From f971ceaa6fda0125c5e1db634decd3292c16fe96 Mon Sep 17 00:00:00 2001
From: Ben Millar
Date: Mon, 2 Sep 2024 13:26:50 +0100
Subject: [PATCH] Add additional IPs from shared LAA whitelist (#1237)
* Add additional IPs from shared LAA whitelist
* Remove duplicate IP addresses
---
 bin/production_deploy.sh | 5 +++++
 bin/staging_deploy.sh | 5 +++++
 bin/training_deploy.sh | 5 +++++
 bin/uat_deploy.sh | 5 +++++
 .../cla-backend/templates/_helpers.tpl | 2 +-
 helm_deploy/cla-backend/values.yaml | 21 -------------------
 6 files changed, 21 insertions(+), 22 deletions(-)
diff --git a/bin/production_deploy.sh b/bin/production_deploy.sh
index d32fa1b35..a5438956f 100755
--- a/bin/production_deploy.sh
+++ b/bin/production_deploy.sh
@@ -4,6 +4,10 @@ set -e
 ROOT=$(dirname "$0")
 HELM_DIR="$ROOT/../helm_deploy/cla-backend/"
+# Pull ranges from shared LAA IP ranges and then remove spaces,
+# replace linebreaks with commas, remove last comma, and escape commas for helm input
+SHARED_IP_RANGES_LAA=$(curl -s https://raw.githubusercontent.com/ministryofjustice/laa-ip-allowlist/main/cidrs.txt | tr -d ' ' | tr '\n' ',' | sed 's/,/\\,/g' | sed 's/\\,$//')
+
 helm upgrade $RELEASE_NAME \
 $HELM_DIR \
 --namespace=${KUBE_ENV_PRODUCTION_NAMESPACE} \
@@ -14,4 +18,5 @@ helm upgrade $RELEASE_NAME \
 --set image.repository=$DOCKER_REPOSITORY \
 --set image.tag=$IMAGE_TAG \
 --set-string pingdomIPs=$PINGDOM_IPS \
+ --set-string sharedIPRangesLAA=$SHARED_IP_RANGES_LAA \
 --install
diff --git a/bin/staging_deploy.sh b/bin/staging_deploy.sh
index b53522527..3df0b6e73 100755
--- a/bin/staging_deploy.sh
+++ b/bin/staging_deploy.sh
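Review bot: The new `SHARED_IP_RANGES_LAA=$(curl -s …)` line fails open: `curl -s` without `-f` exits 0 on an HTTP error and prints the error body, `set -e` does not stop on a failing non-final pipeline stage, and nothing inspects the result, so an outage or a 404 turns the variable into an empty string or a non-CIDR token that the second hunk then passes via `--set-string sharedIPRangesLAA=$SHARED_IP_RANGES_LAA` into the ingress allowlist. Because the list is fetched from the `main` branch of another repository at deploy time, anyone who can push to that branch can change what reaches the production ingress; pinning the URL to a reviewed commit (or vendoring the file) and rejecting an empty or malformed result before `helm upgrade` runs would close both gaps. The identical lines appear in the bin/staging_deploy.sh, bin/training_deploy.sh and bin/uat_deploy.sh hunks, and the expansion in the second hunk should be quoted as `"$SHARED_IP_RANGES_LAA"`. The `helm upgrade` command the first hunk touches continues past the end of the hunk.
```shell
# Pull ranges from shared LAA IP ranges and then remove spaces,
# replace linebreaks with commas, remove last comma, and escape commas for helm input
# TODO(review): pin to a reviewed commit of laa-ip-allowlist instead of main
SHARED_IP_RANGES_URL="https://raw.githubusercontent.com/ministryofjustice/laa-ip-allowlist/main/cidrs.txt"
SHARED_IP_RANGES_RAW=$(curl -fsS --retry 3 "$SHARED_IP_RANGES_URL") || { echo "Failed to fetch shared LAA IP ranges from $SHARED_IP_RANGES_URL" >&2; exit 1; }
# Keep only CIDR-shaped entries (IPv4 or IPv6) so an error page or a stray line cannot reach the ingress allowlist
SHARED_IP_RANGES_LAA=$(printf '%s\n' "$SHARED_IP_RANGES_RAW" | tr -d ' ' | grep -E '^[0-9A-Fa-f.:]+/[0-9]+$' | tr '\n' ',' | sed 's/,$//' | sed 's/,/\\,/g')
[ -n "$SHARED_IP_RANGES_LAA" ] || { echo "Shared LAA IP range list is empty after filtering" >&2; exit 1; }
# … unchanged: helm upgrade invocation …
```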
@@ -4,6 +4,10 @@ set -e
 ROOT=$(dirname "$0")
 HELM_DIR="$ROOT/../helm_deploy/cla-backend/"
+# Pull ranges from shared LAA IP ranges and then remove spaces,
+# replace linebreaks with commas, remove last comma, and escape commas for helm input
+SHARED_IP_RANGES_LAA=$(curl -s https://raw.githubusercontent.com/ministryofjustice/laa-ip-allowlist/main/cidrs.txt | tr -d ' ' | tr '\n' ',' | sed 's/,/\\,/g' | sed 's/\\,$//')
+
 helm upgrade $RELEASE_NAME \
 $HELM_DIR \
 --namespace=${KUBE_ENV_STAGING_NAMESPACE} \
@@ -15,4 +19,5 @@ helm upgrade $RELEASE_NAME \
 --set image.repository=$DOCKER_REPOSITORY \
 --set image.tag=$IMAGE_TAG \
 --set-string pingdomIPs=$PINGDOM_IPS \
+ --set-string sharedIPRangesLAA=$SHARED_IP_RANGES_LAA \
 --install
diff --git a/bin/training_deploy.sh b/bin/training_deploy.sh
index ca58ab92e..579930e9e 100755
--- a/bin/training_deploy.sh
+++ b/bin/training_deploy.sh
@@ -4,6 +4,10 @@ set -e
 ROOT=$(dirname "$0")
 HELM_DIR="$ROOT/../helm_deploy/cla-backend/"
+# Pull ranges from shared LAA IP ranges and then remove spaces,
+# replace linebreaks with commas, remove last comma, and escape commas for helm input
+SHARED_IP_RANGES_LAA=$(curl -s https://raw.githubusercontent.com/ministryofjustice/laa-ip-allowlist/main/cidrs.txt | tr -d ' ' | tr '\n' ',' | sed 's/,/\\,/g' | sed 's/\\,$//')
+
 helm upgrade $RELEASE_NAME \
 $HELM_DIR \
 --namespace=${KUBE_ENV_TRAINING_NAMESPACE} \
@@ -15,4 +19,5 @@ helm upgrade $RELEASE_NAME \
 --set image.repository=$DOCKER_REPOSITORY \
 --set image.tag=$IMAGE_TAG \
 --set-string pingdomIPs=$PINGDOM_IPS \
+ --set-string sharedIPRangesLAA=$SHARED_IP_RANGES_LAA \
 --install
diff --git a/bin/uat_deploy.sh b/bin/uat_deploy.sh
index 2cbf57fdb..807522f5a 100755
--- a/bin/uat_deploy.sh
+++ b/bin/uat_deploy.sh
@@ -11,6 +11,10 @@ fi
 echo "Using values file:$VALUES"
+# Pull ranges from shared LAA IP ranges and then remove spaces,
+# replace linebreaks with commas, remove last comma, and escape commas for helm input
+SHARED_IP_RANGES_LAA=$(curl -s https://raw.githubusercontent.com/ministryofjustice/laa-ip-allowlist/main/cidrs.txt | tr -d ' ' | tr '\n' ',' | sed 's/,/\\,/g' | sed 's/\\,$//')
+
 helm upgrade $RELEASE_NAME \
 $HELM_DIR \
 --namespace=${KUBE_ENV_UAT_NAMESPACE} \
@@ -23,4 +27,5 @@ helm upgrade $RELEASE_NAME \
 --set image.repository=$DOCKER_REPOSITORY \
 --set image.tag=$IMAGE_TAG \
 --set-string pingdomIPs=$PINGDOM_IPS \
+ --set-string sharedIPRangesLAA=$SHARED_IP_RANGES_LAA \
 --install
diff --git a/helm_deploy/cla-backend/templates/_helpers.tpl b/helm_deploy/cla-backend/templates/_helpers.tpl
index 263d79ece..1693a295f 100644
--- a/helm_deploy/cla-backend/templates/_helpers.tpl
+++ b/helm_deploy/cla-backend/templates/_helpers.tpl
@@ -13,7 +13,7 @@ Expand the name of the chart.
 {{- end -}}
 {{- define "cla-backend.whitelist" -}}
-{{ join "," .Values.ingress.whitelist }},{{- .Values.pingdomIPs }}{{ include "cla-backend.whitelist_additional" . }}
+{{ join "," .Values.ingress.whitelist }},{{- .Values.pingdomIPs }}{{ include "cla-backend.whitelist_additional" . }},{{- .Values.sharedIPRangesLAA }}
 {{- end -}}
 {{/*
diff --git a/helm_deploy/cla-backend/values.yaml b/helm_deploy/cla-backend/values.yaml
index b840a9aef..a9bf69262 100644
--- a/helm_deploy/cla-backend/values.yaml
+++ b/helm_deploy/cla-backend/values.yaml
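Review bot: The `,{{- .Values.sharedIPRangesLAA }}` tail added to `cla-backend.whitelist` is emitted unconditionally, and this commit adds no `sharedIPRangesLAA` default to values.yaml, so any render that does not pass `--set-string sharedIPRangesLAA` (a local `helm template`, or a deploy path other than the four updated scripts) ends the allowlist with a dangling comma. Guard it with `{{- with .Values.sharedIPRangesLAA }},{{ . }}{{- end }}` and add `sharedIPRangesLAA: ""` to values.yaml so the value is discoverable next to `pingdomIPs`. It would also help to note in the comment above the define that the deploy scripts pre-escape commas as `\,` for `--set-string`, since the template relies on receiving a single comma-separated string.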
@@ -46,31 +46,10 @@ ingress:
 name: ~
 weight: ~
 whitelist:
- # Cisco Anyconnect (Dom1) / ARK data centre
- - 194.33.192.0/25
- - 194.33.196.0/25
 # HGS
 - 84.43.86.100/32
 # CHS
 - 52.210.114.89/32
- # GlobalProtect VPN (Digital Mac)
- - 18.169.147.172/32
- - 35.176.93.186/32
- - 18.130.148.126/32
- - 35.176.148.126/32
- # MoJ Official
- - 51.149.250.0/24
- # DOM1 VPN Addresses
- # ARK Corsham Internet Egress Exponential-E
- - 51.149.249.0/29
- # ARK Farnborough Internet Egress Exponential-E
- - 51.149.249.32/29
- # PRP DIA Sites
- - 194.33.200.0/21
- - 194.33.216.0/23
- - 194.33.218.0/24
- # Palo Alto Prisma Access Egress IP Addresses
- Prisma_Access:
- - 128.77.75.64/26
 localPostgres:
 enabled: false
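Review bot: The hunk counts (`-46,31 +46,10`: ten context lines against twenty-one removals, matching the diffstat) imply that `- Prisma_Access:` under `whitelist:` is a kept context line even though the collapsed layout shows it with a leading dash, while the `- 128.77.75.64/26` item beneath it is removed; if so, the list keeps a one-key mapping with a null value among the CIDR strings, and `join "," .Values.ingress.whitelist` in `cla-backend.whitelist` will render it as a non-CIDR token (something like `map[Prisma_Access:<nil>]`) in the ingress allowlist annotation. Please confirm against the file and drop that line too if it survives. Removing the static ranges also removes the in-chart fallback: when the deploy-time fetch in the bin/*_deploy.sh hunks yields nothing, these networks lose access instead of keeping the previous allowlist, which is worth stating in the PR description or mitigating with a check in those scripts.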