Merge "Add Security monkey audit service"
diff --git a/devops_portal/service/security_monkey.yml b/devops_portal/service/security_monkey.yml
new file mode 100644
index 0000000..3638e56
--- /dev/null
+++ b/devops_portal/service/security_monkey.yml
@@ -0,0 +1,10 @@
+parameters:
+ devops_portal:
+ config:
+ service:
+ securitymonkey:
+ configure_proxy: true
+ endpoint:
+ address: ${_param:haproxy_security_monkey_bind_host}
+ port: ${_param:haproxy_security_monkey_bind_port}
+ https: ${_param:haproxy_security_monkey_ssl:enabled}
diff --git a/docker/swarm/stack/security_monkey.yml b/docker/swarm/stack/security_monkey.yml
new file mode 100644
index 0000000..479b028
--- /dev/null
+++ b/docker/swarm/stack/security_monkey.yml
@@ -0,0 +1,35 @@
+parameters:
+ _param:
+ docker_security_monkey_api_replicas: 1
+ docker_security_monkey_scheduler_replicas: 1
+ docker_image_security_monkey_api: docker-sandbox.sandbox.mirantis.net/vstoiko/oss/security-monkey-api:3842.6
+ docker_image_security_monkey_scheduler: docker-sandbox.sandbox.mirantis.net/vstoiko/oss/security-monkey-scheduler:3842.6
+ security_monkey_db: secmonkey
+ docker:
+ client:
+ stack:
+ security_monkey:
+ environment:
+ SECURITY_MONKEY_POSTGRES_USER: ${_param:secmonkey_db_user}
+ SECURITY_MONKEY_POSTGRES_PASSWORD: ${_param:secmonkey_db_user_password}
+ SECURITY_MONKEY_POSTGRES_HOST: ${_param:secmonkey_db_host}
+ SECURITY_MONKEY_POSTGRES_PORT: ${_param:haproxy_postgresql_bind_port}
+ service:
+ api:
+ image: ${_param:docker_image_security_monkey_api}
+ deploy:
+ replicas: ${_param:docker_security_monkey_api_replicas}
+ restart_policy:
+ condition: any
+ ports:
+ - ${_param:haproxy_security_monkey_exposed_port}:${_param:haproxy_security_monkey_bind_port}
+ volumes:
+ - /srv/volumes/security_monkey:/var/log/security_monkey
+ scheduler:
+ image: ${_param:docker_image_security_monkey_scheduler}
+ deploy:
+ replicas: ${_param:docker_security_monkey_scheduler_replicas}
+ restart_policy:
+ condition: any
+ volumes:
+ - /srv/volumes/security_monkey:/var/log/security_monkey
\ No newline at end of file
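Review bot: The database credential is handed to both containers as the plain environment variable `SECURITY_MONKEY_POSTGRES_PASSWORD` (line 37), where it is readable by anyone who can run `docker inspect` on a manager or read `/proc/<pid>/environ` on the node, and it is written into the rendered stack file on disk. If the stack formula supports Swarm `secrets:` (not visible here), prefer a secret mounted under `/run/secrets/` and have the image read the password from that file; if it does not, at least add a comment such as `# password must come from an encrypted pillar, never a plain model default`. Separately, both images (lines 28-29) are pulled from a personal sandbox namespace by the mutable tag `3842.6`; for a service that will hold cloud read credentials, pin by digest (`image@sha256:...`) from a reviewed registry path. The file also lacks a trailing newline.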
diff --git a/glusterfs/client/volume/security_monkey.yml b/glusterfs/client/volume/security_monkey.yml
new file mode 100644
index 0000000..b008669
--- /dev/null
+++ b/glusterfs/client/volume/security_monkey.yml
@@ -0,0 +1,13 @@
+parameters:
+ _param:
+ security_monkey_glusterfs_service_host: ${_param:glusterfs_service_host}
+ glusterfs_node01_address: ${_param:cluster_node01_address}
+ glusterfs_node02_address: ${_param:cluster_node02_address}
+ glusterfs_node03_address: ${_param:cluster_node03_address}
+ glusterfs:
+ client:
+ volumes:
+ security_monkey:
+ path: /srv/volumes/security_monkey
+ server: ${_param:security_monkey_glusterfs_service_host}
+ opts: "defaults,backup-volfile-servers=${_param:glusterfs_node01_address}:${_param:glusterfs_node02_address}:${_param:glusterfs_node03_address}"
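Review bot: Lines 69-71 redefine the unscoped globals `glusterfs_node01_address`..`glusterfs_node03_address` from `cluster_node0N_address`, whereas line 68 follows the service-prefixed pattern; because reclass `_param` keys are global, any other class in the model that sets those names to different hosts is silently overridden depending on class order. Either interpolate `${_param:cluster_node0N_address}` directly in the `backup-volfile-servers` string, or prefix the keys as `security_monkey_glusterfs_node0N_address` to match line 68.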
diff --git a/glusterfs/server/volume/security_monkey.yml b/glusterfs/server/volume/security_monkey.yml
new file mode 100644
index 0000000..478aec3
--- /dev/null
+++ b/glusterfs/server/volume/security_monkey.yml
@@ -0,0 +1,17 @@
+parameters:
+ glusterfs:
+ server:
+ volumes:
+ security_monkey:
+ storage: /srv/glusterfs/security_monkey
+ replica: 3
+ bricks:
+ - ${_param:cluster_node01_address}:/srv/glusterfs/security_monkey
+ - ${_param:cluster_node02_address}:/srv/glusterfs/security_monkey
+ - ${_param:cluster_node03_address}:/srv/glusterfs/security_monkey
+ options:
+ cluster.readdir-optimize: On
+ nfs.disable: On
+ network.remote-dio: On
+ diagnostics.client-log-level: WARNING
+ diagnostics.brick-log-level: WARNING
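Review bot: The volume is created without `auth.allow`, so with GlusterFS's default of `*` any host that can reach the brick ports can mount the Security Monkey log volume; add `auth.allow: "${_param:cluster_node01_address},${_param:cluster_node02_address},${_param:cluster_node03_address}"` under `options` (extend the list if the swarm nodes that mount it are not the same three hosts — not visible here). The bare `On` values on lines 97-99 are YAML 1.1 booleans and only reach `gluster volume set` after the formula stringifies them; quote them as `"on"` so the option value does not depend on the renderer.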
diff --git a/haproxy/proxy/listen/oss/security_monkey.yml b/haproxy/proxy/listen/oss/security_monkey.yml
new file mode 100644
index 0000000..5498699
--- /dev/null
+++ b/haproxy/proxy/listen/oss/security_monkey.yml
@@ -0,0 +1,37 @@
+parameters:
+ _param:
+ haproxy_security_monkey_bind_host: ${_param:haproxy_bind_address}
+ haproxy_security_monkey_bind_port: 5001
+ haproxy_security_monkey_exposed_port: 15001
+ haproxy_security_monkey_ssl:
+ enabled: false
+ haproxy:
+ proxy:
+ listen:
+ security_monkey:
+ mode: http
+ options:
+ - httpchk GET /
+ balance: source
+ http_request:
+ - action: "add-header X-Forwarded-Proto https"
+ condition: "if { ssl_fc }"
+ sticks:
+ - http-check expect status 404
+ binds:
+ - address: ${_param:haproxy_security_monkey_bind_host}
+ port: ${_param:haproxy_security_monkey_bind_port}
+ ssl: ${_param:haproxy_security_monkey_ssl}
+ servers:
+ - name: ${_param:cluster_node01_name}
+ host: ${_param:cluster_node01_address}
+ port: ${_param:haproxy_security_monkey_exposed_port}
+ params: check
+ - name: ${_param:cluster_node02_name}
+ host: ${_param:cluster_node02_address}
+ port: ${_param:haproxy_security_monkey_exposed_port}
+ params: backup check
+ - name: ${_param:cluster_node03_name}
+ host: ${_param:cluster_node03_address}
+ port: ${_param:haproxy_security_monkey_exposed_port}
+ params: backup check
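Review bot: `haproxy_security_monkey_ssl.enabled` defaults to `false` on line 114, so unless every consumer overrides it the Security Monkey UI and API — including its login form and session cookie — are served over plain HTTP on port 5001, and the `X-Forwarded-Proto https` header on lines 124-125 is never added; default it to `true` alongside a certificate parameter, or make the plaintext default explicit with a comment such as `# plaintext by default; set enabled: true and a cert in the cluster model` so operators opt in knowingly. The health check on lines 121 and 127 treats a `404` from `GET /` as healthy and appears to use the `sticks` key as a raw-line carrier, which means a backend that 404s everything (a misrouted or half-started container) still receives traffic; use an endpoint that returns 200 when the app is up and put `http-check expect status 200` under `options`. The right endpoint is not visible here, so confirm it against the API image.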
diff --git a/postgresql/client/security_monkey.yml b/postgresql/client/security_monkey.yml
new file mode 100644
index 0000000..65f1de2
--- /dev/null
+++ b/postgresql/client/security_monkey.yml
@@ -0,0 +1,26 @@
+parameters:
+ _param:
+ secmonkey_db_host: ${_param:haproxy_postgresql_bind_host}
+ secmonkey_db_port: ${_param:haproxy_postgresql_bind_port}
+ secmonkey_db_user: secmonkey
+ secmonkey_db_user_password: secmonkey
+ postgresql:
+ client:
+ server:
+ server01:
+ admin:
+ host: ${_param:secmonkey_db_host}
+ port: ${_param:secmonkey_db_port}
+ user: ${_param:postgresql_admin_user}
+ password: ${_param:postgresql_admin_user_password}
+ database:
+ secmonkey:
+ enabled: true
+ encoding: 'UTF8'
+ locale: 'en_US'
+ users:
+ - name: ${_param:secmonkey_db_user}
+ password: ${_param:secmonkey_db_user_password}
+ host: ${_param:secmonkey_db_host}
+ createdb: true
+ rights: all privileges
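Review bot: `secmonkey_db_user_password: secmonkey` on line 156 ships a default database password equal to the user name, and the same value is exported into container environments by the swarm stack; a model that forgets to override it ends up with a guessable credential guarding every cloud audit finding Security Monkey stores. Remove the literal default so a missing override fails at render time, or replace it with a clearly non-functional sentinel plus a comment such as `# must be overridden from the cluster's secrets pillar`. The grant on lines 175-176 is also wider than needed: `createdb: true` lets the application user create arbitrary databases on the shared server, while `all privileges` on `secmonkey` alone is enough for schema migrations, so drop `createdb` unless the image's migration step is known to need it (not visible here).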