jsonnet: move files around

Signed-off-by: paulfantom <pawel@krupa.net.pl>
2021-01-15 14:54:19 +01:00
parent 75f918067d
commit 1eedb90c17
48 changed files with 27 additions and 36 deletions
--- a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
@@ -0,0 +1,63 @@
+local defaults = {
+  namespace: error 'must provide namespace',
+  image: 'quay.io/brancz/kube-rbac-proxy:v0.8.0',
+  ports: error 'must provide ports',
+  secureListenAddress: error 'must provide secureListenAddress',
+  upstream: error 'must provide upstream',
+  resources: {
+    requests: { cpu: '10m', memory: '20Mi' },
+    limits: { cpu: '20m', memory: '40Mi' },
+  },
+  tlsCipherSuites: [
+    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',  // required by h2: http://golang.org/cl/30721
+    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',  // required by h2: http://golang.org/cl/30721
+
+    // 'TLS_RSA_WITH_RC4_128_SHA',                // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+    // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',           // insecure: https://access.redhat.com/articles/2548661
+    // 'TLS_RSA_WITH_AES_128_CBC_SHA',            // disabled by h2
+    // 'TLS_RSA_WITH_AES_256_CBC_SHA',            // disabled by h2
+    // 'TLS_RSA_WITH_AES_128_CBC_SHA256',         // insecure: https://access.redhat.com/security/cve/cve-2013-0169
+    // 'TLS_RSA_WITH_AES_128_GCM_SHA256',         // disabled by h2
+    // 'TLS_RSA_WITH_AES_256_GCM_SHA384',         // disabled by h2
+    // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA',        // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+    // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',    // disabled by h2
+    // 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',    // disabled by h2
+    // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA',          // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+    // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',     // insecure: https://access.redhat.com/articles/2548661
+    // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',      // disabled by h2
+    // 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',      // disabled by h2
+    // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
+    // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',   // insecure: https://access.redhat.com/security/cve/cve-2013-0169
+
+    // disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go
+
+    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
+    'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
+    'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
+  ],
+};
+
+
+function(params) {
+  local krp = self,
+  config:: defaults + params,
+  // Safety check
+  assert std.isObject(krp.config.resources),
+
+  name: krp.config.name,
+  image: krp.config.image,
+  args: [
+    '--logtostderr',
+    '--secure-listen-address=' + krp.config.secureListenAddress,
+    '--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites),
+    '--upstream=' + krp.config.upstream,
+  ],
+  resources: krp.config.resources,
+  ports: krp.config.ports,
+  securityContext: {
+    runAsUser: 65532,
+    runAsGroup: 65532,
+    runAsNonRoot: true,
+  },
+}