docs/supply-chain.md
Lines changed: 11 additions & 3 deletions
@@ -11,9 +11,9 @@ In this project, we used the [qtodo](https://github.com/validatedpatterns-demos/
11
11
*[Red Hat Trusted Artifact Signer (RHTAS)](https://docs.redhat.com/en/documentation/red_hat_trusted_artifact_signer/1) is a solution for signing and verifying software artifacts to ensure their integrity and authenticity.
12
12
*[Red Hat Trusted Profile Analyzer (RHTPA)](https://docs.redhat.com/en/documentation/red_hat_trusted_profile_analyzer/2) is a product that helps DevSecOps teams gain visibility into software supply chain risks by analyzing _Software Bill of Materials_ (SBOMs) and crossing data with _Vulnerability Exploitability eXchange_ (VEX) and _Common Vulnerabilities and Exposures_ (CVE) databases.
13
13
14
-
### Auxiliary
14
+
### Supporting Components
15
15
16
-
In our demo, we will use a number of additional ZTVP components. These components are auxiliary, helping us to prepare a ZT-compliant environment, but they are also cross-cutting and can be replaced by other compatible solutions.
16
+
In our demo, we will use a number of additional ZTVP components. These components are auxiliary, and help us prepare an environment compatible with Zero Trust (ZT), but they are also cross-cutting and can be replaced by other compatible solutions.
17
17
18
18
*[Red Hat Zero Trust Workload Identity Manager](https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/security_and_compliance/zero-trust-workload-identity-manager) is a solution that automates the provisioning and management of verifiable identities based on SPIRE/SPIFFE for workloads on OpenShift. It will be used to manage the signature and verification. It could be replaced by your own OIDC.
19
19
*[Red Hat Quay](https://docs.redhat.com/en/documentation/red_hat_quay/3) is container registry platform for storing and distributing container images and cloud-native artifacts. We will use it to store the image, signature, and attestations associated with our application. An alternate image registry can be used if desired.
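Review bot: renaming the heading from "### Auxiliary" to "### Supporting Components" changes the generated anchor, so any existing link to `#auxiliary` in this document or elsewhere in the repo will break; please grep for it and update, or keep the old name. In the rewritten sentence, "These components are auxiliary, and help us prepare an environment compatible with Zero Trust (ZT)" reads more smoothly without the comma before "and", and since this is the first expansion of the ZT acronym on the page it is worth confirming that ZTVP is defined earlier as well. Unchanged context in the same hunk has a small slip you could fix while here: "is container registry platform" should read "is a container registry platform".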
@@ -22,7 +22,7 @@ In our demo, we will use a number of additional ZTVP components. These component
22
22
23
23
## Automatic approach
24
24
25
-
To automate the application building and certification process, we will use _Red Hat Openshift Pipelines_.
25
+
To automate the application building and certifying process, we will use _Red Hat OpenShift Pipelines_.
26
26
27
27
ZTVP will create a `Pipeline` in our cluster called **qtodo-supply-chain** that will orchestrate the various tasks necessary to build the application from its source code, generate a container image, and publish the resulting image to the defined OCI registry. Within the pipeline, an SBOM containing the build's contents will be generated, binaries and the build attestation will be signed, and the validity of those signatures will be verified.
28
28
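Review bot: "the application building and certifying process" is less grammatical than the text it replaces; "certification" was the correct noun form, so either keep it ("the application build and certification process") or restructure to a verb phrase ("To automate building and certifying the application, we will use _Red Hat OpenShift Pipelines_"). The capitalization fix from "Openshift" to "OpenShift" is correct and should stay.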
@@ -70,12 +70,20 @@ spec:
70
70
secretName: qtodo-registry-auth
71
71
```
72
72
73
+
As was described previously, verify the values associated with the PVC storage and registry configuration.
74
+
73
75
Using the previously created definition, start a new execution of the pipeline using `oc` CLI:
74
76
75
77
```shell
76
78
oc create -f qtodo-pipeline.yaml
77
79
```
78
80
81
+
You can review the current pipeline logs using the [Tekton CLI](https://tekton.dev/docs/cli/).
82
+
83
+
```shell
84
+
tkn pipeline logs -n layered-zero-trust-hub -L -f
85
+
```
86
+
79
87
### Pipeline tasks
80
88
81
89
The pipeline we have prepared has the following steps:
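Review bot: the new `tkn pipeline logs -n layered-zero-trust-hub -L -f` command does not name the pipeline, so it will either prompt interactively or be ambiguous when the namespace contains more than one pipeline; since the document already names the pipeline, use `tkn pipeline logs qtodo-supply-chain -n layered-zero-trust-hub -L -f`. It also hard-codes the namespace while the `oc create -f qtodo-pipeline.yaml` command just above runs without `-n`, so a reader whose current project differs will start the run in one namespace and look for logs in another; either add `-n layered-zero-trust-hub` to the `oc create` command or state the expected namespace once before both commands. Finally, "As was described previously, verify the values associated with the PVC storage and registry configuration" gives the reader nothing to jump to; a link to the section that describes those values would make the instruction actionable.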