Skip to content

isnuryusuf/openshift-devsecops-cicd

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CI/CD Demo - OpenShift Container Platform 3.3

This repository includes the infrastructure and pipeline definition for continuous delivery using Jenkins, Nexus and SonarQube on OpenShift. On every pipeline execution, the code goes through the following steps:

  1. Code is cloned from Gogs, built, tested and analyzed for bugs and bad patterns
  2. The WAR artifact is pushed to Nexus Repository manager
  3. A Docker image (tasks:latest) is built based on the Tasks application WAR artifact deployed on JBoss EAP 6
  4. The Tasks Docker image is deployed in a fresh new container in DEV project
  5. If tests successful, the DEV image is tagged with the application version (tasks:7.x) in the STAGE project
  6. The staged image is deployed in a fresh new container in the STAGE project

The following diagram shows the steps included in the deployment pipeline:

The application used in this pipeline is a JAX-RS application which is available on GitHub and is imported into Gogs during the setup process: https://github.com/OpenShiftDemos/openshift-tasks

Prerequisites

  • 8+ GB memory available on OpenShift nodes
  • JBoss EAP 7 imagestreams imported to OpenShift (see Troubleshooting section for details)

Setup

Follow these instructions in order to create a local OpenShift cluster. Otherwise using your current OpenShift cluster, create the following projects for CI/CD components, Dev and Stage environments:

oc new-project dev --display-name="Tasks - Dev"
oc new-project stage --display-name="Tasks - Stage"
oc new-project cicd --display-name="CI/CD"

Jenkins needs to access OpenShift API to discover slave images as well accessing container images. Grant Jenkins service account enough privileges to invoke OpenShift API for the created projects:

oc policy add-role-to-user edit system:serviceaccount:cicd:default -n dev
oc policy add-role-to-user edit system:serviceaccount:cicd:default -n stage

Create the CI/CD components based on the provided template

oc process -f cicd-template.yaml | oc create -f -

To use custom project names, change cicd, dev and stage in the above commands to your own names and use the following to create the demo:

oc process -f cicd-template.yaml -v DEV_PROJECT=dev-project-name -v STAGE_PROJECT=stage-project-name | oc create -f - -n cicd-project-name

Note: you need ~8GB memory for running this demo.

Guide

  1. A Jenkins pipeline is pre-configured which clones Tasks application source code from Gogs (running on OpenShift), builds, deploys and promotes the result through the deployment pipeline. In the CI/CD project, click on Builds and then Pipelines to see the list of defined pipelines. If the tech preview pipeline feature is not enabled on your OpenShift cluster, go directly to the pipelines section with this url: https://OPENSHIFT.MASTER/console/project/cicd/browse/pipelines

Click on tasks-pipeline and Configuration and explore the pipeline definition.

You can also explore the pipeline job in Jenkins by clicking on the Jenkins route url, logging in with the following credentials, clicking on tasks-pipeline and Configure.

Jenkins credentials: admin/password
Gogs credentials: gogs/password

  1. Run an instance of the pipeline by starting the tasks-pipeline in OpenShift or Jenkins.

  2. During pipeline execution, verify a new Jenkins slave pod is created within CI/CD project to execute the pipeline.

  3. Pipelines pauses at Deploy STAGE for approval in order to promote the build to the STAGE environment. Click on this step on the pipeline and then Promote.

  4. After pipeline completion, demonstrate the following:

  • Explore the snapshots repository in Nexus and verify openshift-tasks is pushed to the repository
  • Explore SonarQube and verify a project is created with metrics, stats, code coverage, etc
  • Explore Tasks - Dev project in OpenShift console and verify the application is deployed in the DEV environment
  • Explore Tasks - Stage project in OpenShift console and verify the application is deployed in the STAGE environment
  1. Clone and checkout the eap-7 branch of the openshift-tasks git repository and using an IDE (e.g. JBoss Developer Studio), remove the @Ignore annotation from src/test/java/org/jboss/as/quickstarts/tasksrs/service/UserResourceTest.java test methods to enable the unit tests. Commit and push to the git repo.

  2. Check out Jenkins, a pipeline instance is created and is being executed. The pipeline will fail during unit tests due to the enabled unit test.

  3. Check out the failed unit and test src/test/java/org/jboss/as/quickstarts/tasksrs/service/UserResourceTest.java and run it in the IDE.

  4. Fix the test by modifying src/main/java/org/jboss/as/quickstarts/tasksrs/service/UserResource.java and uncommenting the sort function in getUsers method.

  5. Run the unit test in the IDE. The unit test runs green. Commit and push the fix to the git repository and verify a pipeline instance is created in Jenkins and executes successfully.

Enabling OpenShift 3.3 Pipelines with "oc cluster"

Pipeline in OpenShift 3.3 is a tech preview feature and disabled by default. The steps required to enable this feature is detailed in OpenShift documentation.

Troubleshoot

  • SonarQube sometimes fails to load quality profiles requires for static analysis.

    [ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.0.1:sonar (default-cli) on project jboss-tasks-rs: No quality profiles have been found, you probably don't have any
    

    Scale down the SonarQube pod and its PostgreSQL database to 0 and then scale them up to 1 again (first PostgreSQL, then SonarQube) to re-initialize SonarQube.

  • Downloading the images might take a while depending on the network. Remove the install-gogs pod and re-create the app to retry Gogs initialization.

    $ oc delete pod install-gogs
    $ oc delete pods -l app=gogs
    $ oc process -f cicd-template.yaml | oc create -f -
    
    pod "install-gogs" created
    Error from server: routes "jenkins" already exists
    Error from server: deploymentconfigs "jenkins" already exists
    Error from server: serviceaccounts "jenkins" already exists
    Error from server: rolebinding "jenkins_edit" already exists
    ...
    
  • If the cicd-pipeline Jenkins job has disappeared, scale Jenkins pod to 0 and up to 1 again to force a job sync with OpenShift pipelines.

  • If pipeline execution fails with error: no match for "jboss-eap70-openshift", import the jboss imagestreams in OpenShift.

    oc login -u system:admin
    oc create -f https://raw.githubusercontent.com/jboss-openshift/application-templates/master/jboss-image-streams.json -n openshift
    

About

DevSecOPS and CICD Demo

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published