Skip to content

GuilhermeCamposo/tap-demo

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

48 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Trusted Application Pipeline Installation

Requirements

  • OCP 4.16

  • oc client >= 4.16

  • Minio client(mc) in your local $PATH

  • Helm client

  • Ansible With Kubernets module (requirements)

What is available?

  1. Trusted Profile Analyzer 1.2

    1. Streams for Apache Kafka 2.8

    2. MinIO

  2. Trusted Application Signer 1.1

  3. Developer Hub 1.4

  4. Red Hat build of Keycloak v24

  5. Tekton Pipelines 1.17

  6. ArgoCD GitOps 1.15

TAP Installation

Parameters

Parameter Example Value Definition

token

sha256~vFanQbthlPKfsaldJT3bdLXIyEkd7ypO_XPygY1DNtQ

access token for a user with cluster-admin privileges

server

https://api.mycluster.domain.com:6443

OpenShift cluster API URL

github_pat

longString

Personal Access Token used to download and publish content on Github. Required for Developer Hub deployment only. For information regarding scope, refer to the docs

How to run the playbook

ansible-playbook -e token=${token} -e server=${server} -e github_pat=${github_pat}  playbook.yml

Running parts of the playbook

This playbook has tags configured. To run a single role or selected roles you can:

ansible-playbook -e token=${token} -e server=${server} --tags "keycloak"  playbook.yml

Testing

Trusted Artifact Signer with Cosign

Before testing Cosign, you need a Keycloak user. The playbook configures a trusted-artifact-signer realm with the admin user. The password is password. You can create new users if you want.

  • Configure your shell environment for doing container image signing and verifying

export TUF_URL=$(oc get tuf -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)
export KEYCLOAK_HOST=$(oc get route -l app=keycloak -n keycloak-system -o jsonpath='{.items[0].spec.host}')
export OIDC_ISSUER_URL=https://$KEYCLOAK_HOST/realms/trusted-artifact-signer
export COSIGN_FULCIO_URL=$(oc get fulcio -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)
export COSIGN_REKOR_URL=$(oc get rekor -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)
export COSIGN_MIRROR=$TUF_URL
export COSIGN_ROOT=$TUF_URL/root.json
export COSIGN_OIDC_CLIENT_ID="trusted-artifact-signer"
export COSIGN_OIDC_ISSUER=$OIDC_ISSUER_URL
export COSIGN_CERTIFICATE_OIDC_ISSUER=$OIDC_ISSUER_URL
export COSIGN_YES="true"
export SIGSTORE_FULCIO_URL=$COSIGN_FULCIO_URL
export SIGSTORE_OIDC_ISSUER=$COSIGN_OIDC_ISSUER
export SIGSTORE_REKOR_URL=$COSIGN_REKOR_URL
export REKOR_REKOR_SERVER=$COSIGN_REKOR_URL
  • Initialize The Update Framework (TUF) system

cosign initialize
  • Create an image to be signed

echo "FROM scratch" > ./tmp.Dockerfile
podman build . -f ./tmp.Dockerfile -t ttl.sh/rhtas/test-image:1h
podman push ttl.sh/rhtas/test-image:1h
  • Sign the image

cosign sign -y ttl.sh/rhtas/test-image:1h
  • You can also verify the image signature

cosign verify --certificate-identity=admin@demo.com ttl.sh/rhtas/test-image:1h

Loading CVE and Advosories database

You can load data from 2022 into TPA, instead of running the full job. You can do it by executing the following Job.

oc apply -f job.yml -n trusted-profile-analyzer

To run the whole thing, just:

oc create job --from=cronjob/v11y-walker v11y-walker-now

About

No description or website provided.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages