CI/CD Infrastructure Setup: Difference between revisions
Line 71: | Line 71: | ||
* [[OpenShift Gogs#Installation|OpenShift Gogs Installation]]. | * [[OpenShift Gogs#Installation|OpenShift Gogs Installation]]. | ||
* [[OpenShift_Nexus#Installation|OpenShift Nexus Installation]] | * [[OpenShift_Nexus#Installation|OpenShift Nexus Installation]] | ||
* [[OpenShift_SonarQube#Operations|OpenShift SonarQube Installation]] | |||
At the end, run it end to end and change all passwords - do not check them in in GitHub. | At the end, run it end to end and change all passwords - do not check them in in GitHub. |
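Review bot: the added SonarQube entry points at the "#Operations" anchor but is labelled "OpenShift SonarQube Installation", while the Gogs and Nexus entries both link to "#Installation". Either point the link at the SonarQube installation section or change the label to match the target. The Gogs entry ends with a period and the two others do not, and the context line "do not check them in in GitHub" has a doubled "in"; both are worth tidying in the same revision.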
Revision as of 02:36, 6 December 2017
External
Internal
Overview
This article describes the procedure to install a CI/CD pipeline based on a persistent Jenkins instance and auxiliary tools (Nexus, Gogs, SonarQube). The procedure was derived from the "CI/CD Demo - OpenShift Container Platform 3.6" https://github.com/OpenShiftDemos/openshift-cd-demo. The Jenkins instance will be a shared instance, deployed within its own dedicated "cicd" project to serve any other project that may need CI/CD services.
Pre-Requisites
cicd Project
Create the "cicd" project to host the Jenkins instance and auxiliaries.
oc new-project cicd \
  --display-name="CI/CD" \
  --description="Shared CI/CD tools to provide release pipeline services for other projects"
Persistent Volumes
Provision six 1Gi persistent volumes to be used by Jenkins, Nexus, Gogs data, Gogs Postgres, Sonar and Sonar Postgres, and a smaller one (512Mi) for Gogs config.
Deploy Jenkins
oc new-app jenkins-persistent \
  -p MEMORY_LIMIT=1Gi \
  -p ENABLE_OAUTH=true \
  -p JVM_ARCH=x86_64 \
  -e INSTALL_PLUGINS=analysis-core:1.92,findbugs:4.71,pmd:3.49,checkstyle:3.49,dependency-check-jenkins-plugin:2.1.1,htmlpublisher:1.14,jacoco:2.2.1,analysis-collector:1.52 \
  -n cicd
For more details about the template, run:
oc get -o yaml template jenkins-persistent -n openshift
The template will create a "system:serviceaccount:CICD:jenkins" service account and will assign it sufficient privileges. The template will also enable OAuth with the Jenkins instance.
The initialization process' logs can be viewed with:
oc logs -f jenkins-1-...
Once Jenkins is fully on-line, it can be logged into via the newly deployed route, using an OpenShift user (OAuth is enabled).
Deploy Auxiliary Tools
All auxiliary tools (Gogs, Nexus, SonarQube) and a pipeline definition will be deployed by running the following template https://github.com/NovaOrdis/playground/blob/master/openshift/auxiliary-tools/novaordis-cicd.yaml. The template is based on https://github.com/OpenShiftDemos/openshift-cd-demo/blob/ocp-3.6/cicd-template-with-sonar.yaml.
oc process -f ./novaordis-cicd.yaml \
  -p GOGS_PASSWORD=<gogs-password> \
  -p DEV_PROJECT=<dev-project-name> \
  -p STAGE_PROJECT=<stage-project-name> \
All auxiliary tools will run using the "default" service account, and the template contains configuration instructions to elevate its privileges to "edit". For more details on CI/CD security considerations see CI/CD Security Considerations.
A script that reverts the entire installation is https://github.com/NovaOrdis/playground/blob/master/openshift/auxiliary-tools/clean-cicd.sh
Validation:
- Gogs Postgres must be on-line and the liveness and readiness probes must pass.
- Gogs must be available at https://gogs-cicd.apps.openshift.novaordis.io/.
- "openshift-tasks" must be cloned in Gogs.
- Nexus must be available at https://nexus-cicd.apps.openshift.novaordis.io
- SonarQube must be available at https://sonarqube-cicd.apps.openshift.novaordis.io
Individual components installation notes:
At the end, run it end to end and change all passwords. Do not check them into GitHub.
REFACTOR BELOW, follow https://github.com/OpenShiftDemos/openshift-cd-demo
Create Projects
Create the following projects:
1. A project for the CI/CD components, named "CICD":
oc new-project CICD --display-name="CI/CD pipeline with Jenkins"
2. A project to host development-stage containers and processes, named "dev":
oc new-project dev --display-name="Test Development Project"
3. A project to host publicly-accessible applications produced by the CI/CD pipeline, named "stage":
oc new-project stage --display-name="Test Stage Project"
Grant Required Permissions
Jenkins components need to access the OpenShift API, so the service account that will run the Jenkins pod ("system:serviceaccount:CICD:jenkins") must be given appropriate permissions for the projects it must service:
Do we really need to grant "admin" to "jenkins"?
oc policy add-role-to-user admin system:serviceaccount:CICD:jenkins
oc policy add-role-to-user edit system:serviceaccount:CICD:jenkins -n dev
oc policy add-role-to-user edit system:serviceaccount:CICD:jenkins -n stage
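One way to check the grants above, and the "edit" role given to the "default" service account by the auxiliary tools template, against a least-privilege policy. This is an added example, not part of the original procedure or of the openshift-cd-demo project. The policy table (EXPECTED), the role ranking and the sample bindings are assumptions constructed for illustration; the audit reads only the roleRef.name, subjects and metadata.namespace fields of each RoleBinding.

```python
import json
import sys

# Assumed policy (not from the page): highest role each account should hold.
RANK = {"view": 1, "edit": 2, "admin": 3, "cluster-admin": 4}
EXPECTED = {
    "system:serviceaccount:CICD:jenkins": "edit",
    "system:serviceaccount:cicd:default": "edit",
}


def sa_subjects(binding):
    """Yield system:serviceaccount:<ns>:<name> for each ServiceAccount subject."""
    for s in binding.get("subjects") or []:
        if s.get("kind") == "ServiceAccount":
            ns = s.get("namespace") or binding["metadata"]["namespace"]
            yield f"system:serviceaccount:{ns}:{s['name']}"


def excess_grants(bindings, expected=EXPECTED):
    """Return (project, account, role, allowed) for every grant above policy."""
    findings = []
    for b in bindings.get("items", []):
        role = b["roleRef"]["name"]
        for account in sa_subjects(b):
            allowed = expected.get(account)
            # Roles missing from RANK (custom roles) rank highest: always review.
            if allowed and RANK.get(role, 99) > RANK[allowed]:
                findings.append((b["metadata"]["namespace"], account, role, allowed))
    return findings


def _rb(project, role, sa_ns, sa_name):
    """Build one constructed RoleBinding with the fields the audit reads."""
    return {"metadata": {"namespace": project}, "roleRef": {"name": role},
            "subjects": [{"kind": "ServiceAccount", "namespace": sa_ns, "name": sa_name}]}


# Constructed sample mirroring the grants on this page, in the shape of
# `oc get rolebindings --all-namespaces -o json`.
SAMPLE = {"items": [_rb("CICD", "admin", "CICD", "jenkins"),
                    _rb("dev", "edit", "CICD", "jenkins"),
                    _rb("stage", "edit", "CICD", "jenkins"),
                    _rb("cicd", "edit", "cicd", "default")]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for project, account, role, allowed in excess_grants(data):
        print(f"{project}: {account} holds '{role}', policy allows '{allowed}'")
```

Pipe the output of `oc get rolebindings --all-namespaces -o json` into the script to audit a live cluster; run without input, it reports on the constructed sample.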
More details about Jenkins security considerations:
Post-Install Adjustments
Adjust Readiness Probe Timeout
oc set probe dc jenkins --readiness --initial-delay-seconds=500
Adjust Memory
oc project CICD
oc set resources dc/jenkins --limits=memory=1Gi
Verification
- Jenkins should start and be available at https://jenkins-cicd.apps.openshift.novaordis.io/
- Gogs should start and be available at https://gogs-cicd.apps.openshift.novaordis.io/
- Nexus should start and be available at https://nexus-cicd.apps.openshift.novaordis.io/