content/modules/ROOT/pages/06-tekton-pipeline-exploration.adoc (13 additions, 13 deletions)
@@ -1,4 +1,4 @@
-
== Pipeline Exploration
+
== Tekton Pipeline Exploration
As a developer, I can see all the steps involved with the corporate standard pipeline and *GREEN is good*. As a developer, that makes me happy, I do not have worry about all the details.
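Review bot: if the module's nav.adoc or any xref carries the old title text "Pipeline Exploration", update it in this commit too, since the heading here becomes "Tekton Pipeline Exploration" (now matching the file name 06-tekton-pipeline-exploration.adoc) and nothing else in this hunk changes.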
@@ -8,21 +8,21 @@ Narrator: Now, for our architects and platform engineers in the room, you want t
Developer Hub pre-integrates several curated plug-ins that are great for overall developer experience. A lot has happened with the execution of this pipeline.
-
The first step in the pipeline is a simple `git clone`. The next step is basically a `mvn package` and then running of Sonarqube `scan-source` for static analysis. All pretty standard for CI pipelines. Get the code, compile/build the code, run some scans.
+
The first step in the pipeline is a simple `git clone`. The next step is basically a `mvn package` and then running of Sonarqube `scan-source` for static analysis. All pretty standard for CI pipelines. Get the code, compile/build the code, run some scans.
=== Build Sign Image
-
It is the `build-sign-image` where things get super interesting.
+
It is the `build-sign-image` where things get super interesting.
image::pipeline-exploration-2.png[]
-
The template is leveraging Tekton Chains, a Kubernetes Custom Resource Definition (CRD) controller, that nicely augments the supply chain security within OpenShift Pipelines. This tool's capacity to automatically sign task runs, and its adoption of advanced attestation formats like in-toto and SLA provenance, bring a higher degree of trust and verification to our processes. Tekton Chains works like an independent observer within the cluster, it signs, attests and stores additional artifacts as OCI images alongside with your container image.
+
The template is leveraging Tekton Chains, a Kubernetes Custom Resource Definition (CRD) controller, that nicely augments the supply chain security within OpenShift Pipelines. This tool's capacity to automatically sign task runs, and its adoption of advanced attestation formats like in-toto and SLA provenance, bring a higher degree of trust and verification to our processes. Tekton Chains works like an independent observer within the cluster, it signs, attests and stores additional artifacts as OCI images alongside with your container image.
If you look on the *Image Registry* tab you will see there is are *.att*, *.sig* and *.sbom* sitting side-by-side with the resulting container image produced by the pipeline.
image::pipeline-exploration-3.png[]
-
This plug-in using Quay, you might remember we selected Quay in the template wizard. Quay offers yet another aspect of supply chain security, it is constantly scanning your container images at rest. Your developers might not be actively coding and if nobody has pushed a change recently then the pipeline might not have run in a while.
+
This plug-in using Quay, you might remember we selected Quay in the template wizard. Quay offers yet another aspect of supply chain security, it is constantly scanning your container images at rest. Your developers might not be actively coding and if nobody has pushed a change recently then the pipeline might not have run in a while.
=== roxctl (ACS)
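Review bot: the re-added Tekton Chains paragraph still says "in-toto and SLA provenance"; the attestation format Tekton Chains emits is SLSA provenance, so fix the acronym while the line is being edited rather than carrying the error forward. Two grammar slips on lines this hunk touches or borders: "This plug-in using Quay" is missing its verb ("This plug-in uses Quay"), and "there is are *.att*, *.sig* and *.sbom*" should be "there are". Finally, the removed and added versions of the git clone, build-sign-image, Tekton Chains and Quay paragraphs are character-for-character identical in the rendered diff, so these are whitespace-only edits; if this is a trailing-whitespace or line-ending cleanup, say so in the commit message so the next reader does not hunt for a content change.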
@@ -31,11 +31,11 @@ Back to the pipeline itself and let's look at the 3 Advanced Cluster Security ta
image::pipeline-exploration-4.png[]
-
The bottom-most task is performing CVE scanning via `roxctl image scan`.
+
The bottom-most task is performing CVE scanning via `roxctl image scan`.
-
The middle task is performing a policy check via `roxctl image check`. These policies might be things like 'No log4j allowed' or perhaps no curl, wget nor a package manager in a production image.
+
The middle task is performing a policy check via `roxctl image check`. These policies might be things like 'No log4j allowed' or perhaps no curl, wget nor a package manager in a production image.
-
The top-most task is perform yaml scanning via `roxctl deployment check` and it might identify that your Deployment.yaml has not properly configured its resource request and limit.
+
The top-most task is perform yaml scanning via `roxctl deployment check` and it might identify that your Deployment.yaml has not properly configured its resource request and limit.
A series of dashboards visualize the reporting from these 3 *roxctl* tasks, click on the *View Output* icon under *ACTIONS*
These ACS polices can be seen on the following screen, just look for *Build* policies under lifecycle.
+
These ACS polices can be seen on the following screen, just look for *Build* policies under lifecycle.
image::pipeline-exploration-5.png[]
-
These 3 aspects of *roxctl* are a great example of the "shift-left" idea by bringing these critical checks into the pipeline itself to be executed on each `git push`.
+
These 3 aspects of *roxctl* are a great example of the "shift-left" idea by bringing these critical checks into the pipeline itself to be executed on each `git push`.
=== scan-export-sbom
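Review bot: "The top-most task is perform yaml scanning" is rewritten here but keeps the grammar error; make it "performs YAML scanning via `roxctl deployment check`". The same hunk re-adds "These ACS polices can be seen" with "polices" for "policies". Apart from those two, the added lines for the roxctl image scan, image check and shift-left paragraphs are identical to the removed ones, so this hunk is also whitespace-only.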
@@ -59,13 +59,13 @@ Pushes the SBOM to a CycloneDX repository. Currently, the SBOM is stored in Qua
image::pipeline-exploration-12.png[]
-
The SBOM is an artifact that deserves special mention. Think of the Software Bill of Materials as the ingredient list. I am sure you have gone to the grocery store and picked up an item and reviewed its packaging. On the back of the product there will be a list of ingredients. You can find out that something you might wish to eat includes gluten, perhaps too much sugar, or shellfish (my sister is allergic to shellfish) or perhaps nuts. Well, if you are allergic to nuts you might also be allergic to struts :-) You might remember that infamous Struts 2 vulnerability that allowed 143 million American's private data to end up on the dark web https://www.securityweek.com/apache-struts-flaw-reportedly-exploited-equifax-hack[Struts 2 hack].
+
The SBOM is an artifact that deserves special mention. Think of the Software Bill of Materials as the ingredient list. I am sure you have gone to the grocery store and picked up an item and reviewed its packaging. On the back of the product there will be a list of ingredients. You can find out that something you might wish to eat includes gluten, perhaps too much sugar, or shellfish (my sister is allergic to shellfish) or perhaps nuts. Well, if you are allergic to nuts you might also be allergic to struts :-) You might remember that infamous Struts 2 vulnerability that allowed 143 million American's private data to end up on the dark web https://www.securityweek.com/apache-struts-flaw-reportedly-exploited-equifax-hack[Struts 2 hack].
-
The SBOM is either a JSON or XML file and is stored in the container registry as the ingredient list associated with the container image.
+
The SBOM is either a JSON or XML file and is stored in the container registry as the ingredient list associated with the container image.
=== Dev Deployment
-
Click on *Topology*
+
Click on *Topology*
As a developer, I want to see my handy work, did my applicatio really deploy to the dev environment?
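Review bot: "143 million American's private data" in the re-added SBOM paragraph should be "Americans'" (plural possessive), and the context line two below the touched "Click on *Topology*" step, "did my applicatio really deploy", is missing the last letter of "application"; both are cheap to fix in this commit. The SBOM, JSON/XML and Topology lines are otherwise unchanged between the - and + sides.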
content/modules/ROOT/pages/11-jenkins-pipeline-exploration.adoc (2 additions, 2 deletions)
@@ -1,4 +1,4 @@
-
== Jenkins CI
+
== Jenkins Pipeline Exploration
3
Jenkins is used to build and test your product continuously, so developers can continuously integrate changes into the build. Jenkins is the most popular open source CI/CD tool on the market today and is used in support of DevOps, alongside other cloud native tools.
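Review bot: with the heading changed from "Jenkins CI" to "Jenkins Pipeline Exploration", the paragraph that follows still reads as product marketing ("the most popular open source CI/CD tool on the market today") rather than an introduction to the pipeline being explored; consider trimming it to the build-and-test sentence. As with the Tekton page in this commit, update any nav.adoc entry or xref that used the old title.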
@@ -17,7 +17,7 @@ This section demonstrates how *Developer Hub* allows you to instantiate a Quarku
. Click on the *CI* tab. There should be 3 projects visible, one for build, one for preparing a pre-prod deployment and one for preparing a prod deployment. A build should automatically trigger. If this does not show up, click on a different tab and then click back to the *CI* tab to refresh the page.
. You may click on the *View build* icon to view the output of the build on jenkins. Enter the credentials provided on the demo landing page.
. Once the build is complete, click on the *Topology* tab. The application for *dev* is now healthy, indicated by a blue ring. Click on the arrow on the application icon to view the Quarkus application.
-
* To make changes to the Quarkus application, click on the *Overview* tab and select the *OpenShift Dev Spaces (VS Code)* link. This should provision a *DevSpaces* project where you can update the source code as you wish. Pushing the changes back to GitLab triggers a new build and deploy to dev.
+
. To make changes to the Quarkus application, click on the *Overview* tab and select the *OpenShift Dev Spaces (VS Code)* link. This should provision a *DevSpaces* project where you can update the source code as you wish. Pushing the changes back to GitLab triggers a new build and deploy to dev.
=== Promote to preprod
. To deploy your Quarkus application to preprod, switch to the *Overview* tab and click on the *Source Code* link. This should open the repository root on GitLab.
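Review bot: changing the list marker from `*` to `.` on the Dev Spaces step is the right fix, since it makes that step continue the numbered sequence that starts with "Click on the *CI* tab" instead of rendering as a nested bullet under the Topology step. While touching this region, "view the output of the build on jenkins" should capitalise Jenkins, as the rest of the page does.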