BCDevOps / OpenShift4-Migration

Scripts and info for Ministry teams migration from OpenShift 3.11 to 4.x
Apache License 2.0

Does OCP4 have a internal DNS Wildcard? #72

Closed StevenBarre closed 2 years ago

StevenBarre commented 3 years ago

In OCP3 there was a DNS wildcard for *.pathfinder.bcgov; is there an equivalent for OCP4?

As of Jan 27th 2021 there is now a DNS record for *.silver.devops.bcgov pointing at the same load balanced VIP as *.apps.silver.devops.gov.bc.ca.

Warnings

This exists to smooth like-for-like migrations from OCP3 and is not a recommended long-term architecture.

Using cluster-named DNS entries like *.silver.devops.bcgov or *.apps.silver.devops.gov.bc.ca makes future changes to your apps more complex as target clusters change. It is better to get a subdomain of gov.bc.ca (e.g. myapp.gov.bc.ca, or a "vanity name" e.g. myapp.ca if this is the team's preference) that is owned and managed by your application team and can be easily repointed should you later move to the GOLD cluster, or to an Azure-based cluster. Subdomains of gov.bc.ca can be public or an internal myapp.myministry.gov.bc.ca.

The default TLS cert used by the router is for *.apps.silver.devops.gov.bc.ca and does not list *.silver.devops.bcgov, since as of 2015 TLS certs signed by publicly trusted certificate authorities are not allowed to list internal DNS names (https://cabforum.org/internal-names/). Your application will either need to ignore the invalid cert, or use a custom self-signed cert added to your route: https://docs.openshift.com/container-platform/4.5/networking/routes/secured-routes.html

Internal DNS names provide very little additional security over the public DNS names. As the IP of the OCP ingress is on the public internet, and it just routes based on Host: headers, it is very easy to add an entry to your local /etc/hosts file and access an internal-DNS-named application. myobscureapp.apps.silver.devops.gov.bc.ca is equally obscure and unguessable as myobscureapp.silver.devops.bcgov for an attacker trying to find your route if it's not published publicly.
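The TLS warning above is easy to get wrong in practice: a wildcard SAN covers exactly one DNS label, so the router's default *.apps.silver.devops.gov.bc.ca certificate covers neither the *.silver.devops.bcgov alias nor a hostname with an extra label. The script below is an added example (not code from this repository or from the OCP4 platform) that applies the RFC 6125 single-label wildcard rule to a list of route hostnames so a team can audit which routes will present a valid certificate and which need their own cert on the route. The SAN list and the route hostnames are constructed from the names mentioned in this thread; the `myapp` and `legacy-alias` hostnames are hypothetical.

```python
"""Audit which OpenShift route hostnames are covered by the router's default TLS cert.

Wildcard matching follows RFC 6125 section 6.4.3: '*' is only honoured as the
complete left-most label and matches exactly one label (no multi-label or
partial-label matching). Comparison is case-insensitive and ignores a trailing dot.
"""

# SAN list of the Silver router's default certificate, as stated in the thread.
ROUTER_DEFAULT_CERT_SANS = ["*.apps.silver.devops.gov.bc.ca"]

# Constructed route hostnames for the audit (hypothetical app names).
SAMPLE_ROUTE_HOSTS = [
    "myapp.apps.silver.devops.gov.bc.ca",      # public wildcard -> covered
    "myapp.silver.devops.bcgov",               # internal alias -> not in cert
    "api.myapp.apps.silver.devops.gov.bc.ca",  # two labels under wildcard -> not covered
    "legacy-alias.pathfinder.bcgov",           # OCP3-era name -> not covered
]


def _labels(name: str) -> list[str]:
    """Normalise a DNS name into lower-case labels without a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def hostname_matches_san(hostname: str, san: str) -> bool:
    """Return True if `san` (a DNS-ID, possibly with a leading '*') covers `hostname`."""
    host = _labels(hostname)
    pattern = _labels(san)
    if len(host) != len(pattern):
        # A wildcard never spans more than one label, so label counts must agree.
        return False
    if pattern[0] == "*":
        # Refuse degenerate patterns such as "*.ca" (wildcard directly under a TLD)
        # and only compare the remaining labels.
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    # Partial-label wildcards ("f*.example") are not honoured: exact match only.
    return host == pattern


def covered_by_cert(hostname: str, sans: list[str]) -> bool:
    """True if any SAN in the certificate covers the hostname."""
    return any(hostname_matches_san(hostname, san) for san in sans)


def audit_routes(route_hosts: list[str], sans: list[str]) -> dict[str, bool]:
    """Map each route hostname to whether the default cert would validate for it."""
    return {host: covered_by_cert(host, sans) for host in route_hosts}


def uncovered_routes(route_hosts: list[str], sans: list[str]) -> list[str]:
    """Hostnames that need a custom certificate attached to the route."""
    return [host for host, ok in audit_routes(route_hosts, sans).items() if not ok]


if __name__ == "__main__":
    for host, ok in audit_routes(SAMPLE_ROUTE_HOSTS, ROUTER_DEFAULT_CERT_SANS).items():
        status = "covered by default cert" if ok else "NEEDS custom cert on route"
        print(f"{host:45s} {status}")
```

Run it as-is to see the four sample hostnames classified; to audit a real project, replace `SAMPLE_ROUTE_HOSTS` with the output of `oc get routes -o jsonpath='{.items[*].spec.host}'` and `ROUTER_DEFAULT_CERT_SANS` with the SANs read from the router's certificate. Any hostname reported as uncovered will fail TLS validation against the default cert, which is the case described above for the *.silver.devops.bcgov alias.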

rloisell commented 3 years ago

I would like to comment that the general barrier to a myapp.gov.bc.ca vanity domain is that it requires GCPE approvals, and is often a challenge to acquire without a supporting business case (for the naming selected). Mapping under a ministry subdomain myapp.ministry.gov.bc.ca does not have that same barrier to entry and is often an option within the control of each ministry.

CC: @juhewitt

PS. Thank you for enabling migrations while we address issues with how to approach this in the new cluster.

juhewitt commented 3 years ago

@rloisell I'm working on getting some support from GCPE on specific language and standards, that I co-created with them for transparency's sake. Everything you wrote is exactly by design... once you get your subdomain in place through GCPE, you are on your way for all subdomains within... it's the first one... so trying to see if I can get some language to set expectations to make it easier for everyone.