trustification · desmax74 · Aug 27, 2024 · Aug 27, 2024
diff --git a/roles/tpa_single_node/tasks/main.yml b/roles/tpa_single_node/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Install Operating System Components
+  ansible.builtin.include_tasks: os.yml
+  args:
+    apply:
+      become: true
+
+- name: Execute Podman Actions
+  ansible.builtin.include_tasks: podman.yml
+  args:
+    apply:
+      become: true
diff --git a/roles/tpa_single_node/tasks/os.yml b/roles/tpa_single_node/tasks/os.yml
@@ -0,0 +1,4 @@
+---
+- name: Install System Packages dependencies
+  ansible.builtin.package:
+    name: "{{ tpa_single_node_system_packages }}"
diff --git a/roles/tpa_single_node/tasks/podman.yml b/roles/tpa_single_node/tasks/podman.yml
@@ -0,0 +1,51 @@
+---
+- name: Podman login to registry.redhat.io
+  when:
+    - ansible_facts['distribution'] == 'RedHat'
+    - ansible_facts['distribution_major_version'] == '9'
+  ansible.builtin.command: podman login registry.redhat.io -u {{ tpa_single_node_registry_username }} --password {{ tpa_single_node_registry_password }}
+  register: podman_login_result
+  changed_when: '"Already logged in" not in podman_login_result'
+
+- name: Create RHTPA network
+  containers.podman.podman_network:
+    name: "{{ tpa_single_node_podman_network }}"
+
+- name: Pull trustification image from registry.redhat.io
+  when:
+    - ansible_facts['distribution'] == 'RedHat'
+    - ansible_facts['distribution_major_version'] == '9'
+  containers.podman.podman_image:
+    name: "{{ tpa_single_node_trustification_image }}"
+
+
+- name: Pull Guac image from registry.redhat.io
+  when:
+    - ansible_facts['distribution'] == 'RedHat'
+    - ansible_facts['distribution_major_version'] == '9'
+  containers.podman.podman_image:
+    name: "{{ tpa_single_node_guac_image }}"
+
+- name: Pull SSO image from registry.redhat.io
+  when:
+    - ansible_facts['distribution'] == 'RedHat'
+    - ansible_facts['distribution_major_version'] == '9'
+  containers.podman.podman_image:
+    name: "{{ tpa_single_node_sso_image }}"
+
+- name: Pull Postgresql 15 image from registry.redhat.io
+  when:
+    - ansible_facts['distribution'] == 'RedHat'
+    - ansible_facts['distribution_major_version'] == '9'
+  containers.podman.podman_image:
+    name: "{{ tpa_single_node_postgresql }}"
+
+- name: Pull Streams for Apache Kafka from registry.redhat.io
+  when:
+    - ansible_facts['distribution'] == 'RedHat'
+    - ansible_facts['distribution_major_version'] == '9'
+  containers.podman.podman_image:
+    name: "{{ tpa_single_node_streams_kafka }}"
+
+- name: Configure/Deploy guac
+  ansible.builtin.include_tasks: podman/guac.yml
diff --git a/roles/tpa_single_node/tasks/podman/guac.yml b/roles/tpa_single_node/tasks/podman/guac.yml
@@ -0,0 +1,16 @@
+---
+- name: Confirmed required parameters provided
+  ansible.builtin.assert:
+    that:
+      - tpa_single_node_base_hostname is defined
+      - tpa_single_node_base_hostname | trim | length > 0
+    msg: "'tpa_single_node_base_hostname' must be specified"
+
+- name: Get RHTPA network details
+  containers.podman.podman_network:
+    name: "{{ tpa_single_node_podman_network }}"
+  register: tpa_podman_network_results
+
+- name: Set DNS Resolver
+  ansible.builtin.set_fact:
+    dns_resolver: "{{ tpa_podman_network_results.network.subnets[0].gateway }}"
diff --git a/roles/tpa_single_node/tasks/podman/install_manifest.yml b/roles/tpa_single_node/tasks/podman/install_manifest.yml
@@ -0,0 +1,25 @@
+---
+# NOTE: determining when the service will restart with `when: ...` is not ideal, however
+# we would need a dynamic handler otherwise and these are a bit fragile.
+
+- name: Set location of Podman Play Manifest
+  ansible.builtin.set_fact:
+    kube_play_file: >-
+      {{ tpa_single_node_kube_manifest_dir + '/' + podman_spec.kube_file_content.metadata.namespace + '_'
+      + podman_spec.kube_file_content.metadata.name + '.yml' }}
+
+- name: Copy Manifest to Server
+  ansible.builtin.copy:
+    content: "{{ podman_spec.kube_file_content | to_nice_yaml(indent=2) }}"
+    dest: "{{ kube_play_file }}"
+    mode: "0600"
+  register: copy_manifest
+
+
+- name: Restart Podman Service
+  ansible.builtin.systemd:
+    state: restarted
+    enabled: true
+    daemon_reload: true
+    name: "{{ podman_spec.systemd_file }}"
+  when: copy_manifest.changed or copy_systemd_file.changed or (podman_spec.secret is defined and podman_spec.secret_changed)
diff --git a/roles/tpa_single_node/templates/init/dataset/020-Job.yaml b/roles/tpa_single_node/templates/init/dataset/020-Job.yaml
@@ -0,0 +1,49 @@
+kind: Job
+apiVersion: batch/v1
+metadata:
+  name: init-dataset
+  labels:
+    app.kubernetes.io/name: init-dataset
+    app.kubernetes.io/component: init
+    app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+    app.kubernetes.io/version: 1.1.1
+    app.kubernetes.io/part-of: trusted-profile-analyzer
+    annotations: null
+spec:
+  backoffLimit: 1000
+  completions: 1
+  parallelism: 1
+  ttlSecondsAfterFinished: 600
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: init-dataset
+        app.kubernetes.io/component: init
+        app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: run
+          image: registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:044b6070e52378a93cbcd65cbd5d10b866f102ee8d6040b92147df7b52202e8
+          imagePullPolicy: IfNotPresent
+          command:
+            - /usr/bin/bash
+          args:
+            - -ce
+            - "ARGS=\"\"\nif [[ -f /run/secrets/kubernetes.io/serviceaccount/service-ca.crt\
+                \ ]]; then\n  ARGS=\"--sender-root-certificates /run/secrets/kubernetes.io/serviceaccount/service-ca.crt\"\
+                \nfi\n/trust bombastic walker $ARGS --sink https://bombastic-api.trustificcation.svc.cluster.local\
+                \ --source file:/data/sbom\necho SBOM import done\n/trust vexination\
+                \ walker $ARGS --sink https://vexination-api.trustificcation.svc.cluster.local/api/v1/vex\
+                \ --source file:/data/csaf\necho CSAF import done\n"
+          env:
+            - name: OIDC_PROVIDER_CLIENT_ID
+              value: walker
+            - name: OIDC_PROVIDER_CLIENT_SECRET
+              value: 6560cc91-4e20-4edd-881c-b15b169f8a80
+            - name: OIDC_PROVIDER_ISSUER_URL
+              value: https://sso$APP_DOMAIN_URL/realms/chicken
+            - name: RUST_LOG
+              value: info
+          volumeMounts: null
+      volumes: null
diff --git a/roles/tpa_single_node/templates/init/guac/010-ConfigMap.yaml b/roles/tpa_single_node/templates/init/guac/010-ConfigMap.yaml
@@ -0,0 +1,26 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: init-guac-db
+  labels:
+    app.kubernetes.io/name: init-guac-db
+    app.kubernetes.io/component: guac
+    app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+    app.kubernetes.io/version: 1.1.1
+    app.kubernetes.io/part-of: trusted-profile-analyzer
+  annotations: null
+data:
+  init.sql: "-- ensure we have the database\nSELECT 'CREATE DATABASE ' || :'db_name'\n\
+      WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = :'db_name')\\gexec\n\
+      \n-- create the user (if it doesn't exist)\nCREATE OR REPLACE FUNCTION add_user_if_not_exists(username\
+      \ NAME) RETURNS integer\n    AS $$\nBEGIN\n    IF NOT EXISTS (SELECT FROM\
+      \ pg_roles\n        WHERE rolname = username) THEN\n\n        EXECUTE FORMAT('CREATE\
+      \ ROLE \"%I\" LOGIN', username);\n\n    END IF;\n    RETURN NULL;\nEND;\n\
+      $$ language plpgsql;\n\nSELECT add_user_if_not_exists(:'db_user');\n\n-- now\
+      \ set the password\nALTER USER :db_user WITH PASSWORD :'db_password';\n\n\
+      -- grant permission to connect\nGRANT CONNECT ON DATABASE :db_name TO :db_user;\n\
+      \n-- grant permissions on database\n\\connect :db_name\n\nGRANT USAGE ON SCHEMA\
+      \ public TO :db_user;\n\n-- grant on existing tables\nGRANT SELECT, INSERT,\
+      \ UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO :db_user;\n\n-- grant on\
+      \ future tables\nALTER DEFAULT PRIVILEGES\n    IN SCHEMA public\n    GRANT\
+      \ SELECT, INSERT, UPDATE, DELETE ON TABLES TO :db_user;\n"
diff --git a/roles/tpa_single_node/templates/init/guac/020-Job.yaml b/roles/tpa_single_node/templates/init/guac/020-Job.yaml
@@ -0,0 +1,49 @@
+kind: Job
+apiVersion: batch/v1
+metadata:
+  name: init-dataset
+  labels:
+    app.kubernetes.io/name: init-dataset
+    app.kubernetes.io/component: init
+    app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+    app.kubernetes.io/version: 1.1.1
+    app.kubernetes.io/part-of: trusted-profile-analyzer
+  annotations: null
+spec:
+  backoffLimit: 1000
+  completions: 1
+  parallelism: 1
+  ttlSecondsAfterFinished: 600
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: init-dataset
+        app.kubernetes.io/component: init
+        app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: run
+          image: registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:60f676f8c7611d08827f5e1cad332d7ebc5d6660392618c29d1966c1825cff5b
+          imagePullPolicy: IfNotPresent
+          command:
+            - /usr/bin/bash
+          args:
+            - -ce
+            - "ARGS=\"\"\nif [[ -f /run/secrets/kubernetes.io/serviceaccount/service-ca.crt\
+                \ ]]; then\n  ARGS=\"--sender-root-certificates /run/secrets/kubernetes.io/serviceaccount/service-ca.crt\"\
+                \nfi\n/trust bombastic walker $ARGS --sink https://bombastic-api.trustificcation.svc.cluster.local\
+                \ --source file:/data/sbom\necho SBOM import done\n/trust vexination\
+                \ walker $ARGS --sink https://vexination-api.trustificcation.svc.cluster.local/api/v1/vex\
+                \ --source file:/data/csaf\necho CSAF import done\n"
+          env:
+            - name: OIDC_PROVIDER_CLIENT_ID
+              value: walker
+            - name: OIDC_PROVIDER_CLIENT_SECRET
+              value: 6560cc91-4e20-4edd-881c-b15b169f8a80
+            - name: OIDC_PROVIDER_ISSUER_URL
+              value: https://sso$APP_DOMAIN_URL/realms/chicken
+            - name: RUST_LOG
+              value: info
+          volumeMounts: null
+      volumes: null
diff --git a/roles/tpa_single_node/templates/services/bombastic/api/020-ConfigMap-auth.yaml b/roles/tpa_single_node/templates/services/bombastic/api/020-ConfigMap-auth.yaml
@@ -0,0 +1,19 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: bombastic-api-auth
+  labels:
+    app.kubernetes.io/name: bombastic-api-auth
+    app.kubernetes.io/component: bombastic
+    app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+    app.kubernetes.io/version: 1.1.1
+    app.kubernetes.io/part-of: trusted-profile-analyzer
+data:
+  auth.yaml: "\nauthentication:\n  clients:\n\n    - clientId: frontend\n    \
+        \  issuerUrl: https://sso$APP_DOMAIN_URL/realms/chicken\n      scopeMappings:\
+        \ &keycloakScopeMappings\n        \"create:document\": [ \"create.sbom\",\
+        \ \"create.vex\" ]\n        \"read:document\": [ \"read.sbom\", \"read.vex\"\
+        \ ]\n        \"update:document\": [ \"update.sbom\", \"update.vex\" ]\n  \
+        \      \"delete:document\": [ \"delete.sbom\", \"delete.vex\" ]\n\n    - clientId:\
+        \ walker\n      issuerUrl: https://sso$APP_DOMAIN_URL/realms/chicken\n   \
+        \   scopeMappings: *keycloakScopeMappings\n"
diff --git a/roles/tpa_single_node/templates/services/bombastic/api/030-Deployment.yaml b/roles/tpa_single_node/templates/services/bombastic/api/030-Deployment.yaml
@@ -0,0 +1,119 @@
+kind: Deployment
+metadata:
+  name: bombastic-api
+  labels:
+    app.kubernetes.io/name: bombastic-api
+    app.kubernetes.io/component: bombastic
+    app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+    app.kubernetes.io/version: 1.1.1
+    app.kubernetes.io/part-of: trusted-profile-analyzer
+  annotations: null
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: bombastic-api
+      app.kubernetes.io/component: bombastic
+      app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: bombastic-api
+        app.kubernetes.io/component: bombastic
+        app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+      annotations:
+        configHash/auth: f1603b2e10b24822d2b2ae28973e973fb20d68559f0caff8327d5a9a7326b106
+    spec:
+      containers:
+        - name: service
+          image: registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:044b6070e52378a93cbcd65cbd5d10b866f102ee8d6040b92147df7b52202e83
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            initialDelaySeconds: 2
+            httpGet:
+              path: /health/live
+              port: 9010
+          readinessProbe:
+            initialDelaySeconds: 2
+            httpGet:
+              path: /health/ready
+              port: 9010
+          command:
+            - /trust
+          args:
+            - bombastic
+            - api
+            - -p
+            - '8080'
+            - --validator
+            - sbom
+            - --index-mode
+            - file
+            - --auth-configuration
+            - /etc/config/auth.yaml
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: RUST_LOG
+              value: info
+            - name: INFRASTRUCTURE_ENABLED
+              value: 'true'
+            - name: INFRASTRUCTURE_BIND
+              value: '[::]:9010'
+            - name: HTTP_SERVER_BIND_ADDR
+              value: '::'
+            - name: HTTP_SERVER_TLS_ENABLED
+              value: 'true'
+            - name: HTTP_SERVER_TLS_KEY_FILE
+              value: /etc/tls/tls.key
+            - name: HTTP_SERVER_TLS_CERTIFICATE_FILE
+              value: /etc/tls/tls.crt
+            - name: OIDC_PROVIDER_CLIENT_ID
+              value: walker
+            - name: OIDC_PROVIDER_CLIENT_SECRET
+              value: 6560cc91-4e20-4edd-881c-b15b169f8a80
+            - name: OIDC_PROVIDER_ISSUER_URL
+              value: https://sso$APP_DOMAIN_URL/realms/chicken
+            - name: STORAGE_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: root-user
+                  name: infrastructure-minio
+            - name: STORAGE_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: root-password
+                  name: infrastructure-minio
+            - name: STORAGE_ENDPOINT
+              value: http://infrastructure-minio:9000
+            - name: STORAGE_REGION
+              value: eu-west-1
+            - name: STORAGE_BUCKET
+              value: bombastic-default
+            - name: SWAGGER_UI_OIDC_ISSUER_URL
+              value: https://sso$APP_DOMAIN_URL/realms/chicken
+            - name: INDEX_SYNC_INTERVAL
+              value: 1m
+          ports:
+            - containerPort: 9010
+              protocol: TCP
+              name: infra
+            - containerPort: 8080
+              name: endpoint
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /etc/tls
+              name: tls
+              readOnly: true
+            - name: config-auth
+              mountPath: /etc/config/auth.yaml
+              subPath: auth.yaml
+      volumes:
+        - name: tls
+          secret:
+            secretName: bombastic-api-tls
+        - name: config-auth
+          configMap:
+            name: bombastic-api-auth