authorPatrick Spek <p.spek@tyil.nl>2023-10-27 13:15:57 +0200
committerPatrick Spek <p.spek@tyil.nl>2023-10-27 13:17:59 +0200
commit8936cde0433bbdf23a663d3feaf6faef31461bae (patch)
treef8df2b4d8ba84112c8c4cb7de84a39d7150c86a9
parent53f513e057a8259f5e5272ab713f2d35a75d70ce (diff)
Add proper CSP header for argo
-rw-r--r--data.d/k3s-master/manifests.d/tyilnet/cicd-system/auth-proxy.yaml18
-rw-r--r--data.d/k3s-master/manifests.d/tyilnet/cicd-system/ingress.yaml1
-rw-r--r--data.d/k3s-master/manifests.d/tyilnet/kube-system/treafik/middleware-headers-argo.yaml12
3 files changed, 31 insertions, 0 deletions
diff --git a/data.d/k3s-master/manifests.d/tyilnet/cicd-system/auth-proxy.yaml b/data.d/k3s-master/manifests.d/tyilnet/cicd-system/auth-proxy.yaml
index cd9aeb9..3b96bf8 100644
--- a/data.d/k3s-master/manifests.d/tyilnet/cicd-system/auth-proxy.yaml
+++ b/data.d/k3s-master/manifests.d/tyilnet/cicd-system/auth-proxy.yaml
@@ -7,9 +7,27 @@ metadata:
spec:
chart: https://git.tyil.nl/helm/oauth2-proxy/snapshot/oauth2-proxy-497a618778ead59ce985b81031a863dda9ff2126.tar.gz
valuesContent: |-
+ image:
+ tag: v7.4.0
secret:
enabled: false
envFrom:
secretRef:
- name: auth-proxy-ci
+ ingress:
+ enabled: true
+ ingressClassName: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-production"
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-redirect-https@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-headers-argo@kubernetescrd
+ tls:
+ - secretName: tls-nl.tyil.ci
+ hosts:
+ - ci.tyil.nl
+ hosts:
+ - host: ci.tyil.nl
+ paths:
+ - path: /
+ pathType: Prefix
...
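Review bot: The two `traefik.ingress.kubernetes.io/router.middlewares` keys added under `annotations:` are a duplicate mapping key, so the YAML loader that parses the rendered chart values will either reject the document or keep only the last key, silently dropping the `redirect-https` middleware from the CI ingress. Traefik expects several middlewares as one comma-separated value: `traefik.ingress.kubernetes.io/router.middlewares: kube-system-redirect-https@kubernetescrd,kube-system-headers-argo@kubernetescrd`. The same duplicate key is added in the ingress.yaml hunk of this commit and needs the same merge there. Because this block lives inside the `valuesContent` block scalar, linting the outer manifest will not catch it, so it is worth checking the rendered chart output directly.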
diff --git a/data.d/k3s-master/manifests.d/tyilnet/cicd-system/ingress.yaml b/data.d/k3s-master/manifests.d/tyilnet/cicd-system/ingress.yaml
index b97af7c..39da576 100644
--- a/data.d/k3s-master/manifests.d/tyilnet/cicd-system/ingress.yaml
+++ b/data.d/k3s-master/manifests.d/tyilnet/cicd-system/ingress.yaml
@@ -12,6 +12,7 @@ metadata:
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.middlewares: kube-system-redirect-https@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-headers-argo@kubernetescrd
spec:
ingressClassName: traefik
tls:
diff --git a/data.d/k3s-master/manifests.d/tyilnet/kube-system/treafik/middleware-headers-argo.yaml b/data.d/k3s-master/manifests.d/tyilnet/kube-system/treafik/middleware-headers-argo.yaml
new file mode 100644
index 0000000..c19e4f6
--- /dev/null
+++ b/data.d/k3s-master/manifests.d/tyilnet/kube-system/treafik/middleware-headers-argo.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: headers-argo
+ namespace: kube-system
+spec:
+ headers:
+ stsPreload: true
+ forceSTSHeader: true
+ contentSecurityPolicy: "default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:; worker-src *"
+...
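Review bot: The Middleware sets `stsPreload` and `forceSTSHeader` but no `stsSeconds`, and if I recall Traefik's headers middleware correctly the Strict-Transport-Security header is only emitted when `stsSeconds` is non-zero, so the HSTS part of this resource likely does nothing as written; add `stsSeconds: 31536000` (one year, which is also what preload lists expect) next to `stsPreload`. The CSP on the last line allows `'unsafe-inline'` and `'unsafe-eval'` in `default-src` plus `worker-src *`, which leaves very little of the script-injection protection a CSP is meant to provide; if the Argo UI genuinely needs these, a comment above the line such as `# 'unsafe-inline'/'unsafe-eval' needed by the Argo UI; re-check on upgrade` would stop the next reader from taking this for a hardened policy. `frame-ancestors` does not fall back to `default-src`, so if the UI is not meant to be embedded consider adding `frame-ancestors 'self'` to the policy (or Traefik's `frameDeny: true`). The new file's directory is spelled `treafik` while the middleware references elsewhere on the page use `traefik`, which may be a typo in the path.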