fix(auth): harden public infra routes

2026-06-04 13:20:16 -05:00
parent 81a3ddac4c
commit 90599b0413
15 changed files with 189 additions and 20 deletions
--- a/apps/fit/fit.yaml
+++ b/apps/fit/fit.yaml
@@ -201,6 +201,8 @@ spec:
    metadata:
      labels:
        app: fit-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -225,12 +227,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -265,7 +273,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`flowerinsider.xyz`) || Host(`www.flowerinsider.xyz`)
+    - match: (Host(`flowerinsider.xyz`) || Host(`www.flowerinsider.xyz`)) && (Method(`GET`) || Method(`HEAD`))
      kind: Rule
      services:
        - name: fit-web