From b7fab997e4b90abd0a2ec6d0528534525775d207 Mon Sep 17 00:00:00 2001
From: Kenneth Peeples
Date: Thu, 6 Feb 2025 12:07:26 -0500
Subject: [PATCH 1/2] scenario template
---
 scenarios/README.md | 37 +++++++------------------------------
 scenarios/scenario1.md | 35 ++++++++++++----------------------
 2 files changed, 19 insertions(+), 53 deletions(-)
diff --git a/scenarios/README.md b/scenarios/README.md
index 4ee13b2..918604d 100644
--- a/scenarios/README.md
+++ b/scenarios/README.md
@@ -1,36 +1,13 @@
-# Multicluster Devsecops
+# Scenario Scope
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 ## Start Here
-If you've followed a link to this repository, but are not really sure what it contains
-or how to use it, head over to [Multicluster Devsecops](https://hybrid-cloud-patterns.io/devsecops/)
-for additional context and installation instructions
+Please build out a scenario document for each scenario and then rank as a high, medium, low priority with a high being a customer requested scenario. Each scenario document file should indicate the scope, products/operators used and priority.
-## Cluster requirements
-
-This pattern depends on having three clusters.
-
-* Central Hub - where all the infrastructure components run.
- * Red Hat Advanced Cluster Management
- * Red Hat Advanced Cluster Security (Central)
- * Red Hat Quay Enterprise
- * Secrets management
-* Development - where CI/CD pipelines and testing run
- * Red Hat OpenShift Pipelines
- * Red Hat OpenShift GitOps
- * Red Hat Advanced Cluster Security (Secured)
-* Production - where the applications run
-
-It can be modified to run everything in a single cluster. Components of `values-development.yaml` and `values-production.yaml` would need to be merged into `values-hub.yaml` where applicable. *Use caution*. In the future the pattern may be enhanced to combine into a single cluster.
-
-## Products/projects used
-
-* Red Hat OpenShift GitOps
-* Red Hat Advanced Cluster Management
-* Red Hat Advanced Cluster Security
-* Red Hat Open Data Foundation
-* Red Hat Quay
-* Red Hat OpenShift Pipelines
-* Hashicorp Vault (Community)
+Scenario 1 - Medium - Zero Trust with SPIFFE/SPIRE
+Scenario 2 - Medium - Short Lived credentials for the stepping stone to Zero Trust
+Scenario 3 - Medium - Zero Trust with Service Mesh
+Scenario 4 - Medium - AI Zero Trust Advanced Maturity for the DoD COA 1
+Scenario 5 - Medium - Zero Trust RMF with the DoD Overlay
\ No newline at end of file
diff --git a/scenarios/scenario1.md b/scenarios/scenario1.md
index 4ee13b2..f83177c 100644
--- a/scenarios/scenario1.md
+++ b/scenarios/scenario1.md
@@ -1,36 +1,25 @@
-# Multicluster Devsecops
+# Scenario One - Zero Trust with SPIFFE/SPIRE
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
-## Start Here
+## Scope of Scenario One
-If you've followed a link to this repository, but are not really sure what it contains
-or how to use it, head over to [Multicluster Devsecops](https://hybrid-cloud-patterns.io/devsecops/)
-for additional context and installation instructions
-## Cluster requirements
+## Priority and explanation for this scenario pattern
-This pattern depends on having three clusters.
-* Central Hub - where all the infrastructure components run.
- * Red Hat Advanced Cluster Management
- * Red Hat Advanced Cluster Security (Central)
- * Red Hat Quay Enterprise
- * Secrets management
-* Development - where CI/CD pipelines and testing run
- * Red Hat OpenShift Pipelines
- * Red Hat OpenShift GitOps
- * Red Hat Advanced Cluster Security (Secured)
-* Production - where the applications run
+## Pillars, Capabilities, Activities shown in this pattern
-It can be modified to run everything in a single cluster. Components of `values-development.yaml` and `values-production.yaml` would need to be merged into `values-hub.yaml` where applicable. *Use caution*. In the future the pattern may be enhanced to combine into a single cluster.
-## Products/projects used
+## Products/projects used for this scenario pattern
 * Red Hat OpenShift GitOps
 * Red Hat Advanced Cluster Management
 * Red Hat Advanced Cluster Security
-* Red Hat Open Data Foundation
-* Red Hat Quay
-* Red Hat OpenShift Pipelines
-* Hashicorp Vault (Community)
+
+## References and supporting material
+
+https://next.redhat.com/2024/06/27/spiffe-spire-on-red-hat-openshift/
+https://developers.redhat.com/learn/openshift/implement-cross-cloud-identity-framework-spiffespire-openshift
+https://www.youtube.com/watch?v=eyj0UCmJfjo
+https://www.youtube.com/watch?v=izYzTQYNCMc
From f1b9587bf647d11754f219f1f22359c0f4205db1 Mon Sep 17 00:00:00 2001
From: Kenneth Peeples
Date: Thu, 6 Feb 2025 12:20:10 -0500
Subject: [PATCH 2/2] update workflow and main readme
---
 .github/workflows/ansible-lint.yml | 18 --------
 .github/workflows/linter.yml | 68 ------------------------------
 .github/workflows/superlinter.yml | 38 -----------------
 README.md | 12 +++---
 4 files changed, 5 insertions(+), 131 deletions(-)
 delete mode 100644 .github/workflows/ansible-lint.yml
 delete mode 100644 .github/workflows/linter.yml
 delete mode 100644 .github/workflows/superlinter.yml
diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
deleted file mode 100644
index f0943b5..0000000
--- a/.github/workflows/ansible-lint.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-name: Ansible Lint # feel free to pick your own name
-
-on: [push, pull_request]
-
-jobs:
- build:
- runs-on: ubuntu-latest
-
- steps:
- # Important: This sets up your GITHUB_WORKSPACE environment variable
- - uses: actions/checkout@v2
-
- - name: Lint Ansible Playbook
- # Using the latest as of today (2022-06-23) v6.2.1
- uses: ansible/ansible-lint-action@v6.2.1
- # Let's point it to the path
- with:
- path: "ansible/"
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
deleted file mode 100644
index 316e1c4..0000000
--- a/.github/workflows/linter.yml
+++ /dev/null
@@ -1,68 +0,0 @@
----
-name: Unit tests
-
-#
-# Documentation:
-# https://help.github.com/en/articles/workflow-syntax-for-github-actions
-#
-
-#############################
-# Start the job on all push #
-#############################
-on: [push, pull_request]
-
-###############
-# Set the Job #
-###############
-jobs:
- build:
- # Name the Job
- name: Unit Test Code Base
- # Set the agent to run on
- runs-on: ubuntu-latest
-
- ##################
- # Load all steps #
- ##################
- steps:
- ##########################
- # Checkout the code base #
- ##########################
- - name: Checkout Code
- uses: actions/checkout@v2
- with:
- # Full git history is needed to get a proper list of changed files within `super-linter`
- fetch-depth: 0
- - name: Setup helm
- uses: azure/setup-helm@v1
- # with:
- # version: '' # default is latest stable
- id: install
-
- ################################
- # Run Linter against code base #
- ################################
- # - name: Lint Code Base
- # uses: github/super-linter@v4
- # env:
- # VALIDATE_ALL_CODEBASE: false
- # DEFAULT_BRANCH: main
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Run make common-test
- run: |
- make common-test
-
- - name: Run make test
- run: |
- make test
-
- - name: Run make helmlint
- run: |
- make helmlint
-
- - name: Run make helm kubeconform
- run: |
- curl -L -O https://github.com/yannh/kubeconform/releases/download/v0.4.13/kubeconform-linux-amd64.tar.gz
- tar xf kubeconform-linux-amd64.tar.gz
- sudo mv -v kubeconform /usr/local/bin
- make kubeconform
diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml
deleted file mode 100644
index bc53e6d..0000000
--- a/.github/workflows/superlinter.yml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-name: Super linter
-
-on: [push, pull_request]
-
-jobs:
- build:
- # Name the Job
- name: Super linter
- # Set the agent to run on
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout Code
- uses: actions/checkout@v2
- with:
- # Full git history is needed to get a proper list of changed files within `super-linter`
- fetch-depth: 0
-
- ################################
- # Run Linter against code base #
- ################################
- - name: Lint Code Base
- uses: github/super-linter/slim@v4
- env:
- VALIDATE_ALL_CODEBASE: true
- DEFAULT_BRANCH: main
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # These are the validation we disable atm
- VALIDATE_BASH: false
- VALIDATE_JSCPD: false
- VALIDATE_KUBERNETES_KUBEVAL: false
- VALIDATE_YAML: false
- VALIDATE_ANSIBLE: false
- # VALIDATE_DOCKERFILE_HADOLINT: false
- # VALIDATE_MARKDOWN: false
- # VALIDATE_NATURAL_LANGUAGE: false
- # VALIDATE_TEKTON: false
diff --git a/README.md b/README.md
index e09fd81..499b4f2 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# Multicloud Gitops
+# Zero Trust Validated Pattern with Scenarios
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
@@ -6,14 +6,12 @@ ## Start Here
-If you've followed a link to this repository, but are not really sure what it contains
-or how to use it, head over to [Multicloud GitOps](https://validatedpatterns.io/patterns/multicloud-gitops/)
-for additional context and installation instructions
+The goal of this pattern is to be able to easily consume pieces that apply to our products to assist customers to move from traditional to an optimal ZTA maturity. The first step is to build the scenarios and then be apply to apply a scenario or set of scenarios to the overall pattern.
 ## Rationale
 The goal for this pattern is to:
-* Use a GitOps approach to manage hybrid and multi-cloud deployments across both public and private clouds.
-* Enable cross-cluster governance and application lifecycle management.
-* Securely manage secrets across the deployment.
+* Show that ZTA is not to complex to addopt
+* Show how to move through the ZTA maturity levels
+* Provide examples and scenarios to test and demonstrate
\ No newline at end of file