deploy(updater): contain public UpdateCenter on GX10

Andrew Stoltz
2026-06-18 10:55:50 -05:00
parent aba9d7c995
commit 2c1aa3f0c8
3 changed files with 20 additions and 3 deletions


@@ -43,5 +43,6 @@ shared origin cert must exist in every namespace that serves a
```powershell ```powershell
kubectl.exe --kubeconfig C:\Users\AndrewStoltz\.kube\rke2.yaml -n argocd get application infra-fc-updater kubectl.exe --kubeconfig C:\Users\AndrewStoltz\.kube\rke2.yaml -n argocd get application infra-fc-updater
kubectl.exe --kubeconfig C:\Users\AndrewStoltz\.kube\rke2.yaml -n fc-updater get deploy,svc,ingressroute,certificate,pvc kubectl.exe --kubeconfig C:\Users\AndrewStoltz\.kube\rke2.yaml -n fc-updater get deploy,svc,ingressroute,certificate,pvc
curl.exe -sk https://update.flowercore.io/api/v1/manifests/_schema curl.exe -sk https://update.flowercore.io/
curl.exe -sk -o NUL -w "%{http_code}`n" https://update.flowercore.io/login
``` ```


@@ -61,7 +61,7 @@ spec:
nodeName: rke2-server nodeName: rke2-server
containers: containers:
- name: web - name: web
image: localhost/fc-updater-web:v20260614-regroup-bdf4a4a image: localhost/fc-updater-web:v20260618-public-containment-8c5386e
imagePullPolicy: Never imagePullPolicy: Never
ports: ports:
- containerPort: 8080 - containerPort: 8080
@@ -266,7 +266,7 @@ spec:
entryPoints: entryPoints:
- websecure - websecure
routes: routes:
- match: (Host(`update.flowercore.io`) || Host(`updates.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`)) - match: (Host(`update.flowercore.io`) || Host(`updates.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
kind: Rule kind: Rule
services: services:
- name: updatecenter-web - name: updatecenter-web
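Review bot: The narrowed `match` on the public route restricts hosts and methods but carries no path clause, so every GET/HEAD endpoint served by `updatecenter-web` stays reachable on both public hosts, including the `/login` path that the runbook check appears to probe. If the containment is meant to expose delivery endpoints only, add a path matcher to the same rule, for example `` && PathPrefix(`/<delivery-prefix>`) `` (placeholder prefix), or confirm that the new image itself refuses the non-delivery routes. A comment above the rule such as `# public ingress is delivery-only: GET/HEAD, no POST/OPTIONS (enforced by FleetManifestLintTests)` would also keep a later edit from re-adding the methods. The IngressRoute's metadata and the rest of its spec are outside this hunk.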


@@ -1223,6 +1223,22 @@ public sealed class FleetManifestLintTests
match.Should().NotContain("Method(`POST`)"); match.Should().NotContain("Method(`POST`)");
} }
[Fact]
public void UpdateCenterPublicIngress_KeepsDeliveryOnlyGetHeadMethodAllowlist()
{
var publicIngress = AppDocuments("fc-updater")
.Single(document => document.Kind == "IngressRoute" && document.Name == "updatecenter-web-public");
var route = publicIngress.MappingSequence("spec", "routes").Should().ContainSingle().Subject;
var match = ManifestNodeExtensions.Scalar(route, "match");
match.Should().Contain("Host(`update.flowercore.io`)");
match.Should().Contain("Host(`updates.flowercore.io`)");
match.Should().Contain("Method(`GET`)");
match.Should().Contain("Method(`HEAD`)");
match.Should().NotContain("Method(`POST`)");
match.Should().NotContain("Method(`OPTIONS`)");
}
[Fact] [Fact]
public void DnsAndMediaIngressRoutes_MatchLiveInternalHosts() public void DnsAndMediaIngressRoutes_MatchLiveInternalHosts()
{ {
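Review bot: `UpdateCenterPublicIngress_KeepsDeliveryOnlyGetHeadMethodAllowlist` is named as an allowlist test but only denies two methods: `NotContain` is asserted for POST and OPTIONS, so a later edit that adds PUT, DELETE or PATCH to the public route would still pass. Pin the exact set instead, e.g. `` Regex.Matches(match, @"Method\(`([A-Z]+)`\)").Select(m => m.Groups[1].Value).Should().BeEquivalentTo(new[] { "GET", "HEAD" }); `` (this needs `System.Text.RegularExpressions` in scope, and the file's usings are not visible here). The substring checks also do not verify that the host group and the method group are joined by `&&`, so a rule that ORs them together would pass as well. Asserting the whole expected `match` string would cover both gaps.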