In this code pattern, we show you how to deploy a microservices-based back end in Red Hat OpenShift 4 using a toolchain that scans for security risks. As part of the release of IBM Cloud for Financial Services support for containerized applications, this code pattern explains how to create the toolchain with a Tekton-based delivery pipeline that integrates the Code Risk Analyzer component of IBM Cloud Continuous Delivery with the Vulnerability Advisor component of IBM Cloud Container Registry. Code Risk Analyzer runs an infrastructure and deployment artifact scan against your GitHub repository as part of the overall SecDevOps (or DevSecOps) system.
This code pattern uses the Example Bank project from a previous code pattern, which deploys a set of microservices to act as a back end for a mobile bank application. It implements a few important data privacy features inspired by real data privacy regulations, such as authorization verification using IBM Cloud App ID and opt-in consent for data collection by users. The pattern demonstrates a deploy mechanism to integrate modern SecDevOps practices. The following IBM Cloud for Financial Services Validated services for cloud-native, containerized workloads are used during deployment:
- Scan deployment artifacts such as Dockerfiles, package manifests, and deployment YAML files with Code Risk Analyzer.
- Use IBM Cloud Container Registry as a private registry.
- Identify vulnerabilities in the container registry with help from the IBM Cloud Security and Compliance Center.
- Use a toolchain to deploy to Red Hat OpenShift on IBM Cloud on a virtual private cloud.
The Example Bank back-end system includes several microservices for handling user authentication and transaction mechanics, as demonstrated in the following architecture flow diagram.
- User accesses OpenShift route for the front-end mobile simulator service.
- Mobile simulator logs in the user or creates a new user with App ID.
- User service verifies user authentication with App ID and records the user in the PostgreSQL database. The user service also records whether the consent box is checked during the sign-up step.
- User creates transactions by clicking on the mobile simulator purchase view.
- Transaction service records user activity in the PostgreSQL database.
In this pattern, the toolchain creates a pull request (PR) pipeline and a continuous delivery (CD) pipeline to conduct the risk assessment and deploy the application to OpenShift, as demonstrated in the following diagram.
The PR pipeline is triggered automatically after you create or update a PR. In this pipeline, Code Risk Analyzer is configured to scan the pull request and discover your code repo dependencies, such as application packages, container images, or operating system packages. Code Risk Analyzer identifies whether there are any vulnerabilities associated with those dependencies and then shares its deployment configuration analysis, vulnerability report, and bill of materials as comments in your PR. Code Risk Analyzer also sets a status on the PR, so an administrator can configure gates that block any changes that have security problems.
The CD pipeline is automatically triggered after the PR is merged to deploy the updated app. This pipeline creates the container image by using your Dockerfile, pushes the built image to the IBM Cloud Container Registry, and scans the image using Vulnerability Advisor. It then deploys the service to your OpenShift cluster using the deployment configuration.
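As an added example that is not part of the code pattern, the following Python sketches the kind of severity gate an administrator could place behind the Code Risk Analyzer PR status or the Vulnerability Advisor image scan described above. The report shape, the finding ids and the status context name are constructed assumptions, not the real tool output or API.

```python
# Added example: a severity gate over a vulnerability report, of the kind the
# PR pipeline (Code Risk Analyzer status) or CD pipeline (Vulnerability Advisor
# scan) could enforce. The report schema below is CONSTRUCTED for illustration,
# not the real Code Risk Analyzer or Vulnerability Advisor output.
import json
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report with placeholder finding ids (not real CVEs).
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-1", "package": "libexample", "severity": "high",
         "fix_available": True},
        {"id": "EXAMPLE-VULN-2", "package": "oldlib", "severity": "medium",
         "fix_available": False},
        {"id": "EXAMPLE-VULN-3", "package": "oldlib", "severity": "critical",
         "fix_available": False},
    ]
})

def summarize(report_json):
    """Count findings per severity, e.g. for the summary comment on the PR."""
    findings = json.loads(report_json)["vulnerabilities"]
    return dict(Counter(v["severity"].lower() for v in findings))

def gate(report_json, block_at="high", waive_unfixable=False):
    """Return (state, description) in the shape of a commit status.

    block_at: lowest severity that fails the gate.
    waive_unfixable: report, but do not block on, findings that have no
    fix available (bumping the dependency cannot remediate them yet).
    """
    threshold = SEVERITY_RANK[block_at]
    blocking = []
    for v in json.loads(report_json)["vulnerabilities"]:
        if SEVERITY_RANK.get(v["severity"].lower(), 0) < threshold:
            continue
        if waive_unfixable and not v.get("fix_available", True):
            continue
        blocking.append(v["id"])
    if blocking:
        return ("failure", f"{len(blocking)} finding(s) at or above {block_at}: "
                + ", ".join(sorted(blocking)))
    return "success", f"no findings at or above {block_at}"

def status_payload(report_json, report_url, **policy):
    """Body for a GitHub commit-status call; context name is an assumption."""
    state, description = gate(report_json, **policy)
    return {"state": state, "description": description[:140],  # API limit
            "context": "example/vulnerability-gate", "target_url": report_url}
```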
The detailed steps for this code pattern are available in the README.md file.
- Clone the code pattern repository.
- Create a project in your OpenShift cluster.
- Set up a namespace in the IBM Cloud Container Registry.
- Configure the IBM Cloud App ID service.
- Create the required secrets in your OpenShift project.
- Set up the PostgreSQL database.
- Configure two pipelines in a toolchain.
- Deploy the application using your toolchain.
- Access the application.