diff --git a/.github/workflows/deploy-dev-from-branch.yml b/.github/workflows/deploy-dev-from-branch.yml
index 2208d248..88a07703 100644
--- a/.github/workflows/deploy-dev-from-branch.yml
+++ b/.github/workflows/deploy-dev-from-branch.yml
@@ -39,3 +39,4 @@ jobs:
 slack_alert_webhook: ${{ secrets.SLACK_ALERT_WEBHOOK }}
 azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
 notify_api_key: ${{ secrets.NOTIFY_API_KEY }}
+ limit_whitelist: ${{ secrets.LIMIT_WHITELIST }}
diff --git a/.github/workflows/deploy-staged.yml b/.github/workflows/deploy-staged.yml
index 7509cc0e..fe0cdf52 100644
--- a/.github/workflows/deploy-staged.yml
+++ b/.github/workflows/deploy-staged.yml
@@ -30,6 +30,7 @@ jobs:
 slack_alert_webhook: ${{ secrets.SLACK_ALERT_WEBHOOK }}
 azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
 notify_api_key: ${{ secrets.NOTIFY_API_KEY }}
+ limit_whitelist: ${{ secrets.LIMIT_WHITELIST }}
 deploy-preprod:
 uses: "./.github/workflows/reusable-push-and-deploy.yml"
@@ -47,6 +48,7 @@ jobs:
 slack_alert_webhook: ${{ secrets.SLACK_ALERT_WEBHOOK }}
 azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
 notify_api_key: ${{ secrets.NOTIFY_API_KEY }}
+ limit_whitelist: ${{ secrets.LIMIT_WHITELIST }}
 notify-preprod-success:
 needs: deploy-preprod
@@ -88,6 +90,7 @@ jobs:
 slack_alert_webhook: ${{ secrets.SLACK_ALERT_WEBHOOK }}
 azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
 notify_api_key: ${{ secrets.NOTIFY_API_KEY }}
+ limit_whitelist: ${{ secrets.LIMIT_WHITELIST }}
 post-deploy:
 name: "Post-deploy admin"
diff --git a/.github/workflows/reusable-push-and-deploy.yml b/.github/workflows/reusable-push-and-deploy.yml
index 68d77247..a11df3a6 100644
--- a/.github/workflows/reusable-push-and-deploy.yml
+++ b/.github/workflows/reusable-push-and-deploy.yml
@@ -38,6 +38,9 @@ on:
 notify_api_key:
 description: "api key for the gds notify service"
 required: true
+ limit_whitelist:
+ description: "string of comma delimited subnets"
+ required: true
 jobs:
 push-and-deploy:
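Review bot: The rate-limit exemption list is passed through the `secrets` context (`limit_whitelist: ${{ secrets.LIMIT_WHITELIST }}`), which takes it out of code review and git history; until this commit the ranges lived in `deployments/templates/ingress.yml`, where any change to who is exempt from rate limiting was a reviewable diff. A list of public CIDRs is configuration rather than a credential, so a repository or environment variable (`limit_whitelist: ${{ vars.LIMIT_WHITELIST }}`, with the reusable workflow declaring it as an input instead of what looks here like a secret) would keep changes auditable and let the rendered value be inspected in job output instead of being masked. The same pattern appears in the three hunks of deploy-staged.yml and in the `limit_whitelist` declaration in reusable-push-and-deploy.yml; if it is intentionally a secret, that declaration's description should say why. The job this line belongs to starts before the hunk.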
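Review bot: The description `"string of comma delimited subnets"` does not tell a caller the format the consumer expects or what the list controls; I would change it to `description: "comma-separated CIDR ranges, no spaces, exempted from ingress-nginx rate limiting via the limit-whitelist annotation"`. It is also worth stating that an empty value presumably exempts nobody, because as far as I know `required: true` only checks that the caller passed the key, not that the referenced secret is non-empty. The `on:` block this declaration belongs to begins before the hunk.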
@@ -128,6 +131,7 @@ jobs:
 NOTIFY_SENDER_TEMPLATE_ID: ${{ vars.NOTIFY_SENDER_TEMPLATE_ID }}
 NOTIFY_DATA_CATALOGUE_TEMPLATE_ID: ${{ vars.NOTIFY_DATA_CATALOGUE_TEMPLATE_ID }}
 DATA_CATALOGUE_EMAIL: ${{ vars.DATA_CATALOGUE_EMAIL }}
+ LIMIT_WHITELIST: ${{ secrets.LIMIT_WHITELIST }}
 run: |
 cat deployments/templates/deployment.yml | envsubst > deployments/deployment.yml
diff --git a/deployments/templates/ingress.yml b/deployments/templates/ingress.yml
index c2ee8b54..2691ea58 100644
--- a/deployments/templates/ingress.yml
+++ b/deployments/templates/ingress.yml
@@ -5,8 +5,7 @@ metadata:
 annotations:
 external-dns.alpha.kubernetes.io/set-identifier: find-moj-data-ingress-${NAMESPACE}-green
 external-dns.alpha.kubernetes.io/aws-weight: "100"
- nginx.ingress.kubernetes.io/limit-whitelist: |
- 217.33.148.210/32,35.177.252.195/32,81.134.202.29/32,35.178.209.113/32,3.8.51.207/32,35.177.252.54/32,194.33.192.0/25,194.33.196.0/25,35.176.93.186/32,51.149.250.0/24,51.149.249.0/29,51.149.249.32/29,194.33.248.0/29,194.33.249.0/29,194.33.200.0/21,194.33.216.0/24,194.33.217.0/24,194.33.218.0/24,128.77.75.64/26,20.49.214.199/32,20.49.214.228/32,20.26.11.71/32,20.26.11.108/32
+ nginx.ingress.kubernetes.io/limit-whitelist: ${{ LIMIT_WHITELIST }}
 nginx.ingress.kubernetes.io/limit-rps: "200"
 nginx.ingress.kubernetes.io/enable-modsecurity: "true"
 nginx.ingress.kubernetes.io/modsecurity-snippet: |
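Review bot: `LIMIT_WHITELIST` is exported only on the step whose visible `run:` renders `deployments/templates/deployment.yml`, while the template that consumes it is `deployments/templates/ingress.yml`; unless ingress.yml is rendered by this same step (its `run:` continues beyond the hunk, so it may be), the step that does render it needs `LIMIT_WHITELIST` in its `env:` too, otherwise envsubst expands the placeholder to an empty string and the annotation ships empty. An empty annotation is easy to miss because the deploy still succeeds, so a guard before the render such as `test -n "$LIMIT_WHITELIST" || { echo "LIMIT_WHITELIST is empty"; exit 1; }` would surface it at deploy time. The step this `env:` belongs to starts before the hunk.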
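Review bot: `${{ LIMIT_WHITELIST }}` is GitHub Actions expression syntax, not an envsubst placeholder; the workflow renders these templates with `envsubst`, which expands `${VAR}` (as `${NAMESPACE}` two lines above shows) and does not expand a doubled brace, so the annotation would reach the cluster as the literal text rather than the CIDR list and ingress-nginx would exempt nothing from rate limiting or reject the value. It should read `nginx.ingress.kubernetes.io/limit-whitelist: "${LIMIT_WHITELIST}"`, quoted so that an empty expansion yields an empty string rather than a YAML null (annotation values must be strings) and so the parser never re-types the value. The removed block scalar also carried a trailing newline; the plain quoted form drops it, which is the cleaner shape for a comma-separated list.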