Add options to set additional nginx headers

cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml

@@ -153,7 +153,9 @@ data:
         root /var/www;
         index index.html;
 
-        add_header Cache-Control "must-revalidate";
+        {{- range .Values.kubecostFrontend.nginxHeaders.server }}
+        add_header {{ . }}
+        {{- end }}
 
         {{- if .Values.kubecostFrontend.extraServerConfig }}
         {{- .Values.kubecostFrontend.extraServerConfig | toString | nindent 8 -}}
@@ -169,6 +171,9 @@ data:
 {{- if or .Values.saml.enabled .Values.oidc.enabled }}
         add_header Cache-Control "max-age=0";
         location / {
+            {{- range .Values.kubecostFrontend.nginxHeaders.location.root }}
+            add_header {{ . }}
+            {{- end }}
             auth_request /auth;
             proxy_redirect off;
             proxy_http_version 1.1;
@@ -180,6 +185,9 @@ data:
         }
         location /healthz {
             add_header 'Content-Type' 'text/plain';
+            {{- range .Values.kubecostFrontend.nginxHeaders.location.healthz }}
+            add_header {{ . }}
+            {{- end }}
             return 200 "healthy\n";
         }
 {{- else }}
@@ -218,6 +226,9 @@ data:
 {{- end }}
 
         location /model/ {
+            {{- range .Values.kubecostFrontend.nginxHeaders.location.model }}
+            add_header {{ . }}
+            {{- end }}
             proxy_connect_timeout       {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }};
             proxy_send_timeout          {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }};
             proxy_read_timeout          {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }};
@@ -234,8 +245,9 @@ data:
 
         location ~ ^/(turndown|cluster)/ {
 
-            add_header 'Access-Control-Allow-Origin' '*' always;
-            add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;
+            {{- range .Values.kubecostFrontend.nginxHeaders.location.clusterTurndown }}
+            add_header {{ . }}
+            {{- end }}
 {{- if .Values.clusterController }}
 {{- if .Values.clusterController.enabled }}
             {{- if or .Values.saml .Values.oidc }}
@@ -1407,8 +1419,9 @@ data:
 {{- end }}
         location = /model/hideOrphanedResources {
             default_type 'application/json';
-            add_header 'Access-Control-Allow-Origin' '*' always;
-            add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;
+            {{- range .Values.kubecostFrontend.nginxHeaders.location.hideOrphanedResources }}
+            add_header {{ . }}
+            {{- end }}
             {{- if .Values.kubecostFrontend.hideOrphanedResources }}
             return 200 '{"hideOrphanedResources": "true"}';
             {{- else }}
@@ -1417,8 +1430,9 @@ data:
         }
         location = /model/hideDiagnostics {
             default_type 'application/json';
-            add_header 'Access-Control-Allow-Origin' '*' always;
-            add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;
+            {{- range .Values.kubecostFrontend.nginxHeaders.location.hideDiagnostics }}
+            add_header {{ . }}
+            {{- end }}
             {{- if .Values.kubecostFrontend.hideDiagnostics }}
             return 200 '{"hideDiagnostics": "true"}';
             {{- else }}
@@ -1434,8 +1448,9 @@ data:
 
         location /model/multi-cluster-diagnostics-enabled {
             default_type 'application/json';
-            add_header 'Access-Control-Allow-Origin' '*' always;
-            add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;
+            {{- range .Values.kubecostFrontend.nginxHeaders.location.multiClusterDiagnosticsEnabled }}
+            add_header {{ . }}
+            {{- end }}
             {{- if and .Values.diagnostics.enabled .Values.diagnostics.primary.enabled }}
             {{- if or (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) .Values.kubecostModel.federatedStorageConfig }}
             return 200 '{"multiClusterDiagnosticsEnabled": true}';
@@ -1455,8 +1470,9 @@ data:
         # Deployment, we should forward that path to the K8s Service.
         location /model/diagnostics/multicluster {
             default_type 'application/json';
-            add_header 'Access-Control-Allow-Origin' '*' always;
-            add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;
+            {{- range .Values.kubecostFrontend.nginxHeaders.location.multiClusterDiagnostics }}
+            add_header {{ . }}
+            {{- end }}
             proxy_read_timeout          300;
             proxy_pass http://multi-cluster-diagnostics/status;
             proxy_redirect off;
@@ -1467,8 +1483,9 @@ data:
         # simple alias for support
         location /mcd {
             default_type 'application/json';
-            add_header 'Access-Control-Allow-Origin' '*' always;
-            add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;
+            {{- range .Values.kubecostFrontend.nginxHeaders.location.multiClusterDiagnostics }}
+            add_header {{ . }}
+            {{- end }}
             proxy_read_timeout          300;
             proxy_pass http://multi-cluster-diagnostics/status?window=7d;
             proxy_redirect off;
@@ -1488,8 +1505,9 @@ data:
         {{- if .Values.forecasting.enabled }}
         location /forecasting {
             default_type 'application/json';
-            add_header 'Access-Control-Allow-Origin' '*' always;
-            add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;
+            {{- range .Values.kubecostFrontend.nginxHeaders.location.forecastingEnabled }}
+            add_header {{ . }}
+            {{- end }}
             proxy_read_timeout          300;
             proxy_pass http://forecasting/;
             proxy_redirect off;
@@ -1506,8 +1524,9 @@ data:
 
         location /model/productConfigs {
             default_type 'application/json';
-            add_header 'Access-Control-Allow-Origin' '*' always;
-            add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;
+            {{- range .Values.kubecostFrontend.nginxHeaders.location.productConfigs }}
+            add_header {{ . }}
+            {{- end }}
             return 200 '\n
                 {
                 "ssoConfigured": "{{ template "ssoEnabled" . }}",

cost-analyzer/values.yaml

@@ -536,6 +536,40 @@ kubecostFrontend:
 #    fqdn: kubecost-multi-diag.kubecost.svc.cluster.local:9007
 #  clusterController:
 #    fqdn: cluster-controller.kubecost.svc.cluster.local:9731
+#
+
+  # Configurable headers for nginx responses.
+  nginxHeaders:
+    # applied to all route locations
+    server:
+      - Content-Security-Policy "default-src 'self' cdn.userway.org; frame-ancestors 'none';";
+      - Cache-Control "must-revalidate";
+    # per-location headers
+    location:
+      root: []
+      healthz: []
+      model: []
+      clusterTurndown:
+        - "'Access-Control-Allow-Origin' '*' always;"
+        - "'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;"
+      hideOrphanedResources:
+        - "'Access-Control-Allow-Origin' '*' always;"
+        - "'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;"
+      hideDiagnostics:
+        - "'Access-Control-Allow-Origin' '*' always;"
+        - "'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;"
+      multiClusterDiagnosticsEnabled:
+        - "'Access-Control-Allow-Origin' '*' always;"
+        - "'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;"
+      multiClusterDiagnostics:
+        - "'Access-Control-Allow-Origin' '*' always;"
+        - "'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;"
+      forecastingEnabled:
+        - "'Access-Control-Allow-Origin' '*' always;"
+        - "'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;"
+      productConfigs:
+        - "'Access-Control-Allow-Origin' '*' always;"
+        - "'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always;"
 
 # Kubecost Metrics deploys a separate pod which will emit kubernetes specific metrics required
 # by the cost-model. This pod is designed to remain active and decoupled from the cost-model itself.