Red Hat SummitChapter 4. Deploying application and view security insights
Deploy applications using Argo CD in OpenShift GitOps to enable continuos deployment. Argo CD uses your Git repository as a single source of truth for infrastructure configurations. Updates to the repository trigger deployments across development, staging, and production environments.
The procedures provide an example deployment workflow. Customize it to fit your organization’s requirements.
4.1. Promoting a build to a pre-production or production environment
Promote a build by updating the GitOps repository through a pull request (PR).
- In RHDH, select Catalog.
- From the Kind dropdown list, select Resource, and then select a GitOps repository.
- Open the Overview tab and select View Source to access the repository.
(Optional) Alternatively, select Catalog, open the Overview tab, and select View TechDocs.
- In the Home > Repository section, select the GitOps repository.
Clone your GitOps repository.
NoteEnsure that the local clone is up-to-date.
- Create a new branch.
-
Navigate to the
component/<app-name>/overlaysdirectory, which contains subdirectories fordevelopment,stage, andprod. Follow these steps to promote the application:
Expand To move your application Do this From development to stage environment
-
Open th
development/deployment-patch.yamlfile and copy the container image URL. For example, quay.io/<username>/imageName:imageHash. -
Open the
stage/deployment-patch.yamlfile and replace the container image URL with the one you copied.
NoteTo include additional configuration changes (for example, replicas), copy them from the
development/deployment-patch.yamlfile to thestage/deployment-patch.yamlfile.From stage to production environment
-
Open the
stage/deployment-patch.yamlfile and copy the containers image URL. For example, quay.io/<username>/imageName:imageHash. -
Open the
prod/deployment-patch.yamlfile and replace container image URL with the one you copied.
NoteTo include additional configuration changes (for example, replicas), copy them from the
stage/deployment-patch.yamlfile to theprod/deployment-patch.yamlfile.-
Open th
- Commit and push your updates.
Create a PR to start a promotion pipeline. The pipeline validates the changes against Red Hat Enterprise Contract (Enterprise Contract) policies.
- Check the pipeline run in the CI tab of RHDH.
- Merge the PR to trigger Argo CD, which applies the changes and promotes the build to the next environment.
Verification
- Use the Topology tab in RHDH to confirm the application distribution across namespace.
- Use CD tab to view deployment details, including the status, updates, commit message (for example, Promote stage to prod), and container image changes.
4.2. Viewing security insights
The promotion pipeline includes several tasks to ensure secure and compliant deployments. The pipeline tasks include:
-
git-clone: Clones the repository into the workspace using thegit-clonetask. -
gather-deploy-images: Extracts the container images from deployment YAML files for validation. -
verify-enterprise-contract: Validates the container images using Enterprise Contract (EC) policies and Sigstore’s cosign tool. -
deploy-images: Deploys validates images to the target environment. -
download-sbom-from-url-in-attestations: Retrieves SBOMs for images by downloading OCI blobs referenced in image attestations. -
upload-sbom-to-trustification: Uploads SBOMs to Trustification using the BOMbastic API.
4.2.1. Enterprise contract task
The Enterprise Contract (EC) is a suite of tools designed to maintain software supply chain security. It helps maintain the integrity of container images by verifying that they meet defined requirements before being promoted to production. If an image does not comply with the set policies, the EC generates a report identifying the issues that must be resolved.
The Red Hat Trusted Application Pipeline build process generates a signed in-toto attestation of the build pipeline. These attestation cryptographically verify the build’s integrity. The EC then evaluates the build against defined policies, ensuring it complies with the organizational security standards.
Visualizing Red Hat Enterprise Contract (Enterprise Contract) reports
In Red Hat Developer Hub, under the CI tab, the Pipeline Runs section displays detailed compliance reports in a structured pop-up interface. The insights from Enterprise Contract compliance reports help you prioritize security and compliance tasks.
- Review policy compliance: Confirm that your application meets standards such as Supply Chain Levels for Software Artifacts (SLSA). Address any compliance gaps based on the recommendations in the report.
- Streamline review: Apply filters to focus on critical issues. This approach enables a faster, more efficient review process.
Viewing Enterprise Contract reports when using Tekton as the CI provider
- Select Catalog and select the component you want to review.
- Select the CI tab, and in the Actions column, select the View output to review the detailed Enterprise Contract report for the selected component.
Figure 4.1. The EC report
Viewing Enterprise Contract reports when using other CI providers
If you use another CI provider, such as Jenkins or GitLab:
- Navigate to the build logs of the respective application.
-
Search
Step: verify-enterprise-contractto review the detailed Enterprise Contract report.
Interpreting compliance reports
EC compliance reports provide detailed insights into application security and adherence to policies. Here’s how to understand these reports:
- Policy compliance overview: Displays the checks performed, their status, (success, warning, or failure) , and messages explaining warnings or failures.
Details provided: Policy reports detail:
- Successful checks: Lists the policies that passed validation.
- Warnings and failures: Highlights policies that triggered warnings or failed checks, with explanations.
- Rule compliance: Shows how the application adheres to individual policy rules, such as source code references or attestation validations.
Using compliance insights
The insights from EC compliance reports help prioritize security and compliance tasks:
- Review policy compliance: Ensure your application meets standards such as Supply Chain Levels for Software Artifacts (SLSA). Address any compliance gaps based on the recommendations in the report.
- Streamline review: Use filters in the reports to focus on critical issues, enabling a faster and more efficient review process.
Revised on 2025-04-30 09:28:22 UTC
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}