
The vetting application URL in Dev is exposed to the internet

Open menmarc opened this issue 3 years ago • 3 comments

The vetting application URL in Dev (https://org-ces-system-disclosure-vetting.aaw-dev.cloud.statcan.ca/) is exposed to the internet, which shouldn't happen. It should be internal to the Statistiques Canada network. How can we fix this?

menmarc avatar Jul 13 '22 17:07 menmarc

The ingress gateways for all aaw services are internet accessible - but they are behind azure login at least (not sure if that is GoC or StatCan only though).

A proposal to add additional ingresses is here: https://github.com/StatCan/daaas/issues/936 but no work has started on that yet.

vexingly avatar Jul 13 '22 20:07 vexingly

There is a virtual service named disclosure-vetting in dev that maps disclosure vetting to the ingress-general-system/general-istio-ingress-gateway-https, which is public facing (ignoring that dev is not supposed to be public; but that ingress will represent what is public facing in prod).

To make it like prod, you'll want to map it to the istio-system/protected-b-istio-ingress-gateway-https gateway instead so that it is exposed only to AAW and CAE environments. You'll probably need the DNS entry updated to point to the PB gateway instead.

This is also wrong in prod, so the same change should be made there. I recall us discussing this a while back.

zachomedia avatar Jul 13 '22 20:07 zachomedia
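The remapping described above, as an added audit script that is not part of the StatCan repositories: it reads the output of `kubectl get virtualservices -A -o json`, flags every host bound to the internet-facing general gateway, and rewrites such a binding to the protected-b gateway. The gateway names are the ones from this thread; the sample VirtualServices and their hostnames are constructed.

```python
import copy
import json

# Gateways named in the thread: the general gateway is internet-facing, protected-b is AAW/CAE-only.
PUBLIC_GATEWAYS = {"ingress-general-system/general-istio-ingress-gateway-https"}
PROTECTED_B = "istio-system/protected-b-istio-ingress-gateway-https"

def qualify(gateway, namespace):
    """Istio resolves a bare gateway name relative to the VirtualService's own namespace."""
    if gateway == "mesh" or "/" in gateway:
        return gateway
    return f"{namespace}/{gateway}"

def find_public_exposures(vs_list, public=PUBLIC_GATEWAYS):
    """Return (namespace, name, host, gateway) for each host bound to a public ingress gateway."""
    doc = json.loads(vs_list) if isinstance(vs_list, str) else vs_list
    findings = []
    for item in doc.get("items", []):
        meta, spec = item["metadata"], item.get("spec", {})
        ns = meta["namespace"]
        # No gateways field means "mesh": sidecar-to-sidecar traffic only, never an ingress.
        bound = {qualify(g, ns) for g in spec.get("gateways", ["mesh"])}
        for gw in sorted(bound & public):
            for host in spec.get("hosts", []):
                findings.append((ns, meta["name"], host, gw))
    return findings

def rebind_to_protected_b(vs_item, public=PUBLIC_GATEWAYS, target=PROTECTED_B):
    """Return a copy of one VirtualService with every public gateway swapped for protected-b."""
    fixed = copy.deepcopy(vs_item)
    ns = fixed["metadata"]["namespace"]
    spec = fixed.setdefault("spec", {})
    if "gateways" in spec:
        spec["gateways"] = [target if qualify(g, ns) in public else g for g in spec["gateways"]]
    return fixed

# Constructed sample shaped like the thread's dev cluster; hostnames are illustrative.
SAMPLE_ITEMS = [
    {"metadata": {"namespace": "org-ces-system", "name": "disclosure-vetting"},
     "spec": {"hosts": ["org-ces-system-disclosure-vetting.aaw-dev.cloud.statcan.ca"],
              "gateways": ["ingress-general-system/general-istio-ingress-gateway-https"]}},
    {"metadata": {"namespace": "org-ces-system", "name": "vetting-elastic"},
     "spec": {"hosts": ["org-ces-system-vetting-elastic.aaw-dev.cloud.statcan.ca"],
              "gateways": [PROTECTED_B]}},
    {"metadata": {"namespace": "org-ces-system", "name": "internal-only"},
     "spec": {"hosts": ["vetting-api.org-ces-system.svc.cluster.local"]}},
]
SAMPLE = json.dumps({"items": SAMPLE_ITEMS})
```

Run the audit against a live cluster by piping `kubectl get virtualservices -A -o json` into `find_public_exposures`; the DNS record for each rebound host still has to be repointed at the protected-b gateway, as the thread notes.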

@zachomedia so, to not be public facing in DEV, "disclosure-vetting" should be mapped to istio-system/protected-b-istio-ingress-gateway-https ? (and then update the proper DNS)

menmarc avatar Jul 15 '22 18:07 menmarc

@zachomedia can you advise regarding the DNS entry for the protected-b gateway?

Looking at https://gitlab.k8s.cloud.statcan.ca/cloudnative/aaw/modules/terraform-azure-statcan-aaw-network/-/blob/main/dns.tf Blair added a dns record for org-ces-system-vetting-elastic, which we can do for this request... but it appears this was only done this way because the protected-b wildcard dns "*.protected-b" wasn't included in the cert for dev. Is this something we should be looking into fixing instead of the manual record? It would make it a lot easier to use the protected-b gateway with the wildcard dns for future requests!

vexingly avatar Sep 07 '22 19:09 vexingly

Added org-ces-system-disclosure-vetting.aaw-dev.cloud.statcan.ca as a virtual service on the protected-b ingress gateway: https://github.com/StatCan/aaw-argocd-manifests/blob/aaw-dev-cc-00/org-ces-system/disclosure-vetting/manifest.yaml

Added private dns records to the aaw platform merged in aaw-dev: https://gitlab.k8s.cloud.statcan.ca/cloudnative/aaw/terraform-advanced-analytics-workspaces-infrastructure/-/commit/9f6835247ad958532bff4cb98c0a322fcf5b0313

@menmarc can you make us a separate ticket to update prod as well (when the changes are all validated)?

vexingly avatar Sep 14 '22 22:09 vexingly

Dev URL changed to https://org-ces-system-disclosure-vetting-dev.aaw-dev.cloud.statcan.ca and using the protb-ingress. This change is not expected in production, as they want the service available from other networks, i.e. the internet.

vexingly avatar Oct 04 '22 18:10 vexingly

@vexingly The URL works, but now the app is trying to get to https://login.microsoftonline.com/... for the auth screen, which fails. Is there a way to open a connection to that site?

menmarc avatar Oct 04 '22 19:10 menmarc

Resolved by https://github.com/StatCan/daaas-private/issues/25, awaiting testing.

vexingly avatar Oct 18 '22 20:10 vexingly

I can now access the vetting app in Dev properly. It also seems not to be reachable outside the StatCan network. Thanks @vexingly

menmarc avatar Oct 19 '22 13:10 menmarc