[spike: 5d] Demonstrate AppMesh working with TLS end-to-end (with nodes) #3123

mogul · 2021-04-21T18:06:58Z

User Story

In order to evaluate whether the AWS AppMesh option is viable for implementing pod-to-pod TLS, the data.gov team wants to spend up to 5 days implementing the AWS-documented example.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

GIVEN we have spent 3 days of effort here
WHEN we discuss the outcome
THEN we know whether we should try spiking on other options instead.

Background

See issue GSA-TTS/datagov-brokerpak-eks#8

Security Considerations (required)

None, this is a spike... Outcome is not expected to be in production-ready condition.

Sketch

[Notes or a checklist reflecting our understanding of the selected approach]

Walk through deploying the yelb example (skipping Step 5 since we don't care about traffic-shaping).
Add certificate management/TLS
- Demonstrate non-TLS traffic into the AppMesh gateway (using NLB or ALB, whatever works; no longer have ALB controller, no longer have ingress-nginx)
- Add TLS to the load-balancer.

mogul · 2021-04-30T00:26:16Z

@srinirei said:

I pushed the code to a new branch appmesh-eks-nlb and created the script in terraform folder with the name "script-eks-appmesh-nlb.sh". Please checkout and let me know if you have any questions.

mogul · 2021-04-30T17:08:04Z

@chris-macdermaid said:

I was able to walk through the script and get the app stood up with Route53 and the NLB. For the most part, there weren't any issues except the namespace on line 207 which should be yelb instead of yelb-appserver and I ran into an issue attaching the GatewayRoute to the yelb-ui virtual service with kubectl, but was able to do it in the UI. To not have to tear down the working version, I ran this in a sandbox where I had some leftover credits. https://appmesh-getting-started-eks.cm-data-management.com/

@srinirei said:

Thank you Chris for the confirmation. I have corrected the namespace. I will be adding the Fargate version soon.

mogul · 2021-04-30T17:28:22Z

Further work with AppMesh picks up in this issue from here out.

mogul assigned chris-macdermaid and srinirei Apr 21, 2021

mogul changed the title ~~[spike: 3d] Strip nginx-ingress out of the EKS ingress path~~ [spike: 3d] Demonstrate AppMesh working with Fargate (simplest case) Apr 28, 2021

mogul changed the title ~~[spike: 3d] Demonstrate AppMesh working with Fargate (simplest case)~~ [spike: 3d] Demonstrate AppMesh working with TLS end-to-end (with nodes) Apr 28, 2021

mogul changed the title ~~[spike: 3d] Demonstrate AppMesh working with TLS end-to-end (with nodes)~~ [spike: 5d] Demonstrate AppMesh working with TLS end-to-end (with nodes) Apr 28, 2021

mogul mentioned this issue Apr 28, 2021

[spike:Xd] Demonstrate AppMesh working with Fargate #3169

Closed

1 task

mogul added this to the Sprint 20210429 milestone Apr 29, 2021

mogul closed this as completed Apr 30, 2021

mogul added this to data.gov team board Dec 4, 2021

mogul moved this to Done in data.gov team board Dec 4, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[spike: 5d] Demonstrate AppMesh working with TLS end-to-end (with nodes) #3123

[spike: 5d] Demonstrate AppMesh working with TLS end-to-end (with nodes) #3123

mogul commented Apr 21, 2021 •

edited

Loading

mogul commented Apr 30, 2021

mogul commented Apr 30, 2021

mogul commented Apr 30, 2021

[spike: 5d] Demonstrate AppMesh working with TLS end-to-end (with nodes) #3123

[spike: 5d] Demonstrate AppMesh working with TLS end-to-end (with nodes) #3123

Comments

mogul commented Apr 21, 2021 • edited Loading

User Story

Acceptance Criteria

Background

Security Considerations (required)

Sketch

mogul commented Apr 30, 2021

mogul commented Apr 30, 2021

mogul commented Apr 30, 2021

mogul commented Apr 21, 2021 •

edited

Loading