mbp-1024: Add Automated Secure Supply Chain to layered-zero-trust

mlorenzofr · gaurav-nelson · commit b25c4953e6c3 · 2026-01-13T12:10:30.000+05:30
Signed-off-by: Manuel Lorenzo &lt;mlorenzofr@redhat.com&gt;
diff --git a/content/patterns/layered-zero-trust/_index.adoc b/content/patterns/layered-zero-trust/_index.adoc
@@ -108,6 +108,9 @@ The pattern consists of the following key components:
 * link:https://docs.redhat.com/es/documentation/red_hat_trusted_profile_analyzer/2.2[Red{nbsp}Hat Trusted Profile Analyzer (RHTPA)]
 ** Provides the storage and management means for _Software Bill of Materials_ (SBOMs), with cross-referencing capabilities between SBOMs and CVEs/Security Advisories.
 
+* link:https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines/1.20[Red{nbsp}Hat OpenShift Pipelines]
+** Provides a cloud-native continuous integration and continuous deployment (CI/CD) solution on {ocp}.
+
 [id="architecture-diagram"]
 ==== Architecture diagram
 
@@ -186,3 +189,4 @@ The following technologies are used in this solution:
 * *Red{nbsp}Hat Quay*: Private registry for OCI images.
 * *Red{nbsp}Hat Trusted Artifact Signer*: Facilitates signing and verification of software artifacts.
 * *Red{nbsp}Hat Trusted Profile Analyzer*: Enables SBOM file analysis and vulnerability detection.
+* *Red{nbsp}Hat OpenShift Pipelines*: Enables a native CI/CD solution on {ocp}.
diff --git a/content/patterns/layered-zero-trust/lzt-automated-secure-supply-chain.adoc b/content/patterns/layered-zero-trust/lzt-automated-secure-supply-chain.adoc
@@ -0,0 +1,278 @@
+---
+title: Secure supply chain - Automated approach
+weight: 40
+aliases: /layered-zero-trust/lzt-automated-secure-supply-chain/
+---
+
+:toc:
+:imagesdir: /images
+:_mod-docs-content-type: ASSEMBLY
+include::modules/comm-attributes.adoc[]
+
+[id="lzt-automated-secure-supply-chain"]
+= Use case: Automating the secure supply chain
+
+[role="_abstract"]
+The xref:/patterns/layered-zero-trust/lzt-secure-multitier/index.html [Secure multitiered applications] use case describes how to implement a secure supply chain for application development by using Red{nbsp}Hat Trusted Artifact Signer (RHTAS) and the Red{nbsp}Hat Trusted Profile Analyzer (RHTPA). This use case demonstrates automation of the secure supply chain for application development by using link:https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines/1.20[{rh-pipelines-first}].
+
+{pipelines-short} orchestrates the application building and certification process. The Zero Trust Validated Pattern (ZTVP) creates a pipeline in the cluster named `qtodo-supply-chain`. This pipeline builds the application from source code, generates a container image, and publishes the image to an OCI registry.
+
+The pipeline performs the following actions:
+
+* Generates a Software Bill of Materials (SBOM) containing the build contents.
+* Signs binaries and the build attestation.
+* Verifies the validity of the signatures.
+
+[id="run-pipeline"]
+== Running the pipeline
+
+Start the pipeline by using the {ocp} web console or the CLI.
+
+[id="run-pipeline-console"]
+=== Running the pipeline from the web console
+
+To start a pipeline execution from the {ocp} Web console:
+
+.Procedure
+
+. Log in to the {ocp} web console.
+. From the left navigation bar, select **Pipelines** -> **Pipelines**.
+. In the **layered-zero-trust-hub** project, find the **qtodo-supply-chain** pipeline.
+. Click the **Options** menu (⋮) and select **Start**.
+. Verify the parameters. Most default values are correct for single-cluster mode.
+. Configure the following workspaces:
+
+* For **qtodo-source**, select **PersistentVolumeClaim** and ensure the PVC name is **qtodo-workspace-source**.
+* For **registry-auth-config**, select **Secret** and ensure the secret name is **qtodo-registry-auth**.
+. Click **Start**.
+
+[id="run-pipeline-cli"]
+=== Running the pipeline from the CLI
+
+Start a pipeline execution by creating a `PipelineRun` resource that references the `qtodo-supply-chain` pipeline.
+
+.Procedure
+
+. Create a file named `qtodo-pipeline.yaml` with the following content:
++
+[source,yaml]
+----
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  generateName: qtodo-manual-run-
+  namespace: layered-zero-trust-hub
+spec:
+  pipelineRef:
+    name: qtodo-supply-chain
+  taskRunTemplate:
+    serviceAccountName: pipeline
+  timeouts:
+    pipeline: 1h0m0s
+  workspaces:
+  - name: qtodo-source
+    persistentVolumeClaim:
+      claimName: qtodo-workspace-source
+  - name: registry-auth-config
+    secret:
+      secretName: qtodo-registry-auth
+----
++
+Verify the values for the PVC storage and registry configuration.
+
+. Create the `PipelineRun` resource:
++
+[source,terminal]
+----
+$ oc create -f qtodo-pipeline.yaml
+----
+
+.Verification
+
+* Review the pipeline logs using the Tekton CLI:
++
+[source,terminal]
+----
+$ tkn pipeline logs -n layered-zero-trust-hub -L -f
+----
+
+[id="pipeline-tasks"]
+== Pipeline tasks
+
+The pipeline includes the following tasks:
+
+* **qtodo-clone-repository**: Clones the `qtodo` repository.
+* **qtodo-build-artifact**: Builds an `uber-jar` of the `qtodo` application.
+* **qtodo-sign-artifact**: Signs the generated JAR file.
+* **qtodo-verify-artifact**: Verifies the JAR signature.
+* **qtodo-build-image**: Builds a container image and uploads it to a registry.
+* **qtodo-sign-image**: Signs the container image.
+* **qtodo-generate-sbom**: Generates an SBOM from the image.
+* **qtodo-sbom-attestation**: Creates a signed attestation and attaches it to the image.
+* **qtodo-upload-sbom**: Uploads the SBOM file to RHTPA.
+* **qtodo-verify-image**: Verifies the attestation and signature.
+
+[id="inspect-results"]
+== Inspecting pipeline results
+
+Verify the status and output of the pipeline by using the web console or the CLI.
+
+[id="inspect-results-ui"]
+=== Inspecting results from the web console
+
+You can inspect the results of the pipeline execution from the {ocp} web console.
+
+.Procedure
+
+. Log in to the {ocp} web console.
+. From the left navigation bar, select **Pipelines** -> **Pipelines**.
+. In the **layered-zero-trust-hub** project, find the **qtodo-supply-chain** pipeline.
+. Click the *PipelineRun* link in the *Last run* column.
+. In the *Details* tab, view the summary of the pipeline execution and tasks.
+. Click on a task or the *Logs* tab to see the output of specific tasks.
+
+[id="inspect-results-cli"]
+=== Inspecting results from the CLI
+
+You can inspect the results of the pipeline execution by using the CLI.
+
+.Procedure
+
+. Verify that the pipeline completed successfully:
++
+[source,terminal]
+----
+$ oc get pipelinerun -n layered-zero-trust-hub
+
+NAME                        SUCCEEDED   REASON      STARTTIME   COMPLETIONTIME
+qtodo-manual-run-p46f7      True        Succeeded   7m4s        2m12s
+----
+
+. Review the `TaskRuns` to see the results of each step:
++
+[source,terminal]
+----
+$ oc get taskruns -n layered-zero-trust-hub
+
+NAME                                               SUCCEEDED   REASON             STARTTIME   COMPLETIONTIME
+qtodo-manual-run-p46f7-qtodo-build-artifact        True        Succeeded          7m44s       5m17s
+qtodo-manual-run-p46f7-qtodo-build-image           True        Succeeded          4m55s       4m4s
+qtodo-manual-run-p46f7-qtodo-clone-repository      True        Succeeded          7m55s       7m44s
+...
+----
+
+. Identify the pods associated with the tasks in the `layered-zero-trust-hub` namespace:
++
+[source,terminal]
+----
+$ oc get pods -n layered-zero-trust-hub
+
+NAME                                                    READY   STATUS      RESTARTS   AGE
+qtodo-manual-run-p46f7-qtodo-build-artifact-pod         0/1     Completed   0          10m
+qtodo-manual-run-p46f7-qtodo-build-image-pod            0/1     Completed   0          7m21s
+...
+----
+
+. Review the pod logs to view the output of a specific step. For example, to view image verification messages:
++
+[source,terminal]
+----
+$ oc logs -n layered-zero-trust-hub qtodo-manual-run-p46f7-qtodo-verify-image-pod
+
+Success: true
+Result: SUCCESS
+Violations: 0, Warnings: 0, Successes: 3
+Component: Unnamed
+ImageRef: quay-registry-quay-quay-enterprise.apps.example.com/ztvp/qtodo@sha256:df6506e93a141cfcaeb3b4686b558cddd963410a146b10c3cbd1319122f5f880
+
+Results:
+✓ [Success] builtin.attestation.signature_check
+...
+✓ [Success] builtin.image.signature_check
+...
+----
+
+[id="review-services"]
+== Reviewing integrated services
+
+The supply chain results are visible in the services used during the build process.
+
+[id="review-quay"]
+=== Reviewing images in Quay
+
+If you used Quay as the image registry, you can review the built image inside the registry.
+
+.Procedure
+
+. Obtain the credentials for the Quay web interface:
+
+* *Quay URL*:
++
+[source,terminal]
+----
+$ echo "https://$(oc get route -n quay-enterprise \
+    -l quay-component=quay-app-route \
+    -o jsonpath='{.items[0].spec.host}')"
+----
+* *Quay username*: Use the value specified in `values-hub.yaml` or `quay-user`.
+* *Quay password*:
++
+[source,terminal]
+----
+$ oc get secret -n layered-zero-trust-hub qtodo-quay-password -o json | jq '.data["password"] | @base64d'
+----
+
+. Log in to the Quay web interface.
+. Select the **ztvp/qtodo** repository.
+. In the navigation menu, select **Tags**.
+. Verify that the `latest` tag is signed and that the `.att` attestation file is present.
+
+image::/images/layered-zero-trust/quay-web-ui.png[Quay Web UI]
+
+[id="review-rekor"]
+=== Reviewing Rekor verification records
+
+Use the Rekor search interface to check verification records. Search by email address or record index.
+
+.Procedure
+
+* Get the URL for the Rekor search interface:
++
+[source,terminal]
+----
+$ echo "https://$(oc get route -n trusted-artifact-signer -l app.kubernetes.io/component=rekor-ui -o jsonpath='{.items[0].spec.host}')"
+----
+
+image::/images/layered-zero-trust/rekor-web-ui.png[Rekor's Search UI]
+
+[id="review-rhtpa"]
+=== Reviewing RHTPA results
+
+The RHTPA web UI uses OIDC for user authentication. If you are using *Keycloak* integrated with the pattern, use the following commands to obtain the credentials.
+
+.Procedure
+
+. Get the credentials:
+* *RHTPA URL*:
++
+[source,terminal]
+----
+$ echo "https://$(oc get route -n trusted-profile-analyzer \
+    -l app.kubernetes.io/name=server \
+    -o jsonpath='{.items[0].spec.host}')"
+----
+* *RHTPA user*: `rhtpa-user`
+* *RHTPA user password*:
++
+[source,terminal]
+----
+$ oc get secret keycloak-users -n keycloak-system -o json \
+    | jq '.data["rhtpa-user-password"] | @base64d'
+----
+
+. Review the SBOM in the RHTPA web interface:
+.. Log in to the RHTPA web interface using Keycloak credentials.
+.. In the navigation menu, select **SBOMs**.
+.. Select the container image name from the list of available SBOMs.
+
+image::/images/layered-zero-trust/rhtpa-web-ui.png[RHTPA Web UI]
diff --git a/content/patterns/layered-zero-trust/lzt-secure-multitier.adoc b/content/patterns/layered-zero-trust/lzt-secure-multitier.adoc
@@ -1,5 +1,5 @@
 ---
-title: Secure multi-tier applications
+title: Secure multitiered applications
 weight: 20
 aliases: /layered-zero-trust/lzt-secure-multitier
 ---
@@ -10,7 +10,7 @@ aliases: /layered-zero-trust/lzt-secure-multitier
 include::modules/comm-attributes.adoc[]
 
 [id="lzt-secure-multitier"]
-= Use case: Secure multi-tier applications
+= Use case: Secure multitiered applications
 
 This use case demonstrates securing a common application design pattern: a frontend application using a database for persistent storage.
 
diff --git a/static/images/layered-zero-trust/quay-web-ui.png b/static/images/layered-zero-trust/quay-web-ui.png
