diff --git a/buildspecs/census-pki.bundle.crt b/buildspecs/census-pki.bundle.crt
deleted file mode 100644
index 8aacf3b..0000000
--- a/buildspecs/census-pki.bundle.crt
+++ /dev/null
@@ -1,267 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFSDCCBDCgAwIBAgIJAMn9gqHMdnl3MA0GCSqGSIb3DQEBBQUAMIGfMQswCQYD -VQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQxGzAZBgNVBAoTElUuUy4gQ2Vuc3Vz -IEJ1cmVhdTEiMCAGA1UECxMZVGVsZWNvbW11bmljYXRpb25zIE9mZmljZTEaMBgG -A1UEAxMRY2EudGNvLmNlbnN1cy5nb3YxIDAeBgkqhkiG9w0BCQEWEWNhQHRjby5j -ZW5zdXMuZ292MB4XDTEyMDgxNTE2MTM0OFoXDTMyMDgxMDE2MTM0OFowgZ8xCzAJ -BgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDEbMBkGA1UEChMSVS5TLiBDZW5z -dXMgQnVyZWF1MSIwIAYDVQQLExlUZWxlY29tbXVuaWNhdGlvbnMgT2ZmaWNlMRow -GAYDVQQDExFjYS50Y28uY2Vuc3VzLmdvdjEgMB4GCSqGSIb3DQEJARYRY2FAdGNv -LmNlbnN1cy5nb3YwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSqB5S -s674S6Hnpnl+/cT3OLrUCmuM1KZs+Uo5EsFcZzm4Me/XiF8izGSydFtAKFRbyyk5 -j/K5WLGxo7Ix6eCA1PZXWu6aJOfMmPRb1LaeIst1IlSCpjUoZ8pl60fjYLtbEK79 -STM/nrdV0E2EqcJu7dfzMB1oK96NG6tu8C7m7UgIbSv15NDapgDhyril6J4wVQJU -DOUGRbWjv0Qo6Re0NPBkRFf3owToopNQlQSGZU2UnUehheqXPzk4VQisPrhcVsbg -iu4c98gjtGHK1k2DyJOwsFq2hWmAByLZLJXR7pTqv7Ue8gogFl/ggbvuWrKlVmCh -wKln1pPSLYZ/txTZAgMBAAGjggGDMIIBfzA4BgNVHR8EMTAvMC2gK6AphidodHRw -Oi8vY2EuYXBwcy50Y28uY2Vuc3VzLmdvdi9jZXJ0cy9jcmwwHQYDVR0OBBYEFA8x -pgy5aVvXWgTVO8E7yyO3kp9yMIHUBgNVHSMEgcwwgcmAFA8xpgy5aVvXWgTVO8E7 -yyO3kp9yoYGlpIGiMIGfMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQx -GzAZBgNVBAoTElUuUy4gQ2Vuc3VzIEJ1cmVhdTEiMCAGA1UECxMZVGVsZWNvbW11 -bmljYXRpb25zIE9mZmljZTEaMBgGA1UEAxMRY2EudGNvLmNlbnN1cy5nb3YxIDAe -BgkqhkiG9w0BCQEWEWNhQHRjby5jZW5zdXMuZ292ggkAyf2Cocx2eXcwDwYDVR0T -AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwLwYDVR0RBCgwJoERY2FAdGNvLmNlbnN1 -cy5nb3aCEWNhLnRjby5jZW5zdXMuZ292MA0GCSqGSIb3DQEBBQUAA4IBAQCLNU9/ -OxA2adbFXwiAh8XztL3MN7OUeXasSKtSDo00Ays/Sph1DXkUozSwx3B2JHtfrMj+ -A64qzjRm/Y7sDaM4SFa+Y3rdt7U9UY2UxQLo92zHQMqIbQhrdKBTiCVMrBvBzwWg -SI7KPi2lel499yb0vH/I6czuyQNTuYzHAsufYKeMMq4CeiBbboAegClpYJi5jJLl -dFQZpDUwSs+Pfb95CjPlfc0V3AH6GazbS3BNMMghECpL4rF0m7F7L3nDCklx1PsC -z2chyETY1X74Cg3D1mFV3iUjIvr6+eIZDQ3BStGwFjzxmdH2U2yh1nJnJzNXka9g -lUpluNENkgVZmOys ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- 
-MIIF0zCCA7ugAwIBAgITLgAAAA+ydH8TcbjZAgAAAAAADzANBgkqhkiG9w0BAQwF -ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz -MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz -IEJ1cmVhdSBSb290IENBMB4XDTIyMDkyMjE0NDQwOFoXDTI3MDkyMjE0NTQwOFow -YTETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czES -MBAGCgmSJomT8ixkARkWAmFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1IENB -IDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCiUqJa4e90dNdAFC0W -ju9arRst3FchtNxT0ZPdg/2UpDFN35PFBQ4G1RJxGVGuhpkRmqLdtI9t9BQHZ/tk -QZ6ELJRJVxQMPONBuoXlUbnS3CHwDT5+YIvVZr3jHjv96tq6C2SYJ1BNeqDYjhdK -gF3WXUJpb6lbAwZtv7aHZUSVXcnW/hCkfI2aRZoGXCcgi6hbcJRC74HCGW0eLtCZ -M0Y5+lEGdKLAOiIsl4kea+34Uh5eHjIp9LHCicIfx+5RT5xor4hOJldu2pOmjzrg -FBCz59/5wZHIyQCHOu92p/VGO9eeCxCDlT8DWa78c2HjCnf0FvymlxoHPdH89Rhv -idPFAgMBAAGjggF3MIIBczAQBgkrBgEEAYI3FQEEAwIBAjAjBgkrBgEEAYI3FQIE -FgQUFE9/OhOsohsjHyLcCd1NqTNkdQYwHQYDVR0OBBYEFMSLwaPcjo2CqYcxhzj8 -U1q1Px/KMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAP -BgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFMdeIHdBm/YaIFKQSuoag5Pxw6se -MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNvLmNlbnN1cy5nb3YvQ2Vy -dEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJvb3QlMjBDQS5jcmwwZQYI -KwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8vcGtpLnRjby5jZW5zdXMu -Z292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIwQ0Eu -Y3J0MA0GCSqGSIb3DQEBDAUAA4ICAQCdYsU2TVWTAzVjqPqlO+PtxTcoDxBjlvo+ -L519/iTxzlcz0Kiao83fGhsSitzNf0LsSTOWrAuCprX0sn5If4pasZKqVp+ZJnjF -H9Wpi/4gsaCtvY3V4Hm5ZS1BffUHrre/kR//pn9f2Axu3tTVfHNAEVr0kRvq9wPD -yMe5BzLtm9amOwFvAYP/69zXk4ig88mbOmXjK+EC5AUzwBhg9oI/Kv2AeLbKx+nr -DuguMe6RCp4NXBS1X3/cjRN37+ayJEHynFdWKiVNcvxABVFLGVHBA4fMD9kTjT2a -cf413mhywUcVTfpoj/94Kcqvl3oxgHWGIig9RWExMkvmrkYT5hGqfws+NIGrCGaZ -GA0cUYAY5cbkAg8If3Htt4aSCdTu6g/RbatMFND2GURO2fHPajBILBiDxCJM6OmT -SUQPghQC3QvE48CM5J6KAjPosGh8Ay454FhKv0ShvhKTaHzN6anBih8AbwU5G8iP -XeoNY+jZbkv1gBJ4J+8nffm1n5aFbssbxazppqTLpFDXimduWUxSXZbjwGGwHc7G -FmLj14c8og+ItE+meToVXt6oFSF9hkri5Lmanen9SqU9IPgxiTv91olwmXW6d/3Y 
-D202odbWVpAIIjiVJngfyOulCeEQsz5WjmPyIjFkXNz8NiwAJSJu1XtBtAMdaCDe -6z6OUG7UaQ== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIF1jCCA76gAwIBAgITLgAAAAmcP+bslIv04AAAAAAACTANBgkqhkiG9w0BAQwF -ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz -MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz -IEJ1cmVhdSBSb290IENBMB4XDTE5MDgwNjE1MDc0NVoXDTI0MDgwNjE1MTc0NVow -YTETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czES -MBAGCgmSJomT8ixkARkWAmFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1IENB -IDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCiUqJa4e90dNdAFC0W -ju9arRst3FchtNxT0ZPdg/2UpDFN35PFBQ4G1RJxGVGuhpkRmqLdtI9t9BQHZ/tk -QZ6ELJRJVxQMPONBuoXlUbnS3CHwDT5+YIvVZr3jHjv96tq6C2SYJ1BNeqDYjhdK -gF3WXUJpb6lbAwZtv7aHZUSVXcnW/hCkfI2aRZoGXCcgi6hbcJRC74HCGW0eLtCZ -M0Y5+lEGdKLAOiIsl4kea+34Uh5eHjIp9LHCicIfx+5RT5xor4hOJldu2pOmjzrg -FBCz59/5wZHIyQCHOu92p/VGO9eeCxCDlT8DWa78c2HjCnf0FvymlxoHPdH89Rhv -idPFAgMBAAGjggF6MIIBdjAQBgkrBgEEAYI3FQEEAwIBATAjBgkrBgEEAYI3FQIE -FgQUNDptGIuzWncMER7QFKnL+JZPMwswHQYDVR0OBBYEFMSLwaPcjo2CqYcxhzj8 -U1q1Px/KMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAS -BgNVHRMBAf8ECDAGAQH/AgEBMB8GA1UdIwQYMBaAFMdeIHdBm/YaIFKQSuoag5Px -w6seMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNvLmNlbnN1cy5nb3Yv -Q2VydEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJvb3QlMjBDQS5jcmww -ZQYIKwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8vcGtpLnRjby5jZW5z -dXMuZ292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIw -Q0EuY3J0MA0GCSqGSIb3DQEBDAUAA4ICAQAvLJiXBncvqEq2WjU4CtvB+g9GKgna -MIeu8D41/BdkhTpLR/Cus6Oq+N18cCyyBHNCPS4pz/cDzyzQvNMIDTP7tpcTwEfc -QW/WgPvfJtEmzOaRtNeSBBci1bySX4OMKnzB9ZQbGphaqYaVAG6n+NLCkg1MSvqK -cexAf8wkAJyjx2YOUh+xqwhXRE6UKlc9TVK0b2anVtg4FLNiUznZ6KerEKXx/wxv -XvOZRAY902P2FIRY9qbkEdAshNSA5HlY27pbdH4eZCTyk5uSTlIZQRtngL6w1Gy8 -Xh70AIv+kj38iKp8N4VgksHWS0Viw3Cg4h+3/hY08E/uLCzUKjdZt9I46bM1YKMv -K2LUA8xrWp0IN+wcdp2UUrAlVSHEp6LW+NR+VHtl0QiMYjXA+AvkoRvcoEotgeZP -mqfK9auR+3WiDUrkVLzPoPMQHWE9QXt+eErzBh+YXqqvPgPBGqA25CGwzyrs8iBT 
-jlhbJArFNO6KzQUwyf/Vw3dwX5oOebGuoh+KX9yRaN+q1ZqqWL1Jn40NXF8KQyLk -Ro4c9m+fpkTWhuxW6zW8YIbnmtNDk2X3YfAY1dIKAUIW24Si0SMka8pC2d9qaL2m -fyD0JoF+49cPDtTNHsUP5QR3a+JjqAT8haladoSyiNmO24ysueI7sg9A+zY8oJrM -Gi2tB39Jg7J6/w== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIF0zCCA7ugAwIBAgITLgAAABDGRuhzKgVoqQAAAAAAEDANBgkqhkiG9w0BAQwF -ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz -MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz -IEJ1cmVhdSBSb290IENBMB4XDTIyMDkyMjE0NDUxN1oXDTI3MDkyMjE0NTUxN1ow -YTETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czES -MBAGCgmSJomT8ixkARkWAmFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1IENB -IDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFLt4b/8hnKu0yk7IC -C0qY8gAF20DZrbE6rILe2quYeSQcztIw3H6K2+uAsvpCRjRc4+ra+bKQWLpTv5gP -6l6iDMlun3po1+Qqlga4S4/kJMoYP52AbcdHog33vdvpmtRhL2WLBdHfXLfahVx3 -OB1WkrZMFP4T3L4mTo8SW4abdIf5Q7SmClrHzy+znv4jhKEU9tiY7NXJBCINETx3 -5B8PE8F0r1s0Mv+yhoDHWk2Poa/rC+CrXZ+NdzWfI2ajUc1Nb2b+6f4Wrpc9qC+a -kxYywDcrUoGnwqJYDoIFZY2ErqTQUw7JGQkG/i+7gYs+VaHPcD3DNQq3iFzab26I -0vG5AgMBAAGjggF3MIIBczAQBgkrBgEEAYI3FQEEAwIBAjAjBgkrBgEEAYI3FQIE -FgQUxgMHEbdrxtDC64yaqubXVeW060owHQYDVR0OBBYEFOpnUT2Oc868n6qxmUrj -FdfUn3tOMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAP -BgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFMdeIHdBm/YaIFKQSuoag5Pxw6se -MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNvLmNlbnN1cy5nb3YvQ2Vy -dEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJvb3QlMjBDQS5jcmwwZQYI -KwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8vcGtpLnRjby5jZW5zdXMu -Z292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIwQ0Eu -Y3J0MA0GCSqGSIb3DQEBDAUAA4ICAQB/Kn2/ohaTr4XDgu5msLiKzjA3Rqb4Wf4r -FmzpJXcaB9N4Tyg19qgZ9l57AVDO6DWlXBENY+FXERe/qrvhFawZqActT7dPqJJv -Z30hwBcXc8ELjNxVp54MDJfd2oHUkXwJ46i1GphHfie0Q/csoraRpf/DjXuaruxM -Vgt4Roo6zBGf2nSCfqVLR2NZ93orfSybg5g2eutYuftkd5tzbcxdhHlTlhhbNpIV -quVaT46hN1h/q1bMmS4bGBdLUQggY5BtY9RM4gDhcyh1K8k5auM+uPyWqnnd10wI -vuRSu2zNueWlqVstSTbnZdf138nssj+MzN8xcmn+mXH7z8COXwhJLBKRr7Xg7l7G 
-UMmc86eYbmpphs3LhzZNMooAGUedm15Ln1u9wgywtP6CbpvBVIcSxmjJeiN6bXy6 -dtbZCCziijO1UehOqc81jZy/jdG158D0WfOumNkx1biGwZ/YR+oGslaSkMr58e/7 -abPBMlQmDwvlTWeiUqMZJAzNHk13c8jSeMtaGXtE9D9Sv2oPVGwjeB2krn1Lb8uU -YeEl0YmQ2W1GpoYC4zU7gnnNjSbLr13L8Gjsmk9FYy4HWDRgJvAvF2O3DldldxP2 -MurPmXriFtEUNo4e1UKJciPJlYChWz1/0Hwncab8AWaw3MPkyYpELKis+vTELriO -iHAYOPwOJg== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIF1jCCA76gAwIBAgITLgAAAApfi2u0+zjcuQAAAAAACjANBgkqhkiG9w0BAQwF -ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz -MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz -IEJ1cmVhdSBSb290IENBMB4XDTE5MDgwNjE1MDc0M1oXDTI0MDgwNjE1MTc0M1ow -YTETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czES -MBAGCgmSJomT8ixkARkWAmFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1IENB -IDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFLt4b/8hnKu0yk7IC -C0qY8gAF20DZrbE6rILe2quYeSQcztIw3H6K2+uAsvpCRjRc4+ra+bKQWLpTv5gP -6l6iDMlun3po1+Qqlga4S4/kJMoYP52AbcdHog33vdvpmtRhL2WLBdHfXLfahVx3 -OB1WkrZMFP4T3L4mTo8SW4abdIf5Q7SmClrHzy+znv4jhKEU9tiY7NXJBCINETx3 -5B8PE8F0r1s0Mv+yhoDHWk2Poa/rC+CrXZ+NdzWfI2ajUc1Nb2b+6f4Wrpc9qC+a -kxYywDcrUoGnwqJYDoIFZY2ErqTQUw7JGQkG/i+7gYs+VaHPcD3DNQq3iFzab26I -0vG5AgMBAAGjggF6MIIBdjAQBgkrBgEEAYI3FQEEAwIBATAjBgkrBgEEAYI3FQIE -FgQU6ZLQoy5LJaVqTI5Em9TBptKdLmAwHQYDVR0OBBYEFOpnUT2Oc868n6qxmUrj -FdfUn3tOMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAS -BgNVHRMBAf8ECDAGAQH/AgEBMB8GA1UdIwQYMBaAFMdeIHdBm/YaIFKQSuoag5Px -w6seMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNvLmNlbnN1cy5nb3Yv -Q2VydEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJvb3QlMjBDQS5jcmww -ZQYIKwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8vcGtpLnRjby5jZW5z -dXMuZ292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIw -Q0EuY3J0MA0GCSqGSIb3DQEBDAUAA4ICAQCYQm6VusLYzHy9PM0P4dSkHSUVGug+ -8Q/Gn1qQ+pejTpx0fR+pxq8DP8Ua3qgWsIz3scrONairxWVUW5AA4E0VXU0fO6n+ -4DLdJnwwIEIkV410p5w79l9Dl2NiI31Ijv0Y8PwEzXmcSvcz1Qc05TyRV+1yv6Uh -nHfnu4kHXj26NOOsPjrEJ60l0tcOT4p3edkwYRf3XzQ19k4ITEBeYF76y1FX8H+W 
-RTIjQNr8BXUVt+afJZXgUgSB0xHfSRBhTUXiFvKbs1BpICNQmhbFIaz7GJZkvx9r -b+7Um2EQNIQKxoe4rG4mar62Ux3k0i9o8O9nccQSl9VCuSvTyCmtpKpsKRRitMf2 -vBQ9D14p5pzDdFZQC75B8lkibXpuk8fQ3/CIMqK4547wIO8tgz4wqN8ID4tEBgqZ -Fot9XSJpDAZHYKx5GWVwKmhqwefACqqASjHR8NVakAd3EkcQ06SEzGYTTq2duWhi -fOxpJKtMtw9JTfbOG9Az28rRWGCk1vVHmtkVHApD3XdAV3RG6w/AqjNu/IY70fmd -wULhegJxbVdQucgwR4WyNbx7hCJYvoEyL5L7ZQwBpFXHnOI7wJFGw2eo5xIUehUS -4jPpb2OolWHEOjMkEkRfgfrJsnt/blpKXRmYRFUd1+c5VBOtsaYv3iYArxZziQxf -pR508zEDCd9cRQ== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIF1DCCA7ygAwIBAgITLgAAAA4zbBR3VlxWyAAAAAAADjANBgkqhkiG9w0BAQwF -ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz -MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz -IEJ1cmVhdSBSb290IENBMB4XDTIyMDIyODE3NTUxOFoXDTI3MDIyODE4MDUxOFow -YjETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czET -MBEGCgmSJomT8ixkARkWA2VhZDEeMBwGA1UEAxMVVVMgQ2Vuc3VzIEJ1cmVhdSBD -QSAzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxA+7bWM9ZExFO/ZN -uFodd+ktg0TWojeV8QJTYAdtwzMquqDl/zMLgkHPD8xC730qMdKB6Df74i3moN5c -6h9S087T0tdf02U0J95AfO06oZiaGNzq/zacINhfbxWf2ZAyZCiwpcQL3w3uAjS1 -MK++iC8ZWDBnd5z64ewCDFS8d9FD5RrJ0GxGCcC4IJ8DyhOq7i3a/Td29wLTP1wz -QuFLVD/5JFWirqnJwgqVVEUdzf8ZK3MSk9DAZcIjY/mIZgnnZ+ukcD0TtYkOnPU7 -j7EGeqo6Jby3T75p4x3uRlNaEKAqXBqiu7bVx+T0cTtuJEjtw4l/8WEGEFGI6Jfs -0Du9+QIDAQABo4IBdzCCAXMwEAYJKwYBBAGCNxUBBAMCAQEwIwYJKwYBBAGCNxUC -BBYEFE2wPwIWNvlAbZy05X4kklJu09q8MB0GA1UdDgQWBBQgeDnrT+0C8IDam1yA -6LKRQtYpxDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYw -DwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTHXiB3QZv2GiBSkErqGoOT8cOr -HjBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vcGtpLnRjby5jZW5zdXMuZ292L0Nl -cnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIwQ0EuY3JsMGUG -CCsGAQUFBwEBBFkwVzBVBggrBgEFBQcwAoZJaHR0cDovL3BraS50Y28uY2Vuc3Vz -Lmdvdi9DZXJ0RW5yb2xsL1VTJTIwQ2Vuc3VzJTIwQnVyZWF1JTIwUm9vdCUyMENB -LmNydDANBgkqhkiG9w0BAQwFAAOCAgEAjDWz6k+6ModUkHRJgTjv8nHfPJv1qI9d -WUejF3YSwU6ExE44C5C2oEXPtEAWR+LiEsW+U4ZZ8Zgi/F5qI3AblQbNXDplAbo/ 
-6UoKeieBftV5cf7WgbdFoVFuX2HppSVrDQPf4t6DpCM6qVs8/EIrBQOeKhVckhB1 -XgiuFTb3sRoOmWvRramBf3xp7WJ1P4T76gBUg2I6GMFV3EO/mv8XWM9QzFZ1nFOQ -z8/zRa1x53WuAc36d8ESGqL0ZxjNjSNU/HtpJnwtYj3hzJIsYgm938nU5p1diF00 -C89+a0CKkVnL7JW6tC8MQqnyE7TBBWjSmssxa4FHT753W/NaU6JVIJqOwuGTTenv -bQlHi+NxfqL0alNXX3ukUNDPB5XfGWCEBMGZ9xUNDXdxTS7lJzZGAddjqu94e5gd -KgDiEq52RQgkbZ8d+DYwpo/4XY7rj/bC4jvVXUhVd8E/NAbzTSo3VppK0pi/wDri -lm4p8WlzrCoGTVPeiZdCApa/bOoaq+X7/vN4HDUakJZFEPfxIwznfJbDEu7hrVE3 -fck3YuSBrQx6yYtmpLEnybaB5so0w+djeswxBVQSlBODYhrMFW+l3VIRa9PqHQWw -8TvAglbHxFUWWtlHBbwXgVdOqAVlh1LHU8mfbtkY8D4h+iXk+4nvBY1aKdDaZFTB -kDgqyXZwIww= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFsjCCA5qgAwIBAgITLgAAAAvaREPe3QGJiAAAAAAACzANBgkqhkiG9w0BAQwF -ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz -MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz -IEJ1cmVhdSBSb290IENBMB4XDTE5MDgwNjE1MDc0MVoXDTI0MDgwNjE1MTc0MVow -YjETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czET -MBEGCgmSJomT8ixkARkWA2VhZDEeMBwGA1UEAxMVVVMgQ2Vuc3VzIEJ1cmVhdSBD -QSAzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxA+7bWM9ZExFO/ZN -uFodd+ktg0TWojeV8QJTYAdtwzMquqDl/zMLgkHPD8xC730qMdKB6Df74i3moN5c -6h9S087T0tdf02U0J95AfO06oZiaGNzq/zacINhfbxWf2ZAyZCiwpcQL3w3uAjS1 -MK++iC8ZWDBnd5z64ewCDFS8d9FD5RrJ0GxGCcC4IJ8DyhOq7i3a/Td29wLTP1wz -QuFLVD/5JFWirqnJwgqVVEUdzf8ZK3MSk9DAZcIjY/mIZgnnZ+ukcD0TtYkOnPU7 -j7EGeqo6Jby3T75p4x3uRlNaEKAqXBqiu7bVx+T0cTtuJEjtw4l/8WEGEFGI6Jfs -0Du9+QIDAQABo4IBVTCCAVEwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFCB4 -OetP7QLwgNqbXIDospFC1inEMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsG -A1UdDwQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEBMB8GA1UdIwQYMBaAFMdeIHdB -m/YaIFKQSuoag5Pxw6seMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNv -LmNlbnN1cy5nb3YvQ2VydEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJv -b3QlMjBDQS5jcmwwZQYIKwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8v -cGtpLnRjby5jZW5zdXMuZ292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJl -YXUlMjBSb290JTIwQ0EuY3J0MA0GCSqGSIb3DQEBDAUAA4ICAQCGmm3uxuTvZcWm 
-ihlWtSa/0H88MM3ubcOAqYmNHWCzynemR9CxUZfuR/qi8HvRKHm5HwDVT1LtL3Wf -K+9Lc7mcBHStZUdNgINVsqZzNi1L54v/UD3lAu79M/yh16DREvEnWLlc1CUhti+Q -P6aooRfF1VIAzoNZz3iUBj43uRJLewYhlFYRy8GFzRhoKJ/HNZI9nqlV7notKtvV -P2Ae++stlTGzrUEYi91tgJdoSOKweDg4EDjEr4y51yY2l8eJJTXtRRIMDdtv1wbF -XVpxcbWDvAFmYKFjpspaEiD3gAEdSDGcCv23KGFxZCMw5Chblg2drWCSCbJQ2VE/ -XiHcHGxrTQVru+ocZgEqH600BDAC+/nrVP1lJyfKsY2KUh9X/vzbAbx7r45l7LJh -Q173miuG1Hjm60OEtUsNobtVOG/TCxqHflRuMgVK5mGb00Hu5SxMel/ma5bhvWCS -ZQIYEIwo2b6GBicTuhHhBo0e4BdA3vvz8WroUTiezmMo8BveyYViqyWFCB26Wvhy -NB4pfg+GFfTl0wiHSpc1RfBFuoohkGgUMt0ci0jJp1ofb6MeK+p3DqBfKyhQiz+7 -EsgudLUeALpj38b5mWjvN17YBby5suRJnH8lv7+Z1nooo+MqapZZyrRu56PtEBJM -3m7NDAL9JACMk8yF5WDToKtcPuTgpg== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFszCCA5ugAwIBAgIQGVCQdFyalIVHZ1OchWiMYDANBgkqhkiG9w0BAQwFADBs -MRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3VzMQww -CgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3VzIEJ1 -cmVhdSBSb290IENBMB4XDTE5MDcyNTE4MTAyOVoXDTI5MDcyNTE4MjAyN1owbDET -MBEGCgmSJomT8ixkARkWA0dvdjEWMBQGCgmSJomT8ixkARkWBkNlbnN1czEMMAoG -A1UECxMDVENPMQwwCgYDVQQLEwNQS0kxITAfBgNVBAMTGFVTIENlbnN1cyBCdXJl -YXUgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMWX8I9p -slFaUueuPpEFExgqKcGgoyTOBxFUCXNBnucL3cKRx9MC47kWOwQ94WYvI3LMcehC -6pOwIf5AuhrIdVrJaHSz317ENuDaiur9/qN3fBRidijHphynR/rwJSxiI3VQtj8G -SO4JmCA8dMsKayIl1RiKlQHPoNnSWyDEspAfenr0qq7PzbjKOEPXoO4eXO0plfB3 -aYd+qMRwHKQre4gRGpMfWu1w5JZqFItbXE/RSC38SoZWjkcMcjyTCDTSGY+j/aJw -SHx98riQ8SLQszL5Be0AmF0KHwMZNOsoaa5u/bF++g207W9guLVgO2Ak5D4Unyo3 -D7kcFSuBOVYdeT0XRi3iD0AwEkoCsVzeEOIqjAasj6hYD43O8GjfHpwGpAeASqTT -nbDajtuTsJrrBlLwpz49J5dihJ3Ah7jTirzQciEUZTXv3L7XpdBlt3/sv73Gn0F6 -jZPDANmHIfNHz0xWa9iES9sLPKln9cjnkJs/QlpooTJSrVuovGyzsbu1mb7PfBji -IMF8lVptjQYaWvvMXqXNx2+L6+uBVkEfmuZIs7Xen4ZNz4NP5MixTs3Tq2h81Hym -TbIlJUtSdwZ98jsX6YLerBYYMPawtSIH4Yfdq/Wpt7IHED47dTWdFfC0peqYfHIN -PoRG+eFYq5nHxadkGaifElPnNdvGblRLDj27AgMBAAGjUTBPMAsGA1UdDwQEAwIB 
-hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTHXiB3QZv2GiBSkErqGoOT8cOr -HjAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQwFAAOCAgEAdXsv6igAKGnq -VS79nePbjGj2Z+SFdM2jRVibv06mWR3uVqFNCz2zqlIXzX7PJmK7HycWDK82UWMh -8J0cn1O+PYWFalzhPWk7t1c6EK8wV63/iKj+voqNwZWL7L1/EQiQ8B4OPIyf7v5Y -j3/jqrvufLgGCyz+0JhBY8CBEGZ1knijrHxTv0DOV0ykKI0OpUIes+8SOTdszTDb -XujzE4ekSRTDqWJOCbsQb3KbBUr/k8APVq/Ir/xmS1WmauyP3zBIxMlPMmu9XTw/ -5nRUKKQe8FrVHELLO32iS+6bqdTNmkD7z/VyzWmBA0FVt8upD6Bs8U/bHjoiL/Jk -W3BQ6owq7u+B5w/Cl+WsgQcgVlDLlBZWMKnEng1n2MhqUnzf0dDGA99vrzLPVcPT -yoexQe1E1Y2EoORgaGbsnjkRTwppUnpnxkWrzObBieYB1ir0rRTbKS5hgwXu55Uc -6ypmCLUnQaDVWIZyKKwtmr4n/rX5KJPxj/zT0F+jH1WDyMDVg6jYyu1HIPcABkAU -OlsSr7Tfct75/JGf18oPSFMkV1kzeLUK21vflcMp+ZK0m2TRZyCLvMB/lEsRjsSM -wrgYk7cR14RqJ+RTA7IJqFQfNAXqV1ra+stZYYoLI83oK4shOhHLiO9lR6hSi43f -0w7ALm+8qd1Ih+E5BjmKBJAEFB5Zyzs= ------END CERTIFICATE----- diff --git a/buildspecs/terragrunt.yml b/buildspecs/terragrunt.yml index 58e46fe..6b8a1d4 100644 --- a/buildspecs/terragrunt.yml +++ b/buildspecs/terragrunt.yml @@ -3,17 +3,13 @@ version: 0.2 env: variables: BASE_DIR: "lab" - TF_VERSION: "1.5.5" - TG_VERSION: "0.72.0" TOOLS_DIR: "/tmp/build-tools" - CERT_DIR: "/tmp/certs" exported-variables: - TERRAGRUNT_PATH cache: paths: - '/tmp/build-tools/**/*' - - '/tmp/certs/**/*' phases: install: 
@@ -24,37 +20,24 @@ phases: - export http_proxy=$PROXY_CONFIG - export https_proxy=$PROXY_CONFIG - export NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev - - # Set up certificate for proxy access - - mkdir -p $CERT_DIR - - cp buildspecs/census-pki.bundle.crt $CERT_DIR/ - - export SSL_CERT_FILE=$CERT_DIR/census-pki.bundle.crt - - export REQUESTS_CA_BUNDLE=$CERT_DIR/census-pki.bundle.crt - - export NODE_EXTRA_CA_CERTS=$CERT_DIR/census-pki.bundle.crt - - export CURL_CA_BUNDLE=$CERT_DIR/census-pki.bundle.crt - - export AWS_CA_BUNDLE=$CERT_DIR/census-pki.bundle.crt # Create tools directory if it doesn't exist - mkdir -p $TOOLS_DIR/bin - # Check if cached Terraform exists and matches required version + # Get tools from S3 artifacts bucket instead of downloading from internet - | - if [ -f "$TOOLS_DIR/bin/terraform" ] && [ "$($TOOLS_DIR/bin/terraform version | head -n1 | grep -o "v$TF_VERSION")" = "v$TF_VERSION" ]; then - echo "Using cached Terraform v$TF_VERSION" - else - echo "Downloading Terraform v$TF_VERSION" - curl -fsSLo /tmp/terraform.zip "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip" - unzip -o /tmp/terraform.zip -d $TOOLS_DIR/bin/ + # Terraform + if [ ! 
-f "$TOOLS_DIR/bin/terraform" ]; then + echo "Copying Terraform from S3 artifacts bucket" + aws s3 cp s3://${ARTIFACTS_BUCKET}/tools/terraform/terraform.zip $TOOLS_DIR/ + unzip -o $TOOLS_DIR/terraform.zip -d $TOOLS_DIR/bin/ chmod +x $TOOLS_DIR/bin/terraform fi - # Check if cached Terragrunt exists and matches required version - - | - if [ -f "$TOOLS_DIR/bin/terragrunt" ] && [ "$($TOOLS_DIR/bin/terragrunt --version | grep -o "v$TG_VERSION")" = "v$TG_VERSION" ]; then - echo "Using cached Terragrunt v$TG_VERSION" - else - echo "Downloading Terragrunt v$TG_VERSION" - curl -fsSLo $TOOLS_DIR/bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${TG_VERSION}/terragrunt_linux_amd64" + # Terragrunt + if [ ! -f "$TOOLS_DIR/bin/terragrunt" ]; then + echo "Copying Terragrunt from S3 artifacts bucket" + aws s3 cp s3://${ARTIFACTS_BUCKET}/tools/terragrunt/terragrunt $TOOLS_DIR/bin/ chmod +x $TOOLS_DIR/bin/terragrunt fi diff --git a/docs/sboms.txt b/docs/sboms.txt new file mode 100644 index 0000000..be4cbd5 --- /dev/null +++ b/docs/sboms.txt 
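Review bot: The two `aws s3 cp` steps execute whatever object sits at `tools/terraform/terraform.zip` and `tools/terragrunt/terragrunt`, and the `if [ ! -f ... ]` guards accept any binary already present in the cached `/tmp/build-tools` path, because the version comparison removed here (together with `TF_VERSION`/`TG_VERSION` in the first hunk of this file) was the only check on what gets run. Keeping the version variables, putting the version in the object key, and verifying a pinned digest before `chmod +x` would restore that control, e.g. `echo "${TF_SHA256}  $TOOLS_DIR/terraform.zip" | sha256sum -c -` (`TF_SHA256` is an illustrative name, not a variable defined on this page). `ARTIFACTS_BUCKET` is not among the `env.variables` visible in this file, so it presumably comes from the CodeBuild project; a `: "${ARTIFACTS_BUCKET:?}"` guard would fail the build early if it is unset. The CA-bundle exports are also dropped while the proxy exports stay, so any later HTTPS call not covered by `NO_PROXY` would depend on the build image's default trust store, which is worth confirming. The install command list begins and ends outside this hunk.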
@@ -0,0 +1,65 @@
+IRONBANK SHOULD NOT BE INVALIDATED FROM THIS PROCESS.
+EVERY image that gets pulled into the census env needs to be scanned and have sboms generated
+EVERY image that gets consumed needs the sboms updated relative to the consumer
+SBOM === software bill of materials - a list of all libraries and binaries included on an image
+SBOMs are required for ATO process for any system that uses container images
+
+SBOMs must be signed to prove the attestation is associated with a given image
+PE team as the first consumer of the Enterprise ECR is trying to figure out what process we will expect all customers to follow for use of images at census
+
+Conversation thus far has indicated we should generate/sign each image at both times, enterprise ecr ingest and customer ecr ingest, as the name changes with location
+
+SBOM processes need to support lifecycle management for the containers with which they are generated
+
+
+
+1. Image Acquisition:
+ • Pull a container image from an external registry
+ • Validate that SBOM is cryptographically linked to the immutable image digest -> we will do this.
+2. SBOM Creation (If Needed):
+ • If a vendor-supplied signed SBOM is unavailable or unverifiable: -> we create one with Trivy
+ • Generate an SBOM internally using a trusted tool (Trivy, DockerSlim)
+ • Document the SBOM generation process, including: -> these steps should be part of automation, where that automation lives is a separate topic
+ • Tools and versions used
+ • Scan logs
+ • Known coverage gaps or limitations
+ • The internally-generated SBOM is a compensating control…it may lack complete build-time dependency visibility without vendor attestation. -> disagree
+3. SBOM Validation, Binding, and Promotion:
+ • Validate the SBOM (vendor-supplied or internally-generated) against policy controls: ???
+ • Cross-reference component list with vulnerability databases (NVD, OSS Index, VulnDB). -> this should be done by a tool, like trivy or os-wasp-dep-check or nexus-iq?
+ (Future) • Validate against allowlists/denylists (approved base images, banned packages). -> is this an internally maintained list? -> What tool will be used to maintain/power this?
+ (Future) • Check for license compliance issues. -> this should be a tool also, like nexus or something else?
+ • Bind the SBOM to the immutable image digest: -> this is done via cosign
+ • Store the SBOM as an OCI artifact or metadata annotation alongside the image. -> push to ecr alongside image
+ • Promote the validated image + SBOM to the enterprise ECR with: -> to the enterprise ecr or to the customer ecr?
+
+pull image from the internet -> retag the image -> Regen the SBOM here (to store in enterprise ecr) OR -> wait until customer pulls form enterprise ecr and then gen the sbom that will be individial for that team for that image for their usecase
+
+
+4. Continuous Monitoring & Vulnerability Re-Evaluation:
+For all images in the artifact repository:
+Continuous vulnerability monitoring is mandatory, regardless of SBOM source:
+ • Regularly re-evaluate the SBOM’s component list against updated vulnerability feeds (e.g., new CVEs published).
+ • Generate alerts and findings if new vulnerabilities impact components listed in the SBOM.
+Important Distinction:
+ • If the SBOM is vendor-supplied, signed, and validated:
+ • Do not generate a new SBOM.
+ • Continue using the original SBOM as authoritative.
+ • Overlay vulnerability findings without replacing the SBOM.
+ If the SBOM was internally-generated:
+ • A new SBOM may be created during rescans to improve visibility, accuracy, or capture components missed initially.
+ • Each regenerated SBOM must be documented and version-controlled.
+5. Findings Integration and Policy Enforcement:
+ • Push SBOM-derived vulnerability findings into Security Hub custom findings.
+ • Feed findings into:
+ • Policy enforcement engines
+ • CI/CD pipeline gates
+ • Registry tag or quarantine policies (e.g., ECR lifecycle policies).
+Enforce deployment controls to ensure:
+ • Only signed, validated images from the enterprise artifact repository can be deployed (e.g., Kubernetes admission controllers).
+ • Deployment blocked if image linked to unresolved critical vulnerabilities or non-compliant SBOM.
+6. Runtime Monitoring:
+ • Continuously monitor deployed containers for:
+ • Drift from SBOM-declared component inventory.
+ • New CVEs affecting SBOM components.
+ • Automate alerts, isolation, or patching workflows based on findings.
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl
index 7f6fcc6..d7ca543 100644
--- a/lab/_envcommon/default-versions.hcl
+++ b/lab/_envcommon/default-versions.hcl
@@ -55,7 +55,7 @@ locals {
 # Optional modules with their default enablement state
 enabled_modules = {
 "eks-arcgis" = false
- "eks-cribl" = true
+ "eks-cribl" = false
 "eks-gatekeeper" = true
 "eks-grafana" = true
 "eks-k8s-dashboard" = true
@@ -63,7 +63,7 @@ locals {
 "eks-kiali" = true
 "eks-loki" = true
 "eks-otel" = true
- "eks-pipeline" = true
+ "eks-pipeline" = false
 "eks-postgresql" = false
 "eks-prometheus" = true
 "eks-tempo" = true
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl
index b7902e7..f900271 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl
@@ -59,7 +59,7 @@ inputs = {
 buildspec_path = "terragrunt.yml"
 privileged_mode = true
 environment_variables = {
- TERRAGRUNT_PATH = "lab/development/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
+ TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
 REGION = include.root.inputs.aws_region
 ENVIRONMENT = include.root.inputs.environment_abbr
 AWS_ACCOUNT_ID = include.root.inputs.aws_account_id
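Review bot: The new `TERRAGRUNT_PATH` is built from `include.root.inputs.environment`, while this file itself sits under `lab/development/...` and the neighbouring `ENVIRONMENT` variable uses `environment_abbr`, so the path only resolves if `environment` carries the full directory name; the hunk does not show that input's value. Because the project runs with `privileged_mode = true` and this variable presumably decides which directory the buildspec applies, a comment such as `# environment must equal the directory name under lab/ (e.g. "development")` above the line would record the assumption. The `inputs` block begins and ends outside the hunk.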