Demonstrate F5 BIG-IP capabilities as an ingress to OpenShift with Telemetry Streaming and Prometheus
- F5 BIG-IP 14.1.0.3-0.0.6 (or greater) with the LTM, AVR and ASM modules licensed and provisioned
- Red Hat Ansible 2.8
- This demo assumes an OpenShift environment is already built and that the Linux jumphost has access to it (the kubeconfig file is populated in the default location, ~/.kube/config).
- The jumphost must be able to connect to the management address of your specified BIG-IP.
Prepare the jumphost to run the Ansible playbook with the following commands:
git clone https://github.com/yossi-r/openshift-ts.git
cd openshift-ts
./install-ubuntu-dependencies.sh # This installs the Linux dependencies required to run Docker and Ansible.
- Run the Ansible playbook with the following command:
./deploy.sh
- To generate traffic to the Juice Shop site, use the following command from the jumphost. The first argument is the Virtual Server configured for Juice Shop; the second is the number of times the traffic generation script runs.
./run-load.sh http://juice-shop.cisroutes.dc1.example.com 10
- To scan the Juice Shop site for security vulnerabilities (the attack script drives OWASP ZAP against it), use this example command from the jumphost. The only argument is the Virtual Server configured for Juice Shop.
./run-attack.sh http://juice-shop.cisroutes.dc1.example.com
The F5 Automation Toolchain packages used in this project are Application Services 3 (AS3), Declarative Onboarding (DO) and Telemetry Streaming (TS). The default variables in the Ansible playbook pin each package to a specific tagged release; the default values can be seen in the playbook defaults. You can instead have Ansible fetch the latest release, regardless of tag, by setting the `<package name>_use_latest` variable for that package. Pinned tags are the reproducible choice: a run with `_use_latest` set can install a different version each time, so prefer pinning for anything beyond a throwaway demo.
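The `_use_latest` switch trades reproducibility for convenience: whatever GitHub serves as the newest release is what lands on the BIG-IP. The script below is an added example (it is not part of openshift-ts) showing the pinned alternative together with the check a practitioner wants: download the RPM for a fixed tag along with the `.sha256` file published beside it, and refuse to install unless the digest matches. Assumed rather than taken from this page: the three F5Networks GitHub repository names, that every release attaches `<rpm>` and `<rpm>.sha256` in `sha256sum` format, and that the caller supplies the exact RPM file name for the tag (the build suffix differs per release).

```shell
#!/bin/sh
# atc-fetch.sh: download a pinned F5 Automation Toolchain RPM and verify its
# SHA-256 before it is pushed to a BIG-IP. Added example, not openshift-ts code.
# Usage: ./atc-fetch.sh --run as3 v3.20.0 f5-appsvcs-3.20.0-3.noarch.rpm /tmp/atc
#   (package names as3|do|ts; the tag, RPM file name and directory are examples)

# repo_for PACKAGE: GitHub repository under F5Networks for each package (assumed).
repo_for() {
  case "$1" in
    as3) echo "f5-appsvcs-extension" ;;
    do)  echo "f5-declarative-onboarding" ;;
    ts)  echo "f5-telemetry-streaming" ;;
    *)   echo "unknown package: $1" >&2; return 1 ;;
  esac
}

# release_url PACKAGE TAG FILE: download URL of FILE attached to release TAG.
release_url() {
  repo=$(repo_for "$1") || return 1
  echo "https://github.com/F5Networks/$repo/releases/download/$2/$3"
}

# sha256_tool FILE...: GNU sha256sum, or shasum on BSD/macOS; same output format.
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# verify_rpm DIR RPM: succeed only if DIR/RPM.sha256 carries a digest for exactly
# RPM (a checksum file naming some other file is rejected) and the digest matches.
verify_rpm() {
  dir="$1"; rpm="$2"
  [ -f "$dir/$rpm" ] && [ -f "$dir/$rpm.sha256" ] || return 1
  expected=$(awk -v f="$rpm" '{ n = $2; sub(/^\*/, "", n); if (n == f) { print tolower($1); exit } }' "$dir/$rpm.sha256")
  [ -n "$expected" ] || return 1
  actual=$( (cd "$dir" && sha256_tool "$rpm") | awk '{ print tolower($1) }')
  [ "$actual" = "$expected" ]
}

# fetch_rpm PACKAGE TAG RPM DIR: fetch RPM and RPM.sha256 for the pinned TAG,
# then verify. Nothing is reported as verified until the digest has been checked.
fetch_rpm() {
  pkg="$1"; tag="$2"; rpm="$3"; dir="$4"
  mkdir -p "$dir" || return 1
  for f in "$rpm" "$rpm.sha256"; do
    url=$(release_url "$pkg" "$tag" "$f") || return 1
    curl -fsSL -o "$dir/$f" "$url" || { echo "download failed: $url" >&2; return 1; }
  done
  if verify_rpm "$dir" "$rpm"; then
    echo "verified $dir/$rpm"
  else
    echo "DIGEST MISMATCH for $dir/$rpm; not installing" >&2
    rm -f "$dir/$rpm"
    return 1
  fi
}

if [ "${1:-}" = "--run" ]; then
  fetch_rpm "$2" "$3" "$4" "$5"
fi
```

A verified RPM can then be handed to whatever task the playbook uses to upload the package; the point is that a pinned tag plus a digest check, not `_use_latest`, should be the default for any BIG-IP you care about.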
The following is a high-level flow of the steps taken when preparing for and executing this playbook (* denotes steps that are not currently implemented for you):
- Git pull Ansible playbooks *
- Build Ubuntu host *
- Install Ubuntu dependencies
- Configure BIG-IPs
  - Install Application Services 3 (AS3)
  - Install Telemetry Streaming (TS)
- Deploy monitoring containers
  - Grafana
    - API call to install GeoLocation map plugin
    - API call to add datasources
    - API call to import JSON dashboard
  - Graphite & StatsD
  - ElasticSearch
    - API call to build the index
    - API call to set the query size and field size
    - API call to set field settings
  - Grafana
- Deploy Juice Shop application to OpenShift and publish a route
- Demo!
  - Send automated requests to the Juice Shop application
  - Execute OWASP ZAP to discover and exploit vulnerabilities in the Juice Shop application
  - Show the working Juice Shop web site
  - Show the Grafana dashboard
The following are the actual steps needed to execute the demo:
- Boot up the BIG-IP and Ubuntu images
- SSH into the BIG-IP and run the following to set the admin password (the one you will place in bigip_provider):
tmsh
modify auth user admin prompt-for-password
save sys config
quit
- SSH into the Ubuntu server and run the following
git clone https://github.com/yossi-r/openshift-ts.git
cd openshift-ts
- Run
./install-ubuntu-dependencies.sh
- Run
./deploy.sh
- Run load script:
./run-load.sh http://10.1.10.20 10
- Run attack script:
./run-attack.sh http://10.1.10.20
Variables can be overridden in a number of locations in the playbooks. Primarily, the variables are set in the inventory.yml file. To learn about variable precedence in Ansible, see the Ansible user guide.
Variable Name | Description | Required |
---|---|---|
ansible_connection | Connection type used when connecting to the Ubuntu host. | * |
ansible_user | User name used to log in to the Ubuntu server via SSH. | * |
ansible_become | Determines whether privilege escalation is used while issuing Ansible tasks on the Ubuntu server. | * |
app_server_address | The address assigned to the Juice Shop and Grafana Virtual Server pool members. If add_ubuntu_interface is true, this address is also assigned to the eth1 interface of the Ubuntu server. | * |

Variable Name | Description | Required |
---|---|---|
ansible_connection | Instructs Ansible not to use SSH when connecting to this host (the `local` connection type). | * |
app_server_gateway | The gateway address used when creating the additional interface on the Ubuntu server. | |
add_ubuntu_interface | Boolean to add an optional network interface (eth1) to the Ubuntu server using the NetPlan role. | |

Variable Name | Description | Required |
---|---|---|
bigip_provider | BIG-IP management connection information, in the form the F5 Ansible modules' `provider` dictionary expects. | * |
bigip_validate_certs | Determines whether the TLS certificate is validated when connecting to the BIG-IP's management API for the scope of the Ansible plays. Leave it enabled unless the BIG-IP still has its self-signed management certificate; disabling it means the plays accept any certificate presented for the management address. | * |
bigip_domain | Used when building the FQDN portion of the BIG-IP host name as well as the DNS search suffix. | * |
bigip_hostname | Fully qualified host name of the BIG-IP. | * |
bigip_ntp_server | A comma-separated, double-quoted list of NTP servers that the BIG-IP should use. | * |
bigip_ntp_timezone | The name of the NTP timezone, as a TZ database name (for example America/New_York). | * |
bigip_dns_server | A quoted IP address of your DNS server. | * |
bigip_dns_search | The DNS search domain. | * |
bigip_external_self_ip | The BIG-IP's self IP address on the external interface. | * |
bigip_internal_self_ip | The BIG-IP's self IP address on the internal interface. | * |
juiceshop_virtual_address | The IP address of the Juice Shop Virtual Server that will be created. | * |
grafana_virtual_address | The IP address of the Grafana Virtual Server that will be created. | * |
log_pool | The IP address of the Virtual Server and logging pool that the LTM request logging policy and ASM logs target. Use an address on the internal network, since it does not need to be reachable publicly. | * |
bigip_license | The license key for the BIG-IP. If not specified, the BIG-IP is not licensed when the playbook runs. | |
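As an added illustration, not the repository's own inventory file, this is how the variables above fit together in an Ansible YAML inventory. Group names, host names and addresses are assumed (only 10.1.10.20, the Juice Shop address used in the commands above, comes from this page); the keys under `bigip_provider` follow the F5 Ansible modules' `provider` dictionary. Two choices worth copying: the BIG-IP password and license come from Ansible Vault variables rather than plain text, and `bigip_validate_certs` is only false while the BIG-IP still presents its self-signed management certificate.

```yaml
# inventory.yml: added example layout, not the openshift-ts file. All host
# names, groups and addresses are assumed; 10.1.10.20 is the Juice Shop
# Virtual Server address used in the README's example commands.
all:
  children:
    ubuntu:
      hosts:
        jumphost:
          ansible_host: 10.1.1.10
          ansible_connection: ssh
          ansible_user: ubuntu
          ansible_become: true
          app_server_address: 10.1.20.10
          app_server_gateway: 10.1.20.1
          add_ubuntu_interface: true
    bigips:
      hosts:
        bigip1:
          ansible_connection: local    # F5 modules talk to the REST API from the control node, no SSH
          bigip_provider:
            server: 10.1.1.245
            server_port: 443
            user: admin
            password: "{{ vault_bigip_password }}"   # defined in an ansible-vault encrypted file
            validate_certs: "{{ bigip_validate_certs }}"
          bigip_validate_certs: false  # lab only: self-signed management cert; set true once a trusted cert is installed
          bigip_domain: dc1.example.com
          bigip_hostname: bigip1.dc1.example.com
          bigip_ntp_server: '"0.pool.ntp.org", "1.pool.ntp.org"'
          bigip_ntp_timezone: America/New_York
          bigip_dns_server: '"10.1.1.1"'
          bigip_dns_search: dc1.example.com
          bigip_external_self_ip: 10.1.10.245
          bigip_internal_self_ip: 10.1.20.245
          juiceshop_virtual_address: 10.1.10.20
          grafana_virtual_address: 10.1.10.21
          log_pool: 10.1.20.30         # internal network, as the table recommends
          bigip_license: "{{ vault_bigip_license }}"  # optional; omit to leave licensing alone
```

Create the vault file with `ansible-vault create group_vars/bigips/vault.yml` (path assumed) holding `vault_bigip_password` and `vault_bigip_license`, and pass `--ask-vault-pass` or a vault password file when running the playbook, so the only secrets on disk are encrypted ones.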
- Thanks to aknot242; a lot of his work on https://github.com/aknot242/ansible-uber-demo is used in this demo.