Stop listening at 0.0.0.0 by default

Usage of 0.0.0.0 exposes API endpoint to all networks and can cause unexpected leakage. This change updates the default to use more restricted address (127.0.0.1, which is the default defined in Watcher itself) unless the address is given by a user explicitly. Change-Id: Ibc895cf2b06d3b0c1b2073d8d6aa90d7d6f299d2
2022-08-15 02:15:10 +09:00 · 2022-08-15 02:15:10 +09:00 · 388e3a2dfb
commit 388e3a2dfb
parent a9314d0c38
3 changed files with 10 additions and 4 deletions
--- a/manifests/api.pp
+++ b/manifests/api.pp
@ -29,11 +29,11 @@
 # [*max_limit*]
 #   (Optional)The maximum number of items returned in a single response from a
 #   collection resource.
-#   Defaults to $::os_service_default
+#   Defaults to $::os_service_default.
 #
 # [*bind_host*]
 #   (Optional) Listen IP for the watcher API server.
-#   Defaults to '0.0.0.0'.
+#   Defaults to $::os_service_default.
 #
 # [*workers*]
 #   (Optional) Number of worker processors to for the Watcher API service.
@ -170,7 +170,7 @@ class watcher::api (
  $manage_service                     = true,
  $port                               = 9322,
  $max_limit                          = $::os_service_default,
-  $bind_host                          = '0.0.0.0',
+  $bind_host                          = $::os_service_default,
  $workers                            = $::os_workers,
  $enable_ssl_api                     = $::os_service_default,
  $service_name                       = $::watcher::params::api_service_name,
--- a/releasenotes/notes/default-bind_host-7ab540eba59c4135.yaml
+++ b/releasenotes/notes/default-bind_host-7ab540eba59c4135.yaml
@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    Default value of the ``watcher::api::bind_host`` parameter has been changed
+    from ``0.0.0.0`` to the service default(``127.0.0.1``). The parameter
+    should be configured propelry during upgrade.
--- a/spec/classes/watcher_api_spec.rb
+++ b/spec/classes/watcher_api_spec.rb
@ -52,7 +52,7 @@ describe 'watcher::api' do
      it 'should configure the api configurations section when enabled' do
        is_expected.to contain_watcher_config('api/port').with_value(9322)
        is_expected.to contain_watcher_config('api/max_limit').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_watcher_config('api/host').with_value('0.0.0.0')
+        is_expected.to contain_watcher_config('api/host').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_watcher_config('api/workers').with_value(2)
        is_expected.to contain_watcher_config('api/enable_ssl_api').with_value('<SERVICE DEFAULT>')
      end