Transition to using secrets in Key Vault.

This does the following:

- Removes references to the atst-override.ini file, now deprecated.
- Adds all non-secret data that was managed in the override file to the
  relevant K8s ConfigMaps.
- Adds additional documentation explaining our use of Key Vault for
  secrets management.
This commit is contained in:
dandds 2019-12-05 14:56:07 -05:00
parent f8c31e4dcf
commit ec638d6b01
5 changed files with 53 additions and 72 deletions


@ -37,35 +37,6 @@ If you are satisfied with the output from the diff, you can apply the new config
## Secrets and Configuration
### atst-overrides.ini
Production configuration values are provided to the ATAT Flask app by writing an `atst-overrides.ini` file to the running Docker container. This file is stored as a Kubernetes secret. It contains configuration information for the database connection, mailer, etc.
To update the configuration, you can do the following:
```
kubectl -n atat get secret atst-config-ini -o=jsonpath='{.data.override\.ini}' | base64 --decode > override.ini
```
This base64 decodes the secret and writes it to a local file called `override.ini`. Make any necessary config changes to that file.
To apply the new config, first delete the existing copy of the secret:
```
kubectl -n atat delete secret atst-config-ini
```
Then create a new copy of the secret from your updated copy:
```
kubectl -n atat create secret generic atst-config-ini --from-file=./override.ini
```
Notes:
- Be careful not to check the override.ini file into source control.
- Be careful not to overwrite one CSP cluster's config with the other's. This will break everything.
### nginx-htpasswd
If the site is running in dev mode, the `/login-dev` endpoint is available. This endpoint is protected by basic HTTP auth. To create a new password file, run:
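Review bot: deleting the whole `### atst-overrides.ini` subsection also drops the two operator warnings at its end ("Be careful not to check the override.ini file into source control." and "Be careful not to overwrite one CSP cluster's config with the other's."), and the second one still applies once values live in Key Vault, because secrets for different environments are distinguished only by the `[branch/environment]-` prefix described later in this commit. Suggest leaving a one-line pointer under `## Secrets and Configuration` to the new "Secrets Management" section and restating the cross-cluster caveat there, so the heading does not run straight into `### nginx-htpasswd` with no mention of where production configuration now comes from.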
@ -178,11 +149,32 @@ az keyvault secret set --vault-name <VAULT NAME> --name <NAME OF PARAM> --value
```
---
# Secrets Management
Secrets, keys, and certificates are managed from Azure Key Vault. These items are mounted into the containers at runtime using the FlexVol implementation described below.
The following are mounted into the NGINX container in the atst pod:
- The TLS certs for the site
- The DH parameter for TLS connections
These are mounted into every instance of the Flask application container (the atst container, the celery worker, etc.):
- The Azure storage key used to access blob storage (AZURE_STORAGE_KEY)
- The password for the SMTP server used to send mail (MAIL_PASSWORD)
- The Postgres database user password (PGPASSWORD)
- The Redis user password (REDIS_PASSWORD)
- The Flask secret key used for session signing and generating CSRF tokens (SECRET_KEY)
Secrets should be added to Key Vault with the following naming pattern: [branch/environment]-[all-caps config setting name]. Note that Key Vault does not support underscores. Substitute hyphens. For example, the config setting for the SMTP server password is MAIL_SERVER. The corresponding secret name in Key Vault is "master-MAIL-SERVER" for the credential used in the primary environment.These secrets are mounted into the containers via FlexVol.
To add or manage secrets, keys, and certificates in Key Vault, see the [documentation](https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli).
# Setting Up FlexVol for Secrets
## Preparing Azure Environment
A Key Vault will need to be created. Save it's full id (the full path) for use later.
A Key Vault will need to be created. Save its full id (the full path) for use later.
## Preparing Cluster
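Review bot: the worked example in the naming-pattern paragraph names the wrong setting. MAIL_SERVER is the SMTP host and is a non-secret (it appears in the ConfigMaps as `MAIL_SERVER: smtp.mailgun.org`), whereas the secret the list above introduces is the SMTP password, MAIL_PASSWORD; the sentence should read "the config setting for the SMTP server password is MAIL_PASSWORD. The corresponding secret name in Key Vault is "master-MAIL-PASSWORD"". Two smaller points in the same paragraph: a space is missing in "environment].These secrets", and the sentence introducing the second list would read better as "The following are mounted into every instance of the Flask application container". Finally, the section never says how the mounted secrets are consumed; the ConfigMaps in this commit set `OVERRIDE_CONFIG_DIRECTORY: /config` and the pods mount `flask-secret` at `/config`, so one sentence connecting the Key Vault secret name to the file the app reads under that directory would save the next operator a trip through the source.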


@ -6,15 +6,28 @@ metadata:
namespace: atat
data:
ASSETS_URL: https://atat-cdn.azureedge.net/
AZURE_ACCOUNT_NAME: atat
AZURE_TO_BUCKET_NAME: task-order-pdfs
BLOB_STORAGE_URL: https://atat.blob.core.windows.net/
CAC_URL: https://auth-staging.atat.code.mil/login-redirect
CDN_ORIGIN: https://azure.atat.code.mil
CELERY_DEFAULT_QUEUE: celery-master
CSP: azure
DEBUG: 0
FLASK_ENV: master
LOG_JSON: "true"
OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
MAIL_PORT: 587
MAIL_SENDER: postmaster@atat.code.mil
MAIL_SERVER: smtp.mailgun.org
MAIL_TLS: "true"
OVERRIDE_CONFIG_DIRECTORY: /config
PGAPPNAME: atst
PGDATABASE: staging
PGHOST: atat-db.postgres.database.azure.com
PGPORT: 5432
PGSSLMODE: verify-full
PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt
PGUSER: atat_master@atat-db
REDIS_HOST: atat.redis.cache.windows.net:6380
REDIS_TLS: "true"
STATIC_URL: https://atat-cdn.azureedge.net/static/
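Review bot: `DEBUG: 0`, `MAIL_PORT: 587` and `PGPORT: 5432` are unquoted, so the YAML parser emits integers; ConfigMap `data` values must be strings and the API server rejects the object on apply. Quote them the way the neighbouring `LOG_JSON: "true"` and `MAIL_TLS: "true"` already are: `DEBUG: "0"`, `MAIL_PORT: "587"`, `PGPORT: "5432"`. The Postgres settings are otherwise in good shape for a managed database (`PGSSLMODE: verify-full` paired with an explicit `PGSSLROOTCERT`), which is worth keeping as-is; the password itself correctly stays out of this file and comes from Key Vault as PGPASSWORD.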


@ -5,9 +5,25 @@ metadata:
name: atst-worker-envvars
namespace: atat
data:
AZURE_ACCOUNT_NAME: atat
AZURE_TO_BUCKET_NAME: task-order-pdfs
CAC_URL: https://auth-staging.atat.code.mil/login-redirect
CELERY_DEFAULT_QUEUE: celery-master
DISABLE_CRL_CHECK: "True"
DEBUG: 0
DISABLE_CRL_CHECK: "true"
MAIL_PORT: 587
MAIL_SENDER: postmaster@atat.code.mil
MAIL_SERVER: smtp.mailgun.org
MAIL_TLS: "true"
OVERRIDE_CONFIG_DIRECTORY: /config
PGAPPNAME: atst
PGDATABASE: staging
PGHOST: atat-db.postgres.database.azure.com
PGPORT: 5432
PGSSLMODE: verify-full
PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt
PGUSER: atat_master@atat-db
REDIS_HOST: atat.redis.cache.windows.net:6380
REDIS_TLS: "true"
SERVER_NAME: azure.atat.code.mil
TZ: UTC
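Review bot: same YAML typing problem as in `atst-envvars`: `DEBUG: 0`, `MAIL_PORT: 587` and `PGPORT: 5432` must be quoted strings or the ConfigMap will fail validation. Separately, this hunk normalises `DISABLE_CRL_CHECK: "True"` to `"true"`; note that `atst-worker-envvars` is referenced via `configMapRef` by three containers in the Deployment manifest and by the CRL job in this same commit, so a disabled CRL check now applies to every one of those consumers. If only the Celery workers are meant to skip CRL validation, that flag belongs in a per-workload ConfigMap rather than the shared one.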


@ -34,9 +34,6 @@ spec:
- configMapRef:
name: atst-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: nginx-client-ca-bundle
mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
subPath: client-ca-bundle.pem
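Review bot: the atst container loses its `atst-overrides.ini` mount here, but unlike the worker containers later in this file no `flask-secret` mount at `/config` is visible among its remaining `volumeMounts`. Since `atst-envvars` now sets `OVERRIDE_CONFIG_DIRECTORY: /config`, confirm that this container mounts the FlexVol there (outside the lines shown) or it will start without PGPASSWORD, REDIS_PASSWORD and SECRET_KEY.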
@ -81,13 +78,6 @@ spec:
- name: nginx-secret
mountPath: "/etc/ssl/"
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: nginx-client-ca-bundle
configMap:
name: nginx-client-ca-bundle
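Review bot: removing the `atst-config` volume leaves the `atst-config-ini` Secret object itself in the `atat` namespace, still carrying the database, mailer and storage credentials in base64. The rollout should include deleting it once the pods are confirmed healthy on Key Vault (`kubectl -n atat delete secret atst-config-ini`, the same command the removed docs used), and the values it held should be rotated, since anyone with `get` on secrets in that namespace could have read them.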
@ -195,22 +185,12 @@ spec:
- configMapRef:
name: atst-worker-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
- name: flask-secret
mountPath: "/config"
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: pgsslrootcert
configMap:
name: pgsslrootcert
@ -270,22 +250,12 @@ spec:
- configMapRef:
name: atst-worker-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
- name: flask-secret
mountPath: "/config"
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: pgsslrootcert
configMap:
name: pgsslrootcert


@ -32,21 +32,11 @@ spec:
- configMapRef:
name: atst-worker-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: crls-vol
mountPath: "/opt/atat/atst/crls"
- name: flask-secret
mountPath: "/config"
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: crls-vol
persistentVolumeClaim:
claimName: crls-vol-claim