Merge branch 'sebastian/prod-2981-set-up-catalog-pipeline' of github.…

…com:pluralsh/scaffolds into sebastian/prod-2981-set-up-catalog-pipeline
pluralsh · Dec 13, 2024 · e64a8a2 · e64a8a2
2 parents 63f68b8 + 50080f9
commit e64a8a2
Show file tree

Hide file tree

Showing 12 changed files with 92 additions and 150 deletions.
diff --git a/catalogs/security/gatekeeper/README.md b/catalogs/security/gatekeeper/README.md
@@ -0,0 +1,13 @@
+# Gatekeeper
+
+This is a baseline, prod-ready OPA Gatekeeper installation using Plural. Besides Gatekeeper installation, it includes a policy bundle and set of constraints.
+
+You might want to slightly tweak the default setup for a few reasons:
+
+- only want to set up policy enforcement on a subset of your fleet (it's fleet-wide by default)
+- prefer to choose a different policy bundle
+- tweaking namespace names, crd names, etc. for your organization's preferences
+
+## Contributing
+
+If there are any features or documentation you'd like to add to this setup, please feel free to contribute back at https://github.com/pluralsh/scaffolds.
diff --git a/catalogs/security/gatekeeper/gatekeeper-constraints.yaml b/catalogs/security/gatekeeper/gatekeeper-constraints.yaml
@@ -0,0 +1,14 @@
+apiVersion: deployments.plural.sh/v1alpha1
+kind: GlobalService
+metadata:
+  name: gatekeeper-constraints
+spec:
+  template:
+    name: gatekeeper-constraints
+    namespace: policy
+    git:
+      folder: resources/policy/constraints
+      ref: main
+    repositoryRef:
+      kind: GitRepository
+      name: bootstrap
diff --git a/catalogs/security/gatekeeper/gatekeeper-policy-bundle.yaml b/catalogs/security/gatekeeper/gatekeeper-policy-bundle.yaml
@@ -0,0 +1,15 @@
+apiVersion: deployments.plural.sh/v1alpha1
+kind: GlobalService
+metadata:
+  name: gatekeeper-policy-bundle
+  namespace: apps
+spec:
+  template:
+    name: gatekeeper-policy-bundle
+    namespace: policy
+    git:
+      folder: resources/policy/bundles/{{ context.bundle }}
+      ref: main
+    repositoryRef:
+      kind: GitRepository
+      name: bootstrap
diff --git a/catalogs/security/gatekeeper/gatekeeper.yaml b/catalogs/security/gatekeeper/gatekeeper.yaml
@@ -0,0 +1,13 @@
+apiVersion: deployments.plural.sh/v1alpha1
+kind: GlobalService
+metadata:
+  name: gatekeeper
+  namespace: apps
+spec:
+  template:
+    name: gatekeeper
+    namespace: policy
+    helm:
+      url: https://open-policy-agent.github.io/gatekeeper/charts
+      version: 3.15.1
+      chart: gatekeeper
diff --git a/catalogs/security/opa-gatekeeper/README.md b/catalogs/security/opa-gatekeeper/README.md
diff --git a/catalogs/security/opa-gatekeeper/helmrepository.yaml b/catalogs/security/opa-gatekeeper/helmrepository.yaml
diff --git a/catalogs/security/opa-gatekeeper/servicedeployments.yaml.liquid b/catalogs/security/opa-gatekeeper/servicedeployments.yaml.liquid
diff --git a/catalogs/security/trivy-operator/helmrepository.yaml b/catalogs/security/trivy-operator/helmrepository.yaml
diff --git a/catalogs/security/trivy-operator/servicedeployment.yaml.liquid b/catalogs/security/trivy-operator/servicedeployment.yaml.liquid
diff --git a/catalogs/security/trivy-operator/trivy-operator.yaml b/catalogs/security/trivy-operator/trivy-operator.yaml
@@ -0,0 +1,16 @@
+apiVersion: deployments.plural.sh/v1alpha1
+kind: GlobalService
+metadata:
+  name: trivy-operator
+  namespace: apps
+spec:
+  template:
+    name: trivy-operator
+    namespace: trivy-system
+    helm:
+      url: https://aquasecurity.github.io/helm-charts/
+      chart: trivy-operator
+      version: 'x.x.x'
+      values:
+        trivy:
+          additionalVulnerabilityReportFields: Description,Links,CVSS,Target
diff --git a/setup/catalogs/security/opa-gatekeeper.yaml → setup/catalogs/security/gatekeeper.yaml b/setup/catalogs/security/opa-gatekeeper.yaml → setup/catalogs/security/gatekeeper.yaml
@@ -1,43 +1,41 @@
 apiVersion: deployments.plural.sh/v1alpha1
 kind: PrAutomation
 metadata:
-  name: opa-gatekeeper
+  name: gatekeeper
 spec:
-  name: opa-gatekeeper
+  name: gatekeeper
   icon: https://www.openpolicyagent.org/img/logos/opa-no-text-color.png
-  documentation: |
-    Sets up OPA Gatekeeper policy controller
+  documentation: Sets up Gatekeeper policy controller.
   creates:
     git:
       ref: sebastian/prod-2981-set-up-catalog-pipeline # TODO set to main
-      folder: catalogs/security/opa-gatekeeper
+      folder: catalogs/security/gatekeeper
     templates:
       - source: README.md
-        destination: documentation/opa-gatekeeper/README.md
+        destination: documentation/gatekeeper/README.md
         external: true
-      - source: helmrepository.yaml
-        destination: "bootstrap/apps/opa-gatekeeper/{{ context.cluster }}/helmrepository.yaml"
+      - source: gatekeeper.yaml
+        destination: bootstrap/apps/gatekeeper/gatekeeper.yaml
         external: true
-      - source: servicedeployments.yaml.liquid
-        destination: "bootstrap/apps/opa-gatekeeper/{{ context.cluster }}/servicedeployments.yaml"
+      - source: gatekeeper-constraints.yaml
+        destination: bootstrap/apps/gatekeeper/gatekeeper-constraints.yaml
+        external: true
+      - source: gatekeeper-policy-bundle.yaml
+        destination: bootstrap/apps/gatekeeper/gatekeeper-policy-bundle.yaml
         external: true
   repositoryRef:
     name: scaffolds
   catalogRef:
     name: security
   scmConnectionRef:
     name: plural  # you'll need to add this ScmConnection manually before this is functional
-  title: "OPA Gatekeeper setup ({{ context.cluster }})"
-  message: |
-    Sets up OPA Gatekeeper on {{ context.cluster }} cluster.
+  title: Gatekeeper setup
+  message: Sets up Gatekeeper, policy bundle and a set of constraints.
   identifier: pluralsh/plrl-dev-aws # FIXME
   configuration:
-  - name: cluster
-    type: STRING
-    documentation: the cluster you want to deploy to
   - name: bundle
     type: ENUM
-    documentation: the policy bundle you want to install
+    documentation: The policy bundle you want to install.
     values:
       - asm-policy-v0.0.1
       - cis-k8s-v1.5.1

diff --git a/setup/catalogs/security/trivy-operator.yaml b/setup/catalogs/security/trivy-operator.yaml
@@ -4,9 +4,8 @@ metadata:
   name: trivy-operator
 spec:
   name: trivy-operator
-  icon: https://aquasecurity.github.io/trivy-operator/latest/images/trivy-operator-logo.png
-  documentation: |
-    Sets up Trivy Operator security toolkit
+  icon: https://raw.githubusercontent.com/aquasecurity/trivy-vscode-extension/refs/tags/0.7.1/media/trivy.svg
+  documentation: Sets up Trivy Operator security toolkit.
   creates:
     git:
       ref: sebastian/prod-2981-set-up-catalog-pipeline # TODO set to main
@@ -15,23 +14,15 @@ spec:
       - source: README.md
         destination: documentation/trivy-operator/README.md
         external: true
-      - source: helmrepository.yaml
-        destination: "bootstrap/apps/trivy-operator/{{ context.cluster }}/helmrepository.yaml"
-        external: true
-      - source: servicedeployment.yaml.liquid
-        destination: "bootstrap/apps/trivy-operator/{{ context.cluster }}/servicedeployment.yaml"
+      - source: trivy-operator.yaml
+        destination: bootstrap/apps/trivy-operator/trivy-operator.yaml
         external: true
   repositoryRef:
     name: scaffolds
   catalogRef:
     name: security
   scmConnectionRef:
     name: plural  # you'll need to add this ScmConnection manually before this is functional
-  title: "Trivy Operator setup ({{ context.cluster }})"
-  message: |
-    Sets up Trivy Operator on {{ context.cluster }} cluster. Includes set of constraints and policy bundle.
+  title: Trivy Operator setup
+  message: Sets up Trivy Operator.
   identifier: pluralsh/plrl-dev-aws # FIXME
-  configuration:
-  - name: cluster
-    type: STRING
-    documentation: the cluster you want to deploy to