Verify you can pull from Repo1 and IronBank💣
Note
Platform One has 4 Useful Places to pull from
- Repo1’s Gitlab Git Repo: repo1.dso.mil
Repo1’s Gitlab Git Repo is the Upstream Source of Truth Git Repo for P1’s IaC/CaC
-
IronBank’s Frontend GUI (where justifications and risk assessment are stored): ironbank.dso.mil
-
IronBank’s Harbor Docker Registry: registry1.dso.mil
Source of truth for IronBank Images.
- Repo1’s Gitlab Docker Registry:
registry.dso.mil
The Big Bang team rarely stores docker images here. All project specific images have been deleted in favor of moving them to a group like
bigbang-staging
orbigbang-ci
in Registry1 to fulfill the registry requirements.
Task 1: Clone the Engineering Cohort Repo from Repo1’s Gitlab Git Repo: repo1.dso.mil💣
Repo1’s Gitlab Git Repo is the Upstream Source of Truth Git Repo for P1’s IaC/CaC
cd ~/Desktop
git config --global user.name "FIRST_NAME LAST_NAME"
git config --global user.email "MY_NAME@workemail.com or .mil"
cat ~/.gitconfig #or cat ~/.git/config
git clone https://repo1.dso.mil/platform-one/onboarding/big-bang/engineering-cohort.git
Note
cd ~/Desktop
command does not apply to Ubuntu/WSL users
Task 2: Update your local clone of the Big Bang Residency git repo, by pulling the latest changes💣
Note
- This path is based on assumption that you cloned to the location shown above.
- Also, git commands are sensitive to your current working directory
cd ~/Desktop/engineering-cohort
git pull origin master
Note
cd ~/Desktop/engineering-cohort
does not apply to Ubuntu/WSL users
Task 3: Pull an Image from Repo1 Gitlab’s Docker Registry💣
docker pull registry.dso.mil/platform-one/plugins/kustomize/all:v0.1.1
# Note for Ubuntu users, if you get the following error (rare edge case)
# Error response from daemon: Get "https://registry.dso.mil/v2/": dial tcp: lookup registry.dso.mil: Temporary failure in name resolution
# then try
sudo systemctl restart systemd-resolved.service
# If this does not work, try running the command as a root user
The above container image is publicly accessible (no auth needed).
If an image does require auth use a Gitlab Personal Access token for credentials.
Task 4: Visit the IronBank Frontend website💣
-
In Chrome visit ironbank.dso.mil
-
Navigate to Project ironbank
-
Search the image catalog for
argocd
and click on the image -
On the left hand side, click on the drop down to view different
Tags
-
You can use the command located under
Registry One Pull
, to pull the image locally.
Note
Use this command to pull this container from Registry One. You must be registered and logged in to Registry One in order for the docker pull command to work.
Task 5: Pull a Docker Image from IronBank💣
Tip
UBI stands for Red Hat Universal Base Image
-
Visit registry1.dso.mil
-
Login via OIDC Provider
-
Navigate to Project ironbank
-
You’ll see a search magnifying glass on the header, search for
ironbank/redhat/ubi/ubi9
and click on it as it up under repositiories -
On the right hand side, click the search magnifying glass, then you’ll have the option to filter repositories using the drop down (located next to the search magnifying glass), filter by
Tags
, then click in the search box, a drop down will appear (containing:Tagged
,Untagged
,All
), clickTagged
-
Scroll down to find the latest tag (located near the top of the list), this will also have a green check mark in the
Signed by Cosign
column -
Click the Button in the
Pull Command column
that corresponds to the latest tag mentioned in theTags Column
, to copy it to your clipboard. -
Make a mental note of the tag that is present (at the time of writing, latest is 9.2)
The command will contain the SHA 256 value associated with the image, attached to the end of the docker command
- Paste that command into your terminal (initial error is expected and will be fixed in a subsequent step)
docker pull registry1.dso.mil/ironbank/redhat/ubi/ubi9@sha256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # Note: the Xs represent the SHA value copied from Harbor # Error response from daemon: unauthorized: unauthorized to access repository: ironbank/redhat/ubi/ubi9, # action: pull: unauthorized to access repository: ironbank/redhat/ubi/ubi9, action: pull
-
In Harbor, click your name in the top right, then go to User Profile
-
Your User Profile section will have a CLI secret that you can copy by clicking the icon by
CLI secret
, and you’ll see green feedback “copy success” -
Type Login Command into Bash, here’s an example
Use the
-u
option for username (use your own)
docker login registry1.dso.mil -u cmcgrath
The above command will prompt you for a password, that’s your CLI secret from Harbor
-
Retry the docker pull command and it’ll now work.
-
Run the below docker command using a tag reference instead of a SHA256 reference
Note
The latest tag at the time of writing was 9.2
, during Harbor steps you may end up seeing a newer tag, if a newer tag like :9.3
exists, use that instead.
docker pull registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.2
Task 6: Rotate your IronBank Docker Pull Credential💣
How to Rotate IB Docker Pull Credentials (useful if your credentials expire or you need to change your CLI secret):
- In a web browser go to registry1.dso.mil
- Login via OIDC provider
- Top right of the page, click your name –> User Profile
- your username is what you’ll put into the file’s username spot
- your CLI secret is what you’ll use as a password
- There are icon next to CLI secret, click it, and you’ll see green feedback “copy success”
- Paste into a notepad
- Click the 3 dots
- Press Generate, a pop up will ask “Are you sure you can regenerate secret?”
- Press Confirm, and you’ll see green feedback “Cli secret setting is successful”
- Click the icon next to the CLI secret, and you’ll see green feedback “copy success”
- Paste into a notepad to verify the credentials have been rotated
-
Log into docker registry again shown below.
Use the
-u
option for username (use your own)docker login registry1.dso.mil -u cmcgrath
Note
The above command will prompt you for a password, that’s your new CLI secret from Harbor
Task 7: Record your Registry1 IronBank Docker Image Pull Credentials💣
- Write your Registry1 username and password into a text file
- You will need to plug both sets of credentials into an encrypted config file in a future lab guide. (That lab guide will have a reminder saying that in this one you were supposed to write the creds into a text file for use in 5th lab guide’s 3rd lab.)
Task 8: Create a Repo1 Gitlab Personal Access Token💣
- Login to repo1.dso.mil/users/sign_in which has a register button if needed.
- In the top right of the GUI, click your user icon, a dropdown will appear, Select Settings
- In the Bottom Left of the screen you’ll see “>>”, which when clicked will change to “<< Collapse sidebar”
- Click “>>” to expand the sidebar, then click Access Tokens
- You’ll end up on this page: repo1.dso.mil/profile/personal_access_tokens
- Create a Personal Access Token
- It will ask you what scope you want the token to have, select all.
- It will ask you when you want the token to expire (have it expire 1 day from now, we won’t actually be using it as part of the labs, but it’s good info to know.)
Note
The name can be arbitrary, but as a convention it’s best to have it match you’re username. When you click on the button that says [Create personal access token]
, it’ll show you the token which is effectively a password.
There is no need to save or store the personal access token in a password manager, because it’s very easy to revoke and provision a new one.
You won’t use it as part of the labs, but it’s useful to know how to privision as it allows commiting to repos and accessing private repos.
Useful Background Info💣
Your newly rotated IB Docker Pull Credentials are still tied to a OIDC token, just an OIDC token created with offline flag so it lasts for 30 days vs 30 minutes. Thus you’ll want to login to the GUI once every 30 days to refresh it and prevent it from expiring. For production deployments ask your Big Bang Liaison or P1 Customer Success to request the Container Hardening Team provision an IronBank Robo Credential, which lasts for 6 months. Personal IB creds are intended for per user clusters, IronBank Robo Creds are intended for production deployments