From 1270e09e6d2bed77f3cb46658887d3ac6b6adc9d Mon Sep 17 00:00:00 2001
From: trivernis
Date: Fri, 22 Dec 2023 21:24:36 +0100
Subject: [PATCH] apps(sharkey): Add traefik security middlewares
---
 apps/sharkey/app.yaml | 1 +
 apps/sharkey/app/middleware.yaml | 29 +++++++++++++++++++++++++++++
 apps/sharkey/app/route.yaml | 2 ++
 3 files changed, 32 insertions(+)
 create mode 100644 apps/sharkey/app/middleware.yaml
diff --git a/apps/sharkey/app.yaml b/apps/sharkey/app.yaml
index 348e160..230a818 100644
--- a/apps/sharkey/app.yaml
+++ b/apps/sharkey/app.yaml
@@ -14,4 +14,5 @@ resources:
 - app/stackgres.yaml
 - app/deploy.yaml
 - app/service.yaml
+ - app/middleware.yaml
 - app/route.yaml
diff --git a/apps/sharkey/app/middleware.yaml b/apps/sharkey/app/middleware.yaml
new file mode 100644
index 0000000..7d8286c
--- /dev/null
+++ b/apps/sharkey/app/middleware.yaml
@@ -0,0 +1,29 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: circuit-breaker
+ namespace: sharkey
+spec:
+ circuitBreaker:
+ expression: LatencyAtQuantileMS(50.0) > 200 || ResponseCodeRatio(500, 600, 0, 600) > 0.5
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: ratelimit
+ namespace: sharkey
+spec:
+ rateLimit:
+ average: 120
+ burst: 60
+ period: 1s
+ sourceCriterion:
+ ipStrategy:
+ excludedIPs:
+ - 127.0.0.1/32 # loopback
+ - 10.0.0.0/16 # bridge network
+ - 10.243.0.0/16 # cluster network
+ - 167.235.111.84 # lb
+ - 128.140.35.44 # node
+ - 5.75.144.230 # node
+ - 144.76.167.59 # node
diff --git a/apps/sharkey/app/route.yaml b/apps/sharkey/app/route.yaml
index dcf25d2..72931d7 100644
--- a/apps/sharkey/app/route.yaml
+++ b/apps/sharkey/app/route.yaml
@@ -12,6 +12,8 @@ spec:
 middlewares:
 - name: strict-security-headers
 namespace: default
+ - name: ratelimit
+ - name: circuit-breaker
 services:
 - name: sharkey
 port: http
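Review bot: The `ratelimit` middleware in apps/sharkey/app/middleware.yaml derives its bucket key from X-Forwarded-For (`ipStrategy.excludedIPs` selects the first address in that header that is not on the list), so the limit is only as reliable as that header, and this commit does not show which peers the Traefik entrypoint accepts forwarded headers from. I would confirm that the entrypoint's `forwardedHeaders.trustedIPs` covers exactly the proxies listed here, and record the coupling above the list: `# keep in sync with the entrypoint's forwardedHeaders.trustedIPs; a proxy missing here may become one shared bucket for all its clients`. The hard-coded `# lb` and `# node` addresses also need updating whenever a node is added or replaced. In `circuit-breaker`, `LatencyAtQuantileMS(50.0) > 200` opens the breaker for every user once median latency exceeds 200 ms, which ordinary slow endpoints may reach; consider a looser latency bound, or `NetworkErrorRatio() > 0.30` alongside the response-code ratio.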
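Review bot: In apps/sharkey/app/route.yaml the new entries `- name: ratelimit` and `- name: circuit-breaker` omit `namespace`, unlike `strict-security-headers` directly above them, so they presumably resolve against the IngressRoute's own namespace, which is not visible in this hunk. The middlewares are created in `sharkey`; if the route is ever defined or moved elsewhere, the references would stop resolving and the route would lose its rate limit and breaker. I would make the binding explicit by adding `namespace: sharkey` under each of the two new `name` entries. The `spec` block begins and ends outside the hunk, so the route's namespace should be checked against the full file.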