
Comments (15)

agahchen commented on August 24, 2024

Part of epic #172.

from platform-services.

StevenBarre commented on August 24, 2024

Ready when you are. Just name a date/time you'd like this applied.

Needs a PR to https://github.com/bcgov-c/devops-platform-operations-docs/blob/master/custom-projects/RSBC.md as well.

agahchen commented on August 24, 2024

Great, I will confirm the date and time.

FYI I don't have access to the devops-platform-operations-docs repo. Let me know if you'd like me to create a PR. I think I will need view access to it. I'm already in the bcgov-c org.

jefkel commented on August 24, 2024

@agahchen, @mitovskaol this looks like an extension (to production) of a specific security initiative that leveraged Aporeto for intra-namespace policy controls. With Aporeto currently disabled in the Pathfinder cluster, joining the namespaces would remove the existing intra-namespace security controls, with no replacement available.

Related issues:
#426
#210

Is there a documented design in place to push this initiative forward without the additional security policies available through Aporeto that I'm not aware of?

agahchen commented on August 24, 2024

Hi @sbarre-esit, we're ready to apply this in the jik2hd-prod environment on May 14 (tomorrow). I've scheduled a time with you for May 14 @ 3:30pm. Let me know if this will work for you.

I've booked 1/2 hr for the following tasks:

  • Steve to update VLAN config for jik2hd-prod and iowaey-prod
  • Steve to update jik2hd-prod static egress IP
  • Ayo (RSI ops lead) to verify that the production environment is back to a functioning state.
  • Steve to assist with troubleshooting / reverting the changes if required

FYI @vesselofgold (Ayo).

Thank you,
David

StevenBarre commented on August 24, 2024

> Let me know if this will work for you.

It does.

oc get netnamespaces | grep -E "jik2hd|iowaey" | grep prod
oc adm pod-network join-projects --to=jik2hd-prod iowaey-prod
oc get netnamespaces | grep -E "jik2hd|iowaey" | grep prod
oc patch netnamespace jik2hd-prod -p '{"egressIPs": ["142.34.143.190"]}'
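
Added example, not part of the original thread: a check for the before/after `oc get netnamespaces` steps above, reporting which projects share a NETID and therefore have joined pod networks. It assumes the NAME / NETID / EGRESS IPS listing; the sample rows and NETID values are constructed, and `joined_groups` and `is_joined` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: group projects by NETID from `oc get netnamespaces` output.
# Projects that share a NETID have joined pod networks (no isolation between them).

# Constructed sample listing (NETID values are made up for illustration).
sample_after_join() {
cat <<'EOF'
NAME            NETID      EGRESS IPS
default         0          []
iowaey-prod     4711203    []
iowaey-test     9120334    []
jik2hd-prod     4711203    [142.34.143.190]
jik2hd-test     1583920    []
EOF
}

# joined_groups (hypothetical helper): reads a netnamespaces listing on stdin
# and prints one line per NETID used by more than one project:
#   <netid> <project>,<project>,...
# NETID 0 (global projects) is skipped because it is not a join group.
joined_groups() {
  awk '
    NR == 1 && $1 == "NAME" { next }      # skip the header row if present
    NF < 2 || $2 !~ /^[0-9]+$/ { next }   # ignore malformed rows
    $2 == "0" { next }
    {
      count[$2]++
      members[$2] = (members[$2] == "" ? $1 : members[$2] "," $1)
    }
    END {
      for (id in count) if (count[id] > 1) print id, members[id]
    }
  ' | sort
}

# is_joined A B: succeeds only if both projects appear in the same group.
is_joined() {
  joined_groups | awk -v a="$1" -v b="$2" '
    { n = split($2, m, ","); fa = 0; fb = 0
      for (i = 1; i <= n; i++) { if (m[i] == a) fa = 1; if (m[i] == b) fb = 1 }
      if (fa && fb) found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Live use (assumes a logged-in oc session): oc get netnamespaces | joined_groups
sample_after_join | joined_groups
```

Run periodically, the same listing gives a reviewable record of every project pair whose network isolation has been removed by a join.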

mitovskaol commented on August 24, 2024

As discussed with @agahchen, RoadSafetyBC will re-confirm their decision to implement the connection between the namespaces in the absence of Aporeto protection and will work with @sbarre-esit to pick a time to implement the change in production.

agahchen commented on August 24, 2024

Hi @mitovskaol and @sbarre-esit, we have completed our internal discussion last week with endorsement from Jennifer Dowd to go forward with this request. FYI, there are two alternative options identified in our design decision ticket JHI-1355 (Approach to enabling and securing the Hub to BI API connection in PROD without Aporeto on OpenShift 3 Platform (for RSI-1402)), but this is the preferred option. I can forward a copy of our design decision ticket to you if required.

We are hoping to implement this production change as soon as possible. I've scheduled a half-hour block with Steve (cc Olena) for 4pm today (May 26). Let me know if there's a scheduling conflict. We will require Steve's availability to apply the change and to be available until we can verify that production is back to operating mode.

Thanks,
David

mitovskaol commented on August 24, 2024

Thank you for the update @agahchen

mitovskaol commented on August 24, 2024

@sbarre-esit can you please confirm that 4pm today works for you?

StevenBarre commented on August 24, 2024

Confirmed

agahchen commented on August 24, 2024

Great, thank you both. Chat with you at 4pm @sbarre-esit via Skype. We can begin once our production system has been gracefully stopped.

agahchen commented on August 24, 2024

This has been completed and validated successfully. Thank you @sbarre-esit.

StevenBarre commented on August 24, 2024

Protip for the future, remove the externalIP from the project before joining, then add back to both projects after, else OCP gets confused.

StevenBarre commented on August 24, 2024

Completed
