Conversation

@korenlev
…fastly
need help on secrets

@korenlev korenlev changed the title [NE-27439] public facing api-service with nginx ingress protected by … [NE-27439] public facing nginx ingress protected by fastly Apr 14, 2024
@korenlev korenlev force-pushed the NE-27439-koren-fastly branch from b0087f2 to b6fb5fc Compare April 14, 2024 16:29
@korenlev korenlev requested a review from alexmolev April 14, 2024 16:32
@korenlev korenlev force-pushed the NE-27439-koren-fastly branch from b6fb5fc to e6840d1 Compare April 14, 2024 16:38
@korenlev
korenlev commented Apr 14, 2024

adding @alexmolev for visibility on the WAF effort

PR tested to deploy fine

with:

helm upgrade -i saas-manager cloudify-manager-worker -n saas-manager -f cloudify-manager-worker/values.saas_manager.dev.yaml --set nginx.fastly.accesskeyid=c58a1da9-9504-4600-bc98-170b7c665347 --set nginx.fastly.secretaccesskey=hxEt8ReHbqGVrxgj6tMlu3JIy8aWR03m91l5viZ4RRw

using pre-deployed secrets (not using terragrunt templating, just helm)!

issues to pick up on now related to nginx code and fastly:

The Fastly container inside the cloudify manager pod comes up with the RPC listener:

2024/04/14 16:23:45.614904 Signal Sciences Agent 4.53.0 starting as user sigsci with PID 1, Max open files=65535, Max data size=unlimited, Max address space=unlimited, Max stack size=8388608
2024/04/14 16:23:45.634367 =====================================================
2024/04/14 16:23:45.634379 Agent: cloudify-manager-worker-0
2024/04/14 16:23:45.634382 System: alpine 3.19.1 (linux 5.10.213-201.855.amzn2.x86_64)
2024/04/14 16:23:45.634385 Memory: 6.704G / 7.462G RAM available
2024/04/14 16:23:45.634388 CPU: 2 MaxProcs (1 workers) / 2 CPU cores available
2024/04/14 16:23:45.634390 =====================================================
2024/04/14 16:23:45.810093 Updated "datacenters" data: 2024.1.23+165947
2024/04/14 16:23:46.074723 Updated "geolite2-country" data: 2024.4.3-12.04.13
2024/04/14 16:23:46.077769 Updated "apple-privacy-relay" data: 2024.3.22+160621
2024/04/14 16:23:46.200912 Enabling request processing
2024/04/14 16:23:46.206084 Started RPC listener on "unix:/sigsci/tmp/sigsci.sock"

but the Fastly managed service does not get or list the requests to the manager pod!

I have kept k8s-secrets encrypted; please decrypt first with sops to use and test.
At the end k8s-secrets needs to revert to the original (the alternative function used by terragrunt).
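As an added check, not part of the PR or the chart: the agent log above shows the RPC listener on `unix:/sigsci/tmp/sigsci.sock`, and the nginx side of the Signal Sciences integration has to point at the same socket or nothing is ever sent to the agent (and so nothing shows up in the Fastly console). The snippet below pulls the socket out of the agent startup log and out of an nginx.conf and compares them. The directive name `sigsci_agent_host` and its default `unix:/var/run/sigsci.sock` are assumptions about the Signal Sciences nginx module; the log line is the one quoted in the comment, and the nginx.conf is constructed for the example.

```shell
# Added example (not from the PR): check that nginx's sigsci module and the sigsci
# agent sidecar agree on the RPC socket. Assumptions: the module directive is
# sigsci_agent_host and its default is unix:/var/run/sigsci.sock.

# Constructed inputs: the agent line is the one from the PR comment, the nginx.conf
# is a stand-in for what `nginx -T` would print inside the manager pod.
AGENT_LOG='2024/04/14 16:23:46.206084 Started RPC listener on "unix:/sigsci/tmp/sigsci.sock"'
NGINX_CONF='load_module modules/ngx_http_sigsci_module.so;
http {
    sigsci_agent_host unix:/var/run/sigsci.sock;
}'

# agent_socket LOG -> the address the agent reports in its "Started RPC listener" line
agent_socket() {
    printf '%s\n' "$1" | sed -n 's/.*Started RPC listener on "\([^"]*\)".*/\1/p' | tail -n 1
}

# nginx_socket CONF -> the sigsci_agent_host value, or the module default when the
# directive is absent (an absent directive is the classic cause of a silent mismatch)
nginx_socket() {
    addr=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*sigsci_agent_host[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' \
        | tail -n 1)
    printf '%s\n' "${addr:-unix:/var/run/sigsci.sock}"
}

# sockets_match LOG CONF -> exit 0 only when both sides name the same socket
sockets_match() {
    a=$(agent_socket "$1")
    n=$(nginx_socket "$2")
    [ -n "$a" ] && [ "$a" = "$n" ]
}

if sockets_match "$AGENT_LOG" "$NGINX_CONF"; then
    echo "ok: nginx and agent both use $(agent_socket "$AGENT_LOG")"
else
    echo "mismatch: agent listens on $(agent_socket "$AGENT_LOG"), nginx sends to $(nginx_socket "$NGINX_CONF")" >&2
fi
```

In the pod the two inputs would come from `kubectl logs <pod> -c <sigsci-container>` and `kubectl exec <pod> -c <nginx-container> -- nginx -T` (container names assumed); the constructed config above deliberately keeps the module default so the mismatch branch is exercised.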

@korenlev korenlev force-pushed the NE-27439-koren-fastly branch from e6840d1 to 8c2ccc4 Compare April 14, 2024 16:57
@tikhon-opsfleet tikhon-opsfleet left a comment


Just started to review, but it looks like I don't have enough context for the purpose of this.
I have a couple of general questions before we can proceed:

  1. Why do we need this fork of the community cloudify chart? Not sure if we support it.
  2. Why does the community cloudify chart need fastly? Pretty sure we are not using it in any of our internal installations.
  3. I see dev/test/prod values there with hosts like "saas-manager.pub.nativeedge.dell.com" inside, but I'm pretty sure we are not using this chart for saas-manager. Was something changed?
  4. This is a public repo, so we need to be extremely wary about anything committed in it. Even if it is not formally secret data, it is better not to leak any information about our internal infrastructure (like the AWS account ID) if possible.

@@ -0,0 +1,109 @@
apiVersion: ENC[AES256_GCM,data:cUQ=,iv:hy/ZdP1le16X3DmD82wU1ESBUsmlVfWwtgDrl6QQyfs=,tag:tjK4GQ0ZpbkT4jsbJR6ICA==,type:str]
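Review bot: the 109-line file this hunk adds is sops ciphertext with even `apiVersion` replaced by `ENC[AES256_GCM,...]`, so if it sits under the chart's templates/ directory helm will render it verbatim and the output is not a valid Kubernetes manifest; the PR description confirms it has to be decrypted with sops before the chart is usable. Suggest keeping the encrypted file out of the chart, decrypting into a values override at deploy time (e.g. `sops -d secrets.yaml | helm upgrade ... -f -`) and having the template reference a pre-created Secret by name, which also keeps the sops metadata block (the KMS ARN carrying the account ID) out of the public repo.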


We should not use things like this inside the helm chart. If you want to encrypt something using a 3rd-party tool, you need to do it in override values outside the chart.
Also, this is a public repo; even if we have the secrets encrypted, some information from this file should not be publicly available, like the AWS KMS ARN, which includes the AWS account ID (non-secret, but can be used to reduce attack surface).
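The two findings in this review (sops ciphertext committed inside the chart, and a KMS ARN that carries the account ID) are both mechanical enough to catch before a push. Below is an added pre-commit style scan, not code from the PR or the chart: it walks a chart directory, flags `ENC[AES256_GCM` markers under templates/ and `arn:aws:kms:<region>:<12-digit account>:` anywhere, and returns non-zero if it finds either. The chart layout and file contents it scans are constructed for the example; the account ID and key ID in the fixture are placeholders.

```shell
# Added example (not from the PR): fail a commit when a chart carries sops
# ciphertext in templates/ or an AWS KMS ARN (which embeds the account id).

# scan_chart DIR -> prints one finding per line; returns 1 if anything was found, 0 otherwise
scan_chart() {
    dir=$1
    found=0
    # 1. sops output under templates/: helm renders ENC[...] literally, which is
    #    both an invalid manifest and a sign the chart expects decrypted files in git.
    for f in $(find "$dir/templates" -type f 2>/dev/null); do
        if grep -q 'ENC\[AES256_GCM' "$f"; then
            echo "sops-encrypted content in chart template: $f"
            found=1
        fi
    done
    # 2. KMS key ARNs: arn:aws:kms:REGION:ACCOUNT:key/... publishes the key owner's
    #    12-digit account id, typically via the sops metadata block.
    for f in $(find "$dir" -type f); do
        if grep -Eq 'arn:aws:kms:[a-z0-9-]+:[0-9]{12}:' "$f"; then
            echo "AWS KMS ARN with account id: $f"
            found=1
        fi
    done
    return $found
}

# make_fixture -> constructed chart directory resembling what the review is about
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/templates"
    # constructed: a sops-encrypted manifest dropped into templates/
    printf 'apiVersion: ENC[AES256_GCM,data:cUQ=,iv:AAAA,tag:BBBB,type:str]\n' \
        > "$d/templates/k8s-secrets.yaml"
    # constructed: sops creation rule with a placeholder account id and key id
    printf 'creation_rules:\n  - kms: arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000\n' \
        > "$d/.sops.yaml"
    # constructed: an ordinary values file that should not be flagged
    printf 'nginx:\n  fastly:\n    accesskeyid: ""\n' > "$d/values.yaml"
    echo "$d"
}

FIXTURE=$(make_fixture)
scan_chart "$FIXTURE" || echo "findings above would block the commit" >&2
```

Wire it up as a pre-commit hook on the chart directory (or run it in CI on the checked-out repo); a clean chart produces no output and exit status 0.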

apiVersion: v1
kind: Secret
metadata:
name: sigsci.fusion
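Review bot: `name: sigsci.fusion` is a literal, so the Secret's name is fixed regardless of release or chart name and two releases in one namespace would collide on it; suggest deriving it from the release (e.g. `name: {{ .Release.Name }}-sigsci`) and using the same expression wherever the Fastly sidecar mounts or references this Secret, which also answers the question above about where "fusion" comes from.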


why "fusion" if it is community cloudify?
