From 08a8d82052b981f8542d60feaae65df81b7eec42 Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Fri, 12 Jul 2024 15:03:27 -0700 Subject: [PATCH] docs: add additional args (#3369) * docs: add additional args * docs: remove default cis hardening * docs: correction * docs: fix typo --------- Co-authored-by: Lenny Chen --- .../clusters/edge/architecture.md | 2 +- docs/docs-content/clusters/edge/edge.md | 2 +- .../edgeforge-workflow/edgeforge-workflow.md | 9 ++-- .../edgeforge-workflow/palette-canvos/arg.md | 43 +++++++++++-------- 4 files changed, 31 insertions(+), 25 deletions(-) diff --git a/docs/docs-content/clusters/edge/architecture.md b/docs/docs-content/clusters/edge/architecture.md index 408a6f65f5..c5bc854768 100644 --- a/docs/docs-content/clusters/edge/architecture.md +++ b/docs/docs-content/clusters/edge/architecture.md @@ -17,7 +17,7 @@ The following are architectural highlights of Palette-provisioned Edge native cl - Configurable Kubernetes API servers to work with virtual IP address (VIP) or Dynamic DNS. -- Edge artifacts hardened by default according to +- Edge artifacts hardened according to [Center for Internet Security (CIS) standards](https://www.cisecurity.org/cis-benchmarks). - Edge supports adding multiple devices to the site to form a multi-node Kubernetes cluster. diff --git a/docs/docs-content/clusters/edge/edge.md b/docs/docs-content/clusters/edge/edge.md index 5191b0e8b4..d0d6e0be34 100644 --- a/docs/docs-content/clusters/edge/edge.md +++ b/docs/docs-content/clusters/edge/edge.md @@ -32,7 +32,7 @@ The following are some highlights of the comprehensive Palette Edge Solution: - Distro-agnostic Kubernetes and OS -- Edge artifacts hardened by default according to +- Edge artifacts hardened according to [Center for Internet Security (CIS) standards](https://www.cisecurity.org/cis-benchmarks). - Secured remote troubleshooting 
diff --git a/docs/docs-content/clusters/edge/edgeforge-workflow/edgeforge-workflow.md b/docs/docs-content/clusters/edge/edgeforge-workflow/edgeforge-workflow.md index ae1ece85c7..f1ffde2fea 100644 --- a/docs/docs-content/clusters/edge/edgeforge-workflow/edgeforge-workflow.md +++ b/docs/docs-content/clusters/edge/edgeforge-workflow/edgeforge-workflow.md @@ -51,10 +51,11 @@ EdgeForge contains the following critical components: - Edge Provider Container Images. -The EdgeForge process applies Center for Information System (CIS) hardening to the Edge artifacts by default. This means -we implement the guidelines and solutions provided by CIS to secure your systems automatically. The code for how we -achieve CIS hardening is open-source, available in the -[CanvOS repository](https://github.com/spectrocloud/CanvOS/tree/main/cis-harden). +You can apply Center for Information System (CIS) hardening to the Edge artifacts with the `CIS_HARDENING` argument in +your `.arg` file, which implements the guidelines and solutions provided by CIS to secure your systems automatically. +For more information about available arguments in `.arg`, refer to +[Edge Artifacts Build Configuration](./palette-canvos/arg.md). The code for how we achieve CIS hardening is open-source, +available in the [CanvOS repository](https://github.com/spectrocloud/CanvOS/tree/main/cis-harden). ### Edge Installer ISO diff --git a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/arg.md b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/arg.md index b8463ed0a4..8cfe21458b 100644 --- a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/arg.md +++ b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/arg.md 
@@ -11,22 +11,27 @@ tags: ["edge"] During the EdgeForge process, you provide an **.arg** document that contains a list of parameters to configure the build of both the provider images and the Edge Installer ISO. This page lists the parameters available in the **.arg** file. -| **Argument** | **Description** | **Allowed Values** | -| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | -| `ARCH` | Architecture of the image. Required. | `amd64`, `arm64`. | -| `AUTO_ENROLL_SECUREBOOT_KEYS` | Determines whether to auto enroll keys used for Trusted Boot. | `true`, `false`. Default is `false`. | -| `CUSTOM_TAG` | A custom tag for the provider images. This custom tag will be appended to the `IMAGE_REGISTRY` and `IMAGE_REPO` parameters to form the full image tag. | Lowercase alphanumeric string without spaces. | -| `FIPS_ENABLED` | Whether to generate FIPS compliant binaries. | `true`, `false.` Default is `false` | -| `HTTP_PROXY` | URL of the HTTP Proxy server. | URL string. | -| `HTTPS_PROXY` | URL of the HTTPS Proxy server. | URL string. | -| `IMAGE_REGISTRY` | The image registry to use for tagging the generated provider images. Required. | Your image registry hostname, without `http` or `https`
Example: docker.io/spectrocloud. | -| `IMAGE_REPO` | The image repository to use for tagging the generated provider images. Required. | Your image repository name. | -| `INCLUDE_MS_SECUREBOOT_KEYS` | Whether to include Microsoft's secure boot keys in the set of keys to enroll in your device for secure boot. Almost every machine requires these keys. | `true`, `false`. Default is `true`. | -| `ISO_NAME` | Name of the Installer ISO file. Required. | Lowercase alphanumeric string without spaces. The characters `-` and `_` are allowed. | -| `IS_UKI` | Determines whether to build a Unified Kernel Image (UKI) to enabled Trusted Boot. Refer to [Trusted Boot](../../trusted-boot/trusted-boot.md) for more information. | `true`, `false`. Default is `false`. | -| `K8S_DISTRIBUTION` | Kubernetes distribution. | ` k3s`, `rke2`, `kubeadm`, `kubeadm-fips`. | -| `NO_PROXY` | URLS that should be excluded from the proxy. | Comma-separated URL string. | -| `OS_DISTRIBUTION` | OS distribution. | `ubuntu`, `opensuse-leap`, `rhel`. | -| `OS_VERSION` | OS version. This applies to Ubuntu only. | `20`, `22`. | -| `PROXY_CERT_PATH` | Absolute path of the SSL Proxy certificate in the PEM format. | Absolute path string. | -| `UPDATE_KERNEL` | Determines whether to upgrade the Kernel version to the latest from the upstream OS provider. | `true`, `false`. | +| **Argument** | **Description** | **Allowed Values** | +| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------- | +| `ARCH` | Architecture of the image. Required. | `amd64`, `arm64`. | +| `AUTO_ENROLL_SECUREBOOT_KEYS` | Determines whether to auto enroll keys used for Trusted Boot. | `true`, `false`. Default is `false`. 
| +| `CIS_HARDENING` | Whether to harden Edge artifacts according to [Center for Internet Security (CIS) standards](https://www.cisecurity.org/cis-benchmarks). | `true`, `false`, Default is `false`. | +| `CLUSTERCONFIG` | Path to a cluster definition file. For more information refer to [Export Cluster Definition](../../local-ui/cluster-management/export-cluster-definition.md). | URL string. | +| `CUSTOM_TAG` | A custom tag for the provider images. This custom tag will be appended to the `IMAGE_REGISTRY` and `IMAGE_REPO` parameters to form the full image tag. | Lowercase alphanumeric string without spaces. | +| `FIPS_ENABLED` | Whether to generate FIPS compliant binaries. | `true`, `false.` Default is `false` | +| `HTTP_PROXY` | URL of the HTTP Proxy server. | URL string. | +| `HTTPS_PROXY` | URL of the HTTPS Proxy server. | URL string. | +| `IMAGE_REGISTRY` | The image registry to use for tagging the generated provider images. Required. | Your image registry hostname, without `http` or `https`
Example: docker.io/spectrocloud. | +| `IMAGE_REPO` | The image repository to use for tagging the generated provider images. Required. | Your image repository name. | +| `INCLUDE_MS_SECUREBOOT_KEYS` | Whether to include Microsoft's secure boot keys in the set of keys to enroll in your device for secure boot. Almost every machine requires these keys. | `true`, `false`. Default is `true`. | +| `ISO_NAME` | Name of the Installer ISO file. Required. | Lowercase alphanumeric string without spaces. The characters `-` and `_` are allowed. | +| `IS_UKI` | Determines whether to build a Unified Kernel Image (UKI) to enabled Trusted Boot. Refer to [Trusted Boot](../../trusted-boot/trusted-boot.md) for more information. | `true`, `false`. Default is `false`. | +| `K8S_DISTRIBUTION` | Kubernetes distribution. | ` k3s`, `rke2`, `kubeadm`, `kubeadm-fips`. | +| `MY_ORG` | Name of the org to use during secure boot key generation. For more information, refer to [Generate Keys](../../trusted-boot/keys/generate-keys.md). | String. | +| `NO_PROXY` | URLS that should be excluded from the proxy. | Comma-separated URL string. | +| `OS_DISTRIBUTION` | Operating System (OS) distribution. | `ubuntu`, `opensuse-leap`, `rhel`. | +| `OS_VERSION` | OS version. This applies to Ubuntu only. | `20`, `22`. | +| `PROXY_CERT_PATH` | Absolute path of the SSL Proxy certificate in the PEM format. | Absolute path string. | +| `UBUNTU_PRO_KEY` | Subscription key to a Ubuntu Pro subscription. A Ubuntu Pro subscription is needed to generate FIPS-compliant Edge artifacts with Ubuntu as the OS. | String. | +| `UKI_BRING_YOUR_OWN_KEYS` | Whether to use your own Certificate Authority (CA) to generate secure boot keys. For more information, refer to the Generate Keys using an Existing CA tab in [Generate Keys](../../trusted-boot/keys/generate-keys.md). | `false` | +| `UPDATE_KERNEL` | Determines whether to upgrade the Kernel version to the latest from the upstream OS provider. | `true`, `false`. |
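Review bot: The reworded bullet in the architecture.md hunk ("Edge artifacts hardened according to CIS standards") still reads as if hardening is unconditional, while the rest of this patch makes it opt-in. Say so in the bullet, for example "- Edge artifacts can be hardened according to [Center for Internet Security (CIS) standards](https://www.cisecurity.org/cis-benchmarks) by setting `CIS_HARDENING` in the **.arg** file."

Review bot: The edge.md hunk has the same problem as architecture.md: "hardened according to" drops "by default" without telling the reader hardening is now optional. Use the same wording as suggested for architecture.md so the two highlight lists stay consistent.

Review bot: In the edgeforge-workflow.md hunk the expansion "Center for Information System (CIS)" is wrong and is carried over from the removed text; CIS is the Center for Internet Security, as the architecture.md and edge.md hunks in this same patch spell it. The new paragraph should also state that `CIS_HARDENING` defaults to `false` (per the arg.md table), because this patch changes behavior for readers who relied on the previous "hardened by default" description and they now have to set `CIS_HARDENING=true` explicitly.

Review bot: Several rows in the arg.md table are inconsistent or incomplete. `CLUSTERCONFIG` is described as "Path to a cluster definition file" but its allowed value is "URL string"; reconcile the two (path string, or say explicitly that a URL is accepted). `UKI_BRING_YOUR_OWN_KEYS` lists only `false` as an allowed value, which makes the option useless as written; presumably it should read "`true`, `false`. Default is `false`." like the other booleans. The `CIS_HARDENING` row uses a comma before "Default" where every other row uses a period. `UBUNTU_PRO_KEY` is a subscription credential, and this table tells users to put it in the **.arg** file; add a caveat that the file then contains a secret and must not be committed to version control or shared alongside the build artifacts. Since the table is being rewritten wholesale, also fix the typos carried over from the old rows: "`false.`" in `FIPS_ENABLED`, "to enabled Trusted Boot" in `IS_UKI`, the leading space in "` k3s`", and "a Ubuntu Pro subscription" should be "an Ubuntu Pro subscription".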