ChrisMcGowan
commented
6 months ago So prometheus is setup to allow any opsuaa authed user to access - we need to scope down that access.
- In opsuaa add a new group called
prometheus-supportwith commentSupport members access to prometheushere: https://github.com/cloud-gov/cg-deploy-opslogin/blob/05e96ba9245149e0cb41ac5a96a2eb4d9bec2736/manifest.yml#L318 - Under scope add
prometheus-support,concourse.pages, andconcourse.adminhere: https://github.com/cloud-gov/cg-deploy-opslogin/blob/05e96ba9245149e0cb41ac5a96a2eb4d9bec2736/manifest.yml#L440-L449 - Deploy opsuaa
- In deploy-prometheus add the scope
prometheus-support,concourse.pages, andconcourse.adminhere: https://github.com/cloud-gov/cg-deploy-prometheus/blob/803e0b099335d84bcf64edac07a6cc8bc50e3c3c/bosh/manifest.yml#L313 - Deploy prometheus
- In cg-scripts modify
make-pages-ops-adminto addd user to groupprometheus-support: https://github.com/cloud-gov/cg-scripts/blob/main/make-pages-ops-admin.sh#L42 - Take the
make-ops-viewerscript in cg-scripts and make a new script file calledmake-prometheus-supportand replace here https://github.com/cloud-gov/cg-scripts/blob/main/make-ops-viewer.sh#L42 withprometheus-support. Remember to runchmod +xon the script before commit to the repo
For testing all this, you can do the following to make sure all the pieces work manually:
- From tooling jumphost auth to opsa uua using
cg-scrips/uaa/login - Use
uaacto create theprometheus-supportgroup - Use
uaacto modify theprometheus-stagingclient to add the scope - Use
bosh manifestcommand to get theprometheus-stagingmanifest, make the changes there and manualbosh deploy - Test with someone not
concourse-adminorpages-adminto see if they can auth/get in to the stage envirnment and if not add them to the group usinguaacand test to validate they get in - Test that normal platfrom/pages folks still have access
Check/verify if the new Concourse Viewer access gives Prometheus/Grafana access