diff --git a/package.json b/package.json
index 3245952..29a98f2 100644
--- a/package.json
+++ b/package.json
@@ -23,11 +23,11 @@
 "url": "https://gitlab.com/domaindrivenarchitecture/c4k-website/issues"
 },
 "dependencies": {
- "js-base64": "^3.6.1",
+ "js-base64": "^3.7.2",
 "js-yaml": "^4.0.0"
 },
 "devDependencies": {
 "shadow-cljs": "^2.11.18",
 "source-map-support": "^0.5.19"
 }
-}
\ No newline at end of file
+}
diff --git a/src/main/cljc/dda/c4k_website/core.cljc b/src/main/cljc/dda/c4k_website/core.cljc
index bddf835..f6c32bd 100644
--- a/src/main/cljc/dda/c4k_website/core.cljc
+++ b/src/main/cljc/dda/c4k_website/core.cljc
@@ -15,16 +15,3 @@ (website/generate-certificate config) (website/generate-website-build-cron config) (website/generate-website-build-secret config)]))) - -(not - (= - {:website.conf-c1 - "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name test.de;\n # security headers\n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # maybe need to add:\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n # root /usr/share/nginx/html/; # testing purposes\n index index.html;\n location / { \n try_files $uri $uri/ /index.html =404; \n }\n}", - :website.conf-c2 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name test.com;\n # security headers\n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # maybe need to add:\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n # root /usr/share/nginx/html/; # testing purposes\n index index.html;\n location / { \n try_files $uri $uri/ /index.html =404; \n }\n}", - :name-c1 "test-de-configmap", - :name-c2 "test-com-configmap"} - {:website.conf-c1 - 
"server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name test.de;\n # security headers\n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # maybe need to add:\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n # root /usr/share/nginx/html/; # testing purposes\n index index.html;\n location / { \n try_files $uri $uri/ /index.html =404; \n }\n}\n", - :website.conf-c2 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name test.com;\n # security headers\n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # maybe need to add:\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n # root /usr/share/nginx/html/; # testing purposes\n index index.html;\n location / { \n try_files $uri $uri/ /index.html =404; \n }\n}\n", - :name-c1 "test-de-configmap", - :name-c2 "test-com-configmap"})) diff --git a/src/main/resources/website/certificate.yaml b/src/main/resources/website/certificate.yaml index 003e8e9..4495833 100644 --- a/src/main/resources/website/certificate.yaml 
+++ b/src/main/resources/website/certificate.yaml
@@ -12,4 +12,5 @@ spec:
 - FQDN
 issuerRef:
 name: staging
- kind: ClusterIssuer
\ No newline at end of file
+ kind: ClusterIssuer
+ 
\ No newline at end of file
diff --git a/src/main/resources/website/nginx-configmap.yaml b/src/main/resources/website/nginx-configmap.yaml
index 6e6b6f5..1bdee73 100644
--- a/src/main/resources/website/nginx-configmap.yaml
+++ b/src/main/resources/website/nginx-configmap.yaml
@@ -82,20 +82,18 @@ data:
 listen 443 ssl;
 ssl_certificate /etc/certs/tls.crt;
 ssl_certificate_key /etc/certs/tls.key;
- server_name FQDN
- # security headers
+ server_name FQDN
 add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
 add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Content-Type-Options nosniff;
 add_header Referrer-Policy "strict-origin";
- # maybe need to add:
 # add_header Permissions-Policy "permissions here";
 root /var/www/html/website/;
- # root /usr/share/nginx/html/; # testing purposes
 index index.html;
- location / {
- try_files $uri $uri/ /index.html =404;
+ location / {
+ try_files $uri $uri/ /index.html =404;
 }
- }
\ No newline at end of file
+ }
+ 
\ No newline at end of file
diff --git a/src/main/resources/website/nginx-deployment.yaml b/src/main/resources/website/nginx-deployment.yaml
index 5d1fbcd..eba5998 100644
--- a/src/main/resources/website/nginx-deployment.yaml
+++ b/src/main/resources/website/nginx-deployment.yaml
@@ -26,6 +26,7 @@ spec:
 name: log
 - mountPath: /var/www/html/website
 name: website-content-volume
+ readOnly: true
 - mountPath: /etc/certs
 name: website-cert
 readOnly: true
@@ -52,4 +53,5 @@ spec:
 - key: tls.crt
 path: tls.crt
 - key: tls.key
- path: tls.key
\ No newline at end of file
+ path: tls.key
+ 
\ No newline at end of file
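Review bot: The rewritten `server_name` line in the nginx-configmap.yaml hunk reads `server_name FQDN` with no terminating `;` as rendered here (the removed line shows the same), while both the old and the new fixture in website_test.cljc expect `server_name test.de;` — nginx rejects a directive that lacks its `;`, so confirm the template line really ends in `server_name FQDN;` before relying on the generated config. Separately, the hunk's new last line is whitespace-only and still carries `\ No newline at end of file`, so the file still does not end with a line feed; the same pattern appears in certificate.yaml, nginx-deployment.yaml and website-build-cron.yaml. Ending each file with a single newline directly after its last real line (`}`, `kind: ClusterIssuer`, `path: tls.key`, `restartPolicy: OnFailure`) and no trailing indentation would achieve what the change appears to intend.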
diff --git a/src/main/resources/website/website-build-cron.yaml b/src/main/resources/website/website-build-cron.yaml
index 920c715..2cc3c4f 100644
--- a/src/main/resources/website/website-build-cron.yaml
+++ b/src/main/resources/website/website-build-cron.yaml
@@ -30,4 +30,5 @@ spec:
 - name: content-volume
 persistentVolumeClaim:
 claimName: NAME-content-volume
- restartPolicy: OnFailure
\ No newline at end of file
+ restartPolicy: OnFailure
+ 
\ No newline at end of file
diff --git a/src/test/cljc/dda/c4k_website/website_test.cljc b/src/test/cljc/dda/c4k_website/website_test.cljc
index 890bf7f..083e0e3 100644
--- a/src/test/cljc/dda/c4k_website/website_test.cljc
+++ b/src/test/cljc/dda/c4k_website/website_test.cljc
@@ -36,8 +36,8 @@ (cut/generate-ingress {:fqdn "test.de"})))) (deftest should-generate-nginx-configmap - (is (= {:website.conf-c1 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name test.de;\n # security headers\n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # maybe need to add:\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n # root /usr/share/nginx/html/; # testing purposes\n index index.html;\n location / { \n try_files $uri $uri/ /index.html =404; \n }\n}", - :website.conf-c2 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name test.com;\n # security headers\n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # maybe need to add:\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n # root /usr/share/nginx/html/; # testing purposes\n index index.html;\n location / { \n try_files $uri $uri/ /index.html =404; \n }\n}", + (is (= {:website.conf-c1 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate 
/etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name test.de; \n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n index index.html;\n location / {\n try_files $uri $uri/ /index.html =404;\n }\n}\n", + :website.conf-c2 "server {\n listen 80 default_server;\n listen [::]:80 default_server;\n listen 443 ssl;\n ssl_certificate /etc/certs/tls.crt;\n ssl_certificate_key /etc/certs/tls.key;\n server_name test.com; \n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";\n add_header X-XSS-Protection \"1; mode=block\";\n add_header X-Frame-Options \"SAMEORIGIN\";\n add_header X-Content-Type-Options nosniff;\n add_header Referrer-Policy \"strict-origin\";\n # add_header Permissions-Policy \"permissions here\";\n root /var/www/html/website/;\n index index.html;\n location / {\n try_files $uri $uri/ /index.html =404;\n }\n}\n", :name-c1 "test-de-configmap", :name-c2 "test-com-configmap"} (th/map-diff (cut/generate-nginx-configmap {:fqdn "test.de"}) @@ -61,7 +61,7 @@ :volumeMounts [{:mountPath "/etc/nginx", :readOnly true, :name "nginx-config-volume"} {:mountPath "/var/log/nginx", :name "log"} - {:mountPath "/var/www/html/website", :name "website-content-volume"} + {:mountPath "/var/www/html/website", :name "website-content-volume", :readOnly true} {:mountPath "/etc/certs", :name "website-cert", :readOnly true}]}], :volumes [{:name "nginx-config-volume",
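Review bot: The two expected configs added in the `:website.conf-c1` / `:website.conf-c2` lines of should-generate-nginx-configmap are the same ~900-character string differing only in `server_name test.de;` versus `server_name test.com;`, so every template change has to be hand-edited twice and the two copies can drift apart — this commit already pays that cost. A small helper such as `(defn- expected-nginx-conf [fqdn] (str "server {\n listen 80 default_server;\n …" " server_name " fqdn "; \n …}\n"))`, used as `(expected-nginx-conf "test.de")` and `(expected-nginx-conf "test.com")`, keeps the fixture in one place. The new strings also pin incidental trailing whitespace (`server_name test.de; \n`), so a later whitespace cleanup of nginx-configmap.yaml would fail this test; trimming that trailing space in the template or comparing normalized strings would make the assertion less brittle. The deftest form continues past the end of the hunk.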