From 3a52a47869c4b71f59e15e448098bf4b40e704d9 Mon Sep 17 00:00:00 2001
From: siasin
Date: Tue, 17 Sep 2024 17:26:42 +0200
Subject: [PATCH] update secret baseline

---
 .secrets.baseline | 58 +++-
 platform/ecs/README-ecs-compose-x.md | 189 ++++++++++
 .../docker-compose-http-service-connect.yaml | 325 ++++++++++++++++++
 3 files changed, 567 insertions(+), 5 deletions(-)
 create mode 100644 platform/ecs/README-ecs-compose-x.md
 create mode 100644 platform/ecs/docker-compose-http-service-connect.yaml

diff --git a/.secrets.baseline b/.secrets.baseline
index 89b88ec..77f884a 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2024-08-27T06:40:44Z",
+ "generated_at": "2024-09-17T15:24:13Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -310,7 +310,6 @@
 "authentication/Keycloak/openldap/ldap-custom-ssl-secret.yaml": [
 {
 "hashed_secret": "470bf8b666f65eb413930e55a2153b2e6d6334b0",
- "is_secret": false,
 "is_verified": false,
 "line_number": 8,
 "type": "Base64 High Entropy String",
@@ -318,7 +317,6 @@
 },
 {
 "hashed_secret": "641ad3b66231e0f477088e711306cd1fdf1e5626",
- "is_secret": false,
 "is_verified": false,
 "line_number": 11,
 "type": "Base64 High Entropy String",
@@ -326,7 +324,6 @@
 },
 {
 "hashed_secret": "03b4a6482aeaf6e6aa3c2639db6e1c9b728e7b49",
- "is_secret": false,
 "is_verified": false,
 "line_number": 13,
 "type": "Base64 High Entropy String",
@@ -336,7 +333,6 @@
 "authentication/Keycloak/openldap/openldap-customldif.yaml": [
 {
 "hashed_secret": "3e6e3eece5e10a4c903489f501c049b2c54094c4",
- "is_secret": false,
 "is_verified": false,
 "line_number": 8,
 "type": "Base64 High Entropy String",
@@ -1205,6 +1201,58 @@
 "verified_result": null
 }
 ],
+ "platform/ecs/README-ecs-compose-x.md": [
+ {
+ "hashed_secret": "f7a650098d23ab9e1348956a181ad78def09fff4",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 56,
+ "type": "Secret Keyword",
+ "verified_result": null
+ },
+ {
+ "hashed_secret": "1d064a26284fe7e4a9162b75bc4910c073b6f20c",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 73,
+ "type": "Secret Keyword",
+ "verified_result": null
+ },
+ {
+ "hashed_secret": "ee6d75b0e9dd89083901685b135e7221f66acffe",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 83,
+ "type": "Secret Keyword",
+ "verified_result": null
+ }
+ ],
+ "platform/ecs/docker-compose-http-service-connect.yaml": [
+ {
+ "hashed_secret": "fd1daf2e350a06b865f4a1e17bb39183b806c1e9",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 106,
+ "type": "Secret Keyword",
+ "verified_result": null
+ },
+ {
+ "hashed_secret": "d70e5b0d083e6cc53e717156da879907f191e036",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 241,
+ "type": "Secret Keyword",
+ "verified_result": null
+ },
+ {
+ "hashed_secret": "018f4d7f06cb8626e1756452581373e05ae41c56",
+ "is_secret": false,
+ "is_verified": false,
+ "line_number": 256,
+ "type": "Secret Keyword",
+ "verified_result": null
+ }
+ ],
 "platform/eks/README.md": [
 {
 "hashed_secret": "8b712744eee080d5fe6048e4f589235d00435559",
diff --git a/platform/ecs/README-ecs-compose-x.md b/platform/ecs/README-ecs-compose-x.md
new file mode 100644
index 0000000..e7e50a6
--- /dev/null
+++ b/platform/ecs/README-ecs-compose-x.md
@@ -0,0 +1,189 @@ +# 1. Pre-requisite + +To deploy ODM containers on AWS ECS Fargate from docker-compose files, you must meet the following requirements: + + * Install the latest version of [AWS Cli](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html). + * Install the latest version of Podman. + * Ensure you have an [AWS Account](https://aws.amazon.com/getting-started/). + * Ensure that you have python3.6+ and later version. + * Install [ECS Compose-x](https://github.com/compose-x/ecs_composex?tab=readme-ov-file#installation), preferably in a virtual environment. + * Ensure that you have an existing internet-facing Elastic Load balancer and a VPC with public subnets [setup](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-manage-subnets.html). + +# 2. Prepare your environment for the ODM installation + +## Login to AWS + +``` +export REGION= +export AWSACCOUNTID= +aws ecr get-login-password --region ${REGION} | podman login --username AWS --password-stdin ${AWSACCOUNTID}.dkr.ecr.${REGION}.amazonaws.com +``` + +## Create RDS Database +``` +aws rds create-db-instance \ + --db-instance-identifier "odm-rds" \ + --db-name "odmdb" \ + --engine 'postgres' \ + --engine-version '13' \ + --auto-minor-version-upgrade \ + --allocated-storage 50 \ + --max-allocated-storage 100 \ + --db-instance-class 'db.t3.large' \ + --master-username "odmusername" \ + --master-user-password "odmpassword" \ + --port "5432" \ + --publicly-accessible \ + --storage-encrypted \ + --tags Key=project,Value=odm +``` + +## Create a secret for the Entitled registry +To get access to the ODM material, you must have an IBM entitlement registry key to pull the images from the IBM Entitled registry. +It will be used in the next step of this tutorial. + +### a. 
Retrieve your entitled registry key + - Log in to [MyIBM Container Software Library](https://myibm.ibm.com/products-services/containerlibrary) with the IBMid and password that are associated with the entitled software. + + - In the Container software library tile, verify your entitlement on the View library page, and then go to *Get entitlement key* to retrieve the key. + +### b. Create a JSON file + +Create a `token.json` file with that format. +```json +{ + "username":"cp", + "password":"" +} +``` + +### c. Create the secret in ASW Secrets Manager: + +- Create the secret using the following AWS Cli command. For more information, see [Create an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html). + +``` +aws secretsmanager create-secret \ + --name IBMCPSecret \ + --secret-string file://token.json +``` + +*Result*: +``` +{ + "ARN": "arn:aws:secretsmanager:::secret:IBMCPSecret-YYYYY", + "Name": "IBMCPSecret", + "VersionId": "..." +} +``` +- Note down the secret's ARN. You will assign it to the `x-aws-pull_credentials` custom extension along with the image URI of the ODM service in the docker-compose file. +For example: +``` + my-odm-decisioncenter: + image: cp.icr.io/cp/cp4a/odm/odm-decisioncenter:8.12.0.1-amd64 + x-aws-pull_credentials: "arn:aws:secretsmanager:::secret:IBMCPSecret-YYYYY" + ... +``` +## Create S3 bucket and IAM policy for IBM licensing service + +- Make sure to create a S3 buckets in AWS for storing the IBM software license usage data. The name of the bucket must follow the `ibm-license-service-` pattern. + +- Add a new IAM policy with read and write access, and define it on the S3 bucket. 
+ +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Statement1", + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:GetObject" + ], + "Resource": "arn:aws:s3:::ibm-license-service-/*" + } + ] +} +``` + +- You will assign this policy to the `x-aws-policies` custom extension of each service in the docker-compose file. +``` + x-aws-policies: + - arn:aws:iam:::policy/ +``` + +For more information, see [Tracking license usage on AWS ECS Fargate](https://www.ibm.com/docs/en/cloud-paks/foundational-services/3.23?topic=platforms-tracking-license-usage-aws-ecs-fargate). + + +## Initialize ECS Compose-X + +You will need to setup some permissions to validate the templates with AWS CloudFormation, Lookup AWS resources and etc when using ECS Compose-X commands. For more information about the configuration, see [AWS Account configuration](https://github.com/compose-x/ecs_composex/blob/main/docs/requisites.rst#aws-account-configuration) and [Permissions to upload files to S3](https://github.com/compose-x/ecs_composex/blob/main/docs/requisites.rst#permissions-to-upload-files-to-s3). If your AWS account has administrator permissions, then it is not required to do so. + +Upon setting up the appropriate permissions, run this command which enables some ECS settings and create a default S3 bucket [required by ECS Compose-X](https://github.com/compose-x/ecs_composex/blob/main/docs/requisites.rst#aws-ecs-settings): +``` +ecs-compose-x init +``` + +Result: +``` +2024-06-19 11:39:37 [ INFO] ECS Setting awsvpcTrunking set to 'enabled' +2024-06-19 11:39:37 [ INFO] ECS Setting serviceLongArnFormat set to 'enabled' +2024-06-19 11:39:37 [ INFO] ECS Setting taskLongArnFormat set to 'enabled' +2024-06-19 11:39:37 [ INFO] ECS Setting containerInstanceLongArnFormat set to 'enabled' +2024-06-19 11:39:37 [ INFO] ECS Setting containerInsights set to 'enabled' +2024-06-19 11:39:38 [ INFO] Bucket ecs-composex-- successfully created. 
+``` + +*NOTE*: A S3 bucket will automatically be created. It is used to store the generated CFN templates when running `ecs-compose-x` commands. + +# 3. Deploy ODM to AWS ECS Fargate + +## a. Edit docker-compose.yaml + +- Download the [docker-compose.yaml](docker-compose.yaml) and save this content in your working dir. +- Edit the file and assign the appropriate values in the all ``. + +## b. Create the AWS CloudFormation stacks + +- Run the following command to generate the AWS CloudFormation (CFN) templates, validate the templates, and create the stacks in CFN. + +``` +ecs-compose-x up -n -b -f docker-compose-http-service-connect.yaml -d outputdir +``` + +- Sign in to the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation/home?) to monitor the stacks (root, CloudMap, IAM, elbv2, service networking, and ODM) creation status. + +- If all the stacks complete without error, access to [Elastic Container Service](https://console.aws.amazon.com/ecs/v2/home?) to look for the newly created cluster named ``. + +- Click on the cluster and you shall find the service with ODM and IBM licensing service containers running: + +## c. Access ODM services: + +- Access to [EC2 Loadbalancer](https://console.aws.amazon.com/ec2/home?#LoadBalancers:) console. +- Click on the load balancer that you have defined in your docker-compose file. +- Verify that the listener rules for the ODM services are added and the target groups are in healthy state. +- Copy the loadbalancer DNS name. +- The URLs for the ODM components are as follows: + - http://:81/decisioncenter + - http://:81/res + - http://:81/DecisionService + - http://:81/DecisionRunner + + +## 4. Cleaup AWS CloudFormation stack + +To remove the base stack and its nested stack, there are 2 options. + +### 1. AWS CloudFormation console: +- Access to the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation/home?). +- Select the base stack `` and click `Delete` button. + +### 2. 
AWS Cli command + +```console +aws --region cloudformation delete-stack \ +--stack-name +``` + + + diff --git a/platform/ecs/docker-compose-http-service-connect.yaml b/platform/ecs/docker-compose-http-service-connect.yaml new file mode 100644 index 0000000..3f76467 --- /dev/null +++ b/platform/ecs/docker-compose-http-service-connect.yaml 
@@ -0,0 +1,325 @@ +version: "3.8" + +# To create a namespace in CloudMap required by Service Connect +x-cloudmap: + PrivateNamespace: + Name: odm-namespace + +# To declare that the network for the ODM applications is via PublicSubnets +networks: + application: + x-vpc: PublicSubnets + +# To use an existing VPC +x-vpc: + Lookup: + VpcId: + Tags: + - Name: + AppSubnets: {} + PublicSubnets: + Tags: + - : + PrivateSubnets: {} + StorageSubnets: {} + +# To setup Listener rules on existing internet-facing Loadbalancer +x-elbv2: + public-alb: + Lookup: + loadbalancer: + Tags: + Name: + MacroParameters: + Ingress: + ExtSources: + - IPv4: "0.0.0.0/0" + Description: ANY + Properties: + Scheme: internet-facing + Type: application + Listeners: + # Declare a HTTP port and the access paths for each ODM components + - Port: 81 + Protocol: HTTP + Targets: + - name: odm:my-odm-decisionserverconsole + access: /res + - name: odm:my-odm-decisionserverconsole + access: /res/* + - name: odm:my-odm-decisioncenter + access: /decisioncenter + - name: odm:my-odm-decisioncenter + access: /decisioncenter/* + - name: odm:my-odm-decisioncenter + access: /decisioncenter-api/* + - name: odm:my-odm-decisionrunner + access: /DecisionRunner + - name: odm:my-odm-decisionrunner + access: /DecisionRunner/* + - name: odm:my-odm-decisionserverruntime + access: /DecisionService + - name: odm:my-odm-decisionserverruntime + access: /DecisionService/* + Services: + odm:my-odm-decisionserverconsole: + port: 9080 + protocol: HTTP + healthcheck: 9080:HTTP:/res/login.jsf:200 + odm:my-odm-decisioncenter: + port: 9060 + protocol: HTTP + healthcheck: 9060:HTTP:/decisioncenter/healthCheck:200 + odm:my-odm-decisionrunner: + port: 9081 + protocol: HTTP + healthcheck: 9081:HTTP:/DecisionRunner:302 + odm:my-odm-decisionserverruntime: + port: 9082 + protocol: HTTP + healthcheck: 9082:HTTP:/DecisionService:302 + +services: + my-odm-decisionserverconsole: + image: 
cp.icr.io/cp/cp4a/odm/odm-decisionserverconsole:8.12.0.1-amd64 + x-aws-pull_credentials: "arn:aws:secretsmanager:eu-west-3::secret:IBMCPSecret-XXXXXX" + # Optional: Set to true, to enable execute command and access the container + x-ecs: + EnableExecuteCommand: true + # To enable Service Connect with "Client and server" option + x-network: + AssignPublicIp: true + x-ecs_connect: + MacroParameters: + service_ports: + tcp_1883: + DnsName: my-odm-decisionserverconsole + CloudMapServiceName: odm-decisionserverconsole-service + x-cloudmap: PrivateNamespace + restart: always + networks: + - application + ports: + - 9080 + - 1883/tcp + environment: + - USERS_PASSWORD=odmAdmin + - HTTP_PORT=9080 + - DB_TYPE=postgres + - DB_USER=YYYYYY + - DB_PASSWORD=XXXXXX + - DB_NAME=odmdb + - DB_SERVER_NAME=odm-rds.XXXXXX.REGION.rds.amazonaws.com + labels: + - productName=IBM Operational Decision Manager + - productID=e32af5770e06427faae142993c691048 + - productVersion=8.12.0.1 + - productMetric=FREE + - productChargedContainers=decisionserverconsole + logging: + driver: "awslogs" + x-aws-policies: + - arn:aws:iam:::policy/ + deploy: + resources: + limits: + cpus: '1' + memory: 512M + reservations: + cpus: '0.5' + memory: 512M + labels: + ecs.task.family: odm + expose: + - 1883/tcp + healthcheck: + test: ["CMD", "curl", "-k", "-f", "http://localhost:9080/res/login.jsf"] + interval: 30s + timeout: 5s + retries: 5 + start_period: 50s + + my-odm-decisioncenter: + image: cp.icr.io/cp/cp4a/odm/odm-decisioncenter:8.12.0.1-amd64 + x-aws-pull_credentials: "arn:aws:secretsmanager:eu-west-3::secret:IBMCPSecret-XXXXXX" + x-ecs: + EnableExecuteCommand: true + restart: always + networks: + - application + environment: + - DECISIONSERVERCONSOLE_PORT=9080 + - DECISIONRUNNER_PORT=9081 + - HTTP_PORT=9060 + - DECISION_MODEL_DISABLED=true + - DB_TYPE=postgres + - DB_USER=YYYYYY + - DB_PASSWORD=XXXXXX + - DB_NAME=odmdb + - DB_SERVER_NAME=odm-rds.XXXXXX.REGION.rds.amazonaws.com + + logging: + driver: 
"awslogs" + x-aws-policies: + - arn:aws:iam:::policy/ + ports: + - 9060 + labels: + - productName=IBM Operational Decision Manager + - productID=b1a07d4dc0364452aa6206bb6584061d + - productVersion=8.12.0.1 + - productMetric=PROCESSOR_VALUE_UNIT + - productChargedContainers=decisioncenter + deploy: + replicas: 1 + resources: + limits: + cpus: '2' + memory: 4G + reservations: + cpus: '1' + memory: 1G + labels: + ecs.task.family: odm + healthcheck: + test: ["CMD", "curl", "-k", "-f", "http://localhost:9060/decisioncenter/healthCheck"] + interval: 30s + timeout: 5s + retries: 5 + start_period: 50s + + my-odm-decisionrunner: + image: cp.icr.io/cp/cp4a/odm/odm-decisionrunner:8.12.0.1-amd64 + x-aws-pull_credentials: "arn:aws:secretsmanager:eu-west-3::secret:IBMCPSecret-XXXXXX" + x-ecs: + EnableExecuteCommand: true + restart: always + networks: + - application + labels: + - productName=IBM Operational Decision Manager - Non Prod + - productID=e32af5770e06427faae142993c691048 + - productVersion=8.12.0.1 + - productMetric=PROCESSOR_VALUE_UNIT + - productChargedContainers=decisionrunner + depends_on: + my-odm-decisionserverconsole: + condition: service_healthy + environment: + - RES_URL=http://test-odm-odm-decisioncenter-alb-540600390.eu-west-3.elb.amazonaws.com:81/res + - HTTP_PORT=9081 + - DB_TYPE=postgres + - DB_USER=YYYYYY + - DB_PASSWORD=XXXXXX + - DB_NAME=odmdb + - DB_SERVER_NAME=odm-rds.XXXXXX.REGION.rds.amazonaws.com + logging: + driver: "awslogs" + x-aws-policies: + - arn:aws:iam:::policy/ + ports: + - 9081 + deploy: + resources: + limits: + cpus: '1' + memory: 1G + reservations: + cpus: '1' + memory: 1G + labels: + ecs.task.family: odm + healthcheck: + test: ["CMD", "curl", "-k", "-f", "http://localhost:9081/DecisionRunner"] + interval: 30s + timeout: 5s + retries: 5 + start_period: 50s + + my-odm-decisionserverruntime: + image: cp.icr.io/cp/cp4a/odm/odm-decisionserverruntime:8.12.0.1-amd64 + x-aws-pull_credentials: 
"arn:aws:secretsmanager:eu-west-3::secret:IBMCPSecret-XXXXXX" + x-network: + Ingress: + Services: + - Name: odm:my-odm-decisionserverconsole + x-ecs: + EnableExecuteCommand: true + restart: always + networks: + - application + environment: + - DECISIONSERVERCONSOLE_NAME=my-odm-decisionserverconsole + - HTTP_PORT=9082 + - DB_TYPE=postgres + - DB_USER=YYYYYY + - DB_PASSWORD=XXXXXX + - DB_NAME=odmdb + - DB_SERVER_NAME=odm-rds.XXXXXX.REGION.rds.amazonaws.com + labels: + - productName=IBM Operational Decision Manager + - productID=b1a07d4dc0364452aa6206bb6584061d + - productVersion=8.12.0.1 + - productMetric=PROCESSOR_VALUE_UNIT + - productChargedContainers=decisionserverruntime + logging: + driver: "awslogs" + x-aws-policies: + - arn:aws:iam:::policy/ + depends_on: + my-odm-decisionserverconsole: + condition: service_healthy + ports: + - 9082 + deploy: + resources: + limits: + cpus: '1' + memory: 1G + reservations: + cpus: '1' + memory: 1G + labels: + ecs.task.family: odm + healthcheck: + test: ["CMD", "curl", "-k", "-f", "http://localhost:9082/DecisionService"] + interval: 30s + timeout: 5s + retries: 5 + start_period: 50s + + # IBM License Service - https://www.ibm.com/docs/en/was-liberty/base?topic=container-tracking-liberty-license-use-aws-ecs-fargate + ibm-license-usage-logger-for-fargate: + image: quay.io/opencloudio/ibm-license-usage-logger-for-fargate:latest + x-ecs: + EnableExecuteCommand: true + restart: always + networks: + - application + labels: + - productID=33687f02f10b4475aa7236f4cd2f94e6 + - productMetric=FREE + - productName="IBM License Usage Logger for Fargate" + environment: + - AWS_S3_BUCKET_NAME=ibm-license-service- + - AWS_S3_HTTPS_ENABLED=true + logging: + driver: "awslogs" + x-aws-policies: + - arn:aws:iam:::policy/ + deploy: + resources: + limits: + cpus: '1' + memory: 512M + reservations: + cpus: '0.5' + memory: 512M + labels: + ecs.task.family: odm + healthcheck: + test: ["CMD-SHELL", "./check-health.sh || exit 1"] + interval: 30s + 
timeout: 10s + retries: 5 + start_period: 300s/Users/siasintay/work/odm-k8s/odm-docker-kubernetes/cpsecret.json \ No newline at end of file
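Review bot: The last line of the new file fuses a local workstation path onto the licensing logger's healthcheck (`start_period: 300s/Users/siasintay/work/odm-k8s/odm-docker-kubernetes/cpsecret.json`, with no newline at end of file), which is not a valid duration for `start_period` and leaks a path from the author's machine into the sample; it should read `start_period: 300s` followed by a newline. In `my-odm-decisionrunner`, `RES_URL` still carries a concrete ALB hostname (`test-odm-odm-decisioncenter-alb-540600390.eu-west-3.elb.amazonaws.com`) while every other environment-specific value in the file is a placeholder, so it should be replaced by a placeholder as well. `USERS_PASSWORD=odmAdmin` and the `DB_PASSWORD` entries are plain `environment` values, which end up in clear text in the generated task definitions and CloudFormation templates; for a deployable sample the credentials are better supplied through ECS Compose-X's `x-secrets` extension (Secrets Manager) than baselined as `is_secret: false` in `.secrets.baseline`. Since the ALB ingress is `0.0.0.0/0` on plain HTTP port 81 and `EnableExecuteCommand: true` is set on every service, a header comment stating that these settings are for evaluation only and must be tightened before use in any shared environment would help readers of the sample.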