adding init

robinmordasiewicz · Sep 19, 2024 · 2ba862a · 2ba862a
1 parent 757db89
commit 2ba862a
Show file tree

Hide file tree

Showing 3 changed files with 169 additions and 169 deletions.
diff --git a/manifests/infrastructure/fortiweb-ingress/HelmRelease.yaml b/manifests/infrastructure/fortiweb-ingress/HelmRelease.yaml
@@ -14,12 +14,12 @@ spec:
         kind: HelmRepository
         name: fortiweb-ingress-controller
         namespace: cluster-config
-      version: "2.0.1"
+      version: "1.0.0-1"
   interval: 10m0s
   install:
     remediation:
       retries: 3
   values:
     image:
       repository: fortinet/fortiweb-ingress
-      tag: "latest"
+      tag: "1.0"
diff --git a/terraform/cloud-init/fortiweb.conf b/terraform/cloud-init/fortiweb.conf
@@ -1,10 +1,8 @@
 {
 "cloud-initd":"enable",
 "usr-cli":'
-config global
-  config system advanced
-    set owasp-top10-compliance enable
-  end
+config system settings
+  set enable-file-upload enable
 end
 config log disk
   set severity notification
@@ -13,181 +11,185 @@ config log traffic-log
   set status enable
   set packet-log enable
 end
-  config system interface
-    edit "port2"
-      set allowaccess ping https
-    next
-  end
-  config system settings
-    set enable-file-upload enable
-  end
-  config system dashboard-widget
-    edit "sys_${VAR-admin-username}_8_root"
-      config  widget
-        edit 1
-          set type fortiview
-          set fortiview-type owasp-top10
-        next
-      end
-    next
-    edit "sys_${VAR-admin-username}_9_root"
-      config  widget
-        edit 1
-          set type fortiview
-          set fortiview-type topology
-          set fortiview-visualization1 chart
-          set fortiview-visualization2 chart
+config system interface
+  edit "port2"
+    set allowaccess ping https
+  next
+end
+config system dashboard-widget
+  edit "sys_${VAR-admin-username}_8_root"
+    config  widget
+      edit 1
+        set type fortiview
+        set fortiview-type owasp-top10
         next
       end
     next
-  end
+  edit "sys_${VAR-admin-username}_9_root"
+    config  widget
+      edit 1
+        set type fortiview
+        set fortiview-type topology
+        set fortiview-visualization1 chart
+        set fortiview-visualization2 chart
+      next
+    end
+  next
+end
+config system admin
   edit "${VAR-admin-username}"
     config gui-dashboard
-        edit 8
-          set name "OWASP Top 10 Compliance"
-          set layout-type standalone
-          set widget-table sys_${VAR-admin-username}_8_root
-        next
-      end
-    next
-  end
-  config router static
+      edit 8
+        set name "OWASP Top 10 Compliance"
+        set layout-type standalone
+        set widget-table sys_${VAR-admin-username}_8_root
+      next
+    end
+  next
+end
+config system advanced
+  set owasp-top10-compliance enable
+end
+config router static
+  edit 1
+    set dst ${VAR-spoke-virtual-network_address_prefix}
+    set gateway ${VAR-spoke-default-gateway}
+    set device port2
+  next
+  edit 2
+    set gateway ${VAR-hub-external-subnet-gateway}
+    set device port1
+  next
+end
+config router setting
+  set ip-forward enable
+end
+config system firewall address
+  edit "spoke-aks-node-ip"
+    set ip-address-value ${VAR-spoke-aks-node-ip}
+  next
+  edit "internet"
+    set type ip-netmask
+  next
+  edit "spoke-check-internet-up-ip"
+    set ip-address-value ${VAR-spoke-check-internet-up-ip}
+  next
+  edit "hub-nva-external-vip"
+    set ip-address-value ${VAR-hub-nva-vip}
+  next
+  edit "kubernetes_nodes"
+    set type ip-netmask
+    set ip-netmask ${VAR-spoke-aks-network}
+  next
+end
+config system firewall service
+  edit "http"
+    set destination-port-min 80
+    set destination-port-max 80
+  next
+  edit "https"
+    set destination-port-min 443
+    set destination-port-max 443
+  next
+  edit "ICMP"
+    set protocol ICMP
+  next
+  edit "ollama-port"
+    set destination-port-min 11434
+    set destination-port-max 11434
+  next
+end
+config system firewall firewall-policy
+  set default-action deny
+  config firewall-policy-match-list
     edit 1
-      set dst ${VAR-spoke-virtual-network_address_prefix}
-      set gateway ${VAR-spoke-default-gateway}
-      set device port2
+      set in-interface port2
+      set out-interface port1
+      set src-address spoke-aks-node-ip
+      set dest-address internet
+      set service http
+      set action accept
     next
     edit 2
-      set gateway ${VAR-hub-external-subnet-gateway}
-      set device port1
-    next
-  end
-  config router setting
-    set ip-forward enable
-  end
-  config system firewall address
-    edit "spoke-aks-node-ip"
-      set ip-address-value ${VAR-spoke-aks-node-ip}
-    next
-    edit "internet"
-      set type ip-netmask
-    next
-    edit "spoke-check-internet-up-ip"
-      set ip-address-value ${VAR-spoke-check-internet-up-ip}
+      set in-interface port2
+      set out-interface port1
+      set src-address spoke-aks-node-ip
+      set dest-address internet
+      set service https
+      set action accept
     next
-    edit "hub-nva-external-vip"
-      set ip-address-value ${VAR-hub-nva-vip}
+    edit 3
+      set in-interface port2
+      set out-interface port1
+      set src-address spoke-aks-node-ip
+      set dest-address spoke-check-internet-up-ip
+      set service ICMP
+      set action accept
     next
-    edit "kubernetes_nodes"
-      set type ip-netmask
-      set ip-netmask ${VAR-spoke-aks-network}
+    edit 4
+      set in-interface port1
+      set src-address internet
+      set dest-address hub-nva-external-vip
+      set service http
+      set action accept
     next
-  end
-  config system firewall service
-    edit "http"
-      set destination-port-min 80
-      set destination-port-max 80
+    edit 5
+      set in-interface port1
+      set src-address internet
+      set dest-address hub-nva-external-vip
+      set service https
+      set action accept
     next
-    edit "https"
-      set destination-port-min 443
-      set destination-port-max 443
+    edit 6
+      set out-interface port2
+      set src-address internet
+      set dest-address spoke-aks-node-ip
+      set service ollama-port
+      set action accept
     next
-    edit "ICMP"
-      set protocol ICMP
+    edit 7
+      set in-interface port1
+      set out-interface port2
+      set src-address internet
+      set dest-address spoke-aks-node-ip
+      set service ollama-port
+      set action accept
     next
-  end
-  config system firewall firewall-policy
-    set default-action deny
-    config firewall-policy-match-list
-      edit 1
-        set in-interface port2
-        set out-interface port1
-        set src-address spoke-aks-node-ip
-        set dest-address internet
-        set service http
-        set action accept
-      next
-      edit 2
-        set in-interface port2
-        set out-interface port1
-        set src-address spoke-aks-node-ip
-        set dest-address internet
-        set service https
-        set action accept
-      next
-      edit 3
-        set in-interface port2
-        set out-interface port1
-        set src-address spoke-aks-node-ip
-        set dest-address google-dns
-        set service ICMP
-        set action accept
-      next
-      edit 4
-        set in-interface port1
-        set src-address internet
-        set dest-address hub-nva-external-vip
-        set service http
-        set action accept
-      next
-      edit 5
-        set in-interface port1
-        set src-address internet
-        set dest-address hub-nva-external-vip
-        set service https
-        set action accept
-      next
-      edit 6
-        set out-interface port2
-        set src-address internet
-        set dest-address spoke-aks-node-ip
-        set service spoke-aks-node-ports
-        set action accept
-      next
-      edit 7
-        set in-interface port1
-        set out-interface port2
-        set src-address internet
-        set dest-address spoke-aks-node-ip
-        set service spoke-aks-node-ports
-        set action accept
-      next
-      edit 8
-        set in-interface port2
-        set out-interface port1
-        set src-address kubernetes_nodes
-        set dest-address internet
-        set service all
-        set action accept
-      next
-    end
-  end
-  config system firewall snat-policy
-    edit "spoke-aks-node-to-internet-snat"
-      set source-start ${VAR-spoke-virtual-network_subnet}
-      set source-end ${VAR-spoke-virtual-network_netmask}
+    edit 8
+      set in-interface port2
       set out-interface port1
-      set trans-to-ip ${VAR-hub-nva-vip}
+      set src-address kubernetes_nodes
+      set dest-address internet
+      set service all
+      set action accept
     next
   end
-  config system feature-visibility
-    set ftp-security enable
-    set acceleration-policy enable
-    set web-cache enable
-    set wvs enable
-    set api-gateway enable
-    set firewall enable
-    set wad enable
-    set fortigate-integration enable
-    set recaptcha enable
-  end
-  config log traffic-log
-    set status enable
-    set packet-log enable
-  end
-  config log disk
-    set severity notification
-  end
+end
+config system firewall snat-policy
+  edit "spoke-aks-node-to-internet-snat"
+    set source-start ${VAR-spoke-virtual-network_subnet}
+    set source-end ${VAR-spoke-virtual-network_netmask}
+    set out-interface port1
+    set trans-to-ip ${VAR-hub-nva-vip}
+  next
+end
+config system feature-visibility
+  set ftp-security enable
+  set acceleration-policy enable
+  set web-cache enable
+  set wvs enable
+  set api-gateway enable
+  set firewall enable
+  set wad enable
+  set fortigate-integration enable
+  set recaptcha enable
+end
+config log traffic-log
+  set status enable
+  set packet-log enable
+end
+config log disk
+  set severity notification
 end
 config system certificate local
   edit "self-signed-cert"
@@ -199,7 +201,5 @@ config system certificate local
   next
 end
 ',
-"HaAzureInit":"enable",
-"FwbLicenseBYOL":"${VAR-fwb_license_file}",
-"flex_token":"${VAR-fwb_license_fortiflex}"
+"HaAzureInit":"disable"
 }