Update docs (#20)

Co-authored-by: Marko Paulic <[email protected]>

README.md

@@ -137,4 +137,32 @@ The [`reusable-workflow-packer-image.yml`](./.github/workflows/reusable-workflow
 
 ### Example User Repository
 
-An example user repository that demonstrates how to call these reusable workflows can be found [here](https://github.com/comsysto/wp10-image-factory-user).
+An example user repository that demonstrates how to call these reusable workflows can be found [here](https://github.com/comsysto/wp10-image-factory-user-1).
+
+## GitHub Action Runners
+
+### Multi-target architecture
+
+Our infrastructure now supports the production of both arm64 and amd64 container images. This enhancement has been achieved by enabling multi-architecture support on our Image Factory GitHub Actions runners.
+
+The following commands were executed to facilitate this capability:
+
+```bash
+sudo update-binfmts --enable qemu-aarch64
+sudo update-binfmts --enable qemu-arm
+```
+
+By enabling these QEMU interpreters, our CI/CD pipeline can seamlessly handle and build container images for multiple architectures, empowering customers with greater flexibility and compatibility for their deployment needs.
+
+### Quality gate and SBOM generation
+
+Quality Gate Checking with Trivy helps us enforce quality gates automatically. This integration reduces the risk of deploying insecure or non-compliant images to production, maintaining high security.
+
+SBOM Generation with Trivy provides detailed visibility into the components, libraries, and dependencies within our Docker images. This transparency allows us to manage software components effectively, quickly identify and mitigate vulnerabilities, and ensure compliance with licensing and regulatory requirements.
+
+SBOM is generated in following formats:
+
+- CycloneDX
+- SPDX
+
+Each invocation of our reusable workflow generates and uploads the results to the GitHub Actions run. The output is consolidated into a file named image-scan-results.zip.

ansible/README.md

@@ -10,6 +10,8 @@ The main Ansible playbook [`configure-image-factory-vm.yml`](./configure-image-f
 
 The [`podman`](./roles/podman) role configures Podman on the runner host VM. It sets up necessary directories, templates configuration files and GitHub PAT, logs into the Azure Container Registry, pulls the runner image, and creates the runner container. It also generates a systemd unit file for the runner container, ensuring it is managed by systemd, which enables automatic restarts and ensures that the container starts on system boot.
 
+**Important Note:** Podman runner containers are currently rootless, but are still running with "--priviledged" flag. Further setup is needed in Ansible podman role to remove this flag.
+
 ## GitHub Workflow
 
 The Ansible playbook is executed through the GitHub Actions workflow [`ansible-configure-if-vm.yml`](../.github/workflows/ansible-configure-if-vm.yml). This workflow handles both development and air-gapped environments, and templates the necessary SSH keys and inventory files accordingly.
@@ -20,4 +22,4 @@ The Ansible playbook is executed through the GitHub Actions workflow [`ansible-c
 2. Template SSH Key and Inventory (based on the environment)
 3. Template Ansible Variables
 4. Install and Configure Ansible
-5. Run Ansible Playbook
+5. Run Ansible Playbook

images/docker/image-factory-runner/Dockerfile

@@ -33,16 +33,6 @@ RUN apt-get update -y && \
     wget && \
     apt-get clean && rm -rf /var/lib/apt/lists/*
 
-# # Create runner user
-# RUN mkdir -p ${USER_HOME} && \
-#     useradd -r -d ${USER_HOME} -s /sbin/nologin -c "GitHub Actions User" ${USER_NAME}
-
-# # Add podman configuration file(s) and permissions
-# ADD files/containers.conf ${USER_HOME}/.config/containers/containers.conf
-# ADD files/registries.conf ${USER_HOME}/.config/containers/registries.conf
-# RUN mkdir -p ${USER_HOME}/.local/share/containers && \
-#     chown -R ${USER_GROUP}:${USER_NAME} ${USER_HOME}
-
 # Create runner user and necessary directories
 RUN groupadd -r ${USER_GROUP} && \
     useradd -r -d ${USER_HOME} -s /sbin/nologin -g ${USER_GROUP} -c "GitHub Actions User" ${USER_NAME} && \

images/packer/Readme.md

@@ -0,0 +1,25 @@
+# packer
+
+This directory contains 2 repositories:
+
+- image-factory-vm
+- user-packer
+
+Both directories are used to build VM images with Packer and store them in Azure Shared Image Gallery however there is difference in when one is used:
+
+## image-factory-vm
+
+This directory contains Packer scripts to build Image Factory VM which will host GitHub Actions runner.
+
+Produced VM image version is then used by Terraform module during deployment:
+
+- runner
+
+To trigger image rebuild following GitHub Actions Workflow needs to be executed:
+
+- Build Image Factory VM
+
+## user-packer
+
+This directory contains Packer scripts to build user VM images produced by Image Factory.
+These scripts are used whenever user calls reusable workflow: "Reusable workflow - build packer VM"

images/packer/image-factory-vm/scripts/setup-vm.sh

@@ -34,10 +34,4 @@ apt-get install --no-install-recommends -y \
 rm -rf /var/lib/apt/lists/*
 
 # Install Azure CLI
-curl -sL https://aka.ms/InstallAzureCLIDeb | bash
-
-# Set up Trivy repository and install Trivy
-wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add -
-echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | tee -a /etc/apt/sources.list.d/trivy.list
-apt-get update
-apt-get install -y trivy
+curl -sL https://aka.ms/InstallAzureCLIDeb | bash