-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdevops-camp-jenkinsfile
123 lines (120 loc) · 5.04 KB
/
devops-camp-jenkinsfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
pipeline {
agent {
label 'jenkins-agent'
}
environment {
PIPELINE_HASH = sh(script: 'git rev-parse --short HEAD', returnStdout: true).trim()
HARBOR_REGISTRY = 'registry.dev.afsmtddso.com'
HARBOR_PROJECT = 'mhoffmann-harbor-project'
APP_IMAGE_NAME = 'app'
CREDENTIALS_ID = 'mhoffmann-harbor-auth'
EKS_NAMESPACE = 'mhoffmann'
DOCKER_CONFIG_LOCATION = ''
IMAGE_DIGEST = ''
}
stages {
stage('Application repository') {
steps {
echo "Cloning application repository"
sh 'git clone https://github.com/McGoffmann/afs-labs-student.git'
dir('afs-labs-student') {
script {
env.COMMIT_HASH = sh(script: 'git rev-parse --short HEAD', returnStdout: true).trim()
}
}
}
}
stage('Application docker build') {
steps {
build_image('application', APP_IMAGE_NAME, './app/Dockerfile')
}
post {
always {
clean_image(APP_IMAGE_NAME)
}
}
}
stage('Security scanning') {
steps {
withCredentials([usernamePassword(credentialsId: CREDENTIALS_ID, usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
echo "Scanning $APP_IMAGE_NAME image"
sh 'python harbor_scanner.py -i $APP_IMAGE_NAME -r $HARBOR_REGISTRY -p $HARBOR_PROJECT -c ${USERNAME}:${PASSWORD}'
}
}
}
stage('Sign Image') {
steps {
echo "Signing Container Image"
withCredentials([usernameColonPassword(credentialsId: CREDENTIALS_ID, variable: 'HARBOR-AUTH')]) {
script {
docker.withRegistry('https://$HARBOR_REGISTRY', CREDENTIALS_ID) {
DOCKER_CONFIG_LOCATION = sh (
script: 'docker login https://$HARBOR_REGISTRY/ 2>&1',
returnStdout: true
).trim()
DOCKER_CONFIG_LOCATION = (DOCKER_CONFIG_LOCATION =~ /stored unencrypted in (.+)/)[ 0 ][ 1 ]
DOCKER_CONFIG_LOCATION = DOCKER_CONFIG_LOCATION.substring(0, DOCKER_CONFIG_LOCATION.length() - 1)
script {
sh 'docker build -t cosign-$COMMIT_HASH -f ./cosign/Dockerfile .'
sh "yes | docker run -i -v /var/run/docker.sock:/var/run/docker.sock -v $DOCKER_CONFIG_LOCATION:/root/.docker/config.json --rm cosign-$COMMIT_HASH sign --key cosign.key $HARBOR_REGISTRY/$HARBOR_PROJECT/$APP_IMAGE_NAME@$IMAGE_DIGEST"
}
}
}
}
}
post {
always {
echo "Clean local cosign image"
script {
try {
sh "docker rmi cosign-$COMMIT_HASH:latest"
} catch (err) {
echo err.getMessage()
}
}
}
}
}
stage('Deploy') {
steps {
echo "Deployment stage"
sh 'kubectl -n $EKS_NAMESPACE apply -f ./afs-labs-student/kubernetes/config-map.yaml'
sh 'kubectl -n $EKS_NAMESPACE set image deployment/app-deployment app-deployment=$HARBOR_REGISTRY/$HARBOR_PROJECT/$APP_IMAGE_NAME:$COMMIT_HASH-$PIPELINE_HASH'
}
}
}
post {
cleanup {
echo "Clean workspace"
sh 'rm -rf .git ./*'
}
}
}
def build_image(type, IMAGE_NAME, dockerfile_location) {
echo "Building $type image"
withCredentials([usernameColonPassword(credentialsId: CREDENTIALS_ID, variable: 'HARBOR-AUTH')]) {
script {
sh "docker build -t $IMAGE_NAME-$COMMIT_HASH -f $dockerfile_location ./afs-labs-student"
docker.withRegistry('https://$HARBOR_REGISTRY', CREDENTIALS_ID) {
sh "docker tag $IMAGE_NAME-$COMMIT_HASH $HARBOR_REGISTRY/$HARBOR_PROJECT/$IMAGE_NAME:$COMMIT_HASH-$PIPELINE_HASH"
IMAGE_DIGEST = sh (
script: "docker push $HARBOR_REGISTRY/$HARBOR_PROJECT/$IMAGE_NAME:$COMMIT_HASH-$PIPELINE_HASH",
returnStdout: true
).trim()
IMAGE_DIGEST = (IMAGE_DIGEST =~ /$COMMIT_HASH-$PIPELINE_HASH: digest: (sha256:.+) size/)[ 0 ][ 1 ]
echo "IMAGE_DIGEST = $IMAGE_DIGEST"
}
}
}
}
def clean_image(IMAGE_NAME) {
echo "Clean local $IMAGE_NAME image"
script {
try {
sh "docker rmi $IMAGE_NAME-$COMMIT_HASH:latest"
sh "docker rmi $HARBOR_REGISTRY/$HARBOR_PROJECT/$IMAGE_NAME:$COMMIT_HASH-$PIPELINE_HASH"
} catch (err) {
echo err.getMessage()
}
}
}