From d28a04cf88bf236019bc92715f91098b87c64dbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nils=20Gustav=20Str=C3=A5b=C3=B8?= <65334626+nilsgstrabo@users.noreply.github.com>
Date: Thu, 26 Sep 2024 13:20:16 +0200
Subject: [PATCH] Documentation for ingress allow list (#392)
---
 public-site/docs/radix-config/index.md | 58 +++++++++++++++++++++++++-
 public-site/docusaurus.config.ts | 11 +++++
 2 files changed, 68 insertions(+), 1 deletion(-)
diff --git a/public-site/docs/radix-config/index.md b/public-site/docs/radix-config/index.md
index 20edae52..062398b8 100644
--- a/public-site/docs/radix-config/index.md
+++ b/public-site/docs/radix-config/index.md
@@ -384,7 +384,9 @@ spec:
 publicPort: http
 ```
-The `publicPort` field of a component, if set to ``, is used to make the component accessible on the internet by generating a public endpoint. Any component without `publicPort: ` can only be accessed from another component in the app. If specified, the `` should exist in the `ports` field.
+The `publicPort` field of a component, if set to ``, is used to make the component accessible on the internet by generating a public endpoint. By default, the public endpoint can be accessed from all public IP addresses. You can restrict access to the public endpoints by configuring a list of IP address ranges in `network.ingress.public.allow`, see [network](#network-1) for more information.
+
+A component without `publicPort: ` can only be accessed from another component in the app. If specified, the `` should exist in the `ports` field.
 :::tip
 If no [ports](./#ports) specified for a component, `publicPort` should not be set.
@@ -924,6 +926,24 @@ spec:
 See [runtime](#runtime-1) for more information.
+#### `network`
+
+```yaml
+spec:
+ components:
+ - name: backend
+ environmentConfig:
+ - environment: prod
+ network:
+ ingress:
+ public:
+ allow:
+ - 100.1.1.1
+ - 100.2.2.2/30
+```
+
+See [network](#network-1) for more information.
+
 ### `authentication`
 ```yaml 
@@ -1133,6 +1153,42 @@ If you use the [`build and deploy`](/guides/build-and-deploy) pipeline to build
 For deploy-only components and jobs (with [`image`](#image) property set), make sure that the selected image supports the configured architecture. Many frequently used public images, like [nginx-unprivileged](https://hub.docker.com/r/nginxinc/nginx-unprivileged) and [bitnami/redis](https://hub.docker.com/r/bitnami/redis/tags), includes variants for both `amd64` and `arm64` in the same image. Radix (Kubernetes) will pull the appropriate variant based on the configured architecture.
+### `network`
+
+```yaml
+spec:
+ environment:
+ - name: dev
+ - name: qa
+ - name: prod
+ components:
+ - name: backend
+ network:
+ ingress:
+ public:
+ allow:
+ - 100.1.1.1
+ - 110.1.1.1/30
+ environmentConfig:
+ - environment: dev
+ network:
+ ingress:
+ public:
+ allow: []
+ - environment: qa
+ network:
+ ingress:
+ public:
+ allow:
+ - 200.1.1.1
+ - 200.10.1.1
+ - environment: prod
+```
+
+The `network.ingress.public.allow` property defines a list of public IP addresses or CIDRs allowed to access the component's public endpoints. The `allow` list can be configured on the component level and/or in `environmentConfig` for a specific environment. `environmentConfig` takes precedence over component level configuration. Setting `allow` to an empty list allows access from all public IP addresses.
+
+In the example, `allow` is configured on the component level with two IP address ranges. This configuration will apply to all environments, unless `allow` is configured in `environmentConfig`. For environment `dev`, `allow` to en empty list, which will allow all public IP addresses to access the component. In the `qa` environment, `allow` is configured with a new list if IP addresses. These will be used instead of the IP addresses configured on the component level. 
The `environmentConfig` for `prod` does not specify `allow`, which means that the configuration from the component level will be used.
+
 ## `jobs`
 This is where you specify the various [jobs](/guides/jobs) for your application.
diff --git a/public-site/docusaurus.config.ts b/public-site/docusaurus.config.ts
index 215f5dc4..e2208181 100644
--- a/public-site/docusaurus.config.ts
+++ b/public-site/docusaurus.config.ts
@@ -47,6 +47,17 @@ const config: Config = {
 themeConfig: {
 // Replace with your project's social card
 // image: 'img/docusaurus-social-card.jpg',
+
+ metadata:[
+ {name: 'Content-Security-Policy', content: `default-src 'self'; object-src 'none'; img-src 'self' data:; style-src 'self' https://cdn.eds.equinor.com/font/; font-src 'self' https://cdn.eds.equinor.com/font/; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content`},
+ {name: 'Permissions-Policy', content: 'none'},
+ {name: 'Cross-Origin-Resource-Policy', content: 'same-origin'},
+ {name: 'Referrer-Policy', content: 'no-referrer'},
+ {name: 'X-Content-Type-Options', content: 'nosniff'},
+ {name: 'X-Frame-Options', content: 'deny'},
+ {name: 'X-Permitted-Cross-Domain-Policies', content: 'none'},
+ ],
+
 navbar: {
 title: 'Omnia Radix',
 logo: {
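Review bot: The security headers added to `themeConfig.metadata` in the docusaurus.config.ts hunk are rendered as `<meta name="…">` tags, and browsers do not honour `Content-Security-Policy`, `X-Frame-Options`, `Referrer-Policy` or the other names in this list as `name` attributes, so none of these policies actually take effect on the published site. Of the set, only CSP can be delivered in markup, via `{'http-equiv': 'Content-Security-Policy', content: …}`, and even then a meta-delivered policy ignores `frame-ancestors`; the markup form of the referrer policy is `{name: 'referrer', content: 'no-referrer'}`. The remaining entries (`X-Frame-Options`, `X-Content-Type-Options`, `Permissions-Policy`, `Cross-Origin-Resource-Policy`, `X-Permitted-Cross-Domain-Policies`) only work as HTTP response headers and belong in the hosting or ingress configuration, with a comment here pointing to where they are set. If the CSP is switched to `http-equiv`, note that it declares no `script-src`, so scripts fall back to `default-src 'self'`; that is presumably too strict for Docusaurus' inline bootstrap script and should be verified against the built site before shipping.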