CI/CD Infrastructure Setup: Difference between revisions

From NovaOrdis Knowledge Base
No edit summary
 
(48 intermediate revisions by the same user not shown)
Old revision (as shown in the diff):

=External=

* https://github.com/OpenShiftDemos/openshift-cd-demo

=Internal=

(unchanged lines omitted by the diff view)

=Pre-Requisites=

Create the "cicd" project to host the Jenkins instance and auxiliaries.

(unchanged lines omitted by the diff view)

   --description="Shared CI/CD tools to provide release pipeline services for other projects"

[[OpenShift_PersistentVolume_Operations#Create_a_NFS_Persistent_Volume|Provision]] 6 1Gi persistent volumes to be used by Jenkins, Nexus, Gogs data, Gogs PostgreSQL, Sonar and Sonar PostgreSQL, and a smaller one (512Mi) for Gogs config.

=Deploy Jenkins=

 oc new-app jenkins-persistent --param=MEMORY_LIMIT=1Gi -e INSTALL_PLUGINS=analysis-core:1.92,findbugs:4.71,pmd:3.49,checkstyle:3.49,dependency-check-jenkins-plugin:2.1.1,htmlpublisher:1.14,jacoco:2.2.1,analysis-collector:1.52 -n cicd

=Template=

The template is available at https://github.com/NovaOrdis/playground/blob/master/openshift/auxiliary-tools/all-cicd.yaml. It is based on https://github.com/OpenShiftDemos/openshift-cd-demo/blob/ocp-3.6/cicd-template-with-sonar.yaml.

 oc process -f ./all-cicd.yaml \
   -p GOGS_PASSWORD=<''gogs-password''> \
   -p DEV_PROJECT=<''dev-project-name''> \
   -p STAGE_PROJECT=<''stage-project-name''> \

Since the entire project is dedicated to CI/CD, instead of creating individual service accounts for individual services, we use the project's default service account "default" and we elevate its privileges to "edit". For more details on CI/CD security considerations see [[OpenShift_CI/CD_Concepts#Security_Considerations|CI/CD Security Considerations]].

Before Running:

* Verify that all required images are available in the internal docker registry.
* Who creates the database for gogs and sonarqube postgreses?
* Modify all routes to make sure they are Edge terminated and do not allow non-HTTPS access.
* Verify that -p V='K' works.

A special service account ("system:serviceaccount:CICD:jenkins") will be created for Jenkins.

Additional components (Gogs, Sonar, Nexus) will also be deployed.

=Create Required Image Streams=

{{Internal|OpenShift_Image_and_ImageStream_Operations#Create_an_Image_Stream|Create an Image Stream}}

=Create Projects=

Create the following projects:

1. A project for the CI/CD components, named "CICD":

 oc new-project CICD --display-name="CI/CD pipeline with Jenkins"

2. A project to host development-stage containers and processes, named "dev":

 oc new-project dev --display-name="Test Development Project"

3. A project to host the publicly-accessible application produced by the CI/CD pipeline, named "stage":

 oc new-project stage --display-name="Test Stage Project"

=Grant Required Permissions=

Jenkins components need to access the OpenShift API, so the service account that will run the Jenkins pod ("system:serviceaccount:CICD:jenkins") must be given appropriate permissions for the projects it must service:

<font color=red>Do we really need "admin" to "jenkins"?</font>

 [[Oc_policy#add-role-to-user|oc policy add-role-to-user]] admin system:serviceaccount:CICD:jenkins

 [[Oc_policy#add-role-to-user|oc policy add-role-to-user]] edit system:serviceaccount:CICD:jenkins -n dev
 [[Oc_policy#add-role-to-user|oc policy add-role-to-user]] edit system:serviceaccount:CICD:jenkins -n stage

More details about Jenkins security considerations:

{{Internal|OpenShift CI/CD Concepts#Security_Considerations|Jenkins Security Considerations}}

=Provision a Persistent Volume=

The template requires a persistent volume, which must be provisioned before the installation.

{{Internal|OpenShift_PersistentVolume_Operations#Overview|Persistent Volume Operations}}

=Create Jenkins Components=

 oc project CICD
 [[Oc process|oc process]] -f ./cicd-template.yaml --param DEV_PROJECT=dev --param STAGE_PROJECT=stage \
 | oc create -f -

A template example for OpenShift 3.5 is available at https://github.com/OpenShiftDemos/openshift-cd-demo/blob/ocp-3.5/cicd-template.yaml. A version is also available here:

{{Internal|OpenShift CICD Template Example|OpenShift CICD Template Example}}

=Post-Install Adjustments=

==Adjust Readiness Probe Timeout==

 [[Oc_set#probe|oc set probe]] dc jenkins --readiness --initial-delay-seconds=500

==Adjust Memory==

 oc project CICD
 [[Oc_set#resources|oc set resources]] dc/jenkins --limits=memory=1Gi

=Verification=

* Jenkins should start and be available at https://jenkins-cicd.apps.openshift.novaordis.io/
* Gogs should start and be available at https://gogs-cicd.apps.openshift.novaordis.io/
* Nexus should start and be available at https://nexus-cicd.apps.openshift.novaordis.io/

New revision (rendered as "Latest revision" below):

=External=

* https://github.com/OpenShiftDemos/openshift-cd-demo/tree/ocp-3.6

=Internal=

(unchanged lines omitted by the diff view)

=Pre-Requisites=
==cicd Project==

Create the "cicd" project to host the Jenkins instance and auxiliaries.

(unchanged lines omitted by the diff view)

   --description="Shared CI/CD tools to provide release pipeline services for other projects"

==Persistent Volumes==

[[OpenShift_PersistentVolume_Operations#Create_a_NFS_Persistent_Volume|Provision]] six 1Gi persistent volumes to be used by Jenkins, Nexus, Gogs data, Gogs PostgreSQL, Sonar and Sonar PostgreSQL, and a smaller one (512Mi) for Gogs config.

{{Internal|OpenShift_PersistentVolume_Operations#Overview|Persistent Volume Operations}}

==Development and Production Projects==

 oc new-project novaordis-dev --display-name="CI/CD Demo Development Project"
 oc new-project novaordis-prod --display-name="CI/CD Demo Production Project"

=Deploy Jenkins=

 oc new-app jenkins-persistent \
   -p MEMORY_LIMIT=6Gi \
   -p ENABLE_OAUTH=true \
   -p JVM_ARCH=x86_64 \
   -p CONTAINER_HEAP_PERCENT="0.75" \
   -p JAVA_GC_OPTS="-XX:+UseParallelGC -XX:MinHeapFreeRatio=20 -XX:MaxHeapFreeRatio=40 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:MaxMetaspaceSize=384m" \
   -e INSTALL_PLUGINS=analysis-core:1.92,findbugs:4.71,pmd:3.49,checkstyle:3.49,dependency-check-jenkins-plugin:2.1.1,htmlpublisher:1.14,jacoco:2.2.1,analysis-collector:1.52 \
   -n cicd

For Java heap sizing considerations, see [[OpenShift_CI/CD_Concepts#Jenkins_Heap_Sizing|Jenkins Heap Sizing]].

For more details about the template, run:

 oc get -o yaml template jenkins-persistent -n openshift

The template will create a "system:serviceaccount:cicd:jenkins" service account and will assign it sufficient privileges. The template will also enable OAuth with the Jenkins instance.

The initialization process' logs can be viewed with:

 oc logs -f jenkins-1-...

Once Jenkins is fully on-line, it can be logged into via the newly deployed route, using an OpenShift user (OAuth is enabled).

==Access Permissions==

Jenkins will perform CI/CD services for "novaordis-dev" and "novaordis-prod", so the service account that is associated with the Jenkins pod ("jenkins") must have "edit" permission in those projects:

 oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n novaordis-dev
 oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n novaordis-prod

More details on CI/CD security considerations: {{Internal|OpenShift CI/CD Concepts#Security_Considerations|Jenkins Security Considerations}}

=Share Jenkins=

It is probably a good idea to leave Jenkins auto-provisioning enabled in [[Master-config.yml#autoProvisionEnabled|master-config.yml]], for all projects that are not configured to share a Jenkins instance and need CI/CD services. For those projects that should use the shared Jenkins instances, <font color=red>TODO</font>.

=Deploy Auxiliary Tools=

All auxiliary tools (Gogs, Nexus, Sonarqube) and a pipeline definition will be deployed by running the following template: https://github.com/NovaOrdis/playground/blob/master/openshift/auxiliary-tools/novaordis-cicd.yaml. The template is based on https://github.com/OpenShiftDemos/openshift-cd-demo/blob/ocp-3.6/cicd-template-with-sonar.yaml.

 oc process -f ./novaordis-cicd.yaml \
   -p GOGS_PASSWORD=<''gogs-password''> \
   -p DEV_PROJECT=<''dev-project-name''> \
   -p STAGE_PROJECT=<''stage-project-name''> \

All auxiliary tools will run using the "default" service account, and the template contains configuration instructions to elevate its privileges to "edit". For more details on CI/CD security considerations see [[OpenShift_CI/CD_Concepts#Security_Considerations|CI/CD Security Considerations]].

A script that reverts the entire installation is https://github.com/NovaOrdis/playground/blob/master/openshift/auxiliary-tools/clean-cicd.sh

Validation:
* Gogs PostgreSQL must be on-line and the liveness and readiness probes must pass.
* Gogs must be available at https://gogs-cicd.apps.openshift.novaordis.io/.
* "openshift-tasks" must be cloned in Gogs.
* Nexus must be available at https://nexus-cicd.apps.openshift.novaordis.io
* Sonarqube must be available at https://sonarqube-cicd.apps.openshift.novaordis.io

Individual components installation notes:
* [[OpenShift Gogs#Installation|OpenShift Gogs Installation]]
* [[OpenShift_Nexus#Installation|OpenShift Nexus Installation]]
* [[OpenShift_SonarQube#Operations|OpenShift SonarQube Installation]]

At the end, run it end to end and change all passwords - do not check them into GitHub.
Latest revision as of 06:58, 19 October 2018

External

* https://github.com/OpenShiftDemos/openshift-cd-demo/tree/ocp-3.6

Internal

Overview

This article describes the procedure to install a CI/CD pipeline based on a persistent Jenkins instance and auxiliary tools (Nexus, Gogs, SonarQube). The procedure was derived from the "CI/CD Demo - OpenShift Container Platform 3.6" https://github.com/OpenShiftDemos/openshift-cd-demo. The Jenkins instance will be a shared instance, deployed within its own dedicated "cicd" project to serve any other project that may need CI/CD services.

Pre-Requisites

cicd Project

Create the "cicd" project to host the Jenkins instance and auxiliaries.

oc new-project cicd \
  --display-name="CI/CD" \
  --description="Shared CI/CD tools to provide release pipeline services for other projects"

Persistent Volumes

Provision six 1Gi persistent volumes to be used by Jenkins, Nexus, Gogs data, Gogs PostgreSQL, Sonar and Sonar PostgreSQL, and a smaller one (512Mi) for Gogs config.

Persistent Volume Operations

Development and Production Projects

oc new-project novaordis-dev --display-name="CI/CD Demo Development Project"
oc new-project novaordis-prod --display-name="CI/CD Demo Production Project"

Deploy Jenkins

oc new-app jenkins-persistent \
  -p MEMORY_LIMIT=6Gi \
  -p ENABLE_OAUTH=true \
  -p JVM_ARCH=x86_64 \
  -p CONTAINER_HEAP_PERCENT="0.75" \
  -p JAVA_GC_OPTS="-XX:+UseParallelGC -XX:MinHeapFreeRatio=20 -XX:MaxHeapFreeRatio=40 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:MaxMetaspaceSize=384m" \
  -e INSTALL_PLUGINS=analysis-core:1.92,findbugs:4.71,pmd:3.49,checkstyle:3.49,dependency-check-jenkins-plugin:2.1.1,htmlpublisher:1.14,jacoco:2.2.1,analysis-collector:1.52 \
  -n cicd

For Java heap sizing considerations, see Jenkins Heap Sizing.

For more details about the template, run:

oc get -o yaml template jenkins-persistent -n openshift

The template will create a "system:serviceaccount:cicd:jenkins" service account and will assign it sufficient privileges. The template will also enable OAuth with the Jenkins instance.

The initialization process' logs can be viewed with:

oc logs -f jenkins-1-...

Once Jenkins is fully on-line, it can be logged into via the newly deployed route, using an OpenShift user (OAuth is enabled).

Access Permissions

Jenkins will perform CI/CD services for "novaordis-dev" and "novaordis-prod", so the service account that is associated with the Jenkins pod ("jenkins") must have "edit" permission in those projects:

oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n novaordis-dev
oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n novaordis-prod

More details on CI/CD security considerations:

Jenkins Security Considerations
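The two grants above, plus whatever the jenkins-persistent template gives the account in "cicd", are all the shared Jenkins identity should hold. The script below is an added example, not code from this page or from the openshift-cd-demo project: it audits the object list returned by `oc get rolebindings --all-namespaces -o json` and reports any binding for system:serviceaccount:cicd:jenkins that is broader than "edit" in the two serviced projects (an "admin" or "cluster-admin" grant anywhere, or an "edit" grant in a project Jenkins is not meant to service). The serviced project names and the service account come from the page; the binding objects and their names are constructed for the example.

```python
"""Least-privilege audit of the RoleBindings held by the Jenkins service account.

Added example (not from the wiki page or the openshift-cd-demo project). Reads the
JSON that `oc get rolebindings --all-namespaces -o json` produces and flags any
grant to system:serviceaccount:cicd:jenkins that exceeds "edit" in the serviced
projects. The sample bindings below are constructed.
"""
import json
import sys

# Projects the shared Jenkins instance is allowed to service (from the page).
SERVICED_PROJECTS = {"novaordis-dev", "novaordis-prod"}
# The CI identity created by the jenkins-persistent template: SA "jenkins" in project "cicd".
JENKINS_SA = {"kind": "ServiceAccount", "name": "jenkins", "namespace": "cicd"}
# Roles a pipeline identity may legitimately hold in a project it services.
ALLOWED_ROLES = {"edit"}
# Roles that grant far more than a pipeline needs; flagged wherever they appear.
HIGH_RISK_ROLES = {"admin", "cluster-admin"}


def is_subject(subject, sa):
    """True if a binding subject names the given service account."""
    return (subject.get("kind") == sa["kind"]
            and subject.get("name") == sa["name"]
            and subject.get("namespace") == sa["namespace"])


def audit_bindings(items, sa=JENKINS_SA, allowed_projects=SERVICED_PROJECTS):
    """Return (binding, namespace, role, reason) for every questionable grant to `sa`.

    `items` is the "items" list of RoleBinding/ClusterRoleBinding objects. A
    ClusterRoleBinding has no metadata.namespace and is reported with namespace "".
    """
    findings = []
    for rb in items:
        if not any(is_subject(s, sa) for s in rb.get("subjects") or []):
            continue  # binding is for another identity (e.g. the "default" SA)
        name = rb["metadata"]["name"]
        ns = rb["metadata"].get("namespace", "")
        role = rb["roleRef"]["name"]
        if role in HIGH_RISK_ROLES:
            findings.append((name, ns, role, "high-risk role granted to the CI service account"))
        elif ns not in allowed_projects and ns != sa["namespace"]:
            findings.append((name, ns, role, "grant outside the projects Jenkins services"))
        elif role not in ALLOWED_ROLES:
            findings.append((name, ns, role, "role differs from the expected 'edit'"))
    return findings


def audit_json(text, **kw):
    """Audit the raw text of `oc get rolebindings --all-namespaces -o json`."""
    return audit_bindings(json.loads(text)["items"], **kw)


def _binding(name, namespace, role, subject):
    """Constructed RoleBinding (or ClusterRoleBinding when namespace is empty)."""
    rb = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
          "metadata": {"name": name},
          "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role},
          "subjects": [subject]}
    if namespace:
        rb["metadata"]["namespace"] = namespace
    else:
        rb["kind"] = "ClusterRoleBinding"
    return rb


_JENKINS = dict(JENKINS_SA)
_DEFAULT = {"kind": "ServiceAccount", "name": "default", "namespace": "cicd"}

# Constructed sample: the two grants the page makes, the auxiliary tools' "default" SA
# grant (not audited here), and three grants that should be questioned.
SAMPLE_ITEMS = [
    _binding("jenkins-edit", "novaordis-dev", "edit", _JENKINS),
    _binding("jenkins-edit", "novaordis-prod", "edit", _JENKINS),
    _binding("default-edit", "cicd", "edit", _DEFAULT),
    _binding("jenkins-admin", "cicd", "admin", _JENKINS),        # the "do we really need admin?" case
    _binding("jenkins-edit", "billing", "edit", _JENKINS),       # a project Jenkins should not touch
    _binding("jenkins-cluster-admin", "", "cluster-admin", _JENKINS),
]
SAMPLE_JSON = json.dumps({"items": SAMPLE_ITEMS})

if __name__ == "__main__":
    # Pipe live output in, or run with no input to audit the constructed sample.
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else SAMPLE_ITEMS
    for name, ns, role, reason in audit_bindings(items):
        print(f"{ns or '<cluster>'}/{name}: role={role}: {reason}")
```

Against the sample it reports the "admin" grant in cicd, the "edit" grant in billing and the cluster-admin binding, and stays silent about the two grants the page makes. Against a live cluster, `oc get rolebindings --all-namespaces -o json | python3 audit_jenkins_sa.py` gives the same report for the real bindings.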

Share Jenkins

It is probably a good idea to leave Jenkins auto-provisioning enabled in master-config.yml, for all projects that are not configured to share a Jenkins instance and need CI/CD services. For those projects that should use the shared Jenkins instances, TODO.

Deploy Auxiliary Tools

All auxiliary tools (Gogs, Nexus, Sonarqube) and a pipeline definition will be deployed by running the following template https://github.com/NovaOrdis/playground/blob/master/openshift/auxiliary-tools/novaordis-cicd.yaml. The template is based on https://github.com/OpenShiftDemos/openshift-cd-demo/blob/ocp-3.6/cicd-template-with-sonar.yaml.

oc process -f ./novaordis-cicd.yaml \
  -p GOGS_PASSWORD=<gogs-password> \
  -p DEV_PROJECT=<dev-project-name> \
  -p STAGE_PROJECT=<stage-project-name> \

All auxiliary tools will run using the "default" service account, and the template contains configuration instructions to elevate its privileges to "edit". For more details on CI/CD security considerations see CI/CD Security Considerations.

A script that reverts the entire installation is https://github.com/NovaOrdis/playground/blob/master/openshift/auxiliary-tools/clean-cicd.sh

Validation:

* Gogs PostgreSQL must be on-line and the liveness and readiness probes must pass.
* Gogs must be available at https://gogs-cicd.apps.openshift.novaordis.io/.
* "openshift-tasks" must be cloned in Gogs.
* Nexus must be available at https://nexus-cicd.apps.openshift.novaordis.io
* Sonarqube must be available at https://sonarqube-cicd.apps.openshift.novaordis.io

Individual components installation notes:

* OpenShift Gogs Installation
* OpenShift Nexus Installation
* OpenShift SonarQube Installation
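The parts of the validation list that can be read off the API objects, written as an added example (not code from this page or from the openshift-cd-demo project) against the JSON that `oc get routes -n cicd -o json` and `oc get pods -n cicd -o json` return: each expected route exists on its documented host, terminates TLS at the edge and does not serve plain HTTP, and every pod reports all of its containers ready, which is what passing readiness probes means. The route names gogs, nexus and sonarqube are assumed from the documented host names; the sample route and pod objects are constructed.

```python
"""Post-install validation of the auxiliary tools' routes and pods.

Added example, not from the wiki page or the openshift-cd-demo project. Works on
the object lists from `oc get routes -n cicd -o json` and `oc get pods -n cicd -o json`;
the sample objects below are constructed.
"""
import json

# Hosts the page says the tools must answer on, keyed by route name. The route names
# are an assumption derived from the <route>-<project>.<domain> host pattern.
EXPECTED_ROUTES = {
    "gogs": "gogs-cicd.apps.openshift.novaordis.io",
    "nexus": "nexus-cicd.apps.openshift.novaordis.io",
    "sonarqube": "sonarqube-cicd.apps.openshift.novaordis.io",
}
# insecureEdgeTerminationPolicy values under which no application traffic flows over plain HTTP.
SAFE_INSECURE_POLICIES = {"None", "Redirect"}


def load_items(text):
    """The "items" list from `oc get <kind> -o json` output."""
    return json.loads(text)["items"]


def check_route(route, expected_host=None):
    """Problems with one Route object; an empty list means it passes."""
    name = route["metadata"]["name"]
    spec = route.get("spec") or {}
    problems = []
    if expected_host and spec.get("host") != expected_host:
        problems.append(f"{name}: host is {spec.get('host')!r}, expected {expected_host!r}")
    tls = spec.get("tls")
    if not tls:
        problems.append(f"{name}: no TLS configuration, route serves plain HTTP")
        return problems
    if tls.get("termination") != "edge":
        problems.append(f"{name}: termination is {tls.get('termination')!r}, expected 'edge'")
    policy = tls.get("insecureEdgeTerminationPolicy") or "None"
    if policy not in SAFE_INSECURE_POLICIES:
        problems.append(f"{name}: insecureEdgeTerminationPolicy {policy!r} still serves plain HTTP")
    return problems


def check_routes(items, expected=EXPECTED_ROUTES):
    """Check every expected route; returns {route_name: [problems]} for failing routes only."""
    by_name = {r["metadata"]["name"]: r for r in items}
    failing = {}
    for name, host in expected.items():
        if name not in by_name:
            failing[name] = [f"{name}: route not found"]
        else:
            problems = check_route(by_name[name], host)
            if problems:
                failing[name] = problems
    return failing


def unready_pods(items):
    """Names of pods in which some container has not passed its readiness probe."""
    names = []
    for pod in items:
        statuses = (pod.get("status") or {}).get("containerStatuses") or []
        if not statuses or not all(cs.get("ready") for cs in statuses):
            names.append(pod["metadata"]["name"])
    return names


def _route(name, host, tls):
    """Constructed Route object in the shape `oc get routes -o json` returns."""
    return {"kind": "Route", "metadata": {"name": name, "namespace": "cicd"},
            "spec": {"host": host, "to": {"kind": "Service", "name": name}, "tls": tls}}


# Constructed sample: gogs is correct, nexus still answers plain HTTP, sonarqube has no TLS.
SAMPLE_ROUTES = [
    _route("gogs", EXPECTED_ROUTES["gogs"],
           {"termination": "edge", "insecureEdgeTerminationPolicy": "Redirect"}),
    _route("nexus", EXPECTED_ROUTES["nexus"],
           {"termination": "edge", "insecureEdgeTerminationPolicy": "Allow"}),
    _route("sonarqube", EXPECTED_ROUTES["sonarqube"], None),
]
# Constructed sample pods: the Gogs database is ready, SonarQube is still starting.
SAMPLE_PODS = [
    {"metadata": {"name": "gogs-postgresql-1-abcde"},
     "status": {"containerStatuses": [{"name": "postgresql", "ready": True}]}},
    {"metadata": {"name": "sonarqube-1-fghij"},
     "status": {"containerStatuses": [{"name": "sonarqube", "ready": False}]}},
]

if __name__ == "__main__":
    for problems in check_routes(SAMPLE_ROUTES).values():
        for p in problems:
            print("ROUTE:", p)
    for name in unready_pods(SAMPLE_PODS):
        print("POD not ready:", name)
```

The host check matters as much as the TLS check: a route that exists but has drifted to another host is exactly what the manual "must be available at" steps would miss if they are done by following a bookmark.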

At the end, run it end to end and change all passwords - do not check them into GitHub.
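The `-p GOGS_PASSWORD=<gogs-password>` parameter above ends up in shell history and, once the command is saved as a script, in the repository. The following script is an added example, not code from this page or from the openshift-cd-demo project: it generates the password from the OS CSPRNG, writes it to a mode-0600 parameter file for `oc process --param-file=<file>`, and scans script text for secret template parameters whose placeholder has been replaced by a real value, a check that can run before every commit. The parameter file name, the sample script text and the placeholder patterns are constructed for the example.

```python
"""Keep the template passwords out of the command line and out of git.

Added example, not from the wiki page or the openshift-cd-demo project. Generates
GOGS_PASSWORD, stores it in a 0600 parameter file for `oc process --param-file`,
and flags scripts in which a placeholder was replaced by a real value.
"""
import os
import re
import secrets
import stat
import tempfile

# Template parameters that carry credentials and must never be committed with a real value.
SECRET_PARAMS = ("GOGS_PASSWORD",)
# Values that are clearly placeholders, not secrets: <gogs-password>, $VAR, ${VAR}, or empty.
_PLACEHOLDER = re.compile(r"^(<[^>]*>|\$\{?\w+\}?|)$")


def generate_password(nbytes=24):
    """URL-safe random password from the OS CSPRNG; 24 bytes gives 32 characters."""
    return secrets.token_urlsafe(nbytes)


def write_param_file(path, params):
    """Write KEY=VALUE lines for `oc process --param-file`, created with mode 0600.

    The file is opened with the restrictive mode from the start, so there is no
    window in which other users can read it. Returns the resulting mode bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for key, value in params.items():
            f.write(f"{key}={value}\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def leaked_params(text, names=SECRET_PARAMS):
    """Names of secret parameters that appear in `text` with a non-placeholder value."""
    leaked = []
    for name in names:
        for m in re.finditer(rf"\b{re.escape(name)}=(\S*)", text):
            # Drop a trailing line-continuation backslash and surrounding shell quotes.
            value = m.group(1).rstrip("\\").strip("\"'")
            if not _PLACEHOLDER.match(value):
                leaked.append(name)
                break
    return leaked


def prepare_param_file(directory=None, dev_project="novaordis-dev", stage_project="novaordis-prod"):
    """Create the parameter file with a fresh password; returns (path, mode bits)."""
    directory = directory or tempfile.mkdtemp(prefix="cicd-params-")
    path = os.path.join(directory, "novaordis-cicd.env")  # hypothetical file name
    mode = write_param_file(path, {
        "GOGS_PASSWORD": generate_password(),
        "DEV_PROJECT": dev_project,
        "STAGE_PROJECT": stage_project,
    })
    return path, mode


# Constructed samples: the page's placeholder form, and the same script with a value filled in.
SAFE_SCRIPT = """oc process -f ./novaordis-cicd.yaml \\
  -p GOGS_PASSWORD=<gogs-password> \\
  -p DEV_PROJECT=<dev-project-name> \\
  -p STAGE_PROJECT=<stage-project-name>
"""
LEAKY_SCRIPT = SAFE_SCRIPT.replace("<gogs-password>", "s3cr3t-demo-value")

if __name__ == "__main__":
    path, mode = prepare_param_file()
    print(f"wrote {path} (mode {mode:o}); keep it outside the repository and run:")
    print(f"  oc process -f ./novaordis-cicd.yaml --param-file={path} | oc create -n cicd -f -")
    for label, script in (("placeholder script", SAFE_SCRIPT), ("filled-in script", LEAKY_SCRIPT)):
        print(f"{label}: leaked {leaked_params(script) or 'nothing'}")
```

A script that reads the value from the environment (`-p GOGS_PASSWORD="$GOGS_PASSWORD"`) passes the check, as does the page's angle-bracket placeholder; only a literal value is reported.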