Enhance Public Worker Capabilities for IP-Restricted VCS Access

Prospect requests an enhancement to Spacelift's Public Worker capabilities to enable seamless access to IP-whitelisted Source Code Management systems like Bitbucket Cloud. The desired outcome is for a Public Worker to be able to successfully clone/fetch code from a VCS repository that requires IP whitelisting.

The most viable technical approach would be to allow users to configure how the code checkout step is performed, specifically enabling it to go through a designated proxy server. This could potentially be facilitated by:

  • Enhancements around the Preparing phase: Allowing secure injection of environment variables or providing dedicated hook points specifically designed for network/proxy configuration before the Git clone operation occurs.

  • A dedicated setting within the VCS integration configuration in Spacelift for specifying proxy details and securely managing credentials for repositories requiring proxied access.

Workaround
1. Creating a custom Docker image with hardcoded proxy credentials: This was rejected due to the significant security risk of embedding sensitive username/password for a proxy server within a publicly accessible Docker image repository.

2. Migrating Terraform repositories to a different workspace without IP restrictions: This is an undesirable operational overhead and might conflict with existing organizational policies or repository structures.

3. Using Private Workers: This is not a cost-effective solution for our use case, as it significantly increases operational costs compared to leveraging the Public Worker pool.
Problem
Prospect encounters a significant blocker when attempting to integrate their source code repository hosted on Bitbucket Cloud, as it enforces IP whitelisting for security reasons. Public Workers connect from dynamic IP addresses that are not predictable or static, making it impossible to add them to our Bitbucket Cloud's IP allow list. This prevents them from using the public workers for stacks that have repos connected.

Status

❌ Rejected

Board

💡 Feature Requests

Tags

VCS

Date

10 months ago
