Add jira integration and separate pipelines.

2023-07-31 09:56:05 +12:00
parent c0ecafdcbc
commit 5f961c203f
6 changed files with 113 additions and 18 deletions
--- a/2023-07-31-acs-workflows/README.org
+++ b/2023-07-31-acs-workflows/README.org
@ -15,6 +15,9 @@ For this demo I have an OpenShift ~4.12.12~ cluster running on AWS provisioned t

 #+NAME: Check oc status
 #+begin_src bash :results silent
+export $(cat .env)
+
+oc login --token="${openshift_token}" --server="${openshift_apiserver}" --insecure-skip-tls-verify=true
 oc version | grep Server
 oc status
 #+end_src
@ -126,11 +129,16 @@ spec:
        container:
          image: quay.io/devfile/universal-developer-image:latest
    commands:
-      - id: install-roxctl
+      - id: build
        exec:
          component: dev
-          commandLine: curl -O https://mirror.openshift.com/pub/rhacs/assets/4.1.2/bin/Linux/roxctl && chmod +x roxctl
-          workingDir: ${PROJECT_SOURCE}
+          commandLine: make build
+          workingDir: ${PROJECT_SOURCE}/2023-07-31-acs-workflows/guestbook/
+      - id: test
+        exec:
+          component: dev
+          commandLine: make test
+          workingDir: ${PROJECT_SOURCE}/2023-07-31-acs-workflows/guestbook/
  contributions:
    - name: che-code
      uri: https://eclipse-che.github.io/che-plugin-registry/main/v3/plugins/che-incubator/che-code/latest/devfile.yaml
@ -156,7 +164,7 @@ export $(cat .env)
 curl -v "https://${rox_central_endpoint}/v1/imageintegrations" \
  --user "admin:${rox_admin_password}" \
  --header 'content-type: application/json' \
-  --data-raw '{"id":"","name":"ocp-internal","categories":["REGISTRY"],"docker":{"endpoint":"image-registry.openshift-image-registry.svc:5000","username":"opentlc-mgr","password":"$(oc whoami --show-token)","insecure":true},"autogenerated":false,"clusterId":"","clusters":[],"skipTestIntegration":false,"type":"docker"}' \
+  --data-raw '{"id":"","name":"ocp-internal","categories":["REGISTRY"],"docker":{"endpoint":"image-registry.openshift-image-registry.svc:5000","username":"opentlc-mgr","password":"'"$(oc whoami --show-token)"'","insecure":true},"autogenerated":false,"clusterId":"","clusters":[],"skipTestIntegration":false,"type":"docker"}' \
  --insecure
 #+end_src

@ -180,5 +188,28 @@ oc create secret generic roxsecrets \
    --dry-run=client --output=yaml \
    | oc apply --filename -

-oc apply --filename guestbook/manifests
+oc apply --filename guestbook/manifests/imagestream.yaml
+oc apply --filename guestbook/manifests/build-pipeline.yaml
+oc apply --filename guestbook/manifests/deploy-pipeline.yaml
+oc apply --filename guestbook/manifests/build-pipelinerun.yaml
 #+end_src
+
+
+** Add jira integration
+
+To help reduce manual burden for security teams we can automate the process of creating jira issues for teams by adding a jira integration.
+
+For jira we can use the ~notifiers~ api to add the new integration, note the payload inclusion of project, issue types and priority mappings:
+
+#+begin_src bash :results silent
+export $(cat .env)
+
+curl "https://${rox_central_endpoint}/v1/notifiers" \
+  --user "admin:${rox_admin_password}" \
+  -H 'content-type: application/json' \
+  --data-raw '{"id":"","name":"jira-cloud","jira":{"username":"'"${jira_username}"'","password":"'"${jira_api_token}:"'","issueType":"Task","url":"https://jablairdemo.atlassian.net","priorityMappings":[{"severity":"CRITICAL_SEVERITY","priorityName":"Highest"},{"severity":"HIGH_SEVERITY","priorityName":"High"},{"severity":"MEDIUM_SEVERITY","priorityName":"Medium"},{"severity":"LOW_SEVERITY","priorityName":"Low"}],"defaultFieldsJson":""},"labelDefault":"DEV","labelKey":"","uiEndpoint":"https://central-stackrox.apps.cluster-7228t.7228t.sandbox2400.opentlc.com","type":"jira"}' \
+  --insecure
+#+end_src
+
+
+Once a jira integration has been created this can then be attached to specific policies.
--- a/2023-07-31-acs-workflows/guestbook/Dockerfile
+++ b/2023-07-31-acs-workflows/guestbook/Dockerfile
@ -4,7 +4,7 @@ COPY go.mod /guestbook/
 COPY go.sum /guestbook/
 RUN cd /guestbook && go build

-FROM docker.io/ubuntu:jammy-20230522
+FROM docker.io/ubuntu:jammy-20221130

 COPY --from=builder /guestbook/guestbook /app/guestbook

--- a/2023-07-31-acs-workflows/guestbook/Makefile
+++ b/2023-07-31-acs-workflows/guestbook/Makefile
@ -0,0 +1,6 @@
+# Build the guestbook example
+
+all: build
+
+build:
+	go build
--- a/2023-07-31-acs-workflows/guestbook/manifests/build-pipeline.yaml
+++ b/2023-07-31-acs-workflows/guestbook/manifests/build-pipeline.yaml
@ -8,7 +8,7 @@ metadata:
    operator.tekton.dev/operand-name: openshift-pipelines-addons
    pipeline.openshift.io/strategy: docker
    pipeline.openshift.io/type: kubernetes
-  name: guestbook
+  name: guestbook-build
  namespace: guestbook
 spec:
  params:
@ -88,14 +88,5 @@ spec:
      taskRef:
        kind: ClusterTask
        name: rox-image-check
-    - name: deploy
-      params:
-        - name: SCRIPT
-          value: oc rollout status deploy/$(params.APP_NAME)
-      runAfter:
-        - image-check
-      taskRef:
-        kind: ClusterTask
-        name: openshift-client
  workspaces:
    - name: workspace
--- a/2023-07-31-acs-workflows/guestbook/manifests/build-pipelinerun.yaml
+++ b/2023-07-31-acs-workflows/guestbook/manifests/build-pipelinerun.yaml
@ -10,7 +10,7 @@ metadata:
    operator.tekton.dev/operand-name: openshift-pipelines-addons
    pipeline.openshift.io/strategy: docker
    pipeline.openshift.io/type: kubernetes
-    tekton.dev/pipeline: guestbook
+    tekton.dev/pipeline: guestbook-build
 spec:
  params:
    - name: APP_NAME
@ -24,7 +24,7 @@ spec:
    - name: PATH_CONTEXT
      value: 2023-07-31-acs-workflows/guestbook
  pipelineRef:
-    name: guestbook
+    name: guestbook-build
  serviceAccountName: pipeline
  timeout: 1h0m0s
  workspaces:
--- a/2023-07-31-acs-workflows/guestbook/manifests/deploy-pipeline.yaml
+++ b/2023-07-31-acs-workflows/guestbook/manifests/deploy-pipeline.yaml
@ -0,0 +1,67 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  labels:
+    app.kubernetes.io/instance: guestbook
+    app.kubernetes.io/name: guestbook
+    operator.tekton.dev/operand-name: openshift-pipelines-addons
+    pipeline.openshift.io/strategy: docker
+    pipeline.openshift.io/type: kubernetes
+  name: guestbook-deploy
+  namespace: guestbook
+spec:
+  params:
+    - default: guestbook
+      name: APP_NAME
+      type: string
+    - default: 'https://github.com/jmhbnz/talks.git'
+      name: GIT_REPO
+      type: string
+    - default: main
+      name: GIT_REVISION
+      type: string
+    - default: 'image-registry.openshift-image-registry.svc:5000/guestbook/guestbook'
+      name: IMAGE_NAME
+      type: string
+    - default: 2023-07-31-acs-workflows/guestbook
+      name: PATH_CONTEXT
+      type: string
+  tasks:
+    - name: image-scan
+      params:
+        - name: image
+          value: image-registry.openshift-image-registry.svc:5000/guestbook/guestbook
+        - name: rox_api_token
+          value: roxsecrets
+        - name: rox_central_endpoint
+          value: roxsecrets
+        - name: output_format
+          value: json
+      taskRef:
+        kind: ClusterTask
+        name: rox-image-scan
+    - name: image-check
+      params:
+        - name: image
+          value: image-registry.openshift-image-registry.svc:5000/guestbook/guestbook
+        - name: rox_api_token
+          value: roxsecrets
+        - name: rox_central_endpoint
+          value: roxsecrets
+      runAfter:
+        - image-scan
+      taskRef:
+        kind: ClusterTask
+        name: rox-image-check
+    - name: deploy
+      params:
+        - name: SCRIPT
+          value: oc rollout status deploy/$(params.APP_NAME)
+      runAfter:
+        - image-check
+      taskRef:
+        kind: ClusterTask
+        name: openshift-client
+  workspaces:
+    - name: workspace