diff --git a/docs/supply-chain.md b/docs/supply-chain.md index 0391f4f8..b8e5f09f 100644 --- a/docs/supply-chain.md +++ b/docs/supply-chain.md 
@@ -36,13 +36,176 @@ In our demo, we will use a number of additional ZTVP components. These component * [Multicloud Object Gateway](https://docs.redhat.com/en/documentation/red_hat_openshift_container_storage/4.8/html/managing_hybrid_and_multicloud_resources/index) is a data service for OpenShift that provides an S3-compatible object storage. In our case, this component is necessary to provide a storage system to Quay. * [Red Hat OpenShift Pipelines](https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines/1.20) is a cloud-native CI/CD solution built on the Tekton framework. We will use this product to automate our secure supply chain process, but you could use your own CI/CD solution if one exists. +### Defining the values + +To enable this use case, the following parameters should be defined within the [values-hub.yaml](../values-hub.yaml) file + +* In the `clustergroup.namespaces` section, create the _Namespaces_ for the components by uncommenting the following + + ```shell + - openshift-storage: + operatorGroup: true + targetNamespace: openshift-storage + annotations: + openshift.io/cluster-monitoring: "true" + argocd.argoproj.io/sync-wave: "26" # Propagated to OperatorGroup by framework + - quay-enterprise: + annotations: + argocd.argoproj.io/sync-wave: "32" # Create before NooBaa and all Quay components + labels: + openshift.io/cluster-monitoring: "true" + - trusted-artifact-signer: + annotations: + argocd.argoproj.io/sync-wave: "32" # Auto-created by RHTAS operator + labels: + openshift.io/cluster-monitoring: "true" + - rhtpa-operator: + operatorGroup: true + targetNamespace: rhtpa-operator + annotations: + argocd.argoproj.io/sync-wave: "26" # Create before operator subscription + - trusted-profile-analyzer: + annotations: + argocd.argoproj.io/sync-wave: "32" # Create before RHTPA components + labels: + openshift.io/cluster-monitoring: "true" + - openshift-pipelines + ``` + +* In the `clusterGroup.subscriptions` section, create the 
_Subscriptions_ for the components operators by uncommenting the following: + + ```shell + openshift-pipelines: + name: openshift-pipelines-operator-rh + namespace: openshift-operators + odf: + name: odf-operator + namespace: openshift-storage + channel: stable-4.20 + annotations: + argocd.argoproj.io/sync-wave: "27" # Install after OperatorGroup (26) + quay-operator: + name: quay-operator + namespace: openshift-operators + channel: stable-3.15 + annotations: + argocd.argoproj.io/sync-wave: "28" # Install after ODF operator + rhtas-operator: + name: rhtas-operator + namespace: openshift-operators + channel: stable + annotations: + argocd.argoproj.io/sync-wave: "29" # Install after Quay operator, before applications + catalogSource: redhat-operators + rhtpa-operator: + name: rhtpa-operator + namespace: rhtpa-operator # MUST use dedicated namespace (not openshift-operators) + channel: stable-v1.1 # Use stable-v1.1 channel for 1.1.x updates + catalogSource: redhat-operators + annotations: + argocd.argoproj.io/sync-wave: "27" # Install after OperatorGroup (26), before applications + ``` + +* Configure the Argo CD _Applications_: + + ```shell + noobaa-mcg: + name: noobaa-mcg + namespace: openshift-storage + project: hub + path: charts/noobaa-mcg + annotations: + argocd.argoproj.io/sync-wave: "36" # Deploy after core services + quay-registry: + name: quay-registry + namespace: quay-enterprise + project: hub + path: charts/quay-registry + annotations: + argocd.argoproj.io/sync-wave: "41" # Deploy after NooBaa storage backend + trusted-artifact-signer: + name: trusted-artifact-signer + namespace: trusted-artifact-signer + project: hub + path: charts/rhtas-operator + annotations: + argocd.argoproj.io/sync-wave: "46" # Deploy after dependencies + overrides: + - name: rhtas.zeroTrust.spire.enabled + value: "true" + - name: rhtas.zeroTrust.spire.trustDomain + value: "apps.{{ $.Values.global.clusterDomain }}" + - name: rhtas.zeroTrust.spire.issuer + value: 
"https://spire-spiffe-oidc-discovery-provider.apps.{{ $.Values.global.clusterDomain }}" + - name: rhtas.zeroTrust.email.enabled + value: "true" + - name: rhtas.zeroTrust.email.issuer + value: https://keycloak.apps.{{ $.Values.global.clusterDomain }}/realms/ztvp + trusted-profile-analyzer: + name: trusted-profile-analyzer + namespace: trusted-profile-analyzer + project: hub + path: charts/rhtpa-operator + annotations: + argocd.argoproj.io/sync-wave: "41" # Create chart resources (OBC, DB, etc.) + ignoreDifferences: + - group: batch + kind: Job + jsonPointers: + - /status + overrides: + - name: rhtpa.zeroTrust.vault.url + value: https://vault.vault.svc.cluster.local:8200 + - name: rhtpa.modules.createImporters.importers.cve.cve.disabled + value: "false" + - name: rhtpa.modules.createImporters.importers.osv-github.osv.disabled + value: "false" + - name: rhtpa.modules.createImporters.importers.redhat-csaf.csaf.disabled + value: "false" + - name: rhtpa.modules.createImporters.importers.quay-redhat-user-workloads.quay.disabled + value: "false" + - name: rhtpa.modules.createImporters.importers.redhat-sboms.sbom.disabled + value: "false" + supply-chain: + name: supply-chain + project: hub + path: charts/supply-chain + annotations: + argocd.argoproj.io/sync-wave: "48" + ignoreDifferences: + - group: "" + kind: ServiceAccount + jqPathExpressions: + - .imagePullSecrets[]|select(.name | contains("-dockercfg-")) + overrides: + - name: rhtas.enabled + value: true + - name: rhtpa.enabled + value: true + # If you are using the Quay embedded registry, add these attributes: + - name: quay.enabled + value: "true" + - name: registry.tlsVerify + value: "false" + ``` + +* `applications.vault.jwt.roles.policies`: In the _Vault_ policies section, uncomment the following: + + ```shell + - name: rhtpa + audience: rhtpa + subject: spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/trusted-profile-analyzer/sa/rhtpa + policies: + - hub-infra-rhtpa-jwt-secret + ``` + ## Bring Your Own (BYO) 
Container Registry By default, ZTVP deploys a built-in Red Hat Quay registry. However, you can use your own container registry (e.g., quay.io, Docker Hub, GitHub Container Registry, or a private registry) instead. ### Configuration Steps -1. **Disable built-in Quay registry** (optional - if not using Quay): Comment out the Quay-related applications in `values-hub.yaml`: `quay-enterprise` namespace, `quay-operator` subscription, and `quay-registry` application. +1. **Disable built-in Quay registry** (optional - if not using Quay): Comment out the Quay-related applications in `values-hub.yaml`: `quay-enterprise` namespace, `quay-operator` subscription, and `quay-registry` application. Remove the `applications.supply-chain.overrides.quay.enabled` and `applications.supply-chain.overrides.registry.tlsVerify` settings. 2. **Configure registry credentials in Vault** (**BYO registry only**): Per VP rule, add your registry credentials to `~/values-secrets.yaml` (or `~/values-secret.yaml` / `~/values-secret-layered-zero-trust.yaml` per VP lookup order): @@ -213,7 +376,7 @@ resourceHealthChecks: return hs ``` -## Pipeline +## Automated Secure Supply Chain Pipeline To build and certify the application, we will use _Red Hat OpenShift Pipelines_. @@ -408,7 +571,7 @@ The credentials to access the Quay web interface can be obtained as follows: -o jsonpath='{.items[0].spec.host}')" ``` -* Quay username: The same one you specified in `values-hub.yaml` or **quay-user**. +* Quay username: The same one you specified in `values-hub.yaml` or **quay-admin**. * Quay password: ```shell
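Review bot: in the `@@ -36,13 +36,176 @@` hunk the new `supply-chain` application overrides set `registry.tlsVerify` to `"false"` for the embedded Quay registry without stating why. That setting disables TLS certificate verification for every image push and pull the pipeline performs, so the comment `# If you are using the Quay embedded registry, add these attributes:` should give the reason (presumably the registry's self-signed certificate) and say explicitly that it must not be carried over to a BYO registry, which is what step 1 of the BYO section asks the reader to remove. Smaller points in the same hunk: the first bullet names the key `clustergroup.namespaces` while the second names it `clusterGroup.subscriptions`, so one of the two casings is wrong; the new YAML snippets are fenced as ```shell rather than ```yaml; `rhtas.enabled` and `rhtpa.enabled` use an unquoted `value: true` while every neighbouring override uses a quoted string such as `value: "true"`, and the VP override mechanism expects strings; and the `trusted-artifact-signer` namespace entry is annotated `# Auto-created by RHTAS operator` even though the hunk creates it explicitly at sync-wave 32, so either the comment or the entry should go.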
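Review bot: in the `@@ -213,7 +376,7 @@` hunk renaming `## Pipeline` to `## Automated Secure Supply Chain Pipeline` changes the heading's generated anchor from `#pipeline` to `#automated-secure-supply-chain-pipeline`; any link to `docs/supply-chain.md#pipeline` elsewhere in the repository (README, other docs, issue templates) will silently break, so grep for the old anchor and update it in the same change.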
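Review bot: in the `@@ -408,7 +571,7 @@` hunk the documented default Quay username changes from **quay-user** to **quay-admin**, but the patch only touches the docs; the default itself lives in the chart or in `values-hub.yaml`, neither of which is in this diff, so confirm that `quay-admin` is what the deployed registry actually uses, and name the exact `values-hub.yaml` key that the sentence `The same one you specified in values-hub.yaml` refers to, so the documentation and the chart default cannot drift apart again.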