From cc92f722c32b605e65337104d870436e167c075f Mon Sep 17 00:00:00 2001
From: agilecohix
Date: Wed, 18 Apr 2018 12:27:07 -0400
Subject: [PATCH 1/3] Added k8s README
---
 kubernetes/README.md | 63 ++++++++++++++++++++++++++++++
 kubernetes/op-scim-deployment.yaml | 4 +-
 kubernetes/op-scim-service.yaml | 9 ++++-
 kubernetes/redis-service.yaml | 2 +-
 4 files changed, 73 insertions(+), 5 deletions(-)
 create mode 100644 kubernetes/README.md
diff --git a/kubernetes/README.md b/kubernetes/README.md
new file mode 100644
index 0000000..3646118
--- /dev/null
+++ b/kubernetes/README.md
@@ -0,0 +1,63 @@
+# Deploying the 1Password SCIM Bridge on Kubernetes
+
+This example explains how to deploy the 1Passwrd SCIM bridge on Kubernetes running on Google Cloud Platform, but the basic principles can be applied to any Kubernetes cluster.
+
+## Create your DNS record
+
+The 1Password SCIM bridge requires SSL/TLS in order to communicate with your IdP. You must create a DNS record that points to your Kubernetes load balancer. This is a chicken and egg problem, as we need the load balancer before we can create the record. Please follow all of the steps until the load balancer has been created, then create your DNS record, but _do not attempt to perform a provisioning sync before the DNS records have been propogated_. The record must exist and the SCIM Bridge server must be running in order for LetsEncrypt to issue a certificate.
+
+## Deploy redis
+
+Use the `redis-deployment.yaml` and `redis.yaml` files with kubectl to deploy redis. If you have an existing redis instance, skip this step.
+
+Example:
+```
+kubectl apply -f redis-deployment.yaml
+kubectl apply -f redis.yaml
+```
+
+This will deploy a single redis instance listening on Kubernetes internal DNS `redis:6379`, which the SCIM Bridge will use for caching during operation. A redis instance is required when using the SCIM Bridge.
+
+## Create your `scimsession` Kubernetes secret
+
+Firstly, use the `create-session-file.sh` script on your local machine to create a scimsession file. This script uses a Docker container to run the `op-scim init` command and writes the scimsession file back to your local machine using a mounted volume. Your bearer token will be printed to the console.
+
+The scimsession file is equivalent to your account key and master password when combined with the bearer token, therefore they should never be stored in the same place.
+
+Example:
+```
+create-session-file.sh
+[account sign-in]
+Bearer token: jafewnqrrupcnoiqj0829fe209fnsoudbf02efsdo
+```
+This script is an interactive setup of your 1Password account. It is reccomended to save the bearer token in 1Password within an account _other than the provision manager's_.
+
+Next, we must create a Kubernetes secret containing the scimsession file. Using kubectl, we can read the scimsession file and create the secret in one command:
+```
+kubectl create secret generic scimsession --from-file=./scimsession
+```
+Make sure to pass the filepath of the scimsession file that was created by the `create-session-file.sh` script.
+
+## Deploy the SCIM bridge
+
+Using the `op-scim-deployment.yaml` and `op-scim-service.yaml` files, deploy the 1Password SCIM bridge to your Kubernetes cluster.
+
+NOTE: In order to obtain an SSL/TLS certificate for your SCIM Bridge instance, you must include a domain name in the `containers.args` field in the `op-scim-deployment.yaml` file. This will only succeed if a DNS record exists that points to your GCP load balancer. Please read the section about DNS records at the beginning of this example.
+
+NOTE: If you are using an existing redis instance that is not running on `redis:6379`, change the `--redis-host` and add a `--redis-port` flag to `containers.args` in the deployment yaml file.
+
+Example:
+```
+kubectl apply -f op-scim-deployment.yaml
+kubectl apply -f op-scim-service.yaml
+```
+
+These files configure the 1Password SCIM Bridge to connect to the redis instance indicated by the args, and it deploys a GCP load balancer to handle traffic on ports 80 and 443. Traffic on :80 is needed to perform the LetsEncrypt certificate challenges, after which all SCIM traffic will be served on :443
+
+NOTE: Port 80 on the load balancer is forwarded to :8080 on the SCIM Bridge, and port 443 is forwarded to :8443.
+
+At this point you should create your DNS record using the external IP address of the load balancer and wait for it to propogate.
+
+Once the record is propogated, you can test your instance by requesting `https://[your-domain]/scim/Users`, with the header `Authorization: Bearer [bearer token]` which should return a list of the users in your 1Password account.
+
+You can now continue with the administration guide to configure your IdP to enable provisioning with your SCIM Bridge.
diff --git a/kubernetes/op-scim-deployment.yaml b/kubernetes/op-scim-deployment.yaml
index b863d05..5fb5c9a 100644
--- a/kubernetes/op-scim-deployment.yaml
+++ b/kubernetes/op-scim-deployment.yaml
@@ -16,7 +16,7 @@ spec:
 - name: op-scim
 image: onepassword/scim:latest
 command: ["./op-scim"]
- args: ["--redis-host=redis-service", "--session=/secret/scimsession"]
+ args: ["--redis-host=redis-service", "--session=/secret/scimsession", "--letsencrypt-domain={YOUR-DOMAIN-HERE}"]
 ports:
 - containerPort: 3002
 volumeMounts:
@@ -25,7 +25,7 @@ spec:
 readOnly: false
 env:
 - name: update
- value: "1"
+ value: "2"
 volumes:
 - name: scimsession
 secret:
diff --git a/kubernetes/op-scim-service.yaml b/kubernetes/op-scim-service.yaml
index 86de807..33b225a 100644
--- a/kubernetes/op-scim-service.yaml
+++ b/kubernetes/op-scim-service.yaml
@@ -1,14 +1,19 @@ apiVersion: v1 kind: Service metadata: - name: op-scim-service + name: op-scim labels: app: op-scim spec: type: LoadBalancer ports: - protocol: TCP + name: tls port: 443 - targetPort: 3002 + targetPort: 8443 + - protocol: TCP + name: http port: 80 + targetPort: 8080 selector: app: op-scim
\ No newline at end of file
diff --git a/kubernetes/redis-service.yaml b/kubernetes/redis-service.yaml
index c6d47a1..8c96dc1 100644
--- a/kubernetes/redis-service.yaml
+++ b/kubernetes/redis-service.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: redis-service
+ name: redis
 labels:
 app: redis
 spec:
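Review bot: The container still declares `containerPort: 3002` (the context line right after the changed `args`), while `op-scim-service.yaml` in this same patch moves `targetPort` to 8443 and adds 8080, so the Deployment's port declaration no longer matches the ports the Service forwards to. Kubernetes does not enforce `containerPort`, but the stale value misleads anyone writing a NetworkPolicy or debugging the LetsEncrypt challenge; declare the ports the bridge now serves: `ports:` / `- containerPort: 8080` / `- containerPort: 8443`. The same stale 3002 is what the service hunk's `targetPort` lines replace, so fixing it here is enough. Separately, the unchanged `image: onepassword/scim:latest` leaves the deployed bridge version unpinned; a release tag or digest would make the rollout reproducible and keep a forced restart from pulling an unexpected build. The container spec continues outside the hunk.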
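Review bot: The `scimsession` secret volume is mounted with `readOnly: false` (first context line of this hunk); unless op-scim needs to write back to the session file, a secret mount should be `readOnly: true` so a compromised process cannot alter the credential it was started with. The bump of the `update` env var from `"1"` to `"2"` looks like a trick to force a new rollout rather than a setting the bridge consumes, but nothing in the manifest says so; a comment such as `# dummy value - bump to force a rollout of the pod template` above `- name: update` would stop the next reader from treating it as real configuration. The pod spec continues outside the hunk on both sides.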
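Review bot: The new `http` entry opens port 80 on a public LoadBalancer, and the README in this patch says that is only for the LetsEncrypt certificate challenge, but the manifest itself does not record that; a comment such as `# HTTP-01 challenge traffic for LetsEncrypt; SCIM requests are served on 443` above the `http` entry would document why plaintext is exposed. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint flags and which turns every future append into a two-line diff. The `name: op-scim` rename is fine in itself, but the README should be checked for any remaining reference to `op-scim-service`.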
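Review bot: The README added in this patch tells readers to run `kubectl apply -f redis.yaml`, but the redis Service manifest in the series is `redis-service.yaml`, so the documented steps cannot be followed as written. Either the README line should read `kubectl apply -f redis-service.yaml` or the file should be renamed to match. Renaming the Service to `redis` also changes its cluster DNS name, which the README relies on as `redis:6379`; the deployment's `--redis-host` argument is reconciled in the third patch of this series.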
From 35b1de554df9ab6970221adc6c1ebf9f63ca260c Mon Sep 17 00:00:00 2001
From: agilecohix
Date: Wed, 18 Apr 2018 13:20:04 -0400
Subject: [PATCH 2/3] Added kubernetes link to main README
---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/README.md b/README.md
index 0ed140b..7b06845 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,7 @@
 # 1Password.com SCIM Bridge deployment examples
 Here you can find configuration files and best practice instructions for deploying the 1Password SCIM Bridge on various public and priavte clouds.
+
+To deply on Kubernetes, read the [Kubernetes example](https://github.com/1Password/scim-examples/tree/master/kubernetes)
+
+More deployment examples are coming soon, including AWS, Docker Compose/Swarm, and bare metal.
From 975fddcb0efad55230047733daa6cba323caeef0 Mon Sep 17 00:00:00 2001
From: agilecohix
Date: Wed, 18 Apr 2018 13:22:09 -0400
Subject: [PATCH 3/3] Fixed redis host and port in example
---
 kubernetes/README.md | 2 +-
 kubernetes/op-scim-deployment.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kubernetes/README.md b/kubernetes/README.md
index 3646118..a63167c 100644
--- a/kubernetes/README.md
+++ b/kubernetes/README.md
@@ -44,7 +44,7 @@ Using the `op-scim-deployment.yaml` and `op-scim-service.yaml` files, deploy the
 NOTE: In order to obtain an SSL/TLS certificate for your SCIM Bridge instance, you must include a domain name in the `containers.args` field in the `op-scim-deployment.yaml` file. This will only succeed if a DNS record exists that points to your GCP load balancer. Please read the section about DNS records at the beginning of this example.
-NOTE: If you are using an existing redis instance that is not running on `redis:6379`, change the `--redis-host` and add a `--redis-port` flag to `containers.args` in the deployment yaml file.
+NOTE: If you are using an existing redis instance that is not running on `redis:6379`, add the `--redis-host=[host]` and `--redis-port=[port]` flags to `containers.args` in the deployment yaml file.
 Example:
 ```
diff --git a/kubernetes/op-scim-deployment.yaml b/kubernetes/op-scim-deployment.yaml
index 5fb5c9a..4f6f2ee 100644
--- a/kubernetes/op-scim-deployment.yaml
+++ b/kubernetes/op-scim-deployment.yaml
@@ -16,7 +16,7 @@ spec:
 - name: op-scim
 image: onepassword/scim:latest
 command: ["./op-scim"]
- args: ["--redis-host=redis-service", "--session=/secret/scimsession", "--letsencrypt-domain={YOUR-DOMAIN-HERE}"]
+ args: ["--session=/secret/scimsession", "--letsencrypt-domain={YOUR-DOMAIN-HERE}"]
 ports:
 - containerPort: 3002
 volumeMounts:
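Review bot: Dropping `--redis-host` leaves the redis address implicit; the README says the bridge reaches redis at `redis:6379`, which matches the Service renamed to `redis` in the first patch, but the manifest now depends on an op-scim built-in default without saying so. A comment above `args` such as `# redis is presumed to resolve as redis:6379 (redis-service.yaml); add --redis-host=/--redis-port= for an external instance` would keep that dependency visible. The `{YOUR-DOMAIN-HERE}` placeholder is likewise committed as a live argument, so applying the file unedited would presumably make the bridge attempt a certificate request for a literal placeholder; a comment such as `# replace {YOUR-DOMAIN-HERE} with the DNS name that points at the load balancer before applying` above `args` would flag it. The container spec continues outside the hunk.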