From d965ee706014b6395fdb2d2ce0f3e4f520f64503 Mon Sep 17 00:00:00 2001
From: lebaudantoine
Date: Mon, 5 Aug 2024 16:58:11 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F(helm)=20allow=20server=20?=
 =?UTF-8?q?host=20and=20whitelist=20pod=20IP=20for=20health=20checks?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated Django's ALLOWED_HOSTS setting from '*' to the specific host of the server. Setting ALLOWED_HOSTS to '*' is a security risk as it allows any host to access the application, potentially exposing it to malicious attacks. Restricting ALLOWED_HOSTS to the server's host ensures only legitimate requests are processed. In a Kubernetes environment, we also needed to whitelist the pod's IP address to allow health checks to pass. This ensures that Kubernetes liveness and readiness probes can access the application to verify its health.
---
 bin/{update_openapi_schema => update-openapi-schema} | 0
 src/backend/meet/settings.py | 7 ++++++-
 src/helm/env.d/dev/values.meet.yaml.gotmpl | 2 +-
 src/helm/env.d/preprod/values.meet.yaml.gotmpl | 2 +-
 src/helm/env.d/production/values.meet.yaml.gotmpl | 2 +-
 src/helm/env.d/staging/values.meet.yaml.gotmpl | 2 +-
 6 files changed, 10 insertions(+), 5 deletions(-)
 rename bin/{update_openapi_schema => update-openapi-schema} (100%)
diff --git a/bin/update_openapi_schema b/bin/update-openapi-schema
similarity index 100%
rename from bin/update_openapi_schema
rename to bin/update-openapi-schema
diff --git a/src/backend/meet/settings.py b/src/backend/meet/settings.py
index d59dc233..96a53ea5 100755
--- a/src/backend/meet/settings.py
+++ b/src/backend/meet/settings.py
@@ -12,6 +12,7 @@ https://docs.djangoproject.com/en/3.1/ref/settings/
 import json
 import os
+from socket import gethostbyname, gethostname
 from django.utils.translation import gettext_lazy as _
@@ -514,7 +515,11 @@ class Production(Base):
 """
 # Security
- ALLOWED_HOSTS = values.ListValue(None)
+ ALLOWED_HOSTS = [
+ *values.ListValue([], environ_name="ALLOWED_HOSTS"),
+ gethostbyname(gethostname()),
+ ]
+
 CSRF_TRUSTED_ORIGINS = values.ListValue([])
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
diff --git a/src/helm/env.d/dev/values.meet.yaml.gotmpl b/src/helm/env.d/dev/values.meet.yaml.gotmpl
index 03a21dd7..46519b41 100644
--- a/src/helm/env.d/dev/values.meet.yaml.gotmpl
+++ b/src/helm/env.d/dev/values.meet.yaml.gotmpl
@@ -8,7 +8,7 @@ backend:
 envVars:
 DJANGO_CSRF_TRUSTED_ORIGINS: https://meet.127.0.0.1.nip.io,http://meet.127.0.0.1.nip.io
 DJANGO_CONFIGURATION: Production
- DJANGO_ALLOWED_HOSTS: "*"
+ DJANGO_ALLOWED_HOSTS: meet.127.0.0.1.nip.io
 DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
 DJANGO_SETTINGS_MODULE: meet.settings
 DJANGO_SILENCED_SYSTEM_CHECKS: security.W004, security.W008
diff --git a/src/helm/env.d/preprod/values.meet.yaml.gotmpl b/src/helm/env.d/preprod/values.meet.yaml.gotmpl
index 80804cdd..5bada2d6 100644
--- a/src/helm/env.d/preprod/values.meet.yaml.gotmpl
+++ b/src/helm/env.d/preprod/values.meet.yaml.gotmpl
@@ -10,7 +10,7 @@ backend:
 envVars:
 DJANGO_CSRF_TRUSTED_ORIGINS: http://meet-preprod.beta.numerique.gouv.fr,https://meet-preprod.beta.numerique.gouv.fr
 DJANGO_CONFIGURATION: Production
- DJANGO_ALLOWED_HOSTS: "*"
+ DJANGO_ALLOWED_HOSTS: meet-preprod.beta.numerique.gouv.fr
 DJANGO_SUPERUSER_EMAIL:
 secretKeyRef:
 name: backend
diff --git a/src/helm/env.d/production/values.meet.yaml.gotmpl b/src/helm/env.d/production/values.meet.yaml.gotmpl
index b16ca097..a2d30e2d 100644
--- a/src/helm/env.d/production/values.meet.yaml.gotmpl
+++ b/src/helm/env.d/production/values.meet.yaml.gotmpl
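Review bot: `gethostbyname(gethostname())` in the new `ALLOWED_HOSTS` list performs a resolver lookup every time `settings.py` is imported, for every configuration and not only `Production` (a class body runs at import time), and if the container's hostname does not resolve the import dies with `socket.gaierror` before Django even starts. Inside a pod the kubelet-managed `/etc/hosts` entry presumably makes the lookup return the pod IP that the probes target; elsewhere it returns whatever the resolver gives, possibly a loopback address, which is neither useful nor harmful but is an unexplained entry in a security setting. I would keep the env-derived list on its own line, guard the lookup with `except OSError`, and say in a comment that the extra entry exists for kubelet liveness/readiness probes. An alternative that keeps `ALLOWED_HOSTS` fully static is to have the probes send the public hostname themselves via `httpGet.httpHeaders` (`Host: <configured host>`) in the chart's deployment template. The spread over `values.ListValue([], environ_name=...)` also relies on the value resolving eagerly when `environ_name` is passed, which is worth confirming against the pinned django-configurations release.
```python
    # Security
    ALLOWED_HOSTS = values.ListValue([], environ_name="ALLOWED_HOSTS")
    try:
        # Kubelet liveness/readiness probes address the pod by IP rather than
        # by the public hostname, so the pod IP must be accepted as well.
        ALLOWED_HOSTS = [*ALLOWED_HOSTS, gethostbyname(gethostname())]
    except OSError:
        # Hostname not resolvable (e.g. outside Kubernetes): keep the env list only.
        pass
    # … unchanged: CSRF_TRUSTED_ORIGINS and the SECURE_* settings …
```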
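Review bot: `DJANGO_ALLOWED_HOSTS` is now consumed through `values.ListValue`, so this key is a comma-separated list and only the one hostname written here is accepted; if an environment's ingress routes additional names to the backend (an alias or preview domain, which I cannot see from the chart), Django will answer 400 for them until they are added. The same applies to the preprod, production and staging hunks. A short comment beside the key, `# comma-separated; must list every Host the ingress routes to this backend`, would make the contract explicit for whoever edits these values next.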
@@ -10,7 +10,7 @@ backend:
 envVars:
 DJANGO_CSRF_TRUSTED_ORIGINS: https://meet.numerique.gouv.fr
 DJANGO_CONFIGURATION: Production
- DJANGO_ALLOWED_HOSTS: "*"
+ DJANGO_ALLOWED_HOSTS: meet.numerique.gouv.fr
 DJANGO_SECRET_KEY:
 secretKeyRef:
 name: backend
diff --git a/src/helm/env.d/staging/values.meet.yaml.gotmpl b/src/helm/env.d/staging/values.meet.yaml.gotmpl
index 7dcaa71c..18a3e243 100644
--- a/src/helm/env.d/staging/values.meet.yaml.gotmpl
+++ b/src/helm/env.d/staging/values.meet.yaml.gotmpl
@@ -10,7 +10,7 @@ backend:
 envVars:
 DJANGO_CSRF_TRUSTED_ORIGINS: http://meet-staging.beta.numerique.gouv.fr,https://meet-staging.beta.numerique.gouv.fr
 DJANGO_CONFIGURATION: Production
- DJANGO_ALLOWED_HOSTS: "*"
+ DJANGO_ALLOWED_HOSTS: meet-staging.beta.numerique.gouv.fr
 DJANGO_SECRET_KEY:
 secretKeyRef:
 name: backend