feat: Add migrator outgoing IP to authorized networks

mortenlj · tronghn · mortenlj · commit 87fa1ae5bdce · 2024-09-12T13:49:07.000+02:00
Co-authored-by: Trong Nguyen &lt;trong.huu.nguyen@nav.no&gt;
diff --git a/README.md b/README.md
@@ -135,4 +135,3 @@ It is recommended to set the following environment variables:
 |------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `DEVELOPMENT_MODE_SKIP_BACKUP=true`      | Skip creating backups. These take long to create, and if developing, the backup is probably not needed.                                                                        |
 | `DEVELOPMENT_MODE_UNSAFE_PASSWORD=true`  | During setup/promotion, the password for the `postgres` user is changed. This setting makes the password always be `testpassword`.                                             |
-| `DEVELOPMENT_MODE_ADD_AUTH_NETWORK=true` | Parts of setup/promotion requires connecting to the instances. This settings adds the outgoing IP of the machine running setup/promote to authorized networks on the instance. |
diff --git a/cmd/cleanup/main.go b/cmd/cleanup/main.go
@@ -81,25 +81,32 @@ func main() {
 		os.Exit(9)
 	}
 
+	mgr.Logger.Info("deleting authorized networks")
+	err = instance.CleanupAuthNetworks(ctx, target, mgr)
+	if err != nil {
+		mgr.Logger.Error("failed to cleanup authorized networks", "error", err)
+		os.Exit(10)
+	}
+
 	mgr.Logger.Info("deleting SQL SSL Certificates used during migration")
 	err = mgr.SqlSslCertClient.DeleteCollection(ctx, v1.ListOptions{
 		LabelSelector: "migrator.nais.io/cleanup=" + cfg.ApplicationName,
 	})
 	if err != nil {
 		mgr.Logger.Error("failed to delete SQL SSL Certificates", "error", err)
-		os.Exit(10)
+		os.Exit(11)
 	}
 
 	helperName, err := common_main.HelperName(cfg.ApplicationName)
 	if err != nil {
 		mgr.Logger.Error("failed to get helper name", "error", err)
-		os.Exit(11)
+		os.Exit(12)
 	}
 
 	mgr.Logger.Info("deleting Network Policy used during migration")
 	err = mgr.K8sClient.NetworkingV1().NetworkPolicies(cfg.Namespace).Delete(ctx, helperName, v1.DeleteOptions{})
 	if err != nil {
 		mgr.Logger.Error("failed to delete Network Policy", "error", err)
-		os.Exit(12)
+		os.Exit(13)
 	}
 }
diff --git a/hack/env b/hack/env
@@ -8,4 +8,3 @@ TARGET_INSTANCE_NAME=db-tester-name-${NUM}
 
 DEVELOPMENT_MODE_SKIP_BACKUP=true
 DEVELOPMENT_MODE_UNSAFE_PASSWORD=true
-DEVELOPMENT_MODE_ADD_AUTH_NETWORK=true
diff --git a/internal/pkg/config/develop.go b/internal/pkg/config/develop.go
@@ -6,7 +6,4 @@ type Development struct {
 
 	// Sets an unsafe, pre-defined password for postgres user
 	UnsafePassword bool `env:"UNSAFE_PASSWORD"`
-
-	// Looks up outgoing PrimaryIp via https://api.ipify.org and adds it to the authorized networks for instances
-	AddAuthNetwork bool `env:"ADD_AUTH_NETWORK"`
 }
diff --git a/internal/pkg/instance/instance.go b/internal/pkg/instance/instance.go
@@ -19,12 +19,14 @@ import (
 	"net/http"
 	"os"
 	"os/user"
+	"strings"
 	"time"
 )
 
 const (
-	dummyAppImage = "europe-north1-docker.pkg.dev/nais-io/nais/images/kafka-debug:latest"
-	updateRetries = 3
+	dummyAppImage              = "europe-north1-docker.pkg.dev/nais-io/nais/images/kafka-debug:latest"
+	updateRetries              = 3
+	migrationAuthNetworkPrefix = "migrator:"
 )
 
 func CreateInstance(ctx context.Context, cfg *config.Config, source *resolved.Instance, gcpProject *resolved.GcpProject, databaseName string, mgr *common_main.Manager) (*resolved.Instance, error) {
@@ -145,14 +147,11 @@ func prepareSourceInstanceWithRetries(ctx context.Context, cfg *config.Config, s
 	}
 	sourceSqlInstance.Spec.Settings.IpConfiguration.AuthorizedNetworks = appendAuthNetIfNotExists(sourceSqlInstance, authNetwork)
 
-	if cfg.Development.AddAuthNetwork {
-		authNetwork, err = createDevelopmentAuthNetwork()
-		if err != nil {
-			return err
-		}
-
-		sourceSqlInstance.Spec.Settings.IpConfiguration.AuthorizedNetworks = appendAuthNetIfNotExists(sourceSqlInstance, authNetwork)
+	authNetwork, err = createMigratorAuthNetwork()
+	if err != nil {
+		return err
 	}
+	sourceSqlInstance.Spec.Settings.IpConfiguration.AuthorizedNetworks = appendAuthNetIfNotExists(sourceSqlInstance, authNetwork)
 
 	setFlag(sourceSqlInstance, "cloudsql.enable_pglogical")
 	setFlag(sourceSqlInstance, "cloudsql.logical_decoding")
@@ -208,16 +207,14 @@ func prepareTargetInstanceWithRetries(ctx context.Context, cfg *config.Config, t
 
 	targetSqlInstance.Spec.Settings.BackupConfiguration.Enabled = ptr.To(false)
 
-	if cfg.Development.AddAuthNetwork {
-		var authNetwork v1beta1.InstanceAuthorizedNetworks
-		authNetwork, err = createDevelopmentAuthNetwork()
-		if err != nil {
-			return err
-		}
-
-		targetSqlInstance.Spec.Settings.IpConfiguration.AuthorizedNetworks = appendAuthNetIfNotExists(targetSqlInstance, authNetwork)
+	var authNetwork v1beta1.InstanceAuthorizedNetworks
+	authNetwork, err = createMigratorAuthNetwork()
+	if err != nil {
+		return err
 	}
 
+	targetSqlInstance.Spec.Settings.IpConfiguration.AuthorizedNetworks = appendAuthNetIfNotExists(targetSqlInstance, authNetwork)
+
 	_, err = mgr.SqlInstanceClient.Update(ctx, targetSqlInstance)
 	if err != nil {
 		if k8s_errors.IsConflict(err) && retries > 0 {
@@ -296,12 +293,35 @@ func DeleteInstance(ctx context.Context, instanceName string, gcpProject *resolv
 	return nil
 }
 
-func createDevelopmentAuthNetwork() (v1beta1.InstanceAuthorizedNetworks, error) {
+func CleanupAuthNetworks(ctx context.Context, target *resolved.Instance, mgr *common_main.Manager) error {
+	return cleanupAuthNetworksWithRetries(ctx, target, mgr, updateRetries)
+}
+
+func cleanupAuthNetworksWithRetries(ctx context.Context, target *resolved.Instance, mgr *common_main.Manager, retries int) error {
+	targetSqlInstance, err := mgr.SqlInstanceClient.Get(ctx, target.Name)
+	if err != nil {
+		return fmt.Errorf("failed to get target instance: %w", err)
+	}
+
+	targetSqlInstance.Spec.Settings.IpConfiguration.AuthorizedNetworks = removeMigrationAuthNetwork(targetSqlInstance)
+
+	_, err = mgr.SqlInstanceClient.Update(ctx, targetSqlInstance)
+	if err != nil {
+		if k8s_errors.IsConflict(err) && retries > 0 {
+			mgr.Logger.Info("retrying update of target instance", "remaining_retries", retries)
+			return cleanupAuthNetworksWithRetries(ctx, target, mgr, retries-1)
+		}
+		return err
+	}
+	return nil
+}
+
+func createMigratorAuthNetwork() (v1beta1.InstanceAuthorizedNetworks, error) {
 	outgoingIp, err := getOutgoingIp()
 	if err != nil {
 		return v1beta1.InstanceAuthorizedNetworks{}, err
 	}
-	name, err := getDeveloperName()
+	name, err := getNetworkName()
 	if err != nil {
 		return v1beta1.InstanceAuthorizedNetworks{}, err
 	}
@@ -313,7 +333,7 @@ func createDevelopmentAuthNetwork() (v1beta1.InstanceAuthorizedNetworks, error)
 	return authNetwork, nil
 }
 
-func getDeveloperName() (string, error) {
+func getNetworkName() (string, error) {
 	u, err := user.Current()
 	if err != nil {
 		return "", err
@@ -324,7 +344,7 @@ func getDeveloperName() (string, error) {
 		return "", err
 	}
 
-	return fmt.Sprintf("%s@%s", u.Username, h), nil
+	return fmt.Sprintf("%s%s@%s", migrationAuthNetworkPrefix, u.Username, h), nil
 }
 
 func getOutgoingIp() (string, error) {
@@ -345,6 +365,17 @@ func getOutgoingIp() (string, error) {
 	return string(data), nil
 }
 
+func removeMigrationAuthNetwork(sqlInstance *v1beta1.SQLInstance) []v1beta1.InstanceAuthorizedNetworks {
+	newAuthNetworks := make([]v1beta1.InstanceAuthorizedNetworks, 0)
+	for _, network := range sqlInstance.Spec.Settings.IpConfiguration.AuthorizedNetworks {
+		if strings.HasPrefix(migrationAuthNetworkPrefix, *network.Name) {
+			continue
+		}
+		newAuthNetworks = append(newAuthNetworks, network)
+	}
+	return newAuthNetworks
+}
+
 func appendAuthNetIfNotExists(sqlInstance *v1beta1.SQLInstance, authNetwork v1beta1.InstanceAuthorizedNetworks) []v1beta1.InstanceAuthorizedNetworks {
 	for _, network := range sqlInstance.Spec.Settings.IpConfiguration.AuthorizedNetworks {
 		if network.Value == authNetwork.Value {
diff --git a/internal/pkg/netpol/netpol.go b/internal/pkg/netpol/netpol.go
@@ -42,16 +42,12 @@ func CreateNetworkPolicy(ctx context.Context, cfg *config.Config, source *resolv
 			},
 			Egress: []v1.NetworkPolicyEgressRule{{
 				To: []v1.NetworkPolicyPeer{
-					{
-						IPBlock: &v1.IPBlock{
-							CIDR: fmt.Sprintf("%s/32", source.PrimaryIp),
-						},
-					},
-					{
-						IPBlock: &v1.IPBlock{
-							CIDR: fmt.Sprintf("%s/32", target.PrimaryIp),
-						},
-					},
+					makeIPBlock(source.PrimaryIp),
+					makeIPBlock(target.PrimaryIp),
+					// IPs for api.ipify.org
+					makeIPBlock("104.26.13.205"),
+					makeIPBlock("104.26.12.205"),
+					makeIPBlock("172.67.74.152"),
 				},
 			}},
 			PolicyTypes: []v1.PolicyType{v1.PolicyTypeEgress},
@@ -72,3 +68,11 @@ func CreateNetworkPolicy(ctx context.Context, cfg *config.Config, source *resolv
 
 	return nil
 }
+
+func makeIPBlock(ip string) v1.NetworkPolicyPeer {
+	return v1.NetworkPolicyPeer{
+		IPBlock: &v1.IPBlock{
+			CIDR: fmt.Sprintf("%s/32", ip),
+		},
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -8,4 +8,3 @@ TARGET_INSTANCE_NAME=db-tester-name-${NUM}`
`8`	`8`
`9`	`9`	`DEVELOPMENT_MODE_SKIP_BACKUP=true`
`10`	`10`	`DEVELOPMENT_MODE_UNSAFE_PASSWORD=true`
`11`		`-DEVELOPMENT_MODE_ADD_AUTH_NETWORK=true`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,4 @@ type Development struct {`
`6`	`6`
`7`	`7`	`// Sets an unsafe, pre-defined password for postgres user`
`8`	`8`	UnsafePassword bool `env:"UNSAFE_PASSWORD"`
`9`		`-`
`10`		`- // Looks up outgoing PrimaryIp via https://api.ipify.org and adds it to the authorized networks for instances`
`11`		- AddAuthNetwork bool `env:"ADD_AUTH_NETWORK"`
`12`	`9`	`}`