Closed Bug 1525746 Opened 7 years ago Closed 7 years ago

Create a IP-restricted internet-facing Zeus vserver for ship-it

Categories: Infrastructure & Operations :: Infrastructure: Other
Type: task
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: ericz, Assigned: ashish

As per https://bugzilla.mozilla.org/show_bug.cgi?id=1520588#c8, Releng wants a way to talk to ship-it.mozilla.org from AWS. Ship-it is behind VPN currently, fronted by the internal Zeus cluster, so to satisfy this I think we'd need an internet-facing Zeus vserver on the external cluster with a protection class or similar that restricts access to the single specified IP.

See Also: → 1520588

Do we need to have separate settings for the prod (ship-it.mozilla.org) and dev (ship-it-dev.allizom.org) instances?

FWIW, the shipitv2 production environment will need to talk to shipitv1 from a separate IP from the one I provided, so we'll need two IPs to be whitelisted.

I'm ready to turn this on. Before I do, I have some questions:

  1. Does ship-it-mdc1.mozilla.org sound good? We can't use ship-it.mozilla.org, since that's already in internal DNS. Best I know, we don't do split views for the same host.
  2. Could you provide the IPs that need to be whitelisted?
  3. This change will open up an internal service to the internet (IP-restricted, but external nevertheless). Before we do that, can we get a go-ahead from EIS to ensure the new risk is covered?

Thanks!

Assignee: infra → ashish
Status: NEW → ASSIGNED

(In reply to Ashish Vijayaram [:ashish] from comment #3)

> I'm ready to turn this on. Before I do, I have some questions:
>
>   1. Does ship-it-mdc1.mozilla.org sound good? We can't use ship-it.mozilla.org, since that's already in internal DNS. Best I know, we don't do split views for the same host.

I think that should be fine, we can change what the script talks to. :rail can you confirm?

>   2. Could you provide the IPs that need to be whitelisted?

Of course.

35.197.23.59 will be the source of traffic coming from our non-production environment.
35.233.228.88 will be the source of traffic coming from our production environment.

>   3. This change will open up an internal service to the internet (IP-restricted, but external nevertheless). Before we do that, can we get a go-ahead from EIS to ensure the new risk is covered?

Not sure who the point of contact is in EIS, but SecOps should probably okay this too. :ulfr is this okay?

Thanks!

Flags: needinfo?(rail)
Flags: needinfo?(jvehent)
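The two source addresses above are the whole allowlist for the new vserver, so the check that matters after it goes live is whether anything outside that list ever gets served. The following is an added example, not code from this bug or from Mozilla's Zeus configuration: a small source-IP allowlist check plus an audit pass over access-log lines. The log format (timestamp, client IP, HTTP status, method, path) and the log lines are constructed for the example; only the two IPs come from comment 4.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Source IPs from comment 4 of the bug; anything else must be refused.
ALLOWLIST = ["35.197.23.59", "35.233.228.88"]


def compile_allowlist(entries: Iterable[str]):
    """Turn plain IPs or CIDR strings into network objects.

    A bare address becomes a /32 (IPv4) or /128 (IPv6) network, so single
    hosts and ranges can be mixed in the same list.
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_allowed(src_ip: str, nets) -> bool:
    """True only if src_ip parses and falls inside an allowlisted network.

    Unparseable input is denied instead of raising, so garbage in the
    client-address field can never fall through as "allowed". An IPv4-mapped
    IPv6 address (::ffff:a.b.c.d) is a different address family and does not
    match an IPv4 entry; list it explicitly if the front end can see one.
    """
    try:
        addr = ipaddress.ip_address(src_ip.strip())
    except ValueError:
        return False
    return any(addr in n for n in nets if n.version == addr.version)


# Constructed sample access-log lines (hypothetical format:
# timestamp client_ip status method path). 198.51.100.0/24 is documentation space.
SAMPLE_LOG = """\
2019-02-06T10:00:01Z 35.197.23.59 200 GET /api/releases
2019-02-06T10:00:02Z 35.233.228.88 200 POST /api/releases/1
2019-02-06T10:00:03Z 198.51.100.7 403 GET /api/releases
2019-02-06T10:00:04Z 198.51.100.7 200 GET /api/releases
2019-02-06T10:00:05Z not-an-ip 200 GET /
"""


def audit_log(lines: Iterable[str], nets) -> List[Tuple[str, str, int]]:
    """Return (timestamp, client_ip, status) for every request that was served
    (status below 400) from a source outside the allowlist.

    A 403 from an unknown source is the restriction doing its job and is not
    reported; an empty result means the allowlist held for this log.
    """
    leaks = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, status = parts[0], parts[1], parts[2]
        try:
            code = int(status)
        except ValueError:
            continue
        if code < 400 and not is_allowed(client, nets):
            leaks.append((ts, client, code))
    return leaks


if __name__ == "__main__":
    nets = compile_allowlist(ALLOWLIST)
    for leak in audit_log(SAMPLE_LOG.splitlines(), nets):
        print("served a non-allowlisted source:", leak)
```

Run against the real vserver's access log, any line the audit reports is a request that bypassed the protection class and should be investigated; the expected steady state is no output at all.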

I was slightly confused by comment 0, but :autrilla clarified: this flow is for ship-it v2, hosted in GCP, to talk to ship-it v1, hosted in mdc1, to complete the migration from v1 to v2. It will be closed as soon as ship-it v1 is decommissioned.

r+

Flags: needinfo?(jvehent)

(In reply to Adrian Utrilla [:autrilla] from comment #4)

> (In reply to Ashish Vijayaram [:ashish] from comment #3)
>
> > I'm ready to turn this on. Before I do, I have some questions:
> >
> >   1. Does ship-it-mdc1.mozilla.org sound good? We can't use ship-it.mozilla.org, since that's already in internal DNS. Best I know, we don't do split views for the same host.
>
> I think that should be fine, we can change what the script talks to. :rail can you confirm?

WFM. We can change the DNS when we retire ship-it v1.

Flags: needinfo?(rail)

Alright, this is ready - ship-it-mdc1.mozilla.org. Access is restricted to the two IPs in Comment 4.

Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED