Merge branch 'development' into 'master'

Development See merge request !167

Merge branch 'development' into 'master'
02d8c73a · Al Fontaine · 2fc5b9da · 0c537f0e · 02d8c73a · 02d8c73a
Commit 02d8c73a authored 4 months ago by Al Fontaine
--- a/.gitignore
+++ b/.gitignore
 *.tar.gz
 SopsSecretGenerator
 argocd
-kubectl
+kubectl*
 mkcert
 sops
-yq
\ No newline at end of file
+yq*
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,12 +11,12 @@ RUN microdnf upgrade -y && \
    rm -rf /var/cache/dnf

 # Install kubectl
-COPY kubectl /usr/local/bin/
+COPY kubectl.amd64 /usr/local/bin/kubectl
 RUN chmod +x /usr/local/bin/kubectl && \
    chown root:root /usr/local/bin/kubectl

 # Install yq
-COPY yq /usr/local/bin/
+COPY yq.amd64 /usr/local/bin/yq
 RUN chmod +x /usr/local/bin/yq && \
    chown root:root /usr/local/bin/yq


--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi9-minimal
+ARG BASE_TAG=9.4
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+RUN microdnf upgrade -y && \
+    # Comes with gnutls and curl-minimal
+    microdnf install -y --nodocs jq pinentry findutils which && \
+    microdnf clean all && \
+    rm -rf /var/cache/dnf
+
+# Install kubectl
+COPY kubectl.arm64 /usr/local/bin/kubectl
+RUN chmod +x /usr/local/bin/kubectl && \
+    chown root:root /usr/local/bin/kubectl
+
+# Install yq
+COPY yq.arm64 /usr/local/bin/yq
+RUN chmod +x /usr/local/bin/yq && \
+    chown root:root /usr/local/bin/yq
+
+# Run CCE tasks
+COPY --chown=root --chmod=700 ./scripts /tmp/scripts/
+RUN groupadd -g 1000 base && \
+    useradd -r -u 1000 -m -s /sbin/nologin -g base base && \
+    /tmp/scripts/CCE-83434-1.sh && \
+    /tmp/scripts/CCE-84036-3.sh && \
+    /tmp/scripts/CCE-84038-9.sh && \
+    /tmp/scripts/CCE-85888-6.sh && \
+    /tmp/scripts/CCE-86534-5.sh && \
+    rm -rf /tmp/scripts
+
+USER base
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -17,15 +17,25 @@ labels:
  mil.dso.ironbank.product.name: Big Bang
 resources:
  - url: https://storage.googleapis.com/kubernetes-release/release/v1.28.4/bin/linux/amd64/kubectl
-    filename: kubectl
+    filename: kubectl.amd64
    validation:
      type: sha256
      value: 893c92053adea6edbbd4e959c871f5c21edce416988f968bec565d115383f7b8
+  - url: https://storage.googleapis.com/kubernetes-release/release/v1.28.4/bin/linux/arm64/kubectl
+    filename: kubectl.arm64
+    validation:
+      type: sha256
+      value: edf1e17b41891ec15d59dd3cc62bcd2cdce4b0fd9c2ee058b0967b17534457d7
  - url: https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
-    filename: yq
+    filename: yq.amd64
    validation:
      type: sha256
      value: a2c097180dd884a8d50c956ee16a9cec070f30a7947cf4ebf87d5f36213e9ed7
+  - url: https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_arm64
+    filename: yq.arm64
+    validation:
+      type: sha256
+      value: 0e7e1524f68d91b3ff9b089872d185940ab0fa020a5a9052046ef10547023156
 maintainers:
  - name: "James Casteel"
    email: "ironbank@dsop.io"