Merge branch 'main' into re-add-multiple-convictions

vertism · web-flow · commit 7ea607f2e139 · 2024-09-04T13:48:11.000+01:00
diff --git a/config/kubernetes/production/ingress.yml b/config/kubernetes/production/ingress.yml
@@ -1,11 +1,16 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: disclosure-checker-ingress-production
+  name: disclosure-checker-ingress-modsec-production
   namespace: disclosure-checker-production
   annotations:
-    external-dns.alpha.kubernetes.io/set-identifier: disclosure-checker-ingress-production-disclosure-checker-production-green
+    external-dns.alpha.kubernetes.io/set-identifier: disclosure-checker-ingress-modsec-production-disclosure-checker-production-green
     external-dns.alpha.kubernetes.io/aws-weight: "100"
+    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
+    nginx.ingress.kubernetes.io/modsecurity-snippet: |
+      SecAuditEngine On
+      SecRuleEngine DetectionOnly
+      SecDefaultAction "phase:2,pass,log,tag:github_team=central-digital-product-team,tag:namespace=disclosure-checker-production"
     nginx.ingress.kubernetes.io/server-snippet: |
       location ~* \.(php|cgi|xml)$ {
         deny all; access_log off;
@@ -17,7 +22,7 @@ metadata:
         return 301 https://raw.githubusercontent.com/ministryofjustice/security-guidance/main/contact/vulnerability-disclosure-security.txt;
       }
 spec:
-  ingressClassName: default
+  ingressClassName: modsec
   tls:
   - hosts:
     - disclosure-checker-production.apps.live.cloud-platform.service.justice.gov.uk
diff --git a/config/kubernetes/qa/ingress.yml b/config/kubernetes/qa/ingress.yml
@@ -15,8 +15,12 @@ metadata:
       location ~* \.(php|cgi|xml)$ {
         deny all; access_log off;
       }
+    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
+    nginx.ingress.kubernetes.io/modsecurity-snippet: |
+      SecRuleEngine On
+      SecDefaultAction "phase:2,pass,log,tag:github_team=central-digital-product-team,tag:namespace=disclosure-checker-qa"
 spec:
-  ingressClassName: default
+  ingressClassName: modsec
   tls:
   - hosts:
     - disclosure-checker-qa.apps.live.cloud-platform.service.justice.gov.uk
diff --git a/config/kubernetes/staging/ingress.yml b/config/kubernetes/staging/ingress.yml
@@ -15,8 +15,12 @@ metadata:
       location ~* \.(php|cgi|xml)$ {
         deny all; access_log off;
       }
+    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
+    nginx.ingress.kubernetes.io/modsecurity-snippet: |
+      SecRuleEngine On
+      SecDefaultAction "phase:2,pass,log,tag:github_team=central-digital-product-team,tag:namespace=disclosure-checker-staging"
 spec:
-  ingressClassName: default
+  ingressClassName: modsec
   tls:
   - hosts:
     - disclosure-checker-staging.apps.live.cloud-platform.service.justice.gov.uk
