From 3dff549872e1b0e8c352fd1288c7cdf188d6f024 Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Mon, 10 Jul 2023 09:47:07 +0100
Subject: [PATCH 01/14] Change ID to public, we need this visible for subequent requests
---
src/main/java/com/redhat/pctsec/model/ScanRequest.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/com/redhat/pctsec/model/ScanRequest.java b/src/main/java/com/redhat/pctsec/model/ScanRequest.java
index 8bc16d3..c8c5f86 100644
--- a/src/main/java/com/redhat/pctsec/model/ScanRequest.java
+++ b/src/main/java/com/redhat/pctsec/model/ScanRequest.java
@@ -20,7 +20,7 @@ public class ScanRequest {
 @Id
 @GeneratedValue
- protected UUID id;
+ public UUID id;
 private String metadata;
 //private String oshScanOptions;
From dc8de982f0c4e72c2975472dfe55cfcc3b9345cb Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Mon, 10 Jul 2023 10:07:27 +0100
Subject: [PATCH 02/14] Minor alterations for prod deploy
---
k8s/prod/app/service-account.yaml | 4 ++--
k8s/prod/app/tekton-rbac.yaml | 4 ++--
.../osh-client-from-source-pipeline.yaml | 6 ++++++
.../task/osh-client-from-source.yaml | 16 +++++-----------
src/main/resources/application.properties | 2 +-
5 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/k8s/prod/app/service-account.yaml b/k8s/prod/app/service-account.yaml
index 8af0e29..bf0f10a 100644
--- a/k8s/prod/app/service-account.yaml
+++ b/k8s/prod/app/service-account.yaml
@@ -2,11 +2,11 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 labels:
- app.kubernetes.io/name: osh-wrapper-client-sa
+ app.kubernetes.io/name: osh
 app.kubernetes.io/version: 1.0.0-SNAPSHOT
 app.openshift.io/runtime: quarkus
 env: prod
- name: osh-wrapper-client-sa
+ name: osh
 namespace: psse-scanchain-prod
 imagePullSecrets:
 - name: pct-security-osh-wrapper-client-pull-secret
diff --git a/k8s/prod/app/tekton-rbac.yaml b/k8s/prod/app/tekton-rbac.yaml
index 9401c9d..b4e84eb 100644
--- a/k8s/prod/app/tekton-rbac.yaml
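Review bot: Widening `id` to `public` on an entity field annotated `@Id @GeneratedValue` makes a server-generated identifier writable by any caller, and if ScanRequest is also bound directly from request bodies (not visible here) a client-supplied id would be accepted into the entity as well. A read accessor covers the stated need of carrying the id into subsequent requests without opening the field for writes: keep `protected UUID id;` and add `public UUID getId() { return id; }`. The rest of the ScanRequest class is outside the hunk.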
+++ b/k8s/prod/app/tekton-rbac.yaml
@@ -21,11 +21,11 @@ kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: osh-wrapper-tekton-rolebinding
- namespace: pct-security-tooling
+ namespace: psse-scanchain-prod
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
 name: osh-wrapper-tekton
 subjects:
 - kind: ServiceAccount
- name: osh-wrapper-client-sa
+ name: osh
diff --git a/k8s/prod/osh-client-tekton/pipeline/osh-client-from-source-pipeline.yaml b/k8s/prod/osh-client-tekton/pipeline/osh-client-from-source-pipeline.yaml
index f806c12..613023a 100644
--- a/k8s/prod/osh-client-tekton/pipeline/osh-client-from-source-pipeline.yaml
+++ b/k8s/prod/osh-client-tekton/pipeline/osh-client-from-source-pipeline.yaml
@@ -15,6 +15,10 @@ spec:
 description: The revision or tag
 type: string
+ - name: mock-build-params
+ description: The parameters to pass to covscan mock-build
+ type: string
+
 - name: archive-name
 description: The name of the git archive file
 type: string
@@ -77,6 +81,8 @@ spec:
 params:
 - name: targz-file
 value: $(params.archive-name)
+ - name: mock-build-params
+ value: $(params.mock-build-params)
 runAfter:
 - archive
 taskRef:
diff --git a/k8s/prod/osh-client-tekton/task/osh-client-from-source.yaml b/k8s/prod/osh-client-tekton/task/osh-client-from-source.yaml
index aba0eb1..fe8b38d 100644
--- a/k8s/prod/osh-client-tekton/task/osh-client-from-source.yaml
+++ b/k8s/prod/osh-client-tekton/task/osh-client-from-source.yaml
@@ -13,15 +13,10 @@ spec:
 default: "source.tar.gz"
 description: The filename of the tar.gz we'll be uploading to covscan
- - name: scan-profile
+ - name: mock-build-params
 type: string
- description: The scan profile we will use
- default: "snyk-only-unstable"
-
- - name: tarball-build-script
- type: string
- description: Parameters to be passed to tarball-build-script
- default: ":"
+ description: Parameters pushed to mock build
+ default: "-p snyk-only-unstable --tarball-build-script=:"
 volumes:
 - name: osh-client-kerb-vol
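Review bot: The RoleBinding is moved to `namespace: psse-scanchain-prod` but still references Role `osh-wrapper-tekton` by name, and a RoleBinding can only bind a Role that lives in the binding's own namespace. The diffstat shows only these two lines of tekton-rbac.yaml changing, so if the Role defined earlier in the same file (outside this hunk) carries its own `namespace:` it presumably still says `pct-security-tooling`, and the binding would then resolve to nothing and the `osh` ServiceAccount would silently lack the Tekton permissions. Worth confirming the Role's namespace is updated in step, or removing the hardcoded namespaces from both objects and applying the file with an explicit `-n`.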
@@ -72,7 +67,6 @@ spec:
 script: |
 #!/bin/bash
- echo $(params.scan-profile)
- echo $(params.tarball-build-script)
+ echo $(params.mock-build-params)
 echo $(params.targz-file)
- covscan mock-build -p $(params.scan-profile) --tarball-build-script=$(params.tarball-build-script) /workspace/source-tars/$(params.targz-file)
+ covscan mock-build $(params.mock-build-params) /workspace/source-tars/$(params.targz-file)
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 1c5ca4f..cc00ef6 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -78,7 +78,7 @@ quarkus.arc.remove-unused-beans=false
 #Always provide swagger ui
 # Probably we need to check these 2 settings
-%prod.quarkus.openshift.service-account=osh-wrapper-client-sa
+%prod.quarkus.openshift.service-account=osh
 %prod.quarkus.openshift.namespace=pct-security-tooling
 %prod.quarkus.openshift.name=osh
From b3feca922b2bf59e4c6d18bceddbbe96d42be90c Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Mon, 10 Jul 2023 10:34:44 +0100
Subject: [PATCH 03/14] Change to prod namespace
---
src/main/resources/application.properties | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index cc00ef6..04538b1 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -79,7 +79,7 @@ quarkus.arc.remove-unused-beans=false
 # Probably we need to check these 2 settings
 %prod.quarkus.openshift.service-account=osh
-%prod.quarkus.openshift.namespace=pct-security-tooling
+%prod.quarkus.openshift.namespace=psse-scanchain-prod
 %prod.quarkus.openshift.name=osh
 %prod.quarkus.openshift.labels.env=prod
From 6da7606ad76eec09811f5dc114f2f0bf2058ec9a Mon Sep 17 00:00:00 2001
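Review bot: `covscan mock-build $(params.mock-build-params) /workspace/source-tars/...` splices a free-form string parameter straight into the text of a bash `script:`, so whoever can start a PipelineRun (the pipeline forwards the same param in the earlier hunk, and the task declares it with a permissive default) controls that command line entirely, word splitting and shell metacharacters included. The previous form had the same property for two narrower values; this change widens it to the whole argument list and also echoes it into the task log. Safer is to declare `mock-build-params` as `type: array` and hand it to `args:` via `$(params.mock-build-params[*])` instead of interpolating it into the script, or at minimum validate it against the expected `-p <profile> --tarball-build-script=<path>` shape before use. The step definition (image, volume mounts) continues outside the hunk.
```yaml
# … unchanged: task metadata, targz-file param …
  - name: mock-build-params
    type: array
    description: Parameters pushed to mock build
    default: ["-p", "snyk-only-unstable", "--tarball-build-script=:"]
# … unchanged: volumes, step image and mounts …
    command: ["covscan", "mock-build"]
    args: ["$(params.mock-build-params[*])", "/workspace/source-tars/$(params.targz-file)"]
```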
From: Jonathan Christison
Date: Mon, 10 Jul 2023 11:40:29 +0100
Subject: [PATCH 04/14] Use an alternate DB in the postgres instance
---
k8s/prod/app/database-envs.yaml | 8 ++++++++
1 file changed, 8 insertions(+)
create mode 100644 k8s/prod/app/database-envs.yaml
diff --git a/k8s/prod/app/database-envs.yaml b/k8s/prod/app/database-envs.yaml
new file mode 100644
index 0000000..4b1d837
--- /dev/null
+++ b/k8s/prod/app/database-envs.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ POSTGRESQL_DATABASE: oshwrapper-db
+ POSTGRESQL_USER: scanner
+kind: ConfigMap
+metadata:
+ name: database-envs-osh
+ namespace: psse-scanchain-prod
From e8738d1cd1e5a2f2fcb0bf9a4bf310d0994d7347 Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Mon, 10 Jul 2023 11:41:29 +0100
Subject: [PATCH 05/14] Use an alternate DB in the postgres instance (alter application.properties)
---
src/main/resources/application.properties | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 04538b1..35ef5b8 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -43,7 +43,7 @@
 # secret (database-envs).
 %prod.quarkus.kubernetes-config.secrets.enabled=true
 %prod.quarkus.kubernetes-config.secrets=database-envs
-%prod.quarkus.kubernetes.env.mapping.db-user.from-configmap=database-envs
+%prod.quarkus.kubernetes.env.mapping.db-user.from-configmap=database-envs-osh
 %prod.quarkus.kubernetes.env.mapping.db-user.with-key=POSTGRESQL_USER
 %prod.quarkus.kubernetes.env.mapping.db-name.from-configmap=database-envs
 %prod.quarkus.kubernetes.env.mapping.db-name.with-key=POSTGRESQL_DATABASE
From 161651f61e1e2a7fb339c27b4afcfd8e661cc62d Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Mon, 10 Jul 2023 12:14:36 +0100
Subject: [PATCH 06/14] Create the schema initially for blank db
---
k8s/prod/osh-client-tekton/osh-client-config.yaml | 2 +-
k8s/prod/osh-client-tekton/osh-client-pvc.yaml | 2 +-
src/main/resources/application.properties | 2 ++
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/k8s/prod/osh-client-tekton/osh-client-config.yaml b/k8s/prod/osh-client-tekton/osh-client-config.yaml
index f88d0df..a1cee69 100644
--- a/k8s/prod/osh-client-tekton/osh-client-config.yaml
+++ b/k8s/prod/osh-client-tekton/osh-client-config.yaml
@@ -49,7 +49,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: osh-client-config
- namespace: pct-security-tooling
+ namespace: psse-scanchain-prod
 data:
 client.conf: |+
 # client config file for covscan
diff --git a/k8s/prod/osh-client-tekton/osh-client-pvc.yaml b/k8s/prod/osh-client-tekton/osh-client-pvc.yaml
index 07383bb..058e1e7 100644
--- a/k8s/prod/osh-client-tekton/osh-client-pvc.yaml
+++ b/k8s/prod/osh-client-tekton/osh-client-pvc.yaml
@@ -16,7 +16,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
 name: osh-client-source-tars
- namespace: pct-security-tooling
+ namespace: psse-scanchain-prod
 spec:
 accessModes:
 - ReadWriteMany
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 35ef5b8..8cc00ea 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -50,9 +50,11 @@
 %prod.quarkus.datasource.jdbc.url=jdbc:postgresql://postgresql:5432/${db-name}
 %prod.quarkus.datasource.username=${db-user}
 %prod.quarkus.datasource.password=${postgresql_password}
+%prod.quarkus.hibernate-orm.database.generation.create-schemas=true
 %prod.quarkus.hibernate-orm.database.generation=update
+
 #Always provide swagger ui
 quarkus.swagger-ui.always-include=true
 %dev.quarkus.openshift.service-account=osh-wrapper-client-sa
From 29c73976f3938f091f5c9e67be9896609902ba7d Mon Sep 17 00:00:00 2001
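Review bot: The new `%prod.quarkus.hibernate-orm.database.generation.create-schemas=true` sits next to the existing `generation=update`, so the application issues DDL against the production database on every start, which in turn requires the `scanner` role to hold CREATE/ALTER privileges permanently rather than only for a one-off initialisation. Once the blank database has been populated, consider switching prod to `%prod.quarkus.hibernate-orm.database.generation=validate` (or `none`) and handing schema changes to an explicit migration step, so the runtime credential can be reduced to DML-only. The surrounding datasource settings and the rest of the prod profile are outside this hunk.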
From: Jonathan Christison
Date: Mon, 10 Jul 2023 13:14:32 +0100
Subject: [PATCH 07/14] Set path to be osh-wrapper for prod system route
---
src/main/resources/application.properties | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 8cc00ea..365232e 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -59,12 +59,14 @@ quarkus.swagger-ui.always-include=true
 %dev.quarkus.openshift.service-account=osh-wrapper-client-sa
 %dev.quarkus.openshift.namespace=pct-security-tooling
+%prod.quarkus.http.root-path=/osh-wrapper/
 %stage.quarkus.openshift.name=osh
 quarkus.openshift.service-account=osh-wrapper-client-sa
 %stage.quarkus.openshift.labels.env=stage
 %stage.quarkus.log.level=DEBUG
 quarkus.arc.remove-unused-beans=false
+#%stage.quarkus.http.root-path=/stage/
 #Only in Quarkus > 3.x
 %stage.quarkus.openshift.route.tls.termination=edge
From 3f003048a66abca66c37f7f8a42ac1f961290828 Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Mon, 10 Jul 2023 13:57:32 +0100
Subject: [PATCH 08/14] Set postgresql as the default driver for all profiles
---
src/main/resources/application.properties | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 365232e..b59674f 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -25,7 +25,7 @@
 # Data Source
 # ##########################################
 %dev.quarkus.datasource.devservices.enabled=true
-%dev.quarkus.datasource.db-kind = postgresql
+quarkus.datasource.db-kind = postgresql
 %dev.quarkus.datasource.username = quarkus
 %dev.quarkus.datasource.password = quarkus
 #%dev.quarkus.datasource.jdbc.url = jdbc:postgresql://localhost:5432/hibernate_db
@@ -54,7 +54,6 @@
 %prod.quarkus.hibernate-orm.database.generation=update
-
 #Always provide swagger ui
 quarkus.swagger-ui.always-include=true
 %dev.quarkus.openshift.service-account=osh-wrapper-client-sa
From 26592328b92bb15af26d9085c1941441465efe03 Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Mon, 10 Jul 2023 15:23:06 +0100
Subject: [PATCH 09/14] Use openshift env settings as k8s are not carried across to openshift yaml
---
src/main/resources/application.properties | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index b59674f..c26f14a 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -41,15 +41,15 @@ quarkus.datasource.db-kind = postgresql
 # Production settings. We db-name and the user are located on a config map (database-envs). The password is located on a
 # secret (database-envs).
-%prod.quarkus.kubernetes-config.secrets.enabled=true
-%prod.quarkus.kubernetes-config.secrets=database-envs
-%prod.quarkus.kubernetes.env.mapping.db-user.from-configmap=database-envs-osh
-%prod.quarkus.kubernetes.env.mapping.db-user.with-key=POSTGRESQL_USER
-%prod.quarkus.kubernetes.env.mapping.db-name.from-configmap=database-envs
-%prod.quarkus.kubernetes.env.mapping.db-name.with-key=POSTGRESQL_DATABASE
+%prod.quarkus.openshift.env.mapping.db-password.from-secret=database-envs
+%prod.quarkus.openshift.env.mapping.db-password.with-key=POSTGRESQL_PASSWORD
+%prod.quarkus.openshift.env.mapping.db-user.from-configmap=database-envs-osh
+%prod.quarkus.openshift.env.mapping.db-user.with-key=POSTGRESQL_USER
+%prod.quarkus.openshift.env.mapping.db-name.from-configmap=database-envs-osh
+%prod.quarkus.openshift.env.mapping.db-name.with-key=POSTGRESQL_DATABASE
 %prod.quarkus.datasource.jdbc.url=jdbc:postgresql://postgresql:5432/${db-name}
 %prod.quarkus.datasource.username=${db-user}
-%prod.quarkus.datasource.password=${postgresql_password}
+%prod.quarkus.datasource.password=${db-password}
 %prod.quarkus.hibernate-orm.database.generation.create-schemas=true
 %prod.quarkus.hibernate-orm.database.generation=update
From f83d0a1b06bfeeec1004057ef2013e2ce53d1f6a Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Mon, 10 Jul 2023 15:38:27 +0100
Subject: [PATCH 10/14] Specify its IPA we need to authenticate against
---
src/main/resources/application.properties | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index c26f14a..c3b2dcb 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
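Review bot: The two comment lines kept as context above the new `%prod.quarkus.openshift.env.mapping.*` entries are now wrong: after this change the user and database name come from the `database-envs-osh` ConfigMap and only the password still comes from the `database-envs` Secret, so a reader following the comment would look in the wrong object. Suggest replacing them with `# Production settings: db-user and db-name are read from the database-envs-osh ConfigMap; the password is read from the database-envs Secret (key POSTGRESQL_PASSWORD).` Note also that with the `from-secret` mapping the password is surfaced to the container as a plain environment variable and then expanded via `${db-password}`, which is the usual Quarkus pattern but means anything that dumps the pod environment (debug endpoints, crash reports) will include it; keep such endpoints disabled in the prod profile.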
@@ -117,7 +117,7 @@ quarkus.arc.remove-unused-beans=false
 %prod.quarkus.openshift.mounts.osh-wrapper.path=/kerberos
 %prod.quarkus.openshift.mounts.osh-wrapper.read-only=true
 %prod.quarkus.kerberos.keytab-path= /kerberos/kerberos-keytab-osh
-%prod.quarkus.kerberos.service-principal-name= HTTP/prodsec-scanchain.apps.ocp-c1.prod.psi.redhat.com
+%prod.quarkus.kerberos.service-principal-name= HTTP/prodsec-scanchain.apps.ocp-c1.prod.psi.redhat.com@IPA.REDHAT.COM
 %prod.quarkus.openshift.mounts.osh-wrapper-config-vol.path=/etc/krb5.conf
 %prod.quarkus.openshift.mounts.osh-wrapper-config-vol.sub-path=linux-krb5.conf
From ce845c9ade4947f2f98b6a4ab2801a4dee6d2300 Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Mon, 10 Jul 2023 16:17:40 +0100
Subject: [PATCH 11/14] Try setting the principle in the kt file
---
k8s/prod/osh-client-tekton/osh-client-config.yaml | 2 +-
src/main/resources/application.properties | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/k8s/prod/osh-client-tekton/osh-client-config.yaml b/k8s/prod/osh-client-tekton/osh-client-config.yaml
index a1cee69..6c57265 100644
--- a/k8s/prod/osh-client-tekton/osh-client-config.yaml
+++ b/k8s/prod/osh-client-tekton/osh-client-config.yaml
@@ -70,7 +70,7 @@ data:
 KRB_REALM = "IPA.REDHAT.COM"
 # Kerberos principal. If commented, default principal obtained by kinit is used.
- KRB_PRINCIPAL = "HTTP/prodsec-scanchain.apps.ocp-c1.prod.psi.redhat.com"
+ KRB_PRINCIPAL = "oshw-prod-svc-principle"
 # Kerberos keytab file.
 KRB_KEYTAB = "/kerberos/kerberos-keytab-osh"
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index c3b2dcb..83dbdb0 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -117,7 +117,7 @@ quarkus.arc.remove-unused-beans=false
 %prod.quarkus.openshift.mounts.osh-wrapper.path=/kerberos
 %prod.quarkus.openshift.mounts.osh-wrapper.read-only=true
 %prod.quarkus.kerberos.keytab-path= /kerberos/kerberos-keytab-osh
-%prod.quarkus.kerberos.service-principal-name= HTTP/prodsec-scanchain.apps.ocp-c1.prod.psi.redhat.com@IPA.REDHAT.COM
+%prod.quarkus.kerberos.service-principal-name= oshw-prod-svc-principle@IPA.REDHAT.COM
 %prod.quarkus.openshift.mounts.osh-wrapper-config-vol.path=/etc/krb5.conf
 %prod.quarkus.openshift.mounts.osh-wrapper-config-vol.sub-path=linux-krb5.conf
From 721c0ad3744a30b6760a125b06d230fd7b453e97 Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Tue, 11 Jul 2023 17:57:18 +0100
Subject: [PATCH 12/14] Revert "Try setting the principle in the kt file"
This reverts commit ce845c9ade4947f2f98b6a4ab2801a4dee6d2300.
---
k8s/prod/osh-client-tekton/osh-client-config.yaml | 2 +-
src/main/resources/application.properties | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/k8s/prod/osh-client-tekton/osh-client-config.yaml b/k8s/prod/osh-client-tekton/osh-client-config.yaml
index 6c57265..a1cee69 100644
--- a/k8s/prod/osh-client-tekton/osh-client-config.yaml
+++ b/k8s/prod/osh-client-tekton/osh-client-config.yaml
@@ -70,7 +70,7 @@ data:
 KRB_REALM = "IPA.REDHAT.COM"
 # Kerberos principal. If commented, default principal obtained by kinit is used.
- KRB_PRINCIPAL = "oshw-prod-svc-principle"
+ KRB_PRINCIPAL = "HTTP/prodsec-scanchain.apps.ocp-c1.prod.psi.redhat.com"
 # Kerberos keytab file.
 KRB_KEYTAB = "/kerberos/kerberos-keytab-osh"
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 83dbdb0..c3b2dcb 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -117,7 +117,7 @@ quarkus.arc.remove-unused-beans=false
 %prod.quarkus.openshift.mounts.osh-wrapper.path=/kerberos
 %prod.quarkus.openshift.mounts.osh-wrapper.read-only=true
 %prod.quarkus.kerberos.keytab-path= /kerberos/kerberos-keytab-osh
-%prod.quarkus.kerberos.service-principal-name= oshw-prod-svc-principle@IPA.REDHAT.COM
+%prod.quarkus.kerberos.service-principal-name= HTTP/prodsec-scanchain.apps.ocp-c1.prod.psi.redhat.com@IPA.REDHAT.COM
 %prod.quarkus.openshift.mounts.osh-wrapper-config-vol.path=/etc/krb5.conf
 %prod.quarkus.openshift.mounts.osh-wrapper-config-vol.sub-path=linux-krb5.conf
From 82fbf480ec1821373c0fc2119ca46e99e865ecd0 Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Wed, 12 Jul 2023 10:02:38 +0100
Subject: [PATCH 13/14] Set the correct namespace
Extra steps also required - `tkn hub install task git-clone`
---
.../osh-client-tekton/task/osh-client-git-cli-modified.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/k8s/prod/osh-client-tekton/task/osh-client-git-cli-modified.yaml b/k8s/prod/osh-client-tekton/task/osh-client-git-cli-modified.yaml
index 25b49d2..f797c8c 100644
--- a/k8s/prod/osh-client-tekton/task/osh-client-git-cli-modified.yaml
+++ b/k8s/prod/osh-client-tekton/task/osh-client-git-cli-modified.yaml
@@ -13,7 +13,7 @@ metadata:
 app.kubernetes.io/version: "0.4"
 hub.tekton.dev/catalog: tekton
 name: git-cli
- namespace: pct-security-tooling
+ namespace: psse-scanchain-prod
 resourceVersion: "3453559180"
 uid: 95fc93dd-8780-41ab-9477-b698762dc1de
 spec:
From 8727bff831877f3978d9a6242669bc974b27d233 Mon Sep 17 00:00:00 2001
From: Jonathan Christison
Date: Wed, 12 Jul 2023 10:47:49 +0100
Subject: [PATCH 14/14] We really need to set these to template values, every redeploy will break this
---
k8s/prod/app/service-account.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/k8s/prod/app/service-account.yaml b/k8s/prod/app/service-account.yaml
index bf0f10a..4f51c06 100644
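Review bot: The git-cli Task manifest being re-namespaced to `psse-scanchain-prod` still carries the server-populated `resourceVersion: "3453559180"` and `uid: 95fc93dd-8780-41ab-9477-b698762dc1de` from the object it was exported from; an apply into a namespace where no object with that uid exists is likely to be rejected on the uid/resourceVersion precondition rather than create the Task, which may be why the commit message records a separate manual `tkn hub install task git-clone` step. Strip both fields (and `creationTimestamp` or `generation` if they appear further down, outside this hunk) so the file is a clean declarative definition that applies the same way on every deploy. The `spec:` of the Task continues outside the hunk.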
--- a/k8s/prod/app/service-account.yaml
+++ b/k8s/prod/app/service-account.yaml
@@ -10,6 +10,6 @@ metadata:
 namespace: psse-scanchain-prod
 imagePullSecrets:
 - name: pct-security-osh-wrapper-client-pull-secret
-- name: osh-dockercfg-tfhlr
+- name: osh-dockercfg-n2hr7
 secrets:
-- name: osh-dockercfg-tfhlr
+- name: osh-dockercfg-n2hr7
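Review bot: The `osh-dockercfg-n2hr7` entries pin a token secret whose random suffix is generated by the ServiceAccount controller, so the committed file goes stale the moment the account is re-created, and each rename leaves a reference to a secret that no longer exists in `imagePullSecrets:` and `secrets:`. Rather than templating the suffix as the commit message proposes, the controller-managed entry can simply be left out: keep only `- name: pct-security-osh-wrapper-client-pull-secret` under `imagePullSecrets:` and drop the `secrets:` list entirely, since the controller attaches its own dockercfg secret to the account at runtime and a ServiceAccount manifest without `secrets:` is valid. That also keeps a generated credential name out of version control.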