Commit Graph

74 Commits

Author SHA1 Message Date
Jamil
ce727e7ed5 refactor(portal): Use ghcr.io for public pulls of prod images (#3105)
Noticed our public pulls are coming from `pkg.dev` for prod, so this PR
fixes that so that they're from `ghcr.io` to avoid bandwidth fees and
segregate public pulls from our own infra pulls.

![Screenshot 2024-01-03 at 12 42 51 PM](https://github.com/firezone/firezone/assets/167144/22f49996-fe6b-47c7-965f-23d14c9e4e59)
2024-01-04 19:39:47 +00:00
Andrew Dryga
b7e3a5b4cd Remove token timeouts filter for incidents 2023-12-19 15:45:17 -06:00
Andrew Dryga
f1e9715d79 Change staging feed channel 2023-12-12 09:41:32 -06:00
Andrew Dryga
52b284abd9 Terraform improvements for production (#2873) 2023-12-11 19:41:01 -06:00
Jamil
fd9cc88746 Don't use host mode networking for gateways on prod (#2845)
Try fixing masquerading by not using host mode to deploy gateway in GCP.
2023-12-09 18:49:56 +00:00
Andrew Dryga
62507dc704 Add hostname as part of entropy source to generate FIREZONE_ID on prod 2023-12-08 21:04:40 -05:00
Andrew Dryga
715392b62f Use Ubuntu 24.04 LTS for our prod gateway deployments 2023-12-08 12:53:11 -05:00
Andrew Dryga
1bf107553d Do not create incidents on gcloud api timeouts 2023-12-07 22:49:53 -05:00
Andrew Dryga
8fe09d2859 Report incidents to PagerDuty and monitor website/errors in logs 2023-12-07 19:06:41 -05:00
Andrew Dryga
efc71914f8 Configure ip6tables rules for docker to reflect v4 rules 2023-11-28 16:50:58 -06:00
Andrew Dryga
48722d609f Fix production gateways deployment 2023-11-20 18:43:32 -06:00
Andrew Dryga
1ab3fdd3b5 Ephemeral gateways (#2656)
- [x] Fixed docker run command to mount a volume at `/etc/firezone`
- [x] Fixed systemd unit file to properly setcap, create a writeable
`/etc/firezone` directory, use a non-root user, etc.
- [x] Removed `FIREZONE_ID` from our terraform scripts

Now on Sites index we only show online gateways:
![Screenshot 2023-11-15 at 18 04 12](https://github.com/firezone/firezone/assets/1877644/b532f200-0420-4427-acff-a3b8623560c5)

On the Site view we also show only online ones with a link to see all:
![Screenshot 2023-11-15 at 18 02 33](https://github.com/firezone/firezone/assets/1877644/9774dfac-4340-41d4-8404-586e081505f5)

All can be seen on a separate page:
![Screenshot 2023-11-15 at 18 02 27](https://github.com/firezone/firezone/assets/1877644/5d135f60-c7af-4e48-9ebb-626ff7461316)

Some of the functions I've added are pretty dirty hacks, we really need
to implement filters from #2029 to properly implement those and remove
code duplicates.
2023-11-16 11:17:22 -06:00
Andrew Dryga
33ab23b636 Cleanup UX and fix a bunch of TODOs (#2641)
This PR cleans up a lot of TODO and some issues I've discovered while
fixing them, there are _a few_ UI changes.

We show `(you)` next to your name on the actor view page, which is where
the `Profile` link in the dropdown menu goes:
![Screenshot 2023-11-13 at 19 05 35](https://github.com/firezone/firezone/assets/1877644/f52b2531-e3be-4d3a-a587-4f9f54ca2c49)

Relays were way behind Gateways in terms of view code, so I changed them
to be exactly the same:
![Screenshot 2023-11-13 at 18 54 39](https://github.com/firezone/firezone/assets/1877644/a9f0905d-80d2-4e91-a744-c4baf7ad4a7c)

We also show authorizations on the Actor page because previously to find
"what this user did" you had to go through all user clients
individually:
![Screenshot 2023-11-13 at 18 54 27](https://github.com/firezone/firezone/assets/1877644/02ada445-e175-427e-99de-f9fa5bdd5aab)

I've noticed there is some confusion around sign-in slugs, so I added a
home page where you can use the ID or slug to get the sign-in link (not all
the clients will know you need to put that in the URL) and see recently
used accounts:
![Screenshot 2023-11-13 at 18 54 06](https://github.com/firezone/firezone/assets/1877644/ccfb9198-ed1f-4b3e-a26f-b76bab24243c)

Buttons to copy the code are more visible now, I've used our accent
color but am open to better ideas:
![Screenshot 2023-11-13 at 19 10 29](https://github.com/firezone/firezone/assets/1877644/a2c0658e-1003-409b-b5ad-d5d3ade60a10)

When code is copied it's also more visible:
![Screenshot 2023-11-13 at 19 11 41](https://github.com/firezone/firezone/assets/1877644/62e793d2-d760-4aa7-9a42-92a6bbfcbf52)

We also do not redirect from that page automatically, but the large
button becomes green with the text changed:
![Screenshot 2023-11-13 at 19 12 11](https://github.com/firezone/firezone/assets/1877644/780dcde3-8018-4405-91e5-984288431ec1)
2023-11-14 13:02:21 -06:00
Andrew Dryga
c4a3c2a630 Deploy Metabase and demo instance with access to it (#2606) 2023-11-07 18:09:37 -06:00
Andrew Dryga
4deb5797ff Try to resolve country coordinates from LB-provided country code and use US as default 2023-10-31 18:50:20 -06:00
Andrew Dryga
ad26e508ff GeoIP routing and load-balancing for traffic (#2517) 2023-10-31 15:01:37 -06:00
Jamil
2bca378f17 Allow data plane configuration at runtime (#2477)
## Changelog

- Updates connlib parameter API_URL (formerly known under different
names as `CONTROL_PLANE_URL`, `PORTAL_URL`, `PORTAL_WS_URL`, and
friends) to be configured as an "advanced" or "hidden" feature at
runtime so that we can test production builds on both staging and
production.
- Makes `AUTH_BASE_URL` configurable at runtime too
- Moves `CONNLIB_LOG_FILTER_STRING` to be configured like this as well
and simplifies its naming
- Fixes a timing attack bug on Android when comparing the `csrf` token
- Adds proper account ID validation to Android to prevent invalid URL
parameter strings from being saved and used
- Cleans up a number of UI / view issues on Android regarding typos,
consistency, etc
- Hides vars from the `relay` CLI we may not want to expose just
yet
- `get_device_id()` is flawed for connlib components -- SMBios is rarely
available. Data plane components now require a `FIREZONE_ID` instead,
to use for upserting.


Fixes #2482 
Fixes #2471

---------

Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Gabi <gabrielalejandro7@gmail.com>
2023-10-30 23:46:53 -07:00
Andrew Dryga
1991659046 Fix container push for prod releases (#2494) 2023-10-23 22:49:29 -06:00
Andrew Dryga
8b8881f415 Make CodeQL a part of CI workflow (#2492) 2023-10-23 16:16:09 -06:00
Andrew Dryga
428eddd570 Clean up terraform module for gateway (#2474)
Switched back to `cos-105` to reduce attack surface and generally have
less maintenance and cleaned up the module to be more reusable for our
customers.
2023-10-20 12:29:54 -06:00
Andrew Dryga
593410be72 Deploy dogfood gateways on Google Cloud (#2468) 2023-10-20 03:14:36 -06:00
Andrew Dryga
711fb67868 Simplify gateway module 2023-10-20 00:48:57 -06:00
Andrew Dryga
414028a8ee Fix typos 2023-10-20 00:38:27 -06:00
Andrew Dryga
7464ee91bd Fix gateway deploy module 2023-10-20 00:36:46 -06:00
Andrew Dryga
0d7ae2b328 Deploy 2 gateways to Google Cloud 2023-10-20 00:23:56 -06:00
Andrew Dryga
c09f4d812d Fix alerting rules 2023-10-19 23:48:42 -06:00
Andrew Dryga
ee9dfc6ea7 Add TODO's for WAF rules 2023-10-19 23:14:17 -06:00
Andrew Dryga
4fc7ae5d0e Alert when services are down 2023-10-19 23:14:16 -06:00
Andrew Dryga
7034aa3853 Add missing dependencies 2023-10-19 20:35:30 -06:00
Andrew Dryga
66302a5063 Production environment (#2449) 2023-10-19 19:20:51 -06:00
Jamil
573124bd2f Document relay gateway client CLIs (#2424)
Fixes #2363 

* Rename `relay` package to `firezone-relay` so that binaries outputted
match the `firezone-*` cli naming scheme
* Rename `firezone-headless-client` package to `firezone-linux-client`
for consistency
* Add READMEs for user-facing CLI components (there will also be docs
later)
2023-10-19 00:59:17 +00:00
Jamil
6ec10b2669 Revert "Fix/website mdx" (#2434)
Reverts firezone/firezone#2433
2023-10-18 11:42:54 -07:00
Jamil
caef531b17 Fix/website mdx (#2433) 2023-10-18 11:42:18 -07:00
Andrew Dryga
0aab4077f8 Fix auth flow state, bump COS to 109, enable fluentbit logging, auto-remove docker registry artifacts (#2315) 2023-10-11 16:19:47 -06:00
Andrew Dryga
17a4171e04 Bind to higher port numbers
When you change the user in a Dockerfile using USER default, the process inside the container runs with the permissions of that user. In COS, only the root user (or processes with elevated privileges) can bind to ports below 1024. So, if our application is trying to bind to a port below 1024, and it's not running as root, we are getting an error.
2023-10-06 12:29:41 -06:00
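The mechanism described in the commit message above (a container process running as a non-root `USER` cannot bind ports below 1024, so the service has to bind higher ports or be granted the capability) as an added example; this is not the project's code. It assumes a Linux host, reads the `net.ipv4.ip_unprivileged_port_start` sysctl when present (falling back to the classic 1024 boundary), and uses the ports 443 and 8443 only as illustrative values:

```python
import errno
import os
import socket
from typing import Optional

# Linux default for net.ipv4.ip_unprivileged_port_start; ports below it need
# root or CAP_NET_BIND_SERVICE. Some container runtimes lower it to 0.
DEFAULT_UNPRIVILEGED_PORT_START = 1024


def unprivileged_port_start() -> int:
    """Lowest port an unprivileged process may bind on this host.

    Reads the Linux sysctl; hosts without it are assumed to use 1024.
    """
    try:
        with open("/proc/sys/net/ipv4/ip_unprivileged_port_start") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_UNPRIVILEGED_PORT_START


def needs_privilege(port: int, uid: Optional[int] = None,
                    start: Optional[int] = None) -> bool:
    """True if binding `port` needs root or CAP_NET_BIND_SERVICE.

    `uid` and `start` default to the current user and the host sysctl;
    pass explicit values to reason about a deployment target, e.g. the
    non-root USER of a container image before it is shipped.
    """
    if uid is None:
        uid = os.getuid()
    if start is None:
        start = unprivileged_port_start()
    if uid == 0:
        return False  # root can bind anywhere unless capabilities were dropped
    return 0 < port < start


def bind_outcome(port: int, host: str = "127.0.0.1") -> str:
    """Try to bind a TCP socket and classify the result.

    Returns "ok", "eacces" (privileged port without the capability),
    "eaddrinuse", or the errno name for anything else. The socket is
    closed immediately; port 0 asks the kernel for an ephemeral port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno == errno.EACCES:
                return "eacces"
            if e.errno == errno.EADDRINUSE:
                return "eaddrinuse"
            return errno.errorcode.get(e.errno, str(e.errno))
        return "ok"


if __name__ == "__main__":
    print(f"unprivileged ports start at {unprivileged_port_start()} "
          f"for uid {os.getuid()}")
    for port in (443, 8443):
        print(f"port {port}: needs_privilege={needs_privilege(port)} "
              f"bind={bind_outcome(port)}")
```

Running this as an unprivileged user on a default Linux host reports `eacces` for 443 and `ok` for 8443, which is the error the commit message describes. The three standard remedies are: bind above the threshold and let the load balancer forward (what the commit does); grant the binary `cap_net_bind_service` with `setcap cap_net_bind_service=+ep /path/to/binary` (the "proper setcap" mentioned in the ephemeral gateways commit above); or lower `net.ipv4.ip_unprivileged_port_start` on the host, which widens the privilege for every process and is the least targeted option.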
Andrew Dryga
6e0f4d9563 Increase timeouts for rolling deploys 2023-10-06 10:30:48 -06:00
Andrew Dryga
e5fff809c0 Streamline apps versioning for Elixir and Terraform (#2257) 2023-10-05 20:29:25 -07:00
Andrew Dryga
55a54a328a Temporarily allow http traffic to staging websocket endpoint 2023-10-05 11:14:16 -06:00
Andrew Dryga
9d45081f27 Remove usage of deprecated terraform provider 2023-09-28 21:46:10 -06:00
Thomas Eizinger
075d03432f fix(relay): remove debug exporter (#2153)
It turns out that this one never worked. I found this in the logs:

> * error decoding 'exporters': unknown type: "debug" for id: "debug"
(valid values: [alibabacloud_logservice awscloudwatchlogs awss3
googlecloudpubsub instana loadbalancing skywalking awsemf
azuredataexplorer prometheus logging awskinesis dynatrace
googlemanagedprometheus kafka sentry otlphttp awsxray carbon cassandra
elasticsearch f5cloud googlecloud sumologic tanzuobservability
tencentcloud_logservice coralogix dataset influxdb logicmonitor loki
parquet pulsar otlp azuremonitor datadog file logzio mezmo
prometheusremotewrite signalfx splunk_hec zipkin opencensus sapm
clickhouse])

Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
2023-09-26 09:21:06 -06:00
Andrew Dryga
c6ec7ab2db Drop healthcheck traces 2023-09-21 14:32:02 -06:00
Thomas Eizinger
32d6a55b01 ci: lint cloud-init config for elixir-app (#2105) 2023-09-21 11:47:39 -06:00
Thomas Eizinger
2e3171bbf8 fix(relay): only listen for traces & metrics on localhost (#2102)
This fixes two warnings in our logs that tell us to not listen on
`0.0.0.0`. See
https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md#safeguards-against-denial-of-service-attacks.

I don't use the HTTP receiver for sending traces or metrics so that one
can safely be disabled.
2023-09-21 06:51:26 +00:00
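The check behind the commit above (collector receivers bound to `0.0.0.0` accept telemetry from any interface, and the linked OpenTelemetry guidance says to bind them to localhost) as an added example that is not the project's code or configuration. It is a small linter over a constructed collector config: it flags `endpoint:` values under the `receivers` and `extensions` sections that bind every interface and rewrites them to `localhost`, leaving `exporters` alone because those endpoints are outbound destinations. The sample config is invented for the example, and treating a host-less endpoint such as `:13133` as a wildcard is an assumption about the collector version (older releases defaulted it to `0.0.0.0`; newer ones default to localhost behind a feature gate):

```python
import re
from typing import List, Tuple

# Top-level sections whose `endpoint:` values are listening sockets.
# `exporters` endpoints are outbound destinations and are deliberately skipped.
LISTENING_SECTIONS = {"receivers", "extensions"}

# Hosts that bind every interface. The empty host (":4317") is included on the
# assumption that the collector defaults it to 0.0.0.0; verify for your version.
WILDCARD_HOSTS = {"0.0.0.0", "::", ""}

_TOP_LEVEL = re.compile(r"^([A-Za-z_]\w*):\s*$")
_ENDPOINT = re.compile(r"^\s+endpoint:\s*[\"']?([^\"'\s#]+)")

# Constructed sample config for the example; not the relay's real config.
SAMPLE_CONFIG = """\
receivers:
  otlp:
    protocols:
      grpc:
        endpoint: 0.0.0.0:4317
      http:
        endpoint: 0.0.0.0:4318
exporters:
  otlp:
    endpoint: collector.example.internal:4317
extensions:
  health_check:
    endpoint: :13133
service:
  extensions: [health_check]
  pipelines:
    traces:
      receivers: [otlp]
      exporters: [otlp]
"""


def split_host_port(endpoint: str) -> Tuple[str, str]:
    """Split host:port, [v6]:port or :port into (host, port)."""
    if endpoint.startswith("["):
        host, _, rest = endpoint[1:].partition("]")
        return host, rest.lstrip(":")
    host, sep, port = endpoint.rpartition(":")
    return (host, port) if sep else (endpoint, "")


def find_wildcard_listeners(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, endpoint, replacement) for each listener under
    receivers/extensions that binds all interfaces."""
    findings = []
    section = None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        top = _TOP_LEVEL.match(line)
        if top:
            section = top.group(1)  # track which top-level block we are in
            continue
        if section not in LISTENING_SECTIONS:
            continue
        m = _ENDPOINT.match(line)
        if not m:
            continue
        host, port = split_host_port(m.group(1))
        if host in WILDCARD_HOSTS:
            findings.append((lineno, m.group(1), f"localhost:{port}"))
    return findings


def bind_listeners_to_localhost(config_text: str) -> str:
    """Rewrite every flagged endpoint to localhost; other lines are untouched."""
    fixes = {ln: (old, new) for ln, old, new in find_wildcard_listeners(config_text)}
    out = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if lineno in fixes:
            old, new = fixes[lineno]
            line = line.replace(old, new, 1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, endpoint, replacement in find_wildcard_listeners(SAMPLE_CONFIG):
        print(f"line {lineno}: {endpoint} binds all interfaces -> {replacement}")
    print(bind_listeners_to_localhost(SAMPLE_CONFIG))
```

On the sample config this flags the gRPC and HTTP OTLP receivers and the `health_check` extension and leaves the exporter destination alone. What the linter cannot decide is whether a receiver is needed at all; removing the unused HTTP receiver, as the commit does, is an operator decision and shrinks the listening surface further than rebinding it.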
Thomas Eizinger
635a5d4091 feat(relay): enable debug logs for otel collector (#2099)
The `debug` exporter prints statements like the following to stdout:

> 2023-09-07T09:57:43.468-0700 info TracesExporter {"kind": "exporter",
"data_type": "traces", "name": "debug", "resource spans": 1, "spans": 2}

Activating debug logs should give us overall more insight into what this
thing is doing.
2023-09-21 06:35:19 +00:00
Thomas Eizinger
5ed3601231 ci(terraform): ensure relay cloud-init config is valid (#2097)
I found the following in the serial port logs on GC:

> [ 24.279297] cloud-init[742]: 2023-09-20 19:34:00,095 -
schema.py[WARNING]: Invalid cloud-config provided: Please run 'sudo
cloud-init schema --system' to see the schema errors.

Not sure if it causes any problems at the moment because the spans seem
to import fine but I figured it cannot hurt to add a linter to our CI.
2023-09-21 03:08:27 +00:00
Andrew Dryga
9281b7fede Allow client logs and messages instrumentation (#2086)
Closes #2019
2023-09-18 15:03:51 -06:00
Thomas Eizinger
9cfd28f73a fix(relay): re-label more metrics to prevent exporter from failing (#2074) 2023-09-18 07:14:48 +00:00
Andrew Dryga
cefc7cc989 Make sure metrics are not rejected due to reserved naming 2023-09-14 01:22:52 -06:00
Andrew Dryga
6f2818f7c7 Produce less state diff due to IPv6 addr formatting 2023-09-14 01:03:50 -06:00
Andrew Dryga
86f04bff63 Trace api app and finish file renames (#2069) 2023-09-14 00:24:40 -06:00