Add daily egress connectivity allow list generation

Introduces an optional egress capture capability that builds and
maintains docs/EGRESS_ALLOWLIST.yaml — a list of outbound connections
(DNS name, protocol, port) made by the Landing Zone VM during a full
deployment. Normal CI runs are completely unaffected.

How it works: OpenSnitch runs on the Landing Zone in accept-all + log
mode. After deployment, logs are collected, RFC1918 and loopback
destinations are filtered out, and the remainder is rendered as a
sorted YAML allow list. The daily egress-capture workflow calls the
existing e2e-deployment workflow for both connected and disconnected
modes with capture enabled, then diffs the result against the current
allow list. If anything changed, it opens a PR automatically.

For iterating on the capture tooling itself without waiting for a full
e2e run, /test capture-infra triggers the same pipeline through
infra-verify. To preview allow list changes on a PR branch,
/test capture-egress runs a dry-run and posts the diff as a comment.

https://redhat.atlassian.net/browse/MGMT-23743

Signed-off-by: Rafa Porres Molina <rporresm@redhat.com>
Assisted-by: Claude Sonnet 4.6

Author: rporres

.github/TRIGGER_CAPTURE_E2E

@@ -0,0 +1 @@
+# TEMPORARY — delete before merging

.github/TRIGGER_CAPTURE_INFRA

@@ -0,0 +1 @@
+Fri Apr 24 12:26:27 CEST 2026

.github/workflows/e2e-deployment.yml

@@ -10,6 +10,30 @@ name: E2E Deployment
 # selecting which modes to run, skipping cleanup, and sending Slack notifications.
 
 on:
+  workflow_call:
+    inputs:
+      run-connected:
+        type: boolean
+        default: true
+      run-disconnected:
+        type: boolean
+        default: true
+      storage-plugin:
+        type: string
+        default: 'lvms'
+      skip-cleanup:
+        type: boolean
+        default: false
+      capture-egress:
+        type: boolean
+        default: false
+    outputs:
+      egress-artifact-connected:
+        description: "Artifact name for connected egress logs (empty if not captured)"
+        value: ${{ jobs.e2e-connected.outputs.egress-artifact }}
+      egress-artifact-disconnected:
+        description: "Artifact name for disconnected egress logs (empty if not captured)"
+        value: ${{ jobs.e2e-disconnected.outputs.egress-artifact }}
   schedule:
     # Run daily at 10:00 PM EST (03:00 UTC)
     - cron: '0 3 * * *'
@@ -113,6 +137,16 @@ jobs:
               echo "storage_plugins_connected=[\"${PLUGIN}\"]" >> $GITHUB_OUTPUT
             fi
             echo "Manual trigger - E2E will run (${PLUGIN})" | tee -a $GITHUB_STEP_SUMMARY
+          elif [[ "${{ github.event_name }}" == "workflow_call" ]]; then
+            echo "should_run=true" >> $GITHUB_OUTPUT
+            PLUGIN="${{ inputs.storage-plugin || 'lvms' }}"
+            echo "storage_plugins=[\"${PLUGIN}\"]" >> $GITHUB_OUTPUT
+            if [[ "$PLUGIN" == "odf" ]]; then
+              echo "storage_plugins_connected=[\"lvms\"]" >> $GITHUB_OUTPUT
+            else
+              echo "storage_plugins_connected=[\"${PLUGIN}\"]" >> $GITHUB_OUTPUT
+            fi
+            echo "Called as reusable workflow — E2E will run (${PLUGIN})" | tee -a $GITHUB_STEP_SUMMARY
           elif [[ "${{ github.event_name }}" == "schedule" ]]; then
             echo "should_run=true" >> $GITHUB_OUTPUT
             echo "storage_plugins=[\"lvms\"]" >> $GITHUB_OUTPUT
@@ -149,9 +183,12 @@ jobs:
     needs: check-e2e-needed
     if: >-
       needs.check-e2e-needed.outputs.should_run == 'true' &&
-      (github.event_name != 'workflow_dispatch' || inputs.run-connected == true)
+      (github.event_name != 'workflow_dispatch' || inputs.run-connected == true) &&
+      (github.event_name != 'workflow_call' || inputs.run-connected != false)
     runs-on: [self-hosted, enclave-large]
     timeout-minutes: 210
+    outputs:
+      egress-artifact: ${{ steps.egress_upload.outputs.artifact-id != '' && format('egress-logs-connected-{0}-{1}', env.ENCLAVE_CLUSTER_NAME, github.run_id) || '' }}
 
     strategy:
       fail-fast: false
@@ -238,6 +275,13 @@ jobs:
           make -f Makefile.ci provision-landing-zone
           echo "Landing Zone provisioned" >> $GITHUB_STEP_SUMMARY
 
+      - name: Setup OpenSnitch for egress capture
+        if: inputs.capture-egress == true
+        run: |
+          echo "## Setting up OpenSnitch" >> $GITHUB_STEP_SUMMARY
+          make -f Makefile.ci setup-opensnitch
+          echo "OpenSnitch running on Landing Zone" >> $GITHUB_STEP_SUMMARY
+
       - name: Install Enclave Lab
         run: |
           echo "## Installing Enclave Lab" >> $GITHUB_STEP_SUMMARY
@@ -336,6 +380,20 @@ jobs:
         id: verify_cluster
         run: make -f Makefile.ci verify-cluster
 
+      - name: Collect egress logs
+        if: inputs.capture-egress == true && !cancelled()
+        run: make -f Makefile.ci collect-egress-logs
+
+      - name: Upload egress logs
+        if: inputs.capture-egress == true && !cancelled()
+        id: egress_upload
+        uses: actions/upload-artifact@v4
+        with:
+          name: egress-logs-connected-${{ env.ENCLAVE_CLUSTER_NAME }}-${{ github.run_id }}
+          path: artifacts/egress/
+          retention-days: 7
+          if-no-files-found: warn
+
       - name: Collect artifacts
         if: always()
         uses: ./.github/actions/collect-artifacts
@@ -413,7 +471,10 @@ jobs:
           GH_TOKEN: ${{ github.token }}
 
       - name: Cleanup infrastructure
-        if: always() && (github.event_name != 'workflow_dispatch' || inputs.skip-cleanup != true)
+        if: >-
+          always() &&
+          !((github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') &&
+            inputs.skip-cleanup == true)
         run: |
           echo "## Cleanup Infrastructure" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
@@ -440,7 +501,10 @@ jobs:
           fi
 
       - name: Cleanup skipped notice
-        if: always() && github.event_name == 'workflow_dispatch' && inputs.skip-cleanup == true
+        if: >-
+          always() &&
+          (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') &&
+          inputs.skip-cleanup == true
         run: |
           echo "## Cleanup Skipped" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
@@ -562,9 +626,12 @@ jobs:
     needs: check-e2e-needed
     if: >-
       needs.check-e2e-needed.outputs.should_run == 'true' &&
-      (github.event_name != 'workflow_dispatch' || inputs.run-disconnected == true)
+      (github.event_name != 'workflow_dispatch' || inputs.run-disconnected == true) &&
+      (github.event_name != 'workflow_call' || inputs.run-disconnected != false)
     runs-on: ${{ matrix.storage-plugin == 'odf' && fromJSON('["self-hosted", "enclave-large", "odf"]') || fromJSON('["self-hosted", "enclave-large"]') }}
     timeout-minutes: ${{ github.event_name == 'schedule' && 600 || 360 }}
+    outputs:
+      egress-artifact: ${{ steps.egress_upload.outputs.artifact-id != '' && format('egress-logs-disconnected-{0}-{1}', env.ENCLAVE_CLUSTER_NAME, github.run_id) || '' }}
 
     strategy:
       fail-fast: false
@@ -651,6 +718,13 @@ jobs:
           make -f Makefile.ci provision-landing-zone
           echo "Landing Zone provisioned" >> $GITHUB_STEP_SUMMARY
 
+      - name: Setup OpenSnitch for egress capture
+        if: inputs.capture-egress == true
+        run: |
+          echo "## Setting up OpenSnitch" >> $GITHUB_STEP_SUMMARY
+          make -f Makefile.ci setup-opensnitch
+          echo "OpenSnitch running on Landing Zone" >> $GITHUB_STEP_SUMMARY
+
       - name: Install Enclave Lab
         run: |
           echo "## Installing Enclave Lab" >> $GITHUB_STEP_SUMMARY
@@ -758,6 +832,20 @@ jobs:
           echo "### Mirror Registry Status" >> $GITHUB_STEP_SUMMARY
           ssh $SSH_OPTS cloud-user@$LZ_IP "podman ps --filter name=quay --format 'table {{.Names}}\t{{.Status}}'" >> $GITHUB_STEP_SUMMARY || true
 
+      - name: Collect egress logs
+        if: inputs.capture-egress == true && !cancelled()
+        run: make -f Makefile.ci collect-egress-logs
+
+      - name: Upload egress logs
+        if: inputs.capture-egress == true && !cancelled()
+        id: egress_upload
+        uses: actions/upload-artifact@v4
+        with:
+          name: egress-logs-disconnected-${{ env.ENCLAVE_CLUSTER_NAME }}-${{ github.run_id }}
+          path: artifacts/egress/
+          retention-days: 7
+          if-no-files-found: warn
+
       - name: Collect artifacts
         if: always()
         uses: ./.github/actions/collect-artifacts
@@ -835,7 +923,10 @@ jobs:
           GH_TOKEN: ${{ github.token }}
 
       - name: Cleanup infrastructure
-        if: always() && (github.event_name != 'workflow_dispatch' || inputs.skip-cleanup != true)
+        if: >-
+          always() &&
+          !((github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') &&
+            inputs.skip-cleanup == true)
         run: |
           echo "## Cleanup Infrastructure" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
@@ -862,7 +953,10 @@ jobs:
           fi
 
       - name: Cleanup skipped notice
-        if: always() && github.event_name == 'workflow_dispatch' && inputs.skip-cleanup == true
+        if: >-
+          always() &&
+          (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') &&
+          inputs.skip-cleanup == true
         run: |
           echo "## Cleanup Skipped" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY

.github/workflows/egress-capture.yml

@@ -0,0 +1,94 @@
+name: Egress Capture
+
+# Runs the full e2e deployment for both connected and disconnected modes with
+# OpenSnitch enabled, analyzes captured traffic, and either opens a PR to update
+# docs/EGRESS_ALLOWLIST.yaml (daily schedule) or posts a diff (dry-run / slash command).
+
+on:
+  schedule:
+    # Run daily at 1:00 AM EST (06:00 UTC), after the nightly e2e (03:00 UTC)
+    - cron: '0 6 * * *'
+  pull_request:
+    paths:
+      - '.github/TRIGGER_CAPTURE_E2E'
+  workflow_dispatch:
+    inputs:
+      run-connected:
+        type: boolean
+        default: true
+        description: 'Capture egress for connected mode'
+      run-disconnected:
+        type: boolean
+        default: true
+        description: 'Capture egress for disconnected mode'
+      dry-run:
+        type: boolean
+        default: true
+        description: 'Show diff only; do not create a PR'
+      pr-number:
+        type: string
+        default: ''
+        description: 'PR number to comment on (set by slash command)'
+
+permissions:
+  contents: read
+  checks: write
+
+jobs:
+  run-e2e-connected:
+    if: github.event_name == 'schedule' || inputs.run-connected != false
+    uses: ./.github/workflows/e2e-deployment.yml
+    with:
+      run-connected: true
+      run-disconnected: false
+      storage-plugin: lvms
+      skip-cleanup: false
+      capture-egress: true
+    secrets: inherit
+
+  run-e2e-disconnected:
+    if: github.event_name == 'schedule' || inputs.run-disconnected != false
+    uses: ./.github/workflows/e2e-deployment.yml
+    with:
+      run-connected: false
+      run-disconnected: true
+      storage-plugin: lvms
+      skip-cleanup: false
+      capture-egress: true
+    secrets: inherit
+
+  update-allowlist:
+    name: Update egress allow list
+    needs: [run-e2e-connected, run-e2e-disconnected]
+    if: always() && !cancelled()
+    runs-on: [self-hosted, pr-validation]
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Download connected egress logs
+        uses: actions/download-artifact@v4
+        with:
+          pattern: egress-logs-connected-*
+          path: egress-logs/connected/
+          merge-multiple: true
+        continue-on-error: true
+
+      - name: Download disconnected egress logs
+        uses: actions/download-artifact@v4
+        with:
+          pattern: egress-logs-disconnected-*
+          path: egress-logs/disconnected/
+          merge-multiple: true
+        continue-on-error: true
+
+      - name: Analyze and update allow list
+        env:
+          DRY_RUN: ${{ github.event_name == 'schedule' && 'false' || inputs.dry-run }}
+          PR_NUMBER: ${{ inputs.pr-number }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: scripts/egress/update_allowlist.sh

.github/workflows/infra-verify.yml

@@ -2,6 +2,11 @@ name: Infrastructure Verification
 
 on:
   workflow_dispatch:
+    inputs:
+      capture-egress:
+        type: boolean
+        default: false
+        description: 'Install OpenSnitch, capture egress traffic, and upload allow list YAML (smoke test)'
   pull_request:
     types: [opened, synchronize, reopened]
   merge_group:
@@ -31,6 +36,17 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      # TEMPORARY: enable egress capture via trigger file (remove before merging)
+      - name: '[TEMP] Check egress capture trigger'
+        id: egress_trigger
+        run: |
+          if [ -f ".github/TRIGGER_CAPTURE_INFRA" ]; then
+            echo "enabled=true" >> $GITHUB_OUTPUT
+            echo "Egress capture enabled via trigger file" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "enabled=false" >> $GITHUB_OUTPUT
+          fi
+
       - name: Generate unique cluster name
         id: cluster_name
         uses: ./.github/actions/setup-cluster-name
@@ -131,6 +147,13 @@ jobs:
           make -f Makefile.ci provision-landing-zone
           echo "✅ Landing Zone provisioned" >> $GITHUB_STEP_SUMMARY
 
+      - name: Setup OpenSnitch for egress capture
+        if: inputs.capture-egress == true || steps.egress_trigger.outputs.enabled == 'true'
+        run: |
+          echo "## Setting up OpenSnitch" >> $GITHUB_STEP_SUMMARY
+          make -f Makefile.ci setup-opensnitch
+          echo "OpenSnitch running on Landing Zone" >> $GITHUB_STEP_SUMMARY
+
       - name: Install Enclave Lab (Connected Mode)
         id: install_enclave
         run: |
@@ -140,6 +163,22 @@ jobs:
 
           ENCLAVE_DEPLOYMENT_MODE=connected make -f Makefile.ci install-enclave 2>&1 | tee step-logs/03-install-enclave.log
 
+      - name: Collect egress logs
+        if: (inputs.capture-egress == true || steps.egress_trigger.outputs.enabled == 'true') && !cancelled()
+        run: make -f Makefile.ci collect-egress-logs
+
+      - name: Analyze egress and generate allow list
+        if: (inputs.capture-egress == true || steps.egress_trigger.outputs.enabled == 'true') && !cancelled()
+        run: |
+          python3 scripts/egress/analyze_egress.py \
+            artifacts/egress/opensnitch-connections.json.gz infra \
+            > egress-allowlist-infra.yaml
+          cat egress-allowlist-infra.yaml
+          echo "## Egress Allow List (smoke test — infra only)" >> $GITHUB_STEP_SUMMARY
+          echo '```yaml' >> $GITHUB_STEP_SUMMARY
+          cat egress-allowlist-infra.yaml >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+
       - name: Collect step logs
         if: always()
         env:
@@ -161,6 +200,8 @@ jobs:
           path: |
             ci-artifacts/
             step-logs/
+            egress-allowlist-infra.yaml
+            artifacts/egress/
           retention-days: 7
 
       - name: Cleanup infrastructure