feat: add origin protection key enforcement for envoy in `lds.supabase.yaml`
hf committed Nov 20, 2024
1 parent 2d9d454 commit b6500c3
Showing 3 changed files with 26 additions and 1 deletion.
1 change: 1 addition & 0 deletions .github/workflows/dockerhub-release-aio.yml
Expand Up @@ -74,6 +74,7 @@ jobs:
push: true
build-args: |
postgres_version=${{ needs.settings.outputs.base_docker_version }}
envoy_lds=lds.supabase.yaml
${{ needs.settings.outputs.build_args }}
target: production
tags: ${{ needs.settings.outputs.image_tag }}_${{ matrix.arch }}
21 changes: 21 additions & 0 deletions ansible/files/envoy_config/lds.supabase.yaml
Expand Up @@ -82,6 +82,27 @@ resources:
name: ':path'
string_match:
contains: apikey=supabase_admin_key
origin_protection_key_missing:
permissions:
- any: true
principals:
- not_id:
or_ids:
ids:
- header:
name: sb-opk
present_match: true
origin_protection_key_not_valid:
permissions:
- any: true
principals:
- not_id:
or_ids:
ids:
- header:
name: sb-opk
string_match:
exact: supabase_origin_protection_key
- name: envoy.filters.http.lua
typed_config:
'@type': >-
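Review bot: The comparison value `supabase_origin_protection_key` on the `exact:` line of `origin_protection_key_not_valid` is a literal committed in the config, so unless it is rewritten at build or deploy time every image built from this file enforces the same well-known key; a comment above that policy saying where the real value is injected, e.g. `# placeholder: substituted with the deployment's origin protection key before envoy starts`, would make the intent verifiable by the next reader. Note also that `origin_protection_key_missing` is a strict subset of `origin_protection_key_not_valid`: a request with no `sb-opk` header fails the `exact` match as well, so the two policies only need to be separate if they are referenced separately elsewhere, for example to return distinct responses (how the policies are consumed is outside the hunk). The enclosing `resources` entry starts and ends outside the hunk.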
5 changes: 4 additions & 1 deletion docker/all-in-one/Dockerfile
Expand Up @@ -227,9 +227,12 @@ COPY docker/all-in-one/etc/gotrue.env /etc/gotrue.env

# Customizations for envoy
ARG envoy_release
ARG envoy_lds="lds.yaml"
ADD --chmod=755 --chown=envoy:envoy "https://raw.githubusercontent.com/envoyproxy/envoy/v${envoy_release}/restarter/hot-restarter.py" /opt/envoy-hot-restarter.py
COPY --chmod=775 --chown=envoy:envoy --exclude=*.supabase.yaml ansible/files/envoy_config/ /etc/envoy/
COPY --chmod=775 --chown=envoy:envoy ansible/files/envoy_config/ /etc/envoy/
COPY --chmod=755 --chown=envoy:envoy ansible/files/start-envoy.sh /opt/
RUN mv /etc/envoy/${envoy_lds} /etc/envoy/lds.yaml
RUN rm -f /etc/envoy/lds.supabase.yaml

# Customizations for kong
COPY docker/all-in-one/etc/kong/kong.conf /etc/kong/kong.conf
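Review bot: With the default `ARG envoy_lds="lds.yaml"`, the added `RUN mv /etc/envoy/${envoy_lds} /etc/envoy/lds.yaml` moves a file onto itself, which GNU coreutils `mv` rejects ("are the same file") with a non-zero exit, so a build that does not pass `envoy_lds` would likely fail at that step even though the workflow in this commit always sets it. Guarding the move and folding the cleanup into one layer avoids this: `RUN if [ "${envoy_lds}" != "lds.yaml" ]; then mv "/etc/envoy/${envoy_lds}" /etc/envoy/lds.yaml; fi \` followed by `    && rm -f /etc/envoy/lds.supabase.yaml`. Which of the two `COPY ... ansible/files/envoy_config/` lines is the new one is not recoverable from this rendering; if the `--exclude=*.supabase.yaml` form is the one dropped, a comment on the unconditional COPY noting that the unused variant is pruned by the `rm -f` below keeps the two steps readable together. The remote `ADD` of hot-restarter.py is unchanged here but still carries no `--checksum=`, which is worth pinning in a follow-up.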
