Verify you can pull from Repo1 and IronBank

Note

Platform One has 4 Useful Places to pull from

• Repo1’s Gitlab Git Repo: repo1.dso.mil

Repo1’s Gitlab Git Repo is the Upstream Source of Truth Git Repo for P1’s IaC/CaC

• IronBank’s Frontend GUI (where justifications and risk assessment are stored): ironbank.dso.mil

• IronBank’s Harbor Docker Registry: registry1.dso.mil

Source of truth for IronBank Images.

• Repo1’s Gitlab Docker Registry: registry.dso.mil

The Big Bang team rarely stores docker images here. All project specific images have been deleted in favor of moving them to a group like bigbang-staging or bigbang-ci in Registry1 to fulfill the registry requirements.

Task 1: Clone the Engineering Cohort Repo from Repo1’s Gitlab Git Repo: repo1.dso.mil

Repo1’s Gitlab Git Repo is the Upstream Source of Truth Git Repo for P1’s IaC/CaC

cd ~/Desktop
git config --global user.name "FIRST_NAME LAST_NAME"
git config --global user.email "MY_NAME@workemail.com or .mil"
cat ~/.gitconfig  #or cat ~/.git/config
git clone https://repo1.dso.mil/platform-one/onboarding/big-bang/engineering-cohort.git

Note

cd ~/Desktop command does not apply to Ubuntu/WSL users

Task 2: Update your local clone of the Big Bang Residency git repo, by pulling the latest changes

Note

• This path is based on assumption that you cloned to the location shown above.
• Also, git commands are sensitive to your current working directory

cd ~/Desktop/engineering-cohort
git pull origin master

Note

cd ~/Desktop/engineering-cohort does not apply to Ubuntu/WSL users

Task 3: Pull an Image from Repo1 Gitlab’s Docker Registry

(Can only be done after Docker is installed, see Docker Install)

docker pull registry.dso.mil/platform-one/plugins/kustomize/all:v0.1.1

# Note for Ubuntu users, if you get the following error (rare edge case)
# Error response from daemon: Get "https://registry.dso.mil/v2/": dial tcp: lookup registry.dso.mil: Temporary failure in name resolution
# then try
sudo systemctl restart systemd-resolved.service

# If this does not work, try running the command as a root user

The above container image is publicly accessible (no auth needed).
If an image does require auth use a Gitlab Personal Access token for credentials.

Task 4: Visit the IronBank Frontend website

(Can only be done after Docker is installed, see Docker Install)

1. In Chrome visit ironbank.dso.mil

2. Navigate to Project ironbank

3. Search the image catalog for argocd and click on the image

4. On the left hand side, click on the drop down to view different Tags

5. You can use the command located under Registry One Pull, to pull the image locally.

Note

Use this command to pull this container from Registry One. You must be registered and logged in to Registry One in order for the docker pull command to work.

Task 5: Pull a Docker Image from IronBank

(Can only be done after Docker is installed, see Docker Install)

Tip

UBI stands for Red Hat Universal Base Image

1. Visit registry1.dso.mil

2. Login via OIDC Provider

3. Navigate to Project ironbank

4. You’ll see a search magnifying glass on the header, search for ironbank/redhat/ubi/ubi9 and click on it as it up under repositiories

5. On the right hand side, click the search magnifying glass, then you’ll have the option to filter repositories using the drop down (located next to the search magnifying glass), filter by Tags, then click in the search box, a drop down will appear (containing: Tagged, Untagged, All), click Tagged

6. Scroll down to find the latest tag (located near the top of the list), this will also have a green check mark in the Signed by Cosign column

7. Click the Button in the Pull Command column that corresponds to the latest tag mentioned in the Tags Column, to copy it to your clipboard.

8. Make a mental note of the tag that is present (at the time of writing, latest is 9.2)

The command will contain the SHA 256 value associated with the image, attached to the end of the docker command

1. Paste that command into your terminal (initial error is expected and will be fixed in a subsequent step)

   docker pull registry1.dso.mil/ironbank/redhat/ubi/ubi9@sha256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   # Note: the Xs represent the SHA value copied from Harbor
   # Error response from daemon: unauthorized: unauthorized to access repository: ironbank/redhat/ubi/ubi9,
   # action: pull: unauthorized to access repository: ironbank/redhat/ubi/ubi9, action: pull
   

2. In Harbor, click your name in the top right, then go to User Profile

3. Your User Profile section will have a CLI secret that you can copy by clicking the icon by CLI secret, and you’ll see green feedback “copy success”

4. Type Login Command into Bash, here’s an example

Use the -u option for username (use your own)

docker login registry1.dso.mil -u cmcgrath

The above command will prompt you for a password, that’s your CLI secret from Harbor

1. Retry the docker pull command and it’ll now work.

2. Run the below docker command using a tag reference instead of a SHA256 reference

Note

The latest tag at the time of writing was 9.2, during Harbor steps you may end up seeing a newer tag, if a newer tag like :9.3 exists, use that instead.

docker pull registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.2

Task 6: Rotate your IronBank Docker Pull Credential

(Can only be done after Docker is installed, see Docker Install)

How to Rotate IB Docker Pull Credentials (useful if your credentials expire or you need to change your CLI secret):

1. In a web browser go to registry1.dso.mil
2. Login via OIDC provider
3. Top right of the page, click your name –> User Profile
4. your username is what you’ll put into the file’s username spot
5. your CLI secret is what you’ll use as a password
6. There are icon next to CLI secret, click it, and you’ll see green feedback “copy success”
7. Paste into a notepad
8. Click the 3 dots
9. Press Generate, a pop up will ask “Are you sure you can regenerate secret?”
10. Press Confirm, and you’ll see green feedback “Cli secret setting is successful”
11. Click the icon next to the CLI secret, and you’ll see green feedback “copy success”
12. Paste into a notepad to verify the credentials have been rotated

13. Log into docker registry again shown below.

    Use the -u option for username (use your own)

    docker login registry1.dso.mil -u cmcgrath
    

Note

The above command will prompt you for a password, that’s your new CLI secret from Harbor

Task 7: Record your Registry1 IronBank Docker Image Pull Credentials

• Write your Registry1 username and password into a text file
• You will need to plug both sets of credentials into an encrypted config file in a future lab guide. (That lab guide will have a reminder saying that in this one you were supposed to write the creds into a text file for use in 5th lab guide’s 3rd lab.)

Task 8: Create a Repo1 Gitlab Personal Access Token

1. Login to repo1.dso.mil/users/sign_in which has a register button if needed.
2. In the top right of the GUI, click your user icon, a dropdown will appear, Select Edit Profile
3. If you do not see the side bar on the left: In the Bottom Left of the screen you’ll see “>>”, which when clicked will change to “<< Collapse sidebar”
4. Click “>>” to expand the sidebar, then click Access Tokens
5. You’ll end up on this page: repo1.dso.mil/-/profile/personal_access_tokens
6. Create a Personal Access Token
7. It will ask you what scope you want the token to have, select all.
8. It will ask you when you want the token to expire (have it expire 1 day from now, we won’t actually be using it as part of the labs, but it’s good info to know.)

Note

The name can be arbitrary, but as a convention it’s best to have it match you’re username. When you click on the button that says [Create personal access token], it’ll show you the token which is effectively a password.

There is no need to save or store the personal access token in a password manager, because it’s very easy to revoke and provision a new one.

You won’t use it as part of the labs, but it’s useful to know how to provision as it allows committing to repos and accessing private repos.

Useful Background Info

Your newly rotated IB Docker Pull Credentials are still tied to a OIDC token, just an OIDC token created with offline flag so it lasts for 30 days vs 30 minutes. Thus you’ll want to login to the GUI once every 30 days to refresh it and prevent it from expiring.

For production deployments ask your Big Bang Liaison or P1 Customer Success to request the Container Hardening Team provision an IronBank Robo Credential, which lasts for 6 months.

Personal IB creds are intended for per user clusters, IronBank Robo Creds are intended for production deployments