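---
# Builds an image with `buildah bud` from the `source` git input and pushes it
# to the registry reference carried by the `image` output resource.
#
# Both steps run privileged so buildah can mount layers inside the step
# container. Whoever can set BUILDER_IMAGE therefore chooses which image runs
# as a privileged container on the node: keep this Task in a namespace whose
# PipelineRun authors you trust.
#
# Server-populated fields from the original export (resourceVersion, selfLink,
# uid, generation) are dropped: they make `kubectl apply` fail on another
# cluster, and the exported selfLink named namespace `kabanero` while
# metadata.namespace says `secure-devops`.
apiVersion: tekton.dev/v1alpha1  # legacy API version; migrate once the cluster's Tekton serves v1beta1
kind: Task
metadata:
  name: buildah
  namespace: secure-devops
spec:
  inputs:
    params:
      - name: BUILDER_IMAGE
        type: string
        # Floating version tag. Pin by digest (quay.io/buildah/stable@sha256:...)
        # after verifying it, so the builder image cannot be swapped in the registry.
        default: quay.io/buildah/stable:v1.11.4
        description: The location of the buildah builder image.
      - name: DOCKERFILE
        type: string
        default: ./Dockerfile
        description: Path to the Dockerfile to build, relative to the source checkout.
      - name: TLSVERIFY
        type: string
        default: "true"
        description: >-
          Verify the registry's TLS certificate on pull and push. Set to "false"
          only for a registry that has no trusted certificate; doing so removes
          any protection against a spoofed or intercepted registry.
    resources:
      - name: source
        type: git
  outputs:
    resources:
      - name: image
        type: image
        outputImageDir: /builder/home/image-outputs/image
  steps:
    - name: build
      image: $(inputs.params.BUILDER_IMAGE)
      workingDir: /workspace/source
      command:
        - buildah
        - bud
        - --tls-verify=$(inputs.params.TLSVERIFY)
        - --layers
        - --squash
        - -f
        - $(inputs.params.DOCKERFILE)
        - -t
        - $(outputs.resources.image.url)
        - .
      resources: {}
      securityContext:
        # buildah in this builder image needs to mount overlay layers.
        # TODO(review): confirm whether a fuse-overlayfs / rootless setup lets this be dropped.
        privileged: true
      volumeMounts:
        - name: varlibcontainers
          mountPath: /var/lib/containers
    - name: push
      image: $(inputs.params.BUILDER_IMAGE)
      workingDir: /workspace/source
      command:
        - buildah
        - push
        - --tls-verify=$(inputs.params.TLSVERIFY)
        - --format=v2s2
        - $(outputs.resources.image.url)
        - docker://$(outputs.resources.image.url)
      resources: {}
      securityContext:
        privileged: true  # same reason as the build step
      volumeMounts:
        - name: varlibcontainers
          mountPath: /var/lib/containers
  volumes:
    # buildah's local storage, shared by the build and push steps and discarded
    # when the TaskRun pod goes away.
    - name: varlibcontainers
      emptyDir: {}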
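---
# Registry reference for the encrypted redis image.
#
# The original declared `type: cluster`. A cluster resource expects `url` to be
# a Kubernetes API server plus `cadata`/`token` params, none of which are given,
# and this `url` is an image reference like every other image resource in this
# file, so the type is corrected to `image`. Nothing in this file references the
# name custom-rsrc; confirm against the PipelineRun that binds it.
#
# NOTE(review): namespace `kabanero` does not match the Pipeline and Tasks in
# `secure-devops`; a PipelineRun can only bind resources from its own namespace.
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: custom-rsrc
  namespace: kabanero
spec:
  type: image
  params:
    - name: url
      value: quay.dev.os.fisc.lab:5000/harsingh2/redis:encrypted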
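---
# Pulls the plain image produced by the build, encrypts it with the public key
# from the `enc-key` Secret (skopeo, JWE) and pushes the result to the
# `encrypted-image` reference.
#
# Changes from the original:
#  - TLS verification for both registries is a parameter that defaults to
#    "true" instead of being hard-coded off;
#  - the final `echo` that printed the contents of the kbs-creds token and
#    certificate into the step log (and was missing its closing parenthesis) is
#    replaced by an existence check that never prints the values.
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  annotations:
    manifestival: new
  name: image-encrypt-task
  namespace: secure-devops
spec:
  inputs:
    params:
      - name: TLSVERIFY
        type: string
        default: "true"
        description: >-
          Verify the TLS certificate of the source and destination registries.
          Set to "false" only for a registry without a trusted certificate, as
          the Pipeline in this file already does for the `buildah` Task.
    resources:
      - name: git-source
        type: git
      - name: docker-image
        type: image
      - name: encrypted-image
        type: image
  volumes:
    - name: encryption-keys
      secret:
        secretName: enc-key  # expected to contain public.key
    - name: kbs-creds
      secret:
        secretName: kbs-creds-us  # expected to contain url, token, certificate.pem
  steps:
    - name: encrypt
      # Floating tag pulled with Always: the tool that handles the encryption
      # key can be swapped in the registry at any time. Pin by digest.
      image: lumjjb/seccont-tools:0.1
      imagePullPolicy: Always
      volumeMounts:
        - name: encryption-keys
          mountPath: /keys
          readOnly: true
        - name: kbs-creds
          mountPath: /kbs-creds
          readOnly: true
      command:
        - /bin/bash
      args:
        - -c
        - |
          set -euo pipefail
          /skopeo copy --src-tls-verify=$(inputs.params.TLSVERIFY) \
            docker://$(inputs.resources.docker-image.url) oci:local-image
          /skopeo copy --dest-tls-verify=$(inputs.params.TLSVERIFY) \
            --encryption-key jwe:/keys/public.key \
            oci:local-image docker://$(inputs.resources.encrypted-image.url)
          # Confirm the KBS credentials are mounted without echoing them:
          # step logs are readable by anyone who can read the TaskRun pod.
          for f in url token certificate.pem; do
            if ! test -s "/kbs-creds/$f"; then
              echo "kbs-creds is missing $f" >&2
              exit 1
            fi
          done
          echo "kbs creds present (url, token, certificate.pem)"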
---
# Git source for the build (bound to the `source` / `git-source` inputs).
#
# No `revision` param is given, so each run checks out whatever the resource's
# default revision (master in Tekton v1alpha1) currently points at: an upstream
# push silently changes what gets built, scanned and encrypted. Add
# `- name: revision` with a commit SHA to pin it.
#
# NOTE(review): namespace `kabanero` does not match the Pipeline and Tasks in
# `secure-devops`; a PipelineRun can only bind resources from its own namespace.
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: fcto-ub8
  namespace: kabanero
spec:
  type: git
  params:
    - name: url
      value: https://github.com/fctoibm/ubi8
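---
# Pulls the built image, copies its root filesystem into an emptyDir and runs
# an OpenSCAP OVAL evaluation over the copy. results.xml and report.html are
# written to a hostPath directory on the node.
#
# Changes from the original:
#  - the image pull's TLS verification is a parameter defaulting to "true"
#    instead of hard-coded off;
#  - the hostPath is narrowed from the whole of the node's /var/lib to
#    /var/lib/kabanero, mounted where the default `scansDir` lands, so the
#    default output path on the node is unchanged;
#  - the scripts are `set -euo pipefail` block scalars: a failed pull or copy
#    now fails the step instead of scanning an empty directory and reporting
#    success;
#  - server-populated fields (creationTimestamp, generation) are dropped.
#
# Both steps are privileged; the mount step needs it for buildah, and the scan
# step writes to a hostPath, which on an SELinux-enforcing node typically only
# works from a privileged container. Replacing the hostPath with a PVC would
# remove both the node exposure and the need for privilege in the scan step.
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  annotations:
    manifestival: new
  name: image-scan-task
  namespace: secure-devops
spec:
  inputs:
    params:
      - name: command
        type: string
        default: oscap-chroot
        description: >-
          The scanner command. It is interpolated unquoted into the scan step's
          shell, so it must only be set by trusted pipeline authors.
      - name: scansDir
        type: string
        default: kabanero/scans
        description: >-
          The relative directory under /workspace/scans to save the scan outputs
          to. Only the kabanero/ subtree is backed by the node hostPath mount;
          output placed elsewhere stays in the step container and is lost.
      - name: pathToInputFile
        type: string
        default: /usr/local/share/openscap/cpe/openscap-cpe-oval.xml
        description: The scanner's XCCDF or OVAL file
      - name: TLSVERIFY
        type: string
        default: "true"
        description: >-
          Verify the registry's TLS certificate when pulling the image to scan.
          Set to "false" only for a registry without a trusted certificate.
    resources:
      - name: git-source
        type: git
      - name: docker-image
        type: image
  steps:
    - name: mount-image
      image: appsody/appsody-buildah:0.2.1  # floating tag; pin by digest
      env:
        - name: gitsource  # not read by the script; kept as in the original
          value: git-source
      resources: {}
      securityContext:
        privileged: true  # buildah from/mount need to mount overlay layers in this image
      volumeMounts:
        - name: varlibcontainers
          mountPath: /var/lib/containers
      command:
        - /bin/bash
      args:
        - -c
        - |
          set -euo pipefail
          echo "Pulling image $(inputs.resources.docker-image.url)"
          ctr=$(buildah from --tls-verify=$(inputs.params.TLSVERIFY) $(inputs.resources.docker-image.url))
          rootfs=$(buildah mount "$ctr")
          echo "$rootfs" > /var/lib/containers/rootfs.txt
          echo "Mounted image to $rootfs"
          # The mount exists only in this step's mount namespace; copy the tree
          # into the shared emptyDir so the scan step can read it.
          mkdir -p /var/lib/containers/merged
          cp -a "$rootfs"/. /var/lib/containers/merged/
          echo "Copied mounted image to /var/lib/containers/merged"
          buildah images -q $(inputs.resources.docker-image.url) > /var/lib/containers/imageid.txt
          echo "Image ID of the image to scan: $(cat /var/lib/containers/imageid.txt)"
    - name: scan-image
      image: kabanero/scanner  # untagged, resolves to :latest; pin by digest
      resources: {}
      securityContext:
        # Only needed for the hostPath write (see the header comment); the scan
        # itself reads a copied directory tree and needs no privilege.
        privileged: true
      volumeMounts:
        - name: host-save-dir
          mountPath: /workspace/scans/kabanero
        - name: varlibcontainers
          mountPath: /var/lib/containers
      command:
        - /bin/bash
      args:
        - -c
        - |
          set -euo pipefail
          imageid=$(cat /var/lib/containers/imageid.txt)
          out="/workspace/scans/$(inputs.params.scansDir)/$(inputs.resources.docker-image.url)/$imageid"
          mkdir -p "$out"
          echo "Scanning copy of image $(inputs.resources.docker-image.url) with image ID $imageid in /var/lib/containers/merged"
          cd /var/lib/containers/merged
          # NOTE(review): the step's exit status is the scanner's; as written
          # nothing turns findings in results.xml into a failed TaskRun.
          $(inputs.params.command) /var/lib/containers/merged oval eval \
            --results "$out/results.xml" \
            --report "$out/report.html" \
            $(inputs.params.pathToInputFile)
  volumes:
    # Narrowed from /var/lib (which holds the node's container runtime and
    # kubelet state) to the one directory the scan results go in.
    - name: host-save-dir
      hostPath:
        path: /var/lib/kabanero
        type: DirectoryOrCreate
    - name: varlibcontainers
      emptyDir: {}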
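<![CDATA[---
# build-image -> image-scan-task -> image-encrypt-task.
#
# NOTE(review): the ordering is only `runAfter`; nothing in image-scan-task as
# written in this file fails on findings, so the encrypt task runs whatever the
# scan reported.
#
# Server-populated fields from the original export (selfLink, uid) are
# dropped; the selfLink named namespace `kabanero` while metadata.namespace
# says `secure-devops`.
apiVersion: tekton.dev/v1alpha1
kind: Pipeline
metadata:
  name: dsop-image-scan
  namespace: secure-devops
spec:
  resources:
    - name: fctogit-git
      type: git
    - name: fcto-image-leeroy-web
      type: image
    - name: fcto-encrypt-image-leeroy-web
      type: image
  tasks:
    - name: build-image
      taskRef:
        name: buildah
      params:
        - name: DOCKERFILE
          value: 8.1/Dockerfile
        - name: TLSVERIFY
          # Disables registry certificate verification for the build's pull and
          # push, so a spoofed registry cannot be detected. Acceptable only for a
          # lab registry without a trusted certificate.
          value: "false"
      resources:
        inputs:
          - name: source
            resource: fctogit-git
        outputs:
          - name: image
            resource: fcto-image-leeroy-web
    - name: image-scan-task
      taskRef:
        name: image-scan-task
      runAfter:
        - build-image
      resources:
        inputs:
          - name: git-source
            resource: fctogit-git
          - name: docker-image
            resource: fcto-image-leeroy-web
    - name: image-encrypt-task
      taskRef:
        name: image-encrypt-task
      runAfter:
        - image-scan-task
      resources:
        inputs:
          - name: git-source
            resource: fctogit-git
          - name: docker-image
            resource: fcto-image-leeroy-web
          - name: encrypted-image
            resource: fcto-encrypt-image-leeroy-web
]]>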
---
# Destination reference for the encrypted redis image.
#
# The registry is addressed by bare IP:port, so there is no hostname a TLS
# certificate could be verified against; presumably this is why the Pipeline in
# this file turns TLS verification off. Prefer a DNS name with a trusted
# certificate so verification can stay enabled.
#
# NOTE(review): namespace `kabanero` does not match the Pipeline and Tasks in
# `secure-devops`; a PipelineRun can only bind resources from its own namespace.
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: redis-encrypted-image
  namespace: kabanero
spec:
  type: image
  params:
    - name: url
      value: 172.16.100.15:7777/redis:encrypted
---
# Destination reference for the encrypted ubi8 image.
#
# Same bare IP:port registry as the other image resources: no hostname for a
# TLS certificate to match, so pushes to it only work with verification off.
# Prefer a DNS name with a trusted certificate.
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: ub8-encrypted-image
  namespace: secure-devops
spec:
  type: image
  params:
    - name: url
      value: 172.16.100.15:7777/ub8:encrypted
---
# Reference for the plain (unencrypted) ubi8 image produced by the build and
# consumed by the scan and encrypt tasks.
#
# Bare IP:port registry, as above. Note the plain image is pushed to the same
# registry as the encrypted one; encryption only protects it if the plain tag
# is removed or the registry's access control keeps it from consumers.
#
# NOTE(review): namespace `kabanero` does not match the Pipeline and Tasks in
# `secure-devops`; a PipelineRun can only bind resources from its own namespace.
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
  name: ub8-image
  namespace: kabanero
spec:
  type: image
  params:
    - name: url
      value: 172.16.100.15:7777/ub8:plain