diff --git a/charts/templates/ingress-https-ipwhitelist.yaml b/charts/templates/ingress-https-ipwhitelist.yaml
new file mode 100644
index 0000000..260bdc7
--- /dev/null
+++ b/charts/templates/ingress-https-ipwhitelist.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ .Chart.Name }}-ipwhitelist
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "htwkalender.labels" . | nindent 4 }}
+ annotations:
+ traefik.ingress.kubernetes.io/router.middlewares: "{{- printf "%s-%s@kubernetescrd" .Release.Namespace .Values.middlewares.httpsIPWhitelist.name }},traefik-https-redirect@kubernetescrd"
+spec:
+ ingressClassName: "PLACEHOLDER"
+ tls:
+ - hosts:
+ {{- range .Values.ingress.httpsIPWhitelist.hosts }}
+ - {{ .host | quote }}
+ {{- end }}
+ secretName: {{ $.Chart.Name }}-cert
+ rules:
+ {{- toYaml .Values.ingress.httpsIPWhitelist.hosts | nindent 4 }}
diff --git a/charts/templates/middleware-whitelist-ip.yaml b/charts/templates/middleware-whitelist-ip.yaml
new file mode 100644
index 0000000..777fe89
--- /dev/null
+++ b/charts/templates/middleware-whitelist-ip.yaml
@@ -0,0 +1,11 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ .Values.middlewares.httpsIPWhitelist.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "htwkalender.labels" . | nindent 4 }}
+spec:
+ ipWhiteList:
+ sourceRange:
+ - 10.0.0.0/29
\ No newline at end of file
diff --git a/charts/values.yaml b/charts/values.yaml
index 3f57ea8..32f46d0 100644
--- a/charts/values.yaml
+++ b/charts/values.yaml
@@ -54,6 +54,10 @@ readinessProbe:
 path: /
 port: http
 
+middlewares:
+ httpsIPWhitelist:
+ name: ipwhitelist-fsrim-subnet
+
 ingress:
 https:
 annotations:
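Review bot: `ingressClassName: "PLACEHOLDER"` in the spec is a literal left in the template, so the rendered Ingress names a class no controller will claim, and because the `/_` rule is removed from the plain https values further down in this diff that path ends up unreachable rather than allowlisted (it fails closed, but that is clearly not the intent). Read it from values the way the rest of the resource does, e.g. `ingressClassName: {{ .Values.ingress.className | quote }}` — the key name is only a suggestion; use whatever the existing https Ingress template already reads. As a minor point of style, the `{{-` inside the quoted `router.middlewares` annotation has no whitespace to trim and can be a plain `{{`.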
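Review bot: `sourceRange` hard-codes `10.0.0.0/29` in the template while the middleware's name is already taken from `.Values.middlewares.httpsIPWhitelist`; an environment-specific CIDR belongs beside it in values, e.g. `sourceRange: {{- toYaml .Values.middlewares.httpsIPWhitelist.sourceRange | nindent 6 }}` (suggested key). For the control itself, `ipWhiteList` compares the client address Traefik observes, so if Traefik sits behind a load balancer or another proxy every request carries that hop's address and the rule either blocks everyone or, should that hop fall inside the range, admits everyone; in that topology the entrypoint has to trust forwarded headers from that hop and the middleware needs an `ipStrategy` (`depth` or `excludedIPs`), which cannot be verified from the chart alone and deserves a comment above `sourceRange` stating the assumption. If the cluster runs Traefik v3, `ipWhiteList` is deprecated there in favour of `ipAllowList` with the same fields. The file also lacks a trailing newline.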
@@ -69,6 +73,18 @@ ingress:
 name: *service_ical
 port:
 number: *service_ical_port
+ httpsIPWhitelist:
+ hosts:
+ - host: *frontend_host
+ http:
+ paths:
+ - path: /_
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: *service_data_manager
+ port:
+ number: *service_data_manager_port
 httpsRedirect:
 hosts:
 - host: *frontend_host
@@ -123,10 +139,3 @@ ingress:
 name: *service_data_manager
 port:
 number: *service_data_manager_port
- - path: /_
- pathType: ImplementationSpecific
- backend:
- service:
- name: *service_data_manager
- port:
- number: *service_data_manager_port
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index e29a4f4..c9cb379 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -46,7 +46,7 @@ services:
 - "net"
 
 rproxy:
- image: docker.io/bitnami/nginx:1.25
+ image: docker.io/bitnami/nginx:1.28
 restart: always
 volumes:
 - ./reverseproxy.dev.conf:/opt/bitnami/nginx/conf/nginx.conf
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index d637c7f..772b023 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -45,7 +45,7 @@ services:
 - "net"
 
 rproxy:
- image: docker.io/bitnami/nginx:1.25
+ image: docker.io/bitnami/nginx:1.28
 restart: always
 volumes:
 - ./reverseproxy.conf:/opt/bitnami/nginx/conf/nginx.conf
diff --git a/docker-compose.yml b/docker-compose.yml
index cbdefe9..968f180 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -50,7 +50,7 @@ services:
 - "8000:8000"
 
 rproxy:
- image: docker.io/bitnami/nginx:1.27
+ image: docker.io/bitnami/nginx:1.28
 volumes:
 - ./reverseproxy.local.conf:/opt/bitnami/nginx/conf/nginx.conf
 depends_on:
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index f54973a..5cdcaa3 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
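Review bot: With `pathType: ImplementationSpecific` Traefik treats `/_` as a prefix match, so this rule also captures `/_<anything>` on `*frontend_host`; that is presumably intended for the data-manager's admin routes but deserves a comment on the `- path: /_` line saying so. The allowlist protects only requests routed through the new Ingress: any rule still present in the `https` section for the same host whose prefix also matches `/_` at equal or higher priority would reach `*service_data_manager` without the middleware, so confirm the deletion in the `-123,10` hunk removes the only such overlap. The `https` section itself begins outside these hunks.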
@@ -41,10 +41,10 @@ COPY . ./
 
 # production stage
 # https://hub.docker.com/r/bitnami/nginx -> always run as non-root user
-FROM docker.io/bitnami/nginx:1.27 AS prod
+FROM docker.io/bitnami/nginx:1.28 AS prod
 
 # copy build files from build container
-COPY --from=build /app/dist /app
 COPY ./nginx.conf /opt/bitnami/nginx/conf/nginx.conf
+COPY --from=build /app/dist /app
 
 EXPOSE 8000
diff --git a/services/data-manager/Dockerfile b/services/data-manager/Dockerfile
index e0c5ded..cefa788 100644
--- a/services/data-manager/Dockerfile
+++ b/services/data-manager/Dockerfile
@@ -29,7 +29,7 @@ COPY common/. ./common
 RUN CGO_ENABLED=1 GOOS=linux go build -o /htwkalender-data-manager data-manager/main.go
 
 # production stage
-FROM docker.io/alpine:3.21 AS prod
+FROM docker.io/alpine:3 AS prod
 
 WORKDIR /htwkalender-data-manager
 
@@ -39,7 +39,7 @@ RUN adduser -Ds /bin/sh "$USER" && \
 chown -R "$USER":"$USER" ./
 
 # copies executable from build container
-COPY --chown=$USER:$USER --chmod=744 --from=build /htwkalender-data-manager ./
+COPY --chown=$USER:$USER --chmod=500 --from=build /htwkalender-data-manager ./
 
 USER $USER
diff --git a/services/ical/Dockerfile b/services/ical/Dockerfile
index 1c04ab9..f3963f3 100644
--- a/services/ical/Dockerfile
+++ b/services/ical/Dockerfile
@@ -29,7 +29,7 @@ COPY common/. ./common
 RUN CGO_ENABLED=1 GOOS=linux go build -o /htwkalender-ical ical/main.go
 
 # production stage
-FROM docker.io/alpine:3.21 AS prod
+FROM docker.io/alpine:3 AS prod
 
 WORKDIR /htwkalender-ical
 
@@ -39,7 +39,7 @@ RUN adduser -Ds /bin/sh "$USER" && \
 chown -R "$USER":"$USER" ./
 
 # copies executable from build container
-COPY --chown=$USER:$USER --chmod=744 --from=build /htwkalender-ical ./
+COPY --chown=$USER:$USER --chmod=500 --from=build /htwkalender-ical ./
 
 USER $USER
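Review bot: `FROM docker.io/alpine:3 AS prod` in the data-manager Dockerfile (and the identical hunk in services/ical/Dockerfile) replaces a pinned minor with a floating major tag, so two builds of the same commit can resolve to different base images and a scan result is no longer tied to the source revision. Keep at least the minor pin (`FROM docker.io/alpine:3.21 AS prod`, bumped when needed) or pin a digest, and let dependency automation do the bumping. The `--chmod=500` change in the following hunks is a sound tightening: the binary runs as `$USER` and needs neither write nor group/other access.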