fix(auth): harden public infra routes

2026-06-04 13:20:16 -05:00
parent 81a3ddac4c
commit 90599b0413
15 changed files with 189 additions and 20 deletions
--- a/apps/fc-landing/fc-landing.yaml
+++ b/apps/fc-landing/fc-landing.yaml
@@ -203,6 +203,8 @@ spec:
    metadata:
      labels:
        app: fc-landing
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -227,12 +229,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -298,7 +306,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
+    - match: (Host(`flowercore.io`) || Host(`www.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: fc-landing
@@ -316,7 +324,7 @@ spec:
  entryPoints:
    - web
  routes:
-    - match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
+    - match: (Host(`flowercore.io`) || Host(`www.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: fc-landing