Merge pull request #1262 from ministryofjustice/feature/LGA-2991-hide…

…-non-prod LGA-2991 - Disable indexing and whitelisting of Non-Production environments
ministryofjustice · May 13, 2024 · 2be4145 · 2be4145
2 parents d07f294 + 1bb5881
commit 2be4145
Show file tree

Hide file tree

Showing 9 changed files with 52 additions and 0 deletions.
diff --git a/.circleci/define_build_environment_variables b/.circleci/define_build_environment_variables
@@ -13,3 +13,5 @@ if [ "$CIRCLE_BRANCH" == "master" ]; then
 else
   export TARGET_TAGS=$IMAGE_TAG,$safe_git_branch
 fi
+
+export PINGDOM_IPS=`python3 bin/pingdom_ips.py`
diff --git a/bin/pingdom_ips.py b/bin/pingdom_ips.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+import re
+import requests
+import sys
+
+
+def get_pingdom_probe_ips():
+    ip_list = []
+    pingdom_link = "https://my.pingdom.com/probes/ipv4"
+    pingdom_ips = requests.get(pingdom_link).text.split()
+    parsed_pingdom_ip_list = ["".join([ip.strip(), "/32"]) for ip in pingdom_ips]
+    regex = r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}/32$"
+
+    for ip in parsed_pingdom_ip_list:
+        if re.match(regex, ip) is not None:
+            ip_list.append(ip)
+    return ip_list
+
+
+if __name__ == "__main__":
+    ips = r"\,".join(get_pingdom_probe_ips())
+    sys.stdout.write(ips)
diff --git a/bin/production_deploy.sh b/bin/production_deploy.sh
@@ -13,5 +13,6 @@ helm upgrade cla-public \
   --set ingress.cluster.weight=${INGRESS_CLUSTER_WEIGHT} \
   --set image.repository=$DOCKER_REPOSITORY \
   --set image.tag=$IMAGE_TAG \
+  --set-string pingdomIPs=$PINGDOM_IPS \
   --force \
   --install
diff --git a/bin/staging_deploy.sh b/bin/staging_deploy.sh
@@ -13,5 +13,6 @@ helm upgrade cla-public \
   --set ingress.cluster.weight=${INGRESS_CLUSTER_WEIGHT} \
   --set image.repository=$DOCKER_REPOSITORY \
   --set image.tag=$IMAGE_TAG \
+  --set-string pingdomIPs=$PINGDOM_IPS \
   --force \
   --install
diff --git a/bin/staging_multideploy.sh b/bin/staging_multideploy.sh
@@ -17,5 +17,6 @@ helm upgrade $CLEANED_BRANCH_NAME \
   --set image.repository=$DOCKER_REPOSITORY \
   --set image.tag=$IMAGE_TAG \
   --set dashboard.enabled=false \
+  --set-string pingdomIPs=$PINGDOM_IPS \
   --force \
   --install
diff --git a/helm_deploy/cla-public/templates/_helpers.tpl b/helm_deploy/cla-public/templates/_helpers.tpl
@@ -99,3 +99,7 @@ in an appropriate format
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "cla-public.whitelist" -}}
+{{ join "," .Values.ingress.whitelist }},{{- .Values.pingdomIPs }}
+{{- end -}}
diff --git a/helm_deploy/cla-public/templates/ingress.yaml b/helm_deploy/cla-public/templates/ingress.yaml
@@ -26,6 +26,13 @@ metadata:
       SecRuleRemoveById 942230
       SecRuleRemoveById 930120
       SecRuleRemoveById 933210
+    {{- if .Values.ingress.addNoIndexResponseHeader }}
+    nginx.ingress.kubernetes.io/server-snippet: |
+      add_header X-Robots-Tag "noindex, nofollow";
+    {{- end }}
+    {{- if .Values.ingress.whitelist }}
+    nginx.ingress.kubernetes.io/whitelist-source-range: "{{ include "cla-public.whitelist" . }}"
+    {{- end }}
 spec:
   ingressClassName: "modsec"
   tls:

diff --git a/helm_deploy/cla-public/values-production.yaml b/helm_deploy/cla-public/values-production.yaml
@@ -12,6 +12,8 @@ replicaCount: 2
 ingress:
   enabled: true
   secretName: tls-certificate
+  addNoIndexResponseHeader: false
+  whitelist: false
 
 envVars:
   GDS_GA_ID:

diff --git a/helm_deploy/cla-public/values.yaml b/helm_deploy/cla-public/values.yaml
@@ -28,6 +28,18 @@ ingress:
     name: ~
     weight: ~
   tls: []
+  addNoIndexResponseHeader: true
+  whitelist:
+    # Cisco Anyconnect (Dom1) / ARK data centre
+    - 194.33.192.0/25
+    - 194.33.196.0/25
+    # HGS
+    - 84.43.86.100/32
+    # GlobalProtect VPN (Digital Mac)
+    - 18.169.147.172/32
+    - 35.176.93.186/32
+    - 18.130.148.126/32
+    - 35.176.148.126/32
 
 envVars:
   MAINTENANCE_MODE: