deft/notes/deploy_new_environment_staging.org
Yann Esposito (Yogsototh) 0110eee062
save
2024-02-01 15:16:14 +01:00


Deploy New Environment

tags
source

Start the node with one admin [still needed]

Dependencies:

  • [ops] all DBs running: (riemann, ES, Postgres, Redis, etc…)
  • [ops] configure the node to use DBFixtures, then remove the db-fixture service from bootstrap.cfg and restart the node. If configured correctly the DB now contains an admin user. The admin user's org must have the following additional scopes: cisco, iroh-admin, iroh-master, global-intel.
  • IROH / IROH-Async is running

Engineering Admin Access [still needed]

  • [ops] Provide VPN Access to the new Environment
  • [ops] Must create the first accounts for every engineer involved in the initial configuration of the new environment

Support Provisioning (via PIAM) [not needed anymore]

  • [ops] update Vault with the OAuth2 client creds from PIAM
  • [engineering] configure PIAM Universal Provisioning in IROH (URLs, etc…)

assumptions:

  • we will have OAuth2 client creds from PIAM configured.
  • PIAM configured their server to point to the new URL for the Universal Provisioning API
  • We will use the PIAM Universal Provisioning

Support essential XDR modules (DI, CSC, SE, SXO, SCA, SSX)

Deploy a Private Intel (CTIA) node [still needed]

  • [ops] This is needed for most integrations (DI, SE).
  • [engineering] update the URL in tenzin-config with the new private-intel URL

SXO (cc @Mark)

Onboarding (todo) [still needed]

  • dependency: SXO: will provide an onboarding API URL
  • [engineering] Onboarding configuration in config.edn. Ask Automation to provide the onboarding URL.

Module Type (cc @Matthieu) [Replicated]

  • [engineering] Creating the SXO Module Type, with the correct URLs, configuration

OAuth2 Client [Replicated]

  • [engineering] Create an IROH OAuth2 client for SXO. Copy the values from another deployed environment, replacing only the redirect URI. In particular, take care with the audiences; the client should be configured with allow-partial-user-scopes? set to true. This client must be trusted: add its client-id to the list of trusted clients via the admin API /admin/oauth/

DI

OAuth2 Client [Replicated]

Create an IROH OAuth2 client for DI. Copy the values from another deployed environment, replacing only the redirect URI. In particular, take care with the audiences; the client should be configured with allow-partial-user-scopes? set to true, as well as org-level-authorization?.

This client must be trusted: add its client-id to the list of trusted clients via the admin API /admin/oauth/

Module Type creation (cc @Matthieu) [Replicated]

Onboarding [still needed or DI should route using geo from the JWT]

Onboarding configuration in config.edn. Ask DI to provide the onboarding URL.

SCA

OAuth2 Client [replicated]

Create an IROH OAuth2 client for SCA. Copy the values from another deployed environment, replacing only the redirect URI. In particular, take care with the audiences; the client should be configured with allow-partial-user-scopes? set to true.

This client must be trusted: add its client-id to the list of trusted clients via the admin API /admin/oauth/

module conf (cc @Matthieu) [Replicated]

Onboarding [SCA route using JWT or still needed]

Onboarding configuration in config.edn. Ask SCA to provide the onboarding URL.

SSX

OAuth2 client (claim aliases) [Replicated]

  1. Ask SSX to deploy a Stage Environment and provide the corresponding URLs. In the rest of this doc we suppose they will be:

    but SSX could provide different URLs to use.

  2. Create a dedicated Org for SSX
  3. Via the API directly, create a new API client using the following payload. Notice that some values could change depending on the SSX configuration of the prefixes. You need to ask SSX which IdP mapping they expect. I took it upon myself to assume that if a user logs in via AMP (CSA), SSX expects the tenant claim to be AMP-STA.

Then you should create the client via the API with the following payload:

{
    "scopes": ["integration", "private-intel", "admin", "profile", "inspect", "iroh-master",
               "iroh-auth", "sse", "users", "casebook", "orbital", "enrich", "oauth", "global-intel",
               "collect", "response", "ui-settings", "openid", "ao"],
    "description": "NEW Environment for Security Services Exchange Admin Console",
    "redirects": [
        "https://admin.sta.sse.itd.cisco.com/*/*",
        "https://admin.sta.sse.itd.cisco.com/*/*/*",
        "https://admin.sta.sse.itd.cisco.com/*",
        "https://admin.sta.sse.itd.cisco.com/*/*/*/*",
        "https://devops.sta.sse.itd.cisco.com/*/*",
        "https://devops.sta.sse.itd.cisco.com/*/*/*",
        "https://devops.sta.sse.itd.cisco.com/*",
        "https://devops.sta.sse.itd.cisco.com/*/*/*/*",
        "https://devops.sta.sse.itd.cisco.com"
    ],
    "availability": "everyone",
    "access-token-lifetime-in-sec": 86400,
    "id-token-lifetime-in-sec": 86400,
    "name": "sse-ui-new-client",
    "grants": ["auth-code"],
    "client-type": "confidential",

    "id-token-aliases": [
        {
            "alias": "spId",
            "case-value": {
                "sxso": "SXSO",
                "idb-tg": "TG-STA",
                "idb-amp": "AMP-STA"
            },
            "default-value": "AMP-STA",
            "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
        },
        {
            "alias": "spId",
            "case-value": {
                "sxso": "SXSO",
                "idb-tg": "TG-STA",
                "idb-amp": "AMP-STA"
            },
            "claim-to-alias": "idp-mapping-idp"
        },
        {
            "alias": "spId",
            "case-value": {
                "sxso": "SXSO",
                "idb-tg": "TG-STA",
                "idb-amp": "AMP-STA"
            },
            "claim-to-alias": "old-idp-mapping-idp"
        },
        {
            "alias": "companyId",
            "replace-value": [
                [
                    "^threatgrid[:]",
                    ""
                ]
            ],
            "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/id"
        },
        {
            "alias": "companyId",
            "replace-value": [
                [
                    "^threatgrid[:]",
                    ""
                ]
            ],
            "claim-to-alias": "idp-mapping-organization-id"
        },
        {
            "alias": "companyId",
            "replace-value": [
                [
                    "^threatgrid[:]",
                    ""
                ]
            ],
            "claim-to-alias": "old-idp-mapping-organization-id"
        },
        {
            "alias": "companyName",
            "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/name"
        },
        {
            "alias": "user_name",
            "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/name"
        },
        {
            "alias": "user_email",
            "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/email"
        },
        {
            "alias": "role",
            "case-value": {
                "admin": "admin",
                "master": "admin",
                "iroh-admin": "admin"
            },
            "default-value": "user",
            "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/role"
        }
    ]
}

Once the client is created, go to the admin API and bless the client to approve it. Also, still via the admin API, add the client to the trusted clients. Before blessing, double-check the redirects list: every entry must be an https URL on the SSX hosts provided in step 1, since those wildcard entries are what bounds where authorization codes for this confidential client can be sent.

Ask QA to verify cross launch is working as expected for the 3 IdPs.
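The id-token-aliases array above is easier to review, and to hand to QA, when you can see what it does to a concrete token. The following is an added example, not IROH code and not part of the original note: a small Python model of the alias rules (case-value, default-value, replace-value, claim-to-alias) run over constructed claim sets for the three IdPs QA is asked to check, plus two edge cases. Two behaviours are assumptions, not confirmed from the page: when several rules share an alias, the first rule whose source claim is present wins, and a case-value rule with no matching key and no default-value produces no alias at all. Note what the real payload's defaults imply: an unrecognised IdP is still sent to the AMP-STA tenant because of "default-value": "AMP-STA", whereas an unrecognised role collapses to "user", which is the fail-closed direction. Confirm both with SSX.

```python
import re

# Source claim names used in the SSX client payload on this page.
IDP_ID = "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
ORG_ID = "https://schemas.cisco.com/iroh/identity/claims/org/id"
ORG_NAME = "https://schemas.cisco.com/iroh/identity/claims/org/name"
USER_EMAIL = "https://schemas.cisco.com/iroh/identity/claims/user/email"
USER_ROLE = "https://schemas.cisco.com/iroh/identity/claims/user/role"

IDP_CASES = {"sxso": "SXSO", "idb-tg": "TG-STA", "idb-amp": "AMP-STA"}

# Subset of the "id-token-aliases" array from the payload above (user_name and
# the old-idp-mapping-* fallbacks are omitted; they follow the same rule shapes).
ID_TOKEN_ALIASES = [
    {"alias": "spId", "case-value": IDP_CASES, "default-value": "AMP-STA",
     "claim-to-alias": IDP_ID},
    {"alias": "spId", "case-value": IDP_CASES, "claim-to-alias": "idp-mapping-idp"},
    {"alias": "companyId", "replace-value": [["^threatgrid[:]", ""]],
     "claim-to-alias": ORG_ID},
    {"alias": "companyId", "replace-value": [["^threatgrid[:]", ""]],
     "claim-to-alias": "idp-mapping-organization-id"},
    {"alias": "companyName", "claim-to-alias": ORG_NAME},
    {"alias": "user_email", "claim-to-alias": USER_EMAIL},
    {"alias": "role",
     "case-value": {"admin": "admin", "master": "admin", "iroh-admin": "admin"},
     "default-value": "user", "claim-to-alias": USER_ROLE},
]


def apply_alias_rule(rule, claims):
    """Evaluate one alias rule against a token's claims.

    Returns (found, value). found is False when the source claim is absent or
    when a case-value lookup misses and the rule has no default-value
    (assumption: such a rule emits nothing rather than the raw value)."""
    source = rule["claim-to-alias"]
    if source not in claims:
        return False, None
    value = claims[source]
    if "case-value" in rule:
        if value in rule["case-value"]:
            return True, rule["case-value"][value]
        if "default-value" in rule:
            return True, rule["default-value"]
        return False, None
    # replace-value is an ordered list of [regex, replacement] pairs.
    for pattern, repl in rule.get("replace-value", []):
        value = re.sub(pattern, repl, str(value))
    return True, value


def alias_claims(claims, rules=ID_TOKEN_ALIASES):
    """Build the aliased claims SSX reads (spId, companyId, role, ...).

    Assumption: when several rules share an alias, the first rule whose source
    claim is present wins; later rules act as fallbacks for legacy tokens."""
    out = {}
    for rule in rules:
        name = rule["alias"]
        if name in out:
            continue
        found, value = apply_alias_rule(rule, claims)
        if found:
            out[name] = value
    return out


# Constructed sample claim sets, one per IdP QA is asked to exercise, plus two
# edge cases. These are not real tokens or real org ids.
SAMPLE_CLAIMS = {
    "amp": {IDP_ID: "idb-amp", ORG_ID: "threatgrid:0a1b2c", ORG_NAME: "Example Org",
            USER_EMAIL: "alice@example.com", USER_ROLE: "master"},
    "tg": {IDP_ID: "idb-tg", ORG_ID: "threatgrid:0a1b2c", ORG_NAME: "Example Org",
           USER_EMAIL: "bob@example.com", USER_ROLE: "user"},
    "sxso": {IDP_ID: "sxso", ORG_ID: "org-42", ORG_NAME: "Example Org",
             USER_EMAIL: "carol@example.com", USER_ROLE: "iroh-admin"},
    # Unknown IdP and unknown role: both fall through to their default-value.
    "unknown-idp": {IDP_ID: "some-other-idp", ORG_ID: "org-42", USER_ROLE: "viewer"},
    # Legacy token carrying only the idp-mapping-* claims.
    "legacy": {"idp-mapping-idp": "idb-tg",
               "idp-mapping-organization-id": "threatgrid:legacy1"},
}

if __name__ == "__main__":
    for label, claims in SAMPLE_CLAIMS.items():
        print(label, alias_claims(claims))
```

Running the block prints the aliased claims for each constructed token; the "amp" and "tg" cases share an org but land on different spId tenants, the "unknown-idp" case shows the AMP-STA default kicking in, and the "legacy" case shows the idp-mapping-* fallback rules being used only when the schemas.cisco.com claims are absent.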

UI

  • Check that the registration UI still works
  • Check some URLs with the normal frontend