chore(tests): Future-proof whitelist against Docker network changes (#9500)

This PR changes the security/whitelist superflag definition in docker
compose files and other places where docker cmds are issued. The change
is to the "all ipv4 addresses" CIDR definition (0.0.0.0/0).

Background: after updating Docker on my Mac, clients presented a new
175.x ip address that was not covered by the old set of CIDR
definitions.

Author: matthewmcneely

compose/compose.go

@@ -307,7 +307,7 @@ func getAlpha(idx int, raft string) service {
 		svc.Command += fmt.Sprintf(" --vmodule=%s", opts.Vmodule)
 	}
 	if opts.WhiteList {
-		svc.Command += ` --security "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16;"`
+		svc.Command += ` --security "whitelist=0.0.0.0/0;"`
 	}
 	if opts.Acl {
 		svc.Command += ` --acl "secret-file=/secret/hmac;"`

dgraph/cmd/alpha/mutations_mode/docker-compose.yml

@@ -18,8 +18,8 @@ services:
         read_only: true
     command:
       /gobin/dgraph  ${COVERAGE_OUTPUT} alpha --my=alpha1:7080
-      --zero=zero1:5080,zero2:5080,zero3:5080 --logtostderr -v=2 --security
-      "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16;" --limit "mutations=disallow;"
+      --zero=zero1:5080,zero2:5080,zero3:5080 --logtostderr -v=2 --security "whitelist=0.0.0.0/0;"
+      --limit "mutations=disallow;"
   alpha2:
     image: dgraph/dgraph:local
     working_dir: /data/alpha2
@@ -35,8 +35,8 @@ services:
         read_only: true
     command:
       /gobin/dgraph  ${COVERAGE_OUTPUT} alpha --my=alpha2:7080
-      --zero=zero1:5080,zero2:5080,zero3:5080 --logtostderr -v=2 --security
-      "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16;" --limit "mutations=strict;"
+      --zero=zero1:5080,zero2:5080,zero3:5080 --logtostderr -v=2 --security "whitelist=0.0.0.0/0;"
+      --limit "mutations=strict;"
   alpha3:
     image: dgraph/dgraph:local
     working_dir: /data/alpha3
@@ -52,8 +52,8 @@ services:
         read_only: true
     command:
       /gobin/dgraph  ${COVERAGE_OUTPUT} alpha --my=alpha3:7080
-      --zero=zero1:5080,zero2:5080,zero3:5080 --logtostderr -v=2 --security
-      "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16;" --limit "mutations=strict;"
+      --zero=zero1:5080,zero2:5080,zero3:5080 --logtostderr -v=2 --security "whitelist=0.0.0.0/0;"
+      --limit "mutations=strict;"
   zero1:
     image: dgraph/dgraph:local
     working_dir: /data/zero1

dgraph/docker-compose.yml

@@ -85,8 +85,7 @@ services:
       /gobin/dgraph  ${COVERAGE_OUTPUT} alpha --telemetry "reports=false;" --encryption
       "key-file=/dgraph-enc/enc-key;" --my=alpha1:7080 --zero=zero1:5080,zero2:5080,zero3:5080
       --expose_trace --profile_mode block --block_rate 10 --logtostderr -v=2 --security
-      "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16;" --acl
-      "secret-file=/dgraph-acl/hmac-secret; access-ttl=20s;"
+      "whitelist=0.0.0.0/0;" --acl "secret-file=/dgraph-acl/hmac-secret; access-ttl=20s;"
 
   alpha2:
     image: dgraph/dgraph:local
@@ -115,8 +114,7 @@ services:
     command:
       /gobin/dgraph  ${COVERAGE_OUTPUT} alpha --encryption "key-file=/dgraph-enc/enc-key;"
       --my=alpha2:7080 --zero=zero1:5080,zero2:5080,zero3:5080 --expose_trace --profile_mode block
-      --block_rate 10 --logtostderr -v=2 --security
-      "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16;" --acl
+      --block_rate 10 --logtostderr -v=2 --security "whitelist=0.0.0.0/0;" --acl
       "secret-file=/dgraph-acl/hmac-secret; access-ttl=20s;"
 
   alpha3:
@@ -146,8 +144,7 @@ services:
     command:
       /gobin/dgraph  ${COVERAGE_OUTPUT} alpha --encryption "key-file=/dgraph-enc/enc-key;"
       --my=alpha3:7080 --zero=zero1:5080,zero2:5080,zero3:5080 --expose_trace --profile_mode block
-      --block_rate 10 --logtostderr -v=2 --security
-      "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16;" --acl
+      --block_rate 10 --logtostderr -v=2 --security "whitelist=0.0.0.0/0;" --acl
       "secret-file=/dgraph-acl/hmac-secret; access-ttl=20s;"
 
   alpha4:
@@ -177,8 +174,7 @@ services:
     command:
       /gobin/dgraph  ${COVERAGE_OUTPUT} alpha --encryption "key-file=/dgraph-enc/enc-key;"
       --my=alpha4:7080 --zero=zero1:5080,zero2:5080,zero3:5080 --expose_trace --profile_mode block
-      --block_rate 10 --logtostderr -v=2 --security
-      "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16;" --acl
+      --block_rate 10 --logtostderr -v=2 --security "whitelist=0.0.0.0/0;" --acl
       "secret-file=/dgraph-acl/hmac-secret; access-ttl=20s;"
 
   alpha5:
@@ -208,8 +204,7 @@ services:
     command:
       /gobin/dgraph  ${COVERAGE_OUTPUT} alpha --encryption "key-file=/dgraph-enc/enc-key;"
       --my=alpha5:7080 --zero=zero1:5080,zero2:5080,zero3:5080 --expose_trace --profile_mode block
-      --block_rate 10 --logtostderr -v=2 --security
-      "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16;" --acl
+      --block_rate 10 --logtostderr -v=2 --security "whitelist=0.0.0.0/0;" --acl
       "secret-file=/dgraph-acl/hmac-secret; access-ttl=20s;"
 
   alpha6:
@@ -239,8 +234,7 @@ services:
     command:
       /gobin/dgraph  ${COVERAGE_OUTPUT} alpha --encryption "key-file=/dgraph-enc/enc-key;"
       --my=alpha6:7080 --zero=zero1:5080,zero2:5080,zero3:5080 --expose_trace --profile_mode block
-      --block_rate 10 --logtostderr -v=2 --security
-      "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16;" --acl
+      --block_rate 10 --logtostderr -v=2 --security "whitelist=0.0.0.0/0;" --acl
       "secret-file=/dgraph-acl/hmac-secret; access-ttl=20s;"
 
   minio:

dgraphtest/dgraph.go

@@ -235,10 +235,9 @@ func (a *alpha) cmd(c *LocalCluster) []string {
 		"--bindall", "--logtostderr", fmt.Sprintf("-v=%d", c.conf.verbosity)}
 
 	if c.lowerThanV21 {
-		acmd = append(acmd, `--whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16`, "--telemetry=false")
+		acmd = append(acmd, `--whitelist=0.0.0.0/0`, "--telemetry=false")
 	} else {
-		acmd = append(acmd, `--security=whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16`,
-			"--telemetry=reports=false;")
+		acmd = append(acmd, `--security=whitelist=0.0.0.0/0`, "--telemetry=reports=false;")
 	}
 
 	if c.conf.lambdaURL != "" {

graphql/e2e/admin_auth/poorman_auth/docker-compose.yml

@@ -34,5 +34,5 @@ services:
       service: alpha1
     command:
       /gobin/dgraph ${COVERAGE_OUTPUT} alpha --my=alpha1:7080 --zero=zero1:5080 --expose_trace
-      --profile_mode block --block_rate 10 --logtostderr -v=2 --security
-      "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16; token=itIsSecret;" --trace "ratio=1.0;"
+      --profile_mode block --block_rate 10 --logtostderr -v=2 --security "whitelist=0.0.0.0/0;
+      token=itIsSecret;" --trace "ratio=1.0;"

graphql/e2e/admin_auth/poorman_auth_with_acl/docker-compose.yml

@@ -38,6 +38,6 @@ services:
       service: alpha1
     command:
       /gobin/dgraph ${COVERAGE_OUTPUT} alpha --my=alpha1:7080 --zero=zero1:5080 --expose_trace
-      --profile_mode block --block_rate 10 --logtostderr -v=2 --security
-      "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16; token=itIsSecret;" --acl
-      "secret-file=/dgraph-acl/hmac-secret; access-ttl=3s;" --trace "ratio=1.0;"
+      --profile_mode block --block_rate 10 --logtostderr -v=2 --security "whitelist=0.0.0.0/0;
+      token=itIsSecret;" --acl "secret-file=/dgraph-acl/hmac-secret; access-ttl=3s;" --trace
+      "ratio=1.0;"

graphql/e2e/auth/debug_off/docker-compose.yml

@@ -34,5 +34,5 @@ services:
       service: alpha1
     command:
       /gobin/dgraph  ${COVERAGE_OUTPUT} alpha --zero=zero1:5080 --expose_trace --profile_mode block
-      --block_rate 10 --logtostderr -v=3 --my=alpha1:7080 --security
-      "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16;" --trace "ratio=1.0;"
+      --block_rate 10 --logtostderr -v=3 --my=alpha1:7080 --security "whitelist=0.0.0.0/0;" --trace
+      "ratio=1.0;"

graphql/e2e/auth/docker-compose.yml

@@ -34,6 +34,5 @@ services:
       service: alpha1
     command:
       /gobin/dgraph  ${COVERAGE_OUTPUT} alpha --zero=zero1:5080 --expose_trace --profile_mode block
-      --block_rate 10 --logtostderr -v=3 --my=alpha1:7080 --security
-      "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16;" --graphql "debug=true;" --trace
-      "ratio=1.0;"
+      --block_rate 10 --logtostderr -v=3 --my=alpha1:7080 --security "whitelist=0.0.0.0/0;"
+      --graphql "debug=true;" --trace "ratio=1.0;"

graphql/e2e/auth_closed_by_default/docker-compose.yml

@@ -34,6 +34,5 @@ services:
       service: alpha1
     command:
       /gobin/dgraph  ${COVERAGE_OUTPUT} alpha --zero=zero1:5080 --expose_trace --profile_mode block
-      --block_rate 10 --logtostderr -v=3 --my=alpha1:7080 --security
-      "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16;" --graphql "debug=true;" --trace
-      "ratio=1.0;"
+      --block_rate 10 --logtostderr -v=3 --my=alpha1:7080 --security "whitelist=0.0.0.0/0;"
+      --graphql "debug=true;" --trace "ratio=1.0;"

graphql/e2e/custom_logic/docker-compose.yml

@@ -17,7 +17,7 @@ services:
         read_only: true
     command:
       /gobin/dgraph  ${COVERAGE_OUTPUT} alpha --my=alpha1:7080 --zero=zero1:5080 --logtostderr -v=2
-      --raft="idx=1;" --security "whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16;"
+      --raft="idx=1;" --security "whitelist=0.0.0.0/0;"
   zero1:
     image: dgraph/dgraph:local
     working_dir: /data/zero1