buildsec · kodiakhq · Aug 12, 2022 · Aug 7, 2022 · Aug 7, 2022 · Aug 7, 2022
@@ -41,21 +41,9 @@ jobs:
           make setup-minikube
       - name: Try the cluster !
         run: kubectl get pods -A
-      - name: Generate certs
+      - name: Initialize FRSCA
         run: |
-          make setup-certs
-      - name: Setup Tekton Pipeline and Chains
-        run: |
-          make setup-tekton-chains
-      - name: Setup Spire
-        run: |
-          make setup-spire
-      - name: Setup Vault
-        run: |
-          make setup-vault
-      - name: Setup Kyverno
-        run: |
-          make setup-kyverno
+          make setup-frsca
       - name: Run buildpacks pipeline
         run: |
           make example-buildpacks

@@ -22,7 +22,7 @@ help: # Display help
 		}' $(MAKEFILE_LIST) | sort
 
 .PHONY: quickstart
-quickstart: setup-minikube setup-frsca setup-kyverno example-buildpacks ## Spin up the FRSCA project into minikube
+quickstart: setup-minikube setup-frsca example-buildpacks ## Spin up the FRSCA project into minikube
 
 .PHONY: teardown
 teardown:
@@ -33,7 +33,15 @@ setup-minikube: ## Setup a Kubernetes cluster using Minikube
 	bash platform/00-kubernetes-minikube-setup.sh
 
 .PHONY: setup-frsca
-setup-frsca: setup-certs setup-registry setup-tekton-chains setup-spire setup-vault
+setup-frsca: setup-certs install-components setup-components setup-kyverno
+
+.PHONY: install-components
+install-components: 
+	make -j install-tekton-pipelines install-tekton-chains install-spire install-vault install-kyverno
+
+.PHONY: setup-components
+setup-components: 
+	make -j setup-tekton-pipelines setup-tekton-chains setup-spire setup-vault setup-registry
 
 .PHONY: setup-certs
 setup-certs: ## Setup certificates used by vault and spire
@@ -47,36 +55,58 @@ setup-registry: ## Setup a registry
 registry-proxy: ## Forward the registry to the host
 	bash platform/05-registry-proxy.sh
 
+.PHONY: install-tekton-pipelines
+install-tekton-pipelines: ## Install a Tekton CD
+	bash platform/10-tekton-pipelines-install.sh
+
+.PHONY: setup-tekton-pipelines
+setup-tekton-pipelines: ## Setup a Tekton CD
+	bash platform/11-tekton-pipeline-setup.sh
+	bash platform/14-tekton-tasks.sh
+
+.PHONY: install-tekton-chains
+install-tekton-chains: ## Install a Tekton Chains
+	bash platform/12-tekton-chains-install.sh
+
 .PHONY: setup-tekton-chains
-setup-tekton-chains: ## Setup a Tekton CD with Chains.
-	bash platform/10-tekton-setup.sh
-	bash platform/11-tekton-chains.sh
-	bash platform/12-tekton-tasks.sh
+setup-tekton-chains: ## Setup a Tekton Chains
+	bash platform/13-tekton-chains-setup.sh
 
 .PHONY: tekton-generate-keys
-tekton-generate-keys: ## Generate key pair for Tekton.
+tekton-generate-keys: ## Generate key pair for Tekton
 	bash scripts/gen-keys.sh
 
 .PHONY: tekton-verify-taskrun
 tekton-verify-taskrun: ## Verify taskrun payload against signature
 	bash scripts/provenance.sh
 
+.PHONY: install-spire
+install-spire: ## install spire
+	bash platform/20-spire-install.sh
+
 .PHONY: setup-spire
 setup-spire: ## Setup spire
-	bash platform/20-spire-setup.sh
+	bash platform/21-spire-setup.sh
+
+.PHONY: install-vault
+install-vault: ## Install vault
+	bash platform/25-vault-install.sh
 
 .PHONY: setup-vault
 setup-vault: ## Setup vault
-	bash platform/25-vault-install.sh
 	bash platform/26-vault-setup.sh
 
+.PHONY: install-kyverno
+install-kyverno: ## Install Kyverno
+	bash platform/30-kyverno-install.sh
+
 .PHONY: setup-kyverno
-setup-kyverno: ## Setup Kyverno.
-	bash platform/30-kyverno-setup.sh
+setup-kyverno: ## Setup Kyverno
+	bash platform/31-kyverno-setup.sh
 
 .PHONY: setup-opa-gatekeeper
 setup-opa-gatekeeper: ##  Setup opa gatekeeper
-	bash platform/31-opa-gatekeeper-setup.sh
+	bash platform/35-opa-gatekeeper-setup.sh
 
 .PHONY: setup-efk-stack
 setup-efk-stack: ## Setup up EFK stack

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+GIT_ROOT=$(git rev-parse --show-toplevel)
+
+# Define variables.
+C_GREEN='\033[32m'
+C_RESET_ALL='\033[0m'
+
+# Setup Tekton.
+echo -e "${C_GREEN}Installing Tekton CD...${C_RESET_ALL}"
+kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/pipeline/release.yaml
+
+# Setup the Dashboard.
+#   Use `kubectl proxy --port=8080` and then
+#   http://localhost:8080/api/v1/namespaces/tekton-pipelines/services/tekton-dashboard:http/proxy/
+#   to access it.
+
+echo -e "${C_GREEN}Installing up Tekton Dashboard...${C_RESET_ALL}"
+kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/dashboard/tekton-dashboard-release.yaml
+kubectl rollout status -n tekton-pipelines deployment/tekton-dashboard
+
+# Wait for tekton pipelines configuration webhook to come up
+kubectl rollout status -n tekton-pipelines deployment/tekton-pipelines-webhook
@@ -9,7 +9,6 @@ C_RESET_ALL='\033[0m'
 
 # Setup Tekton.
 echo -e "${C_GREEN}Setting up Tekton CD...${C_RESET_ALL}"
-kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/pipeline/release.yaml
 
 ca_cert="${GIT_ROOT}/platform/certs/ca/ca.pem"
 # TODO: at most only one of these is actually needed
@@ -24,12 +23,3 @@ kubectl -n tekton-pipelines delete pod -l app=tekton-pipelines-controller
 
 kubectl rollout status -n tekton-pipelines deployment/tekton-pipelines-controller
 
-# Setup the Dashboard.
-#   Use `kubectl proxy --port=8080` and then
-#   http://localhost:8080/api/v1/namespaces/tekton-pipelines/services/tekton-dashboard:http/proxy/
-#   to access it.
-kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/dashboard/tekton-dashboard-release.yaml
-kubectl rollout status -n tekton-pipelines deployment/tekton-dashboard
-
-# Wait for tekton pipelines configuration webhook to come up
-kubectl rollout status -n tekton-pipelines deployment/tekton-pipelines-webhook
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+GIT_ROOT=$(git rev-parse --show-toplevel)
+
+# Define variables.
+C_GREEN='\033[32m'
+C_RESET_ALL='\033[0m'
+
+# Install Chains.
+echo -e "${C_GREEN}Installing Tekton Chains...${C_RESET_ALL}"
+
+kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/chains/release.yaml || true
+kubectl rollout status -n tekton-chains deployment/tekton-chains-controller
@@ -3,11 +3,12 @@ set -euo pipefail
 
 GIT_ROOT=$(git rev-parse --show-toplevel)
 
-# Setup tekton Chains
+# Define variables.
+C_GREEN='\033[32m'
+C_RESET_ALL='\033[0m'
 
-# Install Chains.
-kubectl apply --filename "$GIT_ROOT"/platform/vendor/tekton/chains/release.yaml || true
-kubectl rollout status -n tekton-chains deployment/tekton-chains-controller
+# Setup tekton Chains
+echo -e "${C_GREEN}Setting up Tekton Chains...${C_RESET_ALL}"
 
 # Patch chains to generate in-toto provenance and store output in OCI
 kubectl patch \

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -exuo pipefail
+
+GIT_ROOT=$(git rev-parse --show-toplevel)
+
+# Define variables.
+C_GREEN='\033[32m'
+C_RESET_ALL='\033[0m'
+
+# Install Spire.
+ echo -e "${C_GREEN}Installing Spire..${C_RESET_ALL}"
+
+kubectl create namespace spire --dry-run=client -o yaml | kubectl apply -f -
+
+helm upgrade --install spire "${GIT_ROOT}/platform/vendor/spire/chart" \
+  --values "${GIT_ROOT}/platform/components/spire/values.yaml" \
+  --namespace spire --wait
+
+kubectl rollout status -n spire statefulset/spire-server
+kubectl rollout status -n spire daemonset/spire-agent
@@ -1,7 +1,12 @@
 #!/usr/bin/env bash
 set -exuo pipefail
 
-GIT_ROOT=$(git rev-parse --show-toplevel)
+# Define variables.
+C_GREEN='\033[32m'
+C_RESET_ALL='\033[0m'
+
+# Setup spire
+echo -e "${C_GREEN}Setting up spire...${C_RESET_ALL}"
 
 spire_apply() {
   if [ $# -lt 2 ] || [ "$1" != "-spiffeID" ]; then
@@ -21,15 +26,6 @@ spire_apply() {
     /opt/spire/bin/spire-server entry create "$@"
 }
 
-kubectl create namespace spire --dry-run=client -o yaml | kubectl apply -f -
-
-helm upgrade --install spire "${GIT_ROOT}/platform/vendor/spire/chart" \
-  --values "${GIT_ROOT}/platform/components/spire/values.yaml" \
-  --namespace spire --wait
-
-kubectl rollout status -n spire statefulset/spire-server
-kubectl rollout status -n spire daemonset/spire-agent
-
 # Register Workloads.
 spire_apply \
   -spiffeID spiffe://example.org/ns/spire/node/frsca \

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+GIT_ROOT=$(git rev-parse --show-toplevel)
+KYVERNO_INSTALL_DIR=${GIT_ROOT}/platform/vendor/kyverno/release
+
+# Define variables.
+C_GREEN='\033[32m'
+C_RESET_ALL='\033[0m'
+
+# Kyverno setup from the getting started tutorial:
+#   https://nirmata.com/2021/08/12/kubernetes-supply-chain-policy-management-with-cosign-and-kyverno/
+#   Installation: https://kyverno.io/docs/installation/
+
+echo -e "${C_GREEN}Installing Kyverno...${C_RESET_ALL}"
+kubectl apply -f "$KYVERNO_INSTALL_DIR"/install.yaml
+# Wait for kyverno deployment to complete
+kubectl rollout status -n kyverno deployment/kyverno
@@ -9,7 +9,6 @@ fi
 REPO="ttl.sh/*"
 
 GIT_ROOT=$(git rev-parse --show-toplevel)
-KYVERNO_INSTALL_DIR=${GIT_ROOT}/platform/vendor/kyverno/release
 
 # Define variables.
 C_GREEN='\033[32m'
@@ -22,11 +21,6 @@ DOCKER_CONFIG_JSON=$HOME/.docker/config.json
 #   https://nirmata.com/2021/08/12/kubernetes-supply-chain-policy-management-with-cosign-and-kyverno/
 #   Installation: https://kyverno.io/docs/installation/
 
-echo -e "${C_GREEN}Installing Kyverno...${C_RESET_ALL}"
-kubectl apply -f "$KYVERNO_INSTALL_DIR"/install.yaml
-# Wait for kyverno deployment to complete
-kubectl rollout status -n kyverno deployment/kyverno
-
 echo -e "${C_GREEN}Creating docker config secrets...${C_RESET_ALL}"
 # TODO: This should just be the normal secret if the kaniko task is updated to correctly use the docker config secret instead of requiring it to be hardcoded as config.json
 kubectl create secret generic secret-dockerconfigjson --type=opaque --from-file=config.json="$DOCKER_CONFIG_JSON" --dry-run=client -o yaml | kubectl apply -f -