author | Patrick Spek <p.spek@tyil.nl> | 2023-10-27 13:15:57 +0200 |
---|---|---|
committer | Patrick Spek <p.spek@tyil.nl> | 2023-10-27 13:17:59 +0200 |
commit | 8936cde0433bbdf23a663d3feaf6faef31461bae (patch) | |
tree | f8df2b4d8ba84112c8c4cb7de84a39d7150c86a9 | |
parent | 53f513e057a8259f5e5272ab713f2d35a75d70ce (diff) |
Add proper CSP header for argo
3 files changed, 31 insertions, 0 deletions
diff --git a/data.d/k3s-master/manifests.d/tyilnet/cicd-system/auth-proxy.yaml b/data.d/k3s-master/manifests.d/tyilnet/cicd-system/auth-proxy.yaml index cd9aeb9..3b96bf8 100644 --- a/data.d/k3s-master/manifests.d/tyilnet/cicd-system/auth-proxy.yaml +++ b/data.d/k3s-master/manifests.d/tyilnet/cicd-system/auth-proxy.yaml @@ -7,9 +7,27 @@ metadata: spec: chart: https://git.tyil.nl/helm/oauth2-proxy/snapshot/oauth2-proxy-497a618778ead59ce985b81031a863dda9ff2126.tar.gz valuesContent: |- + image: + tag: v7.4.0 secret: enabled: false envFrom: secretRef: - name: auth-proxy-ci + ingress: + enabled: true + ingressClassName: traefik + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-production" + traefik.ingress.kubernetes.io/router.middlewares: kube-system-redirect-https@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: kube-system-headers-argo@kubernetescrd + tls: + - secretName: tls-nl.tyil.ci + hosts: + - ci.tyil.nl + hosts: + - host: ci.tyil.nl + paths: + - path: / + pathType: Prefix ... diff --git a/data.d/k3s-master/manifests.d/tyilnet/cicd-system/ingress.yaml b/data.d/k3s-master/manifests.d/tyilnet/cicd-system/ingress.yaml index b97af7c..39da576 100644 --- a/data.d/k3s-master/manifests.d/tyilnet/cicd-system/ingress.yaml +++ b/data.d/k3s-master/manifests.d/tyilnet/cicd-system/ingress.yaml @@ -12,6 +12,7 @@ metadata: annotations: cert-manager.io/cluster-issuer: "letsencrypt-production" traefik.ingress.kubernetes.io/router.middlewares: kube-system-redirect-https@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: kube-system-headers-argo@kubernetescrd spec: ingressClassName: traefik tls: diff --git a/data.d/k3s-master/manifests.d/tyilnet/kube-system/treafik/middleware-headers-argo.yaml b/data.d/k3s-master/manifests.d/tyilnet/kube-system/treafik/middleware-headers-argo.yaml new file mode 100644 index 0000000..c19e4f6 --- /dev/null +++ b/data.d/k3s-master/manifests.d/tyilnet/kube-system/treafik/middleware-headers-argo.yaml 
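Review bot: The `annotations` map added in auth-proxy.yaml declares `traefik.ingress.kubernetes.io/router.middlewares` twice, and the line added in ingress.yaml repeats the key already present as context directly above it. Duplicate mapping keys are invalid YAML; depending on the loader the manifest is either rejected or only the last value is kept, in which case `kube-system-redirect-https` would drop off both routers without any error. Traefik reads this annotation as a comma-separated list, so a single entry should carry both: `traefik.ingress.kubernetes.io/router.middlewares: kube-system-redirect-https@kubernetescrd,kube-system-headers-argo@kubernetescrd`. In ingress.yaml the `metadata` block starts above the hunk, so any further entries there are not visible.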
@@ -0,0 +1,12 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: headers-argo
+ namespace: kube-system
+spec:
+ headers:
+ stsPreload: true
+ forceSTSHeader: true
+ contentSecurityPolicy: "default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:; worker-src *"
+... |
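Review bot: `stsPreload` and `forceSTSHeader` are set without `stsSeconds`, and Traefik's headers middleware documents that `Strict-Transport-Security` is only sent when `stsSeconds` is non-zero, so as written these two options most likely produce no header at all. If preload is the intent, add `stsSeconds: 31536000` and `stsIncludeSubdomains: true` next to them. The policy in `contentSecurityPolicy` allows `'unsafe-inline'` and `'unsafe-eval'` in `default-src` and any origin in `worker-src`, which leaves little protection against injected script. If the Argo UI really needs those sources, a comment above the key should say so, for example `# 'unsafe-inline'/'unsafe-eval' are required by the Argo UI; tighten when possible`. It is also worth testing `worker-src 'self' blob:` and appending `frame-ancestors 'self'; base-uri 'self'`, since those last two directives do not fall back to `default-src`.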