Hello everyone! I started to write a blog about a DevSecOps walkthrough, which includes a local DevOps + Security Tools environment.
SCM: GitLab
CI/CD: Jenkins
Image Repository: Nexus
Ticketing: Jira Free Version
Kubernetes distribution: k3s
Target Application: DVJA - Damn Vulnerable Java Application
CPU: AMD Ryzen 9 5900X (24) @ 5.619GHz
Memory: 23909MiB
Swap: 4GB
OS: ArchLinux 6.12.4-zen1-1-zen
Terminal: 5.2.37
Docker version 27.3.1, build ce1223035a
k3s version v1.31.3+k3s1 (6e6af988)
go version go1.22.8
ATTENTION! The configurations will make your machine vulnerable.
All configurations are done in order to set up the environment easily. Take notes of what you change; no responsibility is taken if you break something, you were warned...
- `./scripts/change_hosts_file.sh` - This script overwrites your `/etc/hosts` file with the new IPs of the applications; run the script whenever you add a new tool!
- `./scripts/create_directories.sh` - [ VULNERABLE CONFIG ] This script creates persistent directories for each tool.
- `./yamls/basic/` - This directory has the minimal DevOps setup. You can deploy this setup with `sudo k3s kubectl apply -f ./base_yamls/`. The detailed installation steps are in the second blog post.
- `./yamls/app/deployment.yaml` - Put this deployment configuration file into your local copy of dvja, which is also located on your local GitLab instance.
- `./jenkinsfiles/Jenkinsfile.basic` - This Jenkinsfile has the minimal CI/CD steps, which are: Pull Code -> Build Code -> Create Docker Image -> Push Docker Image -> Deploy
- DevSecOps Series I - Introduction
- DevSecOps Series II - the Simple DevOps Environment
- DevSecOps Series III - SAST
- DevSecOps Series IV - DAST
- DevSecOps Series V - SCA
- DevSecOps Series VI - Container Security Scan
- `/var/run/docker.sock` must exist before any of the operations below; start your Docker daemon first!
  - VULNERABLE ADVICE: you can also run `sudo chmod 777 /var/run/docker.sock` to work without root.
  - BETTER: add yourself to the docker group to work with the daemon.
- HTTP response for HTTPS service:
  - You have to define insecure-registries both in `/etc/rancher/k3s/registries.yaml` and `/etc/docker/daemon.json`.
  - Check your nexus.local entry in `/etc/hosts` and refresh it with `change_hosts_file.sh` (you can delete `/etc/hosts` if needed).
- Domains in Jenkins steps: the domains are only for requests from docker.sock and from yourself; `/etc/hosts` rows are not valid for the pods, watch out.
- If you are in doubt, just erase all of them and start again: `$ sudo k3s kubectl delete -f base_yamls/`
- Jenkins plugins are important; check again if something is broken or not found.
- Check that your credentials are saved correctly. Used credentials:
  1) One private key for the SSH connection (Jenkins)
  2) One private key for the Git SSH (Jenkins)
  3) One user:passwd for the Nexus login (Jenkins)
  4) One Nexus kubectl secret of type docker-registry, configured from the CLI
- Check Jenkins plugins:
  - Docker API Plugin
  - Docker Commons Plugin
  - Docker Pipeline
  - Docker plugin
  - Config File Provider Plugin
  - Maven Integration plugin
  - Pipeline Maven Integration Plugin
  - Pipeline Maven Plugin API
  - SSH Agent
- Delete the deployed DVJA before a new build: `$ sudo k3s kubectl delete -f /tmp/deployment.yaml` (from your host machine)
- If something is broken and you would like to set it up again, you can also delete the parts separately:
  - `$ sudo k3s kubectl delete -f base_yamls/nexus-deployment.yaml`
  - `$ sudo k3s kubectl delete -f base_yamls/nexus-data-persistentvolumeclaim.yaml`
  - `$ sudo k3s kubectl delete -f base_yamls/nexus-service.yaml`
- You can't commit or pull: just edit `~/.ssh/config`:

  ```
  Host gitlab.local
    HostName gitlab.local
    Port 2222
    User git
  ```
- Add the `yamls/app/deployment.yaml` file into the local dvja repository.
- Also add the `nexus_pass` secret to log in to Nexus from the host itself:
  `$ sudo k3s kubectl create secret docker-registry nexus_pass --docker-server=nexus.local:8082 --docker-username=admin --docker-password='wowsuchchar8!'`
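A preflight script, added here as an example (not part of this repo), that turns the docker.sock, insecure-registries and /etc/hosts notes above into checks you can run before a build. It assumes the nexus.local:8082 registry from the create-secret command and the default file paths; each check takes its path as an argument, so it can also be run against copies.

```shell
#!/usr/bin/env sh
# Lab-host preflight for the README's troubleshooting items (added example,
# not part of the repo). Every check takes its file path as an argument so it
# can run against the real files (--run) or against constructed copies.
# REGISTRY is the nexus.local:8082 used in the README's create-secret command.
REGISTRY="nexus.local:8082"

# 0 if the socket exists and is not world-writable (flags the chmod 777 shortcut).
check_socket_mode() {
  sock="$1"
  [ -e "$sock" ] || { echo "MISSING $sock (start the docker daemon first)"; return 1; }
  mode=$(stat -c '%a' "$sock" 2>/dev/null || stat -f '%Lp' "$sock")
  case "$mode" in
    *[2367]) echo "WEAK    $sock mode $mode is world-writable; use the docker group instead"; return 1 ;;
  esac
  echo "OK      $sock mode $mode"
}

# 0 if the registry is named in a config file. The README requires it in both
# /etc/rancher/k3s/registries.yaml and /etc/docker/daemon.json; a plain-HTTP
# registry missing from either file gives the "HTTP response for HTTPS service" error.
check_insecure_registry() {
  file="$1"; reg="$2"
  [ -r "$file" ] || { echo "MISSING $file"; return 1; }
  grep -qF -- "$reg" "$file" && { echo "OK      $file names $reg"; return 0; }
  echo "ABSENT  $file does not name $reg"; return 1
}

# 0 if a hosts file maps the name to an IPv4 address. This only helps the host
# and docker.sock; pods do not read /etc/hosts, as the README warns.
check_hosts_entry() {
  grep -Eq "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[[:space:]]+([^[:space:]]+[[:space:]]+)*$2([[:space:]]|$)" "$1"
}

# Runs every check against the real paths; the exit status is the number of failures.
preflight() {
  fails=0
  check_socket_mode /var/run/docker.sock || fails=$((fails + 1))
  check_insecure_registry /etc/rancher/k3s/registries.yaml "$REGISTRY" || fails=$((fails + 1))
  check_insecure_registry /etc/docker/daemon.json "$REGISTRY" || fails=$((fails + 1))
  if check_hosts_entry /etc/hosts nexus.local; then echo "OK      /etc/hosts has nexus.local"
  else echo "ABSENT  nexus.local not in /etc/hosts; run ./scripts/change_hosts_file.sh"; fails=$((fails + 1)); fi
  return "$fails"
}

case "${1:-}" in --run) preflight ;; esac
```

Run it as `sh preflight.sh --run` on the lab host; a non-zero exit status tells you how many of the README's prerequisites are still missing.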