CI/CD pipeline with roxctl image check

4 years ago · 5fdf150192
4 changed files with 85 additions and 44 deletions
--- a/README.md
+++ b/README.md
@ -64,18 +64,43 @@ On your OpenShift cluster(s):

 * Click **Test** and **Save**

-### 2. Deploy the CI/CD pipeline
+### 2. Expose the registry
+
+Expose the OpenShift registry.
+
+```sh
+oc create route reencrypt image-registry --service=image-registry -n openshift-image-registry
+REGISTRY=$(oc get route -n openshift-image-registry image-registry -o jsonpath={.spec.host})
+```
+
+Set the registry hostname where required.
+
+```sh
+sed -i.bak "s/__REGISTRY__/$REGISTRY/" remediation/Dockerfile deployment/kustomization.yaml cicd/80-pipeline.yaml
+```
+
+### 3. Deploy the CI/CD pipeline
+
+Deploy the CI/CD pipeline.

 ```sh
 oc apply -f cicd
 ```

-### 3. Expose the registry
+Open the Central and:

-Expose the OpenShift registry.
+* Drill down to **Platform configuration** > **Integration**.
+* Select **API Token**.
+* Click **Generate token**.
+* Fill-in the **Token name** with **Tekton**.
+* Select the **Role** `Continuous Integration`.
+* Click **Generate**.
+* Write down the generated token.
+
+Create a Kubernetes secret with this token:

 ```sh
-oc create route reencrypt image-registry --service=image-registry -n openshift-image-registry
+oc create secret generic central-apitoken -n vulnerable-cicd --from-literal=rox_api_token=<TOKEN> --from-literal=rox_central_endpoint=central-stackrox.apps.$CLUSTER_DOMAIN_NAME:443
 ```

 Get the registry hostname and default token.
@ -90,11 +115,13 @@ oc serviceaccounts get-token -n vulnerable-cicd default

 Create the Docker Registry integration in Central with the above information.

-Set the registry hostname where required.
+Add an enforcement exception for the `Fixable Severity at least important` policy:

-```sh
-sed -i.bak "s/__REGISTRY__/$REGISTRY/" remediation/Dockerfile deployment/kustomization.yaml
-```
+* Drill down to **Platform configuration** > **System policy**
+* Select the policy `Fixable Severity at least important`
+* Click **Edit**
+* In the excluded image, add `<REGISTRY>/vulnerable-cicd/vulnerable-log4j` (you will have to select the last option of the list: `Create ...`)
+* Save the policy

 ### 4. Deploy the vulnerable app

@ -105,7 +132,6 @@ oc kustomize deployment | oc apply -f -
 Give access to the `vulnerable-cicd` images from the `vulnerable-log4j` namespace.

 ```sh
-REGISTRY=$(oc get route -n openshift-image-registry image-registry -o jsonpath={.spec.host})
 oc get secrets -n vulnerable-cicd -o json | jq -r '.items[] | select(.metadata.annotations["kubernetes.io/service-account.name"]=="default" and .type=="kubernetes.io/dockercfg") | .data[".dockercfg"]' | base64 -d | jq --arg registry "$REGISTRY" '.["image-registry.openshift-image-registry.svc:5000"] as $conf | { ($registry) : $conf}' > dockercfg
 oc apply -n vulnerable-log4j -f - <<EOF
 kind: Secret
--- a/cicd/03-rolebindings.yaml
+++ b/cicd/03-rolebindings.yaml
@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: deployment-can-pull-vulnerable-log4j
+  name: vulnerable-log4j-puller
  namespace: vulnerable-cicd
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@ -11,3 +11,6 @@ subjects:
 - kind: ServiceAccount
  name: default
  namespace: vulnerable-log4j
+- kind: ServiceAccount
+  name: pipeline
+  namespace: vulnerable-cicd
--- a/cicd/70-tasks.yaml
+++ b/cicd/70-tasks.yaml
@ -52,27 +52,41 @@ spec:
 apiVersion: tekton.dev/v1beta1
 kind: Task
 metadata:
-  name: oc-annotate
-  namespace: vulnerable-cicd
+  name: roxctl-image-check
 spec:
  params:
-    - name: namespace
-      default: default
-      description: The kubernetes namespace
-    - name: componentName
-      default: sample
-      description: The name of the component
-    - name: annotation
-      description: The annotation (key=value)
+    - description: >-
+        Secret containing the StackRox API token with CI permissions and the
+        address:port tuple for StackRox Central (example: rox.stackrox.io:443)
+      name: roxctlSecret
+      type: string
+    - description: 'Full name of image to scan (example -- gcr.io/rox/sample:5.0-rc1)'
+      name: image
+      type: string
+  results:
+    - description: Output of `roxctl image check`
+      name: check_output
  steps:
-    - name: oc-annotate
-      image: quay.io/openshift/origin-cli:latest
-      command: 
-        - "/usr/bin/oc"
-      args:
-        - annotate 
-        - -n
-        - $(inputs.params.namespace)
-        - deploy 
-        - $(inputs.params.componentName)
-        - $(inputs.params.annotation)
+    - env:
+        - name: ROX_API_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: rox_api_token
+              name: $(params.roxctlSecret)
+        - name: ROX_CENTRAL_ENDPOINT
+          valueFrom:
+            secretKeyRef:
+              key: rox_central_endpoint
+              name: $(params.roxctlSecret)
+      image: quay.io/skopeo/stable:v1.5.2
+      name: roxctl-image-check
+      resources: {}
+      script: |
+        #!/bin/bash
+        set -Eeuo pipefail
+        TOKEN=`cat /var/run/secrets/kubernetes.io/serviceaccount/token`
+        DIGEST=`skopeo inspect "docker://$(params.image)" --format '{{.Digest}}' --creds token:$TOKEN`
+        NAME=`skopeo inspect "docker://$(params.image)" --format '{{.Name}}' --creds token:$TOKEN`
+        curl -s -k -L -H "Authorization: Bearer $ROX_API_TOKEN" "https://$ROX_CENTRAL_ENDPOINT/api/cli/download/roxctl-linux" --output /tmp/roxctl  > /dev/null
+        chmod +x /tmp/roxctl
+        /tmp/roxctl image check --insecure-skip-tls-verify -e "$ROX_CENTRAL_ENDPOINT" --image "$NAME@$DIGEST"
--- a/cicd/80-pipeline.yaml
+++ b/cicd/80-pipeline.yaml
@ -13,25 +13,23 @@ spec:
      value: vulnerable-log4j
    - name: namespace
      value: vulnerable-cicd
+  - name: roxctl-image-check
+    taskRef:
+      name: roxctl-image-check
+    runAfter:
+      - build-image
+    params:
+    - name: roxctlSecret
+      value: central-apitoken
+    - name: image
+      value: __REGISTRY__/vulnerable-cicd/vulnerable-log4j:latest
  - name: deploy
    taskRef:
      name: oc-deploy
    runAfter:
-      - build-image
+      - roxctl-image-check
    params:
    - name: componentName
      value: settlement-app
    - name: namespace
      value: vulnerable-log4j
-  # - name: remediate
-  #   taskRef:
-  #     name: oc-annotate
-  #   runAfter:
-  #     - deploy
-  #   params:
-  #   - name: componentName
-  #     value: settlement-app
-  #   - name: namespace
-  #     value: vulnerable-log4j
-  #   - name: annotation
-  #     value: cve.log4shell.remediate=true