Compare commits
20 Commits
refactor
...
tekton_wor
| Author | SHA1 | Date |
|---|---|---|
Jonathan Christison
|
9510e768dc | 3 years ago |
|
Jonathan Christison
|
094c81bc47 | 3 years ago |
|
Jonathan Christison
|
63e1d8b01c | 3 years ago |
Nicholas Caughey
|
8553cfb22c | 3 years ago |
|
Nicholas Caughey
|
1c1007b811 | 3 years ago |
|
Nicholas Caughey
|
0d7678a990 | 3 years ago |
|
Jonathan Christison
|
fa4ea264e2 | 3 years ago |
|
Jonathan Christison
|
e755fe945c | 3 years ago |
|
Jonathan Christison
|
c15a0c5ee1 | 3 years ago |
|
Jonathan Christison
|
b1942b512a | 3 years ago |
|
Jonathan Christison
|
e3fcecac06 | 3 years ago |
|
Jonathan Christison
|
2e38ec0461 | 3 years ago |
|
Jonathan Christison
|
4526231088 | 3 years ago |
jperezde
|
fee2bd340f | 3 years ago |
|
jperezde
|
1ab0639941 | 3 years ago |
|
jperezde
|
af4a80b04a | 3 years ago |
|
jperezde
|
d3e2990851 | 3 years ago |
|
jperezde
|
94d72b95c8 | 3 years ago |
|
jperezde
|
22c0be081b | 3 years ago |
|
jperezde
|
6df7da6c10 | 3 years ago |
27 changed files with 388 additions and 425 deletions
@ -1,112 +1,51 @@
|
||||
See https://docs.google.com/document/d/15yod6K_ZbNkJ_ern7gwpxjBkdJIlHXORfYZ3CGQhnEM/edit?usp=sharing for a full version with images |
||||
# code-with-quarkus |
||||
|
||||
# Introduction |
||||
Currently we rely on CPaaS to submit requests to PSSaaS which then invokes the PSSC scanning container. The idea behind the ScanChain api is to act as an interaction point for services to be able to directly access our scan tooling. |
||||
This project uses Quarkus, the Supersonic Subatomic Java Framework. |
||||
|
||||
Our api will be written in Quarkus for ease of use and deployment to OpenShift, we will also use Tekton to assist with CI/CD. |
||||
If you want to learn more about Quarkus, please visit its website: https://quarkus.io/ . |
||||
|
||||
# How to build |
||||
## Running the application in dev mode |
||||
|
||||
To set up the environment. After cloning the repository: |
||||
|
||||
``` |
||||
cd <repository>/ |
||||
quarkus create app quarkus:dev |
||||
mvn -N io.takari:maven:wrapper |
||||
``` |
||||
|
||||
Also, it is necessary to create a local PostgreSQL instance. For development purposes, the parameters are: |
||||
``` |
||||
username = postgresql |
||||
password = password |
||||
``` |
||||
|
||||
ToDo: Create Database Model |
||||
|
||||
|
||||
|
||||
To run the Quarkus build in dev mode simply run: |
||||
```` |
||||
You can run your application in dev mode that enables live coding using: |
||||
```shell script |
||||
./mvnw compile quarkus:dev |
||||
```` |
||||
All end points should be avaliable on localhost:8080/{endpoint}. The endpoints are listed in the endpoints section |
||||
|
||||
|
||||
|
||||
# Deploying to OpenShift (https://quarkus.io/guides/deploying-to-openshift) |
||||
Part of the advantage of working with quarkus is the ease of which we can deploy it to OpenShift. We have the OpenShift extension already installed via the pom, |
||||
|
||||
All that should be required to build and deploy OpenShift is to login to OpenShift via the usual method (oc login (creds) for example). Before running a build command: |
||||
|
||||
You can then expose the routes (oc expose {route}), then your application should be accessible on the OpenShift cluster. This is verifiable either by using the console to request which services are running (oc get svc) or by using the web console which should display the service graphically. |
||||
|
||||
# Design diagram |
||||
API endpoint diagram with all endpoints DB links, connections to further services (PNC API etc) |
||||
|
||||
# API endpoints |
||||
|
||||
## /{scanId} - GET request for retrieving scans |
||||
This is a simple request for retrieving scans that are stored in our postgresql database. The assigned scanId will return the whole scan payload in JSON format. |
||||
|
||||
## / - POST request takes a JSON payload to start scans (Maybe isnt relevant/shouldnt be included in the future) |
||||
|
||||
Creating scans via passing fully formed JSON payloads. The standard JSON format should contain: |
||||
product-id |
||||
event-id |
||||
is-managed-service |
||||
component-list |
||||
See appendix 1 for a provided example |
||||
|
||||
## /scanRequest - Post request for starting scans |
||||
|
||||
There are several different types of build that should be retrieved from the backend source. Different inputs are required based off the build source. |
||||
|
||||
The required fields for BREW builds are: |
||||
buildSystemType |
||||
brewId |
||||
brewNVR - matches brewId |
||||
pncId |
||||
artifactType |
||||
fileName |
||||
builtFromSource |
||||
|
||||
The required fields for git builds are: |
||||
buildSystemType |
||||
repository |
||||
reference |
||||
commitId |
||||
|
||||
The required fields for PNC builds are: |
||||
buildSystemType |
||||
buildId |
||||
``` |
||||
|
||||
This information should allow us to have all the requirements for retrieving and then starting a scan when requested from the required sources. |
||||
> **_NOTE:_** Quarkus now ships with a Dev UI, which is available in dev mode only at http://localhost:8080/q/dev/. |
||||
|
||||
## /startScan - PUT request to start off the relevant scan |
||||
## Packaging and running the application |
||||
|
||||
Only requires the scanId and should start off the relevant scan, should return a success only on finished or failure if there's no further response after timeout. |
||||
## /removeScan - DELETE request to remove a scan build from DB |
||||
The application can be packaged using: |
||||
```shell script |
||||
./mvnw package |
||||
``` |
||||
It produces the `quarkus-run.jar` file in the `target/quarkus-app/` directory. |
||||
Be aware that it’s not an _über-jar_ as the dependencies are copied into the `target/quarkus-app/lib/` directory. |
||||
|
||||
Only requires the scanId should remove the relevant scan from our DB. Should return a success or failure. |
||||
The application is now runnable using `java -jar target/quarkus-app/quarkus-run.jar`. |
||||
|
||||
# Expanded work to do |
||||
If you want to build an _über-jar_, execute the following command: |
||||
```shell script |
||||
./mvnw package -Dquarkus.package.type=uber-jar |
||||
``` |
||||
|
||||
## Jenkins |
||||
The application, packaged as an _über-jar_, is now runnable using `java -jar target/*-runner.jar`. |
||||
|
||||
Haven't looked into the correct way for the API to interact with Jenkins needs more investigation. |
||||
## Creating a native executable |
||||
|
||||
## Jira tickets still to do: |
||||
https://issues.redhat.com/browse/PSSECMGT-1548 |
||||
https://issues.redhat.com/browse/PSSECMGT-1549 |
||||
https://issues.redhat.com/browse/PSSECMGT-1550 |
||||
https://issues.redhat.com/browse/PSSECMGT-1551 |
||||
https://issues.redhat.com/browse/PSSECMGT-1552 |
||||
https://issues.redhat.com/browse/PSSECMGT-1553 |
||||
https://issues.redhat.com/browse/PSSECMGT-1554 |
||||
You can create a native executable using: |
||||
```shell script |
||||
./mvnw package -Pnative |
||||
``` |
||||
|
||||
Or, if you don't have GraalVM installed, you can run the native executable build in a container using: |
||||
```shell script |
||||
./mvnw package -Pnative -Dquarkus.native.container-build=true |
||||
``` |
||||
|
||||
# Appendix |
||||
You can then execute your native executable with: `./target/code-with-quarkus-1.0.0-SNAPSHOT-runner` |
||||
|
||||
Appendix 1 |
||||
If you want to learn more about building native executables, please consult https://quarkus.io/guides/maven-tooling. |
||||
|
||||
## Related Guides |
||||
|
||||
|
||||
@ -0,0 +1,12 @@
|
||||
#!/bin/bash |
||||
|
||||
#Scan a RPM builds for quarkus with Snyk |
||||
|
||||
#Doesn't work - interprets as tar |
||||
#covscan mock-build -p snyk-only-unstable --tarball-build-script=: --brew-build quarkus-mandrel-22-22.3.2.1_1-4.el8qks |
||||
|
||||
#Doesn't work requires profile tuning/further mock env setup |
||||
#covscan mock-build -p snyk-only-unstable --brew-build quarkus-mandrel-22-22.3.2.1_1-4.el8qks |
||||
|
||||
#Working but using wrong mockenv |
||||
covscan mock-build -p snyk-only-unstable --brew-build xterm-366-8.el9 |
||||
@ -0,0 +1,10 @@
|
||||
{ |
||||
"product-id": "jochrist-dev-test-rhbq-mandrel", |
||||
"is-managed-service": false, |
||||
"cpaas-version": "latest", |
||||
"component-list":[ |
||||
{"build-id":"quarkus-mandrel-22-22.3.2.1_1-4.el8qks", |
||||
"type":"brew"} |
||||
] |
||||
} |
||||
|
||||
@ -0,0 +1,4 @@
|
||||
#!/bin/bash |
||||
|
||||
curl -X POST -H "PSSC-Secret-Key: pig" -H "PSSC-Secret-Value: FOO" -d '@example_pssaas_payload.json' http://el-pssc-scan-listener-pssaas-service.apps.pssaas.07fi.p1.openshiftapps.com |
||||
|
||||
@ -0,0 +1,36 @@
|
||||
includedir /etc/krb5.conf.d/ |
||||
|
||||
# depending on your config, you may wish to uncomment the following: |
||||
# includedir /var/lib/sss/pubconf/krb5.include.d/ |
||||
|
||||
[libdefaults] |
||||
default_realm = IPA.REDHAT.COM |
||||
dns_lookup_realm = true |
||||
dns_lookup_kdc = true |
||||
rdns = false |
||||
dns_canonicalize_hostname = false |
||||
ticket_lifetime = 24h |
||||
forwardable = true |
||||
udp_preference_limit = 1 |
||||
default_ccache_name = KEYRING:persistent:%{uid} |
||||
max_retries = 1 |
||||
kdc_timeout = 1500 |
||||
|
||||
[realms] |
||||
|
||||
REDHAT.COM = { |
||||
default_domain = redhat.com |
||||
dns_lookup_kdc = true |
||||
master_kdc = kerberos.corp.redhat.com |
||||
admin_server = kerberos.corp.redhat.com |
||||
} |
||||
|
||||
IPA.REDHAT.COM = { |
||||
default_domain = ipa.redhat.com |
||||
dns_lookup_kdc = true |
||||
# Trust tickets issued by legacy realm on this host |
||||
auth_to_local = RULE:[1:$1@$0](.*@REDHAT\.COM)s/@.*// |
||||
auth_to_local = DEFAULT |
||||
} |
||||
#DO NOT ADD A [domain_realms] section |
||||
#https://mojo.redhat.com/docs/DOC-1166841 |
||||
@ -0,0 +1,21 @@
|
||||
#oc create route edge --service=osh --dry-run=client -o yaml > edgeroute.yml |
||||
apiVersion: route.openshift.io/v1 |
||||
kind: Route |
||||
metadata: |
||||
creationTimestamp: null |
||||
labels: |
||||
app.kubernetes.io/name: osh |
||||
app.kubernetes.io/version: 1.0.0-SNAPSHOT |
||||
app.openshift.io/runtime: quarkus |
||||
env: stage |
||||
name: osh |
||||
spec: |
||||
port: |
||||
targetPort: http |
||||
tls: |
||||
termination: edge |
||||
to: |
||||
kind: "" |
||||
name: osh |
||||
weight: null |
||||
status: {} |
||||
@ -0,0 +1,44 @@
|
||||
#oc create configmap kerberos-config --from-file=linux-krb5.conf --dry-run=client -o yaml > kerberos-config.yaml |
||||
apiVersion: v1 |
||||
data: |
||||
linux-krb5.conf: | |
||||
includedir /etc/krb5.conf.d/ |
||||
|
||||
# depending on your config, you may wish to uncomment the following: |
||||
# includedir /var/lib/sss/pubconf/krb5.include.d/ |
||||
|
||||
[libdefaults] |
||||
default_realm = IPA.REDHAT.COM |
||||
dns_lookup_realm = true |
||||
dns_lookup_kdc = true |
||||
rdns = false |
||||
dns_canonicalize_hostname = false |
||||
ticket_lifetime = 24h |
||||
forwardable = true |
||||
udp_preference_limit = 1 |
||||
default_ccache_name = KEYRING:persistent:%{uid} |
||||
max_retries = 1 |
||||
kdc_timeout = 1500 |
||||
|
||||
[realms] |
||||
|
||||
REDHAT.COM = { |
||||
default_domain = redhat.com |
||||
dns_lookup_kdc = true |
||||
master_kdc = kerberos.corp.redhat.com |
||||
admin_server = kerberos.corp.redhat.com |
||||
} |
||||
|
||||
IPA.REDHAT.COM = { |
||||
default_domain = ipa.redhat.com |
||||
dns_lookup_kdc = true |
||||
# Trust tickets issued by legacy realm on this host |
||||
auth_to_local = RULE:[1:$1@$0](.*@REDHAT\.COM)s/@.*// |
||||
auth_to_local = DEFAULT |
||||
} |
||||
#DO NOT ADD A [domain_realms] section |
||||
#https://mojo.redhat.com/docs/DOC-1166841 |
||||
kind: ConfigMap |
||||
metadata: |
||||
creationTimestamp: null |
||||
name: kerberos-config |
||||
@ -0,0 +1,38 @@
|
||||
package rest; |
||||
|
||||
import dto.ConnectDB; |
||||
import dto.ScanObj; |
||||
import io.quarkus.arc.profile.UnlessBuildProfile; |
||||
import io.quarkiverse.kerberos.KerberosPrincipal; |
||||
import io.quarkus.security.Authenticated; |
||||
import io.quarkus.security.identity.SecurityIdentity; |
||||
|
||||
import javax.inject.Inject; |
||||
import javax.ws.rs.GET; |
||||
import javax.ws.rs.Path; |
||||
import javax.ws.rs.PathParam; |
||||
import java.sql.Connection; |
||||
import java.sql.ResultSet; |
||||
import java.sql.SQLException; |
||||
import java.sql.Statement; |
||||
import java.util.Collections; |
||||
import java.util.LinkedHashMap; |
||||
import java.util.Set; |
||||
import javax.ws.rs.Produces; |
||||
|
||||
@UnlessBuildProfile("dev") |
||||
@Path("/testKerberos") |
||||
@Authenticated |
||||
public class UsersResource { |
||||
@Inject |
||||
SecurityIdentity identity; |
||||
@Inject |
||||
KerberosPrincipal kerberosPrincipal; |
||||
|
||||
@GET |
||||
@Path("/me") |
||||
@Produces("text/plain") |
||||
public String me() { |
||||
return identity.getPrincipal().getName(); |
||||
} |
||||
} |
||||
@ -1,7 +1,51 @@
|
||||
#Example deploy - mvn deploy -Dquarkus.profile=stage -Dquarkus.kubernetes.deploy=true |
||||
# quarkus.rest-client."rest.CreateScanService".url=https://localhost:8080/ |
||||
# quarkus.rest-client."rest.CreateScanService".scope=javax.inject.Singleton |
||||
|
||||
# couchdb.name=scan-results |
||||
# couchdb.url=https://localhost:5984 |
||||
|
||||
# quarkus.hibernate-orm.database.generation=drop-and-create |
||||
# quarkus.hibernate-orm.database.generation=drop-and-create |
||||
|
||||
#temporary fix, we need to enable it with a working devservices setup |
||||
%dev.quarkus.kerberos.enabled=false |
||||
%dev.quarkus.security.auth.enabled-in-dev-mode=false |
||||
#Also tried |
||||
#%dev.quarkus.security.enabled=false |
||||
#%dev.quarkus.http.auth.proactive=false |
||||
#%dev.quarkus.http.auth.basic=false |
||||
#%dev.quarkus.http.auth.permission.permit1.paths=/Ping/Ping |
||||
#%dev.quarkus.http.auth.permission.permit1.policy=permit |
||||
#%dev.quarkus.http.auth.permission.permit1.methods=GET,HEAD |
||||
#%quarkus.arc.unremovable-types=io.quarkiverse.kerberos.*,io.quarkiverse.kerberos.KerberosPrincipal |
||||
#%dev.quarkus.kerberos.keytab-path= HTTP_osh-pct-security-tooling.apps.ocp-c1.prod.psi.redhat.com@IPA.REDHAT.COM.keytab |
||||
#%dev.quarkus.kerberos.service-principal-name= HTTP/osh-pct-security-tooling.apps.ocp-c1.prod.psi.redhat.com@IPA.REDHAT.COM |
||||
|
||||
%stage.quarkus.openshift.name=osh |
||||
%stage.quarkus.openshift.labels.env=stage |
||||
%stage.quarkus.log.level=DEBUG |
||||
|
||||
#Only in Quarkus > 3.x |
||||
%stage.quarkus.openshift.route.tls.termination=edge |
||||
#As we cant create a edge terminated route (quarkus <3.x) lets disable route creation for now |
||||
%stage.quarkus.openshift.route.expose=false |
||||
%stage.quarkus.openshift.route.target-port=https |
||||
%stage.quarkus.openshift.route.tls.insecure-edge-termination-policy=redirect |
||||
|
||||
########################################## |
||||
# Kerberos Specifics # |
||||
########################################## |
||||
%stage.quarkus.openshift.secret-volumes.osh-wrapper.secret-name=kerberos-keytab-osh |
||||
%stage.quarkus.openshift.mounts.osh-wrapper.path=/kerberos |
||||
%stage.quarkus.openshift.mounts.osh-wrapper.read-only=true |
||||
%stage.quarkus.kerberos.keytab-path= /kerberos/kerberos-keytab-osh |
||||
%stage.quarkus.kerberos.service-principal-name= HTTP/osh-pct-security-tooling.apps.ocp-c1.prod.psi.redhat.com@IPA.REDHAT.COM |
||||
|
||||
%stage.quarkus.openshift.mounts.osh-wrapper-config-vol.path=/etc/krb5.conf |
||||
%stage.quarkus.openshift.mounts.osh-wrapper-config-vol.sub-path=linux-krb5.conf |
||||
%stage.quarkus.openshift.config-map-volumes.osh-wrapper-config-vol.config-map-name=kerberos-config |
||||
%stage.quarkus.openshift.config-map-volumes.osh-wrapper-config-vol.items."linux-krb5.conf".path=linux-krb5.conf |
||||
%stage.quarkus.openshift.mounts.osh-wrapper-config-vol.read-only=true |
||||
|
||||
|
||||
|
||||
|
||||
Loading…
Reference in new issue