chapi-dev/telco-devsecops-demo

GitHub: chapi-dev/telco-devsecops-demo

A reference implementation of the full DevSecOps lifecycle for telecom cloud-native network functions: a complete pipeline on Azure and GitHub that integrates supply-chain security, GitOps delivery and policy governance.

Stars: 0 | Forks: 0

# telco-devsecops-demo

[![ci-cnf](https://static.pigsec.cn/wp-content/uploads/repos/2026/05/77eed4d78b155341.svg)](https://github.com/chapi-dev/telco-devsecops-demo/actions/workflows/ci-cnf.yml) [![codeql](https://static.pigsec.cn/wp-content/uploads/repos/2026/05/aa147a61be155342.svg)](https://github.com/chapi-dev/telco-devsecops-demo/actions/workflows/codeql.yml)

## What it demonstrates

| Capability | GitHub feature | In this repo |
|------------|----------------|--------------|
| Continuous integration | Actions · matrix · OIDC · self-hosted runners | [`.github/workflows/ci-cnf.yml`](.github/workflows/ci-cnf.yml) |
| Continuous delivery | Argo CD · Flux · Nephio Porch | [`gitops/argocd/applicationset.yaml`](gitops/argocd/applicationset.yaml) |
| Continuous verification | Required checks · environments · CNF Test Suite · OPA | [`policy/opa/conftest.rego`](policy/opa/conftest.rego) |
| Security verification | GHAS — CodeQL · Secret Scanning · Dep Review | [`.github/workflows/codeql.yml`](.github/workflows/codeql.yml) · [`docs/SECRET_SCANNING.md`](docs/SECRET_SCANNING.md) |
| Supply chain | Cosign · SLSA L3 · SBOM (SPDX / CycloneDX) | [`ci-cnf.yml` cosign + attest steps](.github/workflows/ci-cnf.yml) |
| Dependency management | Dependabot Helm (2025) · Docker · Actions · Terraform · Go | [`.github/dependabot.yml`](.github/dependabot.yml) |
| Deployable IaC | Terraform (AKS + ACR + MI + Federated Cred) | [`infra/terraform/`](infra/terraform/) |
| Network as code | Multus secondary networks (N3 / N6) | [`charts/demo-upf/templates/networkattachmentdefinition.yaml`](charts/demo-upf/templates/networkattachmentdefinition.yaml) |
| Control plane as code | Kubernetes Operators (CRD + reconciler) | [`src/demo-nf/`](src/demo-nf/) |
| Policy enforcement | Kyverno verify-cosign + OPA conftest | [`policy/kyverno/verify-cosign.yaml`](policy/kyverno/verify-cosign.yaml) |

## Repository layout

```
telco-devsecops-demo/
├── .github/
│   ├── workflows/
│   │   ├── ci-cnf.yml                 # build + scan + SBOM + sign + push Helm chart
│   │   ├── build-vnf-iso.yml          # Packer + Cosign attest (legacy VNF)
│   │   ├── codeql.yml                 # SAST on Go operator
│   │   └── security-reusable.yml      # Trivy + Checkov, callable across NF repos
│   ├── dependabot.yml                 # Helm + Docker + Go + Actions + Terraform
│   ├── secret_scanning.yml            # IMSI / SUPI / K / OPc patterns (documented)
│   └── CODEOWNERS
├── charts/
│   └── demo-upf/                      # 5G UPF Helm chart (Multus, PSS-restricted)
├── src/
│   └── demo-nf/                       # Go operator stub: CRD + reconciler + main
├── infra/
│   └── terraform/                     # AKS + ACR + Managed Identity + Fed Cred
├── gitops/
│   ├── argocd/applicationset.yaml     # Fan-out to N clusters
│   └── envs/{dev,prod-edge-london}/   # Environment-specific values overrides
├── policy/
│   ├── kyverno/verify-cosign.yaml     # Enforce Sigstore at admission
│   └── opa/conftest.rego              # PSS, image trust, no-:latest, requests req'd
├── scripts/                           # bootstrap-azure.{sh,ps1}, install-{argocd,kyverno}.sh
└── docs/
    ├── DEMO_SCRIPT.md                 # 15–20 min walkthrough
    ├── ARCHITECTURE.md                # How everything wires together
    ├── SETUP.md                       # One-time Azure + GitHub setup
    └── SECRET_SCANNING.md             # IMSI / SUPI / K / OPc custom patterns
```

## Quick start

### 1. Configure Azure (one-time, about 10 minutes)

```
# With Terraform...
cd infra/terraform && terraform init && terraform apply -var "github_owner=chapi-dev"

# ...or with the plain Azure CLI
GITHUB_OWNER=chapi-dev ./scripts/bootstrap-azure.sh
```

Both paths produce three values, which you set as **GitHub Actions secrets**:

```
gh secret set AZURE_CLIENT_ID -b "<client-id>"
gh secret set AZURE_TENANT_ID -b "<tenant-id>"
gh secret set AZURE_SUBSCRIPTION_ID -b "<subscription-id>"
```

### 2. Install GitOps and policy on AKS

```
./scripts/install-argocd.sh
./scripts/install-kyverno.sh
```

### 3. Trigger the demo

Push any change to `main` → CI runs `helm lint → kubeconform → trivy → syft → helm push (OCI) → cosign sign → cosign attest SBOM → SLSA build provenance` → Argo CD reconciles → Kyverno verifies the Sigstore signature at admission.

For the full 15-20 minute walkthrough, see [`docs/DEMO_SCRIPT.md`](docs/DEMO_SCRIPT.md).

## Verify the supply chain locally

```
cosign verify \
  --certificate-identity-regexp 'https://github.com/chapi-dev/telco-devsecops-demo/.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  acrtelcodemo.azurecr.io/charts/demo-upf:1.0.0
```

## Industry references implemented

- **Vodafone Telco Cloud** (OpenShift + GitOps for 5G) — the same Argo CD + PR-gated reconciliation pattern.
- **Nephio R6** (LF Networking) — KRM intent automation; the `ApplicationSet` mirrors the per-site variant fan-out.
- **CNCF CNF WG** — the "everything as code, GitOps for CNFs" requirements.
- **LFN Anuket / O-RAN SC / Sylva / free5GC / Open Air Interface / Magma** — the same GitHub-native CI patterns.

## License

[Apache-2.0](LICENSE)
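The policy gate the layout describes for `policy/opa/conftest.rego` (PSS-restricted, image trust, no `:latest`, requests required) as an added Python example, not the repo's own Rego: it re-implements those four rule classes as a checker you can run on rendered Helm output before Argo CD and Kyverno see it. It assumes `acrtelcodemo.azurecr.io` is the only trusted registry and uses constructed Deployment fixtures for a demo UPF.

```python
"""Re-implementation of the four rule classes the README lists for
policy/opa/conftest.rego, usable as a pre-commit check on rendered Helm
output. Added example, not the repo's Rego."""

# Assumption: the ACR named in the README is the only trusted registry.
TRUSTED_REGISTRIES = ("acrtelcodemo.azurecr.io",)


def check_workload(manifest):
    """Return deny messages for a Deployment-style manifest (empty = pass)."""
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod.get("securityContext", {})
    violations = []
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        name, image = c.get("name", "<unnamed>"), c.get("image", "")
        # Image trust: only the registry whose signatures Kyverno verifies.
        if not image.startswith(tuple(r + "/" for r in TRUSTED_REGISTRIES)):
            violations.append(f"{name}: image {image!r} is not from a trusted registry")
        # Mutable tags undermine cosign verification: require a fixed tag or digest.
        ref = image.rsplit("/", 1)[-1]
        if "@sha256:" not in ref and (":" not in ref or ref.endswith(":latest")):
            violations.append(f"{name}: image {image!r} uses :latest or no tag")
        # Requests are mandatory so the NF can be scheduled predictably.
        requests = c.get("resources", {}).get("requests", {})
        if not {"cpu", "memory"} <= set(requests):
            violations.append(f"{name}: cpu and memory requests are required")
        # Subset of the Pod Security Standards 'restricted' profile;
        # container settings override pod-level ones, as in Kubernetes.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
    return violations


def _upf(image, **sc):
    """Constructed Deployment fixture for a single demo UPF container."""
    return {"kind": "Deployment", "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "upf", "image": image, "securityContext": sc,
                        "resources": {"requests": {"cpu": "2", "memory": "4Gi"}}}]}}}}


GOOD_UPF = _upf("acrtelcodemo.azurecr.io/demo-upf:1.0.0",
                allowPrivilegeEscalation=False, capabilities={"drop": ["ALL"]})
BAD_UPF = _upf("docker.io/library/nginx:latest")  # untrusted, :latest, no PSS fields
```

`check_workload(GOOD_UPF)` returns an empty list, while `check_workload(BAD_UPF)` reports the untrusted registry, the mutable tag and the two missing hardening fields; a digest-pinned image from the trusted registry also passes.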