docx: working through operation

Signed-off-by: Kevin Bimonte <kbimonte@gmail.com>

Author: kcbimonte

docs/docs/operation/encryption.md

@@ -2,10 +2,89 @@
 title: Encryption
 ---
 
+Automating everything means authorizing something to automate many things. This makes CI systems a high-risk target for
+security leaks.
+
+Concourse pipelines are loaded with credentials: resources are configured with private keys, tasks are given credentials
+to servers they integrate via [credential manager variables](creds/index.md), [`task` step `vars`](../steps/task.md),
+or [`task` step `params`](../steps/task.md), etc. If someone gets their hands on your config, they have access to
+everything.
+
+To mitigate this, Concourse supports encrypting sensitive information before it reaches the database. This way the
+plaintext credentials only exist in memory for as long as they need to, and if someone gains access to your database,
+they can't so easily gain the keys to the kingdom.
+
+We strongly encourage anyone running Concourse to configure encryption. Going further, it's best to have Concourse not
+store the credentials in the first place, in which case you may want to
+configure [credential management](creds/index.md) as well.
+
 ## What's encrypted?
 
+The following values are expected to contain credentials, and so will be encrypted:
+
+* Resource [`resource.sources`](../resources/index.md#resource-schema), as they often contain private keys and other
+  credentials for writing to (or simply granting access to) the resource.
+* Resource type [`resource_type.sources`](../resource-types/index.md#resource_type-schema), for the same reason as
+  above, though this is probably a less common use case.
+* Pipeline [`task` step `vars`](../steps/task.md) and [`task` step `params`](../steps/task.md), in case they contain
+  sensitive information such as usernames and/or passwords.
+* Put step [`put` step `params`](../steps/put.md) and get step [`get` step `params`](../steps/get.md) are also
+  encrypted, even though they rarely should contain credentials (they're usually in [
+  `resource.source`](../resources/index.md#resource-schema)).
+* Team auth configurations, as they often contain things like GitHub or other oAuth client secrets.
+
+!!! note
+
+    The actual implementation encrypts things in a more heavy-handed way than the above list implies. For example, 
+    pipeline configs are actually encrypted as one large blob.
+
+Notably, the following things are NOT encrypted:
+
+* Build logs. If your jobs are outputting credentials, encryption won't help you. We have chosen not to tackle this
+  initially as it would introduce a performance burden for what is not as much of an obvious win.
+* Resource versions. These should never contain credentials, and are often meaningless on their own.
+* Resource metadata. These are visible to anyone if your pipeline
+  is [exposed](https://concourse-ci.org/managing-pipelines.html#fly-expose-pipeline), and should never contain
+  credentials.
+* Pipeline names, job names, etc. - anything else that is not a high-risk target for credential leakage, as opposed to
+  regular information leaks.
+  <br/><br/>
+  Resources and jobs in particular exist in their own tables, with their names in plaintext, and only their config
+  encrypted. In this way, names are not protected, even though the pipeline config itself is also stored as one big
+  encrypted blob.
+
 ## Enabling Encryption
 
+To enable encryption, you'll just need to come up with a 16 or 32-byte random character sequence and configure it as
+`--encryption-key` flag to the `web` command. For BOSH, this is the [
+`encryption_key`](https://bosh.io/jobs/web?source=github.com/concourse/concourse-bosh-release#p=encryption_key)
+property.
+
+On startup, the [`web` node](../install/running-web.md) will encrypt all existing plaintext data, and any new data being
+written will be encrypted before it's sent over the network to the database.
+
+The initial bulk encryption shouldn't take too long, but it will scale linearly with the amount of data that you have,
+and if another ATC is running it'll suddenly not be able to read the data until it's also given the key. So, expect some
+downtime.
+
 ## Rotating the Encryption Key
 
-## Disabling Encryption
+To swap out the encryption key, you'll need to pass the previous key as `--old-encryption-key` (or [
+`old_encryption_key`](https://bosh.io/jobs/web?source=github.com/concourse/concourse-bosh-release#p=old_encryption_key)),
+and the new key as `--encryption-key` (or [
+`encryption_key`](https://bosh.io/jobs/web?source=github.com/concourse/concourse-bosh-release#p=encryption_key)).
+
+On startup, the [`web` node](../install/running-web.md) will decrypt all existing data and re-encrypt it with the new
+key, in one go. If it encounters a row which is already encrypted with the new key, it will continue on (as may be the
+case when restarting with the flags again, or if the ATC died in the middle of rotating).
+
+If the ATC encounters a row which cannot be decrypted with neither the old key nor the new one, it will log loudly and
+fail to start, telling you which row it choked on. This data must be dealt with in some way, either by re-configuring
+the key the row was encrypted with as the old key, or manually performing database surgery to remove the offending row.
+Hopefully this doesn't happen to you!
+
+## Disabling Encryption
+
+To opt out of encryption entirely (I'm sure you have your reasons), simply pass `--old-encryption-key` (or [
+`old_encryption_key`](https://bosh.io/jobs/web?source=github.com/concourse/concourse-bosh-release#p=old_encryption_key))
+alone. With no new encryption key, the [web node](../install/running-web.md) will decrypt all existing data on start.

docs/docs/operation/index.md

@@ -1,3 +1,10 @@
 ---
 title: Operation
 ---
+
+The following sections describes operator-focused features and tools that Concourse provides, such as monitoring and
+credential management.
+
+These concepts are not required to operate Concourse, but are for users that are looking to extend the capabilities of
+managing a Concourse deployment. For users that are new to these concepts, we do recommend learning how to set
+up [Credential Management](creds/index.md) and [Encryption](encryption.md).

docs/docs/operation/metrics.md

@@ -2,6 +2,28 @@
 title: Metrics
 ---
 
+Metrics are essential in understanding how any large system is behaving and performing. Concourse can emit metrics about
+both the system health itself and about the builds that it is running. Operators can tap into these metrics in order to
+observe the health of the system.
+
 ## Configuring Metrics
 
-## What's emitted?
+The [`web` node](../install/running-web.md) can be configured to emit metrics on start.
+
+Currently supported metrics emitters are InfluxDB, NewRelic, Prometheus, and Datadog. There is also a dummy emitter that
+will just spit the metrics out in to the logs at `DEBUG` level, which can be enabled with the `--emit-to-logs` flag.
+
+Regardless of your metrics emitter, you can set `CONCOURSE_METRICS_BUFFER_SIZE` to determine how many metrics emissions
+are sent at a time. Increasing this number can be helpful if sending metrics is regularly failing (due to rate limiting
+or network failures) or if latency is particularly high.
+
+There are various flags for different emitters; run `concourse web --help` and look for "Metric Emitter" to see what's
+available.
+
+## What's emitted?
+
+This reference section lists of all the metrics that Concourse emits via the Prometheus emitter.
+
+To make this document easy to maintain, Prometheus is used as the "source of truth" - primarily because it has help text
+built-in, making this list easy to generate. Treat this list as a reference when looking for the equivalent metric names
+for your emitter of choice.

docs/docs/operation/opa-integration.md

@@ -2,12 +2,229 @@
 title: Open Policy Agent Integration
 ---
 
+!!! note
+
+    The [Open Policy Agent](https://www.openpolicyagent.org/docs/latest/) (OPA, pronounced “oh-pa”) is an open source, 
+    general-purpose policy engine that unifies policy enforcement across the stack.
+
+OPA allows you to create arbitrary rules within Concourse without having to add a new feature to Concourse. You could
+even recreate Concourse's [RBAC system](../auth-and-teams/user-roles.md) using OPA.
+
+More likely use-cases are to enforce rules your organization may have, such as not using certain container images or
+disallowing the use of privileged workloads. With OPA you can be as general or fine-grained as you want, enforcing these
+rules at the team or pipeline level.
+
+The next few sections explain how to configure Concourse to talk to an OPA server and how to write OPA rules for
+Concourse.
+
 ## Configuring Concourse
 
+There are four configuration options you need to set on the `concourse web` nodes to have them interact with OPA.
+
+`CONCOURSE_OPA_URL`: The OPA policy check endpoint.
+
+:   Should point to a specific `package/rule` that contains all Concourse rules for your cluster.
+
+:   _Example_: `http://opa-endpoint.com/v1/data/concourse/decision`
+
+`CONCOURSE_POLICY_CHECK_FILTER_HTTP_METHOD`: API http methods to go through policy check.
+
+:   You will need to make sure these match up with an API action in the next two configuration options.
+
+:   _Example_: `PUT,POST`
+
+`CONCOURSE_POLICY_CHECK_FILTER_ACTION`: Actions in this list will go through policy check.
+
+:   _Example_: `ListWorkers,ListContainers`
+
+`CONCOURSE_POLICY_CHECK_FILTER_ACTION_SKIP`: Actions in this list will not go through policy check
+
+:   _Example_: `PausePipeline,UnpausePipeline`
+
+For the last three configuration options you can refer
+to [this list of routes](https://github.com/concourse/concourse/blob/master/atc/routes.go) for a list of API actions and
+their respective HTTP method. There are also some [Special Actions](#special-actions) not directly in the API.
+
 ## Writing OPA Rules
 
+On the OPA server you'll need to create a package and policy for Concourse. This should match up with the endpoint
+provided to Concourse. The [OPA documentation](https://www.openpolicyagent.org/docs/latest/) has a good guide explaining
+how to generally write OPA rules and set up an OPA server.
+
+For any actions that Concourse has been configured to filter it will send a JSON request to the OPA server with the
+following details. Top-level data directly under the `input` key will be present for most actions. The information under
+the `data` key will differ based on the action being checked.
+
+This sample JSON payload is what OPA is sent when a user sets a pipeline. The `data` key contains the pipeline in JSON
+format.
+
+```json
+{
+  "input": {
+    "service": "concourse",
+    "cluster_name": "dev",
+    "cluster_version": "7.4.0",
+    "http_method": "PUT",
+    "action": "SaveConfig",
+    "user": "test",
+    "team": "main",
+    "pipeline": "check-pipeline",
+    "data": {
+      "jobs": [
+        {
+          "name": "test",
+          "plan": [
+            {
+              "get": "tiny"
+            },
+            {
+              "config": {
+                "image_resource": {
+                  "source": {
+                    "repository": "busybox"
+                  },
+                  "type": "registry-image"
+                },
+                "platform": "linux",
+                "run": {
+                  "args": [
+                    "-exc",
+                    "echo hello"
+                  ],
+                  "path": "sh"
+                }
+              },
+              "task": "a-task"
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
+```
+
+An OPA rule can respond to Concourse with three fields:
+
+<div class="annotate" markdown>
+
+* `allowed` (_required_): Boolean type. Setting to `False` will deny the action unless the `block` field is `False`.
+* `block` (_optional_): Boolean type. If set to `False` and `allowed` is `True` this creates a soft-policy enforcement.
+  The action will be allowed and the `reasons` will still be printed to the web UI like a warning message. (1)
+* `reasons` (_optional_): List of string type. If an action is denied based on the `allowed` field then the reason(s)
+  will be displayed in the UI.
+
+</div>
+
+1. Not setting `block` is the same as setting `"block": true`.
+
+Here is an example OPA policy. By default, it will allow whatever action it has been sent. It will deny the action if
+one or more of the three deny rules are true.
+
+```rego title="concourse.rego" linenums="1"
+package concourse
+
+default decision = {"allowed": true}
+
+decision = {"allowed": false, "reasons": reasons} {
+  count(deny) > 0
+  reasons := deny
+}
+
+deny["cannot use docker-image types"] {
+  input.action == "UseImage"
+  input.data.image_type == "docker-image"
+}
+
+deny["cannot run privileged tasks"] {
+  input.action == "SaveConfig"
+  input.data.jobs[_].plan[_].privileged
+}
+
+deny["cannot use privileged resource types"] {
+  input.action == "SaveConfig"
+  input.data.resource_types[_].privileged
+}
+```
+
 ## Special Actions
 
+Most of the actions you can filter for come directly from the list
+of [API actions](../auth-and-teams/user-roles.md#action-matrix). There are currently two special actions you can also
+filter on.
+
 ### `UseImage`
 
-### `SetPipeline`
+Before Concourse starts a container you can check what image it is going to use to create the container. Depending on
+the `image_type` the `image_source` field may contain other fields. The JSON payload for this action will look similar
+to the following example:
+
+```json
+{
+  "input": {
+    "service": "concourse",
+    "cluster_name": "dev",
+    "cluster_version": "7.4.0",
+    "action": "UseImage",
+    "team": "main",
+    "pipeline": "simple",
+    "data": {
+      "image_type": "registry-image",
+      "privileged": true,
+      "image_source": {
+        "repository": "alpine",
+        "tag": "latest"
+      }
+    }
+  }
+}
+```
+
+### `SetPipeline`
+
+This action occurs whenever a [`set_pipeline` step](../steps/set-pipeline.md) is run. The JSON payload for this action
+will contain the pipeline config in JSON format under the `data` key:
+
+```json
+{
+  "input": {
+    "service": "concourse",
+    "cluster_name": "dev",
+    "cluster_version": "7.4.0",
+    "action": "SetPipeline",
+    "team": "main",
+    "pipeline": "simple",
+    "data": {
+      "jobs": [
+        {
+          "name": "test",
+          "plan": [
+            {
+              "get": "tiny"
+            },
+            {
+              "config": {
+                "image_resource": {
+                  "source": {
+                    "repository": "busybox"
+                  },
+                  "type": "registry-image"
+                },
+                "platform": "linux",
+                "run": {
+                  "args": [
+                    "-exc",
+                    "echo hello"
+                  ],
+                  "path": "sh"
+                }
+              },
+              "task": "a-task"
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
+```