From 403215f30453f1b87c3e833272710029b33569de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?=
Date: Mon, 19 Jun 2023 16:28:52 +0200
Subject: [PATCH] fix ACS deployment

---
 .../stackrox-configure-hook/configure.yaml | 66 +++++++++++++++++++
 infrastructure/templates/acs.yaml | 24 +++++++
 2 files changed, 90 insertions(+)

diff --git a/infrastructure/files/stackrox-configure-hook/configure.yaml b/infrastructure/files/stackrox-configure-hook/configure.yaml
index e2fff56..2f768a6 100644
--- a/infrastructure/files/stackrox-configure-hook/configure.yaml
+++ b/infrastructure/files/stackrox-configure-hook/configure.yaml
@@ -118,8 +118,74 @@
 namespace: stackrox
 stringData:
 token: '{{ apitoken_value }}'
+ endpoint: '{{ central_hostname }}:443'
 when: apitoken_value is defined
 
+ - name: Get secrets in the stackrox namespace
+ kubernetes.core.k8s_info:
+ api_version: v1
+ kind: Secret
+ namespace: stackrox
+ register: stackrox_secrets
+ failed_when: stackrox_secrets.resources|length == 0
+
+ - set_fact:
+ registry_reader_token: '{{ stackrox_secrets.resources | json_query(query) | first | b64decode }}'
+ vars:
+ query: >
+ [?metadata.annotations."kubernetes.io/service-account.name" == `stackrox-registry-reader` && type == `kubernetes.io/service-account-token`].data.token
+
+ - name: Find image registry integrations
+ uri:
+ url: '{{ acs_api }}/imageintegrations'
+ validate_certs: '{{ validate_certs }}'
+ url_username: admin
+ url_password: '{{ central_admin_password }}'
+ force_basic_auth: yes
+ register: find_image_integrations_response
+ changed_when: false
+
+ - set_fact:
+ image_integration_id: '{{ (find_image_integrations_response.json | json_query(query) | first).id }}'
+ when: find_image_integrations_response.json | json_query(query) | count > 0
+ vars:
+ query: integrations[?type == `docker` && docker.endpoint == `image-registry.openshift-image-registry.svc:5000`]
+
+ - name: Create the image registry integration
+ uri:
+ url: '{{ acs_api }}/imageintegrations'
+ method: POST
+ status_code: "200"
+ validate_certs: '{{ validate_certs }}'
+ url_username: admin
+ url_password: '{{ central_admin_password }}'
+ body: '{{ integration }}'
+ body_format: json
+ force_basic_auth: yes
+ register: create_image_integration_response
+ changed_when: create_image_integration_response.status == 200
+ when: image_integration_id is not defined
+ vars:
+ integration:
+ name: OpenShift Internal Registry
+ autogenerated: false
+ categories:
+ - REGISTRY
+ clusterId: ""
+ docker:
+ endpoint: image-registry.openshift-image-registry.svc:5000
+ insecure: true
+ username: stackrox-registry-reader
+ password: '{{ registry_reader_token }}'
+ type: docker
+
+ - set_fact:
+ image_integration_id: '{{ create_image_integration_response.json.id }}'
+ when: image_integration_id is not defined
+
+ - debug:
+ var: image_integration_id
+
 - name: Find signature integrations
 uri:
 url: '{{ acs_api }}/signatureintegrations'
diff --git a/infrastructure/templates/acs.yaml b/infrastructure/templates/acs.yaml
index cb69ade..a80fdf2 100644
--- a/infrastructure/templates/acs.yaml
+++ b/infrastructure/templates/acs.yaml
@@ -328,3 +328,27 @@ spec:
 configMap:
 name: stackrox-configure-hook
 defaultMode: 0755
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "20"
+ name: stackrox-registry-reader
+ namespace: stackrox
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "20"
+ name: stackrox-registry-reader
+ namespace: stackrox
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:image-puller
+subjects:
+- kind: ServiceAccount
+ name: stackrox-registry-reader
+ namespace: stackrox
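Review bot: The service-account token flows through two tasks with no `no_log`: the `set_fact` that builds `registry_reader_token` and the "Create the image registry integration" task, which sends it inside `body: '{{ integration }}'`; the uri module masks `url_password` but, as far as I can tell, not `body`, so a failed POST or a verbose run prints the token. Add `no_log: true` to both tasks, and consider it on "Get secrets in the stackrox namespace" too, since `stackrox_secrets` registers every Secret in the namespace. Separately, `insecure: true` on the integration disables TLS verification toward `image-registry.openshift-image-registry.svc:5000`; if Central can be given the cluster CA a verified integration is preferable, otherwise a short comment above that line recording why verification is off would help the next reader. `force_basic_auth: yes` on both uri tasks should be `force_basic_auth: true` to match the other booleans in the hunk. The task list continues before and after this hunk.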
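Review bot: `namespace: stackrox` under `metadata` of the ClusterRoleBinding has no effect, because ClusterRoleBinding is cluster-scoped; the API server drops the field and some tooling warns about it, so remove that line to keep the manifest honest. Binding `system:image-puller` through a ClusterRoleBinding grants the `stackrox-registry-reader` account pull access to image streams in every namespace; if scanning is only needed for selected projects a per-namespace RoleBinding is the least-privilege form, and if cluster-wide access is intended a one-line comment above the binding saying so would document the decision. Nothing in this section creates a `kubernetes.io/service-account-token` Secret for the new ServiceAccount, yet the hook in configure.yaml looks one up by the `kubernetes.io/service-account.name` annotation; depending on the cluster version such a Secret may no longer be auto-generated, so creating it explicitly here would make the hook robust.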