when the code analysis runs sometimes are failing raising this type of error:

[�[1;31mERROR�[m] /workspace/source/spring-petclinic/src/test/java/org/springframework/samples/petclinic/service/ClinicServiceTests.java:[30,51] cannot access org.springframework.samples.petclinic.owner.Pet
  bad class file: /workspace/source/spring-petclinic/target/classes/org/springframework/samples/petclinic/owner/Pet.class
    class file contains wrong class: org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest
    Please remove or make sure it appears in the correct subdirectory of the classpath.
[�[1;34mINFO�[m] 1 error
[�[1;34mINFO�[m] -------------------------------------------------------------
[�[1;34mINFO�[m] 
[�[1;34mINFO�[m] �[1m------------------------------------------------------------------------�[m
[�[1;34mINFO�[m] �[1mSkipping petclinic�[m
[�[1;34mINFO�[m] This project has been banned from the build due to previous failures.
[�[1;34mINFO�[m] �[1m------------------------------------------------------------------------�[m
[�[1;34mINFO�[m] �[1m------------------------------------------------------------------------�[m
[�[1;34mINFO�[m] �[1;31mBUILD FAILURE�[m
[�[1;34mINFO�[m] �[1m------------------------------------------------------------------------�[m
[�[1;34mINFO�[m] Total time: 01:08 min
[�[1;34mINFO�[m] Finished at: 2021-07-22T06:09:15Z
[�[1;34mINFO�[m] Final Memory: 118M/1460M
[�[1;34mINFO�[m] �[1m------------------------------------------------------------------------�[m
[�[1;31mERROR�[m] Failed to execute goal �[32morg.apache.maven.plugins:maven-compiler-plugin:3.8.1:testCompile�[m �[1m(default-testCompile)�[m on project �[36mspring-petclinic�[m: �[1;31mCompilation failure�[m
[�[1;31mERROR�[m] �[1;31m/workspace/source/spring-petclinic/src/test/java/org/springframework/samples/petclinic/service/ClinicServiceTests.java:[30,51] cannot access org.springframework.samples.petclinic.owner.Pet�[m
[�[1;31mERROR�[m] �[1;31m  bad class file: /workspace/source/spring-petclinic/target/classes/org/springframework/samples/petclinic/owner/Pet.class�[m
[�[1;31mERROR�[m] �[1;31m    class file contains wrong class: org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest�[m
[�[1;31mERROR�[m] �[1;31m    Please remove or make sure it appears in the correct subdirectory of the classpath.�[m
[�[1;31mERROR�[m] �[1;31m�[m
[�[1;31mERROR�[m] -> �[1m[Help 1]�[m
[�[1;31mERROR�[m] 
[�[1;31mERROR�[m] To see the full stack trace of the errors, re-run Maven with the �[1m-e�[m switch.
[�[1;31mERROR�[m] Re-run Maven using the �[1m-X�[m switch to enable full debug logging.
[�[1;31mERROR�[m] 
[�[1;31mERROR�[m] For more information about the errors and possible solutions, please read the following articles:
[�[1;31mERROR�[m] �[1m[Help 1]�[m http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

Please, consider adding an open source license file to this project.

Use the image registry.connect.redhat.com/sonatype/nexus-repository-manager:3.36.0-ubi-1

Check also the deployment to be used in the bootstrap demo

./install.sh

INFO: Installing Demo
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Install the ACS Demo] ********************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************
ok: [localhost]

TASK [Install Gitops] **************************************************************************************************************************************************

TASK [ocp4-install-gitops : Create Namespaces] *************************************************************************************************************************
changed: [localhost]

TASK [ocp4-install-gitops : Install GitOps Operator] *******************************************************************************************************************
changed: [localhost]

TASK [ocp4-install-gitops : Wait for GitOps CRD to exist] **************************************************************************************************************
FAILED - RETRYING: Wait for GitOps CRD to exist (30 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (29 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (28 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (27 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (26 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (25 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (24 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (23 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (22 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (21 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (20 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (19 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (18 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (17 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (16 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (15 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (14 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (13 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (12 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (11 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (10 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (9 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (8 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (7 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (6 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (5 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (4 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (3 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (2 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (1 retries left).
failed: [localhost] (item=applications.argoproj.io) => {"ansible_loop_var": "item", "api_found": false, "attempts": 30, "changed": false, "item": "applications.argoproj.io", "msg": "Failed to find API for resource with apiVersion "apiextensions.k8s.io/v1beta1" and kind "CustomResourceDefinition"", "resources": []}
FAILED - RETRYING: Wait for GitOps CRD to exist (30 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (29 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (28 retries left).
FAILED - RETRYING: Wait for GitOps CRD to exist (27 retries left).

CRDS and Pods appear to have been created so the reason for the failure is not clear.

[jwilms@jwilms ~]$ oc get crd | grep gitops
gitopsservices.pipelines.openshift.io 2021-12-15T00:56:50Z

And it also appears that everything is running ok in the openshift-gitops namespace:

[jwilms@jwilms ~]$ oc get pods
NAME READY STATUS RESTARTS AGE
pod/cluster-86f5997f56-jsm7z 1/1 Running 0 6m16s
pod/kam-8579df68c8-9d8pt 1/1 Running 0 6m15s
pod/openshift-gitops-application-controller-0 1/1 Running 0 6m14s
pod/openshift-gitops-applicationset-controller-76dfff754b-4rzxm 1/1 Running 0 6m14s
pod/openshift-gitops-dex-server-6cf4f8d67c-vswn4 1/1 Running 0 6m14s
pod/openshift-gitops-redis-7867d74fb4-shzfg 1/1 Running 0 6m15s
pod/openshift-gitops-repo-server-bb4f985c8-fksj5 1/1 Running 0 6m15s
pod/openshift-gitops-server-6cfc85cbb8-rbpgg 1/1 Running 0 6m14s

https://github.com/tektoncd/chains

https://gkovan.medium.com/a-zero-trust-approach-for-securing-the-supply-chain-of-microservices-packaged-as-container-images-89d2f5b7293b

https://github.com/ztsc/tekton

Enable OAUTH in ArgoCD 1.2

oc -n openshift-gitops patch argocd openshift-gitops --type='json' -p='[{"op": "add", "path": "/spec/sso", "value": {"provider": "keycloak"} }]'

Enable the admin role in ArgoCD

oc patch cm/argocd-rbac-cm -n openshift-gitops --type=merge -p '{"data":{"policy.default":"role:admin"}}'

Git Secrets could be a nice addon to the pipeline in order to ensure that the git repo have not any exposed secret. Additionally ACS includes out of the box config management for avoid expose any secret/CM in the k8s cluster.

Hi,

I tried to install the demo, but it seems it fails due that it tries to pull postgresql image from dockerhub. Nowadays dockerhub requires auth, so it fails as the demo doesn't add credentials.

This should be implemented into demo:

https://docs.openshift.com/container-platform/4.7/openshift_images/managing_images/using-image-pull-secrets.html#images-pulling-from-private-registries_using-image-pull-secrets

Due to the newer version of Openshift GitOps 1.3, the CRs changed. Further investigation it's required.

< TASK [ocp4-install-gitops : Wait for GitOps CRD to exist] >
 -----------------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

ok: [localhost] => (item=applications.argoproj.io)

FAILED - RETRYING: Wait for GitOps CRD to exist (1 retries left).
failed: [localhost] (item=applicationsets.argoproj.io) => {"ansible_loop_var": "item", "api_found": true, "attempts": 30, "changed": false, "item": "applicationsets.argoproj.io", "resources": []}
ok: [localhost] => (item=appprojects.argoproj.io)
ok: [localhost] => (item=argocds.argoproj.io)

• https://github.com/sigstore/cosign#registry-support

Possible Issue: Quay needs to be used, because the OCP Internal registry it's not supported.

Use the following devsecops description

The GitOps / ArgoCD Server have not the proper certificate SAN for the openshift-gitops-server.openshift-gitops, and for this reason is failing to login and to do the app sync. Needs to be updated with insecure or use the http instead of https inside of the cluster.

step-login-wait
+ [ -z ]
+ yes
+ argocd login openshift-gitops-server.openshift-gitops:443 --username=admin --password=czX6GbpBg4UaODnM1yKvdlRm8FsYE3fW
WARNING: server certificate had error: x509: certificate is valid for openshift-gitops, openshift-gitops-grpc, openshift-gitops.openshift-gitops.svc.cluster.local, not openshift-gitops-server.openshift-gitops. Proceed insecurely (y/n)? 'admin:login' logged in successfully
Context 'openshift-gitops-server.openshift-gitops:443' updated

step-sync
+ argocd app sync dev-spring-petclinic --revision HEAD --
time="2022-02-25T13:14:53Z" level=fatal msg="Failed to establish connection to openshift-gitops-server.openshift-gitops:443: x509: certificate is valid for openshift-gitops, openshift-gitops-grpc, openshift-gitops.openshift-gitops.svc.cluster.local, not openshift-gitops-server.openshift-gitops"

Include signing of the commits in Git Servers using PGP:

• in Gitea -> https://docs.gitea.io/en-us/signing/
• in GitHub -> https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits

Hello,

I tried to deploy this demo on a 4.11 OCP cluster.

Pre-requisites are installed :

$ pip3 list | grep -e kubernetes -e openshift -e jmespath 
jmespath            1.0.1
kubernetes          24.2.0
openshift           0.13.1

$ ansible --version 
ansible [core 2.13.4]
  config file = None
  configured module search path = ['/Users/slallema/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/slallema/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.10.7 (main, Sep 14 2022, 22:38:23) [Clang 14.0.0 (clang-1400.0.29.102)]
  jinja version = 3.1.2
  libyaml = True

I have a first issue with the install.sh phase and the ocp4-post-acs task :

TASK [ocp4-post-acs : Get the secret that contains the token of sa pipeline] ***************************************************************
ok: [localhost] => {"ansible_facts": {"token_sa_pipeline_secret": []}, "changed": false}

TASK [ocp4-post-acs : Get token in the secret for the sa pipeline and decode] **************************************************************
fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: list object has no element 0\n\nThe error appears to be in '/Users/slallema/GIT/github.com/slallemand/devsecops-demo/bootstrap/roles/ocp4-post-acs/tasks/post_ci.yaml': line 68, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Get token in the secret for the sa pipeline and decode\n  ^ here\n"}

PLAY RECAP *********************************************************************************************************************************
localhost                  : ok=70   changed=6    unreachable=0    failed=1    skipped=3    rescued=0    ignored=0   

Anyway, i did try to start the pipeline with the ./demo.sh start but the pipeline is failing at the build-image task.
I have those errors :

STEP-GEN-ENV-FILE

2022/10/05 13:03:28 warning: unsuccessful cred copy: ".docker" from "/tekton/creds" to "/": unable to create destination directory: mkdir /.docker: permission denied
UID uid=1001(1001) gid=0(root) groups=0(root),1000660000
Generated Env file
------------------------------
MAVEN_CLEAR_REPO=false
MAVEN_MIRROR_URL=http://nexus:8081/repository/maven-public/
------------------------------
STEP-GENERATE

2022/10/05 13:03:29 warning: unsuccessful cred copy: ".docker" from "/tekton/creds" to "/": unable to create destination directory: mkdir /.docker: permission denied
UID uid=1001(1001) gid=0(root) groups=0(root),1000660000 s2i build spring-petclinic/target image-registry.openshift-image-registry.svc:5000/openshift/java:11 --image-scripts-url image:///usr/local/s2i --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-params/env-file
STEP-BUILD

Error: error writing "0 0 4294967295\n" to /proc/29/uid_map: write /proc/29/uid_map: operation not permitted
level=error msg="error writing \"0 0 4294967295\\n\" to /proc/29/uid_map: write /proc/29/uid_map: operation not permitted"
level=error msg="(unable to determine exit status)"
STEP-PUSH-TAG

2022/10/05 13:03:31 Skipping step because a previous step failed
STEP-PUSH-LATEST

2022/10/05 13:03:32 Skipping step because a previous step failed

Could that be relative to the install error ?
Any idea on that ?

Hi,
Getting this in image-check task on OCP 4.10 during pipelinerun.
oc -n cicd logs petclinic-build-dev-75x4fy-image-check-pod -c step-rox-image-check
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 65.2M 100 65.2M 0 0 247M 0 --:--:-- --:--:-- --:--:-- 247M
Getting roxctl
ERROR: Checking image failed: could not check build-time alerts: rpc error: code = Internal desc = image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/cicd/spring-petclinic@sha256:4b6e957cb83f6e5687b71c012343308fb15ac0bce23c1be85d9e2a29d340b29c error: getting metadata from registry: "Autogenerated https://image-registry.openshift-image-registry.svc:5000 for cluster development": Failed to get the manifest digest : Head "https://image-registry.openshift-image-registry.svc:5000/v2/cicd/spring-petclinic/manifests/sha256:4b6e957cb83f6e5687b71c012343308fb15ac0bce23c1be85d9e2a29d340b29c": http: non-successful response (status=401 body=""). Retrying after 3 seconds...

I found this: https://access.redhat.com/solutions/6993372
So wondering how this is working on your side..
Thanks

change images used in this demo from dockerhub to quay and registry.redhat.io

Since I have a free docker.io account, I am getting this error. Is it possible to avoid this?

PodPpetclinic-build-dev-cw8uq2-deploy-check-s7lww-pod-9ts67
NamespaceNScicd
5 minutes ago
Generated from kubelet on ip-10-0-184-15.us-west-1.compute.internal
5 times in the last 13 minutes
Failed to pull image "centos": rpc error: code = Unknown desc = Error reading manifest latest in docker.io/library/centos: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

Due to the image of the Sonarqube image have more than 90 days, we need to update towards the 9.1.0-community with tag "sonarqube:9.1.0-community", and test it in the devsecops demo.

Due to updates and deprecations in roxctl the format output is no longer supporting pretty for the formatting:

## Scanning image image-registry.openshift-image-registry.svc:5000/cicd/spring-petclinic@sha256:48cea137aab4dfad9189f0d733b8c11ef1466ef74f78043d11a9fa8c527fef7c
Flag --format has been deprecated, please use --output/-o to specify the output format. NOTE: The new JSON / CSV format contains breaking changes, make sure you adapt to the new structure before migrating.
ERROR:	invalid arguments: invalid output format "pretty" used. You can only specify json or csv
## Go to https://central-stackrox.apps.cluster-m7mtg.m7mtg.xxx.opentlc.com:443/main/vulnerability-management/image/sha256:48cea137aab4dfad9189f0d733b8c11ef1466ef74f78043d11a9fa8c527fef7c to check more info

Integrate the ACS OAuth into DevSecOps demo to authenticate with the OAuth Credentials instead of hardcoded password - https://redhat-scholars.github.io/acs-workshop/acs-workshop/11-integrations.html#integrate_acs_oauth

The pipelines operator was not coming up in my OCP 4.11 install. I had to deinstall the operator, and install it from the OperatorHub. Then, relaunching the install.sh worked.

Did not have time to investigate really the cause, but I thought I'd share the issue.