[internal-gateway][router-resolver] Move internal gateway off of rout…

…er-resolver and router (#10212)

* [internal-gateway] use kube dns and https always instead of router-resolver and router

* [router-resolver] remove router-resolver

* [internal-gateway] explicitly show commented out ssl-config-proxy

Makefile

@@ -14,7 +14,7 @@ check-hail:
 
 .PHONY: check-services
 check-services: check-auth check-batch check-ci check-gear check-memory \
-  check-notebook check-query check-router-resolver check-scorecard check-web-common \
+  check-notebook check-query check-scorecard check-web-common \
   check-atgu check-website
 
 .PHONY: check-auth
@@ -49,10 +49,6 @@ check-notebook:
 check-query:
 	$(MAKE) -C query check
 
-.PHONY: check-router-resolver
-check-router-resolver:
-	$(MAKE) -C router-resolver check
-
 .PHONY: check-scorecard
 check-scorecard:
 	$(MAKE) -C scorecard check

dev-docs/hail-for-new-engineers.md

@@ -181,11 +181,9 @@ Every developer and every pull request test job also has a namespace. Developer
 accessible at https://internal.hail.is/DEVELOPER_USERNAME/SERVICE/ . Unlike the default namespace,
 every other namespace has exactly one database (containing all tables from each service's database).
 
-The default namespace includes three services that are hand-deployed and do not exist in other
-namespaces: gateway, internal-gateway, and router-resolver. All traffic from the Internet enters the
-cluster through the gateway which routes traffic to the appropriate namespace and service. All
-traffic from the Batch workers enters through the internal-gateway. The router-resolver assists the
-gateway in routing.
+All incoming traffic passes through either gateway or internal-gateway which route requests to
+the appropriate namespace and service. Traffic from the Internet enters the cluster through gateway,
+while traffic from Batch workers enters through internal-gateway.
 
 
 [^1]: https://www.who.int/genomics/geneticsVSgenomics/en/

dev-docs/hail-overview.md

@@ -105,7 +105,6 @@ Services (see below for descriptions):
 * $HAIL/notebook: notebook and workshop services
 * $HAIL/query
 * $HAIL/router
-* $HAIL/router-resolver
 * $HAIL/scorecard
 * $HAIL/site
 
@@ -141,7 +140,7 @@ This section is not complete.
   heap called a region value.  Annotation also sometimes refer to just
   the JVM object representation.  Explicitly managed off-(Java-)heap
   values are also referred to as "unsafe".
-  
+
 * is.hail.asm4s: The Hail Query optimizer generates JVM bytecode to
   implement queries.  asm4s is a high-level Scala interface for
   generating JVM bytecode.
@@ -266,17 +265,14 @@ There is a collection of libraries to facilitate service development:
   indirection: gateway forwards requests to the router in the correct
   namespace, and the router forwards requests to the correct service.
 
-* router-resolver: router-resolver verifies whether or not a request
-  is allowed to be forwarded to its destination namespace.
-
 * scorecard: scorecard implements the developer status board found at
   https://scorecard.hail.is/.
 
 * site: site implements the main Hail website https://hail.is/
   including the landing page and Hail Query and Hail Batch
   documentation.
 
-There are two types of services: regular and infrastructure.
-Deployment of regular services is managed by ci.  Infrastructure
-services are currently managed by hand.  The infrastructure services
-include: gateway, internal-gateway and router-resolver.
+There are two types of services: managed and unmanaged.
+CI handles deployment of managed services, while unmanaged services
+are deployed by hand using their respective Makefiles. The
+unmanaged services are gateway and internal-gateway.

internal-gateway/internal-gateway.nginx.conf

@@ -10,35 +10,20 @@ map $http_x_forwarded_proto $updated_scheme {
 
 limit_req_zone global zone=limit:1m rate=45r/s;
 
-map $maybe_router_scheme $router_scheme {
-    default $maybe_router_scheme;
-    ''      http;
-}
-
 server {
     server_name internal.hail;
     client_max_body_size 50m;
     listen 80;
     listen [::]:80;
 
-    location = /router_scheme {
-        internal;
-        resolver kube-dns.kube-system.svc.cluster.local;
-        proxy_pass https://router-resolver.default.svc.cluster.local/router-scheme/$namespace;
-        include /ssl-config/ssl-config-proxy.conf;
-    }
-
     location ~ ^/([^/]+)/([^/]+) {
     	limit_req zone=limit burst=20 nodelay;
 
         set $namespace $1;
         set $service $2;
 
-        auth_request /router_scheme;
-        auth_request_set $maybe_router_scheme $upstream_http_x_router_scheme;
-
         resolver kube-dns.kube-system.svc.cluster.local;
-        proxy_pass $router_scheme://router.$namespace.svc.cluster.local;
+        proxy_pass https://$service.$namespace.svc.cluster.local;
 
         proxy_set_header Host $service.internal;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -50,21 +35,22 @@ server {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
 
-        # we do not verify namepsaced routers
+        # we do not verify namespaced services
         # include /ssl-config/ssl-config-proxy.conf;
     }
 }
 
 server {
-    server_name hail;
+    server_name ~^(?<service>[\w-]+)\.hail$;
     client_max_body_size 50m;
     listen 80 default_server;
     listen [::]:80 default_server;
 
     location / {
     	limit_req zone=limit burst=20 nodelay;
 
-        proxy_pass https://router/;
+        resolver kube-dns.kube-system.svc.cluster.local;
+        proxy_pass https://$service.default.svc.cluster.local;
 
         proxy_set_header Host $http_host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -86,24 +72,14 @@ server {
     listen 443 ssl;
     listen [::]:443 ssl;
 
-    location = /router_scheme {
-        internal;
-        resolver kube-dns.kube-system.svc.cluster.local;
-        proxy_pass https://router-resolver.default.svc.cluster.local/router-scheme/$namespace;
-        include /ssl-config/ssl-config-proxy.conf;
-    }
-
     location ~ ^/([^/]+)/([^/]+) {
         limit_req zone=limit burst=20 nodelay;
 
         set $namespace $1;
         set $service $2;
 
-        auth_request /router_scheme;
-        auth_request_set $maybe_router_scheme $upstream_http_x_router_scheme;
-
         resolver kube-dns.kube-system.svc.cluster.local;
-        proxy_pass $router_scheme://router.$namespace.svc.cluster.local;
+        proxy_pass https://$service.$namespace.svc.cluster.local;
 
         proxy_set_header Host $service.internal;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -115,21 +91,22 @@ server {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
 
-        # we do not verify namepsaced routers
+        # we do not verify namespaced services
         # include /ssl-config/ssl-config-proxy.conf;
     }
 }
 
 server {
-    server_name hail;
+    server_name ~^(?<service>[\w-]+)\.hail$;
     client_max_body_size 50m;
     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;
 
     location / {
         limit_req zone=limit burst=20 nodelay;
 
-        proxy_pass https://router/;
+        resolver kube-dns.kube-system.svc.cluster.local;
+        proxy_pass https://$service.default.svc.cluster.local;
 
         proxy_set_header Host $http_host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;