OPSEXP-2188: add nginx specific annotation to use from repo a share (#70)
alxgomz authored Jul 10, 2023
1 parent c98c8fe commit 854f5a1
Showing 4 changed files with 70 additions and 2 deletions.
2 changes: 1 addition & 1 deletion charts/alfresco-common/Chart.yaml
@@ -5,7 +5,7 @@ description: |
A helper subchart to avoid duplication in alfresco charts and set common
external dependencies
type: library
version: 2.0.0
version: 2.1.0-alpha.0
dependencies:
- name: common
repository: >-
2 changes: 1 addition & 1 deletion charts/alfresco-common/README.md
@@ -1,6 +1,6 @@
# alfresco-common

![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square)
![Version: 2.1.0-alpha.0](https://img.shields.io/badge/Version-2.1.0--alpha.0-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square)

A helper subchart to avoid duplication in alfresco charts and set common
external dependencies
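--- a/charts/alfresco-common/templates/_helpers-nginx.tpl
+++ b/charts/alfresco-common/templates/_helpers-nginx.tpl
@@ -0,0 +1,23 @@
+{{/*
+Define annotations as provided in values
+Skip ANY server-snippet annotation (CVE-2021-25742)
+*/}}
+{{- define "alfresco-common.nginx.annotations" }}
+{{- range $annotation, $value := .ingress.annotations }}
+{{- if ne $annotation "nginx.ingress.kubernetes.io/server-snippet" }}
+{{- $annotation | nindent 4 }}: |-
+{{- $value | nindent 6 }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define required annotations for secure ACS/SHARE API access
+*/}}
+{{- define "alfresco-common.nginx.secure.annotations" }}
+nginx.ingress.kubernetes.io/server-snippet: |
+location ~ ^/.*/(wc)?s(ervice)?/api/solr/.*$ {return 403;}
+location ~ ^/.*/proxy/.*/api/solr/.*$ {return 403;}
+location ~ ^/.*/-default-/proxy/.*/api/.*$ {return 403;}
+location ~ ^/.*/s/prometheus$ {return 403;}
+{{- end }}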
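Review bot: The filter in `alfresco-common.nginx.annotations` drops only the exact key `nginx.ingress.kubernetes.io/server-snippet`, although the comment cites CVE-2021-25742, which concerns custom snippet annotations in general; `configuration-snippet` and the other `*-snippet` keys supplied through `.ingress.annotations` are still rendered, as is `server-snippet` when the controller runs with a non-default annotation prefix. Matching on the suffix covers those cases, e.g. `{{- if not (hasSuffix "-snippet" $annotation) }}`, and the comment should state that the actual control is the controller's `allow-snippet-annotations` setting. In `alfresco-common.nginx.secure.annotations` the Prometheus rule matches only `/s/prometheus`, while the Solr rule covers the `(wc)?s(ervice)?` aliases; if the endpoint is served under those aliases as well (not visible here), use the same alternation: `location ~ ^/.*/(wc)?s(ervice)?/prometheus$ {return 403;}`. These deny rules depend on snippet annotations being accepted by the controller, so it is worth documenting that they are not applied where snippets are disabled and that the paths then need another block.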
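--- a/charts/alfresco-common/templates/_helpers-url.tpl
+++ b/charts/alfresco-common/templates/_helpers-url.tpl
@@ -0,0 +1,45 @@
+{{/*
+Build up CSRF referer
+*/}}
+{{- define "alfresco-common.csrf.referer" -}}
+{{- $known_urls := . }}
+{{- $csrf_referers := list }}
+{{- if kindIs "string" . }}
+{{- $known_urls = splitList "," . }}
+{{- end }}
+{{- range $known_urls }}
+{{- $parsed_url := urlParse . }}
+{{- $known_url := urlJoin (dict "host" $parsed_url.host "path" $parsed_url.path "scheme" $parsed_url.scheme) }}
+{{- $csrf_referers = append $csrf_referers $known_url }}
+{{- end }}
+{{- $csrf_referers | join "/.*\\|" }}/.*
+{{- end -}}
+
+{{/*
+Build up CSRF Origin
+*/}}
+{{- define "alfresco-common.csrf.origin" -}}
+{{- $known_urls := . }}
+{{- $csrf_origins := list }}
+{{- if kindIs "string" . }}
+{{- $known_urls = splitList "," . }}
+{{- end }}
+{{- range $known_urls }}
+{{- $parsed_url := urlParse . }}
+{{- $known_url := urlJoin (dict "host" $parsed_url.host "scheme" $parsed_url.scheme) }}
+{{- $csrf_origins = append $csrf_origins $known_url }}
+{{- end }}
+{{- $csrf_origins | join "," }}
+{{- end -}}
+
+{{/*
+Pick the main external host
+*/}}
+{{- define "alfresco-common.external.url" -}}
+{{- $known_urls := .}}
+{{- if kindIs "string" . }}
+{{- $known_urls = splitList "," . }}
+{{- end }}
+{{- $parsed_url := urlParse (first $known_urls) }}
+{{- urlJoin (dict "host" $parsed_url.host "scheme" $parsed_url.scheme) }}
+{{- end -}}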
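Review bot: `alfresco-common.csrf.referer` turns each known URL into a regular expression without escaping it, so the dots in a host name match any character and the rendered pattern accepts more referers than the configured hosts. Escape the literal part before the wildcard is appended, e.g. `{{- $csrf_referers = append $csrf_referers (regexQuoteMeta $known_url) }}`, after checking how the consumer of this value treats backslashes (the `\\|` separator suggests one level of un-escaping downstream; that consumer is not visible here). All three helpers also accept entries for which `urlParse` returns an empty scheme or host, such as a value written without `https://` or an empty element left by a trailing comma, and then silently emit a partial pattern or an empty origin. A `fail` when `$parsed_url.host` or `$parsed_url.scheme` is empty would surface that misconfiguration at render time instead of in the CSRF filter.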
