From 674f1ae8b134e1c73ac8ce201c7e6216cd609d31 Mon Sep 17 00:00:00 2001 From: pxp928 Date: Sun, 7 Aug 2022 12:51:21 -0400 Subject: [PATCH 1/2] broke out scirpts to install and setup Signed-off-by: pxp928 --- .github/workflows/install-frsca.yaml | 6 +++ Makefile | 46 ++++++++++++++----- platform/10-tekton-pipelines-install.sh | 24 ++++++++++ ...n-setup.sh => 11-tekton-pipeline-setup.sh} | 10 ---- platform/12-tekton-chains-install.sh | 14 ++++++ ...on-chains.sh => 13-tekton-chains-setup.sh} | 9 ++-- ...{12-tekton-tasks.sh => 14-tekton-tasks.sh} | 0 platform/20-spire-install.sh | 20 ++++++++ .../{20-spire-setup.sh => 21-spire-setup.sh} | 16 +++---- platform/30-kyverno-install.sh | 18 ++++++++ ...0-kyverno-setup.sh => 31-kyverno-setup.sh} | 6 --- ...er-setup.sh => 35-opa-gatekeeper-setup.sh} | 0 12 files changed, 127 insertions(+), 42 deletions(-) create mode 100755 platform/10-tekton-pipelines-install.sh rename platform/{10-tekton-setup.sh => 11-tekton-pipeline-setup.sh} (58%) create mode 100755 platform/12-tekton-chains-install.sh rename platform/{11-tekton-chains.sh => 13-tekton-chains-setup.sh} (83%) rename platform/{12-tekton-tasks.sh => 14-tekton-tasks.sh} (100%) create mode 100755 platform/20-spire-install.sh rename platform/{20-spire-setup.sh => 21-spire-setup.sh} (74%) create mode 100755 platform/30-kyverno-install.sh rename platform/{30-kyverno-setup.sh => 31-kyverno-setup.sh} (88%) rename platform/{31-opa-gatekeeper-setup.sh => 35-opa-gatekeeper-setup.sh} (100%) diff --git a/.github/workflows/install-frsca.yaml b/.github/workflows/install-frsca.yaml index 29892bed..253e1bdf 100644 --- a/.github/workflows/install-frsca.yaml +++ b/.github/workflows/install-frsca.yaml 
@@ -46,15 +46,21 @@ jobs:
 make setup-certs
 - name: Setup Tekton Pipeline and Chains
 run: |
+ make install-tekton-pipelines
+ make setup-tekton-pipelines
+ make install-tekton-chains
 make setup-tekton-chains
 - name: Setup Spire
 run: |
+ make install-spire
 make setup-spire
 - name: Setup Vault
 run: |
+ make install-vault
 make setup-vault
 - name: Setup Kyverno
 run: |
+ make install-kyverno
 make setup-kyverno
 - name: Run buildpacks pipeline
 run: |
diff --git a/Makefile b/Makefile
index 5cb86dac..0d6870b4 100644
--- a/Makefile
+++ b/Makefile
@@ -22,7 +22,7 @@ help: # Display help
 }' $(MAKEFILE_LIST) | sort
 
 .PHONY: quickstart
-quickstart: setup-minikube setup-frsca setup-kyverno example-buildpacks ## Spin up the FRSCA project into minikube
+quickstart: setup-minikube setup-frsca install-kyverno setup-kyverno example-buildpacks ## Spin up the FRSCA project into minikube
 
 .PHONY: teardown
 teardown:
@@ -33,7 +33,7 @@ setup-minikube: ## Setup a Kubernetes cluster using Minikube
 bash platform/00-kubernetes-minikube-setup.sh
 
 .PHONY: setup-frsca
-setup-frsca: setup-certs setup-registry setup-tekton-chains setup-spire setup-vault
+setup-frsca: setup-certs setup-registry install-tekton-pipelines setup-tekton-pipelines install-tekton-chains setup-tekton-chains install-spire setup-spire install-vault setup-vault
 
 .PHONY: setup-certs
 setup-certs: ## Setup certificates used by vault and spire
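Review bot: The new `setup-frsca` prerequisite list encodes the install-then-setup ordering only by position, and GNU make honours that order solely for a serial build; `make -j setup-frsca`, or someone running `make setup-tekton-chains` on a fresh cluster, will run `13-tekton-chains-setup.sh` (which `kubectl patch`es the Chains config) before `12-tekton-chains-install.sh` has created it. Declare the edges once so every entry point gets them, e.g. `setup-tekton-pipelines: install-tekton-pipelines`, `setup-tekton-chains: install-tekton-chains`, `setup-spire: install-spire`, and the same for vault; the list on this line can then stay as written. Whether spire or vault setup additionally depends on the registry or on each other is not visible in this hunk and should be checked against the scripts before `-j` is relied on.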
@@ -47,36 +47,58 @@ setup-registry: ## Setup a registry registry-proxy: ## Forward the registry to the host bash platform/05-registry-proxy.sh +.PHONY: install-tekton-pipelines +install-tekton-pipelines: ## Install a Tekton CD + bash platform/10-tekton-pipelines-install.sh + bash platform/14-tekton-tasks.sh + +.PHONY: setup-tekton-pipelines +setup-tekton-pipelines: ## Setup a Tekton CD + bash platform/11-tekton-pipeline-setup.sh + +.PHONY: install-tekton-chains +install-tekton-chains: ## Install a Tekton Chains + bash platform/12-tekton-chains-install.sh + .PHONY: setup-tekton-chains -setup-tekton-chains: ## Setup a Tekton CD with Chains. - bash platform/10-tekton-setup.sh - bash platform/11-tekton-chains.sh - bash platform/12-tekton-tasks.sh +setup-tekton-chains: ## Setup a Tekton Chains + bash platform/13-tekton-chains-setup.sh .PHONY: tekton-generate-keys -tekton-generate-keys: ## Generate key pair for Tekton. +tekton-generate-keys: ## Generate key pair for Tekton bash scripts/gen-keys.sh .PHONY: tekton-verify-taskrun tekton-verify-taskrun: ## Verify taskrun payload against signature bash scripts/provenance.sh +.PHONY: install-spire +install-spire: ## install spire + bash platform/20-spire-install.sh + .PHONY: setup-spire setup-spire: ## Setup spire - bash platform/20-spire-setup.sh + bash platform/21-spire-setup.sh + +.PHONY: install-vault +install-vault: ## Install vault + bash platform/25-vault-install.sh .PHONY: setup-vault setup-vault: ## Setup vault - bash platform/25-vault-install.sh bash platform/26-vault-setup.sh +.PHONY: install-kyverno +install-kyverno: ## Install Kyverno + bash platform/30-kyverno-install.sh + .PHONY: setup-kyverno -setup-kyverno: ## Setup Kyverno. 
- bash platform/30-kyverno-setup.sh +setup-kyverno: ## Setup Kyverno + bash platform/31-kyverno-setup.sh .PHONY: setup-opa-gatekeeper setup-opa-gatekeeper: ## Setup opa gatekeeper - bash platform/31-opa-gatekeeper-setup.sh + bash platform/35-opa-gatekeeper-setup.sh .PHONY: setup-efk-stack setup-efk-stack: ## Setup up EFK stack diff --git a/platform/10-tekton-pipelines-install.sh b/platform/10-tekton-pipelines-install.sh new file mode 100755 index 00000000..71640cc4 --- /dev/null +++ b/platform/10-tekton-pipelines-install.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash +set -euo pipefail + +GIT_ROOT=$(git rev-parse --show-toplevel) + +# Define variables. +C_GREEN='\033[32m' +C_RESET_ALL='\033[0m' + +# Setup Tekton. +echo -e "${C_GREEN}Installing Tekton CD...${C_RESET_ALL}" +kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/pipeline/release.yaml + +# Setup the Dashboard. +# Use `kubectl proxy --port=8080` and then +# http://localhost:8080/api/v1/namespaces/tekton-pipelines/services/tekton-dashboard:http/proxy/ +# to access it. + +echo -e "${C_GREEN}Installing up Tekton Dashboard...${C_RESET_ALL}" +kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/dashboard/tekton-dashboard-release.yaml +kubectl rollout status -n tekton-pipelines deployment/tekton-dashboard + +# Wait for tekton pipelines configuration webhook to come up +kubectl rollout status -n tekton-pipelines deployment/tekton-pipelines-webhook diff --git a/platform/10-tekton-setup.sh b/platform/11-tekton-pipeline-setup.sh similarity index 58% rename from platform/10-tekton-setup.sh rename to platform/11-tekton-pipeline-setup.sh index d508d903..19d473f5 100755 --- a/platform/10-tekton-setup.sh +++ b/platform/11-tekton-pipeline-setup.sh 
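Review bot: The Tekton Dashboard is applied unconditionally next to the pipelines release, and the comment above it tells users to expose it through `kubectl proxy`; whether the vendored `tekton-dashboard-release.yaml` is the read-only or the read/write build is not visible here, and a read/write dashboard lets anyone who can reach that proxy create and re-run PipelineRuns inside the cluster that produces signed provenance. Confirm which variant is vendored and record it where the next person will look, e.g. `# NOTE: vendored dashboard is the read-only build; do not swap in the read/write release without gating access.`, or make the dashboard install opt-in via an environment variable. Separately, the echo string reads `Installing up Tekton Dashboard...` — drop the `up`.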
@@ -9,7 +9,6 @@ C_RESET_ALL='\033[0m' # Setup Tekton. echo -e "${C_GREEN}Setting up Tekton CD...${C_RESET_ALL}" -kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/pipeline/release.yaml ca_cert="${GIT_ROOT}/platform/certs/ca/ca.pem" # TODO: at most only one of these is actually needed @@ -24,12 +23,3 @@ kubectl -n tekton-pipelines delete pod -l app=tekton-pipelines-controller kubectl rollout status -n tekton-pipelines deployment/tekton-pipelines-controller -# Setup the Dashboard. -# Use `kubectl proxy --port=8080` and then -# http://localhost:8080/api/v1/namespaces/tekton-pipelines/services/tekton-dashboard:http/proxy/ -# to access it. -kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/dashboard/tekton-dashboard-release.yaml -kubectl rollout status -n tekton-pipelines deployment/tekton-dashboard - -# Wait for tekton pipelines configuration webhook to come up -kubectl rollout status -n tekton-pipelines deployment/tekton-pipelines-webhook diff --git a/platform/12-tekton-chains-install.sh b/platform/12-tekton-chains-install.sh new file mode 100755 index 00000000..321efe17 --- /dev/null +++ b/platform/12-tekton-chains-install.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env bash +set -euo pipefail + +GIT_ROOT=$(git rev-parse --show-toplevel) + +# Define variables. +C_GREEN='\033[32m' +C_RESET_ALL='\033[0m' + +# Install Chains. +echo -e "${C_GREEN}Installing Tekton Chains...${C_RESET_ALL}" + +kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/chains/release.yaml || true +kubectl rollout status -n tekton-chains deployment/tekton-chains-controller diff --git a/platform/11-tekton-chains.sh b/platform/13-tekton-chains-setup.sh similarity index 83% rename from platform/11-tekton-chains.sh rename to platform/13-tekton-chains-setup.sh index 725d1a47..f67824d6 100755 --- a/platform/11-tekton-chains.sh +++ b/platform/13-tekton-chains-setup.sh 
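Review bot: `kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/chains/release.yaml || true` discards the exit status of the one command this new script exists to run, so a partial or failed apply of the Chains release is silent, and the `rollout status` on the next line only catches the case where the Deployment object never appeared at all. Chains is the component that signs and attests every TaskRun, so a half-applied controller is worse than a failed script: under `set -euo pipefail` just drop the `|| true`, or if it is there to tolerate a transient first-apply failure, make the retry explicit and still fail on the second miss, e.g. `kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/chains/release.yaml || { sleep 10; kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/chains/release.yaml; }` with a comment naming the reason. The `|| true` was carried over verbatim from `11-tekton-chains.sh`, so this is pre-existing rather than introduced by the split.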
@@ -3,11 +3,12 @@ set -euo pipefail GIT_ROOT=$(git rev-parse --show-toplevel) -# Setup tekton Chains +# Define variables. +C_GREEN='\033[32m' +C_RESET_ALL='\033[0m' -# Install Chains. -kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/chains/release.yaml || true -kubectl rollout status -n tekton-chains deployment/tekton-chains-controller +# Setup tekton Chains +echo -e "${C_GREEN}Setting up Tekton Chains...${C_RESET_ALL}" # Patch chains to generate in-toto provenance and store output in OCI kubectl patch \ diff --git a/platform/12-tekton-tasks.sh b/platform/14-tekton-tasks.sh similarity index 100% rename from platform/12-tekton-tasks.sh rename to platform/14-tekton-tasks.sh diff --git a/platform/20-spire-install.sh b/platform/20-spire-install.sh new file mode 100755 index 00000000..3a551ae4 --- /dev/null +++ b/platform/20-spire-install.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash +set -exuo pipefail + +GIT_ROOT=$(git rev-parse --show-toplevel) + +# Define variables. +C_GREEN='\033[32m' +C_RESET_ALL='\033[0m' + +# Install Spire. + echo -e "${C_GREEN}Installing Spire..${C_RESET_ALL}" + +kubectl create namespace spire --dry-run=client -o yaml | kubectl apply -f - + +helm upgrade --install spire "${GIT_ROOT}/platform/vendor/spire/chart" \ + --values "${GIT_ROOT}/platform/components/spire/values.yaml" \ + --namespace spire --wait + +kubectl rollout status -n spire statefulset/spire-server +kubectl rollout status -n spire daemonset/spire-agent diff --git a/platform/20-spire-setup.sh b/platform/21-spire-setup.sh similarity index 74% rename from platform/20-spire-setup.sh rename to platform/21-spire-setup.sh index 03df28f1..bc976df4 100755 --- a/platform/20-spire-setup.sh +++ b/platform/21-spire-setup.sh 
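Review bot: `set -exuo pipefail` in the new `20-spire-install.sh` differs from the `set -euo pipefail` used by the sibling install scripts added in this commit (`10-tekton-pipelines-install.sh`, `12-tekton-chains-install.sh`, `30-kyverno-install.sh`), and `-x` traces every expanded command, including the full `helm upgrade --install ... --values ...` line, into the CI log; nothing visible here carries a secret, so this is noise rather than a leak, but it should be a deliberate choice. Either drop the `x` for consistency or keep it with a one-line reason, and fix the stray leading space on ` echo -e "${C_GREEN}Installing Spire..${C_RESET_ALL}"` (the other scripts start at column 0, and the message is short a dot). `helm --wait` presumably already blocks until the StatefulSet and DaemonSet are ready, so the two `kubectl rollout status` calls after it are a harmless double check worth a comment saying so.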
@@ -1,7 +1,12 @@ #!/usr/bin/env bash set -exuo pipefail -GIT_ROOT=$(git rev-parse --show-toplevel) +# Define variables. +C_GREEN='\033[32m' +C_RESET_ALL='\033[0m' + +# Setup spire +echo -e "${C_GREEN}Setting up spire...${C_RESET_ALL}" spire_apply() { if [ $# -lt 2 ] || [ "$1" != "-spiffeID" ]; then @@ -21,15 +26,6 @@ spire_apply() { /opt/spire/bin/spire-server entry create "$@" } -kubectl create namespace spire --dry-run=client -o yaml | kubectl apply -f - - -helm upgrade --install spire "${GIT_ROOT}/platform/vendor/spire/chart" \ - --values "${GIT_ROOT}/platform/components/spire/values.yaml" \ - --namespace spire --wait - -kubectl rollout status -n spire statefulset/spire-server -kubectl rollout status -n spire daemonset/spire-agent - # Register Workloads. spire_apply \ -spiffeID spiffe://example.org/ns/spire/node/frsca \ diff --git a/platform/30-kyverno-install.sh b/platform/30-kyverno-install.sh new file mode 100755 index 00000000..c95ddcec --- /dev/null +++ b/platform/30-kyverno-install.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash +set -euo pipefail + +GIT_ROOT=$(git rev-parse --show-toplevel) +KYVERNO_INSTALL_DIR=${GIT_ROOT}/platform/vendor/kyverno/release + +# Define variables. +C_GREEN='\033[32m' +C_RESET_ALL='\033[0m' + +# Kyverno setup from the getting started tutorial: +# https://nirmata.com/2021/08/12/kubernetes-supply-chain-policy-management-with-cosign-and-kyverno/ +# Installation: https://kyverno.io/docs/installation/ + +echo -e "${C_GREEN}Installing Kyverno...${C_RESET_ALL}" +kubectl apply -f "$KYVERNO_INSTALL_DIR"/install.yaml +# Wait for kyverno deployment to complete +kubectl rollout status -n kyverno deployment/kyverno diff --git a/platform/30-kyverno-setup.sh b/platform/31-kyverno-setup.sh similarity index 88% rename from platform/30-kyverno-setup.sh rename to platform/31-kyverno-setup.sh index 7216490f..475b1a63 100755 --- a/platform/30-kyverno-setup.sh +++ b/platform/31-kyverno-setup.sh 
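Review bot: The first hunk deletes `GIT_ROOT=$(git rev-parse --show-toplevel)` while the script keeps `set -exuo pipefail`; the only `${GIT_ROOT}` uses visible here are the helm lines removed in the second hunk, but if any line outside these hunks still references it, `-u` now aborts the script with an `unbound variable` error at that point. A grep of the rest of `21-spire-setup.sh` settles it; if it is genuinely unused the deletion is right. The `spire_apply` function and the `# Register Workloads.` block continue outside the hunks shown.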
@@ -9,7 +9,6 @@ fi REPO="ttl.sh/*" GIT_ROOT=$(git rev-parse --show-toplevel) -KYVERNO_INSTALL_DIR=${GIT_ROOT}/platform/vendor/kyverno/release # Define variables. C_GREEN='\033[32m' @@ -22,11 +21,6 @@ DOCKER_CONFIG_JSON=$HOME/.docker/config.json # https://nirmata.com/2021/08/12/kubernetes-supply-chain-policy-management-with-cosign-and-kyverno/ # Installation: https://kyverno.io/docs/installation/ -echo -e "${C_GREEN}Installing Kyverno...${C_RESET_ALL}" -kubectl apply -f "$KYVERNO_INSTALL_DIR"/install.yaml -# Wait for kyverno deployment to complete -kubectl rollout status -n kyverno deployment/kyverno - echo -e "${C_GREEN}Creating docker config secrets...${C_RESET_ALL}" # TODO: This should just be the normal secret if the kaniko task is updated to correctly use the docker config secret instead of requiring it to be hardcoded as config.json kubectl create secret generic secret-dockerconfigjson --type=opaque --from-file=config.json="$DOCKER_CONFIG_JSON" --dry-run=client -o yaml | kubectl apply -f - diff --git a/platform/31-opa-gatekeeper-setup.sh b/platform/35-opa-gatekeeper-setup.sh similarity index 100% rename from platform/31-opa-gatekeeper-setup.sh rename to platform/35-opa-gatekeeper-setup.sh From 9f5f825b932be5bde335675768e2416dc5ce17c4 Mon Sep 17 00:00:00 2001 From: pxp928 Date: Sun, 7 Aug 2022 18:47:48 -0400 Subject: [PATCH 2/2] added concurrency to make file Signed-off-by: pxp928 --- .github/workflows/install-frsca.yaml | 22 ++-------------------- Makefile | 14 +++++++++++--- 2 files changed, 13 insertions(+), 23 deletions(-) diff --git a/.github/workflows/install-frsca.yaml b/.github/workflows/install-frsca.yaml index 253e1bdf..3ba7bd96 100644 --- a/.github/workflows/install-frsca.yaml +++ b/.github/workflows/install-frsca.yaml 
@@ -41,27 +41,9 @@ jobs:
 make setup-minikube
 - name: Try the cluster !
 run: kubectl get pods -A
- - name: Generate certs
+ - name: Initialize FRSCA
 run: |
- make setup-certs
- - name: Setup Tekton Pipeline and Chains
- run: |
- make install-tekton-pipelines
- make setup-tekton-pipelines
- make install-tekton-chains
- make setup-tekton-chains
- - name: Setup Spire
- run: |
- make install-spire
- make setup-spire
- - name: Setup Vault
- run: |
- make install-vault
- make setup-vault
- - name: Setup Kyverno
- run: |
- make install-kyverno
- make setup-kyverno
+ make setup-frsca
 - name: Run buildpacks pipeline
 run: |
 make example-buildpacks
diff --git a/Makefile b/Makefile
index 0d6870b4..f307cd02 100644
--- a/Makefile
+++ b/Makefile
@@ -22,7 +22,7 @@ help: # Display help
 }' $(MAKEFILE_LIST) | sort
 
 .PHONY: quickstart
-quickstart: setup-minikube setup-frsca install-kyverno setup-kyverno example-buildpacks ## Spin up the FRSCA project into minikube
+quickstart: setup-minikube setup-frsca example-buildpacks ## Spin up the FRSCA project into minikube
 
 .PHONY: teardown
 teardown:
@@ -33,7 +33,15 @@ setup-minikube: ## Setup a Kubernetes cluster using Minikube
 bash platform/00-kubernetes-minikube-setup.sh
 
 .PHONY: setup-frsca
-setup-frsca: setup-certs setup-registry install-tekton-pipelines setup-tekton-pipelines install-tekton-chains setup-tekton-chains install-spire setup-spire install-vault setup-vault
+setup-frsca: setup-certs install-components setup-components setup-kyverno
+
+.PHONY: install-components
+install-components:
+ make -j install-tekton-pipelines install-tekton-chains install-spire install-vault install-kyverno
+
+.PHONY: setup-components
+setup-components:
+ make -j setup-tekton-pipelines setup-tekton-chains setup-spire setup-vault setup-registry
 
 .PHONY: setup-certs
 setup-certs: ## Setup certificates used by vault and spire
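Review bot: `install-components` and `setup-components` invoke the recursive build as bare `make -j` rather than `$(MAKE) -j`, so the sub-make is not guaranteed to be the same binary, does not join the parent's jobserver, and ignores `make -n`; a bare `-j` with no count also means unbounded parallelism, which on a laptop minikube turns five concurrent `kubectl apply`/`helm --wait` runs into memory and API-server contention, and their interleaved output is what the collapsed `Initialize FRSCA` workflow step will now show on failure. More importantly the previous `setup-frsca` line expressed an order (registry, then pipelines, chains, spire, vault) and `-j` discards it: any setup script that reads something another one creates now races, and whether `setup-vault` or `setup-tekton-chains` need `setup-spire` or `setup-registry` first is not visible here. I would write `$(MAKE) -j$(JOBS) --output-sync=target install-tekton-pipelines install-tekton-chains install-spire install-vault install-kyverno` with `JOBS ?= 4` near the top (`--output-sync` needs GNU make 4.0+), declare an explicit prerequisite for every cross-component dependency the scripts turn out to have, and give both new targets a `## ` description so they appear in `make help`.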
@@ -50,11 +58,11 @@ registry-proxy: ## Forward the registry to the host
 .PHONY: install-tekton-pipelines
 install-tekton-pipelines: ## Install a Tekton CD
 bash platform/10-tekton-pipelines-install.sh
- bash platform/14-tekton-tasks.sh
 
 .PHONY: setup-tekton-pipelines
 setup-tekton-pipelines: ## Setup a Tekton CD
 bash platform/11-tekton-pipeline-setup.sh
+ bash platform/14-tekton-tasks.sh
 
 .PHONY: install-tekton-chains
 install-tekton-chains: ## Install a Tekton Chains
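Review bot: The two help strings `## Install a Tekton CD` and `## Setup a Tekton CD` no longer say what distinguishes the targets now that `14-tekton-tasks.sh` has moved into the setup one, and `make help` prints them side by side. Suggest `## Apply the vendored Tekton Pipelines and Dashboard releases` for `install-tekton-pipelines` and `## Configure Tekton Pipelines (CA cert) and apply the vendored Tasks` for `setup-tekton-pipelines`. Applying the Tasks still happens after `10-tekton-pipelines-install.sh` has waited on the pipelines webhook, so the move itself looks safe.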