External

• https://github.com/OpenShiftDemos/openshift-cd-demo

Internal

• OpenShift CI/CD Operations

Overview

This article describes the procedure to install a CI/CD pipeline based on a persistent Jenkins instance and auxiliary tools (Nexus, Gogs, SonarQube). The procedure was derived from the "CI/CD Demo - OpenShift Container Platform 3.6" https://github.com/OpenShiftDemos/openshift-cd-demo. The Jenkins instance will be a shared instance, deployed within its own dedicated "cicd" project to server any other project that may need CI/CD services.

Pre-Requisites

Create the "cicd" project to host the Jenkins instance and auxiliaries.

oc new-project cicd \
  --display-name="CI/CD" \
  --description="Shared CI/CD tools to provide release pipeline services for other projects"

Provision six 1Gi persistent volumes to be used by Jenkins, Nexus, Gogs data, Gogs Postgres, Sonar and Sonar Postrgres, and a smaller one (512Mi) for Gogs config.

Deploy Jenkins

oc new-app jenkins-persistent \
  -p MEMORY_LIMIT=1Gi \
  -p ENABLE_OAUTH=true \
  -p JVM_ARCH=x86_64 \
  -e INSTALL_PLUGINS=analysis-core:1.92,findbugs:4.71,pmd:3.49,checkstyle:3.49,dependency-check-jenkins-plugin:2.1.1,htmlpublisher:1.14,jacoco:2.2.1,analysis-collector:1.52 \
  -n cicd

For more details about template, you could run:

oc get -o yaml template jenkins-persistent -n openshift

The template will create a "jenkins" service account and will assign it sufficient privileges. The template will also enable OAuth with the Jenkins instance.

The initialization process' logs can be viewed with:

oc logs -f jenkins-1-...

Once Jenkins is fully on-line, it can be logged into via the newly deployed route, using an OpenShift user (OAuth is enabled).

Deploy Auxiliary Tools

All auxiliary tools (Gogs, Nexus, Sonarqube) and a pipeline definition will be deployed by running the following template https://github.com/NovaOrdis/playground/blob/master/openshift/auxiliary-tools/novaordis-cicd.yaml. The template is based on https://github.com/OpenShiftDemos/openshift-cd-demo/blob/ocp-3.6/cicd-template-with-sonar.yaml.

oc process -f ./novaordis-cicd.yaml \
  -p GOGS_PASSWORD=<gogs-password> \
  -p DEV_PROJECT=<dev-project-name> \
  -p STAGE_PROJECT=<stage-project-name> \

All auxiliary tools will run using the "default" service account, and the template contains configuration instructions to elevate its privileges to "edit". For more details on CI/CD security considerations see CI/CD Security Considerations.

A script that reverts the entire installation is https://github.com/NovaOrdis/playground/blob/master/openshift/auxiliary-tools/clean-cicd.sh

Validation:

• Gogs Porstgres must be on-line and the liveness and readiness probes must pass.
• Gogs must be available at https://gogs-cicd.apps.openshift.novaordis.io/.
• "openshift-tasks" must be cloned in Gogs.
• Nexus must be available at https://nexus-cicd.apps.openshift.novaordis.io

Individual components installation notes:

• OpenShift Gogs Installation.
• OpenShift Nexus Installation

At the end, run it end to end and change all passwords - do not check them in in GitHub.

REFACTOR BELOW, follow https://github.com/OpenShiftDemos/openshift-cd-demo

A special special service account ("system:serviceaccount:CICD:jenkins") will be created for Jenkins.

Additional components (Gogs, Sonar, Nexus) will also be deployed.

Create Required Image Streams

Create an Image Stream

Create Projects

Create the following projects:

1. A project for the CI/CD components, named "CICD":

oc new-project CICD --display-name="CI/CD pipeline with Jenkins"

2. A project to host development-stage containers and processes, named "dev":

oc new-project dev --display-name="Test Development Project"

3. A project to host publicly-accessible application produced by the CI/CD pipeline, named "stage":

oc new-project stage --display-name="Test Stage Project"

Grant Required Permissions

Jenkins components need to access the OpenShift API, so the service account that will run the Jenkins pod ("system:serviceaccount:CICD:jenkins") must be given appropriate permissions for the projects it must service:

Do we really need "admin" to "jenkins"?

oc policy add-role-to-user admin system:serviceaccount:CICD:jenkins

oc policy add-role-to-user edit system:serviceaccount:CICD:jenkins -n dev
oc policy add-role-to-user edit system:serviceaccount:CICD:jenkins -n stage

More details about Jenkins security considerations:

Jenkins Security Considerations

Provision a Persistent Volume

The template requires a persistent volume, which must be provisioned before the installation.

Persistent Volume Operations

Create Jenkins Components

oc project CICD

oc process -f ./cicd-template.yaml --param DEV_PROJECT=dev --param STAGE_PROJECT=stage \
| oc create -f - 

A template example for OpenShift 3.5 is available at https://github.com/OpenShiftDemos/openshift-cd-demo/blob/ocp-3.5/cicd-template.yaml. A version is also available here:

OpenShift CICD Template Example

Post-Install Adjustments

Adjust Readiness Probe Timeout

 oc set probe dc jenkins --readiness --initial-delay-seconds=500

Adjust Memory

oc project CICD
oc set resources dc/jenkins --limits=memory=1Gi

Verification

• Jenkins should start and be available at https://jenkins-cicd.apps.openshift.novaordis.io/
• Gogs should start and be available at https://gogs-cicd.apps.openshift.novaordis.io/
• Nexus should start and be available at https://nexus-cicd.apps.openshift.novaordis.io/