StatCan / aaw

Documentation for the Advanced Analytics Workspace Platform
https://statcan.github.io/aaw/

The vetting application URL in Dev is exposed to the internet #1256

Closed menmarc closed 2 years ago

menmarc commented 2 years ago

The vetting application URL in Dev (https://org-ces-system-disclosure-vetting.aaw-dev.cloud.statcan.ca/) is exposed to the internet, which shouldn't happen. It should be internal to the Statistiques Canada network. How can we fix this?

vexingly commented 2 years ago

The ingress gateways for all aaw services are internet accessible, but they are behind Azure login at least (not sure if that is GoC or StatCan only though).

A proposal to add additional ingresses is here: https://github.com/StatCan/daaas/issues/936 but no work has started on that yet.

zachomedia commented 2 years ago

There is a virtual service named disclosure-vetting in dev that maps disclosure vetting to the ingress-general-system/general-istio-ingress-gateway-https, which is public facing (ignoring that dev is not supposed to be public; but that ingress will represent what is public facing in prod).

To make it like prod, you'll want to map it to the istio-system/protected-b-istio-ingress-gateway-https gateway instead so that it is exposed only to AAW and CAE environments. You'll probably need the DNS entry updated to point to the PB gateway instead.

This is also wrong in prod, so the same change should be made there. I recall us discussing this a while back.
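The gateway change described above, as an added example (not the manifest from the aaw-argocd-manifests repo): an Istio VirtualService bound to the public-facing gateway, followed by the same VirtualService rebound to the protected-b gateway. The gateway names and the hostname are the ones quoted in this thread; the namespace `org-ces-system`, the backend Service name `disclosure-vetting` and its port 80 are assumptions for illustration.

```yaml
# Added example, not the project's own manifest.
# Assumed: namespace org-ces-system, backend Service "disclosure-vetting" on port 80.

# BEFORE: the VirtualService is attached to the general gateway, which is the
# internet-facing ingress. Anything routed here is reachable from the internet
# (subject only to whatever auth the gateway enforces).
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: disclosure-vetting
  namespace: org-ces-system
spec:
  hosts:
    - org-ces-system-disclosure-vetting.aaw-dev.cloud.statcan.ca
  gateways:
    - ingress-general-system/general-istio-ingress-gateway-https   # public facing
  http:
    - route:
        - destination:
            host: disclosure-vetting.org-ces-system.svc.cluster.local
            port:
              number: 80
---
# AFTER: same hostname and backend, but attached to the protected-b gateway,
# which is only reachable from the AAW and CAE environments. The gateway
# reference is "<namespace>/<Gateway name>", so the namespace prefix matters:
# a bare "protected-b-istio-ingress-gateway-https" would be looked up in
# org-ces-system and silently match nothing.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: disclosure-vetting
  namespace: org-ces-system
spec:
  hosts:
    - org-ces-system-disclosure-vetting.aaw-dev.cloud.statcan.ca
  gateways:
    - istio-system/protected-b-istio-ingress-gateway-https   # internal only
  http:
    - route:
        - destination:
            host: disclosure-vetting.org-ces-system.svc.cluster.local
            port:
              number: 80
```

Two checks go with this change. First, the DNS record for the hostname must be repointed at the protected-b gateway's load balancer address; if it keeps resolving to the general gateway, that gateway will have no route for the host and the app will fail from everywhere rather than become internal. Second, the public gateway must not still carry a matching route: listing every VirtualService in the cluster (for example `kubectl get virtualservices -A -o yaml`) and searching for `general-istio-ingress-gateway-https` is a quick way to confirm the hostname now appears only on the protected-b gateway, and the same search is how the prod copy of this misconfiguration mentioned above can be found.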

menmarc commented 2 years ago

@zachomedia so, to not be public facing in DEV, "disclosure-vetting" should be mapped to istio-system/protected-b-istio-ingress-gateway-https ? (and then update the proper DNS)

vexingly commented 2 years ago

@zachomedia can you advise regarding the DNS entry for the protected-b gateway?

Looking at https://gitlab.k8s.cloud.statcan.ca/cloudnative/aaw/modules/terraform-azure-statcan-aaw-network/-/blob/main/dns.tf Blair added a dns record for org-ces-system-vetting-elastic, which we can do for this request... but it appears this was only done this way because the protected-b wildcard dns "*.protected-b" wasn't included in the cert for dev. Is this something we should be looking into fixing instead of the manual record? It would make it a lot easier to use the protected-b gateway with the wildcard dns for future requests!

vexingly commented 2 years ago

Added org-ces-system-disclosure-vetting.aaw-dev.cloud.statcan.ca as a virtual service on the protected-b ingress gateway: https://github.com/StatCan/aaw-argocd-manifests/blob/aaw-dev-cc-00/org-ces-system/disclosure-vetting/manifest.yaml

Added private dns records to the aaw platform merged in aaw-dev: https://gitlab.k8s.cloud.statcan.ca/cloudnative/aaw/terraform-advanced-analytics-workspaces-infrastructure/-/commit/9f6835247ad958532bff4cb98c0a322fcf5b0313

@menmarc can you make us a separate ticket to update prod as well (when the changes are all validated)?

vexingly commented 2 years ago

Dev URL changed to https://org-ces-system-disclosure-vetting-dev.aaw-dev.cloud.statcan.ca and using the protb-ingress. This change is not expected in production as they want the service available from other networks, i.e. the internet.

menmarc commented 2 years ago

@vexingly The URL works, but now the app is trying to get to https://login.microsoftonline.com/... for the auth screen, which fails. Is there a way to open a connection to that site?

vexingly commented 2 years ago

Resolved by https://github.com/StatCan/daaas-private/issues/25, awaiting testing.

menmarc commented 2 years ago

I can now access the vetting app in Dev properly. It also seems not to be reachable from outside the StatCan network. Thanks @vexingly