// ---- Pipeline configuration ----
// Edit your app's name below.
// APP_NAME is a script-binding global (no `def`) so the helper functions further down can
// read it; it is reused to derive ARTIFACT_BUILD, RUNTIME_CHAINED_BUILD, IMAGESTREAM_NAME
// and the deploymentConfig name, so keep it in sync with the OpenShift objects for this app.
APP_NAME = "news-dashboard"
// OpenShift project prefix. The per-environment namespace is built as
// "${PROJECT_NAMESPACE}-${environment}" (see deployAndVerify).
PROJECT_NAMESPACE = "05e933"
/**
 * Describes one deployment target. Instances are created with Groovy's named-argument
 * map constructor (see the `environments` map below), so no explicit constructor is declared.
 */
class AppEnvironment {
// Human-readable label, used in the deploy stage names (e.g. "Deploy to Development").
String name
// ImageStream tag the environment is deployed from (e.g. "dev"); also the namespace
// suffix used by deployAndVerify ("${PROJECT_NAMESPACE}-${tag}").
String tag
// Tag that receives a copy of the currently deployed image before each new rollout
// (see tagLatestStable).
String previousTag
}
// EDIT LINE BELOW (Edit your environment TAG names)
// Keyed by short environment id. Only `dev` and `test` have deploy stages in this file;
// `prod` is declared here but nothing below deploys to it.
environments = [
    dev:  new AppEnvironment(name: "Development", tag: "dev",  previousTag: "dev-previous"),
    test: new AppEnvironment(name: "Test",        tag: "test", previousTag: "test-previous"),
    prod: new AppEnvironment(name: "Prod",        tag: "prod", previousTag: "prod-previous")
]

// You shouldn't have to edit these if you're following the conventions
// Build config for the application artifact (first step of the chained build).
ARTIFACT_BUILD = APP_NAME
// Build config for the chained runtime build; presumably it packages the artifact into the
// runtime image -- confirm against the BuildConfig definitions.
RUNTIME_CHAINED_BUILD = "${APP_NAME}-static"
// EDIT LINE BELOW (Change `IMAGESTREAM_NAME` so it matches the name of your *output*/deployable image stream.)
// This is the stream that is read for the image hash and tagged per environment.
IMAGESTREAM_NAME = "${APP_NAME}-static"
// Not referenced anywhere else in this file.
PATHFINDER_URL = "pathfinder.gov.bc.ca"
// EDIT LINE BELOW (Add a reference to the YARN_BUILD, the builder image that compiles your frontend source code.)
YARN_BUILD = "frontend-yarn-builder"
// EDIT LINE BELOW:
// Add a reference to the NGINX_BUILD, if you are using a runtime that needs to be built.
// Otherwise comment out the line and the associated build in the 'Assemble Builder & Runtime' stage.
NGINX_BUILD = "frontend-nginx-runtime"
// Gets the container hash for the latest image in an image stream.
// Reads the image name of the `:latest` ImageStreamTag and strips the "sha256:" prefix
// with sed, returning the bare digest as a trimmed string.
// NOTE: imageStreamName is interpolated straight into a shell command; callers in this file
// only pass the file's own constants, never user-controlled input -- keep it that way.
def getLatestHash(imageStreamName) {
    def query = "oc get istag ${imageStreamName}:latest -o=jsonpath='{@.image.metadata.name}' | sed -e 's/sha256://g'"
    def digest = sh(script: query, returnStdout: true)
    return digest.trim()
}
// Gets all tags already applied to this ImageStream (as a single string); e.g., 'dev test dev-previous my-other-tag ...'
// The Go template emits " <tag>" per entry of .status.tags; trim() removes the leading space,
// so the result is a single space-separated string (empty when the stream has no tags).
// NOTE: imageStreamName is interpolated into a shell command -- only pass this file's constants.
def getAllTags(imageStreamName) {
    def query = """oc get is ${imageStreamName} -o template --template='{{range .status.tags}}{{" "}}{{.tag}}{{end}}'"""
    def rawTags = sh(script: query, returnStdout: true)
    return rawTags.trim()
}
// Checks whether we are running this pipeline for the first time by looking at what tags are available on the application's ImageStream
// Returns true when `tagName` is one of the space-separated tags reported by getAllTags.
def tagExists(tagName, imageStream) {
    def knownTags = getAllTags(imageStream).split(" ")
    return (knownTags as List).contains(tagName)
}
// Starts the OpenShift build for `buildConfigName` and then verifies it completed.
// Both steps share the same arguments; waitTime is the plugin's wait limit (900000,
// i.e. 15 minutes assuming the plugin's millisecond unit -- confirm against the plugin docs).
def buildAndVerify(buildConfigName) {
    echo "Building: ${buildConfigName}"
    def buildArgs = [bldCfg: buildConfigName, showBuildLogs: 'true', waitTime: '900000']
    openshiftBuild(buildArgs)
    openshiftVerifyBuild(buildArgs)
}
// Tags `srcHash` (an existing tag or image hash in `imageStream`) as `destination`
// within the same ImageStream.
def tagImage(srcHash, destination, imageStream) {
    def tagArgs = [
        srcStream:  imageStream,
        srcTag:     srcHash,
        destStream: imageStream,
        destTag:    destination,
        verbose:    'true',
        waitTime:   '900000'
    ]
    openshiftTag(tagArgs)
}
// Keeps a copy of last good known configuration for a deployment (just in case)
// Copies the image currently tagged `environment` to `backupTag`. Nothing in this file
// rolls back to the backup automatically; it only makes a manual rollback possible.
def tagLatestStable(environment, backupTag, imageStream) {
    if (!tagExists(environment, imageStream)) {
        // first run: nothing has been deployed yet, so there is nothing to back up
        return
    }
    tagImage(environment, backupTag, imageStream)
}
// Tags `srcHash` as `environment` in the ImageStream and then waits for the DeploymentConfig
// named APP_NAME in namespace "${PROJECT_NAMESPACE}-${environment}" to roll out.
// This function never starts a rollout itself; presumably the DeploymentConfig has an
// image-change trigger on that tag -- confirm against the deployment definitions.
def deployAndVerify(srcHash, environment, imageStream) {
    def targetNamespace = "${PROJECT_NAMESPACE}-${environment}"
    echo "Deploying ${APP_NAME} to ${environment}"
    tagImage(srcHash, environment, imageStream)
    // verify deployment to an environment; e.g. [your-project-name]-dev
    openshiftVerifyDeployment(deploymentConfig: APP_NAME, namespace: targetNamespace, waitTime: '900000')
}
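// Generates a string representation of the current code changes that triggered a build
/**
 * Builds a human-readable list of this build's SCM changes, one line per entry:
 *   " - <commit message truncated to maxMsgLen chars> [<author>]\n"
 * Returns "No changes" when the build carries no change sets (e.g. a manual re-run).
 *
 * @param maxMsgLen maximum number of message characters kept per entry (default 512)
 */
def getChangeString(maxMsgLen = 512) {
    def changeString = ""
    for (changeSet in currentBuild.changeSets) {
        for (entry in changeSet.items) {
            // `def` keeps this local; without it Groovy stored the value in the script
            // binding as a global. `?.` tolerates an entry with no message.
            def truncatedMsg = entry.msg?.take(maxMsgLen)
            changeString += " - ${truncatedMsg} [${entry.author}]\n"
        }
    }
    return changeString ?: "No changes"
}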
// Reports a success. Until the Slack integration exists, "notifying" means writing the
// title (and the description, when one is given) to the build log.
def notifyGood(title, description) {
    // TODO: Send notifications to Slack
    echo title
    if (!description) {
        return
    }
    echo description
}
// Reports a failure. Until the Slack integration exists, "notifying" means writing the
// title (and the description, when one is given) to the build log. Callers re-throw the
// error afterwards, so this never swallows a failure.
def notifyError(title, description) {
    // TODO: Send notifications to Slack
    echo title
    if (!description) {
        return
    }
    echo description
}
/* Setup stage
   - making sure builder images are available (i.e. yarn-builder, nginx-runtime)
*/
stage('Assemble Builder & Runtime') {
    node {
        // Builder first, then runtime. A failure in either is reported and re-thrown, so the
        // application build stages below never run on top of a failed base image build.
        def baseImages = [
            [buildConfig: YARN_BUILD,  label: 'Yarn Builder'],
            // drop this entry if NGINX_BUILD is not used
            [buildConfig: NGINX_BUILD, label: 'Nginx Runtime']
        ]
        for (baseImage in baseImages) {
            try {
                buildAndVerify(baseImage.buildConfig)
            } catch (error) {
                notifyError("Problem Assembling ${baseImage.label}", "Error: ${error.message}")
                throw error
            }
        }
    }
}
/* Chained Build stage
   - applying OpenShift build configs
   - creating OpenShift imagestreams, annotations and builds
   - build time optimizations (e.g. image reuse, build scheduling/readiness)
*/
stage("Build ${APP_NAME}") {
    node {
        try {
            // artifact build first, then the chained runtime build that depends on it
            for (buildConfig in [ARTIFACT_BUILD, RUNTIME_CHAINED_BUILD]) {
                buildAndVerify(buildConfig)
            }
            // Don't tag with BUILD_ID so the pruner can do its job; it won't delete tagged images.
            // The deploy stages tag by image hash instead. IMAGE_HASH is intentionally not `def`'d:
            // it lives in the script binding so the later stages can read it.
            // NOTE: this reads whatever is `:latest` right now; if two builds of this pipeline ran
            // concurrently they could pick up each other's image -- consider disabling concurrent builds.
            IMAGE_HASH = getLatestHash(IMAGESTREAM_NAME)
            echo ">> IMAGE_HASH: ${IMAGE_HASH}"
        } catch (error) {
            notifyError(
                "${APP_NAME} Build Broken :(",
                "Author: ${env.CHANGE_AUTHOR_DISPLAY_NAME}\r\nError: '${error.message}'"
            )
            throw error
        }
    }
}
/* Deploying to DEV
   - backing up latest stable deployment
   - deploying newly built image
   - notifying of success or failure
   DEV is deployed automatically, with no approval gate (contrast with the TEST stage).
*/
stage("Deploy to ${environments.dev.name}") {
    def targetTag = environments.dev.tag
    def backupTag = environments.dev.previousTag
    node {
        try {
            // hold on to a copy of the last stable DEV image in case this rollout fails
            // (the backup is only taken here; rolling back to it is a manual step)
            tagLatestStable(targetTag, backupTag, IMAGESTREAM_NAME)
            deployAndVerify(IMAGE_HASH, targetTag, IMAGESTREAM_NAME)
            // all is good!
            notifyGood("New ${APP_NAME} in ${targetTag} :)", "Changes: ${getChangeString()}")
        } catch (error) {
            notifyError("Couldn't deploy ${APP_NAME} to ${targetTag} :(", "Error: '${error.message}'")
            throw error
        }
    }
}
/* Deploying to TEST
   - backing up latest stable deployment
   - deploying newly built image
   - notifying of success or failure
*/
stage("Deploy to ${environments.test.name}") {
    def targetTag = environments.test.tag
    def backupTag = environments.test.previousTag
    // Manual promotion gate. It sits outside `node` so a pending approval does not hold an
    // executor; after 4 hours without an answer the timeout aborts the build. No `submitter`
    // is set, so anyone who can interact with the build may approve -- add one if promotion
    // to TEST should be restricted to specific users or groups.
    timeout(time: 4, unit: 'HOURS') {
        input "Deploy to ${targetTag}?"
    }
    node {
        try {
            // hold on to a copy of the last stable TEST image in case this rollout fails
            // (the backup is only taken here; rolling back to it is a manual step)
            tagLatestStable(targetTag, backupTag, IMAGESTREAM_NAME)
            deployAndVerify(IMAGE_HASH, targetTag, IMAGESTREAM_NAME)
            // all is good!
            notifyGood("New ${APP_NAME} in ${targetTag} :)", "Changes: ${getChangeString()}")
        } catch (error) {
            notifyError("Couldn't deploy ${APP_NAME} to ${targetTag} :(", "Error: '${error.message}'")
            throw error
        }
    }
}
// See https://github.com/jenkinsci/kubernetes-plugin
// Runs the OWASP ZAP baseline scan from a dedicated agent pod and publishes the HTML report.
// Note the target is the DEV host even though this stage runs after the TEST promotion.
podTemplate(label: 'owasp-zap', name: 'owasp-zap', serviceAccount: 'jenkins', cloud: 'openshift', containers: [
    containerTemplate(
        name: 'jnlp',
        // NOTE: untagged reference, so every run pulls whatever `:latest` is at that moment;
        // pin a tag (or a digest) so the scanner image cannot change underneath the pipeline.
        image: '172.50.0.2:5000/openshift/jenkins-slave-zap',
        resourceRequestCpu: '500m',
        resourceLimitCpu: '1000m',
        resourceRequestMemory: '3Gi',
        resourceLimitMemory: '4Gi',
        workingDir: '/tmp',
        command: '',
        // single-quoted on purpose: these placeholders are expanded by the kubernetes plugin, not by Groovy
        args: '${computer.jnlpmac} ${computer.name}'
    )
]) {
    node('owasp-zap') {
        stage('ZAP Security Scan') {
            dir('/zap') {
                // returnStatus: true means a non-zero exit does NOT fail the build. The baseline
                // script presumably signals findings through its exit code (confirm against
                // zap-baseline.py's documented codes), so scan findings never gate this pipeline:
                // the status is only echoed below. Fail the stage, or at least mark the build
                // UNSTABLE, if findings are meant to block promotion.
                def scanStatus = sh returnStatus: true, script: '/zap/zap-baseline.py -r baseline.html -t https://dev.dashboard.news.gov.bc.ca/last-7-day-post-list'
                // allowMissing: false -- publishing is expected to fail when no report was produced
                def reportSpec = [
                    allowMissing:          false,
                    alwaysLinkToLastBuild: false,
                    keepAll:               true,
                    reportDir:             '/zap/wrk',
                    reportFiles:           'baseline.html',
                    reportName:            'ZAP Baseline Scan',
                    reportTitles:          'ZAP Baseline Scan'
                ]
                publishHTML(target: reportSpec)
                echo "Return value is: ${scanStatus}"
            }
        }
    }
}