feat: change some little security risks, add another ingress that has ip whitelist for admin panel and update some OCI image versions

2025-07-16 09:38:49 +02:00 · 2025-05-12 23:26:29 +02:00
parent 3374dfd8f9
commit 5aa1c32fcd
9 changed files with 55 additions and 16 deletions
--- a/charts/templates/ingress-https-ipwhitelist.yaml
+++ b/charts/templates/ingress-https-ipwhitelist.yaml
@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Chart.Name }}-ipwhitelist
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "htwkalender.labels" . | nindent 4 }}
+  annotations:
+    traefik.ingress.kubernetes.io/router.middlewares: "{{- printf "%s-%s@kubernetescrd" .Release.Namespace .Values.middlewares.httpsIPWhitelist.name }},traefik-https-redirect@kubernetescrd"
+spec:
+  ingressClassName: "PLACEHOLDER"
+  tls:
+    - hosts:
+      {{- range .Values.ingress.httpsIPWhitelist.hosts }}
+        - {{ .host | quote }}
+      {{- end }}
+      secretName: {{ $.Chart.Name }}-cert
+  rules:
+    {{- toYaml .Values.ingress.httpsIPWhitelist.hosts | nindent 4 }}
--- a/charts/templates/middleware-whitelist-ip.yaml
+++ b/charts/templates/middleware-whitelist-ip.yaml
@ -0,0 +1,11 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: {{ .Values.middlewares.httpsIPWhitelist.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "htwkalender.labels" . | nindent 4 }}
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 10.0.0.0/29
--- a/charts/values.yaml
+++ b/charts/values.yaml
@ -54,6 +54,10 @@ readinessProbe:
    path: /
    port: http

+middlewares:
+  httpsIPWhitelist:
+    name: ipwhitelist-fsrim-subnet
+
 ingress:
  https:
    annotations:
@ -69,6 +73,18 @@ ingress:
                  name: *service_ical
                  port:
                    number: *service_ical_port
+  httpsIPWhitelist:
+    hosts:
+      - host: *frontend_host
+        http:
+          paths:
+            - path: /_
+              pathType: ImplementationSpecific
+              backend:
+                service:
+                  name: *service_data_manager
+                  port:
+                    number: *service_data_manager_port
  httpsRedirect:
    hosts:
      - host: *frontend_host
@ -123,10 +139,3 @@ ingress:
                  name: *service_data_manager
                  port:
                    number: *service_data_manager_port
-            - path: /_
-              pathType: ImplementationSpecific
-              backend:
-                service:
-                  name: *service_data_manager
-                  port:
-                    number: *service_data_manager_port
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@ -46,7 +46,7 @@ services:
      - "net"

  rproxy:
-    image: docker.io/bitnami/nginx:1.25
+    image: docker.io/bitnami/nginx:1.28
    restart: always
    volumes:
      - ./reverseproxy.dev.conf:/opt/bitnami/nginx/conf/nginx.conf
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@ -45,7 +45,7 @@ services:
      - "net"

  rproxy:
-    image: docker.io/bitnami/nginx:1.25
+    image: docker.io/bitnami/nginx:1.28
    restart: always
    volumes:
      - ./reverseproxy.conf:/opt/bitnami/nginx/conf/nginx.conf
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -50,7 +50,7 @@ services:
      - "8000:8000"

  rproxy:
-    image: docker.io/bitnami/nginx:1.27
+    image: docker.io/bitnami/nginx:1.28
    volumes:
      - ./reverseproxy.local.conf:/opt/bitnami/nginx/conf/nginx.conf
    depends_on:
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@ -41,10 +41,10 @@ COPY . ./

 # production stage
 # https://hub.docker.com/r/bitnami/nginx -> always run as non-root user
-FROM docker.io/bitnami/nginx:1.27 AS prod
+FROM docker.io/bitnami/nginx:1.28 AS prod

 # copy build files from build container
-COPY --from=build /app/dist /app
 COPY ./nginx.conf /opt/bitnami/nginx/conf/nginx.conf
+COPY --from=build /app/dist /app

 EXPOSE 8000
--- a/services/data-manager/Dockerfile
+++ b/services/data-manager/Dockerfile
@ -29,7 +29,7 @@ COPY common/. ./common
 RUN CGO_ENABLED=1 GOOS=linux go build -o /htwkalender-data-manager data-manager/main.go

 # production stage
-FROM docker.io/alpine:3.21 AS prod
+FROM docker.io/alpine:3 AS prod

 WORKDIR /htwkalender-data-manager

@ -39,7 +39,7 @@ RUN adduser -Ds /bin/sh "$USER" && \
    chown -R "$USER":"$USER" ./

 # copies executable from build container
-COPY --chown=$USER:$USER --chmod=744 --from=build /htwkalender-data-manager ./
+COPY --chown=$USER:$USER --chmod=500 --from=build /htwkalender-data-manager ./

 USER $USER

--- a/services/ical/Dockerfile
+++ b/services/ical/Dockerfile
@ -29,7 +29,7 @@ COPY common/. ./common
 RUN CGO_ENABLED=1 GOOS=linux go build -o /htwkalender-ical ical/main.go

 # production stage
-FROM docker.io/alpine:3.21 AS prod
+FROM docker.io/alpine:3 AS prod

 WORKDIR /htwkalender-ical

@ -39,7 +39,7 @@ RUN adduser -Ds /bin/sh "$USER" && \
    chown -R "$USER":"$USER" ./

 # copies executable from build container
-COPY --chown=$USER:$USER --chmod=744 --from=build /htwkalender-ical ./
+COPY --chown=$USER:$USER --chmod=500 --from=build /htwkalender-ical ./

 USER $USER