https for internal dashboards and Grafana

[JSACol]

The RT dashboards and grafana instances currently communicate using http, but require authentication for login.

This presents a little bit of a security issue as the open nature of http means it is possible for any actor on the network in question to snoop the login credentials and gain access to the RT control dashboards.

We propose a change to https in order to mitigate some of these issues. This will require installation of certificates in the flask servers.

Cheers
Joakim

[iszulcdeepsense]

As I think about it, the best practice seems to be implementing HTTPS at the system's first public entry point, while allowing internal apps to run on HTTP. This approach, known as TLS termination, ensures that all externally exposed applications use HTTPS while keeping internal apps simple and independent.
For Kubernetes, you can see an example of how to set this up here: https://kubernetes.github.io/ingress-nginx/examples/tls-termination/.
This way, it separates concerns into 2 tasks: handling TLS termination at the edge and maintaining straightforward HTTP communication internally at Racetrack.
Using HTTPS throughout the entire system from the start wouldn't be as straightforward, as it requires a legitimate HTTPS certificate (with a correct renewal process) for a registered DNS domain, which complicates local testing or even makes it impossible.
Instead, I'm more inclined to keep this responsibility outside of Racetrack, as it is the common problem.

[JSACol]

I see your point @iszulcdeepsense

However a castle is only as secure as its weakest gate - and big castles have lots of openings in weird places.

Here we share a single VPN between several countries and hundreds of non technical users. This gives our Cybersecurity department a bit of a headache.

Perhaps one way of hardening this would be to isolate the relevant containers in a separate network which would only be accessible through a direct ssh tunnel with specific port forwarding so the services are not exposed on our network at large...

Cheers
Joakim

[LookACastle]

If the issue here is the certificate, would it make it simpler if Racetrack gave up on handling the certificate (basically saying that that's the racetrack operators job), and instead was able to use a certificate it was given? So Racetrack can simply say "I can see that you've given me a certificate" on startup, start in https mode with that certificate naively, and offload all the work with CA's and the certificate covering the correct things, to the operators.

Is that even technically feasible? I feel like it should be...

[iszulcdeepsense]

Right. The best way to do it is to assume the certificate was given, then we can direct users to a place where it needs be placed in Racetrack. I may create a tutorial document explaining how to do this for the third-party tools we're using. Since we rely heavily on the external tools like Grafana, it makes sense to refer to their official documentation.