Revert "Extensive cleanup after instance NAT removal"

This reverts commit 2cd156d.

Author: Duologic

.rubocop_todo.yml

@@ -35,6 +35,7 @@ Metrics/MethodLength:
 # Blacklist: (?-mix:(^|\s)(EO[A-Z]{1}|END)(\s|$))
 Naming/HeredocDelimiterNaming:
   Exclude:
+    - 'bin/gcloud-nats-by-zone'
     - 'bin/generate-latest-gce-images'
     - 'bin/write-config-files'
 

assets/nat/var/tmp/nat-conntracker-confs/fail2ban-action-iptables-blocktype.local

@@ -0,0 +1,2 @@
+[Init]
+blocktype = DROP

assets/nat/var/tmp/nat-conntracker-confs/fail2ban-filter-nat-conntracker.conf

@@ -0,0 +1,6 @@
+[Definition]
+failregex = ^.*time=\S+ level=WARNING over threshold=\d+ src=<HOST> dst=\S+ count=\d+.*$
+ignoreregex =
+
+[Init]
+journalmatch = _SYSTEMD_UNIT=nat-conntracker.service

assets/nat/var/tmp/nat-conntracker-confs/fail2ban-jail-nat-conntracker.conf

@@ -0,0 +1,9 @@
+[nat-conntracker]
+backend = systemd
+banaction = iptables-allports
+bantime = 30
+chain = FORWARD
+enabled = true
+ignoreip = 127.0.0.1/8 10.10.0.0/16
+maxretry = 1
+protocol = all

assets/nat/var/tmp/nat-conntracker-confs/fail2ban.local

@@ -0,0 +1,2 @@
+[Definition]
+logtarget = SYSLOG

assets/nat/var/tmp/nftables.conf

@@ -0,0 +1,10 @@
+table ip nat {
+        chain prerouting {
+                type nat hook prerouting priority 0; policy accept;
+        }
+
+        chain postrouting {
+                type nat hook postrouting priority 100; policy accept;
+                masquerade
+        }
+}

bin/gce-export-net

@@ -31,9 +31,12 @@ def main
   command = %W[#{terraform} state rm] + (
     %w[
       aws_route53_record.bastion-b
+      aws_route53_record.nat-b
       google_compute_address.bastion-b
       google_compute_address.bastion[0]
+      google_compute_address.nat-b
       google_compute_firewall.allow_internal
+      google_compute_firewall.allow_jobs_nat
       google_compute_firewall.allow_public_icmp
       google_compute_firewall.allow_public_ssh
       google_compute_firewall.deny_target_ip

bin/gce-import-net

@@ -49,6 +49,7 @@ def main
   {
     'google_compute_address.bastion[0]' => 'bastion-b',
     'google_compute_firewall.allow_internal' => 'allow-internal',
+    'google_compute_firewall.allow_jobs_nat' => 'allow-jobs-nat',
     'google_compute_firewall.allow_public_icmp' => 'allow-public-icmp',
     'google_compute_firewall.allow_public_ssh' => 'allow-public-ssh',
     'google_compute_firewall.deny_target_ip' => 'deny-target-ip',

bin/gcloud-nats-by-zone

@@ -0,0 +1,95 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'json'
+
+NOTSET = '<notset>'
+
+def main(argv: ARGV)
+  return usage if $stdin.tty? || argv.include?('-h') || argv.include?('--help')
+
+  in_args = JSON.parse($stdin.read)
+  zones = in_args.fetch('zones', '').split(',').map(&:strip).reject(&:empty?)
+  count = Integer(in_args.fetch('count', zones.length))
+  project = in_args.fetch('project')
+  region = in_args.fetch('region')
+  retries = Integer(in_args.fetch('retries', '4'))
+  retry_sleep = Integer(in_args.fetch('retry_sleep', '120'))
+  accounting = %w[1 yes on true].include?(
+    ENV.fetch(
+      'ACCOUNTING', in_args.fetch('accounting', true)
+    ).to_s
+  )
+  retried = 0
+
+  instances = {}
+  while retried <= retries
+    instances = fetch_nats_by_zone(zones, count, project, region)
+    break unless accounting
+    break if instances.length == count
+
+    warn(
+      "#{$PROGRAM_NAME}: sleeping=#{retry_sleep}s " \
+      "instances_length=#{instances.length} count=#{count}"
+    )
+
+    sleep(retry_sleep)
+    retried += 1
+  end
+
+  $stdout.puts(JSON.pretty_generate(instances))
+  0
+end
+
+def fetch_nats_by_zone(zones, count, project, region)
+  instances = {}
+  instances_command = %w[
+    gcloud compute instance-groups list-instances
+  ]
+
+  zones.each do |zone|
+    (count / zones.length).times do |count_index|
+      full_command = instances_command + %W[
+        nat-#{zone}-#{count_index + 1}
+        --project=#{project}
+        --zone=#{region}-#{zone}
+        --format="value(instance)"
+      ]
+      instance_name = `#{full_command.join(' ')}`.strip
+      next if instance_name.empty?
+
+      instances["nat-#{zone}-#{count_index + 1}"] = %W[
+        projects
+        #{project}
+        zones
+        #{region}-#{zone}
+        instances
+        #{instance_name}
+      ].join('/')
+    rescue StandardError => e
+      warn e
+    end
+  end
+
+  instances
+end
+
+def usage
+  warn <<~EOF
+    Usage: #{$PROGRAM_NAME} [-h|--help]
+
+    Print a mapping of {zone}-{index}=>{instance-id} given a JSON blob
+    containing the following arguments provided via stdin:
+
+    accounting - boolean controlling count check and retries, default=false
+    count - total number of expected instances, default=zones.length
+    project - the gcloud project name *REQUIRED*
+    region - the region in which to look for nat instances *REQUIRED*
+    retries - number of total retries, default=4
+    retry_sleep - sleep interval between retries, default=120
+    zones - a comma-delimited list of zones within the region
+  EOF
+  2
+end
+
+exit(main) if $PROGRAM_NAME == __FILE__

bin/gcloud-recreate-nat-instances

@@ -0,0 +1,92 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'optparse'
+require 'json'
+
+def main
+  options = { env: '', noop: false }
+  OptionParser.new do |opts|
+    opts.banner = <<~BANNER
+      Usage: gcloud-recreate-nat-instances [options]
+
+      Recreates the NAT instances managed by the instance groups specified using
+      the GCE_NAT_GROUPS environment variable.  Also requires GCE_NAT_PROJECT
+      and GCE_NAT_REGION to be set.
+
+    BANNER
+
+    opts.on('-E', '--env=ENV_FILE') do |f|
+      options[:env] = f.strip
+    end
+
+    opts.on('-n', '--noop') do
+      options[:noop] = true
+    end
+
+    opts.on('--help') do
+      puts opts
+      exit
+    end
+  end.parse!
+
+  env = Hash[ENV]
+  env.merge!(source_env(options[:env])) unless options[:env].empty?
+
+  project = env.fetch('GCE_NAT_PROJECT')
+  region = env.fetch('GCE_NAT_REGION')
+  groups = env.fetch('GCE_NAT_GROUPS').split(',').map(&:strip)
+
+  groups_zones = groups.map do |group|
+    [group, "#{region}-#{group.split('-').fetch(1)}"]
+  end
+  groups_zones = Hash[groups_zones]
+
+  groups_zones.each do |instance_group, zone|
+    instance_list = list_instances(instance_group, zone, project)
+    instances = instance_list.map { |r| r.fetch('instance').split('/').last }
+    command = %W[
+      gcloud compute instance-groups managed recreate-instances
+      #{instance_group} --zone=#{zone} --project=#{project}
+      --instances=#{instances.join(',')}
+    ]
+    run_command(command, options.fetch(:noop))
+  end
+
+  0
+end
+
+def list_instances(instance_group, zone, project)
+  command = %W[
+    gcloud compute instance-groups list-instances
+    #{instance_group}
+    --zone=#{zone}
+    --project=#{project}
+    --format=json
+  ]
+  JSON.parse(`#{command.join(' ')}`)
+end
+
+def run_command(command, noop)
+  if noop
+    puts "---> NOOP: #{command.join(' ').inspect}"
+  else
+    puts "---> RUNNING: #{command.join(' ').inspect}"
+    system(*command)
+  end
+end
+
+def source_env(env_file)
+  base_env = `bash -c 'printenv'`.split($RS).map do |l|
+    l.strip.split('=', 2)
+  end
+  base_env = Hash[base_env]
+  sourced_env = `bash -c "source #{env_file}; printenv"`.split($RS).map do |l|
+    l.strip.split('=', 2)
+  end
+  sourced_env = Hash[sourced_env]
+  base_env.keys.each { |k| sourced_env.delete(k) }
+  sourced_env
+end
+
+exit(main) if $PROGRAM_NAME == __FILE__

bin/generate-latest-docker-image-tags

@@ -32,6 +32,8 @@ def main
   end
 
   %w[
+    gesund
+    nat-conntracker
     worker
   ].each do |image|
     tag = latest_docker_image_tag("travisci/#{image}")

bin/nat-conntracker-configure

@@ -0,0 +1,88 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'json'
+require 'net/http'
+require 'net/https'
+require 'optparse'
+
+def main
+  options = {
+    app: '',
+    dst_ignore: [],
+    heroku_api_hostname: 'api.heroku.com',
+    heroku_api_key: ENV.fetch('HEROKU_API_KEY', ''),
+    src_ignore: []
+  }
+
+  OptionParser.new do |opts|
+    opts.on(
+      '-a', '--app=APP',
+      'name of nat-conntracker heroku app'
+    ) { |v| options[:app] = v.strip }
+
+    opts.on(
+      '-d', '--dst-ignore=CIDRS',
+      'comma-delimited list of destination CIDRs to ignore'
+    ) { |v| options[:dst_ignore] = v.split(',').map(&:strip) }
+
+    opts.on(
+      '-s', '--src-ignore=CIDRS',
+      'comma-delimited list of source CIDRs to ignore'
+    ) { |v| options[:src_ignore] = v.split(',').map(&:strip) }
+
+    opts.on(
+      '--heroku-api-hostname=HOSTNAME',
+      'hostname of Heroku API from which to fetch stuff'
+    ) { |v| options[:heroku_api_hostname] = v.strip }
+
+    opts.on(
+      '--heroku-api-key=KEY',
+      'API key to use with Heroku API'
+    ) { |v| options[:heroku_api_key] = v.strip }
+  end.parse!
+
+  expand_private!(options[:dst_ignore])
+  expand_private!(options[:src_ignore])
+
+  unless Array(options[:dst_ignore]).empty?
+    dst_command = %W[
+      trvs redis-cli #{options[:app]} REDIS_URL SADD nat-conntracker:dst-ignore
+    ] + Array(options[:dst_ignore])
+    warn("---> #{dst_command.join(' ')}")
+    system(*dst_command)
+  end
+
+  unless Array(options[:src_ignore]).empty?
+    src_command = %W[
+      trvs redis-cli #{options[:app]} REDIS_URL SADD nat-conntracker:src-ignore
+    ] + Array(options[:src_ignore])
+    warn("---> #{src_command.join(' ')}")
+    system(*src_command)
+  end
+
+  0
+end
+
+def expand_private!(cidrs)
+  cidrs.map! do |cidr|
+    if cidr == 'private'
+      PRIVATE_SUBNETS
+    else
+      cidr
+    end
+  end
+  cidrs.flatten!
+  cidrs
+end
+
+PRIVATE_SUBNETS = %w[
+  10.0.0.0/8
+  127.0.0.0/8
+  169.254.0.0/16
+  172.16.0.0/12
+  192.0.2.0/24
+  192.168.0.0/16
+].freeze
+
+exit(main) if $PROGRAM_NAME == __FILE__

bin/write-config-files

@@ -36,6 +36,16 @@ def main(argv: ARGV)
     )
   end
 
+  if opts[:write_nat]
+    fwrite(
+      'config/nat.env',
+      trvs_gen(
+        "#{opts[:infra]}-nat", opts[:env_short],
+        pro: true, prefix: "#{opts[:infra].upcase}_NAT"
+      )
+    )
+  end
+
   {
     'config/travis-org.env' => "travis-#{opts[:env_short]}",
     'config/travis-build-org.env' => "travis-build-#{opts[:env_short]}",
@@ -104,7 +114,8 @@ def parse_argv(argv)
     job_board_host: '',
     amqp_url_com_varname: '',
     amqp_url_org_varname: '',
-    write_bastion: false
+    write_bastion: false,
+    write_nat: false
   }
 
   OptionParser.new do |o|
@@ -143,6 +154,10 @@ def parse_argv(argv)
     o.on('--write-bastion') do
       opts[:write_bastion] = true
     end
+
+    o.on('--write-nat') do
+      opts[:write_nat] = true
+    end
   end.parse(argv)
 
   opts