Binary file added audit-api-0.2.0.tgz
2 changes: 1 addition & 1 deletion audit-api/Chart.yaml
@@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
version: 0.2.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
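Review bot: the chart version bump to 0.2.0 is appropriate for the new templates added in this commit, but the default image tag also moves from `0.22.0-8057e1b` to `0.23.0` in the README hunk, so confirm that `appVersion`, which sits just below this hunk, is updated to match; a chart that pins a new image under an old `appVersion` makes release auditing harder.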
84 changes: 62 additions & 22 deletions audit-api/README.md
@@ -6,29 +6,31 @@
| ------------------ | ----------------- | ------------------------------- |
| `image.repository` | Image repository | `ghcr.io/virtru-corp/audit-api` |
| `image.pullPolicy` | Image Pull Policy | `Always` |
| `image.tag` | Image tag | `0.22.0-8057e1b` |
| `image.tag` | Image tag | `0.23.0` |

### imagePullSecrets Image Pull Secrets - Overrides Global

| Name | Description | Value |
| -------------------------- | ---------------------- | ---------------------- |
| `imagePullSecrets[0].name` | Image Pull Secret Name | `platform-pull-secret` |
| Name | Description | Value |
| -------------------------- | ---------------------- | ----------------------- |
| `imagePullSecrets[0].name` | Image Pull Secret Name | `audit-api-pull-secret` |

### Deployment Parameters

| Name | Description | Value |
| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ---------------- |
| `nameOverride` | Override name of the chart | `""` |
| `fullnameOverride` | Override the full name of the chart | `""` |
| `config.db.host` | Postgresql DB Host | `postgresql` |
| `config.db.user` | Postgresql DB Username | `audit_manager` |
| `config.db.port` | Postgresql DB Port | `5432` |
| `config.db.dbName` | Postgresql DB Name | `audit_database` |
| `config.db.sslMode` | Postgresql SSL Mode | `disable` |
| `config.secrets.dbPassword` | Postgresql Database password - used if `config.existingSecret` is blank | `nil` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` |
| Name | Description | Value |
| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ---------------- |
| `nameOverride` | Override name of the chart | `""` |
| `fullnameOverride` | Override the full name of the chart | `""` |
| `config.db.host` | Postgresql DB Host | `postgresql` |
| `config.db.user` | Postgresql DB Username | `audit_manager` |
| `config.db.port` | Postgresql DB Port | `5432` |
| `config.db.dbName` | Postgresql DB Name | `audit_database` |
| `config.db.sslMode` | Postgresql SSL Mode | `disable` |
| `config.platform.disableInternalAuth` | disable internal service auth | `true` |
| `config.platform.defaultOrgId` | orgId used for queries | `nil` |
| `config.secrets.dbPassword` | Postgresql Database password - used if `config.existingSecret` is blank | `nil` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` |

### podAnnotations Pod K8S Annotations

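Review bot: the new `config.platform.disableInternalAuth` row documents a default of `true`, which turns internal service authentication off for every installation that does not override it; an opt-out security control should default to `false`, with the README explaining when, and inside which trust boundary, disabling it is acceptable. Two smaller points in the same table: `config.platform.defaultOrgId` is listed as `nil` although the ConfigMap template in this commit falls back to the all-zero UUID, so the effective default should be stated here; and `config.db.sslMode` still documents `disable` as the shipped default directly above the database password row, which is worth revisiting while the table is being edited.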
@@ -45,13 +47,35 @@
| `service.type` | type of service to create | `ClusterIP` |
| `service.port` | port to expose | `8080` |

### Istio AuthN/Z Parameters

| Name | Description | Value |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------------- | ------------------------- |
| `istioAuth.enabled` | Turn on/off istio authentication configuration for services defined by the `istioAuth.policies` configuration | `true` |
| `istioAuth.internalJWTURL` | Whether to compute and use internal keycloak jwks uri - default false | `true` |
| `istioAuth.oidc.oidcExternalBaseUrl` | The external base url of the oidc provider | `https://shp.example.com` |
| `istioAuth.oidc.oidcUrlPath` | The path added to the base url to reach the oidc provider | `auth` |
| `istioAuth.oidc.keycloakRealm` | If using keycloak - the realm name | `tdf` |

### Secret Generation Parameters

| Name | Description | Value |
| ----------------------------------------------- | ------------------------------------------------------------------------- | -------------- |
| `secrets.imageCredentials` | Map of key (pull name) to auth information. Each key creates a pull cred | |
| `secrets.imageCredentials.pull-secret` | Container registry auth for "install name"-pull-secret | |
| `secrets.imageCredentials.pull-secret.registry` | Registry repo | `ghcr.io` |
| `secrets.imageCredentials.pull-secret.username` | Registry Auth username | `username` |
| `secrets.imageCredentials.pull-secret.password` | Registry Auth password | `password` |
| `secrets.imageCredentials.pull-secret.email` | Registry Auth email | `nope@nah.com` |

### Ingress Configuration

| Name | Description | Value |
| --------------------- | ---------------------------------- | ------- |
| `ingress.enabled` | Enable ingress controller resource | `false` |
| `ingress.className` | Ingress controller class name | `""` |
| `ingress.annotations` | Ingress annotations | `{}` |
| Name | Description | Value |
| ------------------------- | ---------------------------------- | ------- |
| `ingress.enabled` | Enable ingress controller resource | `false` |
| `ingress.existingGateway` | Use an existing istio gateway | `nil` |
| `ingress.className` | Ingress controller class name | `""` |
| `ingress.annotations` | Ingress annotations | `{}` |

### ingress.hosts Ingress hostnames

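Review bot: the `istioAuth.internalJWTURL` row contradicts itself: the description says "default false" while the Value column says `true`. Since the helper template in this commit keys `jwksUri` off this flag (plain-HTTP in-cluster Keycloak URL versus the external issuer), the documented default should match `values.yaml`, and the description should say what the flag does rather than restate a default. Also, the `secrets.imageCredentials.pull-secret.*` rows show literal `username`/`password` values; state that these are placeholders and that the chart writes them into a `kubernetes.io/dockerconfigjson` Secret, so real values should come from `--set` or a values file kept out of version control.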
@@ -72,3 +96,19 @@
| Name | Description | Value |
| ----------------- | --------------------------------------------- | ------ |
| `tags.fluent-bit` | Tag for fluent-bit dependency default is true | `true` |

### Fluent Bit Configuration (optional)
if you would like to enable fluentbit to send audit events to splunk, you can adjust the fluentbit config in the values.yaml file. You'll want to add an additional output plugin to the fluentbit config. The following is an example of how to add a splunk output plugin to the fluentbit config:

```yaml
[OUTPUT]
Name splunk
Match audit
Port 8088
Host <splunk-host>
TLS On
TLS.Verify Off
Splunk_Token <splunk-token>
splunk_send_raw On
```
For more information on how to configure fluentbit and splunk, please refer to the [fluentbit documentation](https://docs.fluentbit.io/manual/pipeline/outputs/splunk#configuration-parameters)
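Review bot: the Fluent Bit Splunk example sets `TLS.Verify Off`, which disables server certificate verification on the channel that carries audit events off the cluster; documentation should show `TLS.Verify On` (with `tls.ca_file` pointing at the Splunk CA where a private CA is in use) and explain the trade-off rather than present verification off as the default shape. Minor: the paragraph should start with a capital letter and use "Fluent Bit" and "Splunk" consistently.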
66 changes: 66 additions & 0 deletions audit-api/example/deploy-with-istio.sh
@@ -0,0 +1,66 @@
# Image Pull Username . e.g. GHCR Personal Access Token
imagePullUsername="changeme"
# Image pull username
imagePullPAT="changeme"
# Hostname for ingress
ingressHostname=""
# Scale istiod downt to 0 then back up to 1
scaleIstio=false

chartRepo="virtru-charts"
auditChart="${chartRepo}/audit-api"
# For local install change to chart-version.tgz
# auditChart="../../audit-api-0.1.0.tgz"
# Is the platform in the same cluster as the audit-api deployment
while getopts "u:p:o:d:h:i" arg; do
case $arg in
u)
imagePullUsername=${OPTARG}
;;
p)
imagePullPAT=${OPTARG}
;;
o)
overrideValues=${OPTARG}
;;
d)
chartsLocalDir=${OPTARG}
;;
h)
ingressHostname=${OPTARG}
;;
i)
scaleIstio=true
;;
esac
done

if [ ! -z "$chartsLocalDir" ]; then
echo "Using local charts from ${chartsLocalDir}"
auditChart="${chartsLocalDir}/audit-api-*.tgz"
fi


echo "Deploying to hostname=${ingressHostname} with chart overrides = ${overrideValues}"

externalBaseUrl="https://${ingressHostname}"

echo "#1 Deploy audit-api Service"
helm upgrade --install -n $ns --create-namespace \
--set "secrets.imageCredentials.pull-secret.name"="ghcr" \
--set "secrets.imageCredentials.pull-secret.username"="${imagePullUsername}" \
--set "secrets.imageCredentials.pull-secret.password"="${imagePullPAT}" \
--set "secrets.imageCredentials.pull-secret.email"="nope@nah.com" \
--set "secrets.imageCredentials.pull-secret.registry"="ghcr.io" \
--set "istioAuth.oidc.oidcExternalBaseUrl"="${externalBaseUrl}" \
-f $overrideValues \
audit-api $auditChart

echo "#2 Wait for audit-api deployment rollout"
kubectl rollout status --watch --timeout=120s deployment/audit-api -n $ns


if $scaleIstio; then
kubectl scale deployment istiod -n istio-system --replicas=0
kubectl scale deployment istiod -n istio-system --replicas=1
fi
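Review bot: `$ns` is used in both `helm upgrade --install -n $ns` and `kubectl rollout status ... -n $ns` but is never assigned or parsed from the options, so the script hands an empty namespace argument to both tools; add an `-n` option (or a default) and put `#!/usr/bin/env bash` and `set -euo pipefail` at the top so unset variables fail loudly. Related: `-f $overrideValues` is passed unconditionally, so running without `-o` gives Helm an empty `-f`; the comment above `imagePullPAT` says "Image pull username" when the variable holds the token; and "downt" is a typo. Passing the registry token via `--set` also places it in the process list and shell history, so an example script should read it from an environment variable or a permission-restricted values file.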
14 changes: 14 additions & 0 deletions audit-api/example/example-values.yaml
@@ -0,0 +1,14 @@
postresPassword: &postgresPassword "changeme"

config:
secrets:
dbPassword: *postgresPassword

# using existing platform istio gateway
# (format if in different namespace: namespace/gateway-name)
ingress:
existingGateway: platform-gateway

fluent-bit:
autoscaling:
maxReplicas: 1
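Review bot: the top-level key on the first line is misspelled `postresPassword`; the anchor `&postgresPassword` is spelled correctly so the alias still resolves, but the stray key itself is ignored by Helm and confuses readers. Rename it to `postgresPassword`, or drop the anchor indirection and set `config.secrets.dbPassword` directly. `changeme` is fine as a placeholder, but the example should say that the file must not be committed once populated with a real password.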
24 changes: 23 additions & 1 deletion audit-api/templates/_helpers.tpl
@@ -5,7 +5,7 @@ Platform Ingress gateway name
{{- if .Values.ingress.existingGateway -}}
{{ .Values.ingress.existingGateway }}
{{- else -}}
{{ printf "%s-gateway" .Values.ingress.name }}
{{ printf "%s-gateway" ( include "common.lib.name" . ) }}
{{- end }}
{{- end }}

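Review bot: replacing `.Values.ingress.name`, which is not a documented value and would have rendered the gateway as `-gateway`, with `include "common.lib.name"` fixes a silent bad default. The README's Ingress table should then say that when `ingress.existingGateway` is unset, a gateway named `<chart name>-gateway` in the namespace resolved by the helper below (`ingress.istioIngressNS`, default `istio-ingress`) is assumed to exist.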
@@ -28,3 +28,25 @@ Platform Ingress gateway name
{{- printf "%s" ( .Values.ingress.istioIngressNS | default "istio-ingress" ) }}
{{- end }}

{{/*
Create OIDC External Url
*/}}
{{- define "platform.oidc.externalUrl" }}
{{- if .Values.istioAuth.oidc.oidcUrlPath }}
{{- printf "%s/%s" .Values.istioAuth.oidc.oidcExternalBaseUrl .Values.istioAuth.oidc.oidcUrlPath }}
{{- else }}
{{- default .Values.istioAuth.oidc.oidcExternalBaseUrl }}
{{- end }}
{{- end }}

{{- define "platform.auth.issuer" -}}
{{- printf "%s/realms/%s" ( include "platform.oidc.externalUrl" . ) ( .Values.istioAuth.oidc.keycloakRealm | default "tdf" ) }}
{{- end -}}

{{- define "platform.auth.jwksUri" -}}
{{- if .Values.istioAuth.internalJWTURL -}}
{{ printf "http://keycloak-http.%s.svc.cluster.local/auth/realms/%s/protocol/openid-connect/certs" .Release.Namespace ( .Values.istioAuth.oidc.keycloakRealm | default "tdf" ) }}
{{- else -}}
{{ printf "%s/protocol/openid-connect/certs" (include "platform.auth.issuer" . ) }}
{{- end -}}
{{- end -}}
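Review bot: in `platform.oidc.externalUrl`, the else branch `{{- default .Values.istioAuth.oidc.oidcExternalBaseUrl }}` calls `default` with a single argument, which simply returns that argument; write `{{- .Values.istioAuth.oidc.oidcExternalBaseUrl }}` so the intent is clear. In `platform.auth.jwksUri`, the internal branch hardcodes `http://keycloak-http.<namespace>.svc.cluster.local/auth/realms/...`: it ignores `istioAuth.oidc.oidcUrlPath`, assumes a Keycloak Service named `keycloak-http` in the release namespace, and fetches the JWT signing keys over plain HTTP, which is only acceptable when the mesh enforces mTLS for that hop. Consider making the host and scheme configurable values and documenting the mTLS assumption next to `istioAuth.internalJWTURL`.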
3 changes: 3 additions & 0 deletions audit-api/templates/audit-api-cm.yaml
@@ -6,8 +6,11 @@ metadata:
app: audit-api
data:
POSTGRES_HOST: {{ (coalesce .Values.config.db.host) | quote }}
POSTGRES_READER: {{ (coalesce .Values.config.db.reader) | quote }}
POSTGRES_USER: {{ .Values.config.db.user | quote }}
POSTGRES_PORT: {{ (coalesce .Values.config.db.port) | quote }}
POSTGRES_DB: {{ .Values.config.db.dbName | quote }}
POSTGRES_SSLMODE: {{ .Values.config.db.sslMode | quote }}
SELF_HOSTED_PLATFORM: "true"
PLATFORM_DISABLE_AUTH: {{ .Values.image.disableInternalAuth | default "true" | quote }}
CONFIG_ORG_ID: {{ .Values.config.platform.defaultOrgId | default "00000000-0000-0000-0000-000000000000" | quote }}
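Review bot: `PLATFORM_DISABLE_AUTH` reads `.Values.image.disableInternalAuth`, but the README documents the key as `config.platform.disableInternalAuth`, so the documented setting has no effect. Worse, `| default "true"` treats a boolean `false` as empty, so even `image.disableInternalAuth: false` renders as `"true"`: internal auth cannot be re-enabled through values at all. Use the documented path and render it with `toString` rather than `default`, e.g. `PLATFORM_DISABLE_AUTH: {{ .Values.config.platform.disableInternalAuth | toString | quote }}`, with the default carried in `values.yaml`. Also, `POSTGRES_READER` introduces `config.db.reader`, which is absent from the README tables in this commit.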
43 changes: 43 additions & 0 deletions audit-api/templates/audit-auth.yaml
@@ -0,0 +1,43 @@
{{- if .Values.istioAuth.enabled }}
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: audit-jwt-authentication
spec:
selector:
matchLabels:
{{- include "common.lib.selectorLabels" . | nindent 6 }}

jwtRules:
- issuer: {{ include "platform.auth.issuer" $ | quote }}
jwksUri: {{ include "platform.auth.jwksUri" $ | quote }}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: audit-external
spec:
selector:
matchLabels:
{{- include "common.lib.selectorLabels" . | nindent 6 }}
action: ALLOW
rules:
- from:
- source:
requestPrincipals: ["*"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: audit-internal
spec:
selector:
matchLabels:
{{- include "common.lib.selectorLabels" . | nindent 6 }}
action: ALLOW
rules:
- from:
- source:
namespaces: [ {{ $.Release.Namespace }} ]
---
{{- end }}
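Review bot: the two `ALLOW` policies share the same selector, and Istio evaluates ALLOW rules as an OR, so `audit-internal` (`namespaces: [<release namespace>]`, no principal required) lets any workload in the release namespace reach the audit API without a JWT regardless of `audit-external`'s `requestPrincipals: ["*"]`. If that is intended, document it in the README beside `istioAuth.enabled`; otherwise add a `principals:` (mTLS identity) constraint or a `to:` operation restriction to `audit-internal`. Note also that `RequestAuthentication` by itself admits requests carrying no token, so the external policy's `requestPrincipals: ["*"]` is what actually demands a valid JWT, and when `istioAuth.enabled` is `false` nothing in the chart restricts access. Minor: `namespaces: [ {{ $.Release.Namespace }} ]` should be quoted, and these resources carry no `labels:` block unlike the other templates.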
33 changes: 16 additions & 17 deletions audit-api/templates/audit-vsvc.yaml
@@ -1,23 +1,22 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: audit-vsvc
name: {{ include "common.lib.fullname" . }}
spec:
gateways:
- {{ include "platform.ingress.gateway" . }}
gateways: [{{ include "platform.ingress.gateway" . }}]
hosts:
- '*'
- '*'
http:
- match:
- uri:
prefix: /audit/
- uri:
prefix: /audit
name: audit
rewrite:
uri: /
route:
- destination:
host: audit-api
port:
number: 8080
- match:
- uri:
prefix: /audit/
- uri:
prefix: /audit
name: audit
rewrite:
uri: /
route:
- destination:
host: audit-api
port:
number: {{ .Values.service.port }}
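Review bot: the VirtualService name now uses `common.lib.fullname` and the port uses `.Values.service.port`, but `route.destination.host` is still the literal `audit-api`; the Ingress backend in this same commit targets the Service as `common.lib.fullname`, so with `fullnameOverride` or `nameOverride` set this route points at a host that does not exist. Use `{{ include "common.lib.fullname" . }}` there as well. `hosts: ['*']` also binds the `/audit` prefix on every hostname the gateway serves; consider deriving the host list from `ingress.hosts`.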
9 changes: 4 additions & 5 deletions audit-api/templates/ingress.yaml
@@ -1,5 +1,4 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "audit-api.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
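Review bot: dropping `$fullName` in favour of repeated `include "common.lib.fullname"` calls is fine, but `$svcPort` stays as a variable two lines down while the name does not; pick one style. Since `audit-api.fullname` is no longer referenced here, confirm with `helm template` that no other template still includes it, otherwise rendering fails.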
@@ -15,9 +14,9 @@ apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
name: {{ include "common.lib.fullname" . }}
labels:
{{- include "audit-api.labels" . | nindent 4 }}
{{- include "common.lib.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
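Review bot: switching to `common.lib.labels` here is consistent with the name change above; apply the same label set to the new `RequestAuthentication` and `AuthorizationPolicy` resources in `audit-auth.yaml`, which have no `labels:` block, so that ownership and selectors stay uniform across the chart.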
@@ -49,11 +48,11 @@ spec:
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
name: {{ include "common.lib.fullname" . }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
serviceName: {{ include "common.lib.fullname" . }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
13 changes: 13 additions & 0 deletions audit-api/templates/secrets.yaml
@@ -8,3 +8,16 @@ type: Opaque
stringData:
POSTGRES_PASSWORD: {{ .Values.config.secrets.dbPassword | quote }}
---
{{- if ( .Values.secrets.imageCredentials ) -}}
{{- range $k, $v := .Values.secrets.imageCredentials }}
{{- with $ -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.lib.name" . }}-{{ $k }}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" $v.registry $v.username $v.password $v.email (printf "%s:%s" $v.username $v.password | b64enc) | b64enc }}
{{- end }}
{{- end }}
{{- end }}
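Review bot: the `range` emits one `Secret` per `imageCredentials` entry but no `---` between iterations, so with two or more entries the second `apiVersion: v1` lands inside the first document and rendering produces invalid YAML; append `---` at the end of each iteration, before the range's `{{- end }}`. Two further points: building `.dockerconfigjson` with `printf` does not JSON-escape the username, password or email, so a password containing `"` or `\` yields a broken credential; build the structure with `dict` and pipe it through `toJson | b64enc` instead. And the example deploy script sets `secrets.imageCredentials.pull-secret.name=ghcr`, which this template never reads (the Secret name comes from the map key `$k`), so that flag is dead.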