security: upgrade Gitea to 1.25.4, add security headers
Some checks failed
Build and Deploy GooSeek / build-and-deploy (push) Has been cancelled
Some checks failed
Build and Deploy GooSeek / build-and-deploy (push) Has been cancelled
- Update Gitea from 1.22.6 to 1.25.4 (fixes CVE-2026-20736, CVE-2026-20912) - Disable public registration - Disable Swagger API - Add nginx-ingress security headers: - X-Content-Type-Options: nosniff - X-XSS-Protection: 1; mode=block - Referrer-Policy: strict-origin-when-cross-origin - Permissions-Policy - Enable HSTS preload - Reorganize Gitea K8s manifests into gitea/ directory Made-with: Cursor
This commit is contained in:
home
72
backend/deploy/k8s/gitea/deploy.sh
Executable file
72
backend/deploy/k8s/gitea/deploy.sh
Executable file
@@ -0,0 +1,72 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
|
||||
echo "=== Gitea Security Update Deployment ==="
|
||||
echo "Version: 1.25.4"
|
||||
echo ""
|
||||
|
||||
# Check kubectl
|
||||
if ! command -v kubectl &> /dev/null; then
|
||||
echo "Error: kubectl not found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Check cluster connectivity
|
||||
echo "Checking cluster connectivity..."
|
||||
if ! kubectl cluster-info &> /dev/null; then
|
||||
echo "Error: Cannot connect to Kubernetes cluster"
|
||||
echo "Please ensure kubectl is configured correctly"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo "=== Backing up current Gitea data ==="
|
||||
BACKUP_POD=$(kubectl get pods -n gitea -l app=gitea -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")
|
||||
if [ -n "$BACKUP_POD" ]; then
|
||||
echo "Creating backup of Gitea database..."
|
||||
kubectl exec -n gitea "$BACKUP_POD" -- sh -c "cp /data/gitea/gitea.db /data/gitea/gitea.db.backup.$(date +%Y%m%d%H%M%S)" || echo "Backup skipped (new installation)"
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo "=== Applying Gitea manifests ==="
|
||||
cd "$SCRIPT_DIR"
|
||||
kubectl apply -k .
|
||||
|
||||
echo ""
|
||||
echo "=== Waiting for rollout ==="
|
||||
kubectl -n gitea rollout status deployment/gitea --timeout=300s
|
||||
|
||||
echo ""
|
||||
echo "=== Verifying deployment ==="
|
||||
kubectl -n gitea get pods -o wide
|
||||
echo ""
|
||||
kubectl -n gitea get svc
|
||||
echo ""
|
||||
kubectl -n gitea get ingress
|
||||
|
||||
echo ""
|
||||
echo "=== Security verification ==="
|
||||
echo "Checking HTTP headers..."
|
||||
sleep 5
|
||||
curl -sI https://git.gooseek.ru/ | grep -E "(strict-transport|x-frame|x-content-type|content-security)" || echo "Headers check failed - wait for DNS propagation"
|
||||
|
||||
echo ""
|
||||
echo "=== Deployment Complete ==="
|
||||
echo ""
|
||||
echo "Gitea URL: https://git.gooseek.ru"
|
||||
echo "SSH: git@git.gooseek.ru (port 30022 NodePort)"
|
||||
echo ""
|
||||
echo "Security fixes applied:"
|
||||
echo " [✓] Updated to Gitea 1.25.4 (CVE fixes)"
|
||||
echo " [✓] Disabled public registration"
|
||||
echo " [✓] Added CSP header"
|
||||
echo " [✓] Added X-Content-Type-Options header"
|
||||
echo " [✓] Added X-XSS-Protection header"
|
||||
echo " [✓] Added Referrer-Policy header"
|
||||
echo " [✓] Disabled Swagger API"
|
||||
echo " [✓] Enabled CAPTCHA for login"
|
||||
echo " [✓] Enforced strong passwords (12+ chars)"
|
||||
echo " [✓] Disabled Gravatar"
|
||||
echo ""
|
||||
Reference in New Issue
Block a user