This PR enforces more security in some of the resources the appmanager sets up.
Fixes
Fixed a bug in the ingress-middleware template: OAuthBearerTokens was not camelCase and didn't work.
Security
Key vaults now only accept traffic from the application environment vnet.
Storage accounts now only accept traffic from the application environment vnet, with the option to add external IP addresses to the storage account accesslist.
This is used like this in the configuration json:
Changed nginx logging to include the "x-forwarded-for" header, as it holds the actual originating IP of the request.
Rejects any ingress definitions that do not have any identity solution defined (identity provider, oauth bearertoken or accesslist).
Extended ingress configuration options to work with a regexp-style ingress path.
This requires a dns resolver to be set as well on the ingress, and a flag on the route hinting that it should be used.
This allows us to basically accesslist paths even with variable components, having a 404 fallback.
Here is an example ingress definition that accepts calls to "/swagger" and "/###/prefixedroute/#####", which then requires the use of useResolver (or nginx will fail):
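An added example (not code from this PR or the appmanager project) showing how a log consumer should read the new "x-forwarded-for" field: the header is client-controlled, so it is only trusted when the direct peer is one of our own proxies, and the chain is walked from the right past trusted hops. The log format (nginx "combined" plus a quoted `$http_x_forwarded_for`), the trusted vnet range and the log lines are all constructed assumptions.

```python
import ipaddress
import re

# Assumed log_format: nginx "combined" with "$http_x_forwarded_for" appended.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'"(?P<xff>[^"]*)"$'
)

# Constructed: the application environment vnet that fronts nginx.
TRUSTED_PROXIES = [ipaddress.ip_network("10.20.0.0/16")]


def is_trusted(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)
    except ValueError:  # not an IP literal (e.g. "unknown" or garbage)
        return False


def originating_ip(remote_addr: str, xff: str) -> str:
    # Anyone can send X-Forwarded-For; only honour it when the connecting
    # peer is a trusted proxy, then take the rightmost untrusted hop.
    if not is_trusted(remote_addr) or xff in ("", "-"):
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not is_trusted(hop):
            return hop
    return remote_addr  # whole chain was internal: use the direct peer


def parse_line(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["client_ip"] = originating_ip(rec["remote"], rec["xff"])
    return rec


# Constructed sample lines: proxied request, two-hop chain, and a direct
# client that spoofs a loopback address in the header.
SAMPLE_LOG = [
    '10.20.1.5 - - [01/Jan/2024:10:00:00 +0000] "GET /swagger HTTP/1.1" 200 512 "-" "curl/8.0" "203.0.113.7"',
    '10.20.1.5 - - [01/Jan/2024:10:00:01 +0000] "GET /api HTTP/1.1" 200 12 "-" "curl/8.0" "198.51.100.9, 10.20.1.4"',
    '192.0.2.33 - - [01/Jan/2024:10:00:02 +0000] "GET /api HTTP/1.1" 403 0 "-" "curl/8.0" "127.0.0.1"',
]


def client_ips(lines=SAMPLE_LOG) -> list:
    return [parse_line(l)["client_ip"] for l in lines]
```

The third sample line shows why the peer check matters: without it, the spoofed `127.0.0.1` would be logged as the client and could match a loopback entry in an accesslist.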