feat: Add IP blacklist functionality

.internal-ci/helm/consensus-node-config/templates/node-ingress-blacklist-configmap.yaml

@@ -0,0 +1,10 @@
+# Copyright (c) 2018-2022 The MobileCoin Foundation
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "consensusNodeConfig.fullname" . }}-ingress-blacklist
+  labels:
+    {{- include "consensusNodeConfig.labels" . | nindent 4 }}
+data:
+  BLACKLIST_ENABLED: {{ .Values.global.blacklist.enabled | squote }}
+  BLACKLIST_PATTERN: {{ .Values.global.blacklist.pattern | squote }}

.internal-ci/helm/consensus-node-config/values.yaml

@@ -59,3 +59,9 @@ global:
     # Add signed tokens.json with --set-file=global.node.tokensConfig.tokensSignedJson=tokens.signed.json
     # tokensConfig:
     #   tokensSignedJson: |-
+
+  ### Enable haproxy IP blacklist for ingress
+  # pattern is the object in the configmap shared between infra-haproxy-blacklist and haproxy kubernetes-ingress
+  blacklist:
+    enabled: false
+    pattern: patterns/blocked-countries

.internal-ci/helm/consensus-node/templates/_helpers.tpl

@@ -65,6 +65,10 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{ include "consensusNode.fullname" . }}-tokens-config
 {{- end }}
 
+{{- define "consensusNode.ingressBlacklist.configMap.name" -}}
+{{ include "consensusNode.fullname" . }}-ingress-blacklist
+{{- end }}
+
 {{/*
 peer and client hostnames - we need this for ingress.
 lookup name from configmap if we have created the objects in consensus-node-config separately.
@@ -117,3 +121,19 @@ lookup name from configmap if we have created the objects in consensus-node-conf
     {{- tpl .Values.mcCoreCommonConfig.mobileCoinNetwork.partner . }}
   {{- end }}
 {{- end }}
+
+{{- define "consensusNode.blacklist.enabled" -}}
+  {{- if eq .Values.consensusNodeConfig.enabled false }}
+    {{- (lookup "v1" "ConfigMap" .Release.Namespace (include "consensusNode.ingressBlacklist.configMap.name" .)).data.BLACKLIST_ENABLED | default "false" }}
+  {{- else }}
+    {{- tpl .Values.global.blacklist.enabled . }}
+  {{- end }}
+{{- end }}
+
+{{- define "consensusNode.blacklist.pattern" -}}
+  {{- if eq .Values.consensusNodeConfig.enabled false }}
+    {{- (lookup "v1" "ConfigMap" .Release.Namespace (include "consensusNode.ingressBlacklist.configMap.name" .)).data.BLACKLIST_PATTERN | default "" }}
+  {{- else }}
+    {{- tpl .Values.global.blacklist.pattern . }}
+  {{- end }}
+{{- end }}

.internal-ci/helm/consensus-node/templates/client-grpc-attest-ingress.yaml

@@ -11,6 +11,9 @@ metadata:
     {{- if .Values.node.client.attest.rateLimits.enabled }}
     {{- toYaml .Values.node.client.attest.rateLimits.annotations | nindent 4 }}
     {{- end }}
+    {{- if (include "consensusNode.blacklist.enabled" .) }}
+    haproxy.org/blacklist: {{ include "consensusNode.blacklist.pattern" . }}
+    {{- end }}
     {{- toYaml .Values.node.client.ingress.annotations | nindent 4 }}
   labels:
     {{- include "consensusNode.labels" . | nindent 4 }}

.internal-ci/helm/consensus-node/templates/client-grpc-ingress.yaml

@@ -7,6 +7,9 @@ metadata:
     {{- if .Values.global.certManagerClusterIssuer }}
     cert-manager.io/cluster-issuer: {{ .Values.global.certManagerClusterIssuer }}
     {{- end }}
+    {{- if (include "consensusNode.blacklist.enabled" .) }}
+    haproxy.org/blacklist: {{ include "consensusNode.blacklist.pattern" . }}
+    {{- end }}
     {{- toYaml .Values.node.client.ingress.annotations | nindent 4 }}
   labels:
     {{- include "consensusNode.labels" . | nindent 4 }}

.internal-ci/helm/consensus-node/templates/gateway-ingress.yaml

@@ -7,6 +7,9 @@ metadata:
     {{- if .Values.global.certManagerClusterIssuer }}
     cert-manager.io/cluster-issuer: {{ .Values.global.certManagerClusterIssuer }}
     {{- end }}
+    {{- if (include "consensusNode.blacklist.enabled" .) }}
+    haproxy.org/blacklist: {{ include "consensusNode.blacklist.pattern" . }}
+    {{- end }}
     {{- toYaml .Values.grpcGateway.ingress | nindent 4}}
   labels:
     {{- include "consensusNode.labels" . | nindent 4 }}

.internal-ci/helm/consensus-node/templates/peer-grpc-ingress.yaml

@@ -7,6 +7,9 @@ metadata:
     {{- if .Values.global.certManagerClusterIssuer }}
     cert-manager.io/cluster-issuer: {{ .Values.global.certManagerClusterIssuer }}
     {{- end }}
+    {{- if (include "consensusNode.blacklist.enabled" .) }}
+    haproxy.org/blacklist: {{ include "consensusNode.blacklist.pattern" . }}
+    {{- end }}
     {{- toYaml .Values.node.peer.ingress.annotations | nindent 4 }}
   labels:
     {{- include "consensusNode.labels" . | nindent 4 }}

.internal-ci/helm/consensus-node/values.yaml

@@ -29,6 +29,10 @@ global:
     #   tokensSignedJson: |-
     #     { json }
 
+  blacklist:
+    enabled: false
+    pattern: patterns/blocked-countries
+
 ### Enable to launch child chart to create node required configMaps and secrets.
 #   See helm/consensus-node-config/values.yaml for config details.
 consensusNodeConfig:
@@ -41,7 +45,7 @@ consensusNodeConfig:
       hostname: ''
     txSourceUrl: ''
     msgSignerKey:
-     privateKey: ''
+      privateKey: ''
 
 ### Enable to launch child chart to create core common configMaps and secrets.
 #   See helm/mc-core-common-config/values.yaml for config details.

.internal-ci/helm/fog-services-config/templates/fog-ingress-blacklist-configmap.yaml

@@ -0,0 +1,10 @@
+# Copyright (c) 2018-2022 The MobileCoin Foundation
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: fog-ingress-blacklist
+  labels:
+    {{- include "fogServicesConfig.labels" . | nindent 4 }}
+data:
+  BLACKLIST_ENABLED: {{ .Values.global.blacklist.enabled | squote }}
+  BLACKLIST_PATTERN: {{ .Values.global.blacklist.pattern | squote }}

.internal-ci/helm/fog-services-config/values.yaml

@@ -1,6 +1,12 @@
 # Copyright (c) 2018-2022 The MobileCoin Foundation
 fullnameOverride: ''
 
+# Shared by all charts in the dependency tree
+global:
+  blacklist:
+    enabled: false
+    pattern: patterns/blocked-countries
+
 fogRecoveryDatabaseReader:
   configMap:
     # Default to a TF or external created ConfigMap

.internal-ci/helm/fog-services/templates/_helpers.tpl

@@ -150,3 +150,19 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{- $salt }}
 {{- end }}
+
+{{- define "fogServices.blacklist.enabled" -}}
+  {{- if eq .Values.fogServicesConfig.enabled false }}
+    {{- (lookup "v1" "ConfigMap" .Release.Namespace "fog-ingress-blacklist").data.BLACKLIST_ENABLED | default "false" }}
+  {{- else }}
+    {{- tpl .Values.global.blacklist.enabled . }}
+  {{- end }}
+{{- end }}
+
+{{- define "fogServices.blacklist.pattern" -}}
+  {{- if eq .Values.fogServicesConfig.enabled false }}
+    {{- (lookup "v1" "ConfigMap" .Release.Namespace "fog-ingress-blacklist").data.BLACKLIST_PATTERN | default "" }}
+  {{- else }}
+    {{- tpl .Values.global.blacklist.pattern . }}
+  {{- end }}
+{{- end }}

.internal-ci/helm/fog-services/templates/fog-ledger-grpc-ingress.yaml

@@ -10,7 +10,10 @@ metadata:
     {{- if .Values.global.certManagerClusterIssuer }}
     cert-manager.io/cluster-issuer: {{ .Values.global.certManagerClusterIssuer }}
     {{- end }}
-    {{ toYaml (tpl .Values.fogLedger.ingress.grpc.annotations . | fromYaml)| nindent 4 }}
+    {{- if (include "fogServices.blacklist.enabled" .) }}
+    haproxy.org/blacklist: {{ include "fogServices.blacklist.pattern" . }}
+    {{- end }}
+    {{ toYaml (tpl .Values.fogLedger.ingress.grpc.annotations . | fromYaml) | nindent 4 }}
 spec:
   tls:
   - hosts:

.internal-ci/helm/fog-services/templates/fog-ledger-http-ingress.yaml

@@ -10,7 +10,10 @@ metadata:
     {{- if .Values.global.certManagerClusterIssuer }}
     cert-manager.io/cluster-issuer: {{ .Values.global.certManagerClusterIssuer }}
     {{- end }}
-    {{ toYaml (tpl .Values.fogLedger.ingress.http.annotations . | fromYaml)| nindent 4 }}
+    {{- if (include "fogServices.blacklist.enabled" .) }}
+    haproxy.org/blacklist: {{ include "fogServices.blacklist.pattern" . }}
+    {{- end }}
+    {{ toYaml (tpl .Values.fogLedger.ingress.http.annotations . | fromYaml) | nindent 4 }}
 spec:
   tls:
   - hosts:

.internal-ci/helm/fog-services/templates/fog-report-grpc-ingress.yaml

@@ -13,6 +13,9 @@ metadata:
     {{- if $.Values.global.certManagerClusterIssuer }}
     cert-manager.io/cluster-issuer: {{ $.Values.global.certManagerClusterIssuer }}
     {{- end }}
+    {{- if (include "fogServices.blacklist.enabled" $) }}
+    haproxy.org/blacklist: {{ include "fogServices.blacklist.pattern" $ }}
+    {{- end }}
     {{- toYaml $.Values.fogReport.ingress.grpc.annotations | nindent 4 }}
 spec:
   tls:

.internal-ci/helm/fog-services/templates/fog-report-http-ingress.yaml

@@ -13,6 +13,9 @@ metadata:
     {{- if $.Values.global.certManagerClusterIssuer }}
     cert-manager.io/cluster-issuer: {{ $.Values.global.certManagerClusterIssuer }}
     {{- end }}
+    {{- if (include "fogServices.blacklist.enabled" $) }}
+    haproxy.org/blacklist: {{ include "fogServices.blacklist.pattern" $ }}
+    {{- end }}
     {{- toYaml $.Values.fogReport.ingress.http.annotations | nindent 4 }}
 spec:
   tls:

.internal-ci/helm/fog-services/templates/fog-view-grpc-ingress.yaml

@@ -10,7 +10,10 @@ metadata:
     {{- if .Values.global.certManagerClusterIssuer }}
     cert-manager.io/cluster-issuer: {{ .Values.global.certManagerClusterIssuer }}
     {{- end }}
-    {{ toYaml (tpl .Values.fogView.ingress.grpc.annotations . | fromYaml)| nindent 4 }}
+    {{- if (include "fogServices.blacklist.enabled" .) }}
+    haproxy.org/blacklist: {{ include "fogServices.blacklist.pattern" . }}
+    {{- end }}
+    {{ toYaml (tpl .Values.fogView.ingress.grpc.annotations . | fromYaml) | nindent 4 }}
 spec:
   tls:
   - hosts:

.internal-ci/helm/fog-services/templates/fog-view-http-ingress.yaml

@@ -10,7 +10,10 @@ metadata:
     {{- if .Values.global.certManagerClusterIssuer }}
     cert-manager.io/cluster-issuer: {{ .Values.global.certManagerClusterIssuer }}
     {{- end }}
-    {{ toYaml (tpl .Values.fogView.ingress.http.annotations . | fromYaml)| nindent 4 }}
+    {{- if (include "fogServices.blacklist.enabled" .) }}
+    haproxy.org/blacklist: {{ include "fogServices.blacklist.pattern" . }}
+    {{- end }}
+    {{ toYaml (tpl .Values.fogView.ingress.http.annotations . | fromYaml) | nindent 4 }}
 spec:
   tls:
   - hosts:

.internal-ci/helm/fog-services/values.yaml

@@ -23,6 +23,9 @@ image:
 
 global:
   certManagerClusterIssuer: letsencrypt-production-http
+  blacklist:
+    enabled: false
+    pattern: patterns/blocked-countries
 
 ### Fog Report Service
 fogReport:

.internal-ci/helm/mc-core-dev-env-setup/values.yaml

@@ -33,6 +33,10 @@ global:
     tokensConfig:
       tokensSignedJson: ""
 
+  blacklist:
+    enabled: false
+    pattern: patterns/blocked-countries
+
 mcCoreCommonConfig:
   enabled: true
   fullnameOverride: mc-core-common-config
@@ -49,8 +53,6 @@ mcCoreCommonConfig:
     - client: '{{ printf "node3.%s.development.mobilecoin.com:443" .Release.Namespace }}'
       txSourceUrl: '{{ with .Values.global.node.ledgerDistribution }}{{ printf "https://s3-%s.amazonaws.com/%s/%s/" .awsRegion .s3Bucket (printf "node3.%s.development.mobilecoin.com" $.Release.Namespace) }}{{ end }}'
 
-
-
 consensusNodeConfig1:
   enabled: true
   fullnameOverride: consensus-node-1