Compare commits
5 Commits
cbceac786d
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| ca2800a5c9 | |||
| 9761996957 | |||
| 23c38fc813 | |||
| 1d3db54909 | |||
| 70077c1956 |
@@ -23,7 +23,7 @@ jobs:
|
||||
- name: Login to Gitea Container Registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: gitea.arcodange.duckdns.org
|
||||
registry: gitea.arcodange.lab
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.PACKAGES_TOKEN }}
|
||||
|
||||
@@ -35,7 +35,7 @@ jobs:
|
||||
TAGS="latest ${{ github.ref_name }}"
|
||||
docker build -t app .
|
||||
for TAG in $TAGS; do
|
||||
docker tag app gitea.arcodange.duckdns.org/${{ github.repository }}:$TAG
|
||||
docker push gitea.arcodange.duckdns.org/${{ github.repository }}:$TAG
|
||||
docker tag app gitea.arcodange.lab/${{ github.repository }}:$TAG
|
||||
docker push gitea.arcodange.lab/${{ github.repository }}:$TAG
|
||||
done
|
||||
|
||||
@@ -16,10 +16,11 @@ concurrency:
|
||||
|
||||
.vault_step: &vault_step
|
||||
name: read vault secret
|
||||
uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
|
||||
uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
|
||||
id: vault-secrets
|
||||
with:
|
||||
url: https://vault.arcodange.duckdns.org
|
||||
url: https://vault.arcodange.lab
|
||||
caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
|
||||
jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
|
||||
role: gitea_cicd_webapp
|
||||
method: jwt
|
||||
@@ -30,7 +31,7 @@ concurrency:
|
||||
jobs:
|
||||
gitea_vault_auth:
|
||||
name: Auth with gitea for vault
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-latest-ca
|
||||
outputs:
|
||||
gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
|
||||
steps:
|
||||
@@ -44,13 +45,16 @@ jobs:
|
||||
name: Tofu - Vault
|
||||
needs:
|
||||
- gitea_vault_auth
|
||||
runs-on: ubuntu-latest
|
||||
runs-on: ubuntu-latest-ca
|
||||
env:
|
||||
OPENTOFU_VERSION: 1.8.2
|
||||
TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
|
||||
VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
|
||||
steps:
|
||||
- *vault_step
|
||||
- uses: actions/checkout@v4
|
||||
- name: prepare vault self signed cert
|
||||
run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
|
||||
- name: terraform apply
|
||||
uses: dflook/terraform-apply@v1
|
||||
with:
|
||||
|
||||
@@ -4,7 +4,7 @@ metadata:
|
||||
name: {{ include "webapp.name" . }}-config
|
||||
namespace: {{ .Release.Namespace }}
|
||||
data:
|
||||
OAUTH_ALLOWED_HOST: webapp.arcodange.duckdns.org
|
||||
OAUTH_DEVICE_CODE_ALLOWED_IPS: 86.247.157.144,
|
||||
OAUTH_ALLOWED_HOSTS: webapp.arcodange.lab,webapp.arcodange.fr
|
||||
# OAUTH_DEVICE_CODE_ALLOWED_IPS: 86.238.234.54,
|
||||
DATABASE_URL: postgres://pgbouncer_auth:pgbouncer_auth@pgbouncer.tools/postgres?sslmode=disable
|
||||
# DATABASE_URL: postgres://username:password@localhost/dbname?sslmode=disable
|
||||
25
chart/templates/localIngress.yaml
Normal file
25
chart/templates/localIngress.yaml
Normal file
@@ -0,0 +1,25 @@
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/tracking-id: webapp:networking.k8s.io/Ingress:webapp/webapp
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||
traefik.ingress.kubernetes.io/router.middlewares: localIp@file
|
||||
traefik.ingress.kubernetes.io/router.tls: 'true'
|
||||
traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
|
||||
traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
|
||||
traefik.ingress.kubernetes.io/router.tls.domains.0.sans: webapp.arcodange.lab
|
||||
name: webapp-local
|
||||
namespace: webapp
|
||||
spec:
|
||||
rules:
|
||||
- host: webapp.arcodange.lab
|
||||
http:
|
||||
paths:
|
||||
- backend:
|
||||
service:
|
||||
name: webapp
|
||||
port:
|
||||
number: 8080
|
||||
path: /
|
||||
pathType: Prefix
|
||||
@@ -5,7 +5,7 @@
|
||||
replicaCount: 1
|
||||
|
||||
image:
|
||||
repository: gitea.arcodange.duckdns.org/arcodange-org/webapp
|
||||
repository: gitea.arcodange.lab/arcodange-org/webapp
|
||||
pullPolicy: Always
|
||||
# Overrides the image tag whose default is the chart appVersion.
|
||||
tag: ""
|
||||
@@ -47,18 +47,31 @@ ingress:
|
||||
enabled: true
|
||||
className: ""
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||
traefik.ingress.kubernetes.io/router.tls: "true"
|
||||
traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
|
||||
traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.duckdns.org
|
||||
traefik.ingress.kubernetes.io/router.tls.domains.0.sans: webapp.arcodange.duckdns.org
|
||||
traefik.ingress.kubernetes.io/router.middlewares: localIp@file
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: web
|
||||
traefik.ingress.kubernetes.io/router.middlewares: kube-system-crowdsec@kubernetescrd
|
||||
hosts:
|
||||
- host: webapp.arcodange.duckdns.org
|
||||
- host: webapp.arcodange.fr
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls: []
|
||||
|
||||
# ingress:
|
||||
# enabled: true
|
||||
# className: ""
|
||||
# annotations:
|
||||
# traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||
# traefik.ingress.kubernetes.io/router.tls: "true"
|
||||
# traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
|
||||
# traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
|
||||
# traefik.ingress.kubernetes.io/router.tls.domains.0.sans: webapp.arcodange.lab
|
||||
# traefik.ingress.kubernetes.io/router.middlewares: localIp@file
|
||||
# hosts:
|
||||
# - host: webapp.arcodange.lab
|
||||
# paths:
|
||||
# - path: /
|
||||
# pathType: Prefix
|
||||
# tls: []
|
||||
# - secretName: chart-example-tls
|
||||
# hosts:
|
||||
# - chart-example.local
|
||||
|
||||
2
go.mod
2
go.mod
@@ -1,4 +1,4 @@
|
||||
module gitea.arcodange.duckdns.org/arcodange-org/webapp
|
||||
module gitea.arcodange.lab/arcodange-org/webapp
|
||||
|
||||
go 1.23
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@ terraform {
|
||||
}
|
||||
|
||||
provider vault {
|
||||
address = "https://vault.arcodange.duckdns.org"
|
||||
address = "https://vault.arcodange.lab"
|
||||
auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
|
||||
mount = "gitea_jwt"
|
||||
role = "gitea_cicd_webapp"
|
||||
|
||||
25
main.go
25
main.go
@@ -21,8 +21,11 @@ import (
|
||||
var (
|
||||
db *sql.DB // Global database connection
|
||||
c = cache.New(5*time.Minute, 10*time.Minute)
|
||||
oauthAllowedHost = os.Getenv("OAUTH_ALLOWED_HOST") // URL authorized for device code
|
||||
oauthAllowedHosts = strings.Split(os.Getenv("OAUTH_ALLOWED_HOSTS"), ",") // authorized HOSTS for device code
|
||||
oauthDeviceCodeAllowedIPs = strings.Split(os.Getenv("OAUTH_DEVICE_CODE_ALLOWED_IPS"), ",") // IPS autorisées pour /retrieve
|
||||
_, localNetwork, _ = net.ParseCIDR("192.168.0.0/16")
|
||||
_, localNetworkIPV6, _ = net.ParseCIDR("2a01:cb04:dff:cf00::/56")
|
||||
_, k3sNetwork, _ = net.ParseCIDR("10.42.0.0/16")
|
||||
)
|
||||
|
||||
// dbConnection initializes the database connection.
|
||||
@@ -103,7 +106,7 @@ func indexHandler(w http.ResponseWriter, r *http.Request) {
|
||||
</body>
|
||||
</html>
|
||||
`
|
||||
fmt.Fprintf(w, tmpl)
|
||||
fmt.Fprint(w, tmpl)
|
||||
}
|
||||
|
||||
// selectHandler handles HTTP requests and executes a SQL query.
|
||||
@@ -151,7 +154,7 @@ func oauth2_callback(w http.ResponseWriter, r *http.Request) {
|
||||
// Vérifier le référent (ou origine)
|
||||
|
||||
hostHeader := strings.Trim(r.Header.Get("X-Forwarded-Host"), "[]")
|
||||
if oauthAllowedHost != "" && hostHeader != oauthAllowedHost {
|
||||
if len(oauthAllowedHosts) > 0 && !slices.Contains(oauthAllowedHosts, hostHeader) {
|
||||
fmt.Fprintln(os.Stderr, "X-Forwarded-Host: "+hostHeader)
|
||||
fmt.Fprintln(os.Stderr, "received headers")
|
||||
for key, value := range r.Header {
|
||||
@@ -283,11 +286,17 @@ func oauth2_callback(w http.ResponseWriter, r *http.Request) {
|
||||
func retrieveHandler(w http.ResponseWriter, r *http.Request) {
|
||||
// Récupérer l'IP de l'utilisateur
|
||||
userIP, _, err := net.SplitHostPort(r.RemoteAddr)
|
||||
userIPforwarded := r.Header.Get("X-Forwarded-For")
|
||||
userIPforwarded := net.ParseIP(r.Header.Get("X-Forwarded-For"))
|
||||
ip := userIPforwarded
|
||||
if ip == nil {
|
||||
ip = net.ParseIP(userIP)
|
||||
}
|
||||
if err != nil ||
|
||||
!slices.Contains(oauthDeviceCodeAllowedIPs, userIP) &&
|
||||
!slices.Contains(oauthDeviceCodeAllowedIPs, userIPforwarded) {
|
||||
fmt.Fprintln(os.Stderr, "denied userIP: "+userIP+" forwarded: "+userIPforwarded)
|
||||
!slices.Contains(oauthDeviceCodeAllowedIPs, ip.String()) &&
|
||||
!localNetwork.Contains(ip) &&
|
||||
!localNetworkIPV6.Contains(ip) &&
|
||||
!k3sNetwork.Contains(ip) {
|
||||
fmt.Fprintln(os.Stderr, "denied userIP: "+userIP+" forwarded: "+userIPforwarded.String())
|
||||
fmt.Fprintf(os.Stderr, "alowed ips: %+v", oauthDeviceCodeAllowedIPs)
|
||||
// Parcourir tous les headers
|
||||
for name, values := range r.Header {
|
||||
@@ -480,7 +489,7 @@ func main() {
|
||||
|
||||
/*
|
||||
Gitea doesn't come with device flow # https://github.com/go-gitea/gitea/issues/27309
|
||||
https://gitea.arcodange.duckdns.org/.well-known/openid-configuration
|
||||
https://gitea.arcodange.lab/.well-known/openid-configuration
|
||||
"grant_types_supported": [
|
||||
"authorization_code",
|
||||
"refresh_token"
|
||||
|
||||
Reference in New Issue
Block a user