[NE-27439] public facing nginx ingress protected by fastly#1
b0087f2 to b6fb5fc
b6fb5fc to e6840d1
Adding @alexmolev for visibility on the WAF effort.

PR tested to deploy fine with:

```
helm upgrade -i saas-manager cloudify-manager-worker -n saas-manager -f cloudify-manager-worker/values.saas_manager.dev.yaml --set nginx.fastly.accesskeyid=c58a1da9-9504-4600-bc98-170b7c665347 --set nginx.fastly.secretaccesskey=hxEt8ReHbqGVrxgj6tMlu3JIy8aWR03m91l5viZ4RRw
```

using pre-deployed secrets (not using terragrunt templating, just helm).

Issues to pick up on now, related to the nginx code and fastly: the Fastly container inside the cloudify manager pod comes up with RPC listen:

```
2024/04/14 16:23:45.614904 Signal Sciences Agent 4.53.0 starting as user sigsci with PID 1, Max open files=65535, Max data size=unlimited, Max address space=unlimited, Max stack size=8388608
```

but the Fastly managed service does not get nor list the requests to the manager pod.

I have kept k8s-secrets encrypted; please decrypt first with sops to use and test.
e6840d1 to 8c2ccc4
Just started to review, but it looks like I don't have enough context for the purpose of this.
I have a couple of general questions before we can proceed:
- Why do we need this fork from the community cloudify chart? Not sure if we support it.
- Why does the community cloudify chart need fastly? Pretty sure we are not using it in any of our internal installations.
- I see dev/test/prod values there with hosts like "saas-manager.pub.nativeedge.dell.com" inside, but I'm pretty sure we are not using this chart for saas-manager. Was something changed?
- This is a public repo, so we need to be extremely wary about anything committed inside it. Even if it is not formally secret data, it is better not to leak any information about our internal infrastructure (like the AWS account id) if possible.
| @@ -0,0 +1,109 @@ | |||
| apiVersion: ENC[AES256_GCM,data:cUQ=,iv:hy/ZdP1le16X3DmD82wU1ESBUsmlVfWwtgDrl6QQyfs=,tag:tjK4GQ0ZpbkT4jsbJR6ICA==,type:str] | |||
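Review bot: the `apiVersion` value in this new 109-line file is a sops `ENC[AES256_GCM,...]` blob, so the manifest is a sops-encrypted file rather than something helm can render; helm will either choke on the ciphertext or ship it verbatim into the release, and a sops file also carries its own key metadata next to the ciphertext. Suggest dropping the encrypted manifest from the chart and having the template reference a Secret created out of band (a `secretKeyRef` to a name taken from values), with the sops-managed material kept in the deployment repo rather than in this public chart.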
We should not use things like this inside the helm chart. If you want to encrypt something using a 3rd-party tool, you need to do it in override values outside the chart.
Also, this is a public repo; even if we have the secrets encrypted, some information from this file should not be publicly available, like the AWS KMS ARN, which includes the AWS account ID (non-secret, but can be used to reduce the attack surface).
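As an added illustration of the reviewer's point (this is example configuration written for this review, not code from this PR or from the cloudify chart), the pattern below keeps the credential out of the chart entirely: the chart template only references a Kubernetes Secret by name, and that name comes from a values override that lives outside the public repository. The value keys `nginx.fastly.enabled` and `nginx.fastly.existingSecret`, the Secret key names `accesskeyid` / `secretaccesskey`, the template path and the container image tag are assumptions for this example; `SIGSCI_ACCESSKEYID` and `SIGSCI_SECRETACCESSKEY` are the Signal Sciences agent's documented environment variables.

```yaml
# File 1: values.override.yaml (assumed name), kept OUTSIDE the public chart
# repo, e.g. in the sops/terragrunt-managed deployment repo. Nothing in it is
# secret: it only names the Secret the operator created out of band.
nginx:
  fastly:
    enabled: true
    existingSecret: saas-manager-sigsci   # created with kubectl/sops beforehand, never committed

# File 2: fragment of templates/deployment.yaml (assumed path). The chart never
# carries a credential or a ciphertext, only a reference; `required` makes the
# render fail early if the operator forgot to point at a Secret.
{{- if .Values.nginx.fastly.enabled }}
        - name: sigsci-agent
          image: signalsciences/sigsci-agent:latest   # placeholder tag for the example
          env:
            - name: SIGSCI_ACCESSKEYID
              valueFrom:
                secretKeyRef:
                  name: {{ required "nginx.fastly.existingSecret must be set" .Values.nginx.fastly.existingSecret }}
                  key: accesskeyid
            - name: SIGSCI_SECRETACCESSKEY
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.nginx.fastly.existingSecret }}
                  key: secretaccesskey
{{- end }}
```

With this split, the Secret itself is created from the decrypted sops material in the private deployment pipeline (for example `kubectl create secret generic saas-manager-sigsci --from-literal=accesskeyid=... --from-literal=secretaccesskey=...`), and the helm invocation only needs `-f values.override.yaml`; no `--set` with a live key on the command line, where it would land in shell history and in the release's stored values.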
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: sigsci.fusion |
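Review bot: the Secret name `sigsci.fusion` is hard-coded rather than derived from the release name or a value, so two releases of the chart in one namespace would collide on the same object, and a product-specific name is baked into what is presented as a community chart. Suggest `name: {{ .Values.nginx.fastly.secretName }}` (or the chart's fullname helper with a `-sigsci` suffix, if it has one), and, given that the credential is meant to be pre-deployed, consider not templating the Secret in the chart at all and only referencing it by name.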
Why "fusion" if it is community cloudify?
…fastly
need help on secrets