deploy(updater): gate public UpdateCenter host

2026-06-17 23:47:07 -05:00
parent 63fde0a593
commit b7d34da3d6
6 changed files with 23 additions and 13 deletions
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -16,6 +16,8 @@ public sealed class FleetManifestLintTests
    {
        "brochure.flowercore.io",
        "dist.flowercore.io",
+        "update.flowercore.io",
+        "updates.flowercore.io",
    };

    // Hosts that allow a tightly bounded write surface in addition to GET/HEAD.
--- a/tests/bluejay-infra-lint/conftest.dev/02_public_method_allowlist.rego
+++ b/tests/bluejay-infra-lint/conftest.dev/02_public_method_allowlist.rego
@@ -1,6 +1,12 @@
 package bluejayinfra.public_method_allowlist

-public_hosts := {"brochure.flowercore.io", "dist.flowercore.io", "dns.iamworkin.lan"}
+public_hosts := {
+  "brochure.flowercore.io",
+  "dist.flowercore.io",
+  "dns.iamworkin.lan",
+  "update.flowercore.io",
+  "updates.flowercore.io",
+}

 deny[msg] {
  input.kind == "IngressRoute"
--- a/tests/bluejay-infra-lint/conftest.dev/08_public_readwrite_allowlist.rego
+++ b/tests/bluejay-infra-lint/conftest.dev/08_public_readwrite_allowlist.rego
@@ -9,8 +9,6 @@ package bluejayinfra.public_readwrite_allowlist
 public_readwrite_hosts := {
  "updatecenter.iamworkin.lan",
  "updates.iamworkin.lan",
-  "update.flowercore.io",
-  "updates.flowercore.io",
 }

 required_methods := {"GET", "HEAD", "POST", "OPTIONS"}