Squashed 'cluster-config/' content from commit 654f2390

git-subtree-dir: cluster-config
git-subtree-split: 654f23903bd1f9a27a4810bd289d165b6cfdbb0c
This commit is contained in:
2025-03-30 15:46:16 -05:00
commit fe564d7227
346 changed files with 11754 additions and 0 deletions

View File

@@ -0,0 +1,7 @@
## Not being used at the moment, use at your own risk :)
Uses a post-sync hook to generate ACS tokens for various namespaces to consume. Useful when there is a need to integrate with ACS for image scanning, etc.
Namespaces can be passed in a comma-separated list via environment variables.
based on Andrew Pitt's tekton task here: https://github.com/pittar-gitops/gitops-mono-repo-admins/tree/main/03-cluster-services/08-advanced-cluster-security/pipelines-and-secrets

View File

@@ -0,0 +1,6 @@
namespace: stackrox
resources:
- postsync-create-roxsecrets-sa-rbac.yaml
- postsync-create-roxsecrets-job.yaml
- postsync-roxsecret-namespaces.yaml

View File

@@ -0,0 +1,85 @@
apiVersion: batch/v1
kind: Job
metadata:
name: postsync-create-roxsecrets-job
namespace: stackrox
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
template:
spec:
containers:
- image: quay.io/gnunn/tools:4.10-1
env:
- name: PASSWORD
valueFrom:
secretKeyRef:
key: password
name: central-htpasswd
envFrom:
- configMapRef:
name: roxsecret-namespaces
command:
- /bin/bash
- -c
- |
# Wait for central to be ready
attempt_counter=0
max_attempts=20
echo "Waiting for central to be available..."
until $(curl -k --output /dev/null --silent --head --fail https://$CENTRAL_URL); do
if [ ${attempt_counter} -eq ${max_attempts} ];then
echo "Max attempts reached"
exit 1
fi
printf '.'
attempt_counter=$(($attempt_counter+1))
echo "Made attempt $attempt_counter, waiting..."
sleep 10
done
API_ENDPOINT="/v1/apitokens/generate"
CENTRAL_URL_API="https://$CENTRAL_URL$API_ENDPOINT"
echo "Central API endpoint: $CENTRAL_URL_API"
echo "Creating secrets in namespaces $NAMESPACES"
for NAMESPACE in ${NAMESPACES//,/ }
do
echo "Creating secret for $NAMESPACE"
if [[ `oc get namespace $NAMESPACE 2>/dev/null` ]] ;
then
echo "Namespace '$NAMESPACE' exists, checking secret..."
else
echo "Namespace '$NAMESPACE' doesn't exist, skipping"
continue
fi
# If secret already exists, don't regenerate.
if [[ -n `oc get secret roxsecrets -n $NAMESPACE 2>/dev/null` ]] ;
then
echo "Stackrox token secret already exists in $NAMESPACE"
continue
fi
PAYLOAD="{\"name\": \"$NAMESPACE\", \"role\": \"Continuous Integration\"}"
echo "$PAYLOAD"
echo "Generate new token."
RESPONSE=$(curl -k \
-X POST -u "admin:$PASSWORD" \
-H "Content-Type: application/json" \
--data "$PAYLOAD" \
$CENTRAL_URL_API)
TOKEN=$(jq -r '.token' <<< "$RESPONSE")
# Create secret in target namespace
oc create secret generic roxsecrets \
--from-literal=rox_central_endpoint=$CENTRAL_URL:443 \
--from-literal=rox_api_token=$TOKEN \
-n $NAMESPACE
done
name: create-secrets
dnsPolicy: ClusterFirst
restartPolicy: Never
terminationGracePeriodSeconds: 30
serviceAccount: postsync-create-roxsecrets
serviceAccountName: postsync-create-roxsecrets

View File

@@ -0,0 +1,40 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: postsync-create-roxsecrets
namespace: stackrox
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
argocd.argoproj.io/sync-wave: "1"
name: postsync-create-roxsecrets
namespace: stackrox
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: postsync-create-roxsecrets
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: postsync-create-roxsecrets
subjects:
- kind: ServiceAccount
name: postsync-create-roxsecrets
namespace: stackrox

View File

@@ -0,0 +1,8 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: roxsecret-namespaces
namespace: stackrox
data:
NAMESPACES: product-catalog-cicd,demo-cicd
CENTRAL_URL: central-stackrox.apps.hub.ocplab.com