From 9848caeaed2c4614e34e6cc9130740a5297a9893 Mon Sep 17 00:00:00 2001
From: EarthlingDavey <15802017+EarthlingDavey@users.noreply.github.com>
Date: Fri, 26 Jul 2024 16:55:37 +0100
Subject: [PATCH] Add IPS_FORMATTED to develop
---
 .github/workflows/deploy.yml | 10 +++++++---
 .github/workflows/integration.yml | 4 ++++
 .github/workflows/ip-ranges-configure.yml | 14 ++++++++++++++
 deploy/config/local/nginx/geo.conf | 7 +++++++
 deploy/development/deployment.tpl.yml | 6 ++++++
 deploy/development/secret.tpl.yml | 1 +
 6 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 deploy/config/local/nginx/geo.conf
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 88360b2a1..2b6124900 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -51,6 +51,7 @@ jobs:
 BASIC_AUTH_USER: ${{ secrets.BASIC_AUTH_USER }}
 BASIC_AUTH_PASS: ${{ secrets.BASIC_AUTH_PASS }}
 IP_RANGES: ${{ inputs.ip_ranges }}
+ IPS_FORMATTED: ${{ inputs.ips_formatted }}
 IGNORE_IP_RANGES: ${{ vars.IGNORE_IP_RANGES }}
 run: |
 ## - - - - - - - - - -
@@ -83,16 +84,19 @@ jobs:
 ## IP Ranges - - - - -
 ## - - - - - - - - - -
- ## Allow IP rangges to be ignored.
+ ## Allow IP ranges to be ignored.
 ## Nb. set IGNORE_IP_RANGES env var to `true` for the intended GH environment.
 if [ "$IGNORE_IP_RANGES" = "true" ]; then
- IP_RANGES=$'{"ignore":true}'
+ IP_RANGES =$'{"ignore":true}'
+ IPS_FORMATTED=""
 fi
- IP_RANGES_BASE64=$(echo -n "$IP_RANGES" | base64 -w 0)
+ IP_RANGES_BASE64 =$(echo -n "$IP_RANGES" | base64 -w 0)
+ IPS_FORMATTED_BASE64=$(echo -n "$IPS_FORMATTED" | base64 -w 0)
 export IP_RANGES_BASE64
+ export IPS_FORMATTED_BASE64
 ## - - - - - - - - - - -
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 0ae3ccac9..a84b48f54 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
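Review bot: The new lines `IP_RANGES =$'{"ignore":true}'` and `IP_RANGES_BASE64 =$(echo -n "$IP_RANGES" | base64 -w 0)` in the second hunk carry a space before `=`, which bash reads as running a command named IP_RANGES / IP_RANGES_BASE64 with `=…` as its argument rather than as an assignment, so the step would either abort on "command not found" or carry on with the un-ignored input and an unset IP_RANGES_BASE64. Unless the space is an artefact of how the patch is rendered here, the lines should be `IP_RANGES=$'{"ignore":true}'` and `IP_RANGES_BASE64=$(echo -n "$IP_RANGES" | base64 -w 0)`, matching the untouched `IPS_FORMATTED_BASE64=$(…)` beside them. The added `IPS_FORMATTED=""` on the ignore path is consistent with the existing `{"ignore":true}` marker, since it encodes to an empty secret value. The `run:` script starts and ends outside the hunk.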
@@ -33,6 +33,7 @@ jobs:
 environment: development
 registry: ${{ needs.image.outputs.registry }}
 ip_ranges: ${{ needs.get_ip_ranges.outputs.ip_ranges }}
+ ips_formatted: ${{ needs.get_ip_ranges.outputs.ips_formatted }}
 secrets: inherit
 deploy_staging:
@@ -44,6 +45,7 @@ jobs:
 environment: staging
 registry: ${{ needs.image.outputs.registry }}
 ip_ranges: ${{ needs.get_ip_ranges.outputs.ip_ranges }}
+ ips_formatted: ${{ needs.get_ip_ranges.outputs.ips_formatted }}
 secrets: inherit
 deploy_demo:
@@ -55,6 +57,7 @@ jobs:
 environment: demo
 registry: ${{ needs.image.outputs.registry }}
 ip_ranges: ${{ needs.get_ip_ranges.outputs.ip_ranges }}
+ ips_formatted: ${{ needs.get_ip_ranges.outputs.ips_formatted }}
 secrets: inherit
 deploy_production:
@@ -66,4 +69,5 @@ jobs:
 environment: production
 registry: ${{ needs.image.outputs.registry }}
 ip_ranges: ${{ needs.get_ip_ranges.outputs.ip_ranges }}
+ ips_formatted: ${{ needs.get_ip_ranges.outputs.ips_formatted }}
 secrets: inherit
diff --git a/.github/workflows/ip-ranges-configure.yml b/.github/workflows/ip-ranges-configure.yml
index a6590c8a9..194d05a56 100644
--- a/.github/workflows/ip-ranges-configure.yml
+++ b/.github/workflows/ip-ranges-configure.yml
@@ -6,6 +6,9 @@ on:
 ip_ranges:
 description: "IPs Ranges"
 value: ${{ jobs.get_ip_ranges.outputs.ip_ranges }}
+ ips_formatted:
+ description: "IPs Ranges (formatted)"
+ value: ${{ jobs.get_ip_ranges.outputs.ips_formatted }}
 jobs:
 get_ip_ranges:
@@ -13,6 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
 ip_ranges: ${{ steps.get-ips.outputs.ip_ranges }}
+ ips_formatted: ${{ steps.get-ips.outputs.ips_formatted }}
 steps:
 - name: "Checkout"
 uses: actions/checkout@v4
@@ -30,3 +34,13 @@ jobs:
 cmd: |
 IP_RANGES=$(yq 'explode(.) | {"deprecating": .deprecating_access_to_moj_intranet | flatten, "allow": .allow_access_to_moj_intranet | flatten }' -o json -I=0 moj-cidr-addresses.yml)
 echo "ip_ranges=$IP_RANGES" >> $GITHUB_OUTPUT
+
+ # Transform into nginx geo format. 1 IP range per line, each range is followed by it's value.
+ # @see https://nginx.org/en/docs/http/ngx_http_geo_module.html
+ ALLOW_VALUE=1
+ DEPRI_VALUE=2
+
+ ALLOW_FORMATTED=$(yq 'explode(.) | .allow_access_to_moj_intranet | flatten | map(. + " '$ALLOW_VALUE';") | join("\n")' moj-cidr-addresses.yml)
+ DEPRI_FORMATTED=$(yq 'explode(.) | .deprecating_access_to_moj_intranet | flatten | map(. + " '$DEPRI_VALUE';") | join("\n")' moj-cidr-addresses.yml)
+
+ echo "ips_formatted=$ALLOW_FORMATTED"$'\n'"$DEPRI_FORMATTED" >> $GITHUB_OUTPUT
diff --git a/deploy/config/local/nginx/geo.conf b/deploy/config/local/nginx/geo.conf
new file mode 100644
index 000000000..5ffeef8ae
--- /dev/null
+++ b/deploy/config/local/nginx/geo.conf
@@ -0,0 +1,7 @@
+# Source IPs where 'X-Forwarded-For' is to be truested.
+proxy 172.17.0.0/16;
+proxy 172.25.0.0/16;
+
+# Maybe use init script to substitude env vars
+
+192.168.65.1 1;
\ No newline at end of file
diff --git a/deploy/development/deployment.tpl.yml b/deploy/development/deployment.tpl.yml
index ac4de15db..b45c7722f 100644
--- a/deploy/development/deployment.tpl.yml
+++ b/deploy/development/deployment.tpl.yml
@@ -37,6 +37,12 @@ spec:
 mountPath: /var/www/html/public/app/uploads
 - name: php-socket
 mountPath: /sock
+ env:
+ - name: IPS_FORMATTED
+ valueFrom:
+ secretKeyRef:
+ name: ${KUBE_NAMESPACE}-base64-secrets
+ key: IPS_FORMATTED
 - name: cron
 image: ${ECR_URL}:${IMAGE_TAG_CRON}
diff --git a/deploy/development/secret.tpl.yml b/deploy/development/secret.tpl.yml
index 3d5cffa72..9b3f1c07e 100644
--- a/deploy/development/secret.tpl.yml
+++ b/deploy/development/secret.tpl.yml
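Review bot: The last added line, `echo "ips_formatted=$ALLOW_FORMATTED"$'\n'"$DEPRI_FORMATTED" >> $GITHUB_OUTPUT`, writes a multi-line value as a plain `name=value` line, but `$GITHUB_OUTPUT` is parsed one line at a time, so only the first range would land in `steps.get-ips.outputs.ips_formatted` and the remaining `range value;` lines would be treated as malformed entries (failing or being dropped); multi-line outputs need the delimiter form, as in the rewrite below. Because the output is later written verbatim into nginx configuration, it would also be safer to reject any entry in moj-cidr-addresses.yml that is not an IP or CIDR literal at this point rather than at nginx start. Quoting `"$GITHUB_OUTPUT"` on both `echo` lines would match the quoting used elsewhere in the script. The `cmd:` block starts before this hunk.
```yaml
          # … unchanged: IP_RANGES output, ALLOW_FORMATTED / DEPRI_FORMATTED assignments …
          {
            echo "ips_formatted<<IPS_FORMATTED_EOF"
            echo "$ALLOW_FORMATTED"
            echo "$DEPRI_FORMATTED"
            echo "IPS_FORMATTED_EOF"
          } >> "$GITHUB_OUTPUT"
```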
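Review bot: The two comments in the new geo.conf have typos (`truested` should read `trusted`, `substitude` should read `substitute`) and the file ends without a trailing newline. The `proxy` directives decide from which source addresses nginx will accept `X-Forwarded-For` as the client address — the address the allow-list is then matched against — so a comment stating what 172.17.0.0/16 and 172.25.0.0/16 are (presumably the local Docker networks; worth confirming) would make that trust decision reviewable. The bare `192.168.65.1 1;` entry likewise deserves a line naming the host and noting that `1` is the allow value the formatted ranges use, e.g. `# <local host — confirm>: allowed (1 = ALLOW_VALUE in ip-ranges-configure.yml)`. Since `proxy` is only valid inside a `geo` block, the file is presumably included from one defined elsewhere; naming that include point in the header comment would help.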
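Review bot: The new `env:` entry is added to a container whose `name:` is above the hunk, and nothing in this commit consumes `IPS_FORMATTED` inside that container — the new geo.conf still carries a "maybe use init script" note — so a comment tying the two together would help, e.g. `# nginx geo allow-list, one "range value;" per line; rendered into the geo block by <init script — TBD>`. Kubernetes decodes the base64 `data` value on injection, so the container receives the raw multi-line text, which is fine for an environment variable but means the consumer must write it to a file rather than interpolate it into a single directive. If `IPS_FORMATTED` is ever absent from the referenced secret the pod will fail to start, which is the intended behaviour only if the key is always rendered; `optional: true` is the alternative. The container definition starts outside the hunk.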
@@ -28,6 +28,7 @@ type: Opaque
 data:
 AWS_CLOUDFRONT_PRIVATE_KEY: "${AWS_CLOUDFRONT_PRIVATE_KEY_BASE64}"
 IP_RANGES: "${IP_RANGES_BASE64}"
+ IPS_FORMATTED: "${IPS_FORMATTED_BASE64}"
 ---
 apiVersion: v1
 kind: Secret