diff --git a/content/patterns/layered-zero-trust/_index.adoc b/content/patterns/layered-zero-trust/_index.adoc index 08744f265..e76a2e1c4 100644 --- a/content/patterns/layered-zero-trust/_index.adoc +++ b/content/patterns/layered-zero-trust/_index.adoc @@ -108,6 +108,9 @@ The pattern consists of the following key components: * link:https://docs.redhat.com/es/documentation/red_hat_trusted_profile_analyzer/2.2[Red{nbsp}Hat Trusted Profile Analyzer (RHTPA)] ** Provides the storage and management means for _Software Bill of Materials_ (SBOMs), with cross-referencing capabilities between SBOMs and CVEs/Security Advisories. +* link:https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines/1.20[Red{nbsp}Hat OpenShift Pipelines] +** Provides a cloud-native continuous integration and continuous deployment (CI/CD) solution on {ocp}. + [id="architecture-diagram"] ==== Architecture diagram @@ -186,3 +189,4 @@ The following technologies are used in this solution: * *Red{nbsp}Hat Quay*: Private registry for OCI images. * *Red{nbsp}Hat Trusted Artifact Signer*: Facilitates signing and verification of software artifacts. * *Red{nbsp}Hat Trusted Profile Analyzer*: Enables SBOM file analysis and vulnerability detection. +* *Red{nbsp}Hat OpenShift Pipelines*: Enables a native CI/CD solution on {ocp}. diff --git a/content/patterns/layered-zero-trust/lzt-automated-secure-supply-chain.adoc b/content/patterns/layered-zero-trust/lzt-automated-secure-supply-chain.adoc new file mode 100644 index 000000000..18cfb6abf --- /dev/null +++ b/content/patterns/layered-zero-trust/lzt-automated-secure-supply-chain.adoc 
@@ -0,0 +1,272 @@ +--- +title: Secure supply chain - Automated approach +weight: 40 +aliases: /layered-zero-trust/lzt-automated-secure-supply-chain/ +--- + +:toc: +:imagesdir: /images +:_mod-docs-content-type: ASSEMBLY +include::modules/comm-attributes.adoc[] + +[id="lzt-automated-secure-supply-chain"] += Use case: Automating the secure supply chain + +[role="_abstract"] +The xref:/patterns/layered-zero-trust/lzt-secure-multitier/index.html [Secure multitiered applications] use case describes how to implement a secure supply chain for application development by using Red{nbsp}Hat Trusted Artifact Signer (RHTAS) and the Red{nbsp}Hat Trusted Profile Analyzer (RHTPA). This use case demonstrates automation of the secure supply chain for application development by using link:https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines/1.20[{rh-pipelines-first}]. + +{pipelines-short} orchestrates the application building and certification process. The Zero Trust Validated Pattern (ZTVP) creates a pipeline in the cluster named `qtodo-supply-chain`. + +[id="pipeline-tasks"] +== Pipeline tasks + +The pipeline includes the following tasks: + +* **qtodo-clone-repository**: Clones the `qtodo` repository. +* **qtodo-build-artifact**: Builds an `uber-jar` of the `qtodo` application. +* **qtodo-sign-artifact**: Signs the generated JAR file. +* **qtodo-verify-artifact**: Verifies the JAR signature. +* **qtodo-build-image**: Builds a container image and uploads it to a registry. +* **qtodo-sign-image**: Signs the container image. +* **qtodo-generate-sbom**: Generates an SBOM from the image. +* **qtodo-sbom-attestation**: Creates a signed attestation and attaches it to the image. +* **qtodo-upload-sbom**: Uploads the SBOM file to RHTPA. +* **qtodo-verify-image**: Verifies the attestation and signature. + +[id="run-pipeline"] +== Running the pipeline + +Start the pipeline by using the {ocp} web console or the CLI. 
+ +[id="run-pipeline-console"] +=== Running the pipeline from the web console + +To start a pipeline execution from the {ocp} Web console: + +.Procedure + +. Log in to the {ocp} web console. +. From the left navigation bar, select **Pipelines** -> **Pipelines**. +. In the **layered-zero-trust-hub** project, find the **qtodo-supply-chain** pipeline. +. Click the **Options** menu (⋮) and select **Start**. +. Verify the parameters. Most default values are correct for single-cluster mode. +. Configure the following workspaces: + +* For **qtodo-source**, select **PersistentVolumeClaim** and ensure the PVC name is **qtodo-workspace-source**. +* For **registry-auth-config**, select **Secret** and ensure the secret name is **qtodo-registry-auth**. +. Click **Start**. + +[id="run-pipeline-cli"] +=== Running the pipeline from the CLI + +Start a pipeline execution by creating a `PipelineRun` resource that references the `qtodo-supply-chain` pipeline. + +.Procedure + +. Create a file named `qtodo-pipeline.yaml` with the following content: ++ +[source,yaml] +---- +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + generateName: qtodo-manual-run- + namespace: layered-zero-trust-hub +spec: + pipelineRef: + name: qtodo-supply-chain + taskRunTemplate: + serviceAccountName: pipeline + timeouts: + pipeline: 1h0m0s + workspaces: + - name: qtodo-source + persistentVolumeClaim: + claimName: qtodo-workspace-source + - name: registry-auth-config + secret: + secretName: qtodo-registry-auth +---- ++ +Verify the values for the PVC storage and registry configuration. + +. Create the `PipelineRun` resource: ++ +[source,terminal] +---- +$ oc create -f qtodo-pipeline.yaml +---- + +.Verification + +* Review the pipeline logs using the Tekton CLI: ++ +[source,terminal] +---- +$ tkn pipeline logs -n layered-zero-trust-hub -L -f +---- + +[id="inspect-results"] +== Inspecting pipeline results + +Verify the status and output of the pipeline by using the web console or the CLI. 
+ +[id="inspect-results-ui"] +=== Inspecting results from the web console + +You can inspect the results of the pipeline execution from the {ocp} web console. + +.Procedure + +. Log in to the {ocp} web console. +. From the left navigation bar, select **Pipelines** -> **Pipelines**. +. In the **layered-zero-trust-hub** project, find the **qtodo-supply-chain** pipeline. +. Click the *PipelineRun* link in the *Last run* column. +. In the *Details* tab, view the summary of the pipeline execution and tasks. +. Click on a task or the *Logs* tab to see the output of specific tasks. + +[id="inspect-results-cli"] +=== Inspecting results from the CLI + +You can inspect the results of the pipeline execution by using the CLI. + +.Procedure + +. Verify that the pipeline completed successfully: ++ +[source,terminal] +---- +$ oc get pipelinerun -n layered-zero-trust-hub + +NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME +qtodo-manual-run-p46f7 True Succeeded 7m4s 2m12s +---- + +. Review the `TaskRuns` to see the results of each step: ++ +[source,terminal] +---- +$ oc get taskruns -n layered-zero-trust-hub + +NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME +qtodo-manual-run-p46f7-qtodo-build-artifact True Succeeded 7m44s 5m17s +qtodo-manual-run-p46f7-qtodo-build-image True Succeeded 4m55s 4m4s +qtodo-manual-run-p46f7-qtodo-clone-repository True Succeeded 7m55s 7m44s +... +---- + +. Identify the pods associated with the tasks in the `layered-zero-trust-hub` namespace: ++ +[source,terminal] +---- +$ oc get pods -n layered-zero-trust-hub + +NAME READY STATUS RESTARTS AGE +qtodo-manual-run-p46f7-qtodo-build-artifact-pod 0/1 Completed 0 10m +qtodo-manual-run-p46f7-qtodo-build-image-pod 0/1 Completed 0 7m21s +... +---- + +. Review the pod logs to view the output of a specific step. 
For example, to view image verification messages: ++ +[source,terminal] +---- +$ oc logs -n layered-zero-trust-hub qtodo-manual-run-p46f7-qtodo-verify-image-pod + +Success: true +Result: SUCCESS +Violations: 0, Warnings: 0, Successes: 3 +Component: Unnamed +ImageRef: quay-registry-quay-quay-enterprise.apps.example.com/ztvp/qtodo@sha256:df6506e93a141cfcaeb3b4686b558cddd963410a146b10c3cbd1319122f5f880 + +Results: +✓ [Success] builtin.attestation.signature_check +... +✓ [Success] builtin.image.signature_check +... +---- + +[id="review-services"] +== Reviewing integrated services + +The supply chain results are visible in the services used during the build process. + +[id="review-quay"] +=== Reviewing images in Quay + +If you used Quay as the image registry, you can review the built image inside the registry. + +.Procedure + +. Obtain the credentials for the Quay web interface: + +* *Quay URL*: ++ +[source,terminal] +---- +$ echo "https://$(oc get route -n quay-enterprise \ + -l quay-component=quay-app-route \ + -o jsonpath='{.items[0].spec.host}')" +---- +* *Quay username*: Use the value specified in `values-hub.yaml` or `quay-user`. +* *Quay password*: ++ +[source,terminal] +---- +$ oc get secret -n layered-zero-trust-hub qtodo-quay-password -o json | jq '.data["password"] | @base64d' +---- + +. Log in to the Quay web interface. +. Select the **ztvp/qtodo** repository. +. In the navigation menu, select **Tags**. +. Verify that the `latest` tag is signed and that the `.att` attestation file is present. + +image::/images/layered-zero-trust/quay-web-ui.png[Quay Web UI] + +[id="review-rekor"] +=== Reviewing Rekor verification records + +Use the Rekor search interface to check verification records. Search by email address or record index. 
+ +.Procedure + +* Get the URL for the Rekor search interface: ++ +[source,terminal] +---- +$ echo "https://$(oc get route -n trusted-artifact-signer -l app.kubernetes.io/component=rekor-ui -o jsonpath='{.items[0].spec.host}')" +---- + +image::/images/layered-zero-trust/rekor-web-ui.png[Rekor's Search UI] + +[id="review-rhtpa"] +=== Reviewing RHTPA results + +The RHTPA web UI uses OIDC for user authentication. If you are using *Keycloak* integrated with the pattern, use the following commands to obtain the credentials. + +.Procedure + +. Get the credentials: +* *RHTPA URL*: ++ +[source,terminal] +---- +$ echo "https://$(oc get route -n trusted-profile-analyzer \ + -l app.kubernetes.io/name=server \ + -o jsonpath='{.items[0].spec.host}')" +---- +* *RHTPA user*: `rhtpa-user` +* *RHTPA user password*: ++ +[source,terminal] +---- +$ oc get secret keycloak-users -n keycloak-system -o json \ + | jq '.data["rhtpa-user-password"] | @base64d' +---- + +. Review the SBOM in the RHTPA web interface: +.. Log in to the RHTPA web interface using Keycloak credentials. +.. In the navigation menu, select **SBOMs**. +.. Select the container image name from the list of available SBOMs. + +image::/images/layered-zero-trust/rhtpa-web-ui.png[RHTPA Web UI] diff --git a/content/patterns/layered-zero-trust/lzt-secure-multitier.adoc b/content/patterns/layered-zero-trust/lzt-secure-multitier.adoc index 0ea740da5..bdccce461 100644 --- a/content/patterns/layered-zero-trust/lzt-secure-multitier.adoc +++ b/content/patterns/layered-zero-trust/lzt-secure-multitier.adoc @@ -1,5 +1,5 @@ --- -title: Secure multi-tier applications +title: Secure multitiered applications weight: 20 aliases: /layered-zero-trust/lzt-secure-multitier --- 
@@ -10,7 +10,7 @@ aliases: /layered-zero-trust/lzt-secure-multitier include::modules/comm-attributes.adoc[] [id="lzt-secure-multitier"] -= Use case: Secure multi-tier applications += Use case: Secure multitiered applications This use case demonstrates securing a common application design pattern: a frontend application using a database for persistent storage. diff --git a/static/images/layered-zero-trust/quay-web-ui.png b/static/images/layered-zero-trust/quay-web-ui.png new file mode 100644 index 000000000..070075405 Binary files /dev/null and b/static/images/layered-zero-trust/quay-web-ui.png differ
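Review bot: In the `_index.adoc` components hunk, the new OpenShift Pipelines link uses the `/en/` locale while the RHTPA link in the context line just above it points at `https://docs.redhat.com/es/documentation/red_hat_trusted_profile_analyzer/2.2`, which sends English readers to the Spanish docs; since this hunk touches the same list, switch that link to `/en/` as well so the component list is consistent.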
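Review bot: The abstract of the new `lzt-automated-secure-supply-chain.adoc` has a space inside the xref macro, `xref:/patterns/layered-zero-trust/lzt-secure-multitier/index.html [Secure multitiered applications]`; AsciiDoc only treats the bracketed text as the link label when it immediately follows the target, so as written the page renders a raw path followed by literal brackets. Remove the space (`...index.html[Secure multitiered applications]`). While in that paragraph, please confirm that `{rh-pipelines-first}` and `{pipelines-short}` are defined in `modules/comm-attributes.adoc`, since neither attribute appears elsewhere in this diff.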
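Review bot: In the "Running the pipeline from the CLI" section, the verification command `tkn pipeline logs -n layered-zero-trust-hub -L -f` gives no pipeline name, so `tkn` has to prompt for one; make it non-interactive with `tkn pipeline logs qtodo-supply-chain -n layered-zero-trust-hub -L -f` (or `tkn pipelinerun logs --last -f -n layered-zero-trust-hub`). The sentence "Verify the values for the PVC storage and registry configuration" after the YAML should name the fields the reader is expected to check (`claimName: qtodo-workspace-source` and `secretName: qtodo-registry-auth`), and the web-console step "Most default values are correct for single-cluster mode" should say which parameter needs changing when that is not the case. Finally, the example binds the run to `serviceAccountName: pipeline`, the default OpenShift Pipelines service account; if the pattern provisions a dedicated service account for the signing and push steps, the manual `PipelineRun` should reference the same one so a manual run gets the same privileges as the automated one, not more.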
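Review bot: The credential lookups in the Quay and RHTPA sections pipe into `jq '.data["password"] | @base64d'` and `jq '.data["rhtpa-user-password"] | @base64d'` without `-r`, so the decoded password is printed wrapped in double quotes and will fail if pasted as-is; use `jq -r`. The Quay username line "Use the value specified in `values-hub.yaml` or `quay-user`" is ambiguous about which key in `values-hub.yaml` holds it and whether `quay-user` is the default; spell that out. In the Quay tag check, the reader is told to verify the mutable `latest` tag, whereas the `qtodo-verify-image` output earlier on the page verifies the image by digest (`ztvp/qtodo@sha256:df6506e9...`); have the reader confirm that the digest shown in Quay matches the `ImageRef` from the verify step, and note that the `.att` attestation is a separate tag in the repository (`sha256-<digest>.att`), not a file attached to `latest`.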
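Review bot: The "Reviewing Rekor verification records" procedure stops after printing the search-UI URL, yet the lead-in says to search "by email address or record index" without telling the reader which email identity the `qtodo-sign-artifact`, `qtodo-sign-image` and `qtodo-sbom-attestation` tasks sign with, or where the record index comes from. State the signing identity the pipeline uses (that is also the identity the `qtodo-verify-image` step is trusting) and, if the sign tasks log the Rekor entry index, point the reader at that log line; otherwise this section gives nothing to search for.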
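Review bot: The new page references three images, `quay-web-ui.png`, `rekor-web-ui.png` and `rhtpa-web-ui.png` under `/images/layered-zero-trust/`, but this diff only adds the binary `static/images/layered-zero-trust/quay-web-ui.png`; confirm the Rekor and RHTPA screenshots already exist in the repository or add them in this PR so the page does not render broken images.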