
Monitoring and alerting for private environments #1467

Closed
13 of 20 tasks
weatherhog opened this issue Oct 4, 2022 · 4 comments

@weatherhog

weatherhog commented Oct 4, 2022

Context

Our customer Talanx wants to have an environment which uses a central HTTP(S) Proxy so that they have a central point to block traffic if they need to.

Access between MCs and WCs will be done via VPC endpoints. No peering or public endpoints. Access to or from the outside will only be possible via their Transit Gateway (network and routing will be set up by the kaas team). Egress must go through a proxy.

see https://github.com/giantswarm/talanx/issues/26 and #1424

Goal

We need to make sure our current monitoring and alerting setup works as expected for this environment. This implies both that our monitoring works on this new CAPA provider, and that our components support using a proxy for outgoing traffic.

  1. Ensure monitoring works on CAPA
  2. Ensure monitoring works behind a proxy

TODOs

CAPA Test installations are on Golem

@QuentinBisson

@TheoBrigitte can you duplicate the issues so we have them for capa and capa private envs?

@TheoBrigitte

Testing environment

goat MC for CAPA private environment is ready for testing, but ⚠️ storage is not ready yet ⚠️

region: eu-north-1
installation name: goat
It currently uses CUSTOM BRANCHES for most of the main components (capa-app-collection, config, management-cluster-fleet), so if you need to change something you need to use these branches.
It's using self-signed private certificates for ingress endpoints like dex and athena, so if you want to use opsctl login goat you need to add the custom CA to the trusted CAs on your OS; for now this is manual work, see the attached CA cert in the thread.
The DNS is "public", so you should be able to resolve it anywhere, but the IPs are private, so you need a VPN in order to interact with the cluster.
SSH is not working yet.
ALL pods running on the MC should have proxy configuration injected as ENV variables, but this means the app needs to support this.

custom CA

-----BEGIN CERTIFICATE-----
MIIBeDCCAR6gAwIBAgIQcOnvOyWdUuUqpLsMNL5tiDAKBggqhkjOPQQDAjAcMRow
GAYDVQQDExFnaWdhbnRpYy5pbnRlcm5hbDAeFw0yMjExMjUxMzI5MzBaFw0yMzAy
MjMxMzI5MzBaMBwxGjAYBgNVBAMTEWdpZ2FudGljLmludGVybmFsMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEOl9V9jyNQGa/sU3u1u/+aJzwd3QsqcX+6yRX+x5T
JCJu42JGr5SMS/ADKZ4r1jJlR1VaOVQc44qFcr32uukxGKNCMEAwDgYDVR0PAQH/
BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOuLlRMgSfzNiufdQobp
dvsOy3pYMAoGCCqGSM49BAMCA0gAMEUCIQCMrhseZjoIBbgrWfQN9zmyZLgNj16H
9jxviHyTKRt0wwIgDSuGg5D7k2ui24RB7cOqCn+XURTuHGeWfmq2nnLLrPQ=
-----END CERTIFICATE-----

source: https://gigantic.slack.com/archives/C04AJ5FJHEK/p1669392073238199

Proxy interface

When running behind a proxy, it is required for outgoing traffic to go through the proxy to reach the public internet. This is achieved by injecting proxy environment variables into pods. Applications then need to make sure those are supported where needed.

The overall concept comes from the Golang httpproxy library.
RFC (still a pull request): https://github.com/giantswarm/rfc/pull/50/files
Example PR (how proxy environment variables are used): https://github.com/giantswarm/kiam-app/pull/127/files
Apps require the secret to be enabled; example: https://github.com/giantswarm/default-apps-aws/blob/master/helm/default-apps-aws/values.yaml#L129

Addition

For any additional info reach out to #wg-private-capa-testing
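
The two things the comment above asks of an application (honour the injected HTTP_PROXY/HTTPS_PROXY/NO_PROXY variables, and trust the private CA for dex/athena instead of disabling verification) are shown in the added Go example below. It is not code from this issue or from any Giant Swarm component: the proxy address proxy.internal:3128, the NO_PROXY list, and the function names setProxyEnv, proxyFor, trustedPool and newClient are assumptions chosen for illustration; the only input taken from the page is the CA certificate posted in the comment, which is used purely as parsing input. The proxy decisions come from the standard library's http.ProxyFromEnvironment, which wraps the same golang.org/x/net/http/httpproxy logic the RFC refers to.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/url"
	"os"
)

// The private CA posted above (CN=gigantic.internal); it expired 2023-02-23, so it is parsing input only.
const gigaCA = `-----BEGIN CERTIFICATE-----
MIIBeDCCAR6gAwIBAgIQcOnvOyWdUuUqpLsMNL5tiDAKBggqhkjOPQQDAjAcMRow
GAYDVQQDExFnaWdhbnRpYy5pbnRlcm5hbDAeFw0yMjExMjUxMzI5MzBaFw0yMzAy
MjMxMzI5MzBaMBwxGjAYBgNVBAMTEWdpZ2FudGljLmludGVybmFsMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEOl9V9jyNQGa/sU3u1u/+aJzwd3QsqcX+6yRX+x5T
JCJu42JGr5SMS/ADKZ4r1jJlR1VaOVQc44qFcr32uukxGKNCMEAwDgYDVR0PAQH/
BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOuLlRMgSfzNiufdQobp
dvsOy3pYMAoGCCqGSM49BAMCA0gAMEUCIQCMrhseZjoIBbgrWfQN9zmyZLgNj16H
9jxviHyTKRt0wwIgDSuGg5D7k2ui24RB7cOqCn+XURTuHGeWfmq2nnLLrPQ=
-----END CERTIFICATE-----`

// setProxyEnv stands in for the variables the MC injects into each pod.
// proxy.internal:3128 and the NO_PROXY list used by main() are assumptions.
func setProxyEnv(httpProxy, httpsProxy, noProxy string) {
	os.Setenv("HTTP_PROXY", httpProxy)
	os.Setenv("HTTPS_PROXY", httpsProxy)
	os.Setenv("NO_PROXY", noProxy)
}

// proxyFor returns the proxy net/http would use for rawURL under the current
// environment, or "" for a direct connection. Caveat: ProxyFromEnvironment reads
// the variables once per process, so they must exist when the container starts.
func proxyFor(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	p, err := http.ProxyFromEnvironment(&http.Request{URL: u})
	if err != nil || p == nil {
		return "", err
	}
	return p.String(), nil
}

// trustedPool returns the OS roots plus the private CA, and the parsed CA
// certificate for inspection. Non-CA or malformed input is rejected.
func trustedPool(caPEM string) (*x509.CertPool, *x509.Certificate, error) {
	block, _ := pem.Decode([]byte(caPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, nil, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	if !cert.IsCA {
		return nil, nil, fmt.Errorf("%s is not a CA certificate", cert.Subject.CommonName)
	}
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no OS store available: private CA only
	}
	pool.AddCert(cert)
	return pool, cert, nil
}

// newClient is the client shape a proxy-aware agent wants: proxy picked per request
// from the environment, private CA trusted explicitly instead of InsecureSkipVerify.
func newClient(caPEM string) (*http.Client, error) {
	pool, _, err := trustedPool(caPEM)
	if err != nil {
		return nil, err
	}
	return &http.Client{Transport: &http.Transport{
		Proxy:           http.ProxyFromEnvironment,
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}, nil
}

func main() {
	setProxyEnv("http://proxy.internal:3128", "http://proxy.internal:3128",
		".svc,.cluster.local,169.254.169.254,10.0.0.0/8")
	for _, target := range []string{
		"https://github.com/giantswarm",                    // public: via proxy
		"https://prometheus-operated.monitoring.svc:9090/", // in-cluster: direct
		"http://169.254.169.254/latest/meta-data/",         // IMDS: direct
		"https://10.12.0.5/",                               // VPC range: direct
		"https://localhost:8080/metrics",                   // loopback: never proxied
	} {
		p, err := proxyFor(target)
		fmt.Printf("%-50s -> %q %v\n", target, p, err)
	}
	if _, cert, err := trustedPool(gigaCA); err == nil {
		fmt.Println("CA:", cert.Subject.CommonName, "expires", cert.NotAfter.Format("2006-01-02"))
	}
}
```

Two points worth checking in any component being tested on goat: NO_PROXY must cover in-cluster service names, the VPC ranges and the IMDS address, or the proxy will see (and can block) traffic that was never meant to leave the cluster; and because the environment is read once per process, a proxy change requires a pod restart, not just an edited ConfigMap.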

@TheoBrigitte TheoBrigitte moved this from Near Term (1-3 months) to Mid Term (3-6 months) in Roadmap Dec 6, 2022
@TheoBrigitte TheoBrigitte self-assigned this Dec 6, 2022
@puja108 puja108 moved this from Mid Term (3-6 months) to Ready Soon (<4 weeks) in Roadmap Feb 9, 2023
@QuentinBisson

@TheoBrigitte are we done here?

@TheoBrigitte

Yes we are done here.

@github-project-automation github-project-automation bot moved this from Ready Soon (<4 weeks) to Released 🎉 in Roadmap Mar 20, 2023