From 0009bf5338c846f7304d5241189442a20b0a286d Mon Sep 17 00:00:00 2001 From: Michael Kennedy Date: Mon, 17 Jul 2023 13:48:19 +1000 Subject: [PATCH 01/14] initial space commit --- resources/terraform/f5xc-aws-polsup/README.md | 15 +++++++++++++++ resources/terraform/f5xc-aws-polsup/main.tf | 0 resources/terraform/f5xc-aws-polsup/outputs.tf | 0 resources/terraform/f5xc-aws-polsup/variables.tf | 0 resources/terraform/f5xc-aws-polsup/versions.tf | 0 5 files changed, 15 insertions(+) create mode 100644 resources/terraform/f5xc-aws-polsup/README.md create mode 100644 resources/terraform/f5xc-aws-polsup/main.tf create mode 100644 resources/terraform/f5xc-aws-polsup/outputs.tf create mode 100644 resources/terraform/f5xc-aws-polsup/variables.tf create mode 100644 resources/terraform/f5xc-aws-polsup/versions.tf diff --git a/resources/terraform/f5xc-aws-polsup/README.md b/resources/terraform/f5xc-aws-polsup/README.md new file mode 100644 index 0000000..c33de77 --- /dev/null +++ b/resources/terraform/f5xc-aws-polsup/README.md @@ -0,0 +1,15 @@ +[![license](https://img.shields.io/github/license/f5devcentral/adaptiveapps)](../../LICENSE) +[![standard-readme compliant](https://img.shields.io/badge/readme%20style-standard-brightgreen.svg?style=flat-square)](https://github.com/RichardLitt/standard-readme) + +# DevSecOps with PolicySupervisor + +## Table of Contents + +
+Click to expand. + +
+ +## TODO + +- [ ] `README.md` diff --git a/resources/terraform/f5xc-aws-polsup/main.tf b/resources/terraform/f5xc-aws-polsup/main.tf new file mode 100644 index 0000000..e69de29 diff --git a/resources/terraform/f5xc-aws-polsup/outputs.tf b/resources/terraform/f5xc-aws-polsup/outputs.tf new file mode 100644 index 0000000..e69de29 diff --git a/resources/terraform/f5xc-aws-polsup/variables.tf b/resources/terraform/f5xc-aws-polsup/variables.tf new file mode 100644 index 0000000..e69de29 diff --git a/resources/terraform/f5xc-aws-polsup/versions.tf b/resources/terraform/f5xc-aws-polsup/versions.tf new file mode 100644 index 0000000..e69de29 -- GitLab From 1334df2190a2b59038994e1a35fddabe5dc61daa Mon Sep 17 00:00:00 2001 From: Michael Kennedy Date: Mon, 17 Jul 2023 14:11:40 +1000 Subject: [PATCH 02/14] updates for PolicySupervisor AWS EKS & BIG-IP CIS --- .../f5xc-aws-icap/aws-secrets.tfvars | 3 +++ ...es_system_f5xc-icap_kubeconfig_global.yaml | 20 +++++++++++++++++++ .../README.md | 0 .../main.tf | 0 .../outputs.tf | 0 .../variables.tf | 0 .../versions.tf | 0 7 files changed, 23 insertions(+) create mode 100644 resources/terraform/f5xc-aws-icap/aws-secrets.tfvars create mode 100644 resources/terraform/f5xc-aws-icap/ves_system_f5xc-icap_kubeconfig_global.yaml rename resources/terraform/{f5xc-aws-polsup => polsup-eks-cis}/README.md (100%) rename resources/terraform/{f5xc-aws-polsup => polsup-eks-cis}/main.tf (100%) rename resources/terraform/{f5xc-aws-polsup => polsup-eks-cis}/outputs.tf (100%) rename resources/terraform/{f5xc-aws-polsup => polsup-eks-cis}/variables.tf (100%) rename resources/terraform/{f5xc-aws-polsup => polsup-eks-cis}/versions.tf (100%) diff --git a/resources/terraform/f5xc-aws-icap/aws-secrets.tfvars b/resources/terraform/f5xc-aws-icap/aws-secrets.tfvars new file mode 100644 index 0000000..1c55247 --- /dev/null +++ b/resources/terraform/f5xc-aws-icap/aws-secrets.tfvars 
@@ -0,0 +1,3 @@ +aws_access_key = "AKIAUDDKQQFGCT25WQZC" +aws_secret_key = "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" +ssh_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKBTZPM67SHZ1V9URDUlwZLlgGf1l0znMrMdf0muAJCnTNHf8MS9VI3Ep4UPAAXVfd03eflwDK0PT1sI1ICYmYlDr/X7dtclT0s8pcxE/Nn1wkkDcvzhT8WslHJZv0KYavE7q4UEzFZpfJ6qcv9Vd/twYQIkei9YfB6vycAbF6u3uuNIaV5aJ7ZcDiBpaRLklhn9AyYJj2VGbaV0mNPO9rRoI5zNWtWfpj5FFTxYvkZMTP11bvWzF0nvOmdBYQYUtrQtpyR0J9WcoDiOjaZ/zxJXv1uMRShDHDi8C1b9wvhyrKfzuNRNBZHy2HIzfojD6bM2TNbBAHH2mbCkpt4yTVeMMzY3mi3wuMaekw4BvJmBi3s8Dgyhart3XBvuz2BBI3TyWnNM5NAN4oIIVmY6rnAw4kpJ6dS/cvjUsQ/bhi4XoMgcOiqJ1bFf43uzeaJrKb7aivPwD9QNtCK/ZgxFEVk4BUPgv95/RieUXG/j78dM3hx4OhDZQ0OwuBVt3MQT8= m.kennedy@C02G20XKML85" \ No newline at end of file diff --git a/resources/terraform/f5xc-aws-icap/ves_system_f5xc-icap_kubeconfig_global.yaml b/resources/terraform/f5xc-aws-icap/ves_system_f5xc-icap_kubeconfig_global.yaml new file mode 100644 index 0000000..0e123cb --- /dev/null +++ b/resources/terraform/f5xc-aws-icap/ves_system_f5xc-icap_kubeconfig_global.yaml 
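Review bot: The three added lines commit a live IAM access key ID and secret access key to version control; once pushed, that key pair has to be treated as compromised, so it should be deactivated and rotated in IAM and the file purged from history rather than only deleted in a follow-up commit. The AWS provider already reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, a named profile or an assumed role from the environment, so the `aws_access_key`/`aws_secret_key` variables can be dropped and the tfvars replaced by a committed `aws-secrets.tfvars.example` with placeholder values plus a `*.tfvars` entry in `.gitignore`. The `ssh_public_key` value is public material, but it is tied to a personal workstation identity and is better supplied per deployer as well.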
@@ -0,0 +1,20 @@ +apiVersion: v1 +clusters: +- cluster: + certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZGakNDQXY2Z0F3SUJBZ0lSQUpFckNFclBEQmluVS9iV0xpV25YMW93RFFZSktvWklodmNOQVFFTEJRQXcKVHpFTE1Ba0dBMVVFQmhNQ1ZWTXhLVEFuQmdOVkJBb1RJRWx1ZEdWeWJtVjBJRk5sWTNWeWFYUjVJRkpsYzJWaApjbU5vSUVkeWIzVndNUlV3RXdZRFZRUURFd3hKVTFKSElGSnZiM1FnV0RFd0hoY05NakF3T1RBME1EQXdNREF3CldoY05NalV3T1RFMU1UWXdNREF3V2pBeU1Rc3dDUVlEVlFRR0V3SlZVekVXTUJRR0ExVUVDaE1OVEdWMEozTWcKUlc1amNubHdkREVMTUFrR0ExVUVBeE1DVWpNd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFSwpBb0lCQVFDN0FoVW96UGFnbE5NUEV1eU5WWkxEK0lMeG1hWjZRb2luWFNhcXRTdTV4VXl4cjQ1citYWElvOWNQClI1UVVWVFZYako2b29qa1o5WUk4UXFsT2J2VTd3eTdiamNDd1hQTlpPT2Z0ejJud1dnc2J2c0NVSkNXSCtqZHgKc3hQbkhLemhtKy9iNUR0RlVrV1dxY0ZUempUSVV1NjFydTJQM21CdzRxVlVxN1p0RHBlbFFEUnJLOU84WnV0bQpOSHo2YTR1UFZ5bVorREFYWGJweWIvdUJ4YTNTaGxnOUY4Zm5DYnZ4Sy9lRzNNSGFjVjNVUnVQTXJTWEJpTHhnClozVm1zL0VZOTZKYzVsUC9Pb2kyUjZYL0V4anFtQWwzUDUxVCtjOEI1ZldtY0JjVXIyT2svNW16azUzY1U2Y0cKL2tpRkhhRnByaVYxdXhQTVVnUDE3VkdoaTlzVkFnTUJBQUdqZ2dFSU1JSUJCREFPQmdOVkhROEJBZjhFQkFNQwpBWVl3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdJR0NDc0dBUVVGQndNQk1CSUdBMVVkRXdFQi93UUlNQVlCCkFmOENBUUF3SFFZRFZSME9CQllFRkJRdXN4ZTNXRmJMcmxBSlFPWWZyNTJMRk1MR01COEdBMVVkSXdRWU1CYUEKRkhtMFdlWjd0dVhrQVhPQUNJaklHbGoyNlp0dU1ESUdDQ3NHQVFVRkJ3RUJCQ1l3SkRBaUJnZ3JCZ0VGQlFjdwpBb1lXYUhSMGNEb3ZMM2d4TG1rdWJHVnVZM0l1YjNKbkx6QW5CZ05WSFI4RUlEQWVNQnlnR3FBWWhoWm9kSFJ3Ck9pOHZlREV1WXk1c1pXNWpjaTV2Y21jdk1DSUdBMVVkSUFRYk1Ca3dDQVlHWjRFTUFRSUJNQTBHQ3lzR0FRUUIKZ3Q4VEFRRUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUNBUUNGeWs1SFBxUDNoVVNGdk5WbmVMS1lZNjExVFI2VwpQVE5sY2xRdGdhRHF3KzM0SUw5ZnpMZHdBTGR1Ty9aZWxON2tJSittNzR1eUErZWl0Ulk4a2M2MDdUa0M1M3dsCmlrZm1aVzQvUnZUWjhNNlVLKzVVemhLOGpDZEx1TUdZTDZLdnpYR1JTZ2kzeUxnamV3UXRDUGtJVno2RDJRUXoKQ2tjaGVBbUNKOE1xeUp1NXpsenlaTWpBdm5uQVQ0NXRSQXhla3JzdTk0c1E0ZWdkUkNuYldTRHRZN2toK0JJbQpsSk5Yb0IxbEJNRUtJcTRRRFVPWG9SZ2ZmdURnaGplMVdyRzlNTCtIYmlzcS95Rk9Hd1hEOVJpWDhGNnN3Nlc0CmF2QXV2RHN6dWU1TDNzejg1SytFQzRZL3dGVkROdlpvNFRZWGFvNlowZi
tsUUtjMHQ4RFFZemsxT1hWdThycDIKeUpNQzZhbExiQmZPREFMWnZZSDduN2RvMUFabHM0STlkMVA0am5rRHJRb3hCM1VxUTloVmwzTEVLUTczeEYxTwp5SzVHaEREWDhvVmZHS0Y1dStkZWNJc0g0WWFUdzdtUDNHRnhKU3F2MyswbFVGSm9pNUxjNWRhMTQ5cDkwSWRzCmhDRXhyb0wxKzdtcnlJa1hQZUZNNVRnTzlyMHJ2WmFCRk92VjJ6MGdwMzVaMCtMNFdQbGJ1RWpOL2x4UEZpbisKSGxVanI4Z1JzSTNxZkpPUUZ5LzlyS0lKUjBZLzhPbXd0LzhvVFdneTFtZGVIbW1qazdqMW5Zc3ZDOUpTUTZadgpNbGRsVFRLQjN6aFRoVjErWFdZcDZyamQ1SlcxemJWV0VrTE54RTdHSlRoRVVHM3N6Z0JWR1A3cFNXVFVUc3FYCm5MUmJ3SE9vcTdoSHdnPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJRmF6Q0NBMU9nQXdJQkFnSVJBSUlRejdEU1FPTlpSR1BndTJPQ2l3QXdEUVlKS29aSWh2Y05BUUVMQlFBdwpUekVMTUFrR0ExVUVCaE1DVlZNeEtUQW5CZ05WQkFvVElFbHVkR1Z5Ym1WMElGTmxZM1Z5YVhSNUlGSmxjMlZoCmNtTm9JRWR5YjNWd01SVXdFd1lEVlFRREV3eEpVMUpISUZKdmIzUWdXREV3SGhjTk1UVXdOakEwTVRFd05ETTQKV2hjTk16VXdOakEwTVRFd05ETTRXakJQTVFzd0NRWURWUVFHRXdKVlV6RXBNQ2NHQTFVRUNoTWdTVzUwWlhKdQpaWFFnVTJWamRYSnBkSGtnVW1WelpXRnlZMmdnUjNKdmRYQXhGVEFUQmdOVkJBTVRERWxUVWtjZ1VtOXZkQ0JZCk1UQ0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQUszb0pIUDBGRGZ6bTU0clZ5Z2MKaDc3Y3Q5ODRrSXh1UE9aWG9IajNkY0tpL3ZWcWJ2WUFUeWpiM21pR2JFU1R0ckZqL1JRU2E3OGYwdW94bXlGKwowVE04dWtqMTNYbmZzN2ovRXZFaG1rdkJpb1p4YVVwbVpteVBmanh3djYwcElnYno1TURtZ0s3aVM0KzNtWDZVCkE1L1RSNWQ4bVVnalUrZzRyazhLYjRNdTBVbFhqSUIwdHRvdjBEaU5ld053SVJ0MThqQTgrbyt1M2RwanErc1cKVDhLT0VVdCt6d3ZvLzdWM0x2U3llMHJnVEJJbERIQ05BeW1nNFZNazdCUFo3aG0vRUxOS2pEK0pvMkZSM3F5SApCNVQwWTNIc0x1SnZXNWlCNFlsY05IbHNkdTg3a0dKNTV0dWttaThteGRBUTRRN2UyUkNPRnZ1Mzk2ajN4K1VDCkI1aVBOZ2lWNStJM2xnMDJkWjc3RG5LeEhadThBL2xKQmRpQjNRVzBLdFpCNmF3QmRwVUtEOWpmMWIwU0h6VXYKS0JkczBwakJxQWxrZDI1SE43ck9yRmxlYUoxL2N0YUp4UVpCS1Q1WlB0MG05U1RKRWFkYW8weEFIMGFobWJXbgpPbEZ1aGp1ZWZYS25FZ1Y0V2UwK1VYZ1ZDd09QamRBdkJiSStlMG9jUzNNRkV2ekc2dUJRRTN4RGszU3p5blRuCmpoOEJDTkF3MUZ0eE5yUUh1c0V3TUZ4SXQ0STdtS1o5WUlxaW95bUN6THE5Z3dRYm9vTURRYUhXQmZFYndyYncKcUh5R08wYW9TQ3FJM0hhYWRyOGZhcVU5R1kvck9QTmszc2dyRFFvby8vZmI0aFZDMUNMUUoxM2hlZjRZNTNDSQpyVTdtMllzNnh0MG5VVzcvdkdUMU0wTlBBZ01CQUFHalFqQkFNQTRHQT
FVZER3RUIvd1FFQXdJQkJqQVBCZ05WCkhSTUJBZjhFQlRBREFRSC9NQjBHQTFVZERnUVdCQlI1dEZubWU3Ymw1QUZ6Z0FpSXlCcFk5dW1iYmpBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FnRUFWUjlZcWJ5eXFGRFFETEhZR21rZ0p5a0lyR0YxWElwdStJTGxhUy9WOWxaTAp1Ymh6RUZuVElaZCs1MHh4KzdMU1lLMDVxQXZxRnlGV2hmRlFEbG5yenVCWjZickpGZStHblkrRWdQYms2WkdRCjNCZWJZaHRGOEdhVjBueHZ3dW83N3gvUHk5YXVKL0dwc01pdS9YMSttdm9pQk92LzJYL3FrU3Npc1JjT2ovS0sKTkZ0WTJQd0J5VlM1dUNiTWlvZ3ppVXd0aER5QzMrNldWd1c2TEx2M3hMZkhUanVDdmpISUluTnprdEhDZ0tRNQpPUkF6STRKTVBKK0dzbFdZSGI0cGhvd2ltNTdpYXp0WE9vSndUZHdKeDRuTENnZE5iT2hkanNudnpxdkh1N1VyClRrWFdTdEFtek9WeXlnaHFwWlhqRmFIM3BPM0pMRitsKy8rc0tBSXV2dGQ3dStOeGU1QVcwd2RlUmxOOE53ZEMKak5QRWxwelZtYlVxNEpVYWdFaXVURGtIenN4SHBGS1ZLN3E0KzYzU00xTjk1UjFOYmRXaHNjZENiK1pBSnpWYwpveWkzQjQzbmpUT1E1eU9mKzFDY2VXeEcxYlFWczVadWZwc01sanE0VWkwLzFsdmgrd2pDaFA0a3FLT0oycXhxCjRSZ3FzYWhEWVZ2VEg5dzdqWGJ5TGVpTmRkOFhNMnc5VS90N3kwRmYvOXlpMEdFNDRaYTRyRjJMTjlkMTFUUEEKbVJHdW5VSEJjbldFdmdKQlFsOW5KRWlVMFpzbnZnYy91YmhQZ1hSUjRYcTM3WjBqNHI3ZzFTZ0VFend4QTU3ZAplbXlQeGdjWXhuL2VSNDQvS0o0RUJzK2xWRFIzdmV5Sm0ra1hROTliMjEvK2poNVhvczFBblg1aUl0cmVHQ2M9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdFekNDQS91Z0F3SUJBZ0lRZlZ0UkpyUjJ1aEhiZEJZTHZGTU5wekFOQmdrcWhraUc5dzBCQVF3RkFEQ0IKaURFTE1Ba0dBMVVFQmhNQ1ZWTXhFekFSQmdOVkJBZ1RDazVsZHlCS1pYSnpaWGt4RkRBU0JnTlZCQWNUQzBwbApjbk5sZVNCRGFYUjVNUjR3SEFZRFZRUUtFeFZVYUdVZ1ZWTkZVbFJTVlZOVUlFNWxkSGR2Y21zeExqQXNCZ05WCkJBTVRKVlZUUlZKVWNuVnpkQ0JTVTBFZ1EyVnlkR2xtYVdOaGRHbHZiaUJCZFhSb2IzSnBkSGt3SGhjTk1UZ3gKTVRBeU1EQXdNREF3V2hjTk16QXhNak14TWpNMU9UVTVXakNCanpFTE1Ba0dBMVVFQmhNQ1IwSXhHekFaQmdOVgpCQWdURWtkeVpXRjBaWElnVFdGdVkyaGxjM1JsY2pFUU1BNEdBMVVFQnhNSFUyRnNabTl5WkRFWU1CWUdBMVVFCkNoTVBVMlZqZEdsbmJ5Qk1hVzFwZEdWa01UY3dOUVlEVlFRREV5NVRaV04wYVdkdklGSlRRU0JFYjIxaGFXNGcKVm1Gc2FXUmhkR2x2YmlCVFpXTjFjbVVnVTJWeWRtVnlJRU5CTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQwpBUThBTUlJQkNnS0NBUUVBMW5NejF0YzhJTkFBMGhkRnVOWStCNkkveDBIdU1qREpzR3o5OUovTEVwZ1BMVCtOClRRRU1nZzhYZjJJdTZiaEllZnNXZzA2dDF6SWxrN2NIdjdsUVA2bE13MEFxNlRuLzJZSEtIeFl5UW
RxQUpya2oKZW9jZ0h1UC9JSm84bFVSdmgzVUdrRUMwTXBNV0NSQUlJejdTM1ljUGIxMVJGR29LYWNWUEFYSnB6OU9UVEcwRQpvS01iZ242eG1ybnR4WjdGTjNpZm1nZzArMVl1V01RSkRnWmtXN3czM1BHZktHaW9WckNTbzF5ZnU0aVlDQnNrCkhhc3doYTZ2c0M2ZWVwM0J3RUljNGdMdzZ1QkswdStRRHJUQlFCYndiNFZDU21UM3BEQ2cvcjh1b3lkYWpvdFkKdUszREdSZUVZKzF2VnYyRHkyQTB4SFMrNXAzYjRlVGx5Z3hmRlFJREFRQUJvNElCYmpDQ0FXb3dId1lEVlIwagpCQmd3Rm9BVVUzbS9XcW9yU3M5VWdPSFltOENkOHJJRFpzc3dIUVlEVlIwT0JCWUVGSTJNWHNSVXJZcmhkK21iCitac0Y0YmdCaldIaE1BNEdBMVVkRHdFQi93UUVBd0lCaGpBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQU1CMEcKQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBYkJnTlZIU0FFRkRBU01BWUdCRlVkSUFBdwpDQVlHWjRFTUFRSUJNRkFHQTFVZEh3UkpNRWN3UmFCRG9FR0dQMmgwZEhBNkx5OWpjbXd1ZFhObGNuUnlkWE4wCkxtTnZiUzlWVTBWU1ZISjFjM1JTVTBGRFpYSjBhV1pwWTJGMGFXOXVRWFYwYUc5eWFYUjVMbU55YkRCMkJnZ3IKQmdFRkJRY0JBUVJxTUdnd1B3WUlLd1lCQlFVSE1BS0dNMmgwZEhBNkx5OWpjblF1ZFhObGNuUnlkWE4wTG1OdgpiUzlWVTBWU1ZISjFjM1JTVTBGQlpHUlVjblZ6ZEVOQkxtTnlkREFsQmdnckJnRUZCUWN3QVlZWmFIUjBjRG92CkwyOWpjM0F1ZFhObGNuUnlkWE4wTG1OdmJUQU5CZ2txaGtpRzl3MEJBUXdGQUFPQ0FnRUFNcjlodlE1SXcwL0gKdWtkTitKeDRHUUhjRXgyQWIvekRjTFJTbWpFem1sZFMrekdlYTZUdlZLcUpqVUFYYVBnUkVIelN5ckh4VlliSAo3ck0ya1liMk9WRy9ScjhQb0xxMDkzNUp4Q28yRjU3a2FEbDZyNVJPVm0reWV6dS9Db2E5emNWM0hBTzRPTEdpCkgxOSsyNHJjUmtpMmFBclBzclcwNGpUa1o2azRaZ2xlMHJqOG5TZzZGMEFud25KT0tmMGhQSHpQRS91V0xNVXgKUlAwVDdkV2JxV2xvZDN6dTRmK2srVFk0Q0ZNNW9vUTBuQm56dmc2czFTUTM2eU9vZU5EVDUrK1NSMlJpT1NMdgp4dmNSdmlLRnhtWkVKQ2FPRURLTnlKT3VCNTZEUGkvWitmVkdqbU8rd2VhMDNLYk5JYWlHQ3BYWkxvVW1HdjM4CnNiWlhRbTJWMFRQMk9SUUdna0U0OVk5WTNJQmJwTlY5bFhqOXA1di8vY1dvYWFzbTU2ZWtCWWRicWJlNG95QUwKbDZsRmhkMnppK1dKTjQ0cERmd0dGL1k0UUE1QzVCSUcrM3Z6eGhGb1l0L2ptUFFUMkJWUGk3RnAyUkJndkdRcQo2akczNUxXak9oU2JKdU1MZS8wQ2pyYVp3VGlYV1RiMnFIU2loclplNjhaazZzK2dvL2x1bnJvdEViYUdtQWhZCkxjbXNKV1R5WG5XME9NR3VmMXBHZytwUnlyYnhtUkUxYTZWcWU4WUFzT2Y0dm1TeXJjakM4YXpqVWVxa2srQjUKeU9HQlFNa0tXK0VTUE1GZ0t1T1h3SWxDeXBUUFJwZ1NhYnVZME1MVERYSkxSMjdsazhReUtHT0hRK1N3TWo0SwowMHUvSTVzVUtVRXJtZ1Fma3kzeHh6bElQSzFhRW44PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS
0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlGM2pDQ0E4YWdBd0lCQWdJUUFmMXRNUHlqeWxHb0c3eGtEalVETFRBTkJna3Foa2lHOXcwQkFRd0ZBRENCCmlERUxNQWtHQTFVRUJoTUNWVk14RXpBUkJnTlZCQWdUQ2s1bGR5QktaWEp6WlhreEZEQVNCZ05WQkFjVEMwcGwKY25ObGVTQkRhWFI1TVI0d0hBWURWUVFLRXhWVWFHVWdWVk5GVWxSU1ZWTlVJRTVsZEhkdmNtc3hMakFzQmdOVgpCQU1USlZWVFJWSlVjblZ6ZENCU1UwRWdRMlZ5ZEdsbWFXTmhkR2x2YmlCQmRYUm9iM0pwZEhrd0hoY05NVEF3Ck1qQXhNREF3TURBd1doY05Nemd3TVRFNE1qTTFPVFU1V2pDQmlERUxNQWtHQTFVRUJoTUNWVk14RXpBUkJnTlYKQkFnVENrNWxkeUJLWlhKelpYa3hGREFTQmdOVkJBY1RDMHBsY25ObGVTQkRhWFI1TVI0d0hBWURWUVFLRXhWVQphR1VnVlZORlVsUlNWVk5VSUU1bGRIZHZjbXN4TGpBc0JnTlZCQU1USlZWVFJWSlVjblZ6ZENCU1UwRWdRMlZ5CmRHbG1hV05oZEdsdmJpQkJkWFJvYjNKcGRIa3dnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRQ0FFbVVYTmc3RDJ3aXowS3hYRFhidHpTZlRUSzFRZzJIaXFpQk5DUzFrQ2R6T2laL01QYW5zOXMvQgozUEhUc2RaN055Z1JLMGZhT2NhOE9obTBYNmE5ZloyalkwSzJkdktwT3l1UitPSnYwT3dXSUpBSlB1TG9kTWtZCnRKSFVZbVRiZjZNRzhZZ1lhcEFpUEx6K0UvQ0hGSHYyNUIrTzFPUlJ4aEZuUmdoUnk0WVVWRCs4TS81K2JKei8KRnAwWXZWR09OYWFuWnNoeVo5c2hackhVbTNnRHdGQTY2TXp3M0x5ZVRQNnZCWlkxSDFkYXQvL08rVDIzTExiMgpWTjNJNXhJNlRhNU1pcmRjbXJTM0lEM0tmeUkwcm40N2FHWUJST2NCVGtaVG16Tmc5NVMrVXplUWMwUHpNc05UCjc5dXEvblJPYWNkcmpHQ1Qzc1RIRE4vaE1xN01renRSZUpWbmkrNDlWdjRNMEdrUEd3L3pKU1pyTTIzM2JrZjYKYzBQbGZnNmxackVwZkRLRVkxV0p4QTNCazFRd0dST3MwMzAzcCt0ZE9tdzFYTnRCMXhMYXFVa0wzOWlBaWdtVApZbzYxWnM4bGlNMkV1TEUvcERrUDJRS2U2eEpNbFh6emF3V3BYaGFEekxobjR1Z1RuY3hiZ3ROTXMrMWIvOTdsCmM2d2pPeTBBdnpWVmRBbEoyRWxZR24rU051WlJrZzd6Sm4wY1RSZTh5ZXhESnRDL1FWOUFxVVJFOUpublY0ZWUKVUI5WFZLZysvWFJqTDdGUVpRbm1XRUl1UXhwTXRQQWxSMW42QkI2VDFDWkdTbENCc3Q2K2VMZjhaeFhoeVZlRQpIZzlqMXVsaXV0WmZWUzdxWE1Zb0NBUWxPYmdPSzZueVRKY2NCejhOVXZYdDd5K0NEd0lEQVFBQm8wSXdRREFkCkJnTlZIUTRFRmdRVVUzbS9XcW9yU3M5VWdPSFltOENkOHJJRFpzc3dEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEcKQTFVZEV3RUIvd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVNQlFBRGdnSUJBRnpVZkEzUDl3RjlRWmxsREhQRgpVcC9MK00rWkJuOGIya01WbjU0Q1ZWZVdGUEZTUENlSGxDanRIem9CTjZKMi9GTlF3SVNieG10T3Vvd2hUNktPClZXS1I4MmtWMkx5STQ4U3FDLzN2cU9sTFZTb0dJRzFWZUNrWjdsOHdYRXNrRV
ZYL0pKcHVYaW9yN2d0Tm4zLzMKQVRpVUZKVkRCd243WUtudUhLc1NqS0NhWHFlWWFsbHRpejhJKzhqUlJhOFlGV1NRRWc5ektDN0Y0aVJPL0Zqcwo4UFJGL2lLejZ5K08wdGxGWVFYQmwyK29kbktQaTR3MnI3OE5CYzV4amVhbWJ4OXNwbkZpeGRqUWczSU04V2NSCmlReWNFMHh5Tk4rODFYSGZxbkhkNGJsc2pEd1NYV1hhdlZjU3RrTnIvK1hlVFdZUlVjK1pydXdYdHVoeGtZemUKU2Y3ZE5YR2lGU2VVSE05aDR5YTdiNk5uSlNGZDV0MGRDeTVvR3p1Q3IreURaNFhVbUZGMHNibVpnSW4vZjNnWgpYSGxLWUM2U1FLNU1OeW9zeWNkaXlBNWQ5elpieXVBbEpRRzAzUm9IbkhjQVA5RGMxZXc5MVBxN1A4eUYxbTkvCnFTM2Z1UUwzOVplYXRUWGF3MmV3aDBxcEtKNGpqdjljSjJ2aHNFL3pCKzRBTHRSWmg4dFNRWlhxOUVmWDdtUkIKVlh5TldRS1YzV0tkd3JudVdpaDBoS1didDVESERBZmY5WWsyZERMV0tNR3dzQXZnbkV6REhOYjg0Mm0xUjBhQgpMNktDcTlOalJIREVqZjh0TTdxdGozdTFjSWl1UGhuUFFDalkvTWlRdTEyWkl2VlM1bGpGSDRneFErNklIZGZHCmpqeERhaDJuR041OVBSYnhZdm5La0tqOQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCgoK + server: https://f5-big-ip.console.ves.volterra.io/api/k8s/namespaces/system/site/f5xc-icap + name: f5xc-icap +contexts: +- context: + cluster: f5xc-icap + namespace: default + user: m.kennedy@f5.com + name: f5xc-icap +current-context: f5xc-icap +kind: Config +preferences: {} +users: +- user: + client-certificate-data: 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 + client-key-data: 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 + name: m.kennedy@f5.com diff --git a/resources/terraform/f5xc-aws-polsup/README.md b/resources/terraform/polsup-eks-cis/README.md similarity index 100% rename from resources/terraform/f5xc-aws-polsup/README.md rename to resources/terraform/polsup-eks-cis/README.md diff --git a/resources/terraform/f5xc-aws-polsup/main.tf b/resources/terraform/polsup-eks-cis/main.tf similarity index 100% rename from resources/terraform/f5xc-aws-polsup/main.tf rename to resources/terraform/polsup-eks-cis/main.tf diff --git a/resources/terraform/f5xc-aws-polsup/outputs.tf b/resources/terraform/polsup-eks-cis/outputs.tf similarity index 100% rename from resources/terraform/f5xc-aws-polsup/outputs.tf rename to resources/terraform/polsup-eks-cis/outputs.tf 
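Review bot: The new kubeconfig embeds `client-certificate-data` and `client-key-data` for the user `m.kennedy@f5.com`, i.e. a private key granting API access to the `f5xc-icap` site, and it now lives in the repository next to the Terraform code. That credential should be revoked and reissued in the F5 Distributed Cloud console and the file removed and purged from history; downloaded kubeconfigs belong in `.gitignore` (e.g. `*kubeconfig*.yaml`) or a secrets store, with the path passed to tooling at run time. The `certificate-authority-data` block on its own is not sensitive, but there is no reason to commit the combined file. Presumably this is an artifact downloaded from the console rather than something Terraform generates — confirm, and if so document in the module README how to obtain it instead.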
diff --git a/resources/terraform/f5xc-aws-polsup/variables.tf b/resources/terraform/polsup-eks-cis/variables.tf similarity index 100% rename from resources/terraform/f5xc-aws-polsup/variables.tf rename to resources/terraform/polsup-eks-cis/variables.tf diff --git a/resources/terraform/f5xc-aws-polsup/versions.tf b/resources/terraform/polsup-eks-cis/versions.tf similarity index 100% rename from resources/terraform/f5xc-aws-polsup/versions.tf rename to resources/terraform/polsup-eks-cis/versions.tf -- GitLab From e1a03cc6c79a921b19d377ca200e76ae8e95efed Mon Sep 17 00:00:00 2001 From: Michael Kennedy Date: Mon, 17 Jul 2023 15:01:16 +1000 Subject: [PATCH 03/14] addtions of juice-shop manifests --- resources/k8s-manifests/f5xc-icap/notes.md | 16 +- .../juice-shop/juice-shop-deployment.yaml | 16 ++ .../juice-shop/juice-shop-service.yaml | 12 + .../terraform/aws-eks-cbip-cis/README.md | 2 +- resources/terraform/f5xc-aws-icap/as_built.md | 3 +- .../terraform/f5xc-aws-polsup/as_built.md | 0 resources/terraform/f5xc-aws-polsup/main.tf | 240 ++++++++++++++++++ .../f5xc-aws-polsup/min-iam-policy.json | 105 ++++++++ .../terraform/f5xc-aws-polsup/variables.tf | 66 +++++ .../terraform/f5xc-aws-polsup/versions.tf | 30 +++ 10 files changed, 485 insertions(+), 5 deletions(-) create mode 100644 resources/k8s-manifests/juice-shop/juice-shop-deployment.yaml create mode 100644 resources/k8s-manifests/juice-shop/juice-shop-service.yaml create mode 100644 resources/terraform/f5xc-aws-polsup/as_built.md create mode 100644 resources/terraform/f5xc-aws-polsup/min-iam-policy.json diff --git a/resources/k8s-manifests/f5xc-icap/notes.md b/resources/k8s-manifests/f5xc-icap/notes.md index 25969db..e00fa82 100644 --- a/resources/k8s-manifests/f5xc-icap/notes.md +++ b/resources/k8s-manifests/f5xc-icap/notes.md 
@@ -18,6 +18,15 @@ https://community.f5.com/t5/technical-forum/i-just-want-to-use-the-relative-uri- https://community.f5.com/t5/technical-articles/icap-204-response-frequently-asked-questions/ta-p/290391 https://f5-k8s-ctfd.docs.emea.f5se.com/en/latest/class7/module1/module1.html https://github.com/nergalex/f5-aks-kic-lab-admin/tree/master/playbooks/roles/poc-opswat +https://github.com/nakadaisuke/volterra-tutorial + + +## vmware references + +https://github.com/vmware/govmomi/tree/main +https://cloud-provider-vsphere.sigs.k8s.io/tutorials/deploying_cpi_with_multi_dc_vc_aka_zones.html +https://blah.cloud/kubernetes/creating-an-ubuntu-18-04-lts-cloud-image-for-cloning-on-vmware/ +https://rpi4cluster.com/ ## F5XC CE Deployment notes: @@ -51,17 +60,18 @@ docker push :/: - [Cisco-Talos](https://github.com/Cisco-Talos/clamav-docker) - [UKHomeOffice ClamAV (Legacy)](https://github.com/UKHomeOffice/docker-clamav/blob/master/Dockerfile) - [UKHomeOffice ClamAV](https://github.com/UKHomeOffice/clamav-http/blob/master/clamav/Dockerfile) - +- [ClamAV REST API k8s](https://github.com/benzino77/clamav-rest-api/tree/master) # TODO -- [ ] migrate `f5xc-icap` into two modules +- [x] migrate `f5xc-icap` into two modules * vk8s provisionin * clamav deployment -- [ ] declaritaive kubeconfig for k8s manifest +- [x] declaritaive kubeconfig for k8s manifest - [ ] add gitflow steps to readme for * image build/packer/docker * push to ghcr.io or private for edge clamav + # Random Thoughts diff --git a/resources/k8s-manifests/juice-shop/juice-shop-deployment.yaml b/resources/k8s-manifests/juice-shop/juice-shop-deployment.yaml new file mode 100644 index 0000000..992274c --- /dev/null +++ b/resources/k8s-manifests/juice-shop/juice-shop-deployment.yaml 
@@ -0,0 +1,16 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: juice-shop +spec: + template: + metadata: + labels: + app: juice-shop + spec: + containers: + - name: juice-shop + image: bkimminich/juice-shop + selector: + matchLabels: + app: juice-shop \ No newline at end of file diff --git a/resources/k8s-manifests/juice-shop/juice-shop-service.yaml b/resources/k8s-manifests/juice-shop/juice-shop-service.yaml new file mode 100644 index 0000000..f90f702 --- /dev/null +++ b/resources/k8s-manifests/juice-shop/juice-shop-service.yaml @@ -0,0 +1,12 @@ +kind: Service +apiVersion: v1 +metadata: + name: juice-shop +spec: + type: NodePort + selector: + app: juice-shop + ports: + - name: http + port: 8000 + targetPort: 3000 \ No newline at end of file diff --git a/resources/terraform/aws-eks-cbip-cis/README.md b/resources/terraform/aws-eks-cbip-cis/README.md index 426377a..af1388a 100644 --- a/resources/terraform/aws-eks-cbip-cis/README.md +++ b/resources/terraform/aws-eks-cbip-cis/README.md @@ -69,7 +69,7 @@ Ensure that you have installed the following tools in your Mac or Windows Laptop > **Note**: The policy resource is set as `*` to allow all resources, this is not a recommended practice. -You can find the policy [here](min-iam-policy.json) +You can find the policy [here](../f5xc-aws-polsup/min-iam-policy.json) ### Deployment Steps diff --git a/resources/terraform/f5xc-aws-icap/as_built.md b/resources/terraform/f5xc-aws-icap/as_built.md index e7ef805..1868bd3 100644 --- a/resources/terraform/f5xc-aws-icap/as_built.md +++ b/resources/terraform/f5xc-aws-icap/as_built.md @@ -65,4 +65,5 @@ k delete -f ukoffice-clamav.yaml -n aatt-solutions --kubeconfig ~/Downloads/ves_ ## TODO - [ ] deploy https/https application f5xc load balancer/nginx ingress -- [ ] validate auto-connet for appstack \ No newline at end of file +- [ ] validate auto-connet for appstack +- [ ] association with k8s api access for f5xc managed k8s local api access. \ No newline at end of file 
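Review bot: `image: bkimminich/juice-shop` carries no tag or digest, so every rollout pulls whatever `latest` resolves to and the manifest is not reproducible; pin it, e.g. `image: bkimminich/juice-shop:<pinned-tag>` or an `@sha256:` digest. The container also has no `resources` requests/limits and no `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`), which matters more than usual because Juice Shop is an intentionally vulnerable application. The companion Service hunk on this line uses `type: NodePort`, which allocates a port on every node; if the app is only meant to be reached through the BIG-IP/CIS or an Ingress, `ClusterIP` is sufficient and keeps the workload off the node network. `replicas` is omitted and defaults to 1, which is fine for a demo but worth stating explicitly.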
diff --git a/resources/terraform/f5xc-aws-polsup/as_built.md b/resources/terraform/f5xc-aws-polsup/as_built.md new file mode 100644 index 0000000..e69de29 diff --git a/resources/terraform/f5xc-aws-polsup/main.tf b/resources/terraform/f5xc-aws-polsup/main.tf index e69de29..bce1d5e 100644 --- a/resources/terraform/f5xc-aws-polsup/main.tf +++ b/resources/terraform/f5xc-aws-polsup/main.tf 
@@ -0,0 +1,240 @@ +provider "aws" { + region = local.region +} + +provider "kubernetes" { + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } +} + +provider "helm" { + kubernetes { + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } + } +} + +data "aws_availability_zones" "available" { + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } +} + +resource "random_id" "id" { + byte_length = 2 +} + +locals { + region = var.region + vpc_cidr = var.vpc_cidr + azs = slice(data.aws_availability_zones.available.names, 0, 3) + + build = random_id.id.hex + name = coalesce(var.name, local.build) + # var.cluster_name is for Terratest + cluster_name = coalesce(var.cluster_name, local.name) + + # Mapping + cluster_version = var.cluster_version + metrics_server = true + aws_load_balancer_controller = true + cert_manager = true + cloudwatch_metrics = true + vpa = true + kubecost = true + + tags = { + Owner = var.owner + Application = var.app + } +} + +#--------------------------------------------------------------- +# EKS Blueprints +#--------------------------------------------------------------- + +module "eks" { + source = "terraform-aws-modules/eks/aws" + version = "~> 19.13" + + cluster_name = local.cluster_name + cluster_version = local.cluster_version + cluster_endpoint_public_access = true + + vpc_id = module.vpc.vpc_id + subnet_ids = 
module.vpc.private_subnets + + cluster_addons = { + coredns = {} + kube-proxy = {} + vpc-cni = {} + } + + eks_managed_node_groups = { + (local.cluster_name) = { + node_group_name = "managed-ondemand" + instance_types = [var.instance] + min_size = 3 + max_size = 3 + desired_size = 3 + subnet_ids = module.vpc.private_subnets + } + } + + tags = local.tags +} + + +module "eks_blueprints_addons" { + source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.32.1" + + eks_cluster_id = module.eks.cluster_name + eks_cluster_endpoint = module.eks.cluster_endpoint + eks_cluster_version = module.eks.cluster_version + eks_oidc_provider = module.eks.oidc_provider + eks_oidc_provider_arn = module.eks.oidc_provider_arn + + # Add-ons + enable_amazon_eks_aws_ebs_csi_driver = true + amazon_eks_aws_ebs_csi_driver_config = { + most_recent = true + kubernetes_version = local.cluster_version + resolve_conflicts = "OVERWRITE" + } + enable_aws_load_balancer_controller = true + aws_load_balancer_controller_helm_config = { + service_account = "aws-lb-sa" + } + enable_cert_manager = true + enable_metrics_server = true + + tags = local.tags +} + +module "ebs_csi_driver_irsa" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.20" + + role_name_prefix = "${module.eks.cluster_name}-ebs-csi-driver-" + + attach_ebs_csi_policy = true + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"] + } + } + + tags = local.tags +} + +module "vpc_cni_irsa" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.20" + + role_name_prefix = "${module.eks.cluster_name}-vpc-cni-" + + attach_vpc_cni_policy = true + vpc_cni_enable_ipv4 = true + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:aws-node"] + } + } + + 
tags = local.tags +} + +#--------------------------------------------------------------- +# Supporting Resources +#--------------------------------------------------------------- + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "~> 5.0" + + name = local.name + cidr = local.vpc_cidr + + azs = local.azs + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 10)] + database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 20)] + + enable_nat_gateway = true + single_nat_gateway = true + enable_dns_hostnames = true + + # using the database subnet method since it allows a public route + create_database_subnet_group = true + create_database_subnet_route_table = true + create_database_internet_gateway_route = true + + # Manage so we can name + manage_default_network_acl = true + default_network_acl_tags = { Name = "${local.name}-default" } + manage_default_route_table = true + default_route_table_tags = { Name = "${local.name}-default" } + manage_default_security_group = true + default_security_group_tags = { Name = "${local.name}-default" } + + public_subnet_tags = { + "kubernetes.io/cluster/${local.cluster_name}" = "shared" + "kubernetes.io/role/elb" = 1 + } + + private_subnet_tags = { + "kubernetes.io/cluster/${local.cluster_name}" = "shared" + "kubernetes.io/role/internal-elb" = 1 + } + + tags = local.tags +} + +#--------------------------------------------------------------- +# F5/NGINX Resources +#--------------------------------------------------------------- + +module "jumphost" { + source = "../modules/jumphost" + + prefix = local.name + region = var.region + vpc_id = module.vpc.vpc_id + public_subnets = module.vpc.database_subnets + random = local.build + ec2_key = var.ec2_key +} + +module "big-ip" { + source = "../modules/bigip" + + projectPrefix = local.name + random = local.build + region = var.region + vpcId = 
module.vpc.vpc_id + mgmt_subnet_ids = module.vpc.database_subnets + f5_username = var.f5_username + f5_password = var.f5_password + ec2_key_name = var.ec2_key + eks_cluster_sg = module.eks.cluster_security_group_id + eks_node_sg = module.eks.node_security_group_id +} diff --git a/resources/terraform/f5xc-aws-polsup/min-iam-policy.json b/resources/terraform/f5xc-aws-polsup/min-iam-policy.json new file mode 100644 index 0000000..cf716ea --- /dev/null +++ b/resources/terraform/f5xc-aws-polsup/min-iam-policy.json 
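Review bot: `module.ebs_csi_driver_irsa` and `module.vpc_cni_irsa` create IRSA roles that nothing consumes — `cluster_addons.vpc-cni = {}` has no `service_account_role_arn`, so the CNI keeps running on the node role and the `aws-node` trust relationship is unused; wire it with `vpc-cni = { service_account_role_arn = module.vpc_cni_irsa.iam_role_arn }` and do the same for the EBS CSI add-on (the blueprints addons module presumably has an equivalent input — confirm). `cluster_endpoint_public_access = true` is set without `cluster_endpoint_public_access_cidrs`, which the eks module defaults to `0.0.0.0/0`; restrict it to the operator/CI ranges, `cluster_endpoint_public_access_cidrs = ["<your-cidr>/32"]`. The `locals` feature flags (`metrics_server`, `aws_load_balancer_controller`, `cert_manager`, `cloudwatch_metrics`, `vpa`, `kubecost`) are never referenced — `module.eks_blueprints_addons` uses literal `true`s — so either drive the `enable_*` inputs from them or drop them. The `database_subnets` used for the jumphost and BIG-IP management interfaces get an internet-gateway route per the inline comment; a README note on how management access is restricted would help, since `f5_password` is passed through as a plain variable.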
@@ -0,0 +1,105 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AllocateAddress",
+ "ec2:AssociateRouteTable",
+ "ec2:AttachInternetGateway",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateInternetGateway",
+ "ec2:CreateNatGateway",
+ "ec2:CreateNetworkAclEntry",
+ "ec2:CreateRoute",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateSubnet",
+ "ec2:CreateTags",
+ "ec2:CreateVpc",
+ "ec2:DeleteInternetGateway",
+ "ec2:DeleteNatGateway",
+ "ec2:DeleteNetworkAclEntry",
+ "ec2:DeleteRoute",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteSubnet",
+ "ec2:DeleteTags",
+ "ec2:DeleteVpc",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeNatGateways",
+ "ec2:DescribeNetworkAcls",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeTags",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeVpcClassicLink",
+ "ec2:DescribeVpcClassicLinkDnsSupport",
+ "ec2:DescribeVpcs",
+ "ec2:DetachInternetGateway",
+ "ec2:DisassociateRouteTable",
+ "ec2:ModifySubnetAttribute",
+ "ec2:ModifyVpcAttribute",
+ "ec2:ReleaseAddress",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "eks:CreateAddon",
+ "eks:CreateCluster",
+ "eks:CreateNodegroup",
+ "eks:DeleteAddon",
+ "eks:DeleteCluster",
+ "eks:DeleteNodegroup",
+ "eks:DescribeAddon",
+ "eks:DescribeAddonVersions",
+ "eks:DescribeCluster",
+ "eks:DescribeNodegroup",
+ "iam:AddRoleToInstanceProfile",
+ "iam:AttachRolePolicy",
+ "iam:CreateInstanceProfile",
+ "iam:CreateOpenIDConnectProvider",
+ "iam:CreatePolicy",
+ "iam:CreateRole",
+ "iam:CreateServiceLinkedRole",
+ "iam:DeleteInstanceProfile",
+ "iam:DeleteOpenIDConnectProvider",
+ "iam:DeletePolicy",
+ "iam:DeleteRole",
+ "iam:DetachRolePolicy",
+ "iam:GetInstanceProfile",
+ "iam:GetOpenIDConnectProvider",
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ "iam:GetRole",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListInstanceProfilesForRole",
+ "iam:ListPolicyVersions",
+ "iam:ListRolePolicies",
+ "iam:PassRole",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:TagInstanceProfile",
+ "kms:CreateAlias",
+ "kms:CreateKey",
+ "kms:DeleteAlias",
+ "kms:DescribeKey",
+ "kms:EnableKeyRotation",
+ "kms:GetKeyPolicy",
+ "kms:GetKeyRotationStatus",
+ "kms:ListAliases",
+ "kms:ListResourceTags",
+ "kms:PutKeyPolicy",
+ "kms:ScheduleKeyDeletion",
+ "kms:TagResource",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutObject"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/resources/terraform/f5xc-aws-polsup/variables.tf b/resources/terraform/f5xc-aws-polsup/variables.tf
index e69de29..7514748 100644
--- a/resources/terraform/f5xc-aws-polsup/variables.tf
+++ b/resources/terraform/f5xc-aws-polsup/variables.tf
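Review bot: With `"Resource": "*"`, the `iam:CreateRole`, `iam:CreatePolicy`, `iam:AttachRolePolicy` and `iam:PassRole` actions in this single statement let the deploying principal create a role with an arbitrary trust policy and attach any managed policy to it, so this "minimum" policy is effectively account administrator and the wildcard undoes the point of enumerating actions. Move the IAM actions into their own statements scoped to the role/policy name prefixes this module creates (the `role_name_prefix` values in main.tf start with the cluster name), and constrain `iam:PassRole` with an `iam:PassedToService` condition for `eks.amazonaws.com` and `ec2.amazonaws.com`; the `s3:*Object` actions can likewise be scoped to the state bucket, while the ec2/eks/kms actions can stay in the existing statement. The list also looks incomplete for the same commit's `jumphost` and `big-ip` modules (no `ec2:RunInstances` or launch-template actions) — presumably it was exercised with a broader role, so confirm against a dry run before documenting it as the minimum.
```json
{
  "Sid": "IamScopedToModuleRoles",
  "Effect": "Allow",
  "Action": [
    "iam:CreateRole",
    "iam:DeleteRole",
    "iam:GetRole",
    "iam:AttachRolePolicy",
    "iam:DetachRolePolicy",
    "iam:ListAttachedRolePolicies",
    "iam:ListRolePolicies",
    "iam:ListInstanceProfilesForRole",
    "iam:CreatePolicy",
    "iam:DeletePolicy",
    "iam:GetPolicy",
    "iam:GetPolicyVersion",
    "iam:ListPolicyVersions"
  ],
  "Resource": [
    "arn:aws:iam::<ACCOUNT_ID>:role/<CLUSTER_NAME_PREFIX>*",
    "arn:aws:iam::<ACCOUNT_ID>:policy/<CLUSTER_NAME_PREFIX>*"
  ]
},
{
  "Sid": "PassRoleOnlyToEksAndEc2",
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<CLUSTER_NAME_PREFIX>*",
  "Condition": {
    "StringEquals": {
      "iam:PassedToService": ["eks.amazonaws.com", "ec2.amazonaws.com"]
    }
  }
}
```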
@@ -0,0 +1,66 @@
+# tflint-ignore: terraform_unused_declarations
+variable "cluster_name" {
+ description = "Name of cluster - used by Terratest for e2e test automation"
+ type = string
+ default = "f5xc-icap"
+}
+
+variable "cluster_version" {
+ description = "The Version of Kubernetes to deploy"
+ type = string
+ default = "1.25"
+}
+
+variable "region" {
+ description = "Name of AWS deployment region"
+ type = string
+ default = "ap-southeast-2"
+}
+
+variable "vpc_cidr" {
+ description = "CIDR of deployment VPC"
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "name" {
+ description = "Name prefix of deployment"
+ type = string
+ default = "f5xc-icap"
+}
+
+variable "owner" {
+ description = "Deployment owner"
+ type = string
+ default = "f5-aatt"
+}
+
+variable "instance" {
+ description = "Deployment EC2 instance type"
+ type = string
+ default = "t3.xlarge"
+}
+
+variable "app" {
+ description = "Deployment Application"
+ type = string
+ default = "OTel AstroShop"
+}
+
+variable "ec2_key" {
+ description = "EC2 Deployment Keypair"
+ type = string
+ default = "mkennedy@f5"
+}
+
+variable "f5_username" {
+ description = "User name for the BIG-IP (Note: currently not used. Defaults to 'admin' based on AMI"
+ type = string
+ default = "admin"
+}
+
+variable "f5_password" {
+ description = "BIG-IP Password or Secret ARN (value should be ARN of secret when aws_secretmanager_auth = true, ex. arn:aws:secretsmanager:us-west-2:1234:secret:bigip-secret-abcd)"
+ type = string
+ default = "Default12345!"
+}
\ No newline at end of file
diff --git a/resources/terraform/f5xc-aws-polsup/versions.tf b/resources/terraform/f5xc-aws-polsup/versions.tf
index e69de29..df4e90b 100644
--- a/resources/terraform/f5xc-aws-polsup/versions.tf
+++ b/resources/terraform/f5xc-aws-polsup/versions.tf
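Review bot: `f5_password` ships with a working default (`"Default12345!"`) and is not marked `sensitive`, so the BIG-IP admin credential is both committed and echoed in plan output and state diffs; drop the default and add `sensitive = true`, so the value has to come from a tfvars file kept out of git or from `TF_VAR_f5_password`. `ec2_key` defaults to a personal key pair name, and `cluster_name`/`name` default to `f5xc-icap` although this module is `f5xc-aws-polsup` — presumably copied from the ICAP module; the defaults should reflect this module or the variables should be required. The `f5_username` description says it is currently unused, but main.tf in this commit passes it to `module.big-ip`, so one of the two should be updated.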
@@ -0,0 +1,30 @@
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.72"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.10"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.4.1"
+ }
+ volterra = {
+ source = "volterraedge/volterra"
+ # version = "0.7.1"
+ version = ">= 0.7"
+ }
+ }
+
+ # ## Used for end-to-end testing on project; update to suit your needs
+ # backend "s3" {
+ # bucket = "terraform-ssp-github-actions-state"
+ # region = "us-west-2"
+ # key = "e2e/eks-cluster-with-new-vpc/terraform.tfstate"
+ # }
+}
\ No newline at end of file
-- GitLab From 2dfca15a2c80da65580da0b35967ff90b8a6cb0b Mon Sep 17 00:00:00 2001 From: Michael Kennedy Date: Mon, 17 Jul 2023 15:07:03 +1000 Subject: [PATCH 04/14] additions of juice-shop manifests --- resources/terraform/polsup-eks-cis/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/terraform/polsup-eks-cis/README.md b/resources/terraform/polsup-eks-cis/README.md index c33de77..4b37458 100644 --- a/resources/terraform/polsup-eks-cis/README.md +++ b/resources/terraform/polsup-eks-cis/README.md @@ -1,7 +1,7 @@ [![license](https://img.shields.io/github/license/f5devcentral/adaptiveapps)](../../LICENSE) [![standard-readme compliant](https://img.shields.io/badge/readme%20style-standard-brightgreen.svg?style=flat-square)](https://github.com/RichardLitt/standard-readme) -# DevSecOps with PolicySupervisor +# PolicySupervisor with F5 BIG-IP AWAF & AWS EKS ## Table of Contents -- GitLab From 1e9514597924205cf04b2c8dfa65799bad52cece Mon Sep 17 00:00:00 2001
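Review bot: Every provider constraint in `required_providers` is open-ended (`>= 3.72`, `>= 2.10`, `>= 2.4.1`, `>= 0.7`), and the as-built steps later in this series run `terraform init --upgrade`, so a new major release of any provider is adopted silently and can change resource defaults or break the plan. A pessimistic constraint such as `version = "~> 3.72"` keeps patch and minor upgrades while pinning the major. The `main.tf` hunks added later in the series declare `resource "random_id" "id"`, which needs `hashicorp/random`; no `required_providers` entry in this series covers it, so Terraform falls back to an implicit, unconstrained lookup. When the commented-out S3 backend is enabled, state encryption and locking settings deserve a line too, since the state will hold the BIG-IP credential from variables.tf.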
From: Michael Kennedy Date: Mon, 17 Jul 2023 15:15:17 +1000 Subject: [PATCH 05/14] PolicySupervisor NGINX/NAP & AWS EKS --- resources/terraform/polsup-eks-nginx/README.md | 15 +++++++++++++++ resources/terraform/polsup-eks-nginx/main.tf | 0 resources/terraform/polsup-eks-nginx/outputs.tf | 0 resources/terraform/polsup-eks-nginx/variables.tf | 0 resources/terraform/polsup-eks-nginx/versions.tf | 0 5 files changed, 15 insertions(+) create mode 100644 resources/terraform/polsup-eks-nginx/README.md create mode 100644 resources/terraform/polsup-eks-nginx/main.tf create mode 100644 resources/terraform/polsup-eks-nginx/outputs.tf create mode 100644 resources/terraform/polsup-eks-nginx/variables.tf create mode 100644 resources/terraform/polsup-eks-nginx/versions.tf diff --git a/resources/terraform/polsup-eks-nginx/README.md b/resources/terraform/polsup-eks-nginx/README.md new file mode 100644 index 0000000..c33de77 --- /dev/null +++ b/resources/terraform/polsup-eks-nginx/README.md @@ -0,0 +1,15 @@ +[![license](https://img.shields.io/github/license/f5devcentral/adaptiveapps)](../../LICENSE) +[![standard-readme compliant](https://img.shields.io/badge/readme%20style-standard-brightgreen.svg?style=flat-square)](https://github.com/RichardLitt/standard-readme) + +# DevSecOps with PolicySupervisor + +## Table of Contents + +
+Click to expand. + +
+ +## TODO + +- [ ] `README.md` diff --git a/resources/terraform/polsup-eks-nginx/main.tf b/resources/terraform/polsup-eks-nginx/main.tf new file mode 100644 index 0000000..e69de29 diff --git a/resources/terraform/polsup-eks-nginx/outputs.tf b/resources/terraform/polsup-eks-nginx/outputs.tf new file mode 100644 index 0000000..e69de29 diff --git a/resources/terraform/polsup-eks-nginx/variables.tf b/resources/terraform/polsup-eks-nginx/variables.tf new file mode 100644 index 0000000..e69de29 diff --git a/resources/terraform/polsup-eks-nginx/versions.tf b/resources/terraform/polsup-eks-nginx/versions.tf new file mode 100644 index 0000000..e69de29 -- GitLab From 38891ec0f1e4e1f31d38922583f9d6a6056abb4e Mon Sep 17 00:00:00 2001 From: Michael Kennedy Date: Mon, 17 Jul 2023 15:16:52 +1000 Subject: [PATCH 06/14] additions of juice-shop manifests --- resources/terraform/polsup-eks-cis/README.md | 80 +++++++++++++++++++ .../terraform/polsup-eks-cis/as_built.md | 61 ++++++++++++++ 2 files changed, 141 insertions(+) create mode 100644 resources/terraform/polsup-eks-cis/as_built.md diff --git a/resources/terraform/polsup-eks-cis/README.md b/resources/terraform/polsup-eks-cis/README.md index 4b37458..a6253d2 100644 --- a/resources/terraform/polsup-eks-cis/README.md +++ b/resources/terraform/polsup-eks-cis/README.md @@ -1,15 +1,95 @@ [![license](https://img.shields.io/github/license/f5devcentral/adaptiveapps)](../../LICENSE) [![standard-readme compliant](https://img.shields.io/badge/readme%20style-standard-brightgreen.svg?style=flat-square)](https://github.com/RichardLitt/standard-readme) + # PolicySupervisor with F5 BIG-IP AWAF & AWS EKS + +___ ## Table of Contents
Click to expand. +- [Background](#background) +- [Value](#value) +- [Prerequisites](#prerequisites) +- [Installation](#installation) +- [Configuration](#configuration) +- [Decommission](#decommission) +- [TODO](#todo) +- [Contributing](#contributing) +- [License](#license) +- [Credits](#credits) +
+___ +## Background + + +___ +## Value + + +___ +## Prerequisites + + +___ +## Installation + + +___ +## Configuration + + +___ +## Decommission + + +___ ## TODO - [ ] `README.md` + + +___ +## Support + +The contents of this repository are meant to serve as examples and are not covered by F5 support. +If you come across a bug or other issue when using these recipes, please open a GitHub issue to help our team keep track +of content that needs improvement. +Note, the code in this repository is community supported and is not supported by F5 Inc. For a complete list of +supported projects please reference [SUPPORT.md](../../SUPPORT.md). + + +___ +## Community Code of Conduct + +Please refer to the [F5 DevCentral Community Code of Conduct](../../code_of_conduct.md). + + +___ +## License + +The contents of this repository are made available under two license. +All documentation, specifically any Markdown files, is licensed under +[CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode). +Everything else is licensed under [Apache 2.0](../../LICENSE). + + +___ +## Copyright + +Copyright 2014-2022 F5 Networks Inc. + + +___ +## Contributing + +See [the contributing file](../../CONTRIBUTING.md)! + + +___ +## Credits \ No newline at end of file diff --git a/resources/terraform/polsup-eks-cis/as_built.md b/resources/terraform/polsup-eks-cis/as_built.md new file mode 100644 index 0000000..e6bab7f --- /dev/null +++ b/resources/terraform/polsup-eks-cis/as_built.md 
@@ -0,0 +1,61 @@ +# AsBuilt Raw PolicySupervisor with cBIP/CIS/EKS + +## WorkFlow + +This is a quick how to for readme; + +### Deploy AWS EKS and BIG-IP EC2 Infrastructure + +1. Set `AWS_REGION` & `AWS_TOKEN` + +2. After GitClone/Get, update `TFVARS`, then +```shell +terraform init --upgrade +``` + +3. Validate; +```shell +terraform validate +``` + +4. Build; +```shell +terraform apply -auto-approve +``` + +5. Update `~/.kube/config`; +```shell +aws eks --region update-kubeconfig --name +``` + +6. Connect/Update BIG-IP admin password; +```shell +ssh -i ~/.ssh/id_rsa admin@ +tmsh modify auth password admin +``` + +7. Connect/Create CIS BIG-IP Partition; +```shell +tmsh create auth partition cispartition +tmsh save sys config +exit +``` + +8. Add CIS/k8s secret creds; +```shell +kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password= +``` + +9. Deploy RBAC for CIS/k8s with ServiceAccount; +```shell +kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/rbac/clusterrole.yaml +``` + + +### `bigip-ctl-cis` Deployment Preparation + +10. Update `src/k8s-manifests/cis/as3.yaml` to reflect the *selfIP* of the BIG-IP Virtual Server; + * Replace `"virtualAddresses": ["{$selfIP}"],` with the VS IP. For single NIC, this is the self IP address. + +11. Update `src/k8s-manifests/cis/cis-deployment.yaml` to reflect the Public ManagementIP of the BIG-IP; + * Replace `"--bigip-url=https://{$mgmtPublicIP}:8443"` with the ManagementIP. For single NIC, this is the self IP address. \ No newline at end of file -- GitLab From 7e6a3d190981e09230480459dec9219432076cf2 Mon Sep 17 00:00:00 2001 
From: Michael Kennedy Date: Mon, 17 Jul 2023 15:22:16 +1000 Subject: [PATCH 07/14] base commit for NAP & AWS EKS --- .../terraform/polsup-eks-nginx/README.md | 81 ++++++- .../terraform/polsup-eks-nginx/as_built.md | 29 +++ resources/terraform/polsup-eks-nginx/main.tf | 226 ++++++++++++++++++ .../polsup-eks-nginx/min-iam-policy.json | 105 ++++++++ .../terraform/polsup-eks-nginx/outputs.tf | 65 +++++ .../terraform/polsup-eks-nginx/variables.tf | 54 +++++ .../terraform/polsup-eks-nginx/versions.tf | 25 ++ 7 files changed, 584 insertions(+), 1 deletion(-) create mode 100644 resources/terraform/polsup-eks-nginx/as_built.md create mode 100644 resources/terraform/polsup-eks-nginx/min-iam-policy.json diff --git a/resources/terraform/polsup-eks-nginx/README.md b/resources/terraform/polsup-eks-nginx/README.md index c33de77..df9d97a 100644 --- a/resources/terraform/polsup-eks-nginx/README.md +++ b/resources/terraform/polsup-eks-nginx/README.md @@ -1,15 +1,94 @@ [![license](https://img.shields.io/github/license/f5devcentral/adaptiveapps)](../../LICENSE) [![standard-readme compliant](https://img.shields.io/badge/readme%20style-standard-brightgreen.svg?style=flat-square)](https://github.com/RichardLitt/standard-readme) -# DevSecOps with PolicySupervisor +# PolicySupervisor with NGINX NAP & AWS EKS + +___ ## Table of Contents
Click to expand. +- [Background](#background) +- [Value](#value) +- [Prerequisites](#prerequisites) +- [Installation](#installation) +- [Configuration](#configuration) +- [Decommission](#decommission) +- [TODO](#todo) +- [Contributing](#contributing) +- [License](#license) +- [Credits](#credits) +
+___ +## Background + + +___ +## Value + + +___ +## Prerequisites + + +___ +## Installation + + +___ +## Configuration + + +___ +## Decommission + + +___ ## TODO - [ ] `README.md` + + +___ +## Support + +The contents of this repository are meant to serve as examples and are not covered by F5 support. +If you come across a bug or other issue when using these recipes, please open a GitHub issue to help our team keep track +of content that needs improvement. +Note, the code in this repository is community supported and is not supported by F5 Inc. For a complete list of +supported projects please reference [SUPPORT.md](../../SUPPORT.md). + + +___ +## Community Code of Conduct + +Please refer to the [F5 DevCentral Community Code of Conduct](../../code_of_conduct.md). + + +___ +## License + +The contents of this repository are made available under two license. +All documentation, specifically any Markdown files, is licensed under +[CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode). +Everything else is licensed under [Apache 2.0](../../LICENSE). + + +___ +## Copyright + +Copyright 2014-2022 F5 Networks Inc. + + +___ +## Contributing + +See [the contributing file](../../CONTRIBUTING.md)! + + +___ +## Credits \ No newline at end of file diff --git a/resources/terraform/polsup-eks-nginx/as_built.md b/resources/terraform/polsup-eks-nginx/as_built.md new file mode 100644 index 0000000..1077bfa --- /dev/null +++ b/resources/terraform/polsup-eks-nginx/as_built.md 
@@ -0,0 +1,29 @@ +# AsBuilt Raw PolicySupervisor with cBIP/CIS/EKS + +## WorkFlow + +This is a quick how to for readme; + +### Deploy AWS EKS and NGINX NAP Infrastructure + +1. Set `AWS_REGION` & `AWS_TOKEN` + +2. After GitClone/Get, update `TFVARS`, then +```shell +terraform init --upgrade +``` + +3. Validate; +```shell +terraform validate +``` + +4. Build; +```shell +terraform apply -auto-approve +``` + +5. Update `~/.kube/config`; +```shell +aws eks --region update-kubeconfig --name +``` \ No newline at end of file diff --git a/resources/terraform/polsup-eks-nginx/main.tf b/resources/terraform/polsup-eks-nginx/main.tf index e69de29..7eb4865 100644 --- a/resources/terraform/polsup-eks-nginx/main.tf +++ b/resources/terraform/polsup-eks-nginx/main.tf 
@@ -0,0 +1,226 @@
+provider "aws" {
+ region = local.region
+}
+
+provider "kubernetes" {
+ host = module.eks.cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+
+ exec {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "aws"
+ # This requires the awscli to be installed locally where Terraform is executed
+ args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
+ }
+}
+
+provider "helm" {
+ kubernetes {
+ host = module.eks.cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+
+ exec {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "aws"
+ # This requires the awscli to be installed locally where Terraform is executed
+ args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
+ }
+ }
+}
+
+data "aws_availability_zones" "available" {
+ filter {
+ name = "opt-in-status"
+ values = ["opt-in-not-required"]
+ }
+}
+
+resource "random_id" "id" {
+ byte_length = 2
+}
+
+locals {
+ region = var.region
+ vpc_cidr = var.vpc_cidr
+ azs = slice(data.aws_availability_zones.available.names, 0, 3)
+
+ build = random_id.id.hex
+ name = coalesce(var.name, local.build)
+ # var.cluster_name is for Terratest
+ cluster_name = coalesce(var.cluster_name, local.name)
+
+ # Mapping
+ cluster_version = var.cluster_version
+ metrics_server = true
+ aws_load_balancer_controller = true
+ cert_manager = true
+ cloudwatch_metrics = true
+ vpa = true
+ kubecost = true
+
+ tags = {
+ Owner = var.owner
+ Application = var.app
+ }
+}
+
+
+#---------------------------------------------------------------
+# EKS Blueprints
+#---------------------------------------------------------------
+
+module "eks" {
+ source = "terraform-aws-modules/eks/aws"
+ version = "~> 19.13"
+
+ cluster_name = local.cluster_name
+ cluster_version = local.cluster_version
+ cluster_endpoint_public_access = true
+
+ vpc_id = module.vpc.vpc_id
+ subnet_ids = module.vpc.private_subnets
+
+ cluster_addons = {
+ coredns = {}
+ kube-proxy = {}
+ vpc-cni = {}
+ }
+
+ eks_managed_node_groups = {
+ (local.cluster_name) = {
+ node_group_name = "managed-ondemand"
+ instance_types = [var.instance]
+ min_size = 3
+ max_size = 3
+ desired_size = 3
+ subnet_ids = module.vpc.private_subnets
+ }
+ }
+
+ tags = local.tags
+}
+
+
+module "eks_blueprints_addons" {
+ source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.32.1"
+
+ eks_cluster_id = module.eks.cluster_name
+ eks_cluster_endpoint = module.eks.cluster_endpoint
+ eks_cluster_version = module.eks.cluster_version
+ eks_oidc_provider = module.eks.oidc_provider
+ eks_oidc_provider_arn = module.eks.oidc_provider_arn
+
+ # Add-ons
+ enable_amazon_eks_aws_ebs_csi_driver = true
+ amazon_eks_aws_ebs_csi_driver_config = {
+ most_recent = true
+ kubernetes_version = local.cluster_version
+ resolve_conflicts = "OVERWRITE"
+ }
+ enable_aws_load_balancer_controller = true
+ aws_load_balancer_controller_helm_config = {
+ service_account = "aws-lb-sa"
+ }
+ enable_cert_manager = true
+ enable_metrics_server = true
+
+ tags = local.tags
+}
+
+module "ebs_csi_driver_irsa" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+ version = "~> 5.20"
+
+ role_name_prefix = "${module.eks.cluster_name}-ebs-csi-driver-"
+
+ attach_ebs_csi_policy = true
+
+ oidc_providers = {
+ main = {
+ provider_arn = module.eks.oidc_provider_arn
+ namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
+ }
+ }
+
+ tags = local.tags
+}
+
+module "vpc_cni_irsa" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+ version = "~> 5.20"
+
+ role_name_prefix = "${module.eks.cluster_name}-vpc-cni-"
+
+ attach_vpc_cni_policy = true
+ vpc_cni_enable_ipv4 = true
+
+ oidc_providers = {
+ main = {
+ provider_arn = module.eks.oidc_provider_arn
+ namespace_service_accounts = ["kube-system:aws-node"]
+ }
+ }
+
+ tags = local.tags
+}
+
+#---------------------------------------------------------------
+# Supporting Resources
+#---------------------------------------------------------------
+
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "~> 5.0"
+
+ name = local.name
+ cidr = local.vpc_cidr
+
+ azs = local.azs
+ public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+ private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 10)]
+ database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 20)]
+
+ enable_nat_gateway = true
+ single_nat_gateway = true
+ enable_dns_hostnames = true
+
+ # using the database subnet method since it allows a public route
+ create_database_subnet_group = true
+ create_database_subnet_route_table = true
+ create_database_internet_gateway_route = true
+
+ # Manage so we can name
+ manage_default_network_acl = true
+ default_network_acl_tags = { Name = "${local.name}-default" }
+ manage_default_route_table = true
+ default_route_table_tags = { Name = "${local.name}-default" }
+ manage_default_security_group = true
+ default_security_group_tags = { Name = "${local.name}-default" }
+
+ public_subnet_tags = {
+ "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+ "kubernetes.io/role/elb" = 1
+ }
+
+ private_subnet_tags = {
+ "kubernetes.io/cluster/${local.cluster_name}" = "shared"
+ "kubernetes.io/role/internal-elb" = 1
+ }
+
+ tags = local.tags
+}
+
+#---------------------------------------------------------------
+# F5/NGINX Resources
+#---------------------------------------------------------------
+
+module "jumphost" {
+ source = "../modules/jumphost"
+
+ prefix = local.name
+ region = var.region
+ vpc_id = module.vpc.vpc_id
+ public_subnets = module.vpc.database_subnets
+ random = local.build
+ ec2_key = var.ec2_key
+}
\ No newline at end of file
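Review bot: `cluster_endpoint_public_access = true` in `module "eks"` is set without `cluster_endpoint_public_access_cidrs`, so the Kubernetes API endpoint is reachable from any address (the module's default allow-list is `0.0.0.0/0`); add `cluster_endpoint_public_access_cidrs = ["<operator-cidr>"]` or enable private access and reach the API through the jumphost this file creates. The two IRSA roles (`ebs_csi_driver_irsa`, `vpc_cni_irsa`) are created but never referenced, so the VPC CNI and EBS CSI add-ons keep running with the node role's permissions; wire them in with `vpc-cni = { service_account_role_arn = module.vpc_cni_irsa.iam_role_arn }` in `cluster_addons`, and pass the EBS role to the blueprints add-on config (confirm the input name against the pinned `v4.32.1` module). `module "jumphost"` receives `module.vpc.database_subnets` as `public_subnets` while `create_database_internet_gateway_route = true` makes those subnets internet-routed; a comment stating that the "database" subnets are deliberately the public management tier would spare the next reader the surprise. The same two issues appear in `polsup-eks-cis/main.tf` added later in the series, whose hunk is identical in this region.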
diff --git a/resources/terraform/polsup-eks-nginx/min-iam-policy.json b/resources/terraform/polsup-eks-nginx/min-iam-policy.json new file mode 100644 index 0000000..cf716ea --- /dev/null +++ b/resources/terraform/polsup-eks-nginx/min-iam-policy.json 
@@ -0,0 +1,105 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AllocateAddress",
+ "ec2:AssociateRouteTable",
+ "ec2:AttachInternetGateway",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateInternetGateway",
+ "ec2:CreateNatGateway",
+ "ec2:CreateNetworkAclEntry",
+ "ec2:CreateRoute",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateSubnet",
+ "ec2:CreateTags",
+ "ec2:CreateVpc",
+ "ec2:DeleteInternetGateway",
+ "ec2:DeleteNatGateway",
+ "ec2:DeleteNetworkAclEntry",
+ "ec2:DeleteRoute",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteSubnet",
+ "ec2:DeleteTags",
+ "ec2:DeleteVpc",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeNatGateways",
+ "ec2:DescribeNetworkAcls",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeTags",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeVpcClassicLink",
+ "ec2:DescribeVpcClassicLinkDnsSupport",
+ "ec2:DescribeVpcs",
+ "ec2:DetachInternetGateway",
+ "ec2:DisassociateRouteTable",
+ "ec2:ModifySubnetAttribute",
+ "ec2:ModifyVpcAttribute",
+ "ec2:ReleaseAddress",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "eks:CreateAddon",
+ "eks:CreateCluster",
+ "eks:CreateNodegroup",
+ "eks:DeleteAddon",
+ "eks:DeleteCluster",
+ "eks:DeleteNodegroup",
+ "eks:DescribeAddon",
+ "eks:DescribeAddonVersions",
+ "eks:DescribeCluster",
+ "eks:DescribeNodegroup",
+ "iam:AddRoleToInstanceProfile",
+ "iam:AttachRolePolicy",
+ "iam:CreateInstanceProfile",
+ "iam:CreateOpenIDConnectProvider",
+ "iam:CreatePolicy",
+ "iam:CreateRole",
+ "iam:CreateServiceLinkedRole",
+ "iam:DeleteInstanceProfile",
+ "iam:DeleteOpenIDConnectProvider",
+ "iam:DeletePolicy",
+ "iam:DeleteRole",
+ "iam:DetachRolePolicy",
+ "iam:GetInstanceProfile",
+ "iam:GetOpenIDConnectProvider",
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ "iam:GetRole",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListInstanceProfilesForRole",
+ "iam:ListPolicyVersions",
+ "iam:ListRolePolicies",
+ "iam:PassRole",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:TagInstanceProfile",
+ "kms:CreateAlias",
+ "kms:CreateKey",
+ "kms:DeleteAlias",
+ "kms:DescribeKey",
+ "kms:EnableKeyRotation",
+ "kms:GetKeyPolicy",
+ "kms:GetKeyRotationStatus",
+ "kms:ListAliases",
+ "kms:ListResourceTags",
+ "kms:PutKeyPolicy",
+ "kms:ScheduleKeyDeletion",
+ "kms:TagResource",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutObject"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/resources/terraform/polsup-eks-nginx/outputs.tf b/resources/terraform/polsup-eks-nginx/outputs.tf
index e69de29..40ca997 100644
--- a/resources/terraform/polsup-eks-nginx/outputs.tf
+++ b/resources/terraform/polsup-eks-nginx/outputs.tf
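Review bot: The single statement grants `iam:PassRole`, `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:CreatePolicy` and `kms:PutKeyPolicy` on `"Resource": "*"`, which lets whoever holds this "minimal" policy attach any managed policy to a new role and pass it to EC2 or EKS, an escalation path well beyond what the stack needs. Split the IAM and KMS actions into their own statements scoped to this stack's naming, e.g. `"Resource": "arn:aws:iam::<account-id>:role/polsup-nap-*"` (the `polsup-nap` prefix comes from the `cluster_name` default in variables.tf; confirm the generated role names after a plan), and keep `*` only for the `Describe`/`List` calls that have no resource-level permissions. Separately, the policy appears short of what the pinned `terraform-aws-modules/eks` version creates by default, a CloudWatch log group for control-plane logs and a node-group launch template, since no `logs:*`, `ec2:*LaunchTemplate*`, `iam:TagRole` or `iam:TagPolicy` actions are listed; worth verifying with a first apply under this policy alone. A file with the same line count is added for `polsup-eks-cis` in a later patch and presumably needs the same treatment.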
@@ -0,0 +1,65 @@
+output "vpc_private_subnet_cidr" {
+ description = "VPC private subnet CIDR"
+ value = module.vpc.private_subnets_cidr_blocks
+}
+
+output "vpc_public_subnet_cidr" {
+ description = "VPC public subnet CIDR"
+ value = module.vpc.public_subnets_cidr_blocks
+}
+
+output "vpc_management_subnet_cidr" {
+ description = "VPC Management subnet CIDR"
+ value = module.vpc.database_subnets_cidr_blocks
+}
+
+output "vpc_cidr" {
+ description = "VPC CIDR"
+ value = module.vpc.vpc_cidr_block
+}
+/*
+output "eks_cluster_name" {
+ description = "EKS cluster ID"
+ value = module.eks_blueprints_addons.eks_cluster_name
+}
+
+output "eks_managed_nodegroups" {
+ description = "EKS managed node groups"
+ value = module.eks_blueprints.managed_node_groups
+}
+
+output "eks_managed_nodegroup_ids" {
+ description = "EKS managed node group ids"
+ value = module.eks_blueprints.managed_node_groups_id
+}
+
+output "eks_managed_nodegroup_arns" {
+ description = "EKS managed node group arns"
+ value = module.eks_blueprints.managed_node_group_arn
+}
+
+output "eks_managed_nodegroup_role_name" {
+ description = "EKS managed node group role name"
+ value = module.eks_blueprints.managed_node_group_iam_role_names
+}
+
+output "eks_managed_nodegroup_status" {
+ description = "EKS managed node group status"
+ value = module.eks_blueprints.managed_node_groups_status
+}
+
+output "configure_kubectl" {
+ description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+ value = module.eks_blueprints.configure_kubectl
+}
+*/
+# Region used for Terratest
+output "region" {
+ description = "AWS region"
+ value = local.region
+}
+
+output "jumpbox_public_dns" {
+ description = "Public DNS address of Jumpbox"
+ value = module.jumphost.public_dns
+}
diff --git a/resources/terraform/polsup-eks-nginx/variables.tf b/resources/terraform/polsup-eks-nginx/variables.tf
index e69de29..10af7f0 100644
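Review bot: The `/* ... */` block references `module.eks_blueprints` and `module.eks_blueprints_addons.eks_cluster_name`, neither of which exists in the companion main.tf (the cluster module is `module "eks"`), so uncommenting it as-is would fail validation; either delete the dead block or rewrite it against the real module, e.g. `value = module.eks.cluster_name`. `vpc_management_subnet_cidr` returns the VPC module's `database_subnets_cidr_blocks`, and the name does not make that obvious; `description = "VPC management subnet CIDRs (the VPC module's database subnets, which main.tf routes to the internet for the jumphost)"` would document the mapping where readers look for it.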
--- a/resources/terraform/polsup-eks-nginx/variables.tf
+++ b/resources/terraform/polsup-eks-nginx/variables.tf
@@ -0,0 +1,54 @@
+# tflint-ignore: terraform_unused_declarations
+variable "cluster_name" {
+ description = "Name of cluster - used by Terratest for e2e test automation"
+ type = string
+ default = "polsup-nap"
+}
+
+variable "cluster_version" {
+ description = "The Version of Kubernetes to deploy"
+ type = string
+ default = "1.25"
+}
+
+variable "region" {
+ description = "Name of AWS deployment region"
+ type = string
+ default = "ap-southeast-2"
+}
+
+variable "vpc_cidr" {
+ description = "CIDR of deployment VPC"
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "name" {
+ description = "Name prefix of deployment"
+ type = string
+ default = "polsup-nap"
+}
+
+variable "owner" {
+ description = "Deployment owner"
+ type = string
+ default = "f5-aatt"
+}
+
+variable "instance" {
+ description = "Deployment EC2 instance type"
+ type = string
+ default = "t3.xlarge"
+}
+
+variable "app" {
+ description = "Deployment Application"
+ type = string
+ default = "OTel AstroShop"
+}
+
+variable "ec2_key" {
+ description = "EC2 Deployment Keypair"
+ type = string
+ default = "mjk-aatt-fy23q2"
+}
diff --git a/resources/terraform/polsup-eks-nginx/versions.tf b/resources/terraform/polsup-eks-nginx/versions.tf
index e69de29..a967321 100644
--- a/resources/terraform/polsup-eks-nginx/versions.tf
+++ b/resources/terraform/polsup-eks-nginx/versions.tf
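Review bot: `ec2_key` defaults to `"mjk-aatt-fy23q2"`, an individual's key-pair name; in any other account the apply fails late with a missing key pair instead of prompting at plan time, so omit the `default` on that variable. `vpc_cidr` is a free-form string that the VPC module immediately feeds to `cidrsubnet`; a `validation` block with `condition = can(cidrhost(var.vpc_cidr, 0))` rejects malformed input with a readable message instead of a function error. `cluster_name` and `name` both default to `"polsup-nap"`, so the `coalesce(..., local.build)` fallbacks in main.tf never engage; if the random suffix is meant to keep parallel stacks from colliding, those defaults should be `null` (Terraform's `coalesce` skips null and empty strings).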
@@ -0,0 +1,25 @@
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.72"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.10"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.4.1"
+ }
+ }
+
+ # ## Used for end-to-end testing on project; update to suit your needs
+ # backend "s3" {
+ # bucket = "terraform-ssp-github-actions-state"
+ # region = "us-west-2"
+ # key = "e2e/eks-cluster-with-new-vpc/terraform.tfstate"
+ # }
+}
-- GitLab From b3128c890e1f4ba24bc6b713d2c2ada3f4bc30ac Mon Sep 17 00:00:00 2001 From: Michael Kennedy Date: Mon, 17 Jul 2023 15:27:40 +1000 Subject: [PATCH 08/14] housekeeping on README.md --- resources/README.md | 3 ++- resources/terraform/README.md | 5 ++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/resources/README.md b/resources/README.md index 8e022ae..0acd568 100644 --- a/resources/README.md +++ b/resources/README.md @@ -23,7 +23,8 @@ * [`cis`](./k8s-manifests/cis/) are the required kubectl manifests files for BIG-IP CIS installation * [`ingresslink`](./k8s-manifests/ingresslink/) are the required kubectl manifest files for CIS/IngressLink installation * [`datadog`](./k8s-manifests/datadog/) are the datadog agent manifest files. -* [`f5xc-icap`](./k8s-manifests/f5xc-icap/) is a F5XC ICAP deployment based upon clamAV from [UKHomeOffice](https://github.com/UKHomeOffice/clamav-http) +* [`f5xc-icap`](./k8s-manifests/f5xc-icap/) is a F5XC ICAP deployment based upon clamAV +* [`juice-shop`](./k8s-manifests/juice-shop) are service and deployment manifests for OWASP JuiceShop [`docker-builds`](./docker) contains the various `dockerbuild` files for demostacks diff --git a/resources/terraform/README.md b/resources/terraform/README.md index 6b1c028..fa57a0b 100644 --- a/resources/terraform/README.md +++ b/resources/terraform/README.md 
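Review bot: `required_providers` omits `random`, yet the companion main.tf in this patch declares `resource "random_id" "id"`; Terraform resolves it through an implicit `hashicorp/random` lookup with no version constraint, so only the lockfile (if one is committed) pins it. Add `random = { source = "hashicorp/random", version = "~> 3.0" }` alongside the other entries. The remaining constraints are all `>=`, and the as-built steps run `terraform init --upgrade`, so a future provider major is pulled in silently; `~>` keeps the major fixed while still tracking patch releases.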
@@ -8,4 +8,7 @@ Located in this path are the terraform modules used for AATT Resources; * [`f5-shop-demo`](./f5xc-shop-demo/) is the Online vK8s shop demo * [`modules`](./modules/) are a WIP for supporting modules to simplify stacks * [`aws-microservices`](./aws-microservices/) is a WIP for turnkey ModernApplication (microservices) workloads - * [`f5xc-icap`](./f5xc-icap/) is a vk8s clamAV http/api deployment \ No newline at end of file + * [`f5xc-icap`](./f5xc-icap/) is a vk8s clamAV http/api deployment for F5XC Regional Edges (RE) + * [`f5xc-aws-icap`](./f5xc-aws-icap/) is a vk8s clamAV http/api deployment for F5XC Customer Edges (CE) in AWS + * [`polsup-eks-cis`](./polsup-eks-cis/) is a JuiceShop deployment using AWS EKS and BIG-IP AWAF & CIS for PolicySupervisor + * [`polsup-eks-nap`](./polsup-eks-nap/) is a JuiceShop deployment using AWS EKS and NGINX KIC & NAP for PolicySupervisor \ No newline at end of file -- GitLab From 50f6a6ae12afc677073bb2c38389634954f2c4e7 Mon Sep 17 00:00:00 2001 From: Michael Kennedy Date: Mon, 17 Jul 2023 15:28:53 +1000 Subject: [PATCH 09/14] housekeeping on README.md --- resources/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/resources/README.md b/resources/README.md index 0acd568..4fc2b11 100644 --- a/resources/README.md +++ b/resources/README.md 
@@ -11,6 +11,9 @@ * [`modules`](./terraform/modules/) are a WIP for supporting modules to simplify stacks * [`aws-microservices`](./terraform/aws-microservices/) is a WIP for turnkey ModernApplication (microservices) workloads * [`f5xc-icap`](./terraform/f5xc-icap/) is a vk8s clamAV http/api deployment + * [`f5xc-aws-icap`](./terraform/f5xc-aws-icap/) is a vk8s clamAV http/api deployment for F5XC Customer Edges (CE) in AWS + * [`polsup-eks-cis`](./terraform/polsup-eks-cis/) is a JuiceShop deployment using AWS EKS and BIG-IP AWAF & CIS for PolicySupervisor + * [`polsup-eks-nap`](./terraform/polsup-eks-nap/) is a JuiceShop deployment using AWS EKS and NGINX KIC & NAP for PolicySupervisor [`helm-values`](./helm-values/) is the required helm values for the OTel/NGINX IngressController Astro demostack -- GitLab From f080c9bde0a2b37949cdf7454d60b684d047b32f Mon Sep 17 00:00:00 2001 From: Michael Kennedy Date: Mon, 17 Jul 2023 15:38:57 +1000 Subject: [PATCH 10/14] housekeeping on README.md --- README.md | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index a707d91..11e33fd 100644 --- a/README.md +++ b/README.md 
@@ -29,14 +29,18 @@ Find out more about adaptive applications on [F5's Website](https://www.f5.com/c ## Resource Inventory -| Resource | Description | Used By | -|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------| -| [F5 NGINX Management Suite](resources/f5-nginx-management-suite) | Terraform and Ansible artifacts to deploy F5 NGINX Management Suite to virtual machines | [Deploy API to NGINX Management Suite](solutions/deploy-api-to-f5-nginx-management-suite) | -| [F5 DistributedCloud & AWS EKS](resources/f5xc-vk8s-mk8s-nlb/) | Deployment instructions and artifacts to demonstrate Kubernetes multi-cluster resiliency | [Multi-Cluster Application Resilience](solutions/k8s-mutlicluster-resilency/) | -| [F5 NGINX & AWS EKS](resources/terraform/aws-eks-nginx-kic/) | Deployment instructions and artifacts to demonstrate OpenTelemetry using NGINX & EKS | TBA | -| [F5 BIG-IP CIS & AWS EKS](resources/terraform/aws-eks-cbip-cis/) | Deployment instructions and artifacts to demonstrate OpenTelemetry using F5 BIG-IP CIS & EKS | TBA | -| [F5 IngressLink & AWS EKS](resources/terraform/aws-eks-cbip-ingresslink/) | Deployment instructions and artifacts to demonstrate OpenTelemetry using F5 BIG-IP/NGINX IngressLink & EKS | TBA | -| [F5 DistributedCloud](resources/terraform/f5xc-icap/) | Deployment instructions and artifacts to demonstrate clamAV ICAP vk8s deployment to F5XC | TBA | +| Resource | Description | Used By | +|---------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------| +| [F5 NGINX Management Suite](resources/f5-nginx-management-suite) | 
Terraform & Ansible artifacts to deploy F5 NGINX Management Suite to virtual machines | [Deploy API to NGINX Management Suite](solutions/deploy-api-to-f5-nginx-management-suite) | +| [F5 DistributedCloud & AWS EKS](resources/f5xc-vk8s-mk8s-nlb/) | Deployment instructions & artifacts to deploy Kubernetes multi-cluster resiliency | [Multi-Cluster Application Resilience](solutions/k8s-mutlicluster-resilency/) | +| [F5 NGINX & AWS EKS](resources/terraform/aws-eks-nginx-kic/) | Deployment instructions & artifacts to deploy OpenTelemetry using NGINX & EKS | TBA | +| [F5 BIG-IP CIS & AWS EKS](resources/terraform/aws-eks-cbip-cis/) | Deployment instructions & artifacts to deploy OpenTelemetry using F5 BIG-IP CIS & EKS | TBA | +| [F5 IngressLink & AWS EKS](resources/terraform/aws-eks-cbip-ingresslink/) | Deployment instructions & artifacts to deploy OpenTelemetry using F5 BIG-IP/NGINX IngressLink & EKS | TBA | +| [F5 DistributedCloud RE's](resources/terraform/f5xc-icap/) | Deployment instructions & artifacts to deploy clamAV ICAP vk8s deployment to F5XC for RE's | TBA | +| [F5 DistributedCloud CE's](resources/terraform/f5xc-aws-icap/) | Deployment instructions & artifacts to deploy clamAV ICAP vk8s deployment to F5XC for CE's | TBA | +| [F5 PolicySupervisor (AWAF)](resources/terraform/polsup-eks-cis/) | Deployment instructions & artifacts to deploy PolicySupervisor with JuiceShop using AWS EKS & BIG-IP AWAF | TBA | +| [F5 PolicySupervisor (NAP)](resources/terraform/polsup-eks-nap/) | Deployment instructions & artifacts to deploy PolicySupervisor with JuiceShop using AWS EKS & NGINX NAP | TBA | + ## Support -- GitLab From 71cd2dd3dc629b1b80c50ffeb4cb80a69360cc3d Mon Sep 17 00:00:00 2001 
From: Michael Kennedy Date: Tue, 18 Jul 2023 11:52:35 +1000 Subject: [PATCH 11/14] updates to CIS PolSup --- ...es_system_f5xc-icap_kubeconfig_global.yaml | 20 -- resources/terraform/polsup-eks-cis/main.tf | 241 ++++++++++++++++++ .../polsup-eks-cis/min-iam-policy.json | 105 ++++++++ resources/terraform/polsup-eks-cis/outputs.tf | 80 ++++++ .../terraform/polsup-eks-cis/variables.tf | 66 +++++ .../terraform/polsup-eks-cis/versions.tf | 29 +++ 6 files changed, 521 insertions(+), 20 deletions(-) delete mode 100644 resources/terraform/f5xc-aws-icap/ves_system_f5xc-icap_kubeconfig_global.yaml create mode 100644 resources/terraform/polsup-eks-cis/min-iam-policy.json diff --git a/resources/terraform/f5xc-aws-icap/ves_system_f5xc-icap_kubeconfig_global.yaml b/resources/terraform/f5xc-aws-icap/ves_system_f5xc-icap_kubeconfig_global.yaml deleted file mode 100644 index 0e123cb..0000000 --- a/resources/terraform/f5xc-aws-icap/ves_system_f5xc-icap_kubeconfig_global.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -clusters: -- cluster: - certificate-authority-data: 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 - server: https://f5-big-ip.console.ves.volterra.io/api/k8s/namespaces/system/site/f5xc-icap - name: f5xc-icap -contexts: -- context: - cluster: f5xc-icap - namespace: default - user: m.kennedy@f5.com - name: f5xc-icap -current-context: f5xc-icap -kind: Config -preferences: {} -users: -- user: - client-certificate-data: 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 - client-key-data: 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 - name: m.kennedy@f5.com diff --git a/resources/terraform/polsup-eks-cis/main.tf b/resources/terraform/polsup-eks-cis/main.tf index e69de29..a498cc6 100644 --- a/resources/terraform/polsup-eks-cis/main.tf +++ b/resources/terraform/polsup-eks-cis/main.tf 
@@ -0,0 +1,241 @@ +provider "aws" { + region = local.region +} + +provider "kubernetes" { + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } +} + +provider "helm" { + kubernetes { + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } + } +} + +data "aws_availability_zones" "available" { + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } +} + +resource "random_id" "id" { + byte_length = 2 +} + +locals { + region = var.region + vpc_cidr = var.vpc_cidr + azs = slice(data.aws_availability_zones.available.names, 0, 3) + + build = random_id.id.hex + name = coalesce(var.name, local.build) + # var.cluster_name is for Terratest + cluster_name = coalesce(var.cluster_name, local.name) + + # Mapping + cluster_version = var.cluster_version + metrics_server = true + aws_load_balancer_controller = true + cert_manager = true + cloudwatch_metrics = true + vpa = true + kubecost = true + + tags = { + Owner = var.owner + Application = var.app + } +} + +#--------------------------------------------------------------- +# EKS Blueprints +#--------------------------------------------------------------- + +module "eks" { + source = "terraform-aws-modules/eks/aws" + version = "~> 19.13" + + cluster_name = local.cluster_name + cluster_version = local.cluster_version + cluster_endpoint_public_access = true + + vpc_id = module.vpc.vpc_id + subnet_ids = 
module.vpc.private_subnets + + cluster_addons = { + coredns = {} + kube-proxy = {} + vpc-cni = {} + } + + eks_managed_node_groups = { + (local.cluster_name) = { + node_group_name = "managed-ondemand" + instance_types = [var.instance] + min_size = 3 + max_size = 3 + desired_size = 3 + subnet_ids = module.vpc.private_subnets + } + } + + tags = local.tags +} + + +module "eks_blueprints_addons" { + source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.32.1" + + eks_cluster_id = module.eks.cluster_name + eks_cluster_endpoint = module.eks.cluster_endpoint + eks_cluster_version = module.eks.cluster_version + eks_oidc_provider = module.eks.oidc_provider + eks_oidc_provider_arn = module.eks.oidc_provider_arn + + # Add-ons + enable_amazon_eks_aws_ebs_csi_driver = true + amazon_eks_aws_ebs_csi_driver_config = { + most_recent = true + kubernetes_version = local.cluster_version + resolve_conflicts = "OVERWRITE" + } + enable_aws_load_balancer_controller = true + aws_load_balancer_controller_helm_config = { + service_account = "aws-lb-sa" + } + enable_cert_manager = true + enable_metrics_server = true + + tags = local.tags +} + +module "ebs_csi_driver_irsa" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.20" + + role_name_prefix = "${module.eks.cluster_name}-ebs-csi-driver-" + + attach_ebs_csi_policy = true + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"] + } + } + + tags = local.tags +} + +module "vpc_cni_irsa" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.20" + + role_name_prefix = "${module.eks.cluster_name}-vpc-cni-" + + attach_vpc_cni_policy = true + vpc_cni_enable_ipv4 = true + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:aws-node"] + } + } + + 
tags = local.tags +} + +#--------------------------------------------------------------- +# Supporting Resources +#--------------------------------------------------------------- + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "~> 5.0" + + name = local.name + cidr = local.vpc_cidr + + azs = local.azs + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 10)] + database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 20)] + + enable_nat_gateway = true + single_nat_gateway = true + enable_dns_hostnames = true + + # using the database subnet method since it allows a public route + create_database_subnet_group = true + create_database_subnet_route_table = true + create_database_internet_gateway_route = true + + # Manage so we can name + manage_default_network_acl = true + default_network_acl_tags = { Name = "${local.name}-default" } + manage_default_route_table = true + default_route_table_tags = { Name = "${local.name}-default" } + manage_default_security_group = true + default_security_group_tags = { Name = "${local.name}-default" } + + public_subnet_tags = { + "kubernetes.io/cluster/${local.cluster_name}" = "shared" + "kubernetes.io/role/elb" = 1 + } + + private_subnet_tags = { + "kubernetes.io/cluster/${local.cluster_name}" = "shared" + "kubernetes.io/role/internal-elb" = 1 + } + + tags = local.tags +} + +#--------------------------------------------------------------- +# F5/NGINX Resources +#--------------------------------------------------------------- + +module "jumphost" { + source = "../modules/jumphost" + + prefix = local.name + region = var.region + vpc_id = module.vpc.vpc_id + public_subnets = module.vpc.database_subnets + random = local.build + ec2_key = var.ec2_key +} + +module "big-ip" { + source = "../modules/bigip" + + projectPrefix = local.name + random = local.build + region = var.region + vpcId = 
module.vpc.vpc_id + mgmt_subnet_ids = module.vpc.database_subnets + f5_username = var.f5_username + f5_password = var.f5_password + ec2_key_name = var.ec2_key + eks_cluster_sg = module.eks.cluster_security_group_id + eks_node_sg = module.eks.node_security_group_id +} + diff --git a/resources/terraform/polsup-eks-cis/min-iam-policy.json b/resources/terraform/polsup-eks-cis/min-iam-policy.json new file mode 100644 index 0000000..cf716ea --- /dev/null +++ b/resources/terraform/polsup-eks-cis/min-iam-policy.json 
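Review bot: `cluster_endpoint_public_access = true` in `module "eks"` is set without a matching `cluster_endpoint_public_access_cidrs`, so the Kubernetes API endpoint answers from any source address; restrict it, e.g. `cluster_endpoint_public_access_cidrs = ["<ADMIN_CIDR>"]` (placeholder), or keep the endpoint private and reach it through the `jumphost` module the file already creates. Separately, `module "ebs_csi_driver_irsa"` and `module "vpc_cni_irsa"` are declared but nothing in this hunk consumes their role ARNs — `cluster_addons` leaves `vpc-cni = {}` and the ebs-csi add-on config carries no role reference — so as far as this file shows the add-ons fall back to the node role; wiring `vpc-cni = { service_account_role_arn = module.vpc_cni_irsa.iam_role_arn }` (and the ebs-csi equivalent) would close that gap. The `big-ip` module also receives `var.f5_password` directly, which with the default in variables.tf puts a clear-text credential in state and plan output unless that variable is marked `sensitive = true`.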
@@ -0,0 +1,105 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AllocateAddress",
+ "ec2:AssociateRouteTable",
+ "ec2:AttachInternetGateway",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateInternetGateway",
+ "ec2:CreateNatGateway",
+ "ec2:CreateNetworkAclEntry",
+ "ec2:CreateRoute",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateSubnet",
+ "ec2:CreateTags",
+ "ec2:CreateVpc",
+ "ec2:DeleteInternetGateway",
+ "ec2:DeleteNatGateway",
+ "ec2:DeleteNetworkAclEntry",
+ "ec2:DeleteRoute",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteSubnet",
+ "ec2:DeleteTags",
+ "ec2:DeleteVpc",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeNatGateways",
+ "ec2:DescribeNetworkAcls",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeTags",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeVpcClassicLink",
+ "ec2:DescribeVpcClassicLinkDnsSupport",
+ "ec2:DescribeVpcs",
+ "ec2:DetachInternetGateway",
+ "ec2:DisassociateRouteTable",
+ "ec2:ModifySubnetAttribute",
+ "ec2:ModifyVpcAttribute",
+ "ec2:ReleaseAddress",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "eks:CreateAddon",
+ "eks:CreateCluster",
+ "eks:CreateNodegroup",
+ "eks:DeleteAddon",
+ "eks:DeleteCluster",
+ "eks:DeleteNodegroup",
+ "eks:DescribeAddon",
+ "eks:DescribeAddonVersions",
+ "eks:DescribeCluster",
+ "eks:DescribeNodegroup",
+ "iam:AddRoleToInstanceProfile",
+ "iam:AttachRolePolicy",
+ "iam:CreateInstanceProfile",
+ "iam:CreateOpenIDConnectProvider",
+ "iam:CreatePolicy",
+ "iam:CreateRole",
+ "iam:CreateServiceLinkedRole",
+ "iam:DeleteInstanceProfile",
+ "iam:DeleteOpenIDConnectProvider",
+ "iam:DeletePolicy",
+ "iam:DeleteRole",
+ "iam:DetachRolePolicy",
+ "iam:GetInstanceProfile",
+ "iam:GetOpenIDConnectProvider",
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ "iam:GetRole",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListInstanceProfilesForRole",
+ "iam:ListPolicyVersions",
+ "iam:ListRolePolicies",
+ "iam:PassRole",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:TagInstanceProfile",
+ "kms:CreateAlias",
+ "kms:CreateKey",
+ "kms:DeleteAlias",
+ "kms:DescribeKey",
+ "kms:EnableKeyRotation",
+ "kms:GetKeyPolicy",
+ "kms:GetKeyRotationStatus",
+ "kms:ListAliases",
+ "kms:ListResourceTags",
+ "kms:PutKeyPolicy",
+ "kms:ScheduleKeyDeletion",
+ "kms:TagResource",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutObject"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/resources/terraform/polsup-eks-cis/outputs.tf b/resources/terraform/polsup-eks-cis/outputs.tf
index e69de29..26a88f3 100644
--- a/resources/terraform/polsup-eks-cis/outputs.tf
+++ b/resources/terraform/polsup-eks-cis/outputs.tf
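Review bot: the single statement grants `iam:PassRole`, `iam:CreateRole`, `iam:CreatePolicy`, `iam:AttachRolePolicy` and `iam:CreateOpenIDConnectProvider` on `"Resource": "*"`, which lets the deploying principal create and pass arbitrary roles, so despite the file name this is not a least-privilege policy; scope the IAM write actions to the role/policy name prefixes main.tf creates (`${cluster_name}-ebs-csi-driver-`, `${cluster_name}-vpc-cni-`) and move `iam:PassRole` into its own statement bound to the services that actually receive the roles (EKS and EC2 here) with the `iam:PassedToService` condition key. The `ec2:` block covers only VPC plumbing, while the `jumphost` and `big-ip` modules in the main.tf hunk of this patch launch instances, so actions such as `ec2:RunInstances`/`ec2:TerminateInstances` are presumably needed and would otherwise surface as apply-time denials (those modules are outside this patch, so this is inferred). Because JSON cannot carry comments, document the intended scope and any per-module additions in the README rather than in this file. Values in angle brackets below are placeholders.
```json
{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<NAME_PREFIX>*",
  "Condition": {
    "StringEquals": {
      "iam:PassedToService": [
        "eks.amazonaws.com",
        "ec2.amazonaws.com"
      ]
    }
  }
}
```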
@@ -0,0 +1,80 @@ +output "vpc_private_subnet_cidr" { + description = "VPC private subnet CIDR" + value = module.vpc.private_subnets_cidr_blocks +} + +output "vpc_public_subnet_cidr" { + description = "VPC public subnet CIDR" + value = module.vpc.public_subnets_cidr_blocks +} + +output "vpc_management_subnet_cidr" { + description = "VPC Management subnet CIDR" + value = module.vpc.database_subnets_cidr_blocks +} + +output "vpc_cidr" { + description = "VPC CIDR" + value = module.vpc.vpc_cidr_block +} + +output "eks_cluster_name" { + description = "EKS cluster ID" + value = module.eks.cluster_name +} +/* +output "eks_managed_nodegroups" { + description = "EKS managed node groups" + value = module.eks.node_groups +} + +output "eks_managed_nodegroup_ids" { + description = "EKS managed node group ids" + value = module.eks.managed_node_groups_id +} + +output "eks_managed_nodegroup_arns" { + description = "EKS managed node group arns" + value = module.eks.managed_node_group_arn +} + +output "eks_managed_nodegroup_role_name" { + description = "EKS managed node group role name" + value = module.eks.managed_node_group_iam_role_names +} + +output "eks_managed_nodegroup_status" { + description = "EKS managed node group status" + value = module.eks.managed_node_groups_status +} + +output "configure_kubectl" { + description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig" + value = module.eks.configure_kubectl +} +*/ +# Region used for Terratest +output "region" { + description = "AWS region" + value = local.region +} + +output "jumpbox_public_dns" { + description = "Public DNS address of Jumpbox" + value = module.jumphost.public_dns +} + +output "f5vm01_mgmt_private_ip" { + description = "f5vm01 management private IP address" + value = module.big-ip.f5vm01_mgmt_private_ip +} + +output "f5vm01_mgmt_public_ip" { + description = "f5vm01 management public IP address" + value = 
module.big-ip.f5vm01_mgmt_public_ip +} + +output "f5vm01_mgmt_pip_url" { + description = "f5vm01 management public URL" + value = "https://${module.big-ip.f5vm01_mgmt_public_ip}:8443" +} \ No newline at end of file diff --git a/resources/terraform/polsup-eks-cis/variables.tf b/resources/terraform/polsup-eks-cis/variables.tf index e69de29..9efb921 100644 --- a/resources/terraform/polsup-eks-cis/variables.tf +++ b/resources/terraform/polsup-eks-cis/variables.tf 
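Review bot: `output "eks_cluster_name"` is described as "EKS cluster ID" while its value is `module.eks.cluster_name`; change the description to `description = "EKS cluster name"`. The block comment from `eks_managed_nodegroups` through `configure_kubectl` is dead code that references module outputs (`module.eks.node_groups`, `module.eks.configure_kubectl`) nothing else in this file uses — deleting it and leaving the history to git reads cleaner than six commented-out outputs. The file also ends without a trailing newline (`\ No newline at end of file`).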
@@ -0,0 +1,66 @@ +# tflint-ignore: terraform_unused_declarations +variable "cluster_name" { + description = "Name of cluster - used by Terratest for e2e test automation" + type = string + default = "polsup-cis" +} + +variable "cluster_version" { + description = "The Version of Kubernetes to deploy" + type = string + default = "1.25" +} + +variable "region" { + description = "Name of AWS deployment region" + type = string + default = "ap-southeast-2" +} + +variable "vpc_cidr" { + description = "CIDR of deployment VPC" + type = string + default = "10.0.0.0/16" +} + +variable "name" { + description = "Name prefix of deployment" + type = string + default = "polsup-cis" +} + +variable "owner" { + description = "Deployment owner" + type = string + default = "f5-aatt" +} + +variable "instance" { + description = "Deployment EC2 instance type" + type = string + default = "t3.xlarge" +} + +variable "app" { + description = "Deployment Application" + type = string + default = "OWASP JuiceShop" +} + +variable "ec2_key" { + description = "EC2 Deployment Keypair" + type = string + default = "mkennedy@f5" +} + +variable "f5_username" { + description = "User name for the BIG-IP (Note: currently not used. Defaults to 'admin' based on AMI" + type = string + default = "admin" +} + +variable "f5_password" { + description = "BIG-IP Password or Secret ARN (value should be ARN of secret when aws_secretmanager_auth = true, ex. arn:aws:secretsmanager:us-west-2:1234:secret:bigip-secret-abcd)" + type = string + default = "Default12345!" +} diff --git a/resources/terraform/polsup-eks-cis/versions.tf b/resources/terraform/polsup-eks-cis/versions.tf index e69de29..62c74d3 100644 --- a/resources/terraform/polsup-eks-cis/versions.tf +++ b/resources/terraform/polsup-eks-cis/versions.tf 
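Review bot: `variable "f5_password"` ships a working default (`Default12345!`) that main.tf passes straight to the `big-ip` module, so a run without a tfvars override deploys a management interface with a known password and writes that value in clear to state and plan output; drop the `default`, add `sensitive = true`, and prefer the Secrets Manager ARN path the description already mentions. `variable "ec2_key"` likewise bakes a personal key pair name into the default (`mkennedy@f5` here; the patch-13 hunk in variables.tf swaps it for `mjk-aatt-fy23q3`), which fails at apply time in any other account — omit the default and supply it through tfvars. Minor: the `f5_username` description opens a parenthesis it never closes.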
@@ -0,0 +1,29 @@ +terraform { + required_version = ">= 1.0.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 3.72" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.10" + } + helm = { + source = "hashicorp/helm" + version = ">= 2.4.1" + } + volterra = { + source = "volterraedge/volterra" + version = ">= 0.7" + } + } + + # ## Used for end-to-end testing on project; update to suit your needs + # backend "s3" { + # bucket = "terraform-ssp-github-actions-state" + # region = "us-west-2" + # key = "e2e/eks-cluster-with-new-vpc/terraform.tfstate" + # } +} -- GitLab From bfe0c968df79fdd1d83dfae01bd6aac99bfc9e26 Mon Sep 17 00:00:00 2001 From: Michael Kennedy Date: Tue, 18 Jul 2023 12:07:17 +1000 Subject: [PATCH 12/14] k8s manifests for cis/juice --- .../k8s-manifests/cis/{ => otel}/as3.yaml | 0 .../cis/{ => otel}/cis-deployment.yaml | 0 .../cis/{ => otel}/opentelemetry-demo.yaml | 0 .../cis/polsup/cis-deployment.yaml | 56 +++++++++++++++++++ .../cis/polsup/juice-shop-deployment.yaml | 16 ++++++ .../cis/polsup/juice-shop-service.yaml | 12 ++++ .../k8s-manifests/cis/polsup/polsup-as3.yaml | 48 ++++++++++++++++ 7 files changed, 132 insertions(+) rename resources/k8s-manifests/cis/{ => otel}/as3.yaml (100%) rename resources/k8s-manifests/cis/{ => otel}/cis-deployment.yaml (100%) rename resources/k8s-manifests/cis/{ => otel}/opentelemetry-demo.yaml (100%) create mode 100644 resources/k8s-manifests/cis/polsup/cis-deployment.yaml create mode 100644 resources/k8s-manifests/cis/polsup/juice-shop-deployment.yaml create mode 100644 resources/k8s-manifests/cis/polsup/juice-shop-service.yaml create mode 100644 resources/k8s-manifests/cis/polsup/polsup-as3.yaml diff --git a/resources/k8s-manifests/cis/as3.yaml b/resources/k8s-manifests/cis/otel/as3.yaml similarity index 100% rename from resources/k8s-manifests/cis/as3.yaml rename to resources/k8s-manifests/cis/otel/as3.yaml 
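Review bot: `required_providers` pins `volterra` (`volterraedge/volterra >= 0.7`), but the main.tf hunk in this same patch contains no volterra provider block or resource, so the requirement only forces an extra provider download on `init`; remove it unless a later file in this directory adds a use. The `aws` floor of `>= 3.72` also looks looser than what the modules main.tf pulls in will accept (`terraform-aws-modules/vpc ~> 5.0` and `eks ~> 19.13` are 4.x/5.x-era modules, so this is inferred from their versions rather than visible here); raising the floor to match the module constraints yields one clear error at `init` instead of a failure inside a module.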
diff --git a/resources/k8s-manifests/cis/cis-deployment.yaml b/resources/k8s-manifests/cis/otel/cis-deployment.yaml similarity index 100% rename from resources/k8s-manifests/cis/cis-deployment.yaml rename to resources/k8s-manifests/cis/otel/cis-deployment.yaml diff --git a/resources/k8s-manifests/cis/opentelemetry-demo.yaml b/resources/k8s-manifests/cis/otel/opentelemetry-demo.yaml similarity index 100% rename from resources/k8s-manifests/cis/opentelemetry-demo.yaml rename to resources/k8s-manifests/cis/otel/opentelemetry-demo.yaml diff --git a/resources/k8s-manifests/cis/polsup/cis-deployment.yaml b/resources/k8s-manifests/cis/polsup/cis-deployment.yaml new file mode 100644 index 0000000..6f3f3ab --- /dev/null +++ b/resources/k8s-manifests/cis/polsup/cis-deployment.yaml 
@@ -0,0 +1,56 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: k8s-bigip-ctlr-deployment + namespace: kube-system +spec: +# DO NOT INCREASE REPLICA COUNT + replicas: 1 + selector: + matchLabels: + app: k8s-bigip-ctlr-deployment + template: + metadata: + labels: + app: k8s-bigip-ctlr-deployment + spec: + # Name of the Service Account bound to a Cluster Role with the required + # permissions + containers: + - name: k8s-bigip-ctlr + image: "f5networks/k8s-bigip-ctlr:2.7.1" + env: + - name: BIGIP_USERNAME + valueFrom: + secretKeyRef: + # Replace with the name of the Secret containing your login + # credentials + name: f5-bigip-ctlr-login + key: username + - name: BIGIP_PASSWORD + valueFrom: + secretKeyRef: + # Replace with the name of the Secret containing your login + # credentials + name: f5-bigip-ctlr-login + key: password + command: ["/app/bin/k8s-bigip-ctlr"] + args: [ + # See the k8s-bigip-ctlr documentation for information about + # all config options + # https://clouddocs.f5.com/containers/latest/ + "--bigip-username=$(BIGIP_USERNAME)", + "--bigip-password=$(BIGIP_PASSWORD)", + "--bigip-url=https://{$mgmtPublicIP}:8443", #Fill this with the BIG-IP's self IP address. Use https://IP:8443 for single NIC. + "--bigip-partition=cispartition", #Fill this with the name of the "create auth partition " you created previously. + "--pool-member-type=cluster", #Fill this with "cluster" if running in ClusterIP mode + #"--flannel-name=/Common/k8s-tunnel", #Uncomment this only when using ClusterIP mode. Replace k8s-tunnel with the name you created. + #"--custom-resource-mode=true", #Uncomment this only when deploying F5 ingresslink and as3 will not work + "--insecure", + "--log-as3-response=true", + "--log-level=DEBUG", + # for secure communication provide the internal ca certificates using config-map with below option and remove insecure parameter + #"--trusted-certs-cfgmap=", + ] + serviceAccount: bigip-ctlr + serviceAccountName: bigip-ctlr 
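Review bot: the controller args combine `--insecure` with `--bigip-url=https://{$mgmtPublicIP}:8443`, so the BIG-IP credentials from the `f5-bigip-ctlr-login` Secret are sent to a public management address over a TLS session whose certificate is never verified; the trailing comment already names the fix (`--trusted-certs-cfgmap=`), so the verified path should be the default and `--insecure` the documented lab-only exception. `--log-level=DEBUG` together with `--log-as3-response=true` also writes full AS3 declarations and BIG-IP responses to pod logs, which is more than a working demo needs; `--log-level=INFO` is the usual setting once it runs. The image is correctly pinned to `2.7.1`; a `resources:` block and a `securityContext` (`runAsNonRoot: true`, dropped capabilities) would round out the pod spec, and `serviceAccount:` is a deprecated alias of `serviceAccountName:`, so one of the two lines can go.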
diff --git a/resources/k8s-manifests/cis/polsup/juice-shop-deployment.yaml b/resources/k8s-manifests/cis/polsup/juice-shop-deployment.yaml new file mode 100644 index 0000000..992274c --- /dev/null +++ b/resources/k8s-manifests/cis/polsup/juice-shop-deployment.yaml @@ -0,0 +1,16 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: juice-shop +spec: + template: + metadata: + labels: + app: juice-shop + spec: + containers: + - name: juice-shop + image: bkimminich/juice-shop + selector: + matchLabels: + app: juice-shop \ No newline at end of file diff --git a/resources/k8s-manifests/cis/polsup/juice-shop-service.yaml b/resources/k8s-manifests/cis/polsup/juice-shop-service.yaml new file mode 100644 index 0000000..f90f702 --- /dev/null +++ b/resources/k8s-manifests/cis/polsup/juice-shop-service.yaml @@ -0,0 +1,12 @@ +kind: Service +apiVersion: v1 +metadata: + name: juice-shop +spec: + type: NodePort + selector: + app: juice-shop + ports: + - name: http + port: 8000 + targetPort: 3000 \ No newline at end of file diff --git a/resources/k8s-manifests/cis/polsup/polsup-as3.yaml b/resources/k8s-manifests/cis/polsup/polsup-as3.yaml new file mode 100644 index 0000000..3dd4b64 --- /dev/null +++ b/resources/k8s-manifests/cis/polsup/polsup-as3.yaml 
@@ -0,0 +1,48 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: f5-cis-policysupervisor-demo + namespace: polsup-demo + labels: + #Note that mypartition-name, myhttp-vs, and web_pool names below must match the label in the k8 service yaml file. + f5type: virtual-server + as3: "true" +data: + template: | + { + "class": "AS3", + "declaration": { + "class": "ADC", + "schemaVersion": "3.20.0", + "label": "http", + "remark": "JuiceShop Microservices", + "polsup-demo": { + "class": "Tenant", + "frontendproxy": { + "class": "Application", + "template": "generic", + "vs-fep": { + "class": "Service_HTTP", + "remark": "OpenTelemetry Frontend Proxy Service", + "virtualPort": 80, + "virtualAddresses": [ + "{$selfIP}" + ], + "pool": "pl-fep" + }, + "pl-fep": { + "class": "Pool", + "monitors": [ + "http" + ], + "members": [ + { + "servicePort": 8000, + "serverAddresses": [] + } + ] + } + } + } + } + } -- GitLab From c5354769786c97538f2d7236fc0ba5e3fe524a6d Mon Sep 17 00:00:00 2001 From: Michael Kennedy Date: Tue, 18 Jul 2023 13:14:04 +1000 Subject: [PATCH 13/14] validated eks/cbip deployment --- resources/terraform/polsup-eks-cis/README.md | 35 +++++++++++++++++++ .../terraform/polsup-eks-cis/as_built.md | 2 +- resources/terraform/polsup-eks-cis/outputs.tf | 2 +- .../terraform/polsup-eks-cis/variables.tf | 2 +- 4 files changed, 38 insertions(+), 3 deletions(-) diff --git a/resources/terraform/polsup-eks-cis/README.md b/resources/terraform/polsup-eks-cis/README.md index a6253d2..fcc1f12 100644 --- a/resources/terraform/polsup-eks-cis/README.md +++ b/resources/terraform/polsup-eks-cis/README.md 
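Review bot: the `Service_HTTP` virtual server in the AS3 template listens in plain HTTP on `virtualPort: 80` and, for a PolicySupervisor/AWAF demo, carries no WAF attachment (AS3 `Service_HTTP` accepts a `policyWAF` reference), so the JuiceShop pool is reachable unprotected until a policy is attached out of band. If PolicySupervisor is meant to push the policy onto this VS separately, a comment in the ConfigMap saying so, e.g. `# WAF policy is attached by PolicySupervisor; this declaration intentionally carries no policyWAF`, would spare the next reader the check; if it is not, the reference belongs here. The same shape persists in the patch-14 hunk of this file that renames the app to `juice-shop`.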
@@ -44,6 +44,41 @@ ___ ## Configuration +The following *Inputs* are `defauls` that may be superseeded when `TFVARS` files are provided; + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [app](#input\_app) | Deployment Application | `string` | `"OWASP JuiceShop"` | no | +| [cluster\_name](#input\_cluster\_name) | Name of cluster - used by Terratest for e2e test automation | `string` | `"polsup-cis"` | no | +| [cluster\_version](#input\_cluster\_version) | The Version of Kubernetes to deploy | `string` | `"1.25"` | no | +| [ec2\_key](#input\_ec2\_key) | EC2 Deployment Keypair | `string` | `"mkennedy@f5"` | no | +| [f5\_password](#input\_f5\_password) | BIG-IP Password or Secret ARN (value should be ARN of secret when aws\_secretmanager\_auth = true, ex. arn:aws:secretsmanager:us-west-2:1234:secret:bigip-secret-abcd) | `string` | `"Default12345!"` | no | +| [f5\_username](#input\_f5\_username) | User name for the BIG-IP (Note: currently not used. 
Defaults to 'admin' based on AMI | `string` | `"admin"` | no | +| [instance](#input\_instance) | Deployment EC2 instance type | `string` | `"t3.xlarge"` | no | +| [name](#input\_name) | Name prefix of deployment | `string` | `"polsup-cis"` | no | +| [owner](#input\_owner) | Deployment owner | `string` | `"f5-aatt"` | no | +| [region](#input\_region) | Name of AWS deployment region | `string` | `"ap-southeast-2"` | no | +| [vpc\_cidr](#input\_vpc\_cidr) | CIDR of deployment VPC | `string` | `"10.0.0.0/16"` | no | + + +## Outputs + +| Name | Description | +|------|-------------| +| [eks\_cluster\_name](#output\_eks\_cluster\_name) | EKS cluster ID | +| [f5vm01\_mgmt\_pip\_url](#output\_f5vm01\_mgmt\_pip\_url) | f5vm01 management public URL | +| [f5vm01\_mgmt\_private\_ip](#output\_f5vm01\_mgmt\_private\_ip) | f5vm01 management private IP address | +| [f5vm01\_mgmt\_public\_ip](#output\_f5vm01\_mgmt\_public\_ip) | f5vm01 management public IP address | +| [jumpbox\_public\_dns](#output\_jumpbox\_public\_dns) | Public DNS address of Jumpbox | +| [region](#output\_region) | AWS region | +| [vpc\_cidr](#output\_vpc\_cidr) | VPC CIDR | +| [vpc\_management\_subnet\_cidr](#output\_vpc\_management\_subnet\_cidr) | VPC Management subnet CIDR | +| [vpc\_private\_subnet\_cidr](#output\_vpc\_private\_subnet\_cidr) | VPC private subnet CIDR | +| [vpc\_public\_subnet\_cidr](#output\_vpc\_public\_subnet\_cidr) | VPC public subnet CIDR | + + ___ ## Decommission diff --git a/resources/terraform/polsup-eks-cis/as_built.md b/resources/terraform/polsup-eks-cis/as_built.md index e6bab7f..81d1ef7 100644 --- a/resources/terraform/polsup-eks-cis/as_built.md +++ b/resources/terraform/polsup-eks-cis/as_built.md 
@@ -54,7 +54,7 @@ kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/ma ### `bigip-ctl-cis` Deployment Preparation -10. Update `src/k8s-manifests/cis/as3.yaml` to reflect the *selfIP* of the BIG-IP Virtual Server; +10. Update `src/k8s-manifests/cis/polsup/polsup-as3.yaml` to reflect the *selfIP* of the BIG-IP Virtual Server; * Replace `"virtualAddresses": ["{$selfIP}"],` with the VS IP. For single NIC, this is the self IP address. 11. Update `src/k8s-manifests/cis/cis-deployment.yaml` to reflect the Public ManagementIP of the BIG-IP; diff --git a/resources/terraform/polsup-eks-cis/outputs.tf b/resources/terraform/polsup-eks-cis/outputs.tf index 26a88f3..b4156d2 100644 --- a/resources/terraform/polsup-eks-cis/outputs.tf +++ b/resources/terraform/polsup-eks-cis/outputs.tf @@ -61,7 +61,7 @@ output "region" { output "jumpbox_public_dns" { description = "Public DNS address of Jumpbox" - value = module.jumphost.public_dns + value = module.jumphost.public_dns[0] } output "f5vm01_mgmt_private_ip" { diff --git a/resources/terraform/polsup-eks-cis/variables.tf b/resources/terraform/polsup-eks-cis/variables.tf index 9efb921..ea78f63 100644 --- a/resources/terraform/polsup-eks-cis/variables.tf +++ b/resources/terraform/polsup-eks-cis/variables.tf @@ -50,7 +50,7 @@ variable "app" { variable "ec2_key" { description = "EC2 Deployment Keypair" type = string - default = "mkennedy@f5" + default = "mjk-aatt-fy23q3" } variable "f5_username" { -- GitLab From b2c2d1331577f3a0c2dc09d46b93b7375fbfea76 Mon Sep 17 00:00:00 2001 
From: Michael Kennedy Date: Tue, 18 Jul 2023 13:58:22 +1000 Subject: [PATCH 14/14] e2e cBIP/CIS/JuiceShop w/- AWAF --- .../cis/polsup/juice-shop-deployment.yaml | 16 --------- .../cis/polsup/juice-shop-service.yaml | 12 ------- .../k8s-manifests/cis/polsup/juiceshop.yaml | 35 +++++++++++++++++++ .../k8s-manifests/cis/polsup/polsup-as3.yaml | 13 ++++--- .../terraform/polsup-eks-cis/as_built.md | 17 ++++++++- 5 files changed, 57 insertions(+), 36 deletions(-) delete mode 100644 resources/k8s-manifests/cis/polsup/juice-shop-deployment.yaml delete mode 100644 resources/k8s-manifests/cis/polsup/juice-shop-service.yaml create mode 100644 resources/k8s-manifests/cis/polsup/juiceshop.yaml diff --git a/resources/k8s-manifests/cis/polsup/juice-shop-deployment.yaml b/resources/k8s-manifests/cis/polsup/juice-shop-deployment.yaml deleted file mode 100644 index 992274c..0000000 --- a/resources/k8s-manifests/cis/polsup/juice-shop-deployment.yaml +++ /dev/null @@ -1,16 +0,0 @@ -kind: Deployment -apiVersion: apps/v1 -metadata: - name: juice-shop -spec: - template: - metadata: - labels: - app: juice-shop - spec: - containers: - - name: juice-shop - image: bkimminich/juice-shop - selector: - matchLabels: - app: juice-shop \ No newline at end of file diff --git a/resources/k8s-manifests/cis/polsup/juice-shop-service.yaml b/resources/k8s-manifests/cis/polsup/juice-shop-service.yaml deleted file mode 100644 index f90f702..0000000 --- a/resources/k8s-manifests/cis/polsup/juice-shop-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: juice-shop -spec: - type: NodePort - selector: - app: juice-shop - ports: - - name: http - port: 8000 - targetPort: 3000 \ No newline at end of file diff --git a/resources/k8s-manifests/cis/polsup/juiceshop.yaml b/resources/k8s-manifests/cis/polsup/juiceshop.yaml new file mode 100644 index 0000000..178fec9 --- /dev/null +++ b/resources/k8s-manifests/cis/polsup/juiceshop.yaml 
@@ -0,0 +1,35 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: juice-shop +spec: + template: + metadata: + labels: + app: juice-shop + spec: + containers: + - name: juice-shop + image: bkimminich/juice-shop + selector: + matchLabels: + app: juice-shop +--- +kind: Service +apiVersion: v1 +metadata: + name: juice-shop + labels: + cis.f5.com/as3-tenant: polsup-demo #The following 3 labels need to match the AS3 declaration. + cis.f5.com/as3-app: juice-shop + cis.f5.com/as3-pool: pl-js +spec: + type: NodePort + selector: + app: juice-shop + ports: + - name: http + port: 3000 + targetPort: 3000 +--- \ No newline at end of file diff --git a/resources/k8s-manifests/cis/polsup/polsup-as3.yaml b/resources/k8s-manifests/cis/polsup/polsup-as3.yaml index 3dd4b64..7905f9d 100644 --- a/resources/k8s-manifests/cis/polsup/polsup-as3.yaml +++ b/resources/k8s-manifests/cis/polsup/polsup-as3.yaml @@ -2,7 +2,6 @@ kind: ConfigMap apiVersion: v1 metadata: name: f5-cis-policysupervisor-demo - namespace: polsup-demo labels: #Note that mypartition-name, myhttp-vs, and web_pool names below must match the label in the k8 service yaml file. f5type: virtual-server @@ -18,26 +17,26 @@ data: "remark": "JuiceShop Microservices", "polsup-demo": { "class": "Tenant", - "frontendproxy": { + "juice-shop": { "class": "Application", "template": "generic", - "vs-fep": { + "vs-js": { "class": "Service_HTTP", - "remark": "OpenTelemetry Frontend Proxy Service", + "remark": "JuiceShop Service", "virtualPort": 80, "virtualAddresses": [ "{$selfIP}" ], - "pool": "pl-fep" + "pool": "pl-js" }, - "pl-fep": { + "pl-js": { "class": "Pool", "monitors": [ "http" ], "members": [ { - "servicePort": 8000, + "servicePort": 3000, "serverAddresses": [] } ] diff --git a/resources/terraform/polsup-eks-cis/as_built.md b/resources/terraform/polsup-eks-cis/as_built.md index 81d1ef7..25e571e 100644 --- a/resources/terraform/polsup-eks-cis/as_built.md +++ b/resources/terraform/polsup-eks-cis/as_built.md 
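Review bot: `image: bkimminich/juice-shop` has no tag or digest, so each pod restart may pull a different image and the demo is not reproducible; pin it, `image: bkimminich/juice-shop:<VERSION>` (placeholder) or a digest. JuiceShop is intentionally vulnerable, and `type: NodePort` exposes port 3000 on every node address in addition to the BIG-IP virtual server the `cis.f5.com/as3-*` labels wire up; with `--pool-member-type=cluster` (set in the patch-12 cis-deployment.yaml hunk) CIS addresses pods directly, so `type: ClusterIP` should be enough and keeps the app reachable only through the WAF-fronted VS — confirm against the CIS mode in use. The Deployment also has no `replicas`, `resources` or `securityContext`, and the file ends with a bare `---` and no trailing newline.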
@@ -58,4 +58,19 @@ kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/ma * Replace `"virtualAddresses": ["{$selfIP}"],` with the VS IP. For single NIC, this is the self IP address. 11. Update `src/k8s-manifests/cis/cis-deployment.yaml` to reflect the Public ManagementIP of the BIG-IP; - * Replace `"--bigip-url=https://{$mgmtPublicIP}:8443"` with the ManagementIP. For single NIC, this is the self IP address. \ No newline at end of file + * Replace `"--bigip-url=https://{$mgmtPublicIP}:8443"` with the ManagementIP. For single NIC, this is the self IP address. + + +### Deploy JuiceShop & BIG-IP CIS Definitions + +12. Create namespace & deploy Astro OTel microservices; +```shell +kubectl apply -f ../../k8s-manifests/cis/polsup/juiceshop.yaml +``` + +13. Create and deploy BIG-IP Container Ingress Service and application pods with `as3` definition; +```shell +kubectl create -f ../../k8s-manifests/cis/polsup/cis-deployment.yaml +sleep 10; +kubectl create -f ../../k8s-manifests/cis/polsup/polsup-as3.yaml +``` \ No newline at end of file -- GitLab