-
-
Save lumjjb/22191008f849f240851aec8a1ee0304d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: tekton.dev/v1alpha1 | |
| kind: Task | |
| metadata: | |
| annotations: | |
| generation: 5 | |
| name: buildah | |
| namespace: secure-devops | |
| resourceVersion: "19659414" | |
| selfLink: /apis/tekton.dev/v1alpha1/namespaces/kabanero/tasks/buildah | |
| uid: 5473c62b-20d2-11ea-a323-005056adbb0f | |
| spec: | |
| inputs: | |
| params: | |
| - default: quay.io/buildah/stable:v1.11.4 | |
| description: The location of the buildah builder image. | |
| name: BUILDER_IMAGE | |
| type: string | |
| - default: ./Dockerfile | |
| description: Path to the Dockerfile to build. | |
| name: DOCKERFILE | |
| type: string | |
| - default: "true" | |
| description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS | |
| registry) | |
| name: TLSVERIFY | |
| type: string | |
| resources: | |
| - name: source | |
| type: git | |
| outputs: | |
| resources: | |
| - name: image | |
| outputImageDir: /builder/home/image-outputs/image | |
| type: image | |
| steps: | |
| - command: | |
| - buildah | |
| - bud | |
| - --tls-verify=$(inputs.params.TLSVERIFY) | |
| - --layers | |
| - --squash | |
| - -f | |
| - $(inputs.params.DOCKERFILE) | |
| - -t | |
| - $(outputs.resources.image.url) | |
| - . | |
| image: $(inputs.params.BUILDER_IMAGE) | |
| name: build | |
| resources: {} | |
| securityContext: | |
| privileged: true | |
| volumeMounts: | |
| - mountPath: /var/lib/containers | |
| name: varlibcontainers | |
| workingDir: /workspace/source | |
| - command: | |
| - buildah | |
| - push | |
| - --tls-verify=$(inputs.params.TLSVERIFY) | |
| - --format=v2s2 | |
| - $(outputs.resources.image.url) | |
| - docker://$(outputs.resources.image.url) | |
| image: $(inputs.params.BUILDER_IMAGE) | |
| name: push | |
| resources: {} | |
| securityContext: | |
| privileged: true | |
| volumeMounts: | |
| - mountPath: /var/lib/containers | |
| name: varlibcontainers | |
| workingDir: /workspace/source | |
| volumes: | |
| - emptyDir: {} | |
| name: varlibcontainers | |
| --- | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: PipelineResource | |
| metadata: | |
| name: custom-rsrc | |
| namespace: kabanero | |
| spec: | |
| params: | |
| - name: url | |
| value: quay.dev.os.fisc.lab:5000/harsingh2/redis:encrypted | |
| type: cluster | |
| --- | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: Task | |
| metadata: | |
| annotations: | |
| manifestival: new | |
| name: image-encrypt-task | |
| namespace: secure-devops | |
| spec: | |
| inputs: | |
| resources: | |
| - name: git-source | |
| type: git | |
| - name: docker-image | |
| type: image | |
| - name: encrypted-image | |
| type: image | |
| volumes: | |
| - name: encryption-keys | |
| secret: | |
| secretName: enc-key | |
| - name: kbs-creds | |
| secret: | |
| secretName: kbs-creds-us | |
| steps: | |
| - name: encrypt | |
| image: lumjjb/seccont-tools:0.1 | |
| imagePullPolicy: Always | |
| volumeMounts: | |
| - name: encryption-keys | |
| mountPath: /keys | |
| readOnly: true | |
| - name: kbs-creds | |
| mountPath: /kbs-creds | |
| readOnly: true | |
| command: | |
| - /bin/bash | |
| args: | |
| - -c | |
| - /skopeo copy --src-tls-verify=false docker://$(inputs.resources.docker-image.url) oci:local-image | |
| && /skopeo copy --dest-tls-verify=false --encryption-key jwe:/keys/public.key oci:local-image docker://$(inputs.resources.encrypted-image.url) | |
| && echo "check kbs creds $(cat /kbs-creds/url),$(cat /kbs-creds/token,/kbs-creds/certificate.pem" | |
| --- | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: PipelineResource | |
| metadata: | |
| name: fcto-ub8 | |
| namespace: kabanero | |
| spec: | |
| params: | |
| - name: url | |
| value: https://github.com/fctoibm/ubi8 | |
| type: git | |
| --- | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: Task | |
| metadata: | |
| annotations: | |
| manifestival: new | |
| creationTimestamp: "2019-12-04T21:22:23Z" | |
| generation: 1 | |
| name: image-scan-task | |
| namespace: secure-devops | |
| spec: | |
| inputs: | |
| params: | |
| - default: oscap-chroot | |
| description: The scanner command | |
| name: command | |
| type: string | |
| - default: kabanero/scans | |
| description: The relative directory to save the scan outputs to | |
| name: scansDir | |
| type: string | |
| - default: /usr/local/share/openscap/cpe/openscap-cpe-oval.xml | |
| description: The scanner's XCCDF or OVAL file | |
| name: pathToInputFile | |
| type: string | |
| resources: | |
| - name: git-source | |
| type: git | |
| - name: docker-image | |
| type: image | |
| steps: | |
| - args: | |
| - -c | |
| - 'echo "Pulling image $(inputs.resources.docker-image.url)"; buildah from --tls-verify=false | |
| $(inputs.resources.docker-image.url); echo $(buildah mount $(buildah containers | |
| -q)) > /var/lib/containers/rootfs.txt; echo "Mounted image to $(cat /var/lib/containers/rootfs.txt)"; | |
| cd $(cat /var/lib/containers/rootfs.txt); ls -la; cp -a $(cat /var/lib/containers/rootfs.txt) | |
| /var/lib/containers; echo "Copied mounted image to /var/lib/containers/merged"; | |
| ls -la /var/lib/containers/merged; echo $(buildah images -q $(inputs.resources.docker-image.url)) | |
| > /var/lib/containers/imageid.txt; echo "Image ID of the image to scan: $(cat | |
| /var/lib/containers/imageid.txt)"' | |
| command: | |
| - /bin/bash | |
| env: | |
| - name: gitsource | |
| value: git-source | |
| image: appsody/appsody-buildah:0.2.1 | |
| name: mount-image | |
| resources: {} | |
| securityContext: | |
| privileged: true | |
| volumeMounts: | |
| - mountPath: /var/lib/containers | |
| name: varlibcontainers | |
| - args: | |
| - -c | |
| - mkdir -p /workspace/scans/$(inputs.params.scansDir)/$(inputs.resources.docker-image.url)/$(cat | |
| /var/lib/containers/imageid.txt); echo "Scanning copy of image $(inputs.resources.docker-image.url) | |
| with image ID $(cat /var/lib/containers/imageid.txt) in /var/lib/containers/merged"; | |
| cd /var/lib/containers/merged; ls -la; $(inputs.params.command) /var/lib/containers/merged | |
| oval eval --results /workspace/scans/$(inputs.params.scansDir)/$(inputs.resources.docker-image.url)/$(cat | |
| /var/lib/containers/imageid.txt)/results.xml --report /workspace/scans/$(inputs.params.scansDir)/$(inputs.resources.docker-image.url)/$(cat | |
| /var/lib/containers/imageid.txt)/report.html $(inputs.params.pathToInputFile) | |
| command: | |
| - /bin/bash | |
| image: kabanero/scanner | |
| name: scan-image | |
| resources: {} | |
| securityContext: | |
| privileged: true | |
| volumeMounts: | |
| - mountPath: /workspace/scans | |
| name: host-save-dir | |
| - mountPath: /var/lib/containers | |
| name: varlibcontainers | |
| volumes: | |
| - hostPath: | |
| path: /var/lib | |
| name: host-save-dir | |
| - emptyDir: {} | |
| name: varlibcontainers | |
| --- | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: Pipeline | |
| metadata: | |
| name: dsop-image-scan | |
| namespace: secure-devops | |
| selfLink: /apis/tekton.dev/v1alpha1/namespaces/kabanero/pipelines/dsop-image-scan | |
| uid: 192dbe2d-205c-11ea-a323-005056adbb0f | |
| spec: | |
| resources: | |
| - name: fctogit-git | |
| type: git | |
| - name: fcto-image-leeroy-web | |
| type: image | |
| - name: fcto-encrypt-image-leeroy-web | |
| type: image | |
| tasks: | |
| - name: build-image | |
| params: | |
| - name: DOCKERFILE | |
| value: 8.1/Dockerfile | |
| - name: TLSVERIFY | |
| value: 'false' | |
| resources: | |
| inputs: | |
| - name: source | |
| resource: fctogit-git | |
| outputs: | |
| - name: image | |
| resource: fcto-image-leeroy-web | |
| taskRef: | |
| name: buildah | |
| - name: image-scan-task | |
| resources: | |
| inputs: | |
| - name: git-source | |
| resource: fctogit-git | |
| - name: docker-image | |
| resource: fcto-image-leeroy-web | |
| runAfter: | |
| - build-image | |
| taskRef: | |
| name: image-scan-task | |
| - name: image-encrypt-task | |
| resources: | |
| inputs: | |
| - name: git-source | |
| resource: fctogit-git | |
| - name: docker-image | |
| resource: fcto-image-leeroy-web | |
| - name: encrypted-image | |
| resource: fcto-encrypt-image-leeroy-web | |
| runAfter: | |
| - image-scan-task | |
| taskRef: | |
| name: image-encrypt-task | |
| --- | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: PipelineResource | |
| metadata: | |
| name: redis-encrypted-image | |
| namespace: kabanero | |
| spec: | |
| params: | |
| - name: url | |
| value: 172.16.100.15:7777/redis:encrypted | |
| type: image | |
| --- | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: PipelineResource | |
| metadata: | |
| name: ub8-encrypted-image | |
| namespace: secure-devops | |
| spec: | |
| params: | |
| - name: url | |
| value: 172.16.100.15:7777/ub8:encrypted | |
| type: image | |
| --- | |
| apiVersion: tekton.dev/v1alpha1 | |
| kind: PipelineResource | |
| metadata: | |
| name: ub8-image | |
| namespace: kabanero | |
| spec: | |
| params: | |
| - name: url | |
| value: 172.16.100.15:7777/ub8:plain | |
| type: image |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment