new: initial egress proxy deployment framework (#172)

nickumia-reisys · web-flow · commit 356421fe681c · 2023-01-09T08:55:21.000-08:00
Mostly a copy from data.gov egress deployment.  A few edits to account for data.gov-specific names and deployment oddities.  I'm not confident that this will work out of the box because of uniqueness of the management spaces.  More commits will likely follow haha
diff --git a/.github/workflows/disable-egress.yml b/.github/workflows/disable-egress.yml
@@ -0,0 +1,40 @@
+---
+name: disable egress proxy
+
+on:   # yamllint disable-line rule:truthy
+  workflow_dispatch:
+    inputs:
+      appName:
+        description: 'App Name'
+        required: true
+        type: choice
+        options:
+          - "ssb-eks"
+          - "ssb-smtp"
+          - "ssb-solrcloud"
+      appSpace:
+        description: 'Cloud Foundry Space'
+        required: true
+        type: choice
+        options:
+          - "development-ssb"
+          - "management-staging"
+          - "management"
+
+jobs:
+  disable-egress:
+    concurrency: ${{ github.event.inputs.appSpace }}
+    name: ${{ github.event.inputs.appName }} -- ${{ github.event.inputs.appSpace }}
+    environment: ${{ github.event.inputs.appSpace }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+      - name: disable egress
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          command: egress/disable-egress ${{ github.event.inputs.appName }}
+          cf_org: gsa-datagov
+          cf_space: ${{ github.event.inputs.appSpace }}
+          cf_username: ${{secrets.CF_SERVICE_USER}}
+          cf_password: ${{secrets.CF_SERVICE_AUTH}}
diff --git a/.github/workflows/enable-egress.yml b/.github/workflows/enable-egress.yml
@@ -0,0 +1,72 @@
+---
+name: enable egress proxy
+
+on:   # yamllint disable-line rule:truthy
+  workflow_dispatch:
+    inputs:
+      appName:
+        description: 'App Name'
+        required: true
+        type: choice
+        options:
+          - "ssb-eks"
+          - "ssb-smtp"
+          - "ssb-solrcloud"
+      appSpace:
+        description: 'Cloud Foundry Space'
+        required: true
+        type: choice
+        options:
+          - "development-ssb"
+          - "management-staging"
+          - "management"
+
+env:
+  SSB_DIR: ssb
+  CG_DIR: cg-egress-proxy
+
+jobs:
+  enable-egress:
+    concurrency: ${{ github.event.inputs.appSpace }}
+    name: ${{ github.event.inputs.appName }} -- ${{ github.event.inputs.appSpace }}
+    environment: ${{ github.event.inputs.appSpace }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout ssb
+        uses: actions/checkout@v3
+        with:
+          path: ${{ env.SSB_DIR }}
+      - name: checkout cg-egress-proxy
+        uses: actions/checkout@v3
+        with:
+          repository: 'GSA/cg-egress-proxy'
+          path: ${{ env.CG_DIR }}
+
+      # trying to emulate:
+      # https://github.com/GSA/cg-egress-proxy/blob/main/Dockerfile
+      - name: build caddy - setup go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.18.4'  # latest
+      - name: build caddy - get xcaddy
+        run: go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
+      - name: build caddy - xcaddy build
+        run: >
+          xcaddy build
+          --with github.com/hairyhenderson/caddy-teapot-module@v0.0.3-0
+          --with github.com/caddyserver/forwardproxy@caddy2
+          --output ${{ env.CG_DIR }}/proxy/caddy
+
+      - name: enable egress
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          # tmate command for testing and debugging
+          # command: apt-get -y install tmate; tmate -F
+          command: >
+            ssb/egress/enable-egress
+            ${{ github.event.inputs.appName }}
+            ${{ github.event.inputs.appSpace }}
+          cf_org: gsa-datagov
+          cf_space: ${{ github.event.inputs.appSpace }}
+          cf_username: ${{secrets.CF_SERVICE_USER}}
+          cf_password: ${{secrets.CF_SERVICE_AUTH}}
diff --git a/.github/workflows/restart-egress.yml b/.github/workflows/restart-egress.yml
@@ -0,0 +1,29 @@
+---
+name: restart egress proxy
+
+on:   # yamllint disable-line rule:truthy
+  workflow_dispatch:
+  schedule:
+    - cron: '0 3 * * *'  # every day at 3am UTC
+
+jobs:
+
+  restart-egress:
+    strategy:
+      matrix:
+        environ: [development-ssb, management-staging, management]
+    name: restart egress (${{matrix.environ}})
+    concurrency: ${{matrix.environ}}
+    environment: ${{matrix.environ}}
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+      - name: cf restart
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          command: egress/restart-egress
+          cf_org: gsa-datagov
+          cf_space: ${{matrix.environ}}-egress
+          cf_username: ${{secrets.CF_SERVICE_EGRESS_USER}}
+          cf_password: ${{secrets.CF_SERVICE_EGRESS_AUTH}}
diff --git a/egress/acl/allow.acl b/egress/acl/allow.acl
@@ -0,0 +1,3 @@
+  *.gov
+  *.mil
+  s3-us-gov-west-1.amazonaws.com
diff --git a/egress/acl/deny.acl b/egress/acl/deny.acl
@@ -0,0 +1,2 @@
+  *.bing.com
+  somewebsitesothisisntempty.com
diff --git a/egress/disable-egress b/egress/disable-egress
@@ -0,0 +1,45 @@
+#!/bin/bash
+set -e
+set -o pipefail
+# for debugging
+# set -x
+
+help()
+{
+    echo
+    echo "$0: disables egress proxy for a given app."
+    echo "Syntax: disable-egress <APP>"
+    echo "  <APP> must be a valid cf app in the current space with egress enabled."
+    #echo "Options:"
+    #echo "  --space <SPACE>: #TODO"
+    echo
+    echo "To re-enable egress for an app, use enable-egress."
+    exit 1
+}
+
+app="$1"
+
+if [ -z "$app" ]; then
+    echo "No app provided."
+    help
+else
+    echo "Checking for app $app in space.."
+    if cf apps | tr -s ' ' | cut -d ' ' -f 1 | grep -q -E "(^|\s)$app($|\s)"; then
+        echo "$app found."
+        echo "Unsetting environment variable proxy_url.."
+        cf unset-env "$app" proxy_url
+        echo "Checking network policy.."
+        read -r source dest protocol port space <<< "$( cf network-policies --source "$app" | tail -n +4 | tr -s ' ' | cut -d ' ' -f 1-5 )"
+        if [ -z "$dest" ] && [ -z "$protocol" ] && [ -z "$port" ] &&  [ -z "$space" ]; then
+            # network policy already empty, pass
+            echo "Network policy not found, continuing.."
+        else
+            cf remove-network-policy "$source" "$dest" -s "$space" --protocol "$protocol" --port "$port"
+        fi
+        echo "Restarting $app.."
+        cf restart "$app"
+    else
+        echo "App not found in space."
+        help
+    fi
+fi
diff --git a/egress/egress-smoke.sh b/egress/egress-smoke.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Smoke test for testing egress
+
+set -o errexit
+set -o pipefail
+set -o nounset
+set -x
+
+SPACE=$2
+ALLOW_DOMAIN="data.gov"
+DENY_DOMAIN="bing.com"
+
+function test_egress {
+    DOMAIN=$1
+    CODE=$2
+    [ "$CODE" == "$(curl -I --silent https://"$DOMAIN" | head -n 1 | cut -d$' ' -f2)" ]
+}
+
+# Application may not be fully available immediately, wait 15 seconds
+sleep 15
+
+if [ "$SPACE" == "egress" ]; then
+    # in the egress space, the egress app itself should be able to reach anything
+    DENY_CODE=200
+elif [ "$SPACE" == "app" ]; then
+    # in the app space, the app's egress should be restricted
+    DENY_CODE=403
+else
+    false || echo 'Error: SPACE not found'
+fi
+
+test_egress "$ALLOW_DOMAIN" 200
+echo "Allow domain ok"
+
+test_egress "$DENY_DOMAIN" "$DENY_CODE"
+echo "Deny domain ok"
+
+echo ok
diff --git a/egress/enable-egress b/egress/enable-egress
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+set -o pipefail
+
+help()
+{
+    echo
+    echo "$0: enables egress proxy for a given app."
+    echo "Note that this will not set up egress, but rather re-enable egress that has been disabled with disable-egress."
+    echo "Syntax: $0 <APP>"
+    echo "  <APP> must be a valid cf app in the current space with egress disabled."
+    #echo "Options:"
+    #echo "  --space <SPACE>: #TODO"
+    echo
+    echo "To disable egress for an app, use disable-egress."
+    echo "This depends on SSB_DIR and CG_DIR environment variables being set."
+    exit 1
+}
+
+app="$1"
+space="$2"
+
+if [ -z "$app" ]; then
+    echo "No app provided."
+    help
+elif [ -z "$space" ]; then
+    echo "No space provided."
+    help
+else
+    # cg-egress-proxy needs jq 🤷
+    if ! command -v jq &> /dev/null; then
+        apt-get install jq -y
+    fi
+
+    cp "$SSB_DIR/egress/acl/allow.acl" "$CG_DIR/${app}.allow.acl"
+    cp "$SSB_DIR/egress/acl/deny.acl" "$CG_DIR/${app}.deny.acl"
+
+    # need to be in CG_DIR for cg-egress-proxy scripts to run correctly
+    cd "$CG_DIR"
+    bin/cf-deployproxy -a "$app" -s "$space-egress" -e "proxy_url"
+fi
diff --git a/egress/restart-egress b/egress/restart-egress
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+set -o pipefail
+
+for app in $(cf apps | tail -n +4 | tr -s ' ' | cut -d ' ' -f 1)
+do
+    cf restart "$app" --strategy rolling
+done

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+ *.gov`
	`2`	`+ *.mil`
	`3`	`+ s3-us-gov-west-1.amazonaws.com`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+ *.bing.com`
	`2`	`+ somewebsitesothisisntempty.com`