mlflow: add var for network exposure configuration

charts/mlflow/Chart.yaml

@@ -21,12 +21,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.0.11
+version: 3.0.0
 
 dependencies:
   - name: postgresql
     version: 13.1.5
     repository: https://charts.bitnami.com/bitnami
   - name: library-chart
-    version: 2.0.0
+    version: 2.0.1
     repository: https://inseefrlab.github.io/helm-charts-interactive-services

charts/mlflow/templates/deployment.yaml

@@ -43,8 +43,15 @@ spec:
             - --host=0.0.0.0
             - --port=8000
             - --backend-store-uri=postgresql://{{ .Values.postgresql.auth.username }}:{{ .Values.postgresql.auth.password }}@{{ .Values.postgresql.fullnameOverride }}:5432/{{ .Values.postgresql.auth.database}}
-            {{ if .Values.security.disableSecurityMiddleware -}}
+            {{- if .Values.security.middleware.disabled }}
             - --disable-security-middleware
+            {{- else }}
+            {{- if .Values.security.middleware.allowedHosts }}
+            - --allowed-hosts={{ .Values.security.middleware.allowedHosts }}
+            {{- end }}
+            {{- if .Values.security.middleware.corsAllowedOrigins }}
+            - --cors-allowed-origins={{ .Values.security.middleware.corsAllowedOrigins }}
+            {{- end }}
             {{- end }}
             {{ if .Values.service.proxyArtifact.enabled -}}
             - --artifacts-destination={{ .Values.service.directory }}

charts/mlflow/values.schema.json

@@ -242,10 +242,37 @@
           "description": "[Specify a secret key for flask server. Learn more about about it](https://mlflow.org/docs/latest/auth)",
           "render": "password"
         },
-        "disableSecurityMiddleware":{
-          "type": "boolean",
-          "default": true,
-          "description": "Disable all security middleware including CORS protection and host validation, do not disable in production"
+        "middleware":{
+          "title": "Security middleware",
+          "type": "object",
+          "properties": {
+            "disabled":{
+              "title": "Disable security middleware",
+              "type": "boolean",
+              "default": true,
+              "description": "Disable all security middleware including CORS protection and host validation, do not disable in production"
+              },
+            "allowedHosts" :{
+              "description": "Controls which Host headers the server accepts. This prevents DNS rebinding attacks by validating incoming requests:",
+              "type": "string",
+              "default": "localhost",
+              "hidden": {
+                "value": true,
+                "isPathRelative": true,
+                "path": "disabled"
+              }
+            },
+            "corsAllowedOrigins" :{
+              "description": "Specifies which web applications can make API requests from browsers:",
+              "type": "string",
+              "default": "localhost:*",
+              "hidden": {
+                "value": true,
+                "isPathRelative": true,
+                "path": "disabled"
+              }
+            }
+          }
         },
         "networkPolicy": {
           "type": "object",

charts/mlflow/values.yaml

@@ -55,7 +55,10 @@ security:
   allowlist:
     enabled: true
     ip: "0.0.0.0/0"
-  disableSecurityMiddleware: true
+  middleware:
+    disabled: true
+    allowedHosts: "localhost"
+    corsAllowedOrigins: "localhost:*"
 
 postgresql:
   image: