RedHatTraining/rht-labs-docs.git

donal

2018-05-29 40c0ca61d8a44c6212aa1dab6210ac2455d8cee3

commit \| author \| age
e36a5b	1	# An Enslaved Hope
43f2f2	2
b5d705	3	> In this exercise we'll break free from the chains of point'n'click Jenkins by introducing pipeline as code in the form of `Jenkinsfile`. Following this we will introduce some new Jenkins slaves that will be used in later exercises.
e36a5b	4
921415	5	![jenkins-fail-meme](../images/exercise4/jenkins-fail-meme.jpeg)
D	6
e36a5b	7	There are a number of ways pipeline as code can be achieved in Jenkins.
D	8	* The Job DSL Plugin - this is a slightly older but very functional DSL mechanism to create reusable pipelines. Create a `groovy` file to run Jenkins Domain Specific Language to create jobs, functions and other items. In Jenkins; you then can execute this file which will build all of the config.xml files needed for each Job.
dd12d4	9	* The Scripted Pipeline - The scripted pipeline introduced the Jenkinsfile and the ability for developers to write their jenkins setup as groovy code. A repo with a Jenkinsfile in it's root can be pointed to by Jenkins and it will automatically build out each of the stages described within. The scripted pipeline is ultimately Groovy at it's core.
A	10	* The Declarative Pipeline - This approach looks to simplify and opinionate what you can do and when you can do it in a pipeline. It does this by giving you top level `block` which define sections, directives and steps. The declarative syntax is not run as groovy but you can execute groovy inside script blocks. The advantage of it over scripted is validation of the config and lighter approach with requirement to understand all of the `groovy` syntax
e36a5b	11
43f2f2	12	_____
D	13
	14	## Learning Outcomes
	15	As a learner you will be able to
e36a5b	16	- Use a Jenkinsfile to create a declarative pipeline to build, bake and deploy the Todolist App
D	17	- Identify the differences between scripted, declarative and DSL pipelines
b5d705	18	- Create Jenkins slave nodes for use in builds in future exercises
43f2f2	19
D	20	## Tools and Frameworks
	21	> Name of tool - short description and link to docs or website
	22
e36a5b	23	1. [Pipeline](https://jenkins.io/doc/book/pipeline/) - Overview of the Jenkinsfile approach
D	24	1. [Pipeline Syntax](https://jenkins.io/doc/book/pipeline/syntax/) - Documentation for the declarative pipeline
	25	1. [Groovy](http://groovy-lang.org/) - Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities, for the Java platform aimed at improving developer productivity thanks to a concise, familiar and easy to learn syntax. It integrates smoothly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming.
b664dc	26	1. [Zed Attack Proxy](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) - The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.
D	27	1. [Arachni Crawler](http://www.arachni-scanner.com/) - Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications. It is free, with its source code public and available for review. It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform. In addition, its simple REST API makes integration a cinch.
43f2f2	28
D	29	## Big Picture
	30	This exercise begins cluster containing blah blah
	31
	32	_____
	33
	34	## 10,000 Ft View
b5d705	35	> The goal of this exercise is to move to using the Jenkinsfile in the todolist-api and todolist-fe projects. Additionally we will create new slaves for use in the next exercise.
43f2f2	36
e36a5b	37	2. On Jenkins; create a multibranch pipeline project to scan the GitLab endpoint for each app. Use the Jenkinsfile provided to run the stages. Replace the `<YOUR_NAME>` with appropriate variable.
43f2f2	38
e36a5b	39	2. Create two new Jenkins slaves for the `OWASP ZAP` scanner and the `Arachni` WebCrawler
43f2f2	40
D	41	## Step by Step Instructions
e36a5b	42	> This is a fairly structured guide with references to exact filenames and sections of text to be added.
43f2f2	43
e36a5b	44	### Part 1 - The Jenkinsfile
b5d705	45	> _In this exercise we'll replace the Pipeline we created in Exercise 2 with a Jenkinsfile approach_
43f2f2	46
e36a5b	47	2. On your terminal navigate to your `todolist-api` project and checkout the pipeline feature branch that's been already created for you.
D	48	```bash
fad576	49	git checkout feature/jenkinsfile
43f2f2	50	```
D	51
e36a5b	52	2. Open up your `todolist-api` application in your favourite editor and move to the `Jenkinsfile` in the root of the project. The highlevel structure of the file is shown collapsed below.
D	53	![pipeline-overview](../images/exercise4/pipeline-overview.png)
	54	Some of the key things to note:
	55	* `pipeline {}` is how all declarative jenkins pipelines begin.
db509f	56	* `environment {}` defines environment variables to be used across all build stages
A	57	* `options {}` contains specific Job specs you want to run globally across the jobs e.g. setting the terminal colour
	58	* `stage {}` all jobs must have one stage. This is the logical part of the build that will be executed e.g. `bake-image`
e36a5b	59	* `steps {}` each `stage` has one or more steps involved. These could be execute shell or git checkout etc.
D	60	* `agent {}` specifies the node the build should be run on eg `jenkins-slave-npm`
	61	* `post {}` hook is used to specify the post-build-actions. Jenkins declarative provides very useful callbacks for `success`, `failure` and `always` which are useful for controlling the job flow
	62	* `when {}` is used for flow control. It can be used at stage level and be used to stop pipeline entering that stage. eg when branch is master; deploy to `test` environment.
	63
b5d705	64	2. The Jenkinsfile is mostly complete to do all the testing etc that was done in previous exercises. Some minor changes will be needed to orchestrate namespaces. Find and replace all instances of `<YOUR_NAME>` in the Jenkinsfile. Update the `<GIT_USERNAME>` to the one you login to the cluster with; this variable is used in the namespace of your git projects when checking out code etc. Ensure the `GITLAB_DOMAIN` matches your git host.
e36a5b	65	```groovy
D	66	environment {
	67	// GLobal Vars
dd12d4	68	PIPELINES_NAMESPACE = "<YOUR_NAME>-ci-cd"
e36a5b	69	APP_NAME = "todolist-api"
D	70
	71	JENKINS_TAG = "${JOB_NAME}.${BUILD_NUMBER}".replace("/", "-")
	72	JOB_NAME = "${JOB_NAME}".replace("/", "-")
	73
	74	GIT_SSL_NO_VERIFY = true
	75	GIT_CREDENTIALS = credentials('jenkins-git-creds')
e340eb	76	GITLAB_DOMAIN = "gitlab.apps.<SOME_DOMAIN>.com"
70ba2a	77	GITLAB_PROJECT = "<GIT_USERNAME>"
e36a5b	78	}
D	79	```
	80
	81	2. With these changes in place, push your changes to the `feature/jenkinsfile` branch.
	82	```bash
fad576	83	git add Jenkinsfile
D	84	```
	85	```bash
	86	git commit -m "ADD - namespace and git repo to pipeline"
	87	```
	88	```bash
	89	git push
e36a5b	90	```
D	91
	92	2. When the changes have been successfully pushed; Open Jenkins.
	93
	94	2. Create a `New Item` on Jenkins. Give it the name `todolist-api` and select `Multibranch Pipeline` from the bottom of the list as the job type.
	95	![multibranch-select](../images/exercise4/multibranch-select.png)
	96
	97	2. On the job's configure page; set the Branch Sources to `git`
	98	![multibranch-select-git](../images/exercise4/multibranch-select-git.png)
	99
33c738	100	2. Fill in the Git settings with your `todolist-api` GitLab url and set the credentials as you've done before. `https://gitlab.apps.lader.rht-labs.com/<YOUR_NAME>/todolist-api.git`
e36a5b	101	![multibranch-git](../images/exercise4/multibranch-git.png)
D	102
44d41c	103	2. Set the `Scan Multibranch Pipeline Triggers` to be periodic and the interval to 1 minute. This will poll the gitlab instance for new branches or change sets to build.
e36a5b	104	![multibranch-scan-time](../images/exercise4/multibranch-scan-time.png)
D	105
2ff842	106	2. Save the Job configuration to run the intial scan. The log will show scans for `master` and `develop` branch which have no `Jenkinsfile` so are skipped. The resulting view will show the `feature/jenkinsfile` job corresponding the only branch that currently has one. The build should run automatically.
e36a5b	107	![todolist-api-multi](../images/exercise4/todolist-api-multi.png)
D	108
ed472a	109	2. The pipeline file is setup to only run `bake` & `deploy` stages when on `master` or `develop` branch. This is to provide us with very fast feedback for team members working on feature or bug fix branches. Each time someone commits or creates a new branch a basic build with testing occurs to give very rapid feedback to the team. Let's now update our `master` and `develop` branches to include the Jenkinsfile and delete the feature branch.
e36a5b	110	```bash
fad576	111	git checkout develop
D	112	```
	113	```bash
	114	git merge feature/jenkinsfile
ed472a	115	# you may get merge conflicts at this point
fad576	116	```
D	117	```bash
	118	git add .
	119	```
	120	```bash
	121	git commit -m "Jenkinsfile updates"
	122	```
	123	```bash
	124	git checkout master
	125	```
	126	```bash
	127	git merge develop
	128	```
	129	```bash
	130	git push -u origin --all
	131	```
	132	```bash
e36a5b	133	# this is to delete the branch from the remote
fad576	134	git push origin :feature/jenkinsfile
e36a5b	135	```
D	136
	137	2. Back on Jenkins we should see our `todolist-api` pipelines have changed with the `develop` and `master` now appearing. The feature was deleted so this job should have gone away.
	138	![todolist-api-multi-dev-test](../images/exercise4/todolist-api-multi-dev-test.png)
	139
	140	2. With the builds running for `develop` and `master` we can explore the Blue Ocean View for Jenkins. On the Job overview page, hit the Open Blue Ocean ![open-blue-ocean](../images/exercise4/open-blue-ocean.png)
	141	button on the side to see what modern Jenkins looks like.
	142	![blue-ocean-todolist-api](../images/exercise4/blue-ocean-todolist-api.png)
	143
	144	2. We can move on to the `todolist-fe` job. The process is the same as before, checkout the feature branch
	145	```bash
fad576	146	cd todolist-fe
D	147	```
	148	```bash
	149	git checkout feature/jenkinsfile
e36a5b	150	```
D	151
ed472a	152	2. Open up your `todolist-fe` application in your favourite editor and move to the `Jenkinsfile` in the root of the project. Update all `<YOUR_NAME>` and `<GIT_USERNAME>` as you did before, including in the prepare environment steps. Check the `GITLAB_DOMAIN` is set too.
D	153	![jenkinsfile-prep](../images/exercise4/jenkinsfile-prep.png)
e36a5b	154
D	155	2. Commit your changes to your feature branch as you did previously.
	156	```bash
fad576	157	git add Jenkinsfile
D	158	```
	159	```bash
	160	git commit -m "ADD - namespace and git repo to pipeline"
	161	```
	162	```bash
	163	git push
e36a5b	164	```
D	165
	166	2. This time update your master and develop branches before creating config in Jenkins
	167	```
fad576	168	git checkout develop
D	169	```
	170	```bash
	171	git merge feature/jenkinsfile
ed472a	172	# you may get merge conflicts at this point
fad576	173	```
D	174	```bash
	175	git add .
	176	```
	177	```bash
	178	git commit -m "Jenkinsfile updates"
	179	```
	180	```bash
	181	git checkout master
	182	```
	183	```bash
	184	git merge develop
	185	```
	186	```bash
ed472a	187	# this is to delete the branch from the remote
fad576	188	git push origin :feature/jenkinsfile
D	189	```
	190	```bash
	191	git push -u origin --all
e36a5b	192	```
D	193
	194	2. On Jenkins; create a new `Multibranch Pipeline` job called `todolist-fe`.
	195
	196	2. Add the `todolist-fe` git repository and set the credentials for git accordingly.
	197
	198	2. Set the trigger to scan every minute as done previously. Save the configuration and we should see the collection of Jobs as shown below.
	199	![todolist-fe-multi](../images/exercise4/todolist-fe-multi.png)
	200
6769e3	201	2. Run the jobs and validate the app is working as expected in the `test` environment!
ed472a	202	![todolist-test](../images/exercise4/todolist-test.png)
34fb36	203
D	204	### Part 2 - OCP Pipeline
	205	> _This exercise adds a new BuildConfig to our cluster for the todolist-apps to run their pipelines in OpenShift using the OpenShift Jenkins Sync Plugin. We will use the OpenShift Applier to create the content in the cluster_
	206
b2ce13	207	2. Open the `todolist-fe` app in your favourite editor. Move to the `.openshift-applier` directory. Explore the `template/ocp-pipeline`. This template creates a BuildConfig for OpenShift with a Jenkinsfile from a given repo. In this case; it will be the `Jenkinsfile` at the root of our application.
34fb36	208
D	209	2. Open the `params/ocp-pipeline` file and update `PIPELINE_SOURCE_REPOSITORY_URL` with the git url of your project (Don't forget to add the `.git` at the end). For example:
	210	```
e340eb	211	PIPELINE_SOURCE_REPOSITORY_URL=https://gitlab.apps.<SOME_DOMAIN>.com/<GIT_USERNAME>/todolist-fe.git
34fb36	212	PIPELINE_SOURCE_REPOSITORY_REF=develop
D	213	NAME=todolist-fe
	214	```
	215
b2ce13	216	2. Create a new object in `inventory/group_vars/all.yml` to drive the `ocp-pipeline` template with the parameters file you've just created. It can be put under the existing `todolist-fe-build` object.
34fb36	217	```yaml
D	218	- name: todolist-ocp-pipeline
	219	template: "{{ playbook_dir }}/templates/ocp-pipeline.yml"
	220	params: "{{ playbook_dir }}/params/ocp-pipeline"
	221	namespace: "{{ ci_cd_namespace }}"
	222	tags:
	223	- pipeline
	224	```
	225	![ocp-pipeline-applier](../images/exercise4/ocp-pipeline-applier.png)
	226
	227	2. Use the OpenShift Applier to create the cluster content
	228	```bash
fad576	229	cd .openshift-applier
D	230	```
	231	```bash
	232	ansible-playbook apply.yml -i inventory/ \
34fb36	233	-e "filter_tags=pipeline"
D	234	```
	235
d4f1fa	236	2. With these changes in place, commit your changes to GitLab
D	237	```bash
fad576	238	git add .
D	239	```
	240	```bash
	241	git commit -m "ADD - ocp pipeline in git repo"
	242	```
	243	```bash
	244	git push
d4f1fa	245	```
D	246
34fb36	247	2. Login to your OpenShift Cluster and go to the `<YOUR_NAME>-ci-cd` namespace. On the side menu; hit Builds > Pipeline to see your newly created pipeline running in OCP Land.
D	248	![ocp-pipeline-view](../images/exercise4/ocp-pipeline-view.png)
	249
	250	2. Running the pipeline from here will run it in Jenkins. You can see the job sync between OpenShift and Jenkins if you login to Jenkins. You should see a folder with `<YOUR_NAME>-ci-cd` and your pipeline jobs inside of it.
	251	![ocp-pipeline-jenkins](../images/exercise4/ocp-pipeline-jenkins.png)
	252
	253	2. With the configuration in place for the `todolist-fe`; repeat the process for the `todolist-api`. Update the `todolist-api/.openshift-applier/inventory/group_vars/all.yml` with a new object to drive the params and template
	254	```yaml
d4f1fa	255	- name: todolist-ocp-pipeline
34fb36	256	template: "{{ playbook_dir }}/templates/ocp-pipeline.yml"
D	257	params: "{{ playbook_dir }}/params/ocp-pipeline"
	258	namespace: "{{ ci_cd_namespace }}"
	259	tags:
	260	- pipeline
	261	```
	262
	263	2. Update the `todolist-api/.openshift-applier/params/ocp-pipeline`
	264	```
e340eb	265	PIPELINE_SOURCE_REPOSITORY_URL=https://gitlab.apps.<SOME_DOMAIN>.com/<GIT_USERNAME>/todolist-api.git
34fb36	266	PIPELINE_SOURCE_REPOSITORY_REF=develop
D	267	NAME=todolist-api
	268	```
	269
	270	2. Use the OpenShift Applier to create the cluster content
	271	```bash
fad576	272	cd todolist-api/.openshift-applier
D	273	```
	274	```bash
	275	ansible-playbook apply.yml -i inventory/ \
34fb36	276	-e "filter_tags=pipeline"
D	277	```
	278
	279	2. Login to your OpenShift Cluster and go to the `<YOUR_NAME>-ci-cd` namespace. On the side menu; hit Builds > Pipeline to see your newly created pipeline running in OCP Land.
	280	![ocp-pipeline-view2](../images/exercise4/ocp-pipeline-view2.png)
	281
d4f1fa	282	2. Commit your changes to GitLab
D	283	```bash
fad576	284	git add .
D	285	```
	286	```bash
	287	git commit -m "ADD - ocp pipeline in git repo"
	288	```
	289	```bash
	290	git push
d4f1fa	291	```
34fb36	292
D	293	### Part 3 - Security Scanning Slaves
e36a5b	294	> _This exercise focuses on updating the `enablement-ci-cd` repo with some new jenkins-slave pods for use in future exercise_
43f2f2	295
d4f1fa	296	#### 3a - OWASP ZAP
6769e3	297	> _OWASP ZAP (Zed Attack Proxy) is a free open source security tool used for finding security vulnerabilities in web applications._
A	298
40c0ca	299	3. On your terminal; move to the `enablement-ci-cd` repo. We need to checkout a template for OpenShift to build our Jenkins Slave images and some parameters for the `zap` slave.
6769e3	300	```bash
40c0ca	301	git checkout exercise4/zap-and-arachni params/jenkins-slave-zap templates/jenkins-slave-generic-template.yml
6769e3	302	```
A	303
5b1604	304	3. This should have created the following files which we will fill out. We will use a `ZAP` image hosted on the `rht-labs/ci-cd` repo so there will be no `Dockerfile` needed:
e32e5c	305	- `params/jenkins-slave-zap`
6769e3	306
da9923	307	3. Create an object in `inventory/host_vars/ci-cd-tooling.yml` called `jenkins-slave-zap` and add the following content:
054490	308	```yaml
da9923	309	- name: "jenkins-slave-zap"
b664dc	310	namespace: "{{ ci_cd_namespace }}"
D	311	template: "{{ playbook_dir }}/templates/jenkins-slave-generic-template.yml"
da9923	312	params: "{{ playbook_dir }}/params/jenkins-slave-zap"
b664dc	313	tags:
D	314	- zap
6769e3	315	```
2c15b7	316	![zap-object](../images/exercise4/zap-object.png)
6769e3	317
A	318	3. Run the ansible playbook filtering with tag `zap` so only the zap build pods are run.
	319	```bash
fad576	320	ansible-playbook apply.yml -e target=tools \
b664dc	321	-i inventory/ \
D	322	-e "filter_tags=zap"
6769e3	323	```
A	324
33c738	325	3. Head to https://console.lader.rht-labs.com on Openshift and move to your ci-cd project > builds. You should see `jenkins-slave-zap` has been built.
e32e5c	326	![zap-build](../images/exercise4/zap-build.png)
6769e3	327
d4f1fa	328	#### 3b - Arachni Scan
6769e3	329	> _Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications._
e32e5c	330
D	331	3. On your terminal; checkout the params and Docker file. The Dockerfile for the `Arachni` scanner is included here and we will point the build to it.
	332	```bash
fad576	333	git checkout exercise4/zap-and-arachni params/jenkins-slave-arachni docker/jenkins-slave-arachni
e32e5c	334	```
6769e3	335
da9923	336	3. Create an object in `inventory/host_vars/ci-cd-tooling.yml` called `jenkins-slave-arachni` with the following content:
054490	337	```yaml
da9923	338	- name: "jenkins-slave-arachni"
b664dc	339	namespace: "{{ ci_cd_namespace }}"
D	340	template: "{{ playbook_dir }}/templates/jenkins-slave-generic-template.yml"
da9923	341	params: "{{ playbook_dir }}/params/jenkins-slave-arachni"
b664dc	342	tags:
D	343	- arachni
6769e3	344	```
A	345
2ff842	346	3. Update the `jenkins-slave-arachni` files `SOURCE_REPOSITORY_URL` to point to your gitlab's hosted version of the `enablement-ci-cd` repo.
e32e5c	347	```
d43bf4	348	SOURCE_REPOSITORY_URL=https://gitlab.apps.lader.rht-labs.com/<GIT_USERNAME>/enablement-ci-cd.git
e32e5c	349	SOURCE_CONTEXT_DIR=docker/jenkins-slave-arachni
D	350	BUILDER_IMAGE_NAME=registry.access.redhat.com/openshift3/jenkins-slave-base-rhel7:latest
	351	NAME=jenkins-slave-arachni
	352	SOURCE_REPOSITORY_REF=master
	353	```
	354
	355	3. With these changes in place, push your changes to the `master` branch.
	356	```bash
fad576	357	git add .
D	358	```
	359	```bash
	360	git commit -m "ADD - Arachni scanning image"
	361	```
	362	```bash
	363	git push
e32e5c	364	```
D	365
fd433b	366	3. Run the ansible playbook filtering with tag `arachni` so only the arachni build pods are run.
6769e3	367	```bash
fad576	368	ansible-playbook apply.yml -e target=tools \
b664dc	369	-i inventory/ \
D	370	-e "filter_tags=arachni"
6769e3	371	```
A	372
33c738	373	3. Head to https://console.lader.rht-labs.com on Openshift and move to your ci-cd project > builds. You should see `jenkins-slave-arachni`.
D	374	![builds-zap-arachni](../images/exercise4/builds-zap-arachni.png)
43f2f2	375
D	376	_____
	377
	378	## Extension Tasks
	379	> _Ideas for go-getters. Advanced topic for doers to get on with if they finish early. These will usually not have a solution and are provided for additional scope._
e36a5b	380
D	381	Jenkins S2I
	382	- Add the multi-branch configuration to the S2I to have Jenkins come alive with the `todolist-api` and `-fe` configuration cooked into it for future uses.
	383
d608d6	384	Jenkins Pipeline Extension
D	385	- Add an extension to the pipeline that promotes code to UAT environment once the master job has been successful.
	386	- Use a WAIT to allow for manual input to appove the promotion
	387
	388	Jenkins e2e extension (blue/green)
db509f	389	- Add a step in the pipeline to only deploy to the `test` environment if the e2e tests have run successfully against which ever environment (blue or green) is not deployed.
43f2f2	390
D	391	## Additional Reading
	392	> List of links or other reading that might be of use / reference for the exercise
	393
01c4da	394	## Slide Links
RH	395
	396	- [Intro](https://docs.google.com/presentation/d/1B3Fv4g66zZ8ZkqBq9TYmImJhUDvMecXCt4q3DXGWhjc/)
	397	- [Wrap-up](https://docs.google.com/presentation/d/1EOk6y798Xh1hsaQlxRuqyr23FIIf7sNY4any_yXIL7A/)
	398	- [All Material](https://drive.google.com/drive/folders/1oCjpl33Db7aPocmpu3NNF0B9czRvFq3m)