From 494c9201fff1daf5b0f9728a53fe3b891db23a77 Mon Sep 17 00:00:00 2001
From: Kyle Lape
Date: Wed, 17 Apr 2024 12:59:24 -0500
Subject: [PATCH] Remove proxy settings from fleetshard-sync

---
 .../data/tenant-resources/config/squid.conf | 59 ---------
 .../templates/egress-proxy.yaml | 120 ------------------
 .../charts/data/tenant-resources/values.yaml | 9 --
 fleetshard/pkg/central/reconciler/proxy.go | 55 --------
 .../pkg/central/reconciler/proxy_test.go | 119 -----------------
 .../pkg/central/reconciler/reconciler.go | 16 ---
 6 files changed, 378 deletions(-)
 delete mode 100644 fleetshard/pkg/central/charts/data/tenant-resources/config/squid.conf
 delete mode 100644 fleetshard/pkg/central/charts/data/tenant-resources/templates/egress-proxy.yaml
 delete mode 100644 fleetshard/pkg/central/reconciler/proxy.go
 delete mode 100644 fleetshard/pkg/central/reconciler/proxy_test.go

diff --git a/fleetshard/pkg/central/charts/data/tenant-resources/config/squid.conf b/fleetshard/pkg/central/charts/data/tenant-resources/config/squid.conf
deleted file mode 100644
index cc0cf72cf6..0000000000
--- a/fleetshard/pkg/central/charts/data/tenant-resources/config/squid.conf
+++ /dev/null
@@ -1,59 +0,0 @@
-# Squid proxy configuration
-#
-# This file configures Squid as an egress proxy that
-# (a) only accepts traffic from the local network
-# (b) does not allow outgoing traffic to the local network (but to all other destinations)
-
-acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
-acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
-acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
-acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
-acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
-acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
-acl localnet src fc00::/7 # RFC 4193 local private network range
-acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
-
-acl to_localnet dst 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
-acl to_localnet dst 10.0.0.0/8 # RFC 1918 local private network (LAN)
-acl to_localnet dst 100.64.0.0/10 # RFC 6598 shared address space (CGN)
-acl to_localnet dst 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
-acl to_localnet dst 172.16.0.0/12 # RFC 1918 local private network (LAN)
-acl to_localnet dst 192.168.0.0/16 # RFC 1918 local private network (LAN)
-acl to_localnet dst fc00::/7 # RFC 4193 local private network range
-acl to_localnet dst fe80::/10 # RFC 4291 link-local (directly plugged) machines
-
-acl CONNECT method CONNECT
-
-# Forbid all access to localhost and local networks, either directly or via CONNECT
-http_access deny to_localnet
-http_access deny to_localhost
-http_access deny CONNECT to_localnet
-http_access deny CONNECT to_localhost
-
-# Only allow cachemgr access from localhost
-http_access allow localhost manager
-http_access deny manager
-
-# Allow access from the lcoal network
-http_access allow localnet
-http_access allow localhost
-
-# Allow access to non-local destinations
-http_access allow !to_localnet
-http_access allow !to_localhost
-http_access allow CONNECT !to_localnet
-http_access allow CONNECT !to_localhost
-
-# Catch-all rule for anything else
-http_access deny all
-
-# Serve on standard port 3128
-http_port 3128
-
-# Disable caching and most logging
-cache deny all
-cache_log /dev/null
-access_log none all
-debug_options ALL,0
-pid_filename none
-shutdown_lifetime 0
diff --git a/fleetshard/pkg/central/charts/data/tenant-resources/templates/egress-proxy.yaml b/fleetshard/pkg/central/charts/data/tenant-resources/templates/egress-proxy.yaml
deleted file mode 100644
index b244f257fa..0000000000
--- a/fleetshard/pkg/central/charts/data/tenant-resources/templates/egress-proxy.yaml
+++ /dev/null
@@ -1,120 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: egress-proxy-config
- labels:
- app.kubernetes.io/component: egress-proxy
- {{- include "labels" . | nindent 4 }}
- annotations:
- {{- include "annotations" . | nindent 4 }}
-data:
- squid.conf: |
- {{- .Files.Get "config/squid.conf" | nindent 4 }}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: egress-proxy
- labels:
- app.kubernetes.io/component: egress-proxy
- {{- include "labels" . | nindent 4 }}
- annotations:
- {{- include "annotations" . | nindent 4 }}
-spec:
- replicas: {{ .Values.egressProxy.replicas }}
- selector:
- matchLabels:
- app.kubernetes.io/component: egress-proxy
- template:
- metadata:
- labels:
- app.kubernetes.io/component: egress-proxy
- annotations:
- config-hash: {{ .Files.Get "config/squid.conf" | sha256sum | quote }}
- spec:
- automountServiceAccountToken: false
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - podAffinityTerm:
- topologyKey: "kubernetes.io/hostname"
- labelSelector:
- matchLabels:
- app.kubernetes.io/component: egress-proxy
- weight: 100
- containers:
- - name: egress-proxy
- imagePullPolicy: Always
- image: {{ .Values.egressProxy.image }}
- command:
- - "squid"
- - "-N"
- - "-f"
- - "/etc/squid/squid.conf"
- ports:
- - containerPort: 3128
- protocol: TCP
- name: egress-proxy
- volumeMounts:
- - name: config-volume
- mountPath: /etc/squid/squid.conf
- subPath: squid.conf
- readOnly: true
- {{ if .Values.egressProxy.resources }}
- resources: {{ toYaml .Values.egressProxy.resources | nindent 10 }}
- {{- end }}
- volumes:
- - name: config-volume
- configMap:
- name: egress-proxy-config
----
-apiVersion: v1
-kind: Service
-metadata:
- name: egress-proxy
- labels:
- app.kubernetes.io/component: egress-proxy
- {{- include "labels" . | nindent 4 }}
- annotations:
- {{- include "annotations" . | nindent 4 }}
-spec:
- selector:
- app.kubernetes.io/component: egress-proxy
- ports:
- - port: 3128
- protocol: TCP
- targetPort: 3128
- type: ClusterIP
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: egress-proxy
- labels:
- app.kubernetes.io/component: egress-proxy
- {{- include "labels" . | nindent 4 }}
- annotations:
- {{- include "annotations" . | nindent 4 }}
-spec:
- policyTypes:
- - Ingress
- podSelector:
- matchLabels:
- app.kubernetes.io/component: egress-proxy
- ingress:
- - from:
- - podSelector:
- matchLabels:
- app: central
- - podSelector:
- matchLabels:
- app: scanner
- - podSelector:
- matchLabels:
- app: scanner-v4-matcher
- - podSelector:
- matchLabels:
- app: scanner-v4-indexer
- ports:
- - port: 3128
- protocol: TCP
diff --git a/fleetshard/pkg/central/charts/data/tenant-resources/values.yaml b/fleetshard/pkg/central/charts/data/tenant-resources/values.yaml
index 227808b045..21f9225b0d 100644
--- a/fleetshard/pkg/central/charts/data/tenant-resources/values.yaml
+++ b/fleetshard/pkg/central/charts/data/tenant-resources/values.yaml
@@ -1,12 +1,3 @@
-egressProxy:
- image: ubuntu/squid:5.2-22.04_beta
- replicas: 2
- resources:
- requests:
- cpu: 100m
- memory: 275Mi
- limits:
- memory: 275Mi
 labels: {}
 annotations: {}
 secureTenantNetwork: false
diff --git a/fleetshard/pkg/central/reconciler/proxy.go b/fleetshard/pkg/central/reconciler/proxy.go
deleted file mode 100644
index 7832c5b041..0000000000
--- a/fleetshard/pkg/central/reconciler/proxy.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package reconciler
-
-import (
- "fmt"
- "net/url"
- "sort"
- "strings"
-
- corev1 "k8s.io/api/core/v1"
-)
-
-func getProxyEnvVars(namespace string, additionalNoProxyTargets ...url.URL) []corev1.EnvVar {
- var envVars []corev1.EnvVar
- proxyURL := fmt.Sprintf("http://egress-proxy.%s.svc:3128", namespace)
- // Use both upper- and lowercase env var names for maximum compatibility.
- for _, envVarName := range []string{"http_proxy", "HTTP_PROXY", "https_proxy", "HTTPS_PROXY", "all_proxy", "ALL_PROXY"} {
- envVars = append(envVars, corev1.EnvVar{
- Name: envVarName,
- Value: proxyURL,
- })
- }
-
- directServicesAndPorts := map[string][]int{
- "central": {443},
- "scanner": {8080, 8443},
- "scanner-db": {5432},
- "scanner-v4-db": {5432},
- "scanner-v4-indexer": {8443},
- "scanner-v4-matcher": {8443},
- }
- var noProxyTargets []string
- for svcName, ports := range directServicesAndPorts {
- for _, port := range ports {
- noProxyTargets = append(noProxyTargets,
- fmt.Sprintf("%s:%d", svcName, port),
- fmt.Sprintf("%s.%s:%d", svcName, namespace, port),
- fmt.Sprintf("%s.%s.svc:%d", svcName, namespace, port),
- )
- }
- }
- for _, noProxyURL := range additionalNoProxyTargets {
- noProxyEndPoint := fmt.Sprintf("%s:%s", noProxyURL.Hostname(), noProxyURL.Port())
- noProxyTargets = append(noProxyTargets, noProxyEndPoint)
- }
- sort.Strings(noProxyTargets) // ensure deterministic output
- noProxyStr := strings.Join(noProxyTargets, ",")
- for _, envVarName := range []string{"no_proxy", "NO_PROXY"} {
- envVars = append(envVars, corev1.EnvVar{
- Name: envVarName,
- Value: noProxyStr,
- })
- }
-
- return envVars
-}
diff --git a/fleetshard/pkg/central/reconciler/proxy_test.go b/fleetshard/pkg/central/reconciler/proxy_test.go
deleted file mode 100644
index 24d24ad3a6..0000000000
--- a/fleetshard/pkg/central/reconciler/proxy_test.go
+++ /dev/null
@@ -1,119 +0,0 @@
-package reconciler
-
-import (
- "net/url"
- "testing"
-
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- "golang.org/x/net/http/httpproxy"
-)
-
-const testNS = `acscs-01`
-
-func testProxyConfiguration(t *testing.T, noProxyURLs []string, proxiedURLs []string) {
- proxyFunc := httpproxy.FromEnvironment().ProxyFunc()
-
- for _, u := range noProxyURLs {
- parsedURL, err := url.Parse(u)
- require.NoError(t, err)
-
- proxyURL, err := proxyFunc(parsedURL)
- require.NoError(t, err)
- assert.Nilf(t, proxyURL, "expected URL %s to not be proxied, got: %s", u, proxyURL)
- }
-
- const expectedProxyURL = "http://egress-proxy.acscs-01.svc:3128"
-
- for _, u := range proxiedURLs {
- parsedURL, err := url.Parse(u)
- require.NoError(t, err)
-
- proxyURL, err := proxyFunc(parsedURL)
- require.NoError(t, err)
- if !assert.NotNilf(t, proxyURL, "expected URL %s to be proxied", u) {
- continue
- }
- assert.Equal(t, expectedProxyURL, proxyURL.String())
- }
-}
-
-func TestProxyConfiguration(t *testing.T) {
- for _, envVar := range getProxyEnvVars(testNS) {
- t.Setenv(envVar.Name, envVar.Value)
- }
-
- noProxyURLs := []string{
- "https://central",
- "https://central.acscs-01",
- "https://central.acscs-01.svc",
- "https://central.acscs-01.svc:443",
- "https://scanner-db.acscs-01.svc:5432",
- "https://scanner:8443",
- "https://scanner.acscs-01:8080",
- }
-
- proxiedURLs := []string{
- "https://audit-logs-aggregator.rhacs-audit-logs:8888",
- "https://www.example.com",
- "https://www.example.com:8443",
- "http://example.com",
- "http://example.com:8080",
- "https://central.acscs-01.svc:8443",
- "https://scanner.acscs-01.svc",
- }
-
- testProxyConfiguration(t, noProxyURLs, proxiedURLs)
-}
-
-func TestProxyConfiguration_IsDeterministic(t *testing.T) {
- envVars := getProxyEnvVars(testNS)
- for i := 0; i < 5; i++ {
- otherEnvVars := getProxyEnvVars(testNS)
- assert.Equal(t, envVars, otherEnvVars)
- }
-}
-
-var (
- additionalNoProxyURLs = []url.URL{
- {
- Host: "audit-logs-aggregator.rhacs-audit-logs:8888",
- },
- }
-)
-
-func TestProxyConfigurationWithAdditionalDirectAccess(t *testing.T) {
- for _, envVar := range getProxyEnvVars(testNS, additionalNoProxyURLs...) {
- t.Setenv(envVar.Name, envVar.Value)
- }
-
- noProxyURLs := []string{
- "https://central",
- "https://central.acscs-01",
- "https://central.acscs-01.svc",
- "https://central.acscs-01.svc:443",
- "https://scanner-db.acscs-01.svc:5432",
- "https://scanner:8443",
- "https://scanner.acscs-01:8080",
- "https://audit-logs-aggregator.rhacs-audit-logs:8888",
- }
-
- proxiedURLs := []string{
- "https://www.example.com",
- "https://www.example.com:8443",
- "http://example.com",
- "http://example.com:8080",
- "https://central.acscs-01.svc:8443",
- "https://scanner.acscs-01.svc",
- }
-
- testProxyConfiguration(t, noProxyURLs, proxiedURLs)
-}
-
-func TestProxyConfigurationWithAdditionalDirectAccess_IsDeterministic(t *testing.T) {
- envVars := getProxyEnvVars(testNS, additionalNoProxyURLs...)
- for i := 0; i < 5; i++ {
- otherEnvVars := getProxyEnvVars(testNS, additionalNoProxyURLs...)
- assert.Equal(t, envVars, otherEnvVars)
- }
-}
diff --git a/fleetshard/pkg/central/reconciler/reconciler.go b/fleetshard/pkg/central/reconciler/reconciler.go
index 6cc27d19ac..176b9d26e2 100644
--- a/fleetshard/pkg/central/reconciler/reconciler.go
+++ b/fleetshard/pkg/central/reconciler/reconciler.go
@@ -7,7 +7,6 @@ import (
 "encoding/base64"
 "encoding/json"
 "fmt"
- "net/url"
 "reflect"
 "sort"
 "sync/atomic"
@@ -312,9 +311,6 @@ func (r *CentralReconciler) getInstanceConfig(remoteCentral *private.ManagedCent
 func (r *CentralReconciler) applyCentralConfig(remoteCentral *private.ManagedCentral, central *v1alpha1.Central) error {
 r.applyTelemetry(remoteCentral, central)
 r.applyRoutes(central)
- if !r.secureTenantNetwork {
- r.applyProxyConfig(central)
- }
 r.applyDeclarativeConfig(central)
 r.applyAnnotations(remoteCentral, central)
 return nil
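Review bot: Removing the `if !r.secureTenantNetwork { r.applyProxyConfig(central) }` branch from `applyCentralConfig` leaves nothing in this commit that says what now constrains egress for a tenant whose `secureTenantNetwork` is false; the deleted squid.conf denied connections to localhost and RFC 1918/link-local ranges, so a non-secure-network tenant presumably reaches the cluster network directly unless a NetworkPolicy outside this diff covers that case. The `r.secureTenantNetwork` field appears to have lost its only use in the visible hunks while `values.yaml` still carries `secureTenantNetwork: false`; if nothing else reads the field, drop it and its plumbing, otherwise document the remaining meaning of the flag next to the field. A short commit description naming the replacement egress control would make this change auditable later. The closing brace of `applyCentralConfig` lies outside the hunk.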
@@ -352,18 +348,6 @@ func (r *CentralReconciler) applyDeclarativeConfig(central *v1alpha1.Central) { central.Spec.Central.DeclarativeConfiguration = declarativeConfig } -func (r *CentralReconciler) applyProxyConfig(central *v1alpha1.Central) { - if central.Spec.Customize == nil { - central.Spec.Customize = &v1alpha1.CustomizeSpec{} - } - auditLoggingURL := url.URL{Host: r.auditLogging.Endpoint(false)} - kubernetesURL := url.URL{ - Host: "kubernetes.default.svc.cluster.local.:443", - } - envVars := getProxyEnvVars(central.Namespace, auditLoggingURL, kubernetesURL) - central.Spec.Customize.EnvVars = append(central.Spec.Customize.EnvVars, envVars...) -} - func (r *CentralReconciler) applyRoutes(central *v1alpha1.Central) { if central.Spec.Central == nil { central.Spec.Central = &v1alpha1.CentralComponentSpec{}