Merge pull request #1 from creativice/feature/basic-auth

Add basic k8s components

.dockerignore

@@ -0,0 +1,5 @@
+node_modules/
+.j1-integration/
+dist/
+.env
+.eslintcache

Dockerfile

@@ -0,0 +1,14 @@
+FROM node:12-alpine
+
+WORKDIR .
+
+# node-gyp/python3 requirement
+RUN apk add g++ make python
+
+COPY package.json yarn.lock ./
+
+RUN yarn install --production
+
+COPY . .
+
+CMD ["yarn", "collect"]

configs/clusterRole.yml

@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: 'true'
+  labels:
+  name: test-read-only
+  namespace: default
+rules:
+  - apiGroups:
+      - ''
+    resources: ['*']
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources: ['*']
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources: ['*']
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - batch
+    resources: ['*']
+    verbs:
+      - get
+      - list
+      - watch

configs/clusterRoleBinding.yml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: test-binding
+subjects:
+  - kind: ServiceAccount
+    name: cluster-sa
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: test-read-only
+  apiGroup: rbac.authorization.k8s.io

configs/createSecret.yml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: jupiterone-integration-secret
+type: Opaque
+data:
+  # base64 encoded values
+  # could use better key-names I'm just unsure of guidelines on that at the moment
+  jaccountid: <base64encoded jupiterone account id>
+  japikey: <base64encoded jupiterone api key>
+  integrationid: <base64encoded integration id>

configs/cronjobCluster.yaml

@@ -0,0 +1,42 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: integration-deployment-cron
+  labels:
+    app: integration-cron
+spec:
+  schedule: "*/60 * * * *" # Schedule to run every 10 minutes
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: cluster-sa
+          containers:
+          - name: integration
+            image: my-new-image
+            imagePullPolicy: IfNotPresent
+            env:
+              # could use better name, but for now:
+              # ACCESS_TYPE can either be "namespace" or "cluster"
+              - name: ACCESS_TYPE
+                value: 'cluster'
+              # If ACCESS_TYPE === "namespace"
+              # This needs to contain its name
+              - name: NAMESPACE
+                value: 'default'
+              - name: JUPITERONE_ACCOUNT_ID
+                valueFrom:
+                  secretKeyRef:
+                    name: jupiterone-integration-secret
+                    key: jaccountid
+              - name: JUPITERONE_API_KEY
+                valueFrom:
+                  secretKeyRef:jone-secret
+                    name: jupiterone-integration-secret
+                    key: japikey
+              - name: INTEGRATION_INSTANCE_ID
+                valueFrom:
+                  secretKeyRef:
+                    name: jupiterone-integration-secret
+                    key: integrationid
+          restartPolicy: Never

configs/cronjobNamespace.yaml

@@ -0,0 +1,42 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: integration-deployment-cron
+  labels:
+    app: integration-cron
+spec:
+  schedule: "*/60 * * * *" # Schedule to run every 10 minutes
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: namespace-sa
+          containers:
+          - name: integration
+            image: my-new-image
+            imagePullPolicy: IfNotPresent
+            env:
+              # could use better name, but for now:
+              # ACCESS_TYPE can either be "namespace" or "cluster"
+              - name: ACCESS_TYPE
+                value: 'namespace'
+              # If ACCESS_TYPE === "namespace"
+              # This needs to contain its name
+              - name: NAMESPACE
+                value: 'default'
+              - name: JUPITERONE_ACCOUNT_ID
+                valueFrom:
+                  secretKeyRef:
+                    name: jupiterone-integration-secret
+                    key: jaccountid
+              - name: JUPITERONE_API_KEY
+                valueFrom:
+                  secretKeyRef:
+                    name: jupiterone-integration-secret
+                    key: japikey
+              - name: INTEGRATION_INSTANCE_ID
+                valueFrom:
+                  secretKeyRef:
+                    name: jupiterone-integration-secret
+                    key: integrationid
+          restartPolicy: Never

configs/deploymentCluster.yml

@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: integration-deployment
+  labels:
+    app: integration
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: integration
+  template:
+    metadata:
+      labels:
+        app: integration
+    spec:
+      serviceAccountName: cluster-sa
+      containers:
+        - name: integration
+          image: my-new-image
+          imagePullPolicy: IfNotPresent
+          env:
+            # could use better name, but for now:
+            # ACCESS_TYPE can either be "namespace" or "cluster"
+            - name: ACCESS_TYPE
+              value: 'cluster'
+            # If ACCESS_TYPE === "namespace"
+            # This needs to contain its name
+            - name: NAMESPACE
+              value: 'default'
+            - name: JUPITERONE_ACCOUNT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: jupiterone-integration-secret
+                  key: jaccountid
+            - name: JUPITERONE_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: jupiterone-integration-secret
+                  key: japikey
+            - name: INTEGRATION_INSTANCE_ID
+              valueFrom:
+                secretKeyRef:
+                  name: jupiterone-integration-secret
+                  key: integrationid

configs/deploymentNamespace.yml

@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: integration-deployment
+  labels:
+    app: integration
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: integration
+  template:
+    metadata:
+      labels:
+        app: integration
+    spec:
+      serviceAccountName: namespace-sa
+      containers:
+        - name: integration
+          image: my-new-image
+          imagePullPolicy: IfNotPresent
+          env:
+            # could use better name, but for now:
+            # ACCESS_TYPE can either be "namespace" or "cluster"
+            - name: ACCESS_TYPE
+              value: 'namespace'
+            # If ACCESS_TYPE === "namespace"
+            # This needs to contain its name
+            - name: NAMESPACE
+              value: 'default'
+            - name: JUPITERONE_ACCOUNT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: jupiterone-integration-secret
+                  key: jaccountid
+            - name: JUPITERONE_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: jupiterone-integration-secret
+                  key: japikey
+            - name: INTEGRATION_INSTANCE_ID
+              valueFrom:
+                secretKeyRef:
+                  name: jupiterone-integration-secret
+                  key: integrationid

configs/exampleJob.yml

@@ -0,0 +1,40 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: integration-job
+spec:
+  template:
+    spec:
+      serviceAccountName: cluster-sa
+      containers:
+        - name: integration
+          image: my-new-image
+          imagePullPolicy: IfNotPresent
+          env:
+            # could use better name, but for now:
+            # ACCESS_TYPE can either be "namespace" or "cluster"
+            - name: ACCESS_TYPE
+              value: 'cluster'
+            # If ACCESS_TYPE === "namespace"
+            # This needs to contain its name
+            - name: NAMESPACE
+              value: 'default'
+            - name: IS_RUNNING_TEST
+              value: 'false'
+            - name: JUPITERONE_ACCOUNT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: jupiterone-integration-secret
+                  key: jaccountid
+            - name: JUPITERONE_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: jupiterone-integration-secret
+                  key: japikey
+            - name: INTEGRATION_INSTANCE_ID
+              valueFrom:
+                secretKeyRef:
+                  name: jupiterone-integration-secret
+                  key: integrationid
+      restartPolicy: Never
+  backoffLimit: 4

docs/development.md

@@ -22,7 +22,80 @@ for new developers picking up your work.
 
 ## Authentication
 
-Supply details here for information on how to authenticate with a provider so
-that developers have an idea of what's needed to hit APIs. It may be useful to
-provide explanations for each value specified in
-[../src/instanceConfigFields.json](../src/instanceConfigFields.json).
+### RBAC
+
+This integration expects a service account with either specific namespace
+read-only access or cluster-wide read-only access.
+
+### Creating service account with namespace read-only access
+
+1. Create a new service account
+
+`kubectl create sa namespace-sa`
+
+2. Assign namespace read-only access
+
+`kubectl create rolebinding namespace-sa-view --clusterrole=view --serviceaccount=default:namespace-sa --namespace=default`
+
+### Creating service account with cluster-wide read-only access
+
+1. Create a new service account
+
+`kubectl create sa cluster-sa`
+
+2. Assign cluster-wide read-only access
+
+`kubectl apply -f ./configs/clusterRole.yml`
+
+`kubectl apply -f ./configs/clusterRoleBinding.yml`
+
+If using a different service account name or different namespace name, make sure
+to use the correct name in both the commands/yml listed above.
+
+### Secrets
+
+The integration requires you to store `jupiterone account id`,
+`jupiterone api key` and `integration id` as secrets that will be read by the
+pod.
+
+Update the `./configs/createSecret.yml` with base64 encoded values.
+
+### Building the image and running the integration
+
+1. Make sure the kubernetes is set-up/running.
+
+If you want to build a docker image locally that's also visible to the
+minikube/kubernetes, do the following:
+
+1. `eval $(minikube docker-env)`
+2. `docker build -t my-new-image .` (will be replaced later with a better name
+   if we're sure we want to proceed with this authentication method)
+
+To deploy the built image as a pod:
+
+a) To create deployment for a service account with namespace read-only access
+`kubectl apply -f ./configs/deploymentNamespace.yml`
+
+b) To create deployment for a service account with entire cluster read-only
+access `kubectl apply -f ./configs/deploymentCluster.yml`
+
+To check if the deployment has been created: `kubectl get deployment`
+
+To check if the pod has been created: `kubectl get pods`
+
+To see the logs: `kubectl logs <pod name>`
+
+To restart everything:
+
+1. Delete the deployment `kubectl delete deployment <name>`
+
+2. Re-deploy using step from the above
+
+To delete service account:
+`kubectl delete serviceaccount -n <namespace> <serviceaccount>`
+
+To start cronjob(s) `kubectl apply -f ./configs/cronjob(Cluster|Namespace).yml`
+
+To list cronjobs `kubectl get cronjobs`
+
+To delete cronjob `kubectl delete cronjob <name>`