apps-operator helm security-tips

Prepare containers and chart

Apps Operator Apps Operator Duration: 5 min | Persona: Apps Operator

In this section, you will copy the Online Boutique apps container images and the Helm chart in your private Artifact Registry. You will also scan one container image.

Initialize variables:

WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh
ONLINE_BOUTIQUE_VERSION=v0.5.0
echo "export ONLINE_BOUTIQUE_VERSION=${ONLINE_BOUTIQUE_VERSION}" >> ${WORK_DIR}acm-workshop-variables.sh
PRIVATE_ONLINE_BOUTIQUE_REGISTRY=$CONTAINER_REGISTRY_REPOSITORY/onlineboutique
echo "export PRIVATE_ONLINE_BOUTIQUE_REGISTRY=${PRIVATE_ONLINE_BOUTIQUE_REGISTRY}" >> ${WORK_DIR}acm-workshop-variables.sh
source ${WORK_DIR}acm-workshop-variables.sh

Prepare the container images

Copy the public container images to your private registry:

UPSTREAM_ONLINE_BOUTIQUE_CONTAINER_REGISTRY=gcr.io/google-samples/microservices-demo
HTTP_SERVICES="frontend loadgenerator"
TAG=$ONLINE_BOUTIQUE_VERSION
for s in $HTTP_SERVICES; do crane copy $UPSTREAM_ONLINE_BOUTIQUE_CONTAINER_REGISTRY/$s:$TAG $PRIVATE_ONLINE_BOUTIQUE_REGISTRY/$s:$TAG; done
GRPC_SERVICES="adservice cartservice checkoutservice currencyservice emailservice paymentservice productcatalogservice recommendationservice shippingservice"
TAG=$ONLINE_BOUTIQUE_VERSION-native-grpc-probes
for s in $GRPC_SERVICES; do crane copy $UPSTREAM_ONLINE_BOUTIQUE_CONTAINER_REGISTRY/$s:$TAG $PRIVATE_ONLINE_BOUTIQUE_REGISTRY/$s:$TAG; done
crane copy redis:alpine $PRIVATE_ONLINE_BOUTIQUE_REGISTRY/redis:alpine
Tip

We are making the copy of the gRPC services supporting the native Kubernetes health probes in order to get the associated optimized images, learn more about this here.

List the container images in your private registry:

gcloud artifacts docker images list $CONTAINER_REGISTRY_REPOSITORY \
    --include-tags

Scan the cartservice container image:

gcloud artifacts docker images scan $PRIVATE_ONLINE_BOUTIQUE_REGISTRY/cartservice:$ONLINE_BOUTIQUE_VERSION-native-grpc-probes \
    --project ${TENANT_PROJECT_ID} \
    --remote \
    --format='value(response.scan)' > ${WORK_DIR}scan_id.txt
gcloud artifacts docker images list-vulnerabilities $(cat ${WORK_DIR}scan_id.txt) \
    --project ${TENANT_PROJECT_ID} \
    --format='table(vulnerability.effectiveSeverity, vulnerability.cvssScore, noteName, vulnerability.packageIssue[0].affectedPackage, vulnerability.packageIssue[0].affectedVersion.name, vulnerability.packageIssue[0].fixedVersion.name)'
Tip

You could use this gcloud artifacts docker images scan command in your Continuous Integration system in order to detect as early as possible for example Critical or High vulnerabilities.

Prepare the Helm chart

Copy the public Helm chart to your private registry:

UPSTREAM_ONLINE_BOUTIQUE_HELM_CHART_REGISTRY=us-docker.pkg.dev/online-boutique-ci/charts/onlineboutique
helm pull oci://${UPSTREAM_ONLINE_BOUTIQUE_HELM_CHART_REGISTRY} --version ${ONLINE_BOUTIQUE_VERSION:1}
helm push onlineboutique-${ONLINE_BOUTIQUE_VERSION:1}.tgz oci://${CHART_REGISTRY_REPOSITORY}

List the container images in your private registry:

gcloud artifacts docker images list $CHART_REGISTRY_REPOSITORY \
    --include-tags