Ingress: clear X-Frame-Options header from responses.

This enables applications to be loaded in iframes, although it does
sacrifice security a bit.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Change-Id: Ibb5568b5461bbe001106724a0cf64ec25e7fd4ce
diff --git a/core/installer/app_test.go b/core/installer/app_test.go
index a979342..0d7bd6a 100644
--- a/core/installer/app_test.go
+++ b/core/installer/app_test.go
@@ -187,3 +187,71 @@
 		t.Log(string(r))
 	}
 }
+
+func TestIngressPublic(t *testing.T) {
+	r := NewInMemoryAppRepository(CreateAllApps())
+	a, err := FindInfraApp(r, "ingress-public")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if a == nil {
+		t.Fatal("returned app is nil")
+	}
+	release := Release{
+		Namespace: "foo",
+	}
+	env := InfraConfig{
+		Name:                 "dodo",
+		PublicIP:             []net.IP{net.ParseIP("1.2.3.4")},
+		InfraNamespacePrefix: "id-",
+		InfraAdminPublicKey:  []byte("foo"),
+	}
+	values := map[string]any{
+		"sshPrivateKey": "private",
+	}
+	rendered, err := a.Render(release, env, values)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, r := range rendered.Resources {
+		t.Log(string(r))
+	}
+}
+
+func TestPrivateNetwork(t *testing.T) {
+	r := NewInMemoryAppRepository(CreateAllApps())
+	a, err := FindEnvApp(r, "private-network")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if a == nil {
+		t.Fatal("returned app is nil")
+	}
+	release := Release{
+		Namespace: "foo",
+	}
+	env := AppEnvConfig{
+		InfraName:       "dodo",
+		Id:              "id",
+		ContactEmail:    "foo@bar.ge",
+		Domain:          "bar.ge",
+		PrivateDomain:   "p.bar.ge",
+		PublicIP:        []net.IP{net.ParseIP("1.2.3.4")},
+		NamespacePrefix: "id-",
+	}
+	values := map[string]any{
+		"privateNetwork": map[string]any{
+			"hostname": "foo",
+			"username": "bar",
+			"ipSubnet": "123123",
+		},
+		"sshPrivateKey": "private",
+	}
+	rendered, err := a.Render(release, env, values)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, r := range rendered.Resources {
+		t.Log(string(r))
+	}
+}
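Review bot: Both new tests, `TestIngressPublic` and `TestPrivateNetwork`, only log the rendered resources and assert nothing, so they would still pass if the `server-snippet` that clears `X-Frame-Options` were dropped or mis-rendered. Because that snippet removes a browser-side protection for everything behind the ingress, the rendered config is worth pinning: check that at least one rendered resource contains `more_clear_headers`, as sketched below for `TestIngressPublic` (the same check fits `TestPrivateNetwork`). It needs `strings` in the file's imports, which are outside this hunk. How the directive is quoted in the rendered output is not visible here, so the check matches only the directive name.

```go
	rendered, err := a.Render(release, env, values)
	// … unchanged: error check on Render …
	found := false
	for _, r := range rendered.Resources {
		t.Log(string(r))
		if strings.Contains(string(r), "more_clear_headers") {
			found = true
		}
	}
	if !found {
		t.Error("no rendered resource carries the more_clear_headers server-snippet")
	}
```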
diff --git a/core/installer/values-tmpl/ingress-public.cue b/core/installer/values-tmpl/ingress-public.cue
index 93ce90c..2258945 100644
--- a/core/installer/values-tmpl/ingress-public.cue
+++ b/core/installer/values-tmpl/ingress-public.cue
@@ -61,7 +61,12 @@
 					default: false
 					controllerValue: "k8s.io/\(_ingressPublic)"
 				}
-				config: "proxy-body-size": "100M" // TODO(giolekva): configurable
+				config: {
+					"proxy-body-size": "200M" // TODO(giolekva): configurable
+					"server-snippet": """
+					more_clear_headers "X-Frame-Options";
+					"""
+				}
 				image: {
 					registry: images.ingressNginx.registry
 					image: images.ingressNginx.imageName
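Review bot: The `server-snippet` added to `config` applies controller-wide, so `more_clear_headers "X-Frame-Options";` strips the header from every response served through the public ingress, including apps that set `DENY` or `SAMEORIGIN` on purpose (login or admin pages, for instance); those lose clickjacking protection unless they also send a CSP `frame-ancestors` directive. The same applies to the identical snippet added in `private-network.cue`. Consider making this opt-in per application rather than global, and at minimum record the trade-off next to the setting, e.g. `// SECURITY: removes X-Frame-Options from all responses of this controller; apps that need framing protection must send CSP frame-ancestors`. Separately, this hunk also raises `proxy-body-size` from `100M` to `200M`, which the commit message does not mention.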
diff --git a/core/installer/values-tmpl/private-network.cue b/core/installer/values-tmpl/private-network.cue
index bc58a9f..156b078 100644
--- a/core/installer/values-tmpl/private-network.cue
+++ b/core/installer/values-tmpl/private-network.cue
@@ -84,7 +84,11 @@
 					controllerValue: "k8s.io/\(_ingressPrivate)"
 				}
 				config: {
+					"proxy-body-size": "200M" // TODO(giolekva): configurable
 					"force-ssl-redirect": "true"
+					"server-snippet": """
+					more_clear_headers "X-Frame-Options";
+					"""
 				}
 				extraArgs: {
 					"default-ssl-certificate": "\(_ingressPrivate)/cert-wildcard.\(global.privateDomain)"
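Review bot: The added `"proxy-body-size": "200M"` line is unrelated to the header change and is not mentioned in the commit message; the old side of this hunk has no such key in `config`, so it appears to introduce a new, fairly large request-body limit on the private ingress. The literal and its TODO now exist both here and in `ingress-public.cue`, so the two values can drift apart. Consider moving it to its own change or hoisting the value into one shared definition, with a short comment on why 200M is needed, since a larger accepted body size increases the buffer and disk space a single request can consume.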