devsecops-demo
DevSecOps CICD demo in Openshift with ACS integration
Hello, I tried to deploy this demo on a 4.11 OCP cluster. Pre-requisites are installed: ``` $ pip3 list | grep -e kubernetes -e openshift -e jmespath jmespath 1.0.1...
* https://github.com/sigstore/cosign#registry-support

Possible issue: Quay needs to be used, because the OCP internal registry is not supported.
* https://github.com/tektoncd/chains
* https://gkovan.medium.com/a-zero-trust-approach-for-securing-the-supply-chain-of-microservices-packaged-as-container-images-89d2f5b7293b
* https://github.com/ztsc/tekton
Include signing of the commits in Git servers using PGP:
* in Gitea -> https://docs.gitea.io/en-us/signing/
* in GitHub -> https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
Integrate the ACS OAuth into the DevSecOps demo to authenticate with the OAuth credentials instead of a hardcoded password: https://redhat-scholars.github.io/acs-workshop/acs-workshop/11-integrations.html#integrate_acs_oauth
Use the following [devsecops description](https://www.redhat.com/en/resources/deploy-comprehensive-devsecops-solution-overview).
Because the Sonarqube image is more than 90 days old, we need to update to 9.1.0-community with tag "sonarqube:9.1.0-community" and test it in the devsecops demo.
Use the image registry.connect.redhat.com/sonatype/nexus-repository-manager:3.36.0-ubi-1. Also check the deployment to be used in the bootstrap demo.
[Git Secrets](https://github.com/awslabs/git-secrets) could be a nice addon to the pipeline in order to ensure that the git repo does not have any exposed secrets. Additionally ACS includes out of the box...
Adding all these changes to ensure this demo still runs on a 4.12+ cluster. Also tested on 4.13.