
Issue #810 Security docs out of date

Signed-off-by: cgoveas <cassandra.goveas@dell.com>
cgoveas 3 years ago
commit
acc51c085f

+ 24 - 12
control_plane/roles/webui_awx/tasks/install_awx.yml

@@ -1,4 +1,4 @@
-# Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -59,11 +59,28 @@
   command: "kubectl config set-context --current --namespace={{ awx_namespace }}"
   changed_when: false
 
+- name: Installing jq package
+  package:
+    name: jq
+    state: present
+
 - name: Deploying awx-operator
   command: make deploy
   changed_when: false
   args:
     chdir: "{{ awx_operator_folder }}"
+  environment:
+    NAMESPACE: "{{ awx_namespace }}"
+
+- name: Waiting for awx operator deployment {This might take 10-15 minutes}
+  block:
+    - name: Waiting for awx-operator deployment to be up and running
+      command: kubectl wait --for=condition=available deployment awx-operator-controller-manager -n {{ awx_namespace }} --timeout={{ awx_operator_time }}
+      changed_when: false 
+  rescue:
+    - name: Display failure message
+      debug:
+        msg: "{{ operator_deployment_failure }}"
 
 - name: Get K8s pods
   command: "kubectl get pods -n {{ awx_namespace }}"
@@ -103,15 +120,16 @@
   when: "'custom-awx-ee' not in docker_images.stdout"
   retries: "{{ min_retries }}"
 
-- name: Waiting for awx-operator deployment to be up and running
-  command: kubectl wait --for=condition=available deployment awx-operator-controller-manager -n {{ awx_namespace }} --timeout={{ awx_operator_time }}
-  changed_when: false
-
 - name: Deploy awx
   command: "kubectl apply -f {{ awx_yml_file_path }}"
   changed_when: true
   when: not k8s_pods.stdout | regex_search('awx-([A-Za-z0-9]{10})-([A-Za-z0-9]{5})')
 
+- name: Wait for awx pods to get created
+  wait_for:
+    timeout: "{{ awx_wait_time }}"
+  when: not k8s_pods.stdout | regex_search('awx-([A-Za-z0-9]{10})-([A-Za-z0-9]{5})')
+
 - name: Install awxkit using pip3
   pip:
     name: awxkit
@@ -122,18 +140,12 @@
   changed_when: true
   register: installation_status
 
-- name: Wait for awx pods to get created
-  wait_for:
-    timeout: "{{ awx_wait_time }}"
-  when: not k8s_pods.stdout | regex_search('awx-([A-Za-z0-9]{10})-([A-Za-z0-9]{5})')
-
 - name: Fails if the pods go into ImagePullBackOff state
   block:
     - name: Waiting for awx deployment to be up and running
       command: kubectl wait --for=condition=available deployment awx -n {{ awx_namespace }} --timeout={{ awx_deployment_time }}
       changed_when: false
-
   rescue:
     - name: Display failure message
       debug:
-        msg: "{{ deployment_failure_msg }}"
+        msg: "{{ deployment_failure_msg }}"
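Review bot: The rescue of the new "Waiting for awx operator deployment" block (lines 42-45 of the second hunk) turns a timed-out `kubectl wait` into a non-fatal debug message, so the play continues into `Get K8s pods`, `Deploy awx` and the later `kubectl apply` against a namespace whose operator never became available, and the only trace of the real failure is a message scrolled past in the log. Unless running on without the operator is intended, the rescue should stop the play: `- name: Display failure message` / `  fail:` / `    msg: "{{ operator_deployment_failure }}"`. The pre-existing awx deployment block at the end of the file has the same debug-only rescue and would merit the same treatment. Minor: `changed_when: false ` on line 41 carries trailing whitespace, and the curly braces in the task name on line 37 would read better as parentheses, since braces are YAML flow-mapping syntax and only escape that reading because they are not at the start of the value.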

+ 2 - 1
control_plane/roles/webui_awx/vars/main.yml

@@ -36,6 +36,7 @@ readiness_probe_initial: "initialDelaySeconds: 5"
 readiness_probe_final: "initialDelaySeconds: 300"
 awx_operator_time: 900s
 awx_deployment_time: 1500s
+operator_deployment_failure: "AWX Operator deployment failed due to awx operator pod is in crashloopbackoff state"
 
 # Usage: configure_settings.yml
 awx_port: 8052
@@ -54,7 +55,7 @@ awx_ui_msg: "AWX Upgrading"
 return_status: 200
 max_retries: 20
 max_delay: 15
-awx_ui_wait_time: 30
+awx_ui_wait_time: 200
 
 # Usage: check_prerequisites.yml
 min_retries: 2
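Review bot: The new `operator_deployment_failure` message asserts one specific cause ("pod is in crashloopbackoff state"), but the only thing that triggers it is `kubectl wait --for=condition=available ... --timeout={{ awx_operator_time }}` expiring, which also happens on image-pull errors, pods stuck Pending, or simply a slow pull; an unverified cause in the message sends the operator down the wrong diagnostic path. A neutral message that points at the evidence is more useful, e.g. `operator_deployment_failure: "AWX operator deployment did not become available within {{ awx_operator_time }}; check the pods in the {{ awx_namespace }} namespace and the awx-operator-controller-manager pod logs"`. The `awx_ui_wait_time: 200` bump in the second hunk carries no unit and no rationale; a one-line comment above it stating the unit (presumably seconds, as with the other wait values in this file — worth confirming) and why 30 was insufficient would save the next reader from guessing.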

+ 18 - 8
docs/INSTALL_OMNIA.md

@@ -75,15 +75,25 @@ __Note:__ After the Omnia repository is cloned, a folder named __omnia__ is crea
 
 2. Change the directory to __omnia__: `cd omnia`
 
-3. In the `omnia_config.yml` file, provide the following details.  
-	a. The **k8s_version** variable specifies the Kubernetes version which will be installed on the manager and compute nodes. By default, it is set to **1.16.7**. Edit this variable to change the version. Supported versions are 1.16.7 and 1.19.3.  
-	b. The variable `login_node_required` is set to "true" by default to configure the login node. To configure the login node, edit the following variables:
-	* domain_name: Domain name you intend to configure.
-	* realm_name: A realm name is often, but not always, the upper case version of the name of the DNS domain over which it presides.
-	* directory_manager_password: Password of the Directory Manager with full access to the directory for system management tasks.
-	* ipa_admin_password: "admin" user password for the IPA server.  
+3. In the `omnia_config.yml` file, provide the following details:  
+
+| Parameter Name             | Default Value | Additional Information                                                                                                                                                                                                                               |
+|----------------------------|---------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| mariadb_password           | password      | Password used to access the Slurm database. <br> Required Length: 8   characters <br> The password must not contain -,\, ',"                                                                                                                         |
+| k8s_version                | 1.16.7        | Kuberenetes Version <br> Accepted Values: "1.16.7" or   "1.19.3"                                                                                                                                                                                     |
+| k8s_cni                    | calico        | CNI type used by Kuberenetes. <br> Accepted values: calico, flannel                                                                                                                                                                                  |
+| k8s_pod_network_cidr       | 10.244.0.0/16 | Kubernetes pod network CIDR                                                                                                                                                                                                                          |
+| docker_username            |               | Username to login to Docker. A kubernetes secret will be created and   patched to the service account in default namespace. <br> This value is   optional but suggested to avoid docker pull limit issues                                            |
+| docker_password            |               | Password to login to Docker <br> This value is mandatory if a   docker_username is provided                                                                                                                                                          |
+| ansible_config_file_path   | /etc/ansible  | Path where the ansible.cfg file can be found. <br> If `dnf` is   used, the default value is valid. If `pip` is used, the variable must be set   manually                                                                                             |
+| login_node_required        | TRUE          | Boolean indicating whether the login node is required or not                                                                                                                                                                                         |
+| domain_name                | omnia.test    | Sets the intended domain name                                                                                                                                                                                                                        |
+| realm_name                 | OMNIA.TEST    | Sets the intended realm name                                                                                                                                                                                                                         |
+| directory_manager_password |               | Password authenticating admin level access to the Directory for system   management tasks. It will be added to the instance of directory server   created for IPA. <br> Required Length: 8 characters. <br> The   password must not contain -,\, '," |
+| ipa_admin_password         |               | IPA server admin password                                                                                                                                                                                                                            |
 	
-	If you do not want to configure the login node, then you can set the `login_node_required` variable to "false". Without the login node, Slurm jobs can be scheduled only through the manager node.
+	
+__NOTE:__  Without the login node, Slurm jobs can be scheduled only through the manager node.
 
 4. Create an inventory file in the *omnia* folder. Add login node IP address under the *[login_node]* group, manager node IP address under the *[manager]* group, compute node IP addresses under the *[compute]* group, and NFS node IP address under the *[nfs_node]* group. A template file named INVENTORY is provided in the *omnia\docs* folder.  
 	**NOTE**: Ensure that all the four groups (login_node, manager, compute, nfs_node) are present in the template, even if the IP addresses are not updated under login_node and nfs_node groups. 

+ 2 - 2
docs/INSTALL_OMNIA_CONTROL_PLANE.md

@@ -113,8 +113,8 @@ To configure the login node, edit the following variables:
 	* **directory_manager_password**: Password of the Directory Manager with full access to the directory for system management tasks.
 	* **ipa_admin_password**: "admin" user password for the IPA server.
 * Provide passwords for mariaDB Database (for Slurm accounting), Kubernetes Pod Network CIDR, Kubernetes CNI under *mariadb_password* and *k8s_cni* respectively.  
-* To deploy FreeIPA on the Management Station, use the steps provided [here](docs\Security\Enable_Security_ManagementStation.md).
-* To deploy Grafana on the Management Station, use the steps provided [here](docs\Telemetry_Visualization\Visualization.md).
+* To deploy FreeIPA on the Management Station, use the steps provided [here](..\docs\Security\Enable_Security_ManagementStation.md).
+* To deploy Grafana on the Management Station, use the steps provided [here](..\docs\Telemetry_Visualization\Visualization.md).
 
 >> **Note**:
 >> * Supported values for Kubernetes CNI are calico and flannel. The default value of CNI considered by Omnia is calico.	

+ 0 - 0
docs/Security/Enable_Security_LoginNode.md


+ 17 - 10
docs/Security/Enable_Security_ManagementStation.md

@@ -6,20 +6,27 @@ Omnia uses FreeIPA to enable security features like authorisation and access con
 
 Set the parameter 'enable_security_support' to true in `base_vars.yml`
 
-## Prerequisites Before Enabling FreeIPA:
+## Prerequisites Before Enabling Security:
 * Enter the relevant values in `security_vars.yml`:
 
-| Parameter Name | Default Value | Additional Information                                                                                           |
-|----------------|---------------|------------------------------------------------------------------------------------------------------------------|
-| domain_name    | omnia.test    | The domain name should not contain an underscore ( _ )                                                           |
-| realm_name     | omnia.test    | The realm name should follow the following rules per https://www.freeipa.org/page/Deployment_Recommendations <br> * The realm name must not conflict with any other existing Kerberos realm name (e.g. name used by Active Directory). <br> * The realm name should be upper-case (EXAMPLE.COM) version of primary DNS domain name (example.com).  |
+|  Parameter Name        |  Default Value  |  Additional Information                                                                                                                                                                                                                                                                                                                                      |
+|------------------------|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|  domain_name           |  omnia.test     |  The domain name should not contain   an underscore ( _ )                                                                                                                                                                                                                                                                                                    |
+|  realm_name            |  OMNIA.TEST     |  The realm name should follow the   following rules per https://www.freeipa.org/page/Deployment_Recommendations   <br> * The realm name must not conflict with any other existing   Kerberos realm name (e.g. name used by Active Directory). <br> * The   realm name should be upper-case (EXAMPLE.COM) version of primary DNS domain   name (example.com). |
+| max_failures           | 3               | Failures allowed before lockout. <br> This value cannot currently   be changed.                                                                                                                                                                                                                                                                              |
+| failure_reset_interval | 60              | Period (in seconds) after which the number of failed login attempts is   reset <br> Accepted Values: 30-60                                                                                                                                                                                                                                                   |
+| lockout_duration       | 10              | Period (in seconds) for which users are locked out. <br> Accepted   Values: 5-10                                                                                                                                                                                                                                                                             |
+| session_timeout        | 180             | Period (in seconds) after which idle users get logged out automatically   <br> Accepted Values: 30-90                                                                                                                                                                                                                                                        |
+| alert_email_address    |                 | Email address used for sending alerts in case of authentication failure   <br> If this variable is left blank, authentication failure alerts will   be disabled.                                                                                                                                                                                             |
+| allow_deny             | Allow           | This variable sets whether the user list is Allowed or Denied. <br>   Accepted Values: Allow, Deny                                                                                                                                                                                                                                                           |
+| user                   |                 | Array of users that are allowed or denied based on the `allow_deny`   value. Multiple users must be separated by a space.                                                                                                                                                                                                                                    |
 
 * Enter the relevant values in `login_vars.yml`:
 
 | Parameter Name             | Default Value | Additional Information                                                                           |
 |----------------------------|---------------|--------------------------------------------------------------------------------------------------|
-| directory_manager_password |               | Password of the Directory Manager with full access to the directory for system management tasks. |
-| ipa_admin_password         |               | "admin" user password for the IPA server                                                         |
+| ms_directory_manager_password |               | Password of the Directory Manager with full access to the directory for system management tasks. |
+| ms_ipa_admin_password         |               | "admin" user password for the IPA server                                                         |
 
 
 ## Log Aggregation via Grafana
@@ -34,12 +41,12 @@ Set the parameter 'enable_security_support' to true in `base_vars.yml`
 
 Loki uses basic regex based syntax to filter for specific jobs, dates or timestamps.
 
-* Select the Explore ![Explore Icon](Telemetry_Visualization/Images/ExploreIcon.PNG) tab to select control-plane-loki from the drop down.
+* Select the Explore ![Explore Icon](../Telemetry_Visualization/Images/ExploreIcon.PNG) tab to select control-plane-loki from the drop down.
 * Using [LogQL queries](https://grafana.com/docs/loki/latest/logql/log_queries/), all logs in `/var/log` can be accessed using filters (Eg: `{job=”Omnia”}` )
 
 ## Viewing Logs on the Dashboard
 
-All log files can be viewed via the Dashboard tab (![Dashboard Icon](Telemetry_Visualization/Images/DashBoardIcon.PNG)). The Default Dashboard displays `omnia.log` and `syslog`. Custom dashboards can be created per user requirements.
+All log files can be viewed via the Dashboard tab (![Dashboard Icon](../Telemetry_Visualization/Images/DashBoardIcon.PNG)). The Default Dashboard displays `omnia.log` and `syslog`. Custom dashboards can be created per user requirements.
 
 Below is a list of all logs available to Loki and can be accessed on the dashboard:
 
@@ -49,7 +56,7 @@ Below is a list of all logs available to Loki and can be accessed on the dashboa
 | syslogs            | /var/log/messages                         | System Logging               | This log is configured by Default                                                                  |
 | Audit Logs         | /var/log/audit/audit.log                  | All Login Attempts           | This log is configured by Default                                                                  |
 | CRON logs          | /var/log/cron                             | CRON Job Logging             | This log is configured by Default                                                                  |
-| Pods logs          | /var/log/pods/*/*/*log                    | k8s pods                     | This log is configured by Default                                                                  |
+| Pods logs          | /var/log/pods/ * / * / * log                    | k8s pods                     | This log is configured by Default                                                                  |
 | Access Logs        | /var/log/dirsrv/slapd-<Realm Name>/access | Directory Server Utilization | This log is available when FreeIPA is set up ( ie when   enable_security_support is set to 'true') |
 | Error Log          | /var/log/dirsrv/slapd-<Realm Name>/errors | Directory Server Errors      | This log is available when FreeIPA is set up ( ie when   enable_security_support is set to 'true') |
 | CA Transaction Log | /var/log/pki/pki-tomcat/ca/transactions   | FreeIPA PKI Transactions     | This log is available when FreeIPA is set up ( ie when   enable_security_support is set to 'true') |

docs/login_node/login_user_creation.md → docs/Security/login_user_creation.md