4,12 @@ resource "kubernetes_namespace" "monitoring" {
   metadata {
     name = "monitoring"
   }
+
+  lifecycle {
+    ignore_changes = [
+      metadata[0].annotations,
+    ]
+  }
 }
 
 resource "helm_release" "prom_stack" {
@@ -91,6 +97,12 @@ resource "kubernetes_ingress_v1" "monitoring_ingress" {
       secret_name = "monitoring-tls"
     }
   }
+
+  lifecycle {
+    ignore_changes = [
+      metadata[0].annotations,
+    ]
+  }
 }
 
 resource "kubernetes_config_map_v1" "dashboard" {
@@ -108,4 +120,10 @@ resource "kubernetes_config_map_v1" "dashboard" {
   data = {
     "dashboard.json" = file("${path.module}/templates/misc/grafana-dashboard.json")
   }
+
+  lifecycle {
+    ignore_changes = [
+      metadata[0].annotations,
+    ]
+  }
 }
diff --git a/cluster-selfmaintenance.tf b/cluster-selfmaintenance.tf
@@ -4,6 +4,12 @@ resource "kubernetes_namespace" "kured" {
   metadata {
     name = "kured"
   }
+
+  lifecycle {
+    ignore_changes = [
+      metadata[0].annotations,
+    ]
+  }
 }
 
 resource "helm_release" "kured" {

diff --git a/cluster-servicemesh.tf b/cluster-servicemesh.tf
@@ -4,6 +4,12 @@ resource "kubernetes_namespace" "istio_system" {
   metadata {
     name = "istio-system"
   }
+
+  lifecycle {
+    ignore_changes = [
+      metadata[0].annotations,
+    ]
+  }
 }
 
 resource "helm_release" "istio_base" {

diff --git a/examples/simple-setup/main.tf b/examples/simple-setup/main.tf
@@ -17,6 +17,7 @@ module "rke2" {
   cloudflare_domain                    = var.cloudflare_domain
   letsencrypt_issuer                   = var.letsencrypt_issuer
   use_cluster_managed_tls_certificates = true
+  enable_nginx_modsecurity_waf         = true
 }
 
 resource "local_file" "name" {

diff --git a/locals.tf b/locals.tf
@@ -5,11 +5,11 @@ locals {
   client_cert                  = data.remote_file.kubeconfig.content == "" ? "" : base64decode(yamldecode(data.remote_file.kubeconfig.content).users[0].user.client-certificate-data)
   cluster_host                 = "https://${hcloud_load_balancer.management_lb.ipv4}:6443"
   kube_config                  = replace(data.remote_file.kubeconfig.content, "https://127.0.0.1:6443", local.cluster_host)
-  
+
   istio_charts_url = "https://istio-release.storage.googleapis.com/charts"
-  istio_values = var.cluster_configuration.preinstall_tracing_stack ? [file("${path.module}/templates/values/istiod.yaml")] : []
+  istio_values     = var.cluster_configuration.preinstall_tracing_stack ? [file("${path.module}/templates/values/istiod.yaml")] : []
 
   is_ha_cluster = var.master_node_count >= 3
-  
+
   system_upgrade_controller_components = split("---", data.http.system_upgrade_controller.response_body)
-}
+}
diff --git a/templates/values/ingress_controller.yaml b/templates/values/ingress_controller.yaml
@@ -0,0 +1,13 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+  name: rke2-ingress-nginx
+  namespace: kube-system
+spec:
+  valuesContent: |-
+    controller:
+      config:
+        enable-modsecurity: "true"
+        enable-owasp-modsecurity-crs: "true"
+        modsecurity-snippet: |-
+          SecRuleEngine On
diff --git a/variables.tf b/variables.tf
@@ -90,6 +90,12 @@ variable "cluster_configuration" {
   }
 }
 
+variable "enable_nginx_modsecurity_waf" {
+  type        = bool
+  default     = false
+  description = "Defines whether the nginx modsecurity waf should be enabled."
+}
+
 variable "expose_kubernetes_metrics" {
   type        = bool
   default     = false