fix: wpb-22439 offline-vm-setup script to manage VMs wiab-staging

.github/pull_request_template.md

@@ -25,6 +25,7 @@ Fixes ${ISSUE_URL}
 Add one or more labels to trigger offline builds:
 - `build-default` - Full production build (ansible, terraform, all packages)
 - `build-demo` - Demo/WIAB build
+- `build-wiab-staging` - WIAB-staging build
 - `build-min` - Minimal build (fastest, essential charts only)
 - `build-all` - Run all three builds
 

.github/workflows/offline.yml

@@ -9,21 +9,22 @@
 #   - No label: No builds run (must add label to trigger builds)
 #   - 'build-default': Builds only default profile
 #   - 'build-demo': Builds only demo profile
+#   - 'build-wiab-staging' - Builds only wiab-staging profile
 #   - 'build-min': Builds only min profile
 #   - 'build-all': Explicitly builds all profiles (useful for workflow changes)
 #
 # Push to master/develop: Always builds all profiles regardless of labels
 #
 on:
   push:
-    branches: [master, develop]
+    branches: ["**"]
     tags: [v*]
     paths-ignore:
       - "*.md"
       - "**/*.md"
   pull_request:
     types: [synchronize, reopened, labeled]
-    branches: [master, develop]
+    branches: ["**"]
     paths-ignore:
       - "*.md"
       - "**/*.md"
@@ -32,9 +33,9 @@ jobs:
   build-default:
     name: Build default profile
     if: |
-      github.event_name == 'push' ||
       contains(github.event.pull_request.labels.*.name, 'build-all') ||
-      contains(github.event.pull_request.labels.*.name, 'build-default')
+      contains(github.event.pull_request.labels.*.name, 'build-default') ||
+      contains(github.event.pull_request.labels.*.name, 'build-wiab-staging')
     runs-on:
       group: wire-server-deploy
     outputs:
@@ -72,6 +73,27 @@ jobs:
           AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
           AWS_REGION: "eu-west-1"
 
+  verify-default:
+    name: Verify default profile
+    needs: build-default
+    if: |
+      contains(github.event.pull_request.labels.*.name, 'build-all') ||
+      contains(github.event.pull_request.labels.*.name, 'build-default')
+    runs-on:
+      group: wire-server-deploy
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          submodules: true
+      - uses: cachix/install-nix-action@v27
+      - uses: cachix/cachix-action@v15
+        with:
+          name: wire-server
+          signingKey: "${{ secrets.CACHIX_SIGNING_KEY }}"
+
+      - name: Install nix environment
+        run: nix-env -f default.nix -iA env
+
       - name: Install terraform
         uses: hashicorp/setup-terraform@v3
         with:
@@ -89,6 +111,45 @@ jobs:
         env:
           HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
 
+  # verify wiab-staging profile
+  verify-wiab-staging:
+    name: Verify wiab staging profile
+    needs: build-default
+    if: |
+      contains(github.event.pull_request.labels.*.name, 'build-all') ||
+      contains(github.event.pull_request.labels.*.name, 'build-wiab-staging')
+    runs-on:
+      group: wire-server-deploy
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          submodules: true
+      - uses: cachix/install-nix-action@v27
+      - uses: cachix/cachix-action@v15
+        with:
+          name: wire-server
+          signingKey: "${{ secrets.CACHIX_SIGNING_KEY }}"
+
+      - name: Install nix environment
+        run: nix-env -f default.nix -iA env
+
+      - name: Install terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "^1.3.7"
+          terraform_wrapper: false
+
+      - name: Deploy offline wiab-staging environment to hetzner
+        run: ./offline/cd_staging.sh
+        env:
+          HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
+
+      - name: Clean up hetzner wiab-staging environment; just in case
+        if: always()
+        run: (cd terraform/examples/wiab-staging-hetzner ; terraform init && terraform destroy -auto-approve)
+        env:
+          HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
+
   # Build container in parallel
   build-container:
     name: Build container
@@ -118,7 +179,6 @@ jobs:
   build-demo:
     name: Build demo profile
     if: |
-      github.event_name == 'push' ||
       contains(github.event.pull_request.labels.*.name, 'build-all') ||
       contains(github.event.pull_request.labels.*.name, 'build-demo')
     runs-on:
@@ -179,7 +239,6 @@ jobs:
   build-min:
     name: Build min profile
     if: |
-      github.event_name == 'push' ||
       contains(github.event.pull_request.labels.*.name, 'build-all') ||
       contains(github.event.pull_request.labels.*.name, 'build-min')
     runs-on:

ansible/files/wiab_server_nftables.conf.j2

@@ -0,0 +1,79 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+define KUBENODE1_IP = {{ kubenode1_ip }}
+define KUBENODE2_IP = {{ kubenode2_ip }}
+define KUBENODE3_IP = {{ kubenode3_ip }}
+define CALLING_NODE_IP   = {{ kubenode3_ip }}
+define INF_WAN    = {{ ansible_default_ipv4.interface }}
+define INF_VIRT = "virbr0"
+
+table inet filter {
+  chain block_definitions {
+    ct state established,related accept
+    ct state invalid drop
+    tcp flags != syn ct state new counter drop
+    counter drop
+#    log prefix "DROP " counter drop
+  }
+  chain INPUT {
+    type filter hook input priority 0;
+    ip protocol icmp icmp type echo-request counter accept
+    iifname { lo, $INF_VIRT } counter accept
+    tcp dport 22 counter accept comment "{{ wire_comment }} SSH incoming"
+    jump block_definitions
+  }
+  chain FORWARD {
+    type filter hook forward priority 0;
+    iifname $INF_VIRT oifname $INF_WAN counter accept comment "{{ wire_comment }} allow internet for internal VMs, needed fo things like letsencrypt cert issue"
+    iifname $INF_VIRT oifname $INF_VIRT counter accept comment "{{ wire_comment }} allow traffic between VMs"
+    iifname $INF_WAN oifname $INF_VIRT ct status dnat counter accept comment "{{ wire_comment }} allow DNAT forward from external interface to $INF_VIRT"
+    iifname docker0 oifname $INF_VIRT counter accept
+    jump block_definitions
+  }
+  chain OUTPUT {
+    type filter hook output priority 0;
+    policy accept;
+  }
+}
+table ip nat {
+  chain PREROUTING {
+    type nat hook prerouting priority -100;
+
+    # HTTP load balancing across kubenodes using numgen map (dnat target)
+    iifname { $INF_WAN, $INF_VIRT } tcp dport 80 fib daddr type local counter \
+      dnat to numgen random mod 3 map { \
+        0 : $KUBENODE1_IP, \
+        1 : $KUBENODE2_IP, \
+        2 : $KUBENODE3_IP \
+      }:31772 comment "{{ wire_comment }} HTTP ingress LB"
+
+    # HTTPS load balancing across kubenodes using numgen map (dnat target)
+    iifname { $INF_WAN, $INF_VIRT } tcp dport 443 fib daddr type local counter \
+      dnat to numgen random mod 3 map { \
+        0 : $KUBENODE1_IP, \
+        1 : $KUBENODE2_IP, \
+        2 : $KUBENODE3_IP \
+      }:31773 comment "{{ wire_comment }} HTTPS ingress LB"
+
+    iifname { $INF_WAN, $INF_VIRT } tcp dport 3478 fib daddr type local counter dnat to $CALLING_NODE_IP comment "{{ wire_comment }} COTURN control TCP"
+    iifname { $INF_WAN, $INF_VIRT } udp dport 3478 fib daddr type local counter dnat to $CALLING_NODE_IP comment "{{ wire_comment }} COTURN control UDP"
+
+    iifname { $INF_WAN, $INF_VIRT } udp dport 32768-65535 fib daddr type local counter dnat to $CALLING_NODE_IP comment "{{ wire_comment }} Calling UDP range"
+
+    fib daddr type local counter jump DOCKER
+  }
+  chain POSTROUTING {
+    type nat hook postrouting priority 100;
+    oifname != docker0 ip saddr 172.17.0.0/16 counter masquerade
+    oifname $INF_WAN counter masquerade comment "{{ wire_comment }} masquerade outgoing traffic"
+  }
+  chain DOCKER {
+    iifname docker0 counter return
+  }
+  chain OUTPUT {
+    type nat hook output priority -100; policy accept;
+    ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
+  }
+}