
[SCHEMATIC-215] Enable ingress for SigNoz UI #51

Merged: 4 commits merged into main from schematic-215-expose-signoz-ui-behind-vpn, Dec 5, 2024

Conversation

@BryanFauble BryanFauble (Contributor) commented Dec 3, 2024

https://sagebionetworks.jira.com/browse/SCHEMATIC-215

Problem:

  1. SigNoz (Non-Enterprise) uses its own login mechanism that doesn't support SSO/SAML; we are reluctant to add JumpCloud SSO in front of SigNoz as it will then require a 2-step login.
  2. The Sage VPN is a viable option that requires users to be on the Sage VPN. As such, we need to create a route to access the UI and restrict it to the public IP address.

Solution:

  1. Creating a route in the Envoy Gateway to access the SigNoz UI.
  2. Enable proxy protocol on the AWS load balancer to support forwarding the real client IP address via the X-Forwarded-For header.
  3. Use an authorization SecurityPolicy to restrict access to the SigNoz HTTP route.

Testing:

  • To deploy and test on k8s sandbox cluster
  • I verified that the URL is accessible via the dev URL:

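The three solution steps above depend on each other. As an added illustration (not code from the PR, SigNoz or Envoy Gateway), this Python model applies the authorization rule from this PR's SecurityPolicy to constructed client addresses and shows how the decision changes depending on whether proxy protocol delivers the real client address. The rule-evaluation order, the source of the evaluated address, and the non-VPN and load-balancer addresses are assumptions.

```python
"""Added example (not code from the PR): a model of how the SecurityPolicy
authorization block in this PR decides Allow/Deny for a client, and why step 2
(proxy protocol on the AWS load balancer) is a precondition for step 3.
Assumed: rules are checked in order and the first match wins, else defaultAction;
the address checked is the connection's source address unless proxy protocol
supplies the original client address."""
import ipaddress
from typing import Optional

# Constructed mirror of the `authorization:` block shown in the PR (targetRefs
# and the rest of the SecurityPolicy are omitted).
AUTHZ_POLICY = {
    "defaultAction": "Deny",
    "rules": [
        {"action": "Allow", "principal": {"clientCIDRs": ["52.44.61.21/32"]}},
    ],
}

VPN_IP = "52.44.61.21"        # Sage VPN egress address, from the PR
OTHER_IP = "198.51.100.7"     # constructed: a client not on the VPN
LB_NODE_IP = "10.0.1.5"       # hypothetical load-balancer node address


def observed_client_ip(source_addr: str, proxy_proto_addr: Optional[str]) -> str:
    """Address the gateway evaluates against clientCIDRs (assumption above)."""
    return proxy_proto_addr if proxy_proto_addr else source_addr


def evaluate(policy: dict, client_ip: str) -> str:
    """Return 'Allow' or 'Deny' for client_ip under the authorization policy."""
    ip = ipaddress.ip_address(client_ip)
    for rule in policy["rules"]:
        cidrs = rule.get("principal", {}).get("clientCIDRs", [])
        if any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return rule["action"]
    return policy["defaultAction"]


def decide(source_addr: str, proxy_proto_addr: Optional[str]) -> str:
    """Full decision for one downstream connection."""
    return evaluate(AUTHZ_POLICY, observed_client_ip(source_addr, proxy_proto_addr))


if __name__ == "__main__":
    # Proxy protocol on: the LB forwards the real client address.
    print(decide(LB_NODE_IP, VPN_IP))    # Allow
    print(decide(LB_NODE_IP, OTHER_IP))  # Deny
    # Proxy protocol off: every connection appears to come from the LB itself,
    # so even VPN users are denied. Testing from both inside and outside the
    # VPN distinguishes "allowlist works" from "nothing works".
    print(decide(LB_NODE_IP, None))      # Deny
```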

Comment on lines +27 to +47
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: signoz-ui-route
namespace: envoy-gateway
spec:
parentRefs:
- name: eg
rules:
- backendRefs:
- group: ""
kind: Service
name: signoz-frontend
namespace: signoz
port: 3301
weight: 1
matches:
- path:
type: PathPrefix
value: /
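Review bot: the backendRef points to Service `signoz-frontend` in namespace `signoz` while the HTTPRoute itself lives in `envoy-gateway`; a cross-namespace backendRef is only resolved when the target namespace has a ReferenceGrant allowing HTTPRoutes from `envoy-gateway` to reference Services, so add that ReferenceGrant in `signoz` (or point to where it already exists), otherwise the route reports its refs as not permitted. A second point: there is no `hostnames:` entry, so `PathPrefix` `/` matches every request on the `eg` Gateway's listener regardless of Host; since the author's comment below names the `${environment}.sagedpe.org` URL as the intended entry point, listing it under `hostnames:` would keep this catch-all from capturing traffic meant for other routes attached to the same Gateway.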
@BryanFauble BryanFauble (Contributor Author) commented:

SigNoz only supports working at the root URL of the domain it's running on. In favor of getting a solution, I am going to use the ${environment}.sagedpe.org URLs. If we want to swap to using a different sub-domain later, we'll be able to do that; for example, Sage-Bionetworks-IT/organizations-infra#1302 shows what we might do on the Sage IT infra stack.

On this side it's going to be a larger shift (and why I didn't want to worry about doing it now): we'll need to make sure that we request SSL certs from Let's Encrypt and make sure it all works with the Listeners in the Envoy Gateway.

@BryanFauble BryanFauble requested a review from zaro0508 December 3, 2024 19:36
@BryanFauble BryanFauble marked this pull request as ready for review December 3, 2024 20:16
@BryanFauble BryanFauble requested a review from a team as a code owner December 3, 2024 20:16
@@ -11,3 +11,22 @@ spec:
jwt:
providers: <replaced-by-kustomize>
authorization: <replaced-by-kustomize>
---
apiVersion: gateway.envoyproxy.io/v1alpha1
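Review bot: `<replaced-by-kustomize>` is not a valid value for `providers:` or `authorization:`, so the base manifest only becomes applyable once the overlay substitutes it; a comment next to the placeholder naming the overlay that performs the replacement, plus a `kustomize build` of each environment in CI, would make a missed substitution fail early rather than at `kubectl apply`. The new document also starts a `gateway.envoyproxy.io/v1alpha1` resource; since alpha APIs may change between releases, record the Envoy Gateway release this manifest was validated against (in a comment or the install config) so an upgrade that alters the schema is caught.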
alpha version?

@BryanFauble BryanFauble (Contributor Author) replied Dec 3, 2024:

It's the latest at the moment (https://gateway.envoyproxy.io/latest/api/extension_types/#gatewayenvoyproxyiov1alpha1)

The gateway itself is past the v1.x.x mark, but the APIs (aka the definition of this YAML) are subject to updates. I've been impressed with the changes this project has been publishing and they have smoothed out a bunch of rough edges for shaping traffic into the K8s cluster. I've worked with other tools like Istio and Traefik Proxy before, and they were a huge pain to manage at the time.

Comment on lines +25 to +32
authorization:
defaultAction: Deny
rules:
- action: Allow
principal:
clientCIDRs:
# Public IP address for the Sage VPN. `/32` CIDR mask means a single IP address.
- 52.44.61.21/32
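Review bot: `defaultAction: Deny` with a single `Allow` for `52.44.61.21/32` is only as strong as the address Envoy evaluates it against, which must be the original client's; that is what step 2 of the description (proxy protocol on the AWS load balancer) is meant to supply, so the policy and the proxy-protocol setting should be reviewed as a pair: with proxy protocol off, every connection carries the load balancer's address and nobody matches, and if client IP detection were instead taken from a client-supplied header, the allowlist would rest on a value the client controls. The policy's `targetRefs` are outside this excerpt; confirm it attaches only to `signoz-ui-route` and not to the Gateway, since a Gateway-wide `Deny` default would also cover other routes. The Testing section only records a successful request from the dev URL; add the negative case (a request from outside the VPN is rejected) so the deny path is verified as well.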
I don't know about the rest but this looks like what we want.

@BWMac BWMac (Contributor) left a comment:

LGTM!

@BryanFauble BryanFauble merged commit a51af6c into main Dec 5, 2024
3 checks passed
@BryanFauble BryanFauble deleted the schematic-215-expose-signoz-ui-behind-vpn branch December 5, 2024 18:54