From 63dfab1dbdb21229204b3616a9f46b09a44bc39d Mon Sep 17 00:00:00 2001 From: Pavlos Tzianos Date: Tue, 7 May 2024 19:03:43 +0100 Subject: [PATCH] cleanup golang project example, fix mongodb deployment and pipelinerun parameters --- deploy/dracon/values/dev.yaml | 12 +- docs/getting-started.md | 2 +- examples/pipelines/golang-project/Chart.yaml | 6 - .../{pipelinerun => }/pipelinerun.yaml | 4 + .../golang-project/templates/all.yaml | 1066 ----------------- 5 files changed, 10 insertions(+), 1080 deletions(-) delete mode 100644 examples/pipelines/golang-project/Chart.yaml rename examples/pipelines/golang-project/{pipelinerun => }/pipelinerun.yaml (79%) delete mode 100644 examples/pipelines/golang-project/templates/all.yaml diff --git a/deploy/dracon/values/dev.yaml b/deploy/dracon/values/dev.yaml index 23e30bbc4..b7b88cc89 100644 --- a/deploy/dracon/values/dev.yaml +++ b/deploy/dracon/values/dev.yaml @@ -13,13 +13,11 @@ kibana: mongodb: enabled: true - # auth: - # enabled: true - # usernames: ["consumer-mongodb"] - # passwords: ["consumer-mongodb"] - # databases: ["consumer-mongodb"] - # rootUser: "consumer-mongodb" - # rootPassword: "consumer-mongodb" + auth: + enabled: true + usernames: ["consumer-mongodb"] + passwords: ["consumer-mongodb"] + databases: ["consumer-mongodb"] arangodb: enabled: true diff --git a/docs/getting-started.md b/docs/getting-started.md index 19d1ddda7..b6d5db013 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -244,5 +244,5 @@ Then you can run an instance of the pipeline as follows: ```bash kubectl create \ -n dracon \ - -f ./examples/pipelines/golang-project/pipelinerun/pipelinerun.yaml + -f ./examples/pipelines/golang-project/pipelinerun.yaml ``` diff --git a/examples/pipelines/golang-project/Chart.yaml b/examples/pipelines/golang-project/Chart.yaml deleted file mode 100644 index b804de160..000000000 --- a/examples/pipelines/golang-project/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -name: "dracon-golang-project" -description: "A Helm chart for deploying a Dracon pipeline for a Golang project." -type: "application" -version: 0.0.1 -appVersion: "0.0.1" diff --git a/examples/pipelines/golang-project/pipelinerun/pipelinerun.yaml b/examples/pipelines/golang-project/pipelinerun.yaml similarity index 79% rename from examples/pipelines/golang-project/pipelinerun/pipelinerun.yaml rename to examples/pipelines/golang-project/pipelinerun.yaml index 4d4fff06e..e3371c1b7 100644 --- a/examples/pipelines/golang-project/pipelinerun/pipelinerun.yaml +++ b/examples/pipelines/golang-project/pipelinerun.yaml @@ -15,6 +15,10 @@ spec: # THIS IS AN EXAMPLE, PLEASE USE A PROPERLY SECURED SECRET KEY IN PRODUCTION # Corresponding public key for verification is MOt7TFuLyGB9yRN5mcIeAPa6jKoFglkwEwGBTOVLeXI= value: Lvbo+wAsW8Y4ENBA+lAikOwGTYAIXCQ49eRMEwClv94w63tMW4vIYH3JE3mZwh4A9rqMqgWCWTATAYFM5Ut5cg== + - name: consumer-elasticsearch-url + value: http://dracon-es-http:9200 + - name: consumer-mongodb-db-uri + value: mongodb://consumer-mongodb:consumer-mongodb@dracon-mongodb:27017/consumer-mongodb workspaces: - name: output volumeClaimTemplate: diff --git a/examples/pipelines/golang-project/templates/all.yaml b/examples/pipelines/golang-project/templates/all.yaml deleted file mode 100644 index 48f6ad153..000000000 --- a/examples/pipelines/golang-project/templates/all.yaml +++ /dev/null @@ -1,1066 +0,0 @@ -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - creationTimestamp: null - name: dracon-golang-project -spec: - params: - - default: "" - name: base-scan-tags - type: string - - description: Repository URL to clone from. - name: git-clone-url - type: string - - default: "" - description: Revision to checkout. (branch, tag, sha, ref, etc...) - name: git-clone-revision - type: string - - default: "" - description: Refspec to fetch before checking out revision. - name: git-clone-refspec - type: string - - default: "true" - description: Initialize and fetch git submodules. - name: git-clone-submodules - type: string - - default: "1" - description: Perform a shallow clone, fetching only the most recent N commits. - name: git-clone-depth - type: string - - default: "true" - description: Set the `http.sslVerify` global git config. Setting this to `false` - is not advised unless you are sure that you trust your git remote. - name: git-clone-sslVerify - type: string - - default: ca-bundle.crt - description: file name of mounted crt using ssl-ca-directory workspace. default - value is ca-bundle.crt. - name: git-clone-crtFileName - type: string - - default: "" - description: Subdirectory inside the `output` Workspace to clone the repo into. - name: git-clone-subdirectory - type: string - - default: "" - description: Define the directory patterns to match or exclude when performing - a sparse checkout. - name: git-clone-sparseCheckoutDirectories - type: string - - default: "true" - description: Clean out the contents of the destination directory if it already - exists before cloning. - name: git-clone-deleteExisting - type: string - - default: "" - description: HTTP proxy server for non-SSL requests. - name: git-clone-httpProxy - type: string - - default: "" - description: HTTPS proxy server for SSL requests. - name: git-clone-httpsProxy - type: string - - default: "" - description: Opt out of proxying HTTP/HTTPS requests. - name: git-clone-noProxy - type: string - - default: "true" - description: Log the commands that are executed during `git-clone`'s operation. - name: git-clone-verbose - type: string - - default: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2 - description: The image providing the git-init binary that this Task runs. - name: git-clone-gitInitImage - type: string - - default: /home/git - description: | - Absolute path to the user's home directory. - name: git-clone-userHome - type: string - - default: - - -r - - -quiet - - -sort - - -nosec - name: producer-golang-gosec-flags - type: array - - default: docker.io/golang:1.21 - description: The container image that will be used to run Go nancy - name: producer-golang-nancy-goImage - type: string - - default: cGFja2FnZSBleGFtcGxlLmdvc2VjCgpkZWZhdWx0IGFsbG93IDo9IGZhbHNlCgphbGxvdyA9dHJ1ZSB7CiAgICBwcmludChpbnB1dCkKICAgIGNoZWNrX3NldmVyaXR5Cn0KCmNoZWNrX3NldmVyaXR5IHsKICAgIGlucHV0LnNldmVyaXR5ID09ICJTRVZFUklUWV9ISUdIIgp9CmNoZWNrX3NldmVyaXR5IHsKICAgIGlucHV0LnNldmVyaXR5ID09ICJTRVZFUklUWV9NRURJVU0iCn0KY2hlY2tfc2V2ZXJpdHkgewogICAgaW5wdXQuc2V2ZXJpdHkgPT0gIlNFVkVSSVRZX0xPVyIKfQ== - name: enricher-policy-base64-policy - type: string - - default: "" - name: enricher-policy-annotation - type: string - - default: "" - description: An optional key to sign each aggregated result with - name: enricher-aggregator-b64-signature-key - type: string - - default: mongodb://consumer-mongodb:consumer-mongodb@consumer-mongodb:27017/consumer-mongodb - name: consumer-mongodb-db-uri - type: string - - default: consumer-mongodb - name: consumer-mongodb-db-name - type: string - - default: consumer-mongodb - name: consumer-mongodb-collection-name - type: string - - default: http://dracon-es-elasticsearch-es-http:9200 - name: consumer-elasticsearch-url - type: string - - default: "" - name: consumer-elasticsearch-description-template - type: string - tasks: - - name: base - params: - - name: base-scan-tags - value: $(params.base-scan-tags) - taskRef: - name: base - - name: git-clone - params: - - name: git-clone-url - value: $(params.git-clone-url) - - name: git-clone-revision - value: $(params.git-clone-revision) - - name: git-clone-refspec - value: $(params.git-clone-refspec) - - name: git-clone-submodules - value: $(params.git-clone-submodules) - - name: git-clone-depth - value: $(params.git-clone-depth) - - name: git-clone-sslVerify - value: $(params.git-clone-sslVerify) - - name: git-clone-crtFileName - value: $(params.git-clone-crtFileName) - - name: git-clone-subdirectory - value: $(params.git-clone-subdirectory) - - name: git-clone-sparseCheckoutDirectories - value: $(params.git-clone-sparseCheckoutDirectories) - - name: git-clone-deleteExisting - value: $(params.git-clone-deleteExisting) - - name: git-clone-httpProxy - value: $(params.git-clone-httpProxy) - - name: git-clone-httpsProxy - value: $(params.git-clone-httpsProxy) - - name: git-clone-noProxy - value: $(params.git-clone-noProxy) - - name: git-clone-verbose - value: $(params.git-clone-verbose) - - name: git-clone-gitInitImage - value: $(params.git-clone-gitInitImage) - - name: git-clone-userHome - value: $(params.git-clone-userHome) - taskRef: - name: git-clone - workspaces: - - name: output - workspace: output - - name: ssh-directory - workspace: ssh-directory - - name: basic-auth - workspace: basic-auth - - name: ssl-ca-directory - workspace: ssl-ca-directory - - name: producer-golang-gosec - params: - - name: producer-golang-gosec-flags - value: - - $(params.producer-golang-gosec-flags) - - name: anchors - value: - - $(tasks.git-clone.results.anchor) - - name: dracon_scan_id - value: $(tasks.base.results.dracon-scan-id) - - name: dracon_scan_start_time - value: $(tasks.base.results.dracon-scan-start-time) - - name: dracon_scan_tags - value: $(tasks.base.results.dracon-scan-tags) - taskRef: - name: producer-golang-gosec - workspaces: - - name: output - workspace: output - - name: producer-golang-nancy - params: - - name: producer-golang-nancy-goImage - value: $(params.producer-golang-nancy-goImage) - - name: anchors - value: - - $(tasks.git-clone.results.anchor) - - name: dracon_scan_id - value: $(tasks.base.results.dracon-scan-id) - - name: dracon_scan_start_time - value: $(tasks.base.results.dracon-scan-start-time) - - name: dracon_scan_tags - value: $(tasks.base.results.dracon-scan-tags) - taskRef: - name: producer-golang-nancy - workspaces: - - name: output - workspace: output - - name: producer-aggregator - params: - - name: anchors - value: - - $(tasks.producer-golang-gosec.results.anchor) - - $(tasks.producer-golang-nancy.results.anchor) - taskRef: - name: producer-aggregator - workspaces: - - name: output - workspace: output - - name: enricher-policy - params: - - name: enricher-policy-base64-policy - value: $(params.enricher-policy-base64-policy) - - name: enricher-policy-annotation - value: $(params.enricher-policy-annotation) - - name: anchors - value: - - $(tasks.producer-aggregator.results.anchor) - taskRef: - name: enricher-policy - workspaces: - - name: output - workspace: output - - name: enricher-deduplication - params: - - name: anchors - value: - - $(tasks.producer-aggregator.results.anchor) - taskRef: - name: enricher-deduplication - workspaces: - - name: output - workspace: output - - name: enricher-aggregator - params: - - name: enricher-aggregator-b64-signature-key - value: $(params.enricher-aggregator-b64-signature-key) - - name: anchors - value: - - $(tasks.enricher-policy.results.anchor) - - $(tasks.enricher-deduplication.results.anchor) - taskRef: - name: enricher-aggregator - workspaces: - - name: output - workspace: output - - name: consumer-mongodb - params: - - name: consumer-mongodb-db-uri - value: $(params.consumer-mongodb-db-uri) - - name: consumer-mongodb-db-name - value: $(params.consumer-mongodb-db-name) - - name: consumer-mongodb-collection-name - value: $(params.consumer-mongodb-collection-name) - - name: anchors - value: - - $(tasks.enricher-aggregator.results.anchor) - taskRef: - name: consumer-mongodb - workspaces: - - name: output - workspace: output - - name: consumer-elasticsearch - params: - - name: consumer-elasticsearch-url - value: $(params.consumer-elasticsearch-url) - - name: consumer-elasticsearch-description-template - value: $(params.consumer-elasticsearch-description-template) - - name: anchors - value: - - $(tasks.enricher-aggregator.results.anchor) - taskRef: - name: consumer-elasticsearch - workspaces: - - name: output - workspace: output - workspaces: - - name: output - - name: ssh-directory - optional: true - - name: basic-auth - optional: true - - name: ssl-ca-directory - optional: true ---- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - creationTimestamp: null - labels: - v1.dracon.ocurity.com/component: base - name: base -spec: - params: - - default: "" - name: base-scan-tags - type: string - results: - - description: The scan start time - name: dracon-scan-start-time - - description: The scan unique id - name: dracon-scan-id - - description: serialized map[string]string of tags for this scan - name: dracon-scan-tags - steps: - - image: docker.io/busybox:1.35.0 - name: generate-scan-id-start-time - resources: {} - script: | - cat /proc/sys/kernel/random/uuid | tee $(results.dracon-scan-id.path) - date +"%Y-%m-%dT%H:%M:%SZ" | tee $(results.dracon-scan-start-time.path) - echo "$(params.base-scan-tags)" | tee $(results.dracon-scan-tags.path) ---- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - annotations: - tekton.dev/categories: Git - tekton.dev/displayName: git clone - tekton.dev/pipelines.minVersion: 0.38.0 - tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 - tekton.dev/tags: git - creationTimestamp: null - labels: - app.kubernetes.io/version: "0.9" - v1.dracon.ocurity.com/component: source - name: git-clone -spec: - description: |- - These Tasks are Git tasks to work with repositories used by other tasks in your Pipeline. - The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace. You can clone into a subdirectory by setting this Task's subdirectory param. This Task also supports sparse checkouts. To perform a sparse checkout, pass a list of comma separated directory patterns to this Task's sparseCheckoutDirectories param. - params: - - description: Repository URL to clone from. - name: git-clone-url - type: string - - default: "" - description: Revision to checkout. (branch, tag, sha, ref, etc...) - name: git-clone-revision - type: string - - default: "" - description: Refspec to fetch before checking out revision. - name: git-clone-refspec - type: string - - default: "true" - description: Initialize and fetch git submodules. - name: git-clone-submodules - type: string - - default: "1" - description: Perform a shallow clone, fetching only the most recent N commits. - name: git-clone-depth - type: string - - default: "true" - description: Set the `http.sslVerify` global git config. Setting this to `false` - is not advised unless you are sure that you trust your git remote. - name: git-clone-sslVerify - type: string - - default: ca-bundle.crt - description: file name of mounted crt using ssl-ca-directory workspace. default - value is ca-bundle.crt. - name: git-clone-crtFileName - type: string - - default: "" - description: Subdirectory inside the `output` Workspace to clone the repo into. - name: git-clone-subdirectory - type: string - - default: "" - description: Define the directory patterns to match or exclude when performing - a sparse checkout. - name: git-clone-sparseCheckoutDirectories - type: string - - default: "true" - description: Clean out the contents of the destination directory if it already - exists before cloning. - name: git-clone-deleteExisting - type: string - - default: "" - description: HTTP proxy server for non-SSL requests. - name: git-clone-httpProxy - type: string - - default: "" - description: HTTPS proxy server for SSL requests. - name: git-clone-httpsProxy - type: string - - default: "" - description: Opt out of proxying HTTP/HTTPS requests. - name: git-clone-noProxy - type: string - - default: "true" - description: Log the commands that are executed during `git-clone`'s operation. - name: git-clone-verbose - type: string - - default: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2 - description: The image providing the git-init binary that this Task runs. - name: git-clone-gitInitImage - type: string - - default: /home/git - description: | - Absolute path to the user's home directory. - name: git-clone-userHome - type: string - results: - - description: The precise commit SHA that was fetched by this Task. - name: commit - - description: The precise URL that was fetched by this Task. - name: url - - description: The epoch timestamp of the commit that was fetched by this Task. - name: committer-date - - description: An anchor to allow other tasks to depend on this task. - name: anchor - - description: An anchor to allow other tasks to depend on this task. - name: anchor - steps: - - env: - - name: HOME - value: $(params.git-clone-userHome) - - name: PARAM_URL - value: $(params.git-clone-url) - - name: PARAM_REVISION - value: $(params.git-clone-revision) - - name: PARAM_REFSPEC - value: $(params.git-clone-refspec) - - name: PARAM_SUBMODULES - value: $(params.git-clone-submodules) - - name: PARAM_DEPTH - value: $(params.git-clone-depth) - - name: PARAM_SSL_VERIFY - value: $(params.git-clone-sslVerify) - - name: PARAM_CRT_FILENAME - value: $(params.git-clone-crtFileName) - - name: PARAM_SUBDIRECTORY - value: $(params.git-clone-subdirectory) - - name: PARAM_DELETE_EXISTING - value: $(params.git-clone-deleteExisting) - - name: PARAM_HTTP_PROXY - value: $(params.git-clone-httpProxy) - - name: PARAM_HTTPS_PROXY - value: $(params.git-clone-httpsProxy) - - name: PARAM_NO_PROXY - value: $(params.git-clone-noProxy) - - name: PARAM_VERBOSE - value: $(params.git-clone-verbose) - - name: PARAM_SPARSE_CHECKOUT_DIRECTORIES - value: $(params.git-clone-sparseCheckoutDirectories) - - name: PARAM_USER_HOME - value: $(params.git-clone-userHome) - - name: WORKSPACE_OUTPUT_PATH - value: $(workspaces.output.path) - - name: WORKSPACE_SSH_DIRECTORY_BOUND - value: $(workspaces.ssh-directory.bound) - - name: WORKSPACE_SSH_DIRECTORY_PATH - value: $(workspaces.ssh-directory.path) - - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND - value: $(workspaces.basic-auth.bound) - - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH - value: $(workspaces.basic-auth.path) - - name: WORKSPACE_SSL_CA_DIRECTORY_BOUND - value: $(workspaces.ssl-ca-directory.bound) - - name: WORKSPACE_SSL_CA_DIRECTORY_PATH - value: $(workspaces.ssl-ca-directory.path) - image: $(params.git-clone-gitInitImage) - name: clone - resources: {} - script: | - #!/usr/bin/env sh - set -eu - - if [ "${PARAM_VERBOSE}" = "true" ] ; then - set -x - fi - - if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then - cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" - cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig" - chmod 400 "${PARAM_USER_HOME}/.git-credentials" - chmod 400 "${PARAM_USER_HOME}/.gitconfig" - fi - - if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then - cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh - chmod 700 "${PARAM_USER_HOME}"/.ssh - chmod -R 400 "${PARAM_USER_HOME}"/.ssh/* - fi - - if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ] ; then - export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}" - if [ "${PARAM_CRT_FILENAME}" != "" ] ; then - export GIT_SSL_CAINFO="${WORKSPACE_SSL_CA_DIRECTORY_PATH}/${PARAM_CRT_FILENAME}" - fi - fi - CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" - - cleandir() { - # Delete any existing contents of the repo directory if it exists. - # - # We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/" - # or the root of a mounted volume. - if [ -d "${CHECKOUT_DIR}" ] ; then - # Delete non-hidden files and directories - rm -rf "${CHECKOUT_DIR:?}"/* - # Delete files and directories starting with . but excluding .. - rm -rf "${CHECKOUT_DIR}"/.[!.]* - # Delete files and directories starting with .. plus any other character - rm -rf "${CHECKOUT_DIR}"/..?* - fi - } - - if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then - cleandir || true - fi - - test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}" - test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}" - test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}" - - git config --global --add safe.directory "${WORKSPACE_OUTPUT_PATH}" - /ko-app/git-init \ - -url="${PARAM_URL}" \ - -revision="${PARAM_REVISION}" \ - -refspec="${PARAM_REFSPEC}" \ - -path="${CHECKOUT_DIR}" \ - -sslVerify="${PARAM_SSL_VERIFY}" \ - -submodules="${PARAM_SUBMODULES}" \ - -depth="${PARAM_DEPTH}" \ - -sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}" - cd "${CHECKOUT_DIR}" - RESULT_SHA="$(git rev-parse HEAD)" - EXIT_CODE="$?" - if [ "${EXIT_CODE}" != 0 ] ; then - exit "${EXIT_CODE}" - fi - RESULT_COMMITTER_DATE="$(git log -1 --pretty=%ct)" - printf "%s" "${RESULT_COMMITTER_DATE}" > "$(results.committer-date.path)" - printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" - printf "%s" "${PARAM_URL}" > "$(results.url.path)" - securityContext: - runAsNonRoot: true - runAsUser: 65532 - - image: $(params.git-clone-gitInitImage) - name: add-anchor - resources: {} - script: echo "git-clone" > "$(results.anchor.path)" - - image: docker.io/busybox - name: anchor - resources: {} - script: echo "$(context.task.name)" > "$(results.anchor.path)" - workspaces: - - description: The git repo will be cloned onto the volume backing this Workspace. - name: output - - description: | - A .ssh directory with private key, known_hosts, config, etc. Copied to - the user's home before git commands are executed. Used to authenticate - with the git remote when performing the clone. Binding a Secret to this - Workspace is strongly recommended over other volume types. - name: ssh-directory - optional: true - - description: | - A Workspace containing a .gitconfig and .git-credentials file. These - will be copied to the user's home before any git commands are run. Any - other files in this Workspace are ignored. It is strongly recommended - to use ssh-directory over basic-auth whenever possible and to bind a - Secret to this Workspace over other volume types. - name: basic-auth - optional: true - - description: | - A workspace containing CA certificates, this will be used by Git to - verify the peer with when fetching or pushing over HTTPS. - name: ssl-ca-directory - optional: true ---- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - creationTimestamp: null - labels: - v1.dracon.ocurity.com/component: producer - name: producer-golang-gosec -spec: - params: - - default: - - -r - - -quiet - - -sort - - -nosec - name: producer-golang-gosec-flags - type: array - - default: null - description: A list of tasks that this task depends on - name: anchors - type: array - - name: dracon_scan_id - type: string - - name: dracon_scan_start_time - type: string - - name: dracon_scan_tags - type: string - results: - - description: An anchor to allow other tasks to depend on this task. - name: anchor - steps: - - args: - - $(params.producer-golang-gosec-flags[*]) - - -fmt=json - - -out=/scratch/out.json - - -no-fail - - $(workspaces.output.path)/source-code/... - command: - - gosec - env: - - name: DRACON_SCAN_TIME - value: $(params.dracon_scan_start_time) - - name: DRACON_SCAN_ID - value: $(params.dracon_scan_id) - - name: DRACON_SCAN_TAGS - value: $(params.dracon_scan_tags) - image: docker.io/securego/gosec:2.15.0 - name: run-gosec - resources: {} - volumeMounts: - - mountPath: /scratch - name: scratch - - args: - - -in=/scratch/out.json - - -out=$(workspaces.output.path)/.dracon/producers/golang-gosec.pb - command: - - /app/components/producers/golang-gosec/golang-gosec-parser - env: - - name: DRACON_SCAN_TIME - value: $(params.dracon_scan_start_time) - - name: DRACON_SCAN_ID - value: $(params.dracon_scan_id) - - name: DRACON_SCAN_TAGS - value: $(params.dracon_scan_tags) - image: '{{ default "ghcr.io/ocurity/dracon" .Values.container_registry }}/components/producers/golang-gosec:{{ - default "latest" .Values.dracon_os_component_version }}' - imagePullPolicy: IfNotPresent - name: produce-issues - resources: {} - volumeMounts: - - mountPath: /scratch - name: scratch - - env: - - name: DRACON_SCAN_TIME - value: $(params.dracon_scan_start_time) - - name: DRACON_SCAN_ID - value: $(params.dracon_scan_id) - - name: DRACON_SCAN_TAGS - value: $(params.dracon_scan_tags) - image: docker.io/busybox - name: anchor - resources: {} - script: echo "$(context.task.name)" > "$(results.anchor.path)" - volumes: - - emptyDir: {} - name: scratch - workspaces: - - description: The workspace containing the source-code to scan. - name: output ---- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - creationTimestamp: null - labels: - v1.dracon.ocurity.com/component: producer - name: producer-golang-nancy -spec: - params: - - default: docker.io/golang:1.21 - description: The container image that will be used to run Go nancy - name: producer-golang-nancy-goImage - type: string - - default: null - description: A list of tasks that this task depends on - name: anchors - type: array - - name: dracon_scan_id - type: string - - name: dracon_scan_start_time - type: string - - name: dracon_scan_tags - type: string - results: - - description: An anchor to allow other tasks to depend on this task. - name: anchor - steps: - - env: - - name: DRACON_SCAN_TIME - value: $(params.dracon_scan_start_time) - - name: DRACON_SCAN_ID - value: $(params.dracon_scan_id) - - name: DRACON_SCAN_TAGS - value: $(params.dracon_scan_tags) - image: $(params.producer-golang-nancy-goImage) - name: go-deps - resources: {} - script: | - #!/bin/bash -xe - # make sure that the git repo is considered secure since it's mounted with onwen None but the process itself runs as root - git config --global --add safe.directory $(workspaces.output.path)/source-code - if [[ ! -f "$(workspaces.output.path)/source-code/Gopkg.lock" ]]; then - go_mod_paths=$(find $(workspaces.output.path)/source-code -iname "go.mod") - touch /scratch/golist.json - for go_mod_path in $go_mod_paths; do - cd $(dirname $go_mod_path) && go list -json -deps ./... >> /scratch/golist.json - done - cat /scratch/golist.json - else - cat $(workspaces.output.path)/source-code/Gopkg.lock - fi - ls -lah /scratch - volumeMounts: - - mountPath: /scratch - name: scratch - - env: - - name: DRACON_SCAN_TIME - value: $(params.dracon_scan_start_time) - - name: DRACON_SCAN_ID - value: $(params.dracon_scan_id) - - name: DRACON_SCAN_TAGS - value: $(params.dracon_scan_tags) - image: docker.io/sonatypecommunity/nancy:v1.0.42-alpine - imagePullPolicy: IfNotPresent - name: run-nancy - resources: {} - script: | - #!/bin/sh - if [[ ! -f "$(workspaces.output.path)/source-code/Gopkg.lock" ]]; then - echo "Running nancy with golist" - cat /scratch/golist.json | nancy sleuth -o json > /scratch/out.json || true - else - echo "Running nancy in dep mode" - nancy sleuth -p "$(workspaces.output.path)/source-code/Gopkg.lock" -o json > /scratch/out.json || true - fi - cat /scratch/out.json - volumeMounts: - - mountPath: /scratch - name: scratch - - args: - - -in=/scratch/out.json - - -out=$(workspaces.output.path)/.dracon/producers/golang-nancy.pb - command: - - /app/components/producers/golang-nancy/golang-nancy-parser - env: - - name: DRACON_SCAN_TIME - value: $(params.dracon_scan_start_time) - - name: DRACON_SCAN_ID - value: $(params.dracon_scan_id) - - name: DRACON_SCAN_TAGS - value: $(params.dracon_scan_tags) - image: '{{ default "ghcr.io/ocurity/dracon" .Values.container_registry }}/components/producers/golang-nancy:{{ - default "latest" .Values.dracon_os_component_version }}' - imagePullPolicy: IfNotPresent - name: produce-issues - resources: {} - volumeMounts: - - mountPath: /scratch - name: scratch - - env: - - name: DRACON_SCAN_TIME - value: $(params.dracon_scan_start_time) - - name: DRACON_SCAN_ID - value: $(params.dracon_scan_id) - - name: DRACON_SCAN_TAGS - value: $(params.dracon_scan_tags) - image: docker.io/busybox - name: anchor - resources: {} - script: echo "$(context.task.name)" > "$(results.anchor.path)" - volumes: - - emptyDir: {} - name: scratch - workspaces: - - description: The workspace containing the source-code to scan. - name: output ---- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - creationTimestamp: null - labels: - v1.dracon.ocurity.com/component: producer-aggregator - name: producer-aggregator -spec: - params: - - default: null - description: A list of tasks that this task depends on - name: anchors - type: array - results: - - description: An anchor to allow other tasks to depend on this task. - name: anchor - steps: - - args: - - $(workspaces.output.path) - command: - - ls - image: docker.io/busybox - name: aggregate - resources: {} - - command: - - /app/components/producers/aggregator/tagger - env: - - name: READ_PATH - value: $(workspaces.output.path)/.dracon/producers - - name: WRITE_PATH - value: $(workspaces.output.path)/.dracon/producers - image: '{{ default "ghcr.io/ocurity/dracon" .Values.container_registry }}/components/producers/tagger:{{ - default "latest" .Values.dracon_os_component_version }}' - name: tag - resources: {} - - image: docker.io/busybox - name: anchor - resources: {} - script: echo "$(context.task.name)" > "$(results.anchor.path)" - workspaces: - - description: The workspace containing the source-code to scan. - name: output ---- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - creationTimestamp: null - labels: - v1.dracon.ocurity.com/component: enricher - name: enricher-policy -spec: - params: - - default: cGFja2FnZSBleGFtcGxlLmdvc2VjCgpkZWZhdWx0IGFsbG93IDo9IGZhbHNlCgphbGxvdyA9dHJ1ZSB7CiAgICBwcmludChpbnB1dCkKICAgIGNoZWNrX3NldmVyaXR5Cn0KCmNoZWNrX3NldmVyaXR5IHsKICAgIGlucHV0LnNldmVyaXR5ID09ICJTRVZFUklUWV9ISUdIIgp9CmNoZWNrX3NldmVyaXR5IHsKICAgIGlucHV0LnNldmVyaXR5ID09ICJTRVZFUklUWV9NRURJVU0iCn0KY2hlY2tfc2V2ZXJpdHkgewogICAgaW5wdXQuc2V2ZXJpdHkgPT0gIlNFVkVSSVRZX0xPVyIKfQ== - name: enricher-policy-base64-policy - type: string - - default: "" - name: enricher-policy-annotation - type: string - - default: null - description: A list of tasks that this task depends on - name: anchors - type: array - results: - - description: An anchor to allow other tasks to depend on this task. - name: anchor - sidecars: - - args: - - run - - --server - - --addr - - 0.0.0.0:8181 - - --log-level - - debug - command: - - /opa - image: docker.io/openpolicyagent/opa:0.44.0-rootless - name: open-policy-agent - resources: - limits: - cpu: "1" - memory: 5Gi - requests: - cpu: 500m - memory: 512Mi - securityContext: - runAsGroup: 70 - runAsUser: 70 - steps: - - command: - - /app/components/enrichers/policy/policy - env: - - name: READ_PATH - value: $(workspaces.output.path)/.dracon/producers - - name: WRITE_PATH - value: $(workspaces.output.path)/.dracon/enrichers/policy - - name: POLICY - value: $(params.enricher-policy-base64-policy) - - name: OPA_SERVER - value: http://localhost:8181 - - name: ANNOTATION - value: $(params.enricher-policy-annotation) - image: '{{ default "ghcr.io/ocurity/dracon" .Values.container_registry }}/components/enrichers/policy:{{ - default "latest" .Values.dracon_os_component_version }}' - imagePullPolicy: IfNotPresent - name: run-enricher - resources: {} - - image: docker.io/busybox - name: anchor - resources: {} - script: echo "$(context.task.name)" > "$(results.anchor.path)" - workspaces: - - description: The workspace containing the source-code to scan. - name: output ---- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - creationTimestamp: null - labels: - v1.dracon.ocurity.com/component: enricher - name: enricher-deduplication -spec: - params: - - default: null - description: A list of tasks that this task depends on - name: anchors - type: array - results: - - description: An anchor to allow other tasks to depend on this task. - name: anchor - steps: - - command: - - /app/components/enrichers/deduplication/deduplication - env: - - name: ENRICHER_READ_PATH - value: $(workspaces.output.path)/.dracon/producers - - name: ENRICHER_WRITE_PATH - value: $(workspaces.output.path)/.dracon/enrichers/deduplication - - name: ENRICHER_DB_CONNECTION - value: postgresql://dracon:dracon@dracon-enrichment-db.$(context.taskRun.namespace).svc?sslmode=disable - image: '{{ default "ghcr.io/ocurity/dracon" .Values.container_registry }}/components/enrichers/deduplication:{{ - default "latest" .Values.dracon_os_component_version }}' - imagePullPolicy: IfNotPresent - name: run-enricher - resources: {} - - image: docker.io/busybox - name: anchor - resources: {} - script: echo "$(context.task.name)" > "$(results.anchor.path)" - workspaces: - - description: The workspace containing the source-code to scan. - name: output ---- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - creationTimestamp: null - labels: - v1.dracon.ocurity.com/component: enricher-aggregator - name: enricher-aggregator -spec: - params: - - default: "" - description: An optional key to sign each aggregated result with - name: enricher-aggregator-b64-signature-key - type: string - - default: null - description: A list of tasks that this task depends on - name: anchors - type: array - results: - - description: An anchor to allow other tasks to depend on this task. - name: anchor - steps: - - args: - - $(workspaces.output.path) - command: - - ls - - -lah - image: docker.io/busybox:1.35.0 - name: aggregate - resources: {} - - command: - - /app/components/enrichers/aggregator/aggregator - env: - - name: READ_PATH - value: $(workspaces.output.path)/.dracon/enrichers - - name: WRITE_PATH - value: $(workspaces.output.path)/.dracon/enrichers - - name: B64_SIGNATURE_KEY - value: $(params.enricher-aggregator-b64-signature-key) - image: '{{ default "ghcr.io/ocurity/dracon" .Values.container_registry }}/components/enrichers/aggregator:{{ - default "latest" .Values.dracon_os_component_version }}' - name: aggregate-tagged-issues - resources: {} - - image: docker.io/busybox - name: anchor - resources: {} - script: echo "$(context.task.name)" > "$(results.anchor.path)" - workspaces: - - description: The workspace containing the source-code to scan. - name: output ---- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - creationTimestamp: null - labels: - v1.dracon.ocurity.com/component: consumer - name: consumer-mongodb -spec: - params: - - default: mongodb://consumer-mongodb:consumer-mongodb@consumer-mongodb:27017/consumer-mongodb - name: consumer-mongodb-db-uri - type: string - - default: consumer-mongodb - name: consumer-mongodb-db-name - type: string - - default: consumer-mongodb - name: consumer-mongodb-collection-name - type: string - - default: null - description: A list of tasks that this task depends on - name: anchors - type: array - steps: - - args: - - -in - - $(workspaces.output.path)/.dracon/enrichers/ - - -db-uri - - $(params.consumer-mongodb-db-uri) - - -db-name - - $(params.consumer-mongodb-db-name) - - -collection-name - - $(params.consumer-mongodb-collection-name) - command: - - /app/components/consumers/mongodb/mongodb - image: '{{ default "ghcr.io/ocurity/dracon" .Values.container_registry }}/components/consumers/mongodb:{{ - default "latest" .Values.dracon_os_component_version }}' - imagePullPolicy: IfNotPresent - name: run-consumer - resources: {} - workspaces: - - description: The workspace containing the source-code to scan. - name: output ---- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - creationTimestamp: null - labels: - v1.dracon.ocurity.com/component: consumer - name: consumer-elasticsearch -spec: - params: - - default: http://dracon-es-elasticsearch-es-http:9200 - name: consumer-elasticsearch-url - type: string - - default: "" - name: consumer-elasticsearch-description-template - type: string - - default: null - description: A list of tasks that this task depends on - name: anchors - type: array - steps: - - args: - - -in - - $(workspaces.output.path)/.dracon/enrichers/ - - -es-index - - dracon - - -descriptionTemplate - - $(params.consumer-elasticsearch-description-template) - command: - - /app/components/consumers/elasticsearch/elasticsearch - env: - - name: ELASTICSEARCH_URL - value: $(params.consumer-elasticsearch-url) - image: '{{ default "ghcr.io/ocurity/dracon" .Values.container_registry }}/components/consumers/elasticsearch:{{ - default "latest" .Values.dracon_os_component_version }}' - imagePullPolicy: IfNotPresent - name: run-consumer - resources: {} - workspaces: - - description: The workspace containing the source-code to scan. - name: output