Enable Egressgateway support for Istio
## Description
Enable Egress Gateway support at the Bigbang Umbrella level and add support for all Bigbang packages.
[P1BIGROCKS-2649](https://jira.il2.dso.mil/browse/P1BIGROCKS-2649) - Archived 23/12/29
Enabling Egressgateways for Istio provides several benefits:
* Fine-grained RBAC via `AuthorizationPolicies` for egress traffic
* Ability to force all cluster egress to live on specific nodes in the cluster. This allows better/stricter cloud security groups to be applied to the normal cluster.
## Requirements/Scope
- [ ] Provide the ability to create `egressgateway(s)`. This functionality already exists in the istio package, but an abstraction at the umbrella level is needed, including creation of `Gateway` config CRDs.
- [ ] Per package, allow creation and templating of any number of `ServiceEntry` resources, similar to how the wrapper allows any number of istio resources or extra [NetworkPolicies](https://repo1.dso.mil/big-bang/product/packages/wrapper/-/blob/main/chart/values.yaml#L126). [See previous spike](https://repo1.dso.mil/big-bang/bigbang/-/issues/1386#note_1060674) for what `ServiceEntry` resources would look like. This is satisfied by [this epic](https://repo1.dso.mil/groups/big-bang/-/epics/160).
- [ ] Per package allow creation and templating of any number of egress `VirtualService` resources via `istio.hardened.customServiceEntries` to force use of egressgateways for egress traffic.
- [ ] Abstract the ability to tie service entries to egressgateways at the BigBang level to inject into namespaces for use by packages (similar to existing logic for ingressgateways/gateways).
- [ ] Guide on how to use Egressgateways (i.e., creating `ServiceEntry` & `VirtualService` via `istio.hardened.customServiceEntries` for external FQDN routing to the egressgateway).
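
An added illustration of the routing the guide would cover (not Big Bang's own templates or values schema): plain Istio resources that send HTTPS traffic for one external FQDN through an egress gateway using TLS passthrough. The host `api.example.com`, the namespace `my-package`, the resource names, and the gateway selector label and service name are assumptions.

```yaml
# Added example. All names, the namespace, and the host are assumed placeholders.
# 1. Register the external FQDN in the mesh service registry.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata: {name: ext-api, namespace: my-package}
spec:
  hosts: [api.example.com]
  ports:
  - {number: 443, name: tls, protocol: TLS}
  resolution: DNS
---
# 2. Open port 443 on the egress gateway pods for that host only.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata: {name: egress-ext-api, namespace: my-package}
spec:
  selector: {istio: egressgateway}   # assumed label on the egress gateway pods
  servers:
  - port: {number: 443, name: tls, protocol: TLS}
    hosts: [api.example.com]
    tls: {mode: PASSTHROUGH}         # the gateway routes on SNI, no TLS termination
---
# 3. Two hops: sidecar -> egress gateway, then egress gateway -> external host.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: {name: ext-api-via-egress, namespace: my-package}
spec:
  hosts: [api.example.com]
  gateways: [mesh, egress-ext-api]
  tls:
  - match:   # traffic leaving workload sidecars
    - {gateways: [mesh], port: 443, sniHosts: [api.example.com]}
    route:
    - destination:
        # assumed egress gateway Service name and namespace
        host: istio-egressgateway.istio-system.svc.cluster.local
        port: {number: 443}
  - match:   # traffic arriving at the egress gateway
    - {gateways: [egress-ext-api], port: 443, sniHosts: [api.example.com]}
    route:
    - destination:
        host: api.example.com
        port: {number: 443}
```

On their own these resources only steer sidecar-injected traffic; a workload that bypasses its sidecar can still egress directly, which is the gap the out-of-scope NetworkPolicy item addresses.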
## Out of Scope
- Fine-grained RBAC via istio AuthorizationPolicies.
https://docs-bigbang.dso.mil/latest/bigbang-training/docs/istio/docs/14-egress-policies/#Enforcing-egress-traffic-using-authorization-policies
- Network policies conditionally enabled (when egress gateway(s) are deployed and enabled for a package) to allow egress only through egress gateway, irrespective of istio injection.
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations
## Duration
As this epic will need to touch every package, the estimate is 4 sprints or 8 weeks.
## Team
The team responsible for completing the Epic, including any cross-functional or external teams.
- Service Mesh
## Epic Team Members
- TBD
## Dependencies
- https://repo1.dso.mil/groups/big-bang/-/epics/160
## Risks
Any potential risks or obstacles that may impact the completion of the Epic.
## Acceptance Criteria
See Requirements section above
## Related Issues and/or Epics
- https://repo1.dso.mil/groups/big-bang/-/epics/160