Setting up new bastions
The oq-tools suite depends on a common package, nflx-oqcache, to maintain a local cache of AWS assets that the bastion can access. The cache is built by querying a dedicated Edda deployment for each AWS account. If you are creating bastions for a brand new account, the oqcache project will need to be updated with the appropriate Edda hostnames.
Update nflx-oqcache package
- Confirm with Insight Engineering that an Edda cluster has been deployed for the new account. You can also check Spinnaker: https://spinnaker.prod.netflix.net/#/applications/edda/clusters
- Fork the oqcache repo at https://stash.corp.netflix.com/projects/IAE/repos/nflx-oqcache/browse
- Update the /root/apps/aws/nflx-oqcache/nflx-oqcache.yml file with the new account info. If you're creating a bastion for the 'dmztest' account, you would add the following under the accounts: section:

```yaml
accounts:
  dmztest:
    url: 'http://edda-{accountnumber}.{0}.test.netflix.net:7001/api/v2'
    url_format_params:
      - 'region'
```

- Update /nflx-oqcache/oqcache/config.py to add the new account name(s) to the ACCOUNTS tuple.
- Commit the changes to the stash repo.
- Submit a Pull Request to merge the changes into the master branch.
- Review and merge the pull request.
Prepare the bastion repo and your workstation
- Fork the bastion repo and clone it to your local workstation: https://stash.corp.netflix.com/projects/IAE/repos/bastion/browse
- Install the prerequisites on your workstation.

Note

The gnu-sed, casserole-get-keys and metatron packages are required and need to be installed on your local workstation. A prerequisite install script is included in the tools directory of the bastion project folder. Install the prerequisites using:

```shell
$bastion_project_folder/tools/install_mac_prereq.sh
```

- Create some temp folders to store the SSH keys and the encrypted metatron keys on your local system:

```shell
mkdir /tmp/ssh-keys
cd /tmp/ssh-keys
mkdir -p root/metatron
```

- Copy the SSH keys from thesecret [go/secret] to the temp folder. Search for the keys by account number. The keys are named like nf-keypair-<account_number>-region.pem.
- Save the keys to the temp directory. Make sure the key names are like nf-keypair-<account_number>-region.pem. Rename the keys if required.
- Encrypt the keys. Run the following from the temp folder; it passes each key file to metatron in turn:

```shell
for i in nf-keypair-*.pem ; do metatron encrypt -p bastion "$i" ; done
```

- The encrypted keys are copied to root/metatron/encrypted in the temp folder.
- Note down the location of the temp folder. We need this location for the next command.
- From the bastion_project_root folder, run the tools/add_new_bastion.sh script and follow the instructions. This script will:
  - Modify all the global files / bastion common files
  - Modify all the new account's bastion-specific files
  - Copy the encrypted SSH keys from the temp location to the bastion repo
- Commit your changes to the stash repo.
- Submit a Pull Request to merge the changes into the master branch.
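As an added example that is not part of the bastion project's tools, the following shell script does the key-staging steps above in one place: it copies the downloaded keys into the temp folder, rejects any file that does not follow the nf-keypair-<account_number>-<region>.pem naming before anything is encrypted, makes the plaintext keys owner-readable only, and then runs metatron on each staged file (passing the loop variable to metatron rather than a fixed file name). The METATRON variable, the check_key_name/stage_keys/encrypt_keys function names and the 12-digit account-number pattern are assumptions; the metatron invocation and the root/metatron/encrypted output location are as the page describes.

```shell
#!/bin/sh
# Added example, not part of the bastion project's tools.
# Stages SSH keys for a new account, validates their names and encrypts
# them with metatron the way the page's loop does, passing each file.

# The metatron binary can be overridden (e.g. with a stub for a dry run); assumption.
METATRON="${METATRON:-metatron}"

# Succeeds only if the basename is nf-keypair-<12-digit account>-<region>.pem
# (the 12-digit account number and the region shape are assumptions).
check_key_name() {
    printf '%s\n' "$(basename "$1")" |
        grep -Eq '^nf-keypair-[0-9]{12}-[a-z]{2}-[a-z]+-[0-9]\.pem$'
}

# stage_keys SRC TMP: copy correctly named keys from SRC (where the thesecret
# downloads landed) into TMP, create TMP/root/metatron, and make each plaintext
# key owner-readable only. Misnamed files are reported and skipped so they can
# be renamed before encryption.
stage_keys() {
    src="$1"; tmp="$2"
    mkdir -p "$tmp/root/metatron"
    chmod 700 "$tmp"
    for key in "$src"/nf-keypair-*.pem; do
        [ -e "$key" ] || continue
        if ! check_key_name "$key"; then
            echo "skipping $key: rename to nf-keypair-<account_number>-<region>.pem" >&2
            continue
        fi
        cp "$key" "$tmp/"
        chmod 600 "$tmp/$(basename "$key")"
    done
}

# encrypt_keys TMP: run metatron on every staged key from inside TMP; the
# encrypted copies end up under TMP/root/metatron/encrypted as the page describes.
encrypt_keys() {
    tmp="$1"
    (
        cd "$tmp" || exit 1
        for i in nf-keypair-*.pem; do
            [ -e "$i" ] || continue
            "$METATRON" encrypt -p bastion "$i" || exit 1
        done
    )
}

# Usage: stage_keys ~/Downloads /tmp/ssh-keys && encrypt_keys /tmp/ssh-keys
```

The name check runs before any encryption so that a misnamed key is caught while it can still be renamed, rather than after add_new_bastion.sh has copied an oddly named encrypted file into the repo.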
Cache the AWS credentials
- Create the ~/.aws/default_roles file with the following content:

```json
{
  "awsmanagement_poweruser": true,
  "awsprod_dns_admin": true,
  "awstest_user": true
}
```

- Cache your AWS credentials using the casserole-get-keys command:

```shell
$ casserole-get-keys
```
Create AWS resources
- Run the tools/create_nic_r53.py command. This script will:
  - Create the required NICs for each account
  - Tag the NICs with cluster name, hostname, etc.
  - Create the required Route53 entries in the MGMT, PROD and DEV accounts.

```text
$ ./create_nic_r53.py --help
usage: create_nic_r53.py [-h] --name NAME --prod-number PROD_NUMBER
                         --test-number TEST_NUMBER [--region REGION]
                         [--env ENV]

Create Network Cards and Route53 entries for Bastions

optional arguments:
  -h, --help            show this help message and exit
  --name NAME, -n NAME  AWS account Name
  --prod-number PROD_NUMBER, -p PROD_NUMBER
                        AWS Prod Account Number
  --test-number TEST_NUMBER, -t TEST_NUMBER
                        AWS test Account Number
  --region REGION, -r REGION
                        AWS region. Default is us-west-2
  --env ENV, -e ENV     Default value is [test, prod]
```

Eg:

```shell
./create_nic_r53.py -n <account_name> -p <prod_account_number> \
    -t <test_account_number> -e [test|prod]
```
Launch the new bastions from Spinnaker
https://spinnaker.prod.netflix.net/#/applications/bastion/executions