From 33ffe2e710f225a7d61b1b125cbbe0b42a6e91ec Mon Sep 17 00:00:00 2001
From: Wesley Ellis <wesley@opslevel.com>
Date: Mon, 8 Sep 2025 16:55:15 -0400
Subject: [PATCH] Expose MAX_WEBHOOK_PAYLOAD_SIZE option

---
 .changes/unreleased/Feature-opslevel-max-webhook-size.yaml | 3 +++
 charts/opslevel/templates/opslevel/configmap.yaml          | 1 +
 charts/opslevel/values.yaml                                | 2 ++
 3 files changed, 6 insertions(+)
 create mode 100644 .changes/unreleased/Feature-opslevel-max-webhook-size.yaml

diff --git a/.changes/unreleased/Feature-opslevel-max-webhook-size.yaml b/.changes/unreleased/Feature-opslevel-max-webhook-size.yaml
new file mode 100644
index 0000000..a308048
--- /dev/null
+++ b/.changes/unreleased/Feature-opslevel-max-webhook-size.yaml
@@ -0,0 +1,3 @@
+kind: Feature
+body: Add `opslevel.web.maxWebhookPayloadSize`. Incoming webhook payloads (like custom event checks and sboms) larger than this will be rejected with a 413. Default is 0/unlimited.
+time: 2025-09-08T00:00:00Z
diff --git a/charts/opslevel/templates/opslevel/configmap.yaml b/charts/opslevel/templates/opslevel/configmap.yaml
index 84af1f0..307f4bf 100644
--- a/charts/opslevel/templates/opslevel/configmap.yaml
+++ b/charts/opslevel/templates/opslevel/configmap.yaml
@@ -34,6 +34,7 @@ data:
   MAIL_DOMAIN: '{{ default .Values.opslevel.domain .Values.smtp.secret.emailDomain }}'
   MAIL_SENDER_NAME: '{{ default "" .Values.smtp.secret.emailDisplayName }}'
   MAIL_USERNAME: '{{ default "" .Values.smtp.secret.emailUsername }}'
+  MAX_WEBHOOK_PAYLOAD_SIZE: '{{ default "0" .Values.opslevel.web.maxWebhookPayloadSize }}'
   OPSGENIE_ENABLED: 'true'
   OPSLEVEL_ENV: '{{ default "on-prem" (((.Values.global.replicated).licenseFields).opslevel_env).value }}'
   OPSLEVEL_DOMAIN: '{{ default "example.com" .Values.opslevel.domain }}'
diff --git a/charts/opslevel/values.yaml b/charts/opslevel/values.yaml
index 7311529..3548dfd 100644
--- a/charts/opslevel/values.yaml
+++ b/charts/opslevel/values.yaml
@@ -50,6 +50,8 @@ opslevel:
   web:
     replicas: 3
     resources: *resourcesMedium
+    # limits webhook payload size accepted by Rails (bytes)
+    maxWebhookPayloadSize: 0
   workerHigh:
     replicas: 2
     resources: *resourcesSmall