-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
patch: reworked code to remove direct calls to viper.GetXXXX
Previously there were calls to viper.GetSomething all over the code. This was prone to error if a value changed so now the code has been refactored to process any viper inputs. Flags will always override the viper config file and any fields not supplied will use the defaults where applicable. Added checksum validation for the Trivy cli download Removed duplicate Trivy report structs and generally moved some bits around to begin work for allowing other clouds to be used. There is still work to be done to allow other clouds though as it's still generally OpenStack focussed. Added new docs/readme & changelog Fixes #32 & Fixes #34 updated README
- Loading branch information
1 parent
85821e0
commit dbe9815
Showing
25 changed files
with
712 additions
and
572 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| # Changelog | ||
|
|
||
| ## [ 12/04/2023 - v0.1.0-beta.1 ] | ||
|
|
||
| ### ADDED | ||
| * Added changelog | ||
| * Refactored code to: | ||
| * Prevent using `viper.GetXXXX` across the codebase - now gets put into struct to allow one location to be updated rather than multiples. | ||
| * Begin work to allow more clouds to be added - still work to be done #36. | ||
| * Begin work to improve flags - still work to be done #33. | ||
| * Updated the config file requirements. *This is a breaking change and old configs will no longer work.*. | ||
|
|
||
| ### Fixed | ||
| * Trivy checksum now used to validate trivy download if required #32. | ||
| * Added flags, which were previously missing, to support adding Trivy and Falco to the image #34. | ||
|
|
||
| ### Deprecated | ||
| * The publish command will be reworked in an upcoming release to prevent the GitHub requirement. Instead, it will generate the files require to publish a single images scan results as an artifact with which the user can then decide what to do. | ||
|
|
||
| ## [ Previous versions ] | ||
|
|
||
| * Up to this point, there has been no changelog supplied for previous versions as it was a rapid iterative process. | ||
| * With the release of v0.1.0-beta.1, any changes will be logged and should one be a breaking change, it will incur a version bump. | ||
| * Minor version bumps will be reserved for general changes | ||
| * Patch version bumps will be for fixes and patches | ||
| * The beta tags will be for superficial changes within a patch that require testing before a final release is created. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| cloud: | ||
| openstack: | ||
| clouds-file: "~/.config/openstack/clouds.yaml" | ||
| cloud-name: "image-builder" | ||
| network-id: "network-id" | ||
| source-image-id: "source-image" | ||
| flavor-name: "spicy-meatball" | ||
| attach-config-drive: false | ||
| use-floating-ip: true | ||
| floating-ip-network-name: "Internet" | ||
| image-visibility: "public" | ||
| image-disk-format: "raw" | ||
| volume-type: "" | ||
| rootfs-uuid: "ROOT_FS_UUID" # The image in Openstack will be tagged with this. Useful for bare-metal in some use cases. | ||
| build: | ||
| verbose: true | ||
| build-os: "ubuntu-2204" | ||
| image-prefix: "kube" | ||
| image-repo: "https://github.com/kubernetes-sigs/image-builder.git" | ||
| crictl-version: "1.26.0" | ||
| cni-version: "1.2.0" | ||
| kubernetes-version: "1.26.3" | ||
| extra-debs: "nfs-common" | ||
| add-trivy: true | ||
| add-falco: true | ||
| nvidia: | ||
| enable-nvidia-support: true | ||
| nvidia-driver-version: "525.85.05" # Currently used for tagging metadata - may be removed in future in favor of parsing the filename. | ||
| nvidia-bucket-endpoint: "S3_ENDPOINT_URL" | ||
| nvidia-bucket-name: "nvidia" | ||
| nvidia-bucket-access: "ACCESS_KEY" | ||
| nvidia-bucket-secret: "SECRET_KEY" | ||
| nvidia-installer-location: "NVIDIA-Linux-x86_64-525.85.05-grid.run" | ||
| nvidia-tok-location: "client_configuration_token.tok" | ||
| nvidia-gridd-feature-type: "4" | ||
| scan: | ||
| image-id: "" # Used for existing images | ||
| auto-delete-image: false | ||
| skip-cve-check: false | ||
| max-severity-score: 7.0 # Minimum severity score to check for | ||
| max-severity-type: MEDIUM # Minimum severity to check for | ||
| sign: | ||
| generate: | ||
| path: "." # Output path of any generated keys | ||
| vault: | ||
| url: "https://vault.ENDPOINT/" | ||
| token: "VAULT_TOKEN" | ||
| image-id: "" # Used for existing images | ||
| private-key: "" # Takes precedence over vault. | ||
| public-key: "" # Takes precedence over vault. | ||
| digest: "" # Used to verify a digest. Not required for image signing. | ||
| publish: | ||
| image-id: "" # Used for existing images | ||
| github: | ||
| user: "some-user" | ||
| account: "some-account" # Used for none personal accounts - leave blank if personal-account/project | ||
| project: "some-project" | ||
| token: "123456789" | ||
| pages-branch: "" | ||
| #results-file: "/tmp/results.json" # Not currently used |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| ### Openstack guidelines | ||
|
|
||
| It is expected that you have a network and sufficient security groups in place to run this.<br> | ||
| It will not create the network or security groups for you. | ||
|
|
||
| For example: | ||
|
|
||
| ``` | ||
| openstack network create image-builder | ||
| openstack subnet create image-builder --network image-builder --dhcp --dns-nameserver 1.1.1.1 --subnet-range 10.10.10.0/24 --allocation-pool start=10.10.10.10,end=10.10.10.200 | ||
| openstack router create image-builder --external-gateway public1 | ||
| openstack router add subnet image-builder image-builder | ||
| OS_SG=$(openstack security group list -c ID -c Name -f json | jq '.[]|select(.Name == "default") | .ID') | ||
| openstack security group rule create "${OS_SG}" --ingress --ethertype IPv4 --protocol TCP --dst-port 22 --remote-ip 0.0.0.0/0 --description "Allows SSH access" | ||
| openstack security group rule create "${OS_SG}" --egress --ethertype IPv4 --protocol TCP --dst-port -1 --remote-ip 0.0.0.0/0 --description "Allows TCP Egress" | ||
| openstack security group rule create "${OS_SG}" --egress --ethertype IPv4 --protocol UDP --dst-port -1 --remote-ip 0.0.0.0/0 --description "Allows UDP Egress" | ||
| ``` | ||
|
|
||
| Then craft a `baski.yaml` file based on the [example](../baski-example.yaml) supplied and run the commands you require. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.