From ebd967086db5ccafeb0781efa1e95faae572365d Mon Sep 17 00:00:00 2001
From: John Jediny
Date: Wed, 7 Sep 2022 14:30:06 -0400
Subject: [PATCH] cloud.gov deployment (#7611)
* cloud.gov deployment Adds example manifest.yml file and docs covering steps to deploy fleetdm to cloud.gov
* rename manifest rename manifest and small edits
---
 docs/Deploying/cloudgov.md | 108 ++++++++++++++++++++++++++++++++++
 manifest.yml.cloudgov.example | 39 ++++++++++++
 2 files changed, 147 insertions(+)
 create mode 100644 docs/Deploying/cloudgov.md
 create mode 100644 manifest.yml.cloudgov.example
diff --git a/docs/Deploying/cloudgov.md b/docs/Deploying/cloudgov.md
new file mode 100644
index 0000000000..73001f94b2
--- /dev/null
+++ b/docs/Deploying/cloudgov.md
@@ -0,0 +1,108 @@
+# Deploying to Cloud.gov (Cloud Foundry)
+
+Cloud.gov is a [FEDRAMP moderate Platform-as-a-Service
+(PaaS)](https://marketplace.fedramp.gov/#!/product/18f-cloudgov?sort=productName). This repository
+includes a sample [manifest.yml.example](https://github.com/fleetdm/fleet/blob/main/manifest.yml.cloudgov.example) file ready to be pushed and run the
+latest version of fleetdm as a container. Make a copy of the example file and update the key
+values as appropriate.
+
+1. `cp manifest.yml.cloudgov.example manifest.yml`
+
+2. Setup a cloud.gov account - https://cloud.gov/docs/getting-started/accounts/
+
+3. Install the cf-cli - https://cloud.gov/docs/getting-started/setup/
+
+4. From your local fleetdm source directory.
+```
+git clone https://github.com/fleetdm/fleet
+cd fleet
+cf login -a api.fr.cloud.gov --sso
+
+# Follow the link to copy the Temporary Authentication Code when prompted
+```
+5. Setup a demo application space
+```
+cf target -o sandbox-gsa create-space fleetdm-rename
+```
+
+6. Create database(s)
+```
+# Update manifest.yml file to rename application and database key names to match commands below.
+
+cf marketplace
+cf create-service aws-rds medium-mysql fleetdm-mysql
+cf create-service aws-elasticache-redis redis-dev fleetdm-redis
+cf create-service-key fleetdm-db-rename fleetdm-db-test-key
+cf push
+```
+
+**You will be returned the URL for your new test instance to navigate to.**
+
+> Note: This is only for demonstration purposes, in order to run a production level federal/FISMA system. You will need to contact the [cloud.gov program](https://cloud.gov) and consult your organization's security team (for risk assessment and an Authority to Operate).
+
+## Using jq to map service credentials
+
+Cloud foundry injects an environmental variable [`$VCAP_SERVICES`](https://docs.cloudfoundry.org/devguide/deploy-apps/environment-variable.html#VCAP-SERVICES) which is available within the
+container. fleetdm uses jq to map service injected credentials to the [standard fleetdm environment
+variables](https://fleetdm.com/docs/deploying/configuration#using-only-environment-variables).
+
+```json
+{
+ "aws-rds": [
+ {
+ "label": "aws-rds",
+ "provider": null,
+ "plan": "medium-mysql",
+ "name": "fleetdm-db",
+ "tags": [
+ "database",
+ "RDS"
+ ],
+ "instance_guid": "guid",
+ "instance_name": "fleetdm-db",
+ "binding_guid": "guid",
+ "binding_name": null,
+ "credentials": {
+ "db_name": "db_name",
+ "host": "host",
+ "name": "name",
+ "password": "password",
+ "port": "3306",
+ "uri": "mysql://username:password@hostname:port/db_name",
+ "username": "username"
+ },
+ "syslog_drain_url": null,
+ "volume_mounts": []
+ }
+ ],
+ "aws-elasticache-redis": [
+ {
+ "label": "aws-elasticache-redis",
+ "provider": null,
+ "plan": "redis-dev",
+ "name": "fleetdm-redis",
+ "tags": [
+ "redis",
+ "Elasticache",
+ "AWS"
+ ],
+ "instance_guid": "guid",
+ "instance_name": "fleetdm-redis",
+ "binding_guid": "guid",
+ "binding_name": null,
+ "credentials": {
+ "current_redis_engine_version": "version",
+ "host": "host",
+ "hostname": "hostname",
+ "password": "password",
+ "port": "port",
+ "uri": "redis://:address:port"
+ },
+ "syslog_drain_url": null,
+ "volume_mounts": []
+ }
+ ]
+}
+```
+
+
\ No newline at end of file
diff --git a/manifest.yml.cloudgov.example b/manifest.yml.cloudgov.example
new file mode 100644
index 0000000000..65b236f56b
--- /dev/null
+++ b/manifest.yml.cloudgov.example
@@ -0,0 +1,39 @@
+applications:
+- name: fleetdm
+ memory: 512m
+ disk_quota: 2g
+ instances: 1
+ timeout: 120
+ health-check-type: process
+ command: |
+ export FLEET_MYSQL_USERNAME=$( echo $VCAP_SERVICES | jq -r '.["aws-rds"][].credentials.username') && \
+ export FLEET_MYSQL_ADDRESS=$( echo $VCAP_SERVICES | jq -r '.["aws-rds"][].credentials.host') && \
+ export FLEET_MYSQL_DATABASE=$( echo $VCAP_SERVICES | jq -r '.["aws-rds"][].credentials.db_name') && \
+ export FLEET_MYSQL_PASSWORD=$( echo $VCAP_SERVICES | jq -r '.["aws-rds"][].credentials.password') && \
+ export FLEET_REDIS_ADDRESS=$( echo $VCAP_SERVICES | jq -r '.["aws-elasticache-redis"][].credentials.host + ":" + .["aws-elasticache-redis"][].credentials.port') && \
+ export FLEET_REDIS_PASSWORD$( echo $VCAP_SERVICES | jq -r '.["aws-elasticache-redis"][].credentials.password') && \
+ fleet prepare --no-prompt=true db && \
+ fleet serve
+ docker:
+ image: fleetdm/fleet:latest
+ services:
+ - fleetdm-mysql
+ - fleetdm-redis
+ env:
+ FLEET_LOGGING_JSON: true
+ FLEET_LOGGING_DEBUG: true
+ FLEET_REDIS_USE_TLS: true
+ FLEET_SERVER_TLS: false
+ FLEET_REDIS_CONNECT_RETRY_ATTEMPTS: 3
+ # FLEET_FIREHOSE_STATUS_STREAM: FALSE
+ # FLEET_FIREHOSE_RESULT_STREAM:
+ # FLEET_FIREHOSE_REGION:
+ # FLEET_OSQUERY_STATUS_LOG_PLUGIN"
+ # FLEET_OSQUERY_RESULT_LOG_PLUGIN"
+ # FLEET_VULNERABILITIES_DATABASES_PATH:
+ # FLEET_OSQUERY_ENABLE_ASYNC_HOST_PROCESSING:
+ # FLEET_S3_BUCKET:
+ # FLEET_S3_PREFIX:
+ # FLEET_LICENSE_KEY:
+
+# Add the following to the command if needed # printenv && \
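Review bot: The `FLEET_REDIS_PASSWORD` line in the `command` block is missing its `=`: the shell sees `export FLEET_REDIS_PASSWORD<value>`, which, depending on the characters in the password, either fails with "not a valid identifier" and aborts the `&&` chain before `fleet prepare` runs, or exports an oddly named variable so Fleet connects to Redis with no password set; it should read `export FLEET_REDIS_PASSWORD=$( echo $VCAP_SERVICES | jq -r '.["aws-elasticache-redis"][].credentials.password') && \`. The unquoted `echo $VCAP_SERVICES` on every line is subject to word splitting and glob expansion, so `echo "$VCAP_SERVICES"` is safer, and `.["aws-rds"][]` / `.["aws-elasticache-redis"][]` emit one value per bound instance, which silently assumes exactly one binding of each service. The `host + ":" + port` concatenation for `FLEET_REDIS_ADDRESS` errors in jq if the platform ever returns `port` as a number rather than the string shown in the docs, so `(.port|tostring)` is the defensive form. The trailing hint to add `printenv && \` would write the MySQL and Redis passwords extracted here into the application log stream; that deserves a comment next to it, e.g. `# printenv also prints FLEET_MYSQL_PASSWORD and FLEET_REDIS_PASSWORD to the app logs; use only while debugging`. The stray trailing `"` on the commented `FLEET_OSQUERY_STATUS_LOG_PLUGIN"` and `FLEET_OSQUERY_RESULT_LOG_PLUGIN"` lines looks like a typo for `:`.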