diff --git a/README.md b/README.md index fd40363..5e7c81b 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ DevSecOps CICD pipeline demo using several technologies such as: - [OpenShift Pipelines](https://www.openshift.com/learn/topics/ci-cd) - [OpenShift GitOps](https://www.openshift.com/blog/announcing-openshift-gitops) - [OpenShift Advanced Cluster Security for Kubernetes](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet) -- [OpenShift Container Registry](https://docs.openshift.com/container-platform/latest/registry/architecture-component-imageregistry.html) +- [Red Hat Quay](https://www.redhat.com/en/resources/quay-datasheet) Vulnerability and configuration management methods included in this demo are the following: @@ -41,7 +41,7 @@ On every push to the spring-petclinic git repository on Gogs git server, the fol 1. [Dependency report](docs/Steps.md#dependency-report) from the source code is generated and uploaded to the report server repository. 2. [Unit tests](docs/Steps.md#unit-tests) are executed and in parallel the code is [analyzed by Sonarqube](docs/Steps.md#code-analysis-sonarqube) for anti-patterns. 3. Application is packaged as a JAR and [released to Sonatype Nexus](docs/Steps.md#release-app) snapshot repository -4. A [container image is built](docs/Steps.md#build-image) in DEV environment using S2I, and pushed to OpenShift internal registry, and tagged with spring-petclinic:[branch]-[commit-sha] and spring-petclinic:latest +4. A [container image is built](docs/Steps.md#build-image) in DEV environment using S2I and pushed to local instance of Red Hat Quay tagged with spring-petclinic:[branch]-[commit-sha] and spring-petclinic:latest ## 2. DevSecOps steps using Advanced Cluster Security for Kubernetes 
@@ -181,6 +181,13 @@ Install some extra Python dependency: pip3 install jmespath ``` +* On Fedora workstations/servers, these prequisities can be fulfilled with the following single command: + +```sh +sudo dnf install -y git ansible ansible-collection-kubernetes-core python3-kubernetes python3-openshift python3-jmespath jq +``` + + ## Bootstrap Fully automated deployment and integration of every resource and tool needed for this demo. @@ -217,7 +224,7 @@ cd .. ./demo.sh start ``` -NOTE: This pipeline will fail if you don't [disable the "Fixable at least Important"](docs/disable_policy_enforcement.md) policy enforcement behaviour of ACS. This is expected to demonstrate the failure when a violation of the system policy occurs. +NOTE: This pipeline will fail if you don't [disable the "Fixable Severity at least Important"](docs/disable_policy_enforcement.md) policy enforcement behaviour of ACS. This is expected to demonstrate the failure when a violation of the system policy occurs. Without disabling this policy (or at least changing the behaviour from "inform and enforce" to just "inform"), the image-check stage of the pipeline will fail (and break the build). ## Quick Video with the Demo @@ -238,4 +245,4 @@ NOTE: This pipeline will fail if you don't [disable the "Fixable at least Import # Credits -Big thanks for the [contributors](https://github.com/rcarrata/devsecops-demo/graphs/contributors) and reviews that helped so much in this demo! We grow as we share! +Big thanks for the [contributors](https://github.com/afouladi7/devsecops-demo/graphs/contributors) and reviews that helped so much in this demo! We grow as we share! diff --git a/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2 b/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2 index 2cea26f..ceea456 100644 --- a/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2 +++ b/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2 
@@ -10,9 +10,9 @@ spec: project: spring-petclinic source: path: environments/dev - repoURL: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config + repoURL: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config targetRevision: HEAD syncPolicy: automated: - prune: false - selfHeal: false + prune: true + selfHeal: true diff --git a/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-stage.yaml.j2 b/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-stage.yaml.j2 index d093614..330f3e1 100644 --- a/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-stage.yaml.j2 +++ b/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-stage.yaml.j2 @@ -10,9 +10,9 @@ spec: project: spring-petclinic source: path: environments/stage - repoURL: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config + repoURL: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config targetRevision: HEAD syncPolicy: automated: - prune: false - selfHeal: false + prune: true + selfHeal: true diff --git a/bootstrap/roles/ocp4-install-acs/templates/central.yml.j2 b/bootstrap/roles/ocp4-install-acs/templates/central.yml.j2 index fdbe94f..fccf5b3 100644 --- a/bootstrap/roles/ocp4-install-acs/templates/central.yml.j2 +++ b/bootstrap/roles/ocp4-install-acs/templates/central.yml.j2 @@ -23,9 +23,9 @@ spec: scanner: analyzer: scaling: - autoScaling: Enabled - maxReplicas: 5 - minReplicas: 2 - replicas: 3 + autoScaling: Disabled + maxReplicas: 1 + minReplicas: 1 + replicas: 1 scannerComponent: Enabled diff --git a/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml b/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml index 7ee6b65..362ae2e 100644 --- a/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml +++ b/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml 
@@ -47,8 +47,9 @@ - name: Wait for gogs and gogs-postgresql to be running uri: - url: http://{{ r_gogs_route.resources[0].spec.host }} + url: https://{{ r_gogs_route.resources[0].spec.host }} status_code: 200 + validate_certs: false register: result until: result.status == 200 retries: 10 diff --git a/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 b/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 index f2879c5..3f65319 100644 --- a/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 +++ b/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 @@ -111,7 +111,7 @@ spec: containers: - name: gogs imagePullPolicy: Always - image: quay.io/rcarrata/gogs:stable + image: quay.io/allenfouladi/gogs:stable ports: - containerPort: 3000 protocol: TCP @@ -179,7 +179,15 @@ metadata: namespace: cicd spec: to: + kind: Service name: gogs + weight: 100 + port: + targetPort: 3000-tcp + tls: + termination: edge + insecureEdgeTerminationPolicy: Allow + wildcardPolicy: None --- kind: PersistentVolumeClaim apiVersion: v1 diff --git a/bootstrap/roles/ocp4-install-cicd/templates/cicd-reports-repo.yaml.j2 b/bootstrap/roles/ocp4-install-cicd/templates/cicd-reports-repo.yaml.j2 index 0a1cd6b..7618541 100644 --- a/bootstrap/roles/ocp4-install-cicd/templates/cicd-reports-repo.yaml.j2 +++ b/bootstrap/roles/ocp4-install-cicd/templates/cicd-reports-repo.yaml.j2 @@ -33,7 +33,7 @@ spec: volumeMounts: - mountPath: /fileuploads name: staticfiles - - image: quay.io/siamaksade/nginx:latest + - image: quay.io/allenfouladi/nginx:latest name: nginx ports: - containerPort: 8080 diff --git a/bootstrap/roles/ocp4-install-gitops/tasks/gitops.yaml b/bootstrap/roles/ocp4-install-gitops/tasks/gitops.yaml index 1df9c33..38f35f1 100644 --- a/bootstrap/roles/ocp4-install-gitops/tasks/gitops.yaml +++ b/bootstrap/roles/ocp4-install-gitops/tasks/gitops.yaml 
@@ -53,35 +53,39 @@ state: present definition: "{{ lookup('template', 'subs-pipelines.yml.j2') }}" -- name: Adapt to the openshift_cluster_version LESS than 4.9 - when: ocp4_cluster_version is version_compare('4.9', '<') - block: - - - name: Wait for Pipelines CRD to exist - kubernetes.core.k8s_info: - api_version: "apiextensions.k8s.io/v1beta1" - kind: CustomResourceDefinition - name: "{{ item }}" - loop: "{{ pipelines_expected_crds }}" - register: crds - until: crds.resources|length > 0 - retries: 30 - delay: 10 - -- name: Adapt to the openshift_cluster_version MORE than 4.9 - when: ocp4_cluster_version is version_compare('4.9', '>=') - block: - - - name: Wait for Pipelines CRD to exist - kubernetes.core.k8s_info: - api_version: "apiextensions.k8s.io/v1" - kind: CustomResourceDefinition - name: "{{ item }}" - loop: "{{ pipelines_expected_crds }}" - register: crds - until: crds.resources|length > 0 - retries: 30 - delay: 10 +# - name: Adapt to the openshift_cluster_version LESS than 4.9 +# when: ocp4_cluster_version is version_compare('4.9', '<') +# block: + +# - name: Wait for Pipelines CRD to exist +# kubernetes.core.k8s_info: +# api_version: "apiextensions.k8s.io/v1beta1" +# kind: CustomResourceDefinition +# name: "{{ item }}" +# loop: "{{ pipelines_expected_crds }}" +# register: crds +# until: crds.resources|length > 0 +# retries: 30 +# delay: 10 + +# - name: Adapt to the openshift_cluster_version MORE than 4.9 +# when: ocp4_cluster_version is version_compare('4.9', '>=') +# block: + +# - name: Wait for Pipelines CRD to exist +# kubernetes.core.k8s_info: +# api_version: "apiextensions.k8s.io/v1" +# kind: CustomResourceDefinition +# name: "{{ item }}" +# loop: "{{ pipelines_expected_crds }}" +# register: crds +# until: crds.resources|length > 0 +# retries: 30 +# delay: 10 + +- name: Wait for Pipelines Operator to be up and running + pause: + minutes: 1 - name: Add ClusterRoleBinding to the openshift-gitops-controller kubernetes.core.k8s: 
@@ -96,10 +100,6 @@ - name: Patch the CM of Openshift GitOps to add role admin by default command: oc patch cm/argocd-rbac-cm -n openshift-gitops --type=merge -p '{"data":{"policy.default":"role:admin"}}' -- name: Add SSO Keycloak in Openshift GitOps by default - shell: | - oc -n openshift-gitops patch argocd openshift-gitops --type='json' -p='[{"op": "add", "path": "/spec/sso", "value": {"provider": "keycloak"} }]' - - name: Get ArgoCD route kubernetes.core.k8s_info: kind: Route diff --git a/bootstrap/roles/ocp4-install-gitops/templates/gitops-argocd.yaml.j2 b/bootstrap/roles/ocp4-install-gitops/templates/gitops-argocd.yaml.j2 index 0b3d8b2..b394e0f 100644 --- a/bootstrap/roles/ocp4-install-gitops/templates/gitops-argocd.yaml.j2 +++ b/bootstrap/roles/ocp4-install-gitops/templates/gitops-argocd.yaml.j2 @@ -34,7 +34,9 @@ spec: enabled: false initialSSHKnownHosts: {} sso: - provider: keycloak + provider: dex + dex: + openShiftOAuth: true applicationSet: resources: limits: @@ -55,8 +57,6 @@ spec: kinds: - TaskRun - PipelineRun - dex: - openShiftOAuth: true ha: enabled: false resources: diff --git a/bootstrap/roles/ocp4-install-gitops/templates/subs-gitops.yml.j2 b/bootstrap/roles/ocp4-install-gitops/templates/subs-gitops.yml.j2 index 980ce1d..db8f0e9 100644 --- a/bootstrap/roles/ocp4-install-gitops/templates/subs-gitops.yml.j2 +++ b/bootstrap/roles/ocp4-install-gitops/templates/subs-gitops.yml.j2 @@ -4,7 +4,7 @@ metadata: name: openshift-gitops-operator namespace: openshift-operators spec: - channel: stable + channel: latest installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/bootstrap/roles/ocp4-install-noobaa/tasks/noobaa-create.yaml b/bootstrap/roles/ocp4-install-noobaa/tasks/noobaa-create.yaml index 91868ae..06cea2a 100644 --- a/bootstrap/roles/ocp4-install-noobaa/tasks/noobaa-create.yaml +++ b/bootstrap/roles/ocp4-install-noobaa/tasks/noobaa-create.yaml 
@@ -76,7 +76,7 @@ shell: | oc get noobaas.noobaa.io/noobaa -n openshift-storage -o jsonpath='{.status.phase}' register: noobaa_status - retries: 10 + retries: 20 delay: 20 until: - noobaa_status.stdout == "Ready" @@ -114,7 +114,7 @@ shell: | oc get BackingStore/"{{ backing_store_name }}" -n openshift-storage -o jsonpath='{.status.phase}' register: backing_store - retries: 10 + retries: 20 delay: 20 until: - backing_store.stdout == "Ready" diff --git a/bootstrap/roles/ocp4-install-pipelines/tasks/pipelines.yaml b/bootstrap/roles/ocp4-install-pipelines/tasks/pipelines.yaml index a2c0728..ab1dd89 100644 --- a/bootstrap/roles/ocp4-install-pipelines/tasks/pipelines.yaml +++ b/bootstrap/roles/ocp4-install-pipelines/tasks/pipelines.yaml @@ -14,6 +14,8 @@ - ./templates/task-rox-image-check.yaml.j2 - ./templates/task-s2i-java-11.yaml.j2 - ./templates/task-zap-proxy.yaml.j2 + - ./templates/task-syft-sbom.yaml.j2 + - ./templates/task-signing-sbom.yaml.j2 - name: Create OpenShift Objects for Openshift Pipeline Triggers k8s: diff --git a/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-dev.yaml.j2 b/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-dev.yaml.j2 index cf04646..0112b6b 100644 --- a/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-dev.yaml.j2 +++ b/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-dev.yaml.j2 @@ -8,7 +8,7 @@ spec: - name: APP_SOURCE_GIT type: string description: The application git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic + default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic - name: APP_SOURCE_REVISION type: string description: The application git revision 
@@ -16,7 +16,7 @@ spec: - name: APP_MANIFESTS_GIT type: string description: The application manifests git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config + default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config - name: APP_IMAGE_TAG type: string default: latest diff --git a/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-stage.yaml.j2 b/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-stage.yaml.j2 index 8468cb3..672a32a 100644 --- a/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-stage.yaml.j2 +++ b/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-stage.yaml.j2 @@ -8,7 +8,7 @@ spec: - name: APP_SOURCE_GIT type: string description: The application git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic + default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic - name: APP_SOURCE_REVISION type: string description: The application git revision @@ -16,7 +16,7 @@ spec: - name: APP_MANIFESTS_GIT type: string description: The application manifests git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config + default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config - name: APP_IMAGE_TAG type: string default: latest diff --git a/bootstrap/roles/ocp4-install-pipelines/templates/task-git-update-deployment.yaml.j2 b/bootstrap/roles/ocp4-install-pipelines/templates/task-git-update-deployment.yaml.j2 index 6341692..b1411d8 100644 --- a/bootstrap/roles/ocp4-install-pipelines/templates/task-git-update-deployment.yaml.j2 +++ b/bootstrap/roles/ocp4-install-pipelines/templates/task-git-update-deployment.yaml.j2 
@@ -67,7 +67,7 @@ spec: # git commit -m "[$(context.pipelineRun.name)] Image digest updated" git commit -m "[ci] Image digest updated" - git remote add auth-origin $(echo $(params.GIT_REPOSITORY) | sed -E "s#http://(.*)#http://$(params.GIT_USERNAME):$(params.GIT_PASSWORD)@\1#g") + git remote add auth-origin $(echo $(params.GIT_REPOSITORY) | sed -E "s#https://(.*)#https://$(params.GIT_USERNAME):$(params.GIT_PASSWORD)@\1#g") git push auth-origin master RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')" diff --git a/bootstrap/roles/ocp4-install-pipelines/templates/task-s2i-java-11.yaml.j2 b/bootstrap/roles/ocp4-install-pipelines/templates/task-s2i-java-11.yaml.j2 index 36d27f6..b7805eb 100644 --- a/bootstrap/roles/ocp4-install-pipelines/templates/task-s2i-java-11.yaml.j2 +++ b/bootstrap/roles/ocp4-install-pipelines/templates/task-s2i-java-11.yaml.j2 @@ -109,6 +109,10 @@ spec: registry.redhat.io/rhel8/buildah@sha256:180c4d9849b6ab0e5465d30d4f3a77765cf0d852ca1cb1efb59d6e8c9f90d467 name: build resources: {} + securityContext: + capabilities: + add: + - SETFCAP volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers @@ -127,6 +131,10 @@ spec: image: registry.redhat.io/rhel8/buildah@sha256:180c4d9849b6ab0e5465d30d4f3a77765cf0d852ca1cb1efb59d6e8c9f90d467 name: push-tag resources: {} + securityContext: + capabilities: + add: + - SETFCAP volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers @@ -142,6 +150,10 @@ spec: image: registry.redhat.io/rhel8/buildah@sha256:180c4d9849b6ab0e5465d30d4f3a77765cf0d852ca1cb1efb59d6e8c9f90d467 name: push-latest resources: {} + securityContext: + capabilities: + add: + - SETFCAP volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers diff --git a/bootstrap/roles/ocp4-install-pipelines/templates/task-signing-sbom.yaml.j2 b/bootstrap/roles/ocp4-install-pipelines/templates/task-signing-sbom.yaml.j2 new file mode 100644 index 0000000..4ac3e5a --- /dev/null 
+++ b/bootstrap/roles/ocp4-install-pipelines/templates/task-signing-sbom.yaml.j2 @@ -0,0 +1,54 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: cosign-sign-sbom + namespace: cicd +spec: + description: This Task can be used to sign an image in a registry + params: + - description: Image to be signed + name: SIGNATURE_IMAGE + type: string + - description: Name (reference) of the cosign image + name: IMAGE + type: string + - description: SBOM to be signed + name: SIGNATURE_SBOM + type: string + - default: [] + description: args to pass to cosign command to + name: ARGS + type: array + steps: + - args: + - $(params.ARGS) + env: + - name: PIPELINERUN_NAME + valueFrom: + fieldRef: + fieldPath: 'metadata.labels[''tekton.dev/pipelineRun'']' + image: $(params.IMAGE) + name: cosign-actions + resources: {} + script: | + #!/usr/bin/env bash + + verify="cosign verify --allow-insecure-registry --key k8s://cicd/signing-secrets $(params.SIGNATURE_IMAGE)" + signing="cosign sign --allow-insecure-registry --key k8s://cicd/signing-secrets --attachment sbom $(params.SIGNATURE_IMAGE)" + $verify + attach="cosign $* $(params.SIGNATURE_SBOM) $(params.SIGNATURE_IMAGE) --sbom=none" + attest="cosign attest --predicate $(params.SIGNATURE_SBOM) --key k8s://cicd/signing-secrets --allow-insecure-registry $(params.SIGNATURE_IMAGE)" + tree="cosign tree --allow-insecure-registry $(params.SIGNATURE_IMAGE)" + echo "This is the command we will run $attach" + $attach + echo "Starting Image Signing Task" + echo "This is the command we will run $signing" + $signing + echo "This is the command we will run $attest" + $attest + echo "This will run the cosign tree command to see what is attached to signed image" + $tree + workingDir: $(workspaces.source.path) + workspaces: + - description: The workspace consisting of maven project. + name: source \ No newline at end of file 
diff --git a/bootstrap/roles/ocp4-install-pipelines/templates/task-syft-sbom.yaml.j2 b/bootstrap/roles/ocp4-install-pipelines/templates/task-syft-sbom.yaml.j2 new file mode 100644 index 0000000..02579e3 --- /dev/null +++ b/bootstrap/roles/ocp4-install-pipelines/templates/task-syft-sbom.yaml.j2 
@@ -0,0 +1,68 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: syft-sbom + namespace: cicd +spec: + description: This Task can be used to generate a SBOM file with Syft. + params: + - default: $(workspaces.source.path) + description: Application folder to scan + name: APP_PATH + type: string + - default: reports + description: The reports repository username + name: REPORTS_REPO_USERNAME + type: string + - default: reports + description: The reports repository password + name: REPORTS_REPO_PASSWORD + type: string + - default: 'http://reports-repo:8080' + description: >- + The reports repository host based on + https://github.com/chmouel/openshift-django-uploader + name: REPORTS_REPO_HOST + type: string + steps: + - env: + - name: PIPELINERUN_NAME + valueFrom: + fieldRef: + fieldPath: 'metadata.labels[''tekton.dev/pipelineRun'']' + image: 'registry.access.redhat.com/ubi8/ubi:latest' + name: syft-scan + resources: {} + script: > + #!/usr/bin/env bash + + echo '## Getting Syft ##' + + pwd + + curl -sSfL + https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s + -- -b . + + chmod +x ./syft + + echo '## Scanning folder and generating SBOM ##' + + ./syft $(params.APP_PATH) -o spdx-json=sbom.json + + echo '## SBOM content ##' + + cat ./sbom.json + + cp ./sbom.json /workspace/source/. + + chmod 0666 /workspace/source/sbom.json + + echo "Uploading the report into the report server" + + curl -u $(params.REPORTS_REPO_USERNAME):$(params.REPORTS_REPO_PASSWORD) + -F path=$PIPELINERUN_NAME/$PIPELINERUN_NAME-sbom.json -F file=@sbom.json -X + POST $(params.REPORTS_REPO_HOST)/upload; echo "" + workspaces: + - description: The workspace consisting of maven project. + name: source \ No newline at end of file diff --git a/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 b/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 index bd1eff9..a587e44 100644 
--- a/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 +++ b/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 @@ -4,7 +4,7 @@ metadata: name: quay-operator namespace: openshift-operators spec: - channel: stable-3.7 + channel: stable-3.12 installPlanApproval: Automatic name: quay-operator source: redhat-operators diff --git a/bootstrap/roles/ocp4-install-quay/templates/quayregistry.yaml.j2 b/bootstrap/roles/ocp4-install-quay/templates/quayregistry.yaml.j2 index 0c74740..febd900 100644 --- a/bootstrap/roles/ocp4-install-quay/templates/quayregistry.yaml.j2 +++ b/bootstrap/roles/ocp4-install-quay/templates/quayregistry.yaml.j2 @@ -6,25 +6,29 @@ metadata: spec: configBundleSecret: quay-config-bundle components: - - managed: true - kind: clair - - managed: true - kind: postgres - - managed: true - kind: objectstorage - - managed: true - kind: redis - - managed: true - kind: horizontalpodautoscaler - - managed: true - kind: route - - managed: true - kind: mirror - - managed: true - kind: monitoring - - managed: true - kind: tls - - managed: true - kind: quay - - managed: true - kind: clairpostgres + - kind: clair + managed: true + overrides: + replicas: 1 + - kind: postgres + managed: true + - kind: objectstorage + managed: true + - kind: redis + managed: true + - kind: horizontalpodautoscaler + managed: false + - kind: route + managed: true + - kind: mirror + managed: false + - kind: tls + managed: true + - kind: quay + managed: true + overrides: + replicas: 1 + - kind: clairpostgres + managed: true + - kind: monitoring + managed: false \ No newline at end of file diff --git a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json index 7764131..a88ec2c 100644 --- a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json +++ b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json 
@@ -31,7 +31,7 @@ "negate": false, "values": [ { - "value": "io.stackrox.signatureintegration.f9352803-d5c9-45d6-abe0-e1361a24559a" + "value": "io.stackrox.signatureintegration.11eafb0b-9c98-4639-98e0-46e124bd912e" } ] } diff --git a/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml b/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml index 9dca8a9..4239a4c 100644 --- a/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml +++ b/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml @@ -6,12 +6,17 @@ - ./templates/cosign-ubi-is.yaml.j2 - ./templates/cosign-is.yaml.j2 - ./templates/cosign-build.yaml.j2 + +# - name: restarting the build if failed +# shell: | +# oc start-build cosign-pod -n "{{ pipeline_namespace }}" +# register: build - name: Wait Until cosign build is complete shell: | oc get build -l build=cosign-pod -n "{{ pipeline_namespace }}" --sort-by=.metadata.creationTimestamp | tail -n 1 | awk '{print $4}' register: build_status - retries: 10 + retries: 20 delay: 20 until: - build_status.stdout == "Complete" diff --git a/bootstrap/roles/ocp4-install-signing/templates/cosign-build.yaml.j2 b/bootstrap/roles/ocp4-install-signing/templates/cosign-build.yaml.j2 index 7b2f185..767caf2 100644 --- a/bootstrap/roles/ocp4-install-signing/templates/cosign-build.yaml.j2 +++ b/bootstrap/roles/ocp4-install-signing/templates/cosign-build.yaml.j2 @@ -19,12 +19,12 @@ spec: dockerStrategy: from: kind: ImageStreamTag - name: 'ubi:8.0' + name: 'ubi:8.8' postCommit: {} source: type: Dockerfile dockerfile: >- - FROM registry.redhat.io/ubi8/ubi:8.0 + FROM registry.redhat.io/ubi8/ubi:8.8 RUN yum install go git wget tar rsync -y && wget diff --git a/bootstrap/roles/ocp4-install-signing/templates/cosign-ubi-is.yaml.j2 b/bootstrap/roles/ocp4-install-signing/templates/cosign-ubi-is.yaml.j2 index ff84878..263c0b1 100644 --- a/bootstrap/roles/ocp4-install-signing/templates/cosign-ubi-is.yaml.j2 
+++ b/bootstrap/roles/ocp4-install-signing/templates/cosign-ubi-is.yaml.j2 @@ -9,12 +9,12 @@ spec: lookupPolicy: local: false tags: - - name: '8.0' + - name: '8.8' annotations: - openshift.io/imported-from: 'registry.redhat.io/ubi8/ubi:8.0' + openshift.io/imported-from: 'registry.redhat.io/ubi8/ubi:8.8' from: kind: DockerImage - name: 'registry.redhat.io/ubi8/ubi:8.0' + name: 'registry.redhat.io/ubi8/ubi:8.8' generation: 2 importPolicy: {} referencePolicy: diff --git a/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 b/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 index b96e56c..8bea7d4 100644 --- a/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 +++ b/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 
@@ -5,275 +5,325 @@ metadata: namespace: cicd spec: params: - - name: APP_SOURCE_GIT - type: string + - default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic description: The application git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic - - name: APP_SOURCE_REVISION + name: APP_SOURCE_GIT type: string + - default: master description: The application git revision - default: master - - name: APP_MANIFESTS_GIT + name: APP_SOURCE_REVISION type: string + - default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config description: The application manifests git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config - - name: APP_IMAGE_TAG + name: APP_MANIFESTS_GIT type: string - default: latest + - default: latest description: The application image tag to build - - name: DEV_NAMESPACE + name: APP_IMAGE_TAG type: string - default: devsecops-dev + - default: devsecops-dev description: The namespace for Stage environments - - name: APP_TESTS_GIT + name: DEV_NAMESPACE type: string + - default: 'https://github.com/rcarrata/spring-petclinic-gatling' description: The application test cases git repository - default: https://github.com/rcarrata/spring-petclinic-gatling - workspaces: - - name: workspace - - name: maven-settings + name: APP_TESTS_GIT + type: string tasks: - - name: source-clone - taskRef: - name: git-clone - kind: ClusterTask - workspaces: - - name: output - workspace: workspace - params: - - name: url - value: $(params.APP_SOURCE_GIT) - - name: revision - value: $(params.APP_SOURCE_REVISION) - - name: depth - value: "0" - - name: subdirectory - value: spring-petclinic - - name: deleteExisting - value: "true" - - name: unit-tests - taskRef: - name: maven - runAfter: - - source-clone - workspaces: - - name: source - workspace: workspace - - name: maven-settings - workspace: maven-settings - params: - - name: GOALS - value: 
["package", "-f", "spring-petclinic"] - - name: code-analysis - taskRef: - name: maven - runAfter: - - source-clone - workspaces: - - name: source - workspace: workspace - - name: maven-settings - workspace: maven-settings - params: - - name: GOALS - value: - - install - - sonar:sonar - - -f - - spring-petclinic - - -Dsonar.host.url=http://sonarqube:9000 - - -Dsonar.userHome=/tmp/sonar - - -DskipTests=true - - name: dependency-report - taskRef: - name: dependency-report - runAfter: - - source-clone - workspaces: - - name: source - workspace: workspace - - name: maven-settings - workspace: maven-settings - params: - - name: SOURCE_DIR - value: spring-petclinic - - name: release-app - taskRef: - name: maven - runAfter: - - code-analysis - - unit-tests - - dependency-report - workspaces: - - name: source - workspace: workspace - - name: maven-settings - workspace: maven-settings - params: - - name: GOALS - value: - - deploy - - -f - - spring-petclinic - - -DskipTests=true - - -DaltDeploymentRepository=nexus::default::http://nexus:8081/repository/maven-releases/ - - -DaltSnapshotDeploymentRepository=nexus::default::http://nexus:8081/repository/maven-snapshots/ - - name: build-image - taskRef: - name: s2i-java-11 - runAfter: - - release-app - params: - - name: TLSVERIFY - value: "false" - - name: MAVEN_MIRROR_URL - value: http://nexus:8081/repository/maven-public/ - - name: PATH_CONTEXT - value: spring-petclinic/target - - name: IMAGE_NAME - value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev - - name: IMAGE_TAG - value: $(params.APP_IMAGE_TAG) - workspaces: - - name: source - workspace: workspace - - name: image-sign - taskRef: - name: cosign-task - runAfter: - - build-image - params: - - name: IMAGE - value: "image-registry.openshift-image-registry.svc:5000/{{pipeline_namespace}}/cosign-pod" - - name: SIGNATURE_IMAGE - value: "{{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev" - - name: ARGS - value: - - "sign" - - "--allow-insecure-registry" - - 
"--key k8s://{{ pipeline_namespace }}/{{ secret_generate_name }}" - - name: image-scan - runAfter: - - build-image - taskRef: - name: rox-image-scan - kind: ClusterTask - params: - - name: image - value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev - - name: rox_api_token - value: roxsecrets - - name: rox_central_endpoint - value: roxsecrets - - name: output_format - value: table - - name: image_digest - value: $(tasks.build-image.results.IMAGE_DIGEST) - - name: image-check - runAfter: - - build-image - taskRef: - name: rox-image-check - kind: ClusterTask - params: - - name: image - value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev - - name: rox_api_token - value: roxsecrets - - name: rox_central_endpoint - value: roxsecrets - - name: image_digest - value: $(tasks.build-image.results.IMAGE_DIGEST) - - name: deploy-check - runAfter: - - build-image - taskRef: - name: rox-deployment-check - kind: ClusterTask - params: - - name: GIT_REPOSITORY - value: "$(params.APP_MANIFESTS_GIT)" - - name: rox_api_token - value: roxsecrets - - name: rox_central_endpoint - value: roxsecrets - - name: file - value: deployment.yaml - - name: deployment_files_path - value: app - workspaces: - - name: workspace - workspace: workspace - - name: update-deployment - runAfter: - - image-sign - - image-scan - - image-check - - deploy-check - taskRef: - name: git-update-deployment - params: - - name: GIT_REPOSITORY - value: "$(params.APP_MANIFESTS_GIT)" - - name: GIT_USERNAME - value: gogs - - name: GIT_PASSWORD - value: gogs - - name: CURRENT_IMAGE - value: quay.io/siamaksade/spring-petclinic:latest - - name: NEW_IMAGE - value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev - - name: NEW_DIGEST - value: "$(tasks.build-image.results.IMAGE_DIGEST)" - - name: KUSTOMIZATION_PATH - value: environments/dev - workspaces: - - name: workspace - workspace: workspace - - name: wait-application - taskRef: - name: argocd-task-sync-and-wait - runAfter: - - 
update-deployment - params: - - name: application-name - value: dev-spring-petclinic - - name: perf-tests-clone - taskRef: - name: git-clone - kind: ClusterTask - workspaces: - - name: output - workspace: workspace - runAfter: - - wait-application - params: - - name: url - value: $(params.APP_TESTS_GIT) - - name: subdirectory - value: spring-petclinic-gatling - - name: deleteExisting - value: "true" - - name: pentesting-test - taskRef: - name: zap-proxy - runAfter: - - perf-tests-clone - params: - - name: APP_URL - value: "http://spring-petclinic.$(params.DEV_NAMESPACE).svc.cluster.local:8080" - workspaces: + - name: source-clone + params: + - name: url + value: $(params.APP_SOURCE_GIT) + - name: revision + value: $(params.APP_SOURCE_REVISION) + - name: depth + value: '0' + - name: subdirectory + value: spring-petclinic + - name: deleteExisting + value: 'true' + taskRef: + kind: ClusterTask + name: git-clone + workspaces: + - name: output + workspace: workspace + - name: unit-tests + params: + - name: GOALS + value: + - package + - '-f' + - spring-petclinic + runAfter: + - source-clone + taskRef: + kind: Task + name: maven + workspaces: + - name: source + workspace: workspace + - name: maven-settings + workspace: maven-settings + - name: code-analysis + params: + - name: GOALS + value: + - install + - 'sonar:sonar' + - '-f' + - spring-petclinic + - '-Dsonar.host.url=http://sonarqube:9000' + - '-Dsonar.userHome=/tmp/sonar' + - '-DskipTests=true' + runAfter: + - source-clone + taskRef: + kind: Task + name: maven + workspaces: + - name: source + workspace: workspace + - name: maven-settings + workspace: maven-settings + - name: dependency-report + params: + - name: SOURCE_DIR + value: spring-petclinic + runAfter: + - source-clone + taskRef: + kind: Task + name: dependency-report + workspaces: + - name: source + workspace: workspace + - name: maven-settings + workspace: maven-settings + - name: release-app + params: + - name: GOALS + value: + - deploy + - '-f' + - 
spring-petclinic + - '-DskipTests=true' + - >- + -DaltDeploymentRepository=nexus::default::http://nexus:8081/repository/maven-releases/ + - >- + -DaltSnapshotDeploymentRepository=nexus::default::http://nexus:8081/repository/maven-snapshots/ + runAfter: + - code-analysis + - unit-tests + - dependency-report + taskRef: + kind: Task + name: maven + workspaces: + - name: source + workspace: workspace + - name: maven-settings + workspace: maven-settings + - name: build-image + params: + - name: TLSVERIFY + value: 'false' + - name: MAVEN_MIRROR_URL + value: 'http://nexus:8081/repository/maven-public/' + - name: PATH_CONTEXT + value: spring-petclinic/target + - name: IMAGE_NAME + value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev + - name: IMAGE_TAG + value: $(params.APP_IMAGE_TAG) + runAfter: + - syft-sbom-post-release + taskRef: + kind: Task + name: s2i-java-11 + workspaces: + - name: source + workspace: workspace + - name: image-sign + params: + - name: IMAGE + value: "image-registry.openshift-image-registry.svc:5000/{{pipeline_namespace}}/cosign-pod" + - name: SIGNATURE_IMAGE + value: "{{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev" + - name: ARGS + value: + - sign + - '--allow-insecure-registry' + - '--key k8s://cicd/signing-secrets' + runAfter: + - build-image + taskRef: + kind: Task + name: cosign-task + - name: image-scan + params: + - name: image + value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev + - name: rox_api_token + value: roxsecrets + - name: rox_central_endpoint + value: roxsecrets + - name: output_format + value: table + - name: image_digest + value: $(tasks.build-image.results.IMAGE_DIGEST) + runAfter: + - build-image + taskRef: + kind: ClusterTask + name: rox-image-scan + - name: image-check + params: + - name: image + value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev + - name: rox_api_token + value: roxsecrets + - name: rox_central_endpoint + value: roxsecrets + - name: image_digest + value: 
$(tasks.build-image.results.IMAGE_DIGEST) + runAfter: + - build-image + taskRef: + kind: ClusterTask + name: rox-image-check + - name: deploy-check + params: + - name: GIT_REPOSITORY + value: $(params.APP_MANIFESTS_GIT) + - name: rox_api_token + value: roxsecrets + - name: rox_central_endpoint + value: roxsecrets + - name: file + value: deployment.yaml + - name: deployment_files_path + value: app + runAfter: + - build-image + taskRef: + kind: ClusterTask + name: rox-deployment-check + workspaces: + - name: workspace + workspace: workspace + - name: update-deployment + params: + - name: GIT_REPOSITORY + value: $(params.APP_MANIFESTS_GIT) + - name: GIT_USERNAME + value: gogs + - name: GIT_PASSWORD + value: gogs + - name: CURRENT_IMAGE + value: 'quay.io/siamaksade/spring-petclinic:latest' + - name: NEW_IMAGE + value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev + - name: NEW_DIGEST + value: $(tasks.build-image.results.IMAGE_DIGEST) + - name: KUSTOMIZATION_PATH + value: environments/dev + runAfter: + - sign-sbom + taskRef: + kind: Task + name: git-update-deployment + workspaces: + - name: workspace + workspace: workspace + - name: wait-application + params: + - name: application-name + value: dev-spring-petclinic + runAfter: + - update-deployment + taskRef: + kind: Task + name: argocd-task-sync-and-wait + - name: perf-tests-clone + params: + - name: url + value: $(params.APP_TESTS_GIT) + - name: subdirectory + value: spring-petclinic-gatling + - name: deleteExisting + value: 'true' + runAfter: + - wait-application + taskRef: + kind: ClusterTask + name: git-clone + workspaces: + - name: output + workspace: workspace + - name: pentesting-test + params: + - name: APP_URL + value: "http://spring-petclinic.$(params.DEV_NAMESPACE).svc.cluster.local:8080" + runAfter: + - perf-tests-clone + taskRef: + kind: Task + name: zap-proxy + workspaces: + - name: workspace + workspace: workspace + - name: performance-test + params: + - name: APP_URL + value: 
"http://spring-petclinic.$(params.DEV_NAMESPACE).svc.cluster.local:8080" + runAfter: + - perf-tests-clone + taskRef: + kind: Task + name: gatling + workspaces: + - name: simulations + subPath: spring-petclinic-gatling + workspace: workspace + - name: syft-sbom-post-release + params: + - name: APP_PATH + value: $(workspaces.source.path) + runAfter: + - release-app + taskRef: + kind: Task + name: syft-sbom + workspaces: + - name: source + workspace: workspace + - name: sign-sbom + params: + - name: IMAGE + value: "image-registry.openshift-image-registry.svc:5000/{{pipeline_namespace}}/cosign-pod" + - name: SIGNATURE_SBOM + value: sbom.json + - name: ARGS + value: + - attach + - sbom + - '--allow-insecure-registry' + - '--type syft' + - '--sbom' + - name: SIGNATURE_IMAGE + value: "{{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev" + runAfter: + - image-sign + - image-scan + - image-check + - deploy-check + taskRef: + kind: Task + name: cosign-sign-sbom + workspaces: + - name: source + workspace: workspace + workspaces: - name: workspace - workspace: workspace - - name: performance-test - taskRef: - name: gatling - runAfter: - - perf-tests-clone - params: - - name: APP_URL - value: "http://spring-petclinic.$(params.DEV_NAMESPACE).svc.cluster.local:8080" - workspaces: - - name: simulations - workspace: workspace - subPath: spring-petclinic-gatling + - name: maven-settings \ No newline at end of file diff --git a/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-stage.yaml.j2 b/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-stage.yaml.j2 index f056670..08154ec 100644 --- a/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-stage.yaml.j2 +++ b/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-stage.yaml.j2 
@@ -8,7 +8,7 @@ spec: - name: APP_SOURCE_GIT type: string description: The application git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic + default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic - name: APP_SOURCE_REVISION type: string description: The application git revision @@ -16,7 +16,7 @@ spec: - name: APP_MANIFESTS_GIT type: string description: The application manifests git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config + default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config - name: APP_IMAGE_TAG type: string default: latest diff --git a/bootstrap/roles/ocp4-post-acs/tasks/post_ci.yaml b/bootstrap/roles/ocp4-post-acs/tasks/post_ci.yaml index ef56247..2bf331c 100644 --- a/bootstrap/roles/ocp4-post-acs/tasks/post_ci.yaml +++ b/bootstrap/roles/ocp4-post-acs/tasks/post_ci.yaml 
@@ -47,6 +47,39 @@ namespace: "{{ ocp4_demo_pipeline_namespace }}" type: Opaque +# - name: Get Service Account objects +# kubernetes.core.k8s_info: +# kind: ServiceAccount +# api_version: /v1 +# name: pipeline +# namespace: cicd +# register: r_argopass + +# - name: Get the secret that contains the token of sa pipeline +# set_fact: +# token_sa_pipeline_secret: "{{ r_argopass.resources[0].secrets | to_json | from_json | json_query(query) }}" +# vars: +# query: >- +# [?contains(name,'token')].name + +# # - debug: +# # msg: "{{ token_sa_pipeline_secret }}" + +# - name: Get token in the secret for the sa pipeline and decode +# kubernetes.core.k8s_info: +# kind: Secret +# api_version: /v1 +# name: "{{ token_sa_pipeline_secret[0] | replace(\"'\",'') }}" +# namespace: cicd +# register: r_token_sa_secret + +# # - debug: +# # msg: "{{ r_token_sa_secret.resources[0].data.token | b64decode }}" + +# - name: define the token secret decoded +# set_fact: +# pipeline_token: "{{ r_token_sa_secret.resources[0].data.token | b64decode }}" + - name: Get Service Account objects kubernetes.core.k8s_info: kind: ServiceAccount 
@@ -55,30 +88,19 @@ namespace: cicd register: r_argopass -- name: Get the secret that contains the token of sa pipeline - set_fact: - token_sa_pipeline_secret: "{{ r_argopass.resources[0].secrets | to_json | from_json | json_query(query) }}" - vars: - query: >- - [?contains(name,'token')].name - -#- debug: -# msg: "{{ token_sa_pipeline_secret }}" +- name: lets do it with shell + shell: "oc describe sa pipeline -n cicd | grep Tokens | awk '{print$2}'" + register: r_argopass -- name: Get token in the secret for the sa pipeline and decode - kubernetes.core.k8s_info: - kind: Secret - api_version: /v1 - name: "{{ token_sa_pipeline_secret[0] | replace(\"'\",'') }}" - namespace: cicd - register: r_token_sa_secret +- set_fact: + r_argopass: "{{ r_argopass.stdout }}" -#- debug: -# msg: "{{ r_token_sa_secret.resources[0].data.token | b64decode }}" +- name: pulling secret and base64 decoding it + shell: oc get secret {{ r_argopass }} -n cicd -o jsonpath='{.data.token}' | base64 -d + register: pipeline_token -- name: define the token secret decoded - set_fact: - pipeline_token: "{{ r_token_sa_secret.resources[0].data.token | b64decode }}" +- set_fact: + pipeline_token: "{{ pipeline_token.stdout }}" - name: Creating ACS Integration with the Openshift Internal Registry uri: diff --git a/bootstrap/roles/ocp4-post-acs/templates/acs-console-link.yml.j2 b/bootstrap/roles/ocp4-post-acs/templates/acs-console-link.yml.j2 index 9d28b16..7e4eddb 100644 --- a/bootstrap/roles/ocp4-post-acs/templates/acs-console-link.yml.j2 +++ b/bootstrap/roles/ocp4-post-acs/templates/acs-console-link.yml.j2 @@ -4,7 +4,7 @@ metadata: name: acs-console-link spec: applicationMenu: - imageURL: 'https://upload.wikimedia.org/wikipedia/commons/3/3a/OpenShift-LogoType.svg' + imageURL: 'https://upload.wikimedia.org/wikipedia/commons/d/d8/Red_Hat_logo.svg' section: Red Hat Applications href: 'https://{{ f_stackrox_central_addr }}' location: ApplicationMenu 
diff --git a/demo.sh b/demo.sh index eef9177..665e137 100755 --- a/demo.sh +++ b/demo.sh @@ -135,6 +135,8 @@ command.sign-verify() { oc exec pod/"$cosign_pod" -n $working_namespace -- /bin/bash -c "chmod ugo+x /workdir/verify/${verify_script}" oc exec pod/"$cosign_pod" -n $working_namespace -- /bin/bash -c "/workdir/verify/${verify_script} $working_namespace " + info "## Verifying image, SBOM, and attestation ##" + taskrun=$(oc get taskruns -n cicd --sort-by=.metadata.creationTimestamp | grep sign-sbom | tail -1 | awk '{print$1}'); oc logs $taskrun-pod -n $working_namespace # echo "Obtaining cosign.key" # oc exec pod/"$cosign_pod" -n openshift-pipelines -- /bin/bash -c "oc get secret/signing-secrets -n openshift-pipelines -o jsonpath='{.data.cosign\.key}' | base64 -d > /test/cosign.key" # echo "Obtaining cosign.password" diff --git a/docs/disable_policy_enforcement.md b/docs/disable_policy_enforcement.md index 6d708f5..51cb8e5 100644 --- a/docs/disable_policy_enforcement.md +++ b/docs/disable_policy_enforcement.md @@ -1,10 +1,22 @@ ## Disable the Policy Enforcement -To disable the policy enforcement you need to: - -- Go to the ACS Console -- Platform Configuration Tab -- System Policies -- Fixable CVSS >= 7 -- Edit -> Next -> Next -> Next -- Build and Deploy into Enforcement Behavior Off \ No newline at end of file +To disable the policy enforcement: + +- Login to ACS console. +- Expand the "Platform Configuration" tab. +- Select "Policy Management". +- Click on the 3 vertical dots at the right of the target policy. + +EITHER + +- Click "Disable policy". + +OR + +- Click "Edit policy". +- Click "Next" to skip "1 Policy details". +- At "2 Policy behavior", scroll down to "Response method". Click "Inform" radio button instead of "Inform and enforce". Click "Next". +- Click "Next" to skip "3 Policy criteria". +- Click "Next" to skip "4 Policy scope". +- Click "Save" at "5 Review policy" to save the updated policy configuration. +- Click "5 Review policy". 
diff --git a/docs/trust_quay_from_another_cluster.md b/docs/trust_quay_from_another_cluster.md new file mode 100644 index 0000000..11e86ee --- /dev/null +++ b/docs/trust_quay_from_another_cluster.md @@ -0,0 +1,30 @@ +## Add the private quay registry as a trusted registry in a secondary cluster +### Prerequisites +- Have a cluster up and running with this demo setup including the extend.sh portion (with local quay) +- Have a secondary cluster up and running where you want to also deploy images from the above quay +- Run the following export commands to make the below scripts easier to run: + ```bash + export QUAY_URL= + export QUAY_USER= + export QUAY_PASS= + export LOCAL_NS= + ``` +### Obtain default router certificate from primary cluster +```bash +oc get secret -n openshift-ingress router-certs-default -o jsonpath="{.data['tls\.crt']}" | base64 -d > tls.key +``` +### Add tls.key to the secondary cluster as a trusted CA +Make sure to login to the secondary cluster before running these commands, and make sure you have the tls.key +from the above step in this folder. +```bash +oc create configmap registry-cas -n openshift-config \ +--from-file=${QUAY_URL}=tls.key +oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge +``` + +### Setup login credentials for the Service Account in the secondary cluster +This example is going to use the default service account +```bash +oc create secret docker-registry quay-robot-secret --docker-server=$QUAY_URL --docker-username=$QUAY_USER --docker-password=$QUAY_PASS -n $LOCAL_NS +oc secrets link default quay-robot-secret --for=pull,mount -n $LOCAL_NS +``` diff --git a/install.sh b/install.sh index 031b96b..7bb9de4 100755 --- a/install.sh +++ b/install.sh @@ -18,3 +18,4 @@ err() { info "Installing Demo" ansible-playbook bootstrap/deploy_demo.yaml -v +ansible-playbook bootstrap/deploy_signing.yaml -v diff --git a/status.sh b/status.sh index 6c8ca9d..bcd9ac5 100755 
--- a/status.sh +++ b/status.sh @@ -27,3 +27,8 @@ printf "\n## ArgoCD Server - Username/Password: admin/[DEX] ##\n" ARGO=$(oc get route -n openshift-gitops openshift-gitops-server -o jsonpath='{.spec.host}') printf "https://$ARGO" printf "\n" + +printf "\n## Quay Server - Username/Password: quayadmin/quaypass123 ##\n" +QUAY=$(oc get route -n quay-demo demo-registry-quay -o jsonpath='{.spec.host}') +printf "https://$QUAY" +printf "\n"
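Review bot: in the rewritten `image-sign` task of `pipeline-dev.yaml.j2`, the key reference was hardcoded to `'--key k8s://cicd/signing-secrets'` while the removed line used `k8s://{{ pipeline_namespace }}/{{ secret_generate_name }}`; keep the template variables so the signing key location follows the configured namespace and secret name. The same task signs `SIGNATURE_IMAGE` by its moving `spring-petclinic-dev` tag even though `$(tasks.build-image.results.IMAGE_DIGEST)` is already passed to `image-scan`, `image-check` and `update-deployment`; handing the digest to the sign step binds the signature to the exact image that was scanned and deployed rather than to whatever the tag points at later. Two smaller points on the same hunk: `TLSVERIFY: 'false'` on `build-image` and `'--allow-insecure-registry'` on both cosign tasks deserve a comment in the template marking them as demo-only, and packing a flag and its value into one list item (`'--key k8s://cicd/signing-secrets'`, `'--type syft'`) only works if `cosign-task` joins ARGS into one shell string; if it passes them as an argv array, flag and value need separate items. The `GIT_USERNAME`/`GIT_PASSWORD` literals `gogs` are carried over unchanged; referencing a Secret, as is already done for `rox_api_token: roxsecrets`, would keep that credential out of the Pipeline spec.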
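Review bot: the `pipeline-build-stage.yaml.j2` hunk switches the `APP_SOURCE_GIT` and `APP_MANIFESTS_GIT` defaults from `http://` to `https://`, which is the right direction, but if the Gogs route is served with the default ingress certificate (the one the new `trust_quay_from_another_cluster.md` extracts from `router-certs-default`), the `git-clone` ClusterTask and the `git-update-deployment` push will only succeed when that CA is trusted by the task image or `sslVerify` is set accordingly; confirm one of the two is configured, and make the same default change in the dev pipeline template so both stages resolve Gogs the same way.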
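Review bot: the first `post_ci.yaml` hunk (`@@ -47,6 +47,39 @@`) pastes the previous `k8s_info`/`json_query` implementation back as roughly thirty commented-out lines, including commented-out `debug` tasks nested inside the comment; delete the block, since the old version stays in git history and dead YAML in a role only invites someone to uncomment it later.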
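Review bot: in the second `post_ci.yaml` hunk (`@@ -55,30 +88,19 @@`) the decoded token lands in a registered `shell` result and then in `pipeline_token`, and `install.sh` runs the playbooks with `-v`, so the token will be echoed into the playbook log unless both `shell` tasks and the `set_fact` get `no_log: true`; add `changed_when: false` as well, since they only read. The task names `lets do it with shell` and `pulling secret and base64 decoding it` should describe the step (for example `Find the token secret of the pipeline service account`), and `r_argopass` is first the `k8s_info` result and then overwritten with a plain string, which is confusing; a name such as `pipeline_token_secret_name` reads better. Functionally, `oc get secret {{ r_argopass }} -n cicd` interpolates an unquoted value, and when `grep Tokens` matches nothing (on Kubernetes 1.24 and later service account token secrets are no longer created automatically) the command degrades to `oc get secret -n cicd -o jsonpath=...`, so guard the first task with `failed_when: r_argopass.stdout == ''` or fetch the token with a dedicated step instead of parsing `oc describe` output.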
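Review bot: the `demo.sh` hunk hardcodes `-n cicd` in `oc get taskruns` while the following `oc logs` uses `$working_namespace`; use the variable in both places. `$taskrun` is unquoted and, when `grep sign-sbom` matches nothing, the command becomes `oc logs -pod`, so wrap it as `[ -n "$taskrun" ] && oc logs "${taskrun}-pod" -n "$working_namespace"`; selecting with `-l tekton.dev/pipelineTask=sign-sbom` instead of `grep` avoids picking up unrelated runs whose names happen to contain the string. The `info` line also promises "image, SBOM, and attestation" while the command only prints the `sign-sbom` task log.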
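Review bot: in `docs/disable_policy_enforcement.md` the final bullet `Click "5 Review policy".` comes after `Click "Save" at "5 Review policy"` and repeats it; drop the last bullet or move it before the Save step so the sequence ends at Save. A one-line note that "Disable policy" turns the check off entirely while "Inform" keeps it reporting (the distinction the README NOTE relies on) would help readers choose between the two options.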
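Review bot: `docs/trust_quay_from_another_cluster.md` writes the router certificate (`tls\.crt`) to a file named `tls.key` and then refers to it as a key throughout; a public certificate named `.key` is likely to be treated as a private key by reviewers and ignore rules, so name it `quay-ca.crt` and adjust `--from-file=${QUAY_URL}=quay-ca.crt` and the prose. Also note in the text that the ConfigMap key must be the registry hostname exactly as it appears in image references, and that a registry on a non-default port uses the `hostname..port` form for the key.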
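Review bot: `install.sh` now runs `bootstrap/deploy_signing.yaml` unconditionally after `deploy_demo.yaml`; unless the script runs with `set -e`, the signing playbook starts even when the base deployment failed, so chain the two with `&&` or check the first exit status before continuing.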
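Review bot: the `status.sh` hunk embeds the Quay admin password literally in `printf "\n## Quay Server - Username/Password: quayadmin/quaypass123 ##\n"`, so the credential now lives in a checked-in script as well as wherever the bootstrap sets it; follow the pattern used for ArgoCD on the lines above, which prints `admin/[DEX]` and lets the user fetch the secret, or read the value from the cluster at run time instead of hardcoding it. The route lookup `oc get route -n quay-demo demo-registry-quay` also needs to match the namespace and registry name the bootstrap creates, or the status output prints `https://` with an empty host.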