Add Azure build system IP addresses to MaxCDN configuration

[ryandesign (Ryan Carsten Schmidt)]

We are now using Azure as an additional build system in addition to Travis CI.

But we have configured the packages-private zone at MaxCDN to allow connections only from Travis CI's published list of IP addresses.

We need to add Azure's IP addresses to that configuration too so the Azure build can benefit from pre-compiled nondistributable archives too. I ​previously mentioned this on the infra mailing list but we forgot to do anything about it.

Does anybody know where the list of Azure IP addresses is?

[l2dy (Zero King)]

See ​https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted#agent-ip-ranges. They might add new IP ranges every week though.

[ryandesign (Ryan Carsten Schmidt)]

They're currently not publishing their Mac server IPs. But looking at the CDN log I found an IP address they're using and added it to the allowed list.

[neverpanic (Clemens Lang)]

We are no longer using MaxCDN.

[ryandesign (Ryan Carsten Schmidt)]

But therefore we need to add those IPs directly to the packages-private server. I think I already did that, using the IP I found above, but if they ever change the IP or if we ever find an official list of published IPs we should use that.

[neverpanic (Clemens Lang)]

Sounds to me like we should really be using a different mechanism, like a password only available to the CI system.

[ryandesign (Ryan Carsten Schmidt)]

I don't know if we had the ability to configure password-protected realms using our former CDN. We do now, since we no longer have the CDN, but we are looking for a new CDN so we may want to wait and see what capabilities it has before we make changes.

Also, I don't know how to give the CI system a password that users would not be able to see.

[neverpanic (Clemens Lang)]

We can configure secrets in the CI, but only PRs opened from the same repo would have access to them, so that probably doesn't help us as much as I thought initially :/