Allow configuring insecure access to K8s probes

wadimw · wadimw · commit 3c8a8a40c8ed · 2025-12-19T00:41:04.000+01:00
diff --git a/webapp/src/main/java/com/box/l10n/mojito/security/ActuatorHealthConfig.java b/webapp/src/main/java/com/box/l10n/mojito/security/ActuatorHealthConfig.java
@@ -0,0 +1,24 @@
+package com.box.l10n.mojito.security;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * Configures insecure access to Kubernetes probes.
+ *
+ * @author wadimw
+ */
+@Configuration
+@ConfigurationProperties("l10n.actuator.health")
+public class ActuatorHealthConfig {
+
+  boolean allowInsecureKubernetesProbes = false;
+
+  public boolean getAllowInsecureKubernetesProbes() {
+    return allowInsecureKubernetesProbes;
+  }
+
+  public void setAllowInsecureKubernetesProbes(boolean allowInsecureKubernetesProbes) {
+    this.allowInsecureKubernetesProbes = allowInsecureKubernetesProbes;
+  }
+}
diff --git a/webapp/src/main/java/com/box/l10n/mojito/security/WebSecurityConfig.java b/webapp/src/main/java/com/box/l10n/mojito/security/WebSecurityConfig.java
@@ -58,6 +58,8 @@ public class WebSecurityConfig {
 
   @Autowired ActuatorHealthLegacyConfig actuatorHealthLegacyConfig;
 
+  @Autowired ActuatorHealthConfig actuatorHealthConfig;
+
   @Autowired UserDetailsContextMapperImpl userDetailsContextMapperImpl;
 
   @Autowired UserService userService;
@@ -217,8 +219,13 @@ public SecurityFilterChain configure(HttpSecurity http) throws Exception {
     http.csrf()
         .ignoringRequestMatchers("/actuator/shutdown", "/actuator/loggers/**", "/api/rotation");
 
-    setAuthorizationRequests(
-        http, getHealthcheckPatterns(actuatorHealthLegacyConfig.isForwarding()));
+    List<String> extraPermitAllPatterns =
+        new ArrayList<>(getHealthcheckPatterns(actuatorHealthLegacyConfig.isForwarding()));
+    if (actuatorHealthConfig.getAllowInsecureKubernetesProbes()) {
+      extraPermitAllPatterns.add("/actuator/health/liveness");
+      extraPermitAllPatterns.add("/actuator/health/readiness");
+    }
+    setAuthorizationRequests(http, extraPermitAllPatterns);
 
     logger.debug("For APIs, we don't redirect to login page. Instead we return a 401");
     http.exceptionHandling()
