[IBCDPE-1095] Secure cluster ingress for telemetry data #40
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… are not shared with control plane
spacelift-int-sagebionetworks
bot
temporarily deployed
to
spacelift/dpe-dev-kubernetes-deployments
BryanFauble
commented
Oct 23, 2024
deployments/stacks/dpe-auth0/main.tf
Outdated
Comment on lines
1
to
43
| # Used to create the Auth0 resources for the DPE stack | ||
| resource "auth0_resource_server" "k8s-cluster-telemetry" { | ||
| name = "${var.cluster_name}-telemetry" | ||
| identifier = "${var.cluster_name}-telemetry" | ||
| signing_alg = "RS256" | ||
|
|
||
| allow_offline_access = false | ||
| token_lifetime = 86400 | ||
| skip_consent_for_verifiable_first_party_clients = true | ||
| # https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/resource_server_scopes | ||
| # Says to use the following, however it errors out: | ||
| # This object has no argument, nested block, or exported attribute named "scopes". | ||
| # lifecycle { | ||
| # ignore_changes = [scopes] | ||
| # } | ||
| } | ||
|
|
||
| resource "auth0_client" "oauth2_clients" { | ||
| for_each = { for client in var.auth0_clients : client.name => client } | ||
|
|
||
| name = each.value.name | ||
| description = each.value.description | ||
| app_type = each.value.app_type | ||
|
|
||
| jwt_configuration { | ||
| alg = "RS256" | ||
| } | ||
| } | ||
|
|
||
| resource "auth0_client_credentials" "client_secrets" { | ||
| for_each = { for client in auth0_client.oauth2_clients : client.name => client } | ||
|
|
||
| client_id = auth0_client.oauth2_clients[each.key].id | ||
| authentication_method = "client_secret_post" | ||
| } | ||
|
|
||
| resource "auth0_client_grant" "access_to_k8s_cluster" { | ||
| for_each = { for client in var.auth0_clients : client.name => client } | ||
|
|
||
| client_id = auth0_client.oauth2_clients[each.key].id | ||
| audience = auth0_resource_server.k8s-cluster-telemetry.identifier | ||
| scopes = [] | ||
| } |
There was a problem hiding this comment.
This creates a few items in Auth0.
an API that each client is granted access to:
The applications where each has a unique client ID and client secret. These will be added to the machines where data is going to be exported out of in order to implement the client credential exchange:
BryanFauble
commented
Oct 23, 2024
Comment on lines
105
to
109
| cluster_issuer_name = "selfsigned" | ||
| # To determine more elegant ways to fill in these values, for example, if we have | ||
| # a pre-defined DNS name for the cluster (https://sagebionetworks.jira.com/browse/IT-3931) | ||
| ssl_hostname = var.ssl_hostname | ||
| auth0_jwks_uri = var.auth0_jwks_uri |
There was a problem hiding this comment.
Depends on https://sagebionetworks.jira.com/browse/IT-3931 to move away from selfsigned certs
Base automatically changed from
ibcdpe-1097-shrink-vpc-subnets
to
signoz-testing
October 25, 2024 16:26
spacelift-int-sagebionetworks
bot
temporarily deployed
to
spacelift/root-spacelift-administrative-stack
BryanFauble
commented
Oct 28, 2024
deployments/main.tf
Outdated
Comment on lines
40
to
74
| vpc_cidr_block = "10.52.16.0/20" | ||
| public_subnet_cidrs = ["10.52.16.0/24", "10.52.17.0/24"] | ||
| vpc_cidr_block = "10.52.16.0/20" | ||
| # A public subnet is required for each AZ in which the worker nodes are deployed | ||
| public_subnet_cidrs = ["10.52.16.0/24", "10.52.17.0/24", "10.52.19.0/24"] | ||
| private_subnet_cidrs_eks_control_plane = ["10.52.18.0/28", "10.52.18.16/28"] | ||
| azs_eks_control_plane = ["us-east-1a", "us-east-1b"] | ||
|
|
||
| private_subnet_cidrs_eks_worker_nodes = ["10.52.20.0/22", "10.52.24.0/22", "10.52.28.0/22"] | ||
| azs_eks_worker_nodes = ["us-east-1a", "us-east-1b", "us-east-1c"] | ||
| private_subnet_cidrs_eks_worker_nodes = ["10.52.28.0/22", "10.52.24.0/22", "10.52.20.0/22"] | ||
| azs_eks_worker_nodes = ["us-east-1c", "us-east-1b", "us-east-1a"] | ||
|
|
||
| enable_cluster_ingress = true | ||
| enable_otel_ingress = true | ||
| ssl_hostname = "a09a38cc5a8d6497ea69c6bf6318701b-1974793757.us-east-1.elb.amazonaws.com" | ||
| auth0_jwks_uri = "https://dev-57n3awu5je6q653y.us.auth0.com/.well-known/jwks.json" | ||
| } |
There was a problem hiding this comment.
The juggling of this is an unfortunate side affect of how the VPC module creates subnets in specific AZs. By doing this it allows us to:
- Create 3 public subnets in each AZ
- Create 2 private subnets in a, and b for the eks control plane
- Create 3 private subnets in each AZ for the private worker nodes.
Why this is needed:
- In order for the AWS load balancer to forward traffic to a private subnet, there needs to be a public subnet in that AZ.
- Worker nodes can be deployed to all 3 AZs, and because of this when a pod was scheduled into the c subnet, the load balancer could not forward traffic to that instance.
spacelift-int-sagebionetworks
bot
temporarily deployed
to
spacelift/dpe-dev-auth0
spacelift-int-sagebionetworks
bot
temporarily deployed
to
spacelift/dpe-dev-auth0
spacelift-int-sagebionetworks
bot
temporarily deployed
to
spacelift/root-spacelift-administrative-stack
BryanFauble
commented
Oct 30, 2024
| aws_account_id = "631692904429" | ||
| region = "us-east-1" | ||
|
|
||
| cluster_name = "dpe-k8-sandbox" | ||
| vpc_name = "dpe-sandbox" | ||
|
|
||
| vpc_cidr_block = "10.52.16.0/20" |
There was a problem hiding this comment.
My comment keeps getting deleted, here is a link explaining why this change was made: #40 (comment)
* Upgrade airflow to latest helm chart and airflow:2.9.3
* Set up SMTP settings with test email & Move to lets encrypt
|
Merging this PR to collapse this mess of PR dependencies |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem:
Solution:
Testing:
TODO:
/telemetry/v1/...