[reverse proxy] Feature/cluster one click deploy#707
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
💤 Files with no reviewable changes (1)
📝 WalkthroughWalkthroughThe change adds one-click reverse-proxy deployment through Hetzner, DigitalOcean, and AWS, shared Cloud-init and CloudFormation templates, registration polling, modal integration, CSP updates, CI validation, and updated cluster setup text. ChangesReverse-proxy cloud deployment
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant User
participant ClustersModal
participant ClusterCloudDeploy
participant CloudProviderAPI
participant NetBirdManagementAPI
User->>ClustersModal: select cloud deployment method
ClustersModal->>ClusterCloudDeploy: render provider deployment
ClusterCloudDeploy->>CloudProviderAPI: provision instance or open AWS launch
CloudProviderAPI-->>ClusterCloudDeploy: return deployment result
ClusterCloudDeploy->>NetBirdManagementAPI: poll cluster registration
NetBirdManagementAPI-->>ClusterCloudDeploy: return registered proxy status
ClusterCloudDeploy-->>ClustersModal: report registration complete
ClustersModal-->>User: enable Finish Setup
Poem
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…ify proxy registration
There was a problem hiding this comment.
Actionable comments posted: 6
🧹 Nitpick comments (2)
.github/workflows/test-cloud-deploy.yml (1)
27-27: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low valueSet
persist-credentials: falseon checkout steps.By default
actions/checkout@v4persists theGITHUB_TOKENin.git/config. Although this workflow only requestscontents: read, disabling credential persistence is a security best practice that prevents accidental token leakage through artifacts or debug output.🔒️ Proposed fix
- - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + with: + persist-credentials: falseApply the same change to both checkout steps (lines 27 and 72).
Also applies to: 72-72
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/test-cloud-deploy.yml at line 27, Update both actions/checkout@v4 steps in the workflow to set persist-credentials to false, ensuring checkout does not store the GITHUB_TOKEN in the repository configuration.Source: Linters/SAST tools
.github/workflows/sync-deploy-templates.yml (1)
5-6: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winRemove the dev-only feature branch before merging.
The
feature/cluster-one-click-deploytrigger is marked as dev-only. Leaving it would make the workflow push templates to the production S3 bucket from that branch.Want me to open a tracking issue so this isn't forgotten?
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/sync-deploy-templates.yml around lines 5 - 6, Remove feature/cluster-one-click-deploy from the branches trigger in the sync-deploy-templates workflow, and delete the associated dev-only TODO comment. Retain only the main branch trigger so production template deployment cannot run from the feature branch.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/sync-deploy-templates.yml:
- Line 18: Update the actions/checkout@v4 step in the sync-deploy-templates
workflow to disable credential persistence by configuring persist-credentials as
false, while leaving the existing checkout behavior unchanged.
In @.github/workflows/test-cloud-deploy.yml:
- Line 79: Adjust the cfn-template-url job’s external URL liveness check around
curl so it cannot block pull requests when sync-deploy-templates has not yet
published the template. Make the check non-blocking with a warning, or gate the
job to the default branch while preserving validation where the URL is expected
to exist.
- Around line 11-12: Remove the dev-only feature/cluster-one-click-deploy branch
from the push trigger in the workflow, along with its associated TODO comment,
while preserving any remaining intended workflow triggers and configuration.
In `@src/modules/reverse-proxy/clusters/ClusterCloudDeploy.tsx`:
- Around line 462-495: Normalize hetznerToken once before the Hetzner API
requests by defining a trimmed apiToken, then use apiToken consistently for the
create-server request and the primary-IP update within the surrounding
deployment flow. Replace the raw token usage in the fetch headers and the
existing hetznerToken.trim() usage in the primary-IP call, preserving the
current request behavior.
In `@src/modules/reverse-proxy/clusters/ClustersTable.tsx`:
- Line 204: Update the empty-state message in ClustersTable to use neutral
wording or explicitly mention both self-hosted and cloud deployment options,
while preserving its purpose of guiding users to set up a cluster.
In `@templates/reverse-proxy/netbird-proxy-cfn.yaml`:
- Around line 180-191: Update ProxySecurityGroup and ProxyInstance to support
non-default VPC deployments: define the security group in the selected VPC using
the existing VPC configuration, replace ProxyInstance.SecurityGroups with
SecurityGroupIds, and provide the required SubnetId/VPC parameter wiring.
Preserve the current default behavior where applicable while ensuring accounts
without a default VPC can create the stack.
---
Nitpick comments:
In @.github/workflows/sync-deploy-templates.yml:
- Around line 5-6: Remove feature/cluster-one-click-deploy from the branches
trigger in the sync-deploy-templates workflow, and delete the associated
dev-only TODO comment. Retain only the main branch trigger so production
template deployment cannot run from the feature branch.
In @.github/workflows/test-cloud-deploy.yml:
- Line 27: Update both actions/checkout@v4 steps in the workflow to set
persist-credentials to false, ensuring checkout does not store the GITHUB_TOKEN
in the repository configuration.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: dc5725ba-6f0b-4a4b-a911-19b4ee381ab8
📒 Files selected for processing (10)
.github/workflows/sync-deploy-templates.yml.github/workflows/test-cloud-deploy.ymldocker/init_react_envs.shsrc/app/(dashboard)/reverse-proxy/clusters/page.tsxsrc/modules/reverse-proxy/clusters/ClusterCloudDeploy.tsxsrc/modules/reverse-proxy/clusters/ClustersModal.tsxsrc/modules/reverse-proxy/clusters/ClustersTable.tsxtemplates/reverse-proxy/README.mdtemplates/reverse-proxy/netbird-proxy-cfn.yamltemplates/reverse-proxy/netbird-proxy-cloud-init.yaml
Issue ticket number and link
Documentation
Select exactly one:
Docs PR URL (required if "docs added" is checked)
Paste the PR link from https://github.com/netbirdio/docs here:
https://github.com/netbirdio/docs/pull/__
E2E tests
Optional: override the image tags used by the Playwright e2e workflow.
Defaults to
mainwhen omitted.management-cloud-tag: main
reverse-proxy-tag: main
Summary by CodeRabbit