Altinn / altinn-pdf

Altinn platform microservice for generating PDFs

Poc: Add a sidecar to the PDF generator container #42

Closed SandGrainOne closed 1 year ago

SandGrainOne commented 1 year ago

Description

The goal with the sidecar is to validate and clean the input being sent to the PDF generator. We need to limit which web pages the PDF-generator can convert to PDF with a whitelist.

As of this writing the requested URL must be for an app from the correct application owner in the correct environment.


bengtfredh commented 1 year ago

Analyse if we can use linkerd policies to allow/reject https://linkerd.io/2.12/reference/authorization-policy/

SandGrainOne commented 1 year ago

The idea right now is actually to remove the entry in the ingress to make the app unavailable outside AKS. Just need to reconfigure the apps using the service so that they can access it through an internal address.

SandGrainOne commented 1 year ago

Took a very quick look at the documentation from linkerd and it looks like there is no way of setting up a rule based on the request body. The value we would want to filter on is in the request body.

SandGrainOne commented 1 year ago

There might not be any need for a sidecar after all. See the above discussion. This issue is now being superseded by #43.
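The allowlist check described in the issue description at the top of this thread, sketched as an added example; it is not code from the thread or from the Altinn repository. It assumes a hypothetical URL layout of `https://{org}.apps.{environment domain}/{org}/{app}/...`, and the owner `ttd`, the domain `tt02.example.test` and the function name `is_allowed_url` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the thread): one sidecar instance serves one application
# owner in one environment, and apps live at https://{org}.apps.{env}/{org}/{app}/
ALLOWED_ORG = "ttd"               # constructed owner id
ENV_DOMAIN = "tt02.example.test"  # constructed environment domain
ALLOWED_HOST = f"{ALLOWED_ORG}.apps.{ENV_DOMAIN}"
APP_NAME = re.compile(r"[a-z][a-z0-9-]{1,38}")


def is_allowed_url(raw: str) -> bool:
    """True only if raw points at an app of the allowed owner and environment."""
    # Refuse whitespace, control characters and backslashes before parsing:
    # URL parsers disagree on them, and the PDF renderer may parse differently.
    if not raw or any(c <= " " or c in "\\\x7f" for c in raw):
        return False
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # No userinfo: in "https://allowed-host@other-host/" the real host is other-host.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    # Exact comparison, never substring or suffix matching.
    if parts.hostname != ALLOWED_HOST:
        return False
    segments = parts.path.split("/")  # ["", org, app, ...]
    if len(segments) < 3 or segments[1] != ALLOWED_ORG:
        return False
    if not APP_NAME.fullmatch(segments[2]):
        return False
    # Strict choice: no dot segments or percent-encoding that a later
    # component could decode into a different path.
    if "%" in parts.path or any(s in (".", "..") for s in segments):
        return False
    return True
```

The check covers only the URL as submitted; any redirect the renderer follows afterwards is outside what it sees.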