From 5e8a44bee33d356e88d44fc562c9bf3148b509fe Mon Sep 17 00:00:00 2001 From: smerle33 Date: Thu, 12 Dec 2024 16:32:51 +0100 Subject: [PATCH 1/2] chore(updatecli): add azure-public-db-vnet in the manifest --- updatecli/updatecli.d/restricted-ips.yaml | 43 +++++++++++++++++++++-- 1 file changed, 41 insertions(+), 2 deletions(-) diff --git a/updatecli/updatecli.d/restricted-ips.yaml b/updatecli/updatecli.d/restricted-ips.yaml index e00ced6..56f3d99 100644 --- a/updatecli/updatecli.d/restricted-ips.yaml +++ b/updatecli/updatecli.d/restricted-ips.yaml @@ -1,4 +1,4 @@ -name: Update list of IPs restricted to VPN access only +name: Update list of IPs restricted to VPN access only & update vnets scms: default: @@ -20,7 +20,13 @@ sources: # Outbound IPs are also public "inbound" IPs for EC2 instances # The 2nd element is the IPv4 (1st is IPv6) key: .aws\.ci\.jenkins\.io.outbound_ips.controller.[1] - + azure-public-db-vnet: + kind: json + spec: + file: https://reports.jenkins.io/jenkins-infra-data-reports/azure-net.json + key: .vnets.public-db-vnet.[0] + transformers: + - trimsuffix: '/21' targets: openvpn-cli-config: name: Update ci.jenkins.io public IP in the YAML configuration of our OpenVPN CLI 
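Review bot: The `trimsuffix: '/21'` transformer on the new `azure-public-db-vnet` source assumes the published prefix length never changes. As far as I know the trim is a no-op when the suffix is absent, so an entry published with another prefix length would keep its suffix and land inside the `push "route ..."` lines and the `config.yaml` route. Because this value is fetched from a remote report and written into VPN routing without any shape check, I would extract the address with an anchored pattern rather than a fixed suffix, for example a `findsubmatch` transformer with `pattern: '^(\d{1,3}(?:\.\d{1,3}){3})/\d{1,2}$'` and `captureindex: 1`. A comment next to `key: .vnets.public-db-vnet.[0]` should also state that element 0 is expected to be the vnet's only IPv4 prefix. PATCH 2/2 appears to replace the fixed mask with a computed one, but that part of the series is not fully visible here.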
@@ -58,6 +64,39 @@ targets: # aws.ci.jenkins.io VM push "route {{ source "aws-ci-jenkins-io" }} 255.255.255.255" scmid: default + openvpn-cli-config-public-db-vnet: + name: Update public-db vnet IP in the YAML configuration of our OpenVPN CLI + kind: yaml + sourceid: azure-public-db-vnet + spec: + file: config.yaml + # That is a rather fragile pattern. TODO: improve our CLI to use maps instead of arrays + key: $.networks[0].routes[2] + transformers: + - addsuffix: '/21' + scmid: default + ccd-user-configs-public-db-vnet: + name: Update public-db vnet IP in the user CCD routing configurations + kind: file + disablesourceinput: true + spec: + files: + - cert/ccd/private/danielbeck + - cert/ccd/private/dduportal + - cert/ccd/private/kevingrdj + - cert/ccd/private/krisstern + - cert/ccd/private/markewaite + - cert/ccd/private/notmyfault + - cert/ccd/private/smerle + - cert/ccd/private/timja + - cert/ccd/private/wfollonier + matchpattern: | + # public-db vnet + push "route (.*) 255\.255\..*\..*" + replacepattern: | + # public-db vnet + push "route {{ source "azure-public-db-vnet" }} 255.255.248.0" + scmid: default actions: default: From 4bbc64141ccb13caf4b489858eac4faf9fed4a3a Mon Sep 17 00:00:00 2001 From: smerle33 Date: Thu, 12 Dec 2024 18:34:06 +0100 Subject: [PATCH 2/2] chore(updatecli/ip/vnet) add a netmask calculation to update both ci ip and public-db vnet --- updatecli/scripts/netmask.sh | 20 +++++++++++++ updatecli/updatecli.d/restricted-ips.yaml | 35 ++++++++++++++--------- 2 files changed, 42 insertions(+), 13 deletions(-) create mode 100644 updatecli/scripts/netmask.sh diff --git a/updatecli/scripts/netmask.sh b/updatecli/scripts/netmask.sh new file mode 100644 index 0000000..073512c --- /dev/null +++ b/updatecli/scripts/netmask.sh @@ -0,0 +1,20 @@ +#!/bin/bash +# Return netmask for a given network and CIDR. +# Convert CIDR suffix to netmask +cidr_to_netmask() { + local cidr=$1 + local mask=(0 0 0 0) + for ((i=0; i
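Review bot: In `ccd-user-configs-public-db-vnet`, the `matchpattern` uses `(.*)` and `255\.255\..*\..*`, which accept any text on the line after the `# public-db vnet` marker rather than only an IPv4 address and mask; the capture group is also unused by `replacepattern`. These CCD files decide which networks each VPN user is routed to, so I would tighten the second line to `push "route [0-9.]+ 255\.255\.[0-9]+\.[0-9]+"`, which leaves an unexpected line alone instead of rewriting it. I would also add a comment above `files:` saying that each listed file must already contain the `# public-db vnet` marker. A file without the marker would presumably be left without the route, and it is worth confirming how updatecli reports that case.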