Eirini and bits-service use the nip.io magic DNS service

[jandubois]

This is a DNS service that is not under the control of the CF foundation. It could break at any time. Even worse, a malicious owner could redirect registry.127.0.0.1.nip.io to a custom registry that ships an exploit into the cluster.

This will also not work in an air-gap installation.

$ ag nip.io
deploy/helm/kubecf/charts/bits/templates/bits-config.yaml
17:    public_endpoint: "https://bits.{{ index .Values.kube.external_ips 0 }}.nip.io"
25:    registry_endpoint: "https://registry.{{ index .Values.kube.external_ips 0 }}.nip.io"
61:        public_endpoint: https://blobstore.{{ index .Values.kube.external_ips 0 }}.nip.io

deploy/helm/kubecf/charts/eirini/templates/job-secret-smuggler.yaml
40:          value: "https://registry.{{ index .Values.kube.external_ips 0 }}.nip.io:6666"

deploy/helm/kubecf/charts/eirini/templates/configmap.yaml
18:      registry_address: "registry.{{ index .Values.kube.external_ips 0 }}.nip.io:6666"

deploy/helm/kubecf/templates/eirini.yaml
2:  {{- printf "{\"auths\": {\"registry.127.0.0.1.nip.io:31666\": {\"auth\": \"%s\"}}}" (printf "admin:%s" .Values.bits.secrets.BITS_SERVICE_SIGNING_USER_PASSWORD | b64enc) | b64enc }}
16:      - registry.127.0.0.1.nip.io

deploy/helm/kubecf/values.yaml
509:    DOMAIN: '127.0.0.1.nip.io:31666" #'
644:    DOMAIN: 127.0.0.1.nip.io