Finalize egress work #1695

Closed
5 tasks done
cantsin opened this issue Nov 13, 2023 · 6 comments

@cantsin
Member

cantsin commented Nov 13, 2023

As part of Tock's compliance process, the capability for egress filtering is set up for cloud.gov deployments of Tock. We have set up egress spaces for both staging (which should always be on) and production (not on, but available), but more work needs to be done before we finalize egress for the entire stack:

  • Egress functionality does not seem to be stable. Production/staging sometimes breaks (for the former, maybe because of recycle-prod) and we'd like to do more testing as to why
  • Someone should run through the documentation and make sure it looks sane (especially the cloud.gov documentation), including re-creating egress from scratch in the space and adding more documentation around debugging (e.g., making sure caddy works locally)
  • We need more documentation on how to update and check the status of egress filtering
  • Because of the nature of egress, which involves sensitive variables, we don't have a good way to actually document our egress setup other than via documentation -- we could look at other projects and see how they address this

(added by @jduss4)

@juliaklindpaintner
Member

Consider turning this into an epic for TLC crew purposes — will follow up!

@alexbielen

@cantsin and @edwintorres:

Are you still looking for TLC Crew to help on this next increment (Dec 11 - 25)?

@edwintorres
Member

@alexbielen yes that's correct

@jduss4
Contributor

jduss4 commented Dec 21, 2023

I put in a little work running through the steps in the existing documentation and adding more to it here: #1706

@jduss4
Contributor

jduss4 commented Dec 22, 2023

Unfortunately, I was not able to complete this card before the break. However, during this time we did the following:

  1. Built out the documentation
  2. Redeployed the staging versions of egress + tock and confirmed the behavior works for restricting egress
  3. Experimented (unsuccessfully) with removing the public-egress application security group from tock staging and identified a new area for investigation in the setup for New Relic

@cantsin
Member Author

cantsin commented Apr 2, 2024

I think we can finally close this issue :) If anything comes up with egress in the future, I'll make a separate ticket. Many thanks to everyone involved!!
