Closed menmarc closed 2 years ago
The ingress gateways for all aaw services are internet accessible - but they are behind azure login at least (not sure if that is GoC or StatCan only though).
A proposal to add additional ingresses is here: https://github.com/StatCan/daaas/issues/936 but no work has started on that yet.
There is a virtual service named disclosure-vetting in dev that maps disclosure vetting to the ingress-general-system/general-istio-ingress-gateway-https gateway, which is public facing (ignoring that dev is not supposed to be public; but that ingress will represent what is public facing in prod).
To make it like prod, you'll want to map it to the istio-system/protected-b-istio-ingress-gateway-https
gateway instead so that it is exposed only to AAW and CAE environments. You'll probably need the DNS entry updated to point to the PB gateway instead.
This is also wrong in prod, so the same change should be made there. I recall us discussing this a while back.
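As an added example (not code from the issue thread or the aaw-argocd-manifests repo), the following check audits already-parsed Istio VirtualService objects and reports any bound to a public-facing gateway rather than the protected-b one; it also handles gateway references that omit the namespace, which Istio resolves against the VirtualService's own namespace. The sample objects, the `disclosure-vetting` destination host and the `PUBLIC_GATEWAYS` set are constructed assumptions.

```python
# Added example: flag VirtualServices bound to a public ingress gateway.
# Inputs are plain dicts as produced by any YAML loader; no cluster access needed.

PUBLIC_GATEWAYS = {"ingress-general-system/general-istio-ingress-gateway-https"}
PROTECTED_GATEWAY = "istio-system/protected-b-istio-ingress-gateway-https"

def qualify_gateway(ref, vs_namespace):
    """Return a namespace/name gateway reference.

    Istio lets a VirtualService name a Gateway without a namespace; the Gateway is
    then looked up in the VirtualService's own namespace. "mesh" is the reserved
    name for sidecar-only (in-mesh) traffic and is never an ingress.
    """
    if ref == "mesh" or "/" in ref:
        return ref
    return f"{vs_namespace}/{ref}"

def public_virtualservices(objects, public_gateways=PUBLIC_GATEWAYS):
    """Return (namespace, name, gateway) for every VirtualService on a public gateway."""
    findings = []
    for obj in objects:
        if obj.get("kind") != "VirtualService":
            continue
        meta = obj.get("metadata", {})
        ns = meta.get("namespace", "default")
        # With no gateways list, Istio binds the VirtualService to "mesh" only.
        for gw in obj.get("spec", {}).get("gateways", ["mesh"]):
            full = qualify_gateway(gw, ns)
            if full in public_gateways:
                findings.append((ns, meta.get("name"), full))
    return findings

# Constructed sample: the "before" manifest described in the thread (bound to the
# general gateway) and a corrected one bound to the protected-b gateway.
SAMPLE_OBJECTS = [
    {"apiVersion": "networking.istio.io/v1beta1", "kind": "VirtualService",
     "metadata": {"name": "disclosure-vetting", "namespace": "org-ces-system"},
     "spec": {"hosts": ["org-ces-system-disclosure-vetting.aaw-dev.cloud.statcan.ca"],
              "gateways": ["ingress-general-system/general-istio-ingress-gateway-https"],
              "http": [{"route": [{"destination": {"host": "disclosure-vetting"}}]}]}},
    {"apiVersion": "networking.istio.io/v1beta1", "kind": "VirtualService",
     "metadata": {"name": "disclosure-vetting-fixed", "namespace": "org-ces-system"},
     "spec": {"hosts": ["org-ces-system-disclosure-vetting.aaw-dev.cloud.statcan.ca"],
              "gateways": [PROTECTED_GATEWAY],
              "http": [{"route": [{"destination": {"host": "disclosure-vetting"}}]}]}},
]

if __name__ == "__main__":
    for ns, name, gw in public_virtualservices(SAMPLE_OBJECTS):
        print(f"{ns}/{name} is bound to public gateway {gw}; expected {PROTECTED_GATEWAY}")
```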
@zachomedia so, to not be public facing in DEV, "disclosure-vetting" should be mapped to istio-system/protected-b-istio-ingress-gateway-https ? (and then update the proper DNS)
@zachomedia can you advise regarding the DNS entry for the protected-b gateway?
Looking at https://gitlab.k8s.cloud.statcan.ca/cloudnative/aaw/modules/terraform-azure-statcan-aaw-network/-/blob/main/dns.tf Blair added a DNS record for org-ces-system-vetting-elastic, which we can do for this request... but it appears this was only done this way because the protected-b wildcard DNS "*.protected-b" wasn't included in the cert for dev. Is this something we should be looking into fixing instead of the manual record? It would make it a lot easier to use the protected-b gateway with the wildcard DNS for future requests!
Added org-ces-system-disclosure-vetting.aaw-dev.cloud.statcan.ca as a virtual service on the protected-b ingress gateway: https://github.com/StatCan/aaw-argocd-manifests/blob/aaw-dev-cc-00/org-ces-system/disclosure-vetting/manifest.yaml
Added private dns records to the aaw platform merged in aaw-dev: https://gitlab.k8s.cloud.statcan.ca/cloudnative/aaw/terraform-advanced-analytics-workspaces-infrastructure/-/commit/9f6835247ad958532bff4cb98c0a322fcf5b0313
@menmarc can you make us a separate ticket to update prod as well (when the changes are all validated)?
Dev URL changed to https://org-ces-system-disclosure-vetting-dev.aaw-dev.cloud.statcan.ca and using the protb-ingress. This change is not expected in production as they want the service available from other networks, i.e. the internet.
@vexingly The URL works but now the app is trying to get to https://login.microsoftonline.com/... for the auth screen, which fails. Is there a way to open a connection to that site?
Resolved by https://github.com/StatCan/daaas-private/issues/25, awaiting testing.
I can now access the vetting app in Dev properly. It also seems not to be reachable outside the StatCan network. Thanks @vexingly
The vetting application URL in Dev (https://org-ces-system-disclosure-vetting.aaw-dev.cloud.statcan.ca/) is exposed to the internet, which shouldn't happen. It should be internal to the Statistiques Canada network. How can we fix this?