feat: allow multi configs for resources

config.go

@@ -74,6 +74,27 @@ func (c *Configuration) load(reload ...bool) *Configuration {
 	a.RedisCache = nil
 	a.CosmosDb = nil
 
+	// load extra resource configs
+	resourceConfigs, err := ioutil.ReadDir("config/resources/")
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	var rc Configuration
+	for _, resourceConfig := range resourceConfigs {
+		if !resourceConfig.IsDir() {
+			yamlFile, err := ioutil.ReadFile("config/resources/" + resourceConfig.Name())
+			if err != nil {
+				log.Fatalf("config.load(): %v ", err)
+			}
+			err = yaml.Unmarshal(yamlFile, &rc)
+			if err != nil {
+				log.Fatalf("config.load(): %v", err)
+			}
+			c.Resources = append(c.Resources, rc.Resources...)
+		}
+	}
+
 	// load resources
 	for _, resource := range c.Resources {
 		switch strings.ToLower(resource.Cloud) {
@@ -195,5 +216,9 @@ func (c *Configuration) watchForConfigChanges() {
 	if err != nil {
 		log.Fatal(err)
 	}
+	err = watcher.Add("config/resources")
+	if err != nil {
+		log.Fatal(err)
+	}
 	<-done
 }

config/resources/app1.yaml

@@ -0,0 +1,12 @@
+resources:
+  - cloud: azure
+    type: cosmosdb
+    subscription_id: notreal-not-real-not-notreal
+    resource_group: app1-notreal-rg
+    name: app1-notrealcosmosdb
+    ip_whitelist: # https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#allow-requests-from-the-azure-portal
+      - 104.42.195.92
+      - 40.76.54.131
+      - 52.176.6.30
+      - 52.169.50.45
+      - 52.187.184.26

config/resources/app2.yaml

@@ -0,0 +1,13 @@
+resources:
+  - cloud: azure
+    type: storageaccount
+    subscription_id: notreal-not-real-not-notreal
+    resource_group: app2-notreal-rg
+    name: app2notrealstorage
+    group:
+      - b111111a-b11a-111a-bb11-1a111aaa11a11 # group object id
+  - cloud: azure
+    type: keyvault
+    subscription_id: notreal-not-real-not-notreal
+    resource_group: app2-notreal-rg
+    name: app2notrealkeyvault

helm/ip-whitelister/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm/ip-whitelister/README.md

@@ -19,6 +19,11 @@ kubectl apply -f ip-whitelister-secrets.yaml
 
 3. Configure your `values.yaml`
 ```yaml
+image:
+  repository: alecpinson/ip-whitelister
+  pullPolicy: IfNotPresent
+  tag: "latest"
+
 ingress:
   enabled: true
   className: ""
@@ -41,7 +46,7 @@ envFrom:
   - secretRef:
       name: ip-whitelister-secrets
 
-# config
+# mounted to /app/config/config.yaml
 config: |
   url: https://<same-as-above-ingress-host>
 
@@ -89,10 +94,42 @@ config: |
   ip_whitelist:
     - 85.0.0.0/24 # my company proxy addresses 1
     - 200.0.0.0/24 # my company proxy addresses 2
+
+# mounted to /app/config/resources/
+resource_configs:
+  - name: app1.yaml
+    config: |
+      resources:
+        - cloud: azure
+          type: cosmosdb
+          subscription_id: notreal-not-real-not-notreal
+          resource_group: app1-notreal-rg
+          name: app1-notrealcosmosdb
+          ip_whitelist: # https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#allow-requests-from-the-azure-portal
+            - 104.42.195.92
+            - 40.76.54.131
+            - 52.176.6.30
+            - 52.169.50.45
+            - 52.187.184.26
+  - name: app2.yaml
+    config: |
+      resources:
+        - cloud: azure
+          type: storageaccount
+          subscription_id: notreal-not-real-not-notreal
+          resource_group: app2-notreal-rg
+          name: app2notrealstorage
+          group:
+            - b111111a-b11a-111a-bb11-1a111aaa11a11 # group object id
+        - cloud: azure
+          type: keyvault
+          subscription_id: notreal-not-real-not-notreal
+          resource_group: app2-notreal-rg
+          name: app2notrealkeyvault
 ```
 
 4. Deploy to your Kubernetes cluster
 ```
-helm upgrade ip-whitelister https://github.com/alec-pinson/ip-whitelister/releases/download/v1.0.4/helm-chart-ip-whitelister-0.3.0.tgz --install --wait -f values.yaml
+helm upgrade ip-whitelister https://github.com/alec-pinson/ip-whitelister/releases/download/v1.0.8/helm-chart-ip-whitelister-0.4.0.tgz --install --wait -f values.yaml
 ```
 

helm/ip-whitelister/templates/config.yaml

@@ -7,3 +7,19 @@ metadata:
 data:
   config.yaml: |
 {{ .Values.config | nindent 4 }}
+
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "ip-whitelister.fullname" . }}-resources
+  labels:
+    {{- include "ip-whitelister.labels" . | nindent 4 }}
+data:
+{{- if .Values.resource_configs }}
+  {{- range $id, $resource := .Values.resource_configs }}
+  {{ $resource.name }}: |-
+{{ $resource.config | indent 4 }}
+  {{- end }}
+{{- end }}

helm/ip-whitelister/templates/deployment.yaml

@@ -48,6 +48,8 @@ spec:
           volumeMounts:
             - name: config
               mountPath: /app/config
+            - name: config-resources
+              mountPath: /app/config/resources
           livenessProbe:
             httpGet:
               path: /
@@ -62,6 +64,9 @@ spec:
         - name: config
           configMap:
             name: {{ include "ip-whitelister.fullname" . }}
+        - name: config-resources
+          configMap:
+            name: {{ include "ip-whitelister.fullname" . }}-resources
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

helm/ip-whitelister/values.yaml

@@ -87,7 +87,7 @@ envFrom:
   # - secretRef:
   #     name: ip-whitelister-secrets
 
-# config
+# mounted to /app/config/config.yaml
 config: |
   # App registration must have access to the Azure resources + Admin Consent for AzureAD
   # Client Secret is set via env variable 'CLIENT_SECRET'
@@ -155,3 +155,35 @@ config: |
   ip_whitelist:
     - 85.0.0.0/24 # my company proxy addresses 1
     - 200.0.0.0/24 # my company proxy addresses 2
+
+# mounted to /app/config/resources/
+resource_configs:
+  - name: app1.yaml
+    config: |
+      resources:
+        - cloud: azure
+          type: cosmosdb
+          subscription_id: notreal-not-real-not-notreal
+          resource_group: app1-notreal-rg
+          name: app1-notrealcosmosdb
+          ip_whitelist: # https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#allow-requests-from-the-azure-portal
+            - 104.42.195.92
+            - 40.76.54.131
+            - 52.176.6.30
+            - 52.169.50.45
+            - 52.187.184.26
+  - name: app2.yaml
+    config: |
+      resources:
+        - cloud: azure
+          type: storageaccount
+          subscription_id: notreal-not-real-not-notreal
+          resource_group: app2-notreal-rg
+          name: app2notrealstorage
+          group:
+            - b111111a-b11a-111a-bb11-1a111aaa11a11 # group object id
+        - cloud: azure
+          type: keyvault
+          subscription_id: notreal-not-real-not-notreal
+          resource_group: app2-notreal-rg
+          name: app2notrealkeyvault

whitelist.go

@@ -3,6 +3,7 @@ package main
 import (
 	"log"
 	"net"
+	"os"
 	"strings"
 	"time"
 )
@@ -16,7 +17,9 @@ func (*Whitelist) init() {
 	c.load()
 
 	// connect to redis database
-	r.connect(c.Redis)
+	if !r.connect(c.Redis) {
+		os.Exit(1)
+	}
 
 	// enable ttl check on whitelisted ips
 	go w.ttl()