
feat: anchore and jenkins guides with snippets (#682)

Co-authored-by: Lucas Severo Alves <lucassalves65@gmail.com>
Co-authored-by: Surjit Bains <surjit.bains@gmail.com>
Moritz Johner 4 years ago
61340a78ed

+ 31 - 0
docs/examples-anchore-engine-credentials.md

@@ -0,0 +1,31 @@
+# Getting started
+
+Anchore Engine is an open-source project that provides a centralized service for inspection, analysis, and certification of container images. With Kubernetes, it also brings nice features like preventing unscanned images from being deployed into your clusters
+
+## Installing with Helm
+
+There are several parts of the installation that require credentials these being :-
+
+ANCHORE_ADMIN_USERNAME
+ANCHORE_ADMIN_PASSWORD
+ANCHORE_DB_PASSWORD
+db-url
+db-user
+postgres-password
+
+
+Creating the following external secret ensure the credentials are drawn from the backend provider of choice. The example shown here works with Hashicorp Vault and AWS Secrets Manager providers.
+
+#### Hashicorp Vault
+
+``` yaml
+{% include 'vault-anchore-engine-access-credentials-external-secret.yaml' %}
+```
+
+
+#### AWS Secrets Manager
+
+``` yaml
+{% include 'aws-anchore-engine-access-credentials-external-secret.yaml' %}
+```
+

docs/guides-gitops-using-fluxcd.md → docs/examples-gitops-using-fluxcd.md


+ 65 - 0
docs/examples-jenkins-kubernetes-credentials.md


+ 15 - 0
docs/snippets/aws-anchore-engine-access-credentials-external-secret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: anchore-access-credentials
+  namespace: ci
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: cluster-secrets-store
+    kind: ClusterSecretStore
+  target:
+    name: anchore-access-credentials
+  dataFrom:
+  - key: service/anchore-engine/engineAccess
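Review bot: The `dataFrom` entry on the last line copies every property of the Secrets Manager secret `service/anchore-engine/engineAccess` into the Kubernetes Secret under its original property name, so that backend secret must carry exactly the key names the guide lists (`ANCHORE_ADMIN_USERNAME`, `ANCHORE_ADMIN_PASSWORD`, `ANCHORE_DB_PASSWORD`, `db-url`, `db-user`, `postgres-password`) or the Helm chart will not find them. A comment above `dataFrom:` such as `# each property of this secret becomes a Secret key 1:1 — name them ANCHORE_ADMIN_USERNAME ... postgres-password` would make that contract explicit. This snippet targets `namespace: ci` while the Vault variant of the same example targets `namespace: security`; unless that is intended, both should name the namespace the Anchore Helm release runs in. The list under `dataFrom` is also written flush with its key, whereas every other snippet in this commit indents sequence items.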

+ 27 - 0
docs/snippets/aws-jenkins-credential-github-ssh-external-secret.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: github-ssh-access
+  namespace: ci
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: cluster-parameter-store
+    kind: ClusterSecretStore
+  target:
+    name: github-ssh-access
+    template:
+      metadata:
+        labels:
+          "jenkins.io/credentials-type": "basicSSHUserPrivateKey"
+        annotations:
+          "jenkins.io/credentials-description": "github-ssh-access key"
+  data:
+    - secretKey: username
+      remoteRef:
+        key: /service/github/sshUserPrivateKeyUserName
+    - secretKey: privateKey
+      remoteRef:
+        key: /service/github/sshUserPrivateKey
+
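Review bot: `secretStoreRef.name` is `cluster-parameter-store` and both `remoteRef.key` values carry a leading slash (`/service/github/...`), unlike the other AWS snippets in this commit, which reference `cluster-secrets-store` with slash-less keys. If this is deliberately a ClusterSecretStore backed by SSM Parameter Store, a comment on the store line, `# ClusterSecretStore backed by SSM Parameter Store; remoteRef keys are parameter paths`, would stop readers from copying the wrong store name into the other examples; otherwise align it with `cluster-secrets-store`. The file also ends with an extra blank line.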

+ 23 - 0
docs/snippets/aws-jenkins-credential-sonarqube-api-token-external-secret.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: sonarqube-api-token
+  namespace: ci
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: cluster-secrets-store
+    kind: ClusterSecretStore
+  target:
+    name: sonarqube-api-token
+    template:
+      metadata:
+        labels:
+          "jenkins.io/credentials-type": "secretText"
+        annotations:
+          "jenkins.io/credentials-description": "Sonar API token"
+  data:
+    - secretKey: text
+      remoteRef:
+        key: service/sonarqube/apiToken

+ 28 - 0
docs/snippets/aws-jenkins-credentials-harbor-chart-robot-external-secret.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: harbor-chart-robot
+  namespace: ci
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: cluster-secrets-store
+    kind: ClusterSecretStore
+  target:
+    name: harbor-chart-robot
+    template:
+      metadata:
+        labels:
+          "jenkins.io/credentials-type": "usernamePassword"
+        annotations:
+          "jenkins.io/credentials-description": "harbor chart robot access"
+  data:
+    - secretKey: password
+      remoteRef:
+        key: service/harbor/chartRobot
+        property: password
+    - secretKey: username
+      remoteRef:
+        key: service/harbor/chartRobot
+        property: username

+ 55 - 0
docs/snippets/vault-anchore-engine-access-credentials-external-secret.yaml

@@ -0,0 +1,55 @@
+{% raw %}
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: anchore-access-credentials
+  namespace: security
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: anchore-access-credentials
+    template:
+
+      data:
+        ANCHORE_ADMIN_USERNAME: >-
+          {{ printf "{{ .username | toString }}" }}
+        ANCHORE_ADMIN_PASSWORD: >-
+          {{ printf "{{ .password | toString }}" }}
+        ANCHORE_DB_PASSWORD: >-
+          {{ printf "{{ .dbPassword | toString }}" }}
+        db-url: >-
+          {{ printf "{{ .dbUrl | toString }}" }}
+        db-user: >-
+          {{ printf "{{ .dbUser | toString }}" }}
+        postgres-password: >-
+          {{ printf "{{ .postgresPassword | toString }}" }}
+
+  data:
+    - secretKey: password
+      remoteRef:
+        key: anchore-engine
+        property: ANCHORE_ADMIN_PASSWORD
+    - secretKey: username
+      remoteRef:
+        key: anchore-engine
+        property: ANCHORE_ADMIN_USERNAME
+    - secretKey: dbPassword
+      remoteRef:
+        key: anchore-engine
+        property: ANCHORE_DB_PASSWORD
+    - secretKey: dbUrl
+      remoteRef:
+        key: anchore-engine
+        property: db-url
+    - secretKey: dbUser
+      remoteRef:
+        key: anchore-engine
+        property: db-user
+    - secretKey: postgresPassword
+      remoteRef:
+        key: anchore-engine
+        property: postgres-password
+{% endraw %}
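Review bot: Each `template.data` value wraps the lookup as `{{ printf "{{ .username | toString }}" }}`; if I read ESO's template handling correctly it executes this string as a Go template once, so `printf` returns the inner text verbatim and the rendered Secret would contain the literal `{{ .username | toString }}` instead of the credential. The `{% raw %}` guard already protects the snippet from the docs' Jinja pass, so the outer `printf` looks unnecessary — e.g. `ANCHORE_ADMIN_USERNAME: "{{ .username | toString }}"`; the same pattern appears in the three `vault-jenkins-credential-*` snippets, and if the double wrapping is intentional for the docs pipeline a comment should say so. This snippet also places the Anchore secret in `namespace: security` while the AWS variant uses `namespace: ci`, and it omits the `---` document start that the AWS snippets carry.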

+ 34 - 0
docs/snippets/vault-jenkins-credential-github-ssh-access-external-secret.yaml

@@ -0,0 +1,34 @@
+{% raw %}
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: github-ssh-access
+  namespace: ci
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: github-ssh-access
+    template:
+      metadata:
+        labels:
+          "jenkins.io/credentials-type": "basicSSHUserPrivateKey"
+        annotations:
+          "jenkins.io/credentials-description": "github-ssh-access key"
+      data:
+        username: >-
+          {{ printf "{{ .username | toString }}" }}
+        privateKey: >-
+          {{ printf "{{ .privateKey | toString }}" }}
+  data:
+    - secretKey: username
+      remoteRef:
+        key: my-kv
+        property: github-ssh-access-username
+    - secretKey: privateKey
+      remoteRef:
+        key: my-kv
+        property: github-ssh-access-private-key
+{% endraw %}

+ 34 - 0
docs/snippets/vault-jenkins-credential-harbor-chart-robot-external-secret.yaml

@@ -0,0 +1,34 @@
+{% raw %}
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: harbor-chart-robot
+  namespace: ci
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: harbor-chart-robot
+    template:
+      metadata:
+        labels:
+          "jenkins.io/credentials-type": "usernamePassword"
+        annotations:
+          "jenkins.io/credentials-description": "harbor chart robot"
+      data:
+        username: >-
+          {{ printf "{{ .username | toString }}" }}
+        password: >-
+          {{ printf "{{ .password | toString }}" }}
+  data:
+    - secretKey: username
+      remoteRef:
+        key: my-kv
+        property: harbor-chart-robot-username
+    - secretKey: password
+      remoteRef:
+        key: my-kv
+        property: harbor-chart-robot-token
+{% endraw %}

+ 28 - 0
docs/snippets/vault-jenkins-credential-sonarqube-api-token-external-secret.yaml

@@ -0,0 +1,28 @@
+{% raw %}
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: sonarqube-api-token
+  namespace: ci
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: sonarqube-api-token
+    template:
+      metadata:
+        labels:
+          "jenkins.io/credentials-type": "secretText"
+        annotations:
+          "jenkins.io/credentials-description": "sonarqube api token"
+      data:
+        text: >-
+          {{ printf "{{ .password | toString }}" }}
+  data:
+    - secretKey: password
+      remoteRef:
+        key: jenkins-credentials
+        property: sonarqube-api-token
+{% endraw %}

+ 4 - 1
hack/api-docs/mkdocs.yml

@@ -41,7 +41,6 @@ nav:
     - Multi Tenancy: guides-multi-tenancy.md
     - Metrics: guides-metrics.md
     - Using Latest Image: guides-using-latest-image.md
-    - GitOps using FluxCD: guides-gitops-using-fluxcd.md
   - Provider:
     - AWS:
       - Secrets Manager: provider-aws-secrets-manager.md
@@ -62,6 +61,10 @@ nav:
       - Oracle Vault: provider-oracle-vault.md
     - Webhook: provider-webhook.md
     - Fake: provider-fake.md
+  - Examples:
+    - FluxCD: examples-gitops-using-fluxcd.md
+    - Anchore Engine: examples-anchore-engine-credentials.md
+    - Jenkins: examples-jenkins-kubernetes-credentials.md
   - References:
     - API specification: spec.md
   - Contributing:
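Review bot: Dropping `GitOps using FluxCD` from the Guides nav together with the rename to `examples-gitops-using-fluxcd.md` removes the page's old URL, so existing bookmarks and inbound links to it will break unless a redirect is configured somewhere outside this hunk. If the site uses a redirects plugin, map the old `guides-gitops-using-fluxcd` path to the new file; otherwise consider keeping a stub page under the old name that points to the example.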