jmhbnz/workshops
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Begin scaffolding security hackathon.

Browse Source
This commit is contained in:
James Blair
2024-09-26 16:31:52 +12:00
parent 47aa8c9e4c
commit d87cb4a04e
11 changed files with 172 additions and 165 deletions
Download Patch File Download Diff File Expand all files Collapse all files

168
data/compliance/README.org Normal file
View File

@ -0,0 +1,168 @@
#+TITLE: Openshift disconnected security & compliance workshop
#+DATE: <2024-08-26 Mon>
#+AUTHOR: James Blair
This document captures the steps required to set up an instance of the workshop.
* Connect to the low side instance
#+begin_src tmux
ssh lab-user@3.143.149.146
#+end_src
* Install required tools low side
#+begin_src tmux
cd /mnt/low-side-data/
curl -L -o oc-mirror.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.35/oc-mirror.tar.gz
tar -xzf oc-mirror.tar.gz
rm -f oc-mirror.tar.gz
chmod +x oc-mirror
sudo cp -v oc-mirror /bin
curl -L -o mirror-registry.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/mirror-registry/latest/mirror-registry.tar.gz
curl -L -o openshift-install.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.35/openshift-install-linux.tar.gz
tar -xzf openshift-install.tar.gz openshift-install
rm -f openshift-install.tar.gz
curl -L -o oc.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.19/openshift-client-linux.tar.gz
tar -xzf oc.tar.gz oc
rm -f oc.tar.gz
sudo cp -v oc /bin
ls -1 /mnt/low-side-data/
#+end_src
* Mirror installation content low side
#+begin_src tmux
mkdir -v $HOME/.docker
cp -v $HOME/pull-secret-example.json $HOME/.docker/config.json
cat << EOF > /mnt/low-side-data/imageset-config.yaml
---
kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
storageConfig:
local:
path: ./
mirror:
platform:
channels:
- name: stable-4.14
type: ocp
minVersion: 4.14.35
maxVersion: 4.14.35
additionalImages:
- name: registry.redhat.io/rhel8/support-tools
EOF
cd /mnt/low-side-data
oc-mirror --config imageset-config.yaml file:///mnt/low-side-data
#+end_src
* Install mirror registry high side
#+begin_src tmux
rsync -avP /mnt/low-side-data/mirror-registry.tar.gz highside:/mnt/high-side-data/
ssh highside
cd /mnt/high-side-data
tar -xzvf mirror-registry.tar.gz
./mirror-registry install --initPassword discopass
#+end_src
* Trust mirror registry high side
#+begin_src tmux
sudo cp -v $HOME/quay-install/quay-rootCA/rootCA.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
podman login -u init -p discopass $(hostname):8443
#+end_src
* Transfer mirror content from low to high
#+begin_src tmux
exit
rsync -avP /mnt/low-side-data/ highside:/mnt/high-side-data/
ssh highside
sudo mv -v /mnt/high-side-data/oc /bin/
sudo mv -v /mnt/high-side-data/oc-mirror /bin/
sudo mv -v /mnt/high-side-data/openshift-install /bin/
cd /mnt/high-side-data
oc-mirror --from=/mnt/high-side-data/mirror_seq1_000000.tar docker://$(hostname):8443
#+end_src
* Install openshift high side
#+begin_src tmux
cat << EOF > /mnt/high-side-data/install-config.yaml
---
apiVersion: v1
metadata:
name: disco
baseDomain: lab
compute:
- architecture: amd64
hyperthreading: Enabled
name: worker
replicas: 0
controlPlane:
architecture: amd64
hyperthreading: Enabled
name: master
replicas: 1
platform:
aws:
type: m5.8xlarge
networking:
clusterNetwork:
- cidr: 10.128.0.0/14
hostPrefix: 23
machineNetwork:
- cidr: 10.0.0.0/16
networkType: OVNKubernetes
serviceNetwork:
- 172.30.0.0/16
platform:
aws:
region: us-east-2
subnets:
- $(aws ec2 describe-subnets --output json | jq '.Subnets[0].SubnetId' -r)
publish: Internal
additionalTrustBundlePolicy: Always
EOF
if ! test -f "/mnt/high-side-data/id_rsa"; then
ssh-keygen -C "OpenShift Debug" -N "" -f /mnt/high-side-data/id_rsa
fi
echo "sshKey: $(cat /mnt/high-side-data/id_rsa.pub)" | tee -a /mnt/high-side-data/install-config.yaml
echo "pullSecret: '$(jq -c . $XDG_RUNTIME_DIR/containers/auth.json)'" | tee -a /mnt/high-side-data/install-config.yaml
if (test -e /mnt/high-side-data/oc-mirror-workspace/results-*/imageContentSourcePolicy.yaml)
then
echo -e "\n\n Looks good, go ahead! \n\n"
else
echo -e "\n\n Uh oh, something is wrong... \n\n"
fi
cat << EOF >> /mnt/high-side-data/install-config.yaml
imageContentSources:
$(grep "mirrors:" -A 2 --no-group-separator /mnt/high-side-data/oc-mirror-workspace/results-*/imageContentSourcePolicy.yaml)
EOF
tail -22 /mnt/high-side-data/install-config.yaml
cat << EOF >> /mnt/high-side-data/install-config.yaml
additionalTrustBundle: |
$(sed 's/^/ /' /home/lab-user/quay-install/quay-rootCA/rootCA.pem)
EOF
cat /mnt/high-side-data/install-config.yaml
cp -v /mnt/high-side-data/install-config.yaml /mnt/high-side-data/install-config.yaml.backup
openshift-install create cluster --dir /mnt/high-side-data
#+end_src
* Disable default catalog sources high side
#+begin_src tmux
oc login https://api.disco.lab:6443 --username kubeadmin -p "$(more /mnt/high-side-data/auth/kubeadmin-password)" --insecure-skip-tls-verify=true
oc patch OperatorHub cluster --type merge -p '{"spec": {"disableAllDefaultSources": true}}'
oc create -f /mnt/high-side-data/oc-mirror-workspace/results-*/catalogSource-cs-redhat-operator-index.yaml
#+end_src

0
data/workshop/exercise1.mdx → data/compliance/exercise1.mdx
View File

0
data/workshop/exercise2.mdx → data/compliance/exercise2.mdx
View File

0
data/workshop/exercise3.mdx → data/compliance/exercise3.mdx
View File

0
data/workshop/exercise4.mdx → data/compliance/exercise4.mdx
View File

0
data/workshop/exercise5.mdx → data/compliance/exercise5.mdx
View File

0
data/workshop/exercise6.mdx → data/compliance/exercise6.mdx
View File

0
data/workshop/exercise7.mdx → data/compliance/exercise7.mdx
View File

0
data/workshop/exercise8.mdx → data/compliance/exercise8.mdx
View File

4
data/siteMetadata.js
View File

@ -1,8 +1,8 @@
const siteMetadata = { const siteMetadata = {
title: 'Red Hat OpenShift Security & Compliance Workshop', title: 'Red Hat OpenShift Security Hackathon',
author: 'Red Hat', author: 'Red Hat',
headerTitle: 'Red Hat', headerTitle: 'Red Hat',
description: 'Red Hat OpenShift Security & Compliance Workshop', description: 'Red Hat OpenShift Security Hackathon',
language: 'en-us', language: 'en-us',
siteUrl: 'https://rhdemo.win', siteUrl: 'https://rhdemo.win',
siteRepo: 'https://github.com/jmhbnz/workshops', siteRepo: 'https://github.com/jmhbnz/workshops',

165
data/workshop/README.org
View File

@ -1,168 +1,7 @@
#+TITLE: Openshift disconnected security & compliance workshop #+TITLE: Openshift security hackathon
#+DATE: <2024-08-26 Mon> #+DATE: <2024-09-26 Thu>
#+AUTHOR: James Blair #+AUTHOR: James Blair
This document captures the steps required to set up an instance of the workshop. This document captures the steps required to set up an instance of the workshop.
* Connect to the low side instance
#+begin_src tmux
ssh lab-user@3.143.149.146
#+end_src
* Install required tools low side
#+begin_src tmux
cd /mnt/low-side-data/
curl -L -o oc-mirror.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.35/oc-mirror.tar.gz
tar -xzf oc-mirror.tar.gz
rm -f oc-mirror.tar.gz
chmod +x oc-mirror
sudo cp -v oc-mirror /bin
curl -L -o mirror-registry.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/mirror-registry/latest/mirror-registry.tar.gz
curl -L -o openshift-install.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.35/openshift-install-linux.tar.gz
tar -xzf openshift-install.tar.gz openshift-install
rm -f openshift-install.tar.gz
curl -L -o oc.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.19/openshift-client-linux.tar.gz
tar -xzf oc.tar.gz oc
rm -f oc.tar.gz
sudo cp -v oc /bin
ls -1 /mnt/low-side-data/
#+end_src
* Mirror installation content low side
#+begin_src tmux
mkdir -v $HOME/.docker
cp -v $HOME/pull-secret-example.json $HOME/.docker/config.json
cat << EOF > /mnt/low-side-data/imageset-config.yaml
---
kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
storageConfig:
local:
path: ./
mirror:
platform:
channels:
- name: stable-4.14
type: ocp
minVersion: 4.14.35
maxVersion: 4.14.35
additionalImages:
- name: registry.redhat.io/rhel8/support-tools
EOF
cd /mnt/low-side-data
oc-mirror --config imageset-config.yaml file:///mnt/low-side-data
#+end_src
* Install mirror registry high side
#+begin_src tmux
rsync -avP /mnt/low-side-data/mirror-registry.tar.gz highside:/mnt/high-side-data/
ssh highside
cd /mnt/high-side-data
tar -xzvf mirror-registry.tar.gz
./mirror-registry install --initPassword discopass
#+end_src
* Trust mirror registry high side
#+begin_src tmux
sudo cp -v $HOME/quay-install/quay-rootCA/rootCA.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
podman login -u init -p discopass $(hostname):8443
#+end_src
* Transfer mirror content from low to high
#+begin_src tmux
exit
rsync -avP /mnt/low-side-data/ highside:/mnt/high-side-data/
ssh highside
sudo mv -v /mnt/high-side-data/oc /bin/
sudo mv -v /mnt/high-side-data/oc-mirror /bin/
sudo mv -v /mnt/high-side-data/openshift-install /bin/
cd /mnt/high-side-data
oc-mirror --from=/mnt/high-side-data/mirror_seq1_000000.tar docker://$(hostname):8443
#+end_src
* Install openshift high side
#+begin_src tmux
cat << EOF > /mnt/high-side-data/install-config.yaml
---
apiVersion: v1
metadata:
name: disco
baseDomain: lab
compute:
- architecture: amd64
hyperthreading: Enabled
name: worker
replicas: 0
controlPlane:
architecture: amd64
hyperthreading: Enabled
name: master
replicas: 1
platform:
aws:
type: m5.8xlarge
networking:
clusterNetwork:
- cidr: 10.128.0.0/14
hostPrefix: 23
machineNetwork:
- cidr: 10.0.0.0/16
networkType: OVNKubernetes
serviceNetwork:
- 172.30.0.0/16
platform:
aws:
region: us-east-2
subnets:
- $(aws ec2 describe-subnets --output json | jq '.Subnets[0].SubnetId' -r)
publish: Internal
additionalTrustBundlePolicy: Always
EOF
if ! test -f "/mnt/high-side-data/id_rsa"; then
ssh-keygen -C "OpenShift Debug" -N "" -f /mnt/high-side-data/id_rsa
fi
echo "sshKey: $(cat /mnt/high-side-data/id_rsa.pub)" | tee -a /mnt/high-side-data/install-config.yaml
echo "pullSecret: '$(jq -c . $XDG_RUNTIME_DIR/containers/auth.json)'" | tee -a /mnt/high-side-data/install-config.yaml
if (test -e /mnt/high-side-data/oc-mirror-workspace/results-*/imageContentSourcePolicy.yaml)
then
echo -e "\n\n Looks good, go ahead! \n\n"
else
echo -e "\n\n Uh oh, something is wrong... \n\n"
fi
cat << EOF >> /mnt/high-side-data/install-config.yaml
imageContentSources:
$(grep "mirrors:" -A 2 --no-group-separator /mnt/high-side-data/oc-mirror-workspace/results-*/imageContentSourcePolicy.yaml)
EOF
tail -22 /mnt/high-side-data/install-config.yaml
cat << EOF >> /mnt/high-side-data/install-config.yaml
additionalTrustBundle: |
$(sed 's/^/ /' /home/lab-user/quay-install/quay-rootCA/rootCA.pem)
EOF
cat /mnt/high-side-data/install-config.yaml
cp -v /mnt/high-side-data/install-config.yaml /mnt/high-side-data/install-config.yaml.backup
openshift-install create cluster --dir /mnt/high-side-data
#+end_src
* Disable default catalog sources high side
#+begin_src tmux
oc login https://api.disco.lab:6443 --username kubeadmin -p "$(more /mnt/high-side-data/auth/kubeadmin-password)" --insecure-skip-tls-verify=true
oc patch OperatorHub cluster --type merge -p '{"spec": {"disableAllDefaultSources": true}}'
oc create -f /mnt/high-side-data/oc-mirror-workspace/results-*/catalogSource-cs-redhat-operator-index.yaml
#+end_src