Merge pull request #26 from ministryofjustice/NIT-1097-alfresco-dev-c…

…utover NIT-1097 limit access to alfresco envs
ministryofjustice · Feb 15, 2024 · 8f09fdc · 8f09fdc
2 parents f24f015 + a3efb16
commit 8f09fdc
Show file tree

Hide file tree

Showing 6 changed files with 96 additions and 8 deletions.
diff --git a/alfresco-content-services/templates/ingress-ms-teams-service.yaml b/alfresco-content-services/templates/ingress-ms-teams-service.yaml
@@ -9,6 +9,7 @@ metadata:
     {{- include "ms-teams-service.labels" . | nindent 4 }}
   annotations:
     kubernetes.io/ingress.class: "nginx"
+    nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," .Values.global.whitelistSourceRanges }}
 {{- if .Values.msTeamsService.extraAnnotations }}
 {{ toYaml .Values.msTeamsService.extraAnnotations | indent 4 }}
 {{- end }}

diff --git a/alfresco-content-services/templates/ingress-ooi-service.yaml b/alfresco-content-services/templates/ingress-ooi-service.yaml
@@ -9,6 +9,7 @@ metadata:
     {{- include "ooi-service.labels" . | nindent 4 }}
   annotations:
     kubernetes.io/ingress.class: "nginx"
+    nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," .Values.global.whitelistSourceRanges }}
 {{- if .Values.ooiService.extraAnnotations }}
 {{ toYaml .Values.ooiService.extraAnnotations | indent 4 }}
 {{- end }}

diff --git a/alfresco-content-services/templates/ingress-repository.yaml b/alfresco-content-services/templates/ingress-repository.yaml
@@ -5,6 +5,7 @@ metadata:
   labels:
     {{- include "repository.labels" . | nindent 4 }}
   annotations:
+    nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," .Values.global.whitelistSourceRanges }}
     nginx.ingress.kubernetes.io/affinity: "cookie"
     nginx.ingress.kubernetes.io/session-cookie-name: "alf_affinity_route"
     nginx.ingress.kubernetes.io/session-cookie-hash: "sha1"

diff --git a/alfresco-content-services/templates/ingress-share.yaml b/alfresco-content-services/templates/ingress-share.yaml
@@ -7,6 +7,7 @@ metadata:
   labels:
     {{- include "share.labels" . | nindent 4 }}
   annotations:
+    nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," .Values.global.whitelistSourceRanges }}
     # Default limit is 1m, document(s) above this size will throw 413 (Request Entity Too Large) error
     nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.repository.ingress.maxUploadSize }}
     nginx.ingress.kubernetes.io/affinity: "cookie"

diff --git a/alfresco-content-services/values_dev.yaml b/alfresco-content-services/values_dev.yaml
@@ -1,5 +1,47 @@
 # this file overrides values defined in ./values.yaml
-# repository:
-#   replicaCount: 1
-# share:
-#   replicaCount: 1
+repository:
+  replicaCount: 1
+share:
+  replicaCount: 1
+global:
+  whitelistSourceRanges:
+    - "3.11.29.246"        # delius-mis-dev-az1-nat-gateway
+    - "18.130.165.209"     # delius-mis-dev-az2-nat-gateway
+    - "35.178.35.115"      # delius-mis-dev-az3-nat-gateway
+    - "35.176.93.186/32"   # MoJ GlobalProtect
+    - "35.177.125.252/32"  # MoJ VPN Gateway Proxies
+    - "35.177.137.160/32"  # MoJ VPN Gateway Proxies
+    - "81.134.202.29/32"   # MoJ VPN
+    - "51.149.250.0/24"    # PTTP / MoJO Production Account BYOIP CIDR range
+    - "51.149.251.0/24"    # PTTP / MoJO Production Account BYOIP CIDR range - PreProd
+    - "213.121.161.112/28" # 102 Petty France WiFi
+    - "217.33.148.210/32"  # Digital studio
+    - "13.43.9.198/32"     # MP non_live_data-public-eu-west-2a-nat
+    - "13.42.163.245/32"   # MP non_live_data-public-eu-west-2b-nat
+    - "18.132.208.127/32"  # MP non_live_data-public-eu-west-2c-nat
+    - "51.149.249.0/29"    # ARK Corsham Internet Egress Exponential-E
+    - "51.149.249.32/29"   # ARK Corsham Internet Egress Exponential-E
+    - "194.33.192.0/25"    # ARK internet (DOM1)
+    - "194.33.193.0/25"    # ARK internet (DOM1)
+    - "194.33.196.0/25"    # ARK internet (DOM1)
+    - "194.33.197.0/25"    # ARK internet (DOM1)
+    - "195.59.75.0/24"     # ARK internet (DOM1)
+    - "194.33.248.0/29"    # ARK Corsham Internet Egress Vodafone
+    - "194.33.249.0/29"    # ARK Corsham Internet Egress Vodafone
+    - "62.25.106.209/32"   # OMNI
+    - "195.92.40.49/32"    # OMNI
+    - "62.25.109.197/32"   # Quantum
+    - "195.92.38.16/28"    # Quantum
+    - "212.137.36.230/32"  # Quantum
+    - "78.33.10.50/31"     # Unilink AOVPN
+    - "78.33.10.52/30"     # Unilink AOVPN
+    - "78.33.10.56/30"     # Unilink AOVPN
+    - "78.33.10.60/32"     # Unilink AOVPN
+    - "78.33.32.99/32"     # Unilink AOVPN
+    - "78.33.32.100/30"    # Unilink AOVPN
+    - "78.33.32.104/30"    # Unilink AOVPN
+    - "78.33.32.108/32"    # Unilink AOVPN
+    - "83.98.63.176/29"    # Unilink AOVPN
+    - "194.75.210.216/29"  # Unilink AOVPN
+    - "217.138.45.109/32"  # Unilink AOVPN
+    - "217.138.45.110/32"  # Unilink AOVPN
diff --git a/alfresco-content-services/values_poc.yaml b/alfresco-content-services/values_poc.yaml
@@ -1,5 +1,47 @@
 # this file overrides values defined in ./values.yaml
-# repository:
-#   replicaCount: 1
-# share:
-#   replicaCount: 1
+repository:
+  replicaCount: 1
+share:
+  replicaCount: 1
+global:
+  whitelistSourceRanges:
+    - "3.11.29.246"        # delius-mis-dev-az1-nat-gateway
+    - "18.130.165.209"     # delius-mis-dev-az2-nat-gateway
+    - "35.178.35.115"      # delius-mis-dev-az3-nat-gateway
+    - "35.176.93.186/32"   # MoJ GlobalProtect
+    - "35.177.125.252/32"  # MoJ VPN Gateway Proxies
+    - "35.177.137.160/32"  # MoJ VPN Gateway Proxies
+    - "81.134.202.29/32"   # MoJ VPN
+    - "51.149.250.0/24"    # PTTP / MoJO Production Account BYOIP CIDR range
+    - "51.149.251.0/24"    # PTTP / MoJO Production Account BYOIP CIDR range - PreProd
+    - "213.121.161.112/28" # 102 Petty France WiFi
+    - "217.33.148.210/32"  # Digital studio
+    - "13.43.9.198/32"     # MP non_live_data-public-eu-west-2a-nat
+    - "13.42.163.245/32"   # MP non_live_data-public-eu-west-2b-nat
+    - "18.132.208.127/32"  # MP non_live_data-public-eu-west-2c-nat
+    - "51.149.249.0/29"    # ARK Corsham Internet Egress Exponential-E
+    - "51.149.249.32/29"   # ARK Corsham Internet Egress Exponential-E
+    - "194.33.192.0/25"    # ARK internet (DOM1)
+    - "194.33.193.0/25"    # ARK internet (DOM1)
+    - "194.33.196.0/25"    # ARK internet (DOM1)
+    - "194.33.197.0/25"    # ARK internet (DOM1)
+    - "195.59.75.0/24"     # ARK internet (DOM1)
+    - "194.33.248.0/29"    # ARK Corsham Internet Egress Vodafone
+    - "194.33.249.0/29"    # ARK Corsham Internet Egress Vodafone
+    - "62.25.106.209/32"   # OMNI
+    - "195.92.40.49/32"    # OMNI
+    - "62.25.109.197/32"   # Quantum
+    - "195.92.38.16/28"    # Quantum
+    - "212.137.36.230/32"  # Quantum
+    - "78.33.10.50/31"     # Unilink AOVPN
+    - "78.33.10.52/30"     # Unilink AOVPN
+    - "78.33.10.56/30"     # Unilink AOVPN
+    - "78.33.10.60/32"     # Unilink AOVPN
+    - "78.33.32.99/32"     # Unilink AOVPN
+    - "78.33.32.100/30"    # Unilink AOVPN
+    - "78.33.32.104/30"    # Unilink AOVPN
+    - "78.33.32.108/32"    # Unilink AOVPN
+    - "83.98.63.176/29"    # Unilink AOVPN
+    - "194.75.210.216/29"  # Unilink AOVPN
+    - "217.138.45.109/32"  # Unilink AOVPN
+    - "217.138.45.110/32"  # Unilink AOVPN