GSA-TTS / cg-egress-proxy

Provides controlled egress for apps in a restricted-egress cloud.gov space

Enable New Relic connections #15

Closed rahearn closed 1 year ago

rahearn commented 1 year ago

This PR does 2 things:

1) includes native TLS termination work @mogul started in #9
2) includes 61443 in the list of allowed ports.

For reasons I'm not entirely clear on, New Relic (at least the Python flavor) cannot connect to its collector without the proxy allowing connections to itself in addition to gov-collector.newrelic.com. Adding *.apps.internal can be done for each app in their allow.acl file, but the ports change needs to be made here.
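A small model of the two independent checks the comment above describes, added here as an illustration (it is not code from this PR or from the proxy): a request must pass both a proxy-wide port list and a per-app host ACL. The matching rules, port 443 as the pre-existing allowed port, and the proxy hostname are assumptions; only 61443, `*.apps.internal` and `gov-collector.newrelic.com` come from the thread.

```python
# Constructed sample values. Only port 61443, *.apps.internal and
# gov-collector.newrelic.com come from the thread; port 443 as the
# pre-existing allowed port and the proxy hostname are assumptions.
PORTS_BEFORE = {443}
PORTS_AFTER = {443, 61443}
ACL_WITHOUT_INTERNAL = ["gov-collector.newrelic.com"]
ACL_WITH_INTERNAL = ["gov-collector.newrelic.com", "*.apps.internal"]
PROXY_HOST = "example-egress-proxy.apps.internal"  # hypothetical name


def host_allowed(host, acl):
    """Match a host against ACL entries; '*.' wildcards match subdomains only."""
    host = host.lower().rstrip(".")
    for entry in acl:
        entry = entry.strip().lower()
        if entry.startswith("*."):
            suffix = entry[1:]  # ".apps.internal": forces a label boundary
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False


def egress_decision(host, port, acl, allowed_ports):
    """Return (allowed, reason); both the port and the host check must pass."""
    if port not in allowed_ports:
        return (False, "port")
    if not host_allowed(host, acl):
        return (False, "host")
    return (True, "ok")


if __name__ == "__main__":
    for acl, ports in [
        (ACL_WITH_INTERNAL, PORTS_BEFORE),     # ACL updated, port list not
        (ACL_WITHOUT_INTERNAL, PORTS_AFTER),   # port list updated, ACL not
        (ACL_WITH_INTERNAL, PORTS_AFTER),      # both changes in place
    ]:
        print(egress_decision(PROXY_HOST, 61443, acl, ports))
```

The wildcard is matched at a label boundary, so an entry like `*.apps.internal` does not also admit a look-alike host such as `evilapps.internal`.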

rahearn commented 1 year ago

I verified this works in notify's sandbox environment for both New Relic and AWS service connections. Marking as ready for review but I'll also be deploying it to our staging environment soon if we want a longer run of use before merging.

btylerburton commented 1 year ago

I tagged @GSA/data-gov-support for a review of this. Will regroup on the ramifications to data.gov systems for moving this to the GSA-TTS org as @mogul has suggested.

robert-bryson commented 1 year ago

Looks like a lot of great work here, nice job!

I'm trying to follow along at home and it looks like this would do away with managing certs within the proxy. On datagov we have an action that restarts egress daily as there was historically an issue with certs expiring. Admittedly, we haven't revisited this issue, but this may allow us to remove that.

mogul commented 1 year ago

> I'm trying to follow along at home and it looks like this would do away with managing certs within the proxy. On datagov we have an action that restarts egress daily as there was historically an issue with certs expiring. Admittedly, we haven't revisited this issue, but this may allow us to remove that.

You should not have seen that issue recurring since this earlier fix that Ryan submitted!

rahearn commented 1 year ago

@mogul and/or @btylerburton did we get our approving rights figured out on this repo yet?

mogul commented 1 year ago

I added @GSA-TTS/cg-contributors as Admin on the repository, and I left an approval, which seems to count:

[image]

The PR still wants a review from the data.gov team. I wasn't able to cancel that request, but I don't think it's actually blocking merge. Instead: [image]