KYPO CRP Deployment#

This page contains the steps that are needed to install and configure the KYPO Cyber Range Platform. You can clone the KYPO CRP Deployment Demo Repository via the following command.

git clone https://gitlab.ics.muni.cz/muni-kypo-crp/prototypes-and-examples/kypo-crp-demo.git

Prerequisites#

Install the following technology:

Technology	Installation	Version
Ansible	`apt install ansible`	2.9.6+
python3-passlib	`apt install python3-passlib`	1.7+
bcrypt	`pip3 install bcrypt`	3.2+

Configure#

Configure access to the OpenStack cloud.

Obtain Application Credentials.

Edit the following variables of an extra-vars.yml file using values obtained from the previous step.

# The URL of OpenStack Identity service API.
kypo_crp_os_auth_url: <OS_AUTH_URL>
# The ID of application credentials to authenticate at the OpenStack cloud platform.
kypo_crp_os_application_credential_id: <OS_APPLICATION_CREDENTIAL_ID>
# The secret string of `kypo_crp_os_application_credential_id`.
kypo_crp_os_application_credential_secret: <OS_APPLICATION_CREDENTIAL_SECRET>

Configure access to the KYPO CRP Proxy machine that has direct access to the virtual network dedicated to sandboxes.
1. Obtain access to the VM from Base Infrastructure, i.e.:
  - hostname
  - username
  - passwordless SSH key
  And make sure you can access it.
```
$ ssh -i <passwordless-ssh-key> <username>@<hostname>
```
2. Edit the following variables of an extra-vars.yml file using values obtained from the previous step.
```
# The KYPO Jump host IP address or hostname.
kypo_crp_proxy_host: <hostname>
# The name of the user on the KYPO Jump host.
kypo_crp_proxy_user: <username>
```
3. Encode the obtained passwordless SSH key using the base64 tool.
```
$ base64 <passwordless-ssh-key>
```
4. Edit the following variable of an secrets.yml file using value obtained from the previous step.
```
# The base64 encoded content of private SSL key used for communication with `kypo_crp_proxy_host`.
kypo_crp_proxy_key: |-
    <encoded-passwordless-ssh-key
    spanning-multiple-lines>
```
Configure access to the KYPO CRP Head machine.
1. Obtain access to the VM from Base Infrastructure, i.e.:
  - hostname
  - username
  - SSH key
  And make sure you can access it.
```
$ ssh -i <passwordless-ssh-key> <username>@<hostname>
```
2. Edit the following variable of an inventory.ini file using value obtained from the previous step.
```
[kypo_head]
kypo
[kypo_head:vars]
ansible_host=<hostname>
ansible_user=<username>
ansible_ssh_private_key_file=<ssh-key>
```
3. Edit the following variable of an extra-vars.yml file using value obtained from the previous step.
```
# The FQDN or IP address of KYPO CRP.
kypo_crp_host: <hostname>
```

Configure an SSL certificate that will be used for HTTPS communication.

Obtain a certificate either from your Certification Authority (CA) or generate a self-signed one.
Encode obtained certificate and its key using the base64 tool.
```
$ base64 <certificate.pem>
$ base64 <certificate.key>
```

Edit the following variables of an secrets.yml file using values obtained from the previous step.

# The base64 encoded content of SSL certificate that is used by KYPO CRP for HTTPS communication.
kypo_crp_cert: |-
    <encoded-certificate.pem
    spanning-multiple-lines>
# The base64 encoded content of private SSL key of `kypo_crp_cert`.
kypo_crp_cert_key: |-
    <encoded-certificate.key
    spanning-multiple-lines>

Configure OpenID Connect providers.

There has to be at least one OIDC issuer defined. If you do not have one, you can create our CSIRT-MU dummy OIDC issuer.
```
$ ansible-playbook -i inventory.ini provisioning/docker.yml --extra-vars=@extra-vars.yml --extra-vars=@secrets.yml
$ ansible-playbook -i inventory.ini provisioning-oidc/oidc.yml --extra-vars=@extra-vars.yml --extra-vars=@secrets.yml
```
Security Risk

Do not use this issuer in the production environment, it could be a security risk.

CSIRT-MU dummy OIDC issuer

The issuer can be found at https://<kypo_crp_head>:8443/csirtmu-dummy-issuer-server/
Obtain OIDC URL and clients secrets from Setting up OIDC Provider, i.e.:
- url
- client_id
- resource_client_id
- resource_client_secret

Edit the following variables of an extra-vars.yml file using values obtained from the previous step.

# The list of OIDC providers and their specification.
kypo_crp_oidc_providers:
      # The label that is displayed as an option for authentication.
    - label: "Login with Example issuer"
      # The URL of resource server configuration.
      url: <url>
      # The ID of OIDC client.
      client_id: <client_id>
      # The ID of resource client.
      resource_client_id: <resource_client_id>
      # The secret for resource client `resource_client_id`.
      resource_client_secret: <resource_client_secret>

Configure initial users.

There has to be at least one initial user with admin permissions that will be able to manage other users. See Administration Agenda. Edit the following variables of an extra-vars.yml file using values obtained from the previous step.

CSIRT-MU dummy OIDC issuer

The format of variable sub is <user-login>@oidc.csirt.muni.cz
The variable iss is https://<kypo_crp_head>:8443/csirtmu-dummy-issuer-server/

kypo_crp_users:
      # The unique identifier of the user within the OIDC provider.
    - sub: admin@example.com
      # The URL of the OIDC provider.
      iss: https://example.com:443/issuer
      # A password of the user.
      password: password
      # An email address of the user.
      email: admin@example.com
      # The user full name.
      fullName: "Demo Admin"
      # The user given name.
      givenName: "Demo"
      # The user family name.
      familyName: "Admin"
      # The boolean value that represents whether the user is admin or not.
      admin: True

Configure access to the Gitlab repository.

There has to be exactly one Gitlab specification. If you want to use KYPO CRP Internal Git, just leave the variable kypo_crp_git of an extra-vars.yml file set as follows.

kypo_crp_git: '{{ kypo_crp_git_internal }}'

Optional

The rest of the Gitlab repository configuration is optional.

Otherwise you will have to obtain the access information to an external Gitlab, i.e.:
- hostname
- REST API URL
- passwordless SSH key - of the Gitlab user
- access token - of the Gitlab user to be used for communication with REST API URL

Encode obtained private and public SSH key using the base64 tool.

$ base64 <passwordless-ssh-key>
$ base64 <passwordless-ssh-key.pub>

There has to be available KYPO CRP Ansible Stage One repository within your Gitlab, so you will have to fork it. Then obtain its Clone with SSH URL address and revision, i.e. branch, tag or commit SHA.

Edit the following variables of an extra-vars.yml file using values obtained from the previous step.

# The Git repository settings.
kypo_crp_git:
    # The type of Git repository. For external, keep the value set to GITLAB.
    type: GITLAB
    # The Git server hostname or IP address.
    server: <hostname>
    # The URL of Git REST server.
    rest_server_url: <rest-api-url>
    # The name of user used for communication with Git repository.
    user: git
    # The base64 encoded content of private SSL key that KYPO CRP uses to communicate with Git repository.
    private_key: |-
        <encoded-ssh-key
        spanning-multiple-lines>
    # The base64 encoded content of public part of `kypo_crp_git.private_key` SSL key.
    public_key: |-
        <encoded-ssh-key
        spanning-multiple-lines>
    # The access token for Git REST server.
    access_token: <access-token>
    # The URL of Ansible networking Git repository.
    ansible_networking_url: <kypo-crp-ansible-stage-one-url>
    # The revision of Ansible networking Git repository. Either branch name, tag, or SHA commit hash.
    ansible_networking_rev: <kypo-crp-ansible-stage-one-rev>

Deploy#

Run the Ansible provisioning that will install and configure KYPO CRP.

$ ansible-playbook -i inventory.ini provisioning/docker.yml --extra-vars=@extra-vars.yml --extra-vars=@secrets.yml
$ ansible-playbook -i inventory.ini provisioning/playbook.yml --extra-vars=@extra-vars.yml --extra-vars=@secrets.yml