Skip to content

Commit 3944899

Browse files
committed
deploy: 2564380
1 parent ae30a11 commit 3944899

285 files changed

Lines changed: 23190 additions & 5051 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

blog/2021-12-31-medical-diagnosis/index.html

Lines changed: 60 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -384,12 +384,16 @@
384384
If everything is setup correctly go to tab Models again to check status of TGI. It should be looking like this:
385385
RAG Chat demo After whole setup is complete demo application is ready to use. Chat QnA UI address can be obtained by running following command:
386386
echo "http://$(oc -n gaudi-llm get route chatqna-gaudi-ui-server -ojsonpath='{.spec.host}')" `,url:"https://validatedpatterns.io/patterns/gaudi-rag-chat-qna/gaudi-rag-chat-qna-getting-started/",breadcrumb:"/patterns/gaudi-rag-chat-qna/gaudi-rag-chat-qna-getting-started/"},"https://validatedpatterns.io/patterns/layered-zero-trust/lzt-getting-started/":{title:"Getting started",tags:[],content:`Deploying the Layered Zero Trust pattern Follow these instructions to configure and deploy the Layered Zero Trust pattern.
387-
Prerequisites An OpenShift Container Platform cluster with publicly signed certificates for Ingress
388-
A GitHub account and a token for it with repositories permissions, to read from and write to your forks.
387+
Prerequisites An OpenShift Container Platform 4.19 or newer cluster with:
388+
publicly signed certificates for Ingress.
389+
default StorageClass which provides dynamic PersistentVolume storage.
390+
To customize the default configuration, you must have a GitHub account and a token with repositories permissions, to read from and write to your forks.
389391
Access to Podman (or Docker) for execution of the container images used by pattern.sh script for provisioning.
390-
Useful additions:
391-
The Helm binary, for instructions, see Installing Helm
392-
Additional installation tool dependencies. For details, see Patterns quick start.
392+
Fulfill the general prerequisites for Validated Patterns.
393+
Depending on the characteristics of your cluster, you might need additional hardware resources for the Advanced Cluster Management (ACM) component. For a single-node cluster, you can start with 4 vCPUs, 16 GB of memory, and 120 GB of storage.
394+
For more details about ACM sizing, see Sizing your cluster.
395+
(Optional) The Helm binary, for instructions, see Installing Helm.
396+
The Layered Zero Trust pattern’s default deployment assumes that none of its components have been installed previously. Verify that your OpenShift Container Platform environment does not already contain any of the listed components before proceeding.
393397
Repository setup Follow these instructions for setting up the project repository:
394398
Fork the layered-zero-trust repository from GitHub. You must fork the repository because your fork is updated as part of the GitOps and DevOps processes.
395399
Clone your forked repository.
@@ -414,10 +418,11 @@
414418
Log in with the retrieved token:
415419
$ oc login --token=<retrieved_token> --server=https://api.<your_cluster>.<domain>:6443 By using KUBECONFIG:
416420
$ export KUBECONFIG=~/<path_to_kubeconfig> Run the pattern deployment script:
417-
$ ./pattern.sh make install Verify the deployment You can use the OpenShift Container Platform console and ArgoCD applications to verify the deployment.
418-
In the OpenShift Container Platform web console, navigate to the Operators → Installed Operators page.
419-
Check that Red Hat OpenShift GitOps Operator is installed in the openshift-operators namespace and its status is Succeeded.
420-
Use the Application Launcher within the OpenShift Container Platform console to confirm that all applications have synchronized successfully to both Hub and Cluster Argo CD instances.
421+
$ ./pattern.sh make install Verify the deployment The Layered Zero-Trust pattern provisions every component and manages them through OpenShift Container Platform GitOps. After you deploy the pattern, verify that all components are running correctly.
422+
The Layered Zero-Trust pattern installs the following two OpenShift Container Platform GitOps instances on your Hub cluster. You can view these instances in the OpenShift Container Platform web console by using the Application Selector (the icon with nine small squares) in the top navigation bar.
423+
Cluster Argo CD: Deploys an App-of-Apps application named layered-zero-trust-hub. This application installs the pattern’s components.
424+
Hub Argo CD: Manages Cluster Argo CD instance and the individual components that belong to the pattern on the hub OpenShift Container Platform instance.
425+
If every Argo CD application reports a Healthy status, the pattern has been deployed successfully.
421426
`,url:"https://validatedpatterns.io/patterns/layered-zero-trust/lzt-getting-started/",breadcrumb:"/patterns/layered-zero-trust/lzt-getting-started/"},"https://validatedpatterns.io/patterns/mlops-fraud-detection/mfd-getting-started/":{title:"Getting started",tags:[],content:` Deploying the MLOps Fraud Detection pattern Prerequisites An OpenShift cluster (Go to the OpenShift console). Cluster must have a dynamic StorageClass to provision PersistentVolumes.
422427
A GitHub account (and a token for it with repositories permissions, to read from and write to your forks)
423428
For installation tooling dependencies, see Patterns quick start.
@@ -2313,7 +2318,40 @@
23132318
An OCI-compliant registry that is accessible from the disconnected network
23142319
A Git Repository that is accessible from the disconnected network
23152320
For more information on disconnected installation, see Validated Patterns in a disconnected Network.
2316-
`,url:"https://validatedpatterns.io/learn/quickstart/",breadcrumb:"/learn/quickstart/"},"https://validatedpatterns.io/patterns/devsecops/devel-cluster/":{title:"Secured Development Cluster",tags:[],content:`Having a development cluster (devel) join the hub Introduction Development clusters are responsible for building applications and delivering the applications to a secured registry. The development cluster defines a secure pipeline that includes code and image scans and image signing before delivering them to the registry. OpenShift Pipelines is used for the continuous integration (CI). The Quay registry is deployed on the hub and therefore integration is required for the development pipeline to push images to the registry.
2321+
`,url:"https://validatedpatterns.io/learn/quickstart/",breadcrumb:"/learn/quickstart/"},"https://validatedpatterns.io/patterns/layered-zero-trust/lzt-secure-multitier/":{title:"Secure multi-tier applications",tags:[],content:`Use case: Secure multi-tier applications This use case demonstrates securing a common application design pattern: a frontend application using a database for persistent storage.
2322+
The Layered Zero Trust Pattern includes the qtodo application, which demonstrates a secure just-in-time (JIT) credential mechanism.
2323+
Instead of relying on static credentials stored within the application, the qtodo application uses a JIT method to dynamically fetch database credentials from a central credential store.
2324+
Application components and architecture The qtodo application consists of the following key components and their security roles:
2325+
The qtodo application: A Quarkus-based frontend application protected by OpenID Connect (OIDC) authentication. Users are managed in an external identity store which uses Red Hat Build of Keycloak (RHBK).
2326+
PostgreSQL: The relational database used by the qtodo application. Its credentials are dynamically generated and stored within HashiCorp Vault.
2327+
External Identity store: Contains the provisioned users and configured OIDC clients that enable access to the qtodo frontend.
2328+
HashiCorp Vault: Stores sensitive values for components, including PostgreSQL and RHBK. Implements JSON Web Token (JWT)-based authentication to enable access by using Zero Trust Workload Identity Manager (ZTWIM)-based identities.
2329+
Zero Trust Workload Identity Manager: It assigns an identity to the qtodo application, allowing it to communicate with HashiCorp Vault and obtain the necessary PostgreSQL credentials.
2330+
spiffe-helper: A supplemental sidecar component for the qtodo application used to dynamically fetch JWT-based identities from the SPIFFE Workload API.
2331+
Exploring the qtodo application The qtodo application is a key component of the Layered Zero Trust Pattern, demonstrating the secure JIT fetching of credentials. To explore how the application implements Zero Trust principles, use the OpenShift Container Platform web console of the Hub cluster to investigate the resources in the qtodo project.
2332+
Procedure In the OpenShift Container Platform web console, navigate to the Projects page and select the qtodo project. This namespace contains the qtodo Quarkus application and the qtodo-db PostgreSQL database.
2333+
Select Workloads → Pods from the left-hand navigation bar. Explore both the qtodo and qtodo-db pods.
2334+
The qtodo pod uses a series of init containers and sidecar containers to supply the application with the credentials required for operation.
2335+
Locating the application address You can access the qtodo application through the OpenShift Container Platform route.
2336+
Procedure In the OpenShift Container Platform web console, navigate to the Projects page and select the qtodo project.
2337+
Select Networking → Routes from the left-hand navigation bar. Note the URL for the qtodo application in the Location column.
2338+
Open a new browser tab and navigate to the qtodo application URL.
2339+
The RHBK login page appears.
2340+
Locating the application credentials The default External Identity Provider, RHBK, is provisioned with two users: qtodo-admin and qtodo-user. You can find the initial credentials in a Secret within the keycloak-system namespace called keycloak-users.
2341+
Procedure In the OpenShift Container Platform web console, navigate to the Projects page and select the keycloak-system project.
2342+
Select Workloads → Secrets from the left-hand navigation bar.
2343+
Select the keycloak-users secret.
2344+
Click the Reveal values link to see the credentials.
2345+
Accessing the application Procedure Navigate to the RHBK login page, as described in the Locate the application’s address section.
2346+
Enter the username and password for one of the users, using the values found in the Locate the application credentials section.
2347+
After you log in, follow the on-screen instructions to change the temporary password.
2348+
Set a new password and confirm the change.
2349+
After the password change is complete, the qtodo application appears.
2350+
Verifying integration The qtodo application uses PostgreSQL for persistent storage. You can verify that the application is correctly integrated with the database by creating a new to-do item.
2351+
Procedure In the qtodo application, add new items to the list of to-dos and remove existing items.
2352+
Refresh the page to verify that the items persist.
2353+
By successfully modifying the list, you confirm that the integration between the Quarkus application and the PostgreSQL database—using credentials sourced dynamically from HashiCorp Vault—was successful.
2354+
`,url:"https://validatedpatterns.io/patterns/layered-zero-trust/lzt-secure-multitier/",breadcrumb:"/patterns/layered-zero-trust/lzt-secure-multitier/"},"https://validatedpatterns.io/patterns/devsecops/devel-cluster/":{title:"Secured Development Cluster",tags:[],content:`Having a development cluster (devel) join the hub Introduction Development clusters are responsible for building applications and delivering the applications to a secured registry. The development cluster defines a secure pipeline that includes code and image scans and image signing before delivering them to the registry. OpenShift Pipelines is used for the continuous integration (CI). The Quay registry is deployed on the hub and therefore integration is required for the development pipeline to push images to the registry.
23172355
Development clusters also need to be secured and so one part of the deployment is Advanced Cluster Security with a secured configuration. This allows ACS to monitor and report on security issues on the cluster. ACS secured sites report to an ACS Central application that is deployed on the hub.
23182356
Allow ACM to deploy the devel applications to a subset of clusters By default the devel applications are deployed on any development clusters that ACM knows about.
23192357
managedClusterGroups: - name: devel helmOverrides: - name: clusterGroup.isHubCluster value: "false" clusterSelector: matchLabels: clusterGroup: devel matchExpressions: - key: vendor operator: In values: - OpenShift Remember to commit the changes and push to GitHub so that GitOps can see your changes and apply them.
@@ -4593,13 +4631,17 @@
45934631
External secret management integration.
45944632
Architecture The Layered Zero Trust pattern architecture consists of many components that work together to offer a secure environment for applications and workloads.
45954633
The pattern consists of the following key components:
4596-
Zero Trust Workload Identity Manager: Implements workload identity using SPIFFE/SPIRE.
4597-
HashiCorp Vault: Provides secure secret storage and management.
4598-
Red Hat build of Keycloak (RHBK): Manages identity and access for users and services.
4599-
OpenShift Cert Manager: Manages the lifecycle of certificates for secure communication.
4600-
External Secrets Operator: Synchronizes secrets from external systems into the cluster.
4601-
QTodo application: Serves as a Quarkus-based application to show zero trust principles.
4602-
PostgreSQL database: Provides the backend database for the demonstration application.
4634+
Compliance Operator
4635+
Provides OpenShift Container Platform cluster hardening.
4636+
Red Hat build of Keycloak (RHBK)
4637+
Provides identities for pattern components.
4638+
Provides an OIDC client that authenticates users to a web application.
4639+
Red Hat Zero Trust Workload Identity Manager
4640+
Provides identities to workloads running in OpenShift Container Platform.
4641+
HashiCorp Vault
4642+
Stores sensitive assets securely.
4643+
External Secrets Operator (ESO)
4644+
Synchronizes secrets stored in HashiCorp Vault with OpenShift Container Platform.
46034645
Sidecar pattern The sidecar pattern is a deployment model where a separate container or process, known as a sidecar, runs alongside the main application to handle auxiliary tasks. In an OpenShift Container Platform environment, pods simplify this by ensuring the sidecar and main application share the same lifecycle. This approach benefits Zero Trust architectures by enabling centralized enforcement of security policies such as authentication, authorization, traffic encryption (mTLS), rate limiting, auditing, and logging, without requiring developers to add this logic to every microservice. It separates concerns, simplifies development, and allows security policies to be updated independently of the main application.
46044646
While sidecars are often criticized for adding complexity and resource usage, these are often misconceptions:
46054647
Complexity: Sidecars simplify the main application by offloading tasks, and modern platforms, such as OpenShift Container Platform, are designed to manage them efficiently.
@@ -4609,7 +4651,7 @@
46094651
About the technology The following technologies are used in this solution:
46104652
Zero Trust Workload Identity Manager: Implements workload identity using SPIFFE/SPIRE.
46114653
HashiCorp Vault: Provides secure secret storage and management.
4612-
Red Hat build of Keycloak (RHBK): Manages identity and access for users and services.
4654+
Red Hat build of Keycloak: Manages identity and access for users and services.
46134655
Red Hat OpenShift GitOps: A GitOps continuous delivery (CD) solution based on ArgoCD
46144656
OpenShift Cert Manager: Manages the lifecycle of certificates for secure communication.
46154657
External Secrets Operator: Synchronizes secrets from external systems into the cluster.

0 commit comments

Comments
 (0)