fix(helm chart): allow egress to auth providers (#970)

* fix(helm chart): allow egress to auth providers * Increase Azure AD allowlist to match https://docs.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud * Allows customisation of azure AD domains
2022-08-29 12:10:37 +01:00 · 2022-08-29 12:10:37 +01:00 · 23bc801eb0
--- a/utils/helm/speckle-server/templates/server/networkpolicy.cilium.yml
+++ b/utils/helm/speckle-server/templates/server/networkpolicy.cilium.yml
@ -60,6 +60,33 @@ spec:
              # email server
 {{ include "speckle.networkpolicy.dns.email.cilium" $ | indent 14 }}
 {{- end }}
+{{- if .Values.server.auth.google.enabled }}
+              # google auth
+              - matchName: 'accounts.google.com'
+              - matchName: 'www.googleapis.com'
+{{- end }}
+{{- if .Values.server.auth.github.enabled }}
+              # github auth
+              - matchName: 'github.com'
+              - matchName: 'api.github.com'
+{{- end }}
+{{- if .Values.server.auth.azure_ad.enabled }}
+              # azure ad auth
+              - matchPattern: '*.login.microsoftonline.com'
+              - matchPattern: '*.aadcdn.msftauth.net'
+              - matchPattern: '*.logincdn.msftauth.net'
+              - matchPattern: '*.login.live.com'
+              - matchPattern: '*.msauth.net'
+              - matchPattern: '*.aadcdn.microsoftonline-p.com'
+              - matchPattern: '*.microsoftonline-p.com'
+              - matchPattern: '*.account.microsoft.com'
+              - matchPattern: '*.bmx.azure.com'
+              - matchPattern: '*.subscriptionrp.trafficmanager.net'
+              - matchPattern: '*.signup.azure.com'
+              - matchName: 'login.microsoftonline.com'
+              - matchName: 'login.windows.net'
+{{ include "speckle.renderTpl" (dict "value" .Values.server.auth.azure_ad.networkPolicy.domains "context" $ ) | indent 14 }}
+{{- end }}
 {{ include "speckle.networkpolicy.dns.postgres.cilium" $ | indent 14 }}
 {{ include "speckle.networkpolicy.dns.redis.cilium" $ | indent 14 }}
 {{ include  "speckle.networkpolicy.dns.blob_storage.cilium" $ | indent 14 }}
@ -83,6 +110,47 @@ spec:
 {{- if .Values.server.email.enabled }}
    # email server
 {{ include "speckle.networkpolicy.egress.email.cilium" $ | indent 4 }}
+{{- end }}
+{{- if .Values.server.auth.google.enabled }}
+    # google auth
+    - toFQDNs:
+        - matchName: 'accounts.google.com'
+        - matchName: 'www.googleapis.com'
+      toPorts:
+        - ports:
+            - port: '443'
+              protocol: TCP
+{{- end }}
+{{- if .Values.server.auth.github.enabled }}
+    # github auth
+    - toFQDNs:
+        - matchName: 'github.com'
+        - matchName: 'api.github.com'
+      toPorts:
+        - ports:
+            - port: '443'
+              protocol: TCP
+{{- end }}
+{{- if .Values.server.auth.azure_ad.enabled }}
+    # azure ad auth
+    - toFQDNs:
+        - matchPattern: '*.login.microsoftonline.com'
+        - matchPattern: '*.aadcdn.msftauth.net'
+        - matchPattern: '*.logincdn.msftauth.net'
+        - matchPattern: '*.login.live.com'
+        - matchPattern: '*.msauth.net'
+        - matchPattern: '*.aadcdn.microsoftonline-p.com'
+        - matchPattern: '*.microsoftonline-p.com'
+        - matchPattern: '*.account.microsoft.com'
+        - matchPattern: '*.bmx.azure.com'
+        - matchPattern: '*.subscriptionrp.trafficmanager.net'
+        - matchPattern: '*.signup.azure.com'
+        - matchName: 'login.microsoftonline.com'
+        - matchName: 'login.windows.net'
+{{ include "speckle.renderTpl" (dict "value" .Values.server.auth.azure_ad.additional_domains "context" $ ) | indent 8 }}
+      toPorts:
+            - port: {{ default 443 .Values.server.auth.azure_ad.port | quote }}
+              protocol: TCP
 {{- end }}
    # postgres
 {{ include "speckle.networkpolicy.egress.postgres.cilium" $ | indent 4 }}
--- a/utils/helm/speckle-server/templates/server/networkpolicy.kubernetes.yml
+++ b/utils/helm/speckle-server/templates/server/networkpolicy.kubernetes.yml
@ -30,6 +30,16 @@ spec:
      ports:
        - port: 443
 {{- end }}
+{{- if ( or .Values.server.auth.google.enabled .Values.server.auth.github.enabled .Values.server.auth.azure_ad.enabled ) }}
+    - to:
+      - ipBlock:
+          cidr: 0.0.0.0/0
+          # except to kubernetes pods or services
+          except:
+            - 10.0.0.0/8
+      ports:
+        - port: 443
+{{- end }}
 {{- if .Values.server.sentry_dns }}
    # sentry.io https://docs.sentry.io/product/security/ip-ranges/#event-ingestion
    - to:
--- a/utils/helm/speckle-server/values.yaml
+++ b/utils/helm/speckle-server/values.yaml
@ -369,6 +369,12 @@ server:
      ## @param server.auth.azure_ad.client_id This is the ID for Speckle that you have registered with Azure
      ##
      client_id: ''
+      ## @param server.auth.azure_ad.additional_domains List of `matchName` or `matchPattern` maps for domains that should be allow-listed for egress in Network Policy. https://docs.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud are enabled by default.
+      ##
+      additional_domains: []
+      ## @param server.auth.azure_ad.port Port on server to connect to. Used to allow egress in Network Policy. Defaults to 443
+      ##
+      port: 443
  ## @extra server.email Speckle can communicate with users via email, providing account verification and notification.
  ##
  email: