This blog will go through the steps of a simple CI/CD pipeline to manage an IBM Security Verify Access container (Kubernetes/OpenShift) deployment.
First, we will use the `verify_access_autoconf` python project to configure Verify Access and create a snapshot file; then we will use the Verify Access Operator to deploy the generated snapshot to the required runtime containers in an OpenShift cluster.
Prerequisites:
- Generate PKI + required configuration files. There is a configuration file provided to configure a deployment and set up a demonstration WebSEAL instance. The provided configuration file relies on two certificates (.pem files) in the pki directory: one for the LDAP connection and one for the HVDB connection. Deploying these databases is beyond the scope of this blog.
- Install required python packages.
Time estimate: 30 mins
Configuring Verify Access
Create containers using the template + any required infrastructure (LDAP server + HVDB). A sample OpenShift template is provided here to deploy the core Verify Access containers. It is expected that the LDAP and HVDB services have already been created.
oc process -f oshift-isva-standalone-template.yaml \
-p APP_NAME='verify-access-demo' \
-p ISVA_VERSION='10.0.5.0' \
-p CONFIG_SERVICE='isvaconfig' \
-p RUNTIME_SERVICE='isvaruntime' \
-p WEBSEAL_SERVICE='isvawebeal' \
-p DSC_SERVICE='isvadsc' \
-p CONFIG_ID='cfgsvc' \
-p CONFIG_PW='betterThanPassw0rd' \
-p ISVA_IMAGE_NAME='icr.io/isva/verify-access' \
-p TIMEZONE='Etc/UTC' \
-p SERVICE_ACCOUNT='verifyaccess' \
| oc create -f -
Update the properties file for your deployment. A demo properties file is provided to run the provided config.yaml file. You will likely need to update the ISVA_MGMT_BASE_URL property to the DNS name/IP address of the configuration container. In a demo this can easily be achieved by port-forwarding the configuration pod from Kubernetes/OpenShift to a local (127.x.x.x) address.
Run the python automated configuration tool from this directory:
source autoconf.properties && python -m verify_access_autoconf
Upload snapshot to Operator
Once you have verified that your deployment has been successfully configured, you will need to upload the generated snapshot to the Operator’s snapshot manager service. This service is authenticated, so first you will have to retrieve the username, password and URL that the snapshot manager is configured to use.
Next you will need to upload the snapshot. The simplest way to do this is to use the configuration (LMI) Verify Access container to upload the snapshot to the Operator.
An example bash script is provided to read the Operator’s secret and upload the snapshot. To run the script you will need to provide the name of the configuration container, as well as the name of the snapshot to upload, e.g.:
bash upload_snapshot_to_operator.sh isvaconfig-8694c5fb66 isva_10.0.6.0_published.snapshot
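The upload step above, as an added example of what such a script can look like (this is not the blog's upload_snapshot_to_operator.sh). It assumes an Operator secret with data keys user, password and url, a snapshot manager that accepts an HTTP PUT at <url>/<snapshot file>, and snapshots stored under /var/shared/snapshots in the configuration container; check all three against your cluster before use.

```shell
#!/bin/sh
# Added example, not the blog's script. Assumptions (verify against your cluster): the Operator
# secret name and its data keys "user", "password" and "url"; the snapshot manager accepting an
# HTTP PUT at <url>/<snapshot file>; snapshots living under /var/shared/snapshots in the
# configuration container.
set -eu

# Decode one value from a Secret's .data map (Kubernetes stores them base64-encoded).
decode_secret_field() {
  printf '%s' "$1" | base64 -d
}

# Join the snapshot manager base URL and the snapshot file name, refusing names that could
# escape the upload path or smuggle a query string into the request.
snapshot_upload_url() {
  base="$1"; name="$2"
  case "$name" in
    ""|*..*|*/*|*\?*|*#*) echo "refusing unsafe snapshot name: '$name'" >&2; return 1 ;;
  esac
  printf '%s/%s' "${base%/}" "$name"
}

# Read and decode one key of the Operator secret (needs cluster access and oc on PATH).
operator_secret_field() {
  decode_secret_field "$(oc get secret "$1" -o "jsonpath={.data.$2}")"
}

# Upload a snapshot from the configuration container: $1 = config pod name, $2 = snapshot file.
# Credentials are streamed to curl as a config file on stdin (-K -), so they never appear on a
# command line or in process listings, either on the CI runner or inside the container.
upload_snapshot() {
  pod="$1"; snapshot="$2"; secret="${OPERATOR_SECRET:-verify-access-operator}"
  user=$(operator_secret_field "$secret" user)
  password=$(operator_secret_field "$secret" password)
  target=$(snapshot_upload_url "$(operator_secret_field "$secret" url)" "$snapshot")
  # Prefer pinning the snapshot manager's CA (path inside the container); fall back to -k
  # only when no CA file is given.
  if [ -n "${SNAPMGR_CA_FILE:-}" ]; then tls="--cacert $SNAPMGR_CA_FILE"; else tls="-k"; fi
  printf 'user = "%s:%s"\n' "$user" "$password" | oc exec -i "$pod" -- \
    curl -sS --fail $tls -K - -T "/var/shared/snapshots/$snapshot" "$target"
}

# Same invocation shape as the blog's script: <config pod> <snapshot file>
if [ "$#" -eq 2 ]; then upload_snapshot "$1" "$2"; fi
```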
Deploy Verify Access Operator
Use the template to deploy the snapshot generated in the previous steps to the required runtime containers. The following code snippet uses this template to deploy an ibmsecurityverifyaccess CRD for each type of runtime service.
oc process -f oshift-isva-operator-template.yaml \
-p APP_NAME='verify-access-operator-demo' \
-p ISVA_BASE_IMAGE_NAME='icr.io/isva/verify-access' \
-p SERVICE_ACCOUNT='verifyaccess' \
-p ISVA_VERSION='10.0.5.0' \
-p INSTANCE='default' \
-p SNAPSHOT='published' \
-p LANGUAGE='en_US.utf8' \
-p WRP_REPLICAS='1' \
-p RUNTIME_REPLICAS='1' \
-p DSC_REPLICAS='1' \
| oc create -f -