From e6e821a9ef5021765e8858a6f0055658c7c1fd80 Mon Sep 17 00:00:00 2001
From: Kyle Brennan
Date: Wed, 21 Aug 2024 09:09:46 -0400
Subject: [PATCH] Tolerate https scheme & update docs (#8)

* Tolerate https scheme & update docs

Private networks may need to have the policy updated for VPC endpoints, otherwise gitpod-network-check will fail.

* Cleanup
---
 gitpod-network-check/README.md | 71 +++++++++++++++++++
 gitpod-network-check/cmd/checks.go | 16 ++++-
 .../gitpod-network-check.yaml | 6 +-
 3 files changed, 89 insertions(+), 4 deletions(-)

diff --git a/gitpod-network-check/README.md b/gitpod-network-check/README.md
index d856537..d0333df 100644
--- a/gitpod-network-check/README.md
+++ b/gitpod-network-check/README.md
@@ -100,3 +100,74 @@ A CLI to check if your network setup is suitable for the installation of Gitpod.
 INFO[0122] ✅ Security group 'sg-0a6119dcb6a564fc1' deleted
 INFO[0122] ✅ Security group 'sg-07373362953212e54' deleted
 ```
+
+## FAQ
+
+If the EC2 instances are timing out, or you cannot connect to them with Session Manager, be sure to add the following policies.
+
+For the ssm vpc endpoint, add the following policy:
+
+```json
+{
+ "Effect": "Allow",
+ "Action": [
+ "*"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Principal": {
+ "AWS": [
+ "*"
+ ]
+ },
+ "Condition": {
+ "ArnEquals": {
+ "aws:PrincipalArn": "arn:aws:iam:::role/GitpodNetworkCheck"
+ }
+ }
+},
+{
+ "Effect": "Allow",
+ "Action": [
+ "*"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Principal": {
+ "AWS": [
+ "*"
+ ]
+ },
+ "Condition": {
+ "StringEquals": {
+ "ec2:InstanceProfile": "arn:aws:iam:::instance-profile/GitpodNetworkCheck"
+ }
+ }
+}
+```
+
+For the ec2messages and ssmmessages vpc endpoints, add the following policy:
+
+```json
+{
+ "Effect": "Allow",
+ "Action": [
+ "*"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Principal": {
+ "AWS": [
+ "*"
+ ]
+ },
+ "Condition": {
+ "ArnEquals": {
+ "aws:PrincipalArn": "arn:aws:iam:::role/GitpodNetworkCheck"
+ }
+ }
+}
+```
diff --git a/gitpod-network-check/cmd/checks.go b/gitpod-network-check/cmd/checks.go
index d37b2c2..a306144 100644
--- a/gitpod-network-check/cmd/checks.go
+++ b/gitpod-network-check/cmd/checks.go
@@ -5,6 +5,7 @@ import (
 "encoding/base64"
 "errors"
 "fmt"
+ "net/url"
 "slices"
 "sort"
 "strings"
@@ -129,7 +130,20 @@ var checkCommand = &cobra.Command{ // nolint:gochecknoglobals
 httpHosts := map[string]string{}
 for _, v := range networkConfig.HttpsHosts {
 host := strings.TrimSpace(v)
- httpHosts[host] = fmt.Sprintf("https://%s", host)
+ parsedUrl, err := url.Parse(host)
+ if err != nil {
+ log.Warnf("🚧 Invalid Host: %s, skipping due to error: %v", host, err)
+ continue
+ }
+
+ if parsedUrl.Scheme == "" {
+ httpHosts[host] = fmt.Sprintf("https://%s", host)
+ } else if parsedUrl.Scheme == "https" {
+ httpHosts[host] = parsedUrl.Host
+ } else {
+ log.Warnf("🚧 Unsupported scheme: %s, skipping test for %s", parsedUrl.Scheme, host)
+ continue
+ }
 }
 if len(httpHosts) > 0 {
 log.Infof("ℹī¸ Checking if hosts can be reached with HTTPS from ec2 instances in the main subnets")
diff --git a/gitpod-network-check/gitpod-network-check.yaml b/gitpod-network-check/gitpod-network-check.yaml
index 6faa16e..c54d092 100644
--- a/gitpod-network-check/gitpod-network-check.yaml
+++ b/gitpod-network-check/gitpod-network-check.yaml
@@ -1,5 +1,5 @@
 log-level: debug # Options: debug, info, warning, error
 region: eu-central-1
-main-subnets: subnet-0a195092eb78c7674, subnet-05db6651c2ef39639
-pod-subnets: subnet-00a5f0d10253fb33c, subnet-09f658fd789fc9b84
-https-hosts: accounts.google.com, github.com
+main-subnets: subnet-017c6a80f4879d851, subnet-0215744d52cd1c01f
+pod-subnets: subnet-00a118009d1d572a5, subnet-062288af00ba50d86
+https-hosts: accounts.google.com, https://github.com
\ No newline at end of file
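Review bot: The two accepting branches in the second checks.go hunk store differently shaped entries: for a bare host the key is the host and the value is `https://<host>`, but for an `https://` input the key becomes the full URL and the value only `parsedUrl.Host`, which inverts the key/value roles of the line being replaced. The consumer of httpHosts is outside the hunk so I cannot confirm which side it reads, but if it fetches the value (as the original assignment implies) the https branch should be `httpHosts[parsedUrl.Host] = fmt.Sprintf("https://%s", parsedUrl.Host)` so both branches agree and the scheme is never dropped. Separately, `url.Parse` appears to read a scheme-less `host:port` entry such as `example.com:8443` as scheme `example.com`, so any port-qualified host in `https-hosts` would now be skipped as "Unsupported scheme"; if ports are meant to be supported, testing `strings.HasPrefix(host, "https://")` before parsing is more robust than relying on Scheme. Go's initialism convention would also spell the local `parsedURL`. The enclosing checkCommand Run body starts and ends outside the hunk.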