From 8936cde0433bbdf23a663d3feaf6faef31461bae Mon Sep 17 00:00:00 2001 From: Patrick Spek Date: Fri, 27 Oct 2023 13:15:57 +0200 Subject: Add proper CSP header for argo --- .../manifests.d/tyilnet/cicd-system/auth-proxy.yaml | 18 ++++++++++++++++++ .../manifests.d/tyilnet/cicd-system/ingress.yaml | 1 + .../kube-system/treafik/middleware-headers-argo.yaml | 12 ++++++++++++ 3 files changed, 31 insertions(+) create mode 100644 data.d/k3s-master/manifests.d/tyilnet/kube-system/treafik/middleware-headers-argo.yaml diff --git a/data.d/k3s-master/manifests.d/tyilnet/cicd-system/auth-proxy.yaml b/data.d/k3s-master/manifests.d/tyilnet/cicd-system/auth-proxy.yaml index cd9aeb9..3b96bf8 100644 --- a/data.d/k3s-master/manifests.d/tyilnet/cicd-system/auth-proxy.yaml +++ b/data.d/k3s-master/manifests.d/tyilnet/cicd-system/auth-proxy.yaml @@ -7,9 +7,27 @@ metadata: spec: chart: https://git.tyil.nl/helm/oauth2-proxy/snapshot/oauth2-proxy-497a618778ead59ce985b81031a863dda9ff2126.tar.gz valuesContent: |- + image: + tag: v7.4.0 secret: enabled: false envFrom: secretRef: - name: auth-proxy-ci + ingress: + enabled: true + ingressClassName: traefik + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-production" + traefik.ingress.kubernetes.io/router.middlewares: kube-system-redirect-https@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: kube-system-headers-argo@kubernetescrd + tls: + - secretName: tls-nl.tyil.ci + hosts: + - ci.tyil.nl + hosts: + - host: ci.tyil.nl + paths: + - path: / + pathType: Prefix ... diff --git a/data.d/k3s-master/manifests.d/tyilnet/cicd-system/ingress.yaml b/data.d/k3s-master/manifests.d/tyilnet/cicd-system/ingress.yaml index b97af7c..39da576 100644 --- a/data.d/k3s-master/manifests.d/tyilnet/cicd-system/ingress.yaml +++ b/data.d/k3s-master/manifests.d/tyilnet/cicd-system/ingress.yaml 
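Review bot: The `annotations:` map added under `ingress:` inside `valuesContent` repeats the key `traefik.ingress.kubernetes.io/router.middlewares`, which YAML does not allow; depending on how Helm's decoder treats the duplicate, the chart render either fails outright or keeps only the last value, silently dropping `kube-system-redirect-https` from the oauth2-proxy router so plain-HTTP requests to ci.tyil.nl are no longer forced onto HTTPS. Traefik reads this annotation as a single comma-separated list, so replace the two lines with `traefik.ingress.kubernetes.io/router.middlewares: kube-system-redirect-https@kubernetescrd,kube-system-headers-argo@kubernetescrd`. Whether a lost redirect is actually reachable depends on what else fronts this host, which is not visible here. The HelmChart resource's own metadata sits above the hunk.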
@@ -12,6 +12,7 @@ metadata:
 annotations:
 cert-manager.io/cluster-issuer: "letsencrypt-production"
 traefik.ingress.kubernetes.io/router.middlewares: kube-system-redirect-https@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-headers-argo@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
diff --git a/data.d/k3s-master/manifests.d/tyilnet/kube-system/treafik/middleware-headers-argo.yaml b/data.d/k3s-master/manifests.d/tyilnet/kube-system/treafik/middleware-headers-argo.yaml
new file mode 100644
index 0000000..c19e4f6
--- /dev/null
+++ b/data.d/k3s-master/manifests.d/tyilnet/kube-system/treafik/middleware-headers-argo.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: headers-argo
+ namespace: kube-system
+spec:
+ headers:
+ stsPreload: true
+ forceSTSHeader: true
+ contentSecurityPolicy: "default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:; worker-src *"
+...
-- cgit v1.1
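Review bot: The added `traefik.ingress.kubernetes.io/router.middlewares` annotation duplicates the key on the context line directly above it, so the two cannot coexist in one `annotations:` mapping: a strict decoder (kubectl's client-side validation, for one) rejects the manifest, and a lenient last-wins decoder keeps only `headers-argo`, removing the HTTP-to-HTTPS redirect from this router, which is the opposite of what a header-hardening change wants. Merge the two into one comma-separated value, `traefik.ingress.kubernetes.io/router.middlewares: kube-system-redirect-https@kubernetescrd,kube-system-headers-argo@kubernetescrd`. The rest of the Ingress (its `metadata` name and the remainder of `spec`) lies outside the hunk.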
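Review bot: The new Middleware never emits a Strict-Transport-Security header as written, because Traefik only sets it when `stsSeconds` is non-zero; `stsPreload: true` and `forceSTSHeader: true` merely decorate a header that is not there, and `forceSTSHeader` adds nothing anyway since browsers ignore HSTS over plain HTTP and the redirect middleware already handles that leg. Add `stsSeconds: 31536000` and `stsIncludeSubdomains: true` beside `stsPreload: true` (both are preconditions for preload-list inclusion). The `contentSecurityPolicy` keeps `'unsafe-inline' 'unsafe-eval'`, which largely waives the policy's script-injection protection; that may be unavoidable for the Argo UI, but the directives that do not fall back to `default-src` are simply absent, so nothing here stops the CI UI from being framed or a base-tag/plugin injection, and `worker-src *` is broader than the rest of the policy. `traefik.containo.us/v1alpha1` is also the deprecated API group; newer Traefik releases serve these CRDs as `traefik.io/v1alpha1`, so check the bundled version before this becomes a silent no-op.
```yaml
spec:
  headers:
    # Traefik omits Strict-Transport-Security entirely while stsSeconds is 0
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    stsPreload: true
    # object-src/base-uri/frame-ancestors do not inherit from default-src
    contentSecurityPolicy: "default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:; worker-src *; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
```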