From b1f514b13dcae57802fae48772c4fe6e98d0d6e9 Mon Sep 17 00:00:00 2001
From: Maximilian Moehl
Date: Thu, 26 Jun 2025 10:33:48 +0200
Subject: [PATCH 1/4] ci: move app to CNB

---
 ip-allow-listing-route-service/Procfile     |  1 +
 ip-allow-listing-route-service/main.go      | 21 ++++++++------------
 ip-allow-listing-route-service/manifest.yml |  5 ++---
 3 files changed, 11 insertions(+), 16 deletions(-)
 create mode 100644 ip-allow-listing-route-service/Procfile

diff --git a/ip-allow-listing-route-service/Procfile b/ip-allow-listing-route-service/Procfile
new file mode 100644
index 0000000..cfed67e
--- /dev/null
+++ b/ip-allow-listing-route-service/Procfile
@@ -0,0 +1 @@
+web: ip-allow-listing-route-service
diff --git a/ip-allow-listing-route-service/main.go b/ip-allow-listing-route-service/main.go
index a8dc6f9..8ffbf0b 100644
--- a/ip-allow-listing-route-service/main.go
+++ b/ip-allow-listing-route-service/main.go
@@ -2,6 +2,8 @@ package main
 
 import (
 	"bufio"
+	"bytes"
+	_ "embed"
 	"errors"
 	"fmt"
 	"log/slog"
@@ -21,6 +23,9 @@ var (
 	ErrInvalidTrueClientIP = fmt.Errorf("%w: invalid x-cf-true-client-ip header", ErrBadRequest)
 )
 
+//go:embed allowlist.txt
+var allowListFile []byte
+
 func main() {
 	slog.SetDefault(slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelDebug})))
 
@@ -32,12 +37,7 @@ func main() {
 }
 
 func Main() error {
-	allowListFile := os.Getenv("ALLOW_LIST_FILE")
-	if allowListFile == "" {
-		return fmt.Errorf("no file to read prefixes from provided")
-	}
-
-	allowedPrefixes, err := loadPrefixes(allowListFile)
+	allowedPrefixes, err := loadPrefixes()
 	if err != nil {
 		return err
 	}
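Review bot: The new package-level `allowListFile` under `//go:embed allowlist.txt` is undocumented, and the embed quietly turns the allow-list from a runtime-configurable file into data baked in at build time. I would add `// allowListFile is the contents of allowlist.txt compiled into the binary at build time; changing the allow-list requires a rebuild and redeploy, not a restart.` above the directive, so operators do not expect to swap the file the way the removed ALLOW_LIST_FILE env var allowed.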
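Review bot: Dropping the `ALLOW_LIST_FILE` guard also removes the only fail-fast check on the allow-list: an empty or comment-only allowlist.txt now compiles and starts cleanly, and `loadPrefixes()` presumably returns no prefixes, so whether the service then allows or denies everything is decided silently by the request handler, which is not visible here. Since `errors` is already imported, I would fail startup explicitly after the call: `if len(allowedPrefixes) == 0 { return errors.New("allow list is empty; add at least one prefix to allowlist.txt") }`. Main() continues outside the hunk.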
@@ -59,13 +59,8 @@ func Main() error {
 	return s.ListenAndServe()
 }
 
-func loadPrefixes(path string) (prefixes []netip.Prefix, err error) {
-	f, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-
-	s := bufio.NewScanner(f)
+func loadPrefixes() (prefixes []netip.Prefix, err error) {
+	s := bufio.NewScanner(bytes.NewReader(allowListFile))
 	for s.Scan() {
 		l := strings.TrimSpace(s.Text())
 		if len(l) == 0 || l[0] == '#' {
diff --git a/ip-allow-listing-route-service/manifest.yml b/ip-allow-listing-route-service/manifest.yml
index e9b3f57..f88cfc7 100644
--- a/ip-allow-listing-route-service/manifest.yml
+++ b/ip-allow-listing-route-service/manifest.yml
@@ -1,10 +1,9 @@
 applications:
 - name: ip-allow-listing-route-service
+  lifecycle: cnb
   buildpacks:
-  - go_buildpack
+  - docker://docker.io/paketobuildpacks/go
   memory: 128M
   instances: 1
-  env:
-    ALLOW_LIST_FILE: allowlist.txt
   routes:
   - route: ip-allow-list-rs-((suffix)).((domain))

From 364d830b8d2ded4fd7cd726c7d5c853f556b0271 Mon Sep 17 00:00:00 2001
From: Maximilian Moehl
Date: Thu, 26 Jun 2025 10:35:12 +0200
Subject: [PATCH 2/4] feat: add ok app for testing

---
 ip-allow-listing-route-service/manifest.yml |  9 +++++++++
 ip-allow-listing-route-service/ok/Procfile  |  1 +
 ip-allow-listing-route-service/ok/go.mod    |  3 +++
 ip-allow-listing-route-service/ok/main.go   | 21 +++++++++++++++++++++
 4 files changed, 34 insertions(+)
 create mode 100644 ip-allow-listing-route-service/ok/Procfile
 create mode 100644 ip-allow-listing-route-service/ok/go.mod
 create mode 100644 ip-allow-listing-route-service/ok/main.go

diff --git a/ip-allow-listing-route-service/manifest.yml b/ip-allow-listing-route-service/manifest.yml
index f88cfc7..3623efd 100644
--- a/ip-allow-listing-route-service/manifest.yml
+++ b/ip-allow-listing-route-service/manifest.yml
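Review bot: `- docker://docker.io/paketobuildpacks/go` is an unpinned builder reference, so every `cf push` resolves whatever that tag points to at that moment — a floating supply-chain dependency in the build of a security control, since this binary is the one enforcing the allow-list. Pin it to a version tag and ideally a digest, e.g. `- docker://docker.io/paketobuildpacks/go:<version>@sha256:<digest>`, and bump it deliberately. The `ok` app manifest added in the next commit uses the same unpinned reference and should be pinned the same way.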
@@ -7,3 +7,12 @@ applications:
   instances: 1
   routes:
   - route: ip-allow-list-rs-((suffix)).((domain))
+- name: ok
+  path: ./ok
+  lifecycle: cnb
+  buildpacks:
+  - docker://docker.io/paketobuildpacks/go
+  memory: 64M
+  instances: 1
+  routes:
+  - route: ok-((suffix)).((domain))
diff --git a/ip-allow-listing-route-service/ok/Procfile b/ip-allow-listing-route-service/ok/Procfile
new file mode 100644
index 0000000..54fb6be
--- /dev/null
+++ b/ip-allow-listing-route-service/ok/Procfile
@@ -0,0 +1 @@
+web: ok
diff --git a/ip-allow-listing-route-service/ok/go.mod b/ip-allow-listing-route-service/ok/go.mod
new file mode 100644
index 0000000..af6adf4
--- /dev/null
+++ b/ip-allow-listing-route-service/ok/go.mod
@@ -0,0 +1,3 @@
+module github.com/sap-samples/cf-routing-samples/ip-allow-listing-route-service/ok
+
+go 1.24.0
diff --git a/ip-allow-listing-route-service/ok/main.go b/ip-allow-listing-route-service/ok/main.go
new file mode 100644
index 0000000..fec88c7
--- /dev/null
+++ b/ip-allow-listing-route-service/ok/main.go
@@ -0,0 +1,21 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+)
+
+func main() {
+	err := http.ListenAndServe(":"+os.Getenv("PORT"), http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/plain")
+		w.WriteHeader(http.StatusOK)
+		_, err := fmt.Fprint(w, "ok")
+		if err != nil {
+			fmt.Printf("error: handle request: %s\n", err.Error())
+		}
+	}))
+	if err != nil {
+		fmt.Printf("error: server exited: %s\n", err.Error())
+	}
+}

From 6d27d5cd451ac8913353e458ae1cf8f738419829 Mon Sep 17 00:00:00 2001
From: Maximilian Moehl
Date: Thu, 26 Jun 2025 10:39:39 +0200
Subject: [PATCH 3/4] feat: add dummy allow-list

---
 ip-allow-listing-route-service/allowlist.txt | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 ip-allow-listing-route-service/allowlist.txt

diff --git a/ip-allow-listing-route-service/allowlist.txt b/ip-allow-listing-route-service/allowlist.txt
new file mode 100644
index 0000000..b043870
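Review bot: `http.ListenAndServe` in the new `ok` main() runs with no timeouts, so a client that opens a connection and never sends headers holds the goroutine and socket indefinitely; the app gets a public route in the manifest above, so it is worth the few lines of an `http.Server` with `ReadHeaderTimeout` (gosec flags this as G114). It also binds `":"+os.Getenv("PORT")` without checking that PORT is set — an empty value yields `:` and an arbitrary port the platform will not route to, with only a generic "server exited" log if anything at all. Sketch below; it adds a `time` import.
```go
port := os.Getenv("PORT")
if port == "" {
	fmt.Println("error: PORT is not set")
	os.Exit(1)
}
srv := &http.Server{
	Addr:              ":" + port,
	ReadHeaderTimeout: 10 * time.Second,
	Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// … unchanged: write "ok" and log the write error …
	}),
}
err := srv.ListenAndServe()
// … unchanged: "server exited" logging …
```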
--- /dev/null
+++ b/ip-allow-listing-route-service/allowlist.txt
@@ -0,0 +1 @@
+0.0.0.0/0

From 45a5c3f58ad3b055d6a4286e40dd6afc0b113af5 Mon Sep 17 00:00:00 2001
From: Maximilian Moehl
Date: Thu, 26 Jun 2025 10:52:27 +0200
Subject: [PATCH 4/4] ci: add PR check for allow-list

---
 .github/workflows/test-sample-apps.yml      | 20 ++++++++++++++++++--
 ip-allow-listing-route-service/manifest.yml |  1 +
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/test-sample-apps.yml b/.github/workflows/test-sample-apps.yml
index 687415d..dc9042c 100644
--- a/.github/workflows/test-sample-apps.yml
+++ b/.github/workflows/test-sample-apps.yml
@@ -4,6 +4,7 @@ on:
   pull_request_target:
     branches: [ main ]
     types: [ opened, synchronize, reopened ]
+  workflow_dispatch:
 
 permissions:
   pull-requests: write
@@ -57,7 +58,7 @@ jobs:
         run: cf8 login -a "${{ secrets.CF_API }}" -u "${{ secrets.CF_USERNAME }}" -p "${{ secrets.CF_PASSWORD }}" -o "${{ secrets.CF_ORG }}" -s "${{ secrets.CF_SPACE }}" --origin uaa
       - name: Deploy CloudFoundry sample apps
         run: cf8 push -f "${GITHUB_WORKSPACE}/http2/apps-manifest.yml" --var domain=${{ secrets.CF_DOMAIN }} --var hostname_prefix="$HOSTNAME_PREFIX" --vars-file "${GITHUB_WORKSPACE}/http2/gradle.properties"
-      - name: Test Sample apps
+      - name: Test HTTP/2 Sample apps
         run: |
           get_route() {
             echo "${HOSTNAME_PREFIX}${1}.${{ secrets.CF_DOMAIN }}"
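Review bot: `0.0.0.0/0` makes the shipped sample an allow-everything route service, and because the first commit embeds this file into the binary, anyone who builds the sample unchanged deploys a "filter" that blocks nothing — and nothing in the file says so. The loader skips lines starting with `#`, so give the file a header: `# Dummy allow-list for CI only: permits every IPv4 client. Replace with your real prefixes before building and deploying.` Note also that `0.0.0.0/0` is an IPv4 prefix, so IPv6 clients are presumably not matched unless `::/0` is listed as well, which is consistent with the CI test forcing `-4`; that caveat belongs in the same header.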
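Review bot: Adding `workflow_dispatch:` is harmless by itself, but it sits beside a `pull_request_target` trigger on a job that logs into Cloud Foundry with repository secrets and, after this series, `cf8 push`es manifests, Procfiles and Go sources straight from the checked-out tree. If the checkout step (outside this hunk) checks out the PR head ref, a fork PR can alter what is built and run while `CF_USERNAME`/`CF_PASSWORD` are in scope; if it checks out the base ref, the PR's allow-list changes are not what gets tested. Consider guarding the deploy job with `if: github.event.pull_request.head.repo.full_name == github.repository` or a protected environment with required reviewers, and add a comment next to the trigger stating which ref is checked out and why that is safe.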
@@ -72,13 +73,28 @@ jobs:
           grpcurl -proto http2/node-grpc/example.proto $(get_route node-grpc-test):443 Example.Run
           grpcurl -proto http2/python-grpc/example.proto $(get_route python-grpc-test):443 Example.Run
           grpcurl -proto http2/ruby-grpc/example.proto $(get_route ruby-grpc-test):443 Example.Run
+      - name: Deploy IP Allow-List Sample App
+        run: |
+          cf8 push --var "domain=${{ secrets.CF_DOMAIN }}" --var "suffix=${HOSTNAME_PREFIX}" --manifest "${GITHUB_WORKSPACE}/ip-allow-listing-route-service/manifest.yml"
+          cf8 create-user-provided-service "allow-list-${HOSTNAME_PREFIX}" -r "https://ip-allow-list-rs-${HOSTNAME_PREFIX}.${{ secrets.CF_DOMAIN }}"
+          cf8 bind-route-service "${{ secrets.CF_DOMAIN }}" --hostname "ok-${HOSTNAME_PREFIX}" "allow-list-${HOSTNAME_PREFIX}"
+      - name: Test IP Allow-List Sample App
+        run: |
+          echo "Test IPv4 is accesible"
+          test "$(curl --silent --output /dev/null --write-out "%{http_code}" -4 "https://ok-${HOSTNAME_PREFIX}.cfapps.eu12.hana.ondemand.com")" -eq 200
       - name: Clean-up
         if: success() || failure()
         run: |
+          echo "Deleting service instance"
+          cf8 -f delete-service "allow-list-${HOSTNAME_PREFIX}" || true
           echo "Deleting apps and routes"
           yq e '.applications.[].name' "${GITHUB_WORKSPACE}/http2/apps-manifest.yml" | while read -r app_name; do
             echo "Deleting app: $app_name"
-            cf8 delete "$app_name" -r -f
+            cf8 delete "$app_name" -r -f || true
+          done
+          yq e '.applications.[].name' "${GITHUB_WORKSPACE}/ip-allow-listing-route-service/manifest.yml" | while read -r app_name; do
+            echo "Deleting app: $app_name"
+            cf8 delete "$app_name" -r -f || true
           done
   automerge:
     runs-on: ubuntu-latest
diff --git a/ip-allow-listing-route-service/manifest.yml b/ip-allow-listing-route-service/manifest.yml
index 3623efd..8288449 100644
--- a/ip-allow-listing-route-service/manifest.yml
+++ b/ip-allow-listing-route-service/manifest.yml
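Review bot: The new test step hard-codes `cfapps.eu12.hana.ondemand.com` while the push, create-user-provided-service and bind-route-service lines just above derive the host from `${{ secrets.CF_DOMAIN }}`; that breaks the check on any other landscape and prints in clear text the domain the secret exists to hide, so use `"https://ok-${HOSTNAME_PREFIX}.${{ secrets.CF_DOMAIN }}"` like the other lines (and fix the `accesible` typo). The check also only proves the allow path: with `0.0.0.0/0` embedded, a route service that forwards everything unconditionally passes too, so a negative case — for example a request carrying a forged `X-CF-True-Client-IP`, which the route service apparently parses, or a second bound app built from a list that excludes the runner — is what would actually exercise the filter. Finally, `cf8 -f delete-service NAME` places `-f` before the sub-command, which I do not believe the cf CLI accepts as a global flag; if it is rejected the `|| true` hides the failure and the service instance leaks, so the documented form `cf8 delete-service -f "allow-list-${HOSTNAME_PREFIX}" || true` is safer.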
@@ -1,5 +1,6 @@
 applications:
 - name: ip-allow-listing-route-service
+  path: .
   lifecycle: cnb
   buildpacks:
   - docker://docker.io/paketobuildpacks/go