lerkolabs/uptop
1
1
Fork 0
Code Issues 17 Pull Requests Actions Packages Projects 2 Releases 4 Wiki Activity

fix: Kuma import tokens/paused, Docker hardening, migrate-secrets idempotency
CI / test (pull_request) Successful in 1m54s
Details
CI / lint (pull_request) Successful in 1m27s
Details
CI / vulncheck (pull_request) Successful in 56s
Details

Browse Source 
1. Kuma import now maps push monitor tokens (generates crypto/rand
   token) and paused state (Active=false → Paused=true). Previously
   push monitors imported with empty token sat DOWN forever, and
   paused Kuma monitors came in unpaused and started alerting.

2. Dockerfile adds HEALTHCHECK against /api/health on port 8080.
   Container orchestrators can now detect unhealthy instances.

3. migrate-secrets sets the encryptor before loading alerts, so
   already-encrypted settings are decrypted correctly on second run
   instead of failing with a JSON unmarshal error.

4. docker-compose.yml adds container hardening: read_only filesystem,
   cap_drop ALL, no-new-privileges, tmpfs for /tmp.
This commit was merged in pull request #116.
This commit is contained in:
Tyler Koenig
2026-06-12 08:39:30 -04:00
parent 13637ec216
commit edfe6122b1
4 changed files with 21 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Dockerfile
+2
View File
@@ -31,6 +31,8 @@ ENV UPTOP_SSH_HOST_KEY=/data/.ssh/id_ed25519
ENV UPTOP_PORT=23234 ENV UPTOP_PORT=23234
EXPOSE 23234 EXPOSE 23234
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
CMD wget -qO- http://localhost:8080/api/health || exit 1
USER uptop USER uptop
ENTRYPOINT ["docker-entrypoint.sh"] ENTRYPOINT ["docker-entrypoint.sh"]
CMD ["./uptop"] CMD ["./uptop"]
cmd/uptop/main.go
+2 -2
View File
@@ -237,13 +237,13 @@ func runMigrateSecrets(args []string) {
os.Exit(1) os.Exit(1)
} }
ss.SetEncryptor(enc)
alerts, err := ss.GetAllAlerts(context.Background()) alerts, err := ss.GetAllAlerts(context.Background())
if err != nil { if err != nil {
slog.Error("failed to load alerts", "err", err) slog.Error("failed to load alerts", "err", err)
os.Exit(1) os.Exit(1)
} }
ss.SetEncryptor(enc)
migrated := 0 migrated := 0
for _, a := range alerts { for _, a := range alerts {
if err := ss.UpdateAlert(context.Background(), a.ID, a.Name, a.Type, a.Settings); err != nil { if err := ss.UpdateAlert(context.Background(), a.ID, a.Name, a.Type, a.Settings); err != nil {
deploy/docker-compose.yml
+7
View File
@@ -5,6 +5,13 @@ services:
dockerfile: Dockerfile dockerfile: Dockerfile
container_name: uptop container_name: uptop
restart: unless-stopped restart: unless-stopped
read_only: true
cap_drop:
- ALL
security_opt:
- no-new-privileges:true
tmpfs:
- /tmp
ports: ports:
- "23234:23234" - "23234:23234"
- "8080:8080" - "8080:8080"
internal/importer/kuma.go
+10
View File
@@ -1,6 +1,8 @@
package importer package importer
import ( import (
"crypto/rand"
"encoding/hex"
"encoding/json" "encoding/json"
"fmt" "fmt"
"os" "os"
@@ -156,10 +158,18 @@ func convertKumaMonitor(m KumaMonitor, alertMap map[int]int) models.SiteConfig {
site.DNSResolveType = m.DNSResolveType site.DNSResolveType = m.DNSResolveType
site.DNSServer = m.DNSResolveServer site.DNSServer = m.DNSResolveServer
site.Paused = !m.Active
switch m.Type { switch m.Type {
case "http": case "http":
site.URL = m.URL site.URL = m.URL
site.CheckSSL = m.ExpiryNotif site.CheckSSL = m.ExpiryNotif
case "push":
site.Type = "push"
b := make([]byte, 16)
if _, err := rand.Read(b); err == nil {
site.Token = hex.EncodeToString(b)
}
case "ping": case "ping":
if m.Hostname != "" { if m.Hostname != "" {
site.Hostname = m.Hostname site.Hostname = m.Hostname