20610: Restricts backends' HTTP access by nginx rules.

author Lucas Di Pentima <lucas.dipentima@curii.com>

Thu, 27 Jul 2023 18:39:56 +0000 (15:39 -0300)

committer Lucas Di Pentima <lucas.dipentima@curii.com>

Thu, 27 Jul 2023 18:39:56 +0000 (15:39 -0300)
author Lucas Di Pentima <lucas.dipentima@curii.com>
Thu, 27 Jul 2023 18:39:56 +0000 (15:39 -0300)
committer Lucas Di Pentima <lucas.dipentima@curii.com>
Thu, 27 Jul 2023 18:39:56 +0000 (15:39 -0300)
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls

index d87f55f4e4074ab952ba4a94ff6234c343399321..5bd67a6ce4b1b7bbeeef6dd7744f902cec85eff3 100644 (file)
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
@@ -36,8 +36,13 @@ nginx:
              - location /.well-known:
                - root: /var/www
              {%- if balanced_controller %}
+            {%- set balancer_ip = salt['cmd.run']("getent hosts __BALANCER_NODENAME__ | awk '{print $1 ; exit}'", python_shell=True) %}
+            {%- set prometheus_ip = salt['cmd.run']("getent hosts __PROMETHEUS_NODENAME__ | awk '{print $1 ; exit}'", python_shell=True) %}
              - index: index.html index.htm
              - location /:
+              - allow: {{ balancer_ip }}
+              - allow: {{ prometheus_ip }}
+              - deny: all
                - proxy_pass: 'http://controller_upstream'
                - proxy_read_timeout: 300
                - proxy_connect_timeout: 90
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh

index 78bd976e6b28e77b4b0f3c05bb703bb3a0786dae..610134cf395c5074def6b9ee919eb4b9003c5529 100755 (executable)
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -467,6 +467,7 @@ for f in $(ls "${SOURCE_PILLARS_DIR}"/*); do
         s#__DISPATCHER_SSH_PRIVKEY__#${DISPATCHER_SSH_PRIVKEY//$'\n'/\\n}#g;
         s#__ENABLE_BALANCER__#${ENABLE_BALANCER}#g;
         s#__BALANCER_NODENAME__#${ROLES['balancer']}#g;
+       s#__PROMETHEUS_NODENAME__#${ROLES['monitoring']}#g;
         s#__CONTROLLER_NODES__#${ROLES['controller']}#g;
         s#__NODELIST__#${NODELIST}#g;
         s#__DISPATCHER_INT_IP__#${DISPATCHER_INT_IP}#g;
@@ -559,6 +560,7 @@ if [ -d "${SOURCE_STATES_DIR}" ]; then
           s#__DISPATCHER_SSH_PRIVKEY__#${DISPATCHER_SSH_PRIVKEY//$'\n'/\\n}#g;
           s#__ENABLE_BALANCER__#${ENABLE_BALANCER}#g;
           s#__BALANCER_NODENAME__#${ROLES['balancer']}#g;
+         s#__PROMETHEUS_NODENAME__#${ROLES['monitoring']}#g;
           s#__CONTROLLER_NODES__#${ROLES['controller']}#g;
           s#__NODELIST__#${NODELIST}#g;
           s#__DISPATCHER_INT_IP__#${DISPATCHER_INT_IP}#g;
author	Lucas Di Pentima <lucas.dipentima@curii.com>
	Thu, 27 Jul 2023 18:39:56 +0000 (15:39 -0300)
committer	Lucas Di Pentima <lucas.dipentima@curii.com>
	Thu, 27 Jul 2023 18:39:56 +0000 (15:39 -0300)
tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls		patch \| blob \| history
tools/salt-install/provision.sh		patch \| blob \| history