uselagoon / lagoon-linter Goto Github PK

As the active/standby route lives in a different array to environment.X.routes, it will need to be added into the linter as production_routes.X.routes

production_routes:
  active:
    routes:
      - nginx:
          - "www.example.com":
              tls-acme: true
              insecure: Redirect
              annotations:
                nginx.ingress.kubernetes.io/server-snippet: |
                  if ($request_uri !~ \"^/abc\") {
                    return 301 https://dev.example.com$request_uri;
                  }
  standby:
    routes:
      - nginx:
          - "www.standby.example.com":
              tls-acme: "false"
              insecure: Redirect

Routes could be configured to return the HSTS header by using the hsts field. The format was:

environments:
  main:
    routes:
      - nginx:
        - "www.example.com":
            hsts: max-age=31536000

HSTS is still supported, but the field names have changed, so existing hsts fields should throw a deprecation.

we see some projects that have a .lagoon.yml yaml with unquoted booleans, aka tls-acme: true instead of tls-acme: 'true'. While it's technically valid yaml and lagoon can deploy with it, the linter fails to load the .lagoon.yml and errors with:

lagoon-linter: error: couldn't unmarshal .lagoon.yml: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal bool into Go struct field Environment.environments.routes of type string

It only affects a small percentage of projects and we are telling all customers about this.
But it would be great if we can somehow catch this and fail with a message that there are unquoted booleans that need to be fixed

We have some code in the build-deploy-tool that will convert routes.insecure to routes.autogenerate.insecure and echo a message.

The message should be part of the linter instead.

e.g. in the route definition:

          -
            beta.example.com:
              tls-amce: 'false'

This issue tracks the rollout of application security in CI, including:

• Dependabot Alerts
• Dependabot Security updates
• Dependabot Version updates
• CodeQL
• secret scanning and push protection
• private vulnerability reporting
• dependency review
• OpenSSF scorecard and best practices (badges in README)
• release artifact signing
• release SBOMs
• coverage (badge in README)
• code linters

Because Lagoons .lagoon.yml is pretty terrible. There are some cases where the defined yaml passes the Lagoon build phase, but the linter can't decode properly.

For example, the following will deploy a lagoon environment correctly, even though cronjobs: are defined as an environment.
The linter fails to unmarshal this and errors preventing a build

environments:
  cronjobs:
    - name: a cronjob defined as environment
      schedule: "* * * * *"
      command: echo "broken definition"
      service: cli
  main:
    routes:
    - nginx:
      - example.com
      - "www.example.com":
          tls-acme: 'true'
          insecure: Redirect
          hsts: max-age=31536000

Ideally, we could just print a warning message that a section is incorrectly defined.

Routes have an insecure field that can be set to Allow, Redirect, or None. The None option used to block any HTTP connections under openshfit, but in kubernetes we've configured it to be the same as Redirect. We can throw deprecations for None because it no longer works the way it was documented.

It could be set for autogenerated routes:

routes:
  autogenerate:
    insecure: None

and/or for manual routes:

environments:
  main:
    routes:
      - nginx:
        - "www.example.com":
            insecure: None

Essentially the snippet:

    nginx.ingress.kubernetes.io/server-snippet: |
      client_header_buffer_size 64k;
      large_client_header_buffers 4 64k;

The use case is JSONAPI to which can have URIs that exceed the default of 8,000 characters.