CI/CD Infrastructure Setup: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
Line 60: Line 60:
  oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n novaordis-prod
  oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n novaordis-prod


{{Internal|OpenShift CI/CD Concepts#Security_Considerations|Jenkins Security Considerations}}
More details on CI/CD security considerations: {{Internal|OpenShift CI/CD Concepts#Security_Considerations|Jenkins Security Considerations}}


=Deploy Auxiliary Tools=
=Deploy Auxiliary Tools=

Revision as of 04:24, 6 December 2017

External

Internal

Overview

This article describes the procedure to install a CI/CD pipeline based on a persistent Jenkins instance and auxiliary tools (Nexus, Gogs, SonarQube). The procedure was derived from the "CI/CD Demo - OpenShift Container Platform 3.6" https://github.com/OpenShiftDemos/openshift-cd-demo. The Jenkins instance will be a shared instance, deployed within its own dedicated "cicd" project to server any other project that may need CI/CD services.

Pre-Requisites

cicd Project

Create the "cicd" project to host the Jenkins instance and auxiliaries.

oc new-project cicd \
  --display-name="CI/CD" \
  --description="Shared CI/CD tools to provide release pipeline services for other projects"

Persistent Volumes

Provision six 1Gi persistent volumes to be used by Jenkins, Nexus, Gogs data, Gogs Postgres, Sonar and Sonar Postrgres, and a smaller one (512Mi) for Gogs config.

Persistent Volume Operations

Development and Production Projects

oc new-project novaordis-dev --display-name="CI/CD Demo Development Project"
oc new-project novaordis-prod --display-name="CI/CD Demo Production Project"

Deploy Jenkins

oc new-app jenkins-persistent \
  -p MEMORY_LIMIT=1Gi \
  -p ENABLE_OAUTH=true \
  -p JVM_ARCH=x86_64 \
  -e INSTALL_PLUGINS=analysis-core:1.92,findbugs:4.71,pmd:3.49,checkstyle:3.49,dependency-check-jenkins-plugin:2.1.1,htmlpublisher:1.14,jacoco:2.2.1,analysis-collector:1.52 \
  -n cicd

For more details about template, you could run:

oc get -o yaml template jenkins-persistent -n openshift

The template will create a "system:serviceaccount:CICD:jenkins" service account and will assign it sufficient privileges. The template will also enable OAuth with the Jenkins instance.

The initialization process' logs can be viewed with:

oc logs -f jenkins-1-...

Once Jenkins is fully on-line, it can be logged into via the newly deployed route, using an OpenShift user (OAuth is enabled).

Access Permissions

Jenkins will perform CI/CD services for "novaordis-dev" and "novaordis-prod", so the service account that is associated with the Jenkins pod ("jenkins") must have "edit" permission in those projects:

oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n novaordis-dev
oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n novaordis-prod

More details on CI/CD security considerations:

Jenkins Security Considerations

Deploy Auxiliary Tools

All auxiliary tools (Gogs, Nexus, Sonarqube) and a pipeline definition will be deployed by running the following template https://github.com/NovaOrdis/playground/blob/master/openshift/auxiliary-tools/novaordis-cicd.yaml. The template is based on https://github.com/OpenShiftDemos/openshift-cd-demo/blob/ocp-3.6/cicd-template-with-sonar.yaml.

oc process -f ./novaordis-cicd.yaml \
  -p GOGS_PASSWORD=<gogs-password> \
  -p DEV_PROJECT=<dev-project-name> \
  -p STAGE_PROJECT=<stage-project-name> \

All auxiliary tools will run using the "default" service account, and the template contains configuration instructions to elevate its privileges to "edit". For more details on CI/CD security considerations see CI/CD Security Considerations.

A script that reverts the entire installation is https://github.com/NovaOrdis/playground/blob/master/openshift/auxiliary-tools/clean-cicd.sh

Validation:

Individual components installation notes:

At the end, run it end to end and change all passwords - do not check them in in GitHub.