This repository contains a demo / example of Rode's functionality.

Included in the repo is a /tf folder that includes the necessary Terraform automation to deploy the services required to run Rode.

Inside the /app folder, there is a sample hello-world node app based on an Alpine image with two known medium vulnerabilities that will build on a deployed Jenkins CI server.

Simply change the base image in the Dockerfile to node:current-alpine3.12, to resolve the vulnerabilities.

• Terraform >= 0.13.0
• Terragrunt
• A Kubernetes cluster (the cluster that comes with Docker Desktop for Mac is recommended)
• kubectl

For local access to Jenkins and Harbor through the created ingress, new entries need to be created inside your local hosts file.

sudo vi /etc/hosts

Copy and paste the two lines below to your /etc/hosts file.

127.0.0.1 harbor.localhost
127.0.0.1 jenkins.localhost

Additionally, a rewrite may need to be added to your clusters DNS server to send Harbor traffic through the nginx controller. Automation is in place to update the CoreDNS configmap to include this rewrite, but in the event of a failed image deployment to Harbor inside the cluster, you may look to add the rewrite show below in the data block. (If your cluster is not using CoreDNS, you can disable this automation by setting the variable update_coredns to false. You will need to find another way to direct traffic to Harbor.)

rewrite name harbor.localhost ingress-nginx-controller.nginx.svc.cluster.local

To deploy the Rode stack locally, switch to the tf directory, then run

terragrunt apply-all

To retrieve the Jenkins admin password for authentication use the command below to copy it to your clipboard.

kubectl get secret -n jenkins jenkins -o jsonpath="{.data.jenkins-admin-password}" | base64 --decode | pbcopy

To retrieve the Harbor admin password for authentication use the command below to copy it to your clipboard.

kubectl get secret -n harbor harbor-harbor-core -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode | pbcopy

Some manual setup for Harbor is required after Harbor has been deployed. You can log in with the admin user using the credentials you obtained in the previous section to do this.

After logging in, navigate to the "library" project. In the "Configuration" tab, check the box labeled "Automatically scan images on push", then save your changes.

Next, navigate to the "Webhooks" tab, and add a new webhook with the following settings:

• Name: You can set this to any string you want
• Notify Type: http
• Event Type:
  • Artifact Pushed
  • Scanning Finished
  • Scanning Failed
• Endpoint URL: http://rode-collector-harbor.rode-demo.svc.cluster.local/webhook/event

When running locally using an auto-generated certificate for Harbor, you will need to add Harbor as an insecure Docker registry.

Before pushing an image, you will need to log in to Harbor using the Docker CLI:

$ docker login harbor.localhost -u admin -p ${admin_password}

Then, you can push an image using docker push. We recommend pulling an existing image, tagging it, then pushing it to Harbor:

$ docker pull alpine:latest
$ docker tag alpine:latest harbor.localhost/library/alpine:latest
$ docker push harbor.localhost/library/alpine:latest