IBM Verify

  • 1.  Infrastructure as Code

    Posted Fri January 03, 2020 04:47 AM
    Hi,

    The trend seems to be IaC, Automation, Ansible and Cloud right now.

    It would be interesting if anyone in the community has done something in this area around ISAM.
    The f5 product has the possibility to use a declarative model for managing the software. Is that coming to ISAM?

    https://www.f5.com/company/blog/in-container-land-declarative-configuration-is-king

    ------------------------------
    Regards Mikael
    ------------------------------


  • 2.  RE: Infrastructure as Code

    Posted Fri January 03, 2020 05:05 AM
    Hi Mikael,

    Access Manager has a REST interface for configuration and we have an (OpenSource) Ansible framework to drive this for a declarative configuration model. A number of advocates of this are members of this community and I'm sure they will pitch in with their view on the effectiveness of this deployment approach (spoiler: it is very positive ;).

    Access Manager supports deployment in containers.  I have created blogs and cookbooks for deployment on Native Docker, Kubernetes (with and without Helm), and on Red Hat OpenShift.  Have a look in the Blogs section of this site.

    One final item related to this.  IBM has recently released a Tech Preview of an "IBM Application Gateway" which is a lightweight application proxy based on the Access Manager Reverse Proxy.  This only runs as a container.  Configuration is via YAML.  It is designed to work with our IBM Cloud Identity product.  I have started on some assets for this which you can find here: https://github.com/jonpharry/iag.  A cookbook is coming...

    Cheers... Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Infrastructure as Code

    Posted Fri January 03, 2020 06:40 AM
    The Docker version of ISAM is great, but maybe it is possible to make some small changes to make it more Kubernetes friendly:

    Configuration files could be implemented as a ConfigMap so they can be changed with the Kubernetes API.
    The certificate database should use TLS secrets (so it can be managed natively by cert-manager).
    Ingress controller support (so the junctions are made by annotations in Kubernetes).


    ------------------------------
    Øyvind Bergerud
    ------------------------------



  • 4.  RE: Infrastructure as Code

    Posted Sun January 05, 2020 03:18 PM
    I think, Øyvind, you underestimate the level of effort to achieve that.
    To have ISAM as a native Docker app would require a significant re-write of the whole stack, as pulling configuration from ConfigMaps/Secrets is a huge change.

    Currently the API is used to push config settings into ISAM, and the API for the most part is compatible when running in docker vs the VM appliance.

    So I don't think IBM would be spending too much time moving all the configuration for ISAM into native docker/kube since then configuration and management of ISAM would be vastly different between the Docker and VM instances.


    ------------------------------
    Peter Lambrechtsen
    ------------------------------



  • 5.  RE: Infrastructure as Code

    Posted Wed January 08, 2020 12:40 PM

    Hi

    I was going to share that indeed some in this community are very successful, including ourselves, in the deployment/automation of ISAM Virtual Appliances with the open source ibmsecurity project along with Ansible/Git. Then I realized that the question is geared towards ISAM for Docker, with which we have no experience as of now.

    But let me say that irrespective of the underlying platform of your choice (Docker or Virtual Appliance), we are managing our ISAM VA infrastructure from the ground up with Ansible. We have an internal Manifesto policy of not allowing any change using the LMI and we try at all cost to stick with that. Also, everything is in Git: our deployment topology architecture, WRP topologies, baseline configuration (Virtual Appliance, PS, WRP, Liberty), and various platform contents (SAML, OAuth, Junctions, ACL), you name it.

    We did have to build a bit of "framework" on top to fit our needs, but we are using the published IBM Security Python code and Ansible roles pretty much un-modified, in addition to some custom roles that we maintain on our end for needs specific to us.

    And now with Docker being a focus of the ibmsecurity open source community, it can only get better.



    ------------------------------
    Sylvain Gilbert
    ------------------------------
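As an added example (not code from this thread, from IBM or from the ibmsecurity project), one way to back the "everything in Git, no changes through the LMI" policy described in the last reply is a drift check run from the pipeline: the desired state held in Git is compared with what the appliance reports, and any out-of-band change is flagged as unmanaged or changed. Both documents below are constructed samples; the stanza and junction names are hypothetical, and in practice the live state would be fetched through the Access Manager REST interface.

```python
"""Drift check between Git-managed desired state and live appliance state.
Both documents are constructed samples with hypothetical stanza names; in
practice the live state would come from the appliance REST interface."""
from typing import Any, Dict, List, Tuple

# Desired state as checked into Git (constructed sample).
DESIRED: Dict[str, Any] = {
    "reverse_proxy": {"default": {
        "server": {"https-port": 443, "http": "no"},
        "junctions": {"/app": {"server": "app.internal", "port": 8443}},
    }}
}

# Live state reported by the appliance (constructed sample): plain HTTP was
# switched on through the LMI and a junction was added that is not in Git.
LIVE: Dict[str, Any] = {
    "reverse_proxy": {"default": {
        "server": {"https-port": 443, "http": "yes"},
        "junctions": {
            "/app": {"server": "app.internal", "port": 8443},
            "/debug": {"server": "dev.internal", "port": 8080},
        },
    }}
}

Drift = Tuple[str, str, Any, Any]  # (path, kind, desired_value, live_value)

def find_drift(desired: Any, live: Any, path: str = "") -> List[Drift]:
    """Walk both trees; kind is 'changed', 'missing' (in Git only) or
    'unmanaged' (on the appliance only, i.e. an out-of-band change)."""
    if not (isinstance(desired, dict) and isinstance(live, dict)):
        return [] if desired == live else [(path, "changed", desired, live)]
    drift: List[Drift] = []
    for key in sorted(set(desired) | set(live)):
        child = f"{path}.{key}" if path else key
        if key not in live:
            drift.append((child, "missing", desired[key], None))
        elif key not in desired:
            drift.append((child, "unmanaged", None, live[key]))
        else:
            drift.extend(find_drift(desired[key], live[key], child))
    return drift

def has_drift(desired: Any, live: Any) -> bool:
    """True when the appliance no longer matches Git (fail the pipeline)."""
    return bool(find_drift(desired, live))

if __name__ == "__main__":
    for path, kind, want, got in find_drift(DESIRED, LIVE):
        print(f"{kind:9} {path}: git={want!r} live={got!r}")
```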