Revise template logic for contentSecurityPolicy
Summary
Changes to the chart templates to configure `global.appConfig.contentSecurityPolicy`
were added when GitLab had CSP disabled by default: #2257 (closed)
Starting with GitLab 13.12, CSP is turned on by default: gitlab-org/gitlab!56923 (merged)
This has brought up two issues in the use of the `global.appConfig.contentSecurityPolicy`
config controls in chart 4.12:
- CSP cannot be disabled, even by specifying `enabled: false`, because the prior template logic omits writing any explicit config block when it is false, so the application default (enabled since 13.12) wins: https://gitlab.com/gitlab-org/charts/gitlab/-/blob/4-12-stable/charts/gitlab/charts/webservice/templates/configmap.yml#L65-67
- Requiring the user to provide a `directives` key when `enabled: true` is specified is no longer necessary, as default directives are now applied by the application when the setting is enabled, but the templates throw an error if no directives are manually provided.
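To make the two template problems concrete, here is an added example (not the chart's own configmap template or checkConfig logic) written against Go's `text/template`, which is what Helm renders charts with. The first template is a hypothetical stand-in for the 4.12 behaviour: the whole `content_security_policy` block is wrapped in `if .enabled`, so `enabled: false` produces nothing. The second is a hypothetical revised form that always writes an explicit `enabled` flag when the values carry a `contentSecurityPolicy` block and emits `directives` only when the user supplied some. The value shapes (`cspValues`) and the `default_src` directive are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Hypothetical stand-in for the 4.12 configmap logic described in the issue
// (not the chart's own template): the block is emitted only when enabled is
// true, so `enabled: false` writes nothing and the application default wins.
const buggyTpl = `gitlab:
{{- if .contentSecurityPolicy.enabled }}
  content_security_policy:
    enabled: true
    directives:
{{- range $k, $v := .contentSecurityPolicy.directives }}
      {{ $k }}: {{ $v }}
{{- end }}
{{- end }}
`

// Hypothetical revised logic: whenever the values carry a
// contentSecurityPolicy block, write an explicit enabled flag, and emit
// directives only if the user supplied some, so the application defaults
// apply otherwise and no "you must configure directives" check is needed.
const fixedTpl = `gitlab:
{{- with .contentSecurityPolicy }}
  content_security_policy:
    enabled: {{ .enabled }}
{{- if .directives }}
    directives:
{{- range $k, $v := .directives }}
      {{ $k }}: {{ $v }}
{{- end }}
{{- end }}
{{- end }}
`

// cspValues builds a values map shaped like
// global.appConfig.contentSecurityPolicy (constructed for this example);
// a nil directives map means "use the application defaults".
func cspValues(enabled bool, directives map[string]string) map[string]interface{} {
	csp := map[string]interface{}{"enabled": enabled}
	if directives != nil {
		csp["directives"] = directives
	}
	return map[string]interface{}{"contentSecurityPolicy": csp}
}

// render executes a Helm-style text/template against the values map and
// returns the YAML fragment it produces.
func render(tpl string, values map[string]interface{}) (string, error) {
	t, err := template.New("csp").Parse(tpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, values); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	cases := []struct {
		name   string
		values map[string]interface{}
	}{
		{"enabled: false", cspValues(false, nil)},
		{"enabled: true, no directives", cspValues(true, nil)},
		{"enabled: true, one directive", cspValues(true, map[string]string{"default_src": "'self'"})},
	}
	templates := []struct{ name, body string }{{"4.12 logic", buggyTpl}, {"revised logic", fixedTpl}}
	for _, tpl := range templates {
		for _, c := range cases {
			out, err := render(tpl.body, c.values)
			if err != nil {
				fmt.Printf("--- %s / %s ---\nerror: %v\n", tpl.name, c.name, err)
				continue
			}
			// With the 4.12 logic the first case renders only "gitlab:", which is
			// exactly why `enabled: false` has no effect on the running webservice.
			fmt.Printf("--- %s / %s ---\n%s", tpl.name, c.name, out)
		}
	}
}
```

Running it side by side shows the two symptoms from the summary: the 4.12-style template drops the block entirely for `enabled: false`, while the revised template writes `enabled: false` explicitly and renders `enabled: true` with no `directives` key when none are given, leaving the defaults to the application.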
Steps to reproduce
- Install the GitLab Helm Chart
- Try to disable `contentSecurityPolicy` in the `values.yml`:

```yaml
global:
  appConfig:
    contentSecurityPolicy:
      enabled: false
```
- Check if it was disabled by inspecting the browser response headers. It remains enabled. (Unexpected)
- Check if it was disabled in configs by opening a rails console in the webservice pod. It remains enabled. (Unexpected)

```
irb(main):011:0> pp Settings.gitlab.content_security_policy
{"enabled"=>true, "report_only"=>false, "directives"=>{[…snipped…]}}
```
- Now, set `enabled: true`, but do not specify a `directives:` block, in order to use the defaults.
- Try applying the change to the cluster. It fails and requires an explicit `directives` block to be supplied. (Unexpected)

```
Error: UPGRADE FAILED: template: gitlab/templates/NOTES.txt:128:3: executing "gitlab/templates/NOTES.txt" at <include "gitlab.checkConfig" .>: error calling include: template: gitlab/templates/_checkConfig.tpl:68:54: executing "gitlab.checkConfig" at <fail>: error calling fail:
CONFIGURATION CHECKS:
    contentSecurityPolicy:
        When configuring Content Security Policy, you must also configure its Directives.
        set `global.appConfig.contentSecurityPolicy.directives`
        See https://docs.gitlab.com/charts/charts/globals#content-security-policy
```
Configuration used
Disable attempt:

```yaml
global:
  appConfig:
    contentSecurityPolicy:
      enabled: false
```

Enable with defaults attempt:

```yaml
global:
  appConfig:
    contentSecurityPolicy:
      enabled: true
```
Current behavior
- Cannot disable CSP
- Cannot use default directives when enabling CSP
Expected behavior
- Should be able to turn off CSP without the workaround of enabling it and specifying an empty `directives: {}`
- Should be able to turn on CSP and use the default directives from the application
Versions
- Chart: 4.12
- Platform:
  - Self-hosted: Minikube
- Kubernetes: (`kubectl version`)
  - Client: v1.19
  - Server: v1.19
- Helm: (`helm version`)
  - Client: v3.6.0
Relevant logs
(None)