devsecops update (#98)

* removing helm chart for spring-petclinic app

* using kustomize for the spring-petclinic app

* Updated values-development to update spring-petclinic application

* updated cosign app

* updated spring app to use overlay path

* updated typo apiversion

* updating volumeMount.name

* updating volumeMount.name

* Updated cosign app with fixed key generate command and working on
rbac

* adding signing-secrets to rbac

* fixing template and removing resourceNames

* updating script

* adding serversideapply sync-option to cm

* make test

Author: day0hero

charts/region/cosign/templates/cosign-cm-script.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: create-cosign-pubkey
+  namespace: openshift-pipelines
+data:
+  cosign.sh: |
+    #!/bin/bash
+    # check for signing-secrets in openshift-pipelines
+    SECRET=$(oc get secret signing-secrets -n openshift-pipelines)
+    if [[ $? -ne 0 ]]
+      then
+        export COSIGN_PASSWORD=$(openssl rand -base64 32) 
+        cosign generate-key-pair k8s://openshift-pipelines/signing-secrets --output-file /tmp/cosign.pub
+        oc create secret generic cosign-pubkey --from-file=/tmp/cosign.pub 
+      else
+        echo "the signing-secrets secret exists in openshift-pipelines"
+    fi

charts/region/cosign/templates/cosign_pubkey-job.yaml

@@ -14,12 +14,19 @@ spec:
         - /bin/bash
         - -c
         - |
-          export COSIGN_PASSWORD=$(openssl rand -base64 32) 
-          cosign key-generate k8s://openshift-pipelines/signing-secrets
-          oc create secret generic cosign-pubkey --from-file=cosign.pub 
+           '/tmp/cosign.sh'
         name: create-cosign-pubkey
+        volumeMounts:
+          - mountPath: /tmp/cosign.sh
+            name: cosign
+            subPath: cosign.sh
+      volumes:
+        - name: cosign
+          configMap:
+            name: create-cosign-pubkey
+            defaultMode: 0755
       dnsPolicy: ClusterFirst
       restartPolicy: Never
-      serviceAccount: pipeline
-      serviceAccountName: pipeline
-      terminationGracePeriodSeconds: 60
+      serviceAccount: cosign-sa
+      serviceAccountName: cosign-sa
+      terminationGracePeriodSeconds: 60

charts/region/cosign/templates/rbac/role.yaml

@@ -22,9 +22,15 @@ rules:
     resources:
 {{- range $value.resources }}
       - {{ . }}
+{{- end }}
+{{- if $value.resourceNames }}
+    resourceNames:
+{{- range $value.resourceNames }}
+      - {{ . }}
+{{- end }}
 {{- end }}
     verbs:
 {{- range $value.verbs }}
       - {{ . }}
 {{- end }}
-{{- end }}
+{{- end }}

charts/region/cosign/templates/rbac/serviceaccount.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cosign-sa
+  namespace: openshift-pipelines
+  annotations: {}

charts/region/cosign/values.yaml

@@ -31,14 +31,15 @@ rbac:
         - "patch"
         - "create"
         - "update"
+        - "delete"
   roleBindings:
     - name: cosign-mgmt
       scope:
         cluster: false
         namespace: openshift-pipelines
       subjects:
         kind: ServiceAccount
-        name: pipelines
+        name: cosign-sa
         namespace: openshift-pipelines
         apiGroup: '""'
       roleRef:

charts/region/pipelines/templates/chains/tekton-chains-configmap.yaml

@@ -5,9 +5,10 @@ metadata:
   namespace: openshift-pipelines
   annotations:
     argocd.argoproj.io/sync-options: PruneLast=true
+    argocd.argoproj.io/sync-options: ServerSideApply=true
 data:
   artifacts.oci.storage: 'oci'
   artifacts.taskrun.format: tekton
   artifacts.taskrun.storage: tekton
   artifacts.oci.format: simplesigning
-  artifacts.oci.signer: cosign
+  artifacts.oci.signer: cosign

charts/region/spring-petclinic-config/.helmignore

@@ -23,7 +23,7 @@ spec:
       containers:
       - name: spring-petclinic
         imagePullPolicy: Always
-        image: quay-registry-quay-quay-enterprise.{{ .Values.global.localClusterDomain }}/{{ .Values.quay.org.name }}/{{ .Values.quay.repo }}:latest
+        image: quay.io/hybridcloudpatterns/spring-petclinic:latest
         livenessProbe:
           failureThreshold: 3
           httpGet: