Transition to using secrets in Key Vault.
This does the following:

- Removes references to the atst-override.ini file, now deprecated.
- Adds all non-secret data that was managed in the override file to the relevant K8s ConfigMaps.
- Adds additional documentation explaining our use of Key Vault for secrets management.
This commit is contained in:
parent
f8c31e4dcf
commit
ec638d6b01
@ -37,35 +37,6 @@ If you are satisfied with the output from the diff, you can apply the new config
|
|||||||
|
|
||||||
## Secrets and Configuration
|
## Secrets and Configuration
|
||||||
|
|
||||||
### atst-overrides.ini
|
|
||||||
|
|
||||||
Production configuration values are provided to the ATAT Flask app by writing an `atst-overrides.ini` file to the running Docker container. This file is stored as a Kubernetes secret. It contains configuration information for the database connection, mailer, etc.
|
|
||||||
|
|
||||||
To update the configuration, you can do the following:
|
|
||||||
|
|
||||||
```
|
|
||||||
kubectl -n atat get secret atst-config-ini -o=jsonpath='{.data.override\.ini}' | base64 --decode > override.ini
|
|
||||||
```
|
|
||||||
|
|
||||||
This base64 decodes the secret and writes it to a local file called `override.ini`. Make any necessary config changes to that file.
|
|
||||||
|
|
||||||
To apply the new config, first delete the existing copy of the secret:
|
|
||||||
|
|
||||||
```
|
|
||||||
kubectl -n atat delete secret atst-config-ini
|
|
||||||
```
|
|
||||||
|
|
||||||
Then create a new copy of the secret from your updated copy:
|
|
||||||
|
|
||||||
```
|
|
||||||
kubectl -n atat create secret generic atst-config-ini --from-file=./override.ini
|
|
||||||
```
|
|
||||||
|
|
||||||
Notes:
|
|
||||||
|
|
||||||
- Be careful not to check the override.ini file into source control.
|
|
||||||
- Be careful not to overwrite one CSP cluster's config with the other's. This will break everything.
|
|
||||||
|
|
||||||
### nginx-htpasswd
|
### nginx-htpasswd
|
||||||
|
|
||||||
If the site is running in dev mode, the `/login-dev` endpoint is available. This endpoint is protected by basic HTTP auth. To create a new password file, run:
|
If the site is running in dev mode, the `/login-dev` endpoint is available. This endpoint is protected by basic HTTP auth. To create a new password file, run:
|
||||||
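Review bot: the deleted atst-overrides.ini section takes its closing caution with it ("Be careful not to overwrite one CSP cluster's config with the other's") and nothing in the replacement text restates it; since the new Secrets Management section in this commit names secrets with a `[branch/environment]-` prefix, carry the warning over in those terms (a secret created under the wrong prefix lands in the wrong environment). The kubectl steps being removed were also the only documented way to inspect the `atst-config-ini` Secret, so once the Deployments in this commit no longer mount it, that Secret object should be deleted from the atat namespace rather than left holding the old database, mail and Redis credentials.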
@ -178,11 +149,32 @@ az keyvault secret set --vault-name <VAULT NAME> --name <NAME OF PARAM> --value
|
|||||||
```
|
```
|
||||||
---
|
---
|
||||||
|
|
||||||
|
# Secrets Management
|
||||||
|
|
||||||
|
Secrets, keys, and certificates are managed from Azure Key Vault. These items are mounted into the containers at runtime using the FlexVol implementation described below.
|
||||||
|
|
||||||
|
The following are mounted into the NGINX container in the atst pod:
|
||||||
|
|
||||||
|
- The TLS certs for the site
|
||||||
|
- The DH parameter for TLS connections
|
||||||
|
|
||||||
|
These are mounted into every instance of the Flask application container (the atst container, the celery worker, etc.):
|
||||||
|
|
||||||
|
- The Azure storage key used to access blob storage (AZURE_STORAGE_KEY)
|
||||||
|
- The password for the SMTP server used to send mail (MAIL_PASSWORD)
|
||||||
|
- The Postgres database user password (PGPASSWORD)
|
||||||
|
- The Redis user password (REDIS_PASSWORD)
|
||||||
|
- The Flask secret key used for session signing and generating CSRF tokens (SECRET_KEY)
|
||||||
|
|
||||||
|
Secrets should be added to Key Vault with the following naming pattern: [branch/environment]-[all-caps config setting name]. Note that Key Vault does not support underscores. Substitute hyphens. For example, the config setting for the SMTP server password is MAIL_SERVER. The corresponding secret name in Key Vault is "master-MAIL-SERVER" for the credential used in the primary environment.These secrets are mounted into the containers via FlexVol.
|
||||||
|
|
||||||
|
To add or manage secrets, keys, and certificates in Key Vault, see the [documentation](https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli).
|
||||||
|
|
||||||
# Setting Up FlexVol for Secrets
|
# Setting Up FlexVol for Secrets
|
||||||
|
|
||||||
## Preparing Azure Environment
|
## Preparing Azure Environment
|
||||||
|
|
||||||
A Key Vault will need to be created. Save it's full id (the full path) for use later.
|
A Key Vault will need to be created. Save its full id (the full path) for use later.
|
||||||
|
|
||||||
## Preparing Cluster
|
## Preparing Cluster
|
||||||
|
|
||||||
|
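Review bot: the naming example in the new Secrets Management section contradicts its own list: it says the SMTP server password setting is MAIL_SERVER and gives `master-MAIL-SERVER`, but the list above names the password MAIL_PASSWORD, and the atst-envvars ConfigMap in this same commit carries MAIL_SERVER (smtp.mailgun.org) as a non-secret value; the example should read MAIL_PASSWORD and `master-MAIL-PASSWORD`. Two smaller points in the same paragraph: a space is missing after "primary environment.", and it would help operators to state what happens when a secret name does not follow the `[branch/environment]-[NAME]` pattern, since a misnamed secret is the first failure mode they will hit.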
@ -6,15 +6,28 @@ metadata:
|
|||||||
namespace: atat
|
namespace: atat
|
||||||
data:
|
data:
|
||||||
ASSETS_URL: https://atat-cdn.azureedge.net/
|
ASSETS_URL: https://atat-cdn.azureedge.net/
|
||||||
|
AZURE_ACCOUNT_NAME: atat
|
||||||
|
AZURE_TO_BUCKET_NAME: task-order-pdfs
|
||||||
BLOB_STORAGE_URL: https://atat.blob.core.windows.net/
|
BLOB_STORAGE_URL: https://atat.blob.core.windows.net/
|
||||||
|
CAC_URL: https://auth-staging.atat.code.mil/login-redirect
|
||||||
CDN_ORIGIN: https://azure.atat.code.mil
|
CDN_ORIGIN: https://azure.atat.code.mil
|
||||||
CELERY_DEFAULT_QUEUE: celery-master
|
CELERY_DEFAULT_QUEUE: celery-master
|
||||||
CSP: azure
|
CSP: azure
|
||||||
|
DEBUG: 0
|
||||||
FLASK_ENV: master
|
FLASK_ENV: master
|
||||||
LOG_JSON: "true"
|
LOG_JSON: "true"
|
||||||
OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
|
MAIL_PORT: 587
|
||||||
|
MAIL_SENDER: postmaster@atat.code.mil
|
||||||
|
MAIL_SERVER: smtp.mailgun.org
|
||||||
|
MAIL_TLS: "true"
|
||||||
|
OVERRIDE_CONFIG_DIRECTORY: /config
|
||||||
|
PGAPPNAME: atst
|
||||||
|
PGDATABASE: staging
|
||||||
|
PGHOST: atat-db.postgres.database.azure.com
|
||||||
|
PGPORT: 5432
|
||||||
PGSSLMODE: verify-full
|
PGSSLMODE: verify-full
|
||||||
PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt
|
PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt
|
||||||
|
PGUSER: atat_master@atat-db
|
||||||
REDIS_HOST: atat.redis.cache.windows.net:6380
|
REDIS_HOST: atat.redis.cache.windows.net:6380
|
||||||
REDIS_TLS: "true"
|
REDIS_TLS: "true"
|
||||||
STATIC_URL: https://atat-cdn.azureedge.net/static/
|
STATIC_URL: https://atat-cdn.azureedge.net/static/
|
||||||
|
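Review bot: `DEBUG: 0`, `MAIL_PORT: 587` and `PGPORT: 5432` are unquoted in the new atst-envvars data block, but ConfigMap `data` values must be strings, so the API server will reject this manifest (cannot unmarshal number into a string field); quote them the way the neighbouring `LOG_JSON: "true"` and `MAIL_TLS: "true"` already are, e.g. `DEBUG: "0"`. Replacing OVERRIDE_CONFIG_FULLPATH with `OVERRIDE_CONFIG_DIRECTORY: /config` is consistent with the `/config` mountPath of the flask-secret volume shown as context in the worker manifests later in this commit.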
@ -5,9 +5,25 @@ metadata:
|
|||||||
name: atst-worker-envvars
|
name: atst-worker-envvars
|
||||||
namespace: atat
|
namespace: atat
|
||||||
data:
|
data:
|
||||||
|
AZURE_ACCOUNT_NAME: atat
|
||||||
|
AZURE_TO_BUCKET_NAME: task-order-pdfs
|
||||||
|
CAC_URL: https://auth-staging.atat.code.mil/login-redirect
|
||||||
CELERY_DEFAULT_QUEUE: celery-master
|
CELERY_DEFAULT_QUEUE: celery-master
|
||||||
DISABLE_CRL_CHECK: "True"
|
DEBUG: 0
|
||||||
|
DISABLE_CRL_CHECK: "true"
|
||||||
|
MAIL_PORT: 587
|
||||||
|
MAIL_SENDER: postmaster@atat.code.mil
|
||||||
|
MAIL_SERVER: smtp.mailgun.org
|
||||||
|
MAIL_TLS: "true"
|
||||||
|
OVERRIDE_CONFIG_DIRECTORY: /config
|
||||||
|
PGAPPNAME: atst
|
||||||
|
PGDATABASE: staging
|
||||||
|
PGHOST: atat-db.postgres.database.azure.com
|
||||||
|
PGPORT: 5432
|
||||||
PGSSLMODE: verify-full
|
PGSSLMODE: verify-full
|
||||||
PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt
|
PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt
|
||||||
|
PGUSER: atat_master@atat-db
|
||||||
|
REDIS_HOST: atat.redis.cache.windows.net:6380
|
||||||
|
REDIS_TLS: "true"
|
||||||
SERVER_NAME: azure.atat.code.mil
|
SERVER_NAME: azure.atat.code.mil
|
||||||
TZ: UTC
|
TZ: UTC
|
||||||
|
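Review bot: the same unquoted-integer problem as in atst-envvars applies here, `DEBUG: 0`, `MAIL_PORT: 587` and `PGPORT: 5432` need to be quoted strings or the ConfigMap will not validate. The casing change of DISABLE_CRL_CHECK from "True" to "true" should be checked against how the app parses booleans so it really is a no-op; either way the worker keeps certificate revocation checking disabled, which deserves a comment in the manifest explaining why.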
@ -34,9 +34,6 @@ spec:
|
|||||||
- configMapRef:
|
- configMapRef:
|
||||||
name: atst-envvars
|
name: atst-envvars
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: atst-config
|
|
||||||
mountPath: "/opt/atat/atst/atst-overrides.ini"
|
|
||||||
subPath: atst-overrides.ini
|
|
||||||
- name: nginx-client-ca-bundle
|
- name: nginx-client-ca-bundle
|
||||||
mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
|
mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
|
||||||
subPath: client-ca-bundle.pem
|
subPath: client-ca-bundle.pem
|
||||||
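Review bot: with the atst-config mount removed, the only volumeMount left visible for this container is `nginx-client-ca-bundle`; since atst-envvars now sets `OVERRIDE_CONFIG_DIRECTORY: /config`, confirm this container also has a `/config` mount of the flask-secret volume outside the shown context (the worker manifests later in this commit show `- name: flask-secret` with `mountPath: "/config"` as existing context), otherwise the web app will start without SECRET_KEY, PGPASSWORD and the other secrets the new documentation lists.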
@ -81,13 +78,6 @@ spec:
|
|||||||
- name: nginx-secret
|
- name: nginx-secret
|
||||||
mountPath: "/etc/ssl/"
|
mountPath: "/etc/ssl/"
|
||||||
volumes:
|
volumes:
|
||||||
- name: atst-config
|
|
||||||
secret:
|
|
||||||
secretName: atst-config-ini
|
|
||||||
items:
|
|
||||||
- key: override.ini
|
|
||||||
path: atst-overrides.ini
|
|
||||||
mode: 0644
|
|
||||||
- name: nginx-client-ca-bundle
|
- name: nginx-client-ca-bundle
|
||||||
configMap:
|
configMap:
|
||||||
name: nginx-client-ca-bundle
|
name: nginx-client-ca-bundle
|
||||||
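Review bot: dropping the `atst-config` volume leaves the `atst-config-ini` Secret unreferenced by this Deployment but still present in the cluster; after the new manifests are applied and the pods are confirmed healthy, delete that Secret from the atat namespace so the plaintext database, mail and Redis credentials it holds are not left behind, and rotate any of those values that should only live in Key Vault from now on.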
@ -195,22 +185,12 @@ spec:
|
|||||||
- configMapRef:
|
- configMapRef:
|
||||||
name: atst-worker-envvars
|
name: atst-worker-envvars
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: atst-config
|
|
||||||
mountPath: "/opt/atat/atst/atst-overrides.ini"
|
|
||||||
subPath: atst-overrides.ini
|
|
||||||
- name: pgsslrootcert
|
- name: pgsslrootcert
|
||||||
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
|
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
|
||||||
subPath: pgsslrootcert.crt
|
subPath: pgsslrootcert.crt
|
||||||
- name: flask-secret
|
- name: flask-secret
|
||||||
mountPath: "/config"
|
mountPath: "/config"
|
||||||
volumes:
|
volumes:
|
||||||
- name: atst-config
|
|
||||||
secret:
|
|
||||||
secretName: atst-config-ini
|
|
||||||
items:
|
|
||||||
- key: override.ini
|
|
||||||
path: atst-overrides.ini
|
|
||||||
mode: 0644
|
|
||||||
- name: pgsslrootcert
|
- name: pgsslrootcert
|
||||||
configMap:
|
configMap:
|
||||||
name: pgsslrootcert
|
name: pgsslrootcert
|
||||||
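Review bot: the removed items mounted the override file with an explicit `mode: 0644`, while the flask-secret volume that now serves `/config` carries no mode in the visible context; confirm what permissions the FlexVol driver applies to the files it writes there (PGPASSWORD, SECRET_KEY and the other values listed in this commit's documentation) and set them explicitly if the driver allows it, so the move to Key Vault does not loosen file permissions inside the container.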
@ -270,22 +250,12 @@ spec:
|
|||||||
- configMapRef:
|
- configMapRef:
|
||||||
name: atst-worker-envvars
|
name: atst-worker-envvars
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: atst-config
|
|
||||||
mountPath: "/opt/atat/atst/atst-overrides.ini"
|
|
||||||
subPath: atst-overrides.ini
|
|
||||||
- name: pgsslrootcert
|
- name: pgsslrootcert
|
||||||
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
|
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
|
||||||
subPath: pgsslrootcert.crt
|
subPath: pgsslrootcert.crt
|
||||||
- name: flask-secret
|
- name: flask-secret
|
||||||
mountPath: "/config"
|
mountPath: "/config"
|
||||||
volumes:
|
volumes:
|
||||||
- name: atst-config
|
|
||||||
secret:
|
|
||||||
secretName: atst-config-ini
|
|
||||||
items:
|
|
||||||
- key: override.ini
|
|
||||||
path: atst-overrides.ini
|
|
||||||
mode: 0644
|
|
||||||
- name: pgsslrootcert
|
- name: pgsslrootcert
|
||||||
configMap:
|
configMap:
|
||||||
name: pgsslrootcert
|
name: pgsslrootcert
|
||||||
|
@ -32,21 +32,11 @@ spec:
|
|||||||
- configMapRef:
|
- configMapRef:
|
||||||
name: atst-worker-envvars
|
name: atst-worker-envvars
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: atst-config
|
|
||||||
mountPath: "/opt/atat/atst/atst-overrides.ini"
|
|
||||||
subPath: atst-overrides.ini
|
|
||||||
- name: crls-vol
|
- name: crls-vol
|
||||||
mountPath: "/opt/atat/atst/crls"
|
mountPath: "/opt/atat/atst/crls"
|
||||||
- name: flask-secret
|
- name: flask-secret
|
||||||
mountPath: "/config"
|
mountPath: "/config"
|
||||||
volumes:
|
volumes:
|
||||||
- name: atst-config
|
|
||||||
secret:
|
|
||||||
secretName: atst-config-ini
|
|
||||||
items:
|
|
||||||
- key: override.ini
|
|
||||||
path: atst-overrides.ini
|
|
||||||
mode: 0644
|
|
||||||
- name: crls-vol
|
- name: crls-vol
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
claimName: crls-vol-claim
|
claimName: crls-vol-claim
|
||||||
|