Merge branch 'doc-arch-twistlock-301' into 'master'

Doc arch twistlock 301 See merge request platform-one/big-bang/bigbang!412

Merge branch 'doc-arch-twistlock-301' into 'master'
65316959 · joshwolf · f7f9733f · 306768f7 · 65316959
Commit 65316959 authored 3 years ago by joshwolf
--- a/charter/packages/twistlock/Architecture.md
+++ b/charter/packages/twistlock/Architecture.md
+# Twistlock
+## Overview
+[Twistlock Administration Guide](https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/welcome/getting_started.html)
+## Contents
+[Developer Guide](docs/developer-guide.md)
+## Big Bang Touchpoints
+```mermaid
+graph LR
+  subgraph "Twistlock"
+    twistlockpods("Twistlock Pod(s)")
+    twistlockservice{{Twistlock Console}} --> twistlockpods("TwistlockPod(s)")
+  end   
+  subgraph "Ingress"
+    ig(Ingress Gateway) --"App Port"--> twistlockservice
+  end  
+  subgraph "Logging"
+    twistlockpods("Twistlock Pod(s)") --"Logs"--> fluent(Fluentbit) --> logging-ek-es-http
+    logging-ek-es-http{{Elastic Service<br />logging-ek-es-http}} --> elastic[(Elastic Storage)]
+  end
+  subgraph "Monitoring"
+    svcmonitor("Service Monitor") --"Metrics Port"--> twistlockservice
+    Prometheus --> svcmonitor("Service Monitor")
+  end
+```
+### UI
+Twistlock Console serves as the user interface within Twistlock. The graphical
+user interface (GUI) lets you define policy, configure and control your Twistlock deployment, and view the overall health (from a security perspective) of your container environment
+### Install Defender
+In Bigbang the  twistlock defender is installed manual.
+Follow the document to install defender as a daemonset.
+https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock/-/blob/main/README.md
+### Storage
+Twistlock Console requires access to persistent storage \
+Persistent storage values can be set/modified  in the bigbang chart:
+```yaml
+console:
+  persistence:
+    size: 100Gi
+    accessMode: ReadWriteOnce
+```
+### Database
+N/A
+### Istio Configuration
+Istio is disabled in the twistlock chart by default and can be enabled by setting the following values in the bigbang chart:
+```yaml
+hostname: bigbang.dev
+istio:
+  enabled: true
+```
+NOTE: In  BigBang twistlock istio.enabled : true only exposes twistlock console to VirtualService.  The defender installation for twistlock in BigBang  is manual. By default, all traffic between the twistlock Defender and the console is TLS encrypted.
+## Monitoring
+Twistlock Prometheus metrics collection is implemented following the documentation:
+[Twistlock Prometheus Integration]<https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/audit/prometheus.html>\
+Monitoring is disabled in the twistlock chart by default and can be enabled by setting the following values in the bigbang chart:
+```yaml
+monitoring:
+  enabled: true
+```
+## High Availability
+Twistlock uses orchestrators built-in high availability capabilities.
+## Single Sign on (SSO)
+SSO can be configured for twistlock  manually using the documentation provided. \
+[Twistlock SSO Integration](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/twistlock/-/blob/main/docs/KEYCLOAK.md)
+## Licensing
+Twistlock deployment requires license to operate. Enter your license key in the twistlock console. \
+[TwistLock  License Documentation](https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition-admin/welcome/licensing.html) 
+### Health Checks
+Twistlock provides API endpoints to monitor the health and availability of deployed components  at `/api/v1/_ping` \
+Example command: curl -u admin:Password ‘https:<console-ip>:8083/api/ v1/_ping