diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/README.md b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/README.md new file mode 100644 index 00000000000..6f41d194173 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed) . diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/defaults/main.yml b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/defaults/main.yml new file mode 100644 index 00000000000..e46cc439453 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/defaults/main.yml @@ -0,0 +1,22 @@ +--- +# defaults file for ocp4_workload_multicluster_devsecops_demo + +ocp4_username: admin + +ocp4_workload_multicluster_devsecops_validated_pattern_sonarqube_namespace: sonarqube +ocp4_workload_multicluster_devsecops_validated_pattern_ci_namespace: ci + +ocp4_workload_multicluster_devsecops_validated_pattern_docker_username: quayadmin +ocp4_workload_multicluster_devsecops_validated_pattern_docker_password: "{{ common_password }}" + +ocp4_workload_multicluster_devsecops_validated_pattern_stackrox_namespace: stackrox + +ocp4_workload_multicluster_devsecops_validated_pattern_cosign_password: 123 + +ocp4_workload_multicluster_devsecops_validated_pattern_dev_cluster: aws-dev-cluster + +ocp4_workload_multicluster_devsecops_validated_pattern_inform_only_policies: +- Fixable Severity at least Important + +ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username: dev-user +ocp4_workload_multicluster_devsecops_validated_pattern_gitea_password: openshift \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/files/cosign.key b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/files/cosign.key new file mode 100644 index 00000000000..c3d7394eb7e --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/files/cosign.key @@ -0,0 +1,11 @@ +-----BEGIN ENCRYPTED COSIGN PRIVATE KEY----- +eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6 +OCwicCI6MX0sInNhbHQiOiJKQ2pKVGpGVzVxUGNBWDBmN2hQM1l2b09WNlBMWXVU +V1B2OWNIenk1TEFBPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94 +Iiwibm9uY2UiOiJURjEwUXpQMjN0NkNLVWx6dmtxUmNxZ0ZaNjF6UlFXbSJ9LCJj +aXBoZXJ0ZXh0IjoicGdwampyZ0J4T05mSGpPR29YM3hTZU8xRC9ma3FmaDdCRXBV +QjNpcU1kQ1U4OUk4dU9FMVR5aXpJbmlEM25Ub2cvKzEza2ozRTlzNFIxeGtLTnhN +S1dVVnBXd1cxV3JGcEc2TEZQVXNLQU9EdFd3YTNQL0FNNjZEOUQyMUFDT2REZURl +U0NIYXZVZld4ODdQRm0zeDN5bXZHNmNIVm0rVDk5Rnd4QzFrMmVya0x6TzdwY2J5 +TDhRSGdDeE9xa29BeVh5bWpkRjM5N3dPTWc9PSJ9 +-----END ENCRYPTED COSIGN PRIVATE KEY----- \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/files/cosign.pub b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/files/cosign.pub new file mode 100644 index 00000000000..9781ef8ed44 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/files/cosign.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVgNgC/bFhzWarqL9biuznN33R5Ux +SBWSt9QHq90CdfodBsrmINdA7dgYKYChHJB/CrYPLm/H7b9U5Ul/DP7Mnw== +-----END PUBLIC KEY----- \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/handlers/main.yml b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/handlers/main.yml new file mode 100644 index 00000000000..b91c9d45188 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for ocp4_workload_multicluster_devsecops_demo \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/meta/main.yml b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/meta/main.yml new file mode 100644 index 00000000000..4954a8d903a --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.9 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/fetch_and_apply_template.yml b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/fetch_and_apply_template.yml new file mode 100644 index 00000000000..6f7d769e73c --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/fetch_and_apply_template.yml @@ -0,0 +1,13 @@ +--- +- name: Fetch template from remote host + run_once: true + fetch: + src: "{{ _folder }}/{{ item }}" + dest: /tmp/{{ item }} + flat: yes + fail_on_missing: yes + +- name: Apply template + ansible.builtin.template: + src: /tmp/{{ item }} + dest: "{{ _folder }}/{{ item }}" \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/inform_only_policy_tasks.yml b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/inform_only_policy_tasks.yml new file mode 100644 index 00000000000..a4c5434d044 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/inform_only_policy_tasks.yml @@ -0,0 +1,40 @@ +- name: Get "{{ item }}" policy + set_fact: + policy_id: "{{ r_policies|json_query('json.policies[?name == `{}`]|[0].id'.format(item)) }}" + +- name: Get Stackrox policy {{ policy_id }} + uri: + url: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_centeral_stackrox_url }}/v1/policies/{{ policy_id }}" + user: admin + password: "{{ common_password }}" + method: GET + force_basic_auth: true + validate_certs: false + body_format: json + headers: + Content-Type: application/json + register: r_policy + +- name: Read into fact + ansible.builtin.set_fact: + policy_fact: "{{ r_policy.json }}" + +- name: Update the fact to remove enforcement actions + ansible.utils.update_fact: + updates: + - path: policy_fact.enforcementActions + value: [] + register: updated_policy + +- name: Update Stackrox Policy {{ policy_id }} + uri: + url: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_centeral_stackrox_url }}/v1/policies/{{ policy_id }}" + user: admin + password: "{{ common_password }}" + method: PUT + force_basic_auth: true + validate_certs: false + body_format: json + headers: + Content-Type: application/json + body: "{{ updated_policy.policy_fact }}" diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/main.yml b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/main.yml new file mode 100644 index 00000000000..03a4801b4c7 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/main.yml @@ -0,0 +1,30 @@ +--- +# Do not modify this file + +- name: Running Pre Workload Tasks + include_tasks: + file: ./pre_workload.yml + apply: + become: "{{ become_override | bool }}" + when: ACTION == "create" or ACTION == "provision" + +- name: Running Workload Tasks + include_tasks: + file: ./workload.yml + apply: + become: "{{ become_override | bool }}" + when: ACTION == "create" or ACTION == "provision" + +- name: Running Post Workload Tasks + include_tasks: + file: ./post_workload.yml + apply: + become: "{{ become_override | bool }}" + when: ACTION == "create" or ACTION == "provision" + +- name: Running Workload removal Tasks + include_tasks: + file: ./remove_workload.yml + apply: + become: "{{ become_override | bool }}" + when: ACTION == "destroy" or ACTION == "remove" diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/post_workload.yml b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/post_workload.yml new file mode 100644 index 00000000000..3130ed9b007 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/post_workload.yml @@ -0,0 +1,27 @@ +--- +# Implement your Post Workload deployment tasks here +# -------------------------------------------------- + + +# Leave these as the last tasks in the playbook +# --------------------------------------------- + +# For deployment onto a dedicated cluster (as part of the +# cluster deployment) set workload_shared_deployment to False +# This is the default so it does not have to be set explicitely +- name: post_workload tasks complete + debug: + msg: "Post-Workload tasks completed successfully." + when: + - not silent | bool + - not workload_shared_deployment | default(false) | bool + +# For RHPDS deployment (onto a shared cluster) set +# workload_shared_deployment to True +# (in the deploy script or AgnosticV configuration) +- name: post_workload tasks complete + debug: + msg: "Post-Software checks completed successfully" + when: + - not silent | bool + - workload_shared_deployment | default(false) | bool diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/pre_workload.yml b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/pre_workload.yml new file mode 100644 index 00000000000..4877d859b34 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/pre_workload.yml @@ -0,0 +1,46 @@ +--- +# Implement your Pre Workload deployment tasks here +# ------------------------------------------------- + + +# Leave these as the last tasks in the playbook +# --------------------------------------------- + +# For deployment onto a dedicated cluster (as part of the +# cluster deployment) set workload_shared_deployment to False +# This is the default so it does not have to be set explicitely +- name: pre_workload tasks complete + debug: + msg: "Pre-Workload tasks completed successfully." + when: + - not silent | bool + - not workload_shared_deployment | default(false) | bool + +- name: Get the openshift console route + kubernetes.core.k8s_info: + api_version: route.openshift.io/v1 + kind: Route + namespace: openshift-console + field_selectors: + - spec.to.name=console + register: r_dc + until: + - r_dc is defined + - r_dc.resources is defined + - r_dc.resources | list | length > 0 + retries: 60 + delay: 15 + +- name: Get the subdomain using the openshift console url + set_fact: + _ocp4_workload_multicluster_devsecops_validated_pattern_ocp_apps_domain: "{{ r_dc.resources[0].spec.host | regex_search('(?<=\\.).*') }}" + +# For RHPDS deployment (onto a shared cluster) set +# workload_shared_deployment to True +# (in the deploy script or AgnosticV configuration) +- name: pre_workload tasks complete + debug: + msg: "Pre-Software checks completed successfully" + when: + - not silent | bool + - workload_shared_deployment | default(false) | bool diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/remove_workload.yml b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/remove_workload.yml new file mode 100644 index 00000000000..1a0a1b33691 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/remove_workload.yml @@ -0,0 +1,85 @@ +--- +# Implement your workload removal tasks here +# ------------------------------------------ + +# Cleanup +# Delete VMs in RHEV +# Delete User in RHEV + +- name: Delete RHEV resources + environment: + OVIRT_URL: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_url }}" + OVIRT_USERNAME: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_admin_user_name }}" + OVIRT_PASSWORD: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_admin_user_password }}" + block: + - name: Delete Tomcat VM + when: ocp4_workload_multicluster_devsecops_validated_pattern_tomcat_vm_setup | bool + ovirt.ovirt.ovirt_vm: + auth: + insecure: true + state: absent + name: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_tomcat_vm_name }}" + cluster: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_vm_cluster }}" + + - name: Delete Oracle VM + when: ocp4_workload_multicluster_devsecops_validated_pattern_oracle_vm_setup | bool + ovirt.ovirt.ovirt_vm: + auth: + insecure: true + state: absent + name: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_oracle_vm_name }}" + cluster: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_vm_cluster }}" + + - name: Make sure user doesn't exist + ovirt.ovirt.ovirt_user: + auth: + insecure: true + state: absent + name: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_user_name }}" + authz_name: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_user_domain }}" + namespace: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_user_namespace }}" + + - name: Write private key for root account on RHEV to /tmp/rhev.pem + delegate_to: localhost + ansible.builtin.copy: + content: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_root_private_key }}" + dest: /tmp/rhev.pem + mode: 0600 + + - name: Add RHEV host to inventory + ansible.builtin.add_host: + groupname: rhevhosts + name: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_host }}" + ansible_ssh_host: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_host }}" + ansible_ssh_user: root + ansible_ssh_private_key_file: /tmp/rhev.pem + +- name: Remove user in RHEV Identity Management + delegate_to: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_host }}" + vars: + ansible_ssh_user: root + ansible_ssh_private_key_file: /tmp/rhev.pem + block: + - name: Remove RHEV IM user + ansible.builtin.include_tasks: rhev-remove-im-user.yml + +- name: Remove private key + delegate_to: localhost + ansible.builtin.file: + state: absent + path: /tmp/rhev.pem + +- name: Delete demo namespaces + kubernetes.core.k8s: + state: absent + definition: "{{ lookup('template', item ) | from_yaml }}" + loop: + - cicd/namespace-pipeline.yaml.j2 + - cicd/namespace-demo.yaml.j2 + +# Leave this as the last task in the playbook. +# -------------------------------------------- +- name: remove_workload tasks complete + debug: + msg: "Remove Workload tasks completed successfully." + when: not silent|bool diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/sonarqube_create_resources.yml b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/sonarqube_create_resources.yml new file mode 100644 index 00000000000..fee2b0c5699 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/sonarqube_create_resources.yml @@ -0,0 +1,65 @@ +--- +- name: Get sonarqube route + k8s_info: + api_version: route.openshift.io/v1 + kind: Route + namespace: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_sonarqube_namespace }}" + name: sonarqube + register: r_route + +- name: Set sonarqube host url + set_fact: + _ocp4_workload_multicluster_devsecops_validated_pattern_sonarqube_host_url: https://{{ r_route.resources[0].spec.host }} + +- name: Does inventory already exist in sonarqube? + uri: + url: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_sonarqube_host_url }}/api/projects/search?projects=inventory" # yamllint disable-line rule:line-length + user: admin + password: "{{ common_password }}" + method: GET + body_format: json + headers: + Content-Type: application/json + force_basic_auth: true + validate_certs: false + register: _projects_list + +- name: Create Inventory if necessary + when: _projects_list.json.components[0] is not defined + block: + + - name: Create inventory project + uri: + url: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_sonarqube_host_url }}/api/projects/create?name=inventory&project=inventory" # yamllint disable-line rule:line-length + user: admin + password: "{{ common_password }}" + method: POST + body_format: json + headers: + Content-Type: application/json + force_basic_auth: true + validate_certs: false + register: result + ignore_errors: true + + - name: Create inventory project token + uri: + url: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_sonarqube_host_url }}/api/user_tokens/generate?name=inventory_token&type=PROJECT_ANALYSIS_TOKEN&projectKey=inventory" # yamllint disable-line rule:line-length + user: admin + password: "{{ common_password }}" + method: POST + headers: + Content-Type: application/json + force_basic_auth: true + validate_certs: false + register: r_uri + ignore_errors: true + + - name: Set sonarqube project token + set_fact: + _ocp4_workload_multicluster_devsecops_validated_pattern_sonarqube_inventory_project_token: "{{ r_uri.json.token }}" + + - name: Create sonarqube inventory secret + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', 'secret-sonarqube-project.yml.j2' ) | from_yaml }}" diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/stackrox_create_secrets.yml b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/stackrox_create_secrets.yml new file mode 100644 index 00000000000..9a82757f64d --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/stackrox_create_secrets.yml @@ -0,0 +1,174 @@ +--- +- name: Get stackrox route + k8s_info: + api_version: route.openshift.io/v1 + kind: Route + namespace: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_stackrox_namespace }}" + name: central + register: r_route + +- name: Set stackrox endpoint and url + set_fact: + _ocp4_workload_multicluster_devsecops_validated_pattern_central_stackrox_endpoint: "{{ r_route.resources[0].spec.host }}:443" # yamllint disable-line rule:line-length + _ocp4_workload_multicluster_devsecops_validated_pattern_centeral_stackrox_url: https://{{ r_route.resources[0].spec.host }} # yamllint disable-line rule:line-length + +- name: Create stackrox token + uri: + url: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_centeral_stackrox_url }}/v1/apitokens/generate" + user: admin + password: "{{ common_password }}" + method: POST + force_basic_auth: true + validate_certs: false + body_format: json + headers: + Content-Type: application/json + body: {"name":"admin", "role":"Admin"} + register: r_uri + +- name: Set stackrox token + set_fact: + _ocp4_workload_multicluster_devsecops_validated_pattern_central_stackrox_token: "{{ r_uri.json.token }}" + +- name: Create secret (token) + k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + metadata: + name: stackrox-secret + namespace: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_ci_namespace }}" + type: Opaque + data: + rox_api_token: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_central_stackrox_token | string | b64encode }}" + +- name: Create secret (endpoint) + k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + metadata: + name: stackrox-endpoint + namespace: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_ci_namespace }}" + type: Opaque + data: + rox_central_endpoint: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_central_stackrox_endpoint | string | b64encode }}" + +- name: Stackrox imagestream integration - add registry integration + uri: + url: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_centeral_stackrox_url }}/v1/imageintegrations" + user: admin + password: "{{ common_password }}" + method: POST + force_basic_auth: true + validate_certs: false + body_format: json + headers: + Content-Type: application/json + body: >- + { + "name": "registry-admin-{{ guid }}", + "type": "docker", + "categories": ["REGISTRY"], + "docker": { + "endpoint": "{{ ocp4_workload_multicluster_devsecops_validated_pattern_docker_registry }}", + "username": "{{ ocp4_workload_multicluster_devsecops_validated_pattern_docker_username }}", + "password": "{{ ocp4_workload_multicluster_devsecops_validated_pattern_docker_password }}", + "insecure": true + }, + "skipTestIntegration": false + } + +- name: Read cosign public key + set_fact: + _ocp4_workload_multicluster_devsecops_validated_pattern_cosign_pub: "{{ lookup('file', 'files/cosign.pub') | replace('\n', '\\n') }}" + +- name: Stackrox imagestream integration - add signature integration + uri: + url: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_centeral_stackrox_url }}/v1/signatureintegrations" + user: admin + password: "{{ common_password }}" + method: POST + force_basic_auth: true + validate_certs: false + body_format: json + headers: + Content-Type: application/json + body: >- + { + "name": "cosign", + "cosign": { + "publicKeys": [ + { + "name": "cosign.pub", + "publicKeyPemEnc": "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_cosign_pub }}" + } + ] + } + } + ignore_errors: true + register: r_integration_response + +- name: Set integration id + set_fact: + _signature_integration_id: "{{ r_integration_response.json.id }}" + + +- name: Get Clusters + uri: + url: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_centeral_stackrox_url }}/v1/clusters" + user: admin + password: "{{ common_password }}" + method: GET + force_basic_auth: true + validate_certs: false + body_format: json + headers: + Content-Type: application/json + register: r_cluster_response + +- name: Set cluster id + set_fact: + _cluster_id: "{{ selected[0].id }}" + vars: + selected: >- + {{ + r_cluster_response.json.clusters | json_query("[?name=='aws_dev_cluster']") + }} + +- name: Read policy payload + set_fact: + _ocp4_workload_multicluster_devsecops_validated_pattern_signature_policy: "{{ lookup('template', 'templates/acs-signature-policy.json.j2', convert_data=False) | string }}" # yamllint disable-line rule:line-length + +- name: Create stackrox image signature policy + uri: + url: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_centeral_stackrox_url }}/v1/policies" + user: admin + password: "{{ common_password }}" + method: POST + force_basic_auth: true + validate_certs: false + body_format: json + headers: + Content-Type: application/json + body: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_signature_policy }}" + ignore_errors: true + +- name: Get Stackrox policies + uri: + url: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_centeral_stackrox_url }}/v1/policies" + user: admin + password: "{{ common_password }}" + method: GET + force_basic_auth: true + validate_certs: false + body_format: json + headers: + Content-Type: application/json + register: r_policies + +- name: Inform only policies + include_tasks: inform_only_policy_tasks.yml + loop: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_inform_only_policies }}" diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/update_devsecops_repository.yaml b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/update_devsecops_repository.yaml new file mode 100644 index 00000000000..724e582db24 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/update_devsecops_repository.yaml @@ -0,0 +1,88 @@ +--- + +- name: Set internal facts + set_fact: + _internal_image_repo: >- + {{ ocp4_workload_multicluster_devsecops_validated_pattern_docker_registry }}/{{ + ocp4_workload_multicluster_devsecops_validated_pattern_docker_username }}/inventory + _internal_manifest_repo: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_repo_devsecops_url }}" + _internal_manifest_repo_name: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username }}/multicluster-devsecops-pattern" + _internal_manifest_file_dev: gitops/inventory/overlays/dev/kustomization.yaml + _internal_manifest_file_prod: gitops/inventory/overlays/prod/kustomization.yaml + _internal_manifest_file_fail: gitops/inventory/overlays/fail/kustomization.yaml + _internal_git_repo_host: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_hostname }}" + _internal_sonarqube_host_url: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_sonarqube_host_url }}" + _internal_ci_namespace: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_ci_namespace }}" + _internal_webhook_secret_key: "{{ common_password }}" + _internal_gitea_token: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_token }}" + +- name: Base64 encode basic auth + set_fact: + _internal_docker_registry: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_docker_registry }}" + _internal_docker_registry_username: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_docker_username }}" + _internal_docker_registry_password: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_docker_password }}" + _internal_docker_registry_auth: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_docker_username }}:{{ ocp4_workload_multicluster_devsecops_validated_pattern_docker_password }}" # yamllint disable-line rule:line-length + +- name: Set docker config json + set_fact: + _internal_docker_config: "{{ lookup('template', 'templates/docker-config.json.j2') | to_nice_json | b64encode }}" + +- name: Base64 encode basic auth + set_fact: + _internal_cosign_key: "{{ lookup('file', 'files/cosign.key') | b64encode }}" + _internal_cosign_password: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_cosign_password | b64encode }}" + _internal_cosign_pub: "{{ lookup('file', 'files/cosign.pub') | b64encode }}" + +- name: Clone application source code + block: + - name: Clone config repository + ansible.builtin.git: + accept_hostkey: true + force: true + repo: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_repo_devsecops_url }}" + dest: "~/multicluster-devsecops-pattern" + version: main + environment: + GIT_SSL_NO_VERIFY: "true" + +- name: Fetch template from remote host + include_tasks: fetch_and_apply_template.yml + loop: + - binding-inventory.yaml + - binding-inventory-unsigned.yaml + - secret-webhook-secret-inventory.yaml + - secret-image-registry-secret.yaml + - secret-cosign-secret.yaml + - secret-gitea-token.yaml + - kustomization.yaml + vars: + _folder: /home/ec2-user/multicluster-devsecops-pattern/config/pipeline/inventory + +- name: Fetch template from remote host + include_tasks: fetch_and_apply_template.yml + loop: + - image-registry-secret.yaml + vars: + _folder: /home/ec2-user/multicluster-devsecops-pattern/gitops/inventory/base + +- name: Add new files to the repository + command: + chdir: >- + /home/ec2-user/multicluster-devsecops-pattern + cmd: "git add ." + ignore_errors: true + +- name: Commit changes to the repository + command: + chdir: >- + /home/ec2-user/multicluster-devsecops-pattern + cmd: >- + git commit -a -m 'Updates for starting scenario.' + ignore_errors: true + +- name: Push all changes back to the project repository + command: + chdir: >- + /home/ec2-user/multicluster-devsecops-pattern + cmd: >- + git push {{ _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_repo_devsecops_url }} \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/update_gitea_requirements.yaml b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/update_gitea_requirements.yaml new file mode 100644 index 00000000000..4da53f316f6 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/update_gitea_requirements.yaml @@ -0,0 +1,85 @@ +--- +# Register Event Listener in Gitea +- name: Get current inventory web hooks + uri: + url: >- + {{ _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_route_url }}/api/v1/repos/{{ + ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username }}/inventory/hooks + user: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username }}" + password: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_gitea_password }}" + method: GET + force_basic_auth: true + validate_certs: false + register: r_webhook + +- name: Delete existing inventory web hooks + when: r_webhook.x_total_count | int > 0 + uri: + url: >- + {{ _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_route_url }}/api/v1/repos/{{ + ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username }}/inventory/hooks/{{ item.id }} + user: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username }}" + password: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_gitea_password }}" + force_basic_auth: true + method: DELETE + status_code: 204 + validate_certs: false + loop: "{{ r_webhook.json }}" + loop_control: + label: "{{ item.id }}" + +- name: Register web hook in inventory repository + uri: + url: >- + {{ _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_route_url }}/api/v1/repos/{{ + ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username }}/inventory/hooks + user: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username }}" + password: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_gitea_password }}" + method: POST + validate_certs: false + force_basic_auth: true + status_code: 201 + body_format: json + body: + type: gitea + config: + url: "http://gitops-webhook-event-listener-route-{{ ocp4_workload_multicluster_devsecops_validated_pattern_ci_namespace }}.{{ _ocp4_workload_multicluster_devsecops_validated_pattern_ocp_apps_domain }}" # yamllint disable-line rule:line-length + content_type: json + secret: "{{ common_password }}" + events: + - push + active: true + +- name: Delete existing Gitea token if it exists + ansible.builtin.uri: + url: >- + {{ _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_route_url }}/api/v1/users/{{ + ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username}}/tokens/inventory + method: DELETE + status_code: [204, 404, 422] + user: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username }}" + password: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_gitea_password }}" + force_basic_auth: true + validate_certs: false + +- name: Set up a Gitea token + ansible.builtin.uri: + url: >- + {{ _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_route_url}}/api/v1/users/{{ + ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username }}/tokens + method: POST + body: "{{ body }}" + body_format: json + status_code: 201 + user: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username }}" + password: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_gitea_password }}" + force_basic_auth: true + validate_certs: false + vars: + body: + name: inventory + register: r_gitea_token + +- name: Set Gitea token variable + set_fact: + _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_token: "{{ r_gitea_token.json.sha1 }}" \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/workload.yml b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/workload.yml new file mode 100644 index 00000000000..c7dd1ea437f --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/workload.yml @@ -0,0 +1,74 @@ +--- +- name: Setting up workload for user + debug: + msg: "Setting up workload for user = {{ ocp4_username }}" + +- name: Set up namespace + k8s: + state: present + definition: "{{ lookup('template', 'namespace-ci.yml.j2' ) | from_yaml }}" + +- name: Retrieve Quay instance + kubernetes.core.k8s_info: + kind: Route + name: quay-quay + namespace: quay-enterprise + register: r_quay + retries: 60 + delay: 5 + until: r_quay.resources | length > 0 + +- name: Set docker registry + set_fact: + ocp4_workload_multicluster_devsecops_validated_pattern_docker_registry: "{{ r_quay.resources[0].spec.host }}" + +- name: Create Sonarqube and Stackrox resources + include_tasks: "{{ item }}" + loop: + - sonarqube_create_resources.yml + - stackrox_create_secrets.yml + +- name: Retrieve Gitea instance + kubernetes.core.k8s_info: + api_version: gpte.opentlc.com/v1 + kind: Gitea + name: gitea + namespace: gitea + register: r_gitea + +- name: Set Gitea repo variables + set_fact: + _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_hostname: >- + {{ r_gitea.resources[0].status.giteaHostname }} + _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_route_url: >- + {{ r_gitea.resources[0].status.giteaRoute }} + _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_repo_inventory_url: >- + {{ r_gitea.resources[0].spec.giteaSsl | bool | ternary( 'https', 'http' ) }}://{{ + ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username | urlencode }}:{{ + ocp4_workload_multicluster_devsecops_validated_pattern_gitea_password | urlencode }}@{{ + r_gitea.resources[0].status.giteaHostname }}/{{ + ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username }}/inventory + _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_repo_devsecops_url: >- + {{ r_gitea.resources[0].spec.giteaSsl | bool | ternary( 'https', 'http' ) }}://{{ + ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username | urlencode }}:{{ + ocp4_workload_multicluster_devsecops_validated_pattern_gitea_password | urlencode }}@{{ + r_gitea.resources[0].status.giteaHostname }}/{{ + ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username }}/multicluster-devsecops-pattern + +- name: Register webhook and token in Gitea and Update devsecops repository + include_tasks: "{{ item }}" + loop: + - update_gitea_requirements.yaml + - update_devsecops_repository.yaml + +- name: Set up inventory pipeline application + k8s: + state: present + definition: "{{ lookup('template', 'templates/application-app-inventory-pipeline.yml.j2' ) | from_yaml }}" + +# Leave this as the last task in the playbook. +# -------------------------------------------- +- name: workload tasks complete + debug: + msg: "Workload Tasks completed successfully." + when: not silent | bool diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/acs-signature-policy.json.j2 b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/acs-signature-policy.json.j2 new file mode 100644 index 00000000000..1dd7e663d29 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/acs-signature-policy.json.j2 @@ -0,0 +1,69 @@ +{ + "name": "Trusted Signature Policy", + "description": "", + "rationale": "", + "remediation": "", + "disabled": false, + "categories": [ + "Security Best Practices" + ], + "lifecycleStages": [ + "BUILD", + "DEPLOY" + ], + "eventSource": "NOT_APPLICABLE", + "exclusions": [ + { + "name": "", + "deployment": { + "name": "inventory-database", + "scope": { + "cluster": "{{ _cluster_id }}", + "namespace": "coolstore", + "label": null + } + }, + "image": null, + "expiration": null + } + ], + "scope": [ + { + "cluster": "{{ _cluster_id }}", + "namespace": "coolstore", + "label": null + } + ], + "severity": "HIGH_SEVERITY", + "enforcementActions": [ + "FAIL_BUILD_ENFORCEMENT", + "SCALE_TO_ZERO_ENFORCEMENT", + "UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT" + ], + "notifiers": [], + "SORTName": "Trusted Signature Policy", + "SORTLifecycleStage": "BUILD,DEPLOY", + "SORTEnforcement": true, + "policyVersion": "1.1", + "policySections": [ + { + "sectionName": "Policy Section 1", + "policyGroups": [ + { + "fieldName": "Image Signature Verified By", + "booleanOperator": "OR", + "negate": false, + "values": [ + { + "value": "{{ _signature_integration_id }}" + } + ] + } + ] + } + ], + "mitreAttackVectors": [], + "criteriaLocked": false, + "mitreVectorsLocked": false, + "isDefault": false +} \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/application-app-inventory-pipeline.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/application-app-inventory-pipeline.yml.j2 new file mode 100644 index 00000000000..203d2472b88 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/application-app-inventory-pipeline.yml.j2 @@ -0,0 +1,23 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: app-inventory-pipeline + namespace: openshift-gitops +spec: + destination: + namespace: {{ ocp4_workload_multicluster_devsecops_validated_pattern_ci_namespace }} + server: 'https://kubernetes.default.svc' + project: default + source: + path: config/pipeline/inventory + repoURL: >- + {{ _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_repo_devsecops_url }} + targetRevision: HEAD + syncPolicy: + automated: {} + syncOptions: + - RespectIgnoreDifferences=true + ignoreDifferences: + - kind: "ServiceAccount" + jsonPointers: + - /imagePullSecrets \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/application-app-inventory-unsigned.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/application-app-inventory-unsigned.yml.j2 new file mode 100644 index 00000000000..e0266e3ae1a --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/application-app-inventory-unsigned.yml.j2 @@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: inventory-unsigned-app + namespace: openshift-gitops +spec: + destination: + namespace: coolstore + server: 'https://kubernetes.default.svc' + project: default + source: + path: gitops/inventory/overlays/fail + repoURL: >- + {{ _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_repo_devsecops_url }} + targetRevision: HEAD + syncPolicy: + automated: {} + syncOptions: + - CreateNamespace=true \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/application-app-inventory.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/application-app-inventory.yml.j2 new file mode 100644 index 00000000000..53976a1d813 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/application-app-inventory.yml.j2 @@ -0,0 +1,19 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: inventory-app + namespace: openshift-gitops +spec: + destination: + namespace: coolstore + server: 'https://kubernetes.default.svc' + project: default + source: + path: gitops/inventory/overlays/dev + repoURL: >- + {{ _ocp4_workload_multicluster_devsecops_validated_pattern_gitea_repo_devsecops_url }} + targetRevision: HEAD + syncPolicy: + automated: {} + syncOptions: + - CreateNamespace=true \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/docker-config.json.j2 b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/docker-config.json.j2 new file mode 100644 index 00000000000..4bb8e496019 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/docker-config.json.j2 @@ -0,0 +1,9 @@ +{ + "auths":{ + "{{ _internal_docker_registry }}":{ + "username": "{{ _internal_docker_registry_username }}", + "password": "{{ _internal_docker_registry_password }}", + "auth": "{{ _internal_docker_registry_auth | b64encode }}" + } + } +} \ No newline at end of file diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/namespace-ci.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/namespace-ci.yml.j2 new file mode 100644 index 00000000000..d519c87584c --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/namespace-ci.yml.j2 @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + openshift.io/description: "" + openshift.io/requester: "{{ ocp4_username }}" + name: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_ci_namespace }}" diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/role-binding-argocd-coolstore-edit.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/role-binding-argocd-coolstore-edit.yml.j2 new file mode 100644 index 00000000000..95b119c5dcc --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/role-binding-argocd-coolstore-edit.yml.j2 @@ -0,0 +1,13 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: argocd-edit + namespace: coolstore +subjects: + - kind: ServiceAccount + name: openshift-gitops-argocd-application-controller + namespace: openshift-gitops +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: edit diff --git a/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/secret-sonarqube-project.yml.j2 b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/secret-sonarqube-project.yml.j2 new file mode 100644 index 00000000000..d5c270be0c5 --- /dev/null +++ b/ansible/roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/templates/secret-sonarqube-project.yml.j2 @@ -0,0 +1,8 @@ +kind: Secret +apiVersion: v1 +metadata: + name: inventory-sonarqube-secret + namespace: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_ci_namespace }}" +stringData: + token: {{ _ocp4_workload_multicluster_devsecops_validated_pattern_sonarqube_inventory_project_token }} +type: Opaque