From b77b0c0d5c6632cbf70e238aa4cea1ca09778ce8 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Thu, 7 Jan 2021 11:21:35 -0700 Subject: [PATCH 1/9] SSO commit --- .../templates/bigbang/anchore-vs.yaml | 44 ++++++++++++ .../templates/bigbang/sso/configure-sso.yaml | 68 +++++++++++++++++++ .../templates/bigbang/sso/sso-secret.yaml | 32 +++++++++ .../chart/stable/anchore-engine/values.yaml | 42 +++++++++--- docs/KEYCLOAK.md | 64 +++++++++++++++++ 5 files changed, 241 insertions(+), 9 deletions(-) create mode 100644 deployment/manifests/chart/stable/anchore-engine/templates/bigbang/anchore-vs.yaml create mode 100644 deployment/manifests/chart/stable/anchore-engine/templates/bigbang/sso/configure-sso.yaml create mode 100644 deployment/manifests/chart/stable/anchore-engine/templates/bigbang/sso/sso-secret.yaml create mode 100644 docs/KEYCLOAK.md diff --git a/deployment/manifests/chart/stable/anchore-engine/templates/bigbang/anchore-vs.yaml b/deployment/manifests/chart/stable/anchore-engine/templates/bigbang/anchore-vs.yaml new file mode 100644 index 0000000..7d348a9 --- /dev/null +++ b/deployment/manifests/chart/stable/anchore-engine/templates/bigbang/anchore-vs.yaml 
@@ -0,0 +1,44 @@
+---
+{{- if .Values.istio.enabled -}}
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: anchore-enterprise-ui-service
+ namespace: {{ .Release.Namespace }}
+spec:
+ gateways:
+ - main.istio-system.svc.cluster.local
+ hosts:
+ - "anchore.{{ .Values.hostname }}"
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ port:
+ number: 80
+ host: {{ .Release.Name }}-anchore-engine-enterprise-ui
+{{- end }}
+---
+{{- if .Values.istio.enabled -}}
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: anchore-engine-api-service
+ namespace: {{ .Release.Namespace }}
+spec:
+ gateways:
+ - main.istio-system.svc.cluster.local
+ hosts:
+ - "anchore-api.{{ .Values.hostname }}"
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ port:
+ number: 8228
+ host: {{ .Release.Name }}-anchore-engine-api
+{{- end }}
diff --git a/deployment/manifests/chart/stable/anchore-engine/templates/bigbang/sso/configure-sso.yaml b/deployment/manifests/chart/stable/anchore-engine/templates/bigbang/sso/configure-sso.yaml
new file mode 100644
index 0000000..8e6ada3
--- /dev/null
+++ b/deployment/manifests/chart/stable/anchore-engine/templates/bigbang/sso/configure-sso.yaml
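Review bot: The second VirtualService publishes the engine API on port 8228 at `anchore-api.{{ .Values.hostname }}` through the shared `main` gateway whenever `istio.enabled` is true, with no switch of its own, so every Istio deployment places the API that the configure-sso job in this series authenticates to with the admin credential at the mesh edge; a dedicated value in the second `{{- if }}` (for example `istio.api.enabled`, name constructed) would make that exposure opt-in. The `metadata.name` values `anchore-enterprise-ui-service` and `anchore-engine-api-service` are not release-scoped while the `host:` destinations are, so two releases in one namespace would collide on the same VirtualService objects; `name: {{ .Release.Name }}-anchore-api` (and likewise for the UI) keeps them consistent with the rest of the template. The gateway `main.istio-system.svc.cluster.local` is hard-coded in both documents; a one-line comment such as `# Routes through the Big Bang main gateway; adjust for other meshes` would tell operators where the dependency lies.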
@@ -0,0 +1,68 @@
+{{- if .Values.sso.enabled }}
+# Job to perform integration of SSO to Anchore
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: configure-sso
+ annotations:
+ "helm.sh/hook": post-install
+spec:
+ template:
+ metadata:
+ name: configure-sso
+ annotations:
+ sidecar.istio.io/inject: 'false'
+ spec:
+ # imagePullSecrets:
+ # - name: repo1-registry-read-creds
+ containers:
+ - name: configure-sso
+ image: {{ .Values.anchoreEnterpriseGlobal.image }}
+ command:
+ - /bin/sh
+ - -c
+ - |
+ set -ex
+ cd "/tmp"
+
+ # Extract SAML URL and name
+ SSO_NAME=$(grep -oP '^\s*"name"\s*:\s*"\K(.*)(?=",?\s*$)' anchore-sso.json)
+ IDP_URL=$(grep -oP '^\s*"idp_metadata_url"\s*:\s*"\K(.*)(?=",?\s*$)' anchore-sso.json)
+
+ # Wait for the given SAML IdP metadata url to exist and give data back
+ while [ $(curl -sw '%{http_code}' "${IDP_URL}" -o /dev/null) -ne 200 ]; do
+ echo "Waiting for IdP metadata..."
+ sleep 10;
+ done
+
+ echo "IdP URL is live..."
+
+ # Wait for Anchore Engine API to go live
+ while [ $(curl -sw '%{http_code}' "http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseRbac.service.apiPort }}/v1/swagger.json" -o /dev/null) -ne 200 ]; do
+ echo "Waiting for Anchore API..."
+ sleep 10;
+ done
+
+ echo "Anchore Engine is live..."
+
+ # If a SAML IdP doesn't exist with the given name, add this. Otherwise update the existing entry
+ if [ $(curl -sw '%{http_code}' -u "admin:${ANCHORE_ADMIN_PASSWORD}" "http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseRbac.service.apiPort }}/v1/saml/idps/${SSO_NAME}" -o /dev/null) -ne 200 ]; then
+ echo "Applying SAML config to Anchore..."
+ curl -vvv --fail -u "admin:${ANCHORE_ADMIN_PASSWORD}" -d "@anchore-sso.json" -H "Content-Type: application/json" http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseRbac.service.apiPort }}/v1/saml/idps
+ else
+ echo "SAML config already exists, updating..."
+ curl -vvv --fail -u "admin:${ANCHORE_ADMIN_PASSWORD}" -d "@anchore-sso.json" -H "Content-Type: application/json" --request PUT "http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseRbac.service.apiPort }}/v1/saml/idps/${SSO_NAME}"
+ fi
+ envFrom:
+ - secretRef:
+ name: {{ template "anchore-engine.fullname" . }}
+ volumeMounts:
+ - name: anchore-sso
+ mountPath: "/tmp"
+ readOnly: true
+ volumes:
+ - name: anchore-sso
+ secret:
+ secretName: anchore-sso
+ restartPolicy: OnFailure
+{{- end }}
diff --git a/deployment/manifests/chart/stable/anchore-engine/templates/bigbang/sso/sso-secret.yaml b/deployment/manifests/chart/stable/anchore-engine/templates/bigbang/sso/sso-secret.yaml
new file mode 100644
index 0000000..7ea3f87
--- /dev/null
+++ b/deployment/manifests/chart/stable/anchore-engine/templates/bigbang/sso/sso-secret.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.sso.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: anchore-sso
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: sso-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/part-of: anchore-enterprise
+ app.kubernetes.io/component: sso
+ annotations:
+ "helm.sh/hook": pre-install
+type: Opaque
+stringData:
+ {{ with .Values.sso }}
+ anchore-sso.json: |-
+ {
+ "name": "{{ .name }}",
+ "enabled": {{ .enabled }},
+ "acs_https_port": {{ .acsHttpsPort }},
+ "sp_entity_id": "{{ .spEntityId }}",
+ "acs_url": "{{ .acsUrl }}",
+ "default_account": "{{ .defaultAccount }}",
+ "default_role": "{{ .defaultRole }}",
+ "require_signed_assertions": {{ .requireSignedAssertions }},
+ "require_signed_response": {{ .requireSignedResponse }},
+ "idp_metadata_url": "{{ .idpMetadataUrl }}"
+ }
+ {{- end }}
+{{- end }}
diff --git a/deployment/manifests/chart/stable/anchore-engine/values.yaml b/deployment/manifests/chart/stable/anchore-engine/values.yaml
index ec578ba..fc6f1e3 100644
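Review bot: `set -ex` at the top of the script combined with `curl -vvv` in both branches of the `if` writes the admin credential into the hook pod's logs: `-x` echoes every command with `${ANCHORE_ADMIN_PASSWORD}` already expanded, and `-vvv` prints the outgoing `Authorization: Basic` header for each request. Because the Job carries no `helm.sh/hook-delete-policy`, the completed pod and that log remain in the namespace after install. Change the first script line to `set -e`, change both calls to `curl -sS --fail -u "admin:${ANCHORE_ADMIN_PASSWORD}" ...` (dropping `-vvv`), and add `"helm.sh/hook-delete-policy": hook-succeeded` next to the existing hook annotation so the pod is removed once the configuration is applied. Separately, the two `while` loops have no upper bound and the Job sets neither `activeDeadlineSeconds` nor `backoffLimit`, so an unreachable `idp_metadata_url` leaves the post-install hook polling indefinitely; a bounded retry count with a failing exit would surface the misconfiguration instead.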
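Review bot: The `anchore-sso.json` document is assembled by interpolating values straight into a hand-written JSON literal, so any `name`, `acs_url` or `idp_metadata_url` containing a double quote or backslash renders invalid JSON, and the `grep` in configure-sso that reads `"name"` and `"idp_metadata_url"` from this file line by line fails silently on such input. Building the map with `dict` and emitting it with `toPrettyJson` escapes every value and still prints one key per line, which keeps the existing grep patterns working; the rewritten `stringData` block is below. The `pre-install` hook on this Secret also means a later `helm upgrade` with changed `sso` values never re-renders it (hook resources are not part of the release), which is worth a note in the template or an additional `pre-upgrade` trigger if upgrades are expected to reconfigure SSO.
```yaml
stringData:
  {{- with .Values.sso }}
  anchore-sso.json: |-
    {{- dict "name" .name "enabled" .enabled "acs_https_port" .acsHttpsPort "sp_entity_id" .spEntityId "acs_url" .acsUrl "default_account" .defaultAccount "default_role" .defaultRole "require_signed_assertions" .requireSignedAssertions "require_signed_response" .requireSignedResponse "idp_metadata_url" .idpMetadataUrl | toPrettyJson | nindent 4 }}
  {{- end }}
```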
--- a/deployment/manifests/chart/stable/anchore-engine/values.yaml +++ b/deployment/manifests/chart/stable/anchore-engine/values.yaml @@ -1,10 +1,32 @@ # Default values for anchore_engine chart. +# Big Bang Values +# --------------- +hostname: bigbang.dev + +istio: + enabled: false + +# Enable/disable Keycloak SSO integration +# If enabled, also enable OAuth - anchoreGlobal.oauthEnabled - and make sure anchoreGlobal.saml.secret is set to anchore-sso +sso: + enabled: false + name: "keycloak" + acsHttpsPort: -1 + spEntityId: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-anchore" + acsUrl: "https://anchore.bigbang.dev/service/sso/auth/keycloak" + defaultAccount: "user" + defaultRole: "read-write" + requireSignedAssertions: false + requireSignedResponse: true + idpMetadataUrl: "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor" + # Anchore engine has a dependency on Postgresql, configure here postgresql: # To use an external DB or Google CloudSQL in GKE, uncomment & set 'enabled: false' # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres # enabled: false + # image: registry1.dso.mil/ironbank/opensource/postgres/postgresql12:12.4 postgresUser: anchoreengine postgresPassword: anchore-postgres,123 postgresDatabase: anchore @@ -90,10 +112,10 @@ ingress: # Global configuration shared by all anchore-engine services. anchoreGlobal: # Image used for all anchore engine deployments (excluding enterprise components). - image: docker.io/anchore/anchore-engine:v0.8.1 + image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:2.4.1 imagePullPolicy: IfNotPresent # Set image pull secret name if using an anchore-engine image from a private registry - imagePullSecretName: + imagePullSecretName: registry1-read-creds # Set this value to True to setup the chart for OpenShift deployment compatibility. openShiftDeployment: False 
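Review bot: The comment above `sso:` tells operators to set `anchoreGlobal.saml.secret` to the fixed string `anchore-sso`, while the `saml` block's own commentary (quoted in `docs/KEYCLOAK.md` later in this series) describes that key as a shared secret used for signing and encryption, and the doc there suggests a different fixed string, `sso-secret`; a well-known constant defeats the purpose of that value. Reword the comment to `# If enabled, also set anchoreGlobal.oauthEnabled: true and give anchoreGlobal.saml.secret a unique, randomly generated value shared by all anchore components`. The new defaults for `spEntityId`, `acsUrl` and `idpMetadataUrl` embed one environment's client ID and IdP endpoint into the chart's shipped defaults, and `acsUrl` repeats `anchore.bigbang.dev` instead of following `hostname`, so a deployment that changes `hostname` but not `acsUrl` sends the IdP to the wrong callback; a comment on `acsUrl` noting that it must match `hostname` (or leaving these three empty so the template fails loudly) would avoid that.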
@@ -166,7 +188,7 @@ anchoreGlobal: privateKeyName: Null publicKeyName: Null - oauthEnabled: false + oauthEnabled: false # true if using SSO oauthTokenExpirationSeconds: 3600 # Set this to True to enable storing user passwords only as secure hashes in the db. This can dramatically increase CPU usage if you @@ -532,11 +554,11 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v2.4.0 + image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:2.4.1 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. # Create this secret with the following command - kubectl create secret docker-registry anchore-dockerhub-creds --docker-server=docker.io --docker-username= --docker-password= --docker-email= - imagePullSecretName: anchore-enterprise-pullcreds + imagePullSecretName: registry1-read-creds # Configure the second postgres database instance for the enterprise feeds service. # Only utilized if anchoreEnterpriseGlobal.enabled: true @@ -646,9 +668,10 @@ anchoreEnterpriseRbac: enabled: true # Set extra environment variables. These will be set on all rbac containers. - extraEnv: [] - # - name: foo - # value: bar + # NOTE: Missing from the IronBank Dockerfile so must patch this here to work with istio. + extraEnv: + - name: AUTHLIB_INSECURE_TRANSPORT + value: "true" # Kubernetes service config - annotations & serviceType configs must be set in anchoreApi # Due to RBAC sharing a service with the general API. 
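Review bot: `AUTHLIB_INSECURE_TRANSPORT: "true"` on the RBAC containers relaxes authlib's requirement that OAuth endpoints are reached over HTTPS, and because it is a plain default it applies to every deployment that uses this values file, not only the Istio case the preceding comment describes; with `istio.enabled: false` the API is then reached over `http://` with OAuth enabled and no sidecar or TLS in front of it. Expand the NOTE so the assumption is explicit, e.g. `# Lets the OAuth endpoints accept http:// callers; acceptable only while traffic to RBAC stays inside the mesh (mTLS). Remove when istio.enabled is false.`, and consider moving the setting into a template conditioned on `.Values.istio.enabled` so it is not silently carried into non-mesh installs. The configure-sso Job in this series also disables sidecar injection on its own pod, so its basic-auth calls to the API travel without the mesh protection this comment relies on; that is worth stating in the same place.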
@@ -752,8 +775,9 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v2.4.0 + image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:2.4.1 imagePullPolicy: IfNotPresent + imagePullSecretName: registry1-read-creds # Set extra environment variables. These will be set on all UI containers. extraEnv: [] diff --git a/docs/KEYCLOAK.md b/docs/KEYCLOAK.md new file mode 100644 index 0000000..1e5676e --- /dev/null +++ b/docs/KEYCLOAK.md 
@@ -0,0 +1,64 @@ +# Anchore Keycloak Integration + +This document summarizes helm values and manual steps that are required to integrate with Keycloak. + +## Configuration Steps + +These are the items you need to do to configure Keycloak and Anchore for SSO in your Big Bang installation. + +### Keycloak Configuration + +#### Prerequisites + +Keycloak is configured with a working Realm including Groups and Users. + +#### Keycloak Client Setup + +You will first need to set up the Keycloak client that can be used by Anchore. + +[See here for an example.](https://docs.anchore.com/current/docs/overview/sso/examples/keycloak/) + +### Anchore Configuration + +To enable the Anchore UI you will need to have an enterprise license. P1 has a license that can be used for dev - +this license is located [here](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/snippets/73). +To make use of it you will need to SOPS decrypt it with your AWS Coder credentials. + +With your license file (either the decrypted dev license or other enterprise license) ensure the namespace is created and then +create the secret as follows: + +```bash +kubectl create secret generic anchore-enterprise-license --from-file='license.yaml=/PATH/TO/license.yaml' -n anchore +``` + +Make sure that your values will properly enable the UI - this requires toggling enterprise global on as well as the UI. + +The config changes needed for SSO/Keycloak in Anchore are embedded in the helm chart and require values to be set. + +Set the values for your Anchore helm chart following the guide and example below. 
+ +```yaml +sso: + enabled: true + name: "keycloak" # This should always be keycloak + acsHttpsPort: -1 # This is the HTTPS port to the UI, default -1/443 + spEntityId: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-anchore" # This is the client ID from keycloak + acsUrl: "https://anchore.bigbang.dev/service/sso/auth/keycloak" # This is the link to your ACS, should only need to change hostname + defaultAccount: "user" # This is the user account Keycloak users will be mapped to + defaultRole: "read-write" # This is the role users will be given + requireSignedAssertions: false # This should always be false for Keycloak + requireSignedResponse: true # This should always be true for Keycloak + idpMetadataUrl: "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor" # This is the URL for the SAML descriptor from your Keycloak instance +``` + +For more details on the values being set here, view the "Anchore SSO Reference" below. + +NOTE: Local development makes use of login.dsop.io and the necessary values are committed in the values.yaml files in the repo and visible above. + +## Additional References + +[Anchore SSO Reference](https://anchore.com/blog/feature-series-anchore-enterprise-2-1-sso/) - This includes the process to set up Keycloak integration manually. Our Helm chart automates this process through API calls. + +[Anchore SSO Mapping](https://docs.anchore.com/current/docs/overview/sso/mapping/) - This doc discusses how users are mapped from an SSO into Anchore's users/priveleges. + +[Anchore + Keycloak Example](https://docs.anchore.com/current/docs/overview/sso/examples/keycloak/) - An example from Anchore of how to set up the Keycloak client. -- GitLab From 3dd6f1e1b5f3b7aa66f12d36a205246435e97066 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Thu, 7 Jan 2021 12:14:31 -0700 Subject: [PATCH 2/9] Values not saved --- chart/values.yaml | 4 ---- 1 file changed, 4 deletions(-) 
diff --git a/chart/values.yaml b/chart/values.yaml index 1e95594..1563425 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -7,7 +7,6 @@ hostname: bigbang.dev istio: enabled: false -<<<<<<< HEAD # Enable/disable Keycloak SSO integration # If enabled, also enable OAuth - anchoreGlobal.oauthEnabled - and make sure anchoreGlobal.saml.secret is set to anchore-sso sso: @@ -22,14 +21,11 @@ sso: requireSignedResponse: true idpMetadataUrl: "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor" -======= ->>>>>>> main # Anchore engine has a dependency on Postgresql, configure here postgresql: # To use an external DB or Google CloudSQL in GKE, uncomment & set 'enabled: false' # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres # enabled: false - # image: registry1.dso.mil/ironbank/opensource/postgres/postgresql12:12.4 postgresUser: anchoreengine postgresPassword: anchore-postgres,123 postgresDatabase: anchore -- GitLab From 3297cf2beaf040fefe4aea1212a54dd0160c1626 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Thu, 7 Jan 2021 14:32:01 -0700 Subject: [PATCH 3/9] add keycloak doc --- docs/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/README.md b/docs/README.md index 47fc7dc..b4a80d7 100644 --- a/docs/README.md +++ b/docs/README.md @@ -6,6 +6,7 @@ Big Bang documentation, and the pipeline infrastructure (tests). This package sh ## Table Of contents - [Metrics](./metrics.md) +- [Keycloak](./KEYCLOAK.md) # Structure -- GitLab From f078650c04bdd172ae2714a0a30fb30ec48ce519 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 8 Jan 2021 14:22:33 -0700 Subject: [PATCH 4/9] fix license sso info --- docs/KEYCLOAK.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/docs/KEYCLOAK.md b/docs/KEYCLOAK.md index 1e5676e..01a21bb 100644 --- a/docs/KEYCLOAK.md +++ b/docs/KEYCLOAK.md 
@@ -24,13 +24,20 @@ To enable the Anchore UI you will need to have an enterprise license. P1 has a l this license is located [here](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/snippets/73). To make use of it you will need to SOPS decrypt it with your AWS Coder credentials. -With your license file (either the decrypted dev license or other enterprise license) ensure the namespace is created and then -create the secret as follows: +In your values file to enable to UI, these parameters must be set: -```bash -kubectl create secret generic anchore-enterprise-license --from-file='license.yaml=/PATH/TO/license.yaml' -n anchore +```yaml +enterpriseLicenseYaml: | + FULL LICENSE YAML (must be indented) +anchoreEnterpriseGlobal: + enabled: true +anchoreEnterpriseUi: + enabled: true ``` +For production the license value should be encyrpted, for local development it can be used plaintext as long as it isn't +committed to any repos. + Make sure that your values will properly enable the UI - this requires toggling enterprise global on as well as the UI. The config changes needed for SSO/Keycloak in Anchore are embedded in the helm chart and require values to be set. -- GitLab From 1b6921a08e5e63e43b2f6856c95fa2ce6e0aea78 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Mon, 11 Jan 2021 12:38:09 -0700 Subject: [PATCH 5/9] Update details on Keycloak config --- chart/README.md | 6 ++++++ docs/KEYCLOAK.md | 49 ++++++++++++++++++------------------------------ 2 files changed, 24 insertions(+), 31 deletions(-) diff --git a/chart/README.md b/chart/README.md index 2e02c02..6ea97bd 100644 --- a/chart/README.md +++ b/chart/README.md 
@@ -110,6 +110,8 @@ stringData: matches your original license file. ``` +P1 has a license that can be used for dev - this license is located [here](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/snippets/73). To make use of it you will need to SOPS decrypt it with your AWS Coder credentials. + Once you have added the license to this location make sure to re-encrypt your secret file. In your un-encrypted values file - `configmap.yaml` add the following to enable Enterprise Global: @@ -153,6 +155,10 @@ stringData: externalEndpoint: "redis://:@hostname:port" ``` +### Enable SSO + +Big Bang has provided an automated way to configure SSO with Keycloak via the Helm chart. To enable and configure SSO follow the instructions in the main KEYCLOAK document. + ## Installing on OpenShift The upstream chart READMEs provide additional details on how to deploy to OpenShift. Necessary values are also included in the values file in this repo. diff --git a/docs/KEYCLOAK.md b/docs/KEYCLOAK.md index 01a21bb..05db1f5 100644 --- a/docs/KEYCLOAK.md +++ b/docs/KEYCLOAK.md 
@@ -20,42 +20,29 @@ You will first need to set up the Keycloak client that can be used by Anchore. ### Anchore Configuration -To enable the Anchore UI you will need to have an enterprise license. P1 has a license that can be used for dev - -this license is located [here](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/snippets/73). -To make use of it you will need to SOPS decrypt it with your AWS Coder credentials. - -In your values file to enable to UI, these parameters must be set: - -```yaml -enterpriseLicenseYaml: | - FULL LICENSE YAML (must be indented) -anchoreEnterpriseGlobal: - enabled: true -anchoreEnterpriseUi: - enabled: true -``` - -For production the license value should be encyrpted, for local development it can be used plaintext as long as it isn't -committed to any repos. - -Make sure that your values will properly enable the UI - this requires toggling enterprise global on as well as the UI. +First make sure that your values will properly enable the UI - this requires toggling enterprise global on as well as the UI. For additional help on this, walk through the `chart/README` file. The config changes needed for SSO/Keycloak in Anchore are embedded in the helm chart and require values to be set. -Set the values for your Anchore helm chart following the guide and example below. +Set the values for your Anchore helm chart following the guide and example below. These should be encrypted due to their potentially sensitive nature (add then to your `secrets.enc.yaml` file). 
```yaml -sso: - enabled: true - name: "keycloak" # This should always be keycloak - acsHttpsPort: -1 # This is the HTTPS port to the UI, default -1/443 - spEntityId: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-anchore" # This is the client ID from keycloak - acsUrl: "https://anchore.bigbang.dev/service/sso/auth/keycloak" # This is the link to your ACS, should only need to change hostname - defaultAccount: "user" # This is the user account Keycloak users will be mapped to - defaultRole: "read-write" # This is the role users will be given - requireSignedAssertions: false # This should always be false for Keycloak - requireSignedResponse: true # This should always be true for Keycloak - idpMetadataUrl: "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor" # This is the URL for the SAML descriptor from your Keycloak instance +stringData: + values.yaml: |- + addons: + anchore: + values: + sso: + enabled: true + name: "keycloak" # This should always be keycloak + acsHttpsPort: -1 # This is the HTTPS port to the UI, default -1/443 + spEntityId: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-anchore" # This is the client ID from keycloak + acsUrl: "https://anchore.bigbang.dev/service/sso/auth/keycloak" # This is the link to your ACS, should only need to change hostname + defaultAccount: "user" # This is the user account Keycloak users will be mapped to + defaultRole: "read-write" # This is the role users will be given + requireSignedAssertions: false # This should always be false for Keycloak + requireSignedResponse: true # This should always be true for Keycloak + idpMetadataUrl: "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor" # This is the URL for the SAML descriptor from your Keycloak instance ``` For more details on the values being set here, view the "Anchore SSO Reference" below. -- GitLab From 30abd91173d4f1e85ed5546d2d923fc8f7640a09 Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Mon, 11 Jan 2021 16:10:31 -0700 Subject: [PATCH 6/9] oauth documentation --- docs/KEYCLOAK.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/KEYCLOAK.md b/docs/KEYCLOAK.md index 05db1f5..d57cba9 100644 --- a/docs/KEYCLOAK.md +++ b/docs/KEYCLOAK.md @@ -49,6 +49,22 @@ For more details on the values being set here, view the "Anchore SSO Reference" NOTE: Local development makes use of login.dsop.io and the necessary values are committed in the values.yaml files in the repo and visible above. +In addition you will need to enable OAuth through the following values, setting up your SAML config with keys for OAuth to be enabled: + +```yaml +anchoreGlobal: + saml: + # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value + # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs. + secret: "secret-name" + privateKeyName: "private-key-name" + publicKeyName: "public-key-name" + + oauthEnabled: true +``` + +For development you can set this secret to "sso-secret" but this should be a real secret for prod use. + ## Additional References [Anchore SSO Reference](https://anchore.com/blog/feature-series-anchore-enterprise-2-1-sso/) - This includes the process to set up Keycloak integration manually. Our Helm chart automates this process through API calls. -- GitLab From 1d86a291142563fe25854ef7e2c976109f1e774b Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Mon, 11 Jan 2021 16:11:11 -0700 Subject: [PATCH 7/9] configmap wording --- docs/KEYCLOAK.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/KEYCLOAK.md b/docs/KEYCLOAK.md index d57cba9..dc30efa 100644 --- a/docs/KEYCLOAK.md +++ b/docs/KEYCLOAK.md 
@@ -49,7 +49,7 @@ For more details on the values being set here, view the "Anchore SSO Reference" NOTE: Local development makes use of login.dsop.io and the necessary values are committed in the values.yaml files in the repo and visible above. -In addition you will need to enable OAuth through the following values, setting up your SAML config with keys for OAuth to be enabled: +In addition you will need to enable OAuth through the following values, setting up your SAML config with keys for OAuth to be enabled, which can be added to your values in `configmap.yaml`: ```yaml anchoreGlobal: -- GitLab From c664c06ac414ca6a14653863d647bf34cabb53a1 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Wed, 13 Jan 2021 09:01:25 -0700 Subject: [PATCH 8/9] SSO BB Mods doc --- docs/BBCHANGES.md | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/docs/BBCHANGES.md b/docs/BBCHANGES.md index c4ab9c3..ca63bbe 100644 --- a/docs/BBCHANGES.md +++ b/docs/BBCHANGES.md @@ -8,7 +8,7 @@ This provides a log of these changes to make updates from upstream faster. ## Big Bang Modifications -Added at the top of the values file are changes to support Istio and automated license creation. +Added at the top of the values file are changes to support Istio, automated license creation, and SSO. ```yaml # Big Bang Values 
@@ -20,12 +20,26 @@ istio: enterpriseLicenseYaml: | FULL LICENSE YAML (must be indented) + +sso: + enabled: false + name: "keycloak" + acsHttpsPort: -1 + spEntityId: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-anchore" + acsUrl: "https://anchore.bigbang.dev/service/sso/auth/keycloak" + defaultAccount: "user" + defaultRole: "read-write" + requireSignedAssertions: false + requireSignedResponse: true + idpMetadataUrl: "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor" ``` All chart changes are located under the `chart/templates/bigbang` directory. In summary: - Creation of virtual services for the UI and API - Automated creation of the license secret +- Creation of an SSO secret with the above SSO values +- Automation of SSO configuration through a k8s job As additional Big Bang changes are made they should be added in these spots and this doc updated to reflect that. @@ -100,7 +114,7 @@ anchore-feeds-db: host all all all md5 ``` -Finally the redis startup command must be edited to use the Ironbank entrypoint: +The redis startup command must be edited to use the Ironbank entrypoint: ```yaml anchore-ui-redis: @@ -108,3 +122,12 @@ anchore-ui-redis: master: command: "docker-entrypoint.sh" ``` + +To support SSO + Istio the RBAC container needs an additional env set: + +```yaml +anchoreEnterpriseRbac: + extraEnv: + - name: AUTHLIB_INSECURE_TRANSPORT + value: "true" +``` -- GitLab From 77e102be38bd664616c7ab96bc230f3255e80aaf Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Wed, 13 Jan 2021 12:26:11 -0700 Subject: [PATCH 9/9] bump chart version for SSO add --- chart/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 1823696..a496967 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v1 name: anchore-engine -version: 1.9.5-bb.1 +version: 1.9.5-bb.2 appVersion: 0.8.1 description: Anchore container analysis and policy evaluation engine service keywords: -- GitLab