From 83eccba327d4f113b94e8d8772741e3171bcc845 Mon Sep 17 00:00:00 2001
From: Akash LM
Date: Tue, 2 Jul 2024 11:07:56 +0530
Subject: [PATCH] Added trivy scan tekton-tasks and updated chart version of kubviz-agent
---
.../templates/trivy-scan-after-task.yaml | 67 ++++
.../templates/trivy-scan-before-task.yaml | 67 ++++
default-apps-templates/app_list.yaml | 2 +-
.../github-trivy-scan-pipeline.yaml | 303 ++++++++++++++++++
4 files changed, 438 insertions(+), 1 deletion(-)
create mode 100644 cicd/tekton-cluster-tasks/templates/trivy-scan-after-task.yaml
create mode 100644 cicd/tekton-cluster-tasks/templates/trivy-scan-before-task.yaml
create mode 100644 tekton-samples/tekton-pipeline-yamls/github-trivy-scan-pipeline.yaml
diff --git a/cicd/tekton-cluster-tasks/templates/trivy-scan-after-task.yaml b/cicd/tekton-cluster-tasks/templates/trivy-scan-after-task.yaml
new file mode 100644
index 0000000..4f8a6c2
--- /dev/null
+++ b/cicd/tekton-cluster-tasks/templates/trivy-scan-after-task.yaml
@@ -0,0 +1,67 @@
+apiVersion: tekton.dev/v1beta1
+kind: ClusterTask
+metadata:
+ name: scan-image-after
+spec:
+ workspaces:
+ - name: output
+ params:
+ - name: image
+ type: string
+ - name: timeout
+ type: string
+ default: "5m"
+ - name: ID
+ type: string
+ steps:
+ - name: scan
+ image: ghcr.io/kube-tarian/helmrepo-supporting-tools/trivy:latest
+ script: |
+ #!/bin/sh
+ trivy image --timeout $(params.timeout) $(params.image)
+ trivy image --timeout $(params.timeout) -f json -o /workspace/output/trivy-report.json $(params.image)
+ trivy image --timeout $(params.timeout) $(params.image) | grep Total
+ - name: store-scan-result
+ image: ghcr.io/kube-tarian/helmrepo-supporting-tools/trivy-db:1.0.0
+ env:
+ - name: POSTGRES_HOST
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secret
+ key: host
+ - name: DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secret
+ key: user
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secret
+ key: password
+ - name: DB_NAME
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secret
+ key: dbname
+ - name: JSON_FILE
+ value: /workspace/output/trivy-report.json
+ script: |
+ #!/bin/bash
+ export PGPASSWORD="${POSTGRES_PASSWORD}"
+ export POSTGRES_HOST="${POSTGRES_HOST}"
+ export DB_NAME="${DB_NAME}"
+ export DB_USER="${DB_USER}"
+ export JSON_FILE="${JSON_FILE}"
+
+ /usr/local/bin/create_tables_after.sh
+
+ # echo "Storing Trivy scan results to PostgreSQL..."
+ job_id=$(params.ID)
+ scan_result=$(cat $JSON_FILE | sed "s/'/''/g")
+
+ psql -h "${POSTGRES_HOST}" -U "${DB_USER}" -d "${DB_NAME}" -c "\
+ INSERT INTO tekton_after_trivy_results (job_id, image) \
+ VALUES ('${job_id}', '$(params.image)')"
+
+ /usr/local/bin/insert_data_after.sh
diff --git a/cicd/tekton-cluster-tasks/templates/trivy-scan-before-task.yaml b/cicd/tekton-cluster-tasks/templates/trivy-scan-before-task.yaml
new file mode 100644
index 0000000..d0a8dd5
--- /dev/null
+++ b/cicd/tekton-cluster-tasks/templates/trivy-scan-before-task.yaml
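Review bot: The `store-scan-result` step interpolates `$(params.ID)` and `$(params.image)` textually into the SQL string of the `psql -c "INSERT INTO tekton_after_trivy_results ..."` call, so any pipeline-supplied value containing a quote changes the statement and a crafted image or ID value reaches the database as SQL. Pass them as psql variables instead, e.g. `psql -h "${POSTGRES_HOST}" -U "${DB_USER}" -d "${DB_NAME}" -v job_id="$(params.ID)" -v image="$(params.image)" -c "INSERT INTO tekton_after_trivy_results (job_id, image) VALUES (:'job_id', :'image')"`, and drop the unused `scan_result=$(cat $JSON_FILE | sed "s/'/''/g")` line (the JSON is loaded by `insert_data_after.sh`, not by this script). The `scan` step runs `trivy image` three times and never passes `--exit-code`, and the final `| grep Total` masks trivy's exit status, so findings never fail the task; one run with `-f json -o ...` plus a `--exit-code 1 --severity HIGH,CRITICAL` pass would cut scan time and make the gate real. Pinning `trivy:latest` to a tag or digest keeps the scanner reproducible. The same points apply to the scan-image-before hunk.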
@@ -0,0 +1,67 @@
+apiVersion: tekton.dev/v1beta1
+kind: ClusterTask
+metadata:
+ name: scan-image-before
+spec:
+ workspaces:
+ - name: output
+ params:
+ - name: image
+ type: string
+ - name: timeout
+ type: string
+ default: "5m"
+ - name: ID
+ type: string
+ steps:
+ - name: scan
+ image: ghcr.io/kube-tarian/helmrepo-supporting-tools/trivy:latest
+ script: |
+ #!/bin/sh
+ trivy image --timeout $(params.timeout) $(params.image)
+ trivy image --timeout $(params.timeout) -f json -o /workspace/output/trivy-report.json $(params.image)
+ trivy image --timeout $(params.timeout) $(params.image) | grep Total
+ - name: store-scan-result
+ image: ghcr.io/kube-tarian/helmrepo-supporting-tools/trivy-db:1.0.0
+ env:
+ - name: POSTGRES_HOST
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secret
+ key: host
+ - name: DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secret
+ key: user
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secret
+ key: password
+ - name: DB_NAME
+ valueFrom:
+ secretKeyRef:
+ name: postgres-secret
+ key: dbname
+ - name: JSON_FILE
+ value: /workspace/output/trivy-report.json
+ script: |
+ #!/bin/bash
+ export PGPASSWORD="${POSTGRES_PASSWORD}"
+ export POSTGRES_HOST="${POSTGRES_HOST}"
+ export DB_NAME="${DB_NAME}"
+ export DB_USER="${DB_USER}"
+ export JSON_FILE="${JSON_FILE}"
+
+ /usr/local/bin/create_tables_before.sh
+
+ # echo "Storing Trivy scan results to PostgreSQL..."
+ job_id=$(params.ID)
+ scan_result=$(cat $JSON_FILE | sed "s/'/''/g")
+
+ psql -h "${POSTGRES_HOST}" -U "${DB_USER}" -d "${DB_NAME}" -c "\
+ INSERT INTO tekton_before_trivy_results (job_id, image) \
+ VALUES ('${job_id}', '$(params.image)')"
+
+ /usr/local/bin/insert_data_before.sh
diff --git a/default-apps-templates/app_list.yaml b/default-apps-templates/app_list.yaml
index 1566517..588b5ad 100644
--- a/default-apps-templates/app_list.yaml
+++ b/default-apps-templates/app_list.yaml
@@ -33,7 +33,7 @@ defaultApps:
 repoURL: 'https://intelops.github.io/kubviz/'
 namespace: observability
 chart: agent
- targetRevision: "1.1.23"
+ targetRevision: "1.1.24"
 valuesPath: infra/clusters/app-configs/{{.ClusterName}}/kubviz-agent-values.yaml
 - name: external-secrets
 repoURL: 'https://kube-tarian.github.io/helmrepo-supporting-tools'
diff --git a/tekton-samples/tekton-pipeline-yamls/github-trivy-scan-pipeline.yaml b/tekton-samples/tekton-pipeline-yamls/github-trivy-scan-pipeline.yaml
new file mode 100644
index 0000000..07d637c
--- /dev/null
+++ b/tekton-samples/tekton-pipeline-yamls/github-trivy-scan-pipeline.yaml
@@ -0,0 +1,303 @@
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+ name: capten-pipeline
+spec:
+ description: |
+ This pipeline clones a git repo, then echoes the README file to the stout.
+ params:
+ - name: repo-url
+ type: string
+ description: The git repo URL to clone from.
+ - name: revision
+ type: string
+ - name: PARAM_SCM
+ description: Define the Source code Management URL
+ type: string
+ default: "github.com"
+ - name: pathToContext
+ description: The path to the build context, used by Kaniko - within the workspace
+ default: .
+ - name: imageUrl
+ description: Image name including repository
+ - name: imageTag
+ description: Image tag
+ default: "latest"
+ - name: eventname
+ description: name of event happens
+ - name: reponame
+ description: repo name
+ - name: retag
+ description: rel tag
+ - name: ID
+ description: id of pipelinerun
+ - name: NAME
+ description: application name
+
+ workspaces:
+ - name: shared-data
+ description: |
+ This workspace contains the cloned repo files, so they can be read by the
+ next task.
+ - name: git-credentials
+ description: basic-auth
+ - name: docker-credentials
+ description: docker cred
+ - name: cosign
+ - name: dockerconfig
+ - name: cosign-pub
+ - name: deploy-creds
+ description: app and cluster details
+ - name: argo-creds
+ description: argocd server and credentials
+
+ tasks:
+ - name: fetch-source
+ taskRef:
+ name: git-clone
+ kind: ClusterTask
+ workspaces:
+ - name: output
+ workspace: shared-data
+ - name: basic-auth
+ workspace: git-credentials
+ params:
+ - name: url
+ value: $(params.repo-url)
+ - name: PARAM_SCM
+ value: $(params.PARAM_SCM)
+ - name: revision
+ value: $(params.revision)
+ when:
+ - input: "$(params.eventname)"
+ operator: in
+ values: [ "pull-request" , "push" , "tag" ,"release" ]
+
+ - name: get-changed-files
+ taskRef:
+ name: get-changed-files-task
+ kind: ClusterTask
+ runAfter:
+ - fetch-source
+ workspaces:
+ - name: source
+ workspace: shared-data
+ params:
+ - name: REVISION
+ value: $(params.revision)
+ when:
+ - input: "$(params.eventname)"
+ operator: in
+ values: [ "pull-request" , "push" , "tag" ,"release" ]
+
+ - name: scan-image-initial
+ taskRef:
+ name: scan-image-before
+ kind: ClusterTask
+ runAfter:
+ - get-changed-files
+ params:
+ - name: image
+ value: ghcr.io/sheril5/qt-test-application:latest
+ - name: timeout
+ value: "10m"
+ - name: ID
+ value: $(params.ID)
+ workspaces:
+ - name: output
+ workspace: shared-data
+
+ - name: build
+ taskRef:
+ name: kaniko
+ kind: ClusterTask
+ runAfter:
+ - scan-image-initial
+ workspaces:
+ - name: source
+ workspace: shared-data
+ - name: dockerconfig
+ workspace: docker-credentials
+ params:
+ - name: CONTEXT
+ value: $(params.pathToContext)
+ - name: IMAGE
+ value: $(params.imageUrl):$(params.imageTag)
+ when:
+ - input: "$(params.eventname)"
+ operator: in
+ values: [ "pull-request" , "push" , "tag" ,"release" ]
+
+ - name: scan-image-final
+ taskRef:
+ name: scan-image-after
+ kind: ClusterTask
+ runAfter:
+ - build
+ params:
+ - name: image
+ value: $(params.imageUrl):$(params.imageTag)
+ - name: timeout
+ value: "10m"
+ - name: ID
+ value: $(params.ID)
+ workspaces:
+ - name: output
+ workspace: shared-data
+
+ - name: deploy-app
+ runAfter: ["cosign-sign"]
+ taskRef:
+ name: helm-deploy
+ kind: ClusterTask
+ params:
+ - name: NAME
+ value: $(params.NAME)
+ - name: userEmail
+ value: $(tasks.get-changed-files.results.email)
+ - name: IMAGE
+ value: $(params.imageUrl)
+ - name: ImageTag
+ value: $(params.imageTag)
+ - name: AppName
+ value: $(params.NAME)
+ - name: gitProjectUrl
+ value: github.com/Jeremy4040/infra
+ - name: appConfigPath
+ value: infra/clusters/app-configs/dev-alpha/apps/customer-apps
+ - name: clusterName
+ value: dev-alpha
+
+ workspaces:
+ - name: basic-auth
+ workspace: deploy-creds
+ - name: output
+ workspace: shared-data
+ - name: argo-auth
+ workspace: argo-creds
+ when:
+ - input: "$(params.eventname)"
+ operator: in
+ values: [ "pull-request" , "tag" ,"release" ]
+
+ - name: qt-testcase
+ runAfter: ["deploy-app"]
+ taskRef:
+ name: install-and-run-qt
+ kind: ClusterTask
+ params:
+ - name: QT_SERVER
+ value: http://qualitytrace.domain.com
+ - name: qt_path
+ value: qt_test
+ workspaces:
+ - name: basic-auth
+ workspace: git-credentials
+ - name: output
+ workspace: shared-data
+ when:
+ - input: "$(params.eventname)"
+ operator: in
+ values: [ "pull-request" , "tag" ,"release" ]
+
+ - name: cosign-sign
+ runAfter: ["scan-image-final"]
+ taskRef:
+ name: cosign-sign
+ kind: ClusterTask
+ workspaces:
+ - name: source
+ workspace: shared-data
+ - name: dockerconfig
+ workspace: dockerconfig
+ - name: cosign
+ workspace: cosign
+ params:
+ - name: image
+ value: "$(params.imageUrl)@$(tasks.build.results.IMAGE_DIGEST)"
+ - name: eventname
+ value: "$(params.eventname)"
+ - name: registry
+ value: "ghcr.io"
+ when:
+ - input: "$(params.eventname)"
+ operator: in
+ values: [ "pull-request" , "tag" ,"release" ]
+
+ - name: commit-task
+ taskRef:
+ name: get-latest-commit-id
+ kind: ClusterTask
+ runAfter:
+ - build
+ workspaces:
+ - name: source
+ workspace: shared-data
+ - name: basic-auth
+ workspace: git-credentials
+ params:
+ - name: REVISION
+ value: $(params.revision)
+ - name: REPONAME
+ value: $(params.reponame)
+ when:
+ - input: "$(params.eventname)"
+ operator: in
+ values: [ "tag" ,"push" ,"pull-request" ,"release"]
+
+ finally:
+ - name: github-set-status-fail
+ when:
+ - input: $(tasks.status)
+ operator: in
+ values: [ "Failed", "None" ]
+ taskRef:
+ name: github-set-status
+ kind: ClusterTask
+ params:
+ - name: "STATE"
+ value: "failure"
+ - name: "GITHUB_HOST_URL"
+ value: "api.github.com"
+ - name: "REPO_FULL_NAME"
+ value: "$(params.reponame)"
+ - name: "GITHUB_TOKEN_SECRET_NAME"
+ value: "gitcred-capten-pipeline"
+ - name: "GITHUB_TOKEN_SECRET_KEY"
+ value: "password"
+ - name: "SHA"
+ value: "$(tasks.commit-task.results.commit-id)"
+ - name: "TARGET_URL"
+ value: "http://tekton.awsagents.optimizor.app/#/namespaces/tekton-pipelines/pipelineruns/trigger-$(params.ID)"
+ - name: "CONTEXT"
+ value: "tekton-pipeline"
+ - name: "DESCRIPTION"
+ value: "An error occurred building your commit in Tekton"
+
+ - name: github-set-status-success
+ when:
+ - input: $(tasks.status)
+ operator: in
+ values: [ "Succeeded", "Completed" ]
+ taskRef:
+ name: github-set-status
+ kind: ClusterTask
+ params:
+ - name: "STATE"
+ value: "success"
+ - name: "GITHUB_HOST_URL"
+ value: "api.github.com"
+ - name: "REPO_FULL_NAME"
+ value: "$(params.reponame)"
+ - name: "GITHUB_TOKEN_SECRET_NAME"
+ value: "gitcred-capten-pipeline"
+ - name: "GITHUB_TOKEN_SECRET_KEY"
+ value: "password"
+ - name: "SHA"
+ value: "$(tasks.commit-task.results.commit-id)"
+ - name: "TARGET_URL"
+ value: "http://tekton.awsagents.optimizor.app/#/namespaces/tekton-pipelines/pipelineruns/trigger-$(params.ID)"
+ - name: "CONTEXT"
+ value: "tekton-pipeline"
+ - name: "DESCRIPTION"
+ value: "Finished building your commit in Tekton"
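Review bot: `scan-image-final` scans `$(params.imageUrl):$(params.imageTag)` by mutable tag, while `cosign-sign` signs `$(params.imageUrl)@$(tasks.build.results.IMAGE_DIGEST)`; if the tag is re-pushed between the two tasks the signed image is not the scanned one, so the scan's image param should be `value: "$(params.imageUrl)@$(tasks.build.results.IMAGE_DIGEST)"` as well. Neither scan task exposes a result or fails on findings, so `cosign-sign` and `deploy-app` proceed regardless of what trivy reported; the gate only becomes real once the ClusterTask enforces an exit code or the pipeline checks a task result. `scan-image-initial` scans the fixed image `ghcr.io/sheril5/qt-test-application:latest` from a personal namespace and, unlike the tasks around it, has no `when` guard on `eventname` — presumably a leftover test value that should be a parameter. `TARGET_URL` and `QT_SERVER` are plain `http://` URLs, so status links and test traffic go unencrypted. The `description` block still says the pipeline echoes the README, which no longer matches the tasks.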