diff --git a/deploy/README.md b/deploy/README.md index 25380293..c0683ae0 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -37,35 +37,6 @@ If you are satisfied with the output from the diff, you can apply the new config ## Secrets and Configuration -### atst-overrides.ini - -Production configuration values are provided to the ATAT Flask app by writing an `atst-overrides.ini` file to the running Docker container. This file is stored as a Kubernetes secret. It contains configuration information for the database connection, mailer, etc. - -To update the configuration, you can do the following: - -``` -kubectl -n atat get secret atst-config-ini -o=jsonpath='{.data.override\.ini}' | base64 --decode > override.ini -``` - -This base64 decodes the secret and writes it to a local file called `override.ini`. Make any necessary config changes to that file. - -To apply the new config, first delete the existing copy of the secret: - -``` -kubectl -n atat delete secret atst-config-ini -``` - -Then create a new copy of the secret from your updated copy: - -``` -kubectl -n atat create secret generic atst-config-ini --from-file=./override.ini -``` - -Notes: - -- Be careful not to check the override.ini file into source control. -- Be careful not to overwrite one CSP cluster's config with the other's. This will break everything. - ### nginx-htpasswd If the site is running in dev mode, the `/login-dev` endpoint is available. This endpoint is protected by basic HTTP auth. To create a new password file, run: 
@@ -178,11 +149,32 @@ az keyvault secret set --vault-name --name --value ``` --- +# Secrets Management + +Secrets, keys, and certificates are managed from Azure Key Vault. These items are mounted into the containers at runtime using the FlexVol implementation described below. + +The following are mounted into the NGINX container in the atst pod: + +- The TLS certs for the site +- The DH parameter for TLS connections + +These are mounted into every instance of the Flask application container (the atst container, the celery worker, etc.): + +- The Azure storage key used to access blob storage (AZURE_STORAGE_KEY) +- The password for the SMTP server used to send mail (MAIL_PASSWORD) +- The Postgres database user password (PGPASSWORD) +- The Redis user password (REDIS_PASSWORD) +- The Flask secret key used for session signing and generating CSRF tokens (SECRET_KEY) + +Secrets should be added to Key Vault with the following naming pattern: [branch/environment]-[all-caps config setting name]. Note that Key Vault does not support underscores. Substitute hyphens. For example, the config setting for the SMTP server password is MAIL_SERVER. The corresponding secret name in Key Vault is "master-MAIL-SERVER" for the credential used in the primary environment.These secrets are mounted into the containers via FlexVol. + +To add or manage secrets, keys, and certificates in Key Vault, see the [documentation](https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli). + # Setting Up FlexVol for Secrets ## Preparing Azure Environment -A Key Vault will need to be created. Save it's full id (the full path) for use later. +A Key Vault will need to be created. Save its full id (the full path) for use later. ## Preparing Cluster diff --git a/deploy/azure/atst-envvars-configmap.yml b/deploy/azure/atst-envvars-configmap.yml index d6bd60ef..8907493d 100644 --- a/deploy/azure/atst-envvars-configmap.yml +++ b/deploy/azure/atst-envvars-configmap.yml 
@@ -6,15 +6,28 @@ metadata:
   namespace: atat
 data:
   ASSETS_URL: https://atat-cdn.azureedge.net/
+  AZURE_ACCOUNT_NAME: atat
+  AZURE_TO_BUCKET_NAME: task-order-pdfs
   BLOB_STORAGE_URL: https://atat.blob.core.windows.net/
+  CAC_URL: https://auth-staging.atat.code.mil/login-redirect
   CDN_ORIGIN: https://azure.atat.code.mil
   CELERY_DEFAULT_QUEUE: celery-master
   CSP: azure
+  DEBUG: 0
   FLASK_ENV: master
   LOG_JSON: "true"
-  OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
+  MAIL_PORT: 587
+  MAIL_SENDER: postmaster@atat.code.mil
+  MAIL_SERVER: smtp.mailgun.org
+  MAIL_TLS: "true"
+  OVERRIDE_CONFIG_DIRECTORY: /config
+  PGAPPNAME: atst
+  PGDATABASE: staging
+  PGHOST: atat-db.postgres.database.azure.com
+  PGPORT: 5432
   PGSSLMODE: verify-full
   PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt
+  PGUSER: atat_master@atat-db
   REDIS_HOST: atat.redis.cache.windows.net:6380
   REDIS_TLS: "true"
   STATIC_URL: https://atat-cdn.azureedge.net/static/
diff --git a/deploy/azure/atst-worker-envvars-configmap.yml b/deploy/azure/atst-worker-envvars-configmap.yml
index c3522f70..ab10c118 100644
--- a/deploy/azure/atst-worker-envvars-configmap.yml
+++ b/deploy/azure/atst-worker-envvars-configmap.yml
@@ -5,9 +5,25 @@ metadata:
   name: atst-worker-envvars
   namespace: atat
 data:
+  AZURE_ACCOUNT_NAME: atat
+  AZURE_TO_BUCKET_NAME: task-order-pdfs
+  CAC_URL: https://auth-staging.atat.code.mil/login-redirect
   CELERY_DEFAULT_QUEUE: celery-master
-  DISABLE_CRL_CHECK: "True"
+  DEBUG: 0
+  DISABLE_CRL_CHECK: "true"
+  MAIL_PORT: 587
+  MAIL_SENDER: postmaster@atat.code.mil
+  MAIL_SERVER: smtp.mailgun.org
+  MAIL_TLS: "true"
+  OVERRIDE_CONFIG_DIRECTORY: /config
+  PGAPPNAME: atst
+  PGDATABASE: staging
+  PGHOST: atat-db.postgres.database.azure.com
+  PGPORT: 5432
   PGSSLMODE: verify-full
   PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt
+  PGUSER: atat_master@atat-db
+  REDIS_HOST: atat.redis.cache.windows.net:6380
+  REDIS_TLS: "true"
   SERVER_NAME: azure.atat.code.mil
   TZ: UTC
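Review bot: `DEBUG: 0`, `MAIL_PORT: 587` and `PGPORT: 5432` are unquoted, so they parse as integers, and ConfigMap `data` values must be strings — kubectl validation rejects the object with an "expected string" error. Quote them the way `LOG_JSON: "true"` already is: `DEBUG: "0"`, `MAIL_PORT: "587"`, `PGPORT: "5432"`; the atst-worker-envvars hunk below has the same three keys unquoted. `MAIL_SERVER: smtp.mailgun.org` shows MAIL_SERVER is the SMTP host, not a credential, whereas the README hunk in this commit uses MAIL_SERVER as its example of the SMTP password setting, which per its own list should be MAIL_PASSWORD. `CAC_URL` points at auth-staging and `PGDATABASE` is `staging` next to `FLASK_ENV: master`, so confirm these match the intended environment, since this ConfigMap decides which endpoint the app trusts for CAC login. `OVERRIDE_CONFIG_DIRECTORY: /config` also presumes the atst container mounts the flask-secret volume at `/config`; the azure.yml hunk for that container shows only the nginx-client-ca-bundle mount in view, so check that the mount exists outside the hunk.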
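Review bot: Every key added here except `DISABLE_CRL_CHECK` duplicates a line of atst-envvars verbatim (`PGHOST`, `PGUSER`, `MAIL_*`, `CAC_URL`, ...), and nothing ties the two copies together, so a later change to a host, port or user in one file silently leaves the other workload on the stale value. Since both ConfigMaps are consumed through `envFrom` / `configMapRef`, the shared settings could live in one ConfigMap listed under every container's `envFrom`, with this file reduced to the worker-only `DISABLE_CRL_CHECK`, `SERVER_NAME` and `TZ`. `DISABLE_CRL_CHECK: "true"` exists only for the worker, which looks deliberate, but because it switches off a certificate-revocation check a comment recording why the worker alone skips it would help, e.g. `# worker-only: the atst web container keeps CRL checking on` — assuming that is the intent.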
diff --git a/deploy/azure/azure.yml b/deploy/azure/azure.yml
index cf91cf58..8fe7fd87 100644
--- a/deploy/azure/azure.yml
+++ b/deploy/azure/azure.yml
@@ -34,9 +34,6 @@ spec:
             - configMapRef:
                 name: atst-envvars
           volumeMounts:
-            - name: atst-config
-              mountPath: "/opt/atat/atst/atst-overrides.ini"
-              subPath: atst-overrides.ini
             - name: nginx-client-ca-bundle
               mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
               subPath: client-ca-bundle.pem
@@ -81,13 +78,6 @@ spec:
             - name: nginx-secret
               mountPath: "/etc/ssl/"
       volumes:
-        - name: atst-config
-          secret:
-            secretName: atst-config-ini
-            items:
-              - key: override.ini
-                path: atst-overrides.ini
-                mode: 0644
         - name: nginx-client-ca-bundle
           configMap:
             name: nginx-client-ca-bundle
@@ -195,22 +185,12 @@ spec:
             - configMapRef:
                 name: atst-worker-envvars
           volumeMounts:
-            - name: atst-config
-              mountPath: "/opt/atat/atst/atst-overrides.ini"
-              subPath: atst-overrides.ini
             - name: pgsslrootcert
               mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
               subPath: pgsslrootcert.crt
             - name: flask-secret
               mountPath: "/config"
       volumes:
-        - name: atst-config
-          secret:
-            secretName: atst-config-ini
-            items:
-              - key: override.ini
-                path: atst-overrides.ini
-                mode: 0644
         - name: pgsslrootcert
           configMap:
             name: pgsslrootcert
@@ -270,22 +250,12 @@ spec:
             - configMapRef:
                 name: atst-worker-envvars
          volumeMounts:
-            - name: atst-config
-              mountPath: "/opt/atat/atst/atst-overrides.ini"
-              subPath: atst-overrides.ini
             - name: pgsslrootcert
               mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
               subPath: pgsslrootcert.crt
             - name: flask-secret
               mountPath: "/config"
       volumes:
-        - name: atst-config
-          secret:
-            secretName: atst-config-ini
-            items:
-              - key: override.ini
-                path: atst-overrides.ini
-                mode: 0644
         - name: pgsslrootcert
           configMap:
             name: pgsslrootcert
diff --git a/deploy/azure/crls-sync.yaml b/deploy/azure/crls-sync.yaml
index c2a07327..5fdcd7b8 100644
--- a/deploy/azure/crls-sync.yaml
+++ b/deploy/azure/crls-sync.yaml
@@ -32,21 +32,11 @@ spec:
             - configMapRef:
                 name: atst-worker-envvars
           volumeMounts:
-            - name: atst-config
-              mountPath: "/opt/atat/atst/atst-overrides.ini"
-              subPath: atst-overrides.ini
             - name: crls-vol
               mountPath: "/opt/atat/atst/crls"
             - name: flask-secret
               mountPath: "/config"
       volumes:
-        - name: atst-config
-          secret:
-            secretName: atst-config-ini
-            items:
-              - key: override.ini
-                path: atst-overrides.ini
-                mode: 0644
         - name: crls-vol
           persistentVolumeClaim:
             claimName: crls-vol-claim