From 0ade6b1a529828c72d68ae2c42d17a33dd61586e Mon Sep 17 00:00:00 2001
From: JingLu5 <lvjing5@huawei.com>
Date: Fri, 7 Sep 2018 16:18:15 +0800
Subject: Add ModSecurity config guide

This patch adds ModSecurity config guide.
This patch also deploy the modsecurity and ext_authz filter to clover-gateway namespace.

Change-Id: I5ab21e6337b8f8b839ddd028370df378686bd017
Signed-off-by: JingLu5 <lvjing5@huawei.com>
---
 .../scenarios/ingressgateway_ext_authz_filter.yaml | 24 ++++++++
 .../istio_ingressgateway_envoyfilter.yaml          | 24 --------
 samples/scenarios/modsecurity_all_in_one.yaml      | 65 ++++++++++++++++++++++
 .../services/modsecurity/yaml/manifest.template    |  2 +
 .../modsecurity/yaml/modsecurity-deployment.yaml   |  1 +
 .../modsecurity/yaml/modsecurity-service.yaml      |  1 +
 samples/services/modsecurity/yaml/render_yaml.py   |  4 ++
 7 files changed, 97 insertions(+), 24 deletions(-)
 create mode 100644 samples/scenarios/ingressgateway_ext_authz_filter.yaml
 delete mode 100644 samples/scenarios/istio_ingressgateway_envoyfilter.yaml
 create mode 100644 samples/scenarios/modsecurity_all_in_one.yaml

(limited to 'samples')

diff --git a/samples/scenarios/ingressgateway_ext_authz_filter.yaml b/samples/scenarios/ingressgateway_ext_authz_filter.yaml
new file mode 100644
index 0000000..0960a50
--- /dev/null
+++ b/samples/scenarios/ingressgateway_ext_authz_filter.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: ext-authz
+  namespace: clover-gateway
+spec:
+  workloadLabels:
+    app: istio-ingressgateway
+  filters:
+  - insertPosition:
+      index: FIRST
+    listenerMatch:
+      portNumber: 80
+      listenerType: GATEWAY
+      listenerProtocol: HTTP
+    filterType: HTTP
+    filterName: "envoy.ext_authz"
+    filterConfig:
+      http_service:
+        server_uri:
+          uri: "http://modsecurity-crs.clover-gateway.svc.cluster.local"
+          cluster: "outbound|80||modsecurity-crs.clover-gateway.svc.cluster.local"
+          timeout: 0.5s
+      failure_mode_allow: false
diff --git a/samples/scenarios/istio_ingressgateway_envoyfilter.yaml b/samples/scenarios/istio_ingressgateway_envoyfilter.yaml
deleted file mode 100644
index 46f730c..0000000
--- a/samples/scenarios/istio_ingressgateway_envoyfilter.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: EnvoyFilter
-metadata:
-  name: ext-authz
-  namespace: istio-system
-spec:
-  workloadLabels:
-    app: istio-ingressgateway
-  filters:
-  - insertPosition:
-      index: FIRST
-    listenerMatch:
-      portNumber: 80
-      listenerType: GATEWAY
-      listenerProtocol: HTTP
-    filterType: HTTP
-    filterName: "envoy.ext_authz"
-    filterConfig:
-      http_service:
-        server_uri:
-          uri: "http://modsecurity-crs.istio-system.svc.cluster.local"
-          cluster: "outbound|80||modsecurity-crs.istio-system.svc.cluster.local"
-          timeout: 0.5s
-      failure_mode_allow: false
diff --git a/samples/scenarios/modsecurity_all_in_one.yaml b/samples/scenarios/modsecurity_all_in_one.yaml
new file mode 100644
index 0000000..aa92b13
--- /dev/null
+++ b/samples/scenarios/modsecurity_all_in_one.yaml
@@ -0,0 +1,65 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: modsecurity-crs
+  namespace: clover-gateway
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: modsecurity-crs
+  template:
+    metadata:
+      labels:
+        app: modsecurity-crs
+    spec:
+      containers:
+        - name: modsecurity-crs
+          image: clover/clover-ns-modsecurity-crs
+          ports:
+            - containerPort: 80
+          env:
+            - name: PARANOIA
+              value: '1'
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: modsecurity-crs
+  namespace: clover-gateway
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    name: http-modsecurity-crs
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: modsecurity-crs
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: ext-authz
+  namespace: clover-gateway
+spec:
+  workloadLabels:
+    app: istio-ingressgateway
+  filters:
+  - insertPosition:
+      index: FIRST
+    listenerMatch:
+      portNumber: 80
+      listenerType: GATEWAY
+      listenerProtocol: HTTP
+    filterType: HTTP
+    filterName: "envoy.ext_authz"
+    filterConfig:
+      http_service:
+        server_uri:
+          uri: "http://modsecurity-crs.clover-gateway.svc.cluster.local"
+          cluster: "outbound|80||modsecurity-crs.clover-gateway.svc.cluster.local"
+          timeout: 0.5s
+      failure_mode_allow: false
+---
diff --git a/samples/services/modsecurity/yaml/manifest.template b/samples/services/modsecurity/yaml/manifest.template
index afeb9dc..2206e6d 100644
--- a/samples/services/modsecurity/yaml/manifest.template
+++ b/samples/services/modsecurity/yaml/manifest.template
@@ -3,6 +3,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: {{ deploy_name }}
+  namespace: {{ deploy_namespace }}
   labels:
     app: {{ deploy_name }}
 spec:
@@ -26,6 +27,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ deploy_name }}
+  namespace: {{ deploy_namespace }}
   labels:
     app: {{ deploy_name }}
 spec:
diff --git a/samples/services/modsecurity/yaml/modsecurity-deployment.yaml b/samples/services/modsecurity/yaml/modsecurity-deployment.yaml
index 450ede5..1e88f30 100644
--- a/samples/services/modsecurity/yaml/modsecurity-deployment.yaml
+++ b/samples/services/modsecurity/yaml/modsecurity-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: modsecurity-crs
+  namespace: clover-gateway
 spec:
   replicas: 1
   selector:
diff --git a/samples/services/modsecurity/yaml/modsecurity-service.yaml b/samples/services/modsecurity/yaml/modsecurity-service.yaml
index 8548dca..7432630 100644
--- a/samples/services/modsecurity/yaml/modsecurity-service.yaml
+++ b/samples/services/modsecurity/yaml/modsecurity-service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: modsecurity-crs
+  namespace: clover-gateway
 spec:
   type: NodePort
   ports:
diff --git a/samples/services/modsecurity/yaml/render_yaml.py b/samples/services/modsecurity/yaml/render_yaml.py
index 54f8069..67622d6 100644
--- a/samples/services/modsecurity/yaml/render_yaml.py
+++ b/samples/services/modsecurity/yaml/render_yaml.py
@@ -22,6 +22,7 @@ def render_yaml(args):
             image_name=args['image_name'],
             image_tag=args['image_tag'],
             deploy_name=args['deploy_name'],
+            deploy_namespace=args['deploy_namespace'],
             http_port=args['http_port'],
             paranoia_level=args['paranoia_level']
         )
@@ -48,6 +49,9 @@ if __name__ == '__main__':
     parser.add_argument(
             '--deploy_name', default='modsecurity-crs',
             help='The k8s deploy name to use')
+    parser.add_argument(
+            '--deploy_namespace', default='clover-gateway',
+            help='The k8s namespace to deploy pod and service')
     parser.add_argument(
             '--http_port', default='80',
             help='Analyze http traffic on this port')
-- 
cgit 1.2.3-korg