From 14195e5da7fba43b1f2024f8b1583967131917ff Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com>
Date: Thu, 18 Jun 2026 10:37:53 -0500
Subject: [PATCH] harden updatecenter public route methods

---
 apps/fc-updater/README.md | 3 ++-
 apps/fc-updater/fc-updater.yaml | 2 +-
 .../bluejay-infra-lint/FleetManifestLintTests.cs | 16 ++++++++++++++++
 .../08_public_readwrite_allowlist.rego | 2 --
 4 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/apps/fc-updater/README.md b/apps/fc-updater/README.md
index 6228059..66dcde6 100644
--- a/apps/fc-updater/README.md
+++ b/apps/fc-updater/README.md
@@ -43,5 +43,6 @@ shared origin cert must exist in every namespace that serves a
 ```powershell
 kubectl.exe --kubeconfig C:\Users\AndrewStoltz\.kube\rke2.yaml -n argocd get application infra-fc-updater
 kubectl.exe --kubeconfig C:\Users\AndrewStoltz\.kube\rke2.yaml -n fc-updater get deploy,svc,ingressroute,certificate,pvc
-curl.exe -sk https://update.flowercore.io/api/v1/manifests/_schema
+curl.exe -sk https://update.flowercore.io/
+curl.exe -sk -o NUL -w "%{http_code}`n" https://update.flowercore.io/login
 ```
diff --git a/apps/fc-updater/fc-updater.yaml b/apps/fc-updater/fc-updater.yaml
index ae6b5f3..f36920c 100644
--- a/apps/fc-updater/fc-updater.yaml
+++ b/apps/fc-updater/fc-updater.yaml
@@ -266,7 +266,7 @@ spec:
 entryPoints:
 - websecure
 routes:
- - match: (Host(`update.flowercore.io`) || Host(`updates.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
+ - match: (Host(`update.flowercore.io`) || Host(`updates.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
 kind: Rule
 services:
 - name: updatecenter-web
diff --git a/tests/bluejay-infra-lint/FleetManifestLintTests.cs b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
index e369d74..bcfa14f 100644
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
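Review bot: The narrowed `Method()` clause on the new `match:` line is an edge-level filter, not authorization: a non-matching POST is simply left unrouted by Traefik, but every GET/HEAD path on `updatecenter-web` — including the `/login` page the README now probes — stays reachable from the internet, so the application must still authenticate any state-changing or administrative handler rather than rely on this route. Dropping `OPTIONS` also removes CORS preflight for this host pair; plain same-origin and simple cross-origin GETs are unaffected, but a browser client sending custom headers to these hosts would break — presumably none exists, worth confirming before merge. I would record the intent next to the route so the next editor does not "fix" it back: `# Public delivery edge is read-only (GET/HEAD); write traffic stays on the internal IngressRoute and the app must still authorize it.` The enclosing IngressRoute (its name and TLS block) starts outside the hunk, so I cannot confirm from here that this is the `updatecenter-web-public` object the new lint test selects.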
@@ -1013,6 +1013,22 @@ public sealed class FleetManifestLintTests
 match.Should().NotContain("Method(`POST`)");
 }

+ [Fact]
+ public void UpdateCenterPublicIngress_KeepsDeliveryOnlyGetHeadMethodAllowlist()
+ {
+ var publicIngress = AppDocuments("fc-updater")
+ .Single(document => document.Kind == "IngressRoute" && document.Name == "updatecenter-web-public");
+ var route = publicIngress.MappingSequence("spec", "routes").Should().ContainSingle().Subject;
+ var match = ManifestNodeExtensions.Scalar(route, "match");
+
+ match.Should().Contain("Host(`update.flowercore.io`)");
+ match.Should().Contain("Host(`updates.flowercore.io`)");
+ match.Should().Contain("Method(`GET`)");
+ match.Should().Contain("Method(`HEAD`)");
+ match.Should().NotContain("Method(`POST`)");
+ match.Should().NotContain("Method(`OPTIONS`)");
+ }
+
 [Fact]
 public void DnsAndMediaIngressRoutes_MatchLiveInternalHosts()
 {
diff --git a/tests/bluejay-infra-lint/conftest.dev/08_public_readwrite_allowlist.rego b/tests/bluejay-infra-lint/conftest.dev/08_public_readwrite_allowlist.rego
index 00a701c..9386f5e 100644
--- a/tests/bluejay-infra-lint/conftest.dev/08_public_readwrite_allowlist.rego
+++ b/tests/bluejay-infra-lint/conftest.dev/08_public_readwrite_allowlist.rego
@@ -9,8 +9,6 @@ package bluejayinfra.public_readwrite_allowlist
 public_readwrite_hosts := {
 "updatecenter.iamworkin.lan",
 "updates.iamworkin.lan",
- "update.flowercore.io",
- "updates.flowercore.io",
 }

 required_methods := {"GET", "HEAD", "POST", "OPTIONS"}
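Review bot: The two `NotContain` assertions at the end of `UpdateCenterPublicIngress_KeepsDeliveryOnlyGetHeadMethodAllowlist` only reject `POST` and `OPTIONS`, so a later `|| Method(`PUT`)` or `Method(`DELETE`)` on the public route would still pass a test whose name promises a GET/HEAD-only allowlist. Assert the allowlist as a set instead of enumerating verbs to exclude: `var methods = Regex.Matches(match, @"Method\(`([A-Z]+)`\)").Select(m => m.Groups[1].Value);` followed by `methods.Should().BeEquivalentTo(new[] { "GET", "HEAD" });` (needs `using System.Text.RegularExpressions;`; `MatchCollection` is enumerable as `Match` on .NET Core 2+), keeping the two `Host(...)` checks as they are. A one-line comment above the `[Fact]` would also spare the next reader a trip to fc-updater.yaml: `// Public delivery edge is read-only; the iamworkin.lan hosts remain the read-write routes per the rego allowlist.` The enclosing class `FleetManifestLintTests` begins outside the hunk.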
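Review bot: Removing the two flowercore hosts from `public_readwrite_hosts` means this policy no longer constrains them at all — if `POST` or `OPTIONS` is reintroduced on the public route, the conftest gate stays green and only the new xUnit test catches it, so the two lint layers now disagree on coverage. Add a parallel read-only contract here: `public_readonly_hosts := {"update.flowercore.io", "updates.flowercore.io"}` and `readonly_methods := {"GET", "HEAD"}`, plus a deny rule mirroring the existing read-write one that fires when an IngressRoute match for a read-only host contains any `Method(` token outside that set. The rule that consumes `required_methods` is outside the hunk, so its exact shape is inferred here. A comment on the set would also help: `# Only the internal iamworkin.lan hosts may accept writes; the public flowercore.io hosts are GET/HEAD only.`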