viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

add vpn cli checks

Browse source
This commit is contained in:
viktorbarzin 2021-03-24 21:24:27 +00:00
parent aa7e3b6cb6
commit f52f85bf83
3 changed files with 21 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

13
cli/vpn.go
View file

@ -5,6 +5,7 @@ import (
"io/ioutil" "io/ioutil"
"net" "net"
"os" "os"
"regexp"
"strings" "strings"
"github.com/golang/glog" "github.com/golang/glog"
@ -19,6 +20,11 @@ const (
vpnLastIPConfFileRelative = "/modules/kubernetes/wireguard/extra/last_ip.txt" vpnLastIPConfFileRelative = "/modules/kubernetes/wireguard/extra/last_ip.txt"
) )
var (
allowedClientName = regexp.MustCompile(`^[a-zA-Z0-9 ]+$`)
allowedPubKey = regexp.MustCompile(`^[a-zA-Z0-9=]$`)
)
// addVPNClient inserts new client config // addVPNClient inserts new client config
func addVPNClient(gitFs *GitFS, clientName, publicKey, clientsConfPath, ip string) error { func addVPNClient(gitFs *GitFS, clientName, publicKey, clientsConfPath, ip string) error {
if clientName == "" { if clientName == "" {
@ -27,6 +33,13 @@ func addVPNClient(gitFs *GitFS, clientName, publicKey, clientsConfPath, ip strin
if publicKey == "" { if publicKey == "" {
return fmt.Errorf("public key cannot be empty when creating new vpn config") return fmt.Errorf("public key cannot be empty when creating new vpn config")
} }
if !allowedClientName.Match([]byte(clientName)) {
return fmt.Errorf("client key must match '%s', got %s", allowedClientName.String(), clientName)
}
if !allowedPubKey.Match([]byte(publicKey)) {
return fmt.Errorf("client public key must match '%s', got '%s'", allowedPubKey.String(), publicKey)
}
contents := "[Peer]\n# friendly_name = " + clientName + "\nPublicKey = " + publicKey + "\nAllowedIPs = " + ip + "\n\n" contents := "[Peer]\n# friendly_name = " + clientName + "\nPublicKey = " + publicKey + "\nAllowedIPs = " + ip + "\n\n"
glog.Infof("adding the following config: \n%s", contents) glog.Infof("adding the following config: \n%s", contents)
f, err := (*gitFs.fs).OpenFile(clientsConfPath, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0644) f, err := (*gitFs.fs).OpenFile(clientsConfPath, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0644)

6
modules/kubernetes/kafka/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {} variable "tls_secret_name" {}
variable "client_certificate_secret_name" {}
module "tls_secret" { module "tls_secret" {
source = "../setup_tls_secret" source = "../setup_tls_secret"
@ -109,7 +110,10 @@ resource "kubernetes_ingress" "kafka-ui" {
name = "kafka-ui-ingress" name = "kafka-ui-ingress"
namespace = "kafka" namespace = "kafka"
annotations = { annotations = {
"kubernetes.io/ingress.class" = "nginx" "kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/force-ssl-redirect" = "true"
"nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
"nginx.ingress.kubernetes.io/auth-tls-secret" = var.client_certificate_secret_name
} }
} }

5
modules/kubernetes/main.tf
View file

@ -84,8 +84,9 @@ module "hackmd" {
# } # }
module "kafka" { module "kafka" {
source = "./kafka" source = "./kafka"
tls_secret_name = var.tls_secret_name client_certificate_secret_name = var.client_certificate_secret_name
tls_secret_name = var.tls_secret_name
} }
module "kms" { module "kms" {