jbrown-xentity
commented
1 year ago my bad, wrong ticket
Open nickumia-reisys opened 1 year ago
jbrown-xentity
commented
1 year ago my bad, wrong ticket
nickumia-reisys
commented
1 year ago Having explored a few options, I've decided that my original sketch is too complicated. It might be more logical to keep the same deployment procedure that we've been using for our other apps. Irrespective of this fact, the following steps need to be taken (admin -- @btylerburton @Jin-Sun-tts @jbrown-xentity):
development-ssb-egress spacemanagement-staging-egress spacemanagement-egress spaceSince we have the infrastructure already setup and optimized in this repo, I would suggest to add the ssb apps to this repo, but the two options are:
data.gov repo to include ssb-eks, ssb-smtp and ssb-solrcloud apps in the development-ssb-egress, management-staging-egress and management-egress spaces~datagov-ssb repo.
Create space-deployer accounts in egress spaces (@btylerburton @Jin-Sun-tts)
cf create-service cloud-gov-service-account space-deployer ci-deployer (development-ssb-egress)cf create-service cloud-gov-service-account space-deployer ci-deployer (management-staging-egress)cf create-service cloud-gov-service-account space-deployer ci-deployer (management-egress)cf create-service-key ci-deployer datagov-ssb-deployer (development-ssb-egress)cf create-service-key ci-deployer datagov-ssb-deployer (management-staging-egress)cf create-service-key ci-deployer datagov-ssb-deployer (management-egress)Each key needs to be added to the Github Secrets in datagov-ssb
development-ssb, management-staging and management.Next step (regardless of last decision) is to:
ssb-eksssb-smtpssb-solrcloud*Note: I would consolidate these lists if practical.
Deploy all egress apps:
Once the apps are deployed and functioning, I believe all that's left to do is:
cf add-network-policy ssb-eks proxy-gsa-datagov-management-ssb-eks -s management-egress -o gsa-datagov --protocol tcp --port 8080cf add-network-policy ssb-eks proxy-gsa-datagov-management-staging-ssb-eks -s management-staging-egress -o gsa-datagov --protocol tcp --port 8080cf add-network-policy ssb-eks proxy-gsa-datagov-development-ssb-ssb-eks -s development-ssb-egress -o gsa-datagov --protocol tcp --port 8080cf add-network-policy ssb-smtp proxy-gsa-datagov-management-ssb-smtp -s management-egress -o gsa-datagov --protocol tcp --port 8080cf add-network-policy ssb-smtp proxy-gsa-datagov-management-staging-ssb-smtp -s management-staging-egress -o gsa-datagov --protocol tcp --port 8080cf add-network-policy ssb-smtp proxy-gsa-datagov-development-ssb-ssb-smtp -s development-ssb-egress -o gsa-datagov --protocol tcp --port 8080cf add-network-policy ssb-solrcloud proxy-gsa-datagov-management-ssb-solrcloud -s management-egress -o gsa-datagov --protocol tcp --port 8080cf add-network-policy ssb-solrcloud proxy-gsa-datagov-management-staging-ssb-solrcloud -s management-staging-egress -o gsa-datagov --protocol tcp --port 8080cf add-network-policy ssb-solrcloud proxy-gsa-datagov-development-ssb-ssb-solrcloud -s development-ssb-egress -o gsa-datagov --protocol tcp --port 8080cf unbind-security-group public_networks_egress gsa-datagov development-ssb --lifecycle runningcf unbind-security-group public_networks_egress gsa-datagov management-staging --lifecycle runningcf unbind-security-group public_networks_egress gsa-datagov management --lifecycle runningAs a foreboding warning, we may have memory usages following this deployment. We have 39G of constant app allocation, with rolling restarts and recurring tasks, the usage gets really close to our 50G limit. This work will add ~1GB to our constant app allocation. I fear it being just enough to be causing more random failures.
nickumia-reisys
commented
1 year ago Documenting here, but I'm sure it will get lost again. For the current egress deployments to work, the ci-deployer key that is created in the non-egress space needs to be given additional permission to the egress space. @btylerburton was able to assign the correct permissions and we did it through the cloud.gov dashboard UI.
robert-bryson
commented
1 year ago After the huddle yesterday, I poked around a bit and found that (for Terraform Enterprise at least) there is a list of domains that need egress. I added those to the allow.acl but it still had the same issue creating the service.
I have still been able to ping domains not on the allow list from the ssb-solrcloud app so I am suspicious that egress is working correctly.
nickumia-reisys
commented
1 year ago The ssb egress deployment is supposed to be an identical copy of the data.gov egress deployment. While the deployment process was not formally documented anywhere (including the historical issue mentioned above), the following statements highlight the key points:
app in the main space.egress-proxy in the main-egress space.main space has the cloud.gov trusted_local_networks_egress security group applied to it.
main-egress space has the cloud.gov public_networks_egress security group applied to it.
app and the egress-proxy.
app must go through the egress-proxyproxy_url that informs the app of the url/username/password/port of the egress-proxy. On startup, the app converts the proxy_url to https_proxy to start enforcing it. The reason is because if https_proxy is set then it will cause problems during staging of the app. Below are a few relevant PRs/Issues:egress-proxy is: https://github.com/GSA/cg-egress-proxy/tree/main/proxyegress-proxy is scripted, but not automated.
egress-proxy, the network-policy and sets the proxy_url in the app
main and main-egress spaces. proxy_url variable in the app, deletes the network-policy and then restarts the app for the changes to take effectegress-proxy source code or (allow/deny) acls, the disable workflow MUST be run and then the enable workflow MUST be run. (This is a terrible design, but it's the current situation)egress-proxy./caddy stop./caddy startapp test the url or process that needs to talk to the domain.(Each broker app lives in cloud.gov) to create (services that live outside of cloud.gov) to be made available to (other apps in cloud.gov). For the following explanation, I will use the ssb-solrcloud broker app in development-ssb space as an example, but the same details apply to the rest of the brokers and all of the other spaces.
ssb-solrcloud app that exists in the development-ssb space.proxy-gsa-datagov-development-ssb-ssb-solrcloud app that exists in the development-ssb-egress space.test-solr service that exists (or will be created) in the development-ssb space.test-solr is created by running cf create-service solr-on-ecs base "test-solr" -c service-config.json -b "ssb-solrcloud-gsa-datagov-development-ssb" --wait in the development-ssb space.
service-config.json is copied from either catalog or inventory.ssb-solrcloud app.ssb-solrcloud app receives the request via the cloud-service-broker binary.cloud-service-broker binary then does some housekeeping and creates a terraform workspace in the attached DB.datagov-brokerpak-solr code.proxy-gsa-datagov-development-ssb-ssb-solrcloudtest-solr service on cloud.gov and accessible from other apps within its cloud.gov space.proxy-gsa-datagov-development-ssb-ssb-solrcloud proxy is for the ssb-solrcloud app and NOT the resources that represent Solr. ⭐ ⭐
proxy-gsa-datagov-development-ssb-ssb-solrcloud needs to allow the ssb-solrcloud app to talk to whoever to create the Solr, but it does not manage the Solr itself.The egress-proxy uses caddy as a reverse proxy to control egress traffic. There are few modules and plugins that help caddy do its job. The five main components that are relevant are:
Caddyfile .... not really relevant, just need to know it exists and is the configuration file.start.sh ... also not really relevant, does some certificate magic and stuff haha...profile does some acl stuff on startup.allow.acl are all of the domains that are allowed through.deny.acl are all of the domains explicitly denied.
allow or deny are implicitly denied, but there needs to be at least something in the deny.acl (learned from @robert-bryson)If you attempt to access something on the allowed list, you should get a 200. If you attempt to access something on the denied list, you should get a 403. When we say that the egress proxy is not doing what it was designed to do, essentially all domains are returning a 200.
Through trial and error, the farthest we've gotten is that the ssb-solrcloud app needs to talk to registry.terraform.io to download the vpc module. This most likely occurs during a terraform init. We've added all of the terraform specific routes, but have not seen the process get any further. This could be a compound issue with the problem highlighted by Appendix A, but it may or may not be related. We can access everything from the ssb-solrcloud app (container). But as I'm writing this, I'm wondering if there is a problem with the cloud-service-broker binary abstraction where it needs to be configured to talk to the egress proxy properly. The terraform process runs in the ssb-solrcloud app itself, it's not like a second layer of virtualization (at least I don't think so), so it shouldn't have any additional layers of abstraction to jump through (although it is a possibility). The reason I think this is unlikely is because sometimes the service retrieves some bytes, the connection just gets closed early... this is technically a lead, but not much to work with.
Given that we have not made it past the terraform init, we still don't know what's necessary for the terraform apply and as equally as important the terraform destroy. For eks, there may be additional dependencies since it uses helm and kubectl which downloads charts and other resources. @robert-bryson comment above highlights part of a solution, but it is not the entire solution.
All in all, this is a very complex technology stack with a lot of peculiarities, I will not call it elegant, but it is a wonder how it all works. I wish I could offer more help, but this is all that I have about the problem currently.
nickumia-reisys
commented
1 year ago List of possible issues (none of which I have been able to verify or deny)
nickumia-reisys
commented
1 year ago Investigated TF Possible Environment Variable workarounds.. Nothing seems to inhibit or support the use of an egress proxy. I have a hunch that terraform is not using the egress proxy properly. It seems like the egress proxy is working properly now in that domains in the allowed list are allowed and everything else is denied.
nickumia-reisys
commented
1 year ago I fear we may have to implement something like this 😢 😭 ... https://github.com/jasonwbarnett/terraform-registry-proxy
nickumia-reisys
commented
1 year ago Although looking through the code, it doesn't seem to have anything special in it... For the sake of trying the only known option found above, the following steps will be taken as a proof-of-concept:
terraform-registry-proxy.
development-ssb-egress space.proxy-gsa-datagov-development-ssb-ssb-solrcloud can talk to terraform-registry-proxy.terraform-registry-proxy for the terraform required providers.ssb-solrcloud in development-ssbnickumia-reisys
commented
1 year ago Ssoooooo.... super complicated proof-of-concept (shoutout to @btylerburton for helping me focus through a critical part!)
https://github.com/jasonwbarnett/terraform-registry-proxy
/health route to pass cloud.gov healthchecks
(in func main)
http.HandleFunc("/health", health)(somewhere at root) func health(w http.ResponseWriter, req *http.Request) { fmt.Fprintf(w, "hello\n") }
- I vendored go dependencies by using either `godep` or `dep` or some form of `mod` vendoring?
```bash
# https://github.com/golang/dep#installation
sudo apt-get install go-dep
dep init
dep ensure
# https://github.com/tools/godep#install
go get github.com/tools/godep
# mod vendoring?
go get ./...
go mod vendorcf push terraform-registry)
---
applications:
- name: terraform-registry
buildpacks:
- https://github.com/cloudfoundry/go-buildpack
routes:
- route: terraform-registry.apps.internal
- route: hashicorp-releases.apps.internal
health-check-type: http
health-check-http-endpoint: /health
health-check-invocation-timeout: 60
instances: 1
disk_quota: 2G
memory: 250M
# (note: the :8080 is super important to get it to work)
command: server -registry-proxy-host terraform-registry.apps.internal:8080 -release-proxy-host hashicorp-releases.apps.internal:8080
env:
GO_INSTALL_PACKAGE_SPEC: terraform-registry/servercf add-network-policy proxy-gsa-datagov-development-ssb-ssb-solrcloud terraform-registry -s development-ssb-egress -o gsa-datagov --protocol tcp --port 8080
cf add-network-policy ssb-solrcloud terraform-registry -s development-ssb-egress -o gsa-datagov --protocol tcp --port 8080proxy-gsa-datagov-development-ssb-ssb-solrcloud
allow.acl
api.replicated.com
get.replicated.com
registry-data.replicated.com
registry.replicated.com
*.quay.io
cdn.quay.io
quay-registry.s3.amazonaws.com
*.cloudfront.net
hub.docker.com
index.docker.io
auth.docker.io
registry-1.docker.io
download.docker.com
production.cloudflare.docker.com
install.terraform.io
releases.hashicorp.com
yy0ffni7mf-dsn.algolia.net
*.apps.internalcurl -I http://terraform-registry.apps.internal:8080/.well-known/terraform.jsonssb-solrcloud
datagov-brokerpak-solr source code,"hashicorp/aws" to "terraform-registry.apps.internal/hashicorp/aws""hashicorp/template" to "terraform-registry.apps.internal/hashicorp/template""terraform-aws-modules/vpc/aws" to "terraform-registry.apps.internal/terraform-aws-modules/vpc/aws"insecure = true to (aws) provider definition~~The terraform-registry proxy app is setup only for http use, so I tried to get the terraform code to send http requests to it, not https requests through the insecure = true configuration. It did not work. If we get terraform to send http requests, I have pretty high confidence that this will get it to work.~ However, I figured I would document this much for now while I still try other ways of getting it to work. All in all, if this does eventually work, we'll have to come up with a deployment framework for this new app terraform-registry which will be a separate headache altogether...
~This seems so close...!~
A list of references:
nickumia-reisys
commented
1 year ago Well... learning about terraform internals.. It seems like the discovery service can only be used with https.
It is strongly recommended to provide the discovery document for a hostname on the standard HTTPS port 443. However, in development environments this is not always possible or convenient, so Terraform allows a hostname to end with a port specification consisting of a colon followed by one or more decimal digits.
When a custom port number is present, the service on that port is expected to implement HTTPS and respond to the same fixed discovery path.
For day-to-day use it is strongly recommended not to rely on this mechanism and to instead provide the discovery document on the standard port, since this allows use of the most user-friendly hostname form.
With this information, it seems like the terraform-registry must be reworked to run on https... I don't think this is worth the effort (but I'll still try for now I guess). We would not only be incorporating another third-party service, but we would need to fork it to get it to work for us.
I don't know where to start with the alternative path of trying to include the vpc module so that terraform doesn't need to download anything. From my preliminary analysis, it seem like modules cannot be packaged in the buildpak in the same way as terraform sources and binaries.
nickumia-reisys
commented
1 year ago As more context, the thing that we are trying get to terraform is displayed in the following screenshot: As opposed to the providers which are all packaged in the broker, the modules are not..
Also note: This is just for the solr brokerpak. This would need to be done for the eks brokerpak too which has more modules..
nickumia-reisys
commented
1 year ago We could manually install the modules dir and disable the terraform call to HashiCorp-provided network services using the .terraformrc. This seems a bit hack-y though.. And then I'm not sure if there will be other things terraform will try to talk to and get blocked.
nickumia-reisys
commented
1 year ago As a summary of possible next steps:
terraform-registry and make it operate on httpsterraform-registry into egress-proxy (since egress-proxy is already handling ssl certs)egress-proxy and figure out if there's another solution to this problem... (I guess we could enable more logging in Caddy, but I'm still not convinced that we will determine the root of the problem)~
INFO as the lowest log level and it is already set to that level.
mogul
commented
1 year ago From way above:
But as I'm writing this, I'm wondering if there is a problem with the cloud-service-broker binary abstraction where it needs to be configured to talk to the egress proxy properly.
From googling, it looks like Terraform understands and uses HTTPS_PROXY. I'm wondering if this could be resolved by ensuring the HTTPS_PROXY env var is propagated all the way into the CSB's invocation of Terraform. (It looks like no env vars are propagated currently; I asked about that in the CF Slack.)
hkdctol
commented
1 year ago Awaiting some information from upstream on vendoring modules
nickumia-reisys
commented
1 year ago Ongoing discussion with upstream CSB Team: https://cloudfoundry.slack.com/archives/C0164KKEZGX/p1675103503770689
nickumia-reisys
commented
1 year ago As an update on discoveries and current sticking points:
modules are not currently packaged with the binaries which causes it to try to connect to the world and download them (giving the Failed to request discovery document: Get https://x.y.z/.well-known/terraform.json error)None of those solutions seem enticing to me, but I'll leave it up to the team to come up with more or decide from these.
jbrown-xentity
commented
1 year ago Summary Doc @hkdctol
hkdctol
commented
1 year ago ISSO advises we start work on AOR, at https://docs.google.com/document/d/11iNXSSk556VA1fhx6KaeYmw-qCktypjh/edit?usp=sharing&ouid=113511966954817069922&rtpof=true&sd=true
hkdctol
commented
1 year ago Draft AOR sent to ISSO
hkdctol
commented
1 year ago Met with ISSM on 8/9, this is pending CISO return from leave in a few weeks
rpalmer-gsa
commented
1 year ago @nickumia-reisys
Couple of questions:
Is this still going though the proxy with an Allow * from a domain standpoint, or not going though the proxy at all?
_"Accept that the module cannot be packaged and work on the actual HTTPSPROXY issue This requires more debugging of the CSB and analyzing what specific requests are being blocked/not handled properly or otherwise lost in translation."
If you send it though an Allow Any proxy and log the URLs would this be a means to populate the list of all URLS that are needed? Is this due to blocks, or is it due to usage of the proxy itself, its a little unclear from above.
nickumia-reisys
commented
1 year ago @rpalmer-gsa
Is this still going though the proxy with an Allow * from a domain standpoint, or not going though the proxy at all?
Currently, there are no egress applications set up. Is there a desire to have an Allow * proxy app?
If you send it though an Allow Any proxy and log the URLs would this be a means to populate the list of all URLS that are needed?
The issue is not "what are the domains/urls that need to get through".
Is this due to blocks, or is it due to usage of the proxy itself, its a little unclear from above.
The issue is that the CSB is not recognizing the proxy environment variables, so it doesn't know to send traffic through the proxy. Because all egress is disallowed except through the proxy, the requests do not leave the container at all.. I assume they get stuck at some network level "waiting to be sent" ...or... the container thinks it sent it and is waiting for a response that never comes.
hkdctol
commented
8 months ago Met with ISSM on 1/22 - he will follow up on AOR status
gujral-rei
commented
4 months ago Is this item up for review as part of the assessment?
User Story
In order to increase our security posture, the Data.gov SSB Team wants to implement an egress-proxy in conjunction with our SSB Apps (
ssb-solr,ssb-eksandssb-smtp).Acceptance Criteria
Background
Historical Issues/References
Security Considerations (required)
To satisfy POAM
Sketch