fix: allow g14 langbot postgres access
@@ -86,6 +86,9 @@ postgres:
|
||||
- id: D601-public
|
||||
cidr: 36.49.29.73/32
|
||||
purpose: platform-infra-standby-app
|
||||
- id: G14-public
|
||||
cidr: 202.98.17.68/32
|
||||
purpose: platform-infra-langbot-runtime
|
||||
tuning:
|
||||
maxConnections: 50
|
||||
sharedBuffers: 512MB
|
||||
@@ -156,6 +159,16 @@ postgres:
|
||||
user: langbot
|
||||
address: 74.48.78.17/32
|
||||
method: scram-sha-256
|
||||
- type: hostssl
|
||||
database: langbot
|
||||
user: langbot
|
||||
address: 202.98.17.68/32
|
||||
method: scram-sha-256
|
||||
- type: hostssl
|
||||
database: postgres
|
||||
user: langbot
|
||||
address: 202.98.17.68/32
|
||||
method: scram-sha-256
|
||||
|
||||
secrets:
|
||||
source: master-local
|
||||
|
||||
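Review bot: The second new hostssl block grants `langbot` from `202.98.17.68/32` access to the `postgres` maintenance database in addition to the `langbot` database, which is wider than what the visible existing rule for `74.48.78.17/32` shows; unless the runtime actually needs that database (for bootstrapping, say), the `database: postgres` rule is the one to drop for least privilege. The same host CIDR is now spelled out three times — the `G14-public` allowlist entry in the first hunk and both hba rules — so a comment such as `# G14-public langbot runtime host; keep in sync with the postgres access allowlist above` on the first rule, or a single shared definition, would make the next host change harder to get half-done. `hostssl` with `scram-sha-256` is the right combination for a client on a public address.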
@@ -473,7 +473,8 @@ async function apply(config: UniDeskConfig, options: ApplyOptions): Promise<Reco
|
||||
}
|
||||
const secretMaterial = prepareSecretMaterial(langbot);
|
||||
const frpcSecret = prepareFrpcSecret(langbot, target);
|
||||
const result = await capture(config, target.route, ["script"], applyScript(yaml, langbot, target, secretMaterial, frpcSecret));
|
||||
const confirmedYaml = renderManifest(langbot, target, secretMaterial.fingerprint);
|
||||
const result = await capture(config, target.route, ["script"], applyScript(confirmedYaml, langbot, target, secretMaterial, frpcSecret));
|
||||
const parsed = parseJsonOutput(result.stdout);
|
||||
const caddy = await applyPk01Caddy(config, target);
|
||||
return {
|
||||
@@ -642,7 +643,7 @@ function query(options: QueryOptions): Record<string, unknown> {
|
||||
};
|
||||
}
|
||||
|
||||
function renderManifest(langbot: LangBotConfig, target: LangBotTarget): string {
|
||||
function renderManifest(langbot: LangBotConfig, target: LangBotTarget, secretFingerprint = "not-prepared"): string {
|
||||
const image = `${langbot.image.repository}:${langbot.image.tag}`;
|
||||
const configHash = createHash("sha256").update(JSON.stringify({ langbot, target })).digest("hex").slice(0, 16);
|
||||
const db = langbot.runtime.database;
|
||||
@@ -859,6 +860,7 @@ spec:
|
||||
app.kubernetes.io/part-of: platform-infra
|
||||
annotations:
|
||||
unidesk.ai/langbot-config-hash: "${configHash}"
|
||||
unidesk.ai/langbot-secret-fingerprint: "${secretFingerprint}"
|
||||
unidesk.ai/public-base-url: "${exposure.publicBaseUrl}"
|
||||
unidesk.ai/box-enabled: "${langbot.runtime.box.enabled}"
|
||||
spec:
|
||||
@@ -1459,14 +1461,28 @@ tmp="$(mktemp -d)"
|
||||
trap 'rm -rf "$tmp"' EXIT
|
||||
${commands}
|
||||
python3 - "$tmp" ${components.map((item) => shQuote(item)).join(" ")} <<'PY'
|
||||
import json, os, sys
|
||||
import json, os, re, sys
|
||||
tmp = sys.argv[1]
|
||||
components = sys.argv[2:]
|
||||
payload = {"ok": True, "components": {}, "valuesPrinted": False}
|
||||
secret_markers = ("PASSWORD", "SECRET", "TOKEN", "API_KEY", "DATABASE_URL")
|
||||
generic_secret = re.compile(r"(?i)((?:password|secret|token|api[_-]?key|database_url)\\s*[=:]\\s*)[^\\s,;]+")
|
||||
def redact(value):
|
||||
value = re.sub(r"lbk_[A-Za-z0-9_-]+", "lbk_<redacted>", value)
|
||||
value = re.sub(r"(postgresql://)[^@\\s]+@", r"\\1<redacted>@", value)
|
||||
redacted_lines = []
|
||||
for line in value.splitlines():
|
||||
if "env_key:" in line and "env_value:" in line:
|
||||
key = line.split("env_key:", 1)[1].split(",", 1)[0].strip().upper()
|
||||
if any(marker in key for marker in secret_markers):
|
||||
line = line.split("env_value:", 1)[0] + "env_value: <redacted>"
|
||||
line = generic_secret.sub(r"\\1<redacted>", line)
|
||||
redacted_lines.append(line)
|
||||
return "\\n".join(redacted_lines)
|
||||
for component in components:
|
||||
def text(suffix):
|
||||
try:
|
||||
return open(os.path.join(tmp, f"{component}.{suffix}"), encoding="utf-8", errors="replace").read()[-12000:]
|
||||
return redact(open(os.path.join(tmp, f"{component}.{suffix}"), encoding="utf-8", errors="replace").read())[-12000:]
|
||||
except FileNotFoundError:
|
||||
return ""
|
||||
rc_text = text("rc").strip()
|
||||
|
||||
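Review bot: The connection-string redaction in `redact`, `value = re.sub(r"(postgresql://)[^@\\s]+@", r"\\1<redacted>@", value)`, matches only the `postgresql://` scheme, while libpq also accepts the `postgres://` alias, so a DATABASE_URL written that way reaches the captured output with its credentials intact; `value = re.sub(r"(postgres(?:ql)?://)[^@\\s]+@", r"\\1<redacted>@", value)` covers both. The generic pattern has a similar gap: it requires the separator to follow the key name directly, so a JSON-style `"password": "..."` is not matched because of the closing quote, and `[^\\s,;]+` stops at the first space inside a quoted value; allowing an optional quote on each side of `[=:]` (escaped for both the template literal and the raw string) and stopping the value at a quote as well would close that. Independently, `text()` never closes the file it opens on the `return redact(open(...)...)` line; a `with open(...) as fh:` around the read keeps the handle bounded. Since these are deny-list heuristics, the note worth adding above `secret_markers` is that they are a last line of defence and any new secret-bearing key must be added to both the marker tuple and the regex. The redaction hunk's enclosing heredoc and `for component in components:` loop continue outside the hunk.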