Revise template logic for contentSecurityPolicy

Summary

Changes to chart templates to configure global.appConfig.contentSecurityPolicy were added when GitLab had them disabled by default: #2257 (closed)

Starting with GitLab 13.12, CSP has been turned on by default: gitlab-org/gitlab!56923 (merged)

This has brought up two issues in the use of the global.appConfig.contentSecurityPolicy config controls in chart 4.12:

  1. CSP cannot be disabled, even by specifying enabled: false, because the prior template logic omits writing any explicit config block when it is false: https://gitlab.com/gitlab-org/charts/gitlab/-/blob/4-12-stable/charts/gitlab/charts/webservice/templates/configmap.yml#L65-67
  2. Requiring the user to provide a directives key when enabled: true is specified is no longer necessary, as default directives are now applied when the setting is enabled, but the templates will throw an error if no directives are manually provided.

Steps to reproduce

  1. Install the GitLab Helm Chart
  2. Try to disable contentSecurityPolicy in the values.yml:
global:
  appConfig:
    contentSecurityPolicy:
      enabled: false
  3. Check if it was disabled by inspecting the browser response headers. It remains enabled. (Unexpected)
  4. Check if it was disabled in the configs by opening a rails console in the webservice pod. It remains enabled. (Unexpected)
irb(main):011:0> pp Settings.gitlab.content_security_policy
{"enabled"=>true, "report_only"=>false, "directives"=>{[…snipped…]}}
  5. Now, set enabled: true, but do not specify a directives: block, in order to use the defaults.
  6. Try applying the change to the cluster. It fails and requires explicit directives to be supplied. (Unexpected)
Error: UPGRADE FAILED: template: gitlab/templates/NOTES.txt:128:3: executing "gitlab/templates/NOTES.txt" at <include "gitlab.checkConfig" .>: error calling include: template: gitlab/templates/_checkConfig.tpl:68:54: executing "gitlab.checkConfig" at <fail>: error calling fail: 
CONFIGURATION CHECKS:

contentSecurityPolicy:
    When configuring Content Security Policy, you must also configure its Directives.
    set `global.appConfig.contentSecurityPolicy.directives`
    See https://docs.gitlab.com/charts/charts/globals#content-security-policy

Configuration used

Disable attempt:

global:
  appConfig:
    contentSecurityPolicy:
      enabled: false

Enable with defaults attempt:

global:
  appConfig:
    contentSecurityPolicy:
      enabled: true

Current behavior

  • Cannot disable CSP
  • Cannot use default directives when enabling CSP

Expected behavior

  • Should be able to turn off CSP without enabling it and specifying empty directives: {}
  • Should be able to turn on CSP and use the default directives from the application
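The two template behaviours described in this issue, modelled as an added example (not the chart's own templates) with Go's text/template, which Helm builds on. brokenTmpl reproduces the 4.12 logic as the report describes it: the content_security_policy block is only written when enabled is true, and a checkConfig-style fail fires when no directives are supplied, so enabled: false writes nothing and the application default wins. fixedTmpl is an assumed shape for the expected behaviour, not a quote of any actual fix: enabled is always written explicitly, and directives are only emitted when the user supplied some, so the application defaults apply otherwise. effectiveEnabled is a stand-in for how the application resolves the setting (an explicit value in gitlab.yml wins, otherwise the application default, which is true since 13.12); the default_src directive is constructed sample input, not a recommended policy.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// Values stands in for global.appConfig.contentSecurityPolicy from the chart values.
type Values struct {
	Enabled    bool
	Directives map[string]string
}

// brokenTmpl models the 4.12 behaviour described in the report: the block is
// only rendered when enabled is true, and a checkConfig-style fail fires when
// enabled is true but no directives were supplied. Nothing is written for
// enabled: false, so the application default (true since 13.12) wins.
const brokenTmpl = `{{- if .Enabled }}
{{- if not .Directives }}{{ fail "contentSecurityPolicy: directives required" }}{{ end -}}
content_security_policy:
  enabled: true
  directives:
{{- range $k, $v := .Directives }}
    {{ $k }}: {{ $v }}
{{- end }}
{{- end }}
`

// fixedTmpl is an assumed shape for the expected behaviour: enabled is always
// written explicitly, and directives are only emitted when the user set some,
// so the application defaults apply otherwise.
const fixedTmpl = `content_security_policy:
  enabled: {{ .Enabled }}
{{- if .Directives }}
  directives:
{{- range $k, $v := .Directives }}
    {{ $k }}: {{ $v }}
{{- end }}
{{- end }}
`

// render executes a template the way Helm would, with a minimal stand-in for
// Helm's fail function: returning an error aborts rendering.
func render(tmpl string, v Values) (string, error) {
	funcs := template.FuncMap{
		"fail": func(msg string) (string, error) { return "", errors.New(msg) },
	}
	t, err := template.New("configmap").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, v); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// effectiveEnabled models how the application resolves the setting: an explicit
// "enabled:" line in the rendered gitlab.yml section wins; otherwise the
// application default applies.
func effectiveEnabled(rendered string, appDefault bool) bool {
	for _, line := range strings.Split(rendered, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "enabled:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "enabled:")) == "true"
		}
	}
	return appDefault
}

func main() {
	const appDefault = true // CSP default since GitLab 13.12
	// Constructed sample directive, not a recommended policy.
	custom := map[string]string{"default_src": "'self'"}
	cases := []struct {
		name string
		v    Values
	}{
		{"disable", Values{Enabled: false}},
		{"enable with defaults", Values{Enabled: true}},
		{"enable with custom directives", Values{Enabled: true, Directives: custom}},
	}
	for _, tmpl := range []struct{ name, body string }{{"broken", brokenTmpl}, {"fixed", fixedTmpl}} {
		for _, c := range cases {
			out, err := render(tmpl.body, c.v)
			if err != nil {
				fmt.Printf("[%s] %s: render failed: %v\n", tmpl.name, c.name, err)
				continue
			}
			fmt.Printf("[%s] %s: effective CSP enabled=%v\n%s", tmpl.name, c.name, effectiveEnabled(out, appDefault), out)
		}
	}
}
```

Running it shows the two symptoms side by side: with brokenTmpl the "disable" case renders an empty block and CSP stays on, and the "enable with defaults" case aborts rendering, while fixedTmpl produces an explicit enabled: false or an enabled: true block with no directives key, leaving the defaults to the application.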

Versions

  • Chart: 4.12
  • Platform:
    • Self-hosted: Minikube
  • Kubernetes: (kubectl version)
    • Client: v1.19
    • Server: v1.19
  • Helm: (helm version)
    • Client: v3.6.0

Relevant logs

(None)