From e3de053b73bd33f803b3e7449abc2f1c6116d3ab Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Mon, 10 Jul 2023 15:55:42 -0400 Subject: [PATCH 01/34] adding all the changes need for this to work in a 4.12+ cluster --- .../ocp4-install-gitops/tasks/gitops.yaml | 62 +++++++++--------- .../tasks/noobaa-create.yaml | 2 +- .../templates/task-s2i-java-11.yaml.j2 | 12 ++++ .../files/policies/signed-image-policy.json | 2 +- .../tasks/build-cosign-infra.yaml | 2 +- .../roles/ocp4-post-acs/tasks/post_ci.yaml | 64 +++++++++++++------ 6 files changed, 91 insertions(+), 53 deletions(-) diff --git a/bootstrap/roles/ocp4-install-gitops/tasks/gitops.yaml b/bootstrap/roles/ocp4-install-gitops/tasks/gitops.yaml index 1df9c33..4968861 100644 --- a/bootstrap/roles/ocp4-install-gitops/tasks/gitops.yaml +++ b/bootstrap/roles/ocp4-install-gitops/tasks/gitops.yaml 
@@ -53,35 +53,39 @@ state: present definition: "{{ lookup('template', 'subs-pipelines.yml.j2') }}" -- name: Adapt to the openshift_cluster_version LESS than 4.9 - when: ocp4_cluster_version is version_compare('4.9', '<') - block: - - - name: Wait for Pipelines CRD to exist - kubernetes.core.k8s_info: - api_version: "apiextensions.k8s.io/v1beta1" - kind: CustomResourceDefinition - name: "{{ item }}" - loop: "{{ pipelines_expected_crds }}" - register: crds - until: crds.resources|length > 0 - retries: 30 - delay: 10 - -- name: Adapt to the openshift_cluster_version MORE than 4.9 - when: ocp4_cluster_version is version_compare('4.9', '>=') - block: - - - name: Wait for Pipelines CRD to exist - kubernetes.core.k8s_info: - api_version: "apiextensions.k8s.io/v1" - kind: CustomResourceDefinition - name: "{{ item }}" - loop: "{{ pipelines_expected_crds }}" - register: crds - until: crds.resources|length > 0 - retries: 30 - delay: 10 +# - name: Adapt to the openshift_cluster_version LESS than 4.9 +# when: ocp4_cluster_version is version_compare('4.9', '<') +# block: + +# - name: Wait for Pipelines CRD to exist +# kubernetes.core.k8s_info: +# api_version: "apiextensions.k8s.io/v1beta1" +# kind: CustomResourceDefinition +# name: "{{ item }}" +# loop: "{{ pipelines_expected_crds }}" +# register: crds +# until: crds.resources|length > 0 +# retries: 30 +# delay: 10 + +# - name: Adapt to the openshift_cluster_version MORE than 4.9 +# when: ocp4_cluster_version is version_compare('4.9', '>=') +# block: + +# - name: Wait for Pipelines CRD to exist +# kubernetes.core.k8s_info: +# api_version: "apiextensions.k8s.io/v1" +# kind: CustomResourceDefinition +# name: "{{ item }}" +# loop: "{{ pipelines_expected_crds }}" +# register: crds +# until: crds.resources|length > 0 +# retries: 30 +# delay: 10 + +- name: Wait for Pipelines Operator to be up and running + pause: + minutes: 1 - name: Add ClusterRoleBinding to the openshift-gitops-controller kubernetes.core.k8s: 
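Review bot: The new `pause: minutes: 1` replaces a readiness check with a fixed sleep, so the ClusterRoleBinding task that follows the hunk can still run before the Pipelines CRDs exist, or wait a full minute when they already do. Only the `apiextensions.k8s.io/v1beta1` branch is obsolete on a 4.12+ cluster; the removed `kubernetes.core.k8s_info` loop against `apiextensions.k8s.io/v1` is still valid there, and keeping it with its `until`/`retries` makes the role deterministic instead of timing-dependent. Once that is restored, the two commented-out blocks here (and the one added to post_ci.yaml later in this patch) should be deleted rather than kept as comments, since git history already preserves them. The task list continues on both sides of the hunk.
```yaml
- name: Wait for Pipelines CRD to exist
  kubernetes.core.k8s_info:
    api_version: "apiextensions.k8s.io/v1"
    kind: CustomResourceDefinition
    name: "{{ item }}"
  loop: "{{ pipelines_expected_crds }}"
  register: crds
  until: crds.resources|length > 0
  retries: 30
  delay: 10

# … unchanged: Add ClusterRoleBinding to the openshift-gitops-controller …
```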
diff --git a/bootstrap/roles/ocp4-install-noobaa/tasks/noobaa-create.yaml b/bootstrap/roles/ocp4-install-noobaa/tasks/noobaa-create.yaml index 91868ae..52a4310 100644 --- a/bootstrap/roles/ocp4-install-noobaa/tasks/noobaa-create.yaml +++ b/bootstrap/roles/ocp4-install-noobaa/tasks/noobaa-create.yaml @@ -76,7 +76,7 @@ shell: | oc get noobaas.noobaa.io/noobaa -n openshift-storage -o jsonpath='{.status.phase}' register: noobaa_status - retries: 10 + retries: 20 delay: 20 until: - noobaa_status.stdout == "Ready" diff --git a/bootstrap/roles/ocp4-install-pipelines/templates/task-s2i-java-11.yaml.j2 b/bootstrap/roles/ocp4-install-pipelines/templates/task-s2i-java-11.yaml.j2 index 36d27f6..b7805eb 100644 --- a/bootstrap/roles/ocp4-install-pipelines/templates/task-s2i-java-11.yaml.j2 +++ b/bootstrap/roles/ocp4-install-pipelines/templates/task-s2i-java-11.yaml.j2 @@ -109,6 +109,10 @@ spec: registry.redhat.io/rhel8/buildah@sha256:180c4d9849b6ab0e5465d30d4f3a77765cf0d852ca1cb1efb59d6e8c9f90d467 name: build resources: {} + securityContext: + capabilities: + add: + - SETFCAP volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers @@ -127,6 +131,10 @@ spec: image: registry.redhat.io/rhel8/buildah@sha256:180c4d9849b6ab0e5465d30d4f3a77765cf0d852ca1cb1efb59d6e8c9f90d467 name: push-tag resources: {} + securityContext: + capabilities: + add: + - SETFCAP volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers @@ -142,6 +150,10 @@ spec: image: registry.redhat.io/rhel8/buildah@sha256:180c4d9849b6ab0e5465d30d4f3a77765cf0d852ca1cb1efb59d6e8c9f90d467 name: push-latest resources: {} + securityContext: + capabilities: + add: + - SETFCAP volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers diff --git a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json index 7764131..61d95d8 100644 
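Review bot: The `SETFCAP` capability added to the `build` step of task-s2i-java-11.yaml.j2 (and identically to `push-tag` and `push-latest` in the two hunks that follow) carries no comment explaining why a build step now needs an extra Linux capability, and it only takes effect if the SCC bound to the pipeline service account permits that capability, which the diff does not show. A one-line comment above each `securityContext:` such as `# buildah needs SETFCAP to set file capabilities inside image layers; the SCC used by the pipeline SA must allow it` records the reason and the precondition. Since the three blocks are identical and this is a Jinja template, a single template variable or include would keep them from drifting apart.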
--- a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json +++ b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json @@ -31,7 +31,7 @@ "negate": false, "values": [ { - "value": "io.stackrox.signatureintegration.f9352803-d5c9-45d6-abe0-e1361a24559a" + "value": "io.stackrox.signatureintegration.8c536a20-0dc4-4949-89d3-cbb5df52057d" } ] } diff --git a/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml b/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml index 9dca8a9..1b19f5f 100644 --- a/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml +++ b/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml @@ -11,7 +11,7 @@ shell: | oc get build -l build=cosign-pod -n "{{ pipeline_namespace }}" --sort-by=.metadata.creationTimestamp | tail -n 1 | awk '{print $4}' register: build_status - retries: 10 + retries: 20 delay: 20 until: - build_status.stdout == "Complete" diff --git a/bootstrap/roles/ocp4-post-acs/tasks/post_ci.yaml b/bootstrap/roles/ocp4-post-acs/tasks/post_ci.yaml index ef56247..2bf331c 100644 --- a/bootstrap/roles/ocp4-post-acs/tasks/post_ci.yaml +++ b/bootstrap/roles/ocp4-post-acs/tasks/post_ci.yaml 
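Review bot: The replacement `io.stackrox.signatureintegration.<uuid>` value in signed-image-policy.json is the ID of a signature integration that exists only in the cluster where it was created, so on any other install this policy references a non-existent integration and the signed-image check can never match; the same value is rewritten again in patches 03, 04, 06 and 10 of this series, which confirms it is per-environment state rather than source. Rather than committing each new UUID, the role should look the integration up at install time (the ACS API the post_ci tasks already call exposes it under `/v1/signatureintegrations`) and template it into the policy, e.g. keep the file as a `.j2` with `"value": "io.stackrox.signatureintegration.{{ signature_integration_id }}"`. Until then a comment in the role documenting that this ID must be regenerated per cluster would at least stop the next user from shipping a dead policy.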
@@ -47,6 +47,39 @@ namespace: "{{ ocp4_demo_pipeline_namespace }}" type: Opaque +# - name: Get Service Account objects +# kubernetes.core.k8s_info: +# kind: ServiceAccount +# api_version: /v1 +# name: pipeline +# namespace: cicd +# register: r_argopass + +# - name: Get the secret that contains the token of sa pipeline +# set_fact: +# token_sa_pipeline_secret: "{{ r_argopass.resources[0].secrets | to_json | from_json | json_query(query) }}" +# vars: +# query: >- +# [?contains(name,'token')].name + +# # - debug: +# # msg: "{{ token_sa_pipeline_secret }}" + +# - name: Get token in the secret for the sa pipeline and decode +# kubernetes.core.k8s_info: +# kind: Secret +# api_version: /v1 +# name: "{{ token_sa_pipeline_secret[0] | replace(\"'\",'') }}" +# namespace: cicd +# register: r_token_sa_secret + +# # - debug: +# # msg: "{{ r_token_sa_secret.resources[0].data.token | b64decode }}" + +# - name: define the token secret decoded +# set_fact: +# pipeline_token: "{{ r_token_sa_secret.resources[0].data.token | b64decode }}" + - name: Get Service Account objects kubernetes.core.k8s_info: kind: ServiceAccount 
@@ -55,30 +88,19 @@ namespace: cicd register: r_argopass -- name: Get the secret that contains the token of sa pipeline - set_fact: - token_sa_pipeline_secret: "{{ r_argopass.resources[0].secrets | to_json | from_json | json_query(query) }}" - vars: - query: >- - [?contains(name,'token')].name - -#- debug: -# msg: "{{ token_sa_pipeline_secret }}" +- name: lets do it with shell + shell: "oc describe sa pipeline -n cicd | grep Tokens | awk '{print$2}'" + register: r_argopass -- name: Get token in the secret for the sa pipeline and decode - kubernetes.core.k8s_info: - kind: Secret - api_version: /v1 - name: "{{ token_sa_pipeline_secret[0] | replace(\"'\",'') }}" - namespace: cicd - register: r_token_sa_secret +- set_fact: + r_argopass: "{{ r_argopass.stdout }}" -#- debug: -# msg: "{{ r_token_sa_secret.resources[0].data.token | b64decode }}" +- name: pulling secret and base64 decoding it + shell: oc get secret {{ r_argopass }} -n cicd -o jsonpath='{.data.token}' | base64 -d + register: pipeline_token -- name: define the token secret decoded - set_fact: - pipeline_token: "{{ r_token_sa_secret.resources[0].data.token | b64decode }}" +- set_fact: + pipeline_token: "{{ pipeline_token.stdout }}" - name: Creating ACS Integration with the Openshift Internal Registry uri: From c2683f6e46978191faae817712b9fb9266944001 Mon Sep 17 00:00:00 2001 From: Allen <69975867+afouladi7@users.noreply.github.com> Date: Mon, 10 Jul 2023 15:59:28 -0400 Subject: [PATCH 02/34] Delete users.htpasswd From 1e52799ce5a871b2f3a387f92e426097138b67bf Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Tue, 11 Jul 2023 18:49:41 -0400 Subject: [PATCH 03/34] added the changes for gitops and bc for cosign --- .../roles/ocp4-install-gitops/templates/subs-gitops.yml.j2 | 2 +- .../files/policies/signed-image-policy.json | 2 +- .../roles/ocp4-install-signing/tasks/build-cosign-infra.yaml | 5 +++++ 3 files changed, 7 insertions(+), 2 deletions(-) 
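Review bot: The new `oc describe sa pipeline -n cicd | grep Tokens | awk '{print$2}'` step relies on an auto-generated service-account token secret, which clusters at 4.11+ no longer create (`LegacyServiceAccountTokenNoAutoGeneration`), so on the 4.12+ target this patch aims at the Tokens line is typically `<none>` and the following `oc get secret` fails or registers an empty token. The decoded token is also registered into `pipeline_token` without `no_log: true`, so the `-v` runs in install.sh print a cluster credential to the console, and the shell task re-registers `r_argopass` over the k8s_info result of the task just above it. `oc create token` (available in oc 4.11+) requests a bound token directly and removes the secret lookup; if the ACS integration must outlive the default expiry, pass `--duration` or create a `kubernetes.io/service-account-token` Secret explicitly. The task list continues after the hunk with the 'Creating ACS Integration' task.
```yaml
# … unchanged: Get Service Account objects (kubernetes.core.k8s_info) …

- name: Request a bound token for the pipeline service account
  # add --duration=<lifetime> if the ACS integration must outlive the default token expiry
  shell: oc create token pipeline -n cicd
  register: pipeline_token_raw
  no_log: true

- name: Expose the token to the following tasks
  set_fact:
    pipeline_token: "{{ pipeline_token_raw.stdout }}"
  no_log: true

# … unchanged: Creating ACS Integration with the Openshift Internal Registry …
```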
diff --git a/bootstrap/roles/ocp4-install-gitops/templates/subs-gitops.yml.j2 b/bootstrap/roles/ocp4-install-gitops/templates/subs-gitops.yml.j2 index 980ce1d..db8f0e9 100644 --- a/bootstrap/roles/ocp4-install-gitops/templates/subs-gitops.yml.j2 +++ b/bootstrap/roles/ocp4-install-gitops/templates/subs-gitops.yml.j2 @@ -4,7 +4,7 @@ metadata: name: openshift-gitops-operator namespace: openshift-operators spec: - channel: stable + channel: latest installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json index 61d95d8..deaf38c 100644 --- a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json +++ b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json @@ -31,7 +31,7 @@ "negate": false, "values": [ { - "value": "io.stackrox.signatureintegration.8c536a20-0dc4-4949-89d3-cbb5df52057d" + "value": "io.stackrox.signatureintegration.e9a5fc49-7969-4f90-9ec5-2bf845b22843" } ] } diff --git a/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml b/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml index 1b19f5f..1feb0f9 100644 --- a/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml +++ b/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml @@ -6,6 +6,11 @@ - ./templates/cosign-ubi-is.yaml.j2 - ./templates/cosign-is.yaml.j2 - ./templates/cosign-build.yaml.j2 + +- name: restarting the build if failed + shell: | + oc start-build cosign-pod -n "{{ pipeline_namespace }}" + register: build - name: Wait Until cosign build is complete shell: | From 89b005a1ec49a84b4f76cff93b3c54cb2edee626 Mon Sep 17 00:00:00 2001 
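Review bot: The new 'restarting the build if failed' task in build-cosign-infra.yaml runs `oc start-build cosign-pod` unconditionally on every play, not only after a failure, so each run queues a second build right after the BuildConfig is created and the 'Wait Until cosign build is complete' loop below (which takes `tail -n 1` of builds sorted by creation time) now follows whichever of the two happens to be newest. Either drop the task and rely on the BuildConfig's own trigger, or query the latest build's phase first and guard this task with `when:` on a terminal failure phase (`Failed`, `Error`, `Cancelled`). Separately, `channel: latest` in subs-gitops.yml.j2 (first hunk on this line) replaces a stable channel with an unpinned one, which makes the installed GitOps operator version non-reproducible between runs; a comment stating why 4.12 needs it would help the next reader.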
From: afouladi7 Date: Tue, 11 Jul 2023 19:27:41 -0400 Subject: [PATCH 04/34] adding all the changes for 4.12+ --- .../files/policies/signed-image-policy.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json index deaf38c..ceb83db 100644 --- a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json +++ b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json @@ -31,7 +31,7 @@ "negate": false, "values": [ { - "value": "io.stackrox.signatureintegration.e9a5fc49-7969-4f90-9ec5-2bf845b22843" + "value": "io.stackrox.signatureintegration.6388cd9f-e65a-4562-9364-5ee5ad6a199a" } ] } From 171d34929db2eb40c2e6f661cd029843274e47e9 Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Tue, 18 Jul 2023 11:59:07 -0400 Subject: [PATCH 05/34] changing the gitops app config --- .../roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2 | 4 ++-- .../ocp4-config-gitops/templates/argocd-app-stage.yaml.j2 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2 b/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2 index 2cea26f..89ac465 100644 --- a/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2 +++ b/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2 @@ -14,5 +14,5 @@ spec: targetRevision: HEAD syncPolicy: automated: - prune: false - selfHeal: false + prune: true + selfHeal: true diff --git a/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-stage.yaml.j2 b/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-stage.yaml.j2 index d093614..40cbf10 100644 --- a/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-stage.yaml.j2 +++ b/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-stage.yaml.j2 
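Review bot: Turning on `prune: true` in argocd-app-dev.yaml.j2 (and argocd-app-stage.yaml.j2 in the next hunk) lets Argo CD delete any resource in the target namespace that is no longer in the manifests repository, and `selfHeal: true` reverts manual edits on the next sync; that is a sensible demo default, but the template carries no comment saying so and the two environments now behave identically. A comment above `automated:` such as `# git is the source of truth: out-of-band edits are reverted and resources removed from the repo are deleted` would make the intent visible to anyone adapting the role.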
@@ -14,5 +14,5 @@ spec: targetRevision: HEAD syncPolicy: automated: - prune: false - selfHeal: false + prune: true + selfHeal: true From 90f165c3e11142f507206cfd8514a275146ba880 Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Thu, 20 Jul 2023 10:47:23 -0400 Subject: [PATCH 06/34] adiing sbom to the pipeline --- .../templates/cicd-reports-repo.yaml.j2 | 2 +- .../tasks/noobaa-create.yaml | 2 +- .../tasks/pipelines.yaml | 1 + .../templates/task-syft-sbom.yaml.j2 | 64 +++++++++++++++++++ .../files/policies/signed-image-policy.json | 2 +- .../templates/pipeline-build-dev.yaml.j2 | 13 +++- install.sh | 1 + 7 files changed, 81 insertions(+), 4 deletions(-) create mode 100644 bootstrap/roles/ocp4-install-pipelines/templates/task-syft-sbom.yaml.j2 diff --git a/bootstrap/roles/ocp4-install-cicd/templates/cicd-reports-repo.yaml.j2 b/bootstrap/roles/ocp4-install-cicd/templates/cicd-reports-repo.yaml.j2 index 0a1cd6b..7618541 100644 --- a/bootstrap/roles/ocp4-install-cicd/templates/cicd-reports-repo.yaml.j2 +++ b/bootstrap/roles/ocp4-install-cicd/templates/cicd-reports-repo.yaml.j2 @@ -33,7 +33,7 @@ spec: volumeMounts: - mountPath: /fileuploads name: staticfiles - - image: quay.io/siamaksade/nginx:latest + - image: quay.io/allenfouladi/nginx:latest name: nginx ports: - containerPort: 8080 diff --git a/bootstrap/roles/ocp4-install-noobaa/tasks/noobaa-create.yaml b/bootstrap/roles/ocp4-install-noobaa/tasks/noobaa-create.yaml index 52a4310..06cea2a 100644 --- a/bootstrap/roles/ocp4-install-noobaa/tasks/noobaa-create.yaml +++ b/bootstrap/roles/ocp4-install-noobaa/tasks/noobaa-create.yaml @@ -114,7 +114,7 @@ shell: | oc get BackingStore/"{{ backing_store_name }}" -n openshift-storage -o jsonpath='{.status.phase}' register: backing_store - retries: 10 + retries: 20 delay: 20 until: - backing_store.stdout == "Ready" diff --git a/bootstrap/roles/ocp4-install-pipelines/tasks/pipelines.yaml b/bootstrap/roles/ocp4-install-pipelines/tasks/pipelines.yaml index a2c0728..ba99872 100644 
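Review bot: The replacement image `quay.io/allenfouladi/nginx:latest` in cicd-reports-repo.yaml.j2 moves the reports server from one personal account to another and keeps the mutable `latest` tag, so the deployed content can change under the demo without any change in this repository. The buildah image in task-s2i-java-11.yaml.j2 is already pinned by `@sha256:` digest; pinning this one the same way (`quay.io/allenfouladi/nginx@sha256:<digest>`) keeps the role reproducible and lets the image-check stage vouch for what actually runs. A short comment naming what differs in the fork would also help, since the diff gives no reason for the switch.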
--- a/bootstrap/roles/ocp4-install-pipelines/tasks/pipelines.yaml +++ b/bootstrap/roles/ocp4-install-pipelines/tasks/pipelines.yaml @@ -14,6 +14,7 @@ - ./templates/task-rox-image-check.yaml.j2 - ./templates/task-s2i-java-11.yaml.j2 - ./templates/task-zap-proxy.yaml.j2 + - ./templates/task-syft-sbom.yaml.j2 - name: Create OpenShift Objects for Openshift Pipeline Triggers k8s: diff --git a/bootstrap/roles/ocp4-install-pipelines/templates/task-syft-sbom.yaml.j2 b/bootstrap/roles/ocp4-install-pipelines/templates/task-syft-sbom.yaml.j2 new file mode 100644 index 0000000..8c1b700 --- /dev/null +++ b/bootstrap/roles/ocp4-install-pipelines/templates/task-syft-sbom.yaml.j2 
@@ -0,0 +1,64 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: syft-sbom + namespace: cicd +spec: + description: This Task can be used to generate a SBOM file with Syft. + params: + - default: $(workspaces.source.path) + description: Application folder to scan + name: APP_PATH + type: string + - default: reports + description: The reports repository username + name: REPORTS_REPO_USERNAME + type: string + - default: reports + description: The reports repository password + name: REPORTS_REPO_PASSWORD + type: string + - default: 'http://reports-repo:8080' + description: >- + The reports repository host based on + https://github.com/chmouel/openshift-django-uploader + name: REPORTS_REPO_HOST + type: string + steps: + - env: + - name: PIPELINERUN_NAME + valueFrom: + fieldRef: + fieldPath: 'metadata.labels[''tekton.dev/pipelineRun'']' + image: 'registry.access.redhat.com/ubi8/ubi:latest' + name: syft-scan + resources: {} + script: > + #!/usr/bin/env bash + + echo '## Getting Syft ##' + + pwd + + curl -sSfL + https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s + -- -b . + + chmod +x ./syft + + echo '## Scanning folder and generating SBOM ##' + + ./syft $(params.APP_PATH) -o spdx-json=sbom.json + + echo '## SBOM content ##' + + cat ./sbom.json + + echo "Uploading the report into the report server" + + curl -u $(params.REPORTS_REPO_USERNAME):$(params.REPORTS_REPO_PASSWORD) + -F path=$PIPELINERUN_NAME/$'PIPELINERUN_NAME'-sbom.json -F file=@sbom.json -X + POST $(params.REPORTS_REPO_HOST)/upload; echo "" + workspaces: + - description: The workspace consisting of maven project. + name: source \ No newline at end of file diff --git a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json index ceb83db..96aba54 100644 --- a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json 
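Review bot: The `syft-scan` step installs Syft with `curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b .` at pipeline run time, so the SBOM producer itself is an unpinned, unverified download from a branch head, which undercuts the supply-chain story the task exists to tell. Pass a pinned release tag to the installer (it accepts one after `-b .`) or, better, run an image that already contains Syft and reference it by digest as the buildah steps do. `$'PIPELINERUN_NAME'` in the upload path is a bash ANSI-C string literal rather than the variable, so the report is uploaded as `<run>/PIPELINERUN_NAME-sbom.json` (a later patch in this series corrects it). The new file also lacks a trailing newline.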
+++ b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json @@ -31,7 +31,7 @@ "negate": false, "values": [ { - "value": "io.stackrox.signatureintegration.6388cd9f-e65a-4562-9364-5ee5ad6a199a" + "value": "io.stackrox.signatureintegration.9e37b973-37bd-4d0a-b329-7fc01019c8ed" } ] } diff --git a/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 b/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 index b96e56c..0e8b6e1 100644 --- a/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 +++ b/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 @@ -4,6 +4,17 @@ metadata: name: petclinic-build-dev namespace: cicd spec: + finally: + - name: syft-sbom + params: + - name: APP_PATH + value: $(workspaces.source.path) + taskRef: + kind: Task + name: syft-sbom + workspaces: + - name: source + workspace: workspace params: - name: APP_SOURCE_GIT type: string @@ -276,4 +287,4 @@ spec: workspaces: - name: simulations workspace: workspace - subPath: spring-petclinic-gatling + subPath: spring-petclinic-gatling \ No newline at end of file diff --git a/install.sh b/install.sh index 031b96b..7bb9de4 100755 --- a/install.sh +++ b/install.sh @@ -18,3 +18,4 @@ err() { info "Installing Demo" ansible-playbook bootstrap/deploy_demo.yaml -v +ansible-playbook bootstrap/deploy_signing.yaml -v From fe8a4350dfa1f781a025e7420ed4915b1e7ff87c Mon Sep 17 00:00:00 2001 From: Roger Seip Date: Thu, 20 Jul 2023 10:57:10 -0600 Subject: [PATCH 07/34] Updated ACS policy enforcement guidance to permit initial pipeline to run without failure. --- README.md | 2 +- docs/disable_policy_enforcement.md | 28 ++++++++++++++++++++-------- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index fd40363..95f00e6 100644 --- a/README.md +++ b/README.md 
@@ -217,7 +217,7 @@ cd .. ./demo.sh start ``` -NOTE: This pipeline will fail if you don't [disable the "Fixable at least Important"](docs/disable_policy_enforcement.md) policy enforcement behaviour of ACS. This is expected to demonstrate the failure when a violation of the system policy occurs. +NOTE: This pipeline will fail if you don't [disable the "Fixable Severity at least Important"](docs/disable_policy_enforcement.md) policy enforcement behaviour of ACS. This is expected to demonstrate the failure when a violation of the system policy occurs. Without disabling this policy (or at least changing the behaviour from "inform and enforce" to just "inform"), the image-check stage of the pipeline will fail (and break the build). ## Quick Video with the Demo diff --git a/docs/disable_policy_enforcement.md b/docs/disable_policy_enforcement.md index 6d708f5..51cb8e5 100644 --- a/docs/disable_policy_enforcement.md +++ b/docs/disable_policy_enforcement.md @@ -1,10 +1,22 @@ ## Disable the Policy Enforcement -To disable the policy enforcement you need to: - -- Go to the ACS Console -- Platform Configuration Tab -- System Policies -- Fixable CVSS >= 7 -- Edit -> Next -> Next -> Next -- Build and Deploy into Enforcement Behavior Off \ No newline at end of file +To disable the policy enforcement: + +- Login to ACS console. +- Expand the "Platform Configuration" tab. +- Select "Policy Management". +- Click on the 3 vertical dots at the right of the target policy. + +EITHER + +- Click "Disable policy". + +OR + +- Click "Edit policy". +- Click "Next" to skip "1 Policy details". +- At "2 Policy behavior", scroll down to "Response method". Click "Inform" radio button instead of "Inform and enforce". Click "Next". +- Click "Next" to skip "3 Policy criteria". +- Click "Next" to skip "4 Policy scope". +- Click "Save" at "5 Review policy" to save the updated policy configuration. +- Click "5 Review policy". From d8692bbb9a5202d1e09d88d591df5338fa75b20c Mon Sep 17 00:00:00 2001 
From: Chris Mays Date: Thu, 20 Jul 2023 15:59:39 -0500 Subject: [PATCH 08/34] Create trust_quay_from_another_cluster.md --- docs/trust_quay_from_another_cluster.md | 30 +++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 docs/trust_quay_from_another_cluster.md diff --git a/docs/trust_quay_from_another_cluster.md b/docs/trust_quay_from_another_cluster.md new file mode 100644 index 0000000..11e86ee --- /dev/null +++ b/docs/trust_quay_from_another_cluster.md @@ -0,0 +1,30 @@ +## Add the private quay registry as a trusted registry in a secondary cluster +### Prerequisites +- Have a cluster up and running with this demo setup including the extend.sh portion (with local quay) +- Have a secondary cluster up and running where you want to also deploy images from the above quay +- Run the following export commands to make the below scripts easier to run: + ```bash + export QUAY_URL= + export QUAY_USER= + export QUAY_PASS= + export LOCAL_NS= + ``` +### Obtain default router certificate from primary cluster +```bash +oc get secret -n openshift-ingress router-certs-default -o jsonpath="{.data['tls\.crt']}" | base64 -d > tls.key +``` +### Add tls.key to the secondary cluster as a trusted CA +Make sure to login to the secondary cluster before running these commands, and make sure you have the tls.key +from the above step in this folder. +```bash +oc create configmap registry-cas -n openshift-config \ +--from-file=${QUAY_URL}=tls.key +oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge +``` + +### Setup login credentials for the Service Account in the secondary cluster +This example is going to use the default service account +```bash +oc create secret docker-registry quay-robot-secret --docker-server=$QUAY_URL --docker-username=$QUAY_USER --docker-password=$QUAY_PASS -n $LOCAL_NS +oc secrets link default quay-robot-secret --for=pull,mount -n $LOCAL_NS +``` 
From 78d61282c1575ddd652a9ea0f7d355d8e750e6f2 Mon Sep 17 00:00:00 2001 From: Roger Seip Date: Fri, 21 Jul 2023 09:42:33 -0600 Subject: [PATCH 09/34] Adds single command for Fedora to install all prerequisite tools. --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 95f00e6..a93fb2c 100644 --- a/README.md +++ b/README.md @@ -181,6 +181,13 @@ Install some extra Python dependency: pip3 install jmespath ``` +* On Fedora workstations/servers, these prequisities can be fulfilled with the following single command: + +```sh +sudo dnf install -y git ansible ansible-collection-kubernetes-core python3-kubernetes python3-openshift python3-jmespath jq +``` + + ## Bootstrap Fully automated deployment and integration of every resource and tool needed for this demo. From cc266e6a82483573584b93cf0518b154ec9ca08d Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Sun, 23 Jul 2023 22:08:32 -0400 Subject: [PATCH 10/34] adding sbom signing and supporting tasks --- .../tasks/pipelines.yaml | 1 + .../templates/task-signing-sbom.yaml.j2 | 54 ++ .../templates/task-syft-sbom.yaml.j2 | 6 +- .../templates/quay-subscription.yaml.j2 | 2 +- .../files/policies/signed-image-policy.json | 2 +- .../templates/pipeline-build-dev.yaml.j2 | 579 ++++++++++-------- 6 files changed, 371 insertions(+), 273 deletions(-) create mode 100644 bootstrap/roles/ocp4-install-pipelines/templates/task-signing-sbom.yaml.j2 diff --git a/bootstrap/roles/ocp4-install-pipelines/tasks/pipelines.yaml b/bootstrap/roles/ocp4-install-pipelines/tasks/pipelines.yaml index ba99872..ab1dd89 100644 --- a/bootstrap/roles/ocp4-install-pipelines/tasks/pipelines.yaml +++ b/bootstrap/roles/ocp4-install-pipelines/tasks/pipelines.yaml @@ -15,6 +15,7 @@ - ./templates/task-s2i-java-11.yaml.j2 - ./templates/task-zap-proxy.yaml.j2 - ./templates/task-syft-sbom.yaml.j2 + - ./templates/task-signing-sbom.yaml.j2 - name: Create OpenShift Objects for Openshift Pipeline Triggers k8s: 
diff --git a/bootstrap/roles/ocp4-install-pipelines/templates/task-signing-sbom.yaml.j2 b/bootstrap/roles/ocp4-install-pipelines/templates/task-signing-sbom.yaml.j2
new file mode 100644
index 0000000..4ac3e5a
--- /dev/null
+++ b/bootstrap/roles/ocp4-install-pipelines/templates/task-signing-sbom.yaml.j2
@@ -0,0 +1,54 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: cosign-sign-sbom + namespace: cicd +spec: + description: This Task can be used to sign an image in a registry + params: + - description: Image to be signed + name: SIGNATURE_IMAGE + type: string + - description: Name (reference) of the cosign image + name: IMAGE + type: string + - description: SBOM to be signed + name: SIGNATURE_SBOM + type: string + - default: [] + description: args to pass to cosign command to + name: ARGS + type: array + steps: + - args: + - $(params.ARGS) + env: + - name: PIPELINERUN_NAME + valueFrom: + fieldRef: + fieldPath: 'metadata.labels[''tekton.dev/pipelineRun'']' + image: $(params.IMAGE) + name: cosign-actions + resources: {} + script: | + #!/usr/bin/env bash + + verify="cosign verify --allow-insecure-registry --key k8s://cicd/signing-secrets $(params.SIGNATURE_IMAGE)" + signing="cosign sign --allow-insecure-registry --key k8s://cicd/signing-secrets --attachment sbom $(params.SIGNATURE_IMAGE)" + $verify + attach="cosign $* $(params.SIGNATURE_SBOM) $(params.SIGNATURE_IMAGE) --sbom=none" + attest="cosign attest --predicate $(params.SIGNATURE_SBOM) --key k8s://cicd/signing-secrets --allow-insecure-registry $(params.SIGNATURE_IMAGE)" + tree="cosign tree --allow-insecure-registry $(params.SIGNATURE_IMAGE)" + echo "This is the command we will run $attach" + $attach + echo "Starting Image Signing Task" + echo "This is the command we will run $signing" + $signing + echo "This is the command we will run $attest" + $attest + echo "This will run the cosign tree command to see what is attached to signed image" + $tree + workingDir: $(workspaces.source.path) + workspaces: + - description: The workspace consisting of maven project. + name: source \ No newline at end of file diff --git a/bootstrap/roles/ocp4-install-pipelines/templates/task-syft-sbom.yaml.j2 b/bootstrap/roles/ocp4-install-pipelines/templates/task-syft-sbom.yaml.j2 index 8c1b700..02579e3 100644 
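Review bot: The `cosign-actions` script has no `set -e`, so when `$verify`, `$attach`, `$signing` or `$attest` exits non-zero the step still reports success and the pipeline proceeds as if the SBOM had been attached and attested; for a signing task that is the wrong default. Adding `set -euo pipefail` directly under `#!/usr/bin/env bash` makes every cosign failure fail the step. Building the attach command as `cosign $* …` splices the `ARGS` array through shell word-splitting and hides which subcommand is invoked from anyone reading the task; putting the subcommand in the script and reserving `ARGS` for options would be clearer. The description 'sign an image in a registry' also no longer matches what the task does, and the file lacks a trailing newline.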
--- a/bootstrap/roles/ocp4-install-pipelines/templates/task-syft-sbom.yaml.j2 +++ b/bootstrap/roles/ocp4-install-pipelines/templates/task-syft-sbom.yaml.j2 @@ -54,10 +54,14 @@ spec: cat ./sbom.json + cp ./sbom.json /workspace/source/. + + chmod 0666 /workspace/source/sbom.json + echo "Uploading the report into the report server" curl -u $(params.REPORTS_REPO_USERNAME):$(params.REPORTS_REPO_PASSWORD) - -F path=$PIPELINERUN_NAME/$'PIPELINERUN_NAME'-sbom.json -F file=@sbom.json -X + -F path=$PIPELINERUN_NAME/$PIPELINERUN_NAME-sbom.json -F file=@sbom.json -X POST $(params.REPORTS_REPO_HOST)/upload; echo "" workspaces: - description: The workspace consisting of maven project. diff --git a/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 b/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 index bd1eff9..3e27ce3 100644 --- a/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 +++ b/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 @@ -4,7 +4,7 @@ metadata: name: quay-operator namespace: openshift-operators spec: - channel: stable-3.7 + channel: stable-3.8 installPlanApproval: Automatic name: quay-operator source: redhat-operators diff --git a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json index 96aba54..51309d1 100644 --- a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json +++ b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json @@ -31,7 +31,7 @@ "negate": false, "values": [ { - "value": "io.stackrox.signatureintegration.9e37b973-37bd-4d0a-b329-7fc01019c8ed" + "value": "io.stackrox.signatureintegration.3a7589a4-6cd1-41d0-b521-6378fd71a73c" } ] } diff --git a/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 b/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 index 0e8b6e1..ba50586 100644 
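Review bot: The added `cp ./sbom.json /workspace/source/.` and `chmod 0666 /workspace/source/sbom.json` make the SBOM that the later cosign-sign-sbom task appears to attest world-writable on the shared workspace, and they hard-code the mount path instead of using `$(workspaces.source.path)`. Anything running in that workspace between the two tasks could alter the file before it is signed, so `chmod 0644` (or no chmod at all, since this step owns the file) and `cp ./sbom.json $(workspaces.source.path)/sbom.json` are the safer forms.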
--- a/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2
+++ b/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2
@@ -4,287 +4,326 @@ metadata: name: petclinic-build-dev namespace: cicd spec: - finally: - - name: syft-sbom - params: - - name: APP_PATH - value: $(workspaces.source.path) - taskRef: - kind: Task - name: syft-sbom - workspaces: - - name: source - workspace: workspace params: - - name: APP_SOURCE_GIT - type: string + - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic description: The application git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic - - name: APP_SOURCE_REVISION + name: APP_SOURCE_GIT type: string + - default: master description: The application git revision - default: master - - name: APP_MANIFESTS_GIT + name: APP_SOURCE_REVISION type: string + - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config description: The application manifests git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config - - name: APP_IMAGE_TAG + name: APP_MANIFESTS_GIT type: string - default: latest + - default: latest description: The application image tag to build - - name: DEV_NAMESPACE + name: APP_IMAGE_TAG type: string - default: devsecops-dev + - default: devsecops-dev description: The namespace for Stage environments - - name: APP_TESTS_GIT + name: DEV_NAMESPACE type: string + - default: 'https://github.com/rcarrata/spring-petclinic-gatling' description: The application test cases git repository - default: https://github.com/rcarrata/spring-petclinic-gatling - workspaces: - - name: workspace - - name: maven-settings + name: APP_TESTS_GIT + type: string tasks: - - name: source-clone - taskRef: - name: git-clone - kind: ClusterTask - workspaces: - - name: output - workspace: workspace - params: - - name: url - value: $(params.APP_SOURCE_GIT) - - name: revision - value: $(params.APP_SOURCE_REVISION) - - name: depth - value: "0" - - name: subdirectory - value: spring-petclinic - - name: deleteExisting - value: "true" - - 
name: unit-tests - taskRef: - name: maven - runAfter: - - source-clone - workspaces: - - name: source - workspace: workspace - - name: maven-settings - workspace: maven-settings - params: - - name: GOALS - value: ["package", "-f", "spring-petclinic"] - - name: code-analysis - taskRef: - name: maven - runAfter: - - source-clone - workspaces: - - name: source - workspace: workspace - - name: maven-settings - workspace: maven-settings - params: - - name: GOALS - value: - - install - - sonar:sonar - - -f - - spring-petclinic - - -Dsonar.host.url=http://sonarqube:9000 - - -Dsonar.userHome=/tmp/sonar - - -DskipTests=true - - name: dependency-report - taskRef: - name: dependency-report - runAfter: - - source-clone - workspaces: - - name: source - workspace: workspace - - name: maven-settings - workspace: maven-settings - params: - - name: SOURCE_DIR - value: spring-petclinic - - name: release-app - taskRef: - name: maven - runAfter: - - code-analysis - - unit-tests - - dependency-report - workspaces: - - name: source - workspace: workspace - - name: maven-settings - workspace: maven-settings - params: - - name: GOALS - value: - - deploy - - -f - - spring-petclinic - - -DskipTests=true - - -DaltDeploymentRepository=nexus::default::http://nexus:8081/repository/maven-releases/ - - -DaltSnapshotDeploymentRepository=nexus::default::http://nexus:8081/repository/maven-snapshots/ - - name: build-image - taskRef: - name: s2i-java-11 - runAfter: - - release-app - params: - - name: TLSVERIFY - value: "false" - - name: MAVEN_MIRROR_URL - value: http://nexus:8081/repository/maven-public/ - - name: PATH_CONTEXT - value: spring-petclinic/target - - name: IMAGE_NAME - value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev - - name: IMAGE_TAG - value: $(params.APP_IMAGE_TAG) - workspaces: - - name: source - workspace: workspace - - name: image-sign - taskRef: - name: cosign-task - runAfter: - - build-image - params: - - name: IMAGE - value: 
"image-registry.openshift-image-registry.svc:5000/{{pipeline_namespace}}/cosign-pod" - - name: SIGNATURE_IMAGE - value: "{{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev" - - name: ARGS - value: - - "sign" - - "--allow-insecure-registry" - - "--key k8s://{{ pipeline_namespace }}/{{ secret_generate_name }}" - - name: image-scan - runAfter: - - build-image - taskRef: - name: rox-image-scan - kind: ClusterTask - params: - - name: image - value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev - - name: rox_api_token - value: roxsecrets - - name: rox_central_endpoint - value: roxsecrets - - name: output_format - value: table - - name: image_digest - value: $(tasks.build-image.results.IMAGE_DIGEST) - - name: image-check - runAfter: - - build-image - taskRef: - name: rox-image-check - kind: ClusterTask - params: - - name: image - value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev - - name: rox_api_token - value: roxsecrets - - name: rox_central_endpoint - value: roxsecrets - - name: image_digest - value: $(tasks.build-image.results.IMAGE_DIGEST) - - name: deploy-check - runAfter: - - build-image - taskRef: - name: rox-deployment-check - kind: ClusterTask - params: - - name: GIT_REPOSITORY - value: "$(params.APP_MANIFESTS_GIT)" - - name: rox_api_token - value: roxsecrets - - name: rox_central_endpoint - value: roxsecrets - - name: file - value: deployment.yaml - - name: deployment_files_path - value: app - workspaces: - - name: workspace - workspace: workspace - - name: update-deployment - runAfter: - - image-sign - - image-scan - - image-check - - deploy-check - taskRef: - name: git-update-deployment - params: - - name: GIT_REPOSITORY - value: "$(params.APP_MANIFESTS_GIT)" - - name: GIT_USERNAME - value: gogs - - name: GIT_PASSWORD - value: gogs - - name: CURRENT_IMAGE - value: quay.io/siamaksade/spring-petclinic:latest - - name: NEW_IMAGE - value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev - - name: NEW_DIGEST - value: 
"$(tasks.build-image.results.IMAGE_DIGEST)" - - name: KUSTOMIZATION_PATH - value: environments/dev - workspaces: - - name: workspace - workspace: workspace - - name: wait-application - taskRef: - name: argocd-task-sync-and-wait - runAfter: - - update-deployment - params: - - name: application-name - value: dev-spring-petclinic - - name: perf-tests-clone - taskRef: - name: git-clone - kind: ClusterTask - workspaces: - - name: output - workspace: workspace - runAfter: - - wait-application - params: - - name: url - value: $(params.APP_TESTS_GIT) - - name: subdirectory - value: spring-petclinic-gatling - - name: deleteExisting - value: "true" - - name: pentesting-test - taskRef: - name: zap-proxy - runAfter: - - perf-tests-clone - params: - - name: APP_URL - value: "http://spring-petclinic.$(params.DEV_NAMESPACE).svc.cluster.local:8080" - workspaces: + - name: source-clone + params: + - name: url + value: $(params.APP_SOURCE_GIT) + - name: revision + value: $(params.APP_SOURCE_REVISION) + - name: depth + value: '0' + - name: subdirectory + value: spring-petclinic + - name: deleteExisting + value: 'true' + taskRef: + kind: ClusterTask + name: git-clone + workspaces: + - name: output + workspace: workspace + - name: unit-tests + params: + - name: GOALS + value: + - package + - '-f' + - spring-petclinic + runAfter: + - source-clone + taskRef: + kind: Task + name: maven + workspaces: + - name: source + workspace: workspace + - name: maven-settings + workspace: maven-settings + - name: code-analysis + params: + - name: GOALS + value: + - install + - 'sonar:sonar' + - '-f' + - spring-petclinic + - '-Dsonar.host.url=http://sonarqube:9000' + - '-Dsonar.userHome=/tmp/sonar' + - '-DskipTests=true' + runAfter: + - source-clone + taskRef: + kind: Task + name: maven + workspaces: + - name: source + workspace: workspace + - name: maven-settings + workspace: maven-settings + - name: dependency-report + params: + - name: SOURCE_DIR + value: spring-petclinic + runAfter: + - 
source-clone + taskRef: + kind: Task + name: dependency-report + workspaces: + - name: source + workspace: workspace + - name: maven-settings + workspace: maven-settings + - name: release-app + params: + - name: GOALS + value: + - deploy + - '-f' + - spring-petclinic + - '-DskipTests=true' + - >- + -DaltDeploymentRepository=nexus::default::http://nexus:8081/repository/maven-releases/ + - >- + -DaltSnapshotDeploymentRepository=nexus::default::http://nexus:8081/repository/maven-snapshots/ + runAfter: + - code-analysis + - unit-tests + - dependency-report + taskRef: + kind: Task + name: maven + workspaces: + - name: source + workspace: workspace + - name: maven-settings + workspace: maven-settings + - name: build-image + params: + - name: TLSVERIFY + value: 'false' + - name: MAVEN_MIRROR_URL + value: 'http://nexus:8081/repository/maven-public/' + - name: PATH_CONTEXT + value: spring-petclinic/target + - name: IMAGE_NAME + value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev + - name: IMAGE_TAG + value: $(params.APP_IMAGE_TAG) + runAfter: + - syft-sbom-post-release + taskRef: + kind: Task + name: s2i-java-11 + workspaces: + - name: source + workspace: workspace + - name: image-sign + params: + - name: IMAGE + value: "image-registry.openshift-image-registry.svc:5000/{{pipeline_namespace}}/cosign-pod" + - name: SIGNATURE_IMAGE + value: "{{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev" + - name: ARGS + value: + - sign + - '--allow-insecure-registry' + - '--key k8s://cicd/signing-secrets' + runAfter: + - build-image + taskRef: + kind: Task + name: cosign-task + - name: image-scan + params: + - name: image + value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev + - name: rox_api_token + value: roxsecrets + - name: rox_central_endpoint + value: roxsecrets + - name: output_format + value: table + - name: image_digest + value: $(tasks.build-image.results.IMAGE_DIGEST) + runAfter: + - build-image + taskRef: + kind: ClusterTask + name: 
rox-image-scan + - name: image-check + params: + - name: image + value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev + - name: rox_api_token + value: roxsecrets + - name: rox_central_endpoint + value: roxsecrets + - name: image_digest + value: $(tasks.build-image.results.IMAGE_DIGEST) + runAfter: + - build-image + taskRef: + kind: ClusterTask + name: rox-image-check + - name: deploy-check + params: + - name: GIT_REPOSITORY + value: $(params.APP_MANIFESTS_GIT) + - name: rox_api_token + value: roxsecrets + - name: rox_central_endpoint + value: roxsecrets + - name: file + value: deployment.yaml + - name: deployment_files_path + value: app + runAfter: + - build-image + taskRef: + kind: ClusterTask + name: rox-deployment-check + workspaces: + - name: workspace + workspace: workspace + - name: update-deployment + params: + - name: GIT_REPOSITORY + value: $(params.APP_MANIFESTS_GIT) + - name: GIT_USERNAME + value: gogs + - name: GIT_PASSWORD + value: gogs + - name: CURRENT_IMAGE + value: 'quay.io/siamaksade/spring-petclinic:latest' + - name: NEW_IMAGE + value: {{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev + - name: NEW_DIGEST + value: $(tasks.build-image.results.IMAGE_DIGEST) + - name: KUSTOMIZATION_PATH + value: environments/dev + runAfter: + - sign-sbom + taskRef: + kind: Task + name: git-update-deployment + workspaces: + - name: workspace + workspace: workspace + - name: wait-application + params: + - name: application-name + value: dev-spring-petclinic + runAfter: + - update-deployment + taskRef: + kind: Task + name: argocd-task-sync-and-wait + - name: perf-tests-clone + params: + - name: url + value: $(params.APP_TESTS_GIT) + - name: subdirectory + value: spring-petclinic-gatling + - name: deleteExisting + value: 'true' + runAfter: + - wait-application + taskRef: + kind: ClusterTask + name: git-clone + workspaces: + - name: output + workspace: workspace + - name: pentesting-test + params: + - name: APP_URL + value: 
"http://spring-petclinic.$(params.DEV_NAMESPACE).svc.cluster.local:8080" + runAfter: + - perf-tests-clone + taskRef: + kind: Task + name: zap-proxy + workspaces: + - name: workspace + workspace: workspace + - name: performance-test + params: + - name: APP_URL + value: "http://spring-petclinic.$(params.DEV_NAMESPACE).svc.cluster.local:8080" + runAfter: + - perf-tests-clone + taskRef: + kind: Task + name: gatling + workspaces: + - name: simulations + subPath: spring-petclinic-gatling + workspace: workspace + - name: syft-sbom-post-release + params: + - name: APP_PATH + value: $(workspaces.source.path) + runAfter: + - release-app + taskRef: + kind: Task + name: syft-sbom + workspaces: + - name: source + workspace: workspace + - name: sign-sbom + params: + - name: IMAGE + value: "image-registry.openshift-image-registry.svc:5000/{{pipeline_namespace}}/cosign-pod" + - name: SIGNATURE_SBOM + value: sbom.json + - name: ARGS + value: + - attach + - sbom + - '--allow-insecure-registry' + - '--type syft' + - '--sbom' + - name: SIGNATURE_IMAGE + value: "{{ quay_route}}/{{ quay_org_name }}/spring-petclinic-dev" + runAfter: + - image-sign + - image-scan + - image-check + - deploy-check + taskRef: + kind: Task + name: cosign-sign-sbom + workspaces: + - name: source + workspace: workspace + workspaces: - name: workspace - workspace: workspace - - name: performance-test - taskRef: - name: gatling - runAfter: - - perf-tests-clone - params: - - name: APP_URL - value: "http://spring-petclinic.$(params.DEV_NAMESPACE).svc.cluster.local:8080" - workspaces: - - name: simulations - workspace: workspace - subPath: spring-petclinic-gatling \ No newline at end of file + - name: maven-settings \ No newline at end of file From 8fa9f2a48ae7615c65ffbdd0ad99edecc6114e6d Mon Sep 17 00:00:00 2001 
From: Allen <69975867+afouladi7@users.noreply.github.com> Date: Mon, 24 Jul 2023 22:42:27 -0400 Subject: [PATCH 11/34] Update cosign-build.yaml.j2 changing the ubi to 8.8 --- .../roles/ocp4-install-signing/templates/cosign-build.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bootstrap/roles/ocp4-install-signing/templates/cosign-build.yaml.j2 b/bootstrap/roles/ocp4-install-signing/templates/cosign-build.yaml.j2 index 7b2f185..767caf2 100644 --- a/bootstrap/roles/ocp4-install-signing/templates/cosign-build.yaml.j2 +++ b/bootstrap/roles/ocp4-install-signing/templates/cosign-build.yaml.j2 @@ -19,12 +19,12 @@ spec: dockerStrategy: from: kind: ImageStreamTag - name: 'ubi:8.0' + name: 'ubi:8.8' postCommit: {} source: type: Dockerfile dockerfile: >- - FROM registry.redhat.io/ubi8/ubi:8.0 + FROM registry.redhat.io/ubi8/ubi:8.8 RUN yum install go git wget tar rsync -y && wget From 3d0067b36c2fd606b9d128bcadf0a67bd09d660b Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Tue, 25 Jul 2023 15:02:06 -0400 Subject: [PATCH 12/34] changing to the latest ubi --- .../ocp4-install-signing/templates/cosign-ubi-is.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bootstrap/roles/ocp4-install-signing/templates/cosign-ubi-is.yaml.j2 b/bootstrap/roles/ocp4-install-signing/templates/cosign-ubi-is.yaml.j2 index ff84878..7c9feeb 100644 --- a/bootstrap/roles/ocp4-install-signing/templates/cosign-ubi-is.yaml.j2 +++ b/bootstrap/roles/ocp4-install-signing/templates/cosign-ubi-is.yaml.j2 @@ -9,12 +9,12 @@ spec: lookupPolicy: local: false tags: - - name: '8.0' + - name: '8.8' annotations: openshift.io/imported-from: 'registry.redhat.io/ubi8/ubi:8.0' from: kind: DockerImage - name: 'registry.redhat.io/ubi8/ubi:8.0' + name: 'registry.redhat.io/ubi8/ubi:8.8' generation: 2 importPolicy: {} referencePolicy: From 4070550844d1d603d6290cadb988633be1f547fd Mon Sep 17 00:00:00 2001 
From: afouladi7 Date: Tue, 25 Jul 2023 20:29:06 -0400 Subject: [PATCH 13/34] changing to the latest ubi --- .../files/policies/signed-image-policy.json | 2 +- .../roles/ocp4-install-signing/templates/cosign-ubi-is.yaml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json index 51309d1..f601cb8 100644 --- a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json +++ b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json @@ -31,7 +31,7 @@ "negate": false, "values": [ { - "value": "io.stackrox.signatureintegration.3a7589a4-6cd1-41d0-b521-6378fd71a73c" + "value": "io.stackrox.signatureintegration.9d62589f-57ad-4580-bbc7-8e36fed96e3e" } ] } diff --git a/bootstrap/roles/ocp4-install-signing/templates/cosign-ubi-is.yaml.j2 b/bootstrap/roles/ocp4-install-signing/templates/cosign-ubi-is.yaml.j2 index 7c9feeb..263c0b1 100644 --- a/bootstrap/roles/ocp4-install-signing/templates/cosign-ubi-is.yaml.j2 +++ b/bootstrap/roles/ocp4-install-signing/templates/cosign-ubi-is.yaml.j2 @@ -11,7 +11,7 @@ spec: tags: - name: '8.8' annotations: - openshift.io/imported-from: 'registry.redhat.io/ubi8/ubi:8.0' + openshift.io/imported-from: 'registry.redhat.io/ubi8/ubi:8.8' from: kind: DockerImage name: 'registry.redhat.io/ubi8/ubi:8.8' From ca5681db5a484c7f83673f447ce7e60b2ae79774 Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Tue, 25 Jul 2023 22:57:07 -0400 Subject: [PATCH 14/34] adding sbom, attestion, image verify to demo.sh --- .../files/policies/signed-image-policy.json | 2 +- .../ocp4-install-signing/tasks/build-cosign-infra.yaml | 8 ++++---- demo.sh | 2 ++ 3 files changed, 7 insertions(+), 5 deletions(-) 
diff --git a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json index f601cb8..3c40625 100644 --- a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json +++ b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json @@ -31,7 +31,7 @@ "negate": false, "values": [ { - "value": "io.stackrox.signatureintegration.9d62589f-57ad-4580-bbc7-8e36fed96e3e" + "value": "io.stackrox.signatureintegration.0de32435-50c6-440f-8f26-96ec3c790bfb" } ] } diff --git a/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml b/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml index 1feb0f9..4239a4c 100644 --- a/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml +++ b/bootstrap/roles/ocp4-install-signing/tasks/build-cosign-infra.yaml @@ -7,10 +7,10 @@ - ./templates/cosign-is.yaml.j2 - ./templates/cosign-build.yaml.j2 -- name: restarting the build if failed - shell: | - oc start-build cosign-pod -n "{{ pipeline_namespace }}" - register: build +# - name: restarting the build if failed +# shell: | +# oc start-build cosign-pod -n "{{ pipeline_namespace }}" +# register: build - name: Wait Until cosign build is complete shell: | diff --git a/demo.sh b/demo.sh index eef9177..107b12f 100755 --- a/demo.sh +++ b/demo.sh 
@@ -135,6 +135,8 @@ command.sign-verify() { oc exec pod/"$cosign_pod" -n $working_namespace -- /bin/bash -c "chmod ugo+x /workdir/verify/${verify_script}" oc exec pod/"$cosign_pod" -n $working_namespace -- /bin/bash -c "/workdir/verify/${verify_script} $working_namespace " + info "## Verifying image, SBOM, and attestation ##" + taskrun=$(oc get taskruns -n cicd | grep sign-sbom | awk '{print$1}'); oc logs $taskrun-pod -n $working_namespace # echo "Obtaining cosign.key" # oc exec pod/"$cosign_pod" -n openshift-pipelines -- /bin/bash -c "oc get secret/signing-secrets -n openshift-pipelines -o jsonpath='{.data.cosign\.key}' | base64 -d > /test/cosign.key" # echo "Obtaining cosign.password" From 665c1bf3f3fef0af2c1a4c7cc173ace6d46a10f0 Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Wed, 26 Jul 2023 14:54:30 -0400 Subject: [PATCH 15/34] adding signing to demo.sh --- demo.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/demo.sh b/demo.sh index 107b12f..5cf5b93 100755 --- a/demo.sh +++ b/demo.sh @@ -136,7 +136,7 @@ command.sign-verify() { oc exec pod/"$cosign_pod" -n $working_namespace -- /bin/bash -c "/workdir/verify/${verify_script} $working_namespace " info "## Verifying image, SBOM, and attestation ##" - taskrun=$(oc get taskruns -n cicd | grep sign-sbom | awk '{print$1}'); oc logs $taskrun-pod -n $working_namespace + taskrun=$(oc get taskruns -n cicd --sort-by=.metadata.creationTimestamp | grep sign-sbom | tail -1 | awk '{print$1}'); oc logs $taskrun-pod -n cicd # echo "Obtaining cosign.key" # oc exec pod/"$cosign_pod" -n openshift-pipelines -- /bin/bash -c "oc get secret/signing-secrets -n openshift-pipelines -o jsonpath='{.data.cosign\.key}' | base64 -d > /test/cosign.key" # echo "Obtaining cosign.password" From cfb459cb213ccc8b90075dd6a4dd0c90c0199a90 Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Wed, 26 Jul 2023 14:55:16 -0400 Subject: [PATCH 16/34] adding signing to demo.sh --- demo.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/demo.sh b/demo.sh index 5cf5b93..665e137 100755 --- a/demo.sh +++ b/demo.sh @@ -136,7 +136,7 @@ command.sign-verify() { oc exec pod/"$cosign_pod" -n $working_namespace -- /bin/bash -c "/workdir/verify/${verify_script} $working_namespace " info "## Verifying image, SBOM, and attestation ##" - taskrun=$(oc get taskruns -n cicd --sort-by=.metadata.creationTimestamp | grep sign-sbom | tail -1 | awk '{print$1}'); oc logs $taskrun-pod -n cicd + taskrun=$(oc get taskruns -n cicd --sort-by=.metadata.creationTimestamp | grep sign-sbom | tail -1 | awk '{print$1}'); oc logs $taskrun-pod -n $working_namespace # echo "Obtaining cosign.key" # oc exec pod/"$cosign_pod" -n openshift-pipelines -- /bin/bash -c "oc get secret/signing-secrets -n openshift-pipelines -o jsonpath='{.data.cosign\.key}' | base64 -d > /test/cosign.key" # echo "Obtaining cosign.password" From 1b17f72e1750e94e91fa99b35b206e689221fb13 Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Wed, 23 Aug 2023 10:18:00 -0400 Subject: [PATCH 17/34] updating gogs and quay --- bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 | 2 +- .../roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 b/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 index f2879c5..f2a7dc4 100644 --- a/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 +++ b/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 @@ -111,7 +111,7 @@ spec: containers: - name: gogs imagePullPolicy: Always - image: quay.io/rcarrata/gogs:stable + image: quay.io/allenfouladi/gogs:stable ports: - containerPort: 3000 protocol: TCP diff --git a/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 b/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 index 3e27ce3..cc55460 100644 --- a/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 
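Review bot: The new `taskrun=$(oc get taskruns -n cicd ... | grep sign-sbom | tail -1 | awk '{print$1}'); oc logs $taskrun-pod -n $working_namespace` lookup is fragile: `grep` matches any column of the table output, the unquoted `$taskrun` turns into a bare `-pod` argument when nothing matches, and the TaskRun is looked up in `cicd` while its pod is read from `$working_namespace`, which only works when the two happen to be equal. A label selector is exact and needs no text parsing: `taskrun=$(oc get taskrun -n cicd -l tekton.dev/pipelineTask=sign-sbom --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1:].metadata.name}')` followed by `oc logs -n cicd "pod/${taskrun}-pod"`. More importantly, the step is announced as "Verifying image, SBOM, and attestation" but it only prints the logs of the task that produced them; verification means running `cosign verify` / `cosign verify-attestation` with the public key against the pushed digest, unless the `verify_script` invoked on the preceding line already does that. The `command.sign-verify` function begins before this hunk.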
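Review bot: The deployment now pulls `quay.io/allenfouladi/gogs:stable` with `imagePullPolicy: Always`, so every pod restart fetches whatever was last pushed to that mutable tag in a personal repository; for the component that hosts the source and manifests everything else in this pipeline signs and promotes, that is an unpinned, unverified input in a demo about signed images. Pin it by digest, `image: quay.io/allenfouladi/gogs@sha256:<digest of the intended build>`, or at least to an immutable version tag, and note in a comment where the image is built from so it can be re-verified. If the move away from `quay.io/rcarrata/gogs` was made because that repository is no longer maintained, a one-line comment saying so would spare the next reader the question.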
+++ b/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 @@ -4,7 +4,7 @@ metadata: name: quay-operator namespace: openshift-operators spec: - channel: stable-3.8 + channel: stable-3.9 installPlanApproval: Automatic name: quay-operator source: redhat-operators From b0635c46805c1b49fb6134fde5f71fb6011df2b8 Mon Sep 17 00:00:00 2001 From: Jason Kincl Date: Mon, 28 Aug 2023 10:57:19 -0400 Subject: [PATCH 18/34] Fixing ArgoCD CR: Cannot specify both keycloak and dex We cannot specify both keycloak and dex as SSO providers. When I tried enabling just keycloak the gitops-operator hit some segfault errors so switch to just using dex for now --- .../ocp4-install-gitops/templates/gitops-argocd.yaml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bootstrap/roles/ocp4-install-gitops/templates/gitops-argocd.yaml.j2 b/bootstrap/roles/ocp4-install-gitops/templates/gitops-argocd.yaml.j2 index 0b3d8b2..b394e0f 100644 --- a/bootstrap/roles/ocp4-install-gitops/templates/gitops-argocd.yaml.j2 +++ b/bootstrap/roles/ocp4-install-gitops/templates/gitops-argocd.yaml.j2 @@ -34,7 +34,9 @@ spec: enabled: false initialSSHKnownHosts: {} sso: - provider: keycloak + provider: dex + dex: + openShiftOAuth: true applicationSet: resources: limits: @@ -55,8 +57,6 @@ spec: kinds: - TaskRun - PipelineRun - dex: - openShiftOAuth: true ha: enabled: false resources: From 48792e29c1c2eff807f6aa3a97e1058e4d0dce50 Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Mon, 28 Aug 2023 18:50:00 -0400 Subject: [PATCH 19/34] fixing the argo issue with OCP dex --- .../ocp4-install-gitops/templates/gitops-argocd.yaml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bootstrap/roles/ocp4-install-gitops/templates/gitops-argocd.yaml.j2 b/bootstrap/roles/ocp4-install-gitops/templates/gitops-argocd.yaml.j2 index 0b3d8b2..b394e0f 100644 --- a/bootstrap/roles/ocp4-install-gitops/templates/gitops-argocd.yaml.j2 
+++ b/bootstrap/roles/ocp4-install-gitops/templates/gitops-argocd.yaml.j2 @@ -34,7 +34,9 @@ spec: enabled: false initialSSHKnownHosts: {} sso: - provider: keycloak + provider: dex + dex: + openShiftOAuth: true applicationSet: resources: limits: @@ -55,8 +57,6 @@ spec: kinds: - TaskRun - PipelineRun - dex: - openShiftOAuth: true ha: enabled: false resources: From c287a00dc13c48c1651790890f76076a506afbdc Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Mon, 28 Aug 2023 18:57:44 -0400 Subject: [PATCH 20/34] updated the readme for the credits --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a93fb2c..2365f7a 100644 --- a/README.md +++ b/README.md @@ -245,4 +245,4 @@ NOTE: This pipeline will fail if you don't [disable the "Fixable Severity at lea # Credits -Big thanks for the [contributors](https://github.com/rcarrata/devsecops-demo/graphs/contributors) and reviews that helped so much in this demo! We grow as we share! +Big thanks for the [contributors](https://github.com/afouladi7/devsecops-demo/graphs/contributors) and reviews that helped so much in this demo! We grow as we share! From 6e9970efcfe457dea2eae8377833cc1512b818e5 Mon Sep 17 00:00:00 2001 From: Jason Kincl Date: Mon, 28 Aug 2023 14:14:33 -0400 Subject: [PATCH 21/34] Removing update to add keycloak for now Using Keycloak breaks the gitops operator as of v1.9.1 --- bootstrap/roles/ocp4-install-gitops/tasks/gitops.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/bootstrap/roles/ocp4-install-gitops/tasks/gitops.yaml b/bootstrap/roles/ocp4-install-gitops/tasks/gitops.yaml index 4968861..38f35f1 100644 --- a/bootstrap/roles/ocp4-install-gitops/tasks/gitops.yaml +++ b/bootstrap/roles/ocp4-install-gitops/tasks/gitops.yaml 
@@ -100,10 +100,6 @@ - name: Patch the CM of Openshift GitOps to add role admin by default command: oc patch cm/argocd-rbac-cm -n openshift-gitops --type=merge -p '{"data":{"policy.default":"role:admin"}}' -- name: Add SSO Keycloak in Openshift GitOps by default - shell: | - oc -n openshift-gitops patch argocd openshift-gitops --type='json' -p='[{"op": "add", "path": "/spec/sso", "value": {"provider": "keycloak"} }]' - - name: Get ArgoCD route kubernetes.core.k8s_info: kind: Route From d171b5bf1f7fdfb9d0cd97d3cc438bd46ba7490d Mon Sep 17 00:00:00 2001 From: Jason Kincl Date: Tue, 5 Sep 2023 14:05:45 -0400 Subject: [PATCH 22/34] Adding Quay to doc and status.sh --- README.md | 4 ++-- status.sh | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2365f7a..5e7c81b 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ DevSecOps CICD pipeline demo using several technologies such as: - [OpenShift Pipelines](https://www.openshift.com/learn/topics/ci-cd) - [OpenShift GitOps](https://www.openshift.com/blog/announcing-openshift-gitops) - [OpenShift Advanced Cluster Security for Kubernetes](https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet) -- [OpenShift Container Registry](https://docs.openshift.com/container-platform/latest/registry/architecture-component-imageregistry.html) +- [Red Hat Quay](https://www.redhat.com/en/resources/quay-datasheet) Vulnerability and configuration management methods included in this demo are the following: 
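Review bot: With the Keycloak task removed, the context line `oc patch cm/argocd-rbac-cm -n openshift-gitops --type=merge -p '{"data":{"policy.default":"role:admin"}}'` is now the effective access policy, and since the ArgoCD CR was switched to Dex with `openShiftOAuth: true` earlier in this series, every user who can log in to the OpenShift cluster lands in Argo CD as a full admin over all applications and clusters it manages. That may be acceptable for a throwaway demo, but it should be deliberate: either keep the default at `role:readonly` and grant admin to a specific OpenShift group through `policy.csv`, e.g. `-p '{"data":{"policy.default":"role:readonly","policy.csv":"g, <admin-group>, role:admin"}}'`, or add a comment above the task stating that cluster-wide Argo admin for all authenticated users is intended. As a side note, `command: oc patch ...` always reports changed; the `kubernetes.core.k8s_info` task that follows shows the role already uses the collection, and `kubernetes.core.k8s` with `merge_type: merge` would make this step idempotent too.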
@@ -41,7 +41,7 @@ On every push to the spring-petclinic git repository on Gogs git server, the fol 1. [Dependency report](docs/Steps.md#dependency-report) from the source code is generated and uploaded to the report server repository. 2. [Unit tests](docs/Steps.md#unit-tests) are executed and in parallel the code is [analyzed by Sonarqube](docs/Steps.md#code-analysis-sonarqube) for anti-patterns. 3. Application is packaged as a JAR and [released to Sonatype Nexus](docs/Steps.md#release-app) snapshot repository -4. A [container image is built](docs/Steps.md#build-image) in DEV environment using S2I, and pushed to OpenShift internal registry, and tagged with spring-petclinic:[branch]-[commit-sha] and spring-petclinic:latest +4. A [container image is built](docs/Steps.md#build-image) in DEV environment using S2I and pushed to local instance of Red Hat Quay tagged with spring-petclinic:[branch]-[commit-sha] and spring-petclinic:latest ## 2. DevSecOps steps using Advanced Cluster Security for Kubernetes diff --git a/status.sh b/status.sh index 6c8ca9d..bcd9ac5 100755 --- a/status.sh +++ b/status.sh @@ -27,3 +27,8 @@ printf "\n## ArgoCD Server - Username/Password: admin/[DEX] ##\n" ARGO=$(oc get route -n openshift-gitops openshift-gitops-server -o jsonpath='{.spec.host}') printf "https://$ARGO" printf "\n" + +printf "\n## Quay Server - Username/Password: quayadmin/quaypass123 ##\n" +QUAY=$(oc get route -n quay-demo demo-registry-quay -o jsonpath='{.spec.host}') +printf "https://$QUAY" +printf "\n" From 996baa818b0d569c3cd676e7533d38422bc4d154 Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Mon, 6 Nov 2023 11:57:36 -0500 Subject: [PATCH 23/34] adding secure route for gogs --- .../roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 | 8 ++++++++ .../files/policies/signed-image-policy.json | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) 
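Review bot: The added `printf "\n## Quay Server - Username/Password: quayadmin/quaypass123 ##\n"` hardcodes the registry admin password in a committed script that echoes it to every terminal that runs it, and the literal will silently drift from the real value if the account is ever created with a different one. Read it from wherever the bootstrap stores it (a Secret or the role's vars) instead of duplicating it here, and print the username with a pointer to that source. Also `printf "https://$QUAY"` places the variable inside the format string; `printf 'https://%s\n' "$QUAY"` is the safe form and removes the separate `printf "\n"` as well.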
diff --git a/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 b/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 index f2a7dc4..04875ff 100644 --- a/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 +++ b/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 @@ -179,7 +179,15 @@ metadata: namespace: cicd spec: to: + kind: Service name: gogs + weight: 100 + port: + targetPort: 3000-tcp + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect + wildcardPolicy: None --- kind: PersistentVolumeClaim apiVersion: v1 diff --git a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json index 3c40625..108ba13 100644 --- a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json +++ b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json @@ -31,7 +31,7 @@ "negate": false, "values": [ { - "value": "io.stackrox.signatureintegration.0de32435-50c6-440f-8f26-96ec3c790bfb" + "value": "io.stackrox.signatureintegration.4464982e-c6df-4e8d-979d-29952a7db0b1" } ] } From 0818aa356c2549a65fe6cec8692bed8c8018a659 Mon Sep 17 00:00:00 2001 From: Chris Mays Date: Mon, 6 Nov 2023 13:26:38 -0800 Subject: [PATCH 24/34] Tell it to ignore cert validation for the gogs url --- bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml b/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml index 7ee6b65..a852537 100644 --- a/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml +++ b/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml @@ -49,6 +49,7 @@ uri: url: http://{{ r_gogs_route.resources[0].spec.host }} status_code: 200 + validate_certs: false register: result until: result.status == 200 retries: 10 From 535ea3685a48ad400b7f06d7a7cb32f775f4fc6f Mon Sep 17 00:00:00 2001 
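Review bot: `validate_certs: false` is added while `url:` still points at `http://{{ r_gogs_route.resources[0].spec.host }}`, so TLS only enters the picture because the `uri` module follows the route's new redirect to HTTPS and then accepts any certificate presented, which lets a misrouted or intercepted endpoint pass as a healthy Gogs. Prefer to address the secure endpoint directly and trust the cluster's own CA: `url: https://{{ r_gogs_route.resources[0].spec.host }}` with `ca_path:` pointing at the file that holds the ingress CA, keeping `validate_certs: false` only as a last resort. If it has to stay, a comment such as `# demo cluster: ingress uses a self-signed cert; do not copy to real environments` makes the trade-off explicit for whoever reuses the role. The task definition begins before this hunk.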
From: afouladi7 Date: Tue, 7 Nov 2023 21:48:11 -0500 Subject: [PATCH 25/34] putting quay and acs on a diet --- .../ocp4-install-acs/templates/central.yml.j2 | 8 ++-- .../templates/cicd-gogs.yaml.j2 | 2 +- .../templates/quayregistry.yaml.j2 | 48 ++++++++++--------- 3 files changed, 31 insertions(+), 27 deletions(-) diff --git a/bootstrap/roles/ocp4-install-acs/templates/central.yml.j2 b/bootstrap/roles/ocp4-install-acs/templates/central.yml.j2 index fdbe94f..fccf5b3 100644 --- a/bootstrap/roles/ocp4-install-acs/templates/central.yml.j2 +++ b/bootstrap/roles/ocp4-install-acs/templates/central.yml.j2 @@ -23,9 +23,9 @@ spec: scanner: analyzer: scaling: - autoScaling: Enabled - maxReplicas: 5 - minReplicas: 2 - replicas: 3 + autoScaling: Disabled + maxReplicas: 1 + minReplicas: 1 + replicas: 1 scannerComponent: Enabled diff --git a/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 b/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 index 04875ff..58efb5e 100644 --- a/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 +++ b/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 @@ -186,7 +186,7 @@ spec: targetPort: 3000-tcp tls: termination: edge - insecureEdgeTerminationPolicy: Redirect + insecureEdgeTerminationPolicy: None wildcardPolicy: None --- kind: PersistentVolumeClaim diff --git a/bootstrap/roles/ocp4-install-quay/templates/quayregistry.yaml.j2 b/bootstrap/roles/ocp4-install-quay/templates/quayregistry.yaml.j2 index 0c74740..febd900 100644 --- a/bootstrap/roles/ocp4-install-quay/templates/quayregistry.yaml.j2 +++ b/bootstrap/roles/ocp4-install-quay/templates/quayregistry.yaml.j2 
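Review bot: Changing `insecureEdgeTerminationPolicy` from `Redirect` to `None` does not relax the route — it disables the plain-HTTP port outright, so every consumer that still addresses Gogs over `http://` (the `APP_SOURCE_GIT`/`APP_MANIFESTS_GIT` defaults in the pipeline and the Ansible readiness probe elsewhere in this series) stops working, and the later patches that strip TLS from the route and disable the readiness loop read like fallout from this change. If HTTP must keep working during the transition, `insecureEdgeTerminationPolicy: Allow` serves both schemes; the previous `Redirect` was already the stricter choice that still let HTTP clients through. Whichever value is kept, move the pipeline defaults to `https://{{ r_gogs_route.resources[0].spec.host }}/...` so the `gogs`/`gogs` push credentials used by `update-deployment` are not sent in clear.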
@@ -6,25 +6,29 @@ metadata: spec: configBundleSecret: quay-config-bundle components: - - managed: true - kind: clair - - managed: true - kind: postgres - - managed: true - kind: objectstorage - - managed: true - kind: redis - - managed: true - kind: horizontalpodautoscaler - - managed: true - kind: route - - managed: true - kind: mirror - - managed: true - kind: monitoring - - managed: true - kind: tls - - managed: true - kind: quay - - managed: true - kind: clairpostgres + - kind: clair + managed: true + overrides: + replicas: 1 + - kind: postgres + managed: true + - kind: objectstorage + managed: true + - kind: redis + managed: true + - kind: horizontalpodautoscaler + managed: false + - kind: route + managed: true + - kind: mirror + managed: false + - kind: tls + managed: true + - kind: quay + managed: true + overrides: + replicas: 1 + - kind: clairpostgres + managed: true + - kind: monitoring + managed: false \ No newline at end of file From 151f96fa78bb7cc4fb8f5faf28ce26439056c30b Mon Sep 17 00:00:00 2001 From: Allen <69975867+afouladi7@users.noreply.github.com> Date: Mon, 13 Nov 2023 10:21:53 -0500 Subject: [PATCH 26/34] Update cicd-gogs.yaml.j2 --- bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 | 3 --- 1 file changed, 3 deletions(-) diff --git a/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 b/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 index 58efb5e..7bf93ed 100644 --- a/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 +++ b/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 @@ -184,9 +184,6 @@ spec: weight: 100 port: targetPort: 3000-tcp - tls: - termination: edge - insecureEdgeTerminationPolicy: None wildcardPolicy: None --- kind: PersistentVolumeClaim From a022d006ca0939425640b41ebc94e3028085225d Mon Sep 17 00:00:00 2001 
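Review bot: Setting the `monitoring` component to `managed: false` drops the Quay operator's managed metrics and alerting for the registry, which in a cluster built to demonstrate image signing and ACS policy enforcement removes the easiest place to see failed or unexpected pushes. If this is purely a resource-saving measure for small lab clusters, record that in the template, e.g. `# monitoring disabled to fit small lab clusters; re-enable where the registry is observed by SOC tooling`, so the setting is not carried into a real environment by accident. The file also ends without a trailing newline (`\ No newline at end of file`); please add one so later diffs stay clean.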
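Review bot: Deleting the `tls` stanza turns the Gogs route back into a plain-HTTP route, so every web login and git push to Gogs — including the basic-auth credentials that the pipeline's `git-update-deployment` task embeds in its remote URL — crosses the cluster ingress in cleartext. If the goal was to unblock callers that still use `http://`, keeping edge termination with a redirect does that without giving up TLS; the three lines to keep are `tls:`, `  termination: edge`, `  insecureEdgeTerminationPolicy: Redirect`. The commit message ("Update cicd-gogs.yaml.j2") gives no reason for the removal; please record one, since this reverses the TLS change made two commits earlier.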
From: Allen <69975867+afouladi7@users.noreply.github.com> Date: Mon, 13 Nov 2023 10:22:27 -0500 Subject: [PATCH 27/34] Update cicd.yaml --- bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml b/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml index a852537..e8c7485 100644 --- a/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml +++ b/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml @@ -51,7 +51,7 @@ status_code: 200 validate_certs: false register: result - until: result.status == 200 + #until: result.status == 200 retries: 10 delay: 30 From 1517216307aebcb1a1d8b6a926c2242e5378faa6 Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Tue, 14 Nov 2023 13:37:25 -0500 Subject: [PATCH 28/34] adding console link for acs --- bootstrap/roles/ocp4-post-acs/templates/acs-console-link.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap/roles/ocp4-post-acs/templates/acs-console-link.yml.j2 b/bootstrap/roles/ocp4-post-acs/templates/acs-console-link.yml.j2 index 9d28b16..7e4eddb 100644 --- a/bootstrap/roles/ocp4-post-acs/templates/acs-console-link.yml.j2 +++ b/bootstrap/roles/ocp4-post-acs/templates/acs-console-link.yml.j2 @@ -4,7 +4,7 @@ metadata: name: acs-console-link spec: applicationMenu: - imageURL: 'https://upload.wikimedia.org/wikipedia/commons/3/3a/OpenShift-LogoType.svg' + imageURL: 'https://upload.wikimedia.org/wikipedia/commons/d/d8/Red_Hat_logo.svg' section: Red Hat Applications href: 'https://{{ f_stackrox_central_addr }}' location: ApplicationMenu From 3831d93bddd623986624589e673c4ab7c290a28e Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Tue, 5 Dec 2023 14:35:06 -0500 Subject: [PATCH 29/34] adding the https for gogs --- bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml | 4 ++-- .../templates/pipeline-build-dev.yaml.j2 | 4 ++-- .../files/policies/signed-image-policy.json | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) 
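Review bot: Commenting out `until: result.status == 200` leaves `retries`/`delay` without a condition to retry on, so this task no longer reliably waits for Gogs: depending on the Ansible version, `retries` without `until` is either forced to 1 or only retries while the module reports failure, and in both cases the readiness check is weaker than before. Since `status_code: 200` already makes the `uri` module fail on any other status, the intended behaviour is simply `until: result.status == 200`, which a later commit in this series reinstates. The task header is outside this hunk.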
diff --git a/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml b/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml index e8c7485..362ae2e 100644 --- a/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml +++ b/bootstrap/roles/ocp4-install-cicd/tasks/cicd.yaml @@ -47,11 +47,11 @@ - name: Wait for gogs and gogs-postgresql to be running uri: - url: http://{{ r_gogs_route.resources[0].spec.host }} + url: https://{{ r_gogs_route.resources[0].spec.host }} status_code: 200 validate_certs: false register: result - #until: result.status == 200 + until: result.status == 200 retries: 10 delay: 30 diff --git a/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-dev.yaml.j2 b/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-dev.yaml.j2 index cf04646..0112b6b 100644 --- a/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-dev.yaml.j2 +++ b/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-dev.yaml.j2 @@ -8,7 +8,7 @@ spec: - name: APP_SOURCE_GIT type: string description: The application git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic + default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic - name: APP_SOURCE_REVISION type: string description: The application git revision @@ -16,7 +16,7 @@ spec: - name: APP_MANIFESTS_GIT type: string description: The application manifests git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config + default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config - name: APP_IMAGE_TAG type: string default: latest diff --git a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json index 108ba13..082e104 100644 --- a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json 
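Review bot: With the probe URL now `https://`, the retained `validate_certs: false` is no longer inert — the playbook accepts whatever certificate the router presents. For a readiness wait the direct impact is limited, but a validated probe is also the cheapest check that the edge route serves a certificate the pipelines and Argo CD will later have to trust, so prefer `validate_certs: true` with `ca_path` set to the cluster ingress CA (the task that extracts it is not part of this patch), or at least leave a comment on the line explaining why validation is off. The task header is outside this hunk.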
+++ b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json @@ -31,7 +31,7 @@ "negate": false, "values": [ { - "value": "io.stackrox.signatureintegration.4464982e-c6df-4e8d-979d-29952a7db0b1" + "value": "io.stackrox.signatureintegration.c6be6131-e7ba-489a-bd9e-9434aa01875b" } ] } From e496fbb2258b9d46a7baf47171f38e0e03256220 Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Tue, 5 Dec 2023 14:45:06 -0500 Subject: [PATCH 30/34] adding the https for gogs --- bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 b/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 index 7bf93ed..58efb5e 100644 --- a/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 +++ b/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 @@ -184,6 +184,9 @@ spec: weight: 100 port: targetPort: 3000-tcp + tls: + termination: edge + insecureEdgeTerminationPolicy: None wildcardPolicy: None --- kind: PersistentVolumeClaim From c053508f014a1c355b77cc80f8eb68af31e7ccbf Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Tue, 5 Dec 2023 15:05:02 -0500 Subject: [PATCH 31/34] adding the https for gogs --- .../roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2 | 2 +- .../roles/ocp4-config-gitops/templates/argocd-app-stage.yaml.j2 | 2 +- .../templates/task-git-update-deployment.yaml.j2 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2 b/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2 index 89ac465..ceea456 100644 --- a/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2 +++ b/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-dev.yaml.j2 
@@ -10,7 +10,7 @@ spec: project: spring-petclinic source: path: environments/dev - repoURL: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config + repoURL: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config targetRevision: HEAD syncPolicy: automated: diff --git a/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-stage.yaml.j2 b/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-stage.yaml.j2 index 40cbf10..330f3e1 100644 --- a/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-stage.yaml.j2 +++ b/bootstrap/roles/ocp4-config-gitops/templates/argocd-app-stage.yaml.j2 @@ -10,7 +10,7 @@ spec: project: spring-petclinic source: path: environments/stage - repoURL: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config + repoURL: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config targetRevision: HEAD syncPolicy: automated: diff --git a/bootstrap/roles/ocp4-install-pipelines/templates/task-git-update-deployment.yaml.j2 b/bootstrap/roles/ocp4-install-pipelines/templates/task-git-update-deployment.yaml.j2 index 6341692..b1411d8 100644 --- a/bootstrap/roles/ocp4-install-pipelines/templates/task-git-update-deployment.yaml.j2 +++ b/bootstrap/roles/ocp4-install-pipelines/templates/task-git-update-deployment.yaml.j2 @@ -67,7 +67,7 @@ spec: # git commit -m "[$(context.pipelineRun.name)] Image digest updated" git commit -m "[ci] Image digest updated" - git remote add auth-origin $(echo $(params.GIT_REPOSITORY) | sed -E "s#http://(.*)#http://$(params.GIT_USERNAME):$(params.GIT_PASSWORD)@\1#g") + git remote add auth-origin $(echo $(params.GIT_REPOSITORY) | sed -E "s#https://(.*)#https://$(params.GIT_USERNAME):$(params.GIT_PASSWORD)@\1#g") git push auth-origin master RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')" From dea453c8ffb9ccf3398edac1ae670f6a8611e447 Mon Sep 17 00:00:00 2001 
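Review bot: Switching `repoURL` to `https://` means the Argo CD repo-server must now trust the certificate the Gogs edge route presents; with the router's default certificate, which is usually not signed by a CA in the repo-server's trust store, syncs will fail TLS verification unless the CA is added or verification is disabled. The right fix is to add the ingress CA for the Gogs host to the `argocd-tls-certs-cm` ConfigMap (or the ArgoCD CR's TLS CA setting) rather than marking the repository credential `insecure`, which would keep the scheme change but remove the protection it buys. Neither is visible in this patch, so please confirm which one the `ocp4-config-gitops` role does.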
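Review bot: The `sed` rewrite embeds `$(params.GIT_USERNAME):$(params.GIT_PASSWORD)` in the remote URL, so the credentials are written to `.git/config` in the workspace and appear in git's own error output (for example on a rejected push), and any password containing `#`, `&` or `/` breaks the substitution. The pattern also only matches `https://`; a `GIT_REPOSITORY` still using `http://` silently yields an unauthenticated `auth-origin` and the push fails for the wrong reason. A credential helper keeps the secret out of the URL and works for either scheme; the rewritten lines are below. If the password may contain a single quote, pass both values through the step's `env:` and reference `$GIT_USERNAME`/`$GIT_PASSWORD` inside the helper instead of substituting params into the quoted string. The step's `script` block starts and ends outside this hunk.
```yaml
# … unchanged: git commit -m "[ci] Image digest updated" …
# Feed credentials to git through a helper instead of embedding them in the
# remote URL, so they are not persisted in .git/config or echoed in errors.
git config credential.helper '!f() { echo "username=$(params.GIT_USERNAME)"; echo "password=$(params.GIT_PASSWORD)"; }; f'
git push "$(params.GIT_REPOSITORY)" master
# … unchanged: RESULT_SHA …
```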
From: afouladi7 Date: Wed, 6 Dec 2023 18:27:11 -0500 Subject: [PATCH 32/34] adding the https for gogs --- .../templates/pipeline-build-stage.yaml.j2 | 4 ++-- .../files/policies/signed-image-policy.json | 2 +- .../ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 | 4 ++-- .../templates/pipeline-build-stage.yaml.j2 | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-stage.yaml.j2 b/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-stage.yaml.j2 index 8468cb3..672a32a 100644 --- a/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-stage.yaml.j2 +++ b/bootstrap/roles/ocp4-install-pipelines/templates/pipeline-build-stage.yaml.j2 @@ -8,7 +8,7 @@ spec: - name: APP_SOURCE_GIT type: string description: The application git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic + default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic - name: APP_SOURCE_REVISION type: string description: The application git revision @@ -16,7 +16,7 @@ spec: - name: APP_MANIFESTS_GIT type: string description: The application manifests git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config + default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config - name: APP_IMAGE_TAG type: string default: latest diff --git a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json index 082e104..ff7c5a7 100644 --- a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json +++ b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json 
@@ -31,7 +31,7 @@ "negate": false, "values": [ { - "value": "io.stackrox.signatureintegration.c6be6131-e7ba-489a-bd9e-9434aa01875b" + "value": "io.stackrox.signatureintegration.f2932e3b-9290-48ff-9112-5652537a9737" } ] } diff --git a/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 b/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 index ba50586..8bea7d4 100644 --- a/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 +++ b/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-dev.yaml.j2 @@ -5,7 +5,7 @@ metadata: namespace: cicd spec: params: - - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic + - default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic description: The application git repository name: APP_SOURCE_GIT type: string @@ -13,7 +13,7 @@ spec: description: The application git revision name: APP_SOURCE_REVISION type: string - - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config + - default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config description: The application manifests git repository name: APP_MANIFESTS_GIT type: string diff --git a/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-stage.yaml.j2 b/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-stage.yaml.j2 index f056670..08154ec 100644 --- a/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-stage.yaml.j2 +++ b/bootstrap/roles/ocp4-install-signing/templates/pipeline-build-stage.yaml.j2 @@ -8,7 +8,7 @@ spec: - name: APP_SOURCE_GIT type: string description: The application git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic + default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic - name: APP_SOURCE_REVISION type: string description: The application git revision 
@@ -16,7 +16,7 @@ spec: - name: APP_MANIFESTS_GIT type: string description: The application manifests git repository - default: http://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config + default: https://{{ r_gogs_route.resources[0].spec.host }}/gogs/spring-petclinic-config - name: APP_IMAGE_TAG type: string default: latest From 9576f1ea8a4634a88ae403357dfc44b20d246f0c Mon Sep 17 00:00:00 2001 From: afouladi7 Date: Thu, 7 Dec 2023 15:58:18 -0500 Subject: [PATCH 33/34] adding the https for gogs --- bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 | 2 +- .../files/policies/signed-image-policy.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 b/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 index 58efb5e..3f65319 100644 --- a/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 +++ b/bootstrap/roles/ocp4-install-cicd/templates/cicd-gogs.yaml.j2 @@ -186,7 +186,7 @@ spec: targetPort: 3000-tcp tls: termination: edge - insecureEdgeTerminationPolicy: None + insecureEdgeTerminationPolicy: Allow wildcardPolicy: None --- kind: PersistentVolumeClaim diff --git a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json index ff7c5a7..a88ec2c 100644 --- a/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json +++ b/bootstrap/roles/ocp4-install-signing/files/policies/signed-image-policy.json @@ -31,7 +31,7 @@ "negate": false, "values": [ { - "value": "io.stackrox.signatureintegration.f2932e3b-9290-48ff-9112-5652537a9737" + "value": "io.stackrox.signatureintegration.11eafb0b-9c98-4639-98e0-46e124bd912e" } ] } From 309d51543216f03d9671845399b7d0436325ca3c Mon Sep 17 00:00:00 2001 
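Review bot: `insecureEdgeTerminationPolicy: Allow` makes the router serve Gogs over plain HTTP as well as HTTPS, so although the commit is titled "adding the https for gogs", this hunk reintroduces cleartext access: any client or pipeline parameter left at `http://` will log in and push credentials unencrypted, and nothing steers it to TLS. `Redirect` is the policy that keeps `http://` URLs working while refusing to carry traffic in the clear; change the line to `insecureEdgeTerminationPolicy: Redirect`. If `Allow` was needed because some git client cannot validate the router certificate, the fix belongs in that client's trust store, not on the route.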
From: Allen <69975867+afouladi7@users.noreply.github.com> Date: Mon, 29 Jul 2024 21:58:03 -0400 Subject: [PATCH 34/34] Update quay-subscription.yaml.j2 --- .../roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 b/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 index cc55460..a587e44 100644 --- a/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 +++ b/bootstrap/roles/ocp4-install-quay/templates/quay-subscription.yaml.j2 @@ -4,7 +4,7 @@ metadata: name: quay-operator namespace: openshift-operators spec: - channel: stable-3.9 + channel: stable-3.12 installPlanApproval: Automatic name: quay-operator source: redhat-operators