[IBCDPE-1095] Signoz move to lets encrypt #45

Merged
8 changes: 3 additions & 5 deletions deployments/main.tf
@@ -69,11 +69,9 @@ module "dpe-sandbox-spacelift-development" {

enable_cluster_ingress = true
enable_otel_ingress = true
ssl_hostname = "a09a38cc5a8d6497ea69c6bf6318701b-1974793757.us-east-1.elb.amazonaws.com"

auth0_jwks_uri = "https://dev-sage-dpe.us.auth0.com/.well-known/jwks.json"

ses_email_identities = ["aws-dpe-dev@sagebase.org"]
ssl_hostname = "dev.sagedpe.org"
auth0_jwks_uri = "https://dev-sage-dpe.us.auth0.com/.well-known/jwks.json"
ses_email_identities = ["aws-dpe-dev@sagebase.org"]
# Defines the email address that will be used as the sender of the email alerts
smtp_from = "aws-dpe-dev@sagebase.org"
}
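Review bot: dev.sagedpe.org replaces the raw ELB hostname in ssl_hostname, and the HTTP-01 solver introduced in this PR can only succeed once that name resolves to the load balancer fronting the eg Gateway; confirm the DNS record is in place before this is applied, because a cert-manager Order against the production ACME server will fail validation until it does. Also note that auth0_jwks_uri is still passed to the module here although the envoy-gateway module no longer accepts it, which only makes sense if another consumer inside dpe-k8s-deployments remains.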
7 changes: 2 additions & 5 deletions deployments/stacks/dpe-k8s-deployments/main.tf
@@ -105,11 +105,8 @@ module "envoy-gateway" {
git_revision = var.git_revision
namespace = "envoy-gateway"
argo_deployment_name = "envoy-gateway"
cluster_issuer_name = "selfsigned"
# To determine more elegant ways to fill in these values, for example, if we have
# a pre-defined DNS name for the cluster (https://sagebionetworks.jira.com/browse/IT-3931)
ssl_hostname = var.ssl_hostname
auth0_jwks_uri = var.auth0_jwks_uri
cluster_issuer_name = "lets-encrypt-prod"
ssl_hostname = var.ssl_hostname
}

module "cert-manager" {
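Review bot: cluster_issuer_name = "lets-encrypt-prod" has to match the ClusterIssuer metadata.name the envoy-gateway module patches in, and it does (cert-issuer.yaml in this PR uses the same value), but that module now ships a ClusterIssuer that depends on the cert-manager CRDs while module "cert-manager" is declared after it. Make sure the Argo CD sync order (or a depends_on) guarantees cert-manager is installed first, otherwise the first sync of the ClusterIssuer fails with an unknown kind.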
5 changes: 0 additions & 5 deletions deployments/stacks/dpe-k8s-deployments/variables.tf
@@ -86,11 +86,6 @@ variable "auth0_jwks_uri" {
type = string
}

variable "auth0_domain" {
description = "Auth0 domain"
type = string
}

variable "smtp_user" {
description = "The SMTP user. Required if smtp_user, smtp_password, and smtp_from are set"
type = string
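Review bot: auth0_domain is removed, but auth0_jwks_uri (the variable just above this hunk) is retained even though the envoy-gateway module call in this stack no longer consumes it. If nothing else in dpe-k8s-deployments reads var.auth0_jwks_uri, drop it in the same change so the stack does not carry a dead input; if something does, note the consumer in the PR description.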
9 changes: 0 additions & 9 deletions modules/envoy-gateway/main.tf
@@ -63,15 +63,6 @@ spec:
- op: replace
path: /metadata/name
value: ${var.cluster_issuer_name}
- target:
kind: SecurityPolicy
patch: |-
- op: replace
path: /spec/jwt/providers
value:
- name: auth0
remoteJWKS:
uri: ${var.auth0_jwks_uri}
Comment on lines -66 to -74 (Contributor Author):

Applying a blanket SecurityPolicy at the gateway to require that a JWT be provided was causing us issues, due to the nature of how the ACME challenge needs to be solved:
https://letsencrypt.org/docs/challenge-types/#http-01-challenge

Because a JWT was required, the traffic to solve the challenge was being rejected with HTTP 401.

Instead, we will expect that security policies will be individually applied to all HTTP Routes that are created for the cluster, like what is already in place for the telemetry endpoints (like what is shown in this file).

destination:
server: 'https://kubernetes.default.svc'
namespace: ${var.namespace}
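Review bot: dropping the Gateway-scoped SecurityPolicy fixes the ACME HTTP-01 401 but flips the default from deny to allow: any HTTPRoute created without its own SecurityPolicy is now reachable without a JWT, and nothing left in this module enforces that the per-route policies exist. Consider adding an explicit check (a conftest/OPA rule or a CI script) that every HTTPRoute attached to the eg Gateway, other than cert-manager's ACME solver route, is targeted by a SecurityPolicy with spec.jwt, and record the per-route convention in the module README so the next route author does not assume the removed gateway-wide policy still applies.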
33 changes: 13 additions & 20 deletions modules/envoy-gateway/resources/cert-issuer.yaml
@@ -1,25 +1,18 @@
# To implement using something like letsencrypt
# apiVersion: cert-manager.io/v1
# kind: ClusterIssuer
# metadata:
# name: letsencrypt-staging
# spec:
# acme:
# server: https://acme-staging-v02.api.letsencrypt.org/directory
# email: "bryan.fauble@sagebase.org"
# privateKeySecretRef:
# name: letsencrypt-staging-account-key
# solvers:
# - http01:
# gatewayHTTPRoute:
# parentRefs:
# - kind: Gateway
# name: eg
# namespace: envoy-gateway
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned
name: lets-encrypt-prod
spec:
selfSigned: {}
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: "dpe@sagebase.org"
privateKeySecretRef:
name: letsencrypt-prod-account-key
solvers:
- http01:
gatewayHTTPRoute:
parentRefs:
- kind: Gateway
name: eg
namespace: envoy-gateway
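Review bot: the issuer goes straight to the production ACME endpoint and the commented-out staging issuer is deleted rather than promoted. Let's Encrypt production enforces rate limits on failed validations and duplicate certificates, so keep a lets-encrypt-staging ClusterIssuer (server https://acme-staging-v02.api.letsencrypt.org/directory, as in the removed block) next to this one for first-time hostnames and solver debugging, and switch cluster_issuer_name to lets-encrypt-prod only after a staging certificate has been issued. Minor: the issuer is named lets-encrypt-prod while privateKeySecretRef is letsencrypt-prod-account-key; pick one spelling.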
16 changes: 16 additions & 0 deletions modules/envoy-gateway/resources/http-to-https-redirect.yaml
@@ -0,0 +1,16 @@
# Upgrades HTTP requests to HTTPS
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: tls-redirect
spec:
parentRefs:
- name: eg
sectionName: http
hostnames:
- "*.sagedpe.org"
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
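Review bot: this route has no path match, so on the http listener it redirects everything under *.sagedpe.org, including /.well-known/acme-challenge/ requests. The solver HTTPRoute that cert-manager creates wins only because Gateway API gives precedence to its exact hostname and more specific path match over this wildcard-host, "/"-prefix route; that is correct but implicit, so verify it once with curl against http://dev.sagedpe.org/.well-known/acme-challenge/ while an Order is pending. Also, RequestRedirect defaults to a 302; set statusCode: 301 for a permanent HTTP-to-HTTPS upgrade so clients cache it.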
2 changes: 1 addition & 1 deletion modules/envoy-gateway/resources/kustomization.yaml
@@ -6,4 +6,4 @@ resources:
- envoy-proxy.yaml
- gateway.yaml
- traffic-policy.yaml
- security-policy.yaml
- http-to-https-redirect.yaml
14 changes: 0 additions & 14 deletions modules/envoy-gateway/resources/security-policy.yaml

This file was deleted.

5 changes: 0 additions & 5 deletions modules/envoy-gateway/variables.tf
@@ -35,8 +35,3 @@ variable "ssl_hostname" {
description = "The hostname to use for the SSL certificate"
type = string
}

variable "auth0_jwks_uri" {
description = "The JWKS URI for Auth0"
type = string
}
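One way to check the per-route convention the contributor's comment above commits to, as an added example (not code from this PR or the repository). It audits Gateway API HTTPRoutes against Envoy Gateway SecurityPolicies and reports both failure modes discussed on this page: the ACME solver route stuck behind a gateway-wide JWT policy (the HTTP 401), and application routes left with no JWT policy at all once the gateway-wide one is gone. The manifests are constructed dicts; the route and policy names, the `targetRef`/`targetRefs` handling and the use of the acme-challenge path to recognise the solver route are assumptions.

```python
"""Audit Gateway API HTTPRoutes for JWT SecurityPolicy coverage.

Added example for this PR discussion; not project code. Objects are plain
dicts shaped like the manifests the PR touches (gateway.networking.k8s.io/v1
HTTPRoute, gateway.envoyproxy.io/v1alpha1 SecurityPolicy). Assumptions: a
JWT policy has spec.jwt.providers, it targets a Gateway or an HTTPRoute via
spec.targetRef or spec.targetRefs (both spellings accepted), and
cert-manager's solver route is recognisable by its acme-challenge path match.
"""
from typing import Dict, Iterable, List, Optional, Tuple

ACME_PATH = "/.well-known/acme-challenge/"
JWKS = "https://dev-sage-dpe.us.auth0.com/.well-known/jwks.json"


def _target_refs(policy: Dict) -> List[Dict]:
    # Accept both the singular and the plural spelling of the target field.
    spec = policy.get("spec", {})
    refs = list(spec.get("targetRefs", []))
    if "targetRef" in spec:
        refs.append(spec["targetRef"])
    return refs


def _is_jwt_policy(policy: Dict) -> bool:
    return bool(policy.get("spec", {}).get("jwt", {}).get("providers"))


def _is_acme_solver(route: Dict) -> bool:
    # cert-manager's gatewayHTTPRoute solver serves the token unauthenticated
    # from this path; a JWT requirement in front of it yields the 401 the PR saw.
    for rule in route.get("spec", {}).get("rules", []):
        for match in rule.get("matches", []):
            if match.get("path", {}).get("value", "").startswith(ACME_PATH):
                return True
    return False


def audit(routes: Iterable[Dict], policies: Iterable[Dict]) -> Tuple[List[str], List[str]]:
    """Return (unprotected_routes, blocked_acme_routes) as "namespace/name".

    unprotected_routes: non-solver routes with no JWT policy on them or on
        their parent Gateway (the gap opened by moving to per-route policies).
    blocked_acme_routes: solver routes that *are* behind a JWT policy (the
        failure that motivated removing the gateway-wide policy).
    """
    gw_targets, route_targets = set(), set()
    for pol in policies:
        if not _is_jwt_policy(pol):
            continue
        ns = pol["metadata"].get("namespace", "default")
        for ref in _target_refs(pol):  # policies only target their own namespace
            if ref.get("kind") == "Gateway":
                gw_targets.add((ns, ref["name"]))
            elif ref.get("kind") == "HTTPRoute":
                route_targets.add((ns, ref["name"]))

    unprotected, blocked_acme = [], []
    for route in routes:
        ns = route["metadata"].get("namespace", "default")
        name = route["metadata"]["name"]
        covered = (ns, name) in route_targets or any(
            (parent.get("namespace", ns), parent["name"]) in gw_targets
            for parent in route.get("spec", {}).get("parentRefs", [])
        )
        if _is_acme_solver(route):
            if covered:
                blocked_acme.append(f"{ns}/{name}")
        elif not covered:
            unprotected.append(f"{ns}/{name}")
    return unprotected, blocked_acme


# Constructed sample manifests (not taken from the repo).
def _route(name: str, ns: str, path: Optional[str] = None) -> Dict:
    rule: Dict = {"backendRefs": [{"name": name, "port": 8080}]}
    if path:
        rule["matches"] = [{"path": {"type": "PathPrefix", "value": path}}]
    return {"apiVersion": "gateway.networking.k8s.io/v1", "kind": "HTTPRoute",
            "metadata": {"name": name, "namespace": ns},
            "spec": {"parentRefs": [{"name": "eg", "namespace": "envoy-gateway"}],
                     "rules": [rule]}}


def _jwt_policy(name: str, ns: str, kind: str, target: str) -> Dict:
    return {"apiVersion": "gateway.envoyproxy.io/v1alpha1", "kind": "SecurityPolicy",
            "metadata": {"name": name, "namespace": ns},
            "spec": {"targetRef": {"group": "gateway.networking.k8s.io",
                                   "kind": kind, "name": target},
                     "jwt": {"providers": [{"name": "auth0",
                                            "remoteJWKS": {"uri": JWKS}}]}}}


ROUTES = [
    _route("otel-collector", "envoy-gateway"),                        # telemetry endpoint
    _route("signoz-frontend", "signoz"),                              # an app route, no policy
    _route("cm-acme-http-solver-x7q2k", "envoy-gateway", ACME_PATH),  # solver (hypothetical name)
]
# Before this PR: one policy on the Gateway covers everything, solver included.
GATEWAY_WIDE = [_jwt_policy("jwt-gateway", "envoy-gateway", "Gateway", "eg")]
# After this PR: policies are attached per route; only telemetry has one.
PER_ROUTE = [_jwt_policy("jwt-otel", "envoy-gateway", "HTTPRoute", "otel-collector")]

if __name__ == "__main__":
    for label, pols in (("gateway-wide", GATEWAY_WIDE), ("per-route", PER_ROUTE)):
        unprotected, blocked = audit(ROUTES, pols)
        print(f"{label}: unprotected={unprotected} acme_blocked={blocked}")
```

Run against live objects by replacing the constructed lists with the output of `kubectl get httproute,securitypolicy -A -o json`; the gateway-wide state reports the solver route as blocked (the 401 case), while the per-route state reports the app route that nobody attached a policy to.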