add vpn cli checks
This commit is contained in:
parent
0408b32848
commit
d11a85106c
4 changed files with 21 additions and 3 deletions
13
cli/vpn.go
13
cli/vpn.go
|
|
@ -5,6 +5,7 @@ import (
|
|||
"io/ioutil"
|
||||
"net"
|
||||
"os"
|
||||
"regexp"
|
||||
"strings"
|
||||
|
||||
"github.com/golang/glog"
|
||||
|
|
@ -19,6 +20,11 @@ const (
|
|||
vpnLastIPConfFileRelative = "/modules/kubernetes/wireguard/extra/last_ip.txt"
|
||||
)
|
||||
|
||||
var (
|
||||
allowedClientName = regexp.MustCompile(`^[a-zA-Z0-9 ]+$`)
|
||||
allowedPubKey = regexp.MustCompile(`^[a-zA-Z0-9=]$`)
|
||||
)
|
||||
|
||||
// addVPNClient inserts new client config
|
||||
func addVPNClient(gitFs *GitFS, clientName, publicKey, clientsConfPath, ip string) error {
|
||||
if clientName == "" {
|
||||
|
|
@ -27,6 +33,13 @@ func addVPNClient(gitFs *GitFS, clientName, publicKey, clientsConfPath, ip strin
|
|||
if publicKey == "" {
|
||||
return fmt.Errorf("public key cannot be empty when creating new vpn config")
|
||||
}
|
||||
if !allowedClientName.Match([]byte(clientName)) {
|
||||
return fmt.Errorf("client key must match '%s', got %s", allowedClientName.String(), clientName)
|
||||
}
|
||||
if !allowedPubKey.Match([]byte(publicKey)) {
|
||||
return fmt.Errorf("client public key must match '%s', got '%s'", allowedPubKey.String(), publicKey)
|
||||
}
|
||||
|
||||
contents := "[Peer]\n# friendly_name = " + clientName + "\nPublicKey = " + publicKey + "\nAllowedIPs = " + ip + "\n\n"
|
||||
glog.Infof("adding the following config: \n%s", contents)
|
||||
f, err := (*gitFs.fs).OpenFile(clientsConfPath, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0644)
|
||||
|
|
|
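Review bot: `allowedPubKey` is compiled from `^[a-zA-Z0-9=]$`, which matches exactly one character and excludes `+` and `/`, so the check added after the `publicKey == ""` guard will reject every real WireGuard public key (32 bytes base64-encoded: 43 base64 characters followed by one `=`); the missing quantifier looks like a typo. Pinning the exact key shape with the pattern `^[A-Za-z0-9+/]{43}=$` keeps what this check presumably exists for, namely stopping a newline or a second `[Peer]` section from being smuggled into the INI-style config that `contents` builds from `clientName`, `publicKey` and `ip`. `ip` is interpolated into `AllowedIPs` with no validation at all; if it can originate from the command line rather than from `last_ip.txt`, `net.ParseCIDR` (the package is already imported) would close the same gap. `allowedClientName` also accepts a name consisting only of spaces, so applying `strings.TrimSpace` before the emptiness check would be cheap. The body of `addVPNClient` continues outside the hunk.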
|||
|
|
@ -1,4 +1,5 @@
|
|||
variable "tls_secret_name" {}
|
||||
variable "client_certificate_secret_name" {}
|
||||
|
||||
module "tls_secret" {
|
||||
source = "../setup_tls_secret"
|
||||
|
|
@ -109,7 +110,10 @@ resource "kubernetes_ingress" "kafka-ui" {
|
|||
name = "kafka-ui-ingress"
|
||||
namespace = "kafka"
|
||||
annotations = {
|
||||
"kubernetes.io/ingress.class" = "nginx"
|
||||
"kubernetes.io/ingress.class" = "nginx"
|
||||
"nginx.ingress.kubernetes.io/force-ssl-redirect" = "true"
|
||||
"nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
|
||||
"nginx.ingress.kubernetes.io/auth-tls-secret" = var.client_certificate_secret_name
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
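Review bot: `nginx.ingress.kubernetes.io/auth-tls-secret` expects the CA secret as `namespace/name`, but the new annotation passes `var.client_certificate_secret_name` through unchanged; unless that variable already carries the namespace prefix, ingress-nginx will fail to load the secret and, as far as I recall, log an annotation error and serve the location without client-certificate verification, which silently defeats `auth-tls-verify-client = "on"`. If the secret lives next to the ingress in the `kafka` namespace, `"nginx.ingress.kubernetes.io/auth-tls-secret" = "kafka/${var.client_certificate_secret_name}"` makes that contract explicit; otherwise the expected form should be documented where the variable is declared. The new `variable "client_certificate_secret_name" {}` in the first hunk has neither `type` nor `description`; `type = string` plus a description stating the `namespace/name` requirement would surface the mistake at plan time instead of at the first TLS handshake. Please confirm the failure mode against the ingress-nginx version actually deployed.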
|||
|
|
@ -84,8 +84,9 @@ module "hackmd" {
|
|||
# }
|
||||
|
||||
module "kafka" {
|
||||
source = "./kafka"
|
||||
tls_secret_name = var.tls_secret_name
|
||||
source = "./kafka"
|
||||
client_certificate_secret_name = var.client_certificate_secret_name
|
||||
tls_secret_name = var.tls_secret_name
|
||||
}
|
||||
|
||||
module "kms" {
|
||||
|
|
|
|||
Binary file not shown.