Red Hat SummitThis documentation is for a release that is no longer maintained
See documentation for the latest supported version.Chapter 4. Deploying application and view security insights
Deploy applications using Argo CD in OpenShift GitOps to enable continuos deployment. Argo CD uses your Git repository as a single source of truth for infrastructure configurations. Updates to the repository trigger deployments across development, staging, and production environments.
The procedures provide an example deployment workflow. Customize it to fit your organization’s requirements.
4.1. Promoting a build to a pre-production or production environment
Promote a build by updating the GitOps repository through a pull request (PR).
- In RHDH, select Catalog.
- From the Kind dropdown list, select Resource, and then select a GitOps repository.
- Open the Overview tab and select View Source to access the repository.
(Optional) Alternatively, select Catalog, open the Overview tab, and select View TechDocs.
- In the Home > Repository section, select the GitOps repository.
Clone your GitOps repository.
NoteEnsure that the local clone is up-to-date.
- Create a new branch.
-
Navigate to the
component/<app-name>/overlaysdirectory, which contains subdirectories fordevelopment,stage, andprod. Follow these steps to promote the application:
Expand To move your application Do this From development to stage environment
-
Open th
development/deployment-patch.yamlfile and copy the container image URL. For example, quay.io/<username>/imageName:imageHash. -
Open the
stage/deployment-patch.yamlfile and replace the container image URL with the one you copied.
NoteTo include additional configuration changes (for example, replicas), copy them from the
development/deployment-patch.yamlfile to thestage/deployment-patch.yamlfile.From stage to production environment
-
Open the
stage/deployment-patch.yamlfile and copy the containers image URL. For example, quay.io/<username>/imageName:imageHash. -
Open the
prod/deployment-patch.yamlfile and replace container image URL with the one you copied.
NoteTo include additional configuration changes (for example, replicas), copy them from the
stage/deployment-patch.yamlfile to theprod/deployment-patch.yamlfile.-
Open th
- Commit and push your updates.
Create a PR to start a promotion pipeline. The pipeline validates the changes against Red Hat Enterprise Contract (Enterprise Contract) policies.
- Check the pipeline run in the CI tab of RHDH.
- Merge the PR to trigger Argo CD, which applies the changes and promotes the build to the next environment.
Verification
- Use the Topology tab in RHDH to confirm the application distribution across namespace.
- Use CD tab to view deployment details, including the status, updates, commit message (for example, Promote stage to prod), and container image changes.
4.2. Viewing security insights
The promotion pipeline includes several tasks to ensure secure and compliant deployments. The pipeline tasks include:
-
git-clone: Clones the repository into the workspace using thegit-clonetask. -
gather-deploy-images: Extracts the container images from deployment YAML files for validation. -
verify-enterprise-contract: Validates the container images using Enterprise Contract (EC) policies and Sigstore’s cosign tool. -
deploy-images: Deploys validates images to the target environment. -
download-sbom-from-url-in-attestations: Retrieves SBOMs for images by downloading OCI blobs referenced in image attestations. -
upload-sbom-to-trustification: Uploads SBOMs to Trustification using the BOMbastic API.
4.2.1. Enterprise contract task
The Enterprise Contract (EC) is a suite of tools designed to maintain software supply chain security. It helps maintain the integrity of container images by verifying that they meet defined requirements before being promoted to production. If an image does not comply with the set policies, the EC generates a report identifying the issues that must be resolved.
The Red Hat Trusted Application Pipeline build process generates a signed in-toto attestation of the build pipeline. These attestation cryptographically verify the build’s integrity. The EC then evaluates the build against defined policies, ensuring it complies with the organizational security standards.
Interpreting compliance reports
EC compliance reports provide detailed insights into application security and adherence to policies. Here’s how to understand these reports:
- Policy compliance overview: Displays the checks performed, their status, (success, warning, or failure) , and messages explaining warnings or failures.
Details provided: Policy reports detail:
- Successful checks: Lists the policies that passed validation.
- Warnings and failures: Highlights policies that triggered warnings or failed checks, with explanations.
- Rule compliance: Shows how the application adheres to individual policy rules, such as source code references or attestation validations.
Figure 4.1. The EC report
Using compliance insights
The insights from EC compliance reports help prioritize security and compliance tasks:
- Review policy compliance: Ensure your application meets standards such as Supply Chain Levels for Software Artifacts (SLSA). Address any compliance gaps based on the recommendations in the report.
- Streamline review: Use filters in the reports to focus on critical issues, enabling a faster and more efficient review process.
Revised on 2025-02-06 17:58:30 UTC
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}