Secure spring boot pipeline #73
added a shared vars file and updated docs
secure-spring-boot/.openshift-applier/inventory/group_vars/seed-hosts.yml
Nice work! Yes, I like this because it reduces the amount of copy pasta, and definitely encourages reuse + ansible variables. My main concern will be that this does feel more complex. But I will definitely put those feelings on pause because I am hoping the next iteration of the applier or "IaC at Labs" uses a bit more technology native pieces to reduce complexity.
@sherl0cks Environment provisioned successfully, however, hitting the following error in the pipeline
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Code Analysis)
[Pipeline] withSonarQubeEnv
Injecting SonarQube environment variables using the configuration: sonar
[Pipeline] {
[Pipeline] echo
Validating webhook with name jenkins exists...
[Pipeline] sh
+ grep jenkins
+ curl -k -u ******: http://sonarqube:9000/api/webhooks/list
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 15 100 15 0 0 419 0 --:--:-- --:--:-- --:--:-- 428
[Pipeline] echo
Return Value is 1
[Pipeline] error
[Pipeline] }
WARN: Unable to locate 'report-task.txt' in the workspace. Did the SonarScanner succeeded?
secure-spring-boot/README.md
## Advisories | ||
|
||
- Running the pipeline for the first time will take ~10 minutes because all maven dependencies and NIST DB need to be downloaded. Subsequent builds will be faster. Also see https://github.com/redhat-cop/container-pipelines/issues/71 | ||
- If you have issues with Nexus certificate like seen [here](https://github.com/redhat-cop/infra-ansible/issues/342), then you can set the ansible var `nexus_validate_certs: false` as a work around. |
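Review bot: The second advisory recommends `nexus_validate_certs: false` as a workaround, which turns off TLS certificate verification for every Ansible call to Nexus; the README should label it as a temporary, non-production workaround and point to fixing the certificate (the linked infra-ansible issue) as the proper remedy, rather than presenting it as a setting to leave in place.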
Do we want to provide the -e nexus_validate_certs=false instead?
can do
fixed per your request
@haithamshahin333 see above from @sabre1041
@sabre1041 @sherl0cks I just provisioned the tooling to my environment and no issues. Your error is related to the jenkins webhook not being created in sonarqube. It should be run as a post-hook in the deployment. @sabre1041 Can you re-provision and check out why that post-hook did not work / send the logs over for review?
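An added illustration, not code from this PR or from the labs-ci-cd project, of the webhook validation step that failed in the log above. The pipeline greps the raw body of GET /api/webhooks/list for the string "jenkins"; parsing the JSON and matching the webhook name and target host is less fragile and gives a clearer failure reason. The response shape `{"webhooks": [{"key": ..., "name": ..., "url": ...}]}` is assumed from SonarQube's Web API, and the sample bodies are constructed.

```python
"""Validate that a SonarQube webhook named 'jenkins' is registered."""
import json
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed sample responses (not real captures from the environment).
RESPONSE_WITH_HOOK = json.dumps({
    "webhooks": [
        {"key": "AWxx-constructed-key", "name": "jenkins",
         "url": "http://jenkins:8080/sonarqube-webhook/"}
    ]
})
# The curl in the log transferred exactly 15 bytes, which is the length of the
# compact empty-list body below: consistent with the post-hook never having
# registered the webhook.
RESPONSE_EMPTY = '{"webhooks":[]}'


def find_webhook(body: str, name: str) -> Optional[dict]:
    """Return the webhook entry whose name matches exactly, else None.

    Exact matching avoids the false positive a substring grep would give
    for e.g. a hook named 'jenkins-old'."""
    try:
        hooks = json.loads(body).get("webhooks", [])
    except (ValueError, AttributeError):
        return None  # non-JSON or unexpected body: treat as not found
    for hook in hooks:
        if hook.get("name") == name:
            return hook
    return None


def validate_jenkins_webhook(body: str, expected_host: str = "jenkins") -> Tuple[bool, str]:
    """Mirror the 'Validating webhook with name jenkins exists...' step.

    Returns (ok, reason). Besides existence, check that the callback URL
    points at the expected Jenkins host, so a stale hook with the right
    name but the wrong target is reported instead of silently passing."""
    hook = find_webhook(body, "jenkins")
    if hook is None:
        return False, "no webhook named 'jenkins': the deployment post-hook did not register it"
    host = urlparse(hook.get("url", "")).hostname
    if host != expected_host:
        return False, f"webhook 'jenkins' targets {host!r}, not {expected_host!r}"
    return True, "ok"
```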
OK - we need to provide some guidance as to why it's failing @haithamshahin333 and potentially offer a fix. At minimum, I need you to help debug this.
Aaaand it looks like that's exactly our ask, I just missed it. That's my bad Haitham. My apologies.
@sabre1041 any word on this?
@sherl0cks @haithamshahin333 Reprovisioned environment. Got past webhook error. New one:
@sabre1041 @sherl0cks Per the changes made in labs-ci-cd and containers-quickstarts (redhat-cop/containers-quickstarts@9ccc44b) the maven slave image has been updated and it has a newer version of the OC client which fixes your issue above, which was a result of trying to instantiate the build by using the /oapi endpoint.
@haithamshahin333 we probably need to cut a tag in Labs CI/CD and update the galaxy requirements here
@sherl0cks @sabre1041 With this change included, this has been tested and successful in a v4.0 and v3.11 environment. @sabre1041 you can view the test in your environment in the 'secure-spring-boot-hs-ci-cd' namespace.
secure-spring-boot/requirements.yml
# This is the Ansible Galaxy requirements file to pull in the correct roles | ||
- src: https://github.com/rht-labs/labs-ci-cd | ||
scm: git | ||
version: v3.11.4 |
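Review bot: The pinned `version: v3.11.4` on the last line predates the labs-ci-cd change the thread says fixes the /oapi build-instantiation error, so the pipeline will still pull the old maven slave image; bump the pin to the tag that carries the fix (v3.11.5 per the review comment) and keep a tag rather than `master` so the tooling this pipeline depends on stays reproducible.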
This needs to be updated to v3.11.5 or master @sherl0cks
done
@sherl0cks @haithamshahin333 Redeployed entire environment and pipeline succeeded.
Great work all!
What does this PR do?
Adds a new secure pipeline for Spring Boot. Relies on labs-ci-cd tooling, so the applier inventory only contains the spring boot app.
How should this be tested?
Just follow the readme
Is there a relevant Issue open for this?
Resolves #5
Who would you like to review this?
cc: @redhat-cop/containers-approvers