diff --git a/changelog.d/3-bug-fixes/cspExtraConnect-multiIngress b/changelog.d/3-bug-fixes/cspExtraConnect-multiIngress
new file mode 100644
index 00000000000..3f48e4f9597
--- /dev/null
+++ b/changelog.d/3-bug-fixes/cspExtraConnect-multiIngress
@@ -0,0 +1 @@
+Enable passing cspExtraConnectSrc value to nginx-ingress-services when working with multi-ingresses (renderCSPInIngress=True). It would be required for webapp to connect to third party sft servers.
diff --git a/charts/nginx-ingress-services/templates/ingress.yaml b/charts/nginx-ingress-services/templates/ingress.yaml
index 7ae2f42dff9..ff144a312b9 100644
--- a/charts/nginx-ingress-services/templates/ingress.yaml
+++ b/charts/nginx-ingress-services/templates/ingress.yaml
@@ -20,7 +20,7 @@ metadata:
 {{if .Values.websockets.enabled}}
 set $CSP "${CSP} wss://{{ .Values.config.dns.ssl }}";
 {{end}}
- set $CSP "${CSP} https://*.{{ .Values.config.dns.base }};";
+ set $CSP "${CSP} https://*.{{ .Values.config.dns.base }}{{- if .Values.config.cspExtraConnectSrc }} {{ .Values.config.cspExtraConnectSrc }}{{- end }};";
 set $CSP "${CSP} default-src 'self';";
 set $CSP "${CSP} font-src 'self' data:;";
 set $CSP "${CSP} frame-src https://*.soundcloud.com https://*.spotify.com https://*.vimeo.com https://*.youtube-nocookie.com;";
diff --git a/charts/nginx-ingress-services/values.yaml b/charts/nginx-ingress-services/values.yaml
index e77de580fb9..43ce350c550 100644
--- a/charts/nginx-ingress-services/values.yaml
+++ b/charts/nginx-ingress-services/values.yaml
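Review bot: The added `{{ .Values.config.cspExtraConnectSrc }}` on the `+` line is spliced verbatim into a double-quoted nginx `set` string and thereby into the CSP header value, so a value containing `"`, `;` or `$` would end the nginx string, terminate the connect-src list it is appended to (the directive presumably opens on a line above the hunk), or be expanded as an nginx variable the way `${CSP}` is on the same line — silently widening or breaking the policy. The value is operator-supplied through values.yaml, so this is a misconfiguration risk rather than an injection path, but a render-time guard inside the existing `if` turns it into a clear install failure: `{{- if or (contains ";" .Values.config.cspExtraConnectSrc) (contains "\"" .Values.config.cspExtraConnectSrc) }}{{ fail "config.cspExtraConnectSrc must not contain ';' or '\"'" }}{{- end }}`. A template comment above the line, e.g. `{{- /* config.cspExtraConnectSrc: space-separated extra connect-src origins from values.yaml, emitted verbatim */ -}}`, would also help since the rendered header is hard to review after the fact. The surrounding `set $CSP` sequence starts and ends outside the hunk.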
@@ -175,6 +175,10 @@ config:
 # (multi-ingress), because the webapps can only provide CSP headers for one
 # (root) domain.
 renderCSPInIngress: false
+# Adds additional CSP connect-src entries. This is exclusive to `.config.dns.https`.
+# It is only respected when renderCSPInIngress=True. Multiple entries can be passed with a space in between.
+ cspExtraConnectSrc:
+# cspExtraConnectSrc: "https://sft.example-calling.com https://second-domain-example.com"
 # Is this a chart instantiation for an additional backend domain (multi-ingress)?
 #
 # If 'true' some resources aren't created because they're expected to already
diff --git a/charts/wire-server/values.yaml b/charts/wire-server/values.yaml
index fc50c17dfad..4f93b23a8ac 100644
--- a/charts/wire-server/values.yaml
+++ b/charts/wire-server/values.yaml
@@ -107,8 +107,8 @@ galley:
 # If set it must a map from `Z-Host` to URI prefix
 # Example:
 # multiIngress:
- # wire.example: https://accounts.wire.example/conversation-join/
- # example.net: https://accounts.example.net/conversation-join/
+ # wire.example: https://account.wire.example/conversation-join/
+ # example.net: https://account.example.net/conversation-join/
 multiIngress: null
 # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
 # brig, cannon, cargohold, galley, gundeck, proxy, spar.
diff --git a/docs/src/developer/reference/config-options.md b/docs/src/developer/reference/config-options.md
index 4a269a7fe45..562d6d95061 100644
--- a/docs/src/developer/reference/config-options.md
+++ b/docs/src/developer/reference/config-options.md
@@ -1403,8 +1403,8 @@ Example:
 ```yaml
 multiIngress:
- red.example.com: https://accounts.red.example.com/conversation-join/
- green.example.com: https://accounts.green.example.net/conversation-join/
+ red.example.com: https://account.red.example.com/conversation-join/
+ green.example.com: https://account.green.example.net/conversation-join/
 ```
 ### Spar
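Review bot: The new comment above `cspExtraConnectSrc` says the option is "exclusive to .config.dns.https" without saying what that relationship is — replaces it, is independent of it, or is appended after it — and a reader of values.yaml cannot tell without opening the template; since ingress.yaml in this same commit appends the value after the default `https://*.<dns.base>` entry, state that plainly, e.g. `# Extra origins appended to connect-src after the default https://*.<config.dns.base> entry; they never replace it.` The two added `#` comment lines sit at column 0 while the key itself is indented under `config:`, which looks out of step with the neighbouring indented comments (the collapsed diff hides exact indentation, so confirm). `cspExtraConnectSrc:` with no value parses as null, which the template's `if` treats as unset, but `cspExtraConnectSrc: ""` states the default explicitly and avoids yamllint's empty-values warning. `renderCSPInIngress=True` in the comment should read `renderCSPInIngress: true`, matching the boolean written two lines above.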
diff --git a/docs/src/understand/associate/deeplink.md b/docs/src/understand/associate/deeplink.md
index 9eb00b304db..045fbedbed3 100644
--- a/docs/src/understand/associate/deeplink.md
+++ b/docs/src/understand/associate/deeplink.md
@@ -207,7 +207,7 @@ Otherwise you need to create a `.json` file, and host it somewhere users can get
 "backendWSURL" : "https://prod-nginz-ssl.wire.com",
 "blackListURL" : "https://clientblacklist.wire.com/prod",
 "teamsURL" : "https://teams.wire.com",
- "accountsURL" : "https://accounts.wire.com",
+ "accountsURL" : "https://account.wire.com",
 "websiteURL" : "https://wire.com"
 },
 "apiProxy" : {