
Getting Started with Judge in EKS

Architecture

[Architecture diagram] JUDGE deploys into an AWS EKS cluster and uses a customer-provisioned S3 bucket for object storage and a customer-provisioned RDS instance for database storage. Components running in the cluster: JUDGE Web (UI), JUDGE API (API services; manages attestations and policies), Archivista (attestation store), Kratos (OAuth solution, authentication) and the GitHub/GitLab integration.

Flow

[Sequence diagram] Participants: User, CI/CD Pipeline, Witness CLI, Archivista, JUDGE Web. Users can view and manage all data via the JUDGE Web UI. The flow shown is:

  1. Install the Witness CLI.
  2. Wrap CI/CD commands with Witness.
  3. Submit attestations.
  4. View attestations.
  5. Write policies.
  6. Execute `witness verify`.
  7. Enforcement outcome.
  8. Verification summary.

Overview

JUDGE enables a unified developer and cybersecurity governance experience. Starting with a build pipeline observer, it automates the collection and management of trusted telemetry, and then acts on evidence-based supply chain attestations. It yields a lower residual risk of a software supply chain attack by amplifying the Sec in DevSecOps.

Getting Started

  1. Purchase on AWS Marketplace: Start by purchasing JUDGE from the AWS Marketplace.

  2. Provision S3 buckets and databases for JUDGE: See Provision and Configure Object and Database Storage for more information on how to set up object storage and databases for JUDGE.

  3. Set up OAuth with your favorite git platform: See our Kratos Documentation for more information on how to set up GitHub and/or GitLab with JUDGE.

  4. Installation:

    • Access the ECR
    • Deploy to EKS using Helm, using your own values.yaml file to override values for your custom configuration:
     echo "Deploying: judge-chart"
     helm install judge oci://709825985650.dkr.ecr.us-east-1.amazonaws.com/testifysec/judge-chart --version 1.6.0 \
     -f values.yaml \
     --set global.registry=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com \
     --set global.repository="" \
     --set kratos.kratos.dsn="postgres://${PGUSER}:${PGPASSWORD//,/\\,}@${PGHOST}:${PGPORT}/kratos?max_conns=20&max_idle_conns=4" \
     --set kratos.kratos.config.selfservice.methods.oidc.config.providers[0].client_id="${GITLAB_OIDC_CLIENT_ID}" \
     --set kratos.kratos.config.selfservice.methods.oidc.config.providers[0].client_secret="${GITLAB_OIDC_CLIENT_SECRET}" \
     --set kratos.kratos.config.selfservice.methods.oidc.config.providers[1].client_id="${GITHUB_OIDC_CLIENT_ID}" \
     --set kratos.kratos.config.selfservice.methods.oidc.config.providers[1].client_secret="${GITHUB_OIDC_CLIENT_SECRET}" \
     --set dex.config.connectors[0].config.clientID="${GITLAB_OIDC_CLIENT_ID}" \
     --set dex.config.connectors[0].config.clientSecret="${GITLAB_OIDC_CLIENT_SECRET}" \
     --set judge-api.sqlStore.connectionString="postgres://${PGUSER}:${PGPASSWORD//,/\\,}@${PGHOST}:${PGPORT}/judge" \
     --set archivista.sqlStore.connectionString="postgres://${PGUSER}:${PGPASSWORD//,/\\,}@${PGHOST}:${PGPORT}/archivista" \
     --set judge-api.workflows.signer.kmsUri="awskms:///${WORKFLOWKEYARN}" \
     --set judge-api.workflows.slackIntegration.channelId="${SLACK_CHANNEL_ID}" \
     --set judge-api.workflows.slackIntegration.token="${SLACK_TOKEN}" \
     --set judge-api.dapr.pubsub.sqsQueueNameOverride="${QUEUE_NAME}" \
     --set judge-api.deployment.env[0].value="${TOPIC_NAME}" \
     --set archivista.deployment.env[0].value="${TOPIC_NAME}" \
     --wait
    
    • Configure your Load Balancer and DNS for the Cluster
    • Connect your provisioned S3 bucket and RDS instance
  5. Configuring JUDGE Helm: See Getting Started with JUDGE Helm for more information on how to customize your JUDGE deployment.
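The install command above interpolates a number of environment variables into `--set` flags, and two details are easy to get wrong: an unset variable is passed to the chart silently as an empty string, and `helm --set` splits values on commas, so a database password containing a comma corrupts the DSN unless it is escaped (that is what the `${PGPASSWORD//,/\\,}` expansion does). The following pre-flight script is an added example, not part of the JUDGE chart or TestifySec's tooling; it assumes the same environment variable names and `--set` value paths as the command above, shows a subset of the flags, and renders the release with `helm install --dry-run` so the templates can be reviewed before anything is created in the cluster:

```shell
#!/usr/bin/env bash
# Added pre-flight helper for the "helm install judge" step (illustrative,
# not part of the JUDGE chart). Assumes the same variables the install
# command uses: PGUSER, PGPASSWORD, PGHOST, PGPORT, AWS_ACCOUNT_ID,
# AWS_DEFAULT_REGION.

# Fail loudly if any variable the helm command interpolates is unset or
# empty. Variable names are controlled by the caller, so eval is safe here.
require_env() {
  missing=0
  for name in "$@"; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      echo "missing required variable: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Escape commas for helm --set ("a,b" -> "a\,b"). This is what the bash
# expansion ${PGPASSWORD//,/\\,} does; the sed form also works in POSIX sh.
helm_escape() {
  printf '%s\n' "$1" | sed 's/,/\\,/g'
}

# Build the Postgres DSN for one JUDGE database (kratos, judge, archivista)
# with the password already escaped for --set. An optional query string is
# appended verbatim. Usage: pg_dsn USER PASSWORD HOST PORT DB [QUERY]
pg_dsn() {
  user=$1; pass=$2; host=$3; port=$4; db=$5; query=${6:-}
  dsn="postgres://$user:$(helm_escape "$pass")@$host:$port/$db"
  if [ -n "$query" ]; then
    dsn="$dsn?$query"
  fi
  printf '%s' "$dsn"
}

# Render the release without installing it. Only runs when called explicitly.
preflight_install() {
  require_env PGUSER PGPASSWORD PGHOST PGPORT AWS_ACCOUNT_ID AWS_DEFAULT_REGION || return 1
  helm install judge oci://709825985650.dkr.ecr.us-east-1.amazonaws.com/testifysec/judge-chart --version 1.6.0 \
    -f values.yaml \
    --set global.registry="$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com" \
    --set global.repository="" \
    --set kratos.kratos.dsn="$(pg_dsn "$PGUSER" "$PGPASSWORD" "$PGHOST" "$PGPORT" kratos 'max_conns=20&max_idle_conns=4')" \
    --set judge-api.sqlStore.connectionString="$(pg_dsn "$PGUSER" "$PGPASSWORD" "$PGHOST" "$PGPORT" judge)" \
    --set archivista.sqlStore.connectionString="$(pg_dsn "$PGUSER" "$PGPASSWORD" "$PGHOST" "$PGPORT" archivista)" \
    --dry-run
}
```

Source the script and call `preflight_install` from the shell that already exports the variables; once the dry-run output looks right, drop `--dry-run` or run the full install command from the step above. Note that the escaping only protects the `--set` parsing: characters that are reserved inside a URL (such as `@` or `/`) in the password still need to be percent-encoded for the DSN itself.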

Provision and Configure Object and Database Storage

JUDGE requires database and object storage to run. We recommend you provision databases for JUDGE with Amazon RDS and object storage with Amazon S3. Once you have provisioned these resources, you can configure your JUDGE deployment to use them.

Setting up Object and Database Storage for JUDGE

Step 1: Create an RDS Instance

To create an RDS instance with databases for Archivista, Judge-API, and Kratos, follow these steps:

  1. Log in to the AWS Management Console.
  2. Navigate to the RDS service.
  3. Click on "Create database" and select the desired database engine.
  4. Configure the database instance settings, such as instance type, storage, and security groups.
  5. Specify the database name, username, and password for each of the databases.
  6. Review the configuration and click on "Create database" to create the RDS instance.

For more information, see Getting Started with JUDGE Helm.

Step 2: Create an AWS S3 Bucket

To create an AWS S3 bucket, follow these steps:

  1. Log in to the AWS Management Console.
  2. Navigate to the S3 service.
  3. Click on "Create bucket" and provide a unique name for your bucket.
  4. Configure the bucket settings, such as region and access permissions.
  5. Review the configuration and click on "Create bucket" to create the S3 bucket.

For more information, see Getting Started with JUDGE Helm.

Step 3: Configure JUDGE Deployment

You can customize your JUDGE deployment through Helm Values.

Use the provided values.yaml file to customize your deployment here

For more information, see Configuring JUDGE Helm

Step 4: Connect RDS and S3 to JUDGE Deployment

To connect the RDS instance and S3 bucket to your JUDGE deployment using the Helm chart, follow the instructions in the Configuring JUDGE Helm guide.

Integration Guide

This section will brief you on how to integrate our products into your ecosystem.

Witness CLI

  • Installation: Download Witness from https://your-archivista-domain/v1/artifacts
  • Usage: Integrate Witness CLI into your pipeline for generating attestations.

Managing Attestations

  • View and manage attestations via JUDGE Web UI.

Policy Enforcement

  • Policy Creation: Create policies and store them in Archivista.
  • Policy Enforcement: Use witness verify to enforce policies within your pipeline.

Best Practices

  • Security Recommendations: Implement witness verify as close to production as possible for optimal security.
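The Witness CLI usage, Policy Enforcement and Best Practices items above describe one procedure: record the build with Witness so a signed attestation reaches Archivista, then run `witness verify` against the signed policy right before the artifact reaches production and let its exit status decide whether deployment proceeds. The script below is an added example and is not code from the Witness or JUDGE projects. It assumes `witness` is on PATH, that flag names follow the Witness README (`witness run --step ... -o ... --signer-file-key-path ... --enable-archivista --archivista-server ...` and `witness verify -p ... -k ... -f ...`; check them against `witness --help` for the installed version), and uses placeholder file names (`build-key.pem`, `policy-signed.json`, `policy-pub.pem`, `./app`), a placeholder step name `build` and an `ARCHIVISTA_URL` variable pointing at your Archivista server:

```shell
#!/usr/bin/env bash
# Added example: wrap a build with Witness and gate the deploy on
# "witness verify". Illustrative only; not part of Witness or JUDGE.
# Placeholders: build-key.pem, policy-signed.json, policy-pub.pem, ./app,
# step name "build", and ARCHIVISTA_URL (your Archivista server).

# Step 1 (build job): run the build under Witness so the command, its
# environment and the produced artifact are captured in a signed attestation
# that is also submitted to Archivista.
attest_build() {
  witness run --step build \
    --enable-archivista --archivista-server "${ARCHIVISTA_URL:-}" \
    --signer-file-key-path build-key.pem \
    -o build-attestation.json \
    -- go build -o app .
}

# Step 2 (deploy job, as close to production as possible): verify the
# artifact against the signed policy. Fails closed: a missing policy or
# policy key is treated as a failure, not as "nothing to enforce".
verify_gate() {
  artifact=$1
  if [ ! -f policy-signed.json ] || [ ! -f policy-pub.pem ]; then
    echo "refusing to deploy $artifact: policy or policy public key missing" >&2
    return 2
  fi
  if witness verify \
       --enable-archivista --archivista-server "${ARCHIVISTA_URL:-}" \
       -p policy-signed.json -k policy-pub.pem -f "$artifact"; then
    echo "policy satisfied for $artifact" >&2
    return 0
  fi
  echo "policy NOT satisfied for $artifact; blocking deploy" >&2
  return 1
}

# Only the gate's exit status decides whether the deploy command runs.
deploy_if_verified() {
  verify_gate "$1" || return $?
  echo "deploying $1"   # replace with the real deployment command (placeholder)
}
```

In a pipeline, `attest_build` runs in the build job and `deploy_if_verified app` in the deploy job; because `verify_gate` returns non-zero both when verification fails and when the policy material is absent, the CI runner marks the job failed in either case and the enforcement outcome is applied before anything ships.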

Support

For further assistance or troubleshooting, contact our support team at support@testifysec.com.

© 2025 TestifySec Inc.