GitOps Approach

GitOps is a modern approach to continuous deployment that uses Git as the single source of truth for declarative infrastructure and applications.

The IBM Verify Identity Access GitOps implementation combines two tools:
  • Helm charts: Published to IBM Container Registry (ICR) for declarative Kubernetes resource management.
  • ibmvia-autoconf: A Python-based configuration module for IVIA-specific settings.
Figure 1. GitOps Approach (diagram of the GitOps process)
This GitOps approach provides:
  • Separation of concerns: Infrastructure configuration (Helm) is kept distinct from application configuration (ibmvia-autoconf).
  • Reusability: The same Helm chart is reused across multiple environments, reducing duplication and improving consistency.
  • Flexibility: Customization is supported through values files and configuration files tailored to each environment.
  • Automation: Pod restarts are triggered automatically whenever a configuration change is detected, so updates roll out without manual intervention.
  • Ephemeral Configuration: The Verify Identity Access configuration is ephemeral and created from scratch with each deployment. The configuration service builds the complete configuration database during container startup based on the ibmvia-autoconf file, ensuring consistency and eliminating configuration drift.

Helm Chart Overview

The ivia-autoconf-helm chart is published to icr.io/ivia.

The ivia-autoconf-helm chart provides the following components:
  • Configuration Service (always enabled): The core Verify Identity Access component that manages the configuration database.
  • Web Reverse Proxy (WRP) (always enabled): Provides web access and reverse proxy capabilities.
  • Runtime Service (optional): Provides Federation and Advanced Access Control (AAC) capabilities when required.
Note:
  • The Helm chart follows the Semantic Versioning 2.0.0 standard. As a result, the Helm chart version for Verify Identity Access includes only the first three components of the Verify Identity Access version number. For example, for Verify Identity Access version 11.0.3, the corresponding Helm chart version is 11.0.3.
  • The Helm chart does not include the distributed session cache (DSC) container. Session cache management is not part of this GitOps process and must be deployed and managed separately if required.

Key features

The key features of the Helm chart:
  • Automatic Configuration Management: ConfigMap checksums detect configuration changes and automatically trigger pod restarts.
  • Certificate Management: Seamless integration with cert-manager enables automated provisioning and renewal of TLS certificates.
  • Flexible Deployment: Supports multiple Kubernetes service types, including ClusterIP, NodePort, and LoadBalancer, to accommodate diverse deployment needs.
  • Ingress Support: Provides built-in Ingress configuration to enable secure external access to services.
  • RBAC: Automatically creates ServiceAccounts and Roles with the necessary permissions.
  • High Availability: Supports multiple replicas with configurable affinity rules.
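The "Automatic Configuration Management" feature above relies on a standard Helm pattern: a hash of the rendered ConfigMap is placed in the Deployment's pod template annotations, so any change to the configuration (including a bump of the top-level version field) changes the pod template and the Deployment controller rolls new pods. The following Python reproduces that decision logic offline so it can be tested; it is an added example, not code from the ivia-autoconf-helm chart, and the ConfigMap text, the annotation key checksum/config and the helper names are all constructed for illustration.

```python
"""Checksum-driven pod restart detection (added illustration, not chart code).

Helm's documented way to roll a Deployment on ConfigMap change is an annotation
on the pod template such as:

    checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}

The functions below mimic that: hash the rendered ConfigMap, store the hash as a
pod template annotation, and compare it with the hash of a new rendering.
"""
import hashlib

# Constructed sample: a rendered ConfigMap as it might look after Helm templating.
# Assumption: the chart embeds the ibmvia-autoconf document under a single data key.
RENDERED_CONFIGMAP_V1 = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: ivia-autoconf
data:
  config.yaml: |
    version: 1
    webseal:
      reverse_proxy:
        - name: "default"
          host: "example.com"
"""

ANNOTATION_KEY = "checksum/config"  # constructed annotation name


def config_checksum(rendered: str) -> str:
    """Equivalent of Helm's `sha256sum` pipeline: hex SHA-256 of the manifest text."""
    return hashlib.sha256(rendered.encode("utf-8")).hexdigest()


def pod_template_annotations(rendered: str) -> dict:
    """Annotations the Deployment pod template would carry for this rendering."""
    return {ANNOTATION_KEY: config_checksum(rendered)}


def rollout_required(current_annotations: dict, rendered: str) -> bool:
    """True when the checksum on the running pod template differs from the
    checksum of the newly rendered ConfigMap, or when no checksum is present."""
    return current_annotations.get(ANNOTATION_KEY) != config_checksum(rendered)


def bump_version(rendered: str, new_version: int) -> str:
    """Return the ConfigMap text with the embedded `version:` line changed.

    Only the ibmvia-autoconf `version:` line matches; `apiVersion:` does not,
    because the check is on the stripped line prefix.
    """
    out = []
    for line in rendered.splitlines():
        if line.strip().startswith("version:"):
            indent = line[: len(line) - len(line.lstrip())]
            line = f"{indent}version: {new_version}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    running = pod_template_annotations(RENDERED_CONFIGMAP_V1)
    print("unchanged config -> rollout:", rollout_required(running, RENDERED_CONFIGMAP_V1))
    print("version bumped   -> rollout:", rollout_required(running, bump_version(RENDERED_CONFIGMAP_V1, 2)))
```

Because the hash covers the whole rendered ConfigMap, a whitespace-only or comment-only edit also triggers a rollout; that is the intended trade-off of the pattern, since the alternative (hashing selected fields) risks missing a change that matters.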
Chart Structure
ivia-autoconf-helm/
├── Chart.yaml              # Chart metadata
├── values.yaml             # Default configuration values
└── templates/              # Kubernetes resource templates
    ├── configmap.yaml      # Auto-configuration ConfigMap
    ├── serviceaccount.yaml # RBAC resources
    ├── certificates.yaml   # cert-manager Certificate resources
    ├── config-*.yaml       # Configuration service resources
    ├── wrp-*.yaml          # Web Reverse Proxy resources
    └── runtime-*.yaml      # Runtime service resources (optional)

ibmvia-autoconf Overview

The ibmvia-autoconf module is a Python package available at https://pypi.org/project/ibmvia-autoconf/.

The ibmvia-autoconf module serves the following purposes:
  • Supports declarative configuration of Verify Identity Access components such as WebSEAL, Runtime, and Federation.
  • Uses a YAML-based configuration format, making it easy to manage, version, and track changes in Git.
  • Provides seamless integration with Kubernetes secrets.
  • Automatically applies configuration during container startup.

Key features

The key features of ibmvia-autoconf:
  • Declarative Syntax: Enables you to define the entire IVIA configuration in YAML.
  • Secret Management: Supports secure handling of sensitive data by referencing Kubernetes secrets using the !secret syntax.
  • Version Control: Allows tracking and managing configuration changes through the version field.
  • Modular Configuration: Organizes configuration into separate sections for different Verify Identity Access components.
  • Validation: Includes built-in validation of configuration parameters.
Note: The ibmvia-autoconf module may not yet provide complete coverage of all existing Verify Identity Access configuration APIs. If you identify any gaps or missing functionality, submit an Idea against the product. The development team will review these requests and consider them for inclusion in future releases to expand coverage.
Configuration structure
version: 1                    # Configuration version (increment to force restarts)
container:
  activation:                 # Activation codes
    webseal: !secret ...
    runtime: !secret ...
webseal:                      # WebSEAL configuration
  runtime:                    # Runtime settings
    policy_server: "ldap"
    user_registry: "local"
    domain: "Default"
  reverse_proxy:              # Reverse proxy instances
    - name: "default"
      host: "example.com"
      https:
        enabled: "yes"
        port: "9443"
runtime:                      # Runtime/Federation configuration (optional)
  database:
    type: "postgresql"
  # ... additional runtime settings
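The "Secret Management" feature and the `!secret` entries in the configuration structure above mean that the Git-tracked YAML carries references to Kubernetes secrets rather than the activation codes themselves, and the values are read only when the container starts. The following Python shows one way such a resolution step can work, as an added example that is not ibmvia-autoconf's own loader. Its assumptions are labelled: the `!secret` argument form "secret-name/key" (the page only shows `!secret ...`), the SecretRef class that a YAML loader would produce for those nodes, and the standard Kubernetes projection of a Secret as files at `<mount>/<secret-name>/<key>`.

```python
"""Resolving `!secret` references from a mounted Kubernetes Secret volume.

Added illustration; not the ibmvia-autoconf implementation. Assumptions:
  * a `!secret` node has already been parsed into SecretRef("<secret-name>/<key>")
    (the real argument form is not shown on the page);
  * Secrets are mounted as files at <mount>/<secret-name>/<key>.
Resolution happens at startup, the resolved tree is never written back to the
YAML, and a log-safe copy keeps only the references.
"""
from dataclasses import dataclass
from pathlib import Path
import tempfile


@dataclass(frozen=True)
class SecretRef:
    ref: str  # assumed form: "secret-name/key"

    def parts(self):
        name, _, key = self.ref.partition("/")
        if not name or not key or "/" in key or ".." in (name, key):
            raise ValueError(f"malformed secret reference: {self.ref!r}")
        return name, key


# Constructed config tree, mirroring the structure shown on the page.
CONFIG = {
    "version": 1,
    "container": {
        "activation": {
            "webseal": SecretRef("ivia-activation/webseal"),
            "runtime": SecretRef("ivia-activation/runtime"),
        }
    },
    "webseal": {"runtime": {"policy_server": "ldap", "user_registry": "local", "domain": "Default"}},
}


def resolve_secrets(node, mount: Path):
    """Replace every SecretRef in the tree with the mounted file's content.

    A missing file raises immediately: failing startup is preferable to running
    an instance with an empty activation code or password."""
    if isinstance(node, SecretRef):
        name, key = node.parts()
        path = mount / name / key
        if not path.is_file():
            raise FileNotFoundError(f"secret {node.ref} not mounted at {path}")
        return path.read_text(encoding="utf-8").rstrip("\n")
    if isinstance(node, dict):
        return {k: resolve_secrets(v, mount) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_secrets(v, mount) for v in node]
    return node


def redact_for_log(node):
    """Copy of the unresolved tree with references rendered as inert markers."""
    if isinstance(node, SecretRef):
        return f"<secret {node.ref}>"
    if isinstance(node, dict):
        return {k: redact_for_log(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact_for_log(v) for v in node]
    return node


def write_fixture(mount: Path) -> None:
    """Constructed stand-in for a Secret volume; the values are placeholders."""
    d = mount / "ivia-activation"
    d.mkdir(parents=True)
    (d / "webseal").write_text("WEBSEAL-CODE-PLACEHOLDER\n", encoding="utf-8")
    (d / "runtime").write_text("RUNTIME-CODE-PLACEHOLDER\n", encoding="utf-8")


def demo():
    """Resolve CONFIG against a temporary mount and return the resolved tree."""
    with tempfile.TemporaryDirectory() as tmp:
        mount = Path(tmp)
        write_fixture(mount)
        return resolve_secrets(CONFIG, mount)


def missing_secret_is_rejected() -> bool:
    """Startup must fail when a referenced Secret is not mounted."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            resolve_secrets(SecretRef("absent/key"), Path(tmp))
        except FileNotFoundError:
            return True
    return False


if __name__ == "__main__":
    print("log view :", redact_for_log(CONFIG)["container"]["activation"])
    print("resolved :", demo()["container"]["activation"])
    print("missing secret rejected:", missing_secret_is_rejected())
```

Two checks in the resolver matter for a GitOps pipeline: the reference is validated before it is turned into a path (no separators or `..` in the name or key), and an unmounted secret aborts startup rather than degrading to an empty value.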