diff --git a/README.md b/README.md index b9d4adb6b301b7e505418f53673b32b0c98f07dd..b3b09e23ec29833a9e821615e85ee577b577b558 100644 --- a/README.md +++ b/README.md 
@@ -1,305 +1,10 @@ -# Fortify App +# Fortify +See the [README in the *docs* folder](https://repo1.dsop.io/platform-one/apps/fortify/-/blob/dev-keegan/docs/README.md) for documentation -## Overview +Copy the *deploy* folder into the appropriate spot in your bootstrap repo to add Fortify to your deployment (be sure to check the docs for additional instructions) -Used to deploy Fortify's Software Security Center web app. The core of the app is the helm chart in base/fortify-pkg, provided by Fortify and sourced from our [Kuberneetes](https://gitlab.platform1.ninja/platform/devops/kubeernetes) (sic) GitLab repo. It's supported by additional object defined in base/resource: a Namespace, a VirtualService, and a Job to configure the MySQL database. +Use the *prep-fortify-mysql-img* folder to build the image used in preparing Fortify's MySQL database -In addition to the base directory, there should be an additional dir for each application environment / deployment target. It contains the secrets for that environment, a "values.yaml" file containing application-specific variables consumed by the Helm chart, and the root **kustomization.yaml** file defining that app env's deployment. -Lastly, there's the "prep-fortify-mysql-img" directory with the files to build a UBI-based MySQL image. This is used by the aforementioned Job for configuring the Aurora MySQL DB. - - -## Deployment - -This repo has been set up to be used with Big Bang bootstrap repos, and deployed using ArgoCD. - -1. If you haven't already, add this repository to your bootstrap repo using `kpt` -2. Confirm that the entries in base/fortify-pkg/values.yaml are accurate, namely "urlHost" (*haven't tested overriding w/ dev/values.yaml*) -3. Confirm the host URLs in base/resources/virtual-service.yaml are accurate -4. Update dev/secrets/mysql-pass.enc.env and dev/secrets/ssc.enc.autoconfig with your database details - - -## Secrets - -1. 
fortify-secret (fortify app dir; fortify-secret-generator.yaml) - * Combines five files into a K8s secret - 1. The fortify license: fortify.enc.license - 2. The keystore file: httpCertificateKeystoreFile.enc.key (not sure if this is used, but Fortify needs it to start) - 3. The keystore file password: httpCertificateKeystorePassword.enc.key (same note as above) - 4. The key password: httpCertificateKeyPassword.enc.key (same note as keystore file) - 5. Fortify's autoconfig file: ssc.enc.autoconfig - * For the license, keystore file, and autoconfig file, the files themselves are encrypted w/ SOPS - * The two passwords are stored in files as plain text (and then encrypted w/ SOPS) -2. mysql-pass (common app dir; generator-mysql-creds.yaml) - * Credentials for the Aurora MySQL database deployed by terraform (see the common-dependencies module) - * Sets 4 environment variables - 1. **DBUSER**: general-purpose dabase user - 2. **DBPASSWORD**: password for DBUSER - 3. **DBHOST**: hostname for the database (*may need to change based on deployment target*) - 4. **JDBC_DRIVER_URI**: URI to download the driver JAR file used by fortify to interface w/ the DB - 5. **MYSQL_ROOT_PASSWORD**: The root password for the database (*not currently used; supplying a fake value*) -3. repo1-registry-read-creds (common app dir; repo1-registry-read-creds-generator.yaml) - * Image pull secret for the big bang container registry - * Used to pull the fortify image, as well as the MySQL image used to prepare the database. 
- - -### Links - -[Fortify SSC 20.1 install guide](https://www.microfocus.com/documentation/fortify-software-security-center/2010/SSC_Help_20.1.0/index.htm#SSC_UG/Intro_New%20UI_20.1.0.htm%3FTocPath%3DIntroduction%7C_____2) - -[PDF Verison](https://www.microfocus.com/documentation/fortify-software-security-center/2010/SSC_Guide_20.1.0.pdf) - -[Fortify 20.1 zip file] (https://gitlab.platform1.ninja/platform/devops/kubeernetes/-/tree/master/fortify%2Finstall) Unzip this file and dig down into the SSC.zip file to find the helm chart for SSC that is mentioned below. - - -### README for SSCDEMO image - -Note: The Fortify SSC image is not currently approved by IB. It was cloned from the Fortify private dockerhub repo to the Big Bang container registry. Since the images were already downloaded from Dockerhub, a lot of the instructions below about pulling the Fortify SSC image from dockerhub can be ignored. - -Fortify Docker Demo Suite - -Supported tags: -20.1.0.0169, 20.1.0, latest -19.2.0.3191, 19.2.0 -19.1.0.3010, 19.1.0 -18.20 - - -#### Docker Demo Suite Instructions - -The SSC demo suite is in a private repository that requires that your Docker username be explicitly granted access permission. To request access, email James Rabon directly (james.rabon@microfocus.com). - -Once you have access permission, run the following: - -`docker run -m 6g -e SSC_MAX_MEM_MB=4096 -v /Users/Desktop/fortify:/fortify -p 8080:8080 --name sscdemo fortifydocker/sscdemo` - -where: - -* -m represents the amount of memory available to your container. (This must be at least 6GB.) -* -e sets an environment variable named SSC_MAX_MEM_MB to allocate the max heap to Fortify Software Security Center. -* -v mounts a volume at the location specified. - -Note: The command will work on Linux and Mac operating systems, but Windows may require /c/, where c is the drive letter. 
-For example, on Windows 10: `-v /c/Users/docker:/fortify` - -This command searches your machine for a Docker image named sscdemo and, if the image does not exist or needs to be updated, pulls the latest version from Docker Hub. The remote location of the Fortify image on Docker Hub is fortifydocker/sscdemo. -A message on the console indicates that you need to copy the fortify.license file to /fortify. - -`docker cp /Users/Desktop/fortify.license sscdemo:/fortify` - -Important! Please make sure that your container is healthy before you view Fortify Software Security Center in your browser. -To check the status of your container at any time, run: - -`docker ps -a` - -After you copy the license file to the correct directory, the deployment is complete and Fortify Software Security Center should be available in your browser. Go to http://localhost:8080/ssc and log in with the default username / password pairing of admin / admin (requires a password change). - -Going forward, to stop or start your container, run: `docker stop sscdemo` or `docker start sscdemo` - - -##### Troubleshooting - -On Windows, docker sharing volumes can be blocked by a firewall (company restrictions). In case you cannot bind mount a volume, you can use a “named volume” approach instead. The named volume is managed by Docker itself. It is automatically created if it does not yet exist. Even if the container is deleted, the named volume is not deleted and can be reused. 
- -`docker run -m 6g -e SSC_MAX_MEM_MB=4096 -v sscdemovolume:/fortify -p 8080:8080 --name sscdemo fortifydocker/sscdemo` - -To check existing Docker volumes, run: - -`docker volume ls` - -To check the status of your container at any time, run: - -`docker ps -a` - -If you want to get more information about not healthy container, please use this command: - -`docker logs sscdemo` - - -#### Overview for ssc-webapp - -Kubernetes deployment 20.1.0 - - -##### SSC System requirements for Kubernetes deployments - -Kubernetes: Versions 1.14--1.17 - -Persistent volume support - -(Recommended) A load balancer service - -At least 7 GB of RAM and 1 CPU on a single node (with default configuration) - -Maximum usage: 28 GB of RAM and 8 CPUs on a single node (with default configuration) - -4 GiB of storage for persistent volume (with default configuration) - -Locally-Installed Tools Required - -A kubectl command-line tool - Fortify recommends using the same version as the Kubernetes cluster version (1.14--1.17) - -Helm command-line tool, version 3.0 or 3.1 - -Air-gapped installation only - (Recommended) A Docker clientClosed and serverClosed installation (any version) - - -##### Additional Requirements - -Kubeconfig file for the Kubernetes cluster - -Docker Hub account with access to Fortify Software Security Center images - -Note: If you need access to Fortify Docker Organization on Docker Hub, contact FortifyDocker@microfocus.com with your first name, your last name, and your Docker account name. Micro Focus Fortify will then give you access to the Fortify Docker organization that contains the Fortify Software Security Center images. 
- -DNS name for the Fortify Software Security Center web applicationClosed (address used to access the service) - -Java keystore for setting up HTTPS (For details, see the Micro Focus Fortify Software Security Center User Guide) The keystore must contain a CA certificateClosed and a server certificate for the Fortify Software Security Center DNS name with an associated private key. - -Keystore password - -Private key password - -An installed Oracle, SQL Server, or **MySQL** for database server - -Database server host name - -Name of the Fortify Software Security Center database - -Username and password for an account that has permission to manage the Fortify Software Security Center schema and data - -(Oracle or MySQL database only) An HTTP server that is accessible from the Kubernetes cluster for distributing the JDBC driver. For supported driver versions, see Fortify Software Security Center Database. - -Fortify Software Security Center license - - -##### Preparing for Fortify SSC Kubernetes Deployment - -The following steps describe how to prepare for Fortify SSC Kubernetes deployment. For information about supported versions of the required software, see System requirements. -To prepare for your Fortify SSC Kubernetes deployment, do the following: - - -Install and set up kubectl. For instructions, see https://kubernetes.io/docs/tasks/tools/install-kubectl. - - -Install helm. To download the software, see https://github.com/helm/helm/releases. For installation instructions, see https://helm.sh/docs/intro/install/. - - -(air gapped installation only) Install Docker. For installation instructions, see https://docs.docker.com/get-docker/. - - -Extract contents of helm directory from SSC distribution ZIP into directory. Enter the directory and copy ssc-values-example.yaml file to ssc-values.yaml. - - -##### Fortify SSC Kubernetes Deployment - -You can deploy Fortify SSC in an environment with Internet access, or in an air-gapped environment. 
If you will deploy the application in an environment with Internet access, the SSC Docker image can be pulled from Docker Hub registry. If you must deploy the application in an air-gapped environment, you must use a private registry for the deployment and transfer the SSC Docker image to it. -Deploying Fortify SSC to Kubernetes cluster - -The procedure used to deploy Fortify SSC in environment with Internet access is almost identical to the procedure used to deploy the product in an air-gapped environment. The only difference is that, for an air-gapped deployment, you must push the Fortify SSC image to a private registry accessible from your Kubernetes cluster. -To deploy Fortify SSC: - - -Create a Docker Hub account, and then supply your account name to Fortify Support (https://softwaresupport.softwaregrp.com). -Note: Fortify Support will provide you with access to the Fortify repository on the Docker Hub (fortifydocker organization). - - -(Perform this step only for an air-gapped installation, or if you want to use a private registry. A running Docker server and Docker client are assumed.) Transfer the Fortify SSC image to your private registry, as follows: - - -Log in to the Docker Hub, run: -`docker login` - - -Log in to your private registry, run: -`docker login `` - - -Transfer the SSC Docker image: - -`docker pull fortifydocker/ssc-webapp` - -`docker tag fortifydocker/ssc-webapp platform-one/private/big-bang/apps/fortify/ssc-webapp` - -`docker push platform-one/private/big-bang/apps/fortify/ssc-webapp`` - -**Important!** The image name (ssc-webapp) and the tag must stay the same! -Note: To learn the value to be used for the , inspect a ssc-+.tgz file in the directory. The part should be used for the value. - - -Enter the // as the value for image.repositoryPrefix parameter in the values.yaml file. -Note: The value you specify for the image.repositoryPrefix parameter must include a trailing forward slash (/). 
- - - - -Create a Kubernetes secret for pulling images from the registry (Docker Hub or private registry). For instructions, see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry and enter the secret name as the value for the imagePullSecrets parameter in the /ssc-values-example.yaml file. Would created secret be regcred, the format is: - -imagePullSecrets: - - - name: regcred - -Note: The imagePullSecrets value is required for access to the Docker Hub registry. If you have a private repository that can be accessed without credentials, then there is no need to specify imagePullSecrets. - - -Create another Kubernetes secret containing data required by the deployment. Inspect - - -Inspect a secretRef.keys for list of data accepted. A minimal required set is httpCertificateKeystoreFileEntry, httpCertificateKeystorePasswordEntry, httpCertificateKeyPasswordEntry. - - -Create a directory and for each key in secretRef.keys you must or want to provide, create a file in the containing the value. E.g. for the httpCertificateKeystoreFileEntry, there should be a file containing the keystore; for the httpCertificateKeystorePasswordEntry, there should be a file containing the password. - - -Create the secret using kubectl command: - -kubectl create secret generic --from-file - -Note: References to keys in the Fortify helm chart's values.yaml file will use periods (.) to denote subkeys (ex. secretRef.name would be the "name" subkey under "secretRef") - -Enter the secret name as the value for secretRef.name parameter in the values.yaml file. - - -For each file provided in the fortify k8s secret, enter the filename as a value for the related the secretRef.keys. - - - - -Enter any other required parameters to values.yaml file. - - -The urlHost must contain the fully qualified DNS name intended accessing Fortify SSC. The address for accessing the Fortify SSC installation will be https://:/. E.g. https://ssc.example.com:443/. 
If the port is 443, it can be omitted from the URL: https://ssc.example.com/ - - -We recommend to set the service.type parameter to LoadBalancer for easy usage. - - -The jdbcDriverUri parameter must contain a URL where the required JDBC driver JAR can be downloaded. The URL is accessed from the Fortify SSC container. - - -Note: Most values you specify for parameters in the values.yaml file can always be changed later. You can then redeploy Fortify SSC to implement the changes. Depending on the Kubernetes cluster, the exception might be parameters for the persistentVolumeClaim. - - -To initially deploy Fortify SSC run the following: - - helm install ssc-1.0.169+20.1.0.0169.tgz - -For subsequent deployments, run the following: - - helm upgrade ssc-1.0.169+20.1.0.0169.tgz - -Notes: -* Swap out the helm chart file name if you use a different version (or just change the name) -* If you change the name of the values file from the default `values.yaml`, be sure to use the -f flag to specify the new filename - -Follow the [SSC UG](https://www.microfocus.com/documentation/fortify-software-security-center/1820/SSC_Guide_18.20.pdf) for further configuration. - - -## Dependencies - -* Multiple secrets come from a "common" app directory. Be sure to include this directory as a "base" for each environment in the kustomization.yaml file. -* Two images should be available for use. We're currently storing them in `registry.dsop.io/platform-one/private/big-bang/apps/fortify/` - * The fortify-ssc image - * An image w/ a MySQL driver/binary for configuring the MySQL database diff --git a/base/fortify-pkg/kustomization.yaml b/base/fortify-pkg/kustomization.yaml deleted file mode 100644 index 1bca7d18e4b446633392f2136595072c4d5cfad5..0000000000000000000000000000000000000000 --- a/base/fortify-pkg/kustomization.yaml +++ /dev/null 
@@ -1,3 +0,0 @@ -# NOTE: Generator below is used a reference only, due to the nature of helm and generators, we don't use this `package` as _the_ base -# generators: -# - chart.yaml diff --git a/deploy/fortify-pkg/README.md b/deploy/fortify-pkg/README.md new file mode 100644 index 0000000000000000000000000000000000000000..af3325792cc61766c86f4efa64fa0b39150bd460 --- /dev/null +++ b/deploy/fortify-pkg/README.md @@ -0,0 +1,3 @@ +# fortify-pkg + +[Documentation](https://repo1.dsop.io/platform-one/apps/fortify/-/blob/dev-keegan/docs/) \ No newline at end of file diff --git a/base/fortify-pkg/chart.yaml b/deploy/fortify-pkg/chart.yaml similarity index 100% rename from base/fortify-pkg/chart.yaml rename to deploy/fortify-pkg/chart.yaml diff --git a/deploy/fortify-pkg/kustomization.yaml b/deploy/fortify-pkg/kustomization.yaml new file mode 100644 index 0000000000000000000000000000000000000000..2f21fa905e2435ee9c0159a30e4f91b35e254b4f --- /dev/null +++ b/deploy/fortify-pkg/kustomization.yaml @@ -0,0 +1,2 @@ +generators: + - chart.yaml diff --git a/base/fortify-pkg/ssc-1.0.169+20.1.0.0169.tgz b/deploy/fortify-pkg/ssc-1.0.169+20.1.0.0169.tgz similarity index 100% rename from base/fortify-pkg/ssc-1.0.169+20.1.0.0169.tgz rename to deploy/fortify-pkg/ssc-1.0.169+20.1.0.0169.tgz diff --git a/base/fortify-pkg/values.yaml b/deploy/fortify-pkg/values.yaml similarity index 100% rename from base/fortify-pkg/values.yaml rename to deploy/fortify-pkg/values.yaml diff --git a/base/kustomization.yaml b/deploy/kustomization.yaml similarity index 83% rename from base/kustomization.yaml rename to deploy/kustomization.yaml index 4a6b601cb30f25ff5e238f3fe0ee2f286674b25f..ce817ac2f5e9ac290aeb1d63175b1177e0e40e8e 100644 --- a/base/kustomization.yaml +++ b/deploy/kustomization.yaml @@ -1,7 +1,7 @@ namespace: fortify -# bases: -# - fortify-pkg/ +bases: + - fortify-pkg/ resources: - resources/app-db-provisioner/db-configmap1.yaml 
@@ -10,6 +10,3 @@ resources: - resources/namespace.yaml - resources/virtual-service.yaml - resources/app-db-provisioner/db-provisioner.yaml - -# patchesStrategicMerge: -# - diff --git a/base/resources/app-db-provisioner/create-tables.sql b/deploy/resources/app-db-provisioner/create-tables.sql similarity index 100% rename from base/resources/app-db-provisioner/create-tables.sql rename to deploy/resources/app-db-provisioner/create-tables.sql diff --git a/base/resources/app-db-provisioner/db-configmap1.yaml b/deploy/resources/app-db-provisioner/db-configmap1.yaml similarity index 100% rename from base/resources/app-db-provisioner/db-configmap1.yaml rename to deploy/resources/app-db-provisioner/db-configmap1.yaml diff --git a/base/resources/app-db-provisioner/db-configmap2.yaml b/deploy/resources/app-db-provisioner/db-configmap2.yaml similarity index 100% rename from base/resources/app-db-provisioner/db-configmap2.yaml rename to deploy/resources/app-db-provisioner/db-configmap2.yaml diff --git a/base/resources/app-db-provisioner/db-configmap3.yaml b/deploy/resources/app-db-provisioner/db-configmap3.yaml similarity index 100% rename from base/resources/app-db-provisioner/db-configmap3.yaml rename to deploy/resources/app-db-provisioner/db-configmap3.yaml diff --git a/base/resources/app-db-provisioner/db-provisioner.yaml b/deploy/resources/app-db-provisioner/db-provisioner.yaml similarity index 100% rename from base/resources/app-db-provisioner/db-provisioner.yaml rename to deploy/resources/app-db-provisioner/db-provisioner.yaml diff --git a/base/resources/namespace.yaml b/deploy/resources/namespace.yaml similarity index 100% rename from base/resources/namespace.yaml rename to deploy/resources/namespace.yaml diff --git a/base/resources/virtual-service.yaml b/deploy/resources/virtual-service.yaml similarity index 100% rename from base/resources/virtual-service.yaml rename to deploy/resources/virtual-service.yaml 
diff --git a/dev/.DS_Store b/dev/.DS_Store deleted file mode 100644 index 1d7dfe408e2ab9f30a144742dd34510fc4112014..0000000000000000000000000000000000000000 Binary files a/dev/.DS_Store and /dev/null differ diff --git a/dev/chart.yaml b/dev/chart.yaml deleted file mode 100644 index 35693a8774d93333f4f84bd730db23268d3de151..0000000000000000000000000000000000000000 --- a/dev/chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: p1.dsop.io/v1beta1 -kind: HelmGenerator -metadata: - name: helmGenerator -releaseName: fortify -chartPath: ../base/fortify-pkg/ssc-1.0.169+20.1.0.0169.tgz -namespace: fortify -valueFiles: - - ../base/fortify-pkg/values.yaml - - values.yaml diff --git a/dev/kustomization.yaml b/dev/kustomization.yaml deleted file mode 100644 index 2a0e8d43b0706f93d8233b476b8ce8988460b8ef..0000000000000000000000000000000000000000 --- a/dev/kustomization.yaml +++ /dev/null @@ -1,12 +0,0 @@ -namespace: fortify - -bases: - - ../base/ - - ../../common/dev/ - - secrets/ - -generators: - - chart.yaml - -# patchesStrategicMerge: -# - patches/ diff --git a/dev/secrets/.DS_Store b/dev/secrets/.DS_Store deleted file mode 100644 index 5008ddfcf53c02e82d7eee2e57c38e5672ef89f6..0000000000000000000000000000000000000000 Binary files a/dev/secrets/.DS_Store and /dev/null differ diff --git a/dev/secrets/fortify-secret-generator.yaml b/dev/secrets/fortify-secret-generator.yaml deleted file mode 100644 index b1286d693110c92dcb3f810a643862f3fb7dd075..0000000000000000000000000000000000000000 --- a/dev/secrets/fortify-secret-generator.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: goabout.com/v1beta1 -kind: SopsSecretGenerator -metadata: - name: fortify-secret - namespace: fortify -disableNameSuffixHash: true -files: - - fortify-license=fortify.enc.license - - httpCertificateKeystoreFile=httpCertificateKeystoreFile.enc.key - - httpCertificateKeystorePassword=httpCertificateKeystorePassword.enc.key - - httpCertificateKeyPassword=httpCertificateKeyPassword.enc.key - - fortify-autoconfig=ssc.enc.autoconfig diff --git a/dev/secrets/fortify.enc.license b/dev/secrets/fortify.enc.license deleted file mode 100644 index 4a03976fa9893f800a1725cb0279443bd7ce7a37..0000000000000000000000000000000000000000 --- a/dev/secrets/fortify.enc.license +++ /dev/null @@ -1,20 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data: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,iv:xOF7w9k+AER5zVJBX7mD/rSBRTkFXbnev/kUGs4ROOo=,tag:5SkQ6w4WlC0Aez2r09H7fw==,type:str]", - "sops": { - "kms": [ - { - "arn": "arn:aws-us-gov:kms:us-gov-west-1:927962728993:key/f131e19c-a804-4185-b75f-69b995eb9e6a", - "created_at": "2020-06-30T19:01:52Z", - "enc": "AQICAHiBokhIqRyovOZILp3cL4ZLeOMUIKZsOV08m7PNyQevrgFyU4AHvV4gIaqjIOkEsgdSAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMQk1cba+a6NePInNJAgEQgDv47NS3VWBY84zXcxPaJ8UveEeZsRJaMXp45E7uu/dOcr25QMJYCfsORt3RvGvIKYJwdhGr9SEPXxdZ1w==", - "aws_profile": "" - } - ], - "gcp_kms": null, - "azure_kv": null, - "lastmodified": "2020-06-30T19:01:53Z", - "mac": "ENC[AES256_GCM,data:TlEriWmC4AaBS/2CPb/qZJa0dpMIgU7lFrzBLHVIe/9YSbZQz9DkiYSIykZ9Wa8Bq2TZuiARfpN+mqj09qgu1eNxqzxg7ead14elBam2YiRsDTWL2gRmn8WOpnKIf5T7qX81y/rxo6+iKl7R0cK7hZLhv2KmSFyf38TPG5e8F7c=,iv:2JLSnAuGI1q4c7WZH+NNa6Y+ppRVotUCMpQ87kdQfmo=,tag:vVlGAbduZCxVhyXOuIyoRA==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.5.0" - } -} \ No newline at end of file 
diff --git a/dev/secrets/httpCertificateKeyPassword.enc.key b/dev/secrets/httpCertificateKeyPassword.enc.key deleted file mode 100644 index 3e4788da6903492f6f3c3ceb2db68c0441bb65d1..0000000000000000000000000000000000000000 --- a/dev/secrets/httpCertificateKeyPassword.enc.key +++ /dev/null @@ -1,20 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:ZY3zcN4oplk9XGr1ztYcckQKfQ==,iv:9tR/FpcnFTq7Nld6tt0KUmPhwDs6/SDfp+kwLf6kJ4E=,tag:oLGjC5LhiTNu5PMFsNBiRw==,type:str]", - "sops": { - "kms": [ - { - "arn": "arn:aws-us-gov:kms:us-gov-west-1:927962728993:key/f131e19c-a804-4185-b75f-69b995eb9e6a", - "created_at": "2020-06-30T19:02:11Z", - "enc": "AQICAHiBokhIqRyovOZILp3cL4ZLeOMUIKZsOV08m7PNyQevrgE13DMpQA/hWa1v2KqhAaMYAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMNZGD858ndJTmMoFMAgEQgDuzsWrapcj8EJ2fuv2iP1BxLT+v3DzCY29VFgBpGK0eVOP0oMexzEuuRgmumJRgt43GjpU5m7Yx1/n1lg==", - "aws_profile": "" - } - ], - "gcp_kms": null, - "azure_kv": null, - "lastmodified": "2020-06-30T19:02:12Z", - "mac": "ENC[AES256_GCM,data:2+JX7FCUX4jQDOGeNx/6JKzwYyEdL5oPcoseGAbOIZ6/ombEAFmQbrBlwvdK+RHBO/epnUxVPNzDvO7vCApqu8N/3whjRAEyyg4WMDtzDKXLH88XOYJmNIl8WFedl4f/MPB3R6FKnRadLUsXfMNhyXhqhHfWjwXYPoXat7b668U=,iv:JbsSMIDI7GkgiwXHyyCVsYxXvgEk7qN8hFWV4lyAJ/E=,tag:/F+1utcYxkzPiSezbHBWsg==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.5.0" - } -} \ No newline at end of file diff --git a/dev/secrets/httpCertificateKeystoreFile.enc.key b/dev/secrets/httpCertificateKeystoreFile.enc.key deleted file mode 100644 index 88e5f97e2a03a57a027c1cee973a4eeec3803367..0000000000000000000000000000000000000000 --- a/dev/secrets/httpCertificateKeystoreFile.enc.key +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data: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,iv:YcNtkZZwjOv02xTJEWm5fOsi/wVyGul3JuZb1U4tz94=,tag:fGbjpLyqhV3uYxSXGfodGw==,type:str]", - "sops": { - "kms": [ - { - "arn": "arn:aws-us-gov:kms:us-gov-west-1:927962728993:key/f131e19c-a804-4185-b75f-69b995eb9e6a", - "created_at": "2020-06-30T19:02:32Z", - "enc": "AQICAHiBokhIqRyovOZILp3cL4ZLeOMUIKZsOV08m7PNyQevrgGwqi52961wiGCffWZQVzyVAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMvjMUXDPnXVT0q3biAgEQgDtlPSOWpqH1HTsmwTSJXhO0FnCVYgfRAd6HSirdpwLIxO2cZefkIUmK0gHdRuxVtTvhBzDb8xv2hMPh5g==", - "aws_profile": "" - } - ], - "gcp_kms": null, - "azure_kv": null, - "lastmodified": "2020-06-30T19:02:32Z", - "mac": "ENC[AES256_GCM,data:KMzTqEnC03rGjDsOxwZ8nElx/6wi5rqTPMQlTEZctOCFpj7QqlgeuRqUswLheqYI7dGTE8SObeEyKdSXiRg22ijiA2y9nfQHoFOtG9BFPzArHwDp3mpbP3ww0EC11rG4RfoQvTEDPPwgf6nx//cfU48C5LlhlkputqjUDh6UhIs=,iv:DO8E87hDp0kS8hzRye6pBs3NkTKPqt8dg5vbaZKOALY=,tag:qZKZJ0Gb3eiQhwp2PxBkrg==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.5.0" - } -} \ No newline at end of file diff --git a/dev/secrets/httpCertificateKeystorePassword.enc.key b/dev/secrets/httpCertificateKeystorePassword.enc.key deleted file mode 100644 index ed25eaa5d6e6f59a53fd7643d0d9053242fe7630..0000000000000000000000000000000000000000 --- a/dev/secrets/httpCertificateKeystorePassword.enc.key +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:h8T2uQryCYhlOflAE9t95+On,iv:CrBxKqRgsbuGkA+9Q7q5vlA7ynh4tBTh7dr/MYV9g4A=,tag:BeUJXTqsCEZ59Id/6atG1Q==,type:str]", - "sops": { - "kms": [ - { - "arn": "arn:aws-us-gov:kms:us-gov-west-1:927962728993:key/f131e19c-a804-4185-b75f-69b995eb9e6a", - "created_at": "2020-06-30T19:02:42Z", - "enc": "AQICAHiBokhIqRyovOZILp3cL4ZLeOMUIKZsOV08m7PNyQevrgEYand9sI28V0BYfpJ8N96kAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMum5PKo163xNx1GouAgEQgDsCtP1SnX4+gsShYyHoQSZrYtSDAWPNTGl4oVfAUdRT+7NlYge1NxpApR1q5nHmDzo8TKrb7oxaOfsWEg==", - "aws_profile": "" - } - ], - "gcp_kms": null, - "azure_kv": null, - "lastmodified": "2020-06-30T19:02:43Z", - "mac": "ENC[AES256_GCM,data:Ey8MywgRMGl4ec4rsrLQEPbHxmaCmMPvoPnpybAP4LG8KwHaDPQgSXEL0N9AdFJzVSQfF2DNE+FA03lNnellzGD4bEbGFlinIxqnQzJB+CpJLRZ9vZ6RludO2I0JwqQjS6lbdAvDJ6QqTOTxxAHEOlcLRcVhBQCYSs+p+jUbS4c=,iv:7E5KwUgaDhAkV1qKeRpgRoLcqH3SEniO5JPqQY7VJKs=,tag:kfNvYilOfi6ua+Y4uur/dA==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.5.0" - } -} \ No newline at end of file diff --git a/dev/secrets/kustomization.yaml b/dev/secrets/kustomization.yaml deleted file mode 100644 index 8a9b0a32fbdf3a205a386dfec0903141556c4f2e..0000000000000000000000000000000000000000 --- a/dev/secrets/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -generators: - - fortify-secret-generator.yaml \ No newline at end of file diff --git a/dev/secrets/ssc.enc.autoconfig b/dev/secrets/ssc.enc.autoconfig deleted file mode 100644 index 056057e9d6968b5f00fcab09e727eba653956471..0000000000000000000000000000000000000000 --- a/dev/secrets/ssc.enc.autoconfig +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data: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,iv:PUHzilPvz1SwdGjVG5gHRVTb1X5Lz+PMpelU1K53Ha8=,tag:mZyeV6xvdwk8zKMk0I04lw==,type:str]", - "sops": { - "kms": [ - { - "arn": "arn:aws-us-gov:kms:us-gov-west-1:927962728993:key/f131e19c-a804-4185-b75f-69b995eb9e6a", - "created_at": "2020-07-24T17:34:07Z", - "enc": "AQICAHiBokhIqRyovOZILp3cL4ZLeOMUIKZsOV08m7PNyQevrgH33PX+y2aACulOqdppdz/nAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMPUgBhnwipiyktgSQAgEQgDvT74s6Jz5blkmAMXQpDN6FhdrhPCrfyJ5eUB86LVxjazhKxraomBOaB/ME/U+hMMNLquDYlF1Uj71lFw==", - "aws_profile": "" - } - ], - "gcp_kms": null, - "azure_kv": null, - "lastmodified": "2020-07-24T17:34:07Z", - "mac": "ENC[AES256_GCM,data:7XJrO+cIJi8YW/lulqYufwFbanOPf7hAW3DZpeXhWX+eR+i5t9n4KKWiqrO6B7yP86R2b0SRyiP0Apr/QLmaJO8o36Pwt+QwIdxO/Nnq9xn+4s947diQFXRwiOffjHAFoI8gPQ8Or21yt7MHhPokEtH4vdwnx3EGjKbQ5DlgXJQ=,iv:Yjxf8nsp/PalI1BzPouTTj/4CGeVqr4oKaKWqLH8lVY=,tag:hp+UX4jsuCQdWe3w8pkgJQ==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.5.0" - } -} \ No newline at end of file diff --git a/dev/values.yaml b/dev/values.yaml deleted file mode 100644 index 7b8fd675d959d0b9de6a391d29d29583929f3d85..0000000000000000000000000000000000000000 --- a/dev/values.yaml +++ /dev/null @@ -1 +0,0 @@ -# leaving empty for now \ No newline at end of file diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 0000000000000000000000000000000000000000..443b3e41b8695d49699b85152f83e4d921aaec83 --- /dev/null +++ b/docs/README.md 
@@ -0,0 +1,352 @@ +# Fortify App + + +## Overview + +Used to deploy Fortify's Software Security Center web app. The core of the app is the helm chart in deploy/fortify-pkg, provided by Fortify and sourced from our [Kubeernetes](https://gitlab.platform1.ninja/platform/devops/kubeernetes) (sic) GitLab repo. It's supported by additional objects defined in base/resource: a Namespace, a VirtualService, and a Job to configure the MySQL database. + +The docs repo is for storing any relevant documentation + +The "prep-fortify-mysql-img" directory contains the resources to build a UBI-based MySQL image. This is used by the K8s Job for configuring the Aurora MySQL DB. + +## Prerequisites + +In addition to typical bootstrap dependencies... + +1. A functioning MySQL server (e.g. a MySQL RDS instance) that Fortify can use, along with a designated user & DB +2. Access to the Fortify SSC container image ([See README for SSCDEMO image for details](#README for SSCDEMO image)) + +## Deployment + +This repo has been set up to be used with Big Bang bootstrap repos, and deployed using ArgoCD. + +1. If you haven't already, add the *deploy* folder to your bootstrap repo using `kpt` +2. Add the necessary K8s secrets +3. Confirm that the entries in deploy/fortify-pkg/values.yaml are accurate, namely "urlHost" +4. 
Confirm the host URLs in deploy/resources/virtual-service.yaml are accurate + +### Folder Layout in Bootstrap Repo + +An example folder layout in a bootstrap repo + +``` +/apps +|– fortify +| |– base **the deploy folder copied w/ kpt** +| | |– fortify-pkg **helm chart & default values file** +| | | |– chart.yaml **Kustomize generator for helm chart** +| | | |– kustomization.yaml **COMMENT OUT OR DELETE if using separate values files & HelmChartGenerators per app environment** +| | | |– values.yaml **default values file** +| | |– resources **manifests for job & script to configure MySQL DB; namespace; virtual-service** +| | |– kustomization.yaml +| |– env **create a copy of this for each app env (ex. dev, stage, prod); it should contain the relevant secrets & config changes** +| |– secrets +| | |– fortify-secret-generator.yaml +| | |– fortify-enc.license +| | |– httpCertificateKeyPassword.enc.key +| | |– httpCertificateKeystoreFile.enc.key +| | |– httpCertificateKeystorePassword.enc.key +| | |– kustomization.yaml **tells kustomization/argo to use the fortify-secret-generator** +| | |– ssc.autoconfig.enc +| |– chart.yaml **if not using base/fortify-pkg/chart.yaml** +| |– values.yaml **Any overrides for the base values.yaml** +|– common + |– env **create a copy of this for each app env + |– db-creds-mysql.enc.env + |- generator-mysql-creds.yaml + |– repo1-registry-read-creds-generator.yaml + |– repo1-registry-read-creds.enc.json + +``` + + + +### Secrets + +1. fortify-secret + * Combines five files into a K8s secret + 1. The fortify license: fortify.enc.license + 2. The keystore file: httpCertificateKeystoreFile.enc.key (not sure if this is used, but Fortify needs it to start) + 3. The keystore file password: httpCertificateKeystorePassword.enc.key (same note as above) + 4. The key password: httpCertificateKeyPassword.enc.key (same note as keystore file) + 5. 
Fortify's autoconfig file: ssc.enc.autoconfig + * For the license, keystore file, and autoconfig file, the files themselves are encrypted w/ SOPS + * The two passwords are stored in files as plain text (and then encrypted w/ SOPS) +2. mysql-pass + * Credentials for the Aurora MySQL database deployed by terraform (see the common-dependencies module) + * Sets 4 environment variables + 1. **DBUSER**: general-purpose dabase user + 2. **DBPASSWORD**: password for DBUSER + 3. **DBHOST**: hostname for the database (*may need to change based on deployment target*) + 4. **JDBC_DRIVER_URI**: URI to download the driver JAR file used by fortify to interface w/ the DB + 5. **MYSQL_ROOT_PASSWORD**: The root password for the database (*not currently used; supplying a fake value*) + * takes a SOPS-encrypted env. +3. repo1-registry-read-creds + * (name refers to our container registry; feel free to change this) + * Image pull secret for the big bang container registry + * Used to pull the fortify image, as well as the MySQL image used to prepare the database. + * Replace this with credentials for your own repository as necessary + +#### fortify-secret + +Note: Since other apps may use the database and/or container registry credentials, it may help to store them in a separate, "common app" and import them with your kustomization file + +## Links + +[Fortify SSC 20.1 install guide](https://www.microfocus.com/documentation/fortify-software-security-center/2010/SSC_Help_20.1.0/index.htm#SSC_UG/Intro_New%20UI_20.1.0.htm%3FTocPath%3DIntroduction%7C_____2) + +[PDF Verison](https://www.microfocus.com/documentation/fortify-software-security-center/2010/SSC_Guide_20.1.0.pdf) + +[Platform 1's Fortify 20.1 zip file](https://gitlab.platform1.ninja/platform/devops/kubeernetes/-/tree/master/fortify%2Finstall) Unzip this file and dig down into the SSC.zip file to find the helm chart for SSC that is mentioned below. 
If not part of the Platform 1 team, get the Fortify SSC chart from MicroFocus + + +## README for SSCDEMO image + +Note: The Fortify SSC image is not currently approved by IB/DCCSCR. It was cloned from the Fortify private DockerHub repo to the Big Bang container registry. Since the images were already downloaded from Dockerhub, a lot of the instructions below about pulling the Fortify SSC image from dockerhub can be ignored. + +Fortify Docker Demo Suite + +Supported tags: +20.1.0.0169, 20.1.0, latest +19.2.0.3191, 19.2.0 +19.1.0.3010, 19.1.0 +18.20 + + +### Docker Demo Suite Instructions + +The SSC demo suite is in a private repository that requires that your Docker username be explicitly granted access permission. To request access, email James Rabon directly (james.rabon@microfocus.com). + +Once you have access permission, run the following: + +`docker run -m 6g -e SSC_MAX_MEM_MB=4096 -v /Users/Desktop/fortify:/fortify -p 8080:8080 --name sscdemo fortifydocker/sscdemo` + +where: + +* -m represents the amount of memory available to your container. (This must be at least 6GB.) +* -e sets an environment variable named SSC_MAX_MEM_MB to allocate the max heap to Fortify Software Security Center. +* -v mounts a volume at the location specified. + +Note: The command will work on Linux and Mac operating systems, but Windows may require /c/, where c is the drive letter. +For example, on Windows 10: `-v /c/Users/docker:/fortify` + +This command searches your machine for a Docker image named sscdemo and, if the image does not exist or needs to be updated, pulls the latest version from Docker Hub. The remote location of the Fortify image on Docker Hub is fortifydocker/sscdemo. +A message on the console indicates that you need to copy the fortify.license file to /fortify. + +`docker cp /Users/Desktop/fortify.license sscdemo:/fortify` + +Important! Please make sure that your container is healthy before you view Fortify Software Security Center in your browser. 
+To check the status of your container at any time, run: + +`docker ps -a` + +After you copy the license file to the correct directory, the deployment is complete and Fortify Software Security Center should be available in your browser. Go to http://localhost:8080/ssc and log in with the default username / password pairing of admin / admin (requires a password change). + +Going forward, to stop or start your container, run: `docker stop sscdemo` or `docker start sscdemo` + + +#### Troubleshooting + +On Windows, docker sharing volumes can be blocked by a firewall (company restrictions). In case you cannot bind mount a volume, you can use a “named volume” approach instead. The named volume is managed by Docker itself. It is automatically created if it does not yet exist. Even if the container is deleted, the named volume is not deleted and can be reused. + +`docker run -m 6g -e SSC_MAX_MEM_MB=4096 -v sscdemovolume:/fortify -p 8080:8080 --name sscdemo fortifydocker/sscdemo` + +To check existing Docker volumes, run: + +`docker volume ls` + +To check the status of your container at any time, run: + +`docker ps -a` + +If you want to get more information about not healthy container, please use this command: + +`docker logs sscdemo` + + +### Overview for ssc-webapp + +Kubernetes deployment 20.1.0 + + +#### SSC System requirements for Kubernetes deployments + +Kubernetes: Versions 1.14--1.17 + +Persistent volume support + +(Recommended) A load balancer service + +At least 7 GB of RAM and 1 CPU on a single node (with default configuration) + +Maximum usage: 28 GB of RAM and 8 CPUs on a single node (with default configuration) + +4 GiB of storage for persistent volume (with default configuration) + +Locally-Installed Tools Required + +A kubectl command-line tool - Fortify recommends using the same version as the Kubernetes cluster version (1.14--1.17) + +Helm command-line tool, version 3.0 or 3.1 + +Air-gapped installation only - (Recommended) A Docker clientClosed and 
serverClosed installation (any version) + + +#### Additional Requirements + +Kubeconfig file for the Kubernetes cluster + +Docker Hub account with access to Fortify Software Security Center images + +Note: If you need access to Fortify Docker Organization on Docker Hub, contact FortifyDocker@microfocus.com with your first name, your last name, and your Docker account name. Micro Focus Fortify will then give you access to the Fortify Docker organization that contains the Fortify Software Security Center images. + +DNS name for the Fortify Software Security Center web applicationClosed (address used to access the service) + +Java keystore for setting up HTTPS (For details, see the Micro Focus Fortify Software Security Center User Guide) The keystore must contain a CA certificateClosed and a server certificate for the Fortify Software Security Center DNS name with an associated private key. + +Keystore password + +Private key password + +An installed Oracle, SQL Server, or **MySQL** for database server + +Database server host name + +Name of the Fortify Software Security Center database + +Username and password for an account that has permission to manage the Fortify Software Security Center schema and data + +(Oracle or MySQL database only) An HTTP server that is accessible from the Kubernetes cluster for distributing the JDBC driver. For supported driver versions, see Fortify Software Security Center Database. + +Fortify Software Security Center license + + +#### Preparing for Fortify SSC Kubernetes Deployment + +The following steps describe how to prepare for Fortify SSC Kubernetes deployment. For information about supported versions of the required software, see System requirements. +To prepare for your Fortify SSC Kubernetes deployment, do the following: + + +Install and set up kubectl. For instructions, see https://kubernetes.io/docs/tasks/tools/install-kubectl. + + +Install helm. To download the software, see https://github.com/helm/helm/releases. 
For installation instructions, see https://helm.sh/docs/intro/install/. + + +(air gapped installation only) Install Docker. For installation instructions, see https://docs.docker.com/get-docker/. + + +Extract contents of helm directory from SSC distribution ZIP into directory. Enter the directory and copy ssc-values-example.yaml file to ssc-values.yaml. + + +#### Fortify SSC Kubernetes Deployment + +You can deploy Fortify SSC in an environment with Internet access, or in an air-gapped environment. If you will deploy the application in an environment with Internet access, the SSC Docker image can be pulled from Docker Hub registry. If you must deploy the application in an air-gapped environment, you must use a private registry for the deployment and transfer the SSC Docker image to it. +Deploying Fortify SSC to Kubernetes cluster + +The procedure used to deploy Fortify SSC in environment with Internet access is almost identical to the procedure used to deploy the product in an air-gapped environment. The only difference is that, for an air-gapped deployment, you must push the Fortify SSC image to a private registry accessible from your Kubernetes cluster. +To deploy Fortify SSC: + + +Create a Docker Hub account, and then supply your account name to Fortify Support (https://softwaresupport.softwaregrp.com). +Note: Fortify Support will provide you with access to the Fortify repository on the Docker Hub (fortifydocker organization). + + +(Perform this step only for an air-gapped installation, or if you want to use a private registry. A running Docker server and Docker client are assumed.) 
Transfer the Fortify SSC image to your private registry, as follows: + + +Log in to the Docker Hub, run: +`docker login` + + +Log in to your private registry, run: +`docker login `` + + +Transfer the SSC Docker image: + +`docker pull fortifydocker/ssc-webapp` + +`docker tag fortifydocker/ssc-webapp platform-one/private/big-bang/apps/fortify/ssc-webapp` + +`docker push platform-one/private/big-bang/apps/fortify/ssc-webapp`` + +**Important!** The image name (ssc-webapp) and the tag must stay the same! +Note: To learn the value to be used for the , inspect a ssc-+.tgz file in the directory. The part should be used for the value. + + +Enter the // as the value for image.repositoryPrefix parameter in the values.yaml file. +Note: The value you specify for the image.repositoryPrefix parameter must include a trailing forward slash (/). + + + + +Create a Kubernetes secret for pulling images from the registry (Docker Hub or private registry). For instructions, see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry and enter the secret name as the value for the imagePullSecrets parameter in the /ssc-values-example.yaml file. Would created secret be regcred, the format is: + +imagePullSecrets: + + - name: regcred + +Note: The imagePullSecrets value is required for access to the Docker Hub registry. If you have a private repository that can be accessed without credentials, then there is no need to specify imagePullSecrets. + + +Create another Kubernetes secret containing data required by the deployment. Inspect + + +Inspect a secretRef.keys for list of data accepted. A minimal required set is httpCertificateKeystoreFileEntry, httpCertificateKeystorePasswordEntry, httpCertificateKeyPasswordEntry. + + +Create a directory and for each key in secretRef.keys you must or want to provide, create a file in the containing the value. E.g. 
for the httpCertificateKeystoreFileEntry, there should be a file containing the keystore; for the httpCertificateKeystorePasswordEntry, there should be a file containing the password. + + +Create the secret using kubectl command: + +kubectl create secret generic --from-file + +Note: References to keys in the Fortify helm chart's values.yaml file will use periods (.) to denote subkeys (ex. secretRef.name would be the "name" subkey under "secretRef") + +Enter the secret name as the value for secretRef.name parameter in the values.yaml file. + + +For each file provided in the fortify k8s secret, enter the filename as a value for the related the secretRef.keys. + + + + +Enter any other required parameters to values.yaml file. + + +The urlHost must contain the fully qualified DNS name intended accessing Fortify SSC. The address for accessing the Fortify SSC installation will be https://:/. E.g. https://ssc.example.com:443/. If the port is 443, it can be omitted from the URL: https://ssc.example.com/ + + +We recommend to set the service.type parameter to LoadBalancer for easy usage. + + +The jdbcDriverUri parameter must contain a URL where the required JDBC driver JAR can be downloaded. The URL is accessed from the Fortify SSC container. + + +Note: Most values you specify for parameters in the values.yaml file can always be changed later. You can then redeploy Fortify SSC to implement the changes. Depending on the Kubernetes cluster, the exception might be parameters for the persistentVolumeClaim. 
+ + +To initially deploy Fortify SSC run the following: + + helm install ssc-1.0.169+20.1.0.0169.tgz + +For subsequent deployments, run the following: + + helm upgrade ssc-1.0.169+20.1.0.0169.tgz + +Notes: +* Swap out the helm chart file name if you use a different version (or just change the name) +* If you change the name of the values file from the default `values.yaml`, be sure to use the -f flag to specify the new filename + +Follow the [SSC UG](https://www.microfocus.com/documentation/fortify-software-security-center/1820/SSC_Guide_18.20.pdf) for further configuration. + + +## Dependencies + +* Multiple secrets come from a "common" app directory. Be sure to include this directory as a "base" for each environment in the kustomization.yaml file. +* Two images should be available for use. We're currently storing them in `registry.dsop.io/platform-one/private/big-bang/apps/fortify/` + * The fortify-ssc image + * An image w/ a MySQL driver/binary for configuring the MySQL database + diff --git a/staging/.DS_Store b/staging/.DS_Store deleted file mode 100644 index 1d7dfe408e2ab9f30a144742dd34510fc4112014..0000000000000000000000000000000000000000 Binary files a/staging/.DS_Store and /dev/null differ diff --git a/staging/chart.yaml b/staging/chart.yaml deleted file mode 100644 index 35693a8774d93333f4f84bd730db23268d3de151..0000000000000000000000000000000000000000 --- a/staging/chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: p1.dsop.io/v1beta1 -kind: HelmGenerator -metadata: - name: helmGenerator -releaseName: fortify -chartPath: ../base/fortify-pkg/ssc-1.0.169+20.1.0.0169.tgz -namespace: fortify -valueFiles: - - ../base/fortify-pkg/values.yaml - - values.yaml diff --git a/staging/kustomization.yaml b/staging/kustomization.yaml deleted file mode 100644 index b4fc56f1423e4d9949369c0f809f1469afc9e103..0000000000000000000000000000000000000000 --- a/staging/kustomization.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -namespace: fortify - -bases: - - ../base/ - - ../../common/staging/ - - secrets/ - -generators: - - chart.yaml - -# patchesStrategicMerge: -# - patches/ diff --git a/staging/secrets/.DS_Store b/staging/secrets/.DS_Store deleted file mode 100644 index 5008ddfcf53c02e82d7eee2e57c38e5672ef89f6..0000000000000000000000000000000000000000 Binary files a/staging/secrets/.DS_Store and /dev/null differ diff --git a/staging/secrets/fortify-secret-generator.yaml b/staging/secrets/fortify-secret-generator.yaml deleted file mode 100644 index b1286d693110c92dcb3f810a643862f3fb7dd075..0000000000000000000000000000000000000000 --- a/staging/secrets/fortify-secret-generator.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: goabout.com/v1beta1 -kind: SopsSecretGenerator -metadata: - name: fortify-secret - namespace: fortify -disableNameSuffixHash: true -files: - - fortify-license=fortify.enc.license - - httpCertificateKeystoreFile=httpCertificateKeystoreFile.enc.key - - httpCertificateKeystorePassword=httpCertificateKeystorePassword.enc.key - - httpCertificateKeyPassword=httpCertificateKeyPassword.enc.key - - fortify-autoconfig=ssc.enc.autoconfig diff --git a/staging/secrets/fortify.enc.license b/staging/secrets/fortify.enc.license deleted file mode 100644 index 598d8898ece9222eba6664feb0bdd690bb66458e..0000000000000000000000000000000000000000 --- a/staging/secrets/fortify.enc.license +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data: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,iv:Gcunkp88GVSWP2O8YVm6j7G+KYX5Adfia1fHtnvHd5s=,tag:ArprZa2/0aurbTpnagVwSw==,type:str]", - "sops": { - "kms": [ - { - "arn": "arn:aws-us-gov:kms:us-gov-west-1:927962728993:key/b85cc8d8-b27d-4bb6-bb51-02cc91cf3f0f", - "created_at": "2020-07-24T17:26:10Z", - "enc": "AQICAHhdj+SZ8s8HM8bAYRsOJCrxeOAkAv/MkwU+yL/pU0A2dAFi57ozQkmZH48RtAL+4V2hAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMVS4u0dYKJj6Bsg1xAgEQgDv+VDwQBm1Gi4x9hKgERKzXvdBOV+INrBJwN2Xkd9wjg3OAcRqPcJvkdPOyfj2advtFFetARoJMWuRoew==", - "aws_profile": "" - } - ], - "gcp_kms": null, - "azure_kv": null, - "lastmodified": "2020-07-24T17:26:11Z", - "mac": "ENC[AES256_GCM,data:NcxnjvNGT92pIkx1qzIWOMjitySSaHULY3iJ53VwF69hj3EY7EqKglSSM4zLqq3QEysPU4ijKug9QZYe96JRzo88TytdmBRYkxfNWVgEoFfYW36SHadUfdMSgu6GExiW54rFqpeosShVLo3JflUeVAs985awZC6pHnyqqt/khj0=,iv:3w2X2QdLs8PM6QtttSiKDodGf+NyzbHDxkKejZsWfRU=,tag:AqOF+DvbCdm4Qz5NjRcF9w==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.5.0" - } -} \ No newline at end of file diff --git a/staging/secrets/httpCertificateKeyPassword.enc.key b/staging/secrets/httpCertificateKeyPassword.enc.key deleted file mode 100644 index 3cf373249a4b5970aacc4e688a3770054f178255..0000000000000000000000000000000000000000 --- a/staging/secrets/httpCertificateKeyPassword.enc.key +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:0jHMGjwPz9+XXX2IVAvpRqHF4w==,iv:YrqfMg5+YFAb2f1yY/FDABQWdCh3n6dq3O2TMmiI6cE=,tag:JWk8NVqJEKs9nk47Z968aA==,type:str]", - "sops": { - "kms": [ - { - "arn": "arn:aws-us-gov:kms:us-gov-west-1:927962728993:key/b85cc8d8-b27d-4bb6-bb51-02cc91cf3f0f", - "created_at": "2020-07-24T17:30:39Z", - "enc": "AQICAHhdj+SZ8s8HM8bAYRsOJCrxeOAkAv/MkwU+yL/pU0A2dAEQzuW7Ub+SYQds7nAl8KuoAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMN3lVSfN6V79eczS0AgEQgDv1aAmWDmu7p06gCw87aZx8619LTZ+XApf8hOSQUhLomX5THihYFKIQsyaka5EQ+ysxIlz+fd38a+3xug==", - "aws_profile": "" - } - ], - "gcp_kms": null, - "azure_kv": null, - "lastmodified": "2020-07-24T17:30:40Z", - "mac": "ENC[AES256_GCM,data:KZc2Re5jBQZL/eLofYlI6+WTBM3A7N3BXdvFkfQBcrFJNiL8WigJhvRultc8ied+piLsR9rMCR3DaFzGco4OyoabyXkeeIXx4G3efIOWepOOMQdRj695VM7//xwDWqYRvhx38VChWHtbQW+nbVlcWqdWdLVPsRpqpyt5miIA31Y=,iv:rZn7WcFbFBpBv1utSUAUHWZXDqFI9CJxM2A0FA1YIkY=,tag:oF8pOxgEBfq06EFHzDbgRQ==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.5.0" - } -} \ No newline at end of file diff --git a/staging/secrets/httpCertificateKeystoreFile.enc.key b/staging/secrets/httpCertificateKeystoreFile.enc.key deleted file mode 100644 index 871f01e7198c3c793371a4c3b3b0079498562b3b..0000000000000000000000000000000000000000 --- a/staging/secrets/httpCertificateKeystoreFile.enc.key +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:hhYzmIOGcGqjT2EgR8Q2Y2bmU9K6blopdtc3ZqZAOZ4NdBIVMKj0Vf7XtIuB4X2XVGq89elyMLYpz/vTcTpVtByINjFhiJUoKdhE6OJ9d0qsAqGNgliS4mHQIK3bi01vjKbleXKDJkJ9Rc4+FNgp50zuiDPq1Tx93kFHDako+KU6oLTELOQNpLHKqklg7x0zvXSL0NmgB4J2cHB/GzyPoSWHFbrDFUMl3DKZUpgZvJjViHgxHVfWaACoqYq8YggdZvcrlpwAOK4aeRmkhQ3ovQ33e9I4kkvpTdspDB1th8tjx4evzO/jGYdpfMeZDh1C2W3g20nv6/5TwbPr6MeTD4feDR50fWn6ixo8OTcpAbgeNTrc73pBNSQJ8fQyLBm5QI6F3rD27i21Uosc1ZywfmkF8jlW0aMDh64rqUcaBftz6z/TJV4iI+x6x5bvrj67JH9v8bd5tKfzINOWvONV/p1qk3DVLJjavX55fwX+mLmbSWdT4c63K7HX4ARjN78tMt69k0T7pf9dqZLQ1hnsxqhLoeoVRINMYe8CMqYByWrlq5ZBzhISotDg4N+zTNHZUL57xOgqPE8lFQAzUVgkzzMZxGExyIRCi2SBJ+3nc6+BwLgGc25rMH0K84evwPt/+IkYvaWvBAN7R0QDFSsR4a41cJ7FH8HSsH9v8mn7uolaA79iS4KcwHfb9e9LIpgD1qqDVBgQdJBrP9iANt06MUqVyUCcMq4CudKGS3zivZFgv/ZL8/SHSBD2QZCsIZhklIlNQSi8mQKIW6CU7ApfYQA393nKtTkxbZAz0/GVIUKDy1WxSOtKn0zDBVQqg8c3QPEWBUgtUWNhYOQFD4p5j+JRHYdSLo5OP9lcLMmi3SbRS24BUwTkBzl2oE4lUjMpYsf3bwbdIvc7W0bMmcteHoCn3M8VnAlRdAUTcb+NOc/2DU2xmWX5CYGO3ffeRr6KigcM3UXvyyCVAkqVinwAyZQ74+Bv7WczXPS19DMI2EcClOTirNRAgronUy4KZDdGz2AbwU0Jla5jMaubPL+OqoxIfcK5fZhayenX8NFQBZEmPFtUPf9fisoUt6jSISTwea1nR4H/a0rt+abS+3oLm4csXRaKNJaLI9sKwI19GldW/DtPZS1oH5bKn0M5kh2ZWeS9lKYE3MPZGVMpDGSXHklWp8gbDo3JDiHL0cZ1KOb5G6wl40WDE3WVL8knrEo3l6hDKjooUkxk7guGHDwUd718yHyVJaqWSznJ2MHZ/FGtvHKaP/EUq1+okxJWO2EBNlcrJASuA8RPgkWdKrPK/KwACd8j2QFgvgkv8i/Pu2+e7A98cMsY0+acNBwv+hS8dZpRCo/Wdtg4Wx+9HetgjtsHWqqus7R8oLepzQijDtgN6prd2FLtdxVXLWnip8bEacd1aYDLyEly4VpNFW40if69+smrjyD/q4TH5xRIUFTFnYenKvb8krROFuovrNTjrnq9XQF2WAzviRe0bQT0YP7EHdun2cxE7BCxE5M6fD5PJk8om2VedVTWjmcCeI4vGcZFamaWzBgtzTblq11ErENAXbKHI+6cVwM8F4ihrekaZ8ZAC9lyxDWlTtSffJi0EpvYzqhazTRik7oEbrMLJ+5k6sz+jt1glxnUmmvmoCLIJnh6/8GmY5GtmyUcZOAeJaedLhYof2SEphV4hvER463AEwCgK/++0AHv+1n6xK3pPeL1USUEMoaOg4wED32G2KtClgoDf8g21Dv4o2yPoysG4C/Brb3n2rzzVL+BB3Vx3PWepI3+NxAHk4Ux/RcBvrdnW8FpqN8fritRQ8P8a6i4qPjQo4PkJBzCr9C7jQ51WckiZKbdWDokWU6FTpbdURaX6XBN0+VscrNibgfO3PQy1+sf9PUgL2WTikayviRzOMC9DzAJJrMfL0qd8Q4oGUjLYoSDv76no1LtL+AkAeFO3rc3y
NP9C/Mlq8Z/eIlgJf6VNor/8OwEyKVkdbgD+AW7ftqZ344pdNuSxdjZ4h0LNLQmAPWKJWDcSikoQ/VMSY/R/hnGSaJNljk/xZKUFUl8e+RxZT5/OuZo0XRh8Xz1K8ipE2knRBQ3YzOWFND49IYVi/ozTsXXTxgWjaDAVmFM18dSxTUlpUkpWgpE27+8EeVemjE3umZCieMOLvO10VhaMVdMV2+JUq3mhItfghMoO7ykEXiv/MwVsy84DDm0rh5mp4MlQemZskRySJHALHTXFz7c/3u/N6aUU1EjNwr2PF6IJphDxDuZykk3bMezhu0Jwc+/8TxLxskZxxtzS4C7HV6+vRNTV1Cuo4BodfoAFoUNFjtJz3w+O9xv5NVE9lyo68dtVLhey6HTQYlqzQOOq8vJV8rd83cvhOyUToJ+8PorSJcLkOdt45vLvoZPqBKFLjrAd+WwlJcBr9Qi5FDT/l0vQjVycgCTnWfqdR8Ylmvo+GBeiMcmLZxA71Ca8JCqJj/j6+G7ocIrILD2GLkmILnsM+KUhkU5GW05e5Dfx9P+tsh7hZVMilpvBWD044mej1INOxtVxozNMShaeUEsuVGuUCM7Qk1S9UVyXoD8vVBixm3vZgS04Zd6nM0QsgNjmE/Sw6XepWVErmvqgMps+lyth5GVCOWGGw3ZGcvUQoYv1nTS5NP8cvLGJ/IwReIRLoWAotMWgpdpS9FwEurITYIO5iCXh2gu2rRLId7zOrNRH6xxlkG1FkibKFPYcYY3bHjucYiVX7xiDGYbRVdTywlHPKfQHAAawefuFlU0X+/L8KTfsy4Y8zHSAYNg7DjyLOsul43pqivczJqiszf/mEcW8AVwnNUsWHOzwUbCUu3kN7GpB4v2yIHISNoyh1Yo9T9GoJKW0Kb9VHUEjBsdsEch1Iy/KYRYk47li9wil1sCL5OltN/Hlh+OzkocHMKq8Rfvz9jP6wYaY5LsZTXNM+4X0vIEYxupYh+F2JDy2zPglymp,iv:IorG8bMLn4CpHaDrYMJU0lcjKENIyQhcpLGBa13XGJw=,tag:aeJtJU6MhqH8pTFs8mO//w==,type:str]", - "sops": { - "kms": [ - { - "arn": "arn:aws-us-gov:kms:us-gov-west-1:927962728993:key/b85cc8d8-b27d-4bb6-bb51-02cc91cf3f0f", - "created_at": "2020-07-24T17:30:47Z", - "enc": "AQICAHhdj+SZ8s8HM8bAYRsOJCrxeOAkAv/MkwU+yL/pU0A2dAGadbHhXlylcSo+YRGsWUDoAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM1xhUbtbDZw77SGauAgEQgDv0qNnRBBokQJvIX3S2LGIVgeGVl0Jh5AgGySNmYJt1x4zDaP+73xyOsGF3LPXcjcpIrqmnlGRhu0m9VA==", - "aws_profile": "" - } - ], - "gcp_kms": null, - "azure_kv": null, - "lastmodified": "2020-07-24T17:30:47Z", - "mac": "ENC[AES256_GCM,data:S4xa5S7rb5k3q2QzBYrfhCVSbAJ7cQZ7d+QO9kdd8YJt5WgMhrKfTH1fYphrF7pnuWtkHzlnmPqJxbMrQ7PEpou8qibFCrzAKOEu35JpJOR29RZvq2CndHxQcOen7YyEwrlwCN3oA4lG3hysG00FCDsasvkIi4UW7+zyPjYm+HE=,iv:4xIGYtXedn23Fuj0R+5TYJV5zKksl1R2K8fousNwoWE=,tag:mwD9/GFLsNbLOeJMN50tZw==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": 
"3.5.0" - } -} \ No newline at end of file diff --git a/staging/secrets/httpCertificateKeystorePassword.enc.key b/staging/secrets/httpCertificateKeystorePassword.enc.key deleted file mode 100644 index 36338707344b26fc6c37018574cf5e9c6c0df52c..0000000000000000000000000000000000000000 --- a/staging/secrets/httpCertificateKeystorePassword.enc.key +++ /dev/null @@ -1,20 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:i2hJYRa1NtnZAvJhlIe6ByX8,iv:JQS9wFoJuAA8PxTCnmjskaAHspRZuYBpT7DTRR2jNqw=,tag:jbkrHS7FxVMlSaG/4tjXRQ==,type:str]", - "sops": { - "kms": [ - { - "arn": "arn:aws-us-gov:kms:us-gov-west-1:927962728993:key/b85cc8d8-b27d-4bb6-bb51-02cc91cf3f0f", - "created_at": "2020-07-24T17:30:54Z", - "enc": "AQICAHhdj+SZ8s8HM8bAYRsOJCrxeOAkAv/MkwU+yL/pU0A2dAEL8JTZW5cgbysmg9Mfn1e1AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMiDlTDQpM4kkgUNHpAgEQgDu6B/902bFqGWkREDF7TPU+3tTj5ohyXMNRzHw9/Lwcrnou7QeSEkHzZ9bGnDvf7Mg2MmB7iA3B7zLSFg==", - "aws_profile": "" - } - ], - "gcp_kms": null, - "azure_kv": null, - "lastmodified": "2020-07-24T17:30:55Z", - "mac": "ENC[AES256_GCM,data:iSnzq590qGxLs14AvtOQwy33o4vZq4/9B7ZKTgO30LAUT6BfIN82Ly6ihb0Z1JBQuj+ZM+3ty7urdB9PGdPzPkXJgk47BxvttU88GL+X413Q77d/OEfiHQXJrJ1BOsZftrlLjjJ22siEnd46+tp6g/UEADhuRNS8uTr2sT2ipQY=,iv:A1NZgS7URamR30fX8h84g6molP/0J06F7sKoOK/zkoM=,tag:7srr+WQOT3G1FgWKc7bJNg==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.5.0" - } -} \ No newline at end of file diff --git a/staging/secrets/kustomization.yaml b/staging/secrets/kustomization.yaml deleted file mode 100644 index 8a9b0a32fbdf3a205a386dfec0903141556c4f2e..0000000000000000000000000000000000000000 --- a/staging/secrets/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -generators: - - fortify-secret-generator.yaml \ No newline at end of file 
diff --git a/staging/secrets/ssc.enc.autoconfig b/staging/secrets/ssc.enc.autoconfig deleted file mode 100644 index c5122283369b6ae8ba9587c2067701b326070e00..0000000000000000000000000000000000000000 --- a/staging/secrets/ssc.enc.autoconfig +++ /dev/null @@ -1,20 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data: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,iv:tdEBrLM2pDbNQ33C22J9WXJwX0Tvz7DNwLrQ0XGOyXc=,tag:MGFVBBhNgDs/Vy8Ip8dpDg==,type:str]", - "sops": { - "kms": [ - { - "arn": "arn:aws-us-gov:kms:us-gov-west-1:927962728993:key/b85cc8d8-b27d-4bb6-bb51-02cc91cf3f0f", - "created_at": "2020-07-24T17:33:11Z", - "enc": "AQICAHhdj+SZ8s8HM8bAYRsOJCrxeOAkAv/MkwU+yL/pU0A2dAHYoI4WejGUVOHp1ctG0DzcAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMoeNAQ0gdt/XWI5SjAgEQgDtu3ZglErJ0ck00WszNM6i1gwSy+P10Uh29bxTm3TLGrn5oNchQtNyBcuz+/vLsT+23p0ztT92OH9kf9w==", - "aws_profile": "" - } - ], - "gcp_kms": null, - "azure_kv": null, - "lastmodified": "2020-07-24T17:33:11Z", - "mac": "ENC[AES256_GCM,data:w+KYw0OACPMEiasspQsasJ7U6PfL7bCFk0iQ78BobmlSKCTAc5bx6XwF0+yWyUOl17OurXoYJVol8T3yllcAn77cMr7OUmc9ISJuiyFlSo3NhXruA+T9xLnLVWgqEiLcGWuGW0qNsO6VMDe17UulovjtxiEUfyAXu3Ut58kMk8A=,iv:2ON7j9Uy6kKQInDMNdOL3peCMQJWrHZD5XcKa/Q6WHg=,tag:wRrWCn1u9/OhexoAmiT9Ow==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.5.0" - } -} \ No newline at end of file diff --git a/staging/values.yaml b/staging/values.yaml deleted file mode 100644 index 7b8fd675d959d0b9de6a391d29d29583929f3d85..0000000000000000000000000000000000000000 --- a/staging/values.yaml +++ /dev/null @@ -1 +0,0 @@ -# leaving empty for now \ No newline at end of file
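Review bot: In the new docs README (hunk `@@ -0,0 +1,352 @@`), the file names in the "Folder Layout in Bootstrap Repo" tree disagree with the "Secrets" list a few lines below it: the tree has `fortify-enc.license` and `ssc.autoconfig.enc`, while the list (and the generator removed from staging/secrets in this same patch) uses `fortify.enc.license` and `ssc.enc.autoconfig`. Pick one spelling, since a reader copying the tree will produce files the generator does not find. In the same section, the mysql-pass item says "Sets 4 environment variables" but lists five, the `#### fortify-secret` heading sits over a note about shared database and registry credentials rather than over fortify-secret content, and the Prerequisites link `(#README for SSCDEMO image)` has spaces in its target so it will not resolve as an anchor. Several commands further down have also lost their placeholders (`kubectl create secret generic --from-file` has no secret name or path, `helm install ssc-1.0.169+20.1.0.0169.tgz` has no release name), so they cannot be run as written; escaping the angle brackets or putting the commands in code spans would keep them.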
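Review bot: The two binary deletions, staging/.DS_Store and staging/secrets/.DS_Store, remove files that macOS recreates whenever the folder is opened in Finder, and nothing in the visible part of this patch stops them from being committed again. If the repository's .gitignore does not already cover it, add a `.DS_Store` entry in this change.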
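Review bot: Deleting staging/secrets/fortify-secret-generator.yaml removes the only concrete SopsSecretGenerator shown in this patch, while the new README still tells each environment to carry a `fortify-secret-generator.yaml` without showing its contents. The key names on the left of each `files:` entry (`fortify-license`, `httpCertificateKeystoreFile`, `fortify-autoconfig`, and so on) are what the chart's secretRef.keys values have to match, so unless an example ships elsewhere in this change, keep this manifest in the docs as a template with the encrypted file names left as they are.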
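Review bot: For the five deleted SOPS files under staging/secrets (fortify.enc.license, httpCertificateKeyPassword.enc.key, httpCertificateKeystoreFile.enc.key, httpCertificateKeystorePassword.enc.key, ssc.enc.autoconfig), removing them from the tree does not remove them from history: the ciphertext, the wrapped data key in `enc`, and the `arn` of the KMS key all remain readable to anyone who can clone the repository. If this move is meant to take the staging secrets out of the repo, say so in the commit message and confirm that decrypt permission on that KMS key is limited to the intended principals. If the repository's audience is about to widen, rotate the keystore, its two passwords and the autoconfig credentials rather than relying on the deletion.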