Commit 7e60bd5

committed
deploy: edeac7e
1 parent 88bb160 commit 7e60bd5

301 files changed

Lines changed: 27060 additions & 604 deletions

blog/2021-12-31-medical-diagnosis/index.html

Lines changed: 68 additions & 2 deletions
@@ -2566,7 +2566,7 @@
25662566
An OCI-compliant registry that is accessible from the disconnected network
25672567
A Git Repository that is accessible from the disconnected network
25682568
For more information on disconnected installation, see Validated Patterns in a disconnected Network.
2569-
`,url:"https://validatedpatterns.io/learn/quickstart/",breadcrumb:"/learn/quickstart/"},"https://validatedpatterns.io/patterns/layered-zero-trust/lzt-secure-multitier/":{title:"Secure multi-tier applications",tags:[],content:`Use case: Secure multi-tier applications This use case demonstrates securing a common application design pattern: a frontend application using a database for persistent storage.
2569+
`,url:"https://validatedpatterns.io/learn/quickstart/",breadcrumb:"/learn/quickstart/"},"https://validatedpatterns.io/patterns/layered-zero-trust/lzt-secure-multitier/":{title:"Secure multitiered applications",tags:[],content:`Use case: Secure multitiered applications This use case demonstrates securing a common application design pattern: a frontend application using a database for persistent storage.
25702570
The Layered Zero Trust Pattern includes the qtodo application, which demonstrates a secure just-in-time (JIT) credential mechanism.
25712571
Instead of relying on static credentials stored within the application, the qtodo application uses a JIT method to dynamically fetch database credentials from a central credential store.
25722572
Application components and architecture The qtodo application consists of the following key components and their security roles:
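Review bot: Title-only rename in this hunk ("Secure multi-tier applications" becomes "Secure multitiered applications"); the url and breadcrumb keep the lzt-secure-multitier slug, which is right since the path did not move, but any other page text that still uses the old title should get the same rename so search results and cross-references stay consistent.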
@@ -3900,7 +3900,70 @@
39003900
Pipeline 4: Build, Scan, Sign and Push to Prod Pipeline 4 demonstrates a more complete pipeline that builds, scans and also signs the image before pushing.
39013901
Pipeline 4 is the preferred DevSecOps approach and can be modified to include more security based tasks. E.g. when using a base image for a build, the signature of that image can be checked before the build step even starts.
39023902
TBD - screen shots
3903-
`,url:"https://validatedpatterns.io/patterns/devsecops/secure-supply-chain-demo/",breadcrumb:"/patterns/devsecops/secure-supply-chain-demo/"},"https://validatedpatterns.io/patterns/amd-rag-chat-qna/amd-rag-chat-qna-troubleshooting/":{title:"Troubleshooting",tags:[],content:` Troubleshooting common pattern deployment issues Problem Validated Pattern installation process is stuck on deploying Vault
3903+
`,url:"https://validatedpatterns.io/patterns/devsecops/secure-supply-chain-demo/",breadcrumb:"/patterns/devsecops/secure-supply-chain-demo/"},"https://validatedpatterns.io/patterns/layered-zero-trust/lzt-automated-secure-supply-chain/":{title:"Secure supply chain - Automated approach",tags:[],content:`Use case: Automating the secure supply chain The Secure multitiered applications use case describes how to implement a secure supply chain for application development by using Red Hat Trusted Artifact Signer (RHTAS) and the Red Hat Trusted Profile Analyzer (RHTPA). This use case demonstrates automation of the secure supply chain for application development by using Red Hat OpenShift Pipelines.
3904+
OpenShift Pipelines orchestrates the application building and certification process. The Zero Trust Validated Pattern (ZTVP) creates a pipeline in the cluster named qtodo-supply-chain.
3905+
Pipeline tasks The pipeline includes the following tasks:
3906+
qtodo-clone-repository: Clones the qtodo repository.
3907+
qtodo-build-artifact: Builds an uber-jar of the qtodo application.
3908+
qtodo-sign-artifact: Signs the generated JAR file.
3909+
qtodo-verify-artifact: Verifies the JAR signature.
3910+
qtodo-build-image: Builds a container image and uploads it to a registry.
3911+
qtodo-sign-image: Signs the container image.
3912+
qtodo-generate-sbom: Generates an SBOM from the image.
3913+
qtodo-sbom-attestation: Creates a signed attestation and attaches it to the image.
3914+
qtodo-upload-sbom: Uploads the SBOM file to RHTPA.
3915+
qtodo-verify-image: Verifies the attestation and signature.
3916+
Running the pipeline Start the pipeline by using the OpenShift Container Platform web console or the CLI.
3917+
Running the pipeline from the web console To start a pipeline execution from the OpenShift Container Platform Web console:
3918+
Procedure Log in to the OpenShift Container Platform web console.
3919+
From the left navigation bar, select Pipelines → Pipelines.
3920+
In the layered-zero-trust-hub project, find the qtodo-supply-chain pipeline.
3921+
Click the Options menu (⋮) and select Start.
3922+
Verify the parameters. Most default values are correct for single-cluster mode.
3923+
Configure the following workspaces:
3924+
For qtodo-source, select PersistentVolumeClaim and ensure the PVC name is qtodo-workspace-source.
3925+
For registry-auth-config, select Secret and ensure the secret name is qtodo-registry-auth.
3926+
Click Start.
3927+
Running the pipeline from the CLI Start a pipeline execution by creating a PipelineRun resource that references the qtodo-supply-chain pipeline.
3928+
Procedure Create a file named qtodo-pipeline.yaml with the following content:
3929+
apiVersion: tekton.dev/v1 kind: PipelineRun metadata: generateName: qtodo-manual-run- namespace: layered-zero-trust-hub spec: pipelineRef: name: qtodo-supply-chain taskRunTemplate: serviceAccountName: pipeline timeouts: pipeline: 1h0m0s workspaces: - name: qtodo-source persistentVolumeClaim: claimName: qtodo-workspace-source - name: registry-auth-config secret: secretName: qtodo-registry-auth Verify the values for the PVC storage and registry configuration.
3930+
Create the PipelineRun resource:
3931+
$ oc create -f qtodo-pipeline.yaml Verification Review the pipeline logs using the Tekton CLI:
3932+
$ tkn pipeline logs -n layered-zero-trust-hub -L -f Inspecting pipeline results Verify the status and output of the pipeline by using the web console or the CLI.
3933+
Inspecting results from the web console You can inspect the results of the pipeline execution from the OpenShift Container Platform web console.
3934+
Procedure Log in to the OpenShift Container Platform web console.
3935+
From the left navigation bar, select Pipelines → Pipelines.
3936+
In the layered-zero-trust-hub project, find the qtodo-supply-chain pipeline.
3937+
Click the PipelineRun link in the Last run column.
3938+
In the Details tab, view the summary of the pipeline execution and tasks.
3939+
Click on a task or the Logs tab to see the output of specific tasks.
3940+
Inspecting results from the CLI You can inspect the results of the pipeline execution by using the CLI.
3941+
Procedure Verify that the pipeline completed successfully:
3942+
$ oc get pipelinerun -n layered-zero-trust-hub NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME qtodo-manual-run-p46f7 True Succeeded 7m4s 2m12s Review the TaskRuns to see the results of each step:
3943+
$ oc get taskruns -n layered-zero-trust-hub NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME qtodo-manual-run-p46f7-qtodo-build-artifact True Succeeded 7m44s 5m17s qtodo-manual-run-p46f7-qtodo-build-image True Succeeded 4m55s 4m4s qtodo-manual-run-p46f7-qtodo-clone-repository True Succeeded 7m55s 7m44s ... Identify the pods associated with the tasks in the layered-zero-trust-hub namespace:
3944+
$ oc get pods -n layered-zero-trust-hub NAME READY STATUS RESTARTS AGE qtodo-manual-run-p46f7-qtodo-build-artifact-pod 0/1 Completed 0 10m qtodo-manual-run-p46f7-qtodo-build-image-pod 0/1 Completed 0 7m21s ... Review the pod logs to view the output of a specific step. For example, to view image verification messages:
3945+
$ oc logs -n layered-zero-trust-hub qtodo-manual-run-p46f7-qtodo-verify-image-pod Success: true Result: SUCCESS Violations: 0, Warnings: 0, Successes: 3 Component: Unnamed ImageRef: quay-registry-quay-quay-enterprise.apps.example.com/ztvp/qtodo@sha256:df6506e93a141cfcaeb3b4686b558cddd963410a146b10c3cbd1319122f5f880 Results: ✓ [Success] builtin.attestation.signature_check ... ✓ [Success] builtin.image.signature_check ... Reviewing integrated services The supply chain results are visible in the services used during the build process.
3946+
Reviewing images in Quay If you used Quay as the image registry, you can review the built image inside the registry.
3947+
Procedure Obtain the credentials for the Quay web interface:
3948+
Quay URL:
3949+
$ echo "https://$(oc get route -n quay-enterprise \\ -l quay-component=quay-app-route \\ -o jsonpath='{.items[0].spec.host}')" Quay username: Use the value specified in values-hub.yaml or quay-user.
3950+
Quay password:
3951+
$ oc get secret -n layered-zero-trust-hub qtodo-quay-password -o json | jq '.data["password"] | @base64d' Log in to the Quay web interface.
3952+
Select the ztvp/qtodo repository.
3953+
In the navigation menu, select Tags.
3954+
Verify that the latest tag is signed and that the .att attestation file is present.
3955+
Reviewing Rekor verification records Use the Rekor search interface to check verification records. Search by email address or record index.
3956+
Procedure Get the URL for the Rekor search interface:
3957+
$ echo "https://$(oc get route -n trusted-artifact-signer -l app.kubernetes.io/component=rekor-ui -o jsonpath='{.items[0].spec.host}')" Reviewing RHTPA results The RHTPA web UI uses OIDC for user authentication. If you are using Keycloak integrated with the pattern, use the following commands to obtain the credentials.
3958+
Procedure Get the credentials:
3959+
RHTPA URL:
3960+
$ echo "https://$(oc get route -n trusted-profile-analyzer \\ -l app.kubernetes.io/name=server \\ -o jsonpath='{.items[0].spec.host}')" RHTPA user: rhtpa-user
3961+
RHTPA user password:
3962+
$ oc get secret keycloak-users -n keycloak-system -o json \\ | jq '.data["rhtpa-user-password"] | @base64d' Review the SBOM in the RHTPA web interface:
3963+
Log in to the RHTPA web interface using Keycloak credentials.
3964+
In the navigation menu, select SBOMs.
3965+
Select the container image name from the list of available SBOMs.
3966+
`,url:"https://validatedpatterns.io/patterns/layered-zero-trust/lzt-automated-secure-supply-chain/",breadcrumb:"/patterns/layered-zero-trust/lzt-automated-secure-supply-chain/"},"https://validatedpatterns.io/patterns/amd-rag-chat-qna/amd-rag-chat-qna-troubleshooting/":{title:"Troubleshooting",tags:[],content:` Troubleshooting common pattern deployment issues Problem Validated Pattern installation process is stuck on deploying Vault
39043967
Solution Most common reason of this is that prerequisites are not satisfied. Please refer to section Getting started → Prerequisites and make sure all is done before proceeding to pattern deployment.
39053968
Problem Downloading AI model Llama-3.1-8B-Instruct using supplied Jupyter notebook is failing or deployment fails after model is downloaded
39063969
Solution Most often this is due to some network errors while downloading the model. If not sure if whole model was downloaded, please clear the storage bucket and repeat the download process.
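Review bot: The opening sentence of the new lzt-automated-secure-supply-chain page references the wrong use case: it states "The Secure multitiered applications use case describes how to implement a secure supply chain for application development by using Red Hat Trusted Artifact Signer (RHTAS) and the Red Hat Trusted Profile Analyzer (RHTPA)", but the Secure multitiered applications page (renamed in the first hunk of this file) covers the qtodo frontend/database JIT-credential design, not the supply chain; point this at the manual secure supply chain use case instead. Two smaller points in the same hunk: the Quay and RHTPA password commands pipe into `jq '.data["password"] | @base64d'` and `jq '.data["rhtpa-user-password"] | @base64d'` without `-r`, so the decoded value is printed wrapped in JSON quotes and will not paste cleanly into a login form; use `jq -r`. The PipelineRun example runs under `serviceAccountName: pipeline` while the run signs both the JAR and the image, so the page should state which secrets (registry auth, signing identity) that service account is expected to hold, letting readers scope it to exactly those.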
@@ -5117,6 +5180,8 @@
51175180
Provides cryptographic signing and verification of software artifacts and container images.
51185181
Red Hat Trusted Profile Analyzer (RHTPA)
51195182
Provides the storage and management means for Software Bill of Materials (SBOMs), with cross-referencing capabilities between SBOMs and CVEs/Security Advisories.
5183+
Red Hat OpenShift Pipelines
5184+
Provides a cloud-native continuous integration and continuous deployment (CI/CD) solution on OpenShift Container Platform.
51205185
Architecture diagram The layered zero trust architecture enforces a Zero Trust model through four decoupled layers:
51215186
Identity: Keycloak manages user authentication, while SPIRE assigns short-lived, cryptographic identities to workloads for secure service-to-service recognition.
51225187
Secure Transport: Sidecar proxies intercept traffic to enforce mutual TLS (mTLS), ensuring all communication is encrypted and mutually authenticated without application code changes.
@@ -5154,6 +5219,7 @@
51545219
Red Hat Quay: Private registry for OCI images.
51555220
Red Hat Trusted Artifact Signer: Facilitates signing and verification of software artifacts.
51565221
Red Hat Trusted Profile Analyzer: Enables SBOM file analysis and vulnerability detection.
5222+
Red Hat OpenShift Pipelines: Enables a native CI/CD solution on OpenShift Container Platform.
51575223
`,url:"https://validatedpatterns.io/patterns/layered-zero-trust/",breadcrumb:"/patterns/layered-zero-trust/"},"https://validatedpatterns.io/blog/2025-08-29-new-common-makefile-structure/":{title:"From slim common to no common",tags:[],content:` Retiring the common Directory with a Smarter Makefile We’re simplifying our Validated Patterns workflow in a big way: the common directory is going away.
51585224
Why does this matter? Fewer moving parts, leaner repositories, and updates that flow automatically to every pattern. Instead of juggling wrapper scripts and redundant logic across repos, everything now runs through a centralized, smarter Makefile.
51595225
This post explains why we made the change, how it benefits you, and what you need to do to start using this streamlined approach.
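Review bot: Wording for the new Red Hat OpenShift Pipelines entry is inconsistent with the component description added in the earlier hunk of this file: there it "Provides a cloud-native continuous integration and continuous deployment (CI/CD) solution", here it "Enables a native CI/CD solution". Align the two; the earlier phrasing is the more precise one, since the pipeline shown in this diff is Tekton-based (apiVersion: tekton.dev/v1), i.e. cloud-native rather than "native".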
