// Pipeline-wide identifiers. These are script-binding variables (no `def`),
// so every function below can read them.
APP_NAME = 'embcess-sandbox'            // OpenShift application / deployment-config name
PROJECT_NAMESPACE = 'jhnamn'            // namespace prefix; the environment tag is appended on deploy
// NOTE(review): set as a Groovy binding variable, not via `env.`, so it is
// presumably not exported to `sh` steps or to the OpenShift build — confirm
// this is where the build actually reads it.
DOTNET_SKIP_FIRST_TIME_EXPERIENCE = 'true'
/**
 * Describes one deployment target of this pipeline.
 * Constructed with Groovy named arguments, e.g.
 * new AppEnvironment(name: 'Development', tag: 'dev', previousTag: 'dev-previous').
 */
class AppEnvironment {
    String name         // human-readable label used in stage titles
    String tag          // ImageStream tag that the environment deploys from
    String previousTag  // ImageStream tag holding the last known-good image for this environment
}
// EDIT LINE BELOW (Edit your environment TAG names)
// Only a single target is defined in this sandbox pipeline; keyed by a short alias
// that the stages below reference as `environments.dev`.
environments = [
    dev: new AppEnvironment(name: 'Development', tag: 'dev', previousTag: 'dev-previous'),
]
// You shouldn't have to edit these if you're following the conventions
// (build config, chained build and ImageStream all share the application name).
ARTIFACT_BUILD = APP_NAME            // BuildConfig that produces the application image
RUNTIME_CHAINED_BUILD = "${APP_NAME}" // BuildConfig whose pending builds are cancelled on startup
IMAGESTREAM_NAME = "${APP_NAME}"      // ImageStream that is tagged per environment
PATHFINDER_URL = 'pathfinder.gov.bc.ca' // cluster routing domain (not referenced elsewhere in this file)
/**
 * Returns the image digest (sha256 hex, prefix stripped) of the `latest` tag of an ImageStream.
 *
 * @param imageStreamName ImageStream to inspect; interpolated straight into a shell command,
 *        so it must come from a trusted constant (here it is always IMAGESTREAM_NAME), never
 *        from build parameters or SCM content.
 * @return trimmed stdout of `oc get istag`, i.e. the bare digest string
 */
def getLatestHash(imageStreamName) {
    def query = """oc get istag ${imageStreamName}:latest -o=jsonpath='{@.image.metadata.name}' | sed -e 's/sha256://g'"""
    def digest = sh(script: query, returnStdout: true)
    return digest.trim()
}
/**
 * Lists every tag currently present on an ImageStream as one space-separated string,
 * e.g. 'dev test dev-previous my-other-tag ...'.
 *
 * @param imageStreamName ImageStream to inspect; interpolated into a shell command, so only
 *        pass trusted constants (the callers pass IMAGESTREAM_NAME).
 * @return trimmed stdout of the Go template query (leading separator removed by trim)
 */
def getAllTags(imageStreamName) {
    def query = """oc get is ${imageStreamName} -o template --template='{{range .status.tags}}{{" "}}{{.tag}}{{end}}'"""
    def tagList = sh(script: query, returnStdout: true)
    return tagList.trim()
}
/**
 * Tells whether a tag is already present on an ImageStream. Used to detect the very first
 * pipeline run, when there is nothing to back up yet.
 *
 * @param tagName     exact tag to look for (compared with ==, no pattern matching)
 * @param imageStream ImageStream whose tags are read via getAllTags
 * @return true when the tag is among the space-separated tags, false otherwise
 */
def tagExists(tagName, imageStream) {
    // Plain split/contains (no closure) keeps this CPS-safe inside the pipeline.
    def present = getAllTags(imageStream).split(" ") as List
    return present.contains(tagName)
}
/**
 * Starts an OpenShift build for the given BuildConfig and waits for it to be verified.
 * Both steps stream build logs and share the same 20-minute wait budget.
 *
 * @param buildConfigName BuildConfig to build (the pipeline passes ARTIFACT_BUILD)
 */
def buildAndVerify(buildConfigName) {
    def waitBudgetMs = '1200000'
    echo "Building: ${buildConfigName}"
    openshiftBuild(bldCfg: buildConfigName, showBuildLogs: 'true', waitTime: waitBudgetMs)
    openshiftVerifyBuild(bldCfg: buildConfigName, showBuildLogs: 'true', waitTime: waitBudgetMs)
}
/**
 * Tags an existing image of an ImageStream under a new tag within the same stream.
 *
 * @param srcHash     source tag or digest to copy from (callers pass either an image digest
 *                    or an environment tag)
 * @param destination tag to create or move
 * @param imageStream ImageStream used as both source and destination
 */
def tagImage(srcHash, destination, imageStream) {
    def tagArgs = [
        srcStream : imageStream,
        srcTag    : srcHash,
        destStream: imageStream,
        destTag   : destination,
        verbose   : 'true',
        waitTime  : '1200000',
    ]
    openshiftTag(tagArgs)
}
/**
 * Keeps a copy of the last known-good image of an environment under a backup tag,
 * so a failed deployment can be rolled back by hand.
 *
 * @param environment environment tag whose current image is backed up
 * @param backupTag   tag that receives the copy (e.g. 'dev-previous')
 * @param imageStream ImageStream holding both tags
 */
def tagLatestStable(environment, backupTag, imageStream) {
    // First run: the environment tag does not exist yet, so there is nothing to back up.
    if (!tagExists(environment, imageStream)) {
        return
    }
    tagImage(environment, backupTag, imageStream)
}
/**
 * Promotes an image to an environment by tagging it, then waits for the DeploymentConfig
 * in the matching namespace ("<PROJECT_NAMESPACE>-<environment>") to roll out.
 *
 * @param srcHash     digest of the image to deploy (from getLatestHash)
 * @param environment environment tag, e.g. 'dev'
 * @param imageStream ImageStream that receives the environment tag
 */
def deployAndVerify(srcHash, environment, imageStream) {
    def targetNamespace = "${PROJECT_NAMESPACE}-${environment}"
    echo "Deploying ${APP_NAME} to ${environment}"
    // Moving the environment tag is what triggers the deployment.
    tagImage(srcHash, environment, imageStream)
    // Verify deployment to an environment; e.g. [your-project-name]-dev
    openshiftVerifyDeployment(deploymentConfig: APP_NAME, namespace: targetNamespace, waitTime: '1200000')
}
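/**
 * Builds a human-readable summary of the SCM changes that triggered this build:
 * one " - <message> [<author>]" line per commit, or "No changes".
 *
 * Commit messages and author names come from the repository and are not sanitised here;
 * the result currently only goes to `echo`, so keep that in mind if notifyGood/notifyError
 * ever start posting it to an external channel.
 *
 * @return the change summary, never empty
 */
def getChangeString() {
    def MAX_MSG_LEN = 512
    def changeString = ""
    def changeLogSets = currentBuild.changeSets
    // Index loops rather than closures: this runs inside the CPS-transformed pipeline.
    for (int i = 0; i < changeLogSets.size(); i++) {
        def entries = changeLogSets[i].items
        for (int j = 0; j < entries.length; j++) {
            def entry = entries[j]
            // `def` keeps this local; the original leaked it into the script binding.
            def truncated_msg = entry.msg.take(MAX_MSG_LEN)
            changeString += " - ${truncated_msg} [${entry.author}]\n"
        }
    }
    if (!changeString) {
        changeString = "No changes"
    }
    return changeString
}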
/**
 * Reports a successful step. Currently prints to the build log only.
 *
 * @param title       one-line summary, always printed
 * @param description optional detail, printed only when non-empty
 */
def notifyGood(title, description) {
    // TODO: Send notifications to Slack
    echo title
    if (!description) {
        return
    }
    echo description
}
/**
 * Reports a failed step. Currently prints to the build log only; mirrors notifyGood.
 *
 * @param title       one-line summary, always printed
 * @param description optional detail (e.g. the caught error message), printed only when non-empty
 */
def notifyError(title, description) {
    // TODO: Send notifications to Slack
    echo title
    if (!description) {
        return
    }
    echo description
}
// Main pipeline: cancel stale builds, build the image, then deploy it to DEV.
// Runs on the Jenkins master executor; the deploy stage allocates a further
// anonymous node inside it.
node('master') {
    stage('Startup') {
        // stop pending builds.
        // RUNTIME_CHAINED_BUILD is a trusted constant derived from APP_NAME; do not
        // feed build parameters into this interpolated shell command.
        sh "oc cancel-build bc/${RUNTIME_CHAINED_BUILD}"
    }
    stage('Build') {
        echo "Building Application image..."
        buildAndVerify(ARTIFACT_BUILD)
        // Binding variable (no `def`) on purpose: the deploy stage below reads it.
        // Deploying by digest rather than by the moving `latest` tag pins exactly
        // the image that was just built and verified.
        IMAGE_HASH = getLatestHash(IMAGESTREAM_NAME)
        echo ">> IMAGE_HASH: ${IMAGE_HASH}"
    }
    /* Deploying to DEV
    - backing up latest stable deployment
    - deploying newly built image
    - notifying of success or failure
    */
    stage("Deploy to ${environments.dev.name}") {
        def environment = environments.dev.tag
        def stableTag = environments.dev.previousTag
        node {
            try {
                // hold on to a copy of the last stable DEV environment (in case the upcoming deployment fails...)
                tagLatestStable(environment, stableTag, IMAGESTREAM_NAME)
                deployAndVerify(IMAGE_HASH, environment, IMAGESTREAM_NAME)
                // all is good!
                notifyGood(
                    "New ${APP_NAME} in ${environment} :)",
                    "Changes: ${getChangeString()}"
                )
            } catch(error) {
                // Rollback to stableTag is manual; the error is re-thrown so the build fails.
                notifyError(
                    "Couldn't deploy ${APP_NAME} to ${environment} :(",
                    "Error: '${error.message}'"
                )
                throw error
            }
        }
    }
}
// ZAP security scan
// Runs an OWASP ZAP baseline (passive) scan from a dedicated Kubernetes pod and
// publishes the HTML report. The image is pulled from the in-cluster registry
// by IP; the service account is the Jenkins one.
podTemplate(label: 'owasp-zap2', name: 'owasp-zap2', serviceAccount: 'jenkins', cloud: 'openshift', containers: [
    containerTemplate(
        name: 'jnlp',
        image: '172.50.0.2:5000/openshift/jenkins-slave-zap',
        resourceRequestCpu: '500m',
        resourceLimitCpu: '1000m',
        resourceRequestMemory: '3Gi',
        resourceLimitMemory: '4Gi',
        workingDir: '/home/jenkins',
        command: '',
        args: '${computer.jnlpmac} ${computer.name}'
    )
])
{
    stage('ZAP Security Scan')
    {
        node('owasp-zap2') {
            //the checkout is mandatory
            echo "checking out source"
            echo "Build: ${BUILD_ID}"
            checkout scm
            dir('/zap') {
                // Target is hard-coded (a 'develop' route, not derived from APP_NAME /
                // PROJECT_NAMESPACE / PATHFINDER_URL); keep it in sync by hand.
                def retVal = sh returnStatus: true, script: '/zap/zap-baseline.py -r baseline.html -t https://embcess-develop-jhnamn.pathfinder.gov.bc.ca '
                publishHTML([allowMissing: false, alwaysLinkToLastBuild: false, keepAll: true, reportDir: '/zap/wrk', reportFiles: 'baseline.html', reportName: 'ZAP Baseline Scan', reportTitles: 'ZAP Baseline Scan'])
                // returnStatus:true means a non-zero exit (ZAP found WARN/FAIL
                // alerts) does not fail the stage; the code is only logged here.
                // NOTE(review): informational only — the scan does not gate the build.
                echo "Return value is: ${retVal}"
            }
        }
    }
}