ArgoCD is widely used to enable GitOps-style continuous delivery. Internally, ArgoCD builds manifests from source data in a Git repository and automatically syncs them to the target clusters.

Overview

ArgoCD Interlace


ArgoCD Interlace extends ArgoCD from an end-to-end software supply chain security viewpoint: it adds authenticity of the built manifest and traceability back to its source.

ArgoCD Interlace runs as a Kubernetes Custom Resource Definition (CRD) controller. Interlace watches for state changes of Application resources on the ArgoCD cluster. When it detects a new manifest build, Interlace signs the manifest and records the details of the build, such as the source files used and the command that produced the manifest, so that the build can be reproduced. Interlace stores these details as provenance records in in-toto format and uploads them to the Sigstore transparency log for verification.

[Figure: ArgoCD Interlace architecture]

The features are:

  • Pluggable to ArgoCD
  • Capture manifest and provenance from application.status automatically
  • Sign manifest
  • Record provenance in intoto format
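The sign-and-record step described above, shown as an added example rather than Interlace's own code: it builds an in-toto Statement whose subject is the digest of the built manifest and whose predicate records the git source, revision and build command, wraps it in a DSSE envelope signed over the Pre-Authentication Encoding, and verifies the result. The predicate type, the source repository URL, the manifest and the Ed25519 key pair are all constructed for the example; the upload to the Sigstore log is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Artifact is a name or URI plus digests: an in-toto subject (the built manifest) or material (git source).
type Artifact struct {
	Name   string            `json:"name,omitempty"`
	URI    string            `json:"uri,omitempty"`
	Digest map[string]string `json:"digest"`
}

// Statement follows the in-toto attestation layout (subjects plus a typed predicate); the predicate shape is hypothetical.
type Statement struct {
	Type          string                 `json:"_type"`
	PredicateType string                 `json:"predicateType"`
	Subject       []Artifact             `json:"subject"`
	Predicate     map[string]interface{} `json:"predicate"`
}

// Envelope is a DSSE envelope: the signature covers the PAE of payloadType and payload, not the raw payload.
type Envelope struct {
	PayloadType string              `json:"payloadType"`
	Payload     string              `json:"payload"`
	Signatures  []map[string]string `json:"signatures"`
}

const payloadType = "application/vnd.in-toto+json"

func sha256Hex(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// pae is DSSE Pre-Authentication Encoding: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body.
func pae(ptype string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(ptype), ptype, len(body), body))
}

// BuildStatement records the manifest as subject and the git source, revision and build command as predicate.
func BuildStatement(manifest []byte, gitURL, revision, command string) Statement {
	return Statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		PredicateType: "https://example.invalid/provenance-demo/v0", // hypothetical predicate type
		Subject:       []Artifact{{Name: "manifest.yaml", Digest: map[string]string{"sha256": sha256Hex(manifest)}}},
		Predicate: map[string]interface{}{"buildCommand": command,
			"materials": []Artifact{{URI: gitURL, Digest: map[string]string{"sha1": revision}}}},
	}
}

// Sign serialises the statement and signs its PAE with Ed25519.
func Sign(st Statement, key ed25519.PrivateKey) Envelope {
	body, _ := json.Marshal(st) // fixed struct of strings and maps: marshalling cannot fail
	sig := ed25519.Sign(key, pae(payloadType, body))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []map[string]string{{"sig": base64.StdEncoding.EncodeToString(sig)}}}
}

// Verify checks the envelope signature, then that the manifest about to be trusted matches the recorded subject digest.
func Verify(env Envelope, pub ed25519.PublicKey, manifest []byte) error {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || len(env.Signatures) == 0 {
		return errors.New("malformed envelope")
	}
	sig, err := base64.StdEncoding.DecodeString(env.Signatures[0]["sig"])
	if err != nil || !ed25519.Verify(pub, pae(env.PayloadType, body), sig) {
		return errors.New("envelope signature invalid")
	}
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil {
		return err
	}
	if len(st.Subject) == 0 || st.Subject[0].Digest["sha256"] != sha256Hex(manifest) {
		return errors.New("manifest digest does not match the recorded subject")
	}
	return nil
}

// RunDemo signs a constructed manifest, then shows that an edited provenance payload and an edited manifest are both rejected.
func RunDemo() (genuineOK, forgedRejected, tamperedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	manifest := []byte("apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: demo\n") // constructed sample
	env := Sign(BuildStatement(manifest, "https://github.com/example/app.git", // hypothetical source repo
		"0123456789abcdef0123456789abcdef01234567", "kustomize build ./overlays/prod"), priv)
	genuineOK = Verify(env, pub, manifest) == nil
	forged := env // same signature, rewritten payload: the PAE no longer matches
	forged.Payload = base64.StdEncoding.EncodeToString([]byte(`{"_type":"forged"}`))
	forgedRejected = Verify(forged, pub, manifest) != nil
	tamperedRejected = Verify(env, pub, append(manifest, "data:\n  extra: injected\n"...)) != nil
	return
}

func main() { fmt.Println(RunDemo()) }
```

Verification deliberately checks two different things: the DSSE signature proves who produced the provenance record, and the subject digest ties that record to the exact manifest bytes about to be applied. A record that verifies but describes a different manifest is worthless, which is why the digest comparison is not optional.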

Installation

Prerequisite: Install ArgoCD on your Kubernetes cluster before you install ArgoCD Interlace.

To install the latest version of ArgoCD Interlace to your cluster, run:

kubectl apply --filename https://raw.githubusercontent.com/IBM/argocd-interlace/main/releases/release.yaml

This creates a default installation of ArgoCD Interlace; however, further setup is required before you can see it in action.

To verify that the installation was successful, ensure that the status of the pod argocd-interlace-controller becomes Running:

$ kubectl get pod -n argocd-interlace -w
NAME                                              READY   STATUS    RESTARTS   AGE
pod/argocd-interlace-controller-f57fd69fb-72l4h   1/1     Running   0          19m

Setup

To complete setting up ArgoCD Interlace, configure secrets for:

Example Scenario

To see ArgoCD Interlace in action, check the example scenario.

Demo

[Demo: intro.gif]

Comments
  • Switch DSSE provider to go-securesystemslib

    Switch DSSE provider to go-securesystemslib

    The DSSE implementation added to in-toto-golang has now been split into its own package which lives at https://github.com/secure-systems-lab/go-securesystemslib/. The next step is the removal of this code from in-toto, so I'm submitting changes to dependent packages. :)

    See: https://github.com/in-toto/in-toto-golang/pull/122

    opened by adityasaky 2
  • Kubernetes CRD controller for Application resources

    Kubernetes CRD controller for Application resources

    Implement Kubernetes CRD controller for Application resources.

    • monitors the trigger from state changes of Application resources
    • detect new manifest build and captures desired manifests from ArgoCD REST API
    • sign the manifest
    • record the detail of manifest build
      • the source files, git url, revision, commits for the manifest build
      • the command to produce the manifest for reproducibility.
    • store the details as provenance records in in-toto format.
    enhancement 
    opened by yuji-watanabe-jp 2
  • add SECURITY.md to the root directory and configure a related github action

    add SECURITY.md to the root directory and configure a related github action

    Signed-off-by: Hirokuni-Kitahara1 [email protected]

    • add SECURITY.md to the root directory for solving https://github.com/argoproj-labs/argocd-interlace/issues/20
    • configure github action for lint
    opened by hirokuni-kitahara 1
  • improve installation step to make it clearer and to remove unnecessary configuration

    improve installation step to make it clearer and to remove unnecessary configuration

    Signed-off-by: Hirokuni-Kitahara1 [email protected]

    • make installation step clearer
      • enable 1 yaml installation
      • enable setup with just 2 kubectl patch commands
      • improve the way to load configuration (config loading without pod restart)
      • remove unnecessary configuration
    • update the corresponding docs
    opened by hirokuni-kitahara 1
  • fix github action configuration for linting

    fix github action configuration for linting

    Signed-off-by: Hirokuni-Kitahara1 [email protected]

    • fix github action to solve an issue that go modules are not installed before lint action
    opened by hirokuni-kitahara 0
  • add ApplicationProvenance so that users can check generated provenance easily

    add ApplicationProvenance so that users can check generated provenance easily

    Signed-off-by: Hirokuni-Kitahara1 [email protected]

    • add a CRD ApplicationProvenance for users to check provenance data easily
    • add api and client codes for the CRD
    • update README.md
    opened by hirokuni-kitahara 0
  • make the provenance data available in Application annotation

    make the provenance data available in Application annotation

    Signed-off-by: Hirokuni-Kitahara1 [email protected]

    • update codes to store generated provenance data in Application annotation interlace.argocd.dev/provenance
    • update README so that users can check result with the annotation instead of checking pod log.
    opened by hirokuni-kitahara 0
  • improve user experience around installation and setup

    improve user experience around installation and setup

    Signed-off-by: Hirokuni-Kitahara1 [email protected]

    • enable 1 command installation
      • create setup.sh to automate installation and setup
    • make it easy for users to try examples
      • create sign-source-repo.sh to automate signing for source repo
      • add examples/signed-application.yaml to check application
    opened by hirokuni-kitahara 0
  • ArgoCD Interlace supports Helm based application

    ArgoCD Interlace supports Helm based application

    Signed-off-by: [email protected] [email protected]

    Capability to address issue: #15

    • Added support for Helm based application via Helm sigstore verification and provenance generation
    • Fixed documentation
    • Reorganized packages
    opened by gajananan 0
  • Add capability to verify signature of Helm chart and generate signature for manifest

    Add capability to verify signature of Helm chart and generate signature for manifest

    Implement a capability to support Helm based application

    • verify Helm chart using helm sigstore before signature for manifest generated.
    • attach a new signature to the generated application manifest only if the verification passed
    enhancement 
    opened by gajananan 0
  • [ImgBot] Optimize images

    [ImgBot] Optimize images

    Beep boop. Your images are optimized!

    Your image file size has been reduced by 56% 🎉

    Details

    | File | Before | After | Percent reduction |
    |:--|:--|:--|:--|
    | /images/intro.gif | 1,991.00kb | 854.85kb | 57.06% |
    | /images/argocd-interlace-arch.png | 112.91kb | 78.84kb | 30.17% |
    | | | | |
    | Total : | 2,103.90kb | 933.69kb | 55.62% |


    ~Imgbot - Part of Optimole family

    opened by imgbot[bot] 0
  • Add SECURITY.md

    Add SECURITY.md

    The Argo maintainers recently agreed to require all Argoproj Labs project repositories to contain a SECURITY.md file which documents:

    • Contact information for reporting security vulnerabilities
    • Some minimal information about policies, practices, with possibly links to further documentation with more details

    This will help direct vulnerability reporting to the right parties which can fix the issue.

    You are free to use the following as examples/templates:

    Also, please note that in the future we are exploring a requirement that argoproj-labs projects perform a CII self-assessment to better inform its users about which security best practices are being followed.

    opened by jessesuen 2
Releases (v0.1.0)

Owner

International Business Machines