Merge pull request #2052 from weather-gov/jt/api-interop-layer-privat…

…e-comms api interop layer: setup private comms
weather-gov · Nov 7, 2024 · 6002509 · 6002509
2 parents baf28a4 + c788b9e
commit 6002509
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 2 deletions.
diff --git a/docs/dev/api-interop-layer.md b/docs/dev/api-interop-layer.md
@@ -31,3 +31,34 @@ needed in order to render a location forecast.
 Flow diagram of how it works:
 
 ![](diagrams/interop-layer-point.png)
+
+## Production setup
+
+By default, dev instances of the API interop layer are public. If we wish to
+make the API interop layer private (that is, not accessible from outside) for a
+given environment, then we have to set up [secure container-to-container
+networking](https://cloud.gov/docs/management/container-to-container/#configuring-secure-container-to-container-networking)
+on cloud.gov.
+
+First, we want to make the API interop layer accessible internally via `apps.internal`:
+
+    cf map-route api-weathergov-$NAME apps.internal --hostname api-weathergov-$NAME
+
+And tunnel all internal access via TCP port 61443 (SSL/TLS).
+
+    cf add-network-policy weathergov-$NAME api-weathergov-$NAME --protocol tcp --port 61443
+
+Optionally, you may want to unmap and/or remove the older route if extant:
+
+    cf unmap-route api-weathergov-$NAME app.cloud.gov --hostname api-weathergov-$NAME
+    cf delete-orphaned-routes # or delete the route explicitly
+
+Finally, configure the manifest.yml with the appropriate settings. The interop
+layer should have its `route` set to `api-weathergov-$NAME.apps.internal`, while
+the Drupal instance should have the environment variable `API_INTEROP_URL` set
+to the tunneled port: `https://api-weathergov-$NAME.apps.internal:61443`.
+
+To confirm that secure container-to-container networking is properly set up, you
+can `cf ssh` in the instance, make sure `$API_INTEROP_URL` is updated to use
+port 61443, and then `curl -v $API_INTEROP_URL`. This should result in a
+`{"ok":true}` response from the API interop layer.
diff --git a/manifests/manifest-james.yaml b/manifests/manifest-james.yaml
@@ -9,7 +9,7 @@ default_config: &defaults
   env:
     PHP_INI_SCAN_DIR: /home/vcap/app/php/etc/:/home/vcap/app/php/etc/php.ini.d/
     NEWRELIC_LICENSE: ((newrelic-license))
-    API_INTEROP_URL: https://api-weathergov-james.app.cloud.gov
+    API_INTEROP_URL: https://api-weathergov-james.apps.internal:61443
   services:
     - database
     - storage
@@ -48,6 +48,6 @@ applications:
       API_INTEROP_NAME: james
     health-check-type: process
     path: ../api-interop-layer
-    random-route: false
+    route: api-weathergov-james.apps.internal
     services:
       - database