talks/2023-07-31-acs-workflows/README.org

RHACS Workflows & Integration

This is a short demo I gave on Red Hat Advanced Cluster Security.

Prerequisites

This demo setup assumes you already have an OpenShift 4.12+ cluster running and are logged in locally with the oc CLI using cluster-admin privileges.

For this demo I have an OpenShift 4.12.12 cluster running on AWS provisioned through the Red Hat Demo system.

# Confirm the cluster meets the 4.12+ prerequisite and that the current context is an admin session
oc version | grep Server
oc status

Developer workflow integration

A key element of any cloud native security platform is how it can be incorporated into software development workflows, so that security teams gain visibility of emerging security issues and developers understand the security posture of what they are building.

For this demonstration we will be using OpenShift Dev Spaces as a cloud-based development environment and OpenShift Pipelines as a continuous integration environment.

Install dev spaces operator

The first step in preparing the demo is to install the Dev Spaces operator so the cluster can create cloud-based development environments. We can install the operator programmatically by creating a Subscription resource:

cat << EOF | oc apply -f -
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: devspaces
  namespace: openshift-operators
spec:
  channel: stable
  installPlanApproval: Automatic
  name: devspaces
  source: redhat-operators
  sourceNamespace: openshift-marketplace
EOF

Create devspaces controller

Once the operator is installed we can create a Dev Spaces controller instance; this is the component actually responsible for instantiating individual developer workspaces.

Once again we can do this programmatically by creating a CheCluster resource:

cat << EOF | oc apply -f -
apiVersion: org.eclipse.che/v2
kind: CheCluster
metadata:
  name: devspaces
  namespace: openshift-operators
spec:
  components:
    cheServer:
      debug: false
      logLevel: INFO
    dashboard: {}
    database:
      externalDb: false
    devWorkspace: {}
    devfileRegistry: {}
    imagePuller:
      enable: false
      spec: {}
    metrics:
      enable: true
    pluginRegistry: {}
  containerRegistry: {}
  devEnvironments:
    containerBuildConfiguration:
      # SCC the operator grants to workspace pods so they can run container builds
      openShiftSecurityContextConstraint: container-build
    defaultNamespace:
      autoProvision: true
      template: <username>-devspaces
    # Demo-friendly limits: unlimited workspaces per user, no run-time limit,
    # idled only after ten hours of inactivity; tighten these outside a demo
    maxNumberOfWorkspacesPerUser: -1
    secondsOfInactivityBeforeIdling: 36000
    secondsOfRunBeforeIdling: -1
    startTimeoutSeconds: 300
    storage:
      pvcStrategy: per-user
  gitServices: {}
  networking:
    auth:
      gateway:
        configLabels:
          app: che
          component: che-gateway-config
EOF

Create individual dev space

Once the Dev Workspace operator and controller are ready, we can create our individual developer workspace.

cat << EOF | oc apply -f -
kind: DevWorkspace
apiVersion: workspace.devfile.io/v1alpha2
metadata:
  name: vscode
  namespace: opentlc-mgr-devspaces
spec:
  started: true
  template:
    projects:
      - name: talks
        git:
          remotes:
            origin: "https://github.com/jmhbnz/talks.git"
    components:
      - name: dev
        container:
          # :latest is a floating tag; pin to a digest for anything beyond a throwaway demo
          image: quay.io/devfile/universal-developer-image:latest
    commands:
      - id: install-roxctl
        exec:
          component: dev
          # fetches the roxctl binary without verifying a checksum or signature; acceptable for a demo, not for a pipeline
          commandLine: curl -O https://mirror.openshift.com/pub/rhacs/assets/4.1.2/bin/Linux/roxctl && chmod +x roxctl
          workingDir: ${PROJECT_SOURCE}
  contributions:
    - name: che-code
      uri: https://eclipse-che.github.io/che-plugin-registry/main/v3/plugins/che-incubator/che-code/latest/devfile.yaml
      components:
        - name: che-code-runtime-description
          container:
            env:
              - name: CODE_HOST
                value: 0.0.0.0
EOF
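
As an added example (not from the talk or the Dev Spaces project), here is a small pre-apply check, in Python with only the standard library, for the two supply-chain loose ends in the DevWorkspace above: the developer image is pulled by the floating :latest tag, and roxctl is fetched with curl and never checksum-verified. The manifest is a constructed sample mirroring the one applied above; the download and verification heuristics are the example's own, not something Dev Spaces or RHACS enforces.

```python
import re

# Constructed sample mirroring the DevWorkspace applied above (image plus roxctl command).
SAMPLE_DEVWORKSPACE = {
    "spec": {"template": {
        "components": [{"name": "dev", "container": {
            "image": "quay.io/devfile/universal-developer-image:latest"}}],
        "commands": [{"id": "install-roxctl", "exec": {"component": "dev",
            "commandLine": "curl -O https://mirror.openshift.com/pub/rhacs/assets/"
                           "4.1.2/bin/Linux/roxctl && chmod +x roxctl"}}],
    }},
}

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
FETCH_RE = re.compile(r"\b(curl|wget)\b")
VERIFY_RE = re.compile(r"sha256sum|sha512sum|gpg --verify|cosign verify")

def image_findings(image: str) -> list[str]:
    """A digest-pinned image is immutable; a tag (worst of all :latest) is not."""
    if DIGEST_RE.search(image):
        return []
    name = image.rsplit("/", 1)[-1]  # last path segment, so a registry port is ignored
    tag = name.split(":", 1)[1] if ":" in name else None
    if tag is None or tag == "latest":
        return [f"image {image!r}: floating tag, pin by digest"]
    return [f"image {image!r}: tag {tag!r} is mutable, prefer a digest"]

def command_findings(command_id: str, line: str) -> list[str]:
    """A fetched binary should be checksum- or signature-verified in the same step."""
    if FETCH_RE.search(line) and not VERIFY_RE.search(line):
        return [f"command {command_id!r}: downloads without verifying a checksum or signature"]
    return []

def audit_devworkspace(manifest: dict) -> list[str]:
    template = manifest.get("spec", {}).get("template", {})
    findings = []
    for comp in template.get("components", []):
        image = comp.get("container", {}).get("image")
        if image:
            findings += image_findings(image)
    for cmd in template.get("commands", []):
        exec_ = cmd.get("exec") or {}
        if exec_.get("commandLine"):
            findings += command_findings(cmd.get("id", "?"), exec_["commandLine"])
    return findings


if __name__ == "__main__":
    for finding in audit_devworkspace(SAMPLE_DEVWORKSPACE):
        print("WARN", finding)
```

RHACS ships a default "Latest tag" policy that catches the image case once a deployment exists; running a check like this before oc apply catches both issues while they are still in the manifest.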

Deploy sample application

To showcase incorporating roxctl into developer workflows, we need a sample application to tinker with.