Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Latest version #39

Merged
merged 7 commits into from
May 3, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions content/10-rhacs-setup/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -189,7 +189,7 @@ You should now have these two files in your Web Terminal session: `bundle.json`
The init bundle needs to be applied to all OpenShift clusters you want to secure and monitor.

{{% notice info %}}
As said, you can create an init bundle in the ACS Portal, download it and apply it from any terminal where you can run `oc` against your cluster. We did it the API way to show you how to do it and to enable you to use the Web Terminal.
As said, you can create an init bundle in the ACS Portal, download it and apply it from any terminal where you can run `oc` against your cluster. We used the API method to show you how to use it and to enable you to use the Web Terminal.
{{% /notice %}}

### Prepare the Secured Cluster
Expand Down Expand Up @@ -233,7 +233,7 @@ Now go to your **ACS Portal** again, after a couple of minutes you should see yo

To enable scanning of images in your Quay registry, you'll have to configure an **Integration** with valid credentials, so this is what you'll do.

Now create a new Integration:
Now, create a new Integration:

- Access the **RHACS Portal** and configure the already existing integrations of type **Generic Docker Registry**.
- Go to **Platform Configuration -> Integrations -> Generic Docker Registry**.
Expand Down
3 changes: 2 additions & 1 deletion content/12-create-policy/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ First create a new policy category and the system policy. In the **ACS Portal**
- Click **Next**
- **Policy Scope**
- You could limit the scope the policy is applied in, do nothing for now
- Click **Next**
- **Review Policy**
- Have a quick look around, if the policy would create a violation you get a preview here
- Click **Save**
Expand Down Expand Up @@ -71,7 +72,7 @@ To make it easier spotting the violations for this deployment you can filter the
- When the final build is deployed you'll see a violation in **ACS Portal** for policy `Workshop RHSA-2021:4904` (Check the Time of the violation)

{{% notice tip %}}
There will be other policy violations listed, triggered by default policies, have a look around. Note that none of the policies is enforced (so that the pipeline build would be stopped) yet!
There will be other policy violations listed, triggered by default policies, have a look around. Note that none of the policies are enforced (so that the pipeline build would be stopped) yet!
{{% /notice %}}

Now start the pipeline with the fixed image version that doesn't contain the CVE anymore:
Expand Down
9 changes: 5 additions & 4 deletions content/13-rhacs-pipeline/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -49,9 +49,10 @@ Even if the form says **Drag and drop file with your value here...** you can jus

### Remove ImageStream Change Trigger

There is one more thing you have to do before integrating the image scanning into your build pipeline: When you created your deployment, a `trigger` was automatically added that will deploy a new version when the image referenced by the `ImageStream` changes.
There is one more thing you have to do before integrating the image scanning into your build pipeline:
When you created your deployment, a `trigger` was automatically added that deploys a new version when the image referenced by the `ImageStream` changes.

This is not what we want! Because this way a newly build image would be deployed immediately even if the `roxctl` scan finds a policy violation and terminates the pipeline.
This is not what we want! Because this way a newly build image would be deployed immediately even if the `roxctl` scan detects a policy violation and terminates the pipeline.

Have a look for yourself:

Expand Down Expand Up @@ -150,7 +151,7 @@ Now add the **rox-image-check** task to your pipeline between the **build** and
Remember how we edited the pipeline directly in yaml before? OpenShift comes with a graphical Pipeline editor that we will use this time.
{{% /notice %}}

- Hover your mouse over `build` task and click the **+** at the right side side of it, to add a task
- Hover your mouse over `build` task and click the **+** at the right side of it, to add a task
- Click on **Add task**
- Then enter **rox-image-check** in the search box
{{< figure src="../images/pipeline-select-roxctl-task.png?width=30pc&classes=border,shadow" title="Click image to enlarge" >}}
Expand All @@ -169,7 +170,7 @@ Remember how we edited the pipeline directly in yaml before? OpenShift comes wit

### Add the oc patch Task to the Pipeline

As you remember we removed the **trigger** that updates the **Deployment** on **ImageStream** chnages. Now the **Deployment** will never be updated and our new Image version will never be deployed to `workshop-int`.
As you remember we removed the **trigger** that updates the **Deployment** on **ImageStream** changes. Now the **Deployment** will never be updated and our new Image version will never be deployed to `workshop-int`.

To fix this we will add a new **oc client Task** that updates the **Deployment**, only after the **Scan Task** has run.

Expand Down
14 changes: 8 additions & 6 deletions content/3-inner-loop/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,17 +22,19 @@ We could create a workspace from one of the templates that come with Dev Spaces,
{{% /notice %}}

You will now need to access the Gitea repository where your Quarkus app resides and specifically get the path to the devfile.

- Find the Gitea URL by selecting the `git` project in openshift and then **Networking > Routes**
- Click on the URL and login to Gitea with
- username : gitea
- password : gitea
- On the right side click on the repository `gitea/quarkus-build-options`
- Then click on the devfile `devspaces_devfile.yml`
- Now click on button **Raw** (or **Originalversion** in German) and copy this URL
- Now click on button **Raw** (or **Originalformat** in German) and copy this URL

It is important that you have the URL to the Raw version, otherwise DevSpace will recieve a website that it cannot parse.

Now back in your DevSpaces Workspace :

- In the left menu click on **Create Workspace**
- Paste the full URL of the devfile that you just copied into the **Git Repo URL** field and click **Create & Open**

Expand Down Expand Up @@ -64,12 +66,12 @@ Let's clone our project into our workspace :
{{< figure src="../images/vscode_clone.png?width=50pc&classes=border,shadow" title="Click image to enlarge" >}}
- Enter the `Git URL` to your **Gitea** Repository (You can copy the URL by clicking on the clipboard icon in **Gitea**) and press enter
{{< figure src="../images/gitea_clone_icon.png?width=50pc&classes=border,shadow" title="Click image to enlarge" >}}
- In the following dialog **Choose a folder to clone ...** Click the button **OK**
- In the following dialog **Choose a folder to clone ...**, move up the dirs and select the `/projects` dir, then click the button **OK**
- In the following dialog when asked how to open the code, click on **Open**
{{< figure src="../images/vscode_open_folder.png?width=50pc&classes=border,shadow" title="Click image to enlarge" >}}
- The windows will briefly reload and then you will be in the cloned project folder
- You may have to check "Trust the authors ..." and click `Yes, I trust the authors` again. Last time, promise :)
{{< figure src="../images/vscode_trust.png?width=50pc&classes=border,shadow" title="Click image to enlarge" >}}
{{< figure src="../images/vscode_trust.png?width=50pc&classes=border,shadow" title="Click image to enlarge" >}}

## Access OpenShift and Create the Development Stage Project

Expand Down Expand Up @@ -117,17 +119,17 @@ odo dev

This will compile the app, start a pod in the OpenShift project and inject the app.

There will be a couple of popups in the bottom right corner
There will be a couple of popups in the bottom right corner (Click on all of them as explained below)

![DevSpaces Popups](../images/devspaces_popup.png)

- "A new process is listening ..." -> Choose **Yes**
- "Redirect is not enabled ..." --> Click on **Open in New Tab**
- "Do you want VS Code - Open Source to open an external website" --> Choose **Open**

A new tab will open and show the webpage of your app. You may have to wait a reload in a few seconds.
New tabs will open. One with the DevFile Editor and one showing the Quarkus webpage of your app. You may have to wait a reload in a few seconds.

To test the app:
To test the app in the Quarkus App tab:

Your app should be displayed as a simple web page. In the `RESTEasy JAX-RS` section click the `@Path` endpoint `/hello` to see the result.

Expand Down
8 changes: 4 additions & 4 deletions content/5-gitops/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,7 @@ We will need to initialize the `workshop-prod/workshop` in Quay so the robo user

## Add Kustomize and Git Push Tekton Task

Let's add a new custom Tekton task to the `workshop-int` project that can update the Image `tag` via Kustomize after the build and then push the change to our git configuration repository.
Let's add a new custom Tekton task to the `workshop-int` project that can update the Image `tag` via Kustomize after the build process completed and then push the change to our git configuration repository.

We could add this through the OpenShift Web Console as well but to save time we will apply the file directly via the `oc` command.

Expand All @@ -101,12 +101,12 @@ oc create -f https://raw.githubusercontent.com/devsecops-workshop/yaml/main/tekt

## Add Tekton Tasks to your Pipeline to Promote your Image to workshop-prod

So now we have a new Tekton Task in our task catalog to update a GitOps Git repository, but we still need to promote the actual image from out `workshop-int` to `workshop-prod` project. Otherwise the image will not be available for our deployment.
So now we have a new Tekton Task in our task catalog to update a GitOps Git repository, but we still need to promote the actual image from our `workshop-int` to `workshop-prod` project. Otherwise the image will not be available for our deployment.

- In the `workshop_int` project, go to **Pipelines > Pipelines > workshop** and then YAML

{{% notice tip %}}
You can edit pipelines either directly in YAML or in the visual **Pipeline Builder**. We will see how to use the Builder later on so let's edit the YAML for now.
You can edit pipelines either directly in YAML or in the visual **Pipeline Builder**. We will see how to use the Builder later on, so let's edit the YAML for now.
{{% /notice %}}

Add the new Task to your Pipeline by adding it to the YAML like this:
Expand Down Expand Up @@ -176,7 +176,7 @@ The `Pipeline` should now look like this. Notice that the new **tasks** runs in

{{< figure src="../images/pipeline1.png?width=40pc&classes=border,shadow" title="Click image to enlarge" >}}

Now the pipeline is set. The last thing we need is authentication against the Gitea repository and the workshop-prod Quay org. We will add those from the **_start pipeline_** form next. Make sure to replace the <DOMAIN> placeholder if required.
Now, the pipeline is set. The last thing we need is authentication against the Gitea repository and the workshop-prod Quay org. We will add those from the **_start pipeline_** form next. Make sure to replace the <DOMAIN> placeholder if required.

## Update our Prod Stage via Pipeline and GitOps

Expand Down
Loading