@micahlee
Last active January 15, 2019 16:12
CF Policy Updates

Policy for CF structure

  1. Define and load policy branch for Cloud Foundry

    # cf.yml
    - !policy
       id: cf
       annotations:
         description: Base policy branch for all Cloud Foundry resources
    $ conjur policy load root cf.yml
    Loaded policy 'root'
    {
      "created_roles": {
      },
      "version": 1
    }
  2. Define and load the policy branches for the foundation, organization, and space. Each level gets its own layer (the id-less `!layer` takes the id of the enclosing policy), and the space layer is granted membership in the organization layer, so privileges given to the organization layer are inherited by the space and everything in it

    # foundation.yml
    - !policy
      id: MyFoundation
      body:
      - !policy
        id: MyOrganization
        body:
        - !layer
          annotations:
            # Optional, forward looking to CF authenticator
            cf-guid: 09a605e5-0a62-4d30-86d2-e70500389716
        
        - !policy
          id: MySpace
          body:
          - !layer
            annotations:
              # Optional, forward looking to CF authenticator
              cf-guid: cffde7d1-9778-42e3-9ad0-2751525edc6b
          
        # Add the space layer to the organization layer
        - !grant
          role: !layer
          member: !layer MySpace
    $ conjur policy load cf foundation.yml
    Loaded policy 'cf'
    {
      "created_roles": {
      },
      "version": 1
    }
  3. Define and load policy for the application

    # application.yml
    - !policy
      id: MyApplication
      body: 
      - !layer
        annotations:
          # Optional, forward looking to CF authenticator
          cf-guid: 58ff95fd-6efe-42b0-abdc-4fb76d1f7917
      
    # Add the application layer to the space: the id-less !layer here is the
    # layer of the branch this file is loaded into (MySpace)
    - !grant
      role: !layer
      member: !layer MyApplication
    $ conjur policy load cf/MyFoundation/MyOrganization/MySpace application.yml
    {
      "created_roles": {
      },
      "version": 1
    }

Policy for Service Broker credentials

Each space needs its own service broker host and the CF Cloud Controller API credentials that host uses. Both live in the space's policy branch, so the credentials are scoped to the space and only the broker host in that space can read them.

  1. Define and load the policy for the service broker host and the Cloud Controller credentials it uses
    # service-broker.yml
    - !host conjur-service-broker

    - &variables
      - !variable cloud-controller-id
      - !variable cloud-controller-secret

    # Only the broker host may fetch the Cloud Controller credentials;
    # the role id must match the host defined above
    - !permit
      resource: *variables
      privileges: [ read, execute ]
      role: !host conjur-service-broker
    $ conjur policy load cf/MyFoundation/MyOrganization/MySpace service-broker.yml
    Loaded policy 'cf/MyFoundation/MyOrganization/MySpace'
    {
      "created_roles": {
        "cucumber:host:cf/MyFoundation/MyOrganization/MySpace/conjur-service-broker": {
          "id": "cucumber:host:cf/MyFoundation/MyOrganization/MySpace/conjur-service-broker",
          "api_key": "zgz40h8kzm4t3y6zwsw3fjap0m1rg0kmj7t5syr3ehdec5deqpg5"
        }
      },
      "version": 3
    }

Service Broker Binding Policy

When an application is bound to the service broker, the broker adds a host named after the binding ID to the application's layer. The host's API key appears once, in the `created_roles` section of the policy load output, and is what the bound application uses to authenticate to Conjur as that host; a second load of the same binding policy creates no role and returns no key.

# binding.yml
- !host 7a261501-e0c9-4f27-9c55-3943b0e6cabe # Binding ID

- !grant
  role: !layer
  member: !host 7a261501-e0c9-4f27-9c55-3943b0e6cabe
$ conjur policy load cf/MyFoundation/MyOrganization/MySpace/MyApplication binding.yml
Loaded policy 'cf/MyFoundation/MyOrganization/MySpace/MyApplication'
{
  "created_roles": {
    "cucumber:host:cf/MyFoundation/MyOrganization/MySpace/MyApplication/7a261501-e0c9-4f27-9c55-3943b0e6cabe": {
      "id": "cucumber:host:cf/MyFoundation/MyOrganization/MySpace/MyApplication/7a261501-e0c9-4f27-9c55-3943b0e6cabe",
      "api_key": "3y02nay2tpbdpr197wnntsbq6pp2s3y9k7yptdf8x4dzgtytfcp"
    }
  },
  "version": 1
}
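As an added example (not code from the gist, nor from any Conjur service broker), the bind flow from the last two sections in Python: it builds the policy branch id from the foundation, organization, space and application names of the first section, renders the binding policy above for a given binding ID, loads it through the Conjur v5 REST API (POST to `/policies/{account}/policy/{branch}`, the append behaviour of `conjur policy load`), and pulls the new host's API key out of the `created_roles` response. Because the binding ID arrives from Cloud Foundry and is placed directly into policy YAML, it is checked against the CF GUID shape first; anything else would be policy-language injection. The appliance URL, the account name (`cucumber`, as in the page's output) and the broker login are assumptions, and the sample response in the demo is constructed from the output shown on the page.

```python
"""Added example: a minimal service-broker 'bind' handler for the policy layout
shown on the page. Appliance URL, account and broker login are assumptions."""
import base64
import json
import re
import urllib.parse
import urllib.request

# A CF binding ID is interpolated straight into policy YAML, so it must match the
# exact CF GUID shape; a value carrying a newline and "- !permit ..." would
# otherwise become part of the policy document.
CF_GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
# Foundation/org/space/application names become policy id path segments.
ID_SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")


def validate_guid(guid: str) -> str:
    if not CF_GUID.fullmatch(guid):
        raise ValueError(f"not a CF GUID: {guid!r}")
    return guid


def branch_path(*segments: str) -> str:
    """Policy branch id under the 'cf' base branch, e.g.
    branch_path("MyFoundation", "MyOrganization", "MySpace", "MyApplication")."""
    for seg in segments:
        if not ID_SEGMENT.fullmatch(seg):
            raise ValueError(f"unsafe policy id segment: {seg!r}")
    return "/".join(("cf",) + segments)


def render_binding_policy(binding_id: str) -> str:
    """The binding policy from the page: a host named after the binding, granted
    membership in the id-less !layer, i.e. the layer of the branch it is loaded into."""
    binding_id = validate_guid(binding_id)
    return (
        f"- !host {binding_id} # Binding ID\n\n"
        "- !grant\n"
        "  role: !layer\n"
        f"  member: !host {binding_id}\n"
    )


def binding_credentials(account: str, app_branch: str, binding_id: str,
                        load_response: dict) -> dict:
    """Pick the new host's login and API key out of the policy load response.
    Conjur returns the API key only when the role is created, so a response with
    no created role (the binding already exists) is an error, not a retry."""
    role_id = f"{account}:host:{app_branch}/{binding_id}"
    created = load_response.get("created_roles", {})
    if role_id not in created:
        raise RuntimeError(f"policy load did not create {role_id}")
    return {"login": f"host/{app_branch}/{binding_id}",
            "api_key": created[role_id]["api_key"]}


def authenticate(appliance_url: str, account: str, login: str, api_key: str) -> str:
    """POST /authn/{account}/{login}/authenticate with the API key as the body;
    the returned token is sent base64-encoded in later Authorization headers."""
    url = f"{appliance_url}/authn/{account}/{urllib.parse.quote(login, safe='')}/authenticate"
    req = urllib.request.Request(url, data=api_key.encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return base64.b64encode(resp.read()).decode()


def load_policy(appliance_url: str, account: str, token: str, branch: str,
                policy_yaml: str) -> dict:
    """POST /policies/{account}/policy/{branch}: append to the branch, the same
    operation as `conjur policy load <branch> file.yml` without --replace."""
    url = f"{appliance_url}/policies/{account}/policy/{urllib.parse.quote(branch, safe='')}"
    req = urllib.request.Request(url, data=policy_yaml.encode(), method="POST",
                                 headers={"Authorization": f'Token token="{token}"'})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def bind(appliance_url, account, broker_login, broker_api_key, app_branch, binding_id):
    """Full bind: the broker authenticates as its own host (defined in the space
    branch) and loads the binding policy into the application branch."""
    policy = render_binding_policy(binding_id)
    token = authenticate(appliance_url, account, broker_login, broker_api_key)
    response = load_policy(appliance_url, account, token, app_branch, policy)
    return binding_credentials(account, app_branch, binding_id, response)


if __name__ == "__main__":
    # Offline demo; the response is constructed from the output shown on the page.
    app = branch_path("MyFoundation", "MyOrganization", "MySpace", "MyApplication")
    bid = "7a261501-e0c9-4f27-9c55-3943b0e6cabe"
    print(render_binding_policy(bid))
    sample = {"created_roles": {f"cucumber:host:{app}/{bid}": {
        "id": f"cucumber:host:{app}/{bid}",
        "api_key": "3y02nay2tpbdpr197wnntsbq6pp2s3y9k7yptdf8x4dzgtytfcp"}}, "version": 1}
    print(binding_credentials("cucumber", app, bid, sample))
```

The broker login passed to `bind` is the host created in the space branch, `host/cf/MyFoundation/MyOrganization/MySpace/conjur-service-broker`, which must itself have permission to load policy into the application branch; the GUID and segment checks are what keep Cloud Foundry supplied names from widening that permission into arbitrary policy statements.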
jtuttle commented Jan 15, 2019

Are the CF Cloud Controller API credentials meant to be for the auditor role? If so, shouldn't the "Service Broker Binding Policy" be using these credentials to retrieve the application name for the host instead of using the Binding GUID?
