Git storage support, document update and refactoring (#7)

* initial implementation of argocd-interlace Signed-off-by: [email protected] <[email protected]> * Feature/initial implementation (#3) * fixed paths in Dockerfile, changes git cloning approach, fixed dependencies Signed-off-by: [email protected] <[email protected]> * fixed retriving yq in Dockerfile, added licenses to all files Signed-off-by: [email protected] <[email protected]> * fixed error handling, lint check, removed hardcoded server url Signed-off-by: [email protected] <[email protected]> * removed secrets from kustomization.yaml, skip changes to application that manages manifest Signed-off-by: [email protected] <[email protected]> * Added getting started doc Signed-off-by: [email protected] <[email protected]> * Fixed dependencies, Dockerfile, refactored packages Signed-off-by: [email protected] <[email protected]> * Fixed dependencies, error handling, refactored packages Signed-off-by: [email protected] <[email protected]> * Change storage method name, error handling, constant names, fixed generating manifest bundle Signed-off-by: [email protected] <[email protected]> * Fixed manifest generattion and provenance creation flow, error handleing, added simple document Signed-off-by: [email protected] <[email protected]> * Fix/review init implementation (#4) * Removed unnecessary code, improved error handling, changed rbac, license year Signed-off-by: [email protected] <[email protected]> * load config from setup * load config from setup, validation of config, role and rolebinding * removed manifest application * Moved env settings out of deployment yaml to patch.yaml * Fixed document, rest API url * Fixed document * Fixed retriving latest revision if it is missing in application status, fixed dependency * Fixed readme documentation * Fixed readme documentation * Feature/git storage (#6) * Added support for gitops based manifest bundle storage * Added support for application set based mangest bundle distribution * Added logging for showing demo steps * Fixed secret name * Added logging for showing the flow * Added simplified document for quick start (#5) * Added simplified document for quick start * Added simplified document for quick start * Added simplified document for quick start, fixed links * Fixed document for quick start and other setup * Fixed documents, and env variable settings * Fixed documents * Added new animation demo intro * Fixed deployment manifests * Fixed deployment manifests (#7) * Fixed manifests * Rearranged readme, and fixed missing information to get the flow correctly (#8) * Resolved conflicts with upstream main before PR merge (#9) * Fix/upstream merge (#10) * Resolved conflicts with upstream main before PR merge * Resolved conflicts with upstream main before PR merge, fixed license year * Resolved conflicts with upstream main before PR merge, fixed readme * Resolved conflicts with upstream main before PR merge, fixed readme * Remove private registry name, removed unused documents * Reorganized readme docs * Fixed Readme sentences * Fixed Readme and docs links * Fixed Readme and docs links * Fixed typo * Fixed readme and docs
argoproj-labs · Aug 30, 2021 · 50532ec · 50532ec
1 parent 188918e
commit 50532ec
Show file tree

Hide file tree

Showing 27 changed files with 1,127 additions and 341 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 #
-# Copyright 2020 IBM Corporation
+# Copyright 2021 IBM Corporation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ ArgoCD is widely used for enabling CD GitOps. ArgoCD internally builds manifest
 
 ArgoCD Interlace enhances ArgoCD capability from end-to-end software supply chain security viewpoint. Interlace adds authenticity of the manifest and the traceability to the source to ArgoCD.
 
-ArgoCD Interlace works as a Kubernetes Custom Resource Definition (CRD) controller. Interlace monitors the trigger from state changes of Application resources on the ArgoCD cluster. When detecting new manifest build, Interlace sign the manifest, record the detail of manifest build such as the source files for the build, the command to produce the manifest for reproducibility. Interlace stores those details as provenance records in in-toto format. 
+ArgoCD Interlace works as a Kubernetes Custom Resource Definition (CRD) controller. Interlace monitors the trigger from state changes of Application resources on the ArgoCD cluster. When detecting new manifest build, Interlace sign the manifest, record the detail of manifest build such as the source files for the build, the command to produce the manifest for reproducibility. Interlace stores those details as provenance records in [in-toto](https://in-toto.io) format and upload it to [Sigstore](https://sigstore.dev/) log for verification.
 
 ![ArgoCD-Interlace-Arch](./images/argocd-interlace-arch.png)
 
@@ -15,6 +15,34 @@ The features are
 - Sign manifest
 - Record provenance in intoto format
 
+### Installation
+Prerequisite: Install [ArgoCD](https://argo-cd.readthedocs.io/en/stable/getting_started/) on your Kubernetes cluster before you install ArgoCD Interlace.
 
- Demo
+
+To install the latest version of ArgoCD Interlace to your cluster, run:
+```
+kubectl apply --filename https://raw.githubusercontent.com/IBM/argocd-interlace/main/releases/release.yaml
+```
+This creates a default installation of ArgoCD Interlace, however you will need futher setup for seeing it in action.
+
+To verify that installation was successful, ensure Status of pod `argocd-interlace-controller` become `Running`:
+```shell
+$ kubectl get pod -n argocd-interlace -w
+NAME                                              READY   STATUS    RESTARTS   AGE
+pod/argocd-interlace-controller-f57fd69fb-72l4h   1/1     Running   0          19m
+```
+
+### Setup
+
+To complete setting up ArgoCD Interlace, configure secrets for:
+* [ArgoCD REST API authentication for querying  ArgoCD REST API to retrive desired manifest for an application](docs/argo_setup.md)
+* [OCI image registry authentication for pushing OCI images generated by Interlace](docs/oci_setup.md)
+* [Cosign based signing keys for creating signature for desired manifest.](docs/signing_key_setup.md)
+
+
+## Example Scenario
+To see ArgoCD Interlace in action, check the [example scenario](docs/example_scenario.md).
+
+
+ ### Demo
  ![intro](images/intro.gif?)
diff --git a/deploy/application-set.yaml b/deploy/application-set.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: akmebank
+  namespace: argocd 
+spec:
+  generators:
+    - clusters: {}
+  template:
+    metadata:
+      name: '{{name}}-manifest-bundles'
+    spec:
+      project: default
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+      source:
+        repoURL: https://github.com/gajananan/interlace-manifests
+        targetRevision: main
+        path: manifest-bundles/{{name}}
+      destination:
+        server: '{{server}}'
+        namespace: bundle-manifests
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
@@ -4,6 +4,7 @@ resources:
     - role_binding.yaml
     - deployment.yaml
     - service_account.yaml
+    - secrets.yaml
 
 patchesJson6902:
 - target:

diff --git a/deploy/patch.yaml b/deploy/patch.yaml
@@ -4,29 +4,68 @@
     - name: DOCKER_CONFIG
       value: /tmp/.docker/
     - name: MANIFEST_STORAGE_TYPE
-      value: oci #/git
+      value: oci #/git/oci
     - name: OCI_IMAGE_REGISTRY
-      value: gcr.io/kg-image-registry
+      value: gcr.io/<some-registry-name>
     - name: OCI_IMAGE_PREFIX
-      value: "argocd.apps.ma4kmc2"
+      value: "argocd.apps"
     - name: OCI_IMAGE_TAG
       value: "mnf"        
     - name: REKOR_SERVER
       value: https://rekor.sigstore.dev
     - name: COSIGN_PASSWORD
       value: ""
+    - name: MANIFEST_ARGOCD_PROJECT
+      value: default
     - name: MANIFEST_GITREPO_URL  
-      value: ""     
+      valueFrom:
+        secretKeyRef:
+          name: interlace-manifest-git-secret
+          key: MANIFEST_GITREPO_URL
+    - name: MANIFEST_GITREPO_SUFFIX
+      valueFrom:
+        secretKeyRef:
+          name: interlace-manifest-git-secret
+          key: MANIFEST_GITREPO_SUFFIX
+    - name: MANIFEST_GITREPO_BRANCH
+      valueFrom:
+        secretKeyRef:
+          name: interlace-manifest-git-secret
+          key: MANIFEST_GITREPO_BRANCH
     - name: MANIFEST_GITREPO_TOKEN
-      value: "" 
+      valueFrom:
+        secretKeyRef:
+          name: interlace-manifest-git-secret
+          key: MANIFEST_GITREPO_TOKEN
     - name: MANIFEST_GITREPO_USER
-      value: "" 
+      valueFrom:
+        secretKeyRef:
+          name: interlace-manifest-git-secret
+          key: MANIFEST_GITREPO_USER
     - name: MANIFEST_GITREPO_USEREMAIL
-      value: "" 
+      valueFrom:
+        secretKeyRef:
+          name: interlace-manifest-git-secret
+          key: MANIFEST_GITREPO_USEREMAIL
+    - name: MANIFEST_DEST_NAMESPACE
+      valueFrom:
+        secretKeyRef:
+          name: interlace-manifest-git-secret
+          key: MANIFEST_DEST_NAMESPACE
+    - name: MANIFEST_GITREPO_MODE
+      valueFrom:
+        secretKeyRef:
+          name: interlace-manifest-git-secret
+          key: MANIFEST_GITREPO_MODE
     - name: K8S_MANIFEST_SIGSTORE_LOG_LEVEL
       value: info
     - name: ARGOCD_INTERLACE_LOG_LEVEL
       value: info
+    - name: "ARGOCD_NAMESPACE"  
+      valueFrom:
+        secretKeyRef:
+          name: argocd-token-secret
+          key: ARGOCD_NAMESPACE
     - name: ARGOCD_API_BASE_URL
       valueFrom:
         secretKeyRef:

diff --git a/deploy/secrets.yaml b/deploy/secrets.yaml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: signing-secrets
+    namespace: argocd-interlace
+type: Opaque    
+data:
+   cosign.key: UkVQTEFDRSBUSElTCg==
+   cosign.pub: UkVQTEFDRSBUSElTCg==
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: argocd-interlace-gcr-secret
+    namespace: argocd-interlace
+type: Opaque    
+data:
+   .dockerconfigjson: UkVQTEFDRSBUSElTCg==
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: argocd-token-secret
+    namespace: argocd-interlace
+type: Opaque    
+data:
+   ARGOCD_API_BASE_URL: UkVQTEFDRSBUSElTCg==
+   ARGOCD_NAMESPACE: YXJnb2NkCg==
+   ARGOCD_TOKEN: UkVQTEFDRSBUSElTCg==
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: interlace-manifest-git-secret
+    namespace: argocd-interlace
+type: Opaque
+data:
+    MANIFEST_GITREPO_URL: UkVQTEFDRSBUSElTCg==
+    MANIFEST_GITREPO_BRANCH: UkVQTEFDRSBUSElTCg==
+    MANIFEST_GITREPO_TOKEN: UkVQTEFDRSBUSElTCg==
+    MANIFEST_GITREPO_USER: UkVQTEFDRSBUSElTCg==
+    MANIFEST_GITREPO_USEREMAIL: UkVQTEFDRSBUSElTCg==
+    MANIFEST_DEST_NAMESPACE: UkVQTEFDRSBUSElTCg==
+    MANIFEST_GITREPO_SUFFIX: UkVQTEFDRSBUSElTCg==
+    MANIFEST_GITREPO_MODE: UkVQTEFDRSBUSElTCg==