block access to assets.*/minio/ path (#4297)

* add rules to allow signed url * Revert "add rules to allow signed url" This reverts commit ef47149. * add seperate template for minio ingress * remove minio rules from from existing template * add changelog
wireapp · Oct 31, 2024 · c11434b · c11434b
1 parent 7345889
commit c11434b
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 22 deletions.
diff --git a/changelog.d/5-internal/WPB-11791 b/changelog.d/5-internal/WPB-11791
@@ -0,0 +1 @@
+Block access to assets.*/minio/ path for public access.
diff --git a/charts/nginx-ingress-services/templates/ingress.yaml b/charts/nginx-ingress-services/templates/ingress.yaml
@@ -51,9 +51,6 @@ spec:
 {{- if .Values.webapp.enabled }}
       - {{ .Values.config.dns.webapp }}
 {{- end }}
-{{- if .Values.fakeS3.enabled }}
-      - {{ .Values.config.dns.fakeS3 }}
-{{- end }}
 {{- if .Values.teamSettings.enabled }}
       - {{ .Values.config.dns.teamSettings }}
 {{- end }}
@@ -117,25 +114,6 @@ spec:
               servicePort: {{ .Values.service.webapp.externalPort }}
               {{- end }}
 {{- end }}
-{{- if .Values.fakeS3.enabled }}
-    - host: {{ .Values.config.dns.fakeS3 }}
-      http:
-        paths:
-          - path: /
-            {{- if $ingressSupportsPathType }}
-            pathType: Prefix
-            {{- end }}
-            backend:
-              {{- if $apiIsStable }}
-              service:
-                name: {{ .Values.service.s3.serviceName }}
-                port:
-                  number: {{ .Values.service.s3.externalPort }}
-              {{- else }}
-              serviceName: {{ .Values.service.s3.serviceName }}
-              servicePort: {{ .Values.service.s3.externalPort }}
-              {{- end }}
-{{- end }}
 {{- if .Values.teamSettings.enabled }}
     - host: {{ .Values.config.dns.teamSettings }}
       http:

diff --git a/charts/nginx-ingress-services/templates/ingress_minio.yaml b/charts/nginx-ingress-services/templates/ingress_minio.yaml
@@ -0,0 +1,45 @@
+{{- $apiIsStable := eq (include "ingress.isStable" .) "true" -}}
+{{- $ingressFieldNotAnnotation := eq (include "ingress.FieldNotAnnotation" .) "true" -}}
+{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}}
+{{- if .Values.fakeS3.enabled }}
+# We use a separate ingress for minio because we want to restrict access to /minio/ path
+# for security reasons
+apiVersion: {{ include "ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+  name: minio-ingress
+  annotations:
+    {{- if not $ingressFieldNotAnnotation }}
+    kubernetes.io/ingress.class: "{{ .Values.config.ingressClass }}"
+    {{- end }}
+    nginx.ingress.kubernetes.io/server-snippet: |
+      location /minio/ {
+        return 403;
+      }
+spec:
+  {{- if $ingressFieldNotAnnotation }}
+  ingressClassName: "{{ .Values.config.ingressClass }}"
+  {{- end }}
+  tls:
+  - hosts:
+      - {{ .Values.config.dns.fakeS3 }}
+    secretName: {{ include "nginx-ingress-services.getCertificateSecretName" . | quote }}
+  rules:
+    - host: {{ .Values.config.dns.fakeS3 }}
+      http:
+        paths:
+          - path: /
+            {{- if $ingressSupportsPathType }}
+            pathType: Prefix
+            {{- end }}
+            backend:
+              {{- if $apiIsStable }}
+              service:
+                name: {{ .Values.service.s3.serviceName }}
+                port:
+                  number: {{ .Values.service.s3.externalPort }}
+              {{- else }}
+              serviceName: {{ .Values.service.s3.serviceName }}
+              servicePort: {{ .Values.service.s3.externalPort }}
+              {{- end }}
+{{- end }}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Block access to assets.*/minio/ path for public access.