HTWK/htwkalender
1
1
Fork 0
mirror of https://gitlab.dit.htwk-leipzig.de/htwk-software/htwkalender.git synced 2025-08-07 04:09:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat: change some little security risks, add another ingress that has ip whitelist for admin panel and update some OCI image versions

Browse Source
This commit is contained in:
Justin Kreller
2025-05-12 23:26:29 +02:00
parent 3374dfd8f9
commit 5aa1c32fcd
9 changed files with 55 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
charts/templates/ingress-https-ipwhitelist.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Chart.Name }}-ipwhitelist
namespace: {{ .Release.Namespace }}
labels:
{{- include "htwkalender.labels" . | nindent 4 }}
annotations:
traefik.ingress.kubernetes.io/router.middlewares: "{{- printf "%s-%s@kubernetescrd" .Release.Namespace .Values.middlewares.httpsIPWhitelist.name }},traefik-https-redirect@kubernetescrd"
spec:
ingressClassName: "PLACEHOLDER"
tls:
- hosts:
{{- range .Values.ingress.httpsIPWhitelist.hosts }}
- {{ .host | quote }}
{{- end }}
secretName: {{ $.Chart.Name }}-cert
rules:
{{- toYaml .Values.ingress.httpsIPWhitelist.hosts | nindent 4 }}

11
charts/templates/middleware-whitelist-ip.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: {{ .Values.middlewares.httpsIPWhitelist.name }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "htwkalender.labels" . | nindent 4 }}
spec:
ipWhiteList:
sourceRange:
- 10.0.0.0/29

23
charts/values.yaml
View File

@@ -54,6 +54,10 @@ readinessProbe:
path: / path: /
port: http port: http
middlewares:
httpsIPWhitelist:
name: ipwhitelist-fsrim-subnet
ingress: ingress:
https: https:
annotations: annotations:
@@ -69,6 +73,18 @@ ingress:
name: *service_ical name: *service_ical
port: port:
number: *service_ical_port number: *service_ical_port
httpsIPWhitelist:
hosts:
- host: *frontend_host
http:
paths:
- path: /_
pathType: ImplementationSpecific
backend:
service:
name: *service_data_manager
port:
number: *service_data_manager_port
httpsRedirect: httpsRedirect:
hosts: hosts:
- host: *frontend_host - host: *frontend_host
@@ -123,10 +139,3 @@ ingress:
name: *service_data_manager name: *service_data_manager
port: port:
number: *service_data_manager_port number: *service_data_manager_port
- path: /_
pathType: ImplementationSpecific
backend:
service:
name: *service_data_manager
port:
number: *service_data_manager_port

2
docker-compose.dev.yml
View File

@@ -46,7 +46,7 @@ services:
- "net" - "net"
rproxy: rproxy:
image: docker.io/bitnami/nginx:1.25 image: docker.io/bitnami/nginx:1.28
restart: always restart: always
volumes: volumes:
- ./reverseproxy.dev.conf:/opt/bitnami/nginx/conf/nginx.conf - ./reverseproxy.dev.conf:/opt/bitnami/nginx/conf/nginx.conf

2
docker-compose.prod.yml
View File

@@ -45,7 +45,7 @@ services:
- "net" - "net"
rproxy: rproxy:
image: docker.io/bitnami/nginx:1.25 image: docker.io/bitnami/nginx:1.28
restart: always restart: always
volumes: volumes:
- ./reverseproxy.conf:/opt/bitnami/nginx/conf/nginx.conf - ./reverseproxy.conf:/opt/bitnami/nginx/conf/nginx.conf

2
docker-compose.yml
View File

@@ -50,7 +50,7 @@ services:
- "8000:8000" - "8000:8000"
rproxy: rproxy:
image: docker.io/bitnami/nginx:1.27 image: docker.io/bitnami/nginx:1.28
volumes: volumes:
- ./reverseproxy.local.conf:/opt/bitnami/nginx/conf/nginx.conf - ./reverseproxy.local.conf:/opt/bitnami/nginx/conf/nginx.conf
depends_on: depends_on:

4
frontend/Dockerfile
View File

@@ -41,10 +41,10 @@ COPY . ./
# production stage # production stage
# https://hub.docker.com/r/bitnami/nginx -> always run as non-root user # https://hub.docker.com/r/bitnami/nginx -> always run as non-root user
FROM docker.io/bitnami/nginx:1.27 AS prod FROM docker.io/bitnami/nginx:1.28 AS prod
# copy build files from build container # copy build files from build container
COPY --from=build /app/dist /app
COPY ./nginx.conf /opt/bitnami/nginx/conf/nginx.conf COPY ./nginx.conf /opt/bitnami/nginx/conf/nginx.conf
COPY --from=build /app/dist /app
EXPOSE 8000 EXPOSE 8000

4
services/data-manager/Dockerfile
View File

@@ -29,7 +29,7 @@ COPY common/. ./common
RUN CGO_ENABLED=1 GOOS=linux go build -o /htwkalender-data-manager data-manager/main.go RUN CGO_ENABLED=1 GOOS=linux go build -o /htwkalender-data-manager data-manager/main.go
# production stage # production stage
FROM docker.io/alpine:3.21 AS prod FROM docker.io/alpine:3 AS prod
WORKDIR /htwkalender-data-manager WORKDIR /htwkalender-data-manager
@@ -39,7 +39,7 @@ RUN adduser -Ds /bin/sh "$USER" && \
chown -R "$USER":"$USER" ./ chown -R "$USER":"$USER" ./
# copies executable from build container # copies executable from build container
COPY --chown=$USER:$USER --chmod=744 --from=build /htwkalender-data-manager ./ COPY --chown=$USER:$USER --chmod=500 --from=build /htwkalender-data-manager ./
USER $USER USER $USER

4
services/ical/Dockerfile
View File

@@ -29,7 +29,7 @@ COPY common/. ./common
RUN CGO_ENABLED=1 GOOS=linux go build -o /htwkalender-ical ical/main.go RUN CGO_ENABLED=1 GOOS=linux go build -o /htwkalender-ical ical/main.go
# production stage # production stage
FROM docker.io/alpine:3.21 AS prod FROM docker.io/alpine:3 AS prod
WORKDIR /htwkalender-ical WORKDIR /htwkalender-ical
@@ -39,7 +39,7 @@ RUN adduser -Ds /bin/sh "$USER" && \
chown -R "$USER":"$USER" ./ chown -R "$USER":"$USER" ./
# copies executable from build container # copies executable from build container
COPY --chown=$USER:$USER --chmod=744 --from=build /htwkalender-ical ./ COPY --chown=$USER:$USER --chmod=500 --from=build /htwkalender-ical ./
USER $USER USER $USER