Merge "[AAI] Request blocking enhancement for AAI"

author Sylvain Desbureaux <sylvain.desbureaux@orange.com>

Fri, 25 Feb 2022 16:08:22 +0000 (16:08 +0000)

committer Gerrit Code Review <gerrit@onap.org>

Fri, 25 Feb 2022 16:08:22 +0000 (16:08 +0000)
author Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Fri, 25 Feb 2022 16:08:22 +0000 (16:08 +0000)
committer Gerrit Code Review <gerrit@onap.org>
Fri, 25 Feb 2022 16:08:22 +0000 (16:08 +0000)
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg

index 9fa6d2e..6e7acef 100644 (file)
--- a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
@@ -88,6 +88,15 @@ frontend IST_8443
          http-request set-header X-AAI-SSL-Client-ST             %{+Q}[ssl_c_s_dn(ST)]
          http-request set-header X-AAI-SSL-Client-C              %{+Q}[ssl_c_s_dn(C)]
          http-request set-header X-AAI-SSL-Client-O              %{+Q}[ssl_c_s_dn(O)]
+#######################################
+## Request blocking configuration ###
+#######################################
+        {{- if eq $.Values.haproxy.requestBlocking.enabled true }}
+        {{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }}
+        {{ $custom_config }}
+        {{- end }}
+        {{- end }}
+
          reqadd X-Forwarded-Proto:\ https
          reqadd X-Forwarded-Port:\ 8443
  
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy.cfg b/kubernetes/aai/resources/config/haproxy/haproxy.cfg

index 1db4add..1accff9 100644 (file)
--- a/kubernetes/aai/resources/config/haproxy/haproxy.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy.cfg
@@ -119,6 +119,15 @@ frontend IST_8443
          http-request set-header X-AAI-SSL-Client-ST             %{+Q}[ssl_c_s_dn(ST)]
          http-request set-header X-AAI-SSL-Client-C              %{+Q}[ssl_c_s_dn(C)]
          http-request set-header X-AAI-SSL-Client-O              %{+Q}[ssl_c_s_dn(O)]
+#######################################
+## Request blocking configuration ###
+#######################################
+        {{- if eq $.Values.haproxy.requestBlocking.enabled true }}
+        {{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }}
+        {{ $custom_config }}
+        {{- end }}
+        {{- end }}
+
          reqadd X-Forwarded-Proto:\ https
          reqadd X-Forwarded-Port:\ 8443
  {{- end }}
diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml

index 68d7445..62d1d2e 100644 (file)
--- a/kubernetes/aai/values.yaml
+++ b/kubernetes/aai/values.yaml
@@ -349,6 +349,12 @@ nodeSelector: {}
  
  affinity: {}
  
+# HAProxy configuration to block HTTP requests to AAI based on configurable URL patterns
+haproxy:
+  requestBlocking:
+    enabled: false
+    customConfigs: []
+
  # probe configuration parameters
  liveness:
    initialDelaySeconds: 10
author	Sylvain Desbureaux <sylvain.desbureaux@orange.com>
	Fri, 25 Feb 2022 16:08:22 +0000 (16:08 +0000)
committer	Gerrit Code Review <gerrit@onap.org>
	Fri, 25 Feb 2022 16:08:22 +0000 (16:08 +0000)
kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg		patch \| blob \| history
kubernetes/aai/resources/config/haproxy/haproxy.cfg		patch \| blob \| history
kubernetes/aai/values.yaml		patch \| blob \| history