From 9e669d446cda3e8a295bbeb8848e7fdc7e8d2bbf Mon Sep 17 00:00:00 2001 From: desmax74 Date: Tue, 27 Aug 2024 16:00:20 +0200 Subject: [PATCH] Templates and tasks 
Signed-off-by: desmax74 --- roles/tpa_single_node/tasks/main.yml | 12 + roles/tpa_single_node/tasks/os.yml | 4 + roles/tpa_single_node/tasks/podman.yml | 51 +++ roles/tpa_single_node/tasks/podman/guac.yml | 16 + .../tasks/podman/install_manifest.yml | 25 ++ .../templates/init/dataset/020-Job.yaml | 49 +++ .../templates/init/guac/010-ConfigMap.yaml | 26 ++ .../templates/init/guac/020-Job.yaml | 49 +++ .../bombastic/api/020-ConfigMap-auth.yaml | 19 + .../bombastic/api/030-Deployment.yaml | 119 +++++++ .../services/bombastic/api/040-Service.yaml | 22 ++ .../services/bombastic/api/050-Ingress.yaml | 24 ++ .../bombastic/indexer/030-Deployment.yaml | 110 ++++++ .../bombastic/walker/030-CronJob.yaml | 83 +++++ .../collector/osv/020-ConfigMap-auth.yaml | 19 + .../collector/osv/030-Deployment.yaml | 107 ++++++ .../services/collector/osv/040-Service.yaml | 22 ++ .../bombastic-collector/030-Deployment.yaml | 81 +++++ .../guac/collectsub/030-Deployment.yaml | 54 +++ .../services/guac/collectsub/040-Service.yaml | 23 ++ .../guac/collectsub/050-NetworkPolicy.yaml | 26 ++ .../services/guac/graphql/030-Deployment.yaml | 114 ++++++ .../services/guac/graphql/040-Service.yaml | 23 ++ .../guac/graphql/050-NetworkPolicy.yaml | 31 ++ .../vexination-collector/030-Deployment.yaml | 81 +++++ .../services/spog/api/020-ConfigMap-auth.yaml | 19 + .../services/spog/api/020-ConfigMap-ui.yaml | 337 ++++++++++++++++++ .../services/spog/api/030-Deployment.yaml | 121 +++++++ .../services/spog/api/040-Service.yaml | 23 ++ .../services/spog/api/050-Ingress.yaml | 26 ++ .../spog/ui/020-ConfigMap-backend.yaml | 12 + 31 files changed, 1728 insertions(+) create mode 100644 roles/tpa_single_node/tasks/main.yml create mode 100644 roles/tpa_single_node/tasks/os.yml create mode 100644 roles/tpa_single_node/tasks/podman.yml create mode 100644 roles/tpa_single_node/tasks/podman/guac.yml create mode 100644 roles/tpa_single_node/tasks/podman/install_manifest.yml create mode 100644 
roles/tpa_single_node/templates/init/dataset/020-Job.yaml create mode 100644 roles/tpa_single_node/templates/init/guac/010-ConfigMap.yaml create mode 100644 roles/tpa_single_node/templates/init/guac/020-Job.yaml create mode 100644 roles/tpa_single_node/templates/services/bombastic/api/020-ConfigMap-auth.yaml create mode 100644 roles/tpa_single_node/templates/services/bombastic/api/030-Deployment.yaml create mode 100644 roles/tpa_single_node/templates/services/bombastic/api/040-Service.yaml create mode 100644 roles/tpa_single_node/templates/services/bombastic/api/050-Ingress.yaml create mode 100644 roles/tpa_single_node/templates/services/bombastic/indexer/030-Deployment.yaml create mode 100644 roles/tpa_single_node/templates/services/bombastic/walker/030-CronJob.yaml create mode 100644 roles/tpa_single_node/templates/services/collector/osv/020-ConfigMap-auth.yaml create mode 100644 roles/tpa_single_node/templates/services/collector/osv/030-Deployment.yaml create mode 100644 roles/tpa_single_node/templates/services/collector/osv/040-Service.yaml create mode 100644 roles/tpa_single_node/templates/services/guac/bombastic-collector/030-Deployment.yaml create mode 100644 roles/tpa_single_node/templates/services/guac/collectsub/030-Deployment.yaml create mode 100644 roles/tpa_single_node/templates/services/guac/collectsub/040-Service.yaml create mode 100644 roles/tpa_single_node/templates/services/guac/collectsub/050-NetworkPolicy.yaml create mode 100644 roles/tpa_single_node/templates/services/guac/graphql/030-Deployment.yaml create mode 100644 roles/tpa_single_node/templates/services/guac/graphql/040-Service.yaml create mode 100644 roles/tpa_single_node/templates/services/guac/graphql/050-NetworkPolicy.yaml create mode 100644 roles/tpa_single_node/templates/services/guac/vexination-collector/030-Deployment.yaml create mode 100644 roles/tpa_single_node/templates/services/spog/api/020-ConfigMap-auth.yaml create mode 100644 
roles/tpa_single_node/templates/services/spog/api/020-ConfigMap-ui.yaml
create mode 100644 roles/tpa_single_node/templates/services/spog/api/030-Deployment.yaml
create mode 100644 roles/tpa_single_node/templates/services/spog/api/040-Service.yaml
create mode 100644 roles/tpa_single_node/templates/services/spog/api/050-Ingress.yaml
create mode 100644 roles/tpa_single_node/templates/services/spog/ui/020-ConfigMap-backend.yaml
diff --git a/roles/tpa_single_node/tasks/main.yml b/roles/tpa_single_node/tasks/main.yml
new file mode 100644
index 0000000..7e0e76b
--- /dev/null
+++ b/roles/tpa_single_node/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Install Operating System Components
+ ansible.builtin.include_tasks: os.yml
+ args:
+ apply:
+ become: true
+
+- name: Execute Podman Actions
+ ansible.builtin.include_tasks: podman.yml
+ args:
+ apply:
+ become: true
diff --git a/roles/tpa_single_node/tasks/os.yml b/roles/tpa_single_node/tasks/os.yml
new file mode 100644
index 0000000..ebf0cfe
--- /dev/null
+++ b/roles/tpa_single_node/tasks/os.yml
@@ -0,0 +1,4 @@
+---
+- name: Install System Packages dependencies
+ ansible.builtin.package:
+ name: "{{ tpa_single_node_system_packages }}"
diff --git a/roles/tpa_single_node/tasks/podman.yml b/roles/tpa_single_node/tasks/podman.yml
new file mode 100644
index 0000000..e0d6888
--- /dev/null
+++ b/roles/tpa_single_node/tasks/podman.yml
@@ -0,0 +1,51 @@
+---
+- name: Podman login to registry.redhat.io
+ when:
+ - ansible_facts['distribution'] == 'RedHat'
+ - ansible_facts['distribution_major_version'] == '9'
+ ansible.builtin.command: podman login registry.redhat.io -u {{ tpa_single_node_registry_username }} --password {{ tpa_single_node_registry_password }}
+ register: podman_login_result
+ changed_when: '"Already logged in" not in podman_login_result'
+
+- name: Create RHTPA network
+ containers.podman.podman_network:
+ name: "{{ tpa_single_node_podman_network }}"
+
+- name: Pull trustification image from registry.redhat.io
+ when:
+ - ansible_facts['distribution'] == 'RedHat'
+ - ansible_facts['distribution_major_version'] == '9'
+ containers.podman.podman_image:
+ name: "{{ tpa_single_node_trustification_image }}"
+
+
+- name: Pull Guac image from registry.redhat.io
+ when:
+ - ansible_facts['distribution'] == 'RedHat'
+ - ansible_facts['distribution_major_version'] == '9'
+ containers.podman.podman_image:
+ name: "{{ tpa_single_node_guac_image }}"
+
+- name: Pull SSO image from registry.redhat.io
+ when:
+ - ansible_facts['distribution'] == 'RedHat'
+ - ansible_facts['distribution_major_version'] == '9'
+ containers.podman.podman_image:
+ name: "{{ tpa_single_node_sso_image }}"
+
+- name: Pull Postgresql 15 image from registry.redhat.io
+ when:
+ - ansible_facts['distribution'] == 'RedHat'
+ - ansible_facts['distribution_major_version'] == '9'
+ containers.podman.podman_image:
+ name: "{{ tpa_single_node_postgresql }}"
+
+- name: Pull Streams for Apache Kafka from registry.redhat.io
+ when:
+ - ansible_facts['distribution'] == 'RedHat'
+ - ansible_facts['distribution_major_version'] == '9'
+ containers.podman.podman_image:
+ name: "{{ tpa_single_node_streams_kafka }}"
+
+- name: Configure/Deploy guac
+ ansible.builtin.include_tasks: podman/guac.yml
diff --git a/roles/tpa_single_node/tasks/podman/guac.yml b/roles/tpa_single_node/tasks/podman/guac.yml
new file mode 100644
index 0000000..466230e
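Review bot: The "Podman login" task passes `tpa_single_node_registry_password` on the `podman login` command line, so it is visible in the process table, in the Ansible task output and in `podman_login_result`, and the task has no `no_log: true`. The `containers.podman.podman_login` module takes `registry`, `username` and `password` as parameters and handles idempotency, which also fixes the second problem: `changed_when: '"Already logged in" not in podman_login_result'` tests the registered dict (its keys), not the command output, so the task reports changed on every run; if the command is kept, use `changed_when: '"Already logged in" not in podman_login_result.stdout'` and add `no_log: true`. The RHEL 9 `when:` guard is copied onto six tasks; one `ansible.builtin.assert` at the top of the file, or a `block:` with a single `when:`, keeps them from drifting.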
--- /dev/null +++ b/roles/tpa_single_node/tasks/podman/guac.yml @@ -0,0 +1,16 @@ +--- +- name: Confirmed required parameters provided + ansible.builtin.assert: + that: + - tpa_single_node_base_hostname is defined + - tpa_single_node_base_hostname | trim | length > 0 + msg: "'tpa_single_node_base_hostname' must be specified" + +- name: Get RHTPA network details + containers.podman.podman_network: + name: "{{ tpa_single_node_podman_network }}" + register: tpa_podman_network_results + +- name: Set DNS Resolver + ansible.builtin.set_fact: + dns_resolver: "{{ tpa_podman_network_results.network.subnets[0].gateway }}" diff --git a/roles/tpa_single_node/tasks/podman/install_manifest.yml b/roles/tpa_single_node/tasks/podman/install_manifest.yml new file mode 100644 index 0000000..da783dd --- /dev/null +++ b/roles/tpa_single_node/tasks/podman/install_manifest.yml @@ -0,0 +1,25 @@ +--- +# NOTE: determining when the service will restart with `when: ...` is not ideal, however +# we would need a dynamic handler otherwise and these are a bit fragile. + +- name: Set location of Podman Play Manifest + ansible.builtin.set_fact: + kube_play_file: >- + {{ tpa_single_node_kube_manifest_dir + '/' + podman_spec.kube_file_content.metadata.namespace + '_' + + podman_spec.kube_file_content.metadata.name + '.yml' }} + +- name: Copy Manifest to Server + ansible.builtin.copy: + content: "{{ podman_spec.kube_file_content | to_nice_yaml(indent=2) }}" + dest: "{{ kube_play_file }}" + mode: "0600" + register: copy_manifest + + +- name: Restart Podman Service + ansible.builtin.systemd: + state: restarted + enabled: true + daemon_reload: true + name: "{{ podman_spec.systemd_file }}" + when: copy_manifest.changed or copy_systemd_file.changed or (podman_spec.secret is defined and podman_spec.secret_changed) diff --git a/roles/tpa_single_node/templates/init/dataset/020-Job.yaml b/roles/tpa_single_node/templates/init/dataset/020-Job.yaml new file mode 100644 index 0000000..98b69d3 --- /dev/null 
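Review bot: The `when:` on "Restart Podman Service" references `copy_systemd_file.changed`, but the only variable registered in this file is `copy_manifest`, so unless a caller defines `copy_systemd_file` the task fails with an undefined variable; `podman_spec.secret_changed` is likewise read without a default. A safer condition is `when: copy_manifest.changed or (copy_systemd_file | default({})).changed | default(false) or (podman_spec.secret is defined and podman_spec.secret_changed | default(false))`, or register the systemd-unit copy in this same file. Nothing visible in this commit includes `install_manifest.yml` (podman.yml only includes `podman/guac.yml`), so where `podman_spec` comes from should be documented at the top of the file next to the existing NOTE.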
+++ b/roles/tpa_single_node/templates/init/dataset/020-Job.yaml @@ -0,0 +1,49 @@ +kind: Job +apiVersion: batch/v1 +metadata: + name: init-dataset + labels: + app.kubernetes.io/name: init-dataset + app.kubernetes.io/component: init + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + app.kubernetes.io/version: 1.1.1 + app.kubernetes.io/part-of: trusted-profile-analyzer + annotations: null +spec: + backoffLimit: 1000 + completions: 1 + parallelism: 1 + ttlSecondsAfterFinished: 600 + template: + metadata: + labels: + app.kubernetes.io/name: init-dataset + app.kubernetes.io/component: init + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + spec: + restartPolicy: OnFailure + containers: + - name: run + image: registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:044b6070e52378a93cbcd65cbd5d10b866f102ee8d6040b92147df7b52202e8 + imagePullPolicy: IfNotPresent + command: + - /usr/bin/bash + args: + - -ce + - "ARGS=\"\"\nif [[ -f /run/secrets/kubernetes.io/serviceaccount/service-ca.crt\ + \ ]]; then\n ARGS=\"--sender-root-certificates /run/secrets/kubernetes.io/serviceaccount/service-ca.crt\"\ + \nfi\n/trust bombastic walker $ARGS --sink https://bombastic-api.trustificcation.svc.cluster.local\ + \ --source file:/data/sbom\necho SBOM import done\n/trust vexination\ + \ walker $ARGS --sink https://vexination-api.trustificcation.svc.cluster.local/api/v1/vex\ + \ --source file:/data/csaf\necho CSAF import done\n" + env: + - name: OIDC_PROVIDER_CLIENT_ID + value: walker + - name: OIDC_PROVIDER_CLIENT_SECRET + value: 6560cc91-4e20-4edd-881c-b15b169f8a80 + - name: OIDC_PROVIDER_ISSUER_URL + value: https://sso$APP_DOMAIN_URL/realms/chicken + - name: RUST_LOG + value: info + volumeMounts: null + volumes: null diff --git a/roles/tpa_single_node/templates/init/guac/010-ConfigMap.yaml b/roles/tpa_single_node/templates/init/guac/010-ConfigMap.yaml new file mode 100644 index 0000000..2be18bc --- /dev/null 
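Review bot: The `image:` digest on the `run` container is 63 hex characters (`…52202e8`), while the same image in the bombastic-api, indexer, walker and collector-osv manifests of this commit ends in `…52202e83`, so the reference is malformed and the pull will fail. The walker is told `--source file:/data/sbom` and `file:/data/csaf`, but `volumeMounts: null` and `volumes: null` mount nothing under `/data`, so unless the image itself ships that data there is nothing to import. `OIDC_PROVIDER_CLIENT_SECRET` is a literal in the template (the same value appears in init/guac/020-Job.yaml, bombastic/api/030-Deployment.yaml and collector/osv/030-Deployment.yaml); the Deployments already take credentials through `secretKeyRef`, and this job should use the same mechanism so the secret is not committed with the role. The sink hosts `bombastic-api.trustificcation.svc.cluster.local` and `vexination-api.trustificcation.svc.cluster.local` spell the namespace with a doubled `c` (also in collector-osv and guac/bombastic-collector), which only resolves if the namespace is really named that way.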
+++ b/roles/tpa_single_node/templates/init/guac/010-ConfigMap.yaml @@ -0,0 +1,26 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: init-guac-db + labels: + app.kubernetes.io/name: init-guac-db + app.kubernetes.io/component: guac + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + app.kubernetes.io/version: 1.1.1 + app.kubernetes.io/part-of: trusted-profile-analyzer + annotations: null +data: + init.sql: "-- ensure we have the database\nSELECT 'CREATE DATABASE ' || :'db_name'\n\ + WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = :'db_name')\\gexec\n\ + \n-- create the user (if it doesn't exist)\nCREATE OR REPLACE FUNCTION add_user_if_not_exists(username\ + \ NAME) RETURNS integer\n AS $$\nBEGIN\n IF NOT EXISTS (SELECT FROM\ + \ pg_roles\n WHERE rolname = username) THEN\n\n EXECUTE FORMAT('CREATE\ + \ ROLE \"%I\" LOGIN', username);\n\n END IF;\n RETURN NULL;\nEND;\n\ + $$ language plpgsql;\n\nSELECT add_user_if_not_exists(:'db_user');\n\n-- now\ + \ set the password\nALTER USER :db_user WITH PASSWORD :'db_password';\n\n\ + -- grant permission to connect\nGRANT CONNECT ON DATABASE :db_name TO :db_user;\n\ + \n-- grant permissions on database\n\\connect :db_name\n\nGRANT USAGE ON SCHEMA\ + \ public TO :db_user;\n\n-- grant on existing tables\nGRANT SELECT, INSERT,\ + \ UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO :db_user;\n\n-- grant on\ + \ future tables\nALTER DEFAULT PRIVILEGES\n IN SCHEMA public\n GRANT\ + \ SELECT, INSERT, UPDATE, DELETE ON TABLES TO :db_user;\n" diff --git a/roles/tpa_single_node/templates/init/guac/020-Job.yaml b/roles/tpa_single_node/templates/init/guac/020-Job.yaml new file mode 100644 index 0000000..74ee17e --- /dev/null +++ b/roles/tpa_single_node/templates/init/guac/020-Job.yaml 
@@ -0,0 +1,49 @@ +kind: Job +apiVersion: batch/v1 +metadata: + name: init-dataset + labels: + app.kubernetes.io/name: init-dataset + app.kubernetes.io/component: init + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + app.kubernetes.io/version: 1.1.1 + app.kubernetes.io/part-of: trusted-profile-analyzer + annotations: null +spec: + backoffLimit: 1000 + completions: 1 + parallelism: 1 + ttlSecondsAfterFinished: 600 + template: + metadata: + labels: + app.kubernetes.io/name: init-dataset + app.kubernetes.io/component: init + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + spec: + restartPolicy: OnFailure + containers: + - name: run + image: registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:60f676f8c7611d08827f5e1cad332d7ebc5d6660392618c29d1966c1825cff5b + imagePullPolicy: IfNotPresent + command: + - /usr/bin/bash + args: + - -ce + - "ARGS=\"\"\nif [[ -f /run/secrets/kubernetes.io/serviceaccount/service-ca.crt\ + \ ]]; then\n ARGS=\"--sender-root-certificates /run/secrets/kubernetes.io/serviceaccount/service-ca.crt\"\ + \nfi\n/trust bombastic walker $ARGS --sink https://bombastic-api.trustificcation.svc.cluster.local\ + \ --source file:/data/sbom\necho SBOM import done\n/trust vexination\ + \ walker $ARGS --sink https://vexination-api.trustificcation.svc.cluster.local/api/v1/vex\ + \ --source file:/data/csaf\necho CSAF import done\n" + env: + - name: OIDC_PROVIDER_CLIENT_ID + value: walker + - name: OIDC_PROVIDER_CLIENT_SECRET + value: 6560cc91-4e20-4edd-881c-b15b169f8a80 + - name: OIDC_PROVIDER_ISSUER_URL + value: https://sso$APP_DOMAIN_URL/realms/chicken + - name: RUST_LOG + value: info + volumeMounts: null + volumes: null diff --git a/roles/tpa_single_node/templates/services/bombastic/api/020-ConfigMap-auth.yaml b/roles/tpa_single_node/templates/services/bombastic/api/020-ConfigMap-auth.yaml new file mode 100644 index 0000000..984d311 --- /dev/null 
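Review bot: This file is the dataset job again rather than a database initialiser: `metadata.name` and all labels are `init-dataset`, and the container runs the same `/trust bombastic walker` script, so applying both files gives two Jobs with one name and nothing ever executes the `init.sql` from the `init-guac-db` ConfigMap in the previous hunk. The job should get its own name (for example `init-guac-db`), mount that ConfigMap and run psql against the Postgres instance, with `db_name`/`db_user`/`db_password` supplied as psql variables from a Secret rather than as literals.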
+++ b/roles/tpa_single_node/templates/services/bombastic/api/020-ConfigMap-auth.yaml @@ -0,0 +1,19 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: bombastic-api-auth + labels: + app.kubernetes.io/name: bombastic-api-auth + app.kubernetes.io/component: bombastic + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + app.kubernetes.io/version: 1.1.1 + app.kubernetes.io/part-of: trusted-profile-analyzer +data: + auth.yaml: "\nauthentication:\n clients:\n\n - clientId: frontend\n \ + \ issuerUrl: https://sso$APP_DOMAIN_URL/realms/chicken\n scopeMappings:\ + \ &keycloakScopeMappings\n \"create:document\": [ \"create.sbom\",\ + \ \"create.vex\" ]\n \"read:document\": [ \"read.sbom\", \"read.vex\"\ + \ ]\n \"update:document\": [ \"update.sbom\", \"update.vex\" ]\n \ + \ \"delete:document\": [ \"delete.sbom\", \"delete.vex\" ]\n\n - clientId:\ + \ walker\n issuerUrl: https://sso$APP_DOMAIN_URL/realms/chicken\n \ + \ scopeMappings: *keycloakScopeMappings\n" diff --git a/roles/tpa_single_node/templates/services/bombastic/api/030-Deployment.yaml b/roles/tpa_single_node/templates/services/bombastic/api/030-Deployment.yaml new file mode 100644 index 0000000..0a1ca97 --- /dev/null +++ b/roles/tpa_single_node/templates/services/bombastic/api/030-Deployment.yaml 
@@ -0,0 +1,119 @@ +kind: Deployment +metadata: + name: bombastic-api + labels: + app.kubernetes.io/name: bombastic-api + app.kubernetes.io/component: bombastic + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + app.kubernetes.io/version: 1.1.1 + app.kubernetes.io/part-of: trusted-profile-analyzer + annotations: null +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: bombastic-api + app.kubernetes.io/component: bombastic + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + template: + metadata: + labels: + app.kubernetes.io/name: bombastic-api + app.kubernetes.io/component: bombastic + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + annotations: + configHash/auth: f1603b2e10b24822d2b2ae28973e973fb20d68559f0caff8327d5a9a7326b106 + spec: + containers: + - name: service + image: registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:044b6070e52378a93cbcd65cbd5d10b866f102ee8d6040b92147df7b52202e83 + imagePullPolicy: IfNotPresent + livenessProbe: + initialDelaySeconds: 2 + httpGet: + path: /health/live + port: 9010 + readinessProbe: + initialDelaySeconds: 2 + httpGet: + path: /health/ready + port: 9010 + command: + - /trust + args: + - bombastic + - api + - -p + - '8080' + - --validator + - sbom + - --index-mode + - file + - --auth-configuration + - /etc/config/auth.yaml + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RUST_LOG + value: info + - name: INFRASTRUCTURE_ENABLED + value: 'true' + - name: INFRASTRUCTURE_BIND + value: '[::]:9010' + - name: HTTP_SERVER_BIND_ADDR + value: '::' + - name: HTTP_SERVER_TLS_ENABLED + value: 'true' + - name: HTTP_SERVER_TLS_KEY_FILE + value: /etc/tls/tls.key + - name: HTTP_SERVER_TLS_CERTIFICATE_FILE + value: /etc/tls/tls.crt + - name: OIDC_PROVIDER_CLIENT_ID + value: walker + - name: OIDC_PROVIDER_CLIENT_SECRET + value: 6560cc91-4e20-4edd-881c-b15b169f8a80 + - name: OIDC_PROVIDER_ISSUER_URL + value: 
https://sso$APP_DOMAIN_URL/realms/chicken + - name: STORAGE_ACCESS_KEY + valueFrom: + secretKeyRef: + key: root-user + name: infrastructure-minio + - name: STORAGE_SECRET_KEY + valueFrom: + secretKeyRef: + key: root-password + name: infrastructure-minio + - name: STORAGE_ENDPOINT + value: http://infrastructure-minio:9000 + - name: STORAGE_REGION + value: eu-west-1 + - name: STORAGE_BUCKET + value: bombastic-default + - name: SWAGGER_UI_OIDC_ISSUER_URL + value: https://sso$APP_DOMAIN_URL/realms/chicken + - name: INDEX_SYNC_INTERVAL + value: 1m + ports: + - containerPort: 9010 + protocol: TCP + name: infra + - containerPort: 8080 + name: endpoint + protocol: TCP + volumeMounts: + - mountPath: /etc/tls + name: tls + readOnly: true + - name: config-auth + mountPath: /etc/config/auth.yaml + subPath: auth.yaml + volumes: + - name: tls + secret: + secretName: bombastic-api-tls + - name: config-auth + configMap: + name: bombastic-api-auth diff --git a/roles/tpa_single_node/templates/services/bombastic/api/040-Service.yaml b/roles/tpa_single_node/templates/services/bombastic/api/040-Service.yaml new file mode 100644 index 0000000..a7af28b --- /dev/null +++ b/roles/tpa_single_node/templates/services/bombastic/api/040-Service.yaml @@ -0,0 +1,22 @@ +kind: Service +metadata: + name: bombastic-api + labels: + app.kubernetes.io/name: bombastic-api + app.kubernetes.io/component: bombastic + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + app.kubernetes.io/version: 1.1.1 + app.kubernetes.io/part-of: trusted-profile-analyzer + annotations: + service.beta.openshift.io/serving-cert-secret-name: bombastic-api-tls +spec: + ports: + - name: endpoint + port: 443 + protocol: TCP + targetPort: endpoint + selector: + app.kubernetes.io/name: bombastic-api + app.kubernetes.io/component: bombastic + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + type: ClusterIP 
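Review bot: `kind: Deployment` has no `apiVersion:` line; the Kubernetes API server rejects objects without it, and whether `podman kube play` is as lenient I cannot tell from here. The guac deployments later in this commit carry `apiVersion: apps/v1`, so add it here and to the other manifests that lack it: the bombastic-api Service in this same hunk and the collector-osv Service (`apiVersion: v1`), the bombastic-api Ingress (`networking.k8s.io/v1`), the bombastic-indexer and collector-osv Deployments (`apps/v1`) and the bombastic-walker CronJob (`batch/v1`). `OIDC_PROVIDER_CLIENT_SECRET` is a literal on the env list while `STORAGE_ACCESS_KEY`/`STORAGE_SECRET_KEY` already use `secretKeyRef`; the OIDC secret should be fetched the same way. The `config-auth` mount lacks `readOnly: true` unlike the `tls` mount above it, and the `configHash/auth` annotation is a fixed literal, so a changed `bombastic-api-auth` ConfigMap will not roll the pod.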
diff --git a/roles/tpa_single_node/templates/services/bombastic/api/050-Ingress.yaml b/roles/tpa_single_node/templates/services/bombastic/api/050-Ingress.yaml new file mode 100644 index 0000000..bb40ae1 --- /dev/null +++ b/roles/tpa_single_node/templates/services/bombastic/api/050-Ingress.yaml @@ -0,0 +1,24 @@ +kind: Ingress +metadata: + name: bombastic-api + labels: + app.kubernetes.io/name: bombastic-api + app.kubernetes.io/component: bombastic + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + app.kubernetes.io/version: 1.1.1 + app.kubernetes.io/part-of: trusted-profile-analyzer + annotations: + route.openshift.io/termination: reencrypt +spec: + ingressClassName: openshift-default + rules: + - host: sbom$APP_DOMAIN_URL + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: bombastic-api + port: + name: endpoint diff --git a/roles/tpa_single_node/templates/services/bombastic/indexer/030-Deployment.yaml b/roles/tpa_single_node/templates/services/bombastic/indexer/030-Deployment.yaml new file mode 100644 index 0000000..d45474d --- /dev/null +++ b/roles/tpa_single_node/templates/services/bombastic/indexer/030-Deployment.yaml 
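Review bot: `- host: sbom$APP_DOMAIN_URL` uses a shell-style placeholder, but files under `templates/` are rendered by Ansible's Jinja2 (compare `"{{ tpa_single_node_system_packages }}"` in tasks/os.yml), so unless a separate substitution step exists the literal `$APP_DOMAIN_URL` ends up in the Ingress host; the walker CronJob in this commit uses yet another form, `${DOMAIN}`. A role variable is the consistent choice, e.g. `- host: "sbom.{{ tpa_single_node_base_hostname }}"`, which tasks/podman/guac.yml already asserts is set. The same `$APP_DOMAIN_URL` placeholder appears in every `OIDC_PROVIDER_ISSUER_URL` and in both auth ConfigMaps.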
@@ -0,0 +1,110 @@ +kind: Deployment +metadata: + name: bombastic-indexer + labels: + app.kubernetes.io/name: bombastic-indexer + app.kubernetes.io/component: bombastic + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + app.kubernetes.io/version: 1.1.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: trusted-profile-analyzer + annotations: null +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/name: bombastic-indexer + app.kubernetes.io/component: bombastic + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + template: + metadata: + labels: + app.kubernetes.io/name: bombastic-indexer + app.kubernetes.io/component: bombastic + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + spec: + volumes: + - name: data + emptyDir: {} + containers: + - name: service + image: registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:044b6070e52378a93cbcd65cbd5d10b866f102ee8d6040b92147df7b52202e83 + imagePullPolicy: IfNotPresent + livenessProbe: + initialDelaySeconds: 2 + httpGet: + path: /health/live + port: 9010 + readinessProbe: + initialDelaySeconds: 2 + httpGet: + path: /health/ready + port: 9010 + command: + - /trust + args: + - bombastic + - indexer + - --stored-topic + - bombastic-stored-default + - --indexed-topic + - bombastic-indexed-default + - --failed-topic + - bombastic-failed-default + - --index-mode + - file + - --index-dir + - /data/index + env: + - name: RUST_LOG + value: info + - name: INFRASTRUCTURE_ENABLED + value: 'true' + - name: INFRASTRUCTURE_BIND + value: '[::]:9010' + - name: STORAGE_ACCESS_KEY + valueFrom: + secretKeyRef: + key: root-user + name: infrastructure-minio + - name: STORAGE_SECRET_KEY + valueFrom: + secretKeyRef: + key: root-password + name: infrastructure-minio + - name: STORAGE_ENDPOINT + value: http://infrastructure-minio:9000 + - name: STORAGE_REGION + value: eu-west-1 + - name: STORAGE_BUCKET + value: bombastic-default + - name: 
EVENT_BUS + value: kafka + - name: KAFKA_BOOTSTRAP_SERVERS + value: my-cluster-kafka-bootstrap:9092 + - name: KAFKA_PROPERTIES_ENV_PREFIX + value: TCK_ + - name: TCK_SECURITY__PROTOCOL + value: SASL_PLAINTEXT + - name: TCK_SASL__USERNAME + value: user1 + - name: TCK_SASL__PASSWORD + valueFrom: + secretKeyRef: + key: password + name: user1 + - name: TCK_SASL__MECHANISM + value: SCRAM-SHA-512 + - name: INDEX_WRITER_MEMORY_BYTES + value: 128MiB + - name: INDEX_SYNC_INTERVAL + value: 1m + volumeMounts: + - name: data + mountPath: /data + ports: + - containerPort: 9010 + protocol: TCP + name: infra diff --git a/roles/tpa_single_node/templates/services/bombastic/walker/030-CronJob.yaml b/roles/tpa_single_node/templates/services/bombastic/walker/030-CronJob.yaml new file mode 100644 index 0000000..05126d8 --- /dev/null +++ b/roles/tpa_single_node/templates/services/bombastic/walker/030-CronJob.yaml 
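Review bot: `TCK_SECURITY__PROTOCOL` is `SASL_PLAINTEXT`, so the SCRAM-SHA-512 exchange and all indexed SBOM traffic to `my-cluster-kafka-bootstrap:9092` cross the network unencrypted; the guac bombastic-collector deployment later in this commit uses the same setting. If the Kafka listener offers TLS, `SASL_SSL` with the cluster CA is the safer default, and if it deliberately does not, a comment next to the env entry should say so. The `app.kubernetes.io/managed-by: Helm` label is carried over from chart output, but these manifests are applied by Ansible, so the label misstates ownership and should be dropped or changed.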
@@ -0,0 +1,83 @@ +kind: CronJob +metadata: + name: bombastic-walker + labels: + app.kubernetes.io/name: bombastic-walker + app.kubernetes.io/component: walker + app.kubernetes.io/part-of: trustification +spec: + schedule: ${BOMBASTIC_WALKER_SCHEDULE} + suspend: ${{BOMBASTIC_WALKER_SUSPEND}} + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + labels: + app.kubernetes.io/name: bombastic-walker + app.kubernetes.io/component: walker + app.kubernetes.io/part-of: trustification + spec: + restartPolicy: OnFailure + volumes: + - name: walker-state + persistentVolumeClaim: + claimName: bombastic-walker-state + containers: + - image: registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:044b6070e52378a93cbcd65cbd5d10b866f102ee8d6040b92147df7b52202e83 + imagePullPolicy: Always + name: walker + command: + - /trust + args: + - bombastic + - walker + - --sink + - https://sbom.${DOMAIN} + - --source + - https://access.redhat.com/security/data/sbom/beta/ + - '-3' + - --signing-key + - https://access.redhat.com/security/data/97f5eac4.txt#77E79ABE93673533ED09EBE2DCE3823597F5EAC4 + - --fix-licenses + - 'true' + - --since-file + - /walker-state/since + env: + - name: RUST_LOG + value: ${LOG_LEVEL} + - name: INFRASTRUCTURE_ENABLED + value: 'true' + - name: INFRASTRUCTURE_BIND + value: '[::]:9010' + - name: OIDC_PROVIDER_CLIENT_ID + value: trusted-content-api + - name: OIDC_PROVIDER_CLIENT_SECRET + valueFrom: + secretKeyRef: + key: ${OIDC_PROVIDER_CLIENT_SECRET_KEY} + name: ${OIDC_PROVIDER_CLIENT_SECRET_NAME} + - name: OIDC_PROVIDER_ISSUER_URL + value: ${ISSUER_URL} + ports: + - containerPort: 9010 + protocol: TCP + name: infra + volumeMounts: + - mountPath: /walker-state + name: walker-state + resources: ${{BOMBASTIC_WALKER_RESOURCES}} + livenessProbe: + httpGet: + path: /health/live + port: 9010 + initialDelaySeconds: 2 + readinessProbe: + httpGet: + path: /health/ready + port: 9010 + initialDelaySeconds: 2 + startupProbe: + httpGet: + path: 
/health/startup + port: 9010 diff --git a/roles/tpa_single_node/templates/services/collector/osv/020-ConfigMap-auth.yaml b/roles/tpa_single_node/templates/services/collector/osv/020-ConfigMap-auth.yaml new file mode 100644 index 0000000..57e974f --- /dev/null +++ b/roles/tpa_single_node/templates/services/collector/osv/020-ConfigMap-auth.yaml @@ -0,0 +1,19 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: collector-osv-auth + labels: + app.kubernetes.io/name: collector-osv-auth + app.kubernetes.io/component: collector + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + app.kubernetes.io/version: 1.1.1 + app.kubernetes.io/part-of: trusted-profile-analyzer +data: + auth.yaml: "\nauthentication:\n clients:\n\n - clientId: frontend\n \ + \ issuerUrl: https://sso$APP_DOMAIN_URL/realms/chicken\n scopeMappings:\ + \ &keycloakScopeMappings\n \"create:document\": [ \"create.sbom\",\ + \ \"create.vex\" ]\n \"read:document\": [ \"read.sbom\", \"read.vex\"\ + \ ]\n \"update:document\": [ \"update.sbom\", \"update.vex\" ]\n \ + \ \"delete:document\": [ \"delete.sbom\", \"delete.vex\" ]\n\n - clientId:\ + \ walker\n issuerUrl: https://sso$APP_DOMAIN_URL/realms/chicken\n \ + \ scopeMappings: *keycloakScopeMappings\n" diff --git a/roles/tpa_single_node/templates/services/collector/osv/030-Deployment.yaml b/roles/tpa_single_node/templates/services/collector/osv/030-Deployment.yaml new file mode 100644 index 0000000..a4c8c1b --- /dev/null +++ b/roles/tpa_single_node/templates/services/collector/osv/030-Deployment.yaml 
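Review bot: The CronJob is parameterised with OpenShift-Template syntax (`${BOMBASTIC_WALKER_SCHEDULE}`, `${{BOMBASTIC_WALKER_SUSPEND}}`, `${{BOMBASTIC_WALKER_RESOURCES}}`, `${LOG_LEVEL}`, `${ISSUER_URL}`, `${DOMAIN}`) and a different label set (`part-of: trustification`, no `instance`/`version` labels) from every other manifest in this commit. `${{…}}` only has meaning to `oc process`; rendered by Ansible these stay literal strings, and `suspend:` and `resources:` then fail schema validation as non-boolean/non-object values. It also references a PVC `bombastic-walker-state` and a Secret named by `${OIDC_PROVIDER_CLIENT_SECRET_NAME}` that nothing in this commit creates, and its `--sink https://sbom.${DOMAIN}` goes through the public Ingress while the init jobs use the in-cluster `bombastic-api` service name.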
@@ -0,0 +1,107 @@ +kind: Deployment +metadata: + name: collector-osv + labels: + app.kubernetes.io/name: collector-osv + app.kubernetes.io/component: collector + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + app.kubernetes.io/version: 1.1.1 + app.kubernetes.io/part-of: trusted-profile-analyzer + annotations: null +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: collector-osv + app.kubernetes.io/component: collector + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + template: + metadata: + labels: + app.kubernetes.io/name: collector-osv + app.kubernetes.io/component: collector + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + annotations: + configHash/auth: dac9d88322da8b671d9fc4f81500698ea05f108df8784b66db80d4242c9dee06 + spec: + containers: + - name: service + image: registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:044b6070e52378a93cbcd65cbd5d10b866f102ee8d6040b92147df7b52202e83 + imagePullPolicy: IfNotPresent + livenessProbe: + initialDelaySeconds: 2 + httpGet: + path: /health/live + port: 9010 + readinessProbe: + initialDelaySeconds: 2 + httpGet: + path: /health/ready + port: 9010 + command: + - /trust + args: + - collector + - osv + - -p + - '8080' + - --auth-configuration + - /etc/config/auth.yaml + - --v11y-url + - https://v11y-api.trustificcation.svc.cluster.local + - --guac-url + - https://guac-graphql.trustificcation.svc.cluster.local/query + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RUST_LOG + value: info + - name: INFRASTRUCTURE_ENABLED + value: 'true' + - name: INFRASTRUCTURE_BIND + value: '[::]:9010' + - name: HTTP_SERVER_BIND_ADDR + value: '::' + - name: HTTP_SERVER_TLS_ENABLED + value: 'true' + - name: HTTP_SERVER_TLS_KEY_FILE + value: /etc/tls/tls.key + - name: HTTP_SERVER_TLS_CERTIFICATE_FILE + value: /etc/tls/tls.crt + - name: OIDC_PROVIDER_CLIENT_ID + value: walker + - name: OIDC_PROVIDER_CLIENT_SECRET + value: 
6560cc91-4e20-4edd-881c-b15b169f8a80 + - name: OIDC_PROVIDER_ISSUER_URL + value: https://sso$APP_DOMAIN_URL/realms/chicken + - name: CLIENT_TLS_CA_CERTIFICATES + value: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt + volumeMounts: + - name: guac-config + mountPath: /guac + readOnly: true + - mountPath: /etc/tls + name: tls + readOnly: true + - name: config-auth + mountPath: /etc/config/auth.yaml + subPath: auth.yaml + ports: + - containerPort: 9010 + protocol: TCP + name: infra + - containerPort: 8080 + name: endpoint + protocol: TCP + volumes: + - name: guac-config + configMap: + name: collectorist-api + - name: tls + secret: + secretName: collector-osv-tls + - name: config-auth + configMap: + name: collector-osv-auth diff --git a/roles/tpa_single_node/templates/services/collector/osv/040-Service.yaml b/roles/tpa_single_node/templates/services/collector/osv/040-Service.yaml new file mode 100644 index 0000000..e57dc2d --- /dev/null +++ b/roles/tpa_single_node/templates/services/collector/osv/040-Service.yaml @@ -0,0 +1,22 @@ +kind: Service +metadata: + name: collector-osv + labels: + app.kubernetes.io/name: collector-osv + app.kubernetes.io/component: collector + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + app.kubernetes.io/version: 1.1.1 + app.kubernetes.io/part-of: trusted-profile-analyzer + annotations: + service.beta.openshift.io/serving-cert-secret-name: collector-osv-tls +spec: + ports: + - name: endpoint + port: 443 + protocol: TCP + targetPort: endpoint + selector: + app.kubernetes.io/name: collector-osv + app.kubernetes.io/component: collector + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + type: ClusterIP diff --git a/roles/tpa_single_node/templates/services/guac/bombastic-collector/030-Deployment.yaml b/roles/tpa_single_node/templates/services/guac/bombastic-collector/030-Deployment.yaml new file mode 100644 index 0000000..0fd96c0 --- /dev/null 
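Review bot: The `guac-config` volume mounts a ConfigMap named `collectorist-api`, which no file in this commit creates and which nothing in the container's args or env appears to read, so the pod either stays in ContainerCreating or carries an unused mount; either drop the volume or add `optional: true` under `configMap:` until the ConfigMap exists. The `--v11y-url` and `--guac-url` values point at `v11y-api` and `guac-graphql` services that are not part of this change either; if they are expected from another role, a comment at the top of the file naming that dependency would help the next reader.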
+++ b/roles/tpa_single_node/templates/services/guac/bombastic-collector/030-Deployment.yaml 
@@ -0,0 +1,81 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bombastic-collector
+ labels:
+ app.kubernetes.io/name: bombastic-collector
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/part-of: trusted-profile-analyzer
+ annotations: null
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: bombastic-collector
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: bombastic-collector
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ spec:
+ containers:
+ - name: service
+ image: registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:a0cd9379eeaa15e95230fe330649b74928c776fbd35438b76fa17f3f4bbea954
+ imagePullPolicy: IfNotPresent
+ command:
+ - /opt/guac/guacone
+ args:
+ - collect
+ - s3
+ - --poll
+ env:
+ - name: STORAGE_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ key: root-user
+ name: infrastructure-minio
+ - name: STORAGE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: root-password
+ name: infrastructure-minio
+ - name: GUAC_S3_URL
+ value: http://infrastructure-minio:9000
+ - name: GUAC_S3_BUCKET
+ value: bombastic-default
+ - name: GUAC_S3_MP
+ value: kafka
+ - name: GUAC_S3_MP_ENDPOINT
+ value: my-cluster-kafka-bootstrap:9092
+ - name: KAFKA_PROPERTIES_ENV_PREFIX
+ value: TCK_
+ - name: TCK_SECURITY__PROTOCOL
+ value: SASL_PLAINTEXT
+ - name: TCK_SASL__USERNAME
+ value: user1
+ - name: TCK_SASL__PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: user1
+ - name: TCK_SASL__MECHANISM
+ value: SCRAM-SHA-512
+ - name: GUAC_S3_QUEUES
+ value: bombastic-indexed-default
+ - name: GUAC_GQL_ADDR
+ value: https://guac-graphql.trustificcation.svc.cluster.local/query
+ - name: GUAC_CSUB_ADDR
+ value: guac-collectsub.trustificcation.svc.cluster.local:2782
+ - name: GUAC_CSUB_TLS_ROOT_CA
+ value: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+ - name: GUAC_GQL_TLS_ROOT_CA
+ value: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+ volumeMounts: null
+ volumes: null
diff --git a/roles/tpa_single_node/templates/services/guac/collectsub/030-Deployment.yaml b/roles/tpa_single_node/templates/services/guac/collectsub/030-Deployment.yaml
new file mode 100644
index 0000000..74507af
--- /dev/null
+++ b/roles/tpa_single_node/templates/services/guac/collectsub/030-Deployment.yaml
@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: guac-collectsub
+ labels:
+ app.kubernetes.io/name: guac-collectsub
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/part-of: trusted-profile-analyzer
+ annotations: null
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: guac-collectsub
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: guac-collectsub
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ spec:
+ volumes:
+ - name: tls
+ secret:
+ secretName: guac-collectsub-tls
+ containers:
+ - name: service
+ image: registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:a0cd9379eeaa15e95230fe330649b74928c776fbd35438b76fa17f3f4bbea954
+ imagePullPolicy: IfNotPresent
+ command:
+ - /opt/guac/guaccsub
+ args: []
+ env:
+ - name: GUAC_CSUB_TLS_CERT_FILE
+ value: /etc/tls/tls.crt
+ - name: GUAC_CSUB_TLS_KEY_FILE
+ value: /etc/tls/tls.key
+ volumeMounts:
+ - mountPath: /etc/tls
+ name: tls
+ readOnly: true
+ livenessProbe:
+ tcpSocket:
+ port: 2782
+ ports:
+ - containerPort: 2782
+ protocol: TCP
+ name: endpoint
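Review bot: `GUAC_GQL_ADDR` and `GUAC_CSUB_ADDR` address services in a namespace spelled `trustificcation`, while the two NetworkPolicies in this patch admit clients from `kubernetes.io/metadata.name: trustification`; one of the two spellings must be wrong, and if the namespace is `trustification` these FQDNs will not resolve at all. The same hostnames are used in vexination-collector/030-Deployment.yaml and in the `--*-url` arguments of spog/api/030-Deployment.yaml, so they should be corrected together, ideally by rendering the namespace from one role variable instead of repeating the literal. `volumeMounts: null` and `volumes: null` are accepted by the API server but read as leftover template output; dropping the two keys is cleaner.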
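Review bot: The guac-collectsub container declares a tcpSocket livenessProbe but no readinessProbe, so the pod is marked Ready as soon as the container starts and the guac-collectsub Service forwards the collectors' first connections to port 2782 before `guaccsub` is listening. Mirroring the liveness check as readiness is enough: `readinessProbe:` / `  tcpSocket:` / `    port: 2782`. `annotations: null` under metadata is harmless but, as in the other Deployments of this patch, could simply be omitted.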
diff --git a/roles/tpa_single_node/templates/services/guac/collectsub/040-Service.yaml b/roles/tpa_single_node/templates/services/guac/collectsub/040-Service.yaml
new file mode 100644
index 0000000..b3d1eef
--- /dev/null
+++ b/roles/tpa_single_node/templates/services/guac/collectsub/040-Service.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: guac-collectsub
+ labels:
+ app.kubernetes.io/name: guac-collectsub
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/part-of: trusted-profile-analyzer
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: guac-collectsub-tls
+spec:
+ ports:
+ - name: endpoint
+ port: 2782
+ protocol: TCP
+ targetPort: endpoint
+ selector:
+ app.kubernetes.io/name: guac-collectsub
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ type: ClusterIP
diff --git a/roles/tpa_single_node/templates/services/guac/collectsub/050-NetworkPolicy.yaml b/roles/tpa_single_node/templates/services/guac/collectsub/050-NetworkPolicy.yaml
new file mode 100644
index 0000000..0854f3c
--- /dev/null
+++ b/roles/tpa_single_node/templates/services/guac/collectsub/050-NetworkPolicy.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: guac-collectsub
+ labels:
+ app.kubernetes.io/name: guac-collectsub
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/part-of: trusted-profile-analyzer
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: guac-collectsub
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: trustification
+ ports:
+ - protocol: TCP
+ port: 2782
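Review bot: The single ingress rule of the guac-collectsub NetworkPolicy is namespace-wide — every pod in `trustification` may open port 2782 — although the only clients this patch deploys are the bombastic and vexination collectors, both labelled `app.kubernetes.io/component: guac`. Adding a `podSelector` with that label alongside the `namespaceSelector` inside the same `from` entry (the two are ANDed there) narrows the rule without changing the namespace gate. If the broader rule is deliberate for a single-node install, a one-line comment above `ingress:` saying so would stop the next reviewer from tightening it.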
diff --git a/roles/tpa_single_node/templates/services/guac/graphql/030-Deployment.yaml b/roles/tpa_single_node/templates/services/guac/graphql/030-Deployment.yaml
new file mode 100644
index 0000000..b3d8958
--- /dev/null
+++ b/roles/tpa_single_node/templates/services/guac/graphql/030-Deployment.yaml
@@ -0,0 +1,114 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: guac-graphql
+ labels:
+ app.kubernetes.io/name: guac-graphql
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/part-of: trusted-profile-analyzer
+ annotations: null
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: guac-graphql
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: guac-graphql
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ spec:
+ initContainers:
+ - name: migrate
+ image: registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:a0cd9379eeaa15e95230fe330649b74928c776fbd35438b76fa17f3f4bbea954
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ args:
+ - -ec
+ - 'TC_PGOPTIONS="?"
+
+ TC_PGOPTIONS="${TC_PGOPTIONS}sslmode=${TC_PGSSLMODE}&"
+
+ exec /opt/guac/guacmigrate "--db-address" "postgres://${TC_PGUSER}:${TC_PGPASSWORD}@${TC_PGHOST}:${TC_PGPORT}/${TC_PGDATABASE}${TC_PGOPTIONS}"
+ "--db-driver" "postgres" "--db-debug" "true"
+
+ '
+ env:
+ - name: TC_PGHOST
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_HOST
+ name: keycloak-db-secret
+ - name: TC_PGPORT
+ value: '5432'
+ - name: TC_PGDATABASE
+ value: guac
+ - name: TC_PGUSER
+ value: postgres
+ - name: TC_PGPASSWORD
+ value: postgres
+ - name: TC_PGSSLMODE
+ value: disable
+ volumeMounts: null
+ containers:
+ - name: service
+ image: registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:1472d5acb56cb72d49cd0d25186e6a02af53cd14c84c1a22357d115958921e52
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ args:
+ - -ec
+ - 'TC_PGOPTIONS="?"
+
+ TC_PGOPTIONS="${TC_PGOPTIONS}sslmode=${TC_PGSSLMODE}&"
+
+ exec /opt/guac/guacgql "--gql-backend" "ent" "--db-address" "postgres://${TC_PGUSER}:${TC_PGPASSWORD}@${TC_PGHOST}:${TC_PGPORT}/${TC_PGDATABASE}${TC_PGOPTIONS}"
+ "--db-driver" "postgres" "--db-migrate=false"
+
+ '
+ workingDir: /guac
+ env:
+ - name: TC_PGHOST
+ value: keycloak-postgresql
+ - name: TC_PGPORT
+ value: '5432'
+ - name: TC_PGDATABASE
+ value: guac
+ - name: TC_PGUSER
+ value: guac
+ - name: TC_PGPASSWORD
+ value: guac1234
+ - name: TC_PGSSLMODE
+ value: disable
+ - name: GUAC_GQL_TLS_CERT_FILE
+ value: /etc/tls/tls.crt
+ - name: GUAC_GQL_TLS_KEY_FILE
+ value: /etc/tls/tls.key
+ - name: GUAC_PROMETHEUS_ADDR
+ value: '9010'
+ volumeMounts:
+ - mountPath: /etc/tls
+ name: tls
+ readOnly: true
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ scheme: HTTPS
+ ports:
+ - containerPort: 9010
+ protocol: TCP
+ name: infra
+ - containerPort: 8080
+ protocol: TCP
+ name: endpoint
+ volumes:
+ - name: tls
+ secret:
+ secretName: guac-graphql-tls
diff --git a/roles/tpa_single_node/templates/services/guac/graphql/040-Service.yaml b/roles/tpa_single_node/templates/services/guac/graphql/040-Service.yaml
new file mode 100644
index 0000000..d6245ad
--- /dev/null
+++ b/roles/tpa_single_node/templates/services/guac/graphql/040-Service.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: guac-graphql
+ labels:
+ app.kubernetes.io/name: guac-graphql
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/part-of: trusted-profile-analyzer
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: guac-graphql-tls
+spec:
+ ports:
+ - name: endpoint
+ port: 443
+ protocol: TCP
+ targetPort: endpoint
+ selector:
+ app.kubernetes.io/name: guac-graphql
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ type: ClusterIP
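Review bot: `TC_PGPASSWORD` is a literal in both containers (`guac1234` for the service, `postgres` for the superuser account the `migrate` init container uses), and both shell snippets splice it into the `--db-address` URL, so the password is readable in the Deployment object, in the process command line, and in the init container's `--db-debug true` output. Take it from a Secret with `valueFrom.secretKeyRef`, the way `TC_PGHOST` already is in the init container, and have the service container's `TC_PGHOST` use the same source instead of the literal `keycloak-postgresql` so the two cannot drift; the literal `OIDC_PROVIDER_CLIENT_SECRET` in spog/api/030-Deployment.yaml needs the same treatment. The init container pins digest `a0cd9379…` and the service container `1472d5ac…` of the same image — if that is not intentional they should match. `sslmode=disable` on the pod-to-database hop is a separate single-node trade-off that deserves a comment next to `TC_PGSSLMODE`.
```yaml
- name: TC_PGPASSWORD
  valueFrom:
    secretKeyRef:
      name: <guac-db-secret>   # placeholder: Secret that holds the guac database credentials
      key: <password-key>      # placeholder: key of the password entry in that Secret
```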
diff --git a/roles/tpa_single_node/templates/services/guac/graphql/050-NetworkPolicy.yaml b/roles/tpa_single_node/templates/services/guac/graphql/050-NetworkPolicy.yaml
new file mode 100644
index 0000000..19a0bd2
--- /dev/null
+++ b/roles/tpa_single_node/templates/services/guac/graphql/050-NetworkPolicy.yaml
@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: guac-graphql
+ labels:
+ app.kubernetes.io/name: guac-graphql
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/part-of: trusted-profile-analyzer
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: guac-graphql
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: trustification
+ ports:
+ - protocol: TCP
+ port: 8080
+ - from:
+ - namespaceSelector: {}
+ ports:
+ - protocol: TCP
+ port: 9010
diff --git a/roles/tpa_single_node/templates/services/guac/vexination-collector/030-Deployment.yaml b/roles/tpa_single_node/templates/services/guac/vexination-collector/030-Deployment.yaml
new file mode 100644
index 0000000..c02daca
--- /dev/null
+++ b/roles/tpa_single_node/templates/services/guac/vexination-collector/030-Deployment.yaml
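Review bot: The second ingress rule's `namespaceSelector: {}` matches every namespace in the cluster, so the Prometheus port 9010 of guac-graphql is reachable from any pod anywhere, which is broader than the collectsub policy in this patch and broader than a metrics scraper needs. If the intended client is the cluster monitoring stack, select its namespace explicitly, e.g. `matchLabels:` / `  kubernetes.io/metadata.name: openshift-monitoring` (adjust to wherever the scraper runs). A short comment above that rule naming the scraper would also record why 9010 is opened at all.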
@@ -0,0 +1,81 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vexination-collector
+ labels:
+ app.kubernetes.io/name: vexination-collector
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/part-of: trusted-profile-analyzer
+ annotations: null
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: vexination-collector
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: vexination-collector
+ app.kubernetes.io/component: guac
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ spec:
+ containers:
+ - name: service
+ image: registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:a0cd9379eeaa15e95230fe330649b74928c776fbd35438b76fa17f3f4bbea954
+ imagePullPolicy: IfNotPresent
+ command:
+ - /opt/guac/guacone
+ args:
+ - collect
+ - s3
+ - --poll
+ env:
+ - name: STORAGE_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ key: root-user
+ name: infrastructure-minio
+ - name: STORAGE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ key: root-password
+ name: infrastructure-minio
+ - name: GUAC_S3_URL
+ value: http://infrastructure-minio:9000
+ - name: GUAC_S3_BUCKET
+ value: vexination-default
+ - name: GUAC_S3_MP
+ value: kafka
+ - name: GUAC_S3_MP_ENDPOINT
+ value: my-cluster-kafka-bootstrap:9092
+ - name: KAFKA_PROPERTIES_ENV_PREFIX
+ value: TCK_
+ - name: TCK_SECURITY__PROTOCOL
+ value: SASL_PLAINTEXT
+ - name: TCK_SASL__USERNAME
+ value: user1
+ - name: TCK_SASL__PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: user1
+ - name: TCK_SASL__MECHANISM
+ value: SCRAM-SHA-512
+ - name: GUAC_S3_QUEUES
+ value: vexination-indexed-default
+ - name: GUAC_GQL_ADDR
+ value: https://guac-graphql.trustificcation.svc.cluster.local/query
+ - name: GUAC_CSUB_ADDR
+ value: guac-collectsub.trustificcation.svc.cluster.local:2782
+ - name: GUAC_CSUB_TLS_ROOT_CA
+ value: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+ - name: GUAC_GQL_TLS_ROOT_CA
+ value: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+ volumeMounts: null
+ volumes: null
diff --git a/roles/tpa_single_node/templates/services/spog/api/020-ConfigMap-auth.yaml b/roles/tpa_single_node/templates/services/spog/api/020-ConfigMap-auth.yaml
new file mode 100644
index 0000000..b3ba0ab
--- /dev/null
+++ b/roles/tpa_single_node/templates/services/spog/api/020-ConfigMap-auth.yaml
@@ -0,0 +1,19 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: spog-api-auth
+ labels:
+ app.kubernetes.io/name: spog-api-auth
+ app.kubernetes.io/component: spog
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/part-of: trusted-profile-analyzer
+data:
+ auth.yaml: "\nauthentication:\n clients:\n\n - clientId: frontend\n \
+ \ issuerUrl: https://sso$APP_DOMAIN_URL/realms/chicken\n scopeMappings:\
+ \ &keycloakScopeMappings\n \"create:document\": [ \"create.sbom\",\
+ \ \"create.vex\" ]\n \"read:document\": [ \"read.sbom\", \"read.vex\"\
+ \ ]\n \"update:document\": [ \"update.sbom\", \"update.vex\" ]\n \
+ \ \"delete:document\": [ \"delete.sbom\", \"delete.vex\" ]\n\n - clientId:\
+ \ walker\n issuerUrl: https://sso$APP_DOMAIN_URL/realms/chicken\n \
+ \ scopeMappings: *keycloakScopeMappings\n"
diff --git a/roles/tpa_single_node/templates/services/spog/api/020-ConfigMap-ui.yaml b/roles/tpa_single_node/templates/services/spog/api/020-ConfigMap-ui.yaml
new file mode 100644
index 0000000..98223b3
--- /dev/null
+++ b/roles/tpa_single_node/templates/services/spog/api/020-ConfigMap-ui.yaml
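Review bot: `auth.yaml` is embedded as a single double-quoted scalar with `\` continuations and `\n` escapes, which hides the structure of what is a nine-line YAML document and makes the next change to a scope mapping easy to get wrong; a block scalar (`auth.yaml: |` with the document indented beneath it) produces equivalent ConfigMap data and diffs line by line. The 337-line `spog-ui.yaml` in spog/api/020-ConfigMap-ui.yaml has the same shape and would gain even more from the same rewrite. Both ConfigMaps and the Deployments rely on `$APP_DOMAIN_URL` being substituted before apply; the step that does that is not in this chunk, so a comment at the top of each template naming it would help whoever renders these outside the role.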
@@ -0,0 +1,337 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: spog-ui-config + labels: + app.kubernetes.io/name: spog-ui-config + app.kubernetes.io/component: branding + app.kubernetes.io/instance: redhat-trusted-profile-analyzer + app.kubernetes.io/version: 1.1.1 + app.kubernetes.io/part-of: trusted-profile-analyzer +data: + spog-ui.yaml: "$schema: \"https://raw.githubusercontent.com/trustification/trustification/main/spog/model/schema/config.json\"\ + \n\nglobal:\n documentationUrl: https://access.redhat.com/documentation/en-us/red_hat_trusted_profile_analyzer/1\n\ + \ supportUrl: https://issues.redhat.com/browse/TC\n productName: Red Hat\ + \ Trusted Profile Analyzer\n brandImageSrc: branding/logo.svg\n supportCaseUrl:\ + \ https://issues.redhat.com/projects/TC/issues/\n supportCaseLabel: \"Support\ + \ (Jira)\"\n aboutBackgroundSrc: \"\"\n aboutBrandImageSrc: branding/about-logo.svg\n\ + \ showGithubLink: false\n\nfeatures:\n dedicatedSearch: false\n additionalPackageInformation:\ + \ false\n showSource: false\n scanner: false\n uploader: true\n showReport:\ + \ true\n extendSection: true\n\nbombastic:\n\n filters:\n categories:\n\ + \n - label: Products\n options:\n\n - type: check\n \ + \ label: UBI 7\n id: ubi7\n terms:\n \ + \ - '\"pkg:oci/ubi7\"'\n\n - type: check\n label:\ + \ UBI 8\n id: ubi8\n terms:\n - '\"pkg:oci/ubi8\"\ + '\n\n - type: check\n label: UBI 9\n id: ubi9\n\ + \ terms:\n - '\"pkg:oci/ubi9\"'\n\n - type:\ + \ divider\n\n - type: check\n label: Red Hat Enterprise\ + \ Linux 7\n id: rhel7\n terms:\n - '\"\ + cpe:/o:redhat:enterprise_linux:7\"'\n - '\"cpe:/o:redhat:rhel_aus:7\"\ + '\n\n - type: check\n label: Red Hat Enterprise Linux\ + \ 8\n id: rhel8\n terms:\n - '\"cpe:/o:redhat:enterprise_linux:8\"\ + '\n - '\"cpe:/o:redhat:rhel_e4s:8.1\"'\n\n - type: check\n\ + \ label: Red Hat Enterprise Linux 9\n id: rhel9\n \ + \ terms:\n - '\"cpe:/o:redhat:enterprise_linux:9\"'\n\ + \n - type: divider\n\n - type: check\n label:\ + \ Ansible\n 
id: ansible\n terms:\n - '\"\ + cpe:/a:redhat:ansible_automation_platform\"'\n\n - type: check\n\ + \ label: AMQ\n id: amq\n terms:\n \ + \ - '\"cpe:/a:redhat:amq\" OR \"amq-\"'\n\n - type: check\n\ + \ label: Quarkus\n id: quarkus\n terms:\n\ + \ - '\"quarkus\"'\n\n - label: Type\n options:\n\ + \ - type: check\n label: Container\n id: is_container\n\ + \ terms:\n - 'type:oci'\n\n - type: check\n\ + \ label: Product\n id: is_product\n terms:\n\ + \ - 'NOT type:oci'\n\n - label: Suppliers\n options:\n\ + \ - type: check\n label: Red Hat\n id: supplier_redhat\n\ + \ terms:\n - 'supplier:\"Organization: Red Hat\"'\n\ + \n - label: Created on\n options:\n - type: select\n\ + \ group: created-on\n default: any\n options:\n\ + \ - id: last-week\n label: Last 7 days\n \ + \ script: |\n const end = new Date();\n \ + \ const start = new Date(end.getTime() - (7 * 24 * 60 * 60 * 1000));\n\ + \ [\n \"created:\" + \n \ + \ start.toLocaleString(\"default\", { year: \"numeric\" }) + \"-\" +\n\ + \ start.toLocaleString(\"default\", { month: \"2-digit\"\ + \ }) + \"-\" +\n start.toLocaleString(\"default\", { day:\ + \ \"2-digit\" }) + \"..\" +\n end.toLocaleString(\"default\"\ + , { year: \"numeric\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { day: \"2-digit\" })\n ];\n - id:\ + \ last-month\n label: Last 30 days\n script:\ + \ |\n const end = new Date();\n const start\ + \ = new Date(end.getTime() - (30 * 24 * 60 * 60 * 1000));\n \ + \ [\n \"created:\" + \n start.toLocaleString(\"\ + default\", { year: \"numeric\" }) + \"-\" +\n start.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n start.toLocaleString(\"\ + default\", { day: \"2-digit\" }) + \"..\" +\n end.toLocaleString(\"\ + default\", { year: \"numeric\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { day: \"2-digit\" })\n ];\n - id:\ + \ this-year\n 
label: This year\n script: |\n\ + \ const date = new Date();\n const start\ + \ = new Date(date.getFullYear(), 0, 1);\n const end = new\ + \ Date(date.getFullYear()+1, 0, 1);\n [\n \ + \ \"created:\" + \n start.toLocaleString(\"default\"\ + , { year: \"numeric\" }) + \"-\" +\n start.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n start.toLocaleString(\"\ + default\", { day: \"2-digit\" }) + \"..\" +\n end.toLocaleString(\"\ + default\", { year: \"numeric\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { day: \"2-digit\" })\n ];\n - id:\ + \ \"2023\"\n label: \"2023\"\n terms:\n \ + \ - 'created:2023-01-01..2024-01-01'\n - id: \"\ + 2022\"\n label: \"2022\"\n terms:\n \ + \ - 'created:2022-01-01..2023-01-01'\n - id: \"any\"\ + \n label: \"Any time\"\n\nvexination:\n\n filters:\n categories:\n\ + \ - label: Severity\n options:\n - type: check\n \ + \ id: low\n label: |\n \n \n \ + \ Low \n \n\ + \ terms:\n - \"severity:Low\"\n\n - type:\ + \ check\n id: moderate\n label: |\n \n \n Moderate \n \n terms:\n \ + \ - \"severity:Moderate\"\n\n - type: check\n id: important\n\ + \ label: |\n \n \ + \ \n \ + \ Important \n \n\ + \ terms:\n - \"severity:Important\"\n\n -\ + \ type: check\n id: critical\n label: |\n \ + \ \n \n Critical \n \n terms:\n \ + \ - \"severity:Critical\"\n\n - label: Products\n options:\n\ + \n - type: check\n id: rhel7\n label: Red Hat\ + \ Enterprise Linux 7\n terms:\n - '( \"cpe:/o:redhat:rhel_eus:7\"\ + \ in:package )'\n\n - type: check\n id: rhel8\n \ + \ label: Red Hat Enterprise Linux 8\n terms:\n \ + \ - '( \"cpe:/o:redhat:rhel_eus:8\" in:package )'\n\n - type: check\n\ + \ id: rhel9\n label: Red Hat Enterprise Linux 9\n \ + \ terms:\n - '( \"cpe:/a:redhat:enterprise_linux:9\"\ + \ in:package )'\n\n - type: divider\n\n - type: check\n\ + \ id: ocp3\n label: OpenShift Container Platform 3\n\ + \ terms:\n - '( \"cpe:/a:redhat:openshift:3\" 
in:package\ + \ )'\n\n - type: check\n id: ocp4\n label:\ + \ OpenShift Container Platform 4\n terms:\n - '( \"\ + cpe:/a:redhat:openshift:4\" in:package )'\n\n - label: Revisions\n \ + \ options:\n - type: select\n group: release\n \ + \ default: any\n options:\n - id: last-week\n\ + \ label: Last 7 days\n script: |\n \ + \ const end = new Date();\n const start = new Date(end.getTime()\ + \ - (7 * 24 * 60 * 60 * 1000));\n [\n \ + \ \"release:\" +\n start.toLocaleString(\"default\", {\ + \ year: \"numeric\" }) + \"-\" +\n start.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n start.toLocaleString(\"\ + default\", { day: \"2-digit\" }) + \"..\" +\n end.toLocaleString(\"\ + default\", { year: \"numeric\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { day: \"2-digit\" })\n ];\n - id:\ + \ last-month\n label: Last 30 days\n script:\ + \ |\n const end = new Date();\n const start\ + \ = new Date(end.getTime() - (30 * 24 * 60 * 60 * 1000));\n \ + \ [\n \"release:\" +\n start.toLocaleString(\"\ + default\", { year: \"numeric\" }) + \"-\" +\n start.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n start.toLocaleString(\"\ + default\", { day: \"2-digit\" }) + \"..\" +\n end.toLocaleString(\"\ + default\", { year: \"numeric\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { day: \"2-digit\" })\n ];\n - id:\ + \ this-year\n label: This year\n script: |\n\ + \ const date = new Date();\n const start\ + \ = new Date(date.getFullYear(), 0, 1);\n const end = new\ + \ Date(date.getFullYear()+1, 0, 1);\n [\n \ + \ \"release:\" +\n start.toLocaleString(\"default\"\ + , { year: \"numeric\" }) + \"-\" +\n start.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n start.toLocaleString(\"\ + default\", { day: \"2-digit\" }) + \"..\" +\n end.toLocaleString(\"\ + default\", { year: 
\"numeric\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { day: \"2-digit\" })\n ];\n - id:\ + \ \"2023\"\n label: \"2023\"\n terms:\n \ + \ - 'release:2023-01-01..2024-01-01'\n - id: \"\ + 2022\"\n label: \"2022\"\n terms:\n \ + \ - 'release:2022-01-01..2023-01-01'\n - id: \"any\"\ + \n label: \"Any time\"\n\ncve:\n filters:\n categories:\n\ + \n - label: State\n options:\n - type: select\n \ + \ default: published\n group: state\n options:\n\ + \ - id: any\n label: Any\n terms:\ + \ [ ]\n - id: published\n label: Published\n \ + \ terms:\n - \"is:published\"\n \ + \ - id: rejected\n label: Rejected\n terms:\n\ + \ - \"is:rejected\"\n\n - label: CVSS\n options:\n\ + \ - type: check\n id: low\n label: |\n \ + \ \n \n Low \n \n terms:\n -\ + \ \"severity:low\"\n\n - type: check\n id: moderate\n\ + \ label: |\n \n \ + \ \n \ + \ Medium \n \n\ + \ terms:\n - \"severity:medium\"\n\n - type:\ + \ check\n id: important\n label: |\n \n \n High \n \n terms:\n -\ + \ \"severity:high\"\n\n - type: check\n id: critical\n\ + \ label: |\n \n \ + \ \n \ + \ Critical \n \n\ + \ terms:\n - \"severity:critical\"\n\n - label:\ + \ Published\n options:\n - type: select\n group:\ + \ date-published\n default: any\n options:\n \ + \ - id: last-week\n label: Last 7 days\n \ + \ script: |\n const end = new Date();\n \ + \ const start = new Date(end.getTime() - (7 * 24 * 60 * 60 * 1000));\n\ + \ [\n \"datePublished:\" +\n \ + \ start.toLocaleString(\"default\", { year: \"numeric\" }) + \"\ + -\" +\n start.toLocaleString(\"default\", { month: \"2-digit\"\ + \ }) + \"-\" +\n start.toLocaleString(\"default\", { day:\ + \ \"2-digit\" }) + \"..\" +\n end.toLocaleString(\"default\"\ + , { year: \"numeric\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { day: \"2-digit\" })\n ];\n - id:\ + \ last-month\n label: Last 30 days\n script:\ + \ |\n 
const end = new Date();\n const start\ + \ = new Date(end.getTime() - (30 * 24 * 60 * 60 * 1000));\n \ + \ [\n \"datePublished:\" +\n start.toLocaleString(\"\ + default\", { year: \"numeric\" }) + \"-\" +\n start.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n start.toLocaleString(\"\ + default\", { day: \"2-digit\" }) + \"..\" +\n end.toLocaleString(\"\ + default\", { year: \"numeric\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { day: \"2-digit\" })\n ];\n - id:\ + \ this-year\n label: This year\n script: |\n\ + \ const date = new Date();\n const start\ + \ = new Date(date.getFullYear(), 0, 1);\n const end = new\ + \ Date(date.getFullYear()+1, 0, 1);\n [\n \ + \ \"datePublished:\" +\n start.toLocaleString(\"default\"\ + , { year: \"numeric\" }) + \"-\" +\n start.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n start.toLocaleString(\"\ + default\", { day: \"2-digit\" }) + \"..\" +\n end.toLocaleString(\"\ + default\", { year: \"numeric\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { month: \"2-digit\" }) + \"-\" +\n end.toLocaleString(\"\ + default\", { day: \"2-digit\" })\n ];\n - id:\ + \ \"2023\"\n label: \"2023\"\n terms:\n \ + \ - 'datePublished:2023-01-01..2024-01-01'\n - id:\ + \ \"2022\"\n label: \"2022\"\n terms:\n \ + \ - 'datePublished:2022-01-01..2023-01-01'\n - id:\ + \ \"any\"\n label: \"Any time\"\n\npackages:\n\n filters:\n\ + \ categories:\n\n - label: Type\n options:\n\n - type:\ + \ check\n label: maven\n id: maven\n terms:\n\ + \ - 'type:maven'\n\n - type: check\n label:\ + \ RPM\n id: RPM\n terms:\n - 'type:rpm'\n\ + \n - type: check\n label: NPM\n id: NPM\n \ + \ terms:\n - 'type:npm'\n\n - label: Supplier\n\ + \ options:\n\n - type: check\n label: Red Hat\n\ + \ id: redhat\n terms:\n - 'supplier:\"\ + Organization: Red Hat\"'\n\nscanner:\n documentationUrl: https://red.ht/trusted\n\ + \ welcomeHint:\n title: |\n

\n Receive a detailed summary of your\ + \ SBOM stack including:\n

\n body: |\n
\n
\n
\n
Security issues
\n
\n
\n
\n
\n\ + \
Licenses
\n\ + \
\n
\n
\n
\n\ + \
Dependency\ + \ details
\n
\n \n\nlandingPage:\n headerContent:\ + \ |\n \n
\n
\n\ + \
\n

Red Hat Trusted Profile Analyzer

\n

A managed service for software supply chain security

\n\ + \

\n The Red Hat Trusted Profile Analyzer service\ + \ brings awareness to and remediation of Open Source Software (OSS) vulnerabilities\ + \ that are discovered within the software supply chain.\n The\ + \ Red Hat Trusted Profile Analyzer service works within the software supply\ + \ chain by helping developers to identify, and resolve security vulnerabilities\ + \ during their development cycle.\n

\n
\n \ + \
\n
\n \n\n beforeInnerContent: |\n \ + \
\n\n afterInnerContent: |\n \n
\n
\n
\n
\n
I need an SBOM for…
\n\ + \
\n
\n \ + \
\n \ + \
I have an SBOM and need vulnerability\ + \ information
\n
\n
\n
\n\ + \
I need information on a specific vulnerability
\n\ + \
\n
\n \ + \
\n \ + \
I want to browse by category: UBI, RHEL, …
\n\ + \
\n
\n
\n \n\n afterOuterContent:\ + \ |\n
\n
\n
\n

Upload your SBOM

\n\ + \
\n
\n By\ + \ uploading your Software Bill of Materials (SBOM) file, you receive a detailed\ + \ report of dependencies, and potential vulnerabilities within your software\ + \ stack.\n\n Start by clicking the Upload an SBOM\ + \ button.\n
\n
\n \ + \
\n
\n Upload an SBOM\n
\n\ + \
\n
\n
\n
\n\n \n " diff --git a/roles/tpa_single_node/templates/services/spog/api/030-Deployment.yaml b/roles/tpa_single_node/templates/services/spog/api/030-Deployment.yaml new file mode 100644 index 0000000..893aa4b --- /dev/null +++ b/roles/tpa_single_node/templates/services/spog/api/030-Deployment.yaml 
@@ -0,0 +1,121 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: spog-api
+ labels:
+ app.kubernetes.io/name: spog-api
+ app.kubernetes.io/component: spog
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/part-of: trusted-profile-analyzer
+ annotations: null
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: spog-api
+ app.kubernetes.io/component: spog
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: spog-api
+ app.kubernetes.io/component: spog
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ annotations:
+ configHash/auth: f1603b2e10b24822d2b2ae28973e973fb20d68559f0caff8327d5a9a7326b106
+ configHash/ui: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
+ spec:
+ containers:
+ - name: service
+ image: registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:60f676f8c7611d08827f5e1cad332d7ebc5d6660392618c29d1966c1825cff5b
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ initialDelaySeconds: 2
+ httpGet:
+ path: /health/live
+ port: 9010
+ readinessProbe:
+ initialDelaySeconds: 2
+ httpGet:
+ path: /health/ready
+ port: 9010
+ command:
+ - /trust
+ args:
+ - spog
+ - api
+ - -p
+ - '8080'
+ - --bombastic-url
+ - https://bombastic-api.trustificcation.svc.cluster.local
+ - --vexination-url
+ - https://vexination-api.trustificcation.svc.cluster.local
+ - --collectorist-url
+ - https://collectorist-api.trustificcation.svc.cluster.local
+ - --v11y-url
+ - https://v11y-api.trustificcation.svc.cluster.local
+ - --exhort-url
+ - https://exhort-api.trustificcation.svc.cluster.local
+ - --crda-url
+ - https://rhda.rhcloud.com/api/v4/analysis
+ - --guac
+ - https://guac-graphql.trustificcation.svc.cluster.local/query
+ - --auth-configuration
+ - /etc/config/auth.yaml
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: RUST_LOG
+ value: info
+ - name: INFRASTRUCTURE_ENABLED
+ value: 'true'
+ - name: INFRASTRUCTURE_BIND
+ value: '[::]:9010'
+ - name: HTTP_SERVER_BIND_ADDR
+ value: '::'
+ - name: HTTP_SERVER_TLS_ENABLED
+ value: 'true'
+ - name: HTTP_SERVER_TLS_KEY_FILE
+ value: /etc/tls/tls.key
+ - name: HTTP_SERVER_TLS_CERTIFICATE_FILE
+ value: /etc/tls/tls.crt
+ - name: OIDC_PROVIDER_CLIENT_ID
+ value: walker
+ - name: OIDC_PROVIDER_CLIENT_SECRET
+ value: 6560cc91-4e20-4edd-881c-b15b169f8a80
+ - name: OIDC_PROVIDER_ISSUER_URL
+ value: https://sso$APP_DOMAIN_URL/realms/chicken
+ - name: SWAGGER_UI_OIDC_ISSUER_URL
+ value: https://sso$APP_DOMAIN_URL/realms/chicken
+ - name: SPOG_UI_CONFIG
+ value: /etc/config/spog-ui.yaml
+ ports:
+ - containerPort: 9010
+ protocol: TCP
+ name: infra
+ - containerPort: 8080
+ name: endpoint
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /etc/tls
+ name: tls
+ readOnly: true
+ - name: config-auth
+ mountPath: /etc/config/auth.yaml
+ subPath: auth.yaml
+ - name: config-ui
+ mountPath: /etc/config/spog-ui.yaml
+ subPath: spog-ui.yaml
+ volumes:
+ - name: tls
+ secret:
+ secretName: spog-api-tls
+ - name: config-auth
+ configMap:
+ name: spog-api-auth
+ - name: config-ui
+ configMap:
+ name: spog-ui-config
diff --git a/roles/tpa_single_node/templates/services/spog/api/040-Service.yaml b/roles/tpa_single_node/templates/services/spog/api/040-Service.yaml
new file mode 100644
index 0000000..f9560cf
--- /dev/null
+++ b/roles/tpa_single_node/templates/services/spog/api/040-Service.yaml
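Review bot: The `configHash/auth` and `configHash/ui` pod-template annotations are fixed literals, but an annotation of that name only does something when it changes together with the ConfigMap content so that the Deployment rolls out new pods; as constants they will never change, so edits to spog-api-auth or spog-ui-config will not restart spog-api and the mounted `subPath` files will keep serving the old data. Either compute them in the Ansible template from the rendered ConfigMap content (e.g. Ansible's `hash('sha256')` filter over the same rendered text) or drop the two annotations and state in a comment that a manual rollout is required after a config change. The two values look like they were copied out of a rendered Helm chart rather than derived here; this is inferred from their form, not visible in the chunk.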
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: spog-api
+ labels:
+ app.kubernetes.io/name: spog-api
+ app.kubernetes.io/component: spog
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/part-of: trusted-profile-analyzer
+ annotations:
+ service.beta.openshift.io/serving-cert-secret-name: spog-api-tls
+spec:
+ ports:
+ - name: endpoint
+ port: 443
+ protocol: TCP
+ targetPort: endpoint
+ selector:
+ app.kubernetes.io/name: spog-api
+ app.kubernetes.io/component: spog
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ type: ClusterIP
diff --git a/roles/tpa_single_node/templates/services/spog/api/050-Ingress.yaml b/roles/tpa_single_node/templates/services/spog/api/050-Ingress.yaml
new file mode 100644
index 0000000..adc4584
--- /dev/null
+++ b/roles/tpa_single_node/templates/services/spog/api/050-Ingress.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: spog-api
+ labels:
+ app.kubernetes.io/name: spog-api
+ app.kubernetes.io/component: spog
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/part-of: trusted-profile-analyzer
+ annotations:
+ haproxy.router.openshift.io/timeout: 180s
+ route.openshift.io/termination: reencrypt
+spec:
+ ingressClassName: openshift-default
+ rules:
+ - host: api$APP_DOMAIN_URL
+ http:
+ paths:
+ - pathType: Prefix
+ path: /
+ backend:
+ service:
+ name: spog-api
+ port:
+ name: endpoint
diff --git a/roles/tpa_single_node/templates/services/spog/ui/020-ConfigMap-backend.yaml b/roles/tpa_single_node/templates/services/spog/ui/020-ConfigMap-backend.yaml
new file mode 100644
index 0000000..5d50bd9
--- /dev/null
+++ b/roles/tpa_single_node/templates/services/spog/ui/020-ConfigMap-backend.yaml
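Review bot: `host: api$APP_DOMAIN_URL` in the Ingress hunk (and the `sso$APP_DOMAIN_URL` issuer URLs in the spog-api Deployment) uses a shell-style `$VAR` placeholder rather than Jinja, so Ansible's `template` module would emit it unchanged; presumably a separate substitution step in the install task expands it, and a one-line comment at the top of the file such as `# $APP_DOMAIN_URL is expanded by the manifest install task, not by Jinja` would spare the next reader the search. The Ingress also has no `spec.tls` stanza and relies entirely on `route.openshift.io/termination: reencrypt` plus `ingressClassName: openshift-default`, which is fine on OpenShift but worth stating in a comment so the manifest is not reused on another ingress controller, where the host would be served without TLS.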
@@ -0,0 +1,12 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: spog-ui-backend
+ labels:
+ app.kubernetes.io/name: spog-ui-backend
+ app.kubernetes.io/component: spog
+ app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+ app.kubernetes.io/version: 1.1.1
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: trusted-profile-analyzer
+data: null
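Review bot: `data: null` produces a ConfigMap with no keys, so whatever backend settings the UI reads from `spog-ui-backend` are absent at runtime; if an empty map is intended, `data: {}` says so explicitly, and otherwise the settings belong here. The `app.kubernetes.io/managed-by: Helm` label appears on none of the other spog resources visible in this patch and reads like a leftover from a Helm render of an Ansible-installed object; dropping it keeps tooling that filters on that label from treating the object as Helm-owned.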
