Skip to content

GuilhermeCamposo/tap-demo

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

79 Commits
ansible
ansible
 
 
.gitignore
.gitignore
 
 
README.adoc
README.adoc
 
 

Repository files navigation

Trusted Application Pipeline Installation

Requirements

  • OCP >= 4.20

  • oc client >= 4.20

  • Ansible with Kubernetes module (requirements)

What is available?

  1. Trusted Profile Analyzer 2.2

  2. Trusted Artifact Signer 1.3

  3. Developer Hub 1.9

  4. Red Hat build of Keycloak v26

  5. Tekton Pipelines 1.21

  6. ArgoCD GitOps 1.19

  7. Advanced Cluster Security

  8. Devspaces - stable channel - last tested with 3.26.x

TAP Installation

Parameters

Parameter Example Value Definition

token

sha256~vFanQbthlPKfsaldJT3bdLXIyEkd7ypO_XPygY1DNtQ

access token for a user with cluster-admin privileges

server

https://api.mycluster.domain.com:6443

OpenShift cluster API URL

github_pat

longString

Personal Access Token used to download and publish content on Github. Required for Developer Hub deployment only. For information regarding scope, refer to the docs

aws_ec2_access_key

longStringOfCharacters

AWS EC2 Access Key. Required for TPA Only

aws_ec2_secret_key

longStringOfCharacters

AWS EC2 Secret Key. Required for TPA Only

How to run the playbook

ansible-playbook -e token=${token} -e server=${server} -e github_pat=${github_pat}  playbook.yml

Running parts of the playbook

This playbook has tags configured. To run a single role or selected roles you can:

ansible-playbook -e token=${token} -e server=${server} -e aws_ec2_access_key=${AWS_ACCESS_KEY_ID} -e aws_ec2_secret_key=${AWS_SECRET_ACCESS_KEY} --tags "tpa"  playbook.yml

Testing

Trusted Artifact Signer with Cosign

Before testing Cosign, you need a Keycloak user. The playbook configures a trusted-artifact-signer realm with the admin user. The password is password. You can create new users if you want.

  • Configure your shell environment for doing container image signing and verifying

export TUF_URL=$(oc get tuf -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)
export KEYCLOAK_HOST=$(oc get route -l app=keycloak -n keycloak-system -o jsonpath='{.items[0].spec.host}')
export OIDC_ISSUER_URL=https://$KEYCLOAK_HOST/realms/trusted-artifact-signer
export COSIGN_FULCIO_URL=$(oc get fulcio -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)
export COSIGN_REKOR_URL=$(oc get rekor -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)
export COSIGN_MIRROR=$TUF_URL
export COSIGN_ROOT=$TUF_URL/root.json
export COSIGN_OIDC_CLIENT_ID="trusted-artifact-signer"
export COSIGN_OIDC_ISSUER=$OIDC_ISSUER_URL
export COSIGN_CERTIFICATE_OIDC_ISSUER=$OIDC_ISSUER_URL
export COSIGN_YES="true"
export SIGSTORE_FULCIO_URL=$COSIGN_FULCIO_URL
export SIGSTORE_OIDC_ISSUER=$COSIGN_OIDC_ISSUER
export SIGSTORE_REKOR_URL=$COSIGN_REKOR_URL
export REKOR_REKOR_SERVER=$COSIGN_REKOR_URL

  • Initialize The Update Framework (TUF) system

cosign initialize

  • Create an image to be signed

echo "FROM scratch" > ./tmp.Dockerfile
podman build . -f ./tmp.Dockerfile -t ttl.sh/rhtas/test-image:1h
podman push ttl.sh/rhtas/test-image:1h

  • Sign the image

cosign sign -y ttl.sh/rhtas/test-image:1h

  • You can also verify the image signature

cosign verify --certificate-identity=admin@demo.com ttl.sh/rhtas/test-image:1h

About

No description or website provided.

Topics

ansible keycloak minio tpa developerhub

Resources

Readme
Activity

Stars

4 stars

Watchers

1 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages