Skip to content

MoOyeg/testFlask-tekton

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

56 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

testFlask-tekton

Sample Tekton Pipeline for a Flask Python Application

Application will show how we can use Tekton to deploy/test a flask application running on openshift, the Application being used is testFlask
Environment variables used in Commands have samples in the sample_env file.
So this example assumes a pipeline scenario where there is a running production application represented by our Production Project and at build time we deploy the same exact infrastructure in our devlopment project and test the code, when all satisfied we promote our dev image to production which is automatically deployed based on a trigger from our imagestream.

Prerequisites:

Steps to Run via Kustomize

  • Create Prerequisite Infrastucture Components if Required

  • Create Dev Environment

    oc apply -k ./overlays/dev
  • Create Prod Environment

    oc apply -k ./overlays/prod
  • Create CICD Environment Respository provides examples on how to deploy a normal tekton CICD Pipeline and a version that provides Image Scanning and Policy Checking using Red hat's Advanced Cluster Security Product.Depending on your version of OpenShift the default run of the pipeline might fail, please read Notes below.

    • Deploy pipeline without scanning and security

      oc kustomize ./cicd/overlays/simple | sed -e 's/name: testflask-pipelinerun/# name: testflask-pipelinerun/' | oc create -f -
    • Create CICD Environment with ACS
      Please see Notes if you run into errors

      oc kustomize ./cicd/overlays/secure | sed -e 's/name: testflask-pipelinerun/# name: testflask-pipelinerun/' | oc create -f -

Prerequisite Infrastructure

Please note this section is not maintained and is pulled from other repos.

  • Install Openshift Pipelines Operator

    oc apply -k ./infra/pipeline-operator
  • Install Advanced Cluster Security Operator

    oc apply -k ./infra/acs-operator
  • Create Advanced Cluster Security Instance

    oc apply -k ./infra/acs-instance
  • Install Gatekeeper Operator

    oc apply -k ./infra/gatekeeper-operator

Notes

  • Please note scanning the Openshift internal registry is not supported as of this writing.

  • Error('image-scan-pod" is waiting to start: CreateContainerConfigError').With error ('Error: secret "roxsecrets" not found'). ACS roxctl requires a secret that contains the Central cluster url and the API Token. You can try using the below command to create this(This might not be updated).

    oc kustomize ./cicd/overlays/secure/acs/pipelines-and-secrets | oc create -f -
  • Error - unable to validate against any security context constraint for builah task when running Pipeline Depending on your version of openshift pipelines the buildah task might require an enhanced scc.

    oc project 1234-tekton
    oc adm policy add-scc-to-user privileged system:serviceaccount:1234-tekton:pipeline
    oc policy add-role-to-user system:image-pusher system:serviceaccount:1234-tekton:pipeline
  • If you get "error creating build container: Error initializing source docker://registry.redhat.io/ubi8/ubi:latest: unable to retrieve auth token". This means the docker file we are using for build is not using the internal openshift registry.We might have to update the dockerfile to build.

    oc tag --source=docker registry.redhat.io/ubi8/ubi:latest ubi8:latest -n openshift
  • To use the eventlistener remember to create a webhook

  • PipelineRun will start in pending, re-run to start Build

Gatekeeper Enforcement

With the use of the Gatekeeper/OPA you can create policies to enforce/inform of cluster violations.There are sample policies to show an example of enforcing with tekton.Please make sure to install the gatekeeper operator first.

Note: Might need to run it 2x as API has to create CRD for contraint

Make sure all tekton pipelines have an ACS Policy Checking Task

oc kustomize ./cicd/overlays/secure/acs/policy-tekton-checking | oc create -f -

Make sure all tekton pipelines have an ACS Policy Scanning Task

oc kustomize ./cicd/overlays/secure/acs/policy-tekton-scanning | oc create -f -

Make sure all tekton pipelines have the appropriate apiVersions

oc kustomize ./cicd/overlays/secure/policy-tekton-api-version/ | oc create -f -

Make sure all tekton pipelines have a max failure timeout set.

oc kustomize ./cicd/overlays/secure/policy-tekton-timeout-set | oc create -f -

Make sure all tetkon pipeline resolvers only use approved git registries

oc kustomize ./cicd/overlays/secure/policy-tekton-allowed-git-resolver | oc create -f -

Make sure all tetkon pipeline resolvers only use approved bundle repos

oc kustomize ./cicd/overlays/secure/policy-tekton-allowed-bundle-resolver | oc create -f -

After the above constraints are created, you should not longer be able to run the non-secure pipeline creation above but you should be able to run the secure version.