diff --git a/Building-Castles/DevSecOps-Pipeline-GitLab-Ultimate-DAST.md b/Building-Castles/DevSecOps-Pipeline-GitLab-Ultimate-DAST.md index a04523c..9bf3c60 100644 --- a/Building-Castles/DevSecOps-Pipeline-GitLab-Ultimate-DAST.md +++ b/Building-Castles/DevSecOps-Pipeline-GitLab-Ultimate-DAST.md @@ -136,6 +136,12 @@ build-image: - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" - docker build -t "$CS_IMAGE" . - docker push "$CS_IMAGE" + after_script: + - | + if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then + docker tag "$CS_IMAGE" "$CI_REGISTRY_IMAGE:latest" + docker push "$CI_REGISTRY_IMAGE:latest" + fi sast: stage: test @@ -150,6 +156,9 @@ dast: alias: app ``` +Note the inclusion of `after_script` that will tag as `latest` the pushed image +_only if_ the branch is `$CI_DEFAULT_BRANCH`, which is normally `main`. + Commit and push after checking the status of the repository: ```console diff --git a/Building-Castles/DevSecOps-Pipeline-GitLab-Ultimate-Kubernetes-Image-Usage.md b/Building-Castles/DevSecOps-Pipeline-GitLab-Ultimate-Kubernetes-Image-Usage.md new file mode 100644 index 0000000..e0980e8 --- /dev/null +++ b/Building-Castles/DevSecOps-Pipeline-GitLab-Ultimate-Kubernetes-Image-Usage.md @@ -0,0 +1,142 @@ +# Lab | Use the image generated from GitLab into a Kubernetes deployment + +In this lab you will configure a Kubernetes deployment that will use the image +generated in [DevSecOps-Pipeline-GitLab-Ultimate-DAST.md](DevSecOps-Pipeline-GitLab-Ultimate-DAST.md). + +## Requirements + +The lab is based on a local Kubernetes installation run with Minikube, as +described in [Kubernetes-Install-Minikube.md](../Common/Kubernetes-Install-Minikube.md) +and uses the container image that was created in the previously executed lab +[DevSecOps-Pipeline-GitLab-Ultimate-DAST.md](DevSecOps-Pipeline-GitLab-Ultimate-DAST.md). + +## Create a GitLab token for pull operations + +Log into the GitLab web interface and become the `admdevsecops` user by +clocking `Impersonate` from the user page: + +[https://172.16.99.1:8443/admin/users/admdevsecops/](https://172.16.99.1:8443/admin/users/admdevsecops/) + +Move into `myproject` project access tokens page: + +[https://172.16.99.1:8443/building-castles/myproject/-/settings/access_tokens](https://172.16.99.1:8443/building-castles/myproject/-/settings/access_tokens) + +Press `Add new token` and set these values: + +- `Token name`: `Kubernetes pull` +- Under `Select scopes` check `read_registry` + +After pressing create copy the token. Note that if you lose it, you will need to +regenerate it. + +To test the effectiveness of the token it is possible to use `docker login` as +follows: + +```console +$ echo "" | docker login 172.16.99.1:5050 -u admdevsecops --password-stdin + +WARNING! Your credentials are stored unencrypted in '/home/kirater/.docker/config.json'. +Configure a credential helper to remove this warning. See +https://docs.docker.com/go/credential-store/ + +Login Succeeded +``` + +It is time to test things in Kubernetes. + +## Create Kubernetes namespace and secret + +We will use a dedicated namespace named `myns`: + +```console +$ kubectl create namespace myns +namespace/myns created +``` + +Inside the namespace we will create the pull secret named +`gitlab-registry-secret` that will contain the token: + +```console +$ kubectl create secret docker-registry gitlab-registry-secret \ + --namespace=myns \ + --docker-server=172.16.99.1:5050 \ + --docker-username=admdevsecops \ + --docker-password= +secret/gitlab-registry-secret created +``` + +This secret will be part of the deployment definition. + +## Create and test Kubernetes deployment + +Create the deployment file with this command: + +```console +$ cat << EOF > myproject-deployment.yml +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: myns + name: myproject +spec: + replicas: 1 + selector: + matchLabels: + app: myproject + template: + metadata: + labels: + app: myproject + spec: + containers: + - name: app + image: 172.16.99.1:5050/building-castles/myproject:latest + ports: + - containerPort: 5000 + imagePullSecrets: + - name: gitlab-registry-secret +EOF +``` + +To effectively deploy it, use `kubectl`: + +```console +$ kubectl apply -f myproject-deployment.yml +deployment.apps/myproject created +``` + +After checking the effective application startup: + +```console +$ kubectl -n myns get all +NAME READY STATUS RESTARTS AGE +pod/myproject-75cb8899d9-6zkg7 1/1 Running 0 3m3s + +NAME READY UP-TO-DATE AVAILABLE AGE +deployment.apps/myproject 1/1 1 1 3m3s + +NAME DESIRED CURRENT READY AGE +replicaset.apps/myproject-75cb8899d9 1 1 1 3m3s +``` + +It will be possible to map the service port using `port-forward`: + +```console +$ kubectl -n myns port-forward deployments/myproject 5000:5000 +Forwarding from 127.0.0.1:5000 -> 5000 +Forwarding from [::1]:5000 -> 5000 +``` + +And from another terminal test the application via `curl`: + +```console +$ curl localhost:5000/ping +PING 127.0.0.1 (127.0.0.1): 56 data bytes +64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.032 ms + +--- 127.0.0.1 ping statistics --- +1 packets transmitted, 1 packets received, 0% packet loss +round-trip min/avg/max = 0.032/0.032/0.032 ms +``` + +The output shows that the application is up and running. diff --git a/Building-Castles/DevSecOps-Pipeline-GitLab-Ultimate-Security-Policies.md b/Building-Castles/DevSecOps-Pipeline-GitLab-Ultimate-Security-Policies.md index f0963fb..493e4ac 100644 --- a/Building-Castles/DevSecOps-Pipeline-GitLab-Ultimate-Security-Policies.md +++ b/Building-Castles/DevSecOps-Pipeline-GitLab-Ultimate-Security-Policies.md @@ -186,6 +186,14 @@ By passing just: And ensuring group is `building-castles` then pressing `Create project`. +Be sure to disable the `Auto DevOps` for the project, go to: + +[https://172.16.99.1:8443/building-castles/myproject/-/settings/ci_cd#autodevops-settings](https://172.16.99.1:8443/building-castles/myproject/-/settings/ci_cd#autodevops-settings) + +And uncheck `Default to Auto DevOps pipeline`. This will prevent GitLab from +adding any automatic CI pipeline, everything CI related will be managed manually +inside this and other laboratories. + ## Add members to myproject Go to: @@ -194,8 +202,6 @@ Go to: and by pressing `Invite memebers`, add three members as: -- Username: admdevsecops - Select a role: Owner - Username: mntdevsecops Select a role: Maintainer - Username: devsecops