-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdevops-camp-db-jenkinsfile
121 lines (121 loc) · 5.93 KB
/
devops-camp-db-jenkinsfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
pipeline {
agent {
label 'jenkins-agent'
}
environment {
PIPELINE_HASH = sh(script: 'git rev-parse --short HEAD', returnStdout: true).trim()
HARBOR_REGISTRY = 'registry.dev.afsmtddso.com'
HARBOR_PROJECT = 'mhoffmann-harbor-project'
DB_IMAGE_NAME = 'db'
CREDENTIALS_ID = 'mhoffmann-harbor-auth'
EKS_NAMESPACE = 'mhoffmann'
}
stages {
stage('Application repository') {
steps {
echo "Cloning application repository"
sh 'git clone https://github.com/McGoffmann/afs-labs-student.git'
dir('afs-labs-student') {
script {
env.COMMIT_HASH = sh(script: 'git log --format=format:%h -1 --follow database/database.sql', returnStdout: true).trim()
}
}
withCredentials([usernamePassword(credentialsId: CREDENTIALS_ID, usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
script {
env.BUILD_DB = sh(script: 'python check_harbor_db.py -h $COMMIT_HASH -i $DB_IMAGE_NAME -r $HARBOR_REGISTRY -p $HARBOR_PROJECT -c ${USERNAME}:${PASSWORD}', returnStdout: true).trim()
}
}
}
}
stage('DB changes: true') {
when {
environment name: 'BUILD_DB', value: 'true'
}
stages {
stage('Database docker build') {
steps {
echo "Building database image"
withCredentials([usernameColonPassword(credentialsId: CREDENTIALS_ID, variable: 'HARBOR-AUTH')]) {
script {
sh 'docker build -t $DB_IMAGE_NAME-$COMMIT_HASH -f ./db/Dockerfile ./afs-labs-student'
docker.withRegistry('https://$HARBOR_REGISTRY', CREDENTIALS_ID) {
sh 'docker tag $DB_IMAGE_NAME-$COMMIT_HASH $HARBOR_REGISTRY/$HARBOR_PROJECT/$DB_IMAGE_NAME:$COMMIT_HASH-$PIPELINE_HASH'
IMAGE_DIGEST = sh (
script: "docker push $HARBOR_REGISTRY/$HARBOR_PROJECT/$DB_IMAGE_NAME:$COMMIT_HASH-$PIPELINE_HASH",
returnStdout: true
).trim()
IMAGE_DIGEST = (IMAGE_DIGEST =~ /$COMMIT_HASH-$PIPELINE_HASH: digest: (sha256:.+) size/)[ 0 ][ 1 ]
echo "IMAGE_DIGEST = $IMAGE_DIGEST" }
}
}
}
post {
always {
echo "Clean local $DB_IMAGE_NAME image"
script {
try {
sh 'docker rmi $DB_IMAGE_NAME-$COMMIT_HASH:latest'
sh 'docker rmi $HARBOR_REGISTRY/$HARBOR_PROJECT/$DB_IMAGE_NAME:$COMMIT_HASH-$PIPELINE_HASH'
} catch (err) {
echo err.getMessage()
}
}
}
}
}
stage('Security scanning') {
steps {
withCredentials([usernamePassword(credentialsId: CREDENTIALS_ID, usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
echo "Scanning $DB_IMAGE_NAME image"
sh 'python harbor_scanner.py -i $DB_IMAGE_NAME -r $HARBOR_REGISTRY -p $HARBOR_PROJECT -c ${USERNAME}:${PASSWORD}'
}
}
}
stage('Sign Image') {
steps {
echo "Signing Container Image"
withCredentials([usernameColonPassword(credentialsId: CREDENTIALS_ID, variable: 'HARBOR-AUTH')]) {
script {
docker.withRegistry('https://$HARBOR_REGISTRY', CREDENTIALS_ID) {
DOCKER_CONFIG_LOCATION = sh (
script: 'docker login https://$HARBOR_REGISTRY/ 2>&1',
returnStdout: true
).trim()
DOCKER_CONFIG_LOCATION = (DOCKER_CONFIG_LOCATION =~ /stored unencrypted in (.+)/)[ 0 ][ 1 ]
DOCKER_CONFIG_LOCATION = DOCKER_CONFIG_LOCATION.substring(0, DOCKER_CONFIG_LOCATION.length() - 1)
script {
sh 'docker build -t cosign-$COMMIT_HASH -f ./cosign/Dockerfile .'
sh "yes | docker run -i -v /var/run/docker.sock:/var/run/docker.sock -v $DOCKER_CONFIG_LOCATION:/root/.docker/config.json --rm cosign-$COMMIT_HASH sign --key cosign.key $HARBOR_REGISTRY/$HARBOR_PROJECT/$DB_IMAGE_NAME@$IMAGE_DIGEST"
}
}
}
}
}
post {
always {
echo "Clean local cosign image"
script {
try {
sh "docker rmi cosign-$COMMIT_HASH:latest"
} catch (err) {
echo err.getMessage()
}
}
}
}
}
stage('Deploy') {
steps {
echo "Deployment stage"
sh 'kubectl -n $EKS_NAMESPACE set image deployment/db-deployment db-deployment=$HARBOR_REGISTRY/$HARBOR_PROJECT/$DB_IMAGE_NAME:$COMMIT_HASH-$PIPELINE_HASH' }
}
}
}
}
post {
cleanup {
echo "Clean workspace"
sh 'rm -rf .git ./*'
}
}
}