Closed StevenBarre closed 4 years ago
Scope has changed to getting TLS set up on Clecio's haproxies.
Waiting on response from Clecio.
@cvarjao Can you please get back to @tbaker1313 on this. Thank you!
@tbaker1313's time seems very scarce, and so is mine. We can't seem to find a time to connect for some troubleshooting.
Hi Clecio, sorry these last days have been busy with building some new nodes. Will reach out tomorrow to troubleshoot, I think I see the cert issue.
@sbarre-esit, @tbaker1313, I think the description of this issue may be incorrect. We are NOT using any enforcer daemon, it is just HAProxy, right? Or is that another ticket?
Correct, the Aporeto enforcer daemon is turned off. But it's the same hosts, and we've been billing the time against the same drawdown as the "Install Aporeto proxies" work was.
Updated Title and description
Will be reaching out to Clecio to understand his requirements/timelines better
Will reach out this week to Tim Baker to perform a warm hand-over of overall status, what's been done, etc.
Reached out to Clecio to coordinate a date/time we can meet on discussing formally defining what is "done" as a viable definition, and if it's been reached yet with work to date performed by Tim Baker, or if there's more to do - waiting to hear back from him to confirm when we can meet and discuss this.
Initial discussion with Clecio stated that for now, the ball is in their court and not ours. Our work is not yet done however since we still have PROD servers that have yet to be set up for Clecio and the involved Ministry.
Starting work on a formalized definition of done factoring in feedback from Clecio and Tim Baker so that we can add a check-list to this task that will more accurately reflect where we stand on this request.
Request is to have a meeting opened between William, Clecio, Justin and Olena for sometime on Friday August 13th to both review how this solution is set to fulfill the current users' needs as well as how this solution could scale to be used for other business cases.
Dropped the ball on this one, hadn't done the requested meeting invite in a timely fashion.
Will first need to revisit with Olena/Justin regarding meeting solution preference. If they want to use MS Teams for this, then they will need to be the ones to create the meeting, since DXC MS Teams is not by default directly compatible with the BC Gov solution, but we at DXC are able to join a formal meeting link from BCGov (not an ad hoc meeting or chat creation, learned that the hard way when collaborating previously with Shelly Han).
Followed up with Clecio via email as well today about this too - waiting for a response as well since Rocket Chat hasn't been the best for getting back from him on updates.
@tosazuwa Been asked by Olena for your assistance in helping me create an MS Teams invite for myself, Clecio Varjao, Olena and Justin Hewitt for the purpose of discussing the work-around solution originally started between Platform team and some stakeholders Clecio is involved with for a "Plan B" option if we have a no-go with Aporeto in OCP4.
While I cannot create MS Teams invites usable by all stakeholders, my Outlook does at least allow me to check calendar availability, so for now, please create a meeting invite for the mentioned individuals for September 3rd 2020 between 2:00pm and 3:00pm. Olena was looking for a Friday meeting but Clecio is on flex for September 4th.
Thanks!
Neglected to properly follow through on this, in retrospect using just GitHub to reach out to Tolu wasn't the best choice.
Currently reviewing Outlook calendar for a suitable window and attempting to re-schedule with a tad more lead-time. Will still need Tolu to create the MS Teams meeting since I cannot do that. September 11th at 11:00am is thus far looking promising.
@wmhutchison, happy to help. Didn't get the Aug 27th notification. I will book this now.
@tosazuwa Thanks. Meeting invite received, subject/description is good enough for involved parties to know what's being discussed since people invited are familiar with the overall situation with Aporeto.
Nothing new to report. Meeting scheduled for the morning of September 11th 2020.
Follow-up meeting scheduled for September 24th to take place after the weekly prioritization meeting.
The discussion took place on Sep 24. It was decided that the security level provided by the HAProxy/TLS solution (Plan B for when Aporeto is unavailable) is not satisfactory. One additional measure that can bring the security level up would be to implement a sidecar inside a pod connecting to the HAProxy. However, at this moment there is no capacity to further investigate this approach, especially considering that Service Mesh is a more appropriate long-term solution that the team is more interested in exploring. https://app.zenhub.com/workspaces/openshift-4-build-out-5db73142897668000144f22b/issues/bcdevops/openshift4-rollout/91
This ticket will now be closed and the "Aporeto in Zone B" alternative solution in the future will be developed using Service Mesh.
This has transitioned to working on setting up TLS certs in the HAProxy on the nodes as Aporeto isn't coming back in OCP3.
Old description
https://trello.com/c/MFl9i4VC/157-aporeto-proxy-setup
We want to be able to use HAProxy running an Enforcer daemon to bridge traffic from OCP to Zone B servers.
https://app.zenhub.com/workspaces/devsecops-5d545ae6999dd23f582aac62/issues/bcdevops/platform-services/383
SCTASK0097323