Kubernetes ingress and other improvement (#395)

claudex · web-flow · commit 3e807270d807 · 2026-03-18T12:19:47.000Z
* Add an ingress for the kubernetes manifests

This changes the configuration for the nginx deployment to run with root
privileges and use a configmap for the settings. TLS is disabled as it
can cause issue with ingress and untrusted certificates

* Use an env var for cronjob endpoint

* Split misp-module in dedicated deployment
diff --git a/core/files/kubernetes/entrypoint_nginx.sh b/core/files/kubernetes/entrypoint_nginx.sh
diff --git a/kubernetes/instance-secrets.env b/kubernetes/instance-secrets.env
@@ -2,6 +2,7 @@ REDIS_PASSWORD=replacemewithsomethingelse
 ADMIN_KEY=REPLACEMEWITHANACTUALKEYTHATWILLWORKFORU
 ADMIN_PASSWORD=sometimespasswordsarelongsometimespasswordsareshort
 BASE_URL=https://localhost:9002
+MISP_SERVICE=nginx:8080
 S3_BUCKET=files-storage-bucket
 S3_ENDPOINT=https://s3-service-endpoint
 S3_ACCESS_KEY=s3-access-key
diff --git a/kubernetes/kustomization.yaml b/kubernetes/kustomization.yaml
@@ -7,6 +7,8 @@ resources:
 - ./manifests/redis.yaml
 - ./manifests/mysql.yaml
 - ./manifests/services.yaml
+- ./manifests/ingress.yaml
+- ./manifests/nginx-cm.yaml
 - ./manifests/cronjobs/cache-all-feeds.yaml
 - ./manifests/cronjobs/fetch-all-feeds.yaml
 - ./manifests/cronjobs/pull-all-servers.yaml
@@ -25,4 +27,4 @@ secretGenerator:
       - ./mysql-credentials.env
     literals:
       - MYSQL_DATABASE=misp
-      - MYSQL_USER=misp
+      - MYSQL_USER=misp
diff --git a/kubernetes/manifests/cronjobs/cache-all-feeds.yaml b/kubernetes/manifests/cronjobs/cache-all-feeds.yaml
@@ -14,16 +14,17 @@ spec:
             app.kubernetes.io/name: misp-cron
         spec:
           containers:
-          - name: curl
-            image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
-            imagePullPolicy: IfNotPresent
-            command: ["/bin/sh", "-c"]
-            args:
-              - 'curl -s -k -X POST -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" https://nginx/feeds/cacheFeeds/all'
-            envFrom:
-              - secretRef:
-                  name: instance-secrets
+            - name: curl
+              image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
+              imagePullPolicy: IfNotPresent
+              command: ["/bin/sh", "-c"]
+              args:
+                - 'curl -s -X POST -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" "http://$MISP_SERVICE/feeds/cacheFeeds/all"'
+              envFrom:
+                - secretRef:
+                    name: instance-secrets
           restartPolicy: Never
       backoffLimit: 2
       activeDeadlineSeconds: 1200
-  concurrencyPolicy: Forbid
+  concurrencyPolicy: Forbid
+
diff --git a/kubernetes/manifests/cronjobs/fetch-all-feeds.yaml b/kubernetes/manifests/cronjobs/fetch-all-feeds.yaml
@@ -14,16 +14,17 @@ spec:
             app.kubernetes.io/name: misp-cron
         spec:
           containers:
-          - name: curl
-            image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
-            imagePullPolicy: IfNotPresent
-            command: ["/bin/sh", "-c"]
-            args:
-              - 'curl -s -X POST -k -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" https://nginx/feeds/fetchFromAllFeeds'
-            envFrom:
-              - secretRef:
-                  name: instance-secrets
+            - name: curl
+              image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
+              imagePullPolicy: IfNotPresent
+              command: ["/bin/sh", "-c"]
+              args:
+                - 'curl -s -X POST -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" "http://$MISP_SERVICE/feeds/fetchFromAllFeeds"'
+              envFrom:
+                - secretRef:
+                    name: instance-secrets
           restartPolicy: Never
       backoffLimit: 2
       activeDeadlineSeconds: 1200
-  concurrencyPolicy: Forbid
+  concurrencyPolicy: Forbid
+
diff --git a/kubernetes/manifests/cronjobs/pull-all-servers.yaml b/kubernetes/manifests/cronjobs/pull-all-servers.yaml
@@ -14,27 +14,28 @@ spec:
             app.kubernetes.io/name: misp-cron
         spec:
           containers:
-          - name: curl
-            image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
-            imagePullPolicy: IfNotPresent
-            command: ["/bin/sh", "-c"]
-            args:
-              - |
-                echo "Fetching server list"
-                json_data=$(curl -s -k -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" https://nginx/servers)
-                echo "Fetched server list"
-                id_list=$(echo "$json_data" | jq -r '.[]? | select(.Server.pull == true) | .Server.id')
-                echo "Pulling all servers with pull enabled"
-                for id in $id_list
-                do
-                    echo "Creating job to pull from server with id $id"
-                    result=$(curl -s -k -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" https://nginx/servers/pull/$id)
-                    echo " - $(echo $result | jq -r '.message')"
-                done
-            envFrom:
-              - secretRef:
-                  name: instance-secrets
+            - name: curl
+              image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
+              imagePullPolicy: IfNotPresent
+              command: ["/bin/sh", "-c"]
+              args:
+                - |
+                  echo "Fetching server list"
+                  json_data=$(curl -s -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" "http://$MISP_SERVICE/servers")
+                  echo "Fetched server list"
+                  id_list=$(echo "$json_data" | jq -r '.[]? | select(.Server.pull == true) | .Server.id')
+                  echo "Pulling all servers with pull enabled"
+                  for id in $id_list
+                  do
+                      echo "Creating job to pull from server with id $id"
+                      result=$(curl -s -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" "http://$MISP_SERVICE/servers/pull/$id")
+                      echo " - $(echo $result | jq -r '.message')"
+                  done
+              envFrom:
+                - secretRef:
+                    name: instance-secrets
           restartPolicy: Never
       backoffLimit: 2
       activeDeadlineSeconds: 1200
-  concurrencyPolicy: Forbid
+  concurrencyPolicy: Forbid
+
diff --git a/kubernetes/manifests/cronjobs/push-all-servers.yaml b/kubernetes/manifests/cronjobs/push-all-servers.yaml
@@ -14,27 +14,28 @@ spec:
             app.kubernetes.io/name: misp-cron
         spec:
           containers:
-          - name: curl
-            image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
-            imagePullPolicy: IfNotPresent
-            command: ["/bin/sh", "-c"]
-            args:
-              - |
-                echo "Fetching server list"
-                json_data=$(curl -s -k -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" https://nginx/servers)
-                echo "Fetched server list"
-                id_list=$(echo "$json_data" | jq -r '.[]? | select(.Server.push == true) | .Server.id')
-                echo "Pulling all servers with push enabled"
-                for id in $id_list
-                do
-                    echo "Creating job to push from server with id $id"
-                    result=$(curl -s -k -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" https://nginx/servers/push/$id)
-                    echo " - $(echo $result | jq -r '.message')"
-                done
-            envFrom:
-              - secretRef:
-                  name: instance-secrets
+            - name: curl
+              image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
+              imagePullPolicy: IfNotPresent
+              command: ["/bin/sh", "-c"]
+              args:
+                - |
+                  echo "Fetching server list"
+                  json_data=$(curl -s -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" "http://$MISP_SERVICE/servers")
+                  echo "Fetched server list"
+                  id_list=$(echo "$json_data" | jq -r '.[]? | select(.Server.push == true) | .Server.id')
+                  echo "Pulling all servers with push enabled"
+                  for id in $id_list
+                  do
+                      echo "Creating job to push from server with id $id"
+                      result=$(curl -s -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" "http://$MISP_SERVICE/servers/push/$id")
+                      echo " - $(echo $result | jq -r '.message')"
+                  done
+              envFrom:
+                - secretRef:
+                    name: instance-secrets
           restartPolicy: Never
       backoffLimit: 2
       activeDeadlineSeconds: 1200
-  concurrencyPolicy: Forbid
+  concurrencyPolicy: Forbid
+
diff --git a/kubernetes/manifests/cronjobs/update-galaxies.yaml b/kubernetes/manifests/cronjobs/update-galaxies.yaml
@@ -14,16 +14,17 @@ spec:
             app.kubernetes.io/name: misp-cron
         spec:
           containers:
-          - name: curl
-            image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
-            imagePullPolicy: IfNotPresent
-            command: ["/bin/sh", "-c"]
-            args:
-              - 'curl -s -k -X POST -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" https://nginx/galaxies/update'
-            envFrom:
-              - secretRef:
-                  name: instance-secrets
+            - name: curl
+              image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
+              imagePullPolicy: IfNotPresent
+              command: ["/bin/sh", "-c"]
+              args:
+                - 'curl -s -X POST -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" "http://$MISP_SERVICE/galaxies/update"'
+              envFrom:
+                - secretRef:
+                    name: instance-secrets
           restartPolicy: Never
       backoffLimit: 2
       activeDeadlineSeconds: 1200
-  concurrencyPolicy: Forbid
+  concurrencyPolicy: Forbid
+
diff --git a/kubernetes/manifests/cronjobs/update-noticelists.yaml b/kubernetes/manifests/cronjobs/update-noticelists.yaml
@@ -14,16 +14,17 @@ spec:
             app.kubernetes.io/name: misp-cron
         spec:
           containers:
-          - name: curl
-            image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
-            imagePullPolicy: IfNotPresent
-            command: ["/bin/sh", "-c"]
-            args:
-              - 'curl -s -X POST -k -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" https://nginx/noticelists/update'
-            envFrom:
-              - secretRef:
-                  name: instance-secrets
+            - name: curl
+              image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
+              imagePullPolicy: IfNotPresent
+              command: ["/bin/sh", "-c"]
+              args:
+                - 'curl -s -X POST -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" "http://$MISP_SERVICE/noticelists/update"'
+              envFrom:
+                - secretRef:
+                    name: instance-secrets
           restartPolicy: Never
       backoffLimit: 2
       activeDeadlineSeconds: 1200
-  concurrencyPolicy: Forbid
+  concurrencyPolicy: Forbid
+
diff --git a/kubernetes/manifests/cronjobs/update-taxonomies.yaml b/kubernetes/manifests/cronjobs/update-taxonomies.yaml
@@ -14,16 +14,17 @@ spec:
             app.kubernetes.io/name: misp-cron
         spec:
           containers:
-          - name: curl
-            image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
-            imagePullPolicy: IfNotPresent
-            command: ["/bin/sh", "-c"]
-            args:
-              - 'curl -s -X POST -k -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" https://nginx/taxonomies/update'
-            envFrom:
-              - secretRef:
-                  name: instance-secrets
+            - name: curl
+              image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
+              imagePullPolicy: IfNotPresent
+              command: ["/bin/sh", "-c"]
+              args:
+                - 'curl -s -X POST -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" http://$MISP_SERVICE/taxonomies/update'
+              envFrom:
+                - secretRef:
+                    name: instance-secrets
           restartPolicy: Never
       backoffLimit: 2
       activeDeadlineSeconds: 1200
-  concurrencyPolicy: Forbid
+  concurrencyPolicy: Forbid
+
diff --git a/kubernetes/manifests/cronjobs/update-warninglists.yaml b/kubernetes/manifests/cronjobs/update-warninglists.yaml
@@ -14,15 +14,15 @@ spec:
             app.kubernetes.io/name: misp-cron
         spec:
           containers:
-          - name: curl
-            image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
-            imagePullPolicy: IfNotPresent
-            command: ["/bin/sh", "-c"]
-            args:
-              - 'curl -s -X POST -k -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" https://nginx/warninglists/update'
-            envFrom:
-              - secretRef:
-                  name: instance-secrets
+            - name: curl
+              image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.2.1
+              imagePullPolicy: IfNotPresent
+              command: ["/bin/sh", "-c"]
+              args:
+                - 'curl -s -X POST -H "Authorization: ${ADMIN_KEY}" -H "Accept: application/json" -H "Content-Type: application/json" http://$MISP_SERVICE/warninglists/update'
+              envFrom:
+                - secretRef:
+                    name: instance-secrets
           restartPolicy: Never
       backoffLimit: 2
       activeDeadlineSeconds: 600
diff --git a/kubernetes/manifests/deployment-misp.yaml b/kubernetes/manifests/deployment-misp.yaml
@@ -4,6 +4,7 @@ metadata:
   name: misp
   labels:
     app.kubernetes.io/name: misp
+    app.kubernetes.io/part-of: misp
 spec:
   strategy:
     type: Recreate
@@ -22,7 +23,7 @@ spec:
         fsGroup: 33
       containers:
         - name: misp
-          command: 
+          command:
             - /kubernetes/entrypoint_fpm.sh
           image: "ghcr.io/misp/misp-docker/misp-core:latest"
           imagePullPolicy: IfNotPresent
@@ -55,9 +56,11 @@ spec:
             - name: PYTHONUNBUFFERED
               value: "1"
             - name: MISP_MODULES_FQDN
-              value: http://localhost
+              value: http://misp-modules
             - name: MYSQL_HOST
               value: misp-mysql
+            - name: ENABLE_DB_SETTINGS
+              value: "true"
           envFrom:
             - secretRef:
                 name: mysql-credentials
@@ -70,6 +73,38 @@ spec:
             # Non-S3 persistence for attachment data
             #- mountPath: /var/www/MISP/app/files
             #  name: misp-files
+      volumes:
+        - emptyDir:
+            sizeLimit: 300Mi
+          name: shared-logs
+      #- name: misp-files
+      #  persistentVolumeClaim:
+      #    claimName: misp-files
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: misp-modules
+  labels:
+    app.kubernetes.io/name: misp-modules
+    app.kubernetes.io/part-of: misp
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: misp-modules
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: misp-modules
+    spec:
+      enableServiceLinks: false
+      securityContext:
+        # We want imported files to be owned by www-data group
+        fsGroup: 33
+      containers:
         - name: misp-modules
           resources:
             limits:
@@ -91,11 +126,3 @@ spec:
             - name: misp-modules
               containerPort: 6666
               protocol: TCP
-      volumes:
-      - emptyDir:
-          sizeLimit: 300Mi
-        name: shared-logs
-      #- name: misp-files
-      #  persistentVolumeClaim:
-      #    claimName: misp-files
-
diff --git a/kubernetes/manifests/deployment-nginx.yaml b/kubernetes/manifests/deployment-nginx.yaml
diff --git a/kubernetes/manifests/ingress.yaml b/kubernetes/manifests/ingress.yaml
diff --git a/kubernetes/manifests/nginx-cm.yaml b/kubernetes/manifests/nginx-cm.yaml
diff --git a/kubernetes/manifests/services.yaml b/kubernetes/manifests/services.yaml
