From c0254be12b7eeb8b4f8912fce460b1793d712ad0 Mon Sep 17 00:00:00 2001 From: Nicolas MASSE Date: Mon, 18 Oct 2021 11:41:08 +0200 Subject: [PATCH] first commit --- .gitignore | 2 + .gitmodules | 4 ++ README.md | 31 +++++++++++ ansible/agnosticd | 1 + ansible/group_vars/all/secrets.yaml.sample | 10 ++++ ansible/install.yaml | 7 +++ .../roles/ocp4_workload_stackrox_demo_apps | 1 + .../ocp4_workload_stackrox_demo_pipeline | 1 + icsp.yaml | 54 +++++++++++++++++++ mirror.sh | 24 +++++++++ 10 files changed, 135 insertions(+) create mode 100644 .gitignore create mode 100644 .gitmodules create mode 100644 README.md create mode 160000 ansible/agnosticd create mode 100644 ansible/group_vars/all/secrets.yaml.sample create mode 100644 ansible/install.yaml create mode 120000 ansible/roles/ocp4_workload_stackrox_demo_apps create mode 120000 ansible/roles/ocp4_workload_stackrox_demo_pipeline create mode 100644 icsp.yaml create mode 100755 mirror.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1aae70b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+gcr.json
+ansible/group_vars/all/secrets.yaml
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..ac4a56b
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,4 @@
+[submodule "agnosticd"]
+ path = ansible/agnosticd
+ url = https://github.com/redhat-cop/agnosticd.git
+ branch = development
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..384ce45
--- /dev/null
+++ b/README.md
@@ -0,0 +1,31 @@
+# Stackrox Demo
+
+Create secrets.yaml and review it.
+
+```sh
+cp ansible/group_vars/all/secrets.yaml.sample ansible/group_vars/all/secrets.yaml
+```
+
+Install the pre-requisites.
+
+```sh
+ansible-galaxy collection install kubernetes.core
+sudo dnf install python3-openshift
+```
+
+Patch the existing roles.
+
+```sh
+echo -n > ansible/roles/ocp4_workload_stackrox_demo_apps/tasks/pre_workload.yml
+echo -n > ansible/roles/ocp4_workload_stackrox_demo_pipeline/tasks/pre_workload.yml
+```
+
+Deploy the demo.
+
+```sh
+cd ansible
+export K8S_AUTH_VERIFY_SSL=false
+export K8S_AUTH_KUBECONFIG="$KUBECONFIG"
+ansible-playbook install.yaml
+```
+
diff --git a/ansible/agnosticd b/ansible/agnosticd
new file mode 160000
index 0000000..0479e02
--- /dev/null
+++ b/ansible/agnosticd
@@ -0,0 +1 @@
+Subproject commit 0479e02b2c9a2e018e2543c9940c8279f3246e2d
diff --git a/ansible/group_vars/all/secrets.yaml.sample b/ansible/group_vars/all/secrets.yaml.sample
new file mode 100644
index 0000000..5177985
--- /dev/null
+++ b/ansible/group_vars/all/secrets.yaml.sample
@@ -0,0 +1,10 @@
+# Your stackrox admin password
+ocp4_workload_stackrox_central_admin_password: stackrox
+
+# The stackrox central hostname
+f_stackrox_central_addr: central-stackrox.apps.central.itix.xyz
+
+# Your Stackrox Registry pull secret
+ocp4_workload_stackrox_demo_apps_pull_secret: >-
+ 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
+
diff --git a/ansible/install.yaml b/ansible/install.yaml
new file mode 100644
index 0000000..037a1a1
--- /dev/null
+++ b/ansible/install.yaml
@@ -0,0 +1,7 @@
+- name: Install the Stackrox demo artefacts
+ hosts: localhost
+ vars:
+ ACTION: create
+ roles:
+ - { name: ocp4_workload_stackrox_demo_apps, tags: apps }
+ - { name: ocp4_workload_stackrox_demo_pipeline, tags: pipeline }
diff --git a/ansible/roles/ocp4_workload_stackrox_demo_apps b/ansible/roles/ocp4_workload_stackrox_demo_apps
new file mode 120000
index 0000000..6f88917
--- /dev/null
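Review bot: The committed sample sets `ocp4_workload_stackrox_central_admin_password: stackrox`, a guessable default, and because `.gitignore` in this commit excludes only `ansible/group_vars/all/secrets.yaml` and not the `.sample`, anything real left in this file is published with the repository. Use an obviously invalid placeholder instead, e.g. `ocp4_workload_stackrox_central_admin_password: CHANGE_ME`, so a `secrets.yaml` that was copied but never edited stands out on review rather than deploying Central with a well-known admin password. The same applies to the value under `ocp4_workload_stackrox_demo_apps_pull_secret`, which should carry only a placeholder in the sample. A one-line header comment such as `# Copy to secrets.yaml (git-ignored) and replace every value; do not put real credentials in this sample.` would make that contract explicit.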
+++ b/ansible/roles/ocp4_workload_stackrox_demo_apps
@@ -0,0 +1 @@
+../agnosticd/ansible/roles/ocp4_workload_stackrox_demo_apps
\ No newline at end of file
diff --git a/ansible/roles/ocp4_workload_stackrox_demo_pipeline b/ansible/roles/ocp4_workload_stackrox_demo_pipeline
new file mode 120000
index 0000000..c8ef4fa
--- /dev/null
+++ b/ansible/roles/ocp4_workload_stackrox_demo_pipeline
@@ -0,0 +1 @@
+../agnosticd/ansible/roles/ocp4_workload_stackrox_demo_pipeline
\ No newline at end of file
diff --git a/icsp.yaml b/icsp.yaml
new file mode 100644
index 0000000..e7c1777
--- /dev/null
+++ b/icsp.yaml
@@ -0,0 +1,54 @@
+apiVersion: operator.openshift.io/v1alpha1
+kind: ImageContentSourcePolicy
+metadata:
+ name: stackrox
+spec:
+ repositoryDigestMirrors:
+
+ - source: gcr.io/rox-se/sample-image
+ mirrors:
+ - registry.itix.xyz/stackrox-demo/sample-image
+
+ - source: gcr.io/rox-se/srox/netflow
+ mirrors:
+ - registry.itix.xyz/stackrox-demo/netflow
+
+ - source: gcr.io/rox-se/struts-violations/mastercard-processor
+ mirrors:
+ - registry.itix.xyz/stackrox-demo/mastercard-processor
+
+ - source: gcr.io/rox-se/struts-violations/visa-processor
+ mirrors:
+ - registry.itix.xyz/stackrox-demo/visa-processor
+
+ - source: gcr.io/rox-se/srox/visa-processor
+ mirrors:
+ - registry.itix.xyz/stackrox-demo/visa-processor-sidecar
+
+ - source: gcr.io/rox-se/srox/jump-host
+ mirrors:
+ - registry.itix.xyz/stackrox-demo/jump-host
+
+ - source: gcr.io/rox-se/srox/proxy
+ mirrors:
+ - registry.itix.xyz/stackrox-demo/proxy
+
+ - source: gcr.io/rox-se/srox/reporting
+ mirrors:
+ - registry.itix.xyz/stackrox-demo/reporting
+
+ - source: gcr.io/rox-se/struts-violations/asset-cache
+ mirrors:
+ - registry.itix.xyz/stackrox-demo/struts-asset-cache
+
+ - source: gcr.io/rox-se/srox/asset-cache
+ mirrors:
+ - registry.itix.xyz/stackrox-demo/srox-asset-cache
+
+ - source: gcr.io/rox-se/srox/monitor
+ mirrors:
+ - registry.itix.xyz/stackrox-demo/monitor
+
+ - source: gcr.io/rox-se/struts-violations/backend-atlas
+ mirrors:
+ - registry.itix.xyz/stackrox-demo/backend-atlas
diff --git a/mirror.sh b/mirror.sh
new file mode 100755
index 0000000..4bb6213
--- /dev/null
+++ b/mirror.sh
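Review bot: `repositoryDigestMirrors` is, as far as I know, applied digest-only on the nodes, so a Pod that references one of these images by tag — which is how `mirror.sh` in this commit pushes them (`:latest`, `:getting-started`, …) — will still pull directly from `gcr.io/rox-se` and the mirror is silently bypassed. Either pin the demo manifests to digests or, on OpenShift releases that provide it, add an `ImageTagMirrorSet` for the tag-based pulls; please confirm against the release in use. The source list here also has to be kept in step with `mirror.sh` by hand, so a header comment is worth adding, e.g. `# Keep in sync with mirror.sh: every source below must have been copied to its mirror.`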
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+set -Eeuo pipefail
+
+function skopeo_copy () {
+ # gcr.json has been extracted as such:
+ #
+ # $ oc extract secret/gcrcred --to=- --keys=.dockerconfigjson -n backend > gcr.json
+ #
+ skopeo copy --authfile "gcr.json" --dest-creds "$DESTINATION_CREDENTIALS" docker://$1 docker://$2
+}
+
+skopeo_copy "gcr.io/rox-se/sample-image:getting-started" "registry.itix.xyz/stackrox-demo/sample-image:getting-started"
+skopeo_copy "gcr.io/rox-se/srox/netflow:latest" "registry.itix.xyz/stackrox-demo/netflow:latest"
+skopeo_copy "gcr.io/rox-se/struts-violations/mastercard-processor:latest" "registry.itix.xyz/stackrox-demo/mastercard-processor:latest"
+skopeo_copy "gcr.io/rox-se/struts-violations/visa-processor:latest-v2" "registry.itix.xyz/stackrox-demo/visa-processor:latest-v2"
+skopeo_copy "gcr.io/rox-se/srox/visa-processor:sidecar-latest-v2" "registry.itix.xyz/stackrox-demo/visa-processor-sidecar:sidecar-latest-v2"
+skopeo_copy "gcr.io/rox-se/srox/jump-host:latest" "registry.itix.xyz/stackrox-demo/jump-host:latest"
+skopeo_copy "gcr.io/rox-se/srox/proxy:latest" "registry.itix.xyz/stackrox-demo/proxy:latest"
+skopeo_copy "gcr.io/rox-se/srox/reporting:latest" "registry.itix.xyz/stackrox-demo/reporting:latest"
+skopeo_copy "gcr.io/rox-se/struts-violations/asset-cache:latest" "registry.itix.xyz/stackrox-demo/struts-asset-cache"
+skopeo_copy "gcr.io/rox-se/srox/asset-cache:sidecar-latest" "registry.itix.xyz/stackrox-demo/srox-asset-cache"
+skopeo_copy "gcr.io/rox-se/srox/monitor:latest" "registry.itix.xyz/stackrox-demo/monitor:latest"
+skopeo_copy "gcr.io/rox-se/struts-violations/backend-atlas:latest" "registry.itix.xyz/stackrox-demo/backend-atlas"
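Review bot: The shebang is `#!/bin/sh` but the script relies on the `function` keyword, `set -E` and `set -o pipefail`, none of which POSIX sh guarantees — under dash the `function skopeo_copy () {` line is a syntax error; change the first line to `#!/usr/bin/env bash` or drop the bashisms. Inside `skopeo_copy` the two image references are unquoted; write `skopeo copy --authfile "gcr.json" --dest-creds "$DESTINATION_CREDENTIALS" "docker://$1" "docker://$2"`. The `struts-asset-cache`, `srox-asset-cache` and `backend-atlas` destinations carry no tag, so they are pushed as `:latest` even though the `srox-asset-cache` source is `:sidecar-latest`; give each destination the same tag as its source so the mirror names stay predictable. Passing the registry credentials through `--dest-creds` places them in the process argument list, where `ps` and a `set -x` trace expose them; a second auth file supplied with `--dest-authfile`, handled like the existing `gcr.json`, keeps them off the command line.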