How to Automate Onboarding an Openshift cluster to Check Point CloudGuard Native

JaydenAung — Mon, 22 Mar 2021 06:32:03 GMT

(I'll be only maintaining this Original GitHub repo: https://github.com/jaydenaung/cloudguard-onboard-openshift)

This tutorial is details how to onboard Openshift cluster to CloudGuard native using automation scripts.

(Manual onboarding guide is here. The original repo is forked from Dean Houari's Repo.

Prerequisites

Register for a CloudGuard native account. https://secure.dome9.com/v2/register/invite
Generate CloudGuard API key and secret here https://secure.dome9.com/v2/settings/credentials

Run the following command:

git clone https://github.com/jaydenaung/cloudguard-onboard-openshift

Using automation scripts to automate the onboarding process

Bash Shell

Make sure that uid1000.json and cp-cloudguard-openshift.yaml are in the same directory as onboard-1.sh.
Edit variables and run onboard-1.sh to onboard the cluster.

    ./onboard-1.sh

Alternatively, you can follow the instructions below and execute command lines manually.

Python Script (Work in Progress))

You can use the python script onboard_oc_1.py to onboard or remove an OpenShift cluster to and from CloudGuard.

# Install requirements
pip3 install -r requirements.txt
# Execute script
python3 onboard_oc_1.py onboard

For cluster onboarding you will need to provide:

Your Cluster Name (e.g. my_cluster)
Namespace (e.g. checkpoint)
CloudGuard API Key (you can export environment variable CHKP_CLOUDGUARD_ID and script will detect it)
CloudGUard API Secret (you can export environment variable CHKP_CLOUDGUARD_SECRET and script will detect it)

For cluster removal you will need to provide:

The path to the yaml file that was generated during onboarding. The script will try to find a yaml file in the current directory.
CloudGuard API Key (Alternatively, can export environment variable CHKP_CLOUDGUARD_ID and the script will detect it)
CloudGUard API Secret (you can also export environment. variable CHKP_CLOUDGUARD_SECRET and the script will detect it.)

Verififcation

Log onto CloudGuard native and wait for the initial sync process to be completed.

Re: How to Automate Onboarding an Openshift cluster to Check Point CloudGuard Native

Thomas-Marko — Mon, 19 Apr 2021 06:46:38 GMT

Hi Jayden,

thank you for your work! I currently try to onboard my Lab OpenShift Cluster to Cloudguard. I managed to get the deployment running, but found some caveats.

First, I found a bug in your onboard-1.sh script: At line 9 you define a namespace variable, which is never used later on:

namespace="checkpoint"

Later in the script you use the name $myns, which was never defined before. For example in line 24:

oc create namespace $myns

Another issue I found, is located in line 43:

oc create -f uid1000.json --as system:admin

You use a lowercase filename, but the filename of the referenced file in the repo is UID1000.json, which won't work on case-sensitive filesystems.

I created a pull-request to address these issues.

Also there is a bug in this file: On line 18 you define the UID as a string, which has to be an integer:

"runAsUser": { "type": "MustRunAs", "uid": 1000 },

I also created a PR for that.

Currently I am stuck when creating the cluster via the CG API as I do not get the expected response from the API. When running the request via Postman or via curl, I see the the API sends an

HTTP/1.1 401 Invalid username or password

I doublechecked the API key I created for that at https://portal.checkpoint.com/dashboard/cloudguard#/v2/settings/credentials and I also tried it with a Service Account with the Kubernetes Agent role, but both did not work. I currently have an open SR for that.

Can you confirm, that https://portal.checkpoint.com/dashboard/cloudguard#/v2/settings/credentials is the correct location for creating an API key for onboarding the cluster?

Thanks!

Regards,
Thomas

topic Re: How to Automate Onboarding an Openshift cluster to Check Point CloudGuard Native in DevSecOps