Adding GCS as a policy-library store for on-GKE #356

kevensen · 2019-10-25T22:01:46Z

Removed the default policy_library_repository_url
Added policy_library_sync_enabled for on_gke examples
Added Workload Identity for config-validator
Corrected some Helm variables per the config-validator chart
on-GCE generates a private SSH key. on-GKE also behaves the same if a private ssh key file is not provided.

Tests:

on_gke_end_to_end - config-validator disabled && git-sync disabled --> forseti deploys and config validator does not, no keys are created
on_gke_end_to_end - config-validator disabled && git-sync enabled --> forseti deploys and config validator does not, no keys are created
on_gke_end_to_end - config-validator enabled && git-sync disabled --> forseti deploys && config validator deploys && policy is pulled from GCS && no keys created
on_gke_end_to_end - config-validator enabled && git-sync disabled && policy_library_url --> forseti deploys && config validator deploys && policy is pulled from Git && no keys created
on_gke_end_to_end - config-validator enabled && git-sync enabled --> forseti deploys && config validator deploys && SSH key is generated
on_gke_end_to_end - config-validator enabled && git-sync enabled && SSH key filename is provided--> forseti deploys && config validator deploys && public ssh-key output matches existing public key.
on_gke_end_to_end [5.0.0 --> 5.1.0] - With config-validator enabled (and git-sync) and upgrade to 5.1.0(?) maintains functionality. This is the periodic config-validator.

kevensen · 2019-10-25T22:08:55Z

Addresses #341

kevensen · 2019-10-25T22:35:08Z

Need to test

on_gke example with git-sync enabled. Then update policies and ensure pod deletes and restarts.

gkowalski-google

LGTM. Please create a ticket to support branch configuration on GCE.

gkowalski-google · 2019-10-29T13:45:16Z

examples/on_gke/README.md

@@ -69,7 +69,9 @@ In order to operate with the Service Account you must activate the following API
 | k8s\_tiller\_sa\_name | The Kubernetes Service Account used by Tiller | string | `"tiller"` | no |
 | network | The VPC where the Forseti client and server will be created | string | `"default"` | no |
 | org\_id | GCP Organization ID that Forseti will have purview over | string | n/a | yes |
-| policy\_library\_repository\_url | The git repository containing the policy-library. | string | `"https://github.com/forseti-security/policy-library"` | no |
+| policy\_library\_repository\_branch | The specific git branch containing the policies. | string | `"master"` | no |


Currently the GCE behavior is hard-coded to master branch. It's fine to support different branches, but if we do it for GKE, then we should do the same for GCE. That would mean a change here: https://github.com/forseti-security/forseti-security/blob/master/install/gcp/scripts/initialize_forseti_services.sh#L55

kevensen · 2019-10-30T17:25:23Z

Opened #366

Adding GCS as a policy-library store for on-GKE

1c43e7b

kevensen requested review from aaron-lane, hshin-g and morgante as code owners October 25, 2019 22:01

googlebot added the cla: yes label Oct 25, 2019

kevensen added 2 commits October 25, 2019 15:04

Adding variables to the examples

5f9d324

Update readme

ac62beb

kevensen mentioned this pull request Oct 25, 2019

Adding support for policy-libraries stored in GCS. forseti-security/helm-charts#46

Merged

kevensen added 4 commits October 28, 2019 10:39

moving tls keys around. fixed some variables

5a6669d

Merge branch 'master' into policy-library-improvements

1194bbe

moved tls key

dffaaaf

docs and lint

097ef5a

kevensen requested a review from gkowalski-google October 28, 2019 22:30

kevensen mentioned this pull request Oct 29, 2019

[WEBSITE] Updates for GKE Policy Library Enhancements forseti-security/forseti-security#3381

Merged

1 task

Merge branch 'master' into policy-library-improvements

aa74176

gkowalski-google approved these changes Oct 30, 2019

View reviewed changes

hshin-g approved these changes Oct 30, 2019

View reviewed changes

kevensen merged commit 3347e7a into forseti-security:master Oct 30, 2019

kevensen mentioned this pull request Nov 1, 2019

Make the Options for Policy Library Sync to Be Consistent #341

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Adding GCS as a policy-library store for on-GKE #356

Adding GCS as a policy-library store for on-GKE #356

kevensen commented Oct 25, 2019 •

edited

Loading

kevensen commented Oct 25, 2019

kevensen commented Oct 25, 2019

gkowalski-google left a comment

gkowalski-google Oct 29, 2019

kevensen commented Oct 30, 2019

Adding GCS as a policy-library store for on-GKE #356

Adding GCS as a policy-library store for on-GKE #356

Conversation

kevensen commented Oct 25, 2019 • edited Loading

kevensen commented Oct 25, 2019

kevensen commented Oct 25, 2019

gkowalski-google left a comment

Choose a reason for hiding this comment

gkowalski-google Oct 29, 2019

Choose a reason for hiding this comment

kevensen commented Oct 30, 2019

kevensen commented Oct 25, 2019 •

edited

Loading