# GSP
---
## What is GSP
* A Kubernetes distribution designed to evolve with the common needs of GDS programmes running digital services.
* A preconfigured suite of components making it easy to adopt best practices of continuous delivery, observability, availability, security.
---
## This Quarter missions...
* Supporting Verify Eidas
* Reducing the amount of stuff we manage
* Developing GSP Local
* Improving our release process
* Planning for GSP in a post "gsp team" world
---
## "manage less"
Migration to EKS-based control-plane
* Much less terraform to maintain!
* Control-plane upgrades!
* Node upgrades from AWS provided AMIs!
---
## "manage less"
Migration to single cluster per-programme
* Significantly less complex; no sharing of config between clusters
* Significantly more user friendly; single grafana for a programme, single authentication setup etc
---
## "manage less"
Use concourse for more
* Dropped our custom fork of Flux (signature checking)
* Improved visibility of deployment rollout to teams
* Simplified access to concourse (gsp namespace == concourse team)
---
## "manage less"
Switched from cert-manager to ACM
* No need to run cert-manager (let's encrypt component)
* Arrg `Ctl+Z` `Ctl+Z` DCS will need mutual TLS support!!!
---
## GSP Local Alpha
* Deploy the full GSP stack to a locally provisioned kubernetes cluster so that people can develop applications/deployment configs without needing a "real" cluster
* Learn more about what users need from their local environments
---
## GSP Local Alpha
* Modified GSP so that we can disable AWS specific bits
* Did some DNS hackery so that you can simulate ingress
* Created a startup script to provision a local cluster
* Exposed an insecure Sandbox HSM for wiring up to local
---
## GSP Local Alpha
...with Kubernetes in Docker (Kind):
* Fast provisioning, stable
* Problems running concourse (docker in garden in docker in docker in VM on OS X)
* Maybe revisit later?
---
## GSP Local Alpha
...with minikube (OS X hyperkit):
* Pretty fast, stable
* Fights with the Cisco AnyConnect client
* But everything works!
* Tested with user research
---
## Release pipeline
The Canary Test:
* Is the docker registry working... canary ok?
* Is the notary/clair working... canary ok?
* Is the concourse working... canary ok?
* Is the ingress routing working... canary ok?
* Is the alert routing working... canary ok?
* Is the prometheus working... canary ok?
---
## Release pipeline
* Log shipping tests:
  * Are pod logs getting shipped to CloudWatch for storage?
* Conformance tests:
  * Is the Kubernetes platform acting as it should?
* Nearly there: New pipeline to produce releases before rolling out to other clusters.
---
## Release pipeline
Closed up holes in our "two-eyes" process
(stop pushing various things to docker hub by hand!)
---
## Supporting Verify Eidas
Migrating deployments to new EKS-based GSP
* 3x clusters -> 1x cluster
* Improved build, release, deploy pipelines
---
## Supporting Verify Eidas
Restricting access
* Decentralize cluster config repos gsp-teams -> verify-cluster-config
* admin/sre/dev roles now configured via git (two-eyes)
* removing aws admin access
---
## Supporting Verify Eidas
Lock. It. Down.
* Migrated our routing system from Nginx to Istio
* Restricting data exfiltration paths
* Mutual TLS / authentication
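As an added illustration (not GSP's own config), one way the last two bullets map onto Istio resources: strict mutual TLS for the namespace, a Sidecar that only permits egress to the mesh and to registered hosts, and a ServiceEntry registering the single external endpoint that is allowed. The namespace `verify-eidas` and host `metadata.example.invalid` are placeholders.

```yaml
# Placeholder namespace; assumes Istio sidecar injection is enabled for it.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: verify-eidas
spec:
  mtls:
    mode: STRICT          # reject plaintext; workloads must present mesh certs
---
# Close off exfiltration paths: traffic to anything not in the registry is dropped.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: verify-eidas
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  egress:
  - hosts:
    - "./*"               # services in this namespace
    - "istio-system/*"    # control plane / egress gateway
---
# The one external host that workloads in the namespace may reach (placeholder).
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: allowed-external
  namespace: verify-eidas
spec:
  hosts:
  - metadata.example.invalid
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
  exportTo:
  - "."                   # visible only to this namespace
```

Any outbound connection from the namespace to a host that is neither in the mesh nor covered by a ServiceEntry is blocked by the sidecar, so adding an egress destination becomes a reviewable change to cluster config rather than a runtime decision.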
---
## Supporting Verify Eidas
Protective monitoring (around HSM)
* Logs, lambdas, lambdas and logs
* Fighting VPC flow logs
---
## Supporting Verify Eidas
Architecture / Consulting / Support
* Helping refactor applications/PKI to conform to the eIDAS spec
* Helping with architecture of "multi-country" node
---
## Supporting Verify Eidas
Automating CloudHSM PKI/metadata
* Automate PKI using non-extractable keys in HSM
* Certificate generation
* Signed SAML metadata XML
---
## Supporting Verify Eidas
* Connected to Netherlands!
---
## GSP CE v1.0.0
"community edition"
### If there won't be a team, who builds the platform?
You do.
We built a great base to build upon, it's now up to all of us to keep it evolving.
---
### Firebreak...
Looking for a firebreak task?... we have some fun issues/spikes:
#### https://github.com/alphagov/gsp