Redesign of C2P for pipeline use case (#3)

* update k8s library version Signed-off-by: Takumi Yanagawa <[email protected]> * decomposer outputs should contain only successfully decomposed policies Signed-off-by: Takumi Yanagawa <[email protected]> * refactor Signed-off-by: Takumi Yanagawa <[email protected]> * decomposed resources include policy-generator manifest Signed-off-by: Takumi Yanagawa <[email protected]> * reuse policy-generator manifest generated at decomposition Signed-off-by: Takumi Yanagawa <[email protected]> * composer takes OSCAL Signed-off-by: Takumi Yanagawa <[email protected]> * composer generates policySet Signed-off-by: Takumi Yanagawa <[email protected]> * composer takes c2pcr Signed-off-by: Takumi Yanagawa <[email protected]> * refactor Signed-off-by: Takumi Yanagawa <[email protected]> * add templatized parameter filling Signed-off-by: Takumi Yanagawa <[email protected]> * add default namespace selector Signed-off-by: Takumi Yanagawa <[email protected]> * refactor Signed-off-by: Takumi Yanagawa <[email protected]> * use kustomize type provided by sigs.k8s.io Signed-off-by: Takumi Yanagawa <[email protected]> * add component-title annotation Signed-off-by: Takumi Yanagawa <[email protected]> * add reporter Signed-off-by: Takumi Yanagawa <[email protected]> * add placement_type and helpers Signed-off-by: Takumi Yanagawa <[email protected]> * convert policy to policy report Signed-off-by: Takumi Yanagawa <[email protected]> * compliance-report from policy reports Signed-off-by: Takumi Yanagawa <[email protected]> * do not ommit the InformGatekeeper/KyvernoPolicies field Signed-off-by: Takumi Yanagawa <[email protected]> * refactor Signed-off-by: Takumi Yanagawa <[email protected]> * create c2pcli Signed-off-by: Takumi Yanagawa <[email protected]> * enable gorelease Signed-off-by: Takumi Yanagawa <[email protected]> * move policyResultDir parameter to c2pcr Signed-off-by: Takumi Yanagawa <[email protected]> * generate reports as default Signed-off-by: Takumi Yanagawa <[email protected]> * add metadata to compliance report Signed-off-by: Takumi Yanagawa <[email protected]> * add scripts Signed-off-by: Takumi Yanagawa <[email protected]> * fix Signed-off-by: Takumi Yanagawa <[email protected]> * separate generated OCM manifests and policy generator sources Signed-off-by: Takumi Yanagawa <[email protected]> * fix NPE when unable to get statuses Signed-off-by: Takumi Yanagawa <[email protected]> * add scripts for setting up argocd Signed-off-by: Takumi Yanagawa <[email protected]> * ocm status collector Signed-off-by: Takumi Yanagawa <[email protected]> * fix Signed-off-by: Takumi Yanagawa <[email protected]> * generate md file Signed-off-by: Takumi Yanagawa <[email protected]> * fix Signed-off-by: Takumi Yanagawa <[email protected]> * add report-utils Signed-off-by: Takumi Yanagawa <[email protected]> * use OCM gitops Signed-off-by: Takumi Yanagawa <[email protected]> * remove the dependency on hub namepsace from Reporter Signed-off-by: Takumi Yanagawa <[email protected]> * allow to use PolicyGenerator with empty namespace in PolicyDefaults Signed-off-by: Takumi Yanagawa <[email protected]> * upsate collector script Signed-off-by: Takumi Yanagawa <[email protected]> --------- Signed-off-by: Takumi Yanagawa <[email protected]>
oscal-compass · Jul 25, 2023 · fba0dd8 · fba0dd8
1 parent e9d9f53
commit fba0dd8
Show file tree

Hide file tree

Showing 159 changed files with 225,152 additions and 865 deletions.
diff --git a/.github/workflows/create-and-publish-image.yml b/.github/workflows/create-and-publish-image.yml
@@ -0,0 +1,59 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# GitHub recommends pinning actions to a commit SHA.
+# To get a newer version, you will need to update the SHA.
+# You can also reference a tag or branch, but the action may change without warning.
+
+name: Create and publish a Docker image
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}-ocm-status-collector
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: ./scripts/docker
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/goreleaser-workflow.yml b/.github/workflows/goreleaser-workflow.yml
@@ -0,0 +1,53 @@
+name: goreleaser
+
+on:
+  push:
+    tags:
+    - 'v*'
+    paths:
+    - .github/workflows/goreleaser.yml
+    - .goreleaser.yaml
+
+permissions:
+  contents: write
+  packages: write
+
+env:
+  REGISTRY: ghcr.io
+  ARCHS: linux/amd64,linux/arm64
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+    - uses: actions/setup-go@v4
+      with:
+        go-version: v1.19
+    - name: Set env
+      run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+    - name: Delete non-semver tags
+      run: 'git tag -d $(git tag -l | grep -v "^v")'
+    - name: Set LDFLAGS
+      run: echo LDFLAGS="$(make ldflags)" >> $GITHUB_ENV
+    - name: Run GoReleaser on tag
+      if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+      uses: goreleaser/goreleaser-action@v4
+      with:
+        distribution: goreleaser
+        version: latest
+        args: release --timeout 60m
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Run GoReleaser on push without tag
+      if: github.event_name == 'push' && !contains(github.ref, 'refs/tags/')
+      uses: goreleaser/goreleaser-action@v4
+      with:
+        distribution: goreleaser
+        version: latest
+        args: release --timeout 60m --snapshot --clean
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -30,6 +30,9 @@ Dockerfile.cross
 .vscode
 .idea
 
+# Output of gorelease
+dist
+
 # ignore output by test
 /**/_test
 

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -0,0 +1,21 @@
+# .goreleaser.yaml
+builds:
+- id: c2pcli
+  main: ./cmd/c2pcli
+  binary: c2pcli
+  goos:
+  - linux
+  - darwin
+  goarch:
+  - amd64
+  - arm64
+  ignore:
+  - goos: linux
+    goarch: arm64
+
+release:
+  disable: false
+  skip_upload: false
+  github:
+    owner: yana1205
+    name: compliance-to-policy
diff --git a/Makefile b/Makefile
@@ -277,3 +277,19 @@ catalog-build: opm ## Build a catalog image.
 .PHONY: catalog-push
 catalog-push: ## Push a catalog image.
 	$(MAKE) docker-push IMG=$(CATALOG_IMG)
+
+###
+.PHONY: compose-v2
+compose-v2: bin/compose-v2.linux_amd64 bin/compose-v2.darwin_amd64 bin/compose-v2.darwin_arm64
+
+bin/compose-v2.linux_amd64:
+	GOOS=linux GOARCH=amd64 go build -o bin/compose-v2.linux_amd64 ./cmd/compose-v2
+
+bin/compose-v2.darwin_amd64:
+	GOOS=darwin GOARCH=amd64 go build -o bin/compose-v2.darwin_amd64 ./cmd/compose-v2
+
+bin/compose-v2.darwin_arm64:
+	GOOS=darwin GOARCH=arm64 go build -o bin/compose-v2.darwin_arm64 ./cmd/compose-v2
+
+bin/compose-v2.%.gz: bin/compose-v2.%
+	gzip ./bin/compose-v2.$*	
diff --git a/README.md b/README.md
@@ -1,6 +1,70 @@
 # compliance-to-policy
 Compliance-to-Policy (C2P) provides the framework to bridge the gap between compliance and policy administration.
 
+## setup pipeline
+1. Create two repositories (one is configuration repository that's used for pipeline from OSCAL to Policy and another is evidence repository that's used for pipeline from OCM statuses to Compliance result)
+  - For example, c2p-for-ocm-pipeline01-config and c2p-for-ocm-pipeline01-evidence
+1. Create Github Personal Access Token having following permissions
+  - Repository permission of `Contents`, `Pull Requests`, and `Workflows` with read-and-write against both the configuration repository and the evidence repository.
+1. Fork C2P repository (yana1205/compliance-to-policy.git) and checkout `template`
+1. Set required parameters for github action to initialize your configuration and evidence repo
+  1. Go to Settings tab
+  1. Go to `Actions` under `Secrets and variables`
+  1. Create `New repository secret`
+    - Name: PAT
+    - Secret: Created Github Personal Access Token  
+  1. Go to `Variables` tab to create `New repository variable`
+  1. Create `CONFIGURATION_REPOSITORY` variable
+    - Name: CONFIGURATION_REPOSITORY
+    - Value: `<configuration repository org>/<configuration repository name> (e.g. yana1205/c2p-for-ocm-pipeline01-config)`
+  1. Create `EVIDENCE_REPOSITORY` variable
+    - Name: EVIDENCE_REPOSITORY
+    - Value: `<evidence repository org>/<evidence repository name> (e.g. yana1205/c2p-for-ocm-pipeline01-evidence)`
+1. Run Action `Initialize repositories` with branch `template`
+1. Go to the configuration repository and create `New repository secret`
+  - Name: PAT
+  - Secret: Created Github Personal Access Token
+1. Go to the evidence repository and create `New repository secret`
+  - Name: PAT
+  - Secret: Created Github Personal Access Token
+
+## run oscal-to-pocliy
+1. Go to the configuration repository
+1. Go to `Actions` tab
+1. Run `OSCAL to Policy`
+  1. This action generates manifests from OSCAL and then generate a PR of changes for a directory `ocm-policy-manifests` containing the generated manifests.
+1. Merge the PR
+
+## integrate with GitOps
+1. Sync `ocm-policy-manifests` directory with your OCM Hub by OCM GitOps (OCM Channel and Subscription addon)
+
+## deploy collector to your OCM Hub
+1. Apply RBAC for collector
+  ```
+  kubectl apply -f https://raw.githubusercontent.com/yana1205/compliance-to-policy/redesign.0622/scripts/collect/rbac.yaml
+  ```
+1. Create Secret for Github access
+  ```
+  kubectl -n c2p create secret generic --save-config collect-ocm-status-secret --from-literal=user=<github user> --from-literal=token=<github PAT> --from-literal=org=<evidence org name> --from-literal=repo=<evidence repo name>
+  ```
+  e.g.
+  ```
+  kubectl -n c2p create secret generic --save-config collect-ocm-status-secret --from-literal=user=yana1205 --from-literal=token=github_pat_xxx --from-literal=org=yana1205 --from-literal=repo=c2p-for-ocm-pipeline01-evidence
+  ```
+1. Deploy collector cronjob
+  ```
+  kubectl apply -f https://raw.githubusercontent.com/yana1205/compliance-to-policy/redesign.0622/scripts/collect/cronjob.yaml
+  ```
+
+## cleanup
+```
+kubectl delete -f https://raw.githubusercontent.com/yana1205/compliance-to-policy/redesign.0622/scripts/collect/cronjob.yaml
+kubectl -n c2p delete secret collect-ocm-status-secret 
+kubectl delete -f https://raw.githubusercontent.com/yana1205/compliance-to-policy/redesign.0622/scripts/collect/rbac.yaml
+```
+
+---
+# Controller pattern
 ## Prerequisites
 1. Install [Policy Generator Plugin](https://github.com/open-cluster-management-io/policy-generator-plugin#as-a-kustomize-plugin)
 
@@ -22,37 +86,48 @@ Decompose OCM poicy collection to kubernetes resources composing each OCM policy
     ├── _sources
     └── resources
     ```
-
+    Individual decomposed resource contains k8s manifests and configuration files (policy-generator.yaml and kustomization.yaml) for PolicyGenerator. 
+    ```
+    $ tree -L 3 /tmp/c2p-output/decomposed/resources
+    /tmp/c2p-output/decomposed/resources
+    ├── add-chrony
+    │   ├── add-chrony-worker
+    │   │   └── MachineConfig.50-worker-chrony.0.yaml
+    │   ├── kustomization.yaml
+    │   └── policy-generator.yaml
+    ├── add-tvk-license
+    │   ├── add-tvk-license
+    │   │   └── License.triliovault-license.0.yaml
+    │   ├── kustomization.yaml
+    ```
 ## C2P Composer
 Compose OCM Policy from policy resources from compliance information (for example, [compliance.yaml](cmd/compose/compliance.yaml))
 
 1. Run C2P Composer
     ```
-    go run ./cmd/compose/compose.go --policy-resources-dir=/tmp/c2p-output/decomposed/resources --compliance-yaml=./cmd/compose/compliance.yaml --out=/tmp/c2p-output
-    ```
-1. Composed OCM policies are output in `/tmp/c2p-output/composed`
-    ```
-    $ tree -L 1 /tmp/c2p-output/composed  
-    /tmp/c2p-output/composed
-    ├── add-chrony.yaml
-    └── install-odf-lvm-operator.yaml
-    ```
-1. If you want to see the intermidiate files to generate OCM Policy, please set `--temp-dir=<something to directory>` in the previous C2P Composer command.
-    ```
-    $ mkdir -p /tmp/c2p-temp
-    $ go run ./cmd/compose/compose.go --policy-resources-dir=/tmp/c2p-output/decomposed/resources --compliance-yaml=./cmd/compose/compliance.yaml --out=/tmp/c2p-output --temp-dir=/tmp/c2p-temp
-    $ tree -L 4 /tmp/c2p-temp
-    /tmp/c2p-temp
-    └── tmp-747478669
-        └── CM-2 Baseline Configuration
-            ├── add-chrony
-            │   ├── kustomization.yaml
-            │   ├── policy-generator.yaml
-            │   └── resources
-            └── install-odf-lvm-operator
-                ├── kustomization.yaml
-                ├── policy-generator.yaml
-                └── resources
+    go run cmd/compose-by-c2pcr/main.go --c2pcr ./cmd/compose-by-c2pcr/c2pcr.yaml --out /tmp/c2p-output
+    ```
+1. Composed OCM policies are output in `/tmp/c2p-output`
+    ```
+    $ tree /tmp/c2p-output                                                                             
+    /tmp/c2p-output
+    ├── add-chrony
+    │   ├── add-chrony-worker
+    │   │   └── MachineConfig.50-worker-chrony.0.yaml
+    │   ├── kustomization.yaml
+    │   └── policy-generator.yaml
+    ├── install-odf-lvm-operator
+    │   ├── kustomization.yaml
+    │   ├── odf-lvmcluster
+    │   │   └── LVMCluster.odf-lvmcluster.0.yaml
+    │   ├── policy-generator.yaml
+    │   └── policy-odf-lvm-operator
+    │       ├── Namespace.openshift-storage.0.yaml
+    │       ├── OperatorGroup.openshift-storage-operatorgroup.0.yaml
+    │       └── Subscription.lvm-operator.0.yaml
+    ├── kustomization.yaml
+    ├── policy-generator.yaml
+    └── policy-sets.yaml
     ```
 
 ## C2P Controller

diff --git a/cmd/c2pcli/cmd/cmd.go b/cmd/c2pcli/cmd/cmd.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2023 IBM Corporation
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/IBM/compliance-to-policy/cmd/c2pcli/options"
+	composecmd "github.com/IBM/compliance-to-policy/cmd/compose/cmd"
+	reportutilscmd "github.com/IBM/compliance-to-policy/cmd/report-utils/cmd"
+	reportcmd "github.com/IBM/compliance-to-policy/cmd/report/cmd"
+)
+
+func New() *cobra.Command {
+	opts := options.NewOptions()
+
+	command := &cobra.Command{
+		Use:   "c2pcli",
+		Short: "C2P CLI",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := opts.Complete(); err != nil {
+				return err
+			}
+
+			if err := opts.Validate(); err != nil {
+				return err
+			}
+			return nil
+		},
+	}
+
+	opts.AddFlags(command.Flags())
+
+	command.AddCommand(composecmd.New())
+	command.AddCommand(reportcmd.New())
+	command.AddCommand(reportutilscmd.New())
+
+	return command
+}
diff --git a/cmd/c2pcli/main.go b/cmd/c2pcli/main.go
@@ -0,0 +1,30 @@
+/*
+Copyright 2023 IBM Corporation
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"os"
+
+	"github.com/IBM/compliance-to-policy/cmd/c2pcli/cmd"
+)
+
+func main() {
+	err := cmd.New().Execute()
+	if err != nil {
+		os.Exit(1)
+	}
+}