CI/CD Infrastructure Setup
Latest revision as of 06:58, 19 October 2018
External
- https://github.com/OpenShiftDemos/openshift-cd-demo/tree/ocp-3.6
Internal
Overview
This article describes the procedure to install a CI/CD pipeline based on a persistent Jenkins instance and auxiliary tools (Nexus, Gogs, SonarQube). The procedure was derived from the "CI/CD Demo - OpenShift Container Platform 3.6" https://github.com/OpenShiftDemos/openshift-cd-demo. The Jenkins instance will be a shared instance, deployed within its own dedicated "cicd" project to serve any other project that may need CI/CD services.
Pre-Requisites
cicd Project
Create the "cicd" project to host the Jenkins instance and auxiliaries.
    oc new-project cicd \
        --display-name="CI/CD" \
        --description="Shared CI/CD tools to provide release pipeline services for other projects"
Persistent Volumes
Provision six 1Gi persistent volumes to be used by Jenkins, Nexus, Gogs data, Gogs PostgreSQL, Sonar and Sonar Postgres, and a smaller one (512Mi) for the Gogs configuration. For the provisioning procedure, see OpenShift PersistentVolume Operations (Create a NFS Persistent Volume).
Development and Production Projects
    oc new-project novaordis-dev --display-name="CI/CD Demo Development Project"
    oc new-project novaordis-prod --display-name="CI/CD Demo Production Project"
Deploy Jenkins
    oc new-app jenkins-persistent \
        -p MEMORY_LIMIT=6Gi \
        -p ENABLE_OAUTH=true \
        -p JVM_ARCH=x86_64 \
        -p CONTAINER_HEAP_PERCENT="0.75" \
        -p JAVA_GC_OPTS="-XX:+UseParallelGC -XX:MinHeapFreeRatio=20 -XX:MaxHeapFreeRatio=40 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:MaxMetaspaceSize=384m" \
        -e INSTALL_PLUGINS=analysis-core:1.92,findbugs:4.71,pmd:3.49,checkstyle:3.49,dependency-check-jenkins-plugin:2.1.1,htmlpublisher:1.14,jacoco:2.2.1,analysis-collector:1.52 \
        -n cicd

Note the line continuation after JAVA_GC_OPTS: without it, the shell would treat the INSTALL_PLUGINS line as a separate command and the plugins would not be installed.
For Java heap sizing considerations, see Jenkins Heap Sizing.
For more details about the template, run:
    oc get -o yaml template jenkins-persistent -n openshift
The template will create a "system:serviceaccount:cicd:jenkins" service account and will assign it sufficient privileges. The template will also enable OAuth with the Jenkins instance.
The initialization process' logs can be viewed with:
    oc logs -f jenkins-1-...
Once Jenkins is fully on-line, it can be logged into via the newly deployed route, using an OpenShift user (OAuth is enabled).
Access Permissions
Jenkins will perform CI/CD services for "novaordis-dev" and "novaordis-prod", so the service account that is associated with the Jenkins pod ("jenkins") must have "edit" permission in those projects:
    oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n novaordis-dev
    oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n novaordis-prod
More details on CI/CD security considerations: Jenkins Security Considerations (OpenShift CI/CD Concepts, "Security Considerations").
Share Jenkins
It is probably a good idea to leave Jenkins auto-provisioning enabled in master-config.yml (autoProvisionEnabled) for all projects that are not configured to share a Jenkins instance and need CI/CD services. For those projects that should use the shared Jenkins instance, TODO.
Deploy Auxiliary Tools
All auxiliary tools (Gogs, Nexus, Sonarqube) and a pipeline definition will be deployed by running the following template https://github.com/NovaOrdis/playground/blob/master/openshift/auxiliary-tools/novaordis-cicd.yaml. The template is based on https://github.com/OpenShiftDemos/openshift-cd-demo/blob/ocp-3.6/cicd-template-with-sonar.yaml.
    oc process -f ./novaordis-cicd.yaml \
        -p GOGS_PASSWORD=<gogs-password> \
        -p DEV_PROJECT=<dev-project-name> \
        -p STAGE_PROJECT=<stage-project-name> \
All auxiliary tools will run using the "default" service account, and the template contains configuration instructions to elevate its privileges to "edit". For more details on CI/CD security considerations see CI/CD Security Considerations.
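One defender's check for the two grants this procedure makes (the cross-project "edit" given to the Jenkins service account in the Access Permissions section, and the elevation of the "default" service account by the auxiliary-tools template), as an added example that is not from this page or the openshift-cd-demo project: it audits the JSON printed by `oc get rolebindings -n <project> -o json` and reports the bindings a reviewer should look at. The sample RoleBinding list and its binding names are constructed.

```python
# Added example, not from the wiki page or the openshift-cd-demo project.
# Audits a project's RoleBindings (the JSON from `oc get rolebindings -n <project> -o json`)
# for privileged roles held by service accounts of another project, or by the project's
# own "default" service account (which every pod without an explicit SA runs as).
import json

PRIVILEGED_ROLES = {"edit", "admin", "cluster-admin"}


def audit_rolebindings(rb_list, project):
    """Return one finding dict per privileged ServiceAccount subject worth reviewing."""
    findings = []
    for rb in rb_list.get("items", []):
        role = rb.get("roleRef", {}).get("name")
        if role not in PRIVILEGED_ROLES:
            continue  # system:deployer, system:image-puller etc. are expected grants
        for subj in rb.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount":
                continue
            sa_ns = subj.get("namespace", project)
            subject = "system:serviceaccount:%s:%s" % (sa_ns, subj["name"])
            if sa_ns != project:
                reason = "service account from another project holds %s" % role
            elif subj["name"] == "default":
                reason = "default service account elevated to %s" % role
            else:
                continue  # a purpose-built SA of this project holding edit is normal
            findings.append({"project": project, "binding": rb["metadata"]["name"],
                             "subject": subject, "role": role, "reason": reason})
    return findings


# Constructed sample of what novaordis-prod could contain after the grants above.
SAMPLE_PROD = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "system:deployers"}, "roleRef": {"name": "system:deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "novaordis-prod"}]},
    {"metadata": {"name": "edit"}, "roleRef": {"name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "jenkins", "namespace": "cicd"}]},
    {"metadata": {"name": "default-edit"}, "roleRef": {"name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "novaordis-prod"}]},
]})


def audit_sample():
    return audit_rolebindings(json.loads(SAMPLE_PROD), "novaordis-prod")


if __name__ == "__main__":
    for f in audit_sample():
        print("%(project)s/%(binding)s: %(subject)s -> %(reason)s" % f)
```

Pipe real output in with `oc get rolebindings -n novaordis-prod -o json` and call audit_rolebindings on the parsed document; the jenkins finding is the intended grant, while a "default" finding in the production project deserves a second look.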
A script that reverts the entire installation is https://github.com/NovaOrdis/playground/blob/master/openshift/auxiliary-tools/clean-cicd.sh
Validation:
- Gogs Postgres must be on-line and the liveness and readiness probes must pass.
- Gogs must be available at https://gogs-cicd.apps.openshift.novaordis.io/.
- "openshift-tasks" must be cloned in Gogs.
- Nexus must be available at https://nexus-cicd.apps.openshift.novaordis.io
- Sonarqube must be available at https://sonarqube-cicd.apps.openshift.novaordis.io
Individual components installation notes:
- OpenShift Gogs Installation (OpenShift Gogs, "Installation")
- OpenShift Nexus Installation (OpenShift Nexus, "Installation")
- OpenShift SonarQube Installation (OpenShift SonarQube, "Operations")
At the end, run the pipeline end to end and change all passwords; do not check them in to GitHub.