Skip to content

Commit

Permalink
Merge pull request #116 from xytian315/issue-102-update-byoc-doc
Browse files Browse the repository at this point in the history 
update byoc doc
  • Loading branch information
@phenixblue
phenixblue authored Jan 21, 2022
2 parents b78170b + 3c8ef3d commit b751766
Show file tree
Hide file tree
Showing 2 changed files with 46 additions and 36 deletions.
28 changes: 16 additions & 12 deletions app/magtape-init/magtape-init.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -542,25 +542,29 @@ def write_tls_pair(
logging.info(
f'Using existing secret "{secret_name}" in namespace "{namespace}"'
)
logging.info("Waiting for race winning pod to startup")
if not magtape_tls_byoc:
logging.info("Waiting for race winning pod to startup")

start_time = datetime.datetime.now()
race_winner_pod = ""
start_time = datetime.datetime.now()
race_winner_pod = ""

while (
race_winner_pod == "" or (datetime.datetime.now() - start_time).seconds < 30
):
while (
race_winner_pod == ""
or (datetime.datetime.now() - start_time).seconds < 30
):

logging.info("Still waiting for race winning pod to startup")
logging.info("Still waiting for race winning pod to startup")

if "magtape/updated-by-pod" in tls_secret.metadata.labels:
if "magtape/updated-by-pod" in tls_secret.metadata.labels:

race_winner_pod = tls_secret.metadata.labels["magtape/updated-by-pod"]
break
race_winner_pod = tls_secret.metadata.labels[
"magtape/updated-by-pod"
]
break

else:
else:

time.sleep(5)
time.sleep(5)

else:

Expand Down
54 changes: 30 additions & 24 deletions docs/install.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,22 +6,21 @@ We've tried to build a decent amount of flexibility into MagTape. While the simp

NOTE: The following environment variable are defined in the `magtape-env-cm.yaml` manifest and can be used to customize MagTape's behavior.

| Variable | Description | Values |
|--- |--- |--- |
| `FLASK_ENV` | The operation environment for Flask | `production` or `development` |
| `MAGTAPE_DENY_LEVEL` | Controls the level of denial for checks. Please see section above on Deny Level | `LOW`, `MED`, or `HIGH` |
| `MAGTAPE_LOG_LEVEL` | The log level to use | `INFO` or `DEBUG` |
| `MAGTAPE_CLUSTER_NAME` | The name of the Kubernetes Cluster where the webhook is deployed | `test-cluster` |
| `MAGTAPE_TLS_SECRET` | **OPTIONAL** - Overrides the default secret (`magtape-tls`) for BYOC (Bring Your Own Cert) scenarios| <name_of_secret> (STRING) |
| `MAGTAPE_K8S_EVENTS_ENABLED` | Controls whether or not Kubernetes events are generated within the target namespace for policy failures | `TRUE` or `FALSE` |
| `MAGTAPE_SLACK_ENABLED` | Controls whether or not the webhook sends Slack notifications | `TRUE` or `FALSE` |
| `MAGTAPE_SLACK_PASSIVE` | Controls whether or not Slack alerts are sent for checks that fail, but aren't denied due to the DENY_LEVEL setting | `TRUE` or `FALSE` |
| `MAGTAPE_SLACK_WEBHOOK_URL_BASE` | **OPTIONAL** - Overrides the base domain (`hooks.slack.com`) for the Slack Incoming Webhook URL. Used for airgapped environments where a forwarding/proxying service may be needed | `slack-proxy.example.com` |
| `MAGTAPE_SLACK_WEBHOOK_URL_DEFAULT` | The URL for the Slack Incoming Webhook. | `https://hooks.slack.com/services/XXXXXXXX/XXXXXXXX/XXXXXXXXXXXXXXXXXX` |
| `MAGTAPE_SLACK_USER` | The user the Slack alerts should be sent as | `mtbot` |
| `MAGTAPE_SLACK_ICON` | The emoji to use for the user icon in the alert | `:magtape:` |
| `OPA_BASE_URL` | The base URL used to contact the OPA API | `http://localhost:8181` |
| `OPA_K8S_PATH` | The common path to reference all Kubernetes based OPA policies | `/v0/data/magtape` |
| Variable | Description | Values |
| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- |
| `FLASK_ENV` | The operation environment for Flask | `production` or `development` |
| `MAGTAPE_DENY_LEVEL` | Controls the level of denial for checks. Please see section above on Deny Level | `LOW`, `MED`, or `HIGH` |
| `MAGTAPE_LOG_LEVEL` | The log level to use | `INFO` or `DEBUG` |
| `MAGTAPE_CLUSTER_NAME` | The name of the Kubernetes Cluster where the webhook is deployed | `test-cluster` |
| `MAGTAPE_K8S_EVENTS_ENABLED` | Controls whether or not Kubernetes events are generated within the target namespace for policy failures | `TRUE` or `FALSE` |
| `MAGTAPE_SLACK_ENABLED` | Controls whether or not the webhook sends Slack notifications | `TRUE` or `FALSE` |
| `MAGTAPE_SLACK_PASSIVE` | Controls whether or not Slack alerts are sent for checks that fail, but aren't denied due to the DENY_LEVEL setting | `TRUE` or `FALSE` |
| `MAGTAPE_SLACK_WEBHOOK_URL_BASE` | **OPTIONAL** - Overrides the base domain (`hooks.slack.com`) for the Slack Incoming Webhook URL. Used for airgapped environments where a forwarding/proxying service may be needed | `slack-proxy.example.com` |
| `MAGTAPE_SLACK_WEBHOOK_URL_DEFAULT` | The URL for the Slack Incoming Webhook. | `https://hooks.slack.com/services/XXXXXXXX/XXXXXXXX/XXXXXXXXXXXXXXXXXX` |
| `MAGTAPE_SLACK_USER` | The user the Slack alerts should be sent as | `mtbot` |
| `MAGTAPE_SLACK_ICON` | The emoji to use for the user icon in the alert | `:magtape:` |
| `OPA_BASE_URL` | The base URL used to contact the OPA API | `http://localhost:8181` |
| `OPA_K8S_PATH` | The common path to reference all Kubernetes based OPA policies | `/v0/data/magtape` |

## Installation

Expand All @@ -31,11 +30,11 @@ The kustomize layout uses overlays to allow for flexibility in configuration (ie

You can find some generic examples of using kustomize overlays to manage per environment configuration in the following directories:

| DIRECTORY | DESCRIPTION |
|--- |--- |
| `deploy/manifests` | The base YAML manifests |
| `deploy/overlays/development` | Development environment specific substitutions |
| `deploy/overlays/production` | Production environment specific substitutions |
| DIRECTORY | DESCRIPTION |
| ----------------------------- | ---------------------------------------------- |
| `deploy/manifests` | The base YAML manifests |
| `deploy/overlays/development` | Development environment specific substitutions |
| `deploy/overlays/production` | Production environment specific substitutions |

Once the proper edits have been made you can generate the YAML manifests:

Expand Down Expand Up @@ -72,14 +71,21 @@ NOTE: A TLS Cert and Key need to be generated for the Webhook. MagTape has an in

By default MagTape will handle creation and rotation of the required TLS cert/key automatically. In cases where you need to BYOC, you can adjust the configuration.

### Specify a different secret name
### Create the secret

Reference the `MAGTAPE_TLS_SECRET` option in the [configuration options](#configuration-options) section.
Create the secret name called `magtape-tls` with the annotation `magtape-byoc` in the `magtape-system` namespace. The `cert.pem`, `key.pem` must be provided in the data field of the secret. This secret must exist prior to installing MagTape.

```shell
kubectl create secret generic magtape-tls --from-file=cert.pem=<path/to/cert.pem> --from-file=key.pem=<path/to/key.pem> --namespace magtape-system
kubectl annotate secret magtape-tls magtape-byoc=<VALUE>
```
### Root CA

The VWC (Validating Webhook Configuration) needs to be configured with a cert bundle that includes the CA that signed the certificate and key used to secure the MagTape API. For now MagTape assumes this CA certificate exists in the `magtape-tls-ca` secret deployed within the `magtape-system` namespace. This secret must exist prior to installing MagTape.
The VWC (Validating Webhook Configuration) needs to be configured with a cert bundle that includes the CA that signed the certificate and key used to secure the MagTape API. For now MagTape assumes this CA certificate exists in the `magtape-tls-ca` secret deployed within the `magtape-system` namespace. The `rootca.pem` must be provided in the data field of the secret. This secret must exist prior to installing MagTape.

```shell
kubectl create secret generic magtape-tls-ca --from-file=rootca.pem=</path/to/rootca.pem> --namespace magtape-system
```
No validation is done currently to ensure the specified CA actually signed the cert and key used to secure MagTape's API. We plan to add this validation in a future release.

## VWC Template
Expand Down

0 comments on commit b751766

Please sign in to comment.