Sunday, 26 May 2024

Create an Automator Config key

(1) Create an Automator Config key

Open a command line interface and generate a random 256-bit key, base64-encoded. This value is the key the Automator service uses to protect its configuration, so treat it as a secret. On Mac/Linux, OpenSSL generates a suitable key with the command below (on Windows, PowerShell can produce an equivalent base64 value):

Generate a Key

openssl rand -base64 32

Save the value this command prints; it is used in Step (3).

Example of generated key value in Mac/Linux
Example of generated key value in PowerShell
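The following is an added example, not part of the original page or Keeper's own tooling: it generates the key exactly as the command above does and then verifies it before you paste it into the container's environment, catching a truncated paste or a key of the wrong length. The fallback to /dev/urandom when openssl is absent is my own addition.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or from Keeper): generate an
# AUTOMATOR_CONFIG_KEY value and verify it before using it in Step (3).
set -euo pipefail

# Produce 32 random bytes (256 bits) as one line of base64, the same output
# "openssl rand -base64 32" gives. Falls back to /dev/urandom if openssl is
# not installed (assumption: /dev/urandom exists, which it does on Mac/Linux).
gen_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 32
    else
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    fi
}

# check_key KEY -> 0 only if KEY is valid base64 that decodes to exactly 32 bytes.
# Rejects non-base64 input (e.g. a partial paste) and keys generated with the
# wrong length (e.g. "openssl rand -base64 16", which yields only 16 bytes).
check_key() {
    local key="$1" nbytes
    nbytes=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ') || return 1
    [ "${nbytes:-0}" -eq 32 ]
}

# Generate, verify, and print in the form used for the container environment variable.
key=$(gen_key)
check_key "$key" || { echo "generated key failed validation" >&2; exit 1; }
printf 'AUTOMATOR_CONFIG_KEY=%s\n' "$key"
```

Run it once and copy the printed value; if check_key ever fails on a value you already deployed, the container was started with a bad key and should be redeployed with a fresh one.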

(2) Create a Container App

From Azure, create a new Container App.

Create a Container App
  • Select or create a new Resource Group

  • Set the Container App Name to "keeperautomator" or whatever you prefer

  • Select the region where you would like the service hosted

  • Create a new Apps Environment or select an existing environment

  • Click Next : Container >

(3) Setup Container Details

In the "Container" step, make the following selections:

  • Uncheck the "Use quickstart image"

  • Select "Docker Hub or other registries"

  • Select "Public"

  • Select Registry login server as docker.io

  • Set the Image and tag as keeper/automator:latest

  • For CPU and Memory, 0.5 CPU cores and 1Gi memory are sufficient to start; increase them based on your volume of new device logins.

  • Create an environment variable called AUTOMATOR_CONFIG_KEY with the key value from Step (1).

  • Create an environment variable called AUTOMATOR_PORT with the value of 8089

  • Create an environment variable called SSL_MODE with the value of none (the Container Apps ingress terminates TLS, so the container itself serves plain HTTP on port 8089)

  • Click "Next : Bindings >"

  • Click "Next : Ingress >"

(4) Ingress Setup

On the Ingress setup screen, select the following:

  • Enable Ingress

  • Ingress traffic: Accepting traffic from anywhere (we'll restrict this in Step 6)

  • Ingress type: HTTP

  • Target port set to 8089

(5) Create Container App

Click "Review + Create" and then click "Create"

After a few minutes, the container app will be created and automatically start up.

Clicking "Go to Resource" takes you to the new Container App.

Go to resource

(6) Customize the Ingress Setup

To restrict communications to the Keeper Automator service, click on the "Ingress" link on the left side of the screen.

  • Click on "Ingress"

  • Select "Allow traffic from IPs configured below, deny all other traffic"

  • Click "Add" to add the two Keeper IPs for your tenant region from the table below, plus any of your own IPs required for testing the service.

  • Click Save

Ingress Setup
Keeper Tenant Region    IP1                  IP2
US                      54.208.20.102/32     34.203.159.189/32
US GovCloud             18.252.135.74/32     18.253.212.59/32
EU                      52.210.163.45/32     54.246.185.95/32
AU                      3.106.40.41/32       54.206.208.132/32
CA                      35.182.216.11/32     15.223.136.134/32
JP                      54.150.11.204/32     52.68.53.105/32
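The same allow-list can be applied from the Azure CLI, which is easier to review and repeat than the portal clicks above. This is an added example, not from the original page or from Keeper: it assumes the az CLI with the containerapp extension is installed and logged in, the app name "keeperautomator" and resource group "rg-keeper" are placeholders, and the rule names "allow-N" are my own choice. The IP table is copied from the one above.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or from Keeper): apply the Step 6
# ingress IP allow-list with the Azure CLI. Assumes az + containerapp extension.
set -euo pipefail

# Keeper's two source IPs per tenant region, copied from the table above.
keeper_ips() {
    case "$1" in
        US)          echo "54.208.20.102/32 34.203.159.189/32" ;;
        US-GovCloud) echo "18.252.135.74/32 18.253.212.59/32" ;;
        EU)          echo "52.210.163.45/32 54.246.185.95/32" ;;
        AU)          echo "3.106.40.41/32 54.206.208.132/32" ;;
        CA)          echo "35.182.216.11/32 15.223.136.134/32" ;;
        JP)          echo "54.150.11.204/32 52.68.53.105/32" ;;
        *) echo "unknown Keeper region: $1" >&2; return 1 ;;
    esac
}

# Print the az command instead of running it when DRY_RUN=1 (for review/testing).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%q ' "$@"; echo; else "$@"; fi
}

# restrict_ingress APP RESOURCE_GROUP REGION [EXTRA_CIDR ...]
# Adds one Allow rule per CIDR. As soon as at least one Allow rule exists, the
# Container Apps ingress denies every other source, which is the same effect as
# "Allow traffic from IPs configured below, deny all other traffic" in the portal.
restrict_ingress() {
    local app="$1" rg="$2" region="$3"; shift 3
    local ips cidr i=1
    ips=$(keeper_ips "$region") || return 1
    for cidr in $ips "$@"; do
        run az containerapp ingress access-restriction set \
            --name "$app" --resource-group "$rg" \
            --rule-name "allow-$i" --ip-address "$cidr" \
            --action Allow --description "Keeper Automator ingress $cidr"
        i=$((i + 1))
    done
    # Show the resulting rule set so the change can be checked against the table.
    run az containerapp ingress access-restriction list \
        --name "$app" --resource-group "$rg" -o table
}

# Usage (placeholders): Keeper EU tenant plus one tester address.
# DRY_RUN=1 restrict_ingress keeperautomator rg-keeper EU 203.0.113.7/32
```

Run with DRY_RUN=1 first to see the exact commands, then without it to apply them. Remove the tester CIDR rule once testing is finished so only Keeper's addresses remain.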

(7) Set up Scaling, Health Probes and Volume Mount

To prevent Azure from scaling the app down to zero replicas (which would leave Automator unreachable until a cold start), set the minimum number of replicas to 1.

  • Click on "Scale and replicas"

  • Click "Edit and deploy"

  • Click on the "Scale" tab

  • For now, set both Min and Max replicas to 1 (the ephemeral volume configured below is local to each replica, so keep a single replica unless you have arranged shared storage).

Min and Max replicas
  • Next, click on the "Container" tab, then click on the container image name

  • Click on the "Health probes" tab on the upper right

Under "Liveness probes":

  • Enable liveness probes

  • Transport: HTTP

  • Path: /health

  • Port: 8089

  • Initial delay seconds: 5

  • Period seconds: 30

Liveness probes

Under "Startup probes":

  • Enable startup probes

  • Transport: HTTP

  • Path: /health

  • Port: 8089

  • Initial delay seconds: 5

  • Period seconds: 30

Startup probes

Under "Volume Mounts":

  • Select "Ephemeral Storage"

  • Add volume name automatordata

  • Set the Mount Path to /usr/mybin/config

Volume mounts

Finish the configuration

  • Click on Save

  • Then click on Create to build the new configuration

  • After a few minutes, the new containers should start up

(8) Retrieve the Application URL

From the Overview section of the Container App, on the right side is the "Application URL" that was assigned. Copy this and use this Application URL in the next step.

For example, https://craigautomator1.xyx-1234.azurecontainerapps.io

Retrieve the Application URL

(9) Login to Keeper Commander

Keeper Commander is required to perform the final step of Automator configuration. It can be run from anywhere; it does not need to be installed on the server.

On your workstation or server, install the Keeper Commander CLI. The installation instructions, including binary installers, are here: https://docs.keeper.io/secrets-manager/commander-cli/commander-installation-setup

After Commander is installed, launch Keeper Commander, or from an existing terminal type keeper shell to open a session, then log in using the login command. To set up Automator, you must log in as a Keeper Administrator, or as an Admin with permission to manage the SSO node.

$ keeper shell

My Vault> login admin@company.com

  _  __  
 | |/ /___ ___ _ __  ___ _ _ 
 | ' </ -_) -_) '_ \/ -_) '_|
 |_|\_\___\___| .__/\___|_|
 v16.x.xxx    |_|

 password manager & digital vault

Logging in to Keeper Commander
Enter password for admin@company.com
Password: ********************
Successfully authenticated with Master Password
Syncing...
Decrypted [58] record(s)

My Vault>

(10) Create the Automator

Create the Automator using a series of commands, starting with automator create

My Vault> automator create --name "My Automator" --node "Azure Cloud"

The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.

Automator Create

The output of the command displays the Automator settings:

                    Automator ID: 1477468749950
                            Name: My Automator
                             URL: 
                         Enabled: No
                     Initialized: No
                          Skills: Device Approval

Note that the "URL" is not populated yet; it will be set to the Application URL from Step 8.

Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (team, team_for_user and device).

automator edit --url https://<application URL> --skill=team --skill=team_for_user --skill=device "My Automator"

Next, exchange keys. The setup command encrypts the enterprise private key with the Automator's public key and delivers it to the Automator service:

automator setup "My Automator"

Initialize the Automator with the new configuration

automator init "My Automator"

Enable the service

automator enable "My Automator"

At this point, the configuration is complete.

For external health checks, you can use the below URL:

https://<server>/health

Example curl command:

$ curl https://craigautomator1.xyz.azurecontainerapps.io/health
OK
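For scripted use, after a redeploy in Step 7 or from an external monitor, the following is an added example (not from the original page or from Keeper) that polls the /health endpoint until it answers "OK". It assumes curl is installed; the URL is a placeholder for your own Application URL from Step 8.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or from Keeper): wait for the
# Automator /health endpoint to report OK. Requires curl.
set -euo pipefail

# health_ok URL -> 0 if the endpoint returns HTTP 200 with body "OK", else 1.
# --fail makes curl return non-zero on 4xx/5xx. A 403 here usually means the
# calling host is not in the Step 6 ingress allow-list, not that Automator is down.
health_ok() {
    local body
    body=$(curl --silent --show-error --fail --max-time 5 "$1" 2>/dev/null) || return 1
    [ "$(printf '%s' "$body" | tr -d '[:space:]')" = "OK" ]
}

# wait_healthy URL TIMEOUT_SECONDS [INTERVAL_SECONDS]
# Returns 0 as soon as health_ok succeeds, 1 once TIMEOUT_SECONDS has elapsed.
wait_healthy() {
    local url="$1" timeout="$2" interval="${3:-10}" waited=0
    until health_ok "$url"; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "Automator at $url not healthy after ${timeout}s" >&2
            return 1
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "Automator at $url is healthy"
}

# Usage (placeholder URL): give a fresh deployment up to five minutes to come up.
# wait_healthy "https://<application URL>/health" 300
```

Because the check goes through the Container Apps ingress, run it from a host whose IP you added in Step 6; a failure from an unlisted host tells you about the allow-list, not about the service.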
