feat: add origin protection key enforcement for envoy in lds.supabase.yaml

hf · hf · commit ee2bc6385937 · 2024-11-20T14:34:31.000+01:00
diff --git a/.github/workflows/dockerhub-release-aio.yml b/.github/workflows/dockerhub-release-aio.yml
@@ -74,6 +74,7 @@ jobs:
           push: true
           build-args: |
             postgres_version=${{ needs.settings.outputs.base_docker_version }}
+            envoy_lds=lds.supabase.yaml
             ${{ needs.settings.outputs.build_args }}
           target: production
           tags: ${{ needs.settings.outputs.image_tag }}_${{ matrix.arch }}
diff --git a/ansible/tasks/internal/setup-envoy.yml b/ansible/tasks/internal/setup-envoy.yml
diff --git a/ansible/vars.yml b/ansible/vars.yml
@@ -11,8 +11,8 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgres15: "15.8.1.010"
-  postgres16: "16.3.1.016"
+  postgres15: "15.8.1.011"
+  postgres16: "16.3.1.017"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
diff --git a/docker/all-in-one/Dockerfile b/docker/all-in-one/Dockerfile
@@ -227,9 +227,12 @@ COPY docker/all-in-one/etc/gotrue.env /etc/gotrue.env
 
 # Customizations for envoy
 ARG envoy_release
+ARG envoy_lds="lds.yaml"
 ADD --chmod=755 --chown=envoy:envoy "https://raw.githubusercontent.com/envoyproxy/envoy/v${envoy_release}/restarter/hot-restarter.py" /opt/envoy-hot-restarter.py
-COPY --chmod=775 --chown=envoy:envoy --exclude=*.supabase.yaml ansible/files/envoy_config/ /etc/envoy/
+COPY --chmod=775 --chown=envoy:envoy ansible/files/envoy_config/ /etc/envoy/
 COPY --chmod=755 --chown=envoy:envoy ansible/files/start-envoy.sh /opt/
+RUN mv /etc/envoy/${envoy_lds} /etc/envoy/lds.yaml
+RUN rm -f /etc/envoy/lds.supabase.yaml
 
 # Customizations for kong
 COPY docker/all-in-one/etc/kong/kong.conf /etc/kong/kong.conf
