Init docs website

Signed-off-by: Stefan Prodan <[email protected]>

.github/workflows/docs.yaml

@@ -0,0 +1,26 @@
+name: docs
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ 'docs*' ]
+    tags: [ 'v*' ]
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      - name: Run mkdocs
+        uses: mhausenblas/mkdocs-deploy-gh-pages@e55ecab6718b449a90ebd4313f1320f9327f1386 # master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          #CUSTOM_DOMAIN: timoni.sh
+          CONFIG_FILE: mkdocs.yml
+          REQUIREMENTS: docs/.mkdocs/requirements.txt

docs/.mkdocs/requirements.txt

@@ -0,0 +1,16 @@
+# Requirements for mkdocs
+jinja2~=3.0
+markdown~=3.2
+mkdocs~=1.5,>=1.5.3
+mkdocs-material~=9.4
+mkdocs-material-extensions~=1.3
+pygments~=2.16
+pymdown-extensions~=10.2
+
+# Requirements for mkdocs plugins
+babel~=2.10
+colorama~=0.4
+mkdocs-redirects~=1.2
+paginate~=0.5
+regex>=2022.4
+requests~=2.26

docs/distribution/install.md

@@ -0,0 +1,49 @@
+# Flux Distribution Installation
+
+ControlPlane offers a seamless transition from CNCF Flux to the enterprise distribution with no
+impact to Flux availability. The hardened container images provided by ControlPlane are fully
+compatible with the upstream Flux installation and bootstrap procedure.
+
+## Bootstrap
+
+Customers can bootstrap Flux with the enterprise distribution using the Flux CLI or the Flux Terraform provider.
+To access the ControlPlane registry, customers need to provide their credentials using the
+`--registry-creds` flag.
+
+Example of bootstrapping Flux with the FIPS-compliant distribution:
+
+```bash
+flux bootstrap github \
+  --owner=customer-org \
+  --repository=customer-repo \
+  --branch=main \
+  --path=clusters/production \
+  --image-pull-secret=flux-enterprise-auth \
+  --registry-creds=flux:$ENTERPRISE_TOKEN \
+  --registry=ghcr.io/controlplaneio-fluxcd/distroless
+```
+
+Running the bootstrap command for a cluster with an existing Flux installation will trigger
+an in-place upgrade of the Flux controllers to the ControlPlane distribution.
+
+## Automated Updates to Bootstrap Repositories
+
+For keeping the Flux controllers images digests
+and manifests up-to-date with the latest version of the Enterprise Distribution, ControlPlane
+provides Kustomize images patches for the Flux manifests, which can be found in the
+[distribution repository](https://github.com/controlplaneio-fluxcd/distribution/tree/main/images).
+
+Customers using GitHub can leverage the ControlPlane GitHub Actions to automate the
+update of the Flux manifests in their bootstrap repositories. For more information, see the
+[Update Flux GitHub Action](actions/update/README.md) documentation.
+
+For customers using other Git providers, ControlPlane provides support for configuring
+automated updates for the Flux enterprise distribution.
+
+## Flux Operator
+
+The ControlPlane distribution includes the [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator),
+which provides a declarative API for the installation and upgrade of the Flux controllers. The operator
+automates the patching of hotfixes and CVEs affecting the Flux container images.
+
+For more information, see the Flux Operator [documentation](../operator/introduction.md).

docs/distribution/introduction.md

@@ -0,0 +1,45 @@
+# Flux Distribution Introduction
+
+The [ControlPlane](https://control-plane.io) distribution for [Flux CD](https://fluxcd.io)
+comes with enterprise-hardened Flux controllers including:
+
+- Hardened container images and SBOMs in-sync with upstream Flux releases.
+- Continuous scanning and CVE patching for Flux container base images.
+- SLAs for remediation of critical vulnerabilities affecting Flux functionality.
+- FIPS-compliant Flux builds based on FIPS 140-2 validated BoringSSL.
+- Extended compatibility of Flux controllers for the latest six minor releases of Kubernetes.
+- Assured compatibility with OpenShift and Kubernetes LTS versions provided by cloud vendors.
+
+The ControlPlane distribution is offered on a
+[yearly subscription basis](https://control-plane.io/enterprise-for-flux-cd/) and includes
+enterprise-grade support services for running Flux in production.
+
+## Distribution Channels
+
+ControlPlane offers two distribution channels for the Flux controllers:
+
+- [FIPS-compliant](#fips-compliant) images hosted at `ghcr.io/controlplaneio-fluxcd/distroless`.
+- [Mainline](#mainline) images hosted at `ghcr.io/controlplaneio-fluxcd/alpine`.
+
+The ControlPlane container images are continuously scanned for vulnerabilities and patched accordingly.
+
+### FIPS-compliant
+
+The ControlPlane distribution offers hardened
+[Google Distrosless](https://github.com/GoogleContainerTools/distroless)-based Flux images
+to organizations that must comply with NIST FIPS-140-2 standards.
+
+The Flux controller binaries are statically linked against the
+[Google BoringSSL](https://boringssl.googlesource.com/boringssl/) libraries,
+and the Go runtime restricts all TLS configuration to FIPS-approved settings
+by importing the `crypto/tls/fipsonly` package.
+
+### Mainline
+
+The mainline distribution channel offers
+[Alpine Linux](https://www.alpinelinux.org/)-based
+images fully compatible with the upstream Flux feature set.
+
+The major difference between the Flux upstream images and mainline images is the
+continuous scanning and CVE patching for the container base images, OS packages,
+and Go dependencies.

docs/distribution/security.md

@@ -0,0 +1,91 @@
+# Supply Chain Security
+
+The build, release and provenance portions of the ControlPlane distribution supply chain meet
+[SLSA Build Level 3](https://slsa.dev/spec/v1.0/levels).
+
+## Software Bill of Materials
+
+The ControlPlane images come with SBOMs in SPDX format for each CPU architecture.
+
+Example of extracting the SBOM from the source-controller image:
+
+```shell
+docker buildx imagetools inspect \
+    <registry>/source-controller:v1.3.0 \
+    --format "{{ json (index .SBOM \"linux/amd64\").SPDX}}"
+```
+
+## Signature Verification
+
+The ControlPlane images are signed using Sigstore Cosign and GitHub OIDC.
+
+Example of verifying the signature of the source-controller image:
+
+```shell
+cosign verify <registry>/source-controller:v1.3.0 \
+  --certificate-identity-regexp=^https://github\\.com/controlplaneio-fluxcd/.*$ \
+  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+```
+
+## SLSA Provenance Verification
+
+The provenance attestations are generated at build time with Docker Buildkit and
+include facts about the build process such as:
+
+- Build timestamps
+- Build parameters and environment
+- Version control metadata
+- Source code details
+- Materials (files, scripts) consumed during the build
+
+Example of extracting the SLSA provenance JSON for the source-controller image:
+
+```shell
+docker buildx imagetools inspect \
+  <registry>/source-controller:v1.3.0 \
+  --format "{{ json (index .Provenance \"linux/amd64\").SLSA}}"
+```
+
+The provenance of the build artifacts is generated with the official
+[SLSA GitHub Generator](https://github.com/slsa-framework/slsa-github-generator).
+
+Example of verifying the provenance of the source-controller image:
+
+```shell
+cosign verify-attestation --type slsaprovenance \
+  --certificate-identity-regexp=^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml.*$ \
+  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+  <registry>/source-controller:v1.3.0
+```
+
+## Vulnerability Exploitability eXchange
+
+The Flux controllers (source code, binaries and container images) are continuously
+scanned for CVEs. Once a CVE is detected, the ControlPlane team assesses
+the exploitability of the vulnerability. If the vulnerability is proven to be exploitable,
+the ControlPlane team provides a patch within the agreed SLA and issues
+a security bulletin to customers containing the CVE details and the container images
+digests that include the fix.
+
+There are cases where the vulnerability is not exploitable in the context of the Flux
+controllers, and in such cases, the ControlPlane team issues a CVE exception in the
+[OpenVEX](https://github.com/openvex/spec/blob/v0.2.0/OPENVEX-SPEC.md) format.
+
+For each Flux minor release, the ControlPlane team maintains a VEX document with the
+list of vulnerabilities that do not affect the Flux controllers. The VEX documents
+are available in the enterprise distribution repository under the `vex` directory.
+
+Example of scanning the source-controller image with [Trivy](https://github.com/aquasecurity/trivy)
+using the VEX document:
+
+```console
+$ trivy image <registry>/source-controller:v1.2.2 --vex ./vex/v2.2.json --show-suppressed
+
+Suppressed Vulnerabilities (Total: 1)
+
+┌─────────────────┬────────────────┬──────────┬──────────────┬─────────────────────────────┬─────────┐
+│     Library     │ Vulnerability  │ Severity │    Status    │          Statement          │ Source  │
+├─────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────────┼─────────┤
+│ helm.sh/helm/v3 │ CVE-2019-25210 │ MEDIUM   │ not_affected │ vulnerable_code_not_present │ OpenVEX │
+└─────────────────┴────────────────┴──────────┴──────────────┴─────────────────────────────┴─────────┘
+```

docs/index.md

@@ -0,0 +1,4 @@
+---
+template: home.html
+title: Home
+---