Sync Cloudflare network ranges #8389
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Sync Cloudflare network ranges | |
on: # yamllint disable-line rule:truthy | |
workflow_dispatch: | |
schedule: | |
- cron: "0 0 * * *" | |
jobs: | |
sync: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Process YAML | |
run: | | |
# renovate depName=mikefarah/yq | |
wget -O /tmp/yq https://github.com/mikefarah/yq/releases/download/v4.35.2/yq_linux_amd64 | |
chmod +x /tmp/yq | |
readarray -d '' nets < <(curl -sS https://www.cloudflare.com/ips-v4/ | sort) | |
readarray -d '' netsv6 < <(curl -sS https://www.cloudflare.com/ips-v6/ | sort) | |
nets+=$(printf '\n%s' "${netsv6[@]}") | |
cilium_nets=$(printf '"%s", ' ${nets[@]}) | |
/tmp/yq eval --inplace ".spec.ingress[1].fromCIDR = [ ${cilium_nets%,*} ]" infra/ingress-nginx/ciliumnetworkpolicy.yaml | |
ingress_nets=$(printf '%s,' ${nets[@]}) | |
ingress_nets="${ingress_nets%,*}" | |
/tmp/yq eval --inplace ".spec.values.controller.config.proxy-real-ip-cidr = \"${ingress_nets}\"" infra/ingress-nginx/helmrelease.yaml | |
- name: Create pull request for cloudflare network range update | |
uses: peter-evans/create-pull-request@v5 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
branch: "cf/update-nets" | |
delete-branch: true | |
title: "update cloudflare network ranges" | |
signoff: true | |
committer: "${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>" | |
author: "${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>" | |
assignees: "rxbn" | |
commit-message: "update cloudflare network ranges" | |
body: | | |
Cloudflare IP ranges: https://www.cloudflare.com/ips/ | |
labels: cf/ip-ranges |