Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initial security hardening doc #65

Merged
merged 7 commits into from
Oct 16, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .custom_wordlist.txt
Original file line number Diff line number Diff line change
Expand Up @@ -119,4 +119,4 @@ webhook
Websocket
Xbox
XSRF
YAML
YAML
9 changes: 9 additions & 0 deletions how-to/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -31,3 +31,12 @@ Observability
:maxdepth: 1

Integrate with the Canonical Observability Stack <integrate_with_cos>

Security
--------

.. toctree::
:maxdepth: 1

Harden JIMM deployment <security_hardening>
Setup Ingress with TLS <setup_ingress_with_tls>
64 changes: 64 additions & 0 deletions how-to/security_hardening.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
JAAS: Security Hardening
========================
JIMM, the service at the centre of JAAS can be hardened in a number of ways. This
ale8k marked this conversation as resolved.
Show resolved Hide resolved
document details how you can harden the security of your JAAS deployment.

.. hint::
As a reference on JAAS security overview, check out :doc:`this <../reference/security>` topic.

CORS
----
Cross-Origin Resource Sharing (`CORS <https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS>`__)
is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port)
other than its own from which a browser should permit loading resources. CORS also relies on
a mechanism by which browsers make a "pre-flight" request to the server hosting the cross-origin
resource, in order to check that the server will permit the actual request. In that pre-flight,
the browser sends headers that indicate the HTTP method and headers that will be used in the
actual request.

To set CORS on JIMM, use the configuration option ``cors-allowed-origins``.

Ingress TLS
-----------
Please refer :doc:`here <./setup_ingress_with_tls>`.

Identity Provider
-----------------
JAAS uses the Canonical Identity Platform for authentication. The communication between JAAS
and the Identity Platform can be secured via TLS.

You will require the Identity Platform and the ``self-signed-certificates`` charm deployed.
See `here <https://charmhub.io/topics/canonical-identity-platform/tutorials/e2e-tutorial>`__ for deploying the identity platform.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this guide seems to suggest the self signed certs.. maybe that's enough and we just add the bits that are needed to relate jimm to self-signed-certs

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

responded on other comment


Your Identity Platform will require TLS enabled via the `self-signed certificates charm <https://charmhub.io/self-signed-certificates>`__.

Using JIMM's ``receive-ca-cert integration``, you can now relate to the self-signed-certificates charm
to enabled TLS between the identity platform and JIMM.

OpenFGA
-------
JIMM uses OpenFGA for authorisation and currently, the OpenFGA charm does not support TLS. See `here <https://charmhub.io/openfga-k8s>`__.

Vault
-----
TLS is enabled by default when communicating with the Vault charm. See `here <https://charmhub.io/vault?channel=1.16/stable>`__.

JIMM uses Vault for storing cloud credentials, JWKS, and other secrets.

Juju Controllers
----------------
TLS is enabled by default when communicating with controllers.

When adding a Juju controller to JIMM, the self-signed certificate of the controller is given to
JIMM.

.. hint::
Checkout :doc:`this <./add_controller>` topic for adding controllers to JAAS.

PostgreSQL
----------
JIMM uses PostgreSQL as its persistent storage layer. The communication with PostgreSQL can be encrypted
via TLS. To enable TLS for charmed PostgreSQL you can follow this `guide <https://charmhub.io/postgresql-k8s/docs/t-enable-tls?channel=14/stable>`__.

.. hint::
As of October 2024, you need to manually restart JIMM if you enable TLS on PostgreSQL after having related the JIMM and PostgreSQL charms.
13 changes: 13 additions & 0 deletions how-to/setup_ingress_with_tls.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
JAAS: Setup Ingress with TLS
============================
The NGINX Ingress Integrator is a charm responsible for creating Kubernetes ingress rules,
these rules can be hardened via TLS and the charm provides a means to do so. See `here <https://charmhub.io/nginx-ingress-integrator>`__.

Our LEGO charms provide certificates for charms from a desired ACME server and can be integrated
with the integrator to enable TLS at the ingress level. See `here <https://charmhub.io/httprequest-lego-k8s>`__.

You will require a domain that your ACME is aware of and an NGINX ingress controller installed
on your Kubernetes cluster.

With JAAS deployed, you can deploy both LEGO and the integrator, and integrate your LEGO charm deployment
to your ingress integrator, and then the ingress integrator to JIMM to enable TLS ingress for your deployment.
Loading