Making It Real — Quick Health Checks Under Zero‑Trust
"Trust is good. Verified, enforced trust is better."
What actually happened (in plain language)
We turned on strict “only talk if you’re allowed” rules in the cluster (zero‑trust). Then we did quick health checks to verify the essentials still work:
- ✅ Identity works (SPIRE gives services their IDs)
- ✅ Policy engine works (OPA answers and enforces rules)
- ✅ Core services are up and can reach the message bus (NATS)
- 📌 By design: you can’t poke services directly anymore; you go through the Gateway or explicitly allowed paths
Notes on proof
We keep the Chronicles story‑only—raw logs and screenshots live elsewhere in the repo for audits. If you want the gritty details, they’re available on request.
What we saw
- “Default deny” is working: only the connections we listed are allowed
- Random in‑cluster curls don’t work anymore—that’s on purpose; use the Gateway or port‑forward
- Services report healthy and keep their connection to NATS; OPA replies to checks
What’s next
- Run simple “quick health checks” through the Gateway (security and energy endpoints)
- Capture metrics/traces in Grafana/Jaeger
- Tighten any remaining allow‑lists for Gateway → services if needed
Gateway update
- ✅ .NET Gateway is deployed and has a Service in the cluster
- 🔐 There’s an allow‑list that lets the Gateway talk to Orchestrator (8080), OPA (8181), and NATS (4222)
Quick health check tip: because of strict rules, generic curls may not reach the Gateway from inside the cluster. Use a temporary port‑forward when validating from your laptop:
- Port‑forward: kubectl -n citadel port-forward deploy/citadel-citadelmesh-gateway 18090:8080
- Check: open http://127.0.0.1:18090/, http://127.0.0.1:18090/api/status, and /health
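The port‑forward check above as a repeatable script (an added example, not the repo's own code): the namespace, deployment, ports and endpoints are the ones listed above, while the script layout and function names are assumptions. It tells a 2xx apart from a policy denial (401/403) and from "no connection at all" (curl's 000), which under default deny is what a missing allow‑list entry looks like.

```shell
#!/usr/bin/env bash
# Probe the Gateway through a temporary port-forward, then tear it down.
# Names below come from the entry; script layout and function names are assumptions.
set -u
NAMESPACE="citadel"
DEPLOY="deploy/citadel-citadelmesh-gateway"
LOCAL_PORT="${LOCAL_PORT:-18090}"   # laptop side of the port-forward (Gateway listens on 8080)
ENDPOINTS="/ /api/status /health"

# HTTP status of one URL; curl reports 000 when the TCP connect itself fails.
http_status() {
  local code
  code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$1" 2>/dev/null) || true
  echo "${code:-000}"
}
# Status code -> verdict. Under default-deny, 000 (no connection) points at
# the allow-list or a dead port-forward, not at the service itself.
classify_status() {
  case "$1" in
    2??)     echo ok ;;
    401|403) echo denied ;;
    000)     echo unreachable ;;
    *)       echo "unexpected($1)" ;;
  esac
}
# Probe every endpoint under $base: one line each, non-zero if any is not ok.
check_gateway() {
  local base="$1" path code verdict failed=0
  for path in $ENDPOINTS; do
    code=$(http_status "${base}${path}")
    verdict=$(classify_status "$code")
    printf '%-12s %s %s\n' "$path" "$code" "$verdict"
    [ "$verdict" = ok ] || failed=1
  done
  return "$failed"
}
# Open the port-forward, wait up to 10 s for the local port, run the checks;
# the EXIT trap closes the port-forward however the script ends.
main() {
  kubectl -n "$NAMESPACE" port-forward "$DEPLOY" "${LOCAL_PORT}:8080" >/dev/null 2>&1 &
  trap "kill $! 2>/dev/null" EXIT
  local i
  for i in 1 2 3 4 5 6 7 8 9 10; do
    [ "$(http_status "http://127.0.0.1:${LOCAL_PORT}/")" != 000 ] && break
    sleep 1
  done
  check_gateway "http://127.0.0.1:${LOCAL_PORT}"
}

if [ "${1:-}" = run ]; then main; fi   # usage: ./gateway-check.sh run
```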
Milestone Gate
To move forward, we check these simple things:
- Zero‑trust rules didn’t break the basics (identity, policy, service health)
- Safety and Orchestrator are still talking to NATS and OPA
- We’re ready to run more Gateway checks and turn on charts/dashboards
Type APPROVED to continue, or tell us what needs to change.