- Servers: I will be making use of AWS virtual machines for this and will require 6 servers for the project which includes:
- nginx server: This would act as the reverse proxy server to our site and tool.
- Jenkins server: To be used to implement your CI/CD workflows or pipelines. Select a t2.medium at least, Ubuntu 20.04 and Security group should be open to port 8080
- SonarQube server: To be used for Code quality analysis. Select a t2.medium at least, Ubuntu 20.04 and Security group should be open to port 9000
- -Artifactory server: To be used as the binary repository where the outcome of your build process is stored. Select a t2.medium at least and Security group should be open to port 8081
- Database server: To server as the databse server for the Todo application
- Todo webserver: To host the Todo web application.
- Secuirty groups: For the purposes of this project, you can have one security group that is open to all traffic. This should however not be attempted in a real DevOps enviroment.
- Your Ansible inventory should look like this
├── ci
├── dev
├── pentest
├── pre-prod
├── prod
├── sit
└── uat
focus will be mainly on the CI, Dev and Pentest enviroments
- Ansible roles for the CI environment. In addition to the previous Ansible roles from project 13, in your ansibile-config-mgt repo add 2 more roles: Sonarqube and Artifactory.
- Set up SSH-agent:
eval `ssh-agent -s`
ssh-add <path-to-private-key>
- Connect to your Jenkins instance on VScode.
- Install the following packages and dependencies on the server:
- Install git :
sudo apt install git - Clone dwn the Asible-config-mgt repository:
git clone https://github.com/ChinenyenwaN1/ansible-config-mgt-prj14 - Install Jenkins and its dependencies. Steps to install Jenkins can be found here
- Configure Ansible For Jenkins Deployment. See Project 9 -Continuous Integration for the initial setup of Jenkins. Here I will be comfiguring Jenkins to run Ansible commands in Jenkins UI.
-
Navigate to Jenkins URL:
<Jenkins-server-public-IP>:8080 -
In the Jenkins dashboard, click on Manage Jenkins -> Manage plugins and search for Blue Ocean plugin. Install and open Blue Ocean plugin.
-
In the Blue Ocean UI create a new pipeline.
-
Select GitHub as where you store your code.
-
Create access token, then enter the newly create access token. Login to GitHub & generate an Access
-
Copy Access token and paste in the new pipeline, then connect.
-
Select which organisation the repository belongs to.
-
At this point you do not have a Jenkinsfile in the Ansible repository, so Blue Ocean will attempt to give you some guidance to create one. We do not need that, rather we will create one ourselves. So, click on Administration to exit the Blue Ocean console.
-
In our Jenkins dashboard you will find the newly created pipeline.
- Let us create our Jenkinsfile.
-
In Vscode, inside the Ansible project, create a new directory and name it deploy, create a new file Jenkinsfile inside the directory.
-
Add the code snippet below to start building the test Jenkinsfile gradually. This pipeline currently has just one stage called Build and the only thing we are doing is using the shell script module to echo Building Stage
pipeline {
agent any
stages {
stage('Build') {
steps {
script {
sh 'echo "Building Stage"'
}
}
}
}
}
-
Next go back into the Ansible pipeline in Jenkins, and select configure
-
Scroll down to Build Configuration section and specify the location of the Jenkinsfile at deploy/Jenkinsfile
8.Back to the pipeline again, this time click "Build now"
9. This will trigger a build and you will be able to see the effect of our test Jenkinsfile configuration by going through the console output of the build.
To really appreciate and feel the difference of Cloud Blue UI, it is recommended to try triggering the build again from Blue Ocean interface. Click on Blue Ocean
10. Select your project and click on the play button against the branch
11. This pipeline is a multibranch one. This means, if there were more than one branch in GitHub, Jenkins would have scanned the repository to discover them all and we would have been able to trigger a build for each branch. To see this in action: Create a new git branch and name it feature/jenkinspipeline-stages
Currently we only have the Build stage. Let us add another stage called Test. Paste the code snippet below and push the new changes to GitHub.
pipeline {
agent any
stages {
stage('Build') {
steps {
script {
sh 'echo "Building Stage"'
}
}
}
stage('Test') {
steps {
script {
sh 'echo "Testing Stage"'
}
}
}
}
}
- To make your new branch show up in Jenkins, we need to tell Jenkins to scan the repository. Click on the "Administration" button and navigate to the Ansible project and click on "Scan repository now"
- Refresh the page and both branches will start building automatically. You can go into Blue Ocean and see both branches there too.
- In Blue Ocean, you can now see how the Jenkinsfile has caused a new step in the pipeline launch build for the new branch.
- Install Ansible on Jenkins your ubuntu VM.
- Install Ansible plugin in Jenkins UI
- Create Jenkinsfile from scratch. (Delete all you currently have in there and start all over to get Ansible to run successfully) Note: Ensure that Ansible runs against the Dev environment successfully.
pipeline {
agent any
environment {
ANSIBLE_CONFIG="${WORKSPACE}/deploy/ansible.cfg"
}
stages {
stage("Initial cleanup") {
steps {
dir("${WORKSPACE}") {
deleteDir()
}
}
}
stage('Checkout SCM') {
steps{
git branch: 'main', url: 'https://github.com/ChinenyenwaN1/ansible-config-mgt-prj14'
}
}
stage('Prepare Ansible For Execution') {
steps {
sh 'echo ${WORKSPACE}'
sh 'sed -i "3 a roles_path=${WORKSPACE}/roles" ${WORKSPACE}/deploy/ansible.cfg'
}
}
stage('Run Ansible playbook') {
steps {
ansiblePlaybook become: true, credentialsId: 'private-key', disableHostKeyChecking: true, installation: 'ansible', inventory: 'inventory/dev, playbook: 'playbooks/site.yml'
}
}
stage('Clean Workspace after build') {
steps{
cleanWs(cleanWhenAborted: true, cleanWhenFailure: true, cleanWhenNotBuilt: true, cleanWhenUnstable: true, deleteDirs: true)
}
}
}
}
Some possible errors to watch out for:
- Ensure that the git module in Jenkinsfile is checking out SCM to main branch instead of master (GitHub has discontinued the use of Master)
- Jenkins needs to export the ANSIBLE_CONFIG environment variable. You can put the .ansible.cfg file alongside Jenkinsfile in the deploy directory. This way, anyone can easily identify that everything in there relates to deployment. Then, using the Pipeline Syntax tool in Ansible, generate the syntax to create environment variables to set. Enter this into the ancible.cfg file:
timeout = 160
callback_whitelist = profile_tasks
log_path=~/ansible.log
host_key_checking = False
gathering = smart
ansible_python_interpreter=/usr/bin/python3
allow_world_readable_tmpfiles=true
[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o ControlPath=/tmp/ansible-ssh-%h-%p-%r -o ServerAliveInterval=60 -o ServerAliveCountMax=60 -o ForwardAgent=yes
-
Remember that ansible.cfg must be exported to environment variable so that Ansible knows where to find Roles. But because you will possibly run Jenkins from different git branches, the location of Ansible roles will change. Therefore, you must handle this dynamically. You can use Linux Stream Editor sed to update the section roles_path each time there is an execution. You may not have this issue if you run only from the main branch.
-
If you push new changes to Git so that Jenkins failure can be fixed. You might observe that your change may sometimes have no effect. Even though your change is the actual fix required. This can be because Jenkins did not download the latest code from GitHub. Ensure that you start the Jenkinsfile with a clean up step to always delete the previous workspace before running a new one. Sometimes you might need to login to the Jenkins Linux server to verify the files in the workspace to confirm that what you are actually expecting is there. Otherwise, you can spend hours trying to figure out why Jenkins is still failing, when you have pushed up possible changes to fix the error.
-
Another possible reason for Jenkins failure sometimes, is because you have indicated in the Jenkinsfile to check out the main git branch, and you are running a pipeline from another branch. So, always verify by logging onto the Jenkins box to check the workspace, and run git branch command to confirm that the branch you are expecting is there.
- Parameterizing Jenkinsfile For Ansible Deployment. So far we have been deploying to dev environment, what if we need to deploy to other environments? We will use parameterization so that at the point of execution, the appropriate values are applied. To parameterize Jenkinsfile For Ansible Deployment, Update CI inventory with new servers
[tooling]
<SIT-Tooling-Web-Server-Private-IP-Address>
[todo]
<SIT-Todo-Web-Server-Private-IP-Address>
[nginx]
<SIT-Nginx-Private-IP-Address>
[db:vars]
ansible_user=ec2-user
ansible_python_interpreter=/usr/bin/python
[db]
<SIT-DB-Server-Private-IP-Address>
- Update Jenkinsfile to introduce parameterization. Below is just one parameter. It has a default value in case if no value is specified at execution. It also has a description so that everyone is aware of its purpose.
pipeline {
agent any
parameters {
string(name: 'inventory', defaultValue: 'dev', description: 'This is the inventory file for the environment to deploy configuration')
}
...
- In the Ansible execution section of the Jenkinsfile, remove the hardcoded inventory/dev and replace with
${inventory}
Our goal here is to deploy the Todo application onto servers directly from Artifactory rather than from git.
-
Updated Ansible with an Artifactory role, use this guide to create an Ansible role for Artifactory (ignore the Nginx part). Configure Artifactory on Ubuntu 20.04
-
Now, open your web browser and type the URL https://. You will be redirected to the Jfrog Atrifactory page. Enter default username and password: admin/password. Once in create username and password and create your new repository. (Take note of the reopsitory name)
-
Next, fork the Todo repository below into your GitHub account
https://github.com/darey-devops/php-todo.git -
On you Jenkins server, install PHP, its dependencies and Composer tool
sudo apt install -y zip libapache2-mod-php phploc php-{xml,bcmath,bz2,intl,gd,mbstring,mysql,zip} -
In Jenkins UI install the following Jenkins plugins: Plot plugin to display tests reports, and code coverage information. Artifactory plugin will be used to easily upload code artifacts into an Artifactory server.
-
In Jenkins UI configure Artifactory
- Go to Dashboard
- System configuration
- Configure the server ID, URL and Credentials, run Test Connection.
-
In VScode create a new Jenkinsfile in the Todo repository
-
Using Blue Ocean, create a multibranch Jenkins pipeline
-
Istall my sql client:
sudo apt install mysql -y -
Login into the DB-server(mysql server) and set the the bind address to 0.0.0.0: sudo vi /etc/mysql/mysql.conf.d/mysqld.cnf
-
Restart the my sql- server:
sudo systemctl restart mysql -
On the database server, create database and user
Create database homestead;
CREATE USER 'homestead'@'%' IDENTIFIED BY 'sePret^i';
GRANT ALL PRIVILEGES ON * . * TO 'homestead'@'%';
- Update the database connectivity requirements in the file .env.sample (DB_Host is the Private IP of the DB-server)
DB_HOST=172.31.87.194
DB_DATABASE=homestead
DB_USERNAME=homestead
DB_PASSWORD=sePret^i
DB_CONNECTION=mysql
DB_PORT=3306
-
Log into mysql from VScode: mysql -h 172.31.87.194 -u homestead -p (at the promot enter pasword)
-
Update Jenkinsfile with proper pipeline configuration. In the Checkout SCM stage ensure you specify the branch as main and change the git repository to yours.
pipeline {
agent any
stages {
stage("Initial cleanup") {
steps {
dir("${WORKSPACE}") {
deleteDir()
}
}
}
stage('Checkout SCM') {
steps {
git branch: 'main', url: 'https://github.com/ChinenyenwaN1/php-todo'
}
}
stage('Prepare Dependencies') {
steps {
sh 'mv .env.sample .env'
sh 'composer install'
sh 'php artisan migrate'
sh 'php artisan db:seed'
sh 'php artisan key:generate'
}
}
}
}
Notice the Prepare Dependencies section
- The required file by PHP is .env so we are renaming .env.sample to .env
- Composer is used by PHP to install all the dependent libraries used by the application. php artisan uses the .env file to setup the required database objects – (After the successful run of this step, login to the database, run show tables and you will see the tables being created for you)
-
Commit to main repo and run the build on Jenkins
-
Update the Jenkinsfile to include Unit tests step
stage('Execute Unit Tests') {
steps {
sh './vendor/bin/phpunit'
}
For PHP the most commonly tool used for code quality analysis is phploc. Read the article here for more The data produced by phploc can be ploted onto graphs in Jenkins.
- Install phploc:
sudo dnf --enablerepo=remi install php-phpunit-phploc
wget -O phpunit https://phar.phpunit.de/phpunit-7.phar
chmod +x phpunit
- Add the code analysis step in Jenkinsfile. The output of the data will be saved in build/logs/phploc.csv file.
stage('Code Analysis') {
steps {
sh 'phploc app/ --log-csv build/logs/phploc.csv'
}
}
- Plot the data using Plot Jenkins plugin. This plugin provides generic plotting (or graphing) capabilities in Jenkins. It will plot one or more single values variations across builds in one or more plots. Plots for a particular job (or project) are configured in the job configuration screen, where each field has additional help information. Each plot can have one or more lines (called data series). After each build completes the plots’ data series latest values are pulled from the CSV file generated by phploc.
stage('Plot Code Coverage Report') {
steps {
plot csvFileName: 'plot-396c4a6b-b573-41e5-85d8-73613b2ffffb.csv', csvSeries: [[displayTableFlag: false, exclusionValues: 'Lines of Code (LOC),Comment Lines of Code (CLOC),Non-Comment Lines of Code (NCLOC),Logical Lines of Code (LLOC) ', file: 'build/logs/phploc.csv', inclusionFlag: 'INCLUDE_BY_STRING', url: '']], group: 'phploc', numBuilds: '100', style: 'line', title: 'A - Lines of code', yaxis: 'Lines of Code'
plot csvFileName: 'plot-396c4a6b-b573-41e5-85d8-73613b2ffffb.csv', csvSeries: [[displayTableFlag: false, exclusionValues: 'Directories,Files,Namespaces', file: 'build/logs/phploc.csv', inclusionFlag: 'INCLUDE_BY_STRING', url: '']], group: 'phploc', numBuilds: '100', style: 'line', title: 'B - Structures Containers', yaxis: 'Count'
plot csvFileName: 'plot-396c4a6b-b573-41e5-85d8-73613b2ffffb.csv', csvSeries: [[displayTableFlag: false, exclusionValues: 'Average Class Length (LLOC),Average Method Length (LLOC),Average Function Length (LLOC)', file: 'build/logs/phploc.csv', inclusionFlag: 'INCLUDE_BY_STRING', url: '']], group: 'phploc', numBuilds: '100', style: 'line', title: 'C - Average Length', yaxis: 'Average Lines of Code'
plot csvFileName: 'plot-396c4a6b-b573-41e5-85d8-73613b2ffffb.csv', csvSeries: [[displayTableFlag: false, exclusionValues: 'Cyclomatic Complexity / Lines of Code,Cyclomatic Complexity / Number of Methods ', file: 'build/logs/phploc.csv', inclusionFlag: 'INCLUDE_BY_STRING', url: '']], group: 'phploc', numBuilds: '100', style: 'line', title: 'D - Relative Cyclomatic Complexity', yaxis: 'Cyclomatic Complexity by Structure'
plot csvFileName: 'plot-396c4a6b-b573-41e5-85d8-73613b2ffffb.csv', csvSeries: [[displayTableFlag: false, exclusionValues: 'Classes,Abstract Classes,Concrete Classes', file: 'build/logs/phploc.csv', inclusionFlag: 'INCLUDE_BY_STRING', url: '']], group: 'phploc', numBuilds: '100', style: 'line', title: 'E - Types of Classes', yaxis: 'Count'
plot csvFileName: 'plot-396c4a6b-b573-41e5-85d8-73613b2ffffb.csv', csvSeries: [[displayTableFlag: false, exclusionValues: 'Methods,Non-Static Methods,Static Methods,Public Methods,Non-Public Methods', file: 'build/logs/phploc.csv', inclusionFlag: 'INCLUDE_BY_STRING', url: '']], group: 'phploc', numBuilds: '100', style: 'line', title: 'F - Types of Methods', yaxis: 'Count'
plot csvFileName: 'plot-396c4a6b-b573-41e5-85d8-73613b2ffffb.csv', csvSeries: [[displayTableFlag: false, exclusionValues: 'Constants,Global Constants,Class Constants', file: 'build/logs/phploc.csv', inclusionFlag: 'INCLUDE_BY_STRING', url: '']], group: 'phploc', numBuilds: '100', style: 'line', title: 'G - Types of Constants', yaxis: 'Count'
plot csvFileName: 'plot-396c4a6b-b573-41e5-85d8-73613b2ffffb.csv', csvSeries: [[displayTableFlag: false, exclusionValues: 'Test Classes,Test Methods', file: 'build/logs/phploc.csv', inclusionFlag: 'INCLUDE_BY_STRING', url: '']], group: 'phploc', numBuilds: '100', style: 'line', title: 'I - Testing', yaxis: 'Count'
plot csvFileName: 'plot-396c4a6b-b573-41e5-85d8-73613b2ffffb.csv', csvSeries: [[displayTableFlag: false, exclusionValues: 'Logical Lines of Code (LLOC),Classes Length (LLOC),Functions Length (LLOC),LLOC outside functions or classes ', file: 'build/logs/phploc.csv', inclusionFlag: 'INCLUDE_BY_STRING', url: '']], group: 'phploc', numBuilds: '100', style: 'line', title: 'AB - Code Structure by Logical Lines of Code', yaxis: 'Logical Lines of Code'
plot csvFileName: 'plot-396c4a6b-b573-41e5-85d8-73613b2ffffb.csv', csvSeries: [[displayTableFlag: false, exclusionValues: 'Functions,Named Functions,Anonymous Functions', file: 'build/logs/phploc.csv', inclusionFlag: 'INCLUDE_BY_STRING', url: '']], group: 'phploc', numBuilds: '100', style: 'line', title: 'H - Types of Functions', yaxis: 'Count'
plot csvFileName: 'plot-396c4a6b-b573-41e5-85d8-73613b2ffffb.csv', csvSeries: [[displayTableFlag: false, exclusionValues: 'Interfaces,Traits,Classes,Methods,Functions,Constants', file: 'build/logs/phploc.csv', inclusionFlag: 'INCLUDE_BY_STRING', url: '']], group: 'phploc', numBuilds: '100', style: 'line', title: 'BB - Structure Objects', yaxis: 'Count'
}
}
You should now see a Plot menu item on the left menu. Click on it to see the charts.
- Bundle the application code into an artifact (archived package) and upload to Artifactory
- Install Zip: Sudo apt install zip -y
stage ('Package Artifact') {
steps {
sh 'zip -qr php-todo.zip ${WORKSPACE}/*'
}
}
- Publish the resulted artifact into Artifactory making sure ti specify the target as the name of the artifactory repository you created earlier
stage ('Upload Artifact to Artifactory') {
steps {
script {
def server = Artifactory.server 'artifactory-server'
def uploadSpec = """{
"files": [
{
"pattern": "php-todo.zip",
"target": "PBL/php-todo",
"props": "type=zip;status=ready"
}
]
}"""
server.upload spec: uploadSpec
}
}
}
-
Push and run your build in Jenkins
-
Log in to your repository in Jfrog artifactory to see the packaged artifact.
-
Deploy the application to the dev environment by launching Ansible pipeline. Ensure you update your inventory/dev with the Private IP of your TODO-server and your site.yml file is updated with todo play.
stage ('Deploy to Dev Environment') {
steps {
build job: 'ansible-project/main', parameters: [[$class: 'StringParameterValue', name: 'env', value: 'dev']], propagate: false, wait: true
}
}
- This particular stage, once it completes the upload to arifactory, it would trigger a call to the your ansible-config-mgt/static-assignments/deployment.yml file and execute the instructions there. Ensure you update the "Download the artifact" instruction with your artifactory url_username and url_password for your artifactory repo.
-
Next we want to ensure that the code being deployed has the quality that meets corporate and customer requirements. We have implemented Unit Tests and Code Coverage Analysis with phpunit and phploc, we still need to implement Quality Gate to ensure that ONLY code with the required code coverage, and other quality standards make it through to the environments. To achieve this, we need to configure SonarQube – An open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities.
-
Install SonarQube on Ubuntu 20.04 With PostgreSQL as Backend Database, Create Sonarqube roles. You can do this manaually or write a script with the directions below or go to Ansible Galaxy to find a sonarqube role
-
Ensure your Sonarqube server is listed on your inventory/ci file.
-
Update your site.yml with sonarqube play instruction.
-
Next copy your paste your public IP for your sonarqube server in your browser to access the SonarQube UI: sonar-public-IP:9000/sonar
-
Login with Username and Password as admin/admin
-
Confiure Sonar in Jenkins
-
install SonarQube Scanner plugin
-
Navigate to configure system in Jenkins. Add SonarQube server:
Manage Jenkins > Configure System -
To generate authentication token in SonarQube to to:
User > My Account > Security > Generate Tokens -
Configure Quality Gate Jenkins Webhook in SonarQube – The URL should point to your Jenkins server http://{JENKINS_HOST}/sonarqube-webhook/ Go to:
Administration > Configuration > Webhooks > Create -
Setup SonarQube scanner from Jenkins – Global Tool Configuration. Go to:
Manage Jenkins > Global Tool Configuration
- Update Jenkins Pipeline to include SonarQube scanning and Quality Gate. Making sure to place it before the "package artifact stage" Below is the snippet for a Quality Gate stage in Jenkinsfile.
stage('SonarQube Quality Gate') {
environment {
scannerHome = tool 'SonarQubeScanner'
}
steps {
withSonarQubeEnv('sonarqube') {
sh "${scannerHome}/bin/sonar-scanner"
}
}
}
NOTE: The above step will fail because we have not updated sonar-scanner.properties
16. Configure sonar-scanner.properties – From the step above, Jenkins will install the scanner tool on the Linux server. You will need to go into the tools directory on the server to configure the properties file in which SonarQube will require to function during pipeline execution.
cd /var/lib/jenkins/tools/hudson.plugins.sonar.SonarRunnerInstallation/SonarQubeScanner/conf/
17. Open sonar-scanner.properties file: sudo vi sonar-scanner.properties
18. Add configuration related to php-todo project
sonar.host.url=http://<SonarQube-Server-IP-address>:9000
sonar.projectKey=php-todo
#----- Default source code encoding
sonar.sourceEncoding=UTF-8
sonar.php.exclusions=**/vendor/**
sonar.php.coverage.reportPaths=build/logs/clover.xml
sonar.php.tests.reportPath=build/logs/junit.xml
Congratulations on the job so far. If everything has worked out for you so far, you should have a view like below:
But we are not completely done yet. The quality gate we just included has no effect. Why? Well, because if you go to the SonarQube UI, you will realise that we just pushed a poor-quality code onto the development environment. Navigate to php-todo project in SonarQube, there are bugs, and there is 0.0% code coverage. (code coverage is a percentage of unit tests added by developers to test functions and objects in the code)
If you click on php-todo project for further analysis, you will see that there is 6 hours’ worth of technical debt, code smells and security issues in the code. First, we will include a When condition to run Quality Gate whenever the running branch is either develop, hotfix, release, main, or master when { branch pattern: "^develop*|^hotfix*|^release*|^main*", comparator: "REGEXP"} Then we add a timeout step to wait for SonarQube to complete analysis and successfully finish the pipeline only when code quality is acceptable. timeout(time: 1, unit: 'MINUTES') { waitForQualityGate abortPipeline: true } The complete stage will now look like this:
stage('SonarQube Quality Gate') {
when { branch pattern: "^develop*|^hotfix*|^release*|^main*", comparator: "REGEXP"}
environment {
scannerHome = tool 'SonarQubeScanner'
}
steps {
withSonarQubeEnv('sonarqube') {
sh "${scannerHome}/bin/sonar-scanner -Dproject.settings=sonar-project.properties"
}
timeout(time: 1, unit: 'MINUTES') {
waitForQualityGate abortPipeline: true
}
}
}
To test, create different branches and push to GitHub. You will realise that only branches other than develop, hotfix, release, main, or master will be able to deploy the code.
If everything goes well, you should be able to see something like this: