Feature/dev 1

.kubernetes/create_aks.ps1

@@ -0,0 +1,33 @@
+# Login to Azure (Uncomment the next line if you need to login or switch accounts)
+# az login
+
+# Set Variables
+$resourceGroupName = "devsecops"
+$location = "northeurope"
+$aksClusterName = "Devsecops-aks"
+$aksVersion = "1.29.0"
+
+# Create Resource Group if it doesn't exist
+$resourceGroupExists = az group exists --name $resourceGroupName
+if (-not $resourceGroupExists) {
+    Write-Output "Creating resource group '$resourceGroupName' in location '$location'."
+    az group create --name $resourceGroupName --location $location
+} else {
+    Write-Output "Resource group '$resourceGroupName' already exists."
+}
+
+# Create AKS Cluster
+Write-Output "Creating AKS cluster named '$aksClusterName' in resource group '$resourceGroupName'."
+az aks create `
+  --resource-group $resourceGroupName `
+  --name $aksClusterName `
+  --node-count 1 `
+  --enable-addons monitoring `
+  --kubernetes-version $aksVersion `
+  --generate-ssh-keys `
+  --location $location `
+  --node-vm-size Standard_B2s `
+  --load-balancer-sku basic `
+  --no-wait
+
+Write-Output "AKS cluster creation command has been executed. It may take a few minutes for the cluster to be fully operational."

.pydevproject

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<?eclipse-pydev version="1.0"?><pydev_project>
+    <pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Default</pydev_property>
+    <pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python interpreter</pydev_property>
+    <pydev_pathproperty name="org.python.pydev.PROJECT_SOURCE_PATH">
+        <path>/${PROJECT_DIR_NAME}/devops-spring-project</path>
+    </pydev_pathproperty>
+</pydev_project>

.talismanrc

@@ -0,0 +1,4 @@
+fileignoreconfig:
+- filename: Jenkinsfile
+  checksum: a4c9cd41b0402afd7b2324cc30a6628cbd0aade31a0d852ef2664b297e2bc117
+version: ""

.vscode/settings.json

@@ -0,0 +1,4 @@
+{
+    "java.compile.nullAnalysis.mode": "automatic",
+    "java.configuration.updateBuildConfiguration": "interactive"
+}

Dockerfile

@@ -1,5 +1,7 @@
 FROM openjdk:8-jdk-alpine
 EXPOSE 8080
 ARG JAR_FILE=target/*.jar
-ADD ${JAR_FILE} app.jar
-ENTRYPOINT ["java","-jar","/app.jar"]
+RUN addgroup -S pipeline && adduser -S k8s-pipeline -G pipeline
+COPY ${JAR_FILE} /home/k8s-pipeline/app.jar
+USER k8s-pipeline
+ENTRYPOINT ["java","-jar","/home/k8s-pipeline/app.jar"]

Jenkinsfile

@@ -1,12 +1,194 @@
 pipeline {
-  agent any
+    agent any
 
-  stages {
-      stage('Build Artifact') {
+    environment {
+        // Set JVM options for Maven
+        deploymentName = "devsecops"
+        containerName = "devsecops-container"
+        serviceName = "devsecops-svc"
+        imageName = "manlikeabz/numeric-app:${GIT_COMMIT}"
+        applicationURL = "http://devsecops-abzconsultancies.eastus.cloudapp.azure.com/"
+        applicationURI = "/increment/99"
+        MAVEN_OPTS = "--add-opens java.base/java.lang=ALL-UNNAMED"
+        AKS_CLUSTER_NAME = 'Devsecops-aks'
+        NAMESPACE = 'default'
+    }
+
+    stages {
+        stage('Build Artifact') {
+            steps {
+                // Use environment variable for Maven options
+                sh 'mvn clean package -DskipTests=true'
+                archiveArtifacts artifacts: 'target/*.jar', onlyIfSuccessful: true
+            }
+        }
+
+        stage('Unit Tests - JUnit and Jacoco') {
+            steps {
+                sh "mvn test"
+            }
+            post {
+                always {
+                    junit 'target/surefire-reports/*.xml'
+                    jacoco execPattern: 'target/jacoco.exec'
+                }
+            }
+        }
+
+        stage('Mutation Tests - PIT') {
+            steps {
+                sh 'mvn org.pitest:pitest-maven:mutationCoverage'
+            }
+            post {
+                always {
+                    pitmutation mutationStatsFile: '**/pit-reports/**/mutations.xml'
+                }
+            }
+        }
+
+        stage('SonarQube - SAST') {
+            steps {
+                withSonarQubeEnv('SonarQube') {
+                    sh "mvn sonar:sonar -Dsonar.projectKey=numeric-application -Dsonar.host.url=http://devsecops-abzconsultancies.eastus.cloudapp.azure.com:9000 -Dsonar.token=squ_b0ffa602f401442384e12c06cbd73a66b51a7d2a"
+                    // Make sure the SonarQube scanner has finished before proceeding
+                }
+                script {
+                    // It will wait indefinitely for the SonarQube analysis to complete
+                    def qg = waitForQualityGate()
+                    if (qg.status != 'OK') {
+                        error "Quality gate not passed: ${qg.status}"
+                    }
+                }
+            }
+        }
+
+        stage('Vulnerability Scan - Docker') {
+            parallel {
+                stage('Maven Dependency Check') {
+                    steps {
+                        script {
+                            sh "mvn dependency-check:check"
+                        }
+                    }
+                    post {
+                        always {
+                            dependencyCheckPublisher pattern: 'target/dependency-check-report.xml'
+                        }
+                    }
+                }
+                stage('Trivy Scan') {
+                    steps {
+                        script {
+                            sh "bash trivy-docker-image-scan.sh"
+                            //trivy image --exit-code 0 --severity HIGH,CRITICAL manlikeabz/numeric-app:${GIT_COMMIT}
+                        }
+                    }
+                }
+                stage('OPA Conftest') {
+                    steps {
+                        script {
+                            // Run OPA Conftest against the Dockerfile
+                            sh 'docker run --rm -v $(pwd):/project openpolicyagent/conftest test --policy opa-docker-security.rego Dockerfile'
+                        }
+                    }
+                }
+            }
+        }
+
+        stage('Docker Build and Push') {
+            steps {
+                script {
+                    // Ensure GIT_COMMIT is populated
+                    GIT_COMMIT = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
+                    echo "Building and pushing Docker image for commit: ${GIT_COMMIT}"
+
+                    // Docker login using credentials securely
+                    withDockerRegistry([credentialsId: "90cf476e-ad01-40fe-86fa-4b0599ac41ff", url: ""]) {
+                        sh "printenv"
+
+                        // Docker build and push commands
+                        sh "docker build -t manlikeabz/numeric-app:${GIT_COMMIT} ."
+                        sh "docker push manlikeabz/numeric-app:${GIT_COMMIT}"
+                    }
+                }
+            }
+        }
+
+        // stage('Vulneability Scan - Kubernetes') {
+        //     steps {
+        //         script {
+        //             // Run OPA Conftest scan against the Kubernetes deployment file
+        //             sh "docker run --rm -v $pwd:/project openpolicyagent/conftest test --policy opa-k8s-security.rego k8s_deployment_service.yaml"
+        //         }
+        //     }
+        // }
+
+        stage('Vulnerability Scan - Kubernetes') {
             steps {
-              sh "mvn clean package -DskipTests=true"
-              archive 'target/*.jar' //so that they can be downloaded later
+                parallel(
+                    "OPA Scan": {
+                        script {
+                            // Run OPA Conftest scan against the Kubernetes deployment file
+                            sh "docker run --rm -v $(pwd):/project openpolicyagent/conftest test --policy opa-k8s-security.rego k8s_deployment_service.yaml"
+                        }
+                    },
+                    "Kubesec Scan": {
+                        sh "bsh kubesec-scan.sh"
+                    }
+                    }
+                )
             }
-        }   
+        }
+
+        // stage('Kubernetes Deployment - DEV') {
+        //     steps {
+        //         withKubeConfig([credentialsId: 'kubeconfig']) {
+        //             sh "kubectl config use-context ${AKS_CLUSTER_NAME}"
+        //             sh "sed -i 's#replace#manlikeabz/numeric-app:${GIT_COMMIT}#g' k8s_deployment_service.yaml"
+        //             sh "kubectl apply -f k8s_deployment_service.yaml"
+        //         }
+        //     }
+        // }
+
+        stage('Integration Tests - DEV') {
+            steps {
+                script {
+                  try {
+                    withKubeConfig([credentialsId: 'kubeconfig']) {
+                      sh "bash integration-tests.sh"
+                    }
+                  } catch (Exception e) {
+                    withKubeConfig([credentialsId: 'kubeconfig']) {
+                      sh "kubectl rollout undo deployment ${deploymentName}"
+                    }
+                    throw e  
+                }
+            }
+        }
+
+        stage('K8s Deployment - Dev'){
+            steps{
+              parallel(
+                "Deploynment": {
+                  withKubeConfig([credentialsId: 'kubeconfig']) {
+                    sh "bash k8s-deployment.sh"
+                  }
+                },
+                "Rollout Status": {
+                  withKubeConfig([credentialsId: 'kubeconfig']) {
+                    sh "bash k8s-deployment-rollout-status.sh"
+                  }
+                }
+              )
+            }
+        }
+    }
+
+    post {
+        always {
+            // Cleanup after Docker to avoid logged in credentials hanging around
+            sh "docker logout"
+            echo 'Pipeline execution complete.'
+        }
     }
-}
+}

clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: deployment-manager-binding
+  namespace: default
+subjects:
+- kind: ServiceAccount
+  name: jenkins-deployer
+  namespace: default
+roleRef:
+  kind: Role
+  name: deployment-manager
+  apiGroup: rbac.authorization.k8s.io
+

integration-test.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+#integration-test.sh
+
+sleep 5s
+
+PORT=$(kubectl -n default get svc ${serviceName} -o json | jq .spec.ports[].nodePort)
+echo $PORT
+echo $applicationURL:$PORT/$applicationURI
+
+if [[ ! -z "$PORT" ]]
+then
+    response=$(curl -s $applicationURL:$PORT$applicationURI)
+    http_code=$(curl -s -o /dev/null -w "%{http_code}" $applicationURL:$PORT$applicationURI)
+
+    if [[ "$response" == 100 ]];
+    then
+        echo "Increment Test Passed"
+    else
+        echo "Increment Test Failed"
+        exit 1;
+    fi;
+
+    if [[ "$http_code" == 200 ]];
+    then
+        echo "HTTP Status Code Test Passed"
+    else
+        echo "HTTP Status code is not 200"
+        exit 1;
+    fi;
+else
+    echo "The Service does not have a NodePort"
+    exit 1;
+fi;

k8s-deployment-rollout-status.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+sleep 60s
+
+if [[ $(kubectl -n default rollout status deployment/${deploymentName} --timeout 5s) != *"successfully rolled out"* ]];
+then
+    echo "Deployment ${deploymentName} rolled out has failed"
+    kubectl rollout undo deployment/${deploymentName} -n default
+else
+    echo "Deployment ${deploymentName} rollout success"
+fi

k8s-deployment.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+sed -i "s#replace#${imageName}#g" k8s_deployment_service.yaml
+# kubectl -n default get deployment ${deploymentName} &> /dev/null
+
+# if [[ $? -ne 0]]; then
+#      echo "deployment ${deploymentName} not found, creating new deployment"
+#      kubectl apply -f k8s_deployment_service.yaml -n default
+# else
+#       echo "deployment ${deploymentName} found, updating deployment"
+#       echo "image name - ${imageName}"
+#       kubectl set image deployment/${deploymentName} ${containerName}=${imageName} -n default
+#   fi 
+
+kubectl apply -f k8s_deployment_service.yaml -n default

k8s_deployment_service.yaml

@@ -15,9 +15,27 @@ spec:
       labels:
         app: devsecops
     spec:
+      volumes:
+      - name: vol
+        emptyDir: {}
+      serviceAccount: default
       containers:
       - image: replace
         name: devsecops-container
+        volumeMounts:
+        - name: vol
+          mountPath: /tmp
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 100
+          readOnlyRootFilesystem: true
+        resources:
+          limits:
+            cpu: "1"
+            memory: "1Gi"
+          requests:
+            cpu: "100m"
+            memory: "256Mi"
 ---
 apiVersion: v1
 kind: Service