From 5f961c203fb998d9eaf828d916ae992b5a2c957b Mon Sep 17 00:00:00 2001
From: James Blair
Date: Mon, 31 Jul 2023 09:56:05 +1200
Subject: [PATCH] Add jira integration and separate pipelines.
---
 2023-07-31-acs-workflows/README.org | 41 ++++++++++--
 2023-07-31-acs-workflows/guestbook/Dockerfile | 2 +-
 2023-07-31-acs-workflows/guestbook/Makefile | 6 ++
 .../{pipeline.yaml => build-pipeline.yaml} | 11 +--
 ...ipelinerun.yaml => build-pipelinerun.yaml} | 4 +-
 .../guestbook/manifests/deploy-pipeline.yaml | 67 +++++++++++++++++++
 6 files changed, 113 insertions(+), 18 deletions(-)
 create mode 100644 2023-07-31-acs-workflows/guestbook/Makefile
 rename 2023-07-31-acs-workflows/guestbook/manifests/{pipeline.yaml => build-pipeline.yaml} (90%)
 rename 2023-07-31-acs-workflows/guestbook/manifests/{pipelinerun.yaml => build-pipelinerun.yaml} (94%)
 create mode 100644 2023-07-31-acs-workflows/guestbook/manifests/deploy-pipeline.yaml
diff --git a/2023-07-31-acs-workflows/README.org b/2023-07-31-acs-workflows/README.org
index 0ed80f6..2c3d938 100644
--- a/2023-07-31-acs-workflows/README.org
+++ b/2023-07-31-acs-workflows/README.org
@@ -15,6 +15,9 @@ For this demo I have an OpenShift ~4.12.12~ cluster running on AWS provisioned t
 #+NAME: Check oc status
 #+begin_src bash :results silent
+export $(cat .env)
+
+oc login --token="${openshift_token}" --server="${openshift_apiserver}" --insecure-skip-tls-verify=true
 oc version | grep Server
 oc status
 #+end_src
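Review bot: The added `oc login` line passes `${openshift_token}` with `--insecure-skip-tls-verify=true`, so the API server's certificate is never checked and the token is handed to whatever answers at `${openshift_apiserver}`. Verify the endpoint instead, e.g. `oc login --token="${openshift_token}" --server="${openshift_apiserver}" --certificate-authority=<path-to-cluster-ca-bundle>`, and if the flag has to stay for this sandbox cluster say so in a sentence above the block. `export $(cat .env)` also word-splits any value that contains spaces; `set -a; source .env; set +a` loads the file without that problem.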
@@ -126,11 +129,16 @@ spec:
 container:
 image: quay.io/devfile/universal-developer-image:latest
 commands:
- - id: install-roxctl
+ - id: build
 exec:
 component: dev
- commandLine: curl -O https://mirror.openshift.com/pub/rhacs/assets/4.1.2/bin/Linux/roxctl && chmod +x roxctl
- workingDir: ${PROJECT_SOURCE}
+ commandLine: make build
+ workingDir: ${PROJECT_SOURCE}/2023-07-31-acs-workflows/guestbook/
+ - id: test
+ exec:
+ component: dev
+ commandLine: make test
+ workingDir: ${PROJECT_SOURCE}/2023-07-31-acs-workflows/guestbook/
 contributions:
 - name: che-code
 uri: https://eclipse-che.github.io/che-plugin-registry/main/v3/plugins/che-incubator/che-code/latest/devfile.yaml
@@ -156,7 +164,7 @@ export $(cat .env)
 curl -v "https://${rox_central_endpoint}/v1/imageintegrations" \
 --user "admin:${rox_admin_password}" \
 --header 'content-type: application/json' \
- --data-raw '{"id":"","name":"ocp-internal","categories":["REGISTRY"],"docker":{"endpoint":"image-registry.openshift-image-registry.svc:5000","username":"opentlc-mgr","password":"$(oc whoami --show-token)","insecure":true},"autogenerated":false,"clusterId":"","clusters":[],"skipTestIntegration":false,"type":"docker"}' \
+ --data-raw '{"id":"","name":"ocp-internal","categories":["REGISTRY"],"docker":{"endpoint":"image-registry.openshift-image-registry.svc:5000","username":"opentlc-mgr","password":"'"$(oc whoami --show-token)"'","insecure":true},"autogenerated":false,"clusterId":"","clusters":[],"skipTestIntegration":false,"type":"docker"}' \
 --insecure
 #+end_src
@@ -180,5 +188,28 @@ oc create secret generic roxsecrets \
 --dry-run=client --output=yaml \
 | oc apply --filename -
-oc apply --filename guestbook/manifests
+oc apply --filename guestbook/manifests/imagestream.yaml
+oc apply --filename guestbook/manifests/build-pipeline.yaml
+oc apply --filename guestbook/manifests/deploy-pipeline.yaml
+oc apply --filename guestbook/manifests/build-pipelinerun.yaml
 #+end_src
+
+
+** Add jira integration
+
+To help reduce manual burden for security teams we can automate the process of creating jira issues for teams by adding a jira integration.
+
+For jira we can use the ~notifiers~ api to add the new integration, note the payload inclusion of project, issue types and priority mappings:
+
+#+begin_src bash :results silent
+export $(cat .env)
+
+curl "https://${rox_central_endpoint}/v1/notifiers" \
+ --user "admin:${rox_admin_password}" \
+ -H 'content-type: application/json' \
+ --data-raw '{"id":"","name":"jira-cloud","jira":{"username":"'"${jira_username}"'","password":"'"${jira_api_token}:"'","issueType":"Task","url":"https://jablairdemo.atlassian.net","priorityMappings":[{"severity":"CRITICAL_SEVERITY","priorityName":"Highest"},{"severity":"HIGH_SEVERITY","priorityName":"High"},{"severity":"MEDIUM_SEVERITY","priorityName":"Medium"},{"severity":"LOW_SEVERITY","priorityName":"Low"}],"defaultFieldsJson":""},"labelDefault":"DEV","labelKey":"","uiEndpoint":"https://central-stackrox.apps.cluster-7228t.7228t.sandbox2400.opentlc.com","type":"jira"}' \
+ --insecure
+#+end_src
+
+
+Once a jira integration has been created this can then be attached to specific policies.
diff --git a/2023-07-31-acs-workflows/guestbook/Dockerfile b/2023-07-31-acs-workflows/guestbook/Dockerfile
index 841054b..6612c40 100644
--- a/2023-07-31-acs-workflows/guestbook/Dockerfile
+++ b/2023-07-31-acs-workflows/guestbook/Dockerfile
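Review bot: The new notifier payload hard-codes `url` to one Atlassian site and `uiEndpoint` to one sandbox cluster hostname while the credentials beside them come from `.env`, so the block only works for this single environment; read both from `.env` the same way (for example `"url":"'"${jira_url}"'"` with a constructed `jira_url` variable) so it matches the surrounding blocks. The `password` field is assembled as `"'"${jira_api_token}:"'"`, which appends a literal colon to the token — presumably unintended, so confirm against what Central expects before this is copied elsewhere. As in the earlier `imageintegrations` block, `--insecure` sends the Central admin password and the Jira token over a connection whose certificate is not verified; pointing curl at the Central CA with `--cacert <central-ca-file>` would remove that exposure.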
@@ -4,7 +4,7 @@ COPY go.mod /guestbook/
 COPY go.sum /guestbook/
 RUN cd /guestbook && go build
-FROM docker.io/ubuntu:jammy-20230522
+FROM docker.io/ubuntu:jammy-20221130
 COPY --from=builder /guestbook/guestbook /app/guestbook
diff --git a/2023-07-31-acs-workflows/guestbook/Makefile b/2023-07-31-acs-workflows/guestbook/Makefile
new file mode 100644
index 0000000..4ca185a
--- /dev/null
+++ b/2023-07-31-acs-workflows/guestbook/Makefile
@@ -0,0 +1,6 @@
+# Build the guestbook example
+
+all: build
+
+build:
+ go build
diff --git a/2023-07-31-acs-workflows/guestbook/manifests/pipeline.yaml b/2023-07-31-acs-workflows/guestbook/manifests/build-pipeline.yaml
similarity index 90%
rename from 2023-07-31-acs-workflows/guestbook/manifests/pipeline.yaml
rename to 2023-07-31-acs-workflows/guestbook/manifests/build-pipeline.yaml
index 51350d8..f64579a 100644
--- a/2023-07-31-acs-workflows/guestbook/manifests/pipeline.yaml
+++ b/2023-07-31-acs-workflows/guestbook/manifests/build-pipeline.yaml
@@ -8,7 +8,7 @@ metadata:
 operator.tekton.dev/operand-name: openshift-pipelines-addons
 pipeline.openshift.io/strategy: docker
 pipeline.openshift.io/type: kubernetes
- name: guestbook
+ name: guestbook-build
 namespace: guestbook
 spec:
 params:
@@ -88,14 +88,5 @@ spec:
 taskRef:
 kind: ClusterTask
 name: rox-image-check
- - name: deploy
- params:
- - name: SCRIPT
- value: oc rollout status deploy/$(params.APP_NAME)
- runAfter:
- - image-check
- taskRef:
- kind: ClusterTask
- name: openshift-client
 workspaces:
 - name: workspace
diff --git a/2023-07-31-acs-workflows/guestbook/manifests/pipelinerun.yaml b/2023-07-31-acs-workflows/guestbook/manifests/build-pipelinerun.yaml
similarity index 94%
rename from 2023-07-31-acs-workflows/guestbook/manifests/pipelinerun.yaml
rename to 2023-07-31-acs-workflows/guestbook/manifests/build-pipelinerun.yaml
index b3987ca..4c3f549 100644
--- a/2023-07-31-acs-workflows/guestbook/manifests/pipelinerun.yaml
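Review bot: The runtime base image pin moves backwards, from `jammy-20230522` to `jammy-20221130`, and nothing in the hunk or the commit message says why; the date-stamped tags suggest the final image now ships an older Ubuntu snapshot that is missing fixes published since. If this is deliberate so the `rox-image-scan` task has findings to demonstrate, record that next to the line: `# Intentionally pinned to an older snapshot so the ACS image scan has findings to show`. Otherwise keep the newer tag, since the build stage outside this hunk is unchanged and the downgrade only affects the shipped image.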
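Review bot: The new Makefile defines only `all` and `build`, but the devfile command added in the README hunk (`commandLine: make test` with `workingDir` pointing at this directory) invokes a `test` target that does not exist, so that command fails with a missing-target error. Add the target, e.g. `test:` followed by a tab-indented `go test ./...`, and declare `.PHONY: all build test` so make never mistakes a file of that name for an up-to-date target.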
+++ b/2023-07-31-acs-workflows/guestbook/manifests/build-pipelinerun.yaml
@@ -10,7 +10,7 @@ metadata:
 operator.tekton.dev/operand-name: openshift-pipelines-addons
 pipeline.openshift.io/strategy: docker
 pipeline.openshift.io/type: kubernetes
- tekton.dev/pipeline: guestbook
+ tekton.dev/pipeline: guestbook-build
 spec:
 params:
 - name: APP_NAME
@@ -24,7 +24,7 @@ spec:
 - name: PATH_CONTEXT
 value: 2023-07-31-acs-workflows/guestbook
 pipelineRef:
- name: guestbook
+ name: guestbook-build
 serviceAccountName: pipeline
 timeout: 1h0m0s
 workspaces:
diff --git a/2023-07-31-acs-workflows/guestbook/manifests/deploy-pipeline.yaml b/2023-07-31-acs-workflows/guestbook/manifests/deploy-pipeline.yaml
new file mode 100644
index 0000000..3e7b32d
--- /dev/null
+++ b/2023-07-31-acs-workflows/guestbook/manifests/deploy-pipeline.yaml
@@ -0,0 +1,67 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ labels:
+ app.kubernetes.io/instance: guestbook
+ app.kubernetes.io/name: guestbook
+ operator.tekton.dev/operand-name: openshift-pipelines-addons
+ pipeline.openshift.io/strategy: docker
+ pipeline.openshift.io/type: kubernetes
+ name: guestbook-deploy
+ namespace: guestbook
+spec:
+ params:
+ - default: guestbook
+ name: APP_NAME
+ type: string
+ - default: 'https://github.com/jmhbnz/talks.git'
+ name: GIT_REPO
+ type: string
+ - default: main
+ name: GIT_REVISION
+ type: string
+ - default: 'image-registry.openshift-image-registry.svc:5000/guestbook/guestbook'
+ name: IMAGE_NAME
+ type: string
+ - default: 2023-07-31-acs-workflows/guestbook
+ name: PATH_CONTEXT
+ type: string
+ tasks:
+ - name: image-scan
+ params:
+ - name: image
+ value: image-registry.openshift-image-registry.svc:5000/guestbook/guestbook
+ - name: rox_api_token
+ value: roxsecrets
+ - name: rox_central_endpoint
+ value: roxsecrets
+ - name: output_format
+ value: json
+ taskRef:
+ kind: ClusterTask
+ name: rox-image-scan
+ - name: image-check
+ params:
+ - name: image
+ value: image-registry.openshift-image-registry.svc:5000/guestbook/guestbook
+ - name: rox_api_token
+ value: roxsecrets
+ - name: rox_central_endpoint
+ value: roxsecrets
+ runAfter:
+ - image-scan
+ taskRef:
+ kind: ClusterTask
+ name: rox-image-check
+ - name: deploy
+ params:
+ - name: SCRIPT
+ value: oc rollout status deploy/$(params.APP_NAME)
+ runAfter:
+ - image-check
+ taskRef:
+ kind: ClusterTask
+ name: openshift-client
+ workspaces:
+ - name: workspace
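Review bot: The `image` param of both `image-scan` and `image-check` hard-codes `image-registry.openshift-image-registry.svc:5000/guestbook/guestbook` even though the pipeline declares an `IMAGE_NAME` param with exactly that default, so overriding the param at run time changes nothing; both `value:` lines should read `value: $(params.IMAGE_NAME)`. `GIT_REPO`, `GIT_REVISION`, `PATH_CONTEXT` and the `workspace` workspace are declared but referenced by no task in this file, so either drop them or add a comment saying which caller supplies them. Because the image is addressed by tag rather than digest, the image that `rox-image-check` admits is not guaranteed to be the one `oc rollout status` then waits on if the tag is pushed again in between; resolving the digest once and passing it to all three tasks would close that gap.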