From aaeb739f12b10d1c942a7e20a0e73accd9c1c75e Mon Sep 17 00:00:00 2001 From: Alexander Olofsson Date: Wed, 14 Apr 2021 10:30:10 +0200 Subject: [PATCH] funkwhale: Update to 1.1.1 --- charts/funkwhale/Chart.yaml | 4 +- .../funkwhale/templates/configmap-front.yaml | 21 +++++++++- charts/funkwhale/templates/deployment.yaml | 37 ++++-------------- charts/funkwhale/values.yaml | 38 +++++++++++++++---- 4 files changed, 60 insertions(+), 40 deletions(-) diff --git a/charts/funkwhale/Chart.yaml b/charts/funkwhale/Chart.yaml index 209d84b..fcb2893 100644 --- a/charts/funkwhale/Chart.yaml +++ b/charts/funkwhale/Chart.yaml @@ -1,10 +1,10 @@ --- apiVersion: v2 -appVersion: "1.1" +appVersion: "1.1.1" description: A social platform to enjoy and share music icon: https://funkwhale.audio/favicon.png name: funkwhale -version: 0.3.7 +version: 0.3.8 dependencies: - name: redis diff --git a/charts/funkwhale/templates/configmap-front.yaml b/charts/funkwhale/templates/configmap-front.yaml index 0d5b3a5..0c5c147 100644 --- a/charts/funkwhale/templates/configmap-front.yaml +++ b/charts/funkwhale/templates/configmap-front.yaml @@ -28,6 +28,10 @@ data: root /frontend; + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + + location / { include /etc/nginx/funkwhale_proxy.conf; # this is needed if you have file import via upload enabled 
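Review bot: The two server-level `add_header` lines in `configmap-front.yaml` have no `always` parameter, so nginx attaches them only to a fixed set of success and redirect status codes and error responses go out without the policy; `add_header Referrer-Policy "strict-origin-when-cross-origin" always;` (and the same on the CSP line) closes that. nginx also drops inherited `add_header` directives in any location that declares one of its own, so locations outside this hunk that set a header will not carry the CSP unless it is repeated there. The policy has no `frame-ancestors` directive, and `default-src` does not fall back to it, so this header places no restriction on framing. The server block starts and ends outside the hunk.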
@@ -36,11 +40,25 @@ data: } location /front/ { + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + add_header Service-Worker-Allowed "/"; + add_header X-Frame-Options "ALLOW"; alias /frontend/; expires 30d; add_header Pragma public; add_header Cache-Control "public, must-revalidate, proxy-revalidate"; - add_header Service-Worker-Allowed "/"; + } + + location /front/embed.html { + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + + add_header X-Frame-Options "ALLOW"; + alias /frontend/embed.html; + expires 30d; + add_header Pragma public; + add_header Cache-Control "public, must-revalidate, proxy-revalidate"; } location /federation/ { @@ -66,6 +84,7 @@ data: {{- if .Values.s3.enabled }} location ~ /_protected/media/(.+) { internal; + proxy_set_header Authorization ""; proxy_pass $1; } {{- else }} diff --git a/charts/funkwhale/templates/deployment.yaml b/charts/funkwhale/templates/deployment.yaml index bd80a91..8e9b11f 100644 --- a/charts/funkwhale/templates/deployment.yaml +++ b/charts/funkwhale/templates/deployment.yaml 
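Review bot: `proxy_set_header Authorization "";` in the `/_protected/media/` location keeps the client's API credentials away from the storage host, but `proxy_pass $1;` still forwards the `Cookie` header, since nginx passes client request headers upstream by default. If the frontend authenticates with session cookies (not visible here), adding `proxy_set_header Cookie "";` next to it would keep those from the S3 endpoint as well. A one-line comment such as `# do not forward client credentials to the object store` would record why the header is cleared.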
@@ -48,21 +48,11 @@ spec: compose/django/entrypoint.sh compose/django/server.sh fi readinessProbe: - exec: - command: - - stat - - /run/funkwhale/funkwhale.sock - failureThreshold: {{ .Values.api.readinessProbe.failureThreshold | default 3 }} - periodSeconds: {{ .Values.api.readinessProbe.periodSeconds | default 5 }} - initialDelaySeconds: {{ .Values.api.readinessProbe.initialDelaySeconds | default 5 }} + {{ toYaml .Values.api.readinessProbe | nindent 12 }} + livenessProbe: + {{ toYaml .Values.api.livenessProbe | nindent 12 }} startupProbe: - exec: - command: - - stat - - /run/funkwhale/funkwhale.sock - failureThreshold: {{ .Values.api.startupProbe.failureThreshold | default 3 }} - periodSeconds: {{ .Values.api.startupProbe.periodSeconds | default 20 }} - initialDelaySeconds: {{ .Values.api.startupProbe.initialDelaySeconds | default 5 }} + {{ toYaml .Values.api.startupProbe | nindent 12 }} envFrom: - configMapRef: name: {{ include "funkwhale.fullname" . }} 
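Review bot: Rendering the probes straight from values drops the timing defaults the template used to supply (for `startupProbe`, `periodSeconds | default 20` and `initialDelaySeconds | default 5`), and the new defaults in `values.yaml` define only the handler. With Kubernetes' own defaults (10 s period, 3 failures, no initial delay) the api container gets about 30 s to create the socket before the startup probe restarts it, where it previously had about a minute; the front probes in the following hunk lose their timings the same way. Consider carrying the old numbers into the `values.yaml` defaults, e.g. `periodSeconds: 20` and `initialDelaySeconds: 5` under `api.startupProbe`. Because Helm merges user-supplied maps into the chart defaults, a user who sets another handler such as `httpGet` ends up with two handlers unless they also set `exec: null`, which deserves a comment in `values.yaml`.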
@@ -105,24 +95,11 @@ spec: containerPort: 80 protocol: TCP livenessProbe: - httpGet: - path: / - port: http - failureThreshold: {{ .Values.front.livenessProbe.failureThreshold | default 3 }} - periodSeconds: {{ .Values.front.livenessProbe.periodSeconds | default 20 }} - initialDelaySeconds: {{ .Values.front.livenessProbe.initialDelaySeconds | default 15 }} + {{ toYaml .Values.front.livenessProbe | nindent 12 }} readinessProbe: - tcpSocket: - port: http - failureThreshold: {{ .Values.front.readinessProbe.failureThreshold | default 3 }} - periodSeconds: {{ .Values.front.readinessProbe.periodSeconds | default 5 }} - initialDelaySeconds: {{ .Values.front.readinessProbe.initialDelaySeconds | default 5 }} + {{ toYaml .Values.front.readinessProbe | nindent 12 }} startupProbe: - tcpSocket: - port: http - failureThreshold: {{ .Values.front.startupProbe.failureThreshold | default 3 }} - periodSeconds: {{ .Values.front.startupProbe.periodSeconds | default 20 }} - initialDelaySeconds: {{ .Values.front.startupProbe.initialDelaySeconds | default 5 }} + {{ toYaml .Values.front.startupProbe | nindent 12 }} volumeMounts: - mountPath: /run/funkwhale name: funkwhale-sock diff --git a/charts/funkwhale/values.yaml b/charts/funkwhale/values.yaml index 345ef6c..c2b06f6 100644 --- a/charts/funkwhale/values.yaml +++ b/charts/funkwhale/values.yaml @@ -127,8 +127,23 @@ api: tolerations: [] affinity: {} - readinessProbe: {} - startupProbe: {} + readinessProbe: + exec: + command: + - stat + - /run/funkwhale/funkwhale.sock + + livenessProbe: + exec: + command: + - stat + - /run/funkwhale/funkwhale.sock + + startupProbe: + exec: + command: + - stat + - /run/funkwhale/funkwhale.sock front: image: 
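Review bot: The new `api.livenessProbe` default in `values.yaml` runs `stat /run/funkwhale/funkwhale.sock`, which only shows that the socket file exists, not that the server behind it still answers; a hung worker keeps the file and is never restarted. The path sits on the `funkwhale-sock` volume, so if that volume outlives a container restart (its type is not visible here) a stale socket would also let `startupProbe` and `readinessProbe` pass before the server is listening. A probe that actually connects to the socket, or removing a stale file in the entrypoint, would make the three checks meaningful. At minimum, add a comment above the defaults such as `# checks that the socket file exists, not that the API responds`.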
@@ -156,13 +171,22 @@ front: # memory: 128Mi nodeSelector: {} - tolerations: [] - affinity: {} - readinessProbe: {} - livenessProbe: {} - startupProbe: {} + + readinessProbe: + httpGet: + path: / + port: http + + livenessProbe: + httpGet: + path: / + port: http + + startupProbe: + tcpSocket: + port: http celery: beat: