Transition to using secrets in Key Vault.
This does the following:
- Removes references to the atst-override.ini file, now deprecated.
- Adds all non-secret data that was managed in the override file to the relevant K8s ConfigMaps.
- Adds additional documentation explaining our use of Key Vault for secrets management.
parent f8c31e4dcf
commit ec638d6b01
@ -37,35 +37,6 @@ If you are satisfied with the output from the diff, you can apply the new config
## Secrets and Configuration

### atst-overrides.ini

Production configuration values are provided to the ATAT Flask app by writing an `atst-overrides.ini` file to the running Docker container. This file is stored as a Kubernetes secret. It contains configuration information for the database connection, mailer, etc.

To update the configuration, you can do the following:

```
kubectl -n atat get secret atst-config-ini -o=jsonpath='{.data.override\.ini}' | base64 --decode > override.ini
```

This base64 decodes the secret and writes it to a local file called `override.ini`. Make any necessary config changes to that file.

To apply the new config, first delete the existing copy of the secret:

```
kubectl -n atat delete secret atst-config-ini
```

Then create a new copy of the secret from your updated copy:

```
kubectl -n atat create secret generic atst-config-ini --from-file=./override.ini
```

Notes:

- Be careful not to check the override.ini file into source control.
- Be careful not to overwrite one CSP cluster's config with the other's. This will break everything.

### nginx-htpasswd

If the site is running in dev mode, the `/login-dev` endpoint is available. This endpoint is protected by basic HTTP auth. To create a new password file, run:
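Review bot: the two operational caveats that only lived in the deleted section are dropped without a replacement, and the new Secrets Management text later in this file does not restate them: `- Be careful not to check the override.ini file into source control.` and `- Be careful not to overwrite one CSP cluster's config with the other's. This will break everything.` Both still apply after the move to Key Vault: a secret value passed to `az keyvault secret set --value` is just as sensitive as the old override.ini (and lands in shell history), and the [branch/environment]-NAME naming scheme means a value set under the wrong prefix silently feeds the wrong cluster. Keep them as a Notes list under the new section instead of removing them together with the atst-overrides.ini procedure.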
@ -178,11 +149,32 @@ az keyvault secret set --vault-name <VAULT NAME> --name <NAME OF PARAM> --value
```
---

# Secrets Management

Secrets, keys, and certificates are managed from Azure Key Vault. These items are mounted into the containers at runtime using the FlexVol implementation described below.

The following are mounted into the NGINX container in the atst pod:

- The TLS certs for the site
- The DH parameter for TLS connections

These are mounted into every instance of the Flask application container (the atst container, the celery worker, etc.):

- The Azure storage key used to access blob storage (AZURE_STORAGE_KEY)
- The password for the SMTP server used to send mail (MAIL_PASSWORD)
- The Postgres database user password (PGPASSWORD)
- The Redis user password (REDIS_PASSWORD)
- The Flask secret key used for session signing and generating CSRF tokens (SECRET_KEY)

Secrets should be added to Key Vault with the following naming pattern: [branch/environment]-[all-caps config setting name]. Note that Key Vault does not support underscores. Substitute hyphens. For example, the config setting for the SMTP server password is MAIL_SERVER. The corresponding secret name in Key Vault is "master-MAIL-SERVER" for the credential used in the primary environment.These secrets are mounted into the containers via FlexVol.

To add or manage secrets, keys, and certificates in Key Vault, see the [documentation](https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli).

# Setting Up FlexVol for Secrets

## Preparing Azure Environment

A Key Vault will need to be created. Save it's full id (the full path) for use later.
A Key Vault will need to be created. Save its full id (the full path) for use later.

## Preparing Cluster
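Review bot: the worked naming example contradicts the list directly above it. The paragraph says `the config setting for the SMTP server password is MAIL_SERVER` and derives `"master-MAIL-SERVER"`, but the list names the SMTP password `MAIL_PASSWORD`, and MAIL_SERVER is the non-secret hostname that the atst-envvars ConfigMap in this same commit sets to smtp.mailgun.org. Change the example to MAIL_PASSWORD / "master-MAIL-PASSWORD" so nobody stores a hostname in Key Vault and then wonders why the password never arrives in the container. Same paragraph is missing a space in `environment.These secrets`. The it's to its fix on the Key Vault line is correct. It would also help to state explicitly that the NGINX container gets only the TLS cert and DH parameter (a separate FlexVol object) and not the Flask secret set, since that separation is what keeps the database and storage credentials out of the edge container and the current wording only implies it.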
@ -6,15 +6,28 @@ metadata:
namespace: atat
data:
ASSETS_URL: https://atat-cdn.azureedge.net/
AZURE_ACCOUNT_NAME: atat
AZURE_TO_BUCKET_NAME: task-order-pdfs
BLOB_STORAGE_URL: https://atat.blob.core.windows.net/
CAC_URL: https://auth-staging.atat.code.mil/login-redirect
CDN_ORIGIN: https://azure.atat.code.mil
CELERY_DEFAULT_QUEUE: celery-master
CSP: azure
DEBUG: 0
FLASK_ENV: master
LOG_JSON: "true"
OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
MAIL_PORT: 587
MAIL_SENDER: postmaster@atat.code.mil
MAIL_SERVER: smtp.mailgun.org
MAIL_TLS: "true"
OVERRIDE_CONFIG_DIRECTORY: /config
PGAPPNAME: atst
PGDATABASE: staging
PGHOST: atat-db.postgres.database.azure.com
PGPORT: 5432
PGSSLMODE: verify-full
PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt
PGUSER: atat_master@atat-db
REDIS_HOST: atat.redis.cache.windows.net:6380
REDIS_TLS: "true"
STATIC_URL: https://atat-cdn.azureedge.net/static/
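Review bot: three values in this map are bare YAML integers, and ConfigMap `data` values must be strings, so the API server will reject the object with a cannot-unmarshal-number-into-string error: `DEBUG: 0`, `MAIL_PORT: 587` and `PGPORT: 5432` need quoting the same way the neighbouring `LOG_JSON: "true"` and `MAIL_TLS: "true"` already are. Also check the environment mix here: `FLASK_ENV: master` and `CELERY_DEFAULT_QUEUE: celery-master` sit next to `PGDATABASE: staging` and `CAC_URL: https://auth-staging.atat.code.mil/login-redirect`. If the master deployment is meant to talk to the staging database and staging CAC endpoint, put a comment on those keys saying so; otherwise this is exactly the one-cluster-config-in-the-other mistake the deleted docs warned about, now committed to source.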
@ -5,9 +5,25 @@ metadata:
name: atst-worker-envvars
namespace: atat
data:
AZURE_ACCOUNT_NAME: atat
AZURE_TO_BUCKET_NAME: task-order-pdfs
CAC_URL: https://auth-staging.atat.code.mil/login-redirect
CELERY_DEFAULT_QUEUE: celery-master
DISABLE_CRL_CHECK: "True"
DEBUG: 0
DISABLE_CRL_CHECK: "true"
MAIL_PORT: 587
MAIL_SENDER: postmaster@atat.code.mil
MAIL_SERVER: smtp.mailgun.org
MAIL_TLS: "true"
OVERRIDE_CONFIG_DIRECTORY: /config
PGAPPNAME: atst
PGDATABASE: staging
PGHOST: atat-db.postgres.database.azure.com
PGPORT: 5432
PGSSLMODE: verify-full
PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt
PGUSER: atat_master@atat-db
REDIS_HOST: atat.redis.cache.windows.net:6380
REDIS_TLS: "true"
SERVER_NAME: azure.atat.code.mil
TZ: UTC
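Review bot: `DISABLE_CRL_CHECK: "true"` switches off certificate revocation checking for the worker containers in what is otherwise master (production) configuration, and this hunk only changes its case from `"True"`. If that is deliberate because the workers never validate client certificates, record the reason in a comment next to the key; if not, drop it so revocation is enforced. The same string-typing problem as in atst-envvars is present here: `DEBUG: 0`, `MAIL_PORT: 587` and `PGPORT: 5432` must be quoted or the ConfigMap will not apply.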
@ -34,9 +34,6 @@ spec:
- configMapRef:
name: atst-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: nginx-client-ca-bundle
mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
subPath: client-ca-bundle.pem
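Review bot: after removing the `- name: atst-config` / `subPath: atst-overrides.ini` mount, the only volumeMount left in view for the atst container is `nginx-client-ca-bundle`; nothing in the shown context mounts the Key Vault secrets at the `OVERRIDE_CONFIG_DIRECTORY: /config` path that the atst-envvars ConfigMap in this commit now sets, whereas every worker hunk in this commit keeps `- name: flask-secret` / `mountPath: "/config"`. Confirm that mount exists for the atst container outside the hunk context, or the app will come up without its database, mail and storage credentials. Whatever replaces the deleted file mount should also carry `readOnly: true`.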
@ -81,13 +78,6 @@ spec:
- name: nginx-secret
mountPath: "/etc/ssl/"
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: nginx-client-ca-bundle
configMap:
name: nginx-client-ca-bundle
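Review bot: with this volume gone nothing in the deployment references the `atst-config-ini` Secret, but the Secret object (holding the database, SMTP and storage credentials) stays in the atat namespace until someone runs `kubectl -n atat delete secret atst-config-ini`; add that cleanup step to the rollout notes so a stale copy is not left readable to anyone with secret-get in the namespace. The removed volume at least pinned file permissions with `mode: 0644`; the FlexVol mounts replacing it should not be looser. Unrelated to the change but visible here, `- name: nginx-secret` / `mountPath: "/etc/ssl/"` mounts a Secret over the whole /etc/ssl directory, which hides the image's CA bundle and openssl.cnf; worth a follow-up to move it to a dedicated path.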
@ -195,22 +185,12 @@ spec:
- configMapRef:
name: atst-worker-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
- name: flask-secret
mountPath: "/config"
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: pgsslrootcert
configMap:
name: pgsslrootcert
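Review bot: the kept `- name: flask-secret` / `mountPath: "/config"` mount has no `readOnly: true`, so the worker can write into the directory that now carries PGPASSWORD, SECRET_KEY and the other credentials the docs list; secret and FlexVol mounts should be read-only. The block being removed was at least explicit about file permissions (`mode: 0644`); carry an equivalent or tighter setting over to the flask-secret volume definition so the transition does not silently widen who inside the container can read the files.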
@ -270,22 +250,12 @@ spec:
- configMapRef:
name: atst-worker-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
- name: flask-secret
mountPath: "/config"
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: pgsslrootcert
configMap:
name: pgsslrootcert
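Review bot: this hunk is line-for-line identical to the previous worker hunk (same `volumeMounts` and `volumes` stanzas, same `flask-secret` at `/config`, same `pgsslrootcert` ConfigMap), so the two deployments will drift the next time one of them is edited; either factor the shared volume stanzas into a common template or kustomize base, or add a comment in each file that they must be changed together. The `readOnly: true` remark on the previous hunk applies here unchanged.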
@ -32,21 +32,11 @@ spec:
- configMapRef:
name: atst-worker-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: crls-vol
mountPath: "/opt/atat/atst/crls"
- name: flask-secret
mountPath: "/config"
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: crls-vol
persistentVolumeClaim:
claimName: crls-vol-claim
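Review bot: the workload that mounts the `crls-vol-claim` PVC at `/opt/atat/atst/crls` also keeps `- name: flask-secret` / `mountPath: "/config"`, which per the docs in this commit carries every Flask secret (AZURE_STORAGE_KEY, MAIL_PASSWORD, PGPASSWORD, REDIS_PASSWORD, SECRET_KEY). If this container only needs a subset of those, give it a separate FlexVol object that projects just the ones it uses, so a compromise of the CRL-handling path does not also hand over the session-signing key and the storage key. As with the other workers, mark the mount `readOnly: true`.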