From b4e6d7f92cfaaa1edfda799452eb11821b2d85ca Mon Sep 17 00:00:00 2001 From: Stephan Michard Date: Thu, 2 May 2024 15:07:30 +0200 Subject: [PATCH 1/4] docs: :memo: fixed some typos for chapter 5 --- content/5-gitops/_index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/5-gitops/_index.md b/content/5-gitops/_index.md index 42daaa3..9a54890 100644 --- a/content/5-gitops/_index.md +++ b/content/5-gitops/_index.md @@ -86,7 +86,7 @@ We will need to initialize the `workshop-prod/workshop` in Quay so the robo user ## Add Kustomize and Git Push Tekton Task -Let's add a new custom Tekton task to the `workshop-int` project that can update the Image `tag` via Kustomize after the build and then push the change to our git configuration repository. +Let's add a new custom Tekton task to the `workshop-int` project that can update the Image `tag` via Kustomize after the build process completed and then push the change to our git configuration repository. We could add this through the OpenShift Web Console as well but to save time we will apply the file directly via the `oc` command. 
@@ -101,12 +101,12 @@ oc create -f https://raw.githubusercontent.com/devsecops-workshop/yaml/main/tekt ## Add Tekton Tasks to your Pipeline to Promote your Image to workshop-prod -So now we have a new Tekton Task in our task catalog to update a GitOps Git repository, but we still need to promote the actual image from out `workshop-int` to `workshop-prod` project. Otherwise the image will not be available for our deployment. +So now we have a new Tekton Task in our task catalog to update a GitOps Git repository, but we still need to promote the actual image from our `workshop-int` to `workshop-prod` project. Otherwise the image will not be available for our deployment. - In the `workshop_int` project, go to **Pipelines > Pipelines > workshop** and then YAML {{% notice tip %}} -You can edit pipelines either directly in YAML or in the visual **Pipeline Builder**. We will see how to use the Builder later on so let's edit the YAML for now. +You can edit pipelines either directly in YAML or in the visual **Pipeline Builder**. We will see how to use the Builder later on, so let's edit the YAML for now. {{% /notice %}} Add the new Task to your Pipeline by adding it to the YAML like this: @@ -176,7 +176,7 @@ The `Pipeline` should now look like this. Notice that the new **tasks** runs in {{< figure src="../images/pipeline1.png?width=40pc&classes=border,shadow" title="Click image to enlarge" >}} -Now the pipeline is set. The last thing we need is authentication against the Gitea repository and the workshop-prod Quay org. We will add those from the **_start pipeline_** form next. Make sure to replace the placeholder if required. +Now, the pipeline is set. The last thing we need is authentication against the Gitea repository and the workshop-prod Quay org. We will add those from the **_start pipeline_** form next. Make sure to replace the placeholder if required. ## Update our Prod Stage via Pipeline and GitOps 
From e1500bc3ff35e4998da95805eb800dea8b013df4 Mon Sep 17 00:00:00 2001 From: Stephan Michard Date: Thu, 2 May 2024 15:07:51 +0200 Subject: [PATCH 2/4] docs: :memo: fixed some typos for chapter 10 --- content/10-rhacs-setup/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/10-rhacs-setup/_index.md b/content/10-rhacs-setup/_index.md index 53e2f47..553a016 100644 --- a/content/10-rhacs-setup/_index.md +++ b/content/10-rhacs-setup/_index.md @@ -189,7 +189,7 @@ You should now have these two files in your Web Terminal session: `bundle.json` The init bundle needs to be applied to all OpenShift clusters you want to secure and monitor. {{% notice info %}} -As said, you can create an init bundle in the ACS Portal, download it and apply it from any terminal where you can run `oc` against your cluster. We did it the API way to show you how to do it and to enable you to use the Web Terminal. +As said, you can create an init bundle in the ACS Portal, download it and apply it from any terminal where you can run `oc` against your cluster. We used the API method to show you how to use it and to enable you to use the Web Terminal. {{% /notice %}} ### Prepare the Secured Cluster @@ -233,7 +233,7 @@ Now go to your **ACS Portal** again, after a couple of minutes you should see yo To enable scanning of images in your Quay registry, you'll have to configure an **Integration** with valid credentials, so this is what you'll do. -Now create a new Integration: +Now, create a new Integration: - Access the **RHACS Portal** and configure the already existing integrations of type **Generic Docker Registry**. - Go to **Platform Configuration -> Integrations -> Generic Docker Registry**. From 6c57d561b8fc80bc8b40dd83bbf82e647f8e5730 Mon Sep 17 00:00:00 2001 
From: Stephan Michard Date: Thu, 2 May 2024 15:08:11 +0200 Subject: [PATCH 3/4] docs: :memo: fixed some typos for chapter 12 --- content/12-create-policy/_index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/12-create-policy/_index.md b/content/12-create-policy/_index.md index 71b9958..922e379 100644 --- a/content/12-create-policy/_index.md +++ b/content/12-create-policy/_index.md @@ -43,6 +43,7 @@ First create a new policy category and the system policy. In the **ACS Portal** - Click **Next** - **Policy Scope** - You could limit the scope the policy is applied in, do nothing for now + - Click **Next** - **Review Policy** - Have a quick look around, if the policy would create a violation you get a preview here - Click **Save** @@ -71,7 +72,7 @@ To make it easier spotting the violations for this deployment you can filter the - When the final build is deployed you'll see a violation in **ACS Portal** for policy `Workshop RHSA-2021:4904` (Check the Time of the violation) {{% notice tip %}} -There will be other policy violations listed, triggered by default policies, have a look around. Note that none of the policies is enforced (so that the pipeline build would be stopped) yet! +There will be other policy violations listed, triggered by default policies, have a look around. Note that none of the policies are enforced (so that the pipeline build would be stopped) yet! {{% /notice %}} Now start the pipeline with the fixed image version that doesn't contain the CVE anymore: From b9142689d0b27007759fc7d0930847d6b99f9293 Mon Sep 17 00:00:00 2001 From: Stephan Michard Date: Thu, 2 May 2024 15:08:27 +0200 Subject: [PATCH 4/4] docs: :memo: fixed some typos for chapter 13 --- content/13-rhacs-pipeline/_index.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/content/13-rhacs-pipeline/_index.md b/content/13-rhacs-pipeline/_index.md index 240de2a..a2814d0 100644 --- a/content/13-rhacs-pipeline/_index.md 
+++ b/content/13-rhacs-pipeline/_index.md @@ -49,9 +49,10 @@ Even if the form says **Drag and drop file with your value here...** you can jus ### Remove ImageStream Change Trigger -There is one more thing you have to do before integrating the image scanning into your build pipeline: When you created your deployment, a `trigger` was automatically added that will deploy a new version when the image referenced by the `ImageStream` changes. +There is one more thing you have to do before integrating the image scanning into your build pipeline: +When you created your deployment, a `trigger` was automatically added that deploys a new version when the image referenced by the `ImageStream` changes. -This is not what we want! Because this way a newly build image would be deployed immediately even if the `roxctl` scan finds a policy violation and terminates the pipeline. +This is not what we want! Because this way a newly build image would be deployed immediately even if the `roxctl` scan detects a policy violation and terminates the pipeline. Have a look for yourself: @@ -150,7 +151,7 @@ Now add the **rox-image-check** task to your pipeline between the **build** and Remember how we edited the pipeline directly in yaml before? OpenShift comes with a graphical Pipeline editor that we will use this time. {{% /notice %}} -- Hover your mouse over `build` task and click the **+** at the right side side of it, to add a task +- Hover your mouse over `build` task and click the **+** at the right side of it, to add a task - Click on **Add task** - Then enter **rox-image-check** in the search box {{< figure src="../images/pipeline-select-roxctl-task.png?width=30pc&classes=border,shadow" title="Click image to enlarge" >}} 
@@ -169,7 +170,7 @@ Remember how we edited the pipeline directly in yaml before? OpenShift comes wit ### Add the oc patch Task to the Pipeline -As you remember we removed the **trigger** that updates the **Deployment** on **ImageStream** chnages. Now the **Deployment** will never be updated and our new Image version will never be deployed to `workshop-int`. +As you remember we removed the **trigger** that updates the **Deployment** on **ImageStream** changes. Now the **Deployment** will never be updated and our new Image version will never be deployed to `workshop-int`. To fix this we will add a new **oc client Task** that updates the **Deployment**, only after the **Scan Task** has run.
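Review bot: in PATCH 1/4, hunk `@@ -86,7 +86,7`, the new wording "after the build process completed" is not grammatical. Use "after the build process has completed", or keep the original "after the build", which was already correct.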
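Review bot: in PATCH 1/4, hunk `@@ -101,12 +101,12`, the context bullet still reads "In the `workshop_int` project" with an underscore, while every other reference in this hunk uses `workshop-int`. Since this commit is fixing typos in the surrounding lines, correct the project name here as well so readers select the right project.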
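Review bot: in PATCH 1/4, hunk `@@ -176,7 +176,7`, the first context line still has a subject-verb mismatch in "Notice that the new **tasks** runs in", which should be "task runs" or "tasks run". The comma added in "Now, the pipeline is set." is optional, so this hunk would be better spent on that fix.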
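Review bot: in PATCH 2/4, hunk `@@ -233,7 +233,7`, the changed line "Now, create a new Integration:" contradicts the bullet directly below it, which tells the reader to "configure the already existing integrations of type **Generic Docker Registry**". Reword the lead-in to match the step, for example "Now configure the Integration:", instead of only adding a comma.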
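Review bot: in PATCH 3/4, hunk `@@ -43,6 +43,7`, the added "- Click **Next**" after the **Policy Scope** step is a change to the procedure, not a typo fix, but the commit subject only says "fixed some typos for chapter 12". Mention the added step in the commit message, and check that its indentation matches the other "Click **Next**" entries in the list so it renders at the same level.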
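Review bot: in PATCH 3/4, hunk `@@ -71,7 +72,7`, the tip still buries its main point in a parenthetical: "none of the policies are enforced (so that the pipeline build would be stopped) yet!". Readers need to understand that violations are only reported at this stage, so consider "Note that none of the policies are enforced yet, so a violation does not stop the pipeline build." The preceding sentence is also a comma splice ("..., have a look around").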
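Review bot: in PATCH 4/4, hunk `@@ -49,9 +49,10`, the rewritten line still contains the typo "a newly build image", which should be "a newly built image". While touching it, join "This is not what we want! Because this way ..." into one sentence, since the second part is a fragment. The line break added after "build pipeline:" does not change the rendered Markdown paragraph, so it can be dropped unless the project wraps lines this way.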
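Review bot: in PATCH 4/4, hunk `@@ -150,7 +151,7`, the corrected bullet is still missing an article in "Hover your mouse over `build` task", which should read "over the `build` task". The context line above it writes "in yaml" while chapter 5 in this same series uses "YAML", so align the capitalisation.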