Skip to content

Commit

Permalink
fix(trusted.ci): allow crawler to publish to pkg VM (and allow to pub…
Browse files Browse the repository at this point in the history 
…lish to archives) (#896)

WIP
  • Loading branch information
@smerle33
smerle33 authored Dec 3, 2024
1 parent 83b2747 commit da8e3b7
Show file tree
Hide file tree
Showing 2 changed files with 36 additions and 2 deletions.
6 changes: 4 additions & 2 deletions locals.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,10 @@ locals {
}

external_services = {
"updates.jenkins.io" = "52.202.51.185"
"s390x.jenkins.io" = "148.100.84.76"
"updates.jenkins.io" = "52.202.51.185"
"s390x.jenkins.io" = "148.100.84.76"
"pkg.origin.jenkins.io" = "52.202.51.185"
"archives.jenkins.io" = "46.101.121.132"
}

# Ref. https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses
Expand Down
32 changes: 32 additions & 0 deletions trusted.ci.jenkins.io.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -313,6 +313,38 @@ resource "azurerm_network_security_rule" "allow_out_many_from_trusted_ephemeral_
resource_group_name = azurerm_resource_group.trusted_ci_jenkins_io_controller_jenkins_sponsorship.name
network_security_group_name = module.trusted_ci_jenkins_io_azurevm_agents_jenkins_sponsorship.ephemeral_agents_nsg_name
}
resource "azurerm_network_security_rule" "allow_out_many_from_trusted_ephemeral_agents_to_pkg" {
provider = azurerm.jenkins-sponsorship
name = "allow-out-many-from-ephemeral-agents-to-pkg"
priority = 4055
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_ranges = [
"22", # SSH (for rsync)
]
source_address_prefixes = data.azurerm_subnet.trusted_ci_jenkins_io_sponsorship_ephemeral_agents.address_prefixes
destination_address_prefix = local.external_services["pkg.origin.jenkins.io"]
resource_group_name = azurerm_resource_group.trusted_ci_jenkins_io_controller_jenkins_sponsorship.name
network_security_group_name = module.trusted_ci_jenkins_io_azurevm_agents_jenkins_sponsorship.ephemeral_agents_nsg_name
}
resource "azurerm_network_security_rule" "allow_out_many_from_trusted_ephemeral_agents_to_archive" {
provider = azurerm.jenkins-sponsorship
name = "allow-out-many-from-ephemeral-agents-to-archive"
priority = 4060
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_ranges = [
"22", # SSH (for rsync)
]
source_address_prefixes = data.azurerm_subnet.trusted_ci_jenkins_io_sponsorship_ephemeral_agents.address_prefixes
destination_address_prefix = local.external_services["archives.jenkins.io"]
resource_group_name = azurerm_resource_group.trusted_ci_jenkins_io_controller_jenkins_sponsorship.name
network_security_group_name = module.trusted_ci_jenkins_io_azurevm_agents_jenkins_sponsorship.ephemeral_agents_nsg_name
}
# Ignore the rule as it does not detect the IP restriction to only update.jenkins.io"s host
#trivy:ignore:azure-network-no-public-egress
resource "azurerm_network_security_rule" "allow_outbound_ssh_from_permanent_agent_to_updatecenter" {
Expand Down

0 comments on commit da8e3b7

Please sign in to comment.