From 06c35588e3ba4517cd2bab93936f926705af3098 Mon Sep 17 00:00:00 2001
From: Mayne0213 <bluemayne0213@icloud.com>
Date: Sat, 10 Jan 2026 00:22:36 +0900
Subject: [PATCH] FIX(zot): add Traefik middleware to fix CSP header for UI

- Add blob: to script-src directive
- Add unsafe-eval for UI functionality
- Fix Content Security Policy for proper UI rendering
---
 zot/helm-values.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/zot/helm-values.yaml b/zot/helm-values.yaml
index ef09f84..b2e6e4f 100644
--- a/zot/helm-values.yaml
+++ b/zot/helm-values.yaml
@@ -56,11 +56,20 @@ service:
       http:
         port: 5000
 
+rawResources:
+  csp-fix:
+    apiVersion: traefik.io/v1alpha1
+    kind: Middleware
+    spec:
+      headers:
+        contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self' data:; manifest-src 'self'; base-uri 'self'"
+
 ingress:
   zot:
     className: traefik
     annotations:
       cert-manager.io/cluster-issuer: letsencrypt-prod
+      traefik.ingress.kubernetes.io/router.middlewares: zot-csp-fix@kubernetescrd
     hosts:
     - host: zot0213.kro.kr
       paths: