From fda908ab9f4e1cdf75666064db1c7989857ce9c2 Mon Sep 17 00:00:00 2001 From: ale8k Date: Wed, 16 Oct 2024 09:30:57 +0100 Subject: [PATCH 1/7] Initial security hardening doc --- how-to/index.rst | 8 +++++ how-to/security_hardening.rst | 60 +++++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 how-to/security_hardening.rst diff --git a/how-to/index.rst b/how-to/index.rst index 616e8e2..cb7ce12 100644 --- a/how-to/index.rst +++ b/how-to/index.rst @@ -31,3 +31,11 @@ Observability :maxdepth: 1 Integrate with the Canonical Observability Stack + +Security +-------- + +.. toctree:: + :maxdepth: 1 + + Harden your JIMM deployment \ No newline at end of file diff --git a/how-to/security_hardening.rst b/how-to/security_hardening.rst new file mode 100644 index 0000000..a1d3bdc --- /dev/null +++ b/how-to/security_hardening.rst 
@@ -0,0 +1,60 @@ +JAAS: Security Hardening +======================= +JIMM, the service at the centre of JAAS can be hardened in a number of ways. This +document details how you can harden the security of your JAAS deployment. + +CORS +---- +To set CORS on JIMM, use the configuration option "cors-allowed-origins". + +LEGO & NGINX Ingress Integrator +------------------------ +The NGINX ingress integator is a a charm responsible for creating Kubernetes ingress rules, +these rules can be hardened via TLS and the charm provides a means to do so. See `here `__. + +Our LEGO charms provide certificates for charms from a desired ACME server and can be integrated +with the integrator to enable TLS at the ingress level. See `here `__. + +You will require a domain that your ACME is aware of and an nginx ingress controller installed +on your Kubernetes cluster. + +With JAAS deployed, you can deploy both LEGO and the Inregator, and integrate your LEGO charm deployment +to your ingress integrator, and then the ingress integrator to JIMM to enable TLS ingress for + +Identity Provider +----------------- +JAAS uses the Canonical Identity Platform for authentication. The communication between JAAS +and the identity platform can be secured via TLS. + +You will require the identity Platform and the self-signed-certificates charm deployed. +See `here `__ for deploying the identity platform. + +Your identity platform will require TLS enabled via the `self signed certificates charm `__. + +Using JIMM's receive-ca-cer integration, you can now relate to the self-signed-certificates charm +to enabled TLS between the identity platform and JIMM. + +OpenFGA +------- +JIMM uses OpenFGA for authorisation and currently, the OpenFGA charm does not support TLS. + +Vault +----- +TLS is enabled by default when communicating with the Vault charm. + +JIMM uses Vault for storing cloud credentials, JWKS, and other secrets. 
+ +Juju Controllers +---------------- +TLS is enabled by default when communicating with controllers. + +When adding a Juju controller to JIMM, the self signed certificate of the controller is given to +JIMM. + + +PostgreSQL +---------- +JIMM uses PostgreSQL as its persistent storage layer. The communication between PostgeSQL can be encrypted +via TLS. To enable TLS for charmed Postgresql you can follow this `guide `__. + + As of October 2024, you need to manually restart JIMM if you enable TLS on Postgres after having related the JIMM and PostgreSQL charms. From 52652c92ae7263c0c77231daf1ac86338ecfe78e Mon Sep 17 00:00:00 2001 From: ale8k Date: Wed, 16 Oct 2024 10:04:19 +0100 Subject: [PATCH 2/7] spelling checks --- .custom_wordlist.txt | 5 ++++- how-to/security_hardening.rst | 18 +++++++++--------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/.custom_wordlist.txt b/.custom_wordlist.txt index f00243c..4bdbbd2 100644 --- a/.custom_wordlist.txt +++ b/.custom_wordlist.txt @@ -12,6 +12,7 @@ CLI CN config CORS +cors CSRF Diátaxis DNS @@ -31,6 +32,8 @@ HMAC https IAM IdP +integrator +Integrator init installable JAAS @@ -119,4 +122,4 @@ webhook Websocket Xbox XSRF -YAML \ No newline at end of file +YAML diff --git a/how-to/security_hardening.rst b/how-to/security_hardening.rst index a1d3bdc..3437b1b 100644 --- a/how-to/security_hardening.rst +++ b/how-to/security_hardening.rst @@ -1,5 +1,5 @@ JAAS: Security Hardening -======================= +======================== JIMM, the service at the centre of JAAS can be hardened in a number of ways. This document details how you can harden the security of your JAAS deployment. 
@@ -8,17 +8,17 @@ CORS To set CORS on JIMM, use the configuration option "cors-allowed-origins". LEGO & NGINX Ingress Integrator ------------------------- -The NGINX ingress integator is a a charm responsible for creating Kubernetes ingress rules, +------------------------------- +The NGINX Ingress Integrator is a a charm responsible for creating Kubernetes ingress rules, these rules can be hardened via TLS and the charm provides a means to do so. See `here `__. Our LEGO charms provide certificates for charms from a desired ACME server and can be integrated with the integrator to enable TLS at the ingress level. See `here `__. -You will require a domain that your ACME is aware of and an nginx ingress controller installed +You will require a domain that your ACME is aware of and an NGINX ingress controller installed on your Kubernetes cluster. -With JAAS deployed, you can deploy both LEGO and the Inregator, and integrate your LEGO charm deployment +With JAAS deployed, you can deploy both LEGO and the integrator, and integrate your LEGO charm deployment to your ingress integrator, and then the ingress integrator to JIMM to enable TLS ingress for Identity Provider @@ -31,7 +31,7 @@ See `here `__. -Using JIMM's receive-ca-cer integration, you can now relate to the self-signed-certificates charm +Using JIMM's receive-ca-cert integration, you can now relate to the self-signed-certificates charm to enabled TLS between the identity platform and JIMM. OpenFGA 
@@ -54,7 +54,7 @@ JIMM. PostgreSQL ---------- -JIMM uses PostgreSQL as its persistent storage layer. The communication between PostgeSQL can be encrypted -via TLS. To enable TLS for charmed Postgresql you can follow this `guide `__. +JIMM uses PostgreSQL as its persistent storage layer. The communication between PostgreSQL can be encrypted +via TLS. To enable TLS for charmed PostgreSQL you can follow this `guide `__. - As of October 2024, you need to manually restart JIMM if you enable TLS on Postgres after having related the JIMM and PostgreSQL charms. + As of October 2024, you need to manually restart JIMM if you enable TLS on PostgreSQL after having related the JIMM and PostgreSQL charms. From 73aafa5305c964d300253a795401b2c2a8056d71 Mon Sep 17 00:00:00 2001 From: ale8k Date: Wed, 16 Oct 2024 10:10:33 +0100 Subject: [PATCH 3/7] pr comments --- how-to/security_hardening.rst | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/how-to/security_hardening.rst b/how-to/security_hardening.rst index 3437b1b..a2c7ed3 100644 --- a/how-to/security_hardening.rst +++ b/how-to/security_hardening.rst 
@@ -5,10 +5,18 @@ document details how you can harden the security of your JAAS deployment. CORS ---- +Cross-Origin Resource Sharing (`CORS `__) +is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) +other than its own from which a browser should permit loading resources. CORS also relies on +a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin +resource, in order to check that the server will permit the actual request. In that preflight, +the browser sends headers that indicate the HTTP method and headers that will be used in the +actual request. + To set CORS on JIMM, use the configuration option "cors-allowed-origins". -LEGO & NGINX Ingress Integrator -------------------------------- +Ingress TLS +----------- The NGINX Ingress Integrator is a a charm responsible for creating Kubernetes ingress rules, these rules can be hardened via TLS and the charm provides a means to do so. See `here `__. From 5d47956ebc891018a8e81805f4e7c49fbaa6b6c8 Mon Sep 17 00:00:00 2001 From: ale8k Date: Wed, 16 Oct 2024 10:13:19 +0100 Subject: [PATCH 4/7] reove extra space --- how-to/security_hardening.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/how-to/security_hardening.rst b/how-to/security_hardening.rst index a2c7ed3..6f9ec57 100644 --- a/how-to/security_hardening.rst +++ b/how-to/security_hardening.rst @@ -59,7 +59,6 @@ TLS is enabled by default when communicating with controllers. When adding a Juju controller to JIMM, the self signed certificate of the controller is given to JIMM. - PostgreSQL ---------- JIMM uses PostgreSQL as its persistent storage layer. The communication between PostgreSQL can be encrypted From 6a8d5ab6ffb90143787bd9876cfa36aee58bf621 Mon Sep 17 00:00:00 2001 
From: ale8k Date: Wed, 16 Oct 2024 10:47:23 +0100 Subject: [PATCH 5/7] pr comments --- .custom_wordlist.txt | 3 --- how-to/index.rst | 2 +- how-to/security_hardening.rst | 34 +++++++++++++++++++++------------- 3 files changed, 22 insertions(+), 17 deletions(-) diff --git a/.custom_wordlist.txt b/.custom_wordlist.txt index 4bdbbd2..7a4a338 100644 --- a/.custom_wordlist.txt +++ b/.custom_wordlist.txt @@ -12,7 +12,6 @@ CLI CN config CORS -cors CSRF Diátaxis DNS @@ -32,8 +31,6 @@ HMAC https IAM IdP -integrator -Integrator init installable JAAS diff --git a/how-to/index.rst b/how-to/index.rst index cb7ce12..f9e40d9 100644 --- a/how-to/index.rst +++ b/how-to/index.rst @@ -38,4 +38,4 @@ Security .. toctree:: :maxdepth: 1 - Harden your JIMM deployment \ No newline at end of file + Harden JIMM deployment \ No newline at end of file diff --git a/how-to/security_hardening.rst b/how-to/security_hardening.rst index 6f9ec57..3190cc5 100644 --- a/how-to/security_hardening.rst +++ b/how-to/security_hardening.rst 
@@ -3,17 +3,20 @@ JAAS: Security Hardening JIMM, the service at the centre of JAAS can be hardened in a number of ways. This document details how you can harden the security of your JAAS deployment. +.. hint:: + As a reference on JAAS security overview, check out :doc:`this <../reference/security>` topic. + CORS ---- Cross-Origin Resource Sharing (`CORS `__) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on -a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin -resource, in order to check that the server will permit the actual request. In that preflight, +a mechanism by which browsers make a "pre-flight" request to the server hosting the cross-origin +resource, in order to check that the server will permit the actual request. In that pre-flight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request. -To set CORS on JIMM, use the configuration option "cors-allowed-origins". +To set CORS on JIMM, use the configuration option ``cors-allowed-origins``. Ingress TLS ----------- 
@@ -27,28 +30,28 @@ You will require a domain that your ACME is aware of and an NGINX ingress contro on your Kubernetes cluster. With JAAS deployed, you can deploy both LEGO and the integrator, and integrate your LEGO charm deployment -to your ingress integrator, and then the ingress integrator to JIMM to enable TLS ingress for +to your ingress integrator, and then the ingress integrator to JIMM to enable TLS ingress for your deployment. Identity Provider ----------------- JAAS uses the Canonical Identity Platform for authentication. The communication between JAAS -and the identity platform can be secured via TLS. +and the Identity Platform can be secured via TLS. -You will require the identity Platform and the self-signed-certificates charm deployed. +You will require the Identity Platform and the ``self-signed-certificates`` charm deployed. See `here `__ for deploying the identity platform. -Your identity platform will require TLS enabled via the `self signed certificates charm `__. +Your Identity Platform will require TLS enabled via the `self-signed certificates charm `__. -Using JIMM's receive-ca-cert integration, you can now relate to the self-signed-certificates charm +Using JIMM's ``receive-ca-cert integration``, you can now relate to the self-signed-certificates charm to enabled TLS between the identity platform and JIMM. OpenFGA ------- -JIMM uses OpenFGA for authorisation and currently, the OpenFGA charm does not support TLS. +JIMM uses OpenFGA for authorisation and currently, the OpenFGA charm does not support TLS. See `here `__. Vault ----- -TLS is enabled by default when communicating with the Vault charm. +TLS is enabled by default when communicating with the Vault charm. See `here `__. JIMM uses Vault for storing cloud credentials, JWKS, and other secrets. 
@@ -56,12 +59,17 @@ Juju Controllers ---------------- TLS is enabled by default when communicating with controllers. -When adding a Juju controller to JIMM, the self signed certificate of the controller is given to +When adding a Juju controller to JIMM, the self-signed certificate of the controller is given to JIMM. +.. hint:: + Checkout :doc:`this <../how-to/add_controller>` topic for adding controllers to JAAS. + + PostgreSQL ---------- -JIMM uses PostgreSQL as its persistent storage layer. The communication between PostgreSQL can be encrypted +JIMM uses PostgreSQL as its persistent storage layer. The communication with PostgreSQL can be encrypted via TLS. To enable TLS for charmed PostgreSQL you can follow this `guide `__. - As of October 2024, you need to manually restart JIMM if you enable TLS on PostgreSQL after having related the JIMM and PostgreSQL charms. +.. hint:: + As of October 2024, you need to manually restart JIMM if you enable TLS on PostgreSQL after having related the JIMM and PostgreSQL charms. From 04b7196c7c0b8599091c29fb1af53fa85145a506 Mon Sep 17 00:00:00 2001 From: ale8k Date: Wed, 16 Oct 2024 10:57:39 +0100 Subject: [PATCH 6/7] move ingress tls doc --- how-to/index.rst | 3 ++- how-to/security_hardening.rst | 12 +----------- how-to/setup_ingress_with_tls.rst | 13 +++++++++++++ 3 files changed, 16 insertions(+), 12 deletions(-) create mode 100644 how-to/setup_ingress_with_tls.rst diff --git a/how-to/index.rst b/how-to/index.rst index f9e40d9..57e64b7 100644 --- a/how-to/index.rst +++ b/how-to/index.rst @@ -38,4 +38,5 @@ Security .. toctree:: :maxdepth: 1 - Harden JIMM deployment \ No newline at end of file + Harden JIMM deployment + Setup Ingress with TLS \ No newline at end of file diff --git a/how-to/security_hardening.rst b/how-to/security_hardening.rst index 3190cc5..3ffe599 100644 --- a/how-to/security_hardening.rst +++ b/how-to/security_hardening.rst 
@@ -20,17 +20,7 @@ To set CORS on JIMM, use the configuration option ``cors-allowed-origins``. Ingress TLS ----------- -The NGINX Ingress Integrator is a a charm responsible for creating Kubernetes ingress rules, -these rules can be hardened via TLS and the charm provides a means to do so. See `here `__. - -Our LEGO charms provide certificates for charms from a desired ACME server and can be integrated -with the integrator to enable TLS at the ingress level. See `here `__. - -You will require a domain that your ACME is aware of and an NGINX ingress controller installed -on your Kubernetes cluster. - -With JAAS deployed, you can deploy both LEGO and the integrator, and integrate your LEGO charm deployment -to your ingress integrator, and then the ingress integrator to JIMM to enable TLS ingress for your deployment. +Please refer :doc:`here <../how-to/setup_ingress_with_tls>`. Identity Provider ----------------- diff --git a/how-to/setup_ingress_with_tls.rst b/how-to/setup_ingress_with_tls.rst new file mode 100644 index 0000000..ad201e9 --- /dev/null +++ b/how-to/setup_ingress_with_tls.rst @@ -0,0 +1,13 @@ +JAAS: Setup Ingress with TLS +============================ +The NGINX Ingress Integrator is a a charm responsible for creating Kubernetes ingress rules, +these rules can be hardened via TLS and the charm provides a means to do so. See `here `__. + +Our LEGO charms provide certificates for charms from a desired ACME server and can be integrated +with the integrator to enable TLS at the ingress level. See `here `__. + +You will require a domain that your ACME is aware of and an NGINX ingress controller installed +on your Kubernetes cluster. + +With JAAS deployed, you can deploy both LEGO and the integrator, and integrate your LEGO charm deployment +to your ingress integrator, and then the ingress integrator to JIMM to enable TLS ingress for your deployment. \ No newline at end of file From 1c84292a3159d3a4ebcc9ff7dd32b866855de188 Mon Sep 17 00:00:00 2001 
From: ale8k Date: Wed, 16 Oct 2024 11:02:59 +0100 Subject: [PATCH 7/7] pr comments --- how-to/security_hardening.rst | 5 ++--- how-to/setup_ingress_with_tls.rst | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/how-to/security_hardening.rst b/how-to/security_hardening.rst index 3ffe599..9fc4660 100644 --- a/how-to/security_hardening.rst +++ b/how-to/security_hardening.rst @@ -20,7 +20,7 @@ To set CORS on JIMM, use the configuration option ``cors-allowed-origins``. Ingress TLS ----------- -Please refer :doc:`here <../how-to/setup_ingress_with_tls>`. +Please refer :doc:`here <./setup_ingress_with_tls>`. Identity Provider ----------------- @@ -53,8 +53,7 @@ When adding a Juju controller to JIMM, the self-signed certificate of the contro JIMM. .. hint:: - Checkout :doc:`this <../how-to/add_controller>` topic for adding controllers to JAAS. - + Checkout :doc:`this <./add_controller>` topic for adding controllers to JAAS. PostgreSQL ---------- diff --git a/how-to/setup_ingress_with_tls.rst b/how-to/setup_ingress_with_tls.rst index ad201e9..2e5703a 100644 --- a/how-to/setup_ingress_with_tls.rst +++ b/how-to/setup_ingress_with_tls.rst @@ -1,6 +1,6 @@ JAAS: Setup Ingress with TLS ============================ -The NGINX Ingress Integrator is a a charm responsible for creating Kubernetes ingress rules, +The NGINX Ingress Integrator is a charm responsible for creating Kubernetes ingress rules, these rules can be hardened via TLS and the charm provides a means to do so. See `here `__. Our LEGO charms provide certificates for charms from a desired ACME server and can be integrated
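Review bot: in patch 1, the `how-to/index.rst` hunk adds the toctree entry `+ Harden your JIMM deployment` with "\ No newline at end of file"; end the file with a newline, otherwise every later touch to that line (patches 5 and 6 carry the same marker forward) produces a noisy diff on the unchanged entry.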
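Review bot: in patch 1, the new `how-to/security_hardening.rst` has a title underline one character short (`=======================` under "JAAS: Security Hardening"), which Sphinx reports as a title-underline warning, and the Ingress paragraph stops mid-sentence at "to enable TLS ingress for"; "integator", "a a charm", "Inregator", "receive-ca-cer" and "PostgeSQL" are typos. Patches 2 and 5 in this series pick these up, so squashing the fixes into the commit that introduces the file would keep the history clean.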
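Review bot: in patch 2, the `.custom_wordlist.txt` hunk adds `cors`, `integrator` and `Integrator` only to silence the spell checker on the literal `cors-allowed-origins` and on the charm name; marking configuration keys and charm names as inline literals (as patch 5 does with ``cors-allowed-origins``) is the better fix, since it also renders them as code, and patch 5 removes these three entries again.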
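Review bot: in patch 3, the CORS hunk explains the pre-flight mechanism but still ends with only "To set CORS on JIMM, use the configuration option "cors-allowed-origins"", with no guidance on the value; a hardening document should say that the option should list only the exact origins (scheme, host and port) that legitimately need browser access to JIMM, such as the dashboard's origin, and that a wildcard entry removes the protection the setting is meant to provide.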
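Review bot: in patch 5, the second `security_hardening.rst` hunk puts the word "integration" inside the code span in "Using JIMM's ``receive-ca-cert integration``"; it should read ``receive-ca-cert`` integration, and the following line "to enabled TLS between the identity platform and JIMM" should be "to enable TLS". In the same hunk the OpenFGA line "the OpenFGA charm does not support TLS. See `here `__" states the limitation but not its consequence; tell operators that JIMM-to-OpenFGA traffic is therefore unencrypted and should stay inside the cluster or another trusted network segment until the charm gains TLS support.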
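Review bot: in patch 5, the Juju Controllers / PostgreSQL hunk changes the restart caveat into `.. hint::`, but "you need to manually restart JIMM if you enable TLS on PostgreSQL after having related the JIMM and PostgreSQL charms" is a required operational step, not a tip, so `.. warning::` (or at least `.. note::`) is the better admonition; also "Checkout :doc:`this <../how-to/add_controller>` topic" should be "Check out".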
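Review bot: in patch 6, the replacement line "+Please refer :doc:`here <../how-to/setup_ingress_with_tls>`." is missing "to" ("Please refer to"), and the new `how-to/setup_ingress_with_tls.rst` is created without a trailing newline and still carries the "a a charm" typo (fixed in patch 7); since this patch moves the text, fixing the typo and the missing newline in the same commit would avoid the follow-up.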