hacktricks-cloud/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md

# Concourse Lab Creation

{{#include ../../banners/hacktricks-training.md}}

## Testing Environment

### Running Concourse

#### With Docker-Compose

Hii faili ya docker-compose inarahisisha usanikishaji wa kufanya majaribio na concourse:
```bash
wget https://raw.githubusercontent.com/starkandwayne/concourse-tutorial/master/docker-compose.yml
docker-compose up -d
```
Unaweza kupakua amri ya `fly` kwa ajili ya OS yako kutoka mtandao katika `127.0.0.1:8080`

#### Pamoja na Kubernetes (Inapendekezwa)

Unaweza kwa urahisi kupeleka concourse katika **Kubernetes** (katika **minikube** kwa mfano) kwa kutumia helm-chart: [**concourse-chart**](https://github.com/concourse/concourse-chart).
```bash
brew install helm
helm repo add concourse https://concourse-charts.storage.googleapis.com/
helm install concourse-release concourse/concourse
# concourse-release will be the prefix name for the concourse elements in k8s
# After the installation you will find the indications to connect to it in the console

# If you need to delete it
helm delete concourse-release
```
Baada ya kuunda mazingira ya concourse, unaweza kuunda siri na kutoa ufikiaji kwa SA inayotembea katika concourse web ili kufikia siri za K8s:
```yaml
echo 'apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: read-secrets
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-secrets-concourse
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: read-secrets
subjects:
- kind: ServiceAccount
name: concourse-release-web
namespace: default

---

apiVersion: v1
kind: Secret
metadata:
name: super
namespace: concourse-release-main
type: Opaque
data:
secret: MWYyZDFlMmU2N2Rm

' | kubectl apply -f -
```
### Unda Pipeline

Pipeline inaundwa na orodha ya [Jobs](https://concourse-ci.org/jobs.html) ambayo ina orodha iliyopangwa ya [Steps](https://concourse-ci.org/steps.html).

### Steps

Aina kadhaa tofauti za hatua zinaweza kutumika:

- **hatua ya** [**`task` step**](https://concourse-ci.org/task-step.html) **inaendesha** [**task**](https://concourse-ci.org/tasks.html)
- hatua ya [`get` step](https://concourse-ci.org/get-step.html) inapata [resource](https://concourse-ci.org/resources.html)
- hatua ya [`put` step](https://concourse-ci.org/put-step.html) inasasisha [resource](https://concourse-ci.org/resources.html)
- hatua ya [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) inakamilisha [pipeline](https://concourse-ci.org/pipelines.html)
- hatua ya [`load_var` step](https://concourse-ci.org/load-var-step.html) inaloadi thamani kwenye [local var](https://concourse-ci.org/vars.html#local-vars)
- hatua ya [`in_parallel` step](https://concourse-ci.org/in-parallel-step.html) inaendesha hatua kwa pamoja
- hatua ya [`do` step](https://concourse-ci.org/do-step.html) inaendesha hatua kwa mpangilio
- mrekebishaji wa hatua ya [`across` step](https://concourse-ci.org/across-step.html#schema.across) inaendesha hatua mara nyingi; mara moja kwa kila mchanganyiko wa thamani za mabadiliko
- hatua ya [`try` step](https://concourse-ci.org/try-step.html) inajaribu kuendesha hatua na inafanikiwa hata kama hatua inashindwa

Kila [step](https://concourse-ci.org/steps.html) katika [job plan](https://concourse-ci.org/jobs.html#schema.job.plan) inaendesha katika **konteina yake mwenyewe**. Unaweza kuendesha chochote unachotaka ndani ya konteina _(yaani, endesha majaribio yangu, endesha hii bash script, jenga picha hii, nk.)_. Hivyo basi, ikiwa una kazi yenye hatua tano, Concourse itaunda konteina tano, moja kwa kila hatua.

Kwa hivyo, inawezekana kuashiria aina ya konteina ambayo kila hatua inahitaji kuendesha ndani yake.

### Mfano wa Rahisi wa Pipeline
```yaml
jobs:
- name: simple
plan:
- task: simple-task
privileged: true
config:
# Tells Concourse which type of worker this task should run on
platform: linux
image_resource:
type: registry-image
source:
repository: busybox # images are pulled from docker hub by default
run:
path: sh
args:
- -cx
- |
sleep 1000
echo "$SUPER_SECRET"
params:
SUPER_SECRET: ((super.secret))
```

```bash
fly -t tutorial set-pipeline -p pipe-name -c hello-world.yml
# pipelines are paused when first created
fly -t tutorial unpause-pipeline -p pipe-name
# trigger the job and watch it run to completion
fly -t tutorial trigger-job --job pipe-name/simple --watch
# From another console
fly -t tutorial intercept --job pipe-name/simple
```
Angalia **127.0.0.1:8080** ili kuona mtiririko wa pipeline.

### Bash script na pipeline ya matokeo/ingizo

Inawezekana **kuhifadhi matokeo ya kazi moja katika faili** na kuashiria kwamba ni matokeo na kisha kuashiria ingizo la kazi inayofuata kama matokeo ya kazi ya awali. Kile ambacho concourse inafanya ni **kuunganisha directory ya kazi ya awali katika kazi mpya ambapo unaweza kufikia faili zilizoundwa na kazi ya awali**.

### Triggers

Huhitaji kuanzisha kazi kwa mikono kila wakati unapotaka kuzifanya, unaweza pia kuzipanga zifanyike kila wakati:

- Wakati fulani unapita: [Time resource](https://github.com/concourse/time-resource/)
- Kwa commits mpya kwenye tawi kuu: [Git resource](https://github.com/concourse/git-resource)
- PR mpya: [Github-PR resource](https://github.com/telia-oss/github-pr-resource)
- Pakua au sukuma picha ya hivi karibuni ya programu yako: [Registry-image resource](https://github.com/concourse/registry-image-resource/)

Angalia mfano wa YAML pipeline unaoanzishwa kwa commits mpya kwenye master katika [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html)

{{#include ../../banners/hacktricks-training.md}}