Add custom modsecurity template to ingress-controller

Disable default `SecRuleEngine` configuration, allowing override via `Ingress` resource instead. Part of the work to implement https://gitlab.com/gitlab-org/gitlab/issues/8558

Add custom modsecurity template to ingress-controller
Disable default `SecRuleEngine` configuration, allowing override via `Ingress` resource instead. Part of the work to implement https://gitlab.com/gitlab-org/gitlab/issues/8558
04b4a516 · Lucas Charles · Mayra Cabrera · 0122ca3b · 04b4a516 · 04b4a516
Commit 04b4a516 authored Oct 23, 2019 by Lucas Charles Committed by Mayra Cabrera Oct 23, 2019
4 changed files
--- a/app/models/clusters/applications/ingress.rb
+++ b/app/models/clusters/applications/ingress.rb
@@ -78,12 +78,42 @@ module Clusters
          "controller" => {
            "config" => {
              "enable-modsecurity" => "true",
-              "enable-owasp-modsecurity-crs" => "true"
+              "enable-owasp-modsecurity-crs" => "true",
-            }
+              "modsecurity.conf" => modsecurity_config_content
+            },
+            "extraVolumeMounts" => [
+              {
+                "name" => "modsecurity-template-volume",
+                "mountPath" => "/etc/nginx/modsecurity/modsecurity.conf",
+                "subPath" => "modsecurity.conf"
+              }
+            ],
+            "extraVolumes" => [
+              {
+                "name" => "modsecurity-template-volume",
+                "configMap" => {
+                  "name" => "ingress-nginx-ingress-controller",
+                  "items" => [
+                    {
+                      "key" => "modsecurity.conf",
+                      "path" => "modsecurity.conf"
+                    }
+                  ]
+                }
+              }
+            ]
          }
        }
      end
+      def modsecurity_config_content
+        File.read(modsecurity_config_file_path)
+      end
+      def modsecurity_config_file_path
+        Rails.root.join('vendor', 'ingress', 'modsecurity.conf')
+      end
      def content_values
        YAML.load_file(chart_values_file).deep_merge!(specification)
      end

--- a/changelogs/unreleased/8558-use-custom-modsecurity-ingress-config.yml
+++ b/changelogs/unreleased/8558-use-custom-modsecurity-ingress-config.yml
+---
+title: Add modsecurity template for ingress-controller
+merge_request: 18485
+author:
+type: changed
--- a/spec/models/clusters/applications/ingress_spec.rb
+++ b/spec/models/clusters/applications/ingress_spec.rb
@@ -156,6 +156,15 @@ describe Clusters::Applications::Ingress do
      it 'includes modsecurity core ruleset enablement' do
        expect(subject.values).to include("enable-owasp-modsecurity-crs: 'true'")
      end
+      it 'includes modsecurity.conf content' do
+        expect(subject.values).to include('modsecurity.conf')
+        # Includes file content from Ingress#modsecurity_config_content
+        expect(subject.values).to include('SecAuditLog')
+        expect(subject.values).to include('extraVolumes')
+        expect(subject.values).to include('extraVolumeMounts')
+      end
    end
    context 'when ingress_modsecurity is disabled' do
@@ -172,6 +181,15 @@ describe Clusters::Applications::Ingress do
      it 'excludes modsecurity core ruleset enablement' do
        expect(subject.values).not_to include('enable-owasp-modsecurity-crs')
      end
+      it 'excludes modsecurity.conf content' do
+        expect(subject.values).not_to include('modsecurity.conf')
+        # Excludes file content from Ingress#modsecurity_config_content
+        expect(subject.values).not_to include('SecAuditLog')
+        expect(subject.values).not_to include('extraVolumes')
+        expect(subject.values).not_to include('extraVolumeMounts')
+      end
    end
  end
 end
--- a/vendor/ingress/modsecurity.conf
+++ b/vendor/ingress/modsecurity.conf