Merge branch 'alonitac:main' into Networking-nishant

ansible_workdir/ansible.Jenkinsfile

@@ -0,0 +1,45 @@
+pipeline {
+    agent any
+
+    environment {
+        PATH = "/var/lib/jenkins/.local/bin:${env.PATH}"
+        ANSIBLE_HOST_KEY_CHECKING = 'False'
+    }
+
+    parameters {
+        string(name: 'serverGroup', defaultValue: 'all')
+        choice(name: 'region', choices: ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'eu-central-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'eu-north-1'])
+    }
+
+    stages {
+        stage("Init") {
+            steps {
+                sh 'python3 -m pip install ansible'
+                sh 'ansible-galaxy collection install community.general'
+            }
+        }
+
+        stage("Generate Inventory") {
+            steps {
+                sh 'aws ec2 describe-instances --region ${region} --filters "Name=tag:serverGroup,Values=${serverGroup}" --query "Reservations[].Instances[]" > hosts.json'
+                sh 'python3 ansible_inv_gen.py'
+            }
+        }
+
+        stage('Check') {
+            steps {
+                sh ''
+            }
+        }
+
+        stage('Play') {
+            steps {
+                withCredentials([sshUserPrivateKey(credentialsId: '<ssh-credentials-id>', usernameVariable: 'ssh_user', keyFileVariable: 'privatekey')]) {
+                    sh '''
+                    ansible-playbook site.yaml --extra-vars "hosts=${serverGroup}" --user=${ssh_user} -i hosts --private-key ${privatekey}
+                    '''
+                }
+            }
+        }
+    }
+}

ansible_workdir/hosts

@@ -0,0 +1,3 @@
+[webserver]
+web1 ansible_host=13.51.201.17 ansible_user=ec2-user ansible_port=23
+web2 ansible_host=16.171.29.176 ansible_user=ec2-user ansible_port=23

ansible_workdir/templates/auditd_rules.j2

@@ -0,0 +1,2 @@
+-a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid>=500 -F auid!=-1 -F dir=/root/ -F key=touching_root
+-a always,exit -F arch=b64 -F euid=0 -S execve -F key=using_sudo

ansible_workdir/templates/sshd_config.j2

@@ -0,0 +1,146 @@
+#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+Port {{ sshd_port }}
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin {{ permit_root_login }}
+#StrictModes yes
+MaxAuthTries {{ max_auth_tries }}
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PermitEmptyPasswords {{ empty_pass }}
+PasswordAuthentication {{ pass_auth }}
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+KerberosAuthentication no
+
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# problems.
+UsePAM yes
+
+AllowAgentForwarding {{ agent_fwd }}
+AllowTcpForwarding {{ tcp_fwd }}
+#GatewayPorts no
+
+X11Forwarding {{ x11_fwd }}
+
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+
+PermitUserEnvironment {{ user_envs }}
+
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+
+PermitTunnel {{ permit_tunnel }}
+
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem sftp	/usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+
+AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
+AuthorizedKeysCommandUser ec2-instance-connect

ansible_workdir/vars/ubuntu_ssh_vars.yaml

@@ -0,0 +1,10 @@
+sshd_port: 22
+permit_root_login: 'no'
+max_auth_tries: '3'
+empty_pass: 'no'
+pass_auth: 'no'
+agent_fwd: 'no'
+tcp_fwd: 'no'
+x11_fwd: 'no'
+user_envs: 'no'
+permit_tunnel: 'no'

finale.md

@@ -0,0 +1,71 @@
+# Final Project Extension Ideas
+
+### DevSecOps
+
+Embed DevSecOps tool to the CI/CD pipeline:
+
+- [safety](https://pyup.io/safety/) to scan vulnerabilities in Python packages.
+- [Bandit](https://bandit.readthedocs.io/en/latest/) to find security issues in your Python code.
+- [Pre-commit](https://pre-commit.com/) to enforce some policy before committing a new code.
+- [Black](https://github.com/psf/black) as a linting tool.
+- [Chef InSpec](https://docs.chef.io/inspec/) to apply security and compliance policies.
+
+
+### Jenkins
+
+- Implement load testing in the PR testing pipeline.
+- Create a [Jenkins shared library](https://www.jenkins.io/blog/2017/02/15/declarative-notifications/#moving-notifications-to-shared-library).
+- Send email notifications to users
+
+### AWS
+
+- Protect your service using [WAF](https://aws.amazon.com/waf/) or [Shield](https://aws.amazon.com/shield/).
+- Any other shiny service that interesting you...
+
+### K8S
+
+- Deploy some interesting Helm Chart in the cluster (Jenkins, etc...).
+- Write your app YAMLs as Helm Chart.
+- Run some [CronJob](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/) in the cluster.
+- Use [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) to deploy your app.
+- Implement some interesting [ArgoWF](https://argoproj.github.io/argo-workflows/).
+- Experimenting with [Calico](https://projectcalico.docs.tigera.io/about/about-calico) to implement network security in the cluster.
+- Experimenting with [Istio](https://istio.io/) to implement a service mesh.
+- Expose your app through a secured HTTPS.
+- Implement Pod identity in EKS instead using the EC2 IAM role.
+
+### Terraform
+
+- Provision the app infrastructure as a code.
+- Built a dedicated "IaaC" pipeline in Jenkins
+
+### Ansible
+
+- Use some [devsec.hardening Ansible](https://github.com/dev-sec/ansible-collection-hardening) collection to harden the system
+
+### Monitoring
+
+- Deploy [Prometheus](https://prometheus.io/) in K8S.
+- Enable backup/restore to from [ElasticSearch to S3](https://www.elastic.co/guide/en/elasticsearch/reference/current/snapshot-restore.html).
+- Build some Kibana dashboard
+- Improve the logs stream from the k8s cluster to Elasticsearch
+- Create some [alerts in Grafana](https://grafana.com/docs/grafana/latest/alerting/) (e.g. high CPU rate, container restarts many times etc...)
+
+# DevOps Tools Bazaar
+
+- [Argo CD](https://argoproj.github.io/argo-cd/)
+- [Vault](https://www.vaultproject.io/docs)
+- [Nexus](https://help.sonatype.com/repomanager3)
+- [Argo Workflow](https://argoproj.github.io/argo/)
+- [Logstash](https://www.elastic.co/guide/en/logstash/current/index.html)
+- [Vagrant](https://www.vagrantup.com/docs)
+- [Prometheus Alertmanager](https://prometheus.io/docs/alerting/alertmanager/)
+- [Terraform with Azure](https://learn.hashicorp.com/collections/terraform/azure-get-started)
+- [Helm](https://helm.sh/docs/)
+- [KEDA](https://keda.sh/docs/)
+- [Istio](https://istio.io/latest/docs/)
+- [Calico](https://docs.projectcalico.org/)
+- [Chef](https://docs.chef.io/)
+- [SonarQube](https://docs.sonarqube.org/)
+- [Snyk](https://docs.snyk.io/)
+- [Karpenter](https://karpenter.sh/)

k8s-manifests/game2048.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: 2048-game
+spec:
+  selector:
+    matchLabels:
+      app: 2048-game
+  replicas: 1 # tells deployment to run 2 pods matching the template
+  template:
+    metadata:
+      labels:
+        app: 2048-game
+    spec:
+      containers:
+      - name: 2048-game
+        image: alexwhen/docker-2048:latest
+        ports:
+        - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mygame
+spec:
+  selector:
+    app: 2048-game
+  ports:
+    - port: 5858
+      targetPort: 80

k8s-manifests/grafana-values.yaml

@@ -0,0 +1,16 @@
+persistence:
+  enabled: true
+  size: 5Gi
+
+env:
+  GF_DASHBOARDS_VERSIONS_TO_KEEP: '10'
+
+datasources:
+  datasources.yaml:
+      apiVersion: 1
+      datasources:
+        - name: CloudWatch
+          type: cloudwatch
+          jsonData:
+            authType: default
+            defaultRegion: us-east-2

k8s-manifests/simple-flask.yaml

@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: simple-flask
+spec:
+  selector:
+    matchLabels:
+      app: simple-flask
+  replicas: 6
+  template:
+    metadata:
+      labels:
+        app: simple-flask
+    spec:
+      containers:
+      - name: simple-flask
+        image: 854171615125.dkr.ecr.us-east-2.amazonaws.com/alonit-simple-flask:0.1
+        ports:
+        - containerPort: 8080
+        readinessProbe:
+          httpGet:
+            path: /status
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 3
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: myflask
+spec:
+  selector:
+    app: simple-flask
+  ports:
+    - port: 8080
+      targetPort: 8080