Introduction to a Secure Supply Chain
- By: Thomas Jungbauer ( Lastmod: 2023-08-01 ) - 1 min read
The goal of the following ("short") series is to build a secure CI/CD pipeline step by step using OpenShift Pipelines (based on Tekton). The whole build process shall pull and build an image, upload it to a development environment and subsequently update the production environment.
The main focus here is security. Several steps and tools shall help to build and deploy a Secure Supply Chain.
The whole process is part of a Red Hat workshop which can present to your organization. I did some tweaks and created a step-by-step plan in order to remember it … since I am getting old :)
The Journey to Secure Supply Chain
In order to develop our Secure Supply Chain, we need an OpenShift 4 Cluster. I am currently using OpenShift 4.13. Moreover, the OpenShift Pipelines operator must be deployed. It is based on Tekton and provides a Kubernetes-native way to create CI/CD pipelines.
The operator is deployed using the Operator Hub inside your cluster. Simply search for OpenShift Pipelines and install the operator using the default settings.
Finally, you will need a GitHub account to be able to fork some repositories.
|Some steps in the pipeline are working tightly with GitHub, especially the very last one that is talking GitHub’s API. However, any Git-system should work, and probably just minor changes will be required.|
Everything else will be installed during the different steps described in the upcoming articles, while we build and tweak our pipeline.
Remember, the big goal of our pipeline is NOT to simply pull, build and push our code, but to integrate certain security tools like code scanning, image scanning and linting. Otherwise, it would be boring.
The following list of tools (or specifications) are used for our pipeline. They will be deployed when the appropriate step requires it.