docs: add additional args (#3369)
* docs: add additional args

* docs: remove default cis hardening

* docs: correction

* docs: fix typo

---------

Co-authored-by: Lenny Chen <[email protected]>
lennessyy authored Jul 12, 2024
1 parent b1f84c5 commit 08a8d82
Showing 4 changed files with 31 additions and 25 deletions.
2 changes: 1 addition & 1 deletion docs/docs-content/clusters/edge/architecture.md
Expand Up @@ -17,7 +17,7 @@ The following are architectural highlights of Palette-provisioned Edge native cl

- Configurable Kubernetes API servers to work with virtual IP address (VIP) or Dynamic DNS.

- Edge artifacts hardened by default according to
- Edge artifacts hardened according to
[Center for Internet Security (CIS) standards](https://www.cisecurity.org/cis-benchmarks).

- Edge supports adding multiple devices to the site to form a multi-node Kubernetes cluster.
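Review bot: Dropping "by default" leaves this bullet reading as an unconditional property of every Edge artifact, while the same commit makes CIS hardening opt-in through the `CIS_HARDENING` build argument (default `false`). Consider wording the highlight as a capability, e.g. `- Edge artifacts can be hardened according to`, or adding a short clause such as "when `CIS_HARDENING` is set", so a reader does not assume shipped images are hardened without setting the flag.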
2 changes: 1 addition & 1 deletion docs/docs-content/clusters/edge/edge.md
Expand Up @@ -32,7 +32,7 @@ The following are some highlights of the comprehensive Palette Edge Solution:

- Distro-agnostic Kubernetes and OS

- Edge artifacts hardened by default according to
- Edge artifacts hardened according to
[Center for Internet Security (CIS) standards](https://www.cisecurity.org/cis-benchmarks).

- Secured remote troubleshooting
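Review bot: Same concern as in architecture.md: without "by default" the bullet still states hardening as a given rather than an option gated by `CIS_HARDENING`. Keep the two pages worded identically (e.g. `- Edge artifacts can be hardened according to`) so this highlight matches the opt-in behaviour documented in arg.md.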
Expand Up @@ -51,10 +51,11 @@ EdgeForge contains the following critical components:

- Edge Provider Container Images.

The EdgeForge process applies Center for Information System (CIS) hardening to the Edge artifacts by default. This means
we implement the guidelines and solutions provided by CIS to secure your systems automatically. The code for how we
achieve CIS hardening is open-source, available in the
[CanvOS repository](https://github.com/spectrocloud/CanvOS/tree/main/cis-harden).
You can apply Center for Information System (CIS) hardening to the Edge artifacts with the `CIS_HARDENING` argument in
your `.arg` file, which implements the guidelines and solutions provided by CIS to secure your systems automatically.
For more information about available arguments in `.arg`, refer to
[Edge Artifacts Build Configuration](./palette-canvos/arg.md). The code for how we achieve CIS hardening is open-source,
available in the [CanvOS repository](https://github.com/spectrocloud/CanvOS/tree/main/cis-harden).

### Edge Installer ISO

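Review bot: The new paragraph expands CIS as "Center for Information System", which is wrong and inconsistent with the "Center for Internet Security (CIS)" used in the other three files of this commit; fix it here. It also says hardening is applied "with the `CIS_HARDENING` argument" without saying which value enables it; since the table in arg.md documents the default as `false`, write `You can apply ... hardening to the Edge artifacts by setting `CIS_HARDENING` to `true` in your `.arg` file` so readers know that leaving the argument out produces un-hardened artifacts. Minor: "automatically" now reads oddly for an opt-in step and can be dropped.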
Expand Up @@ -11,22 +11,27 @@ tags: ["edge"]
During the EdgeForge process, you provide an **.arg** document that contains a list of parameters to configure the build
of both the provider images and the Edge Installer ISO. This page lists the parameters available in the **.arg** file.

| **Argument** | **Description** | **Allowed Values** |
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
| `ARCH` | Architecture of the image. Required. | `amd64`, `arm64`. |
| `AUTO_ENROLL_SECUREBOOT_KEYS` | Determines whether to auto enroll keys used for Trusted Boot. | `true`, `false`. Default is `false`. |
| `CUSTOM_TAG` | A custom tag for the provider images. This custom tag will be appended to the `IMAGE_REGISTRY` and `IMAGE_REPO` parameters to form the full image tag. | Lowercase alphanumeric string without spaces. |
| `FIPS_ENABLED` | Whether to generate FIPS compliant binaries. | `true`, `false.` Default is `false` |
| `HTTP_PROXY` | URL of the HTTP Proxy server. | URL string. |
| `HTTPS_PROXY` | URL of the HTTPS Proxy server. | URL string. |
| `IMAGE_REGISTRY` | The image registry to use for tagging the generated provider images. Required. | Your image registry hostname, without `http` or `https` <br /> Example: docker.io/spectrocloud. |
| `IMAGE_REPO` | The image repository to use for tagging the generated provider images. Required. | Your image repository name. |
| `INCLUDE_MS_SECUREBOOT_KEYS` | Whether to include Microsoft's secure boot keys in the set of keys to enroll in your device for secure boot. Almost every machine requires these keys. | `true`, `false`. Default is `true`. |
| `ISO_NAME` | Name of the Installer ISO file. Required. | Lowercase alphanumeric string without spaces. The characters `-` and `_` are allowed. |
| `IS_UKI` | Determines whether to build a Unified Kernel Image (UKI) to enabled Trusted Boot. Refer to [Trusted Boot](../../trusted-boot/trusted-boot.md) for more information. | `true`, `false`. Default is `false`. |
| `K8S_DISTRIBUTION` | Kubernetes distribution. | ` k3s`, `rke2`, `kubeadm`, `kubeadm-fips`. |
| `NO_PROXY` | URLS that should be excluded from the proxy. | Comma-separated URL string. |
| `OS_DISTRIBUTION` | OS distribution. | `ubuntu`, `opensuse-leap`, `rhel`. |
| `OS_VERSION` | OS version. This applies to Ubuntu only. | `20`, `22`. |
| `PROXY_CERT_PATH` | Absolute path of the SSL Proxy certificate in the PEM format. | Absolute path string. |
| `UPDATE_KERNEL` | Determines whether to upgrade the Kernel version to the latest from the upstream OS provider. | `true`, `false`. |
| **Argument** | **Description** | **Allowed Values** |
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------- |
| `ARCH` | Architecture of the image. Required. | `amd64`, `arm64`. |
| `AUTO_ENROLL_SECUREBOOT_KEYS` | Determines whether to auto enroll keys used for Trusted Boot. | `true`, `false`. Default is `false`. |
| `CIS_HARDENING` | Whether to harden Edge artifacts according to [Center for Internet Security (CIS) standards](https://www.cisecurity.org/cis-benchmarks). | `true`, `false`, Default is `false`. |
| `CLUSTERCONFIG` | Path to a cluster definition file. For more information refer to [Export Cluster Definition](../../local-ui/cluster-management/export-cluster-definition.md). | URL string. |
| `CUSTOM_TAG` | A custom tag for the provider images. This custom tag will be appended to the `IMAGE_REGISTRY` and `IMAGE_REPO` parameters to form the full image tag. | Lowercase alphanumeric string without spaces. |
| `FIPS_ENABLED` | Whether to generate FIPS compliant binaries. | `true`, `false.` Default is `false` |
| `HTTP_PROXY` | URL of the HTTP Proxy server. | URL string. |
| `HTTPS_PROXY` | URL of the HTTPS Proxy server. | URL string. |
| `IMAGE_REGISTRY` | The image registry to use for tagging the generated provider images. Required. | Your image registry hostname, without `http` or `https` <br /> Example: docker.io/spectrocloud. |
| `IMAGE_REPO` | The image repository to use for tagging the generated provider images. Required. | Your image repository name. |
| `INCLUDE_MS_SECUREBOOT_KEYS` | Whether to include Microsoft's secure boot keys in the set of keys to enroll in your device for secure boot. Almost every machine requires these keys. | `true`, `false`. Default is `true`. |
| `ISO_NAME` | Name of the Installer ISO file. Required. | Lowercase alphanumeric string without spaces. The characters `-` and `_` are allowed. |
| `IS_UKI` | Determines whether to build a Unified Kernel Image (UKI) to enabled Trusted Boot. Refer to [Trusted Boot](../../trusted-boot/trusted-boot.md) for more information. | `true`, `false`. Default is `false`. |
| `K8S_DISTRIBUTION` | Kubernetes distribution. | ` k3s`, `rke2`, `kubeadm`, `kubeadm-fips`. |
| `MY_ORG` | Name of the org to use during secure boot key generation. For more information, refer to [Generate Keys](../../trusted-boot/keys/generate-keys.md). | String. |
| `NO_PROXY` | URLS that should be excluded from the proxy. | Comma-separated URL string. |
| `OS_DISTRIBUTION` | Operating System (OS) distribution. | `ubuntu`, `opensuse-leap`, `rhel`. |
| `OS_VERSION` | OS version. This applies to Ubuntu only. | `20`, `22`. |
| `PROXY_CERT_PATH` | Absolute path of the SSL Proxy certificate in the PEM format. | Absolute path string. |
| `UBUNTU_PRO_KEY` | Subscription key to a Ubuntu Pro subscription. A Ubuntu Pro subscription is needed to generate FIPS-compliant Edge artifacts with Ubuntu as the OS. | String. |
| `UKI_BRING_YOUR_OWN_KEYS` | Whether to use your own Certificate Authority (CA) to generate secure boot keys. For more information, refer to the Generate Keys using an Existing CA tab in [Generate Keys](../../trusted-boot/keys/generate-keys.md). | `false` |
| `UPDATE_KERNEL` | Determines whether to upgrade the Kernel version to the latest from the upstream OS provider. | `true`, `false`. |
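Review bot: The `UKI_BRING_YOUR_OWN_KEYS` row lists only `false` under Allowed Values, which contradicts its own description (using your own CA requires setting it); it should read `true`, `false`. Default is `false`., assuming that is the actual default. Related: `CLUSTERCONFIG` is described as a "Path to a cluster definition file" but its allowed value is "URL string" (a path string is meant), and the `CIS_HARDENING` row uses a comma where every other row uses a period before "Default is". Since the whole table is rewritten in this hunk, it is also the place to fix the pre-existing issues carried over unchanged: "to enabled Trusted Boot" in `IS_UKI`, the backtick placement in `false.` for `FIPS_ENABLED`, the leading space in ` k3s` for `K8S_DISTRIBUTION`, and "URLS" in `NO_PROXY`.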
