
[4.5.x] feat(helm): remove nginx configuration-snippet by default #10672

Merged: 1 commit merged into 4.5.x from mergify/bp/4.5.x/pr-10646 on Feb 14, 2025

@mergify mergify bot commented Feb 14, 2025

This is an automatic copy of pull request #10646 done by Mergify.


Issue

https://gravitee.atlassian.net/browse/APIM-8630
https://gravitee.atlassian.net/browse/TT-6449

Description

By default, the console, portal and the management ingress
define this nginx configuration:

nginx.ingress.kubernetes.io/configuration-snippet: "etag on;\nproxy_pass_header ETag;\n"

However, this configuration implies a security issue
as mentioned in the official documentation (CVE-2021-25742).
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#configuration-snippet

Also, this ETag configuration is not needed
for Console and Portal as the ETags are already
covered by the nginx in their respective containers
that serve static files.

Finally, for the management-api it may not be needed.
So we keep it in comment to mention that it is still an option.

So the goal here is to remove the
nginx.ingress.kubernetes.io/configuration-snippet in helm/values.yaml.

For testing, deploy your APIM and then curl console and portal:

With Etag provided by nginx ingress:

curl -I -u 'admin:admin' 'https://your.management-api.url.gravitee.dev/management/v2/environments/DEFAULT/apis/f415bb33-9282-4f7f-95bb-3392821f7f97'
HTTP/2 200
etag: "1739439486097"

curl -I 'https://your.console.url.gravitee.dev/webcomponents/webcomponents-loader.js'
HTTP/2 200
etag: "67adbfd2-1e5d"

curl -I 'https://your.portal.url.gravitee.dev/webcomponents/webcomponents-loader.js'
HTTP/2 200
etag: "67adbfd0-1911"

Without Etag from nginx but Etag from management, console or portal
itself:

curl -I -u 'admin:admin' 'https://your.management-api.url.gravitee.dev/management/v2/environments/DEFAULT/apis/f415bb33-9282-4f7f-95bb-3392821f7f97'
HTTP/2 200
etag: "1739439486097"

curl -I 'https://your.console.url.gravitee.dev/webcomponents/webcomponents-loader.js'
HTTP/2 200
etag: "67ad234b-1911"

curl -I 'https://your.portal.url.gravitee.dev/webcomponents/webcomponents-loader.js'
HTTP/2 200
etag: "67ad2357-1e5d"

With both kinds of nginx configuration to see ETag headers.


Cherry-pick of 52da33f has failed:

On branch mergify/bp/4.5.x/pr-10646
Your branch is up to date with 'origin/4.5.x'.

You are currently cherry-picking commit 52da33f3ca.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   helm/values.yaml

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   helm/CHANGELOG.md
	both modified:   helm/Chart.yaml

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally
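The two points above, the risk of `*-snippet` annotations on an ingress-nginx Ingress and the manual curl check that backends still emit their own ETag once the snippet is gone, can both be turned into a repeatable check. The following script is an added example, not code from the Gravitee project or this PR. It assumes the JSON shape of `kubectl get ingress -A -o json` (fed in here as a constructed sample rather than a live cluster) and the header format of `curl -I` output (also constructed); the namespace and Ingress names are made up. It flags every `nginx.ingress.kubernetes.io/...-snippet` annotation, which is the class of annotation behind CVE-2021-25742, and parses response headers so the "ETag still present after removal" assertion can run automatically. The controller-side counterpart is the ingress-nginx `allow-snippet-annotations` ConfigMap setting, which disables snippet annotations entirely.

```python
"""Added example (not part of the Gravitee APIM PR): detect ingress-nginx
snippet annotations and verify that backends still return an ETag."""
import json
import re

NGINX_ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
SNIPPET_SUFFIX = "-snippet"  # configuration-snippet, server-snippet, ...

# Constructed sample mimicking `kubectl get ingress -A -o json` (two Ingresses).
SAMPLE_INGRESS_LIST = json.dumps({
    "items": [
        {"metadata": {
            "name": "apim-console", "namespace": "apim",            # hypothetical
            "annotations": {
                "kubernetes.io/ingress.class": "nginx",
                NGINX_ANNOTATION_PREFIX + "configuration-snippet":
                    "etag on;\nproxy_pass_header ETag;\n"}}},
        {"metadata": {
            "name": "apim-portal", "namespace": "apim",             # hypothetical
            "annotations": {"kubernetes.io/ingress.class": "nginx"}}},
    ]
})

# Constructed `curl -I` outputs: one with an ETag, one without.
SAMPLE_HEADERS_WITH_ETAG = 'HTTP/2 200\netag: "67ad234b-1911"\ncontent-type: application/javascript\n'
SAMPLE_HEADERS_NO_ETAG = "HTTP/2 200\ncontent-type: text/html\n"


def find_snippet_annotations(ingress_list_json):
    """Return (namespace, name, annotation, value) for each snippet annotation.

    Any ingress-nginx annotation ending in '-snippet' injects raw nginx config,
    which is the capability CVE-2021-25742 is about, so each one is reported.
    """
    findings = []
    for item in json.loads(ingress_list_json).get("items", []):
        meta = item.get("metadata", {})
        for key, value in (meta.get("annotations") or {}).items():
            if key.startswith(NGINX_ANNOTATION_PREFIX) and key.endswith(SNIPPET_SUFFIX):
                findings.append((meta.get("namespace"), meta.get("name"), key, value))
    return findings


def parse_head_response(curl_head_output):
    """Parse `curl -I` text into (status_code, {lowercased header: value})."""
    status = None
    headers = {}
    for line in curl_head_output.splitlines():
        m = re.match(r"HTTP/\S+\s+(\d{3})", line)
        if m:
            status = int(m.group(1))
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def backend_sets_etag(curl_head_output):
    """True when the response is 200 and carries an ETag header.

    This is the property the PR's manual test checks after the snippet is
    removed: the ETag must come from the backend, not from the ingress.
    """
    status, headers = parse_head_response(curl_head_output)
    return status == 200 and "etag" in headers


if __name__ == "__main__":
    for ns, name, key, value in find_snippet_annotations(SAMPLE_INGRESS_LIST):
        print(f"{ns}/{name}: {key} = {value!r}")
    print("console ETag present:", backend_sets_etag(SAMPLE_HEADERS_WITH_ETAG))
```

In practice the JSON would come from `kubectl get ingress -A -o json` and the header text from the `curl -I` commands listed in the description; a non-empty result from `find_snippet_annotations` after the upgrade means a values override is still injecting the snippet.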

@mergify mergify bot requested a review from a team as a code owner February 14, 2025 13:56
@mergify mergify bot added the conflicts label Feb 14, 2025

@phiz71 phiz71 force-pushed the mergify/bp/4.5.x/pr-10646 branch from 82309ef to 4be37c7 Compare February 14, 2025 15:31
@phiz71 phiz71 removed the conflicts label Feb 14, 2025
@passionne passionne enabled auto-merge (rebase) February 14, 2025 15:34
By default, the console, portal and the management ingress
define this nginx configuration:

----
nginx.ingress.kubernetes.io/configuration-snippet: "etag on;\nproxy_pass_header ETag;\n"
----

However, this configuration implies a security issue
as mentioned in the official documentation (CVE-2021-25742).
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#configuration-snippet

Also, this ETag configuration is not needed
for Console and Portal as the ETags are already
covered by the nginx in their respective containers
that serve static files.

Finally, for the management-api it may not be needed.
So we keep it in comment to mention that it is still an option.

So the goal here is to remove the
`nginx.ingress.kubernetes.io/configuration-snippet` in `helm/values.yaml`.

For testing, deploy your APIM and then curl console and portal:

With Etag provided by nginx ingress:
----
curl -I -u 'admin:admin' 'https://your.management-api.url.gravitee.dev/management/v2/environments/DEFAULT/apis/f415bb33-9282-4f7f-95bb-3392821f7f97'
HTTP/2 200
etag: "1739439486097"

curl -I 'https://your.console.url.gravitee.dev/webcomponents/webcomponents-loader.js'
HTTP/2 200
etag: "67adbfd2-1e5d"

curl -I 'https://your.portal.url.gravitee.dev/webcomponents/webcomponents-loader.js'
HTTP/2 200
etag: "67adbfd0-1911"
----

Without Etag from nginx but Etag from management, console or portal
itself:
----
curl -I -u 'admin:admin' 'https://your.management-api.url.gravitee.dev/management/v2/environments/DEFAULT/apis/f415bb33-9282-4f7f-95bb-3392821f7f97'
HTTP/2 200
etag: "1739439486097"

curl -I 'https://your.console.url.gravitee.dev/webcomponents/webcomponents-loader.js'
HTTP/2 200
etag: "67ad234b-1911"

curl -I 'https://your.portal.url.gravitee.dev/webcomponents/webcomponents-loader.js'
HTTP/2 200
etag: "67ad2357-1e5d"
----

With both kinds of nginx configuration to see ETag headers.

APIM-8630
TT-6449

(cherry picked from commit 52da33f)
@passionne passionne force-pushed the mergify/bp/4.5.x/pr-10646 branch from 4be37c7 to 31e1fbf Compare February 14, 2025 15:51
@passionne passionne merged commit c3c9edd into 4.5.x Feb 14, 2025
4 of 5 checks passed
@passionne passionne deleted the mergify/bp/4.5.x/pr-10646 branch February 14, 2025 15:53