Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Possible support access coming from Concourse ? #216

Open
Tracked by #2836
ChrisMcGowan opened this issue Feb 12, 2024 · 2 comments
Open
Tracked by #2836

Possible support access coming from Concourse ? #216

ChrisMcGowan opened this issue Feb 12, 2024 · 2 comments
Assignees

Comments

@ChrisMcGowan
Copy link
Contributor

Check/verify if the new Concourse Viewer access gives Prometheus/Grafana access

@ChrisMcGowan
Copy link
Contributor Author

So prometheus is setup to allow any opsuaa authed user to access - we need to scope down that access.

  1. In opsuaa add a new group called prometheus-support with comment Support members access to prometheus here: https://github.com/cloud-gov/cg-deploy-opslogin/blob/05e96ba9245149e0cb41ac5a96a2eb4d9bec2736/manifest.yml#L318
  2. Under scope add prometheus-support, concourse.pages, and concourse.admin here: https://github.com/cloud-gov/cg-deploy-opslogin/blob/05e96ba9245149e0cb41ac5a96a2eb4d9bec2736/manifest.yml#L440-L449
  3. Deploy opsuaa
  4. In deploy-prometheus add the scope prometheus-support , concourse.pages, and concourse.admin here: https://github.com/cloud-gov/cg-deploy-prometheus/blob/803e0b099335d84bcf64edac07a6cc8bc50e3c3c/bosh/manifest.yml#L313
  5. Deploy prometheus
  6. In cg-scripts modify make-pages-ops-admin to addd user to group prometheus-support : https://github.com/cloud-gov/cg-scripts/blob/main/make-pages-ops-admin.sh#L42
  7. Take the make-ops-viewer script in cg-scripts and make a new script file called make-prometheus-support and replace here https://github.com/cloud-gov/cg-scripts/blob/main/make-ops-viewer.sh#L42 with prometheus-support. Remember to run chmod +x on the script before commit to the repo

For testing all this, you can do the following to make sure all the pieces work manually:

  • From tooling jumphost auth to opsa uua using cg-scrips/uaa/login
  • Use uaac to create the prometheus-support group
  • Use uaac to modify the prometheus-staging client to add the scope
  • Use bosh manifest command to get the prometheus-staging manifest, make the changes there and manual bosh deploy
  • Test with someone not concourse-admin or pages-admin to see if they can auth/get in to the stage envirnment and if not add them to the group using uaac and test to validate they get in
  • Test that normal platfrom/pages folks still have access

@ChrisMcGowan
Copy link
Contributor Author

This work is on-hold until this ticket is done: cloud-gov/oauth2-proxy-boshrelease#17

@rcgottlieb

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants