Add Cloud Armor to onlineboutique.dev (#689)

* Update README with instruction

* Delete frontend-nodeport.yaml

* Update frontend-ingress.yaml

* Update README.md

* add backend-config and frontend-config

* update according to the tests conducted

* fix typo in --redis-version=redis_6_x

* Alter wording/casing in release-cluster/README.md

* Taking into consideration comments

Co-authored-by: Nim Jayawardena <[email protected]>

Author: mathieu-benoit

.github/release-cluster/README.md

@@ -1,3 +1,67 @@
 # onlineboutique.dev manifests
 
-This directory contains extra deploy manifests for configuring a domain name/static IP to point to an Online Boutique deployment running in GKE. 
+This directory contains extra deploy manifests for configuring a domain name/static IP to point to an Online Boutique deployment running in GKE and for setting up Cloud Armor.
+
+_Note: before moving forward, the OnlineBoutique apps should already be deployed [on the online-boutique-release GKE cluster](../../hack#10-deploy-releasekubernetes-manifestsyaml-to-our-online-boutique-release-gke-cluster)._
+
+Create the static public IP address:
+```
+STATIC_IP_NAME=online-boutique-ip # name hard-coded in: frontend-ingress.yaml
+gcloud compute addresses create $STATIC_IP_NAME --global
+```
+
+When ready to do so, you could grab this public IP address and update your DNS:
+```
+gcloud compute addresses describe $STATIC_IP_NAME \
+    --global \
+    --format "value(address)"
+```
+
+Set up Cloud Armor:
+```
+SECURITY_POLICY_NAME=online-boutique-security-policy # Name hard-coded in: backendconfig.yaml
+gcloud compute security-policies create $SECURITY_POLICY_NAME \
+    --description "Block various attacks"
+gcloud compute security-policies rules create 1000 \
+    --security-policy $SECURITY_POLICY_NAME \
+    --expression "evaluatePreconfiguredExpr('xss-stable')" \
+    --action "deny-403" \
+    --description "XSS attack filtering"
+gcloud compute security-policies rules create 12345 \
+    --security-policy $SECURITY_POLICY_NAME \
+    --expression "evaluatePreconfiguredExpr('cve-canary')" \
+    --action "deny-403" \
+    --description "CVE-2021-44228 and CVE-2021-45046"
+gcloud compute security-policies update $SECURITY_POLICY_NAME \
+    --enable-layer7-ddos-defense
+gcloud compute security-policies update $SECURITY_POLICY_NAME \
+    --log-level=VERBOSE
+```
+
+Set up an SSL policy in order to later set up a redirect from HTTP to HTTPs:
+```
+SSL_POLICY_NAME=online-boutique-ssl-policy # Name hard-coded in: frontendconfig.yaml
+gcloud compute ssl-policies create $SSL_POLICY_NAME \
+    --profile COMPATIBLE  \
+    --min-tls-version 1.0
+```
+
+Deploy the Kubernetes manifests in this current folder:
+```
+kubectl apply -f .
+```
+
+Wait for the `ManagedCertificate` to be provisioned. This usually takes about 30 minutes.
+```
+kubectl get managedcertificates
+```
+
+Remove the default `LoadBalancer` `Service` not used at this point:
+```
+kubectl delete service frontend-external
+```
+
+Remove the `loadgenerator` `Deployment` not used at this point:
+```
+kubectl delete deployment loadgenerator
+```

.github/release-cluster/backend-config.yaml

@@ -0,0 +1,7 @@
+apiVersion: cloud.google.com/v1
+kind: BackendConfig
+metadata:
+  name: frontend-backend-config
+spec:
+  securityPolicy:
+    name: online-boutique-security-policy

.github/release-cluster/frontend-config.yaml

@@ -0,0 +1,9 @@
+apiVersion: networking.gke.io/v1beta1
+kind: FrontendConfig
+metadata:
+  name: frontend-frontend-config
+spec:
+  sslPolicy: online-boutique-ssl-policy
+  redirectToHttps:
+    enabled: true
+    responseCodeName: MOVED_PERMANENTLY_DEFAULT

.github/release-cluster/frontend-ingress.yaml

@@ -1,11 +1,19 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: frontend-ingress
   annotations:
     kubernetes.io/ingress.global-static-ip-name: online-boutique-ip
     networking.gke.io/managed-certificates: online-boutique-certificate
+    networking.gke.io/v1beta1.FrontendConfig: frontend-frontend-config
 spec:
-  backend:
-    serviceName: frontend-nodeport
-    servicePort: 80
+  rules:
+  - http:
+      paths:
+      - path: /*
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: frontend
+            port:
+              number: 80

.github/release-cluster/frontend-nodeport.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend
+  annotations:
+    cloud.google.com/neg: '{"ingress": true}'
+    cloud.google.com/backend-config: '{"default": "frontend-backend-config"}'
+spec:
+  type: ClusterIP
+  selector:
+    app: frontend
+  ports:
+  - name: http
+    port: 80
+    targetPort: 8080

.github/release-cluster/frontend-service.yaml

@@ -33,7 +33,7 @@ gcloud services enable redis.googleapis.com --project=${PROJECT_ID}
 3. Create the Memorystore (redis) instance. 
 
 ```sh
-gcloud redis instances create redis-cart --size=1 --region=${REGION} --zone=${ZONE} --redis-version=redis_6_X --project=${PROJECT_ID}
+gcloud redis instances create redis-cart --size=1 --region=${REGION} --zone=${ZONE} --redis-version=redis_6_x --project=${PROJECT_ID}
 ```
 
 After a few minutes, you will see the `STATUS` as `READY` when your Memorystore instance will be successfully provisioned: