kurokobo / awx-on-k3s · enable-hsts.md

<!-- omit in toc -->
# Enable HTTP Strict Transport Security (HSTS)

Traefik, the default Ingress controller for K3s, serves both HTTP and HTTPS by default, but it can be configured to redirect plain HTTP to HTTPS and to tell browsers to use only HTTPS from then on.

This guide provides the steps to do that by enabling [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) through a Traefik middleware. The middleware does two things: it redirects HTTP requests to HTTPS, and it adds the `Strict-Transport-Security` response header so that browsers remember to use HTTPS for the host (and, with `includeSubDomains`, all of its subdomains) for the configured period, even if a user types `http://`.

<!-- omit in toc -->
## Table of Contents

- [Procedure](#procedure)
  - [Prepare Traefik](#prepare-traefik)
    - [Note for restoring AWX that uses HSTS](#note-for-restoring-awx-that-uses-hsts)
  - [Patch your AWX to enable HSTS](#patch-your-awx-to-enable-hsts)
    - [Patch your AWX using Kustomize](#patch-your-awx-using-kustomize)
    - [Patch your AWX manually](#patch-your-awx-manually)
- [Enable HSTS for other services in this repository](#enable-hsts-for-other-services-in-this-repository)

## Procedure

Note that the method described on this page is applicable only when Traefik is used as the Ingress Controller.

### Prepare Traefik

To enable HSTS, you need to deploy a Traefik middleware with [customized headers](https://doc.traefik.io/traefik/middlewares/http/headers/).

A middleware can be referenced from Ingress resources in any namespace, so in this guide it is created in the `kube-system` namespace for ease of sharing. The Ingress annotation references a middleware as `<namespace>-<name>@kubernetescrd`, so the definition below is addressed as `kube-system-hsts@kubernetescrd`.

The options in the middleware below do the following:

- `sslRedirect: true` redirects plain-HTTP requests to HTTPS. HSTS itself never redirects, and browsers only honour the `Strict-Transport-Security` header on HTTPS responses, so this redirect is what gets a first-time visitor onto HTTPS in the first place. Note that this option was deprecated in Traefik v2 and removed in Traefik v3; on a Traefik v3 deployment, drop it and chain a separate `RedirectScheme` middleware (`spec.redirectScheme.scheme: https`, `permanent: true`) in front of `hsts` in the annotation, or enable HTTP-to-HTTPS redirection on the `web` entrypoint instead.
- `forceSTSHeader: true` sends the header even on responses Traefik serves over plain HTTP. Browsers ignore it there, but it also covers setups where TLS is terminated in front of Traefik and the browser still sees HTTPS.
- `stsSeconds: 63072000` is the `max-age` directive; 63072000 seconds is two years.
- `stsIncludeSubdomains: true` extends the policy to every subdomain of the host. Before enabling it, make sure no other service on a subdomain still depends on plain HTTP.
- `stsPreload: true` adds the `preload` directive. Only set it if you intend to submit the domain to the browser preload list at https://hstspreload.org/, which requires the two settings above and is hard to undo; leave it out for a lab deployment.

```bash
cat <<EOF > middleware.yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  namespace: kube-system
  name: hsts
spec:
  headers:
    sslRedirect: true
    forceSTSHeader: true
    stsSeconds: 63072000
    stsIncludeSubdomains: true
    stsPreload: true
EOF

kubectl -n kube-system apply -f middleware.yaml
kubectl -n kube-system get middleware.traefik.io
```

#### Note for restoring AWX that uses HSTS

The middleware lives in the `kube-system` namespace, so it is not part of the [restore instructions in the restore guide](../restore/README.md).

After a restore, the restored Ingress still references `kube-system-hsts@kubernetescrd`. Traefik refuses to build a router whose middleware does not exist, so AWX will be unreachable through the Ingress until the middleware is present. Reapply `middleware.yaml` in the `kube-system` namespace if it is missing, e.g. after restoring to a fresh node.

### Patch your AWX to enable HSTS

To enable HSTS for your AWX, the Ingress resource must carry the following annotation, which references the middleware as `<namespace>-<name>@kubernetescrd`:

```yaml
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-hsts@kubernetescrd
```

AWX Operator lets you add arbitrary annotations to the Ingress it manages through the `ingress_annotations` parameter of the AWX resource. Here are two ways to set this parameter:

- Patch your AWX using Kustomize
- Patch your AWX manually

#### Patch your AWX using Kustomize

In this repository, Kustomize was used to deploy AWX. If you still have the files from your first deployment, it is easy to reuse them to modify AWX.

Add these two lines to your `awx.yaml`,

```yaml
spec:
  ...
  ingress_annotations: |                                                               👈👈👈
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-hsts@kubernetescrd   👈👈👈
```

then invoke `apply` again. AWX Operator will then start to modify the related resources. Note that the AWX Pod will be recreated, so AWX will be unavailable for a short time.

```bash
$ kubectl apply -k base
namespace/awx unchanged
secret/awx-admin-password unchanged
secret/awx-postgres-configuration unchanged
secret/awx-secret-tls configured
persistentvolume/awx-postgres-15-volume unchanged
persistentvolume/awx-projects-volume unchanged
persistentvolumeclaim/awx-projects-claim unchanged
awx.awx.ansible.com/awx configured   👈👈👈
```

Once this has completed, the logs of `deployments/awx-operator-controller-manager` end with:

```txt
$ kubectl -n awx logs -f deployments/awx-operator-controller-manager --tail=100
...
----- Ansible Task Status Event StdOut (awx.ansible.com/v1beta1, Kind=AWX, awx/awx) -----
PLAY RECAP *********************************************************************
localhost                  : ok=**   changed=0    unreachable=0    failed=0    skipped=**   rescued=0    ignored=0
```

You can confirm that the annotation has been added to the Ingress resource.

```bash
$ kubectl -n awx get ingress awx-ingress -o=jsonpath='{.metadata.annotations}' | jq
{
  ...
  "traefik.ingress.kubernetes.io/router.middlewares": "kube-system-hsts@kubernetescrd"
}
```

Now HSTS should be working. Go to `http://awx.example.com/` (HTTP), or the hostname you specified, and make sure you are redirected to `https://awx.example.com/` (HTTPS). Also check that the HTTPS response carries the `Strict-Transport-Security` header; browsers ignore that header on plain-HTTP responses, so the redirect and the header on the HTTPS side are both required.

#### Patch your AWX manually

You can also patch the AWX resource directly with the following command. AWX Operator will then start to modify the related resources. Note that the AWX Pod will be recreated, so AWX will be unavailable for a short time. `ingress_annotations` is a single multi-line string and a merge patch replaces its whole value, so if you already have annotations set there, include them in the string (one `key: value` per line) alongside the new one.

```bash
kubectl -n awx patch awx awx --type=merge \
 -p '{"spec": {"ingress_annotations": "traefik.ingress.kubernetes.io/router.middlewares: kube-system-hsts@kubernetescrd"}}'
```

Once this has completed, the logs of `deployments/awx-operator-controller-manager` end with:

```txt
$ kubectl -n awx logs -f deployments/awx-operator-controller-manager --tail=100
...
----- Ansible Task Status Event StdOut (awx.ansible.com/v1beta1, Kind=AWX, awx/awx) -----
PLAY RECAP *********************************************************************
localhost                  : ok=**   changed=0    unreachable=0    failed=0    skipped=**   rescued=0    ignored=0
```

You can confirm that the annotation has been added to the Ingress resource.

```bash
$ kubectl -n awx get ingress awx-ingress -o=jsonpath='{.metadata.annotations}' | jq
{
  ...
  "traefik.ingress.kubernetes.io/router.middlewares": "kube-system-hsts@kubernetescrd"
}
```

Now HSTS should be working. Go to `http://awx.example.com/` (HTTP), or the hostname you specified, and make sure you are redirected to `https://awx.example.com/` (HTTPS). Also check that the HTTPS response carries the `Strict-Transport-Security` header; browsers ignore that header on plain-HTTP responses, so the redirect and the header on the HTTPS side are both required.
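Watching the address bar only confirms the redirect. The script below is an added example (not part of this repository or of AWX Operator) that verifies both halves of the setup from the response headers, for this section and for the identical check at the end of the Kustomize section: the plain-HTTP response must be a redirect to the HTTPS origin of the same host, and the HTTPS response must carry a `Strict-Transport-Security` header whose `max-age`, `includeSubDomains` and `preload` match the middleware defined earlier. It assumes the guide's placeholder hostname `awx.example.com`; the header blocks embedded at the bottom are constructed samples, not captured from a real deployment.

```shell
#!/usr/bin/env bash
# Added example (not part of the awx-on-k3s repository): verify an HSTS
# deployment from HTTP response headers, both the redirect on the HTTP side
# and the Strict-Transport-Security header on the HTTPS side.
# awx.example.com is the guide's placeholder hostname; the header blocks at
# the bottom are constructed samples, not captured from a real AWX.

# Normalise a raw header block: drop CRs and keep only the first response
# (curl -I prints one block per hop when it follows redirects).
first_response() {
  printf '%s\n' "$1" | tr -d '\r' | awk 'NF == 0 { exit } { print }'
}

# Value of header $2 (case-insensitive), with surrounding whitespace trimmed.
header_value() {
  first_response "$1" | grep -i "^$2:" | head -n 1 | cut -d: -f2- \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Plain-HTTP response: must be a redirect whose Location is the HTTPS origin
# of the same host. "https://$host/"* rather than "https://$host"* so that a
# redirect to https://awx.example.com.evil.net/ is not accepted.
check_http_redirect() {
  local headers="$1" host="$2" status location
  status=$(first_response "$headers" | head -n 1 | awk '{ print $2 }')
  location=$(header_value "$headers" location)
  case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$location" in "https://$host/"*|"https://$host") return 0 ;; *) return 1 ;; esac
}

# HTTPS response: Strict-Transport-Security must be present with max-age of
# at least $2 seconds (default one year) plus includeSubDomains and preload,
# matching the middleware in this guide.
check_sts_header() {
  local headers="$1" min_age="${2:-31536000}" sts age
  sts=$(header_value "$headers" strict-transport-security)
  [ -n "$sts" ] || return 1
  age=$(printf '%s' "$sts" | grep -oi 'max-age=[0-9]*' | head -n 1 | cut -d= -f2)
  [ -n "$age" ] || return 1
  [ "$age" -ge "$min_age" ] || return 1
  printf '%s' "$sts" | grep -qi 'includesubdomains' || return 1
  printf '%s' "$sts" | grep -qi 'preload'
}

# Live probe (needs network; not exercised by the samples below). -k is only
# there because the guide's TLS secret may hold a self-signed certificate;
# drop it once a trusted certificate is in place.
probe_hsts() {
  local host="$1"
  check_http_redirect "$(curl -sS -I "http://$host/")" "$host" \
    || { echo "FAIL: http://$host/ is not redirected to https://$host/"; return 1; }
  check_sts_header "$(curl -sS -I -k "https://$host/")" \
    || { echo "FAIL: https://$host/ lacks a strong Strict-Transport-Security header"; return 1; }
  echo "OK: HSTS is in effect for $host"
}

# Constructed samples of what a correct deployment returns.
SAMPLE_HTTP=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://awx.example.com/\r\nContent-Length: 0\r\n')
SAMPLE_HTTPS=$(printf 'HTTP/2 200\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\ncontent-type: text/html; charset=utf-8\r\n')
check_http_redirect "$SAMPLE_HTTP" awx.example.com && echo "sample redirect: OK"
check_sts_header "$SAMPLE_HTTPS" 63072000 && echo "sample STS header: OK"
```

Run `probe_hsts awx.example.com` (or your own hostname) from a machine that can reach the Ingress. Checking the header on the `http://` response would prove nothing, because browsers only honour `Strict-Transport-Security` on HTTPS, which is why the script looks for the redirect on one side and the header on the other.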

## Enable HSTS for other services in this repository

You can also enable HSTS for the [Git repository](../git/), [container registry](../registry) and [Galaxy NG](../galaxy) included in this repository by adding the same annotation to their Ingress resources.

Add the following lines to the `ingress.yaml` of each service,

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: <resource name>
  annotations:                                                                         👈👈👈
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-hsts@kubernetescrd   👈👈👈
...
```

and `apply` them with Kustomize as you did when you first deployed them.

```bash
kubectl apply -k <path>
```

Alternatively, you can patch the Ingress resources directly.

```bash
kubectl -n <namespace> patch ingress <resource name> --type=merge \
 -p '{"metadata": {"annotations": {"traefik.ingress.kubernetes.io/router.middlewares": "kube-system-hsts@kubernetescrd"}}}'
```