This is a generic implementation of a GitOps workflow for secure, revision and audit-proof application delivery on Red Hat OpenShift.
It uses several technologies such as:
- Red Hat OpenShift GitOps (a.k.a Argo CD)
- Red Hat OpenShift Pipelines (a.k.a. Tekton)
- Red Hat Quay and the Red Hat Quay Bridge Operator
- Red Hat Quay Container Security Operator
To support hybrid-cloud and multi-cluster deployments, additional tools can be added:
- Red Hat OpenShift Advanced Cluster Manager for Kubernetes
- Red Hat OpenShift Advanced Cluster Security for Kubernetes
The implementation assumes a Gitflow workflow to develop and release software. A Config Git Repository allows for a declarative approach to application delivery. Using Git to control the rollout of container images via pull requests makes the software delivery workflow revision-proof and audit-proof.
The following sections explain how to install and configure the operators and how to deploy the build and rollout pipelines.
See operator/README.md for a step-by-step guide on how to install and configure the operators used in the setup.
There are two generic Tekton pipelines to support secure builds and auditable rollouts of container images:
- `build-pipeline`, defined in `pipelines/build`
- `rollout-pipeline`, defined in `pipelines/rollout`
The pipelines use custom ClusterTasks and a custom container image.
Create the namespace first:
```shell
make namespace
```
To deploy the pipelines and all resources:
```shell
make install
```
Note: you can verify that everything is deployed correctly by checking the sync status of all resources in the Red Hat OpenShift GitOps UI.
Before you can start any pipeline runs, make sure that all configs and secrets are deployed.
Make a copy of the `secrets/*.example.yaml` files and edit their contents to match your environment.
Deploy the pipeline configs and secrets:
```shell
oc apply -f secrets/pipeline_secrets.yaml -n devsecops-config
oc apply -f secrets/pipeline_configmap.yaml -n devsecops-config
```
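A preflight check for the copy-and-edit step above, added here as an example and not part of the repository: it walks a directory of `*.example.yaml` files and fails before any `oc apply` if a copy is missing, was never edited, or still carries a placeholder value. The directory argument, the naming rule (the real file is the example name without `.example`) and the placeholder token `REPLACE_ME` are assumptions about how the example files are written; the demo files are constructed.

```shell
#!/bin/sh
# Preflight check for pipeline configs and secrets (added example; assumptions:
# real file = example name without ".example", placeholders spelled REPLACE_ME).

# check_secrets_prepared DIR
#   Returns 0 when every DIR/*.example.yaml has a filled-in counterpart,
#   1 otherwise, printing one line per problem so the user knows what to fix.
check_secrets_prepared() {
  dir=$1
  problems=0
  for example in "$dir"/*.example.yaml; do
    # With no matches the glob stays literal; treat that as a failure too.
    [ -e "$example" ] || { echo "no *.example.yaml files in $dir"; return 1; }
    real=$(printf '%s\n' "$example" | sed 's/\.example\.yaml$/.yaml/')
    if [ ! -f "$real" ]; then
      echo "missing: $real (copy $example and edit it)"
      problems=$((problems + 1))
    elif cmp -s "$example" "$real"; then
      echo "unedited: $real is identical to $example"
      problems=$((problems + 1))
    elif grep -q 'REPLACE_ME' "$real"; then
      echo "placeholder left in: $real"
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

# Demo on constructed files in a temporary directory (not the repository's files).
demo_dir=$(mktemp -d)
printf 'apiVersion: v1\nkind: Secret\nstringData:\n  git-token: REPLACE_ME\n' \
  > "$demo_dir/demo_secret.example.yaml"
printf 'apiVersion: v1\nkind: ConfigMap\ndata:\n  registry: REPLACE_ME\n' \
  > "$demo_dir/demo_configmap.example.yaml"
# Only one of the two copies has been made and filled in, so the check fails.
printf 'apiVersion: v1\nkind: Secret\nstringData:\n  git-token: constructed-token\n' \
  > "$demo_dir/demo_secret.yaml"
if check_secrets_prepared "$demo_dir"; then
  echo "all configs and secrets prepared; safe to oc apply"
else
  echo "fix the problems above before running oc apply"
fi
rm -rf "$demo_dir"
```

Run it as `check_secrets_prepared secrets` from the repository root before the `oc apply` commands; because it compares against the example file and greps for the placeholder token, it catches the common mistake of applying an unedited copy, which would put placeholder credentials into the `devsecops-config` namespace.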
A default Red Hat OpenShift GitOps (Argo CD) instance is installed in the `openshift-gitops` namespace.
Verify that the default GitOps instance is up and running:
```shell
oc get pods -n openshift-gitops
```
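The verification step above leaves it to the reader to scan the pod list by eye. The following script, added here as an example and not part of the repository, turns that into a pass/fail check: it reads `oc get pods` output on stdin and fails unless every pod is Running with all containers ready (or Completed). The two sample outputs are constructed, not captured from a real cluster, and the pod names in them are made up.

```shell
#!/bin/sh
# Readiness check for the Red Hat OpenShift GitOps instance (added example).
# Reads `oc get pods` output on stdin; the demo below needs no cluster access.

# all_pods_ready
#   Returns 0 if every listed pod is Running with all containers ready, or
#   Completed; returns 1 otherwise (or if no pods are listed at all) and names
#   the offending pods on stderr.
all_pods_ready() {
  awk 'NR > 1 {
         split($2, ready, "/")             # READY column, e.g. 1/1
         if ($3 == "Completed") next
         if ($3 != "Running" || ready[1] != ready[2]) {
           print "not ready: " $1 " (" $2 " " $3 ")" > "/dev/stderr"
           bad++
         }
       }
       END {
         if (NR < 2) { print "no pods listed" > "/dev/stderr"; exit 1 }
         exit (bad > 0)
       }'
}

# Constructed sample outputs (not captured from a real cluster).
HEALTHY='NAME                                          READY   STATUS      RESTARTS   AGE
openshift-gitops-application-controller-0     1/1     Running     0          12m
openshift-gitops-repo-server-7c4d6f9b6c-q2x   1/1     Running     0          12m
openshift-gitops-server-5f8b9d7c5d-k9m2p      1/1     Running     0          12m'

DEGRADED='NAME                                          READY   STATUS             RESTARTS   AGE
openshift-gitops-application-controller-0     1/1     Running            0          12m
openshift-gitops-repo-server-7c4d6f9b6c-q2x   0/1     CrashLoopBackOff   4          12m
openshift-gitops-server-5f8b9d7c5d-k9m2p      1/1     Running            0          12m'

if printf '%s\n' "$HEALTHY" | all_pods_ready; then
  echo "healthy sample: all pods ready"
fi
if ! printf '%s\n' "$DEGRADED" | all_pods_ready; then
  echo "degraded sample: not ready, as expected"
fi

# Against a real cluster, when oc is installed and logged in. The output is
# captured first so a failed oc call is not mistaken for an empty, healthy list.
if command -v oc >/dev/null 2>&1; then
  if pods=$(oc get pods -n openshift-gitops 2>/dev/null); then
    printf '%s\n' "$pods" | all_pods_ready && echo "openshift-gitops: all pods ready"
  fi
fi
```

The check deliberately treats an empty list as a failure: a wrong namespace, an expired login or a missing operator all produce no pod lines, and none of those should read as "instance up".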
The instance has a default user `admin`. A password is created during the initial deployment. To retrieve the password, run:
```shell
oc extract secret/openshift-gitops-cluster -n openshift-gitops --to=-
```
Note: this password is also used to access the Argo CD web UI.
Get the Argo CD route:
```shell
oc get route openshift-gitops-server -n openshift-gitops
```
Updating repository files and creating pull requests requires a personal access token for your GitHub account.
Note: currently only GitHub is supported. Using a different flavour of git (e.g. GitLab, Gitea etc.) would require modification of some of the pipeline steps.
TBD