From 1dd8d54f957715104f991ad60eb540d964c7bb76 Mon Sep 17 00:00:00 2001
From: Sven Tennie
Date: Thu, 14 Mar 2024 11:11:34 +0100
Subject: [PATCH] smallstep-accomp: Disable client-side caching

To ensure certificate revocations get active in a short time frame, disable caching of proxy results on client side by setting respective HTTP headers.
---
 .../5-internal/smallstep-accomp-no-client-side-caching | 2 ++
 .../smallstep-accomp/templates/server-block-configmap.yaml | 5 +++++
 2 files changed, 7 insertions(+)
 create mode 100644 changelog.d/5-internal/smallstep-accomp-no-client-side-caching

diff --git a/changelog.d/5-internal/smallstep-accomp-no-client-side-caching b/changelog.d/5-internal/smallstep-accomp-no-client-side-caching
new file mode 100644
index 00000000000..a70d4e0496a
--- /dev/null
+++ b/changelog.d/5-internal/smallstep-accomp-no-client-side-caching
@@ -0,0 +1,2 @@
+To ensure certificate revocations get active in a short time frame, disable
+caching of proxy results on client side by setting respective HTTP headers.
diff --git a/charts/smallstep-accomp/templates/server-block-configmap.yaml b/charts/smallstep-accomp/templates/server-block-configmap.yaml
index a6765595d31..59c423d3345 100644
--- a/charts/smallstep-accomp/templates/server-block-configmap.yaml
+++ b/charts/smallstep-accomp/templates/server-block-configmap.yaml
@@ -26,6 +26,11 @@ data:
 proxy_set_header Host $backend;
 proxy_hide_header Content-Type;
 add_header Content-Type application/pkix-crl;
+ # Prevent caching on client side
+ add_header Cache-Control 'no-cache, no-store, must-revalidate';
+ add_header Pragma 'no-cache';
+ add_header Expires '0';
+
 proxy_pass "https://$backend/crl";
 }
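Review bot: The three added `add_header` lines append to whatever the upstream already sends instead of replacing it, so if the backend's `/crl` response carries its own `Cache-Control`, `Pragma` or `Expires`, clients receive conflicting values and the stricter one is not guaranteed to win. The hunk already pairs `proxy_hide_header Content-Type;` with the re-added header, and the same pairing would make the intent hold here: `proxy_hide_header Cache-Control; proxy_hide_header Pragma; proxy_hide_header Expires;`. Separately, `add_header` without the `always` parameter is applied only to a fixed set of success and redirect status codes, so error responses from this location go out without the no-cache headers; appending `always` to each of the three lines covers them. Whether the backend sets caching headers is not visible here, and the enclosing location block starts above the hunk, so this should be checked against the rest of the file. These headers also govern HTTP caches only; how long a client keeps relying on an already fetched CRL still depends on the CRL's own validity period.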