diff --git a/k8s/docker/Dockerfile b/docker/osh-client/Dockerfile
similarity index 100%
rename from k8s/docker/Dockerfile
rename to docker/osh-client/Dockerfile
diff --git a/hack/stage-debug-pod.yaml b/hack/stage-debug-pod.yaml
new file mode 100644
index 0000000..da5948f
--- /dev/null
+++ b/hack/stage-debug-pod.yaml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: image-debug-with-mount
+ namespace: pct-security-tooling
+spec:
+ serviceAccountName: deployer
+ containers:
+ - command:
+ - /bin/sh
+ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7f0ed1d2500a005e8e134920085ec6b28770b915b0449d45c4a44fbec818f33f
+ name: debug-with-mount
+ volumeMounts:
+ - name: osh-wrapper
+ mountPath: /mounts/kerberos
+ - name: osh-wrapper-config-vol
+ mountPath: /mounts/wraper-config
+ - name: osh-client-sources
+ mountPath: /mounts/osh-client-sources
+ - name: osh-client-tgz
+ mountPath: /mounts/osh-client-tgz
+ resources: {}
+ securityContext: {}
+ stdin: true
+ stdinOnce: true
+ tty: true
+ restartPolicy: Never
+ volumes:
+ - name: osh-wrapper
+ secret:
+ defaultMode: 384
+ optional: false
+ secretName: kerberos-keytab-osh
+ - configMap:
+ defaultMode: 384
+ items:
+ - key: linux-krb5.conf
+ path: linux-krb5.conf
+ name: kerberos-config
+ optional: false
+ name: osh-wrapper-config-vol
+ - name: osh-client-sources
+ persistentVolumeClaim:
+ claimName: osh-client-sources
+ - name: osh-client-tgz
+ persistentVolumeClaim:
+ claimName: osh-client-source-tars
+
diff --git a/k8s/stage/edgeroute.yml b/k8s/stage/app/edge-route.yaml
similarity index 100%
rename from k8s/stage/edgeroute.yml
rename to k8s/stage/app/edge-route.yaml
diff --git a/k8s/stage/kerberos-config.yaml b/k8s/stage/app/kerberos-config.yaml
similarity index 100%
rename from k8s/stage/kerberos-config.yaml
rename to k8s/stage/app/kerberos-config.yaml
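Review bot: The debug pod mounts the `kerberos-keytab-osh` Secret and the kerberos ConfigMap into an interactive shell without `readOnly: true` on any of the four `volumeMounts`, and its `securityContext: {}` leaves out the `runAsNonRoot: true` that the PipelineRuns in this commit set, so the keytab is writable from a root shell. Add `readOnly: true` to at least the `osh-wrapper` and `osh-wrapper-config-vol` mounts and mirror the pipeline securityContext where the image permits it. `mountPath: /mounts/wraper-config` is misspelled; nothing here references it, but it will be copied. Since the manifest lives under `hack/` and binds the `deployer` service account, a header comment stating it is for interactive troubleshooting only and must be deleted afterwards would help, e.g. `# Troubleshooting pod only: mounts the OSH keytab; delete after use.`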
diff --git a/k8s/linux-krb5.conf b/k8s/stage/app/linux-krb5.conf
similarity index 100%
rename from k8s/linux-krb5.conf
rename to k8s/stage/app/linux-krb5.conf
diff --git a/k8s/stage/osh-client-tekton/osh-client-config.yaml b/k8s/stage/osh-client-tekton/osh-client-config.yaml
new file mode 100644
index 0000000..d868693
--- /dev/null
+++ b/k8s/stage/osh-client-tekton/osh-client-config.yaml
@@ -0,0 +1,79 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ annotations:
+ name: kerberos-config-osh-client
+ namespace: pct-security-tooling
+data:
+ linux-krb5.conf: |
+ includedir /etc/krb5.conf.d/
+
+ # depending on your config, you may wish to uncomment the following:
+ # includedir /var/lib/sss/pubconf/krb5.include.d/
+
+ [libdefaults]
+ default_realm = IPA.REDHAT.COM
+ dns_lookup_realm = true
+ dns_lookup_kdc = true
+ rdns = false
+ dns_canonicalize_hostname = false
+ ticket_lifetime = 24h
+ forwardable = true
+ udp_preference_limit = 1
+ default_ccache_name = FILE:/tmp/krb5cc_%{uid}
+ max_retries = 1
+ kdc_timeout = 1500
+
+ [realms]
+
+ REDHAT.COM = {
+ default_domain = redhat.com
+ dns_lookup_kdc = true
+ master_kdc = kerberos.corp.redhat.com
+ admin_server = kerberos.corp.redhat.com
+ }
+
+ IPA.REDHAT.COM = {
+ default_domain = ipa.redhat.com
+ dns_lookup_kdc = true
+ # Trust tickets issued by legacy realm on this host
+ auth_to_local = RULE:[1:$1@$0](.*@REDHAT\.COM)s/@.*//
+ auth_to_local = DEFAULT
+ }
+ #DO NOT ADD A [domain_realms] section
+ #https://mojo.redhat.com/docs/DOC-1166841
+
+---
+#oc create configmap osh-client-config --from-file=client.conf --dry-run=client -o yaml > osh-client-config.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: osh-client-config
+ namespace: pct-security-tooling
+data:
+ client.conf: |+
+ # client config file for covscan
+
+ # Hub XML-RPC address.
+ HUB_URL = "https://cov01.lab.eng.brq2.redhat.com/covscanhub/xmlrpc"
+ BREW_URL = "https://brewhub.engineering.redhat.com/brewhub"
+ KOJI_URL = "https://koji.fedoraproject.org/kojihub"
+ KOJI_PROFILES = "brew,koji"
+
+ CIM_SERVER = "cov01.lab.eng.brq2.redhat.com"
+ CIM_PORT = "8080"
+
+ DEFAULT_MOCKCONFIG = "fedora-rawhide-x86_64"
+
+ # Hub authentication method: "krbv", "password", or "gssapi"
+ AUTH_METHOD = "krbv"
+ KRB_REALM = "IPA.REDHAT.COM"
+
+ # Kerberos principal. If commented, default principal obtained by kinit is used.
+ KRB_PRINCIPAL = "HTTP/osh-pct-security-tooling.apps.ocp-c1.prod.psi.redhat.com@IPA.REDHAT.COM"
+
+ # Kerberos keytab file.
+ KRB_KEYTAB = "/kerberos/kerberos-keytab-osh"
+
+ # Enables XML-RPC verbose flag
+ DEBUG_XMLRPC = 0
diff --git a/k8s/stage/osh-client-tekton/osh-client-from-source-pipeline-run.yaml b/k8s/stage/osh-client-tekton/osh-client-from-source-pipeline-run.yaml
new file mode 100644
index 0000000..44ae810
--- /dev/null
+++ b/k8s/stage/osh-client-tekton/osh-client-from-source-pipeline-run.yaml
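Review bot: `annotations:` under the first ConfigMap's `metadata` has no value and therefore parses as null; either drop the key or write `annotations: {}` so the manifest does not rely on the API server tolerating a null map. The `linux-krb5.conf` body here looks like a copy of what `k8s/stage/app/kerberos-config.yaml` (renamed in this same commit) carries — if so the two will drift, so either mount that single ConfigMap from both places or add a comment naming which copy is authoritative. `KRB_KEYTAB = "/kerberos/kerberos-keytab-osh"` only resolves if the `kerberos-keytab-osh` Secret has a data key literally named `kerberos-keytab-osh`; the Secret is not in this diff, so a comment such as `# path = /kerberos mount + data key of secret kerberos-keytab-osh` next to it would make the coupling visible.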
@@ -0,0 +1,99 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ generateName: osh-client-from-source-run-
+ #openshift.io/scc: pipelines-scc
+
+spec:
+ serviceAccountName: osh-wrapper-client-sa
+ podTemplate:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ pipelineRef:
+ name: osh-client-from-source
+ params:
+ - name: repo-url
+ value: https://code.engineering.redhat.com/gerrit/messaging/activemq-artemis.git
+
+ - name: revision
+ value: amq-broker-7.11
+
+ workspaces:
+ - name: sources
+ persistentVolumeClaim:
+ claimName: osh-client-sources
+ - name: source-tars
+ persistentVolumeClaim:
+ claimName: osh-client-source-tars
+ - name: ssl-ca-directory
+ configmap:
+ name: config-trusted-cabundle
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ generateName: osh-client-from-source-run-
+ #openshift.io/scc: pipelines-scc
+
+spec:
+ serviceAccountName: osh-wrapper-client-sa
+ podTemplate:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ pipelineRef:
+ name: osh-client-from-source
+ params:
+ - name: repo-url
+ value: https://code.engineering.redhat.com/gerrit/quarkusio/quarkus.git
+
+ - name: revision
+ value: 2.13.8.Final-redhat-00001
+
+ workspaces:
+ - name: sources
+ persistentVolumeClaim:
+ claimName: osh-client-sources
+ - name: source-tars
+ persistentVolumeClaim:
+ claimName: osh-client-source-tars
+ - name: ssl-ca-directory
+ configmap:
+ name: config-trusted-cabundle
+
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ generateName: osh-client-from-source-run-
+ #openshift.io/scc: pipelines-scc
+
+spec:
+ serviceAccountName: osh-wrapper-client-sa
+ podTemplate:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ pipelineRef:
+ name: osh-client-from-source
+ params:
+ - name: repo-url
+ value: https://code.engineering.redhat.com/gerrit/quarkusio/quarkus-platform.git
+
+ - name: revision
+ value: 6a13a9fe4e5526bee4a8ea5e425d89945bea1c17
+
+ workspaces:
+ - name: sources
+ persistentVolumeClaim:
+ claimName: osh-client-sources
+ - name: source-tars
+ persistentVolumeClaim:
+ claimName: osh-client-source-tars
+ - name: ssl-ca-directory
+ configmap:
+ name: config-trusted-cabundle
+
+
+
diff --git a/k8s/stage/osh-client-tekton/osh-client-pvc.yaml b/k8s/stage/osh-client-tekton/osh-client-pvc.yaml
new file mode 100644
index 0000000..6b904d3
--- /dev/null
+++ b/k8s/stage/osh-client-tekton/osh-client-pvc.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: osh-client-sources
+ namespace: pct-security-tooling
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 5Gi
+ storageClassName: dynamic-nfs
+ volumeMode: Filesystem
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: osh-client-source-tars
+ namespace: pct-security-tooling
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 10Gi
+ storageClassName: dynamic-nfs
+ volumeMode: Filesystem
+
diff --git a/k8s/stage/osh-client-tekton/pipline/osh-client-from-source-pipeline.yaml b/k8s/stage/osh-client-tekton/pipline/osh-client-from-source-pipeline.yaml
new file mode 100644
index 0000000..f806c12
--- /dev/null
+++ b/k8s/stage/osh-client-tekton/pipline/osh-client-from-source-pipeline.yaml
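Review bot: None of the three PipelineRuns sets `metadata.namespace`, while every other resource in this commit (the PVCs, both ConfigMaps, the modified git-cli Task) pins `pct-security-tooling`; applied from a different kube context they land in another namespace where `osh-client-sources`, `osh-client-source-tars` and `config-trusted-cabundle` do not exist, and the failure only shows up at run time. Add `namespace: pct-security-tooling` under each `metadata:` next to `generateName`. The commented `#openshift.io/scc: pipelines-scc` line sits directly under `metadata:`, where an annotation key is invalid; if it is meant to be re-enabled later it belongs under an `annotations:` map, otherwise drop it from all three documents.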
@@ -0,0 +1,98 @@
+#requires running `tkn hub install task "git-cli"` first
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: osh-client-from-source
+spec:
+ description: This pipeline clones a repo, git archives it then sends it to covscan to be scanned with snyk
+ params:
+
+ - name: repo-url
+ description: The SCMURL
+ type: string
+
+ - name: revision
+ description: The revision or tag
+ type: string
+
+ - name: archive-name
+ description: The name of the git archive file
+ type: string
+ default: $(context.pipelineRun.uid).tar.gz
+
+ workspaces:
+ - name: sources
+ description: This workspace contains our cloned sources and is temporary
+ - name: source-tars
+ description: This workspace contains our source tar gzips for covscan and is semi-persistant
+ - name: ssl-ca-directory
+ description: Location of CA bundle for ssl verification with internal services
+
+
+ tasks:
+ - name: clone
+ taskRef:
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: sources
+ subPath: $(context.pipelineRun.name)
+ - name: ssl-ca-directory
+ workspace: ssl-ca-directory
+ params:
+ - name: url
+ value: $(params.repo-url)
+ - name: revision
+ value: $(params.revision)
+ - name: verbose
+ value: true
+
+ - name: archive
+ runAfter:
+ - clone
+ taskRef:
+ name: git-cli
+ workspaces:
+ - name: source
+ workspace: sources
+ subPath: $(context.pipelineRun.name)
+ - name: source-tars
+ workspace: source-tars
+ subPath: $(context.pipelineRun.name)
+ params:
+ - name: USER_HOME
+ value: /home/git
+ - name: archive-name
+ value: $(params.archive-name)
+ - name: GIT_SCRIPT
+ value: |
+ git config --global --add safe.directory /workspace/source
+ git archive --format=tar.gz HEAD -o /workspace/source-tars/$(params.archive-name)
+
+ #results:
+ #- name: archive-name
+ #description: The name of the tar.gz we created
+
+ - name: covscan
+ params:
+ - name: targz-file
+ value: $(params.archive-name)
+ runAfter:
+ - archive
+ taskRef:
+ name: osh-scan-task-from-source
+ workspaces:
+ - name: source-tars
+ workspace: source-tars
+ subPath: $(context.pipelineRun.name)
+ finally:
+ - name: cleanup-workspace
+ params:
+ - name: clear-dir
+ value: $(context.pipelineRun.name)
+ taskRef:
+ name: cleanup-workspace
+ workspaces:
+ - name: sources
+ workspace: sources
+ #Note we don't provide a subpath, this way we can contain the whole folder
diff --git a/k8s/stage/osh-client-tekton/task/osh-client-from-source-clearup-workspace.yaml b/k8s/stage/osh-client-tekton/task/osh-client-from-source-clearup-workspace.yaml
new file mode 100644
index 0000000..e30ea0d
--- /dev/null
+++ b/k8s/stage/osh-client-tekton/task/osh-client-from-source-clearup-workspace.yaml
@@ -0,0 +1,25 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: cleanup-workspace
+spec:
+ params:
+ - name: cleanup
+ type: string
+ default: true
+ description: Should we actually cleanup the sources dir
+ - name: clear-dir
+ type: string
+
+ workspaces:
+ - name: sources
+ description: Where we checked out our sources
+
+ steps:
+ - name: perform-buildid-scan
+ image: registry.access.redhat.com/ubi9/ubi:9.2-696
+
+ script: |
+ #!/bin/bash
+ echo "Clearing up sources form $(params.clear-dir)"
+ rm -rv /workspace/sources/$(params.clear-dir)
diff --git a/k8s/stage/osh-client-tekton/task/osh-client-from-source.yaml b/k8s/stage/osh-client-tekton/task/osh-client-from-source.yaml
new file mode 100644
index 0000000..aba0eb1
--- /dev/null
+++ b/k8s/stage/osh-client-tekton/task/osh-client-from-source.yaml
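Review bot: `value: true` for the `verbose` param of the `clone` task is a YAML boolean, and Tekton param values must be strings, arrays or objects, so runs of this Pipeline are likely to be rejected at admission; write `value: "true"`, matching how the git-cli Task in this commit declares its `VERBOSE` param with `default: "true"`. `archive-name` is a free-form pipeline param that is spliced verbatim into the `GIT_SCRIPT` shell line (`-o /workspace/source-tars/$(params.archive-name)`) and then into the scan task's file path, so a value containing whitespace, shell metacharacters or path separators changes the command rather than just the filename; restrict it to a bare filename (validate in the Task, or pass it through an `env` entry and quote `"${ARCHIVE_NAME}"`) instead of interpolating it into the script. The commented `#results:` stanza is dead, while the modified git-cli Task declares an `archive-name` result that is never written, so either wire the two up or remove both. The directory in the file path is spelled `pipline/`.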
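Review bot: The `cleanup` param is declared with `default: true`, a YAML boolean that Tekton rejects for a `string` param, and the script never consults it — `rm -rv` always runs. The removal target is built by splicing `$(params.clear-dir)` straight into the script, so an empty value turns the command into `rm -rv /workspace/sources/` and wipes the whole shared RWX workspace. Quote the default, pass both params through `env` the way the git-cli Task in this commit does with `PARAM_VERBOSE`, and refuse an empty or path-like value before removing; the step name `perform-buildid-scan` also looks copied from the scan Task, and `form` should read `from`.
```yaml
  params:
  - name: cleanup
    type: string
    default: "true"
    description: Should we actually cleanup the sources dir
  # … unchanged: clear-dir param, workspaces …
  steps:
  - name: cleanup-sources
    image: registry.access.redhat.com/ubi9/ubi:9.2-696
    env:
    - name: PARAM_CLEANUP
      value: $(params.cleanup)
    - name: PARAM_CLEAR_DIR
      value: $(params.clear-dir)
    script: |
      #!/bin/bash
      set -euo pipefail
      if [ "${PARAM_CLEANUP}" != "true" ]; then
        echo "cleanup disabled; leaving ${PARAM_CLEAR_DIR} in place"
        exit 0
      fi
      # Only a plain directory name under the workspace is acceptable.
      case "${PARAM_CLEAR_DIR}" in
        ""|.|..|*/*) echo "refusing to remove '${PARAM_CLEAR_DIR}'" >&2; exit 1 ;;
      esac
      echo "Clearing up sources from ${PARAM_CLEAR_DIR}"
      rm -rv "/workspace/sources/${PARAM_CLEAR_DIR}"
```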
@@ -0,0 +1,78 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: osh-scan-task-from-source
+spec:
+ stepTemplate:
+ env:
+ - name: "HOME"
+ value: "/tekton/home"
+ params:
+ - name: targz-file
+ type: string
+ default: "source.tar.gz"
+ description: The filename of the tar.gz we'll be uploading to covscan
+
+ - name: scan-profile
+ type: string
+ description: The scan profile we will use
+ default: "snyk-only-unstable"
+
+ - name: tarball-build-script
+ type: string
+ description: Parameters to be passed to tarball-build-script
+ default: ":"
+
+ volumes:
+ - name: osh-client-kerb-vol
+ secret:
+ defaultMode: 292
+ optional: false
+ secretName: kerberos-keytab-osh
+
+ - name: osh-client-kerb-config-vol
+ configMap:
+ name: kerberos-config-osh-client
+ items:
+ - key: linux-krb5.conf
+ path: linux-krb5.conf
+ defaultMode: 292
+ optional: false
+
+ - name: osh-client-config-vol
+ configMap:
+ name: osh-client-config
+ items:
+ - key: client.conf
+ path: client.conf
+ optional: false
+
+ workspaces:
+ - name: source-tars
+ description: source tar gzips are kept here
+
+ steps:
+ - name: perform-buildid-scan
+ image: quay.io/pct-security/osh-wrapper-client:latest
+ workingDir: /home/covscan
+ volumeMounts:
+ - name: osh-client-kerb-vol
+ mountPath: /kerberos
+ readOnly: true
+
+ - name: osh-client-config-vol
+ mountPath: /etc/osh/client.conf
+ readOnly: true
+ subPath: client.conf
+
+ - name: osh-client-kerb-config-vol
+ mountPath: /etc/krb5.conf
+ readOnly: true
+ subPath: linux-krb5.conf
+
+ script: |
+ #!/bin/bash
+ echo $(params.scan-profile)
+ echo $(params.tarball-build-script)
+ echo $(params.targz-file)
+ covscan mock-build -p $(params.scan-profile) --tarball-build-script=$(params.tarball-build-script) /workspace/source-tars/$(params.targz-file)
diff --git a/k8s/stage/osh-client-tekton/task/osh-client-git-cli-modified.yaml b/k8s/stage/osh-client-tekton/task/osh-client-git-cli-modified.yaml
new file mode 100644
index 0000000..25b49d2
--- /dev/null
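Review bot: `scan-profile`, `tarball-build-script` and `targz-file` are interpolated unquoted straight into the `covscan mock-build` command in the step script, so whitespace or shell metacharacters in a param value become part of the command line rather than an argument; the git-cli Task in this commit shows the safer pattern — expose each as an `env` entry (`- name: PARAM_SCAN_PROFILE` / `value: $(params.scan-profile)`, and so on) and reference `"${PARAM_SCAN_PROFILE}"` in the script. The same applies to `buildId` and `scanProfile` in `osh-scan-task.yaml` later in this diff. The keytab Secret is mounted with `defaultMode: 292` (0444) here but `384` (0600) in `osh-scan-task.yaml` and the debug pod; if 0444 is needed because the step runs as uid 65532 rather than the file owner, record that in a comment next to the mode, otherwise align on 0600 so the keytab is not readable by every uid in the container. `image: quay.io/pct-security/osh-wrapper-client:latest` is a mutable tag while the debug pod pins its image by digest; pin this one by digest too, since it is the image that handles the keytab.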
+++ b/k8s/stage/osh-client-tekton/task/osh-client-git-cli-modified.yaml 
@@ -0,0 +1,146 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ annotations:
+ tekton.dev/categories: Git
+ tekton.dev/displayName: git cli
+ tekton.dev/pipelines.minVersion: 0.21.0
+ tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le
+ tekton.dev/tags: git
+ creationTimestamp: "2023-06-20T22:58:05Z"
+ generation: 2
+ labels:
+ app.kubernetes.io/version: "0.4"
+ hub.tekton.dev/catalog: tekton
+ name: git-cli
+ namespace: pct-security-tooling
+ resourceVersion: "3453559180"
+ uid: 95fc93dd-8780-41ab-9477-b698762dc1de
+spec:
+ description: |-
+ This task can be used to perform git operations.
+ Git command that needs to be run can be passed as a script to the task. This task needs authentication to git in order to push after the git operation.
+ params:
+ - default: cgr.dev/chainguard/git:root-2.39@sha256:7759f87050dd8bacabe61354d75ccd7f864d6b6f8ec42697db7159eccd491139
+ description: |
+ The base image for the task.
+ name: BASE_IMAGE
+ type: string
+ - default: ""
+ description: |
+ Git user name for performing git operation.
+ name: GIT_USER_NAME
+ type: string
+ - default: ""
+ description: |
+ Git user email for performing git operation.
+ name: GIT_USER_EMAIL
+ type: string
+ - default: |
+ git help
+ description: The git script to run.
+ name: GIT_SCRIPT
+ type: string
+ - default: /root
+ description: |
+ Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user or have overridden
+ the gitInitImage param with an image containing custom user configuration.
+ name: USER_HOME
+ type: string
+ - default: "true"
+ description: Log the commands that are executed during `git-clone`'s operation.
+ name: VERBOSE
+ type: string
+ results:
+ - description: The precise commit SHA after the git operation.
+ name: commit
+ type: string
+ - name: archive-name
+ type: string
+ description: The archive name produced by the git archive
+ steps:
+ - env:
+ - name: HOME
+ value: $(params.USER_HOME)
+ - name: PARAM_VERBOSE
+ value: $(params.VERBOSE)
+ - name: PARAM_USER_HOME
+ value: $(params.USER_HOME)
+ - name: WORKSPACE_OUTPUT_PATH
+ value: $(workspaces.output.path)
+ - name: WORKSPACE_SSH_DIRECTORY_BOUND
+ value: $(workspaces.ssh-directory.bound)
+ - name: WORKSPACE_SSH_DIRECTORY_PATH
+ value: $(workspaces.ssh-directory.path)
+ - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND
+ value: $(workspaces.basic-auth.bound)
+ - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH
+ value: $(workspaces.basic-auth.path)
+ image: $(params.BASE_IMAGE)
+ name: git
+ resources: {}
+ script: |
+ #!/usr/bin/env sh
+ set -eu
+
+ if [ "${PARAM_VERBOSE}" = "true" ] ; then
+ set -x
+ fi
+
+ if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
+ cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials"
+ cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig"
+ chmod 400 "${PARAM_USER_HOME}/.git-credentials"
+ chmod 400 "${PARAM_USER_HOME}/.gitconfig"
+ fi
+
+ if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then
+ cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh
+ chmod 700 "${PARAM_USER_HOME}"/.ssh
+ chmod -R 400 "${PARAM_USER_HOME}"/.ssh/*
+ fi
+
+ # Setting up the config for the git.
+ git config --global user.email "$(params.GIT_USER_EMAIL)"
+ git config --global user.name "$(params.GIT_USER_NAME)"
+
+ eval '$(params.GIT_SCRIPT)'
+
+ RESULT_SHA="$(git rev-parse HEAD | tr -d '\n')"
+ EXIT_CODE="$?"
+ if [ "$EXIT_CODE" != 0 ]
+ then
+ exit $EXIT_CODE
+ fi
+ # Make sure we don't add a trailing newline to the result!
+ printf "%s" "$RESULT_SHA" > "$(results.commit.path)"
+ workingDir: $(workspaces.source.path)
+ workspaces:
+ - description: custom source tar location
+ name: source-tars
+ - description: A workspace that contains the fetched git repository.
+ name: source
+ - description: |
+ An optional workspace that contains the files that need to be added to git. You can
+ access the workspace from your script using `$(workspaces.input.path)`, for instance:
+
+ cp $(workspaces.input.path)/file_that_i_want .
+ git add file_that_i_want
+ # etc
+ name: input
+ optional: true
+ - description: |
+ A .ssh directory with private key, known_hosts, config, etc. Copied to
+ the user's home before git commands are executed. Used to authenticate
+ with the git remote when performing the clone. Binding a Secret to this
+ Workspace is strongly recommended over other volume types.
+ name: ssh-directory
+ optional: true
+ - description: |
+ A Workspace containing a .gitconfig and .git-credentials file. These
+ will be copied to the user's home before any git commands are run. Any
+ other files in this Workspace are ignored. It is strongly recommended
+ to use ssh-directory over basic-auth whenever possible and to bind a
+ Secret to this Workspace over other volume types.
+ name: basic-auth
+ optional: true
diff --git a/k8s/stage/osh-client-tekton/task/osh-scan-task.yaml b/k8s/stage/osh-client-tekton/task/osh-scan-task.yaml
new file mode 100644
index 0000000..5cbd31e
--- /dev/null
+++ b/k8s/stage/osh-client-tekton/task/osh-scan-task.yaml
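Review bot: The Task metadata carries server-populated fields copied from a live object — `creationTimestamp`, `generation: 2`, `resourceVersion: "3453559180"` and `uid` — which make a plain `create` on a fresh cluster fail (resourceVersion must not be set on create) and make `apply` diffs noisy; strip those four and keep only `annotations`, `labels`, `name` and `namespace`. The added `archive-name` result is declared but nothing writes `$(results.archive-name.path)`, so any consumer reads an empty result, and the Pipeline in this commit passes an `archive-name` param that this Task does not declare, which some Tekton versions reject as an undeclared param; declare the param and either write the result, e.g. `printf "%s" "$(params.archive-name)" > "$(results.archive-name.path)"` after the commit result, or drop it. The local edits to the catalog task (the `source-tars` workspace, the new result) are unmarked, so the next `tkn hub` refresh will silently discard them; a header comment such as `# Based on tekton catalog git-cli 0.4; local changes: source-tars workspace, archive-name result` would protect them. `eval '$(params.GIT_SCRIPT)'` is inherited from upstream and already runs whatever the Pipeline passes in, which is why the `archive-name` value it receives should be constrained at the Pipeline level.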
@@ -0,0 +1,63 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: osh-scan-task
+spec:
+ stepTemplate:
+ env:
+ - name: "HOME"
+ value: "/tekton/home"
+ params:
+ - name: buildId
+ type: string
+ - name: scanProfile
+ type: string
+
+ volumes:
+ - name: osh-client-kerb-vol
+ secret:
+ defaultMode: 384
+ optional: false
+ secretName: kerberos-keytab-osh
+
+ - name: osh-client-kerb-config-vol
+ configMap:
+ name: kerberos-config-osh-client
+ items:
+ - key: linux-krb5.conf
+ path: linux-krb5.conf
+ defaultMode: 384
+ optional: false
+
+ - name: osh-client-config-vol
+ configMap:
+ name: osh-client-config
+ items:
+ - key: client.conf
+ path: client.conf
+ optional: false
+
+ steps:
+ - name: perform-buildid-scan
+ image: quay.io/pct-security/osh-wrapper-client:latest
+ workingDir: /home/covscan
+ volumeMounts:
+ - name: osh-client-kerb-vol
+ mountPath: /kerberos
+ readOnly: true
+
+ - name: osh-client-config-vol
+ mountPath: /etc/osh/client.conf
+ readOnly: true
+ subPath: client.conf
+
+ - name: osh-client-kerb-config-vol
+ mountPath: /etc/krb5.conf
+ readOnly: true
+ subPath: linux-krb5.conf
+
+ script: |
+ #!/bin/bash
+ echo $(params.buildId)
+ echo $(params.scanProfile)
+ covscan mock-build -p $(params.scanProfile) --brew-build $(params.buildId)