Temporary allow access to your cloud infrastructure by signaling the gatekeeper. Allowing your build pipeline to deploy behind a firewall.
| Provider | Product Name | Required Environment Variables |
|---|---|---|
| Vultr | Firewall | VULTR_PERSONAL_ACCESS_TOKEN, VULTR_FIREWALL_ID |
| Digitalocean | Cloud Firewalls | DIGITALOCEAN_PERSONAL_ACCESS_TOKEN, DIGITALOCEAN_FIREWALL_ID |
| AWS | EC2 Security Groups | AWS_ACCESS_KEY, AWS_SECRET_KEY, AWS_REGION, AWS_SECURITY_GROUP_ID |
| AWS | VPC Network ACLs | AWS_ACCESS_KEY, AWS_SECRET_KEY, AWS_REGION, AWS_NETWORK_ACL_ID |
- Download a release binary or use a Docker image
- Retrieve your cloud provider API keys. DigitalOcean even has docs for this.
- Configure your application by passing environment variables. See these examples below:
Docker:
docker run -p 8080:8080 -e DIGITALOCEAN_PERSONAL_ACCESS_TOKEN=REPLACE_ME -e DIGITALOCEAN_FIREWALL_ID=REPLACE_ME nstapelbroek/gatekeeper:latest
Standalone binary:
DIGITALOCEAN_PERSONAL_ACCESS_TOKEN=REPLACE_ME DIGITALOCEAN_FIREWALL_ID=REPLACE_ME ./gatekeeper
After installing and running the application you can fire an HTTP POST towards it to temporary whitelist your given IP at the cloud provider. By default the gatekeeper will open TCP port 22 (for SSH). You can change the port of protocol in the configuration.
A simple example:
curl -X POST http://localhost:8080You can configure the timeout or ip address per request basis by sending it as a form-encoded or json payload. The example below will use your public IP:
curl -X POST -s -d 'ip='$(curl -s https://ifconfig.co/ip)'&timeout=60' http://localhost:8080Although this tool is meant to be very simple, you can configure it to your needs by changing some variables.
| Variable Name | Default value | Notes |
|---|---|---|
| APP_ENV | release | Used to control the verbosity of log lines. Only release and debug are used. |
| HTTP_AUTH_USERNAME | Used with to HTTP_AUTH_PASSWORD to shield the application with http basic auth. |
|
| HTTP_AUTH_PASSWORD | See HTTP_AUTH_USENAME. Both values have to be provided. |
|
| HTTP_PORT | 8080 | Controls on which port the HTTP server will start. |
| RULE_CLOSE_TIMEOUT | 120 | When no timeout value is given on a request, this value in seconds will be used. Use 0 to permanently allow the IP address. |
| RULE_PORTS | TCP:22 | A comma separated list of ports to unblock on a request. Use a - to indicate a range. For example: TCP:20-22,UDP:20-22. |
If you wish to help building gatekeeper you can start with:
- Fork and clone the repository
- Install dependencies with
go mod tidy - Optionally you can install additional tooling like golangci-lint
- Start building! You can find some inspiration for changes in the issues or project board