From c4903e5d1cab820ef6c1639ff70652410eeb0355 Mon Sep 17 00:00:00 2001
From: Nawaz Dhandala
Date: Wed, 18 Mar 2026 21:00:37 +0000
Subject: [PATCH] feat: Add IP whitelist API and configuration support
---
 Common/Server/API/IPWhitelistAPI.ts | 34 +++++++++++++++++++
 Common/Server/API/Index.ts | 2 ++
 Common/Server/EnvironmentConfig.ts | 2 ++
 .../Public/oneuptime/templates/_helpers.tpl | 2 ++
 HelmChart/Public/oneuptime/values.schema.json | 4 +++
 HelmChart/Public/oneuptime/values.yaml | 6 ++++
 6 files changed, 50 insertions(+)
 create mode 100644 Common/Server/API/IPWhitelistAPI.ts
diff --git a/Common/Server/API/IPWhitelistAPI.ts b/Common/Server/API/IPWhitelistAPI.ts
new file mode 100644
index 0000000000..07bfb23a28
--- /dev/null
+++ b/Common/Server/API/IPWhitelistAPI.ts
@@ -0,0 +1,34 @@
+import Express, {
+ ExpressRequest,
+ ExpressResponse,
+ ExpressRouter,
+} from "../Utils/Express";
+import Response from "../Utils/Response";
+import { IpWhitelist } from "../EnvironmentConfig";
+
+export default class IPWhitelistAPI {
+ public static init(): ExpressRouter {
+ const router: ExpressRouter = Express.getRouter();
+
+ router.get(
+ "/ip-whitelist",
+ (req: ExpressRequest, res: ExpressResponse) => {
+ const ipList: Array = IpWhitelist
+ ? IpWhitelist.split(",")
+ .map((ip: string) => {
+ return ip.trim();
+ })
+ .filter((ip: string) => {
+ return ip.length > 0;
+ })
+ : [];
+
+ Response.sendJsonObjectResponse(req, res, {
+ ipWhitelist: ipList,
+ });
+ },
+ );
+
+ return router;
+ }
+}
diff --git a/Common/Server/API/Index.ts b/Common/Server/API/Index.ts
index a4aba7cf9c..c135fd7fb9 100644
--- a/Common/Server/API/Index.ts
+++ b/Common/Server/API/Index.ts
@@ -1,5 +1,6 @@
 import Express, { ExpressApplication } from "../Utils/Express";
 import StatusAPI, { StatusAPIOptions } from "./StatusAPI";
+import IPWhitelistAPI from "./IPWhitelistAPI";
 import version from "./VersionAPI";
 const app: ExpressApplication = Express.getExpressApp();
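Review bot: In Common/Server/API/IPWhitelistAPI.ts the `/ip-whitelist` handler returns every non-empty comma-separated token of `IP_WHITELIST` verbatim, and nothing checks that a token is an IP address. The values.yaml comment in this commit says customers use the list for firewall rules, so a typo or stray value in the Helm values would be published as if it were a probe address. Filtering with Node's built-in check would drop malformed entries: add `import { isIP } from "net";` and use `return isIP(ip) !== 0;` in the `.filter` callback (this rejects CIDR notation, so widen the check if ranges are meant to be accepted). The list is also re-parsed on every request although the value is fixed at process start; parsing it once in `init()` before `router.get` would be enough.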
@@ -14,6 +15,7 @@ type InitFunction = (data: InitOptions) => void;
 const init: InitFunction = (data: InitOptions): void => {
 app.use([`/${data.appName}`, "/"], version);
 app.use([`/${data.appName}`, "/"], StatusAPI.init(data.statusOptions));
+ app.use([`/${data.appName}`, "/"], IPWhitelistAPI.init());
 };
 export default init;
diff --git a/Common/Server/EnvironmentConfig.ts b/Common/Server/EnvironmentConfig.ts
index c095ad9073..76c4947eb2 100644
--- a/Common/Server/EnvironmentConfig.ts
+++ b/Common/Server/EnvironmentConfig.ts
@@ -397,6 +397,8 @@ export const DocsClientUrl: URL = new URL( new Route(DocsRoute.toString()), );
+export const IpWhitelist: string = process.env["IP_WHITELIST"] || "";
+
 export const DisableTelemetry: boolean = process.env["DISABLE_TELEMETRY"] === "true";
diff --git a/HelmChart/Public/oneuptime/templates/_helpers.tpl b/HelmChart/Public/oneuptime/templates/_helpers.tpl
index c7520000c9..53c146f1cc 100644
--- a/HelmChart/Public/oneuptime/templates/_helpers.tpl
+++ b/HelmChart/Public/oneuptime/templates/_helpers.tpl
@@ -121,6 +121,8 @@ Usage:
 value: {{ $.Values.home.ports.http | squote }}
 - name: WORKER_PORT
 value: {{ $.Values.worker.ports.http | squote }}
+- name: IP_WHITELIST
+ value: {{ default "" $.Values.ipWhitelist | quote }}
 {{- end }}
diff --git a/HelmChart/Public/oneuptime/values.schema.json b/HelmChart/Public/oneuptime/values.schema.json
index 2951b58791..bd4a1ccbbc 100644
--- a/HelmChart/Public/oneuptime/values.schema.json
+++ b/HelmChart/Public/oneuptime/values.schema.json
@@ -41,6 +41,10 @@
 "encryptionSecret": {
 "type": ["string", "null"]
 },
+ "ipWhitelist": {
+ "type": ["string", "null"],
+ "description": "Comma-separated list of probe egress IP addresses for firewall whitelisting. Returned via the /ip-whitelist API endpoint."
+ },
 "externalSecrets": {
 "type": "object",
 "properties": {
diff --git a/HelmChart/Public/oneuptime/values.yaml b/HelmChart/Public/oneuptime/values.yaml
index 6e49003bf5..3c635ddbac 100644
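Review bot: The `IPWhitelistAPI.init()` router is registered in the shared `init` of Common/Server/API/Index.ts, so it looks like every service that calls this initializer will answer `/ip-whitelist` at both its app-prefixed path and the root path, and no authentication middleware is visible on the handler. If the list is meant to be public, say so next to the registration, for example `// Intentionally unauthenticated: publishes probe egress IPs for customer firewall rules.`; otherwise register the router only on the app that is meant to serve it. The callers of `init` are outside this diff, so which services end up exposing the route could not be checked here.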
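Review bot: `IpWhitelist` / `IP_WHITELIST` in Common/Server/EnvironmentConfig.ts reads like an access-control list, but the only consumer in this commit is the endpoint that publishes it, and nothing visible here enforces it. An operator could set it expecting inbound access to be restricted. A comment above the export would prevent that misreading, for example `// Probe egress IPs advertised via GET /ip-whitelist for customers' firewall rules. Informational only; not used to restrict access to this server.` The same wording would help in the `ipWhitelist` comment in values.yaml and the `description` in values.schema.json, together with a reminder to list only public egress addresses, since as far as this diff shows the value is returned to any caller of the endpoint.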
--- a/HelmChart/Public/oneuptime/values.yaml
+++ b/HelmChart/Public/oneuptime/values.yaml
@@ -35,6 +35,12 @@ oneuptimeSecret:
 registerProbeKey:
 encryptionSecret:
+# Comma-separated list of egress IP addresses that probes use for monitoring checks.
+# Customers can use this to whitelist probe traffic in their firewalls.
+# This is returned as a JSON array via the /ip-whitelist API endpoint.
+# Example: "203.0.113.1,203.0.113.2,198.51.100.10"
+ipWhitelist:
+
 # External Secrets
 # You need to leave blank oneuptimeSecret and encryptionSecret to use this section
 externalSecrets: