[Reverse Proxy / EKS] Validate solution approach using Traefik

[jhouse-solvd]

Product Outline

Application Hosting and Deployment using Container Orchestration

Service Doc

Reverse Proxy

High-Level User Story

As a DevOps engineer on the Platform Operations team, I need to test the networking configuration of reverse proxy in EKS.

Note: The goal of this epic is to validate the solution approach using Traefik.

Hypothesis or Bet

If we test the networking configuration, then we expect to be able to compare the performance with the existing implementation of reverse proxy in BRD.

OKR

O3. Platform security and stability approach is comprehensive, on par with industry leaders

Definition of done

What must be true in order for you to consider this epic complete?

• The performance of revproxy running in EKS using Traefik has been demonstrated is working via cURL (demo for the Ops team internally is fine).
• Data has been gathered that describes the performance: measure the request latency (using cURL) with revproxy on EC2, then on EKS with Traefik.
• If the performance is good, and we decide to move forward with this solution, then: A security review has been requested before we bring up this service using this pattern.

[jhouse-solvd]

To be able to compare, we will need to understand the baseline performance of the reverse proxy in BRD.

Some high-level thoughts on helpful metrics:

For the reverse proxy in BRD:

• Latency of requests
• Avg # of requests over time
• Maximum # of requests
• Memory consumed per request
• CPU consumed per request

For the reverse proxy in EKS using Traefik

• Latency of requests
  • BE requests
  • FE requests
  • External services
• Load testing based on data collected for the reverse proxy in BRD (above)

[mleclerc00]

all the upfront issues that we were seeing with revproxy are now fixed

if you run

curl -L --header "revproxy-eks: true" dev-api.va.gov
curl -L --header "revproxy-eks: true" dev.va.gov

or use something like modheader in your browser to modify the header passed along with your request it will toss you through the eks revproxy https://chrome.google.com/webstore/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj?hl=en

The listener rule on the dev revproxy alb will point at the eks revproxy when it captures the header revproxy-eks: true

[rbeckwith-oddball]

Commands used to generate the result files: (for i in {1..10}; do httpstat dev-api.va.gov --header 'revproxy-eks:true' ; sleep 10 ; done)>> ~/tmp/with_header.txt (for i in {1..10}; do httpstat dev-api.va.gov ; sleep 10 ; done)>> ~/tmp/without_header.txt

• With header
• Without header

[jhouse-solvd]

This is done. See https://github.com/department-of-veterans-affairs/va.gov-team-sensitive/issues/365 for pending security review.