Add jira integration and separate pipelines.

2023-07-31-acs-workflows/README.org

@@ -15,6 +15,9 @@ For this demo I have an OpenShift ~4.12.12~ cluster running on AWS provisioned t
 
 #+NAME: Check oc status
 #+begin_src bash :results silent
+export $(cat .env)
+
+oc login --token="${openshift_token}" --server="${openshift_apiserver}" --insecure-skip-tls-verify=true
 oc version | grep Server
 oc status
 #+end_src
@@ -126,11 +129,16 @@ spec:
         container:
           image: quay.io/devfile/universal-developer-image:latest
     commands:
-      - id: install-roxctl
+      - id: build
         exec:
           component: dev
-          commandLine: curl -O https://mirror.openshift.com/pub/rhacs/assets/4.1.2/bin/Linux/roxctl && chmod +x roxctl
-          workingDir: ${PROJECT_SOURCE}
+          commandLine: make build
+          workingDir: ${PROJECT_SOURCE}/2023-07-31-acs-workflows/guestbook/
+      - id: test
+        exec:
+          component: dev
+          commandLine: make test
+          workingDir: ${PROJECT_SOURCE}/2023-07-31-acs-workflows/guestbook/
   contributions:
     - name: che-code
       uri: https://eclipse-che.github.io/che-plugin-registry/main/v3/plugins/che-incubator/che-code/latest/devfile.yaml
@@ -156,7 +164,7 @@ export $(cat .env)
 curl -v "https://${rox_central_endpoint}/v1/imageintegrations" \
   --user "admin:${rox_admin_password}" \
   --header 'content-type: application/json' \
-  --data-raw '{"id":"","name":"ocp-internal","categories":["REGISTRY"],"docker":{"endpoint":"image-registry.openshift-image-registry.svc:5000","username":"opentlc-mgr","password":"$(oc whoami --show-token)","insecure":true},"autogenerated":false,"clusterId":"","clusters":[],"skipTestIntegration":false,"type":"docker"}' \
+  --data-raw '{"id":"","name":"ocp-internal","categories":["REGISTRY"],"docker":{"endpoint":"image-registry.openshift-image-registry.svc:5000","username":"opentlc-mgr","password":"'"$(oc whoami --show-token)"'","insecure":true},"autogenerated":false,"clusterId":"","clusters":[],"skipTestIntegration":false,"type":"docker"}' \
   --insecure
 #+end_src
 
@@ -180,5 +188,28 @@ oc create secret generic roxsecrets \
     --dry-run=client --output=yaml \
     | oc apply --filename -
 
-oc apply --filename guestbook/manifests
+oc apply --filename guestbook/manifests/imagestream.yaml
+oc apply --filename guestbook/manifests/build-pipeline.yaml
+oc apply --filename guestbook/manifests/deploy-pipeline.yaml
+oc apply --filename guestbook/manifests/build-pipelinerun.yaml
 #+end_src
+
+
+** Add jira integration
+
+To help reduce manual burden for security teams we can automate the process of creating jira issues for teams by adding a jira integration.
+
+For jira we can use the ~notifiers~ api to add the new integration, note the payload inclusion of project, issue types and priority mappings:
+
+#+begin_src bash :results silent
+export $(cat .env)
+
+curl "https://${rox_central_endpoint}/v1/notifiers" \
+  --user "admin:${rox_admin_password}" \
+  -H 'content-type: application/json' \
+  --data-raw '{"id":"","name":"jira-cloud","jira":{"username":"'"${jira_username}"'","password":"'"${jira_api_token}:"'","issueType":"Task","url":"https://jablairdemo.atlassian.net","priorityMappings":[{"severity":"CRITICAL_SEVERITY","priorityName":"Highest"},{"severity":"HIGH_SEVERITY","priorityName":"High"},{"severity":"MEDIUM_SEVERITY","priorityName":"Medium"},{"severity":"LOW_SEVERITY","priorityName":"Low"}],"defaultFieldsJson":""},"labelDefault":"DEV","labelKey":"","uiEndpoint":"https://central-stackrox.apps.cluster-7228t.7228t.sandbox2400.opentlc.com","type":"jira"}' \
+  --insecure
+#+end_src
+
+
+Once a jira integration has been created this can then be attached to specific policies.

2023-07-31-acs-workflows/guestbook/Dockerfile

@@ -4,7 +4,7 @@ COPY go.mod /guestbook/
 COPY go.sum /guestbook/
 RUN cd /guestbook && go build
 
-FROM docker.io/ubuntu:jammy-20230522
+FROM docker.io/ubuntu:jammy-20221130
 
 COPY --from=builder /guestbook/guestbook /app/guestbook
 

2023-07-31-acs-workflows/guestbook/Makefile

@@ -0,0 +1,6 @@
+# Build the guestbook example
+
+all: build
+
+build:
+	go build

2023-07-31-acs-workflows/guestbook/manifests/build-pipeline.yaml

@@ -8,7 +8,7 @@ metadata:
     operator.tekton.dev/operand-name: openshift-pipelines-addons
     pipeline.openshift.io/strategy: docker
     pipeline.openshift.io/type: kubernetes
-  name: guestbook
+  name: guestbook-build
   namespace: guestbook
 spec:
   params:
@@ -88,14 +88,5 @@ spec:
       taskRef:
         kind: ClusterTask
         name: rox-image-check
-    - name: deploy
-      params:
-        - name: SCRIPT
-          value: oc rollout status deploy/$(params.APP_NAME)
-      runAfter:
-        - image-check
-      taskRef:
-        kind: ClusterTask
-        name: openshift-client
   workspaces:
     - name: workspace

2023-07-31-acs-workflows/guestbook/manifests/build-pipelinerun.yaml

@@ -10,7 +10,7 @@ metadata:
     operator.tekton.dev/operand-name: openshift-pipelines-addons
     pipeline.openshift.io/strategy: docker
     pipeline.openshift.io/type: kubernetes
-    tekton.dev/pipeline: guestbook
+    tekton.dev/pipeline: guestbook-build
 spec:
   params:
     - name: APP_NAME
@@ -24,7 +24,7 @@ spec:
     - name: PATH_CONTEXT
       value: 2023-07-31-acs-workflows/guestbook
   pipelineRef:
-    name: guestbook
+    name: guestbook-build
   serviceAccountName: pipeline
   timeout: 1h0m0s
   workspaces:

2023-07-31-acs-workflows/guestbook/manifests/deploy-pipeline.yaml

@@ -0,0 +1,67 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  labels:
+    app.kubernetes.io/instance: guestbook
+    app.kubernetes.io/name: guestbook
+    operator.tekton.dev/operand-name: openshift-pipelines-addons
+    pipeline.openshift.io/strategy: docker
+    pipeline.openshift.io/type: kubernetes
+  name: guestbook-deploy
+  namespace: guestbook
+spec:
+  params:
+    - default: guestbook
+      name: APP_NAME
+      type: string
+    - default: 'https://github.com/jmhbnz/talks.git'
+      name: GIT_REPO
+      type: string
+    - default: main
+      name: GIT_REVISION
+      type: string
+    - default: 'image-registry.openshift-image-registry.svc:5000/guestbook/guestbook'
+      name: IMAGE_NAME
+      type: string
+    - default: 2023-07-31-acs-workflows/guestbook
+      name: PATH_CONTEXT
+      type: string
+  tasks:
+    - name: image-scan
+      params:
+        - name: image
+          value: image-registry.openshift-image-registry.svc:5000/guestbook/guestbook
+        - name: rox_api_token
+          value: roxsecrets
+        - name: rox_central_endpoint
+          value: roxsecrets
+        - name: output_format
+          value: json
+      taskRef:
+        kind: ClusterTask
+        name: rox-image-scan
+    - name: image-check
+      params:
+        - name: image
+          value: image-registry.openshift-image-registry.svc:5000/guestbook/guestbook
+        - name: rox_api_token
+          value: roxsecrets
+        - name: rox_central_endpoint
+          value: roxsecrets
+      runAfter:
+        - image-scan
+      taskRef:
+        kind: ClusterTask
+        name: rox-image-check
+    - name: deploy
+      params:
+        - name: SCRIPT
+          value: oc rollout status deploy/$(params.APP_NAME)
+      runAfter:
+        - image-check
+      taskRef:
+        kind: ClusterTask
+        name: openshift-client
+  workspaces:
+    - name: workspace