mbp-1008: UC02 automated pipeline (#81)

Signed-off-by: Manuel Lorenzo <mlorenzofr@redhat.com>

Author: mlorenzofr

.github/workflows/superlinter.yml

@@ -43,7 +43,7 @@ jobs:
           VALIDATE_SHELL_SHFMT: false
           VALIDATE_YAML: false
           VALIDATE_YAML_PRETTIER: false
+          VALIDATE_TEKTON: false
           # VALIDATE_DOCKERFILE_HADOLINT: false
           # VALIDATE_MARKDOWN: false
           # VALIDATE_NATURAL_LANGUAGE: false
-          # VALIDATE_TEKTON: false

README.md

@@ -28,6 +28,16 @@ The following components are included in the Layered Zero Trust Pattern
   * Synchronizes secrets stored in HashiCorp Vault with OpenShift
 * [Red Hat Advanced Cluster Management (ACM)](https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.14)
   * Provides a management control in multi-cluster scenarios
+* [Red Hat Quay](https://docs.redhat.com/en/documentation/red_hat_quay/3.15)
+**  * Enables a private repository for OCI images within the environment
+* [Multicloud Object Gateway](https://docs.redhat.com/en/documentation/red_hat_openshift_container_storage/4.8/html/managing_hybrid_and_multicloud_resources/index)
+  * Provides an object storage service for Openshift
+* [Red Hat Trusted Artifact Signer (RHTAS)](https://docs.redhat.com/en/documentation/red_hat_trusted_artifact_signer/1.3)
+**  * Provides cryptographic signing and verification of software artifacts and container images
+* [Red Hat Trusted Profile Analyzer (RHTPA)](https://docs.redhat.com/es/documentation/red_hat_trusted_profile_analyzer/2.2)
+**  * Provides the storage and management means for _Software Bill of Materials_ (SBOMs), with cross-referencing capabilities between SBOMs and CVEs/Security Advisories
+* [Red Hat Openshift Pipelines](https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines/1.20)
+  * Enables a native CI/CD solution in Openshift
 
 ## Getting Started
 

charts/qtodo/templates/app-serviceaccount.yaml

@@ -5,3 +5,7 @@ metadata:
     app: qtodo
   name: qtodo
   namespace: qtodo
+{{- if .Values.app.images.main.registry.auth }}
+imagePullSecrets:
+  - name: {{ .Values.app.images.main.registry.secretName }}
+{{- end }}

charts/qtodo/templates/registry-external-secret.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.app.images.main.registry.auth }}
+---
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata:
+  name: {{ .Values.app.images.main.registry.secretName }}
+  namespace: {{ .Release.Namespace | default .Values.global.namespace }}
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: {{ .Values.global.secretStore.name }}
+    kind: {{ .Values.global.secretStore.kind }}
+  target:
+    name: {{ .Values.app.images.main.registry.secretName }}
+    template:
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: |
+          {
+            "auths": {
+              "{{ .Values.app.images.main.registry.domain | default (printf "quay-registry-quay-quay-enterprise.%s" .Values.global.hubClusterDomain) }}": {
+                "auth": "{{ `{{ printf "%s:%s" "` }}{{ .Values.app.images.main.registry.user }}{{ `" .password | b64enc }}` }}"
+              }
+            }
+          }
+  data:
+  - secretKey: password
+    remoteRef:
+      key: {{ .Values.app.images.main.registry.vaultPath }}
+      property: {{ .Values.app.images.main.registry.passwordVaultKey }}
+{{- end }}

charts/qtodo/values.yaml

@@ -14,6 +14,13 @@ app:
       tag: latest
       # Modified to Always to force a pull so we can test changes to the container image without requiring manual deletion of images or restarts of argo
       pullPolicy: Always
+      registry:
+        auth: false
+        secretName: qtodo-registry-auth
+        user: quay-user
+        # domain: quay-registry-quay-quay-enterprise.apps.example.com
+        vaultPath: secret/data/global/quay-users
+        passwordVaultKey: password
     spiffeHelper:
       name: ghcr.io/spiffe/spiffe-helper
       tag: 0.10.1

charts/supply-chain/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: supply-chain
+description: A Helm chart for Supply Chain (UC02)
+type: application
+version: 0.1.0
+appVersion: "1.0.0"
+keywords:
+  - supply-chain
+  - uc02
+  - zero-trust
+  - tekton
+maintainers:
+  - name: Zero Trust Validated Patterns Team
+    email: ztvp-arch-group@redhat.com

charts/supply-chain/files/quay_user.py

@@ -0,0 +1,124 @@
+#!/usr/bin/env python3
+
+import http.cookiejar
+import json
+import os
+import ssl
+import sys
+import time
+import urllib.error
+import urllib.parse
+import urllib.request
+
+# Configuration
+QUAY_HOST = os.getenv("QUAY_HOST")
+USERNAME = os.getenv("QUAY_ADMIN_USER", "username")
+EMAIL = os.getenv("QUAY_ADMIN_EMAIL", "user@example.com")
+PASSWORD = os.getenv("QUAY_ADMIN_PASSWORD")
+CA_CERT = os.getenv("CA_CERT", "/run/secrets/kubernetes.io/serviceaccount/ca.crt")
+
+if not all([QUAY_HOST, PASSWORD]):
+    print("ERROR: Missing QUAY_HOST or QUAY_ADMIN_PASSWORD env vars")
+    sys.exit(1)
+
+BASE_URL = f"https://{QUAY_HOST}"
+
+
+def log(msg):
+    """Log a message to the console"""
+    print(f"[{time.strftime('%X')}] {msg}", flush=True)
+
+
+# Setup SSL
+ctx = ssl.create_default_context()
+if os.path.exists(CA_CERT):
+    ctx.load_verify_locations(CA_CERT)
+    log(f"Using CA certificate from {CA_CERT}")
+    ctx.check_hostname = True
+    ctx.verify_mode = ssl.CERT_REQUIRED
+else:
+    log(f"WARNING: CA certificate file not found at {CA_CERT}")
+    ctx.check_hostname = False
+    ctx.verify_mode = ssl.CERT_NONE
+
+# Setup Cookies (Required for CSRF)
+cj = http.cookiejar.CookieJar()
+opener = urllib.request.build_opener(
+    urllib.request.HTTPSHandler(context=ctx),
+    urllib.request.HTTPCookieProcessor(cj),
+)
+
+
+def wait_for_quay():
+    """Loop until Quay health endpoint returns 200"""
+    url = f"{BASE_URL}/health/instance"
+    while True:
+        try:
+            log(f"Checking Quay health at {url}...")
+            with opener.open(url, timeout=10) as response:
+                if response.status == 200:
+                    log("Quay is Online.")
+                    return
+        except Exception as e:
+            log(f"Quay unavailable ({e}). Retrying in 5s...")
+            time.sleep(5)
+
+
+def get_csrf_token():
+    """Fetch CSRF token and prime the cookie jar"""
+    url = f"{BASE_URL}/csrf_token"
+    with opener.open(url) as response:
+        data = json.loads(response.read().decode())
+        token = data.get("csrf_token")
+    return token
+
+
+def create_user():
+    """Perform the creation flow"""
+    try:
+        log("Attempting to create user...")
+        csrf_token = get_csrf_token()
+
+        url = f"{BASE_URL}/api/v1/user/"
+        payload = json.dumps(
+            {
+                "username": USERNAME,
+                "email": EMAIL,
+                "password": PASSWORD,
+                "_csrf_token": csrf_token,
+            }
+        ).encode("utf-8")
+
+        headers = {
+            "Content-Type": "application/json",
+            "X-CSRF-Token": csrf_token,
+        }
+
+        req = urllib.request.Request(url, data=payload, headers=headers, method="POST")
+
+        with opener.open(req) as response:
+            if response.status in [200, 201, 202]:
+                log("SUCCESS: User created successfully.")
+                return True
+    except urllib.error.HTTPError as e:
+        if e.code == 400:
+            log(f"User '{USERNAME}' already exists. Exiting.")
+            return True
+        log(f"FAILED to create user: {e.code} {e.reason}")
+    except Exception as e:
+        log(f"FAILED to create user: {e}")
+    return False
+
+
+# Main
+if __name__ == "__main__":
+    log("Starting Quay User Automator")
+
+    wait_for_quay()
+
+    while True:
+        if create_user():
+            sys.exit(0)
+
+        log("Retrying user creation in 10s...")
+        time.sleep(10)