diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index c4023b62c74c7074c13d5a953f6dd2246b8882f1..1823696a68cd5884e920b94be3489690227d3093 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: anchore-engine
-version: 1.9.5-bb.0
+version: 1.9.5-bb.1
 appVersion: 0.8.1
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/chart/README.md b/chart/README.md
index 0368e3a58d524993d5d39901766abbc9d4a7782c..420b1b8d58de4f114f5d96be426f3cd8cca92bee 100644
--- a/chart/README.md
+++ b/chart/README.md
@@ -110,6 +110,8 @@ stringData:
 matches your original license file.
 ```
+P1 has a license that can be used for dev - this license is located [here](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/snippets/73). To make use of it you will need to SOPS decrypt it with your AWS Coder credentials.
+
 Once you have added the license to this location make sure to re-encrypt your secret file.
 In your un-encrypted values file - `configmap.yaml` add the following to enable Enterprise Global:
@@ -153,6 +155,10 @@ stringData:
 externalEndpoint: "redis://:@hostname:port"
 ```
+### Enable SSO
+
+Big Bang has provided an automated way to configure SSO with Keycloak via the Helm chart. To enable and configure SSO follow the instructions in the main KEYCLOAK document.
+
 ## Installing on OpenShift
 The [upstream chart README](https://github.com/anchore/anchore-charts/tree/master/stable/anchore-engine#installing-on-openshift) provides additional details on how to deploy to OpenShift. Necessary values are also included in the values file in this repo.
diff --git a/chart/templates/bigbang/sso/configure-sso.yaml b/chart/templates/bigbang/sso/configure-sso.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8e6ada3d17dcaf42388a23a02dc138cef28b1d4e
--- /dev/null
+++ b/chart/templates/bigbang/sso/configure-sso.yaml
@@ -0,0 +1,68 @@
+{{- if .Values.sso.enabled }}
+# Job to perform integration of SSO to Anchore
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: configure-sso
+ annotations:
+ "helm.sh/hook": post-install
+spec:
+ template:
+ metadata:
+ name: configure-sso
+ annotations:
+ sidecar.istio.io/inject: 'false'
+ spec:
+ # imagePullSecrets:
+ # - name: repo1-registry-read-creds
+ containers:
+ - name: configure-sso
+ image: {{ .Values.anchoreEnterpriseGlobal.image }}
+ command:
+ - /bin/sh
+ - -c
+ - |
+ set -ex
+ cd "/tmp"
+
+ # Extract SAML URL and name
+ SSO_NAME=$(grep -oP '^\s*"name"\s*:\s*"\K(.*)(?=",?\s*$)' anchore-sso.json)
+ IDP_URL=$(grep -oP '^\s*"idp_metadata_url"\s*:\s*"\K(.*)(?=",?\s*$)' anchore-sso.json)
+
+ # Wait for the given SAML IdP metadata url to exist and give data back
+ while [ $(curl -sw '%{http_code}' "${IDP_URL}" -o /dev/null) -ne 200 ]; do
+ echo "Waiting for IdP metadata..."
+ sleep 10;
+ done
+
+ echo "IdP URL is live..."
+
+ # Wait for Anchore Engine API to go live
+ while [ $(curl -sw '%{http_code}' "http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseRbac.service.apiPort }}/v1/swagger.json" -o /dev/null) -ne 200 ]; do
+ echo "Waiting for Anchore API..."
+ sleep 10;
+ done
+
+ echo "Anchore Engine is live..."
+
+ # If a SAML IdP doesn't exist with the given name, add this. Otherwise update the existing entry
+ if [ $(curl -sw '%{http_code}' -u "admin:${ANCHORE_ADMIN_PASSWORD}" "http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseRbac.service.apiPort }}/v1/saml/idps/${SSO_NAME}" -o /dev/null) -ne 200 ]; then
+ echo "Applying SAML config to Anchore..."
+ curl -vvv --fail -u "admin:${ANCHORE_ADMIN_PASSWORD}" -d "@anchore-sso.json" -H "Content-Type: application/json" http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseRbac.service.apiPort }}/v1/saml/idps
+ else
+ echo "SAML config already exists, updating..."
+ curl -vvv --fail -u "admin:${ANCHORE_ADMIN_PASSWORD}" -d "@anchore-sso.json" -H "Content-Type: application/json" --request PUT "http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseRbac.service.apiPort }}/v1/saml/idps/${SSO_NAME}"
+ fi
+ envFrom:
+ - secretRef:
+ name: {{ template "anchore-engine.fullname" . }}
+ volumeMounts:
+ - name: anchore-sso
+ mountPath: "/tmp"
+ readOnly: true
+ volumes:
+ - name: anchore-sso
+ secret:
+ secretName: anchore-sso
+ restartPolicy: OnFailure
+{{- end }}
diff --git a/chart/templates/bigbang/sso/sso-secret.yaml b/chart/templates/bigbang/sso/sso-secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7ea3f87b0fde70315e948cd5c735fac6b3b61902
--- /dev/null
+++ b/chart/templates/bigbang/sso/sso-secret.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.sso.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: anchore-sso
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: sso-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/part-of: anchore-enterprise
+ app.kubernetes.io/component: sso
+ annotations:
+ "helm.sh/hook": pre-install
+type: Opaque
+stringData:
+ {{ with .Values.sso }}
+ anchore-sso.json: |-
+ {
+ "name": "{{ .name }}",
+ "enabled": {{ .enabled }},
+ "acs_https_port": {{ .acsHttpsPort }},
+ "sp_entity_id": "{{ .spEntityId }}",
+ "acs_url": "{{ .acsUrl }}",
+ "default_account": "{{ .defaultAccount }}",
+ "default_role": "{{ .defaultRole }}",
+ "require_signed_assertions": {{ .requireSignedAssertions }},
+ "require_signed_response": {{ .requireSignedResponse }},
+ "idp_metadata_url": "{{ .idpMetadataUrl }}"
+ }
+ {{- end }}
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 88773e30102c7a7cef3b4c281facef5318c07ad8..2a0c2c98a549310f22af0cd56d43b9f39e8cc9de 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
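Review bot: The Anchore admin password is written to the Job's pod logs: `set -ex` traces every command with `${ANCHORE_ADMIN_PASSWORD}` already expanded, and `curl -vvv` prints the request headers including the `Authorization: Basic` line, on both the POST in the `if` branch and the PUT at the top of this half of the hunk, so anyone able to read pod logs in the release namespace (or any log shipper) recovers the credential. Change the first script line to `set -e` and drop `-vvv` from both curl calls, keeping `--fail` and adding `-sS` so failures still surface; since no `helm.sh/hook-delete-policy` is set, the completed hook pod and its logs also persist after install, which is worth a delete policy once the output is clean. The `grep -oP` extraction relies on PCRE support in the enterprise image's grep — presumably GNU grep, but confirm, as a busybox grep would silently break `SSO_NAME`/`IDP_URL`. Separately, the hook is `post-install` only, so edits to `.Values.sso` on `helm upgrade` are never re-applied even though the script already handles the update path with PUT; if upgrades should reconcile, use `"helm.sh/hook": post-install,post-upgrade` here and add `pre-upgrade` to the `anchore-sso` Secret hook in sso-secret.yaml.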
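Review bot: The string values are spliced into the JSON document unescaped (`"name": "{{ .name }}"`, `"sp_entity_id": "{{ .spEntityId }}"`, `"acs_url"`, `"default_account"`, `"default_role"`, `"idp_metadata_url"`), so a value containing a double quote or backslash yields malformed JSON that configure-sso then posts to the API, and the job's `grep -oP` extraction of `name` and `idp_metadata_url` would mis-parse it as well. Render each string through Helm's JSON encoder with the literal quotes removed, e.g. `"name": {{ .name | toJson }},` and likewise for the other string fields; the booleans and `acs_https_port` are unquoted and can stay as written. As a style point, `{{ with .Values.sso }}` has no trim marker and leaves an indented empty line inside `stringData`; `{{- with .Values.sso }}` matches the `{{- end }}` used to close it. The Secret carries only the chart's own SSO parameters (no key material), which is appropriate for a `stringData` template.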
@@ -10,6 +10,20 @@ istio:
 enterpriseLicenseYaml: |
 FULL LICENSE YAML (must be indented)
+# Enable/disable Keycloak SSO integration
+# If enabled, also enable OAuth - anchoreGlobal.oauthEnabled - and make sure anchoreGlobal.saml.secret is set to anchore-sso
+sso:
+ enabled: false
+ name: "keycloak"
+ acsHttpsPort: -1
+ spEntityId: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-anchore"
+ acsUrl: "https://anchore.bigbang.dev/service/sso/auth/keycloak"
+ defaultAccount: "user"
+ defaultRole: "read-write"
+ requireSignedAssertions: false
+ requireSignedResponse: true
+ idpMetadataUrl: "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor"
+
 # Upstream Anchore Values
 # -----------------------
@@ -196,7 +210,7 @@ anchoreGlobal:
 privateKeyName: Null
 publicKeyName: Null
-oauthEnabled: false
+oauthEnabled: false # true if using SSO
 oauthTokenExpirationSeconds: 3600
 # Set this to True to enable storing user passwords only as secure hashes in the db. This can dramatically increase CPU usage if you
diff --git a/docs/BBCHANGES.md b/docs/BBCHANGES.md
index c4ab9c32a98b11251ea5aedbb59b8662b4e610a8..ca63bbefea57b81c2d1b50f1b02a747e48d91090 100644
--- a/docs/BBCHANGES.md
+++ b/docs/BBCHANGES.md
@@ -8,7 +8,7 @@ This provides a log of these changes to make updates from upstream faster.
 ## Big Bang Modifications
-Added at the top of the values file are changes to support Istio and automated license creation.
+Added at the top of the values file are changes to support Istio, automated license creation, and SSO.
 ```yaml
 # Big Bang Values
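Review bot: The comment above the new `sso` block tells operators to set `anchoreGlobal.saml.secret` to the literal `anchore-sso`, which conflicts with docs/KEYCLOAK.md in this same commit (it gives "sso-secret", and only for development), and per the upstream comment quoted there `saml.secret` is a shared secret that every Anchore component must carry — a fixed, documented value would make that secret public; it looks like it has been confused with the `anchore-sso` Kubernetes Secret that sso-secret.yaml creates. Suggest `# If enabled, also set anchoreGlobal.oauthEnabled to true and provide a unique anchoreGlobal.saml.secret (see docs/KEYCLOAK.md)`. The defaults for `spEntityId`, `acsUrl` and `idpMetadataUrl` are one environment's identifiers (a specific client ID, hostname and realm); the per-key explanations KEYCLOAK.md gives belong here as comments so users know which values must be overridden, and `acsHttpsPort: -1` deserves the same "default -1/443" note the doc provides.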
@@ -20,12 +20,26 @@ istio:
 enterpriseLicenseYaml: |
 FULL LICENSE YAML (must be indented)
+
+sso:
+ enabled: false
+ name: "keycloak"
+ acsHttpsPort: -1
+ spEntityId: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-anchore"
+ acsUrl: "https://anchore.bigbang.dev/service/sso/auth/keycloak"
+ defaultAccount: "user"
+ defaultRole: "read-write"
+ requireSignedAssertions: false
+ requireSignedResponse: true
+ idpMetadataUrl: "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor"
 ```
 All chart changes are located under the `chart/templates/bigbang` directory. In summary:
 - Creation of virtual services for the UI and API
 - Automated creation of the license secret
+- Creation of an SSO secret with the above SSO values
+- Automation of SSO configuration through a k8s job
 As additional Big Bang changes are made they should be added in these spots and this doc updated to reflect that.
@@ -100,7 +114,7 @@ anchore-feeds-db:
 host all all all md5
 ```
-Finally the redis startup command must be edited to use the Ironbank entrypoint:
+The redis startup command must be edited to use the Ironbank entrypoint:
 ```yaml
 anchore-ui-redis:
@@ -108,3 +122,12 @@ anchore-ui-redis:
 master:
 command: "docker-entrypoint.sh"
 ```
+
+To support SSO + Istio the RBAC container needs an additional env set:
+
+```yaml
+anchoreEnterpriseRbac:
+ extraEnv:
+ - name: AUTHLIB_INSECURE_TRANSPORT
+ value: "true"
+```
diff --git a/docs/KEYCLOAK.md b/docs/KEYCLOAK.md
new file mode 100644
index 0000000000000000000000000000000000000000..dc30efafbd76af19905232da9b6840a02ade7e7b
--- /dev/null
+++ b/docs/KEYCLOAK.md
@@ -0,0 +1,74 @@
+# Anchore Keycloak Integration
+
+This document summarizes helm values and manual steps that are required to integrate with Keycloak.
+
+## Configuration Steps
+
+These are the items you need to do to configure Keycloak and Anchore for SSO in your Big Bang installation.
+
+### Keycloak Configuration
+
+#### Prerequisites
+
+Keycloak is configured with a working Realm including Groups and Users.
+
+#### Keycloak Client Setup
+
+You will first need to set up the Keycloak client that can be used by Anchore.
+
+[See here for an example.](https://docs.anchore.com/current/docs/overview/sso/examples/keycloak/)
+
+### Anchore Configuration
+
+First make sure that your values will properly enable the UI - this requires toggling enterprise global on as well as the UI. For additional help on this, walk through the `chart/README` file.
+
+The config changes needed for SSO/Keycloak in Anchore are embedded in the helm chart and require values to be set.
+
+Set the values for your Anchore helm chart following the guide and example below. These should be encrypted due to their potentially sensitive nature (add then to your `secrets.enc.yaml` file).
+
+```yaml
+stringData:
+ values.yaml: |-
+ addons:
+ anchore:
+ values:
+ sso:
+ enabled: true
+ name: "keycloak" # This should always be keycloak
+ acsHttpsPort: -1 # This is the HTTPS port to the UI, default -1/443
+ spEntityId: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-anchore" # This is the client ID from keycloak
+ acsUrl: "https://anchore.bigbang.dev/service/sso/auth/keycloak" # This is the link to your ACS, should only need to change hostname
+ defaultAccount: "user" # This is the user account Keycloak users will be mapped to
+ defaultRole: "read-write" # This is the role users will be given
+ requireSignedAssertions: false # This should always be false for Keycloak
+ requireSignedResponse: true # This should always be true for Keycloak
+ idpMetadataUrl: "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor" # This is the URL for the SAML descriptor from your Keycloak instance
+```
+
+For more details on the values being set here, view the "Anchore SSO Reference" below.
+
+NOTE: Local development makes use of login.dsop.io and the necessary values are committed in the values.yaml files in the repo and visible above.
+
+In addition you will need to enable OAuth through the following values, setting up your SAML config with keys for OAuth to be enabled, which can be added to your values in `configmap.yaml`:
+
+```yaml
+anchoreGlobal:
+ saml:
+ # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
+ # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
+ secret: "secret-name"
+ privateKeyName: "private-key-name"
+ publicKeyName: "public-key-name"
+
+ oauthEnabled: true
+```
+
+For development you can set this secret to "sso-secret" but this should be a real secret for prod use.
+
+## Additional References
+
+[Anchore SSO Reference](https://anchore.com/blog/feature-series-anchore-enterprise-2-1-sso/) - This includes the process to set up Keycloak integration manually. Our Helm chart automates this process through API calls.
+
+[Anchore SSO Mapping](https://docs.anchore.com/current/docs/overview/sso/mapping/) - This doc discusses how users are mapped from an SSO into Anchore's users/priveleges.
+
+[Anchore + Keycloak Example](https://docs.anchore.com/current/docs/overview/sso/examples/keycloak/) - An example from Anchore of how to set up the Keycloak client.
diff --git a/docs/README.md b/docs/README.md
index 11034af753648ac58bef6c8527b2632263d2375a..99fdd52b558bd1c095c172e8147927971f707c0d 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -6,6 +6,7 @@ This repo contains Big Bang's implementation of Anchore. This includes the upstr
 - [Metrics](./metrics.md)
 - [Big Bang Modifications](./BBCHANGES.md)
+- [Keycloak](./KEYCLOAK.md)
 # Structure