Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[IBCDPE-1095] Signoz move to lets encrypt #45

Merged
merged 10 commits into from
Nov 5, 2024
Merged

[IBCDPE-1095] Signoz move to lets encrypt #45

merged 10 commits into from
Nov 5, 2024

Conversation

BryanFauble
Copy link
Contributor

Problem:

  1. We were using self-signed SSL certs (A security issue) for TLS termination at the cluster gateway
  2. We did not have a domain to point to

Solution:

  1. Khai on the IT side created a domain for us to use (sagedpe.org) and he pointed (dev.sagedpe.org) using a CNAME to the load balancer serving traffic in the DNT DEV AWS account.
  2. I am pointing the cluster issuer at let's encrypt.

Testing:

  1. I verified that this setup was able to solve the ACME challenge and issue a cert: https://letsencrypt.org/docs/challenge-types/#http-01-challenge
    image
    image

@BryanFauble BryanFauble requested a review from a team as a code owner November 4, 2024 22:31
@BryanFauble BryanFauble mentioned this pull request Nov 4, 2024
Closed
BryanFauble
BryanFauble commented Nov 4, 2024
View reviewed changes
modules/envoy-gateway/main.tf
Comment on lines -66 to -74
- target:
kind: SecurityPolicy
patch: |-
- op: replace
path: /spec/jwt/providers
value:
- name: auth0
remoteJWKS:
uri: ${var.auth0_jwks_uri}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was causing us issues to apply a blanket SecurityPolicy at the gateway to require JWT be provided due to the nature of how the ACME challenge needs to be solved:
https://letsencrypt.org/docs/challenge-types/#http-01-challenge

Because JWT was required the traffic to solve the challenge was being rejected due to HTTP 401.

Instead, we will expect that security policies will be individually applied to all HTTP Routes that are created for the cluster - Like what is already in place for the telemetry endpoints: Like what is shown in this file

@BryanFauble BryanFauble requested a review from zaro0508 November 4, 2024 22:34
@BryanFauble BryanFauble merged commit 556a4ba into signoz-alert-manager Nov 5, 2024
2 of 9 checks passed
@BryanFauble BryanFauble deleted the ibcdpe-1095-signoz-move-to-lets-encrypt branch November 5, 2024 20:36
@BryanFauble
Copy link
Contributor Author

Merging this PR to collapse this mess of PR dependencies

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zaro0508 zaro0508 Awaiting requested review from zaro0508

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@BryanFauble