Merge branch '17-prod-deployment' into 'main'

Resolve "Prod Deployment"

Closes #17

See merge request pct-security/covscanrest!15

k8s/prod/app/database-envs.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  POSTGRESQL_DATABASE: oshwrapper-db
+  POSTGRESQL_USER: scanner
+kind: ConfigMap
+metadata:
+  name: database-envs-osh
+  namespace: psse-scanchain-prod

k8s/prod/app/service-account.yaml

@@ -2,14 +2,14 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    app.kubernetes.io/name: osh-wrapper-client-sa
+    app.kubernetes.io/name: osh
     app.kubernetes.io/version: 1.0.0-SNAPSHOT
     app.openshift.io/runtime: quarkus
     env: prod
-  name: osh-wrapper-client-sa
+  name: osh
   namespace: psse-scanchain-prod
 imagePullSecrets:
 - name: pct-security-osh-wrapper-client-pull-secret
-- name: osh-dockercfg-tfhlr
+- name: osh-dockercfg-n2hr7
 secrets:
-- name: osh-dockercfg-tfhlr
+- name: osh-dockercfg-n2hr7

k8s/prod/app/tekton-rbac.yaml

@@ -21,11 +21,11 @@ kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: osh-wrapper-tekton-rolebinding
-  namespace: pct-security-tooling
+  namespace: psse-scanchain-prod
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: osh-wrapper-tekton
 subjects:
 - kind: ServiceAccount
-  name: osh-wrapper-client-sa
+  name: osh

k8s/prod/osh-client-tekton/osh-client-config.yaml

@@ -49,7 +49,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: osh-client-config
-  namespace: pct-security-tooling
+  namespace: psse-scanchain-prod
 data:
   client.conf: |+
     # client config file for covscan

k8s/prod/osh-client-tekton/osh-client-pvc.yaml

@@ -16,7 +16,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: osh-client-source-tars
-  namespace: pct-security-tooling
+  namespace: psse-scanchain-prod
 spec:
   accessModes:
   - ReadWriteMany

k8s/prod/osh-client-tekton/pipeline/osh-client-from-source-pipeline.yaml

@@ -15,6 +15,10 @@ spec:
     description: The revision or tag
     type: string
 
+  - name: mock-build-params
+    description: The parameters to pass to covscan mock-build
+    type: string
+
   - name: archive-name
     description: The name of the git archive file
     type: string
@@ -77,6 +81,8 @@ spec:
       params:
         - name: targz-file
           value: $(params.archive-name)
+        - name: mock-build-params
+          value: $(params.mock-build-params)
       runAfter:
         - archive
       taskRef:

k8s/prod/osh-client-tekton/task/osh-client-from-source.yaml

@@ -13,15 +13,10 @@ spec:
     default: "source.tar.gz"
     description: The filename of the tar.gz we'll be uploading to covscan
 
-  - name: scan-profile
+  - name: mock-build-params
     type: string
-    description: The scan profile we will use
+    description: Parameters pushed to mock build
-    default: "snyk-only-unstable"
+    default: "-p snyk-only-unstable --tarball-build-script=:"
-
-  - name: tarball-build-script
-    type: string
-    description: Parameters to be passed to tarball-build-script
-    default: ":"
 
   volumes:
     - name: osh-client-kerb-vol
@@ -72,7 +67,6 @@ spec:
 
       script: |
         #!/bin/bash
-        echo $(params.scan-profile)
+        echo $(params.mock-build-params)
-        echo $(params.tarball-build-script)
         echo $(params.targz-file)
-        covscan mock-build -p $(params.scan-profile) --tarball-build-script=$(params.tarball-build-script) /workspace/source-tars/$(params.targz-file)
+        covscan mock-build $(params.mock-build-params) /workspace/source-tars/$(params.targz-file)

k8s/prod/osh-client-tekton/task/osh-client-git-cli-modified.yaml

@@ -13,7 +13,7 @@ metadata:
     app.kubernetes.io/version: "0.4"
     hub.tekton.dev/catalog: tekton
   name: git-cli
-  namespace: pct-security-tooling
+  namespace: psse-scanchain-prod
   resourceVersion: "3453559180"
   uid: 95fc93dd-8780-41ab-9477-b698762dc1de
 spec:

src/main/java/com/redhat/pctsec/model/ScanRequest.java

@@ -20,7 +20,7 @@ public class ScanRequest {
 
     @Id
     @GeneratedValue
-    protected UUID id;
+    public UUID id;
     private String metadata;
     //private String oshScanOptions;
 

src/main/resources/application.properties

@@ -25,7 +25,7 @@
 #   Data Source                          #
 ##########################################
 %dev.quarkus.datasource.devservices.enabled=true
-%dev.quarkus.datasource.db-kind = postgresql
+quarkus.datasource.db-kind = postgresql
 %dev.quarkus.datasource.username = quarkus
 %dev.quarkus.datasource.password = quarkus
 #%dev.quarkus.datasource.jdbc.url = jdbc:postgresql://localhost:5432/hibernate_db
@@ -41,15 +41,16 @@
 
 # Production settings. We db-name and the user are located on a config map (database-envs). The password is located on a
 # secret (database-envs).
-%prod.quarkus.kubernetes-config.secrets.enabled=true
+%prod.quarkus.openshift.env.mapping.db-password.from-secret=database-envs
-%prod.quarkus.kubernetes-config.secrets=database-envs
+%prod.quarkus.openshift.env.mapping.db-password.with-key=POSTGRESQL_PASSWORD
-%prod.quarkus.kubernetes.env.mapping.db-user.from-configmap=database-envs
+%prod.quarkus.openshift.env.mapping.db-user.from-configmap=database-envs-osh
-%prod.quarkus.kubernetes.env.mapping.db-user.with-key=POSTGRESQL_USER
+%prod.quarkus.openshift.env.mapping.db-user.with-key=POSTGRESQL_USER
-%prod.quarkus.kubernetes.env.mapping.db-name.from-configmap=database-envs
+%prod.quarkus.openshift.env.mapping.db-name.from-configmap=database-envs-osh
-%prod.quarkus.kubernetes.env.mapping.db-name.with-key=POSTGRESQL_DATABASE
+%prod.quarkus.openshift.env.mapping.db-name.with-key=POSTGRESQL_DATABASE
 %prod.quarkus.datasource.jdbc.url=jdbc:postgresql://postgresql:5432/${db-name}
 %prod.quarkus.datasource.username=${db-user}
-%prod.quarkus.datasource.password=${postgresql_password}
+%prod.quarkus.datasource.password=${db-password}
+%prod.quarkus.hibernate-orm.database.generation.create-schemas=true
 %prod.quarkus.hibernate-orm.database.generation=update
 
 
@@ -57,12 +58,14 @@
 quarkus.swagger-ui.always-include=true
 %dev.quarkus.openshift.service-account=osh-wrapper-client-sa
 %dev.quarkus.openshift.namespace=pct-security-tooling
+%prod.quarkus.http.root-path=/osh-wrapper/
 
 %stage.quarkus.openshift.name=osh
 quarkus.openshift.service-account=osh-wrapper-client-sa
 %stage.quarkus.openshift.labels.env=stage
 %stage.quarkus.log.level=DEBUG
 quarkus.arc.remove-unused-beans=false
+#%stage.quarkus.http.root-path=/stage/
 
 #Only in Quarkus > 3.x 
 %stage.quarkus.openshift.route.tls.termination=edge
@@ -78,8 +81,8 @@ quarkus.arc.remove-unused-beans=false
 #Always provide swagger ui
 
 # Probably we need to check these 2 settings
-%prod.quarkus.openshift.service-account=osh-wrapper-client-sa
+%prod.quarkus.openshift.service-account=osh
-%prod.quarkus.openshift.namespace=pct-security-tooling
+%prod.quarkus.openshift.namespace=psse-scanchain-prod
 
 %prod.quarkus.openshift.name=osh
 %prod.quarkus.openshift.labels.env=prod
@@ -114,7 +117,7 @@ quarkus.arc.remove-unused-beans=false
 %prod.quarkus.openshift.mounts.osh-wrapper.path=/kerberos
 %prod.quarkus.openshift.mounts.osh-wrapper.read-only=true
 %prod.quarkus.kerberos.keytab-path= /kerberos/kerberos-keytab-osh
-%prod.quarkus.kerberos.service-principal-name= HTTP/prodsec-scanchain.apps.ocp-c1.prod.psi.redhat.com
+%prod.quarkus.kerberos.service-principal-name= HTTP/prodsec-scanchain.apps.ocp-c1.prod.psi.redhat.com@IPA.REDHAT.COM
 
 %prod.quarkus.openshift.mounts.osh-wrapper-config-vol.path=/etc/krb5.conf
 %prod.quarkus.openshift.mounts.osh-wrapper-config-vol.sub-path=linux-krb5.conf