Add a source IP allowlist for user-facing services

- Add database table and updates with an allowlist of IPs. This is currently structured as a table with one row, and an array of INETs as the allowlist. Includes a CHECK constraint that the list is not empty -- NULL is used to indicate the lack of an allowlist.
- Add Nexus API for viewing / updating allowlist. Also does basic sanity checks on the list, most importantly that the source IP the request came from is _on_ the list. VPC firewall rules are updated after the database has been updated successfully.
- Add the allowlist to wicket example config file, and plumb through wicket UI, client, server, and into bootstrap agent.
- Add the allowlist into the rack initialization request, and insert it into the database during Nexus's internal server handling of that request.
- Read allowlist and convert to firewall rules when plumbing any service firewall rules to sled agents. This works by modifying existing firewall rules for the internal service VPC. The host filters should always be empty here, so this is simple and well-defined. It also lets us keep the right protocol and port filters on the rules.
- Add method for waiting on this plumbing _before_ starting Nexus's external server, to ensure the IP allowlist is set before anything can reach Nexus.
- Add background task in Nexus for ensuring service VPC rules only. This runs pretty infrequently now (5 minutes), but the allowlist should only be updated very rarely.
- Include allowlist default on deserialization in the sled-agent, so that it applies to existing customer installations that've already been RSS'd.
- Note: This also relaxes the regular expression we've been using for IPv6 networks. It was previously checking only for ULAs, while we now need it to represent any valid network. Adds tests for the regex too.
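The commit message describes two invariants for the allowlist: the stored list is either NULL (no allowlist, everything permitted) or a non-empty array of networks, and an update is only accepted if the source IP of the request that submits it is itself covered by the new list, so an operator cannot lock themselves out. The following is an added example, not code from this commit or from the Nexus code base, that models those two checks over IPv4 and IPv6 CIDR entries using only the Rust standard library. The names `IpNet`, `Allowlist`, `parse_allowlist`, `validate_update` and `is_allowed`, and every address in it, are assumptions constructed for the illustration.

```rust
use std::net::IpAddr;

/// One allowlist entry in CIDR form, stored as a 128-bit value plus prefix
/// length so IPv4 and IPv6 share a single containment check.
/// (Hypothetical type for this example.)
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct IpNet {
    addr: u128,
    prefix: u8,
    v6: bool,
}

/// Widen either address family to u128; IPv4 occupies the low 32 bits.
fn to_u128(ip: IpAddr) -> (u128, bool) {
    match ip {
        IpAddr::V4(v4) => (u32::from(v4) as u128, false),
        IpAddr::V6(v6) => (u128::from(v6), true),
    }
}

/// Network mask for `prefix` bits; a /0 matches every address of its family.
fn mask(prefix: u8, v6: bool) -> u128 {
    let bits: u32 = if v6 { 128 } else { 32 };
    if prefix == 0 { 0 } else { (!0u128) << (bits - prefix as u32) }
}

impl IpNet {
    /// Parse "addr/len" or a bare address (treated as a host route).
    pub fn parse(s: &str) -> Result<Self, String> {
        let (ip_str, prefix_str) = match s.split_once('/') {
            Some((a, p)) => (a, Some(p)),
            None => (s, None),
        };
        let ip: IpAddr = ip_str.parse().map_err(|e| format!("{s}: {e}"))?;
        let (addr, v6) = to_u128(ip);
        let bits: u8 = if v6 { 128 } else { 32 };
        let prefix = match prefix_str {
            Some(p) => p.parse::<u8>().map_err(|e| format!("{s}: bad prefix: {e}"))?,
            None => bits,
        };
        if prefix > bits {
            return Err(format!("{s}: prefix {prefix} exceeds {bits}"));
        }
        // Normalise so host bits are cleared before comparison.
        Ok(IpNet { addr: addr & mask(prefix, v6), prefix, v6 })
    }

    /// True when `ip` is in this network (families must match).
    pub fn contains(&self, ip: IpAddr) -> bool {
        let (a, v6) = to_u128(ip);
        v6 == self.v6 && (a & mask(self.prefix, self.v6)) == self.addr
    }
}

/// `None` mirrors the NULL row (no allowlist: all sources permitted);
/// `Some` must be non-empty, as the commit's CHECK constraint requires.
pub type Allowlist = Option<Vec<IpNet>>;

#[derive(Debug, PartialEq)]
pub enum AllowlistError {
    Empty,
    WouldLockOutRequester(IpAddr),
}

pub fn parse_allowlist(entries: &[&str]) -> Result<Vec<IpNet>, String> {
    entries.iter().map(|e| IpNet::parse(e)).collect()
}

/// Sanity checks an API update must pass: a present list is non-empty and
/// covers the source address of the request that submits it.
pub fn validate_update(new_list: &Allowlist, requester: IpAddr) -> Result<(), AllowlistError> {
    match new_list {
        None => Ok(()),
        Some(nets) if nets.is_empty() => Err(AllowlistError::Empty),
        Some(nets) if nets.iter().any(|n| n.contains(requester)) => Ok(()),
        Some(_) => Err(AllowlistError::WouldLockOutRequester(requester)),
    }
}

/// The runtime decision a firewall rule derived from the list would make.
pub fn is_allowed(list: &Allowlist, src: IpAddr) -> bool {
    match list {
        None => true,
        Some(nets) => nets.iter().any(|n| n.contains(src)),
    }
}

fn main() {
    // Constructed sample list and request sources; not values from the commit.
    let list: Allowlist = Some(parse_allowlist(&["10.0.0.0/8", "fd00::/8"]).unwrap());
    for src in ["10.1.2.3", "203.0.113.5", "fd12::1"] {
        let ip: IpAddr = src.parse().unwrap();
        println!("{src}: update {:?}, allowed {}", validate_update(&list, ip), is_allowed(&list, ip));
    }
}
```

The requester check only protects against self-lockout for the address the server actually sees; when the API sits behind a proxy or NAT that address is the proxy's, so an operator submitting a list that covers their own workstation but not the proxy is still rejected, which is the safe direction for the check to err.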
Showing 67 changed files with 1,718 additions and 58 deletions.