Hcp devsecops v1.1.0 (#5815)

* initial commit * add gitea webhook and event listener * fix argo app * update * update * update * update * update * update * update * update * update * update
redhat-cop · Jan 16, 2023 · 1dc27e4 · 1dc27e4
1 parent 5a49169
commit 1dc27e4
Show file tree

Hide file tree

Showing 25 changed files with 1,023 additions and 0 deletions.
diff --git a/..._ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/README.md b/..._ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/README.md
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed) .
diff --git a/...es_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/defaults/main.yml b/...es_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+# defaults file for ocp4_workload_multicluster_devsecops_demo
+
+ocp4_username: admin
+
+ocp4_workload_multicluster_devsecops_validated_pattern_sonarqube_namespace: sonarqube
+ocp4_workload_multicluster_devsecops_validated_pattern_ci_namespace: ci
+
+ocp4_workload_multicluster_devsecops_validated_pattern_docker_username: quayadmin
+ocp4_workload_multicluster_devsecops_validated_pattern_docker_password: "{{ common_password }}"
+
+ocp4_workload_multicluster_devsecops_validated_pattern_stackrox_namespace: stackrox
+
+ocp4_workload_multicluster_devsecops_validated_pattern_cosign_password: 123
+
+ocp4_workload_multicluster_devsecops_validated_pattern_dev_cluster: aws-dev-cluster
+
+ocp4_workload_multicluster_devsecops_validated_pattern_inform_only_policies:
+- Fixable Severity at least Important
+
+ocp4_workload_multicluster_devsecops_validated_pattern_gitea_username: dev-user
+ocp4_workload_multicluster_devsecops_validated_pattern_gitea_password: openshift
diff --git a/...les_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/files/cosign.key b/...les_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/files/cosign.key
@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
+OCwicCI6MX0sInNhbHQiOiJKQ2pKVGpGVzVxUGNBWDBmN2hQM1l2b09WNlBMWXVU
+V1B2OWNIenk1TEFBPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiJURjEwUXpQMjN0NkNLVWx6dmtxUmNxZ0ZaNjF6UlFXbSJ9LCJj
+aXBoZXJ0ZXh0IjoicGdwampyZ0J4T05mSGpPR29YM3hTZU8xRC9ma3FmaDdCRXBV
+QjNpcU1kQ1U4OUk4dU9FMVR5aXpJbmlEM25Ub2cvKzEza2ozRTlzNFIxeGtLTnhN
+S1dVVnBXd1cxV3JGcEc2TEZQVXNLQU9EdFd3YTNQL0FNNjZEOUQyMUFDT2REZURl
+U0NIYXZVZld4ODdQRm0zeDN5bXZHNmNIVm0rVDk5Rnd4QzFrMmVya0x6TzdwY2J5
+TDhRSGdDeE9xa29BeVh5bWpkRjM5N3dPTWc9PSJ9
+-----END ENCRYPTED COSIGN PRIVATE KEY-----
diff --git a/...les_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/files/cosign.pub b/...les_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/files/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVgNgC/bFhzWarqL9biuznN33R5Ux
+SBWSt9QHq90CdfodBsrmINdA7dgYKYChHJB/CrYPLm/H7b9U5Ul/DP7Mnw==
+-----END PUBLIC KEY-----
diff --git a/...es_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/handlers/main.yml b/...es_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for ocp4_workload_multicluster_devsecops_demo
diff --git a/.../roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/meta/main.yml b/.../roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/meta/main.yml
@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.9
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
diff --git a/...ocp4_workload_multicluster_devsecops_validated_pattern/tasks/fetch_and_apply_template.yml b/...ocp4_workload_multicluster_devsecops_validated_pattern/tasks/fetch_and_apply_template.yml
@@ -0,0 +1,13 @@
+---
+- name: Fetch template from remote host
+  run_once: true
+  fetch:
+    src: "{{ _folder }}/{{ item }}"
+    dest: /tmp/{{ item }}
+    flat: yes
+    fail_on_missing: yes
+
+- name: Apply template
+  ansible.builtin.template:
+    src: /tmp/{{ item }}
+    dest: "{{ _folder }}/{{ item }}"
diff --git a/...ocp4_workload_multicluster_devsecops_validated_pattern/tasks/inform_only_policy_tasks.yml b/...ocp4_workload_multicluster_devsecops_validated_pattern/tasks/inform_only_policy_tasks.yml
@@ -0,0 +1,40 @@
+- name: Get "{{ item }}" policy
+  set_fact:
+    policy_id: "{{ r_policies|json_query('json.policies[?name == `{}`]|[0].id'.format(item)) }}"
+
+- name: Get Stackrox policy {{ policy_id }}
+  uri:
+    url: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_centeral_stackrox_url }}/v1/policies/{{ policy_id }}"
+    user: admin
+    password: "{{ common_password }}"
+    method: GET
+    force_basic_auth: true
+    validate_certs: false
+    body_format: json
+    headers:
+      Content-Type: application/json
+  register: r_policy
+
+- name: Read  into fact
+  ansible.builtin.set_fact:
+    policy_fact: "{{ r_policy.json }}"
+
+- name: Update the fact to remove enforcement actions
+  ansible.utils.update_fact:
+    updates:
+    - path: policy_fact.enforcementActions
+      value: []
+  register: updated_policy
+
+- name: Update Stackrox Policy {{ policy_id }}
+  uri:
+    url: "{{ _ocp4_workload_multicluster_devsecops_validated_pattern_centeral_stackrox_url }}/v1/policies/{{ policy_id }}"
+    user: admin
+    password: "{{ common_password }}"
+    method: PUT
+    force_basic_auth: true
+    validate_certs: false
+    body_format: json
+    headers:
+      Content-Type: application/json
+    body: "{{ updated_policy.policy_fact }}"
diff --git a/...roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/main.yml b/...roles_ocp_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+# Do not modify this file
+
+- name: Running Pre Workload Tasks
+  include_tasks:
+    file: ./pre_workload.yml
+    apply:
+      become: "{{ become_override | bool }}"
+  when: ACTION == "create" or ACTION == "provision"
+
+- name: Running Workload Tasks
+  include_tasks:
+    file: ./workload.yml
+    apply:
+      become: "{{ become_override | bool }}"
+  when: ACTION == "create" or ACTION == "provision"
+
+- name: Running Post Workload Tasks
+  include_tasks:
+    file: ./post_workload.yml
+    apply:
+      become: "{{ become_override | bool }}"
+  when: ACTION == "create" or ACTION == "provision"
+
+- name: Running Workload removal Tasks
+  include_tasks:
+    file: ./remove_workload.yml
+    apply:
+      become: "{{ become_override | bool }}"
+  when: ACTION == "destroy" or ACTION == "remove"
diff --git a/..._workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/post_workload.yml b/..._workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/post_workload.yml
@@ -0,0 +1,27 @@
+---
+# Implement your Post Workload deployment tasks here
+# --------------------------------------------------
+
+
+# Leave these as the last tasks in the playbook
+# ---------------------------------------------
+
+# For deployment onto a dedicated cluster (as part of the
+# cluster deployment) set workload_shared_deployment to False
+# This is the default so it does not have to be set explicitely
+- name: post_workload tasks complete
+  debug:
+    msg: "Post-Workload tasks completed successfully."
+  when:
+  - not silent | bool
+  - not workload_shared_deployment | default(false) | bool
+
+# For RHPDS deployment (onto a shared cluster) set
+# workload_shared_deployment to True
+# (in the deploy script or AgnosticV configuration)
+- name: post_workload tasks complete
+  debug:
+    msg: "Post-Software checks completed successfully"
+  when:
+  - not silent | bool
+  - workload_shared_deployment | default(false) | bool
diff --git a/...p_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/pre_workload.yml b/...p_workloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/pre_workload.yml
@@ -0,0 +1,46 @@
+---
+# Implement your Pre Workload deployment tasks here
+# -------------------------------------------------
+
+
+# Leave these as the last tasks in the playbook
+# ---------------------------------------------
+
+# For deployment onto a dedicated cluster (as part of the
+# cluster deployment) set workload_shared_deployment to False
+# This is the default so it does not have to be set explicitely
+- name: pre_workload tasks complete
+  debug:
+    msg: "Pre-Workload tasks completed successfully."
+  when:
+  - not silent | bool
+  - not workload_shared_deployment | default(false) | bool
+
+- name: Get the openshift console route
+  kubernetes.core.k8s_info:
+    api_version: route.openshift.io/v1
+    kind: Route
+    namespace: openshift-console
+    field_selectors:
+    - spec.to.name=console
+  register: r_dc
+  until:
+  - r_dc is defined
+  - r_dc.resources is defined
+  - r_dc.resources | list | length > 0
+  retries: 60
+  delay: 15
+
+- name: Get the subdomain using the openshift console url
+  set_fact:
+    _ocp4_workload_multicluster_devsecops_validated_pattern_ocp_apps_domain: "{{ r_dc.resources[0].spec.host | regex_search('(?<=\\.).*') }}"
+
+# For RHPDS deployment (onto a shared cluster) set
+# workload_shared_deployment to True
+# (in the deploy script or AgnosticV configuration)
+- name: pre_workload tasks complete
+  debug:
+    msg: "Pre-Software checks completed successfully"
+  when:
+  - not silent | bool
+  - workload_shared_deployment | default(false) | bool
diff --git a/...orkloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/remove_workload.yml b/...orkloads/ocp4_workload_multicluster_devsecops_validated_pattern/tasks/remove_workload.yml
@@ -0,0 +1,85 @@
+---
+# Implement your workload removal tasks here
+# ------------------------------------------
+
+# Cleanup
+# Delete VMs in RHEV
+# Delete User in RHEV
+
+- name: Delete RHEV resources
+  environment:
+    OVIRT_URL: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_url }}"
+    OVIRT_USERNAME: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_admin_user_name }}"
+    OVIRT_PASSWORD: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_admin_user_password }}"
+  block:
+  - name: Delete Tomcat VM
+    when: ocp4_workload_multicluster_devsecops_validated_pattern_tomcat_vm_setup | bool
+    ovirt.ovirt.ovirt_vm:
+      auth:
+        insecure: true
+      state: absent
+      name: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_tomcat_vm_name }}"
+      cluster: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_vm_cluster }}"
+
+  - name: Delete Oracle VM
+    when: ocp4_workload_multicluster_devsecops_validated_pattern_oracle_vm_setup | bool
+    ovirt.ovirt.ovirt_vm:
+      auth:
+        insecure: true
+      state: absent
+      name: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_oracle_vm_name }}"
+      cluster: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_vm_cluster }}"
+
+  - name: Make sure user doesn't exist
+    ovirt.ovirt.ovirt_user:
+      auth:
+        insecure: true
+      state: absent
+      name: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_user_name }}"
+      authz_name: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_user_domain }}"
+      namespace: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_user_namespace }}"
+
+  - name: Write private key for root account on RHEV to /tmp/rhev.pem
+    delegate_to: localhost
+    ansible.builtin.copy:
+      content: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_root_private_key }}"
+      dest: /tmp/rhev.pem
+      mode: 0600
+
+  - name: Add RHEV host to inventory
+    ansible.builtin.add_host:
+      groupname: rhevhosts
+      name: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_host }}"
+      ansible_ssh_host: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_host }}"
+      ansible_ssh_user: root
+      ansible_ssh_private_key_file: /tmp/rhev.pem
+
+- name: Remove user in RHEV Identity Management
+  delegate_to: "{{ ocp4_workload_multicluster_devsecops_validated_pattern_rhev_host }}"
+  vars:
+    ansible_ssh_user: root
+    ansible_ssh_private_key_file: /tmp/rhev.pem
+  block:
+  - name: Remove RHEV IM user
+    ansible.builtin.include_tasks: rhev-remove-im-user.yml
+
+- name: Remove private key
+  delegate_to: localhost
+  ansible.builtin.file:
+    state: absent
+    path: /tmp/rhev.pem
+
+- name: Delete demo namespaces
+  kubernetes.core.k8s:
+    state: absent
+    definition: "{{ lookup('template', item ) | from_yaml }}"
+  loop:
+  - cicd/namespace-pipeline.yaml.j2
+  - cicd/namespace-demo.yaml.j2
+
+# Leave this as the last task in the playbook.
+# --------------------------------------------
+- name: remove_workload tasks complete
+  debug:
+    msg: "Remove Workload tasks completed successfully."
+  when: not silent|bool