[updatecli] Track GitHub SSH in bound IPs allowed from our controllers and agents

[dduportal]

Service(s)

cert.ci.jenkins.io, ci.jenkins.io, infra.ci.jenkins.io, release.ci.jenkins.io, trusted.ci.jenkins.io

Summary

In https://github.com/jenkins-infra/shared-tools/blob/3612af5941ad4f991dd5f731e91c27c1394f0477/terraform/modules/azure-jenkinsinfra-azurevm-agents/main.tf#L81, we define a network firewall rule which allow outbound SSH from our VM agents to any SSH server.

We want to restrict this list to only the GitHub git endpoints to avoid cloning repositories from other sources.

This will also be needed soon in the new ci.jenkins.io AWS instance.

• Update the attribute destination_address_prefix to destination_address_prefixes (include the values). See its doc at https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule#destination_address_prefixes-1.
  • The new value must be the list from the GitHub Meta API endpoint (object git)
• Add an updatecli manifest to track the list of IPs (same kind of update than https://github.com/jenkins-infra/kubernetes-management/blob/main/updatecli/updatecli.d/allowed-github-hooks-ips.yaml but with a different sub attribute)

Reproduction steps

No response

[jayfranco999]

Update:

jenkins-infra/shared-tools#160 updates the attribute destination_address_prefix to destination_address_prefixes with the list of GitHub git end points.

Next steps include tracking the list of ips in destination_address_prefixes with updatecli