WIP: blarg

src/ploigos/params/AllWorkflowParams.groovy → src/ploigos/params/ConstantEnvironmentWorkflowParams.groovy

@@ -2,48 +2,17 @@ package ploigos.params
 
 import ploigos.params.UserServiceWorkflowParams
 
-/* All Parameters (infra + user)
+/* Paramters that don't change from workflow to workflow and are rather constent for an enviornment.
  */
-class AllWorkflowParams extends UserServiceWorkflowParams {
+interface ConstantEnvironmentWorkflowParams extends Serializable {
     /* Policy for pulling new versions of the imageTag for the CI worker images
      * when running this pipeline. */
-    String workflowWorkersImagePullPolicy = 'IfNotPresent'
+    String workflowWorkersImagePullPolicy = 'Always'
 
     /* Container image to use when creating a workflow worker
      * to for connecting to the workflow runner tool */
     String workflowWorkerImageAgent = "openshift/origin-jenkins-agent-base:4.8.0"
 
-    /* Container image to use when creating a workflow worker
-     * to run pipeline steps when performing app operations, such as unit-test, package, push.
-     *
-     * This image is also used for other miscalaneous steps that need a place to run but dont
-     * need specialized tooling. */
-    String workflowWorkerImageAppOperations = null
-
-    /* Container image to use when creating a workflow worker
-     * to run pipeline steps when performing static code analysis step(s). */
-    String workflowWorkerImageStaticCodeAnalysis = "ploigos/ploigos-tool-sonar:nightly"
-
-    /* Container image to use when creating a workflow worker
-     * to run pipeline steps when performing container operations (build/push/sign/etc) step(s). */
-    String workflowWorkerImageContainerOperations = "ploigos/ploigos-tool-containers:nightly"
-
-    /* Container image to use when creating a workflow worker
-     * to run pipeline steps when performing container scanning (vulnerability/compliance/etc) step(s) */
-    String workflowWorkerImageContainerScanning = "ploigos/ploigos-tool-openscap:nightly"
-
-    /* Container image to use when creating a workflow worker
-     * to run pipeline steps when performing deploy step(s). */
-    String workflowWorkerImageDeploy = "ploigos/ploigos-tool-argocd:nightly"
-
-    /* Container image to use when creating a workflow worker
-     * to run pipeline steps when performing automated-governance step(s). */
-    String workflowWorkerImageAutomatedGovernance = "ploigos/ploigos-tool-autogov:nightly"
-
-    /* Container image to use when creating a workflow worker
-     * to run pipeline steps when performing validate environment configuration step(s). */
-    String workflowWorkerImageValidateEnvironmentConfiguration = "ploigos/ploigos-tool-config-lint:nightly"
-
     /* If `true` then use `allowPrivilegeEscalation` securityContex for the
      * container operations workflow worker container so that `buildah`/`podman`
      * can do rootless container operations.
@@ -144,4 +113,4 @@ class AllWorkflowParams extends UserServiceWorkflowParams {
      * determines whether to verify the Git TLS when checking out the step runner library source
      * for installation. */
     boolean stepRunnerLibSourceGitTLSNoVerify = false
-}
+}

src/ploigos/params/ExistingContainerImageScanWorkflowParams.groovy

@@ -0,0 +1,12 @@
+package ploigos.params
+
+import ploigos.params.UserServiceWorkflowParams
+import ploigos.params.ConstantEnvironmentWorkflowParams
+
+/* All the paramters for existingContainerImageScan* workflows.
+ */
+class ExistingContainerImageScanWorkflowParams extends UserExistingContainerImageScanWorkflowParams implements ConstantEnvironmentWorkflowParams {
+    /* Container image to use when creating a workflow worker
+     * to run pipeline steps when performing container scanning (vulnerability/compliance/etc) step(s) */
+    String workflowWorkerImageContainerScanning = null
+}

src/ploigos/params/ServiceWorkflowParams.groovy

@@ -0,0 +1,39 @@
+package ploigos.params
+
+import ploigos.params.UserServiceWorkflowParams
+import ploigos.params.ConstantEnvironmentWorkflowParams
+
+/* All the paramters for service* workflows.
+ */
+class ServiceWorkflowParams extends UserServiceWorkflowParams implements ConstantEnvironmentWorkflowParams {
+    /* Container image to use when creating a workflow worker
+     * to run pipeline steps when performing app operations, such as unit-test, package, push.
+     *
+     * This image is also used for other miscalaneous steps that need a place to run but dont
+     * need specialized tooling. */
+    String workflowWorkerImageAppOperations = null
+
+    /* Container image to use when creating a workflow worker
+     * to run pipeline steps when performing static code analysis step(s). */
+    String workflowWorkerImageStaticCodeAnalysis = "ploigos/ploigos-tool-sonar:nightly"
+
+    /* Container image to use when creating a workflow worker
+     * to run pipeline steps when performing container operations (build/push/sign/etc) step(s). */
+    String workflowWorkerImageContainerOperations = "ploigos/ploigos-tool-containers:nightly"
+
+    /* Container image to use when creating a workflow worker
+     * to run pipeline steps when performing container scanning (vulnerability/compliance/etc) step(s) */
+    String workflowWorkerImageContainerScanning = "ploigos/ploigos-tool-openscap:nightly"
+
+    /* Container image to use when creating a workflow worker
+     * to run pipeline steps when performing deploy step(s). */
+    String workflowWorkerImageDeploy = "ploigos/ploigos-tool-argocd:nightly"
+
+    /* Container image to use when creating a workflow worker
+     * to run pipeline steps when performing automated-governance step(s). */
+    String workflowWorkerImageAutomatedGovernance = "ploigos/ploigos-tool-autogov:nightly"
+
+    /* Container image to use when creating a workflow worker
+     * to run pipeline steps when performing validate environment configuration step(s). */
+    String workflowWorkerImageValidateEnvironmentConfiguration = "ploigos/ploigos-tool-config-lint:nightly"
+}

src/ploigos/params/SharedUserWorkflowParams.groovy

@@ -0,0 +1,65 @@
+package ploigos.params
+
+/* User parameters shared by all workflows
+ */
+class SharedUserWorkflowParams implements Serializable {
+    /* log any *sh commands used during execution */
+    String verbose = 'false'
+
+    /* Path to the Step Runner configuration to pass to the
+     * Workflow Step Runner when running workflow steps. */
+    String stepRunnerConfigDir = ''
+
+    /* Name of the Kubernetes Secret containing the PGP private keys to import for use by SOPS
+     * to decrypt encrypted Step Runner config. */
+    String pgpKeysSecretName = 'jenkins-pgp-private-key'
+
+    /* Kubernetes ServiceAccount that the Jenkins Worker Kubernetes Pod should be deployed with.
+     *
+     * IMPORTANT
+     * ---------
+     * So that `buildah`/`podman` can perform rootles container operations then this service account
+     * needs to have access to slightly escalted privilages.
+     *
+     * If `workflowWorkerContainerOperationsUsePrivilegeEscalation` is `true` then this
+     * this Kubernetes ServiceAccount needs to have access (via RoleBinding to Role)
+     * to a SecurityContextConstraints that allows for `allowPrivilegeEscalation`.
+     *
+     * If `workflowWorkerContainerOperationsUsePrivilegeEscalation` is `false` then this
+     * this Kubernetes ServiceAccount needs to have access (via RoleBinding to Role)
+     * to a SecurityContextConstraints that allows for the use of the
+     * `SETUID` and `SETGID` capabilities.
+     */
+    String workflowServiceAccountName = 'pipeline'
+
+    /* Name of the ConfigMap to mount as a trusted CA Bundle.
+     * Useful for when interacting with external services signed by an internal CA.
+     * If not specified then ignored. */
+    String trustedCABundleConfigMapName = ''
+
+    /* Kubernetes ConfigMap name containing shared Ploigos configuration file(s).
+     *
+     * Typically this would be provided by an infrastrcture or release engineering team so
+     * that development teams dont have to have duplicate configuration that can be provided
+     * and shared among multiple teams/projects.
+     *
+     * EX: the uri for container image repoistory would be a good thing
+     *     to put in shared config.
+     */
+    String platformConfigConfigMapName = null
+
+    /* Kubernetes Secret name containing shared Ploigos configuration file(s).
+     *
+     * IMPORTANT: Since Kubernetes Secrets are not encrypted it is highly recomended that
+     *            the contents of this Secret be encrypted with SOPS or similar.
+     *
+     * Typically this would be provided by an infrastrcture or release engineering team so
+     * that development teams dont have to have duplicate configuration that can be provided
+     * and shared among multiple teams/projects.
+     *
+     * EX: the usernmae and password for container image repoistory would be a good thing
+     *     to put in shared secret config, assuming crednetials shared with more then one
+     *     team/project.
+     */
+    String platformConfigSecretName = null
+}

src/ploigos/params/UserExistingContainerImageScanWorkflowParams.groovy

@@ -1,68 +1,8 @@
 package ploigos.params
 
-/* User parameters
+/* User parameters for existing container image scan workflows
  */
-class UserExistingContainerImageScanWorkflowParams implements Serializable {
-    /* log any *sh commands used during execution */
-    String verbose = 'false'
-
-    /* Path to the Step Runner configuration to pass to the
-     * Workflow Step Runner when running workflow steps. */
-    String stepRunnerConfigDir = ''
-
-    /* Name of the Kubernetes Secret containing the PGP private keys to import for use by SOPS
-     * to decrypt encrypted Step Runner config. */
-    String pgpKeysSecretName = 'jenkins-pgp-private-key'
-
-    /* Kubernetes ServiceAccount that the Jenkins Worker Kubernetes Pod should be deployed with.
-     *
-     * IMPORTANT
-     * ---------
-     * So that `buildah`/`podman` can perform rootles container operations then this service account
-     * needs to have access to slightly escalted privilages.
-     *
-     * If `workflowWorkerContainerOperationsUsePrivilegeEscalation` is `true` then this
-     * this Kubernetes ServiceAccount needs to have access (via RoleBinding to Role)
-     * to a SecurityContextConstraints that allows for `allowPrivilegeEscalation`.
-     *
-     * If `workflowWorkerContainerOperationsUsePrivilegeEscalation` is `false` then this
-     * this Kubernetes ServiceAccount needs to have access (via RoleBinding to Role)
-     * to a SecurityContextConstraints that allows for the use of the
-     * `SETUID` and `SETGID` capabilities.
-     */
-    String workflowServiceAccountName = 'pipeline'
-
-    /* Name of the ConfigMap to mount as a trusted CA Bundle.
-     * Useful for when interacting with external services signed by an internal CA.
-     * If not specified then ignored. */
-    String trustedCABundleConfigMapName = ''
-
-    /* Kubernetes ConfigMap name containing shared Ploigos configuration file(s).
-     *
-     * Typically this would be provided by an infrastrcture or release engineering team so
-     * that development teams dont have to have duplicate configuration that can be provided
-     * and shared among multiple teams/projects.
-     *
-     * EX: the uri for container image repoistory would be a good thing
-     *     to put in shared config.
-     */
-    String platformConfigConfigMapName = null
-
-    /* Kubernetes Secret name containing shared Ploigos configuration file(s).
-     *
-     * IMPORTANT: Since Kubernetes Secrets are not encrypted it is highly recomended that
-     *            the contents of this Secret be encrypted with SOPS or similar.
-     *
-     * Typically this would be provided by an infrastrcture or release engineering team so
-     * that development teams dont have to have duplicate configuration that can be provided
-     * and shared among multiple teams/projects.
-     *
-     * EX: the usernmae and password for container image repoistory would be a good thing
-     *     to put in shared secret config, assuming crednetials shared with more then one
-     *     team/project.
-     */
-    String platformConfigSecretName = null
-
+class UserExistingContainerImageScanWorkflowParams extends SharedUserWorkflowParams {
     /* Registry URL of the container image to scan.
      * i.e. In `quay.io/myorg/mycontainer:mytag` registry URL is `quay.io`. */
     String registryURL = ''

src/ploigos/params/UserServiceWorkflowParams.groovy

@@ -1,37 +1,10 @@
 package ploigos.params
 
-/* User parameters
- */
-class UserServiceWorkflowParams implements Serializable {
-    /* log any *sh commands used during execution */
-    String verbose = 'false'
-
-    /* Path to the Step Runner configuration to pass to the
-     * Workflow Step Runner when running workflow steps. */
-    String stepRunnerConfigDir = ''
-
-    /* Name of the Kubernetes Secret containing the PGP private keys to import for use by SOPS
-     * to decrypt encrypted Step Runner config. */
-    String pgpKeysSecretName = 'jenkins-pgp-private-key'
-
-    /* Kubernetes ServiceAccount that the Jenkins Worker Kubernetes Pod should be deployed with.
-     *
-     * IMPORTANT
-     * ---------
-     * So that `buildah`/`podman` can perform rootles container operations then this service account
-     * needs to have access to slightly escalted privilages.
-     *
-     * If `workflowWorkerContainerOperationsUsePrivilegeEscalation` is `true` then this
-     * this Kubernetes ServiceAccount needs to have access (via RoleBinding to Role)
-     * to a SecurityContextConstraints that allows for `allowPrivilegeEscalation`.
-     *
-     * If `workflowWorkerContainerOperationsUsePrivilegeEscalation` is `false` then this
-     * this Kubernetes ServiceAccount needs to have access (via RoleBinding to Role)
-     * to a SecurityContextConstraints that allows for the use of the
-     * `SETUID` and `SETGID` capabilities.
-     */
-    String workflowServiceAccountName = 'pipeline'
+import ploigos.params.SharedUserWorkflowParams
 
+/* User parameters for service workflows.
+ */
+class UserServiceWorkflowParams extends SharedUserWorkflowParams {
     /* Name of the "Development" environment used in the Step Runner configuration
      * files and to pass to the Workflow Step Runner when running a step targeted to
      * the "Development" environment. */
@@ -65,35 +38,4 @@ class UserServiceWorkflowParams implements Serializable {
      * Continues Integration (CI) workflow and then the deployment to
      * "Release" environment(s) (IE: "DEVTEST", "TEST", and then "PROD" environments) workflow. */
     String[] releaseGitRefPatterns = ['^main$']
-
-    /* Name of the ConfigMap to mount as a trusted CA Bundle.
-     * Useful for when interacting with external services signed by an internal CA.
-     * If not specified then ignored. */
-    String trustedCABundleConfigMapName = ''
-
-    /* Kubernetes ConfigMap name containing shared Ploigos configuration file(s).
-     *
-     * Typically this would be provided by an infrastrcture or release engineering team so
-     * that development teams dont have to have duplicate configuration that can be provided
-     * and shared among multiple teams/projects.
-     *
-     * EX: the uri for container image repoistory would be a good thing
-     *     to put in shared config.
-     */
-    String platformConfigConfigMapName = null
-
-    /* Kubernetes Secret name containing shared Ploigos configuration file(s).
-     *
-     * IMPORTANT: Since Kubernetes Secrets are not encrypted it is highly recomended that
-     *            the contents of this Secret be encrypted with SOPS or similar.
-     *
-     * Typically this would be provided by an infrastrcture or release engineering team so
-     * that development teams dont have to have duplicate configuration that can be provided
-     * and shared among multiple teams/projects.
-     *
-     * EX: the usernmae and password for container image repoistory would be a good thing
-     *     to put in shared secret config, assuming crednetials shared with more then one
-     *     team/project.
-     */
-    String platformConfigSecretName = null
 }

vars/existingContainerImageScanPloigosWorkflow.groovy

@@ -1,7 +1,8 @@
 #!/usr/bin/env groovy
 
+import ploigos.params.ExistingContainerImageScanWorkflowParams
 
-def call(Map paramsMap) {
+def call(ExistingContainerImageScanWorkflowParams params) {
 /* Match everything that isn't a-z, a-Z, 0-9, -, _, or .
     *
     * See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
@@ -132,9 +133,12 @@ def call(Map paramsMap) {
           tty: true
           securityContext:
             runAsUser: ${params.workflowWorkerRunAsUser}
+            ${WORKFLOW_WORKER_CONTAINER_OPERATIONS_ADDITIONAL_SECURITY_CONTEXTS}
           volumeMounts:
           - mountPath: ${WORKFLOW_WORKER_WORKSPACE_HOME_PATH}
             name: home-ploigos
+          - mountPath: /var/pgp-private-keys
+            name: pgp-private-keys
           ${PLATFORM_CONFIG_MOUNT}
           ${PLATFORM_CONFIG_SECRETS_MOUNT}
           ${TLS_MOUNTS}
@@ -167,7 +171,7 @@ def call(Map paramsMap) {
                             VERBOSE                         = "${params.verbose}"
                         }
                         steps {
-                            container("${WORKFLOW_WORKER_NAME_APP_OPERATIONS}") {
+                            container("${WORKFLOW_WORKER_NAME_CONTAINER_SCANNING}") {
                                 script {
                                     ploigosUtils.setupWorkflowStepRunner()
                                 }
@@ -208,7 +212,7 @@ def call(Map paramsMap) {
                                                 --step container-image-static-compliance-scan \
 						                        --step-config \
                                                     container-image-tag=${params.registryURL}/${IMAGE_TARGET} \
-                                                    container-image-pull-repository-type='docker://'
+                                                    container-image-registry-type='docker://'
                                         """
                                     }
                                 }
@@ -226,7 +230,7 @@ def call(Map paramsMap) {
                                                 --step container-image-static-vulnerability-scan \
 						                        --step-config \
                                                     container-image-tag=${params.registryURL}/${IMAGE_TARGET} \
-                                                    container-image-pull-repository-type='docker://'
+                                                     container-image-registry-type='docker://'
                                         """
                                     }
                                 }

vars/java11ServicePloigosWorkflowEverything.groovy

@@ -1,5 +1,5 @@
 import ploigos.params.UserServiceWorkflowParams
-import ploigos.params.AllWorkflowParams
+import ploigos.params.ServiceWorkflowParams
 
 /* Convince wrapper for `servicePipeline` to run workflow to CI/CD a Java service.
  */
@@ -12,7 +12,7 @@ def call(Map paramsMap) {
     new UserServiceWorkflowParams(paramsMap)
 
     // create All params from params map now the user params have been vlaidated
-    params = new AllWorkflowParams(paramsMap)
+    params = new ServiceWorkflowParams(paramsMap)
 
     // set javaService specific infra params
     params.workflowWorkerImageAppOperations = "ploigos/ploigos-tool-maven:nightly.java11.ubi8"