Add IPS_FORMATTED to develop

ministryofjustice · Jul 26, 2024 · 9848cae · 9848cae
1 parent ede507b
commit 9848cae
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 3 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -51,6 +51,7 @@ jobs:
           BASIC_AUTH_USER: ${{ secrets.BASIC_AUTH_USER }}
           BASIC_AUTH_PASS: ${{ secrets.BASIC_AUTH_PASS }}
           IP_RANGES: ${{ inputs.ip_ranges }}
+          IPS_FORMATTED: ${{ inputs.ips_formatted }}
           IGNORE_IP_RANGES: ${{ vars.IGNORE_IP_RANGES }}
         run: |
           ## - - - - - - - - - -
@@ -83,16 +84,19 @@ jobs:
           ## IP Ranges - - - - -
           ## - - - - - - - - - -
 
-          ## Allow IP rangges to be ignored.
+          ## Allow IP ranges to be ignored.
           ## Nb. set IGNORE_IP_RANGES env var to `true` for the intended GH environment.
           
           if [ "$IGNORE_IP_RANGES" = "true" ]; then
-            IP_RANGES=$'{"ignore":true}'
+            IP_RANGES    =$'{"ignore":true}'
+            IPS_FORMATTED=""
           fi
 
-          IP_RANGES_BASE64=$(echo -n "$IP_RANGES" | base64 -w 0)
+          IP_RANGES_BASE64    =$(echo -n "$IP_RANGES"     | base64 -w 0)
+          IPS_FORMATTED_BASE64=$(echo -n "$IPS_FORMATTED" | base64 -w 0)
 
           export IP_RANGES_BASE64
+          export IPS_FORMATTED_BASE64
 
 
           ## - - - - - - - - - - -

diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -33,6 +33,7 @@ jobs:
       environment: development
       registry: ${{ needs.image.outputs.registry }}
       ip_ranges: ${{ needs.get_ip_ranges.outputs.ip_ranges }}
+      ips_formatted: ${{ needs.get_ip_ranges.outputs.ips_formatted }}
     secrets: inherit
 
   deploy_staging:
@@ -44,6 +45,7 @@ jobs:
       environment: staging
       registry: ${{ needs.image.outputs.registry }}
       ip_ranges: ${{ needs.get_ip_ranges.outputs.ip_ranges }}
+      ips_formatted: ${{ needs.get_ip_ranges.outputs.ips_formatted }}
     secrets: inherit
 
   deploy_demo:
@@ -55,6 +57,7 @@ jobs:
       environment: demo
       registry: ${{ needs.image.outputs.registry }}
       ip_ranges: ${{ needs.get_ip_ranges.outputs.ip_ranges }}
+      ips_formatted: ${{ needs.get_ip_ranges.outputs.ips_formatted }}
     secrets: inherit
 
   deploy_production:
@@ -66,4 +69,5 @@ jobs:
       environment: production
       registry: ${{ needs.image.outputs.registry }}
       ip_ranges: ${{ needs.get_ip_ranges.outputs.ip_ranges }}
+      ips_formatted: ${{ needs.get_ip_ranges.outputs.ips_formatted }}
     secrets: inherit
diff --git a/.github/workflows/ip-ranges-configure.yml b/.github/workflows/ip-ranges-configure.yml
@@ -6,13 +6,17 @@ on:
       ip_ranges:
         description: "IPs Ranges"
         value: ${{ jobs.get_ip_ranges.outputs.ip_ranges }}
+      ips_formatted:
+        description: "IPs Ranges (formatted)"
+        value: ${{ jobs.get_ip_ranges.outputs.ips_formatted }}
 
 jobs:
   get_ip_ranges:
     name: "Build"
     runs-on: ubuntu-latest
     outputs:
       ip_ranges: ${{ steps.get-ips.outputs.ip_ranges }}
+      ips_formatted: ${{ steps.get-ips.outputs.ips_formatted }}
     steps:
       - name: "Checkout"
         uses: actions/checkout@v4
@@ -30,3 +34,13 @@ jobs:
           cmd: |
             IP_RANGES=$(yq 'explode(.) | {"deprecating": .deprecating_access_to_moj_intranet | flatten, "allow": .allow_access_to_moj_intranet | flatten }' -o json -I=0 moj-cidr-addresses.yml)
             echo "ip_ranges=$IP_RANGES" >> $GITHUB_OUTPUT
+
+            # Transform into nginx geo format. 1 IP range per line, each range is followed by it's value.
+            # @see https://nginx.org/en/docs/http/ngx_http_geo_module.html
+            ALLOW_VALUE=1
+            DEPRI_VALUE=2
+
+            ALLOW_FORMATTED=$(yq 'explode(.) | .allow_access_to_moj_intranet       | flatten | map(. + " '$ALLOW_VALUE';") | join("\n")' moj-cidr-addresses.yml)
+            DEPRI_FORMATTED=$(yq 'explode(.) | .deprecating_access_to_moj_intranet | flatten | map(. + " '$DEPRI_VALUE';") | join("\n")' moj-cidr-addresses.yml)
+
+            echo "ips_formatted=$ALLOW_FORMATTED"$'\n'"$DEPRI_FORMATTED" >> $GITHUB_OUTPUT
diff --git a/deploy/config/local/nginx/geo.conf b/deploy/config/local/nginx/geo.conf
@@ -0,0 +1,7 @@
+# Source IPs where 'X-Forwarded-For' is to be truested.
+proxy 172.17.0.0/16;
+proxy 172.25.0.0/16;
+
+# Maybe use init script to substitude env vars
+
+192.168.65.1   1;
diff --git a/deploy/development/deployment.tpl.yml b/deploy/development/deployment.tpl.yml
@@ -37,6 +37,12 @@ spec:
               mountPath: /var/www/html/public/app/uploads
             - name: php-socket
               mountPath: /sock
+          env:
+            - name: IPS_FORMATTED
+              valueFrom:
+                secretKeyRef:
+                  name: ${KUBE_NAMESPACE}-base64-secrets
+                  key: IPS_FORMATTED
 
         - name: cron
           image: ${ECR_URL}:${IMAGE_TAG_CRON}

diff --git a/deploy/development/secret.tpl.yml b/deploy/development/secret.tpl.yml
@@ -28,6 +28,7 @@ type: Opaque
 data:
   AWS_CLOUDFRONT_PRIVATE_KEY: "${AWS_CLOUDFRONT_PRIVATE_KEY_BASE64}"
   IP_RANGES: "${IP_RANGES_BASE64}"
+  IPS_FORMATTED: "${IPS_FORMATTED_BASE64}"
 ---
 apiVersion: v1
 kind: Secret