GitHub provider (#190)

* Add Github Provider --------- Signed-off-by: Moulick Aggarwal <[email protected]> Co-authored-by: Moulick Aggarwal <[email protected]>
Moulick · Nov 7, 2023 · 08f732a · 08f732a
1 parent 52db2a7
commit 08f732a
Show file tree

Hide file tree

Showing 15 changed files with 887 additions and 387 deletions.
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -182,7 +182,7 @@ docker_manifests:
       - quay.io/moulick/{{ .ProjectName }}:latest-armv7
       # - quay.io/moulick/{{ .ProjectName }}:latest-armv6
 
-  # Github Container Registry
+  # GitHub Container Registry
   - name_template: ghcr.io/moulick/{{ .ProjectName }}:{{ .Tag }}
     image_templates:
       - ghcr.io/moulick/{{ .ProjectName }}:{{ .Tag }}-amd64

diff --git a/Dockerfile b/Dockerfile
@@ -14,6 +14,7 @@ RUN go mod download -x
 # Copy the go source
 COPY main.go main.go
 COPY api/ api/
+COPY utils/ utils/
 COPY controllers/ controllers/
 
 # Build

diff --git a/Makefile b/Makefile
@@ -35,11 +35,12 @@ JSONNET ?= $(LOCALBIN)/jsonnet
 JSONNET_FMT ?= $(LOCALBIN)/jsonnetfmt
 
 ## Tool Versions
-ENVTEST_K8S_VERSION = 1.27.1
-KUSTOMIZE_VERSION ?= v5.1.0
+ENVTEST_K8S_VERSION ?= 1.27.1
+SETUP_ENVTEST_VERSION ?= latest
+KUSTOMIZE_VERSION ?= v5.1.1
 CONTROLLER_GEN_VERSION ?= v0.12.0
 JSONNET_VERSION ?= v0.20.0
-YQ_VERSION ?= v4.34.1
+YQ_VERSION ?= v4.35.1
 GINKGO_VERSION ?= $(shell cat $(GO_MOD) | grep github.com/onsi/ginkgo | awk '{print $$2}')
 GOJQ_VERSION ?= v0.12.13
 
@@ -233,7 +234,7 @@ gojq: $(LOCALBIN) ## Download gojq locally if necessary.
 .PHONY: envtest
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
 $(ENVTEST): $(LOCALBIN)
-	@test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+	@test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@$(SETUP_ENVTEST_VERSION)
 
 .PHONY: ginkgo
 ginkgo: $(LOCALBIN) ## Download ginkgo locally if necessary.

diff --git a/api/v1beta1/ipwhitelistconfig_types.go b/api/v1beta1/ipwhitelistconfig_types.go
@@ -45,18 +45,31 @@ type Providers struct {
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`
 	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:Enum=akamai;cloudflare;fastly
-	Type string `json:"type"`
+	// +kubebuilder:validation:Enum=akamai;cloudflare;fastly;github
+	Type ProviderName `json:"type"`
 	// +kubebuilder:validation:Optional
 	Akamai AkamaiProvider `json:"akamai,omitempty"`
 	// +kubebuilder:validation:Optional
 	Cloudflare CloudflareProvider `json:"cloudflare,omitempty"`
 	// +kubebuilder:validation:Optional
 	Fastly FastlyProvider `json:"fastly,omitempty"`
+	// +kubebuilder:validation:Optional
+	Github GithubProvider `json:"github,omitempty"`
 }
 
+type ProviderName string
+
+const (
+	Cloudflare ProviderName = "cloudflare"
+	Akamai     ProviderName = "akamai"
+	Fastly     ProviderName = "fastly"
+	Github     ProviderName = "github"
+)
+
 type CloudflareProvider struct {
 	// +kubebuilder:validation:Required
+	// +kubebuilder:default="https://api.cloudflare.com/client/v4/ips"
+	// JsonApi is the URL of cloudflare to query for the list of IPs
 	JsonApi string `json:"jsonApi"`
 }
 
@@ -65,6 +78,22 @@ type FastlyProvider struct {
 	JsonApi string `json:"jsonApi"`
 }
 
+// GithubProvider is a provider for the github meta API
+// +kubebuilder:validation:Optional
+type GithubProvider struct {
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="https://api.github.com/meta"
+	JsonApi string `json:"jsonApi,omitempty"`
+
+	// Services are names of sections with IP addresses in the api.github.com/meta like "hooks", "web", "api", "actions" etc
+	// +kubebuilder:validation:Required
+	Services []string `json:"services,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="2022-11-28"
+	APIVersion string `json:"apiVersion,omitempty"`
+}
+
 // IPGroup is a group of IPs with a set expiration time
 type IPGroup struct {
 	// +kubebuilder:validation:Required

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/ingress.security.moulick_ipwhitelistconfigs.yaml b/config/crd/bases/ingress.security.moulick_ipwhitelistconfigs.yaml
@@ -162,6 +162,9 @@ spec:
                     cloudflare:
                       properties:
                         jsonApi:
+                          default: https://api.cloudflare.com/client/v4/ips
+                          description: JsonApi is the URL of cloudflare to query for
+                            the list of IPs
                           type: string
                       required:
                       - jsonApi
@@ -173,13 +176,32 @@ spec:
                       required:
                       - jsonApi
                       type: object
+                    github:
+                      description: GithubProvider is a provider for the github meta
+                        API
+                      properties:
+                        apiVersion:
+                          default: "2022-11-28"
+                          type: string
+                        jsonApi:
+                          default: https://api.github.com/meta
+                          type: string
+                        services:
+                          description: Services are names of sections with IP addresses
+                            in the api.github.com/meta like "hooks", "web", "api",
+                            "actions" etc
+                          items:
+                            type: string
+                          type: array
+                      type: object
                     name:
                       type: string
                     type:
                       enum:
                       - akamai
                       - cloudflare
                       - fastly
+                      - github
                       type: string
                   required:
                   - name

diff --git a/config/samples/github-provider.yaml b/config/samples/github-provider.yaml
@@ -0,0 +1,70 @@
+---
+apiVersion: ingress.security.moulick/v1beta1
+kind: IPWhitelistConfig
+metadata:
+  name: ipwhitelist-ruleset
+spec:
+  whitelistAnnotation: "ingress.kubernetes.io/whitelist-source-range"
+  rules:
+    - name: admin
+      selector:
+        matchExpressions:
+          - key: ipwhitelist-type
+            operator: In
+            values:
+              - "admin"
+      ipGroupSelector:
+        - admin
+        - devopsVPN
+        - siteA-vpn
+      providerSelector:
+        - name: source
+        # - name: akamai-site-shield
+    - name: internal
+      selector:
+        matchExpressions:
+          - key: ipwhitelist-type
+            operator: In
+            values:
+              - tooling
+              - siteA-vpn
+      ipGroupSelector:
+        - admin
+        - devopsVPN
+    - name: public
+      selector:
+        matchLabels:
+          ipwhitelist-type: customerFacing
+      providerSelector:
+        - name: source
+    - name: devopsOnly
+      selector:
+        matchLabels:
+          ipwhitelist-type: "devopsOnly"
+      ipGroupSelector:
+        - devopsVPN
+  ipGroups:
+    - name: admin
+      cidrs:
+        - 192.169.0.1/32
+        - 10.0.3.4/18
+      expires: 2025-12-11T16:32:29Z
+    - name: public
+      cidrs:
+        - 0.0.0.0/0
+        - ::/0
+      expires: 2025-12-11T16:32:29Z
+    - name: devopsVPN
+      cidrs:
+        - 176.34.201.164/32
+      expires: 2025-12-11T16:32:29Z
+    - name: siteA-vpn
+      cidrs:
+        - 156.75.1.1/24
+      expires: 2025-12-11T16:32:29Z
+  providers:
+    - name: source
+      type: github
+      github:
+        services:
+          - hooks