Accounts Setup

Overview

This guide covers all required credentials and configurations needed for development. These credentials enable access to:

  • VA Nexus Repository (dependencies)

  • BitBucket Repository (code)

  • Docker Trust Registry (container images)

  • Maven builds and deployments

Early Onboarding Accounts

  1. Access your Apothesource Gmail account (initial invite will be sent to your personal email).

  2. Complete all required on-boarding documents. These will be sent via email, prior to your start date. For any questions regarding these documents, please reference the VA Document Process Details Document (attached to the email). Once these documents are submitted, it generally takes about a week for processing.

  3. Please contact Amy Calvert with any questions, unless otherwise specified below.

Slack is used for general communication. A description of the channels you have been invited to will be sent to you once you have joined Slack.

Quickbooks Time / TSheets hosts time-tracking. Log actual hours and ask for pre-approval for >40 hours a week. Do not place any comments in the notes section, as these have to be manually deleted when turned in to accounting.

→ Google Calendar: You will receive an invite during on-boarding.

  1. Apothesource Leave Calendar: Tracks PTO (vacation, appointments, etc.)

  2. Leave calendar (For CKM: NGSS/CKM Calendar)

  3. List of Observed Holidays

→ Google Drive:

  1. Your personal folder will be shared with you prior to your first day. This is where you will store any on-boarding documents required during the process.

  2. Miscellaneous Folders (e.g., Employee Resources, etc.).

Later Onboarding Accounts

These accounts take time to set up because they depend on having a PIV and on the necessary tickets being completed.

VA Nexus DTR (see wiki page) hosts the sandbox environment and DTR (Docker Trusted Registry). The password for this site will be used in your settings.xml file. The password is the one from your Sandbox Jenkins credentials.

For account issues, contact Jonathan Williams.

→ The MAE (Mobile Application Environment) on the VA network hosts:

VA access requires a valid PIV card and background check. To change the displayed name or email for any of these services, use the MAE Crowd Console link.

Sandbox

The Sandbox Jenkins server builds images from the code in MAE Stash and pushes the images to the VA Nexus DTR (dtr.mapsandbox.net). The Sandbox Kubernetes cluster also hosts test environments. Sandbox is an ephemeral environment used only for building images; no services are left running and no integration happens in this environment.

You can access the dashboard using the kubeconfig file or using the URLs below. kubectl can also be used with a kubeconfig. The example below grants developer-level access with the public and private keys. Admin-level access is also available.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvRENDQW9pZ0F3SUJBZ0lVUkt3OWFrOHNlZVJXRlBRMkR4MlcrbnFwRHV3d0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FERUxNQWtHQTFVRUJoTUNWVk14RHpBTkJnTlZCQWdUQms5eVpXZHZiakVSTUE4R0ExVUVCeE1JVUc5eQpkR3hoYm1ReEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhDekFKQmdOVkJBc1RBa05CTVJNd0VRWURWUVFECkV3cExkV0psY201bGRHVnpNQjRYRFRFNE1USXhOREUzTWpnd01Gb1hEVEl6TVRJeE16RTNNamd3TUZvd2FERUwKTUFrR0ExVUVCaE1DVlZNeER6QU5CZ05WQkFnVEJrOXlaV2R2YmpFUk1BOEdBMVVFQnhNSVVHOXlkR3hoYm1ReApFekFSQmdOVkJBb1RDa3QxWW1WeWJtVjBaWE14Q3pBSkJnTlZCQXNUQWtOQk1STXdFUVlEVlFRREV3cExkV0psCmNtNWxkR1Z6TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF4YUFPRUlMUld4Y2wKTk9XWXBNTkoydzZLb293cEtiWjhsc3ZDSXFtZ3FXVUZkRHY0cWZDMTJTYTZUck52ZU5FSHlza1h1OExSUjdjTAprbFhQdnFUWW1RQlFFMWwwcGhicHhnLy9jMkk4SUU1OUlkUjRhN3ZHOWtmakRMeCswK3Axc0xQblBZcVNYVUNxCk14cnJBdzNHK0dQTGV2T1pKV2szM3VEZm9nQk52bEZqd2FQZjNlWEFZWjl2V3R6VC9jc1c2WTVSdzkxbCtFL0cKQU1VK0RWaWkvUlE3VjZSVXhpSG1kOVc5TFNjNnhaNFRrUWNUZnlJaEJHbHpSbUlhT3lpWm9xNy9FRWlSaFpZNwp0L0tkN2lnUklReXhneGFQU0s3ckNoTlc0bDByYk4rNXM0YldvR2JlZ1RtdjFzdjBhM01GZ0VvL0dUZS9hRVR2CmVhU2ltSG5WQVFJREFRQUJvMEl3UURBT0JnTlZIUThCQWY4RUJBTUNBUVl3RHdZRFZSMFRBUUgvQkFVd0F3RUIKL3pBZEJnTlZIUTRFRmdRVU5HdHRkNlhSUGJoQnM0TXZPU0twNjI3RzNrMHdEUVlKS29aSWh2Y05BUUVMQlFBRApnZ0VCQUFwQWpjRXprUFhUNkx5NDlwNU5BZGhGM2hnc1R1UnBlTW9Ka0NRRXdhR3d2dHVuK3F2NkdYTmVIa3E2CjBhVGFLRjJpQ0g2alFtZXpSc2ovQVppSFJJWGUwb2Jhb2RINVpzcnlvOTBvNGtZUEFzOUlzUEwxOWxaNUpwOC8KRE5EMnFrKzRRRk1McU8yZ0QrVlU5U3dhWmJQbFdaN2ZmaFNGQk1ieDhLWHR4SVBTVHh5MjJ5ZVRCUFZoeW1DOQpmb2lxcUpxQnJMUytVNEtKeFpSK3RsZEpHMko5aUdDVkZEK09pRG5qSzg4bmU2ZXdwSHZNMXZYeS9Zc2gzMlJCCmxjcTdzZ0ZxU2xWazltME9zUmg2RXlWam8vVkIrTDRFOG00U1A1eHF2Mm14M0s2SzdNMVFEMFlRSWsxbzZYMUwKRzI1QkNQb2FOVkk5dGRTK0NhRGY2bW15TUxnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    #server: https://sandbox-2-kube-api-588901878.us-gov-west-1.elb.amazonaws.com:6443
    server: https://sandbox-kube-api-1804029434.us-gov-west-1.elb.amazonaws.com:6443
  name: map-sandbox
contexts:
- context:
    cluster: map-sandbox
    user: map-sandbox
  name: map-sandbox
current-context: map-sandbox
kind: Config
preferences: {}
users:
- name: map-sandbox
  user:
    client-certificate: /path/to/.ssh/developer.pem
    client-key: /path/to/.ssh/developer-key.pem

To open the dashboard through a local kubectl proxy:

$ kubectl --kubeconfig=sandboxcfg proxy --port=8801 & sleep 1
$ open 'http://localhost:8801/api/v1/namespaces/kube-system/services/http:kubernetes-dashboard:/proxy/#!/workload?namespace=ckm'

Sandbox, like all environments, switches in blue-green deployments. The API endpoint will switch between the two listed servers, depending on the blue-green state.

If using admin-idp, the test user is mockuser01 / pass.

The Consul changes to sandbox are managed using git2consul.

Sandbox URLs

VA Network Remote Access

You must use a valid PIV Card to access the VA network for SQA and PROD environments. Any .med.va.gov or .apps.va.gov sites are behind the firewall. Temporary PIV exemptions may also be granted.

You can access the VA network two ways: via Citrix Access Gateway (CAG) or Azure Virtual Desktop (AVD).

Once you have configured your network access, keep a copy of the SRE bookmarks file in your shared drive. This file will never be deleted; every other setting you change may disappear due to the nature of the remote desktop environment. The file contains links to the SRE tools, accessed through AdminIDP for both the SQA and PROD environments. It also has a link to the VA PPG Slack; logging in to it lets you copy and paste long stack traces so that you can view them on your local machine.

SQA / Staging

The Staging Jenkins server is accessible only on the VA network. This environment is where developers for other teams often start integrating with our services.

The admin-idp URLs in SQA can be used with test accounts or your MAP AD credentials. MAP AD credentials are usually in the format VACO<name>.

AppDynamics in SQA: Our SQA goes to AppD Preprod. If you are accessing AppD, you need to complete the SSOi process in PreProd to create your account. This will give your PIV access to PreProd, where AppD lives.

Be sure to select the correct PIV cert when logging into AppD. Google Chrome may not display an option to select your cert.

SQA URLs:

CodeRepo, JIRA, and Wiki

Configuring Macbook Pro and Touch ID as Two-Factor Hardware Device

Currently, this only works with Google Chrome or Mozilla Firefox. It should also work with other Chromium-based browsers, although it has only been tested to work with Brave. Unfortunately, this does not work with Safari.

The following steps will have to be done separately for CodeRepo, JIRA, and the Wiki. These steps also assume you have set up Touch ID on your laptop with your fingerprint.

Setup steps (this example is for CodeRepo):

  1. Log in to CodeRepo with your username and password: https://coderepo.mobilehealth.va.gov/login

  2. Click on your profile at the top right and select "2FA Configuration", or go to this link: https://coderepo.mobilehealth.va.gov/plugins/servlet/authplugin/tfaconfiguration

  3. Under "Register U2F Hardware Security Keys", click on "Add U2F Device"

  4. Enter a device name, e.g. Apothesource MBPro

  5. You will then be prompted to enter a passkey for coderepo.mobilehealth.va.gov. Click "Continue".

  6. At this point, you will see a prompt to "Use Password" (which would be your laptop password) OR use Touch ID on your laptop. Place your finger on Touch ID.

  7. Your laptop should now be added as a hardware device

Alternative: You may use a hardware security key such as a Thetis Pro FIDO2 Security Key that you push a button on to authenticate. Follow similar steps as above but push the button on the key. This works well for anyone that keeps their laptop closed/docked.

Test it out:

  1. Next time you log in and after the 2-hour expiration, you’ll be prompted to provide Two-Factor Authentication

  2. Click "Remember Me" and hit submit

  3. You’ll be prompted again by your browser to "Use Password" OR use Touch ID on your laptop. Place your finger on Touch ID.

  4. You should now be logged in using your laptop + Touch ID as your Two-Factor Authentication method

Repeat these steps for your accounts with JIRA and the Wiki.

Accounts Used for Development

(Amy Calvert will request access for your VA Crowd Account once you have received your PIV)

A minimum of two accounts are required for a working local development environment.

VA Crowd Account

  • URL: https://crowd.mobilehealth.va.gov/crowd/console/login.action

  • Description: Account for VA MAE internal resources

  • ENV Variable: VA_NEXUS_USER / VA_NEXUS_PWD

  • POC: Ryan or Michael *Need PIV first

VA Nexus DTR

  • URL: dtr.mapsandbox.net

  • Description: Sandbox DTR (Docker Trusted Registry)

  • ENV Variable: DTR_USER / DTR_PWD

  • POC: Amy (check your spam folder)

The VA now requires Bitbucket, Confluence and JIRA access to have two-factor authentication (2FA) enabled.

  • Follow the instructions here to set it up and follow the Bitbucket-specific instructions to generate a personal access token that is used for Git or other tools: https://wiki.mobilehealth.va.gov/display/MACMCPO/2+Factor+Authentication+-+Bitbucket+Personal+Access+Token+Use.

  • The personal access token for Bitbucket will need to be set as an environment variable in addition to the Crowd user password. The convention for this variable name is VA_BITBT_PWD to align with the Jenkins CI environment variable name for Bitbucket credentials.

  • If you are a new hire without credentials of your own, you will use the provided tokens from the onboarding team.

  • Follow the guide for setting up Token and Environment Configuration

  • Copy the Maven configuration to your ~/.m2/settings.xml and either open a new terminal window or re-source your shell configuration using source ~/.zshrc to refresh the environment variables.

Encrypting Passwords

Password encryption is not necessary if you generate and use tokens for all of your development accounts.

However, if you decide to use your account password values, then each account password environment variable will have to be properly encrypted.

If you need to determine escape characters for your password, use the echo command. If the password is escaped correctly, it will echo correctly:

$ echo P4\$\$W0RD\!

Create a Master Password:

$ mvn --encrypt-master-password
Master password:

Place the master password in your ~/.m2/settings-security.xml if not already there.

Encrypt Account Passwords:

For each account password, encrypt it and put these in your environment settings (~/.zshrc or similar).

$ mvn --encrypt-password
Password:
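
A preflight check for the setup described above, added here as an example and not part of the original guide or the project's tooling. It uses the environment variable names from this page; the default file list (~/.m2/settings.xml, ~/.m2/settings-security.xml, ~/.zshrc) and the function names are assumptions. Values are classified but never printed.

```shell
#!/bin/sh
# Added example: preflight check for the credential setup this guide describes.
# Variable names are the guide's; the default file list is an assumption.

# Classify a value without printing it: unset, encrypted (the {...} wrapper
# produced by `mvn --encrypt-password`) or plain.
classify_secret() {
  case "$1" in
    "")    echo unset ;;
    \{*\}) echo encrypted ;;
    *)     echo plain ;;
  esac
}

# Succeed when FILE grants any permission bit to group or other.
too_open() {
  # GNU stat first, BSD/macOS stat as fallback; both yield octal such as 644.
  perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
  [ $(( 0$perms & 077 )) -ne 0 ]
}

# Report findings, one per line; return non-zero if there are any.
# Optional arguments replace the default list of files to check.
audit_dev_credentials() {
  findings=0
  for var in VA_NEXUS_USER VA_NEXUS_PWD DTR_USER DTR_PWD VA_BITBT_PWD; do
    eval "val=\${$var-}"
    state=$(classify_secret "$val")
    if [ "$state" = unset ]; then
      echo "MISSING  $var"; findings=$((findings + 1))
    elif [ "$state" = plain ]; then
      # Informational only: tokens are used as-is, account passwords are not.
      case "$var" in *_PWD) echo "NOTE     $var is not Maven-encrypted (expected for a token)" ;; esac
    fi
  done
  [ "$#" -gt 0 ] || set -- "$HOME/.m2/settings.xml" "$HOME/.m2/settings-security.xml" "$HOME/.zshrc"
  for f in "$@"; do
    [ -e "$f" ] || continue
    if too_open "$f"; then
      echo "TOO-OPEN $f (chmod 600)"; findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}
```

Source the file in a new terminal and run audit_dev_credentials; pass extra paths, such as the kubeconfig client key, to check their permissions as well.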