
improve cleanup script

main
Nicolas Massé 4 years ago
parent
commit
0940af138b
  1. 25
      README.md
  2. 31
      cleanup/cleanup.yaml

25
README.md

@ -34,6 +34,7 @@ On your workstation:
* git * git
* curl * curl
* oc * oc
* ansible
On your OpenShift cluster(s): On your OpenShift cluster(s):
@ -72,6 +73,20 @@ oc new-project exploitkit-log4j
* Click **Test** and **Save** * Click **Test** and **Save**
Save the Jira API key to the Ansible Vault:
```sh
ansible-vault create cleanup/ansible-vault.yaml
```
Seize the opportunity to also add your Central admin password and hostname.
```yaml
jira_password: foo
central_admin_password: bar
central_hostname: foo.bar
```
### 2. Expose the registry ### 2. Expose the registry
Expose the OpenShift registry. Expose the OpenShift registry.
@ -159,16 +174,16 @@ REGISTRY_TOKEN="$(oc get secrets -n vulnerable-cicd -o json | jq -r '.items[] |
podman login "$REGISTRY" --username sa --password "$REGISTRY_TOKEN" podman login "$REGISTRY" --username sa --password "$REGISTRY_TOKEN"
``` ```
Deploy the vulnerable app. Run the cleanup script.
```sh ```sh
oc kustomize deployment | oc apply -f - ansible-playbook cleanup/cleanup.yaml
``` ```
Run the cleanup script. Deploy the vulnerable app.
``` ```sh
ansible-playbook cleanup/cleanup.yaml oc kustomize deployment | oc apply -f -
``` ```
## Demo scenario ## Demo scenario

31
cleanup/cleanup.yaml

@ -11,6 +11,9 @@
central_hostname: "{{ lookup('env', 'ROX_CENTRAL_ENDPOINT' )}}" central_hostname: "{{ lookup('env', 'ROX_CENTRAL_ENDPOINT' )}}"
jira_password: "{{ lookup('env', 'JIRA_PASSWORD' )}}" jira_password: "{{ lookup('env', 'JIRA_PASSWORD' )}}"
tasks: tasks:
- include_vars:
file: ansible-vault.yaml
- assert: - assert:
that: that:
- central_admin_password|length > 0 - central_admin_password|length > 0
@ -108,3 +111,31 @@
dest: '{{ playbook_dir }}/../policy/log4shell.json' dest: '{{ playbook_dir }}/../policy/log4shell.json'
vars: vars:
notifier_id: '{{ create_notifier_response.json.id }}' notifier_id: '{{ create_notifier_response.json.id }}'
- name: Find the Log4Shell policy
uri:
url: '{{ acs_api }}/policies?query=Policy:Log4Shell'
validate_certs: '{{ validate_certs }}'
url_username: admin
url_password: '{{ central_admin_password }}'
force_basic_auth: yes
register: find_policies_response
changed_when: false
- set_fact:
policies: '{{ find_policies_response.json.policies | selectattr("name", "eq", "Log4Shell") | list }}'
- name: Delete the Log4Shell policy
uri:
url: '{{ acs_api }}/policies/{{ item.id }}'
method: DELETE
status_code: "200,404"
validate_certs: '{{ validate_certs }}'
url_username: admin
url_password: '{{ central_admin_password }}'
force_basic_auth: yes
register: delete_policy_response
changed_when: delete_policy_response.status == 200
with_items: '{{ policies }}'
loop_control:
label: '{{ item.name }}'
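Review bot: The new `include_vars: file: ansible-vault.yaml` task silently outranks the play-level `vars:` above it, because `include_vars` has higher variable precedence than play vars in Ansible; once the vault defines `central_hostname` or `jira_password` (as the README now encourages), the `ROX_CENTRAL_ENDPOINT` / `JIRA_PASSWORD` env lookups on those lines are ignored without any warning, and nothing in the hunk or the README says so. I would add `- name: Load secrets from the Ansible Vault` with the comment `# NOTE: include_vars outranks the play-level vars above; keys set in ansible-vault.yaml override the env lookups.` and `no_log: true` on that task, since in verbose runs include_vars echoes the decrypted values it loaded. In the find/delete tasks, the exact-name `selectattr` filter after the `Policy:Log4Shell` search is the right guard against prefix matches, but both tasks still send the Central admin password via basic auth under `validate_certs: '{{ validate_certs }}'`, whose value is defined outside this hunk; if it can be false, document that the credential then travels over an unverified TLS session. Minor style: the `set_fact` task should also get a `name:`, `force_basic_auth: yes` reads better as `true` under yamllint's truthy rule, and `with_items` can become `loop`.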
