Made some changes so this runs on 4.12+ cluster

README.md

@@ -7,7 +7,7 @@ DevSecOps CICD pipeline demo using several technologies such as:
 - [OpenShift Pipelines](https://www.openshift.com/learn/topics/ci-cd)
 - [OpenShift GitOps](https://www.openshift.com/blog/announcing-openshift-gitops)
 - [OpenShift Advanced Cluster Security for Kubernetes](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet)
-- [OpenShift Container Registry](https://docs.openshift.com/container-platform/latest/registry/architecture-component-imageregistry.html)
+- [Red Hat Quay](https://www.redhat.com/en/resources/quay-datasheet)
 
 Vulnerability and configuration management methods included in this demo are the following:
 
@@ -41,7 +41,7 @@ On every push to the spring-petclinic git repository on Gogs git server, the fol
 1. [Dependency report](docs/Steps.md#dependency-report) from the source code is generated and uploaded to the report server repository.
 2. [Unit tests](docs/Steps.md#unit-tests) are executed and in parallel the code is [analyzed by Sonarqube](docs/Steps.md#code-analysis-sonarqube) for anti-patterns.
 3. Application is packaged as a JAR and [released to Sonatype Nexus](docs/Steps.md#release-app) snapshot repository
-4. A [container image is built](docs/Steps.md#build-image) in DEV environment using S2I, and pushed to OpenShift internal registry, and tagged with spring-petclinic:[branch]-[commit-sha] and spring-petclinic:latest
+4. A [container image is built](docs/Steps.md#build-image) in DEV environment using S2I and pushed to local instance of Red Hat Quay tagged with spring-petclinic:[branch]-[commit-sha] and spring-petclinic:latest
 
 ## 2. DevSecOps steps using Advanced Cluster Security for Kubernetes
 
@@ -181,6 +181,13 @@ Install some extra Python dependency:
 pip3 install jmespath
 ```
 
+* On Fedora workstations/servers, these prequisities can be fulfilled with the following single command:
+
+```sh
+sudo dnf install -y git ansible ansible-collection-kubernetes-core python3-kubernetes python3-openshift python3-jmespath jq
+```
+
+
 ## Bootstrap
 
 Fully automated deployment and integration of every resource and tool needed for this demo.
@@ -217,7 +224,7 @@ cd ..
 ./demo.sh start
 ```
 
-NOTE: This pipeline will fail if you don't [disable the "Fixable at least Important"](docs/disable_policy_enforcement.md) policy enforcement behaviour of ACS. This is expected to demonstrate the failure when a violation of the system policy occurs.
+NOTE: This pipeline will fail if you don't [disable the "Fixable Severity at least Important"](docs/disable_policy_enforcement.md) policy enforcement behaviour of ACS. This is expected to demonstrate the failure when a violation of the system policy occurs. Without disabling this policy (or at least changing the behaviour from "inform and enforce" to just "inform"), the image-check stage of the pipeline will fail (and break the build).
 
 ## Quick Video with the Demo
 
@@ -238,4 +245,4 @@ NOTE: This pipeline will fail if you don't [disable the "Fixable at least Import
 
 # Credits
 
-Big thanks for the [contributors](https://github.com/rcarrata/devsecops-demo/graphs/contributors) and reviews that helped so much in this demo! We grow as we share!
+Big thanks for the [contributors](https://github.com/afouladi7/devsecops-demo/graphs/contributors) and reviews that helped so much in this demo! We grow as we share!

bootstrap/roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2

@@ -10,9 +10,9 @@ spec:
   project: spring-petclinic
   source:
     path: environments/dev
-    repoURL: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config
+    repoURL: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config
     targetRevision: HEAD
   syncPolicy:
     automated:
-      prune: false
-      selfHeal: false
+      prune: true
+      selfHeal: true

bootstrap/roles/ocp4-config-gitops/templates/argocd-app-stage.yaml.j2

@@ -10,9 +10,9 @@ spec:
   project: spring-petclinic
   source:
     path: environments/stage
-    repoURL: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config
+    repoURL: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config
     targetRevision: HEAD
   syncPolicy:
     automated:
-      prune: false
-      selfHeal: false
+      prune: true
+      selfHeal: true

bootstrap/roles/ocp4-install-acs/templates/central.yml.j2

@@ -23,9 +23,9 @@ spec:
   scanner:
     analyzer:
       scaling:
-        autoScaling: Enabled
-        maxReplicas: 5
-        minReplicas: 2
-        replicas: 3
+        autoScaling: Disabled
+        maxReplicas: 1
+        minReplicas: 1
+        replicas: 1
     scannerComponent: Enabled
 

bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml

@@ -47,8 +47,9 @@
 
 - name: Wait for gogs and gogs-postgresql to be running
   uri:
-    url: http://{{ r_gogs_route.resources[0].spec.host }}
+    url: https://{{ r_gogs_route.resources[0].spec.host }}
     status_code: 200
+    validate_certs: false
   register: result
   until: result.status == 200
   retries: 10

bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2

@@ -111,7 +111,7 @@ spec:
       containers:
       - name: gogs
         imagePullPolicy: Always
-        image: quay.io/rcarrata/gogs:stable
+        image: quay.io/allenfouladi/gogs:stable
         ports:
         - containerPort: 3000
           protocol: TCP
@@ -179,7 +179,15 @@ metadata:
   namespace: cicd
 spec:
   to:
+    kind: Service
     name: gogs
+    weight: 100
+  port:
+    targetPort: 3000-tcp
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Allow
+  wildcardPolicy: None
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1

bootstrap/roles/ocp4-install-cicd/templates/cicd-reports-repo.yaml.j2

@@ -33,7 +33,7 @@ spec:
         volumeMounts:
         - mountPath: /fileuploads
           name: staticfiles
-      - image: quay.io/siamaksade/nginx:latest
+      - image: quay.io/allenfouladi/nginx:latest
         name: nginx
         ports:
         - containerPort: 8080

bootstrap/roles/ocp4-install-gitops/tasks/gitops.yaml

@@ -53,35 +53,39 @@
     state: present
     definition: "{{ lookup('template', 'subs-pipelines.yml.j2') }}"
 
-- name: Adapt to the openshift_cluster_version LESS than 4.9
-  when: ocp4_cluster_version is version_compare('4.9', '<')
-  block:
-
-  - name: Wait for Pipelines CRD to exist
-    kubernetes.core.k8s_info:
-      api_version: "apiextensions.k8s.io/v1beta1"
-      kind: CustomResourceDefinition
-      name: "{{ item }}"
-    loop: "{{ pipelines_expected_crds }}"
-    register: crds
-    until: crds.resources|length > 0
-    retries: 30
-    delay: 10
-
-- name: Adapt to the openshift_cluster_version MORE than 4.9
-  when: ocp4_cluster_version is version_compare('4.9', '>=')
-  block:
-
-  - name: Wait for Pipelines CRD to exist
-    kubernetes.core.k8s_info:
-      api_version: "apiextensions.k8s.io/v1"
-      kind: CustomResourceDefinition
-      name: "{{ item }}"
-    loop: "{{ pipelines_expected_crds }}"
-    register: crds
-    until: crds.resources|length > 0
-    retries: 30
-    delay: 10
+# - name: Adapt to the openshift_cluster_version LESS than 4.9
+#   when: ocp4_cluster_version is version_compare('4.9', '<')
+#   block:
+
+#   - name: Wait for Pipelines CRD to exist
+#     kubernetes.core.k8s_info:
+#       api_version: "apiextensions.k8s.io/v1beta1"
+#       kind: CustomResourceDefinition
+#       name: "{{ item }}"
+#     loop: "{{ pipelines_expected_crds }}"
+#     register: crds
+#     until: crds.resources|length > 0
+#     retries: 30
+#     delay: 10
+
+# - name: Adapt to the openshift_cluster_version MORE than 4.9
+#   when: ocp4_cluster_version is version_compare('4.9', '>=')
+#   block:
+
+#   - name: Wait for Pipelines CRD to exist
+#     kubernetes.core.k8s_info:
+#       api_version: "apiextensions.k8s.io/v1"
+#       kind: CustomResourceDefinition
+#       name: "{{ item }}"
+#     loop: "{{ pipelines_expected_crds }}"
+#     register: crds
+#     until: crds.resources|length > 0
+#     retries: 30
+#     delay: 10
+
+- name: Wait for Pipelines Operator to be up and running
+  pause:
+    minutes: 1
 
 - name: Add ClusterRoleBinding to the openshift-gitops-controller
   kubernetes.core.k8s:
@@ -96,10 +100,6 @@
 - name: Patch the CM of Openshift GitOps to add role admin by default
   command: oc patch cm/argocd-rbac-cm -n openshift-gitops --type=merge -p '{"data":{"policy.default":"role:admin"}}'
 
-- name: Add SSO Keycloak in Openshift GitOps by default
-  shell: |
-    oc -n openshift-gitops patch argocd openshift-gitops --type='json' -p='[{"op": "add", "path": "/spec/sso", "value": {"provider": "keycloak"} }]'
-
 - name: Get ArgoCD route
   kubernetes.core.k8s_info:
     kind: Route

bootstrap/roles/ocp4-install-gitops/templates/gitops-argocd.yaml.j2

@@ -34,7 +34,9 @@ spec:
       enabled: false
   initialSSHKnownHosts: {}
   sso:
-    provider: keycloak
+    provider: dex
+    dex:
+      openShiftOAuth: true
   applicationSet:
     resources:
       limits:
@@ -55,8 +57,6 @@ spec:
       kinds:
       - TaskRun
       - PipelineRun
-  dex:
-    openShiftOAuth: true
   ha:
     enabled: false
     resources:

bootstrap/roles/ocp4-install-gitops/templates/subs-gitops.yml.j2

@@ -4,7 +4,7 @@ metadata:
   name: openshift-gitops-operator
   namespace: openshift-operators
 spec:
-  channel: stable
+  channel: latest
   installPlanApproval: Automatic
   name: openshift-gitops-operator
   source: redhat-operators

bootstrap/roles/ocp4-install-noobaa/tasks/noobaa-create.yaml

@@ -76,7 +76,7 @@
   shell: |
     oc get noobaas.noobaa.io/noobaa -n openshift-storage -o jsonpath='{.status.phase}'
   register: noobaa_status
-  retries: 10
+  retries: 20
   delay: 20
   until:
     - noobaa_status.stdout == "Ready"
@@ -114,7 +114,7 @@
   shell: |
     oc get BackingStore/"{{ backing_store_name }}" -n openshift-storage -o jsonpath='{.status.phase}'
   register: backing_store
-  retries: 10
+  retries: 20
   delay: 20
   until:
     - backing_store.stdout == "Ready"

bootstrap/roles/ocp4-install-pipelines/tasks/pipelines.yaml

@@ -14,6 +14,8 @@
   - ./templates/task-rox-image-check.yaml.j2
   - ./templates/task-s2i-java-11.yaml.j2
   - ./templates/task-zap-proxy.yaml.j2
+  - ./templates/task-syft-sbom.yaml.j2
+  - ./templates/task-signing-sbom.yaml.j2
 
 - name: Create OpenShift Objects for Openshift Pipeline Triggers
   k8s:

bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-dev.yaml.j2

@@ -8,15 +8,15 @@ spec:
     - name: APP_SOURCE_GIT
       type: string
       description: The application git repository
-      default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic
+      default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic
     - name: APP_SOURCE_REVISION
       type: string
       description: The application git revision
       default: master
     - name: APP_MANIFESTS_GIT
       type: string
       description: The application manifests git repository
-      default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config
+      default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config
     - name: APP_IMAGE_TAG
       type: string
       default: latest

bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-stage.yaml.j2

@@ -8,15 +8,15 @@ spec:
     - name: APP_SOURCE_GIT
       type: string
       description: The application git repository
-      default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic
+      default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic
     - name: APP_SOURCE_REVISION
       type: string
       description: The application git revision
       default: master
     - name: APP_MANIFESTS_GIT
       type: string
       description: The application manifests git repository
-      default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config
+      default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config
     - name: APP_IMAGE_TAG
       type: string
       default: latest

bootstrap/roles/ocp4-install-pipelines/templates/task-git-update-deployment.yaml.j2

@@ -67,7 +67,7 @@ spec:
         # git commit -m "[$(context.pipelineRun.name)] Image digest updated"
         git commit -m "[ci] Image digest updated"
 
-        git remote add auth-origin $(echo $(params.GIT_REPOSITORY) | sed -E "s#http://(.*)#http://$(params.GIT_USERNAME):$(params.GIT_PASSWORD)@\1#g")
+        git remote add auth-origin $(echo $(params.GIT_REPOSITORY) | sed -E "s#https://(.*)#https://$(params.GIT_USERNAME):$(params.GIT_PASSWORD)@\1#g")
         git push auth-origin master
 
         RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')"

bootstrap/roles/ocp4-install-pipelines/templates/task-s2i-java-11.yaml.j2

@@ -109,6 +109,10 @@ spec:
         registry.redhat.io/rhel8/buildah@sha256:180c4d9849b6ab0e5465d30d4f3a77765cf0d852ca1cb1efb59d6e8c9f90d467
       name: build
       resources: {}
+      securityContext:
+        capabilities:
+          add:
+            - SETFCAP
       volumeMounts:
         - mountPath: /var/lib/containers
           name: varlibcontainers
@@ -127,6 +131,10 @@ spec:
       image: registry.redhat.io/rhel8/buildah@sha256:180c4d9849b6ab0e5465d30d4f3a77765cf0d852ca1cb1efb59d6e8c9f90d467
       name: push-tag
       resources: {}
+      securityContext:
+        capabilities:
+          add:
+            - SETFCAP
       volumeMounts:
         - mountPath: /var/lib/containers
           name: varlibcontainers
@@ -142,6 +150,10 @@ spec:
       image: registry.redhat.io/rhel8/buildah@sha256:180c4d9849b6ab0e5465d30d4f3a77765cf0d852ca1cb1efb59d6e8c9f90d467
       name: push-latest
       resources: {}
+      securityContext:
+        capabilities:
+          add:
+            - SETFCAP
       volumeMounts:
         - mountPath: /var/lib/containers
           name: varlibcontainers