Expose Scan:: registry/token: Change istio authorization policies to allow traffic to the registry endpoints #5970
Conversation
[ci] Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
[backport] Reminder: Please consider backporting to the following branches:
And your PR is currently against base branch: main. Note: Any PR comment containing [backport] will be considered for auto-backporting upon merge.
```yaml
)
muteTimeIntervals: [ ]
cloudArmor:
  enabled: false
```
when should this be changed?
```diff
-    maxRequestsBeforeHttp429: 0
+    maxRequestsBeforeHttp429: 0 # Keeps scan completely closed to the public
   tokenRegistry:
     hostname: scan.sv-2.scratcha.global.canton.network.digitalasset.com
```
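Review bot: the new comment on `maxRequestsBeforeHttp429: 0` claims that 0 keeps scan closed to the public, but nothing in the hunk shows that the consumer of this field treats 0 as deny-all rather than as "no limit configured", which is how several rate-limit implementations read a zero. Confirm the semantics in the template that renders this value and, if the intent is to block all public traffic, prefer an explicit setting (a boolean or a documented sentinel) over a 0 whose meaning depends on the backend.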
what should we set here / or should this be set in pulumi dynamically?
hardcoding definitely won't work, so either you get rid of the need to set it or you need to set it from pulumi
```yaml
    maxTokens: 10
    tokensPerFill: 5
    fillInterval: 60s
  /registry/allocations/v1:
```
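Review bot: the per-path bucket here (`maxTokens: 10`, `tokensPerFill: 5`, `fillInterval: 60s`) does not say what it is keyed on, and the numbers cannot be judged without that. If the bucket is shared across all clients, 5 requests per minute for `/registry/allocations/v1` will starve legitimate wallets as soon as two of them poll; if it is per client IP, it is bypassed by spreading requests over addresses. State the key explicitly in the config (or the file's comments) next to these values.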
hm a bit unfortunate that we need to list all endpoints individually here. iirc we had some safeguards somewhere that ensures that we don't miss endpoints, can we extend them to cover this. In particular I'd like to avoid that we break this for token std v2.
ah I see you've done that below already
```yaml
  pathPrefix: /registry
  throttleAcrossAllEndpointsAllIps:
    withinIntervalSeconds: 60
    maxRequestsBeforeHttp429: 200
```
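Review bot: `throttleAcrossAllEndpointsAllIps` with `maxRequestsBeforeHttp429: 200` per 60s is a single counter shared by every client, so any party able to send 200 requests a minute to anything under `/registry` locks everyone else out for the rest of the window. A cap keyed on all IPs should be a backstop set well above the expected aggregate load, paired with a per-IP limit that trips first; as written, the global limit is the one most likely to fire, and it fires for the wrong client.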
what number do we currently get on the prod clusters? we need to make sure this is not lower than what people already expect.
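A simulation of the two throttles configured in this PR, added here as an example and not code from the PR or the project. It models the per-path token bucket (`maxTokens`, `tokensPerFill`, `fillInterval`) with Envoy local rate-limit semantics (bucket starts full, one token per request, `tokensPerFill` added once per `fillInterval`, capped at `maxTokens`) and the global `throttleAcrossAllEndpointsAllIps` fixed window. Keying the per-path bucket per client IP, checking the global window before the bucket, and rejecting paths outside the allow-list with 403 are assumptions; the config dicts and request traces are constructed. The second scenario shows why a cap shared across all IPs needs care: 200 unrelated clients spend the window and a legitimate client gets 429 without ever touching its own bucket.

```python
"""Simulate the two throttles configured in this PR's YAML.

Added example, not code from the PR or the project. It models:
  * a per-path token bucket (maxTokens / tokensPerFill / fillInterval) with
    Envoy local rate-limit semantics: the bucket starts full, every request
    consumes one token, and tokensPerFill tokens are added once per
    fillInterval, never exceeding maxTokens;
  * the global fixed-window cap (throttleAcrossAllEndpointsAllIps:
    maxRequestsBeforeHttp429 within withinIntervalSeconds), shared by every
    client IP and every path.
Assumptions (not stated in the PR): the per-path bucket is keyed per client
IP and path, the global window is checked first, and a path missing from the
allow-list is rejected with 403 by the authorization policy.
"""


def parse_duration(value: str) -> float:
    """Parse a duration such as '60s', '500ms' or '5m' into seconds."""
    units = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}
    for suffix in sorted(units, key=len, reverse=True):  # try 'ms' before 's'
        if value.endswith(suffix):
            return float(value[: -len(suffix)]) * units[suffix]
    raise ValueError(f"unsupported duration: {value!r}")


class TokenBucket:
    """Envoy-style token bucket: starts full, refills tokensPerFill per interval."""

    def __init__(self, max_tokens: int, tokens_per_fill: int, fill_interval: float):
        self.max_tokens = max_tokens
        self.tokens_per_fill = tokens_per_fill
        self.fill_interval = fill_interval
        self.tokens = max_tokens  # bucket starts full
        self.last_fill = 0.0

    def allow(self, now: float) -> bool:
        fills = int((now - self.last_fill) // self.fill_interval)
        if fills > 0:  # add tokens for every whole interval that has elapsed
            self.tokens = min(self.max_tokens, self.tokens + fills * self.tokens_per_fill)
            self.last_fill += fills * self.fill_interval
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


class FixedWindow:
    """Global counter: at most max_requests per aligned window, regardless of client."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.window_index = -1
        self.count = 0

    def allow(self, now: float) -> bool:
        index = int(now // self.window_seconds)
        if index != self.window_index:  # new window: reset the shared counter
            self.window_index = index
            self.count = 0
        if self.count < self.max_requests:
            self.count += 1
            return True
        return False


def simulate(requests, per_path_cfg, global_cfg):
    """requests: iterable of (seconds, client_ip, path). Returns HTTP statuses."""
    window = FixedWindow(global_cfg["maxRequestsBeforeHttp429"], global_cfg["withinIntervalSeconds"])
    buckets = {}
    statuses = []
    for now, ip, path in requests:
        cfg = per_path_cfg.get(path)
        if cfg is None:
            statuses.append(403)  # assumption: path not in the allow-list is denied by the policy
            continue
        if not window.allow(now):
            statuses.append(429)  # global cap hit, whoever spent it
            continue
        key = (ip, path)  # assumption: bucket keyed per client IP and path
        if key not in buckets:
            buckets[key] = TokenBucket(cfg["maxTokens"], cfg["tokensPerFill"], parse_duration(cfg["fillInterval"]))
        statuses.append(200 if buckets[key].allow(now) else 429)
    return statuses


# Constructed config mirroring the values shown in the PR snippets.
PER_PATH = {"/registry/allocations/v1": {"maxTokens": 10, "tokensPerFill": 5, "fillInterval": "60s"}}
GLOBAL = {"maxRequestsBeforeHttp429": 200, "withinIntervalSeconds": 60}
PATH = "/registry/allocations/v1"


def burst_demo():
    """One client bursts 12 requests, waits one fill interval, then sends 6 more."""
    reqs = [(0.0, "198.51.100.7", PATH)] * 12 + [(60.0, "198.51.100.7", PATH)] * 6
    return simulate(reqs, PER_PATH, GLOBAL)


def noisy_neighbour_demo():
    """200 distinct IPs each send one request; a legitimate client then gets 429 until the next window."""
    reqs = [(i * 0.1, f"192.0.2.{i}", PATH) for i in range(200)]
    reqs += [(30.0, "198.51.100.7", PATH), (60.0, "198.51.100.7", PATH)]
    return simulate(reqs, PER_PATH, GLOBAL)


if __name__ == "__main__":
    print("burst:", burst_demo())
    print("legitimate client after 200 strangers, then next window:", noisy_neighbour_demo()[-2:])
```

Running the burst scenario shows 10 successes, two 429s, then five more successes after the 60s refill and a 429 on the sixth; the second scenario shows the legitimate client rejected at t=30 and admitted at t=60 when the global window resets. Lowering the constructed values is an easy way to reproduce the 429 path in a test, as suggested later in the review.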
```yaml
    maxTokens: 10
    tokensPerFill: 5
    fillInterval: 60s
  /registry/allocations/v1:
```
you're adding this to v0-acs.yaml. probably want a separate file instead, this is not about acs endpoints
```yaml
  throttleAcrossAllEndpointsAllIps:
    maxRequestsBeforeHttp429: 0
    withinIntervalSeconds: 60
  tokenRegistry:
```
you're enabling a global cloud armor limit but cloud armor is disabled. I was expecting we try to solve this in istio for now, is that not an option?
try setting the limit low enough that you can easily trigger it during testing and see that you trigger it
Fix #5946