From 4ea82eb2d8551b2c22d33caf0ce5c030d95a03f5 Mon Sep 17 00:00:00 2001
From: Kristy Tian
Date: Mon, 10 Jan 2022 22:44:38 -0800
Subject: [PATCH 1/4] update byoc doc
---
 docs/install.md | 64 ++++++++++++++++++++++++++++++-------------------
 1 file changed, 40 insertions(+), 24 deletions(-)
diff --git a/docs/install.md b/docs/install.md
index f7c5c50..28eabcf 100644
--- a/docs/install.md
+++ b/docs/install.md
@@ -6,22 +6,21 @@ We've tried to build a decent amount of flexibility into MagTape. While the simp NOTE: The following environment variable are defined in the `magtape-env-cm.yaml` manifest and can be used to customize MagTape's behavior. -| Variable | Description | Values | -|--- |--- |--- | -| `FLASK_ENV` | The operation environment for Flask | `production` or `development` | -| `MAGTAPE_DENY_LEVEL` | Controls the level of denial for checks. Please see section above on Deny Level | `LOW`, `MED`, or `HIGH` | -| `MAGTAPE_LOG_LEVEL` | The log level to use | `INFO` or `DEBUG` | -| `MAGTAPE_CLUSTER_NAME` | The name of the Kubernetes Cluster where the webhook is deployed | `test-cluster` | -| `MAGTAPE_TLS_SECRET` | **OPTIONAL** - Overrides the default secret (`magtape-tls`) for BYOC (Bring Your Own Cert) scenarios| (STRING) | -| `MAGTAPE_K8S_EVENTS_ENABLED` | Controls whether or not Kubernetes events are generated within the target namespace for policy failures | `TRUE` or `FALSE` | -| `MAGTAPE_SLACK_ENABLED` | Controls whether or not the webhook sends Slack notifications | `TRUE` or `FALSE` | -| `MAGTAPE_SLACK_PASSIVE` | Controls whether or not Slack alerts are sent for checks that fail, but aren't denied due to the DENY_LEVEL setting | `TRUE` or `FALSE` | -| `MAGTAPE_SLACK_WEBHOOK_URL_BASE` | **OPTIONAL** - Overrides the base domain (`hooks.slack.com`) for the Slack Incoming Webhook URL. Used for airgapped environments where a forwarding/proxying service may be needed | `slack-proxy.example.com` | -| `MAGTAPE_SLACK_WEBHOOK_URL_DEFAULT` | The URL for the Slack Incoming Webhook. 
| `https://hooks.slack.com/services/XXXXXXXX/XXXXXXXX/XXXXXXXXXXXXXXXXXX` | -| `MAGTAPE_SLACK_USER` | The user the Slack alerts should be sent as | `mtbot` | -| `MAGTAPE_SLACK_ICON` | The emoji to use for the user icon in the alert | `:magtape:` | -| `OPA_BASE_URL` | The base URL used to contact the OPA API | `http://localhost:8181` | -| `OPA_K8S_PATH` | The common path to reference all Kubernetes based OPA policies | `/v0/data/magtape` | +| Variable | Description | Values | +| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- | +| `FLASK_ENV` | The operation environment for Flask | `production` or `development` | +| `MAGTAPE_DENY_LEVEL` | Controls the level of denial for checks. Please see section above on Deny Level | `LOW`, `MED`, or `HIGH` | +| `MAGTAPE_LOG_LEVEL` | The log level to use | `INFO` or `DEBUG` | +| `MAGTAPE_CLUSTER_NAME` | The name of the Kubernetes Cluster where the webhook is deployed | `test-cluster` | +| `MAGTAPE_K8S_EVENTS_ENABLED` | Controls whether or not Kubernetes events are generated within the target namespace for policy failures | `TRUE` or `FALSE` | +| `MAGTAPE_SLACK_ENABLED` | Controls whether or not the webhook sends Slack notifications | `TRUE` or `FALSE` | +| `MAGTAPE_SLACK_PASSIVE` | Controls whether or not Slack alerts are sent for checks that fail, but aren't denied due to the DENY_LEVEL setting | `TRUE` or `FALSE` | +| `MAGTAPE_SLACK_WEBHOOK_URL_BASE` | **OPTIONAL** - Overrides the base domain (`hooks.slack.com`) for the Slack Incoming Webhook URL. Used for airgapped environments where a forwarding/proxying service may be needed | `slack-proxy.example.com` | +| `MAGTAPE_SLACK_WEBHOOK_URL_DEFAULT` | The URL for the Slack Incoming Webhook. 
| `https://hooks.slack.com/services/XXXXXXXX/XXXXXXXX/XXXXXXXXXXXXXXXXXX` | +| `MAGTAPE_SLACK_USER` | The user the Slack alerts should be sent as | `mtbot` | +| `MAGTAPE_SLACK_ICON` | The emoji to use for the user icon in the alert | `:magtape:` | +| `OPA_BASE_URL` | The base URL used to contact the OPA API | `http://localhost:8181` | +| `OPA_K8S_PATH` | The common path to reference all Kubernetes based OPA policies | `/v0/data/magtape` | ## Installation @@ -31,11 +30,11 @@ The kustomize layout uses overlays to allow for flexibility in configuration (ie You can find some generic examples of using kustomize overlays to manage per environment configuration in the following directories: -| DIRECTORY | DESCRIPTION | -|--- |--- | -| `deploy/manifests` | The base YAML manifests | -| `deploy/overlays/development` | Development environment specific substitutions | -| `deploy/overlays/production` | Production environment specific substitutions | +| DIRECTORY | DESCRIPTION | +| ----------------------------- | ---------------------------------------------- | +| `deploy/manifests` | The base YAML manifests | +| `deploy/overlays/development` | Development environment specific substitutions | +| `deploy/overlays/production` | Production environment specific substitutions | Once the proper edits have been made you can generate the YAML manifests: 
@@ -72,13 +71,30 @@ NOTE: A TLS Cert and Key need to be generated for the Webhook. MagTape has an in By default MagTape will handle creation and rotation of the required TLS cert/key automatically. In cases where you need to BYOC, you can adjust the configuration. -### Specify a different secret name +### Create the secret -Reference the `MAGTAPE_TLS_SECRET` option in the [configuration options](#configuration-options) section. +Create the secret name called `magtape-tls` with the annotation `magtape-byoc` in the `magtape-system` namespace. The `cert.pem`, `key.pem` must be provided in the data field of the secret. This secret must exist prior to install MagTape. + +The following YAML contains an example of the secret +```yaml +apiVersion: v1 +data: + cert.pem: "..." + key.pem: "..." +kind: Secret +metadata: + annotations: + magtape-byoc: "" + labels: + app: magtape + name: magtape-tls + namespace: magtape-system +type: tls +``` ### Root CA -The VWC (Validating Webhook Configuration) needs to be configured with a cert bundle that includes the CA that signed the certificate and key used to secure the MagTape API. For now MagTape assumes this CA certificate exists in the `magtape-tls-ca` secret deployed within the `magtape-system` namespace. This secret must exist prior to installing MagTape. +The VWC (Validating Webhook Configuration) needs to be configured with a cert bundle that includes the CA that signed the certificate and key used to secure the MagTape API. For now MagTape assumes this CA certificate exists in the `magtape-tls-ca` secret deployed within the `magtape-system` namespace. The `rootca.pem` must be provided in the data field of the secret. This secret must exist prior to install MagTape. No validation is done currently to ensure the specified CA actually signed the cert and key used to secure MagTape's API. We plan to add this validation in a future release. From c06ce1130291fc9f3bd3b99d1c0de8fa7f0289bb Mon Sep 17 00:00:00 2001 
From: Kristy Tian
Date: Fri, 14 Jan 2022 14:33:07 -0800
Subject: [PATCH 2/4] update install.md
---
 docs/install.md | 26 ++++++++------------------
 1 file changed, 8 insertions(+), 18 deletions(-)
diff --git a/docs/install.md b/docs/install.md
index 28eabcf..71ca605 100644
--- a/docs/install.md
+++ b/docs/install.md
@@ -73,29 +73,19 @@ By default MagTape will handle creation and rotation of the required TLS cert/ke ### Create the secret -Create the secret name called `magtape-tls` with the annotation `magtape-byoc` in the `magtape-system` namespace. The `cert.pem`, `key.pem` must be provided in the data field of the secret. This secret must exist prior to install MagTape. +Create the secret name called `magtape-tls` with the annotation `magtape-byoc` in the `magtape-system` namespace. The `cert.pem`, `key.pem` must be provided in the data field of the secret. This secret must exist prior to installing MagTape. -The following YAML contains an example of the secret -```yaml -apiVersion: v1 -data: - cert.pem: "..." - key.pem: "..." -kind: Secret -metadata: - annotations: - magtape-byoc: "" - labels: - app: magtape - name: magtape-tls - namespace: magtape-system -type: tls +```shell +kubectl create secret generic magtape-tls --from-file=cert.pem= --from-file=key.pem= --namespace magtape-system +kubectl annotate secret magtape-tls magtape-byoc= ``` - ### Root CA -The VWC (Validating Webhook Configuration) needs to be configured with a cert bundle that includes the CA that signed the certificate and key used to secure the MagTape API. For now MagTape assumes this CA certificate exists in the `magtape-tls-ca` secret deployed within the `magtape-system` namespace. The `rootca.pem` must be provided in the data field of the secret. This secret must exist prior to install MagTape. +The VWC (Validating Webhook Configuration) needs to be configured with a cert bundle that includes the CA that signed the certificate and key used to secure the MagTape API. For now MagTape assumes this CA certificate exists in the `magtape-tls-ca` secret deployed within the `magtape-system` namespace. The `rootca.pem` must be provided in the data field of the secret. This secret must exist prior to installing MagTape. 
+```shell +kubectl create secret generic magtape-tls-ca --from-file=rootca.pem= --namespace magtape-system +``` No validation is done currently to ensure the specified CA actually signed the cert and key used to secure MagTape's API. We plan to add this validation in a future release. ## VWC Template From a7f7bb779e2c650dd35b8139bf9cf55dd851512a Mon Sep 17 00:00:00 2001 From: Kristy Tian Date: Fri, 14 Jan 2022 14:35:07 -0800 Subject: [PATCH 3/4] update magtape-init to not to check secret updated-by-pod label when byoc --- app/magtape-init/magtape-init.py | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/app/magtape-init/magtape-init.py b/app/magtape-init/magtape-init.py index 589a107..e8182c0 100755 --- a/app/magtape-init/magtape-init.py +++ b/app/magtape-init/magtape-init.py @@ -542,25 +542,26 @@ def write_tls_pair( logging.info( f'Using existing secret "{secret_name}" in namespace "{namespace}"' ) - logging.info("Waiting for race winning pod to startup") + if not magtape_tls_byoc: + logging.info("Waiting for race winning pod to startup") - start_time = datetime.datetime.now() - race_winner_pod = "" + start_time = datetime.datetime.now() + race_winner_pod = "" - while ( - race_winner_pod == "" or (datetime.datetime.now() - start_time).seconds < 30 - ): + while ( + race_winner_pod == "" or (datetime.datetime.now() - start_time).seconds < 30 + ): - logging.info("Still waiting for race winning pod to startup") + logging.info("Still waiting for race winning pod to startup") - if "magtape/updated-by-pod" in tls_secret.metadata.labels: + if "magtape/updated-by-pod" in tls_secret.metadata.labels: - race_winner_pod = tls_secret.metadata.labels["magtape/updated-by-pod"] - break + race_winner_pod = tls_secret.metadata.labels["magtape/updated-by-pod"] + break - else: + else: - time.sleep(5) + time.sleep(5) else: From 3c8ef3d74cdfa4f5f60ac970dc9584e118102e8e Mon Sep 17 00:00:00 2001 
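Review bot: The wait loop this patch nests under `if not magtape_tls_byoc:` can never time out, because `race_winner_pod == "" or (datetime.datetime.now() - start_time).seconds < 30` stays true for as long as the label is absent, so the 30-second clause is dead and an unlabelled secret spins forever; if the bound is intended the operator should be `and` (`race_winner_pod == "" and (datetime.datetime.now() - start_time).seconds < 30`), with the code after the loop then deciding what to do when `race_winner_pod` is still empty. The same condition, merely re-wrapped, appears again in the PATCH 4/4 hunk. Inside the loop nothing re-reads `tls_secret`, so unless that object is refreshed elsewhere the label check only ever sees the state captured before the loop, and `tls_secret.metadata.labels` being `None` on an unlabelled secret would make the `in` test raise `TypeError`. Where `magtape_tls_byoc` is bound is not visible here, and the BYOC path now falls through without a trace; an `else:` with `logging.info("BYOC secret in use, skipping race winner wait")` would let the init log show which path was taken. write_tls_pair starts before and continues after the hunk.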
From: Kristy Tian Date: Fri, 21 Jan 2022 10:07:03 -0800 Subject: [PATCH 4/4] change the format after runing black to lint python --- app/magtape-init/magtape-init.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/app/magtape-init/magtape-init.py b/app/magtape-init/magtape-init.py index e8182c0..af982cf 100755 --- a/app/magtape-init/magtape-init.py +++ b/app/magtape-init/magtape-init.py @@ -549,14 +549,17 @@ def write_tls_pair( race_winner_pod = "" while ( - race_winner_pod == "" or (datetime.datetime.now() - start_time).seconds < 30 + race_winner_pod == "" + or (datetime.datetime.now() - start_time).seconds < 30 ): logging.info("Still waiting for race winning pod to startup") if "magtape/updated-by-pod" in tls_secret.metadata.labels: - race_winner_pod = tls_secret.metadata.labels["magtape/updated-by-pod"] + race_winner_pod = tls_secret.metadata.labels[ + "magtape/updated-by-pod" + ] break else: