fix(auth): harden public infra routes

2026-06-04 13:20:16 -05:00
parent 81a3ddac4c
commit 90599b0413
15 changed files with 189 additions and 20 deletions
--- a/apps/pki-web/pki-web.yaml
+++ b/apps/pki-web/pki-web.yaml
@@ -134,6 +134,8 @@ spec:
    metadata:
      labels:
        app: pki-web
+      annotations:
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
@@ -158,12 +160,18 @@ spec:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
+              httpHeaders:
+                - name: X-Forwarded-Proto
+                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
@@ -201,6 +209,7 @@ spec:
  dnsNames:
    - pki.iamworkin.lan
 ---
+# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
 # Traefik IngressRoute
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute