From 97a35b0a9afb5e220679492e6f5c5c3fc065e012 Mon Sep 17 00:00:00 2001 From: Hala Herbly Date: Fri, 24 Jan 2025 17:00:47 -0600 Subject: [PATCH 1/6] updates procedure for signing EEs --- ...ing-your-system-for-container-signing.adoc | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc b/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc index 351ac8f407..f904ebe1a8 100644 --- a/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc +++ b/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc 
@@ -5,6 +5,25 @@ {HubNameStart} implements image signing to offer better security for the {ExecEnvShort} container images. +.Prerequisites +* You have already link:{URLHubManagingContent}/managing-containers-hub#populate-container-registry[created and synced a container registry] in the Remote Registry section of {PlatformNameShort}. + +.Procedure + +. Log in to {PlatformNameShort} and, from the navigation panel, select {MenuACAdminSignatureKeys}. If you followed the steps in [NEW CONTENT FROM CONTAINERIZED INSTALL GUIDE] during setup, you should see a key labeled `container-default`. +. From the navigation panel, select {MenuACExecEnvironments}. +. Click btn:[Create execution environment] and enter the relevant information in the fields that appear. +.. The *Name* field displays the name of the {ExecEnvName} on your local registry. +.. The *Upstream name* field is the name of the image on the remote server. For example, if the upstream name is set to "alpine" and the *Name* field is "local/alpine," the alpine image is downloaded from the remote and renamed "local/alpine." +.. Set a list of tags to include or exclude. Note that syncing an {ExecEnvNameSing} with a large number of tags is time consuming and uses a lot of disk space. +. Click btn:[Create execution environment]. You should see your new {ExecEnvNameSing} in the list that appears. +. Sync and sign your new {ExecEnvNameSing}. +.. Click the btn:[More Actions] icon *{MoreActionsIcon}* and select *Sync execution environment*. +.. Click the btn:[More Actions] icon *{MoreActionsIcon}* and select *Sign execution environment*. +. Click on your new {ExecEnvNameSing}. On the Details page, find the *Signed* label to determine that your {ExecEnvNameSing} has been signed. + + +//// To deploy your system so that it is ready for container signing, create a signing script. [NOTE] 
@@ -67,3 +86,4 @@ automationhub_container_signing_service_script = /absolute/path/to/script/that/s ==== The `container-default` service is created by the {PlatformNameShort} installer. ==== +//// \ No newline at end of file From 1cc205b92aa05b3e4ed7cd87cd09138d6d8baccf Mon Sep 17 00:00:00 2001 From: Hala Herbly Date: Thu, 30 Jan 2025 17:06:01 -0600 Subject: [PATCH 2/6] linking new content in containerized install guide --- ...ing-your-system-for-container-signing.adoc | 23 +------------------ 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc b/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc index f904ebe1a8..9ce4e191f1 100644 --- a/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc +++ b/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc 
@@ -3,28 +3,8 @@ = Deploying your system for container signing -{HubNameStart} implements image signing to offer better security for the {ExecEnvShort} container images. -.Prerequisites -* You have already link:{URLHubManagingContent}/managing-containers-hub#populate-container-registry[created and synced a container registry] in the Remote Registry section of {PlatformNameShort}. - -.Procedure - -. Log in to {PlatformNameShort} and, from the navigation panel, select {MenuACAdminSignatureKeys}. If you followed the steps in [NEW CONTENT FROM CONTAINERIZED INSTALL GUIDE] during setup, you should see a key labeled `container-default`. -. From the navigation panel, select {MenuACExecEnvironments}. -. Click btn:[Create execution environment] and enter the relevant information in the fields that appear. -.. The *Name* field displays the name of the {ExecEnvName} on your local registry. -.. The *Upstream name* field is the name of the image on the remote server. For example, if the upstream name is set to "alpine" and the *Name* field is "local/alpine," the alpine image is downloaded from the remote and renamed "local/alpine." -.. Set a list of tags to include or exclude. Note that syncing an {ExecEnvNameSing} with a large number of tags is time consuming and uses a lot of disk space. -. Click btn:[Create execution environment]. You should see your new {ExecEnvNameSing} in the list that appears. -. Sync and sign your new {ExecEnvNameSing}. -.. Click the btn:[More Actions] icon *{MoreActionsIcon}* and select *Sync execution environment*. -.. Click the btn:[More Actions] icon *{MoreActionsIcon}* and select *Sign execution environment*. -. Click on your new {ExecEnvNameSing}. On the Details page, find the *Signed* label to determine that your {ExecEnvNameSing} has been signed. - - -//// -To deploy your system so that it is ready for container signing, create a signing script. 
+To deploy your system so that it is ready for container signing, first ensure that you have link:{URLContainerizedInstall}/aap-containerized-installation#enabling-automation-hub-collection-and-container-signing_aap-containerized-installation [enabled automation content collection and container signing]. Then you can create a signing script, or xref:proc-adding-containers-remotely-to-the-automation-hub.adoc[add and sign containers remotely]. [NOTE] ==== @@ -86,4 +66,3 @@ automationhub_container_signing_service_script = /absolute/path/to/script/that/s ==== The `container-default` service is created by the {PlatformNameShort} installer. ==== -//// \ No newline at end of file From 902efa96aaf7493c4971571415ebb4cbd4813145 Mon Sep 17 00:00:00 2001 From: Hala Herbly Date: Thu, 30 Jan 2025 17:09:35 -0600 Subject: [PATCH 3/6] fixed link --- .../hub/proc-deploying-your-system-for-container-signing.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc b/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc index 9ce4e191f1..3c98e053a8 100644 --- a/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc +++ b/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc 
@@ -4,7 +4,7 @@ = Deploying your system for container signing -To deploy your system so that it is ready for container signing, first ensure that you have link:{URLContainerizedInstall}/aap-containerized-installation#enabling-automation-hub-collection-and-container-signing_aap-containerized-installation [enabled automation content collection and container signing]. Then you can create a signing script, or xref:proc-adding-containers-remotely-to-the-automation-hub.adoc[add and sign containers remotely]. +To deploy your system so that it is ready for container signing, first ensure that you have link:{URLContainerizedInstall}/aap-containerized-installation#enabling-automation-hub-collection-and-container-signing_aap-containerized-installation[enabled automation content collection and container signing]. Then you can create a signing script, or xref:proc-adding-containers-remotely-to-the-automation-hub.adoc[add and sign containers remotely]. [NOTE] ==== From b504973ac3b19ff107dffc1d875b375fc114c8ea Mon Sep 17 00:00:00 2001 From: Hala Herbly Date: Fri, 31 Jan 2025 15:15:34 -0600 Subject: [PATCH 4/6] updates proc for signing an EE --- .../proc-adding-an-execution-environment.adoc | 24 ++++++++++++------- ...ing-your-system-for-container-signing.adoc | 2 +- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/downstream/modules/hub/proc-adding-an-execution-environment.adoc b/downstream/modules/hub/proc-adding-an-execution-environment.adoc index 2585fa74b5..c296899db6 100644 --- a/downstream/modules/hub/proc-adding-an-execution-environment.adoc +++ b/downstream/modules/hub/proc-adding-an-execution-environment.adoc 
@@ -1,26 +1,32 @@ [id="adding-an-execution-environment"] -= Adding an {ExecEnvShort} += Adding and signing an {ExecEnvShort} {ExecEnvNameStart} are container images that make it possible to incorporate system-level dependencies and collection-based content. Each {ExecEnvShort} allows you to have a customized image to run jobs, and each of them contain only what you need when running the job. .Procedure . From the navigation panel, select {MenuACExecEnvironments}. -. Click btn:[Create execution environment]. +. Click btn:[Create execution environment] and enter the relevant information in the fields that appear. -. Enter the name of the {ExecEnvShort}. +.. The *Name* field displays the name of the {ExecEnvShort} on your local registry. -. Enter the upstream name. +.. The *Upstream name* field is the name of the image on the remote server. -. Under *Registry*, select the name of the registry from the drop-down menu. +.. Under *Registry*, select the name of the registry from the drop-down menu. -. Enter tags in the *Add tag(s) to include* field. +.. Optional: Enter tags in the *Add tag(s) to include* field. If the field is blank, all the tags are passed. You must specify which repository-specific tags to pass. -. Optional: Enter tags to exclude in *Add tag(s) to exclude*. +.. Optional: Enter tags to exclude in *Add tag(s) to exclude*. -. Click btn:[Create {ExecEnvName}]. +. Click btn:[Create {ExecEnvShort}]. You should see your new {ExecEnvNameSing} in the list that appears. -. Synchronize the image. +. Sync and sign your new {ExecEnvNameSing}. + +.. Click the btn:[More Actions] icon *{MoreActionsIcon}* and select *Sync execution environment*. + +.. Click the btn:[More Actions] icon *{MoreActionsIcon}* and select *Sign execution environment*. + +. Click on your new {ExecEnvNameSing}. On the Details page, find the *Signed* label to determine that your {ExecEnvNameSing} has been signed. 
diff --git a/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc b/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc index 3c98e053a8..264c4fa3c2 100644 --- a/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc +++ b/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc @@ -4,7 +4,7 @@ = Deploying your system for container signing -To deploy your system so that it is ready for container signing, first ensure that you have link:{URLContainerizedInstall}/aap-containerized-installation#enabling-automation-hub-collection-and-container-signing_aap-containerized-installation[enabled automation content collection and container signing]. Then you can create a signing script, or xref:proc-adding-containers-remotely-to-the-automation-hub.adoc[add and sign containers remotely]. +To deploy your system so that it is ready for container signing, first ensure that you have link:{URLContainerizedInstall}/aap-containerized-installation#enabling-automation-hub-collection-and-container-signing_aap-containerized-installation[enabled automation content collection and container signing]. Then you can create a signing script, or xref:proc-adding-an-execution-environment.adoc[add and sign an {ExecEnvShort}}] manually. [NOTE] ==== From 628ae937e981ed9b69dc0b38b58950d33b523d1e Mon Sep 17 00:00:00 2001 From: Hala Herbly Date: Fri, 31 Jan 2025 15:25:31 -0600 Subject: [PATCH 5/6] removes one errant bracket --- .../hub/proc-deploying-your-system-for-container-signing.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc b/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc index 264c4fa3c2..656efd679f 100644 --- a/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc +++ b/downstream/modules/hub/proc-deploying-your-system-for-container-signing.adoc 
@@ -4,7 +4,7 @@ = Deploying your system for container signing -To deploy your system so that it is ready for container signing, first ensure that you have link:{URLContainerizedInstall}/aap-containerized-installation#enabling-automation-hub-collection-and-container-signing_aap-containerized-installation[enabled automation content collection and container signing]. Then you can create a signing script, or xref:proc-adding-an-execution-environment.adoc[add and sign an {ExecEnvShort}}] manually. +To deploy your system so that it is ready for container signing, first ensure that you have link:{URLContainerizedInstall}/aap-containerized-installation#enabling-automation-hub-collection-and-container-signing_aap-containerized-installation[enabled automation content collection and container signing]. Then you can create a signing script, or xref:proc-adding-an-execution-environment.adoc[add and sign an {ExecEnvShort}] manually. [NOTE] ==== From e0d6f3e5a36dafc877e7f748328a2408831669f9 Mon Sep 17 00:00:00 2001 From: Hala Herbly Date: Fri, 31 Jan 2025 15:38:01 -0600 Subject: [PATCH 6/6] edit based on peer review feedback --- .../modules/hub/proc-adding-an-execution-environment.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/downstream/modules/hub/proc-adding-an-execution-environment.adoc b/downstream/modules/hub/proc-adding-an-execution-environment.adoc index c296899db6..1c6bd30b50 100644 --- a/downstream/modules/hub/proc-adding-an-execution-environment.adoc +++ b/downstream/modules/hub/proc-adding-an-execution-environment.adoc @@ -19,7 +19,7 @@ If the field is blank, all the tags are passed. You must specify which repository-specific tags to pass. -.. Optional: Enter tags to exclude in *Add tag(s) to exclude*. +.. Optional: Enter tags to exclude in the *Add tag(s) to exclude* field. . Click btn:[Create {ExecEnvShort}]. You should see your new {ExecEnvNameSing} in the list that appears.
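Review bot: PATCH 1/6, first step of the new .Procedure in proc-deploying-your-system-for-container-signing.adoc, commits the literal placeholder `[NEW CONTENT FROM CONTAINERIZED INSTALL GUIDE]`, which would render verbatim to readers. The real link only arrives in PATCH 2/6, so squash the two, or hold 1/6 until the target exists. The same patch hides the existing signing-script instructions inside a `////` comment block whose closing delimiter leaves the file with no trailing newline. If the script path is no longer supported, delete the text instead of commenting it out, and end the file with a newline.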
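Review bot: PATCH 2/6, the added opening sentence has a space between the link target and `[enabled automation content collection and container signing]`, so the link text will not attach to the macro. PATCH 3/6 removes the space; fold that fix into this commit. This hunk also deletes the only sentence that says why images are signed ("{HubNameStart} implements image signing to offer better security for the {ExecEnvShort} container images."), so the module now opens straight into an instruction. Keep that sentence as the first line so the reader knows what the signing step protects.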
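Review bot: PATCH 4/6, proc-adding-an-execution-environment.adoc now ends in a *Sign execution environment* step but has no .Prerequisites block, so nothing tells the reader that a signing key must already exist. The PATCH 1/6 version of these steps started by checking for the `container-default` key under {MenuACAdminSignatureKeys}, and that check was dropped when the steps moved here. Add a prerequisite that links to enabling collection and container signing and restates the key check. Two wording points in the same hunk: "The *Name* field displays the name" reads as a read-only field although this is the create form, so use an imperative such as "enter"; and steps 2 and 3 spell the button as `btn:[Create execution environment]` and `btn:[Create {ExecEnvShort}]`, where PATCH 1/6 used the literal label for both, so confirm against the UI and use one spelling.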
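Review bot: PATCH 4/6, second file, the new xref text `[add and sign an {ExecEnvShort}}]` has a stray closing brace after the attribute, which would render as a literal `}` in the link text. PATCH 5/6 removes it; squash that fix into this commit so no intermediate revision builds with the broken link text.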
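Review bot: PATCH 6/6, the unchanged context directly above the edited line still reads "If the field is blank, all the tags are passed. You must specify which repository-specific tags to pass.", which conflicts with the "Optional:" label that PATCH 4/6 put on the include-tags substep. Decide whether include tags are required and reword those two sentences to match, for example by stating once what a blank field does. The text removed in PATCH 1/6 also warned that syncing a large number of tags is time consuming and uses a lot of disk space; that caution belongs next to the blank-field behaviour.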