feat: Add IP whitelist API and configuration support

2026-04-06 00:32:12 +02:00 · 2026-03-18 21:00:37 +00:00
parent a2c8022442
commit c4903e5d1c
6 changed files with 50 additions and 0 deletions
--- a/Common/Server/API/IPWhitelistAPI.ts
+++ b/Common/Server/API/IPWhitelistAPI.ts
@@ -0,0 +1,34 @@
+import Express, {
+  ExpressRequest,
+  ExpressResponse,
+  ExpressRouter,
+} from "../Utils/Express";
+import Response from "../Utils/Response";
+import { IpWhitelist } from "../EnvironmentConfig";
+
+export default class IPWhitelistAPI {
+  public static init(): ExpressRouter {
+    const router: ExpressRouter = Express.getRouter();
+
+    router.get(
+      "/ip-whitelist",
+      (req: ExpressRequest, res: ExpressResponse) => {
+        const ipList: Array<string> = IpWhitelist
+          ? IpWhitelist.split(",")
+              .map((ip: string) => {
+                return ip.trim();
+              })
+              .filter((ip: string) => {
+                return ip.length > 0;
+              })
+          : [];
+
+        Response.sendJsonObjectResponse(req, res, {
+          ipWhitelist: ipList,
+        });
+      },
+    );
+
+    return router;
+  }
+}
--- a/Common/Server/API/Index.ts
+++ b/Common/Server/API/Index.ts
@@ -1,5 +1,6 @@
 import Express, { ExpressApplication } from "../Utils/Express";
 import StatusAPI, { StatusAPIOptions } from "./StatusAPI";
+import IPWhitelistAPI from "./IPWhitelistAPI";
 import version from "./VersionAPI";

 const app: ExpressApplication = Express.getExpressApp();
@@ -14,6 +15,7 @@ type InitFunction = (data: InitOptions) => void;
 const init: InitFunction = (data: InitOptions): void => {
  app.use([`/${data.appName}`, "/"], version);
  app.use([`/${data.appName}`, "/"], StatusAPI.init(data.statusOptions));
+  app.use([`/${data.appName}`, "/"], IPWhitelistAPI.init());
 };

 export default init;
--- a/Common/Server/EnvironmentConfig.ts
+++ b/Common/Server/EnvironmentConfig.ts
@@ -397,6 +397,8 @@ export const DocsClientUrl: URL = new URL(
  new Route(DocsRoute.toString()),
 );

+export const IpWhitelist: string = process.env["IP_WHITELIST"] || "";
+
 export const DisableTelemetry: boolean =
  process.env["DISABLE_TELEMETRY"] === "true";

--- a/HelmChart/Public/oneuptime/templates/_helpers.tpl
+++ b/HelmChart/Public/oneuptime/templates/_helpers.tpl
@@ -121,6 +121,8 @@ Usage:
  value: {{ $.Values.home.ports.http | squote }}
 - name: WORKER_PORT
  value: {{ $.Values.worker.ports.http | squote }}
+- name: IP_WHITELIST
+  value: {{ default "" $.Values.ipWhitelist | quote }}
 {{- end }}


--- a/HelmChart/Public/oneuptime/values.schema.json
+++ b/HelmChart/Public/oneuptime/values.schema.json
@@ -41,6 +41,10 @@
    "encryptionSecret": {
      "type": ["string", "null"]
    },
+    "ipWhitelist": {
+      "type": ["string", "null"],
+      "description": "Comma-separated list of probe egress IP addresses for firewall whitelisting. Returned via the /ip-whitelist API endpoint."
+    },
    "externalSecrets": {
      "type": "object",
      "properties": {
--- a/HelmChart/Public/oneuptime/values.yaml
+++ b/HelmChart/Public/oneuptime/values.yaml
@@ -35,6 +35,12 @@ oneuptimeSecret:
 registerProbeKey:
 encryptionSecret:

+# Comma-separated list of egress IP addresses that probes use for monitoring checks.
+# Customers can use this to whitelist probe traffic in their firewalls.
+# This is returned as a JSON array via the /ip-whitelist API endpoint.
+# Example: "203.0.113.1,203.0.113.2,198.51.100.10"
+ipWhitelist:
+
 # External Secrets
 # You need to leave blank oneuptimeSecret and encryptionSecret to use this section
 externalSecrets: