YAML based configuration automation for IBM Security Verify Access
Project description
IBM Security Verify Access Configuration Automation
This repository is used to configure IBM Security Verify Access (ISVA) using a yaml file of the required configuration.
This project aims to be idempotent, ie if the configuration is run multiple times on the same appliance it should not break and should pick up any configuration changes in the yaml configuration file.
Documentation
Documentation for using this library can be found on Verify Access Automated Configurator's GitHub pages.
Example deployments
To get started several example deployments are available in the Examples directory. The example yaml files must be updated with deployment specific parameters, usually this is network addresses and ISVA activation codes.
Setup
Environment
ISVA_CONFIG_BASE= directory which contains the YAML configuration file as well as any http template pages, PKI, mapping rules, ect.ISVA_CONFIG_YAML= path to ISVA configuration yaml file. Path should be relative toISVA_CONFIG_BASEISVA_MGMT_BASE_URL= address to access ISVA LMI, eg. https://<isva appliance>:<isva port>. This property can also be specified in the configuration yaml file. If present, this property will take precedence.ISVA_MGMT_USER= The user to perform configuration as. If not supplied theadminuser is used.ISVA_MGMT_PWD= administrator password for the administrator account performing configuration. This property can also be specified in the configuration yaml file. If present, this property will take precedence.ISVA_MGMT_OLD_PWD= if a password change for the administrator account (eg. from the default) is required, the old password can be specified with this environment variable. If present the administrator's password will be changed fromMGMT_OLD_PASSWORDtoMGMT_PASSWORDISVA_KUBERNETES_YAML_CONFIG(optional) = path to Kubernetes configuration yaml for kubernetes deployments.- Note: If your kubernetes cluster requires mutual authentication (TLS) then a pem certificate file must also be available to ISVA Configurator
- Note: When run from a Kubernetes cluster a Service Account can be used in place of a YAML configuration file
Deployment
Local environment
IBM Security Verify Access Configuration Automation is simple to run locally.
- First the required python packages are installed from PyPi.
- Set the required environment variables
- a python interactive shell or python script can be used to configure appliances:
>>> import verify_access_autoconf
>>> verify_access_autoconf.configurator.configure()
Docker
IBM Security Verify Access Automated Configurator can also be run within a docker container. Use to Dockerfile to build a local docker image.
The docker container can be built and run with the following command executed from the top level directory of the configurator source code. When starting the container the required environment variables must be set and the docker container must be able to route to the ISVA appliances/containers which are to be configured.
docker build --no-cache --force-rm -t verify-access-configurator .
docker run --volume /path/to/config/yaml:/config --env "ISVA_CONFIGURATION_BASE_DIR=/config" --env ISVA_MGMT_BASE_URL="https://<mgmt address>:<mgmt port>" --env "ISVA_MGMT_PASSWORD=Passw0rd1!" verify-access-configurator
Kubernetes
IBM Security Verify Access Automated Configurator can be run from within a Kubernetes cluster. This is useful if there are routing issues between the deployment host and the kubernetes external addresses this option will allow for configuration using the kubernetes internal network.
Here is an example Kubernetes batch" object which deploys a container to apply a configuration to a cluster.
note This requires a user to create the
verify-configConfigMap object with the required configuration files plus any additional Secrets which are referenced.
apiVersion: batch/v1
kind: Job
metadata:
name: verify-access-configurator
spec:
template:
spec:
containers:
- name: verify-access-configurator
image: python3:latest
command: ["python3", "-m", "verify_access_autoconf"]
volumeMounts:
- name: verify-access-config
mountPath: /verify_access_config
env:
- name: ISVA_CONFIG_BASE
value: "/verify_access_config"
- name: ISVA_MGMT_BASE_URL
value: "https://isamconfig:9443"
- name: ISVA_MGMT_PASSWORD
value: "Passw0rd1!"
- name: ISVA_CONFIGURATOR_LOG_LEVEL
value: "ALL"
restartPolicy: Never
volumes:
- name: verify-access-config
configMap:
name: verify-access-config
initContainers:
- name: install-verify-access-autoconf
image: python3:latest
command: ["bash", "-c", "pip3 install verify-access-autoconf"]
backoffLimit: 4
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file verify_access_autoconf-0.3.5.tar.gz.
File metadata
- Download URL: verify_access_autoconf-0.3.5.tar.gz
- Upload date:
- Size: 78.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.11.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | df312480a8e22a89fdff0b110f78f604199c1131da4d10649fb8bced724ba8e2 |
|
| MD5 | a10236b101ca647a35bdfbe57c0f04a5 |
|
| BLAKE2b-256 | 544cd8f36e9823bdb2c2c3384a414a8cd97b5afa2163fd9cdb4cf14d76b13b01 |
File details
Details for the file verify_access_autoconf-0.3.5-py3-none-any.whl.
File metadata
- Download URL: verify_access_autoconf-0.3.5-py3-none-any.whl
- Upload date:
- Size: 81.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.11.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 7aa80e64ebd49e89d83f913e4086f62889f9689dfe0daa0084b4926dae13c622 |
|
| MD5 | dfdde63d09e93fa74774da4240284ca8 |
|
| BLAKE2b-256 | beb2321d45ca418de6c00cb93b19c807a34f52b9b0a08e3d91c19c834b535ac7 |
