From 49513cf02d4764407dd3cdb89f6350bce16d7341 Mon Sep 17 00:00:00 2001 From: ironbank-bot Date: Thu, 10 Dec 2020 01:07:22 +0000 Subject: [PATCH 1/2] Migrate to hardening_manifest.yaml --- Dockerfile | 6 ----- Jenkinsfile | 3 --- download.yaml | 3 --- hardening_manifest.yaml | 55 +++++++++++++++++++++++++++++++++++++++++ renovate.json | 30 +++++++++++++++++----- 5 files changed, 79 insertions(+), 18 deletions(-) delete mode 100644 Jenkinsfile delete mode 100644 download.yaml create mode 100644 hardening_manifest.yaml diff --git a/Dockerfile b/Dockerfile index 4623a8d..9b7e632 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,12 +6,6 @@ FROM vault:1.6.0 AS source FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -LABEL org.opencontainers.image.title="vault" \ - org.opencontainers.image.description="Vault is a tool for securely accessing secrets." \ - org.opencontainers.image.licenses="MPL-2.0" \ - org.opencontainers.image.url="https://www.vaultproject.io/" \ - org.opencontainers.image.version="1.6.0" \ - maintainer="cht@dsop.io" COPY --from=source /bin/vault /bin/vault COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index c5df20e..0000000 --- a/Jenkinsfile +++ /dev/null @@ -1,3 +0,0 @@ -@Library('DCCSCR@master') _ -dccscrPipeline(version: "1.6.0") - diff --git a/download.yaml b/download.yaml deleted file mode 100644 index c172157..0000000 --- a/download.yaml +++ /dev/null @@ -1,3 +0,0 @@ -resources: - - url: "docker://docker.io/library/vault@sha256:b04266db3e7ece92690df720fcf98ecf138a92ed3d1edc14dc86fe814c33ab9b" - tag: "vault:1.6.0" diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000..6a8081e --- /dev/null +++ b/hardening_manifest.yaml @@ -0,0 +1,55 @@ +--- +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "hashicorp/vault/vault" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dsop.io +tags: +- "1.6.0" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_IMAGE: "redhat/ubi/ubi8" + BASE_TAG: "8.3" + +# Docker image labels +labels: + org.opencontainers.image.title: "vault" + ## Human-readable description of the software packaged in the image + # org.opencontainers.image.description: "FIXME" + ## License(s) under which contained software is distributed + # org.opencontainers.image.licenses: "FIXME" + ## URL to find more information on the image + # org.opencontainers.image.url: "FIXME" + ## Name of the distributing entity, organization or individual + # org.opencontainers.image.vendor: "FIXME" + org.opencontainers.image.version: "1.6.0" + ## Keywords to help with search (ex. "cicd,gitops,golang") + # mil.dso.ironbank.image.keywords: "FIXME" + ## This value can be "opensource" or "commercial" + # mil.dso.ironbank.image.type: "FIXME" + ## Product the image belongs to for grouping multiple images + # mil.dso.ironbank.product.name: "FIXME" + +# List of resources to make available to the offline build context +resources: +- tag: vault:1.6.0 + url: docker://docker.io/library/vault@sha256:b04266db3e7ece92690df720fcf98ecf138a92ed3d1edc14dc86fe814c33ab9b + +# List of project maintainers +# FIXME: Fill in the following details for the current container owner in the whitelist +# FIXME: Include any other vendor information if applicable +maintainers: +- email: "brianmiller@cloudfitsoftware.com" +# # The name of the current container owner +# name: "FIXME" +# # The gitlab username of the current container owner +# username: "FIXME" +# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT +# - name: "FIXME" +# username: "FIXME" +# email: "FIXME" diff --git a/renovate.json b/renovate.json index 102a928..6435ed2 100644 --- a/renovate.json +++ b/renovate.json @@ -1,9 +1,15 @@ { - "assignees": ["@sean.melissari"], - "baseBranches": ["development"], + "assignees": [ + "@sean.melissari" + ], + "baseBranches": [ + "development" + ], "regexManagers": [ { - "fileMatch": ["^Dockerfile$"], + "fileMatch": [ + "^Dockerfile$" + ], "matchStrings": [ "version=\"(?.*?)\"" ], @@ -11,12 +17,24 @@ "datasourceTemplate": "docker" }, { - "fileMatch": ["^Jenkinsfile$"], + "fileMatch": [ + "^hardening_manifest.yaml$" + ], + "matchStrings": [ + "org\\.opencontainers\\.image\\.version:\\s+\"(?.+?)\"" + ], + "depNameTemplate": "vault", + "datasourceTemplate": "docker" + }, + { + "fileMatch": [ + "^hardening_manifest.yaml$" + ], "matchStrings": [ - "version:\\s+\"(?.*?)\"" + "tags:\\s+-\\s+\"(?.+?)\"" ], "depNameTemplate": "vault", "datasourceTemplate": "docker" } ] -} +} \ No newline at end of file -- GitLab From 675aaffc448c0892dd03f0c2362673ab3d3155e3 Mon Sep 17 00:00:00 2001 From: "shen_vickie@bah.com" Date: Fri, 18 Dec 2020 16:28:34 -0500 Subject: [PATCH 2/2] updated hardening --- Dockerfile | 8 ++++---- hardening_manifest.yaml | 27 +++++++++++---------------- 2 files changed, 15 insertions(+), 20 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9b7e632..dda1e4e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ -ARG BASE_REGISTRY=nexus-docker-secure.levelup-dev.io +ARG BASE_REGISTRY=registry1.dsop.io ARG BASE_IMAGE=ubi8 -ARG BASE_TAG=8.2 +ARG BASE_TAG=8.3 FROM vault:1.6.0 AS source @@ -17,11 +17,11 @@ RUN groupadd -g 1001 vault && \ mkdir -p /vault/config && \ chown -R vault:vault /vault -EXPOSE 8200 +EXPOSE 8200 USER vault HEALTHCHECK --interval=5m --timeout=30s --start-period=1m --retries=3 \ - CMD curl -f http://locahost:8200/v1/sys/health?standbyok=true || exit 1 + CMD curl -f http://locahost:8200/v1/sys/health?standbyok=true || exit 1 ENTRYPOINT ["docker-entrypoint.sh"] CMD ["server"] diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 6a8081e..45a0109 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -20,20 +20,20 @@ args: labels: org.opencontainers.image.title: "vault" ## Human-readable description of the software packaged in the image - # org.opencontainers.image.description: "FIXME" + org.opencontainers.image.description: "Vault is a tool for securely accessing secrets." ## License(s) under which contained software is distributed - # org.opencontainers.image.licenses: "FIXME" + org.opencontainers.image.licenses: "MPL-2.0" ## URL to find more information on the image - # org.opencontainers.image.url: "FIXME" + org.opencontainers.image.url: "https://www.vaultproject.io/" ## Name of the distributing entity, organization or individual - # org.opencontainers.image.vendor: "FIXME" + org.opencontainers.image.vendor: "Hashicorp" org.opencontainers.image.version: "1.6.0" ## Keywords to help with search (ex. "cicd,gitops,golang") - # mil.dso.ironbank.image.keywords: "FIXME" + mil.dso.ironbank.image.keywords: "opensource" ## This value can be "opensource" or "commercial" - # mil.dso.ironbank.image.type: "FIXME" + mil.dso.ironbank.image.type: "opensource" ## Product the image belongs to for grouping multiple images - # mil.dso.ironbank.product.name: "FIXME" + mil.dso.ironbank.product.name: "Apache vault" # List of resources to make available to the offline build context resources: @@ -41,15 +41,10 @@ resources: url: docker://docker.io/library/vault@sha256:b04266db3e7ece92690df720fcf98ecf138a92ed3d1edc14dc86fe814c33ab9b # List of project maintainers -# FIXME: Fill in the following details for the current container owner in the whitelist -# FIXME: Include any other vendor information if applicable maintainers: -- email: "brianmiller@cloudfitsoftware.com" +- email: "shen_vickie@bah.com" # # The name of the current container owner -# name: "FIXME" + name: "Vickie Shen" # # The gitlab username of the current container owner -# username: "FIXME" -# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT -# - name: "FIXME" -# username: "FIXME" -# email: "FIXME" + username: "shen_vickie" + cht_member: true -- GitLab