nicolas
/
eShopOnWeb-gitops
mirror of https://github.com/nmasse-itix/eShopOnWeb-gitops.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
27 Commits
2 Branches
0 Tags
109 KiB
 
 
Tree: 3cb151ccd1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3cb151ccd1'
${ noResults }
eShopOnWeb-gitops/infrastructure/files/stackrox-configure-hook/configure.yaml

203 lines
6.0 KiB
Raw Blame History

- name: Configure RHACS
hosts: localhost
gather_facts: no
vars:
ansible_connection: local
acs_api: https://{{ central_hostname }}/v1
validate_certs: no
tasks:
- name: Get Stackrox central's Route
kubernetes.core.k8s_info:
api_version: route.openshift.io/v1
kind: Route
name: central
namespace: stackrox
register: central_route
failed_when: central_route.resources|length == 0
until: central_route is succeeded
retries: 60
delay: 5
- set_fact:
central_hostname: '{{ central_route.resources[0].spec.host }}:443'
- name: Get Stackrox central's admin password
kubernetes.core.k8s_info:
api_version: v1
kind: Secret
name: central-admin
namespace: stackrox
register: admin_secret
failed_when: admin_secret.resources|length == 0
until: admin_secret is succeeded
retries: 60
delay: 5
- set_fact:
central_admin_password: '{{ admin_secret.resources[0].data.password | b64decode }}'
- name: Get Cosign public key
kubernetes.core.k8s_info:
api_version: v1
kind: Secret
name: code-signature
namespace: fruits-dev
register: cosign_secret
failed_when: cosign_secret.resources|length == 0
until: cosign_secret is succeeded
retries: 60
delay: 5
- set_fact:
cosign_public_key: '{{ cosign_secret.resources[0].data["cosign.pub"] | b64decode }}'
- name: Check if jmespath is available locally
debug: msg={{ dummy|json_query('@') }}
register: check_jmespath
ignore_errors: yes
vars:
dummy: Hello World
- name: Ensure JMESPath is installed
assert:
that:
- 'check_jmespath is success'
msg: >
The JMESPath library is required by this playbook.
Please install the JMESPath library with 'pip install jmespath'.
- name: Wait for the Central to be ready
uri:
url: 'https://{{ central_hostname }}'
validate_certs: '{{ validate_certs }}'
register: healthcheck
changed_when: false
until: healthcheck is succeeded
retries: 60
delay: 5
- name: Find signature integrations
uri:
url: '{{ acs_api }}/signatureintegrations'
validate_certs: '{{ validate_certs }}'
url_username: admin
url_password: '{{ central_admin_password }}'
force_basic_auth: yes
register: find_signature_integrations_response
changed_when: false
- set_fact:
signature_integration_id: '{{ (find_signature_integrations_response.json | json_query(query) | first).id }}'
when: find_signature_integrations_response.json | json_query(query) | count > 0
vars:
query: integrations[?name == `Sigstore`]
- name: Create the Cosign signature integration
uri:
url: '{{ acs_api }}/signatureintegrations'
method: POST
status_code: "200"
validate_certs: '{{ validate_certs }}'
url_username: admin
url_password: '{{ central_admin_password }}'
body: '{{ integration }}'
body_format: json
force_basic_auth: yes
register: create_signature_integration_response
changed_when: create_signature_integration_response.status == 200
when: signature_integration_id is not defined
vars:
integration:
name: Sigstore
cosign:
publicKeys:
- name: cosign.pub
publicKeyPemEnc: '{{ cosign_public_key }}'
- set_fact:
signature_integration_id: '{{ create_signature_integration_response.json.id }}'
when: signature_integration_id is not defined
- debug:
var: signature_integration_id
- name: Find policies
uri:
url: '{{ acs_api }}/policies?query=Policy%3AImage%20is%20not%20signed'
validate_certs: '{{ validate_certs }}'
url_username: admin
url_password: '{{ central_admin_password }}'
force_basic_auth: yes
register: find_policies_response
changed_when: false
- set_fact:
policy_id: '{{ (find_policies_response.json.policies | first).id }}'
when: find_policies_response.json.policies | count > 0
- name: Create the policy
uri:
url: '{{ acs_api }}/policies'
method: POST
status_code: "200"
validate_certs: '{{ validate_certs }}'
url_username: admin
url_password: '{{ central_admin_password }}'
body: '{{ policy }}'
body_format: json
force_basic_auth: yes
register: create_policy_response
changed_when: create_policy_response.status == 200
when: policy_id is not defined
vars:
policy:
SORTEnforcement: no
SORTLifecycleStage: ''
SORTName: ''
categories:
- Security Best Practices
criteriaLocked: no
description: The container image has not been digitally signed.
disabled: no
enforcementActions:
- SCALE_TO_ZERO_ENFORCEMENT
- UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT
eventSource: NOT_APPLICABLE
exclusions: []
isDefault: no
lifecycleStages:
- DEPLOY
mitreAttackVectors: []
mitreVectorsLocked: no
name: Image is not signed
notifiers: []
policySections:
- policyGroups:
- booleanOperator: OR
fieldName: Image Signature Verified By
negate: no
values:
- value: "{{ signature_integration_id }}"
sectionName: Policy Section 1
policyVersion: '1.1'
rationale: The container image MUST be digitally signed in order to prevent tampering.
remediation: Use cosign to sign this image. See https://docs.sigstore.dev/cosign/signing_with_containers/
scope:
- cluster:
label:
key: app
value: fruits
namespace: fruits-test
- cluster:
label:
key: app
value: fruits
namespace: fruits-prod
severity: CRITICAL_SEVERITY
- set_fact:
policy_id: '{{ create_policy_response.json.id }}'
when: policy_id is not defined
- debug:
var: policy_id