Added v11y-api resources (trustification#28)

* Added v11y-api resources Signed-off-by: Rajan Ravi <[email protected]> * Added Environment lookup for sensitive information Signed-off-by: Rajan Ravi <[email protected]> * Error handling and changes for existing resources Signed-off-by: Rajan Ravi <[email protected]> * configmap updates for v11y-api-deployment Signed-off-by: Rajan Ravi <[email protected]> * Jinja2 changes and deployment configmap/secret updates Signed-off-by: Rajan Ravi <[email protected]> * Volume updates for secret and configmap Signed-off-by: Rajan Ravi <[email protected]> * new line new line --------- Signed-off-by: Rajan Ravi <[email protected]> Co-authored-by: Rajan Ravi <[email protected]> Co-authored-by: Massimiliano Dessì - (Fast Chauffeur) <[email protected]>
desmax74 · Sep 20, 2024 · 48c3e62 · 48c3e62
1 parent b14c45b
commit 48c3e62
Show file tree

Hide file tree

Showing 11 changed files with 292 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -110,7 +110,15 @@ Default values for certificate file names are defined in `roles/tpa_single_node/
         name: tpa_single_node
 ```
 
-6. Execute the following command (NOTE: you will have to provide credentials to authenticate to registry.redhat.io: https://access.redhat.com/RegistryAuthentication):
+6. Create Environment Variables with S3 and OIDC credentails
+```
+export TPA_S3_ACCESS_KEY=<S3 Storage Access Key>
+export TPA_S3_SECRET_KEY=<S3 Storage Secret Key>
+export TPA_OIDC_WALKER_SECRET=<OIDC Walker Secret>
+```
+
+
+7. Execute the following command (NOTE: you will have to provide credentials to authenticate to registry.redhat.io: https://access.redhat.com/RegistryAuthentication):
 
 ```shell
 ANSIBLE_ROLES_PATH="roles/" ansible-playbook -i inventory.ini play.yml -vvvv -e registry_username='REGISTRY.REDHAT.IO_USERNAME' -e registry_password='REGISTRY.REDHAT.IO_PASSWORD'

diff --git a/galaxy.yml b/galaxy.yml
@@ -7,6 +7,7 @@ readme: README.md
 authors:
   - Max Dessì <[email protected]>
   - Gilles Dubreuil <[email protected]>
+  - Rajan Ravi <[email protected]>
 description: Install and configure RHTPA, a downstream redistribution of the Trustification project.
 license_file: Apache-2.0
 tags: [rhtpa, tpa, trusted profile analyzer, security, application, tools]

diff --git a/roles/tpa_single_node/tasks/podman.yml b/roles/tpa_single_node/tasks/podman.yml
@@ -1,4 +1,10 @@
 ---
+- name: Check Registry Username exists
+  ansible.builtin.assert:
+    that:
+      - tpa_single_node_registry_username is defined
+    fail_msg: "tpa_single_node_registry_username is not exists, export the registry username and password"
+
 - name: Podman login to registry.redhat.io
   when:
     - ansible_facts['distribution'] == 'RedHat'
@@ -63,3 +69,6 @@
   vars:
     tpa_single_node_guac_graphql_tls_cert_pem: "{{ lookup('file', tpa_single_node_guac_graphql_tls_cert_pem_path) }}"
     tpa_single_node_guac_graphql_tls_cert_key: "{{ lookup('file', tpa_single_node_guac_graphql_tls_cert_key_path) }}"
+
+- name: Configure/Deploy v11y api
+  ansible.builtin.include_tasks: podman/v11y_api.yml
diff --git a/roles/tpa_single_node/tasks/podman/postgresql.yml b/roles/tpa_single_node/tasks/podman/postgresql.yml
@@ -81,4 +81,4 @@
 - name: Restart postgres
   ansible.builtin.service:
     name: postgresql
-    state: restarted
+    state: restarted
diff --git a/roles/tpa_single_node/tasks/podman/v11y_api.yml b/roles/tpa_single_node/tasks/podman/v11y_api.yml
@@ -0,0 +1,60 @@
+---
+- name: Set OIDC variable
+  ansible.builtin.set_fact:
+    oidc: keycloak
+
+- name: Overwrite OIDC variable
+  ansible.builtin.set_fact:
+    oidc: cognito
+  when: "'cognito' in (tpa_single_node_oidc_issuer_url | string | safe)"
+
+- name: Check S3 Access key and Secret is defined
+  ansible.builtin.assert:
+    that:
+      - tpa_single_node_s3_access_key is defined
+      - tpa_single_node_s3_access_key != ""
+      - tpa_single_node_s3_secret_key is defined
+      - tpa_single_node_s3_secret_key != ""
+    fail_msg: S3 Access Key and Secret is not defined
+
+- name: Check OIDC Walker is defined
+  ansible.builtin.assert:
+    that:
+      - tpa_single_node_oidc_walker_secret is defined
+      - tpa_single_node_oidc_walker_secret != ""
+    fail_msg: OIDC Walker Secret is not defined
+
+- name: Generate v11y API secret manifest
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/manifests/v11y/api/v11y-api-secret.j2"
+    dest: "{{ tpa_single_node_v11y_api_secret }}"
+    mode: "0600"
+
+- name: Play v11y API secret manifest
+  containers.podman.podman_play:
+    kube_file: "{{ tpa_single_node_v11y_api_secret }}"
+    state: started
+
+- name: Generate OIDC auth ConfigMap manifest
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/manifests/v11y/api/v11y-api-cm-{{ oidc }}.j2"
+    dest: "{{ tpa_single_node_v11y_api_config }}"
+    mode: "0600"
+  register: configmap_result
+
+- name: Retrieve the checksum of the ConfigMap
+  ansible.builtin.stat:
+    path: "{{ tpa_single_node_v11y_api_config }}"
+    checksum_algorithm: sha256
+  register: cm_checksum
+
+- name: Deploy v11y-api Deployment
+  ansible.builtin.include_tasks: podman/install_manifest.yml
+  vars:
+    podman_spec:
+      state: started
+      systemd_file: v11y-api
+      network: "{{ tpa_single_node_podman_network }}"
+      kube_file_content: "{{ lookup('ansible.builtin.template', 'manifests/v11y/api/v11y-api-deployment-s3.j2') | from_yaml }}"
+      configmap: "{{ tpa_single_node_v11y_api_config }}"
+      configmap_changed: "{{ configmap_result.changed }}"
diff --git a/roles/tpa_single_node/templates/manifests/v11y/api/v11y-api-cm-cognito.j2 b/roles/tpa_single_node/templates/manifests/v11y/api/v11y-api-cm-cognito.j2
@@ -0,0 +1,45 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: v11y_api_config
+  namespace: "{{ tpa_single_node_namespace }}"
+  labels:
+    app: v11y-api
+    component: v11y
+
+data:
+  auth.yaml: |
+    authentication:
+      clients:
+        - clientId: "{{ tpa_single_node_oidc_frontend }}"
+          issuerUrl: "{{ tpa_single_node_oidc_issuer_url }}"
+          additionalPermissions:
+            - "read.sbom"
+            - "read.vex"
+            - "read.cve"
+          groupSelector: "$.['cognito:groups'][*]"
+          groupMappings:
+            manager:
+              - "create.sbom"
+              - "create.vex"
+              - "update.sbom"
+              - "update.vex"
+              - "delete.sbom"
+              - "delete.vex"
+
+
+        - clientId: "{{ tpa_single_node_oidc_walker }}"
+          issuerUrl: "{{ tpa_single_node_oidc_issuer_url }}"
+          scopeMappings:
+            "trustification/bombastic":
+              - "create.sbom"
+              - "read.sbom"
+              - "update.sbom"
+              - "delete.sbom"
+            "trustification/vexination":
+              - "create.vex"
+              - "read.vex"
+              - "update.vex"
+              - "delete.vex"
+            "trustification/v11y":
+              - "read.cve"
diff --git a/roles/tpa_single_node/templates/manifests/v11y/api/v11y-api-cm-keycloak.j2 b/roles/tpa_single_node/templates/manifests/v11y/api/v11y-api-cm-keycloak.j2
@@ -0,0 +1,24 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: v11y_api_config
+  namespace: "{{ tpa_single_node_namespace }}"
+  labels:
+    app: v11y-api
+    component: v11y
+
+data:
+  auth.yaml: |
+    authentication:
+      clients:
+        - clientId: "{{ tpa_single_node_oidc_frontend }}"
+          issuerUrl: "{{ tpa_single_node_oidc_issuer_url }}"
+          scopeMappings: &keycloakScopeMappings
+            "create:document": [ "create.sbom", "create.vex" ]
+            "read:document": [ "read.sbom", "read.vex" ]
+            "update:document": [ "update.sbom", "update.vex" ]
+            "delete:document": [ "delete.sbom", "delete.vex" ]
+
+        - clientId: "{{ tpa_single_node_oidc_walker }}"
+          issuerUrl: "{{ tpa_single_node_oidc_issuer_url }}"
+          scopeMappings: *keycloakScopeMappings
diff --git a/roles/tpa_single_node/templates/manifests/v11y/api/v11y-api-deployment-s3.j2 b/roles/tpa_single_node/templates/manifests/v11y/api/v11y-api-deployment-s3.j2
@@ -0,0 +1,116 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: v11y-api
+  namespace: "{{ tpa_single_node_namespace }}"
+  labels:
+    app.kubernetes.io/name: v11y-api
+    app.kubernetes.io/component: v11y
+    app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+    app.kubernetes.io/version: 1.1.1
+    app.kubernetes.io/part-of: trusted-profile-analyzer
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: v11y-api
+      app.kubernetes.io/component: v11y
+      app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: v11y-api
+        app.kubernetes.io/component: v11y
+        app.kubernetes.io/instance: redhat-trusted-profile-analyzer
+      annotations:
+        config/checksum: "{{ cm_checksum.stat.checksum }}"
+    spec:
+      volumes:
+      - name: config-auth
+        configMap:
+          name: v11y_api_config
+      - name: v11yapisecret
+        secret:
+          secretName: v11y_api_secret
+      containers:
+        - image: "{{ tpa_single_node_trustification_image }}"
+          imagePullPolicy: IfNotPresent
+          name: service
+          command: ["/trust"]
+          args:
+            - "v11y"
+            - "api"
+            - "-p"
+            - "8080"
+            - "--index-mode"
+            - "file"
+            - "--auth-configuration"
+            - "/etc/config/auth.yaml"      
+
+          ports: 
+            - containerPort: 9010
+              protocol: TCP
+              name: infra
+            - containerPort: 8080
+              name: endpoint
+              protocol: TCP
+
+          volumeMounts:
+          - name: config-auth
+            mountPath: /etc/config/auth.yaml
+            subPath: auth.yaml
+          - mountPath: /etc/v11yapisecret
+            name: v11yapisecret
+          livenessProbe:
+            initialDelaySeconds: 2
+            httpGet:
+              path: /health/live
+              port: 9010
+
+          readinessProbe:
+            initialDelaySeconds: 2
+            httpGet:
+              path: /health/ready
+              port: 9010
+
+          env:
+            - name: RUST_LOG
+              value: "info"    
+            - name: INFRASTRUCTURE_ENABLED
+              value: "true"
+            - name: INFRASTRUCTURE_BIND
+              value: "[::]:9010"
+            - name: HTTP_SERVER_BIND_ADDR
+              value: "::"
+            - name: INDEX_SYNC_INTERVAL
+              value: 1m
+
+            - name: OIDC_PROVIDER_ISSUER_URL
+              value: "{{ tpa_single_node_oidc_issuer_url }}"
+            - name: OIDC_PROVIDER_CLIENT_ID
+              value: "{{ tpa_single_node_oidc_walker }}"
+            - name: OIDC_PROVIDER_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: client_secret
+                  name: v11y_api_secret
+{% if tpa_single_node_s3_minio_endpoint is defined %}
+            - name: STORAGE_ENDPOINT
+              value: "{{ tpa_single_node_s3_minio_endpoint }}"
+{% endif %}
+            - name: STORAGE_REGION
+              value: "{{ tpa_single_node_s3_storage_region }}"
+            - name: STORAGE_BUCKET
+              value: "{{ tpa_single_node_s3_v11y_bucket }}"
+            - name: STORAGE_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: s3_access_key
+                  name: v11y_api_secret
+            - name: STORAGE_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: s3_secret_key
+                  name: v11y_api_secret
diff --git a/roles/tpa_single_node/templates/manifests/v11y/api/v11y-api-secret.j2 b/roles/tpa_single_node/templates/manifests/v11y/api/v11y-api-secret.j2
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: v11y_api_secret
+data:
+  client_secret: "{{ tpa_single_node_oidc_walker_secret | b64encode }}"
+  s3_access_key: "{{ tpa_single_node_s3_access_key | b64encode }}"
+  s3_secret_key: "{{ tpa_single_node_s3_secret_key | b64encode }}"
diff --git a/roles/tpa_single_node/templates/manifests/v11y/walker/Deployment.yaml b/roles/tpa_single_node/templates/manifests/v11y/walker/Deployment.yaml
@@ -22,10 +22,9 @@ spec:
           volumeMounts:
             - mountPath: /git
               name: cvelist
-          command: [ "/bin/sh" ]
+          command: [ "/bin/sh", "-ec" ]
           workingDir: /git
           args:
-            - "-ec"
             - |
                 if test -d cvelistV5; then
                   cd cvelistV5
@@ -57,11 +56,11 @@ spec:
             - name: INFRASTRUCTURE_BIND
               value: "[::]:9010"
             - name: STORAGE_ACCESS_KEY
-              value: "{{ tpa_single_node_s3_username }}"
+              value: "{{ tpa_single_node_s3_access_key }}"
             - name: STORAGE_SECRET_KEY
-              value: "{{ tpa_single_node_s3_password }}"
+              value: "{{ tpa_single_node_s3_secret_key }}"
             - name: STORAGE_ENDPOINT
-              value: "{{ tpa_single_node_s3_url }}"
+              value: "{{ tpa_single_node_s3_minio_endpoint }}"
             - name: STORAGE_REGION
               value: "eu-west-1" # just a dummy value
             - name: STORAGE_BUCKET

diff --git a/roles/tpa_single_node/vars/main.yml b/roles/tpa_single_node/vars/main.yml
@@ -20,15 +20,27 @@ tpa_single_node_pg_ssl_mode: disable
 
 # S3_SERVICE
 tpa_single_node_s3_url:
-tpa_single_node_s3_username:
-tpa_single_node_s3_password:
+tpa_single_node_s3_access_key: "{{ lookup('env', 'TPA_S3_ACCESS_KEY') }}" # Export S3 access key
+tpa_single_node_s3_secret_key: "{{ lookup('env', 'TPA_S3_SECRET_KEY') }}" # Export S3 Secret key
+tpa_single_node_s3_v11y_bucket: # <v11y storage bucket name>
+tpa_single_node_s3_storage_region: # <AWS S3 Stroage region> # For Minio just keep us-west-1
+tpa_single_node_s3_minio_endpoint: # <Enter minio storage endpoint, For AWS this field is not necessary>
 
 # SQS_SERVICE
 
+
 # SSO_SERVICE
+tpa_single_node_oidc_issuer_url: # <Keycloak or AWS cognito Issuer URL with endpoint auth/realms/chicken>
+tpa_single_node_oidc_frontend: # <Keycloak or AWS cognito frontend Client ID>
+tpa_single_node_oidc_walker: # <Keycloak or AWS cognito Walker Client ID>
+tpa_single_node_oidc_walker_secret: "{{ lookup('env', 'TPA_OIDC_WALKER_SECRET') }}" #  Export AWS Cognito or Keycloak walker Secret
 
 # TSL Certificates
 tpa_single_node_guac_csub_tls_cert_pem_path: "{{ tpa_single_node_certificates_dir }}/guac-collectsub-tls-certificate.pem"
 tpa_single_node_guac_csub_tls_cert_key_path: "{{ tpa_single_node_certificates_dir }}/guac-collectsub-tls-certificate.key"
 tpa_single_node_guac_graphql_tls_cert_pem_path: "{{ tpa_single_node_certificates_dir }}/guac-graphql-tls-certificate.pem"
 tpa_single_node_guac_graphql_tls_cert_key_path: "{{ tpa_single_node_certificates_dir }}/guac-graphql-tls-certificate.key"
+
+# Secret, certs and Configmap locations
+tpa_single_node_v11y_api_config: "{{ tpa_single_node_kube_configmap_dir }}/v11y-api-configmap.yaml"
+tpa_single_node_v11y_api_secret: "{{ tpa_single_node_kube_configmap_dir }}/v11y-api-secret.yaml"