
Commit f7af517

version 2.16.0 (#99)
* version 2.16.0 (#98)
* add howto test behind HTTP proxy
* update actions/upload-artifact action to v5 (#97)
1 parent 9aa398c commit f7af517

4 files changed

Lines changed: 89 additions & 5 deletions


.github/workflows/build-image.yml

Lines changed: 3 additions & 3 deletions
@@ -8,7 +8,7 @@ jobs:
88
runs-on: ubuntu-latest
99
steps:
1010
- name: Checkout code
11-
uses: actions/checkout@v4
11+
uses: actions/checkout@v5
1212

1313
- name: Add VirtualBox and other dependencies
1414
run: |
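Review bot: the commit message only lists the actions/upload-artifact bump (#97), but this hunk also moves `actions/checkout` from `@v4` to `@v5`; mention it in the message or split it into its own commit so the change is discoverable later. Both actions are referenced by a mutable major tag. For a workflow that builds and publishes an appliance image, pin to a full-length commit SHA with the tag as a trailing comment (`uses: actions/checkout@<full-sha> # v5`) so a moved or compromised tag cannot silently change what runs in the build.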
@@ -36,13 +36,13 @@ jobs:
3636
id: appliance_ovf
3737

3838
- name: Save original OVF file
39-
uses: actions/upload-artifact@v4
39+
uses: actions/upload-artifact@v5
4040
with:
4141
name: czertainly-appliance-original-ovf-file
4242
path: "tmp/${{ steps.appliance_ovf.outputs.APPLIANCE_ORIG_OVF }}"
4343

4444
- name: Save builded CZERTAINLY Appliance OVA file
45-
uses: actions/upload-artifact@v4
45+
uses: actions/upload-artifact@v5
4646
with:
4747
name: "${{ steps.appliance_name.outputs.APPLIANCE_FILENAME }}"
4848
path: "tmp/${{ steps.appliance_name.outputs.APPLIANCE_FILENAME }}"
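Review bot: both upload-artifact steps are bumped to `@v5` together, which is right since they run in the same job, but as with the checkout step a commit-SHA pin is preferable to the floating `@v5` tag. While touching these lines, the step name "Save builded CZERTAINLY Appliance OVA file" should read "Save built CZERTAINLY Appliance OVA file", and since both `path:` values are computed from earlier step outputs, adding `if-no-files-found: error` would make a missing OVF/OVA fail the job instead of uploading nothing with only a warning.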

http-proxy.md

Lines changed: 84 additions & 0 deletions
@@ -0,0 +1,84 @@
1+
# Testing the Appliance behind HTTP Proxy
2+
3+
This guide is meant for developers who want to test the Appliance behind an HTTP proxy.
4+
5+
## Prerequisites
6+
7+
VirtualBox with configured Host-only Network (File -> Tools -> Network manager). In this guide I use vboxnet0 with IP network 192.168.56.0/24
8+
9+
### DNS
10+
DNS server running on same host as VirtualBox. DNSMASQ with config `/etc/dnsmasq.conf`:
11+
```conf
12+
interface=vboxnet0 # VirtualBox host-only interface name
13+
listen-address=192.168.56.1 # Host-only IP
14+
bind-interfaces
15+
server=192.168.1.1 # Upstream DNS
16+
```
17+
will do the trick.
18+
19+
### HTTP Proxy
20+
And finally Squid proxy server. I used squid-5.7-2+deb12u2 on Debian Bookworm and tested with CZERTAINLY v 2.15.1. With following config `/etc/squid/conf.d/vboxnet0.conf`:
21+
22+
```conf
23+
# Allow access from your host-only network (e.g., 192.168.56.0/24)
24+
acl hostonlynet src 192.168.56.0/24
25+
26+
# Debian package system - needed for system updates
27+
acl debian_packages dstdomain deb.debian.org security.debian.org
28+
# 3Key Resources - debian package + oci helm charts
29+
acl 3key_resources dstdomain deb.czertainly.com harbor.3key.company
30+
# Resources for helm package + helm diff plugin
31+
# https://github.com/CZERTAINLY/ansible-role-helm/blob/develop/tasks/helm.yml#L28
32+
# https://github.com/CZERTAINLY/ansible-role-helm/blob/develop/tasks/helm_diff.yml#L13
33+
acl helm_resources dstdom_regex ^packages.buildkite.com$ ^github.com$ ^release-assets.githubusercontent.com$ cloudfront.net$
34+
# Resources for Docker needed by RKE2, cert-manager and CZERTAINLY
35+
acl docker_resources dstdomain index.docker.io auth.docker.io production.cloudflare.docker.com registry-1.docker.io
36+
# Resources for RKE2
37+
acl rke2_resources dstdomain get.rke2.io update.rke2.io
38+
# Resources for local-path-provisioner
39+
# docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443 seems like crazy name
40+
# that is why are using regex.
41+
acl local_path_resources dstdom_regex ^raw\.githubusercontent\.com$ ^docker-images-prod\..*\.cloudflarestorage\.com$
42+
# Resources for cert-manager - images are at cdn01.quay.io I rather use regex.
43+
acl cert_mananager_resources dstdom_regex ^charts\.jetstack\.io$ ^quay\.io$ ^cdn.*\.quay\.io$
44+
45+
# Access rules: Only allow source from hostonlynet to allowed_domains
46+
http_access allow hostonlynet debian_packages
47+
http_access allow hostonlynet 3key_resources
48+
http_access allow hostonlynet helm_resources
49+
http_access allow hostonlynet docker_resources
50+
http_access allow hostonlynet rke2_resources
51+
http_access allow hostonlynet local_path_resources
52+
http_access allow hostonlynet cert_mananager_resources
53+
54+
# Deny all other traffic from hostonlynet
55+
http_access deny hostonlynet
56+
57+
# Usual final deny all
58+
http_access deny all
59+
```
60+
61+
## Appliance testing
62+
63+
Exec appliance, gain root and manually do following tasks.
64+
65+
Configure DNS Server as Host-only adapter doesn't provide any:
66+
```
67+
echo "nameserver 192.168.56.1" > /etc/resolv.conf
68+
```
69+
70+
Add default route (without it rke2 install fails):
71+
```
72+
echo '#!/bin/sh
73+
74+
ip route add default via 192.168.56.1 dev eth0
75+
exit 0
76+
' > /etc/network/if-up.d/eth0-poststart
77+
chmod +x /etc/network/if-up.d/eth0-poststart
78+
```
79+
80+
Configure HTTP proxy using TUI to use https://192.168.56.1:3128/
81+
82+
Reboot to make sure changes take effect.
83+
84+
**Commence testing behind the HTTP proxy.**
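Review bot: the proxy URL on line 80 of the new file, `https://192.168.56.1:3128/`, does not match the Squid configuration shown. Squid's default `http_port 3128` accepts plain HTTP from clients, and the `/etc/squid/conf.d/vboxnet0.conf` fragment adds no `https_port`, so a client that opens TLS to 3128 will fail at the handshake; the TUI should be given `http://192.168.56.1:3128/`. Secondary points in the ACLs: `helm_resources` uses `dstdom_regex` with unescaped dots (`^packages.buildkite.com$ ^github.com$ ^release-assets.githubusercontent.com$`) and a front-unanchored `cloudfront.net$`, which matches every CloudFront distribution rather than the ones Helm actually needs; the fixed hostnames belong in a `dstdomain` ACL like the others, and the CDN pattern should be narrowed or at least escaped and anchored the way `local_path_resources` is. The ACL name `cert_mananager_resources` is misspelled (used consistently, so it works, but it will trip anyone grepping for "manager"). Finally, `echo "nameserver 192.168.56.1" > /etc/resolv.conf` is lost if anything regenerates resolv.conf at boot; since the default-route step already persists via `/etc/network/if-up.d/`, the DNS setting should be persisted the same way or the reboot on line 82 may undo it.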

vars/develop

Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,4 @@
1-
APPLIANCE_VERSION="2.15.1"
1+
APPLIANCE_VERSION="2.16.0"
22
APPLIANCE_DEVELOP_VERSION=1
33
CZERTAINLY_DEB_REPOSITORY="http://deb.czertainly.com/ develop main"
44
CZERTAINLY_DEB_KEY="http://deb.czertainly.com/deb.czertainly.com.gpg"
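Review bot: the version bump is fine, but the unchanged `CZERTAINLY_DEB_REPOSITORY` and `CZERTAINLY_DEB_KEY` lines fetch both the apt repository and the signing key over plain `http://`. The key apt later uses to verify packages is therefore obtained over an unauthenticated channel, so anyone on the path (including the Squid proxy introduced in this same commit) can substitute it. Switch both URLs to `https://` if deb.czertainly.com serves TLS, or verify the downloaded key against a pinned fingerprint before installing it.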

vars/master

Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,4 @@
1-
APPLIANCE_VERSION="2.15.1"
1+
APPLIANCE_VERSION="2.16.0"
22
APPLIANCE_DEVELOP_VERSION=0
33
CZERTAINLY_DEB_REPOSITORY="http://deb.czertainly.com/ bullseye main"
44
CZERTAINLY_DEB_KEY="http://deb.czertainly.com/deb.czertainly.com.gpg"
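Review bot: `APPLIANCE_VERSION` becomes 2.16.0 here, while the new http-proxy.md states the proxy setup was "tested with CZERTAINLY v 2.15.1"; either re-run the proxy test on 2.16.0 or adjust that sentence so master does not ship a how-to that already documents a superseded version. The same `http://` key-fetch concern raised on vars/develop applies to the unchanged `CZERTAINLY_DEB_KEY` line in this file.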
