This repository has been archived by the owner on Aug 19, 2021. It is now read-only.

Release 04/15/2020

@mawinkler mawinkler released this 15 Apr 10:56
· 149 commits to master since this release

Top News - MOADSD-NG-SERVER and CONFIGURATOR

MOADSD-NG is now easier to set up and use! There is no longer any need for a dedicated Ansible server or for patching multiple YAML files to set up and manage the environment. We therefore proudly announce the new MOADSD-NG-SERVER and the CONFIGURATOR.

  • The MOADSD-NG-SERVER creates a Docker container with everything already built in to run and manage MOADSD-NG. It is designed to work on Mac OS X with Docker for Mac and on Linux. Windows support is pending but will likely come. Please follow the Link to the server and work quickly through the instructions.
  • With the help of the CONFIGURATOR, there is no need to edit multiple YAML files anymore. You only need to maintain a single file, which contains only the differences from the default values. Everything else is generated, and generation includes some checks for potential misconfiguration. The CONFIGURATOR is built into MOADSD-NG. An example configuration can be reviewed here: Link

Headline News

  • Updated the wiki to describe the setup and orchestration with Ansible using Python3. This update mainly covers changes to setting up the Ansible server itself.

  • Added a simple demo app Troopers for Jenkins & Smart Check demos.

  • Integrated Cloud One Application Security demo capabilities. For this, two additional apps were added.

  • Bumped Jenkins to version 2.204.2 LTS with chart 1.9.19

  • Our Jenkins is now able to manage GitHub WebHooks. To enable this you need to define the Personal Access Token from GitHub as a secret within Jenkins. This is done automatically by MOADSD-NG, but you need to define the token within your configuration.yml (site_secrets.yml) before running jenkins_create_credentials.yml.

    • jenkins_github_access_token: < GITHUB ACCESS TOKEN FOR JENKINS >

    Additionally, as of now, go to Manage Jenkins -> Configure System and down to 'GitHub Servers'. Hit 'Add GitHub Server'

    • Name - doesn't matter
    • API URL - https://api.github.com
    • Credentials - choose github-access-token
    • Manage Hooks - checked

    Hit 'Test Connection' to make sure everything is kosher.

  • GitLab on Kubernetes is now functional, finally! GitLab requires a load balancer to be available for the cluster, which in the case of MOADSD-NG needs to be cloud independent. For that reason, the cluster now provides one :). GitLab is currently only deployed and not preconfigured.

    • Ensure the following variables are defined in your configuration.yml (site_secrets.yml):
      • gitlab_runner_registration_token: <GITLAB RUNNER REGISTRATION TOKEN - YOU GET IT WITHIN GITLAB>
      • When first logging in to GitLab get the runners registration token and paste it to your site_secrets.yml. Then run deploy_gitlab_runnners.yml as usual.
  • The cluster registry and load balancer became an intrinsic component of the MOADSD-NG cluster. Therefore both are now always deployed when the Kubernetes cluster itself is deployed.

  • Introducing Prometheus and Grafana to MOADSD-NG! Prometheus as the default datasource is already preconfigured. Just add some dashboards from the Grafana library or use the ones provided in the dashboard-directory of MOADSD-NG.

  • Bumped Kubernetes to 1.17

    • Please re-fork the demo apps you're using, since the Kubernetes API has changed in 1.17. Alternatively, manually update the app.yml of the respective app.
  • Bumped Rook-Ceph to 1.2 and integrated the Ceph Dashboard

  • Created dedicated roles for Rook-Ceph and Helm.

  • MOADSD-NG is now defaulting to DSaaS.

    • Ensure the following variables are defined in your configuration.yml (site_secrets.yml):
      • deepsecurity_tenant_id: <DSaaS TENANT ID>
      • deepsecurity_token: <DSaaS TOKEN>
  • Integrated a new role for Open Policy Agent.

    • If you choose to deploy OPA, test cases to play with the rego policies are automatically created within the directory opa-tests on the Kubernetes master.
    • To enable OPA add site_deploy_opa: yes to your configuration.yml.
    • OPA by default is configured to allow all but you can deploy any rego policy you want.
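
An added pre-flight check, not part of MOADSD-NG, for the secret variables these notes ask you to define in configuration.yml (site_secrets.yml) before running the playbooks. It assumes the variables are flat top-level `key: value` lines; the function names and the sample file content are constructed for illustration.

```python
import re

# Secret variables named in these release notes, grouped by the feature that needs them.
REQUIRED = {
    "jenkins": ["jenkins_github_access_token"],
    "gitlab": ["gitlab_runner_registration_token"],
    "deepsecurity": ["deepsecurity_tenant_id", "deepsecurity_token"],
}

# A value still wrapped in <...> is the template placeholder, not a real secret.
PLACEHOLDER = re.compile(r"^<.*>$")
LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")


def parse_flat_yaml(text):
    """Parse top-level `key: value` lines only (assumed layout, not a full YAML parser)."""
    values = {}
    for raw in text.splitlines():
        if not raw or raw[0] in " \t#-":
            continue  # skip blank lines, comments, nested keys and list items
        m = LINE.match(raw.rstrip())
        if m:
            value = m.group(2).split(" #", 1)[0].strip().strip("'\"")
            values[m.group(1)] = value
    return values


def check_secrets(text, features=("jenkins", "gitlab", "deepsecurity")):
    """Return sorted (variable, problem) pairs; secret values are never echoed."""
    values = parse_flat_yaml(text)
    problems = []
    for feature in features:
        for name in REQUIRED[feature]:
            value = values.get(name)
            if value is None:
                problems.append((name, "missing"))
            elif value == "" or PLACEHOLDER.match(value):
                problems.append((name, "placeholder or empty"))
    return sorted(problems)


# Constructed sample configuration.yml content; every value is fake.
SAMPLE = """\
# constructed example
site_deploy_opa: yes
jenkins_github_access_token: < GITHUB ACCESS TOKEN FOR JENKINS >
deepsecurity_tenant_id: 00000000-EXAMPLE
deepsecurity_token: ""
"""
```

Calling `check_secrets(SAMPLE)` reports the variable names only, so its output is safe to paste into a ticket or CI log.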

The "one more thing" thing

  • patch_docker is not required anymore. After resuming the environment just run jenkins_create_credentials to renew the credentials and kubernetes config within Jenkins.
  • terminate now just terminates everything besides the jumphost. This comes in handy if you are using publicly trusted certificates. When recreating the environment, just execute site as usual. The already existing jumphost will be reused. If you want to completely terminate the environment, execute terminate_site.
  • Streamlined the menu.
  • Cleanup for disassociated EIPs on AWS is now implemented.
  • Upgraded the instance types on AWS from t2 to t3, which improves site setup drastically.
  • Hopefully fixed the permission problems within Jenkins.
  • Jenkins is now using a better, self-made Jenkins JNLP Slave Docker Image, which is currently provided on my Docker Hub. The build playbook is within roles/jenkins/tasks.
  • Fixed the unnecessary and breaking space within the Jenkins slave pod label.
  • GitLab on Docker is now removed.