Secure spring boot pipeline #73

Merged
merged 24 commits into from
Mar 24, 2019

sherl0cks
Contributor

What does this PR do?

Adds a new secure pipeline for Spring Boot. Relies on labs-ci-cd tooling, so the applier inventory only contains the Spring Boot app.

How should this be tested?

Just follow the readme

Is there a relevant Issue open for this?

Resolves #5

Who would you like to review this?

cc: @redhat-cop/containers-approvers

@pcarney8
Contributor

Nice work! Yes, I like this because it reduces the amount of copy pasta, and definitely encourages reuse + ansible variables. My main concern will be that this does feel more complex. But I will definitely put those feelings on pause because I am hoping the next iteration of the applier or "IaC at Labs" uses a bit more technology native pieces to reduce complexity.

Contributor

@sabre1041 sabre1041 left a comment

@sherl0cks Environment provisioned successfully, however, hitting the following error in the pipeline

[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Code Analysis)
[Pipeline] withSonarQubeEnv
Injecting SonarQube environment variables using the configuration: sonar
[Pipeline] {
[Pipeline] echo
Validating webhook with name jenkins exists...
[Pipeline] sh
+ grep jenkins
+ curl -k -u ******: http://sonarqube:9000/api/webhooks/list
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    15  100    15    0     0    419      0 --:--:-- --:--:-- --:--:--   428
[Pipeline] echo
Return Value is 1
[Pipeline] error
[Pipeline] }
WARN: Unable to locate 'report-task.txt' in the workspace. Did the SonarScanner succeeded?

## Advisories

- Running the pipeline for the first time will take ~10 minutes because all maven dependencies and NIST DB need to be downloaded. Subsequent builds will be faster. Also see https://github.com/redhat-cop/container-pipelines/issues/71
- If you have issues with Nexus certificate like seen [here](https://github.com/redhat-cop/infra-ansible/issues/342), then you can set the ansible var `nexus_validate_certs: false` as a work around.
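
Review bot: the second advisory offers `nexus_validate_certs: false` as a workaround without saying what it costs: going by its name, the variable turns off validation of the Nexus certificate. Suggest adding that it is meant for test or lab clusters, and that the preferred fix is to make the Nexus CA trusted, so the setting is not carried into a long-lived environment by default.
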
Contributor

Do we want to provide the `-e nexus_validate_certs=false` instead?

Contributor Author

can do

Contributor Author

fixed per your request

@sherl0cks
Contributor Author

@haithamshahin333 see above from @sabre1041

@haithamshahin333

haithamshahin333 commented Mar 20, 2019

@sabre1041 @sherl0cks I just provisioned the tooling to my environment and no issues. Your error is related to the jenkins webhook not being created in sonarqube. It should be run as a post-hook in the deployment.

@sabre1041 Can you re-provision and check out why that post-hook did not work / send the logs over for review?

@sherl0cks
Contributor Author

sherl0cks commented Mar 20, 2019

OK - we need to provide some guidance as to why it's failing @haithamshahin333 and potentially offer a fix. At minimum, I need you to help debug this.

@sherl0cks
Contributor Author

Aaaand it looks like that's exactly our ask, I just missed it. That's my bad Haitham. My apologies.

@sherl0cks
Contributor Author

@sabre1041 any word on this?

@sabre1041
Contributor

@sherl0cks @haithamshahin333 reprovisioned environment. got past webhook error. new one

Checking status of SonarQube task 'AWmj004_yolX75t2M0Vh' on server 'sonar'
SonarQube task 'AWmj004_yolX75t2M0Vh' status is 'IN_PROGRESS'
SonarQube task 'AWmj004_yolX75t2M0Vh' status is 'SUCCESS'
SonarQube task 'AWmj004_yolX75t2M0Vh' completed. Quality gate is 'OK'
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Build Container Image)
[Pipeline] echo

[Pipeline] _OcContextInit
[Pipeline] _OcContextInit
[Pipeline] readFile
[Pipeline] _OcAction
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Promote from Build to Dev)
Stage "Promote from Build to Dev" skipped due to earlier failure(s)

@haithamshahin333

@sabre1041 @sherl0cks Per the changes made in labs-ci-cd and container-quickstarts (redhat-cop/containers-quickstarts@9ccc44b), the maven slave image has been updated and it has a newer version of the OC client which fixes your issue above, which was a result of trying to instantiate the build by using the `/oapi` endpoint.

@sherl0cks
Contributor Author

@haithamshahin333 we probably need to cut a tag in Labs CI/CD and update the galaxy requirements here

@haithamshahin333 haithamshahin333 left a comment

@sherl0cks @sabre1041 With this change included, this has been tested and successful in a v4.0 and v3.11 environment. @sabre1041 you can view the test in your environment in the 'secure-spring-boot-hs-ci-cd' namespace.

# This is the Ansible Galaxy requirements file to pull in the correct roles
- src: https://github.com/rht-labs/labs-ci-cd
scm: git
version: v3.11.4
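
Review bot: `version: v3.11.4` pins the roles to a git tag, and a tag can be moved upstream after it is published. For a pipeline presented as secure, consider setting `version` to the full commit SHA of the intended release and naming the tag in a comment, so that what is pulled from `https://github.com/rht-labs/labs-ci-cd` cannot change without a change to this file.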

This needs to be updated to v3.11.5 or master @sherl0cks

Contributor Author

done

Contributor

@sabre1041 sabre1041 left a comment

@sherl0cks @haithamshahin333 Redeployed entire environment and pipeline succeeded.

Great work all!

@sabre1041 sabre1041 merged commit 1085388 into redhat-cop:master Mar 24, 2019
4 participants