first commit

.gitignore

@@ -0,0 +1,2 @@
+gcr.json
+ansible/group_vars/all/secrets.yaml

.gitmodules

@@ -0,0 +1,4 @@
+[submodule "agnosticd"]
+	path = ansible/agnosticd
+	url = https://github.com/redhat-cop/agnosticd.git
+	branch = development

README.md

@@ -0,0 +1,31 @@
+# Stackrox Demo
+
+Create secrets.yaml and review it.
+
+```sh
+cp ansible/group_vars/all/secrets.yaml.sample ansible/group_vars/all/secrets.yaml
+```
+
+Install the pre-requisites.
+
+```sh
+ansible-galaxy collection install kubernetes.core
+sudo dnf install python3-openshift
+```
+
+Patch the existing roles.
+
+```sh
+echo -n > ansible/roles/ocp4_workload_stackrox_demo_apps/tasks/pre_workload.yml
+echo -n > ansible/roles/ocp4_workload_stackrox_demo_pipeline/tasks/pre_workload.yml
+```
+
+Deploy the demo.
+
+```sh
+cd ansible
+export K8S_AUTH_VERIFY_SSL=false
+export K8S_AUTH_KUBECONFIG="$KUBECONFIG"
+ansible-playbook install.yaml
+```
+

ansible/agnosticd

@@ -0,0 +1 @@
+Subproject commit 0479e02b2c9a2e018e2543c9940c8279f3246e2d

ansible/group_vars/all/secrets.yaml.sample

@@ -0,0 +1,10 @@
+# Your stackrox admin password
+ocp4_workload_stackrox_central_admin_password: stackrox
+
+# The stackrox central hostname
+f_stackrox_central_addr: central-stackrox.apps.central.itix.xyz
+
+# Your Stackrox Registry pull secret
+ocp4_workload_stackrox_demo_apps_pull_secret: >-
+  ewoJImF1dGhzIjogewoJCSJnY3IuaW8iOiB7CgkJCSJhdXRoIjogIlgycHpiMjVmYTJWNU9uc0tJQ0FpZEhsd1pTSTZJQ0p6WlhKMmFXTmxYMkZqWTI5MWJuUWlMQW9nSUNKd2NtOXFaV04wWDJsa0lqb2dJbkp2ZUMxelpTSXNDaUFnSW5CeWFYWmhkR1ZmYTJWNVgybGtJam9nSWpneE1HRXhNbUZoWldSbU9HSTVaakptTlRGa1pUZ3laVFJrTm1ZeU1XUTJaakUzTTJNMU1XUWlMQW9nSUNKd2NtbDJZWFJsWDJ0bGVTSTZJQ0l0TFMwdExVSkZSMGxPSUZCU1NWWkJWRVVnUzBWWkxTMHRMUzFjYmsxSlNVVjJRVWxDUVVSQlRrSm5hM0ZvYTJsSE9YY3dRa0ZSUlVaQlFWTkRRa3RaZDJkblUybEJaMFZCUVc5SlFrRlJRMkpKYUhWc1IweEVNVmsxVlROY2JsRm1aazFxVkdoV2VsTlNRME5KTmtsdFZYcHpZMGhFY2tKTVl5OVlaMk5UVDNCdVIwMU1XbWxtZVZCU1duVkJRV1pxWWxKV2F6QllhbloyTkhNeE5UUmNiblZVYkRkUFNFMHdObVZJZFdSRlJ6WlpSazFDUVV4dFUxSnZVMGx3ZDB4cFVrVnpOMHBYVWtSakszbzRVa1p2UVhsVllWSmxVeXRYY1V3M2IyMHhTM0JjYm5GQk1XVTRjMEU0WWt3NU9GUXhXa3czUjFOWk4wY3hkRTFGU2pKbmFsb3ZZaTlKVTA5a1dWbExRalpWZVZvdlRrSk1ZVlZGUjFaYU1taHJTMDk0YTBoY2JsRXpTbGhRTUVOSFNGVmxVR0pHU2t0S2RWaEJjbFZVU3pkR1RVMVphVXRJYTNrdk1sUkRkVFJGTkhSSWVVOXJkMUY2SzI0MWJDc3lNazRyYkZNMlRUQmNiazFhU2xwWU5EVjNaMWRYUkZwYVFtMDRhVVEwVFdSWlluTXlhbU4yUWtKbGRsWktZMjlXWm5jMWVqVnlhVGwzVm1WSUt6VTBVbFJhVG5kRE1qa3pRMFJjYmk5V2JFWTFZbFIwUVdkTlFrRkJSVU5uWjBWQlEwSTBNVlI1VEc1Sk4yY3hNVEJJY1N0NlprdHZiV0pPVW0weFdFNUNkVGxzUlZCblJFNVNaVEpKUTA1Y2JtOTVNRkV6Wm1WMmJUWkViVzFYT0cxUGNrSm5TWFl3SzNCSlVqRmxRa3NyTVRGa2RVSkNOREJ1VTJrclF6TkliUzlLT1UxNVMydHRhazV4UnpGbVdGUmNibG93TjBkc2R6VkRXRWQwUmtaQlFuQnhNQzlrUlhkRVFqbHJURmhXY1c1SFNHZ3lkWE5ZUkVocldVaHdWbFpLTjJoQ1lWaFFkemxyVUVsdlFtVkdNRTFjYmtsVVRtSk1kRW95ZG1KQmRITnFaakJZYTNBM2NUUlpaRXh1U0V0S2FrbFJUR0pZVkhoc1RVOURZVGxuUlM5RlVqaHRUakZIUkcxdmFqVnhOV1pXYWt4Y2JrTmlLelp5YmpCQlNYWnRSbTh6VVN0MkwyUlVRVzF6UkZSemQxYzRXSGxVVFZod1pFMTNVRFZ3UkZWbWRtcEtSRkV6TURJNVRFNWtlbWRNT0ZwV1pHeGNibFY2YWpKV2JGQlJUV3BxZUhoQ09WUm1ZVVoyY25kT1R6QnljRVZZTTNVMWNXcHpLMVpLZUV0VGQwdENaMUZFVlhkSWJXRkZRM2huYTBabVdGcElUbmRjYmxabWRVRXlXUzkzTW1oYVYyNTNURVZ6T0dKQ2RXOWtVMncyVjNaclJGVnVOMmRyZW5Wak1UWTBhRll6WXl0ellYbElTMlUxU2poaGJITkNjMHBpYVhGY2JuVk5TRkU0TVVsalpuVXdOelV2VEZodFJGbE1kV2QxYUhBM09YRmxMM0pSUzI1UVF6VlFUMlV5VDJ0R05tcHNSVFJPZWxKdVVHbGlVbnByZEhONE9WVmNiakpLTkVGNWQwUmtaMVZXYXl0b2FXSmFVVWg0VlN0c1dFWjNTMEpuVVVNMmNYazJXbEJHWTNFNGIySldjVTFTTkVVclJWaElNMjl5V1U5aFNuQnlkMWRjYmlzNVFqZFVZVk4xVlVwcGRVTkJUa0l4ZEdWSVlsZDBhM1p1VkVRM1YxRTJWMjgzTlZaWWNWQk1RM2xHV0ZCbVlsVm9RMkpNVkZSR00xTm9NVmxQVmxoY2JsWXZRV2hEV25sQ2R6Z3JkV3RUTURGUFl6ZFlTMGhUTVVacGNuQlRWbU5rVVdoQ1VGQkpaMHRSVmtKUVlYZzNhazVLU3poMFVFNXdibGxJZFVKRmVUbGNia0V6U0VFelF6UlhiWGRMUW1kRVEybDRObTVIY0V3MU1tZFFOVWRuYmxaa01IQTRSVWhZYmsxQlYzUlFPRzkzVWtwU1JFbHRXVXg1UlM5b2MyMVNjRVpjYm5WdGFrOTNkME5wYVhCSVEwOUROM0JRTDNFckwxQm9Va2RxUVdVNU0xcG1kMm80U1ZGUE9IVjJVVVZETlRKelRqWjBNRWhpVURGS2IyVkxkamhSYVVKY2Jta3ZSWG80WkZkUlpFMVVZbHBNWjNkU05ISk1kbUpIVW5WTGNWQXhhM1pLVFZkWGVFRnpUMmRrT0VzM2QyTkNWV1ZRY3pSWFdrZEdRVzlIUVU5VE5uWmNiazgyYmsxWFp5dHdWbXhKTkhaVUx6VjFRV1ZuWlZOR1dpOWthbWg2V0dsbFUwOWthMEo2U1ZKVk1UWktRVTlaTjFvdlZWRTNUeXRoTDFadUwxWm9SR1pjYm5NeWJVZ3ZZM1psV2pSM2RrMVVVbGRsWmt4RVRUaHRiakY1TUhwc1EyOVJSMVUzUldKemRqVkdkRlJMVFVndlp6WlFRWFp6Ukd3eVRUZHBVSGQ0Y1RGY2JuWkdRV2x5UjBkT2NFbGhRVVU0U0V4SlduVmpOVlZIYlhnMk4zaG5kMVpJUmpOc1ltUlFhME5uV1VGck9HdEZTMlpGV2tObU5HMDVTSG96ZDJWaE1uQmNibGhVVUZWNmIxWXhTMlZ0Vm5KaVJrcHFhUzlqWVhGRVRDdG9iQzlwSzJaM1RYSkljbTFYVTNsek4xcGpja0ozUTNBdlpWTkhhRzgzZUZGVFJDOWhjamhjYm1OMmVVZFVVVTgwYjBKdFprZEpZM1pSUlVVd1ZHNUJiRlZRYmxrMlZtNVdXVzVxVXpsa1MzSTFXRFpETkRZM2JteHlOMFJEUld4d1JUWlZkbXhNWlcxY2JrazBaM1VyZURrNFNTOVVWV2cxZVVaa2MyaGhVa0U5UFZ4dUxTMHRMUzFGVGtRZ1VGSkpWa0ZVUlNCTFJWa3RMUzB0TFZ4dUlpd0tJQ0FpWTJ4cFpXNTBYMlZ0WVdsc0lqb2dJbVJsYlc4dFoyTnlMWEpsWVdSQWNtOTRMWE5sTG1saGJTNW5jMlZ5ZG1salpXRmpZMjkxYm5RdVkyOXRJaXdLSUNBaVkyeHBaVzUwWDJsa0lqb2dJakV3TVRZM016UXpORGMwTXpFMk5qVTBOalV4TVNJc0NpQWdJbUYxZEdoZmRYSnBJam9nSW1oMGRIQnpPaTh2WVdOamIzVnVkSE11WjI5dloyeGxMbU52YlM5dkwyOWhkWFJvTWk5aGRYUm9JaXdLSUNBaWRHOXJaVzVmZFhKcElqb2dJbWgwZEhCek9pOHZiMkYxZEdneUxtZHZiMmRzWldGd2FYTXVZMjl0TDNSdmEyVnVJaXdLSUNBaVlYVjBhRjl3Y205MmFXUmxjbDk0TlRBNVgyTmxjblJmZFhKc0lqb2dJbWgwZEhCek9pOHZkM2QzTG1kdmIyZHNaV0Z3YVhNdVkyOXRMMjloZFhSb01pOTJNUzlqWlhKMGN5SXNDaUFnSW1Oc2FXVnVkRjk0TlRBNVgyTmxjblJmZFhKc0lqb2dJbWgwZEhCek9pOHZkM2QzTG1kdmIyZHNaV0Z3YVhNdVkyOXRMM0p2WW05MEwzWXhMMjFsZEdGa1lYUmhMM2cxTURrdlpHVnRieTFuWTNJdGNtVmhaQ1UwTUhKdmVDMXpaUzVwWVcwdVozTmxjblpwWTJWaFkyTnZkVzUwTG1OdmJTSUtmUT09IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy44IChsaW51eCkiCgl9Cn0=
+

ansible/install.yaml

@@ -0,0 +1,7 @@
+- name: Install the Stackrox demo artefacts
+  hosts: localhost
+  vars:
+    ACTION: create
+  roles:
+  - { name: ocp4_workload_stackrox_demo_apps, tags: apps }
+  - { name: ocp4_workload_stackrox_demo_pipeline, tags: pipeline }

ansible/roles/ocp4_workload_stackrox_demo_apps

@@ -0,0 +1 @@
+../agnosticd/ansible/roles/ocp4_workload_stackrox_demo_apps

ansible/roles/ocp4_workload_stackrox_demo_pipeline

@@ -0,0 +1 @@
+../agnosticd/ansible/roles/ocp4_workload_stackrox_demo_pipeline

icsp.yaml

@@ -0,0 +1,54 @@
+apiVersion: operator.openshift.io/v1alpha1
+kind: ImageContentSourcePolicy
+metadata:
+  name: stackrox
+spec:
+  repositoryDigestMirrors:
+
+  - source: gcr.io/rox-se/sample-image
+    mirrors:
+    - registry.itix.xyz/stackrox-demo/sample-image
+
+  - source: gcr.io/rox-se/srox/netflow
+    mirrors:
+    - registry.itix.xyz/stackrox-demo/netflow
+
+  - source: gcr.io/rox-se/struts-violations/mastercard-processor
+    mirrors:
+    - registry.itix.xyz/stackrox-demo/mastercard-processor
+
+  - source: gcr.io/rox-se/struts-violations/visa-processor
+    mirrors:
+    - registry.itix.xyz/stackrox-demo/visa-processor
+
+  - source: gcr.io/rox-se/srox/visa-processor
+    mirrors:
+    - registry.itix.xyz/stackrox-demo/visa-processor-sidecar
+
+  - source: gcr.io/rox-se/srox/jump-host
+    mirrors:
+    - registry.itix.xyz/stackrox-demo/jump-host
+
+  - source: gcr.io/rox-se/srox/proxy
+    mirrors:
+    - registry.itix.xyz/stackrox-demo/proxy
+
+  - source: gcr.io/rox-se/srox/reporting
+    mirrors:
+    - registry.itix.xyz/stackrox-demo/reporting
+
+  - source: gcr.io/rox-se/struts-violations/asset-cache
+    mirrors:
+    - registry.itix.xyz/stackrox-demo/struts-asset-cache
+
+  - source: gcr.io/rox-se/srox/asset-cache
+    mirrors:
+    - registry.itix.xyz/stackrox-demo/srox-asset-cache
+
+  - source: gcr.io/rox-se/srox/monitor
+    mirrors:
+    - registry.itix.xyz/stackrox-demo/monitor
+    
+  - source: gcr.io/rox-se/struts-violations/backend-atlas
+    mirrors:
+    - registry.itix.xyz/stackrox-demo/backend-atlas

mirror.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+set -Eeuo pipefail
+
+function skopeo_copy () {
+    # gcr.json has been extracted as such:
+    #
+    # $ oc extract secret/gcrcred --to=- --keys=.dockerconfigjson -n backend > gcr.json
+    #
+    skopeo copy --authfile "gcr.json" --dest-creds "$DESTINATION_CREDENTIALS" docker://$1 docker://$2
+}
+
+skopeo_copy "gcr.io/rox-se/sample-image:getting-started"                  "registry.itix.xyz/stackrox-demo/sample-image:getting-started"
+skopeo_copy "gcr.io/rox-se/srox/netflow:latest"                           "registry.itix.xyz/stackrox-demo/netflow:latest"
+skopeo_copy "gcr.io/rox-se/struts-violations/mastercard-processor:latest" "registry.itix.xyz/stackrox-demo/mastercard-processor:latest"
+skopeo_copy "gcr.io/rox-se/struts-violations/visa-processor:latest-v2"    "registry.itix.xyz/stackrox-demo/visa-processor:latest-v2"
+skopeo_copy "gcr.io/rox-se/srox/visa-processor:sidecar-latest-v2"         "registry.itix.xyz/stackrox-demo/visa-processor-sidecar:sidecar-latest-v2"
+skopeo_copy "gcr.io/rox-se/srox/jump-host:latest"                         "registry.itix.xyz/stackrox-demo/jump-host:latest"
+skopeo_copy "gcr.io/rox-se/srox/proxy:latest"                             "registry.itix.xyz/stackrox-demo/proxy:latest"
+skopeo_copy "gcr.io/rox-se/srox/reporting:latest"                         "registry.itix.xyz/stackrox-demo/reporting:latest"
+skopeo_copy "gcr.io/rox-se/struts-violations/asset-cache:latest"          "registry.itix.xyz/stackrox-demo/struts-asset-cache"
+skopeo_copy "gcr.io/rox-se/srox/asset-cache:sidecar-latest"               "registry.itix.xyz/stackrox-demo/srox-asset-cache"
+skopeo_copy "gcr.io/rox-se/srox/monitor:latest"                           "registry.itix.xyz/stackrox-demo/monitor:latest"
+skopeo_copy "gcr.io/rox-se/struts-violations/backend-atlas:latest"        "registry.itix.xyz/stackrox-demo/backend-atlas"