Simplify Postgres DB certificate handling and use a CSP during web development #9
Conversation
gary-archer
changed the title
|
|
||
| RUN apt-get update && apt-get install -y inotify-tools | ||
|
|
||
| COPY postgresql.conf /etc/postgresql/postgresql.conf |
There was a problem hiding this comment.
Previously I copied these files around in some initialization bash scripting which was a little non standard. Now I just copy in custom file and configure Postgres to use it in a more standard way..
| @@ -63,9 +63,12 @@ GRANT SELECT, INSERT, UPDATE, DELETE ON products TO demoapi; | |||
|
|
|||
| ## X509 SVID Downloads | |||
|
|
|||
There was a problem hiding this comment.
Previously I had problems if Postgres started but the certificate was not available yet. Now I use a pattern of a init container to get the initial secret and a sidecar container to keep it updated.
| ((COUNT++)) | ||
| done | ||
| ``` | ||
|
|
There was a problem hiding this comment.
Whereas this type of polling felt non standard and is now removed.
| @@ -76,6 +81,25 @@ spec: | |||
| readOnly: true | |||
| - name: svids | |||
| mountPath: /svids | |||
| initContainers: | |||
There was a problem hiding this comment.
The init container uses a SPIFFE helper configuration file with daemon_mode = false. Once the init container runs to completion, the main container starts and SVIDs are available to it. Demonstrating these two modes feels like a quite neat technique to show to the reader.
| policy += " object-src 'none';"; | ||
| policy += " frame-ancestors 'none';"; | ||
| policy += " base-uri 'self';"; | ||
| policy += " form-action 'self'"; | ||
|
|
There was a problem hiding this comment.
Previously I had thought that webpack dev server required insecure options like unsafe-eval, but it turns out that it does not, as long as you use source maps. Therefore our example can use secure headers for development, like those in various online articles.
gary-archer
changed the title
gary-archer
changed the title
A couple of odds and ends to make our example deployments more robust with reader appeal: