# IBM Verify Identity Access Configuration Automation
This repository is used to configure IBM Verify Identity Access (IVIA) and IBM Security Verify Access (ISVA) using a YAML file of the required configuration.
This project aims to be idempotent, i.e. if the configuration is run multiple times on the same appliance it should not break and should pick up any configuration changes in the YAML configuration file.
## Documentation
Documentation for using this library can be found on [Verify Identity Access Automated Configurator's GitHub pages](https://lachlan-ibm.github.io/ibmvia_autoconf/index.html).
## Example deployments
To get started, several example deployments are available in the [Examples](examples/) directory. The example YAML files must be updated with deployment-specific parameters, usually network addresses and IVIA activation codes.
# Setup
## Environment
- `IVIA_CONFIG_BASE` = directory which contains the YAML configuration file as well as any HTTP template pages, PKI, mapping rules, etc.
- *deprecated* `ISVA_CONFIG_BASE` = directory which contains the YAML configuration file as well as any HTTP template pages, PKI, mapping rules, etc.
- `IVIA_CONFIG_YAML` = path to the IVIA configuration YAML file. The path should be relative to `IVIA_CONFIG_BASE`.
- *deprecated* `ISVA_CONFIG_YAML` = path to the IVIA configuration YAML file. The path should be relative to `IVIA_CONFIG_BASE`.
- `IVIA_MGMT_BASE_URL` = address to access the IVIA LMI, e.g. https://\<isva appliance\>:\<isva port\>. This property can also be specified in the configuration YAML file. If present, this property will take precedence.
- *deprecated* `ISVA_MGMT_BASE_URL` = address to access the IVIA LMI, e.g. https://\<isva appliance\>:\<isva port\>. This property can also be specified in the configuration YAML file. If present, this property will take precedence.
- `IVIA_MGMT_USER` = the user to perform configuration as. If not supplied, the `admin` user is used.
- *deprecated* `ISVA_MGMT_USER` = the user to perform configuration as. If not supplied, the `admin` user is used.
- `IVIA_MGMT_PWD` = administrator password for the administrator account performing configuration. This property can also be specified in the configuration YAML file. If present, this property will take precedence.
- *deprecated* `ISVA_MGMT_PWD` = administrator password for the administrator account performing configuration. This property can also be specified in the configuration YAML file. If present, this property will take precedence.
- `IVIA_MGMT_OLD_PWD` = if a password change for the administrator account (e.g. from the default) is required, the old password can be specified with this environment variable. If present, the administrator's password will be changed from `MGMT_OLD_PASSWORD` to `MGMT_PASSWORD`.
- *deprecated* `ISVA_MGMT_OLD_PWD` = if a password change for the administrator account (e.g. from the default) is required, the old password can be specified with this environment variable. If present, the administrator's password will be changed from `MGMT_OLD_PASSWORD` to `MGMT_PASSWORD`.
- `IVIA_KUBERNETES_YAML_CONFIG` (optional) = path to the Kubernetes configuration YAML for Kubernetes deployments.
  - Note: If your Kubernetes cluster requires mutual authentication (TLS), then a PEM certificate file must also be available to IBM VIA Configurator.
  - Note: When run from a Kubernetes cluster, a Service Account can be used in place of a YAML configuration file.
- *deprecated* `ISVA_KUBERNETES_YAML_CONFIG` (optional) = path to the Kubernetes configuration YAML for Kubernetes deployments.
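
A pre-flight check over the variables listed above, as an added example rather than code from the ibmvia-autoconf project. The function name `preflight`, the findings wording, and the rule that an `IVIA_` value wins when both spellings are set are assumptions made for this sketch.

```python
import os
from pathlib import Path
from urllib.parse import urlsplit

# Variable suffixes documented in the Environment list above.
SUFFIXES = ["CONFIG_BASE", "CONFIG_YAML", "MGMT_BASE_URL", "MGMT_USER",
            "MGMT_PWD", "MGMT_OLD_PWD", "KUBERNETES_YAML_CONFIG"]


def preflight(environ):
    """Return (resolved settings, findings) without contacting the appliance."""
    resolved, findings = {}, []
    for suffix in SUFFIXES:
        new, old = environ.get("IVIA_" + suffix), environ.get("ISVA_" + suffix)
        if old is not None:
            findings.append(f"ISVA_{suffix} is deprecated; set IVIA_{suffix}")
        # Assumption: when both spellings are set, the IVIA_ value is used.
        value = new if new is not None else old
        if value is not None:
            resolved[suffix] = value

    base = resolved.get("CONFIG_BASE")
    if base is None or not Path(base).is_dir():
        findings.append("IVIA_CONFIG_BASE is not set or is not a directory")
    elif "CONFIG_YAML" in resolved:
        # The YAML path is documented as relative to the base directory, so
        # absolute paths and ../ escapes are reported before anything is read.
        root = Path(base).resolve()
        target = (root / resolved["CONFIG_YAML"]).resolve()
        if Path(resolved["CONFIG_YAML"]).is_absolute() or root not in target.parents:
            findings.append("IVIA_CONFIG_YAML must stay inside IVIA_CONFIG_BASE")
        elif not target.is_file():
            findings.append(f"configuration file not found: {target}")

    url = resolved.get("MGMT_BASE_URL")
    if url is not None:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            findings.append("IVIA_MGMT_BASE_URL should be https://<host>:<port>")
        if parts.username or parts.password:
            findings.append("IVIA_MGMT_BASE_URL must not embed credentials")
    return resolved, findings


if __name__ == "__main__":
    # Findings never include the password values themselves.
    for line in preflight(os.environ)[1]:
        print("preflight:", line)
```
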
## Deployment
### Local environment
IBM Verify Identity Access Configuration Automation is simple to run locally.
1. First, install the required Python packages from [PyPI](https://pypi.org/project/ibmvia-autoconf/).
2. Set the required environment variables
3. Invoke the python module from the command line.
```bash
python -m ibmvia_autoconf
```
### Docker
IBM Verify Identity Access Automated Configurator can also be run within a Docker container. Use the [Dockerfile](Dockerfile) to build a local Docker image.
The Docker container can be built and run with the following commands, executed from the top-level directory of the configurator source code. When starting the container, the required environment variables must be set and the container must be able to route to the IVIA appliances/containers which are to be configured. A password passed with `--env` on the command line is recorded in shell history; Docker's `--env-file` option keeps it out of the command itself.
```
docker build --no-cache --force-rm -t verify-identity-access-configurator .
docker run --volume /path/to/config/yaml:/config --env "IVIA_CONFIG_BASE=/config" --env IVIA_MGMT_BASE_URL="https://<mgmt address>:<mgmt port>" --env "IVIA_MGMT_PWD=Passw0rd1!" verify-identity-access-configurator
```
### Kubernetes
IBM Verify Identity Access Automated Configurator can be run from within a Kubernetes cluster. This is useful if there are routing issues between the deployment host and the Kubernetes external addresses; this option allows configuration over the Kubernetes internal network.
Here is an example Kubernetes batch `Job` object which deploys a container to apply a configuration to a cluster.
> Note: This requires a user to create the `verify-config` ConfigMap object with the required configuration files, plus any additional Secrets which are referenced as environment variables.
```
apiVersion: batch/v1
kind: Job
metadata:
  name: verify-identity-access-configurator
spec:
  template:
    spec:
      containers:
      - name: verify-identity-access-configurator
        image: python:latest
        command:
        - "bash"
        - "-c"
        - |
          pip install ibmvia-autoconf
          python3 -m ibmvia_autoconf
        volumeMounts:
        - name: verify-access-config-vol
          mountPath: /verify_access_config
        # Environment variables (management URL, password, ...) come from a Secret
        envFrom:
        - secretRef:
            name: verify-access-autoconf-env
      restartPolicy: Never
      volumes:
      # ConfigMap holding the configuration files (see the note above)
      - name: verify-config
        configMap:
          name: verify-config
      # Writable scratch volume shared by the init container and the configurator
      - name: verify-access-config-vol
        emptyDir: {}
      initContainers:
      # Copies the ConfigMap contents into the shared volume and unpacks the mapping rules
      - name: config-volume-builder
        image: python:latest
        volumeMounts:
        - mountPath: /verify_access_config
          name: verify-access-config-vol
        - mountPath: /tmp/verify_access_config
          name: verify-config
        command:
        - "bash"
        - "-c"
        - |
          apt update && apt install -y unzip;
          cp /tmp/verify_access_config/*.{p12,pem,yaml} /verify_access_config/
          unzip /tmp/verify_access_config/mapping_rules.zip -d /verify_access_config/
  backoffLimit: 4
```
# Building
To build locally:
```sh
mkdir .pyenv
virtualenv .pyenv
source .pyenv/bin/activate
pip install -r dev-requirements.txt
python setup.py sdist bdist_wheel
```
The generated wheel can then be installed into a docker container and used in any supported container runtime.
Raw data
{
"_id": null,
"home_page": null,
"name": "ibmvia-autoconf",
"maintainer": null,
"docs_url": null,
"requires_python": null,
"maintainer_email": null,
"keywords": "ivia, isva, isam, ibm verify, ibm verify identiy access, ibm security access manager, ibm security verify access",
"author": "Lachlan Gleeson",
"author_email": "lgleeson@au1.ibm.com",
"download_url": "https://files.pythonhosted.org/packages/9a/c4/a11bfc6f59be9f311b2a2ca4303b0a005f351cfea7b7e857c634cc4c8ec1/ibmvia_autoconf-0.3.6.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "Apache2.0",
"summary": "YAML based configuration automation for IBM Verify Identity Access",
"version": "0.3.6",
"project_urls": {
"Documentation": "https://lachlan-ibm.github.io/ibmvia_autoconf",
"Homepage": "https://github.com/lachlan-ibm/ibmvia_autoconf",
"Source": "https://github.com/lachlan-ibm/ibmvia_autoconf",
"Tracker": "https://github.com/lachlan-ibm/ibmvia_autoconf/issues"
},
"split_keywords": [
"ivia",
" isva",
" isam",
" ibm verify",
" ibm verify identiy access",
" ibm security access manager",
" ibm security verify access"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "cd74b861a690976c47829548319d2e60e544eb52ed8f65a021f21af5b4033294",
"md5": "025032a3b0c6713d301b642cc1ee2391",
"sha256": "3105b8aa7cb8020e650daa4d4d2192141e97bd91c9d6fe710dbdb499edfdeda7"
},
"downloads": -1,
"filename": "ibmvia_autoconf-0.3.6-py3-none-any.whl",
"has_sig": false,
"md5_digest": "025032a3b0c6713d301b642cc1ee2391",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 92911,
"upload_time": "2025-01-12T23:10:24",
"upload_time_iso_8601": "2025-01-12T23:10:24.881964Z",
"url": "https://files.pythonhosted.org/packages/cd/74/b861a690976c47829548319d2e60e544eb52ed8f65a021f21af5b4033294/ibmvia_autoconf-0.3.6-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "9ac4a11bfc6f59be9f311b2a2ca4303b0a005f351cfea7b7e857c634cc4c8ec1",
"md5": "20743a7202197553f38e6118eec39519",
"sha256": "02cba58c4a4cc5bb9d10597f94bcce55dbea39a0ade112b6c20ee3375c043e54"
},
"downloads": -1,
"filename": "ibmvia_autoconf-0.3.6.tar.gz",
"has_sig": false,
"md5_digest": "20743a7202197553f38e6118eec39519",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 90559,
"upload_time": "2025-01-12T23:10:28",
"upload_time_iso_8601": "2025-01-12T23:10:28.155135Z",
"url": "https://files.pythonhosted.org/packages/9a/c4/a11bfc6f59be9f311b2a2ca4303b0a005f351cfea7b7e857c634cc4c8ec1/ibmvia_autoconf-0.3.6.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-01-12 23:10:28",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "lachlan-ibm",
"github_project": "ibmvia_autoconf",
"travis_ci": true,
"coveralls": false,
"github_actions": true,
"lcname": "ibmvia-autoconf"
}