Merge pull request #162 from stakater/git-pat
Added vault steps for github pat token
AsfaMumtaz authored Nov 8, 2023
2 parents db7dd13 + 36a5ce6 commit 4563bbf
Showing 17 changed files with 126 additions and 47 deletions.
@@ -1,20 +1,23 @@
# Configure GitHub Access
# Configure SCM (GitHub) Access

In this section, you'll learn how to configure GitHub access by generating a Fine-grained Personal Access Token (PAT) and setting up webhook security. These steps are essential for establishing a secure and automated Continuous Integration/Continuous Deployment (CI/CD) pipeline using pipeline-as-code concepts.
In this section, you'll learn how to configure GitHub access by generating a Fine-grained Personal Access Token (PAT) and securely storing it as a secret in Vault. These steps are essential for establishing a secure and automated Continuous Integration/Continuous Deployment (CI/CD) pipeline using pipeline-as-code concepts.

A Fine-grained PAT ensures that your CI/CD pipeline can securely interact with your GitHub repositories. By generating a token with finely controlled permissions, you grant the pipeline only the specific access it requires, reducing potential security risks.
A Fine-grained PAT ensures that your CI/CD pipeline can securely interact with your GitHub repositories. By generating a token with finely controlled permissions, you grant the pipeline only the specific access it requires, reducing potential security risks. Additionally, storing the PAT in Vault adds an extra layer of security to protect your credentials.

## Objectives

- Generate a Fine-grained PAT with the necessary permissions for pipeline integration.
- Obtain the necessary GitHub access credentials and permissions required for creating and integrating a pipeline-as-code setup.
- Securely store the GitHub PAT in Vault for added protection.

## Key Results

- Personal Access Token (PAT) with the specified permissions is generated successfully in the GitHub account.
- The GitHub PAT is securely stored in Vault and can be accessed only by authorized entities, enhancing security.

## Tutorial

### Generate Token (PAT) on GitHub

1. Generate a Fine-grained Token (PAT) on GitHub. PAT (Fine-grained): Allows you to select repositories from your GitHub organization that can use the token.[`Create a fine-grained token`](https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/) with the below-mentioned permissions for your source code repository:

- Go to your GitHub account `settings` for the top-right corner on your profile.
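Review bot: The Objectives list now overlaps itself: the first bullet ("Generate a Fine-grained PAT with the necessary permissions") and the second ("Obtain the necessary GitHub access credentials and permissions") describe the same step, so drop or merge the second. In the tutorial step there is no space before the link in "can use the token.[`Create a fine-grained token`]", and "Generate a Fine-grained Token (PAT) on GitHub. PAT (Fine-grained): Allows you to select repositories..." reads as two fragments; suggest "Generate a Fine-grained PAT on GitHub; a fine-grained token lets you restrict it to selected repositories of your organization. Create one with the permissions listed below for your source code repository:". Also "for the top-right corner" should be "from the top-right corner".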
Expand Down Expand Up @@ -46,6 +49,6 @@ A Fine-grained PAT ensures that your CI/CD pipeline can securely interact with y
<div style="text-align:center"><img src="images/pat-permissions.png" /></div>

!!! note
Save the token cautiously, you will need this to create a secret.
> Save the token cautiously, you'll need to save it in `Vault` in upcoming tutorials.

Awesome! Let's move to next tutorial and create a Webhook for our pipeline.
Congratulations! You have successfully configured GitHub access. Let's move to next tutorial.
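Review bot: The note block now mixes two syntaxes: the `!!! note` admonition opener is kept while its body was changed to a `>` blockquote line ("> Save the token cautiously, ..."); either keep the body as an indented admonition line without `>` or drop the `!!! note` opener. The body is also a comma splice; suggest "Save the token cautiously; you'll need to store it in `Vault` in an upcoming tutorial." Since the required permissions appear only in `images/pat-permissions.png`, consider listing them in text as well so they can be reviewed for least privilege without the image. The closing line is missing an article: "Let's move to the next tutorial."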
@@ -1,63 +1,30 @@
# Securely Storing SSH Keys for Tekton PipelineRun
# Secure Connection using SSH Keys for Tekton PipelineRun

When working with Tekton Pipelines and storing your pipeline definition in a `.tekton` folder within your source code repository, it's important to keep sensitive authentication information, such as SSH keys, secure and separate from the public codebase. In this tutorial, you will learn how to securely store SSH keys using Secrets to access your code repository within your Tekton PipelineRun.
When collaborating with Tekton Pipelines and housing your pipeline configurations within a `.tekton` directory in your source code repository, it's imperative to uphold security by isolating sensitive authentication information, like SSH keys, from the public codebase. In this tutorial, you'll be creating SSH Keys and generating the access between a pipeline and code Repository.

## Objectives

- Generate SSH keys to securely access your code repository.
- Add your public key as a deploy key in your GitHub repository.
- Store the private SSH key in Secret to be used by your Tekton PipelineRun.

## Key Results

- Successfully generate a pair of SSH keys for repository access.
- Set up the public SSH key as a deploy key in your GitHub repository.
- Create a Secret containing the private SSH key for Tekton PipelineRun.

## Tutorial

1. Let's create SSH keys to access the repository.
1. Let's create SSH keys to access both source code and GitOps repositories.

For SSH Access:

- [`Generate SSH Key Pair`](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key)

1. Add your `public-key` into the `Deploy key` section of your repository:
1. Add your `public-key` into the `Deploy key` section of your repositories:

- [`Add Deploy Key to your Repository`](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys)

> Note: A deploy key is specific to a single repository and cannot be used for multiple repositories.*
> Note: A deploy key is specific to a single repository and cannot be used for multiple repositories.
> Save the keys cautiously, you'll need them to save in `Vault` in upcoming tutorials.
After adding the `Deploy keys` in your repository, now is the time to add the secret.

1. Copy the below `secret` yaml.

```yaml
apiVersion: v1
kind: Secret
metadata:
name: nordmart-ssh-creds # Name of Secret
namespace: <your-namespace> # Place your namespace where you want to run the pipeline
stringData:
type: git
sshPrivateKey: | # Paste your private key here as it is, the sshPrivateKey value will be base64 encoded in the secret. You do not need to manually encode the value before creating the secret.
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
```
1. Log in to SAAP, go to Administrator > Workloads > Secrets. Create a secret with yaml.
![secret with yaml](images/secret-yaml.png)
1. Paste the `secret yaml`, add your `private key`, and your `namespace` then hit `Create`.

![create ssh secret](images/create-ssh-secret.png)

Now look at the `nordmart-ssh-creds` secret yaml, the private key will be encoded to `base64`.

![ssh secret](images/nordmart-ssh.png)

> Note: We will be using this secret in our `pipelineRun`.

Cool! Let's move on to the next tutorial and create a pipeline.
Cool! Let's move on to the next tutorial and store the credentials in Vault.
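Review bot: The Objectives and Key Results still describe creating a Kubernetes Secret ("Store the private SSH key in Secret to be used by your Tekton PipelineRun", "Create a Secret containing the private SSH key for Tekton PipelineRun") although the secret YAML and the SAAP secret-creation steps are removed in this hunk and the page now ends with "store the credentials in Vault"; update those bullets to say the private key is stored in Vault. Step 1 now says "create SSH keys to access both source code and GitOps repositories", but the note directly below states that a deploy key is specific to a single repository, so say explicitly that one key pair is generated per repository (the Vault tutorial in this commit also creates two separate SSH secrets). The added note "you'll need them to save in `Vault`" reads awkwardly; suggest "you'll need to store them in `Vault` in upcoming tutorials". If the line "After adding the `Deploy keys` in your repository, now is the time to add the secret." is kept, it now dangles with no secret step following it.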
Binary file not shown.
Binary file not shown.
Binary file not shown.
31 changes: 31 additions & 0 deletions content/for-developers/tutorials/outer-loop/prerequisites.md
@@ -0,0 +1,31 @@
# Prerequisites

Before you embark on setting up your pipeline as code, it's essential to ensure that you have all the necessary prerequisites in place. These prerequisites are the foundation for a successful and secure automation process. Below, we've listed the key prerequisites you'll need to consider:

## [Add an Environment to an Application](./add-build-environment/add-environment.md)

In certain cases, you may need to add a new environment to an existing application within a tenant. For example, when incorporating a production cluster into your infrastructure, you'll want to extend your application's deployment capabilities to this new environment. Ensure you have a clear understanding of how to add and configure this environment to your application as part of your prerequisites.

## [Personal Access Token (PAT)](./github-pat/github-pat.md)

A Personal Access Token (PAT) is an essential component for ensuring secure and authenticated interactions with your code repositories. This token serves as a vital bridge between your pipeline and your version control system, allowing it to access and manage your code repositories. Whether it's for fetching code, creating branches, or managing pull requests, this token is the cornerstone of performing Git operations securely.

## [SSH Keys for Repository Access](./github-ssh/github-ssh.md)

SSH keys play a crucial role in ensuring secure access to your code repositories, particularly when employing version control systems. These cryptographic keys provide a secure means for your pipeline to authenticate itself with your version control system, allowing it to perform tasks like cloning repositories, pushing changes, and managing version-controlled code with the highest level of security and trust.
Steps to Generate SSH Keys:
Open a terminal or command prompt on your local machine.

## Vault for Secure Credential Storage

Vault serves as an indispensable component for securely safeguarding and managing the key credentials that your pipeline relies upon. Access to a Vault instance is imperative, as it is the secure repository for your sensitive data. Furthermore, a strong command of creating and effectively managing secrets within Vault is paramount to ensure the security and integrity of your pipeline, enabling you to confidently manage and utilize credentials while upholding best practices in secret management.

## External Secrets Custom Resources (CRs)

External Secrets Custom Resources (CRs) play a pivotal role in securely referencing and efficiently managing secrets stored within Vault. The creation of these CRs within your Kubernetes cluster is a necessary step in empowering your pipeline to access the essential secrets securely. These CRs serve as the bridge between your Kubernetes environment and Vault, ensuring a seamless and secure flow of sensitive data to fulfill the requirements of your pipeline. By creating and configuring External Secrets CRs, you establish a robust foundation for secret management, enhancing the overall security and reliability of your pipeline operations.

## Access to ArgoCD Applications

To deploy and manage your applications effectively with ArgoCD, it's essential to have the required access to ArgoCD applications within your SAAP (Stakater App Agility Platform). Ensure that you possess the necessary permissions and access rights that empower you to not only create but also update and synchronize ArgoCD applications. This access ensures that you can confidently orchestrate the deployment and continuous synchronization of your applications while maintaining security and compliance standards within SAAP.

With these prerequisites in place, you'll be well-prepared to set up your pipeline as code and run it securely and efficiently.
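Review bot: The two lines "Steps to Generate SSH Keys:" and "Open a terminal or command prompt on your local machine." under the SSH Keys section are an unfinished fragment; either remove them (the linked github-ssh.md tutorial covers key generation) or complete them. The "Vault for Secure Credential Storage" heading is the only tutorial heading without a link, unlike the PAT and SSH headings; link it to the new Vault tutorial if that page is the intended target. The wording is also heavier than the rest of the docs ("indispensable", "imperative", "paramount"); a plain statement of what the reader needs (access to a Vault instance and permission to create secrets under their tenant path) would be clearer.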
@@ -0,0 +1,77 @@
# Storing Credentials Securely in Vault

In this tutorial, you'll learn how to securely store critical credentials in Vault, a robust platform for managing and safeguarding sensitive data. By the end of this guide, you'll have successfully saved a variety of credentials, ensuring their protection and controlled access.

## Objectives

- Create and store a Personal Access Token (PAT) for GitHub in Vault.
- Securely manage SSH keys for GitOps and source code repository access and integration.
- Store GitHub Webhook configurations for your CI/CD pipelines.
- Safeguard Docker Registry credentials to enable secure image handling.
- Manage Helm Registry credentials for Helm chart deployments.
- Store SonarQube credentials for code quality analysis.
- Securely manage MongoDB credentials for database access.
- Store `Rox` credentials for feature flag management.

## Key Results

- Successfully create and store a PAT credential within the `<your-tenant>/kv` path in Vault.
- Securely manage SSH keys for GitOps and source code repository access within the `<your-tenant>/kv` path in Vault.
- Store GitHub Webhook configurations in the `<your-tenant>/kv` path in Vault.
- Safeguard Docker Registry credentials within the `<your-tenant>/kv` path in Vault for secure image handling.
- Efficiently manage Helm Registry credentials within the `<your-tenant>/kv` and `stakater/` path in Vault for Helm chart deployments.
- Store SonarQube credentials within the `<your-tenant>/kv` path in Vault for code quality analysis.
- Securely manage MongoDB credentials for database access within the `<your-tenant>/kv/review-api/dev/` path in Vault.
- Store `Rox` credentials within the `<your-tenant>/kv` path in Vault for feature flag management.

## Tutorial

Follow the step-by-step instructions below to store each type of credential securely within Vault:

### Create PAT Secret in Vault

Login to Vault to view <your-tenant> path.

1. Access Vault from `Forecastle` console, search `Vault` and open the `Vault` tile.

![Forecastle-Vault](images/forecastle.png)

1. From the drop-down menu under `Method`, select `OIDC` and click on `Sign in with OIDC Provider`.

![Vault-odic-login](images/login-oidc.png)

1. You will be brought to the `Vault` console. You should see the key/value path for <your-tenant>.

![secret engines](images/secret-engines.png)

1. Click on `<your-tenant>/kv/`.

1. You will now be brought to the `secrets` and the `configurations` in Vault for <your-tenant>. Click on `create secret`.

![create secret](images/create-secret.png)

1. Let's create a `pat-creds` secret for our PAT GitHub token. Write the name of the secret in `path` which is `pat-creds`. Add `secret data`, key: `username`, value: (your GitHub username) and key: `password` , value: (your newly generated PAT). Hit save.

![secret data](images/secret-data.png)

### Create SSH Key Secret in Vault for Nordmart API Repo

1. Let's create a `nordmart-ssh-creds` secret for our SSH Key that we created in previous tutorials. Go to <your-tenant> in `Vault`. Click on `Create secret`. Write the name of the secret in `path` which is `nordmart-ssh-creds`. Add `secret data`, key: `api_private_key`, and value: (your newly generated SSH private key). Hit save.

![Nordmart ssh](images/nordmart.png)

### Create SSH Key Secret in Vault for GitOps Repo

1. Let's create a `cd-ssh-creds` secret for our SSH Key that we created in previous tutorials. Go to <your-tenant> in `Vault`. Click on `Create secret`. Write the name of the secret in `path` which is `cd-ssh-creds`. Add `secret data`, key: `private_key`, and value: (your newly generated SSH private key). Hit save.

![cd ssh](images/cd-ssh.png)

### Create PAC Repository Secret for GitHub

1. Let's create a `github-webhook-config` secret for our `Repository` CR that we created in previous tutorials. Go to <your-tenant> in `Vault`. Click on `Create secret`. Write the name of the secret in `path` which is `github-webhook-config`. Add `secret data`, key: `provider.token`, value: (your GitHub PAT), key: `webhook.secret`, and value: (your webhook secret) Hit save.

![repository secret](images/repo-secret.png)

### Create Docker Registry Credentials Secret

1. Let's create a `docker-reg-creds` secret for our pipeline. Write the name of the secret in `path` which is `docker-reg-creds`. Add `secret data`, key: `.dockerconfigjson`, value: , key: ``, and value: Hit save.
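Review bot: The last step (`docker-reg-creds`) has empty value and key placeholders: "key: `.dockerconfigjson`, value: , key: ``, and value: Hit save." needs the values filled in or the step removed before merge. The bare `<your-tenant>` in "Login to Vault to view <your-tenant> path", "key/value path for <your-tenant>" and the "Go to <your-tenant> in `Vault`" steps will be parsed as an HTML tag and vanish in rendered Markdown; write it in backticks as the Key Results section already does. The GitHub PAT is stored twice, as `password` in `pat-creds` and again as `provider.token` in `github-webhook-config`; note that both copies must be updated when the token is rotated. Minor: the alt text "Vault-odic-login" has a typo (oidc), "Login to Vault" should be "Log in to Vault", and "(your webhook secret) Hit save" is missing a period.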
@@ -1,4 +1,4 @@
# Setting Up Webhook for pipeline-as-code
# Setting Up Webhook in SCM (GitHub) for Pipeline as Code

The webhook setup acts as a bridge between your code repository and the CI/CD pipeline. It allows your pipeline to be triggered automatically whenever specific events occur in your repository, such as code pushes or pull requests. The webhook secret further ensures that these interactions are secured and authenticated.
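Review bot: Capitalisation of the new title ("Pipeline as Code") differs from the hyphenated "pipeline-as-code" used in the other pages changed in this commit; pick one form for all titles.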

1 change: 1 addition & 0 deletions mkdocs.yml
Expand Up @@ -141,6 +141,7 @@ nav:
- for-developers/tutorials/inner-loop/tilt-zero-to-hero/step-by-step-guide.md
- Outer Loop:
- for-developers/tutorials/outer-loop/access-cluster/access-the-cluster.md
- for-developers/tutorials/outer-loop/prerequisites.md
- for-developers/tutorials/outer-loop/add-build-environment/add-environment.md
- Configure Pipeline for your application:
- for-developers/tutorials/outer-loop/deploying-secrets.md
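Review bot: The new nav entry places prerequisites.md ahead of add-environment.md, which is consistent with prerequisites.md linking to add-environment.md as its first prerequisite. The new Vault tutorial added in this commit does not appear in the visible part of this hunk; confirm it has a nav entry so it is reachable from the Outer Loop section.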

0 comments on commit 4563bbf
