RedHatTraining/rht-labs-docs.git

donal

2018-04-18 ebd5e4a0deb64d04ff9ae9fe2e3ce4b5f7fd4ce7

commit \| author \| age
e36a5b	1	# An Enslaved Hope
43f2f2	2
dd12d4	3	> In this exercise we'll break free from the chains of point'n'click Jenkins by introducing pipeline as code in the form of `Jenkinsfile`. Following this we will introduce some new Jenkins slaves that will be used in later labs.
e36a5b	4
D	5	There are a number of ways pipeline as code can be achieved in Jenkins.
	6	* The Job DSL Plugin - this is a slightly older but very functional DSL mechanism to create reusable pipelines. Create a `groovy` file to run Jenkins Domain Specific Language to create jobs, functions and other items. In Jenkins; you then can execute this file which will build all of the config.xml files needed for each Job.
dd12d4	7	* The Scripted Pipeline - The scripted pipeline introduced the Jenkinsfile and the ability for developers to write their jenkins setup as groovy code. A repo with a Jenkinsfile in it's root can be pointed to by Jenkins and it will automatically build out each of the stages described within. The scripted pipeline is ultimately Groovy at it's core.
A	8	* The Declarative Pipeline - This approach looks to simplify and opinionate what you can do and when you can do it in a pipeline. It does this by giving you top level `block` which define sections, directives and steps. The declarative syntax is not run as groovy but you can execute groovy inside script blocks. The advantage of it over scripted is validation of the config and lighter approach with requirement to understand all of the `groovy` syntax
e36a5b	9
43f2f2	10	_____
D	11
	12	## Learning Outcomes
	13	As a learner you will be able to
e36a5b	14	- Use a Jenkinsfile to create a declarative pipeline to build, bake and deploy the Todolist App
D	15	- Identify the differences between scripted, declarative and DSL pipelines
	16	- Create Jenkins slave nodes for use in builds in future labs
43f2f2	17
D	18	## Tools and Frameworks
	19	> Name of tool - short description and link to docs or website
	20
e36a5b	21	1. [Pipeline](https://jenkins.io/doc/book/pipeline/) - Overview of the Jenkinsfile approach
D	22	1. [Pipeline Syntax](https://jenkins.io/doc/book/pipeline/syntax/) - Documentation for the declarative pipeline
	23	1. [Groovy](http://groovy-lang.org/) - Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities, for the Java platform aimed at improving developer productivity thanks to a concise, familiar and easy to learn syntax. It integrates smoothly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming.
b664dc	24	1. [Zed Attack Proxy](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) - The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.
D	25	1. [Arachni Crawler](http://www.arachni-scanner.com/) - Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications. It is free, with its source code public and available for review. It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform. In addition, its simple REST API makes integration a cinch.
43f2f2	26
D	27	## Big Picture
	28	This exercise begins cluster containing blah blah
	29
	30	_____
	31
	32	## 10,000 Ft View
e36a5b	33	> The goal of this exercise is to move to using the Jenkinsfile in the todolist-api and todolist-fe projects. Additionally we will create new slaves for use in the next lab
43f2f2	34
e36a5b	35	2. On Jenkins; create a multibranch pipeline project to scan the GitLab endpoint for each app. Use the Jenkinsfile provided to run the stages. Replace the `<YOUR_NAME>` with appropriate variable.
43f2f2	36
e36a5b	37	2. Create two new Jenkins slaves for the `OWASP ZAP` scanner and the `Arachni` WebCrawler
43f2f2	38
D	39	## Step by Step Instructions
e36a5b	40	> This is a fairly structured guide with references to exact filenames and sections of text to be added.
43f2f2	41
e36a5b	42	### Part 1 - The Jenkinsfile
D	43	> _In this exercise we'll replace the Pipeline we created in Lab 2 with a Jenkinsfile approach_
43f2f2	44
e36a5b	45	2. On your terminal navigate to your `todolist-api` project and checkout the pipeline feature branch that's been already created for you.
D	46	```bash
	47	$ git checkout feature/jenkinsfile
43f2f2	48	```
D	49
e36a5b	50	2. Open up your `todolist-api` application in your favourite editor and move to the `Jenkinsfile` in the root of the project. The highlevel structure of the file is shown collapsed below.
D	51	![pipeline-overview](../images/exercise4/pipeline-overview.png)
	52	Some of the key things to note:
	53	* `pipeline {}` is how all declarative jenkins pipelines begin.
	54	* `environment {}` defines environment varibales to be used across all build stages
	55	* `options {}` contains specific Job specs you want to run globally across the jobs eg setting the terminal colour
	56	* `stage {}` all jobs must have one stage. This is the logical part of the build that will be executed eg `bake-image`
	57	* `steps {}` each `stage` has one or more steps involved. These could be execute shell or git checkout etc.
	58	* `agent {}` specifies the node the build should be run on eg `jenkins-slave-npm`
	59	* `post {}` hook is used to specify the post-build-actions. Jenkins declarative provides very useful callbacks for `success`, `failure` and `always` which are useful for controlling the job flow
	60	* `when {}` is used for flow control. It can be used at stage level and be used to stop pipeline entering that stage. eg when branch is master; deploy to `test` environment.
	61
	62	2. The Jenkinsfile is mostly complete to do all the testing etc that was done in previous labs. Some minor changes will be needed to orchestrate namespaces. Find and replace all instances of `<YOUR_NAME>` in the Jenkinsfile and update the `GITLAB_DOMAIN` accordingly.
	63	```groovy
	64	environment {
	65	// GLobal Vars
dd12d4	66	PIPELINES_NAMESPACE = "<YOUR_NAME>-ci-cd"
e36a5b	67	APP_NAME = "todolist-api"
D	68
	69	JENKINS_TAG = "${JOB_NAME}.${BUILD_NUMBER}".replace("/", "-")
	70	JOB_NAME = "${JOB_NAME}".replace("/", "-")
	71
	72	GIT_SSL_NO_VERIFY = true
	73	GIT_CREDENTIALS = credentials('jenkins-git-creds')
dd12d4	74	GITLAB_DOMAIN = "gitlab-<YOUR_NAME>-ci-cd.apps.somedomain.com"
A	75	GITLAB_PROJECT = "<YOUR_NAME>"
e36a5b	76	}
D	77	```
	78
	79	2. With these changes in place, push your changes to the `feature/jenkinsfile` branch.
	80	```bash
	81	$ git add Jenkinsfile
	82	$ git commit -m "ADD - namespace and git repo to pipeline"
	83	$ git push
	84	```
	85
	86	2. When the changes have been successfully pushed; Open Jenkins.
	87
	88	2. Create a `New Item` on Jenkins. Give it the name `todolist-api` and select `Multibranch Pipeline` from the bottom of the list as the job type.
	89	![multibranch-select](../images/exercise4/multibranch-select.png)
	90
	91	2. On the job's configure page; set the Branch Sources to `git`
	92	![multibranch-select-git](../images/exercise4/multibranch-select-git.png)
	93
	94	2. Fill in the Git settings with your `todolist-api` project url and setting the credentials
	95	![multibranch-git](../images/exercise4/multibranch-git.png)
	96
	97	2. Set the `Scan Multibranch Pipeline Triggers` to be periodical and the internal to 1 minute. This will poll the gitlab instance for new branches or change sets to build.
	98	![multibranch-scan-time](../images/exercise4/multibranch-scan-time.png)
	99
	100	2. Save the Job configuration to run the intial scan. The log will show scans for `master` and `develop` branch which have no `Jenkinsfile` so are skipped. The resulting view will show the `feature/jenkisifle` job corresponding the only branch that currently has one. The build should run automatically.
	101	![todolist-api-multi](../images/exercise4/todolist-api-multi.png)
	102
dd12d4	103	2. The pipeline file is setup to only run `bake` & `deploy` stages when on `master` or `develop` branch. This is to provide us with very fast feedback for team members working on feature or bug fix branches. Each time someone commits or creates a new branch a basic build with testing occurs to give very rapid feedback to the team. Let's now update our branches to include the Jenkinsfile and delete the feature branch.
e36a5b	104	```bash
D	105	$ git checkout develop
	106	$ git merge feature/jenkinsfile
	107	$ git checkout master
	108	$ git merge develop
	109	$ git push -u origin --all
	110	# this is to delete the branch from the remote
	111	$ git push origin :feature/jenkinsfile
	112	```
	113
	114	2. Back on Jenkins we should see our `todolist-api` pipelines have changed with the `develop` and `master` now appearing. The feature was deleted so this job should have gone away.
	115	![todolist-api-multi-dev-test](../images/exercise4/todolist-api-multi-dev-test.png)
	116
	117	2. With the builds running for `develop` and `master` we can explore the Blue Ocean View for Jenkins. On the Job overview page, hit the Open Blue Ocean ![open-blue-ocean](../images/exercise4/open-blue-ocean.png)
	118	button on the side to see what modern Jenkins looks like.
	119	![blue-ocean-todolist-api](../images/exercise4/blue-ocean-todolist-api.png)
	120
	121	2. We can move on to the `todolist-fe` job. The process is the same as before, checkout the feature branch
	122	```bash
	123	$ cd todolist-fe
	124	$ git checkout feature/jenkinsfile
	125	```
	126
	127	2. Open up your `todolist-fe` application in your favourite editor and move to the `Jenkinsfile` in the root of the project. Update all `<YOUR_NAME>` and `GITLAB_DOMAIN` references accordingly.
	128
	129	2. Commit your changes to your feature branch as you did previously.
	130	```bash
	131	$ git add Jenkinsfile
	132	$ git commit -m "ADD - namespace and git repo to pipeline"
	133	$ git push
	134	```
	135
	136	2. This time update your master and develop branches before creating config in Jenkins
	137	```
	138	git checkout develop
	139	git merge feature/jenkinsfile
	140	git checkout master
	141	git merge develop
	142	git push -u origin --all
	143	```
	144
	145	2. On Jenkins; create a new `Multibranch Pipeline` job called `todolist-fe`.
	146
	147	2. Add the `todolist-fe` git repository and set the credentials for git accordingly.
	148
	149	2. Set the trigger to scan every minute as done previously. Save the configuration and we should see the collection of Jobs as shown below.
	150	![todolist-fe-multi](../images/exercise4/todolist-fe-multi.png)
	151
6769e3	152	2. Run the jobs and validate the app is working as expected in the `test` environment!
e36a5b	153
D	154	### Part 2 - Security Scanning Slaves
	155	> _This exercise focuses on updating the `enablement-ci-cd` repo with some new jenkins-slave pods for use in future exercise_
43f2f2	156
6769e3	157	#### Part 2a - OWASP ZAP
A	158	> _OWASP ZAP (Zed Attack Proxy) is a free open source security tool used for finding security vulnerabilities in web applications._
	159
	160
fd433b	161	3. First we're going to take the generic jenkins slave template from our exercise4/zap branch and the params.
6769e3	162	```bash
fd433b	163	$ git checkout exercise4/zap-and-arachni params/ templates/jenkins-slave-generic-template.yml
6769e3	164	```
A	165
	166	3. This should have created the following files:
fd433b	167	- `templates/jenkins-slave-generic-template.yml`
b664dc	168	- `params/zap-build-pod` and `params/arachni-build-pod`
6769e3	169
054490	170	3. Create an object in `inventory/host_vars/ci-cd-tooling.yml` called `zap-build-pod` and add the following content:
A	171	```yaml
6769e3	172	- name: "zap-build-pod"
b664dc	173	namespace: "{{ ci_cd_namespace }}"
D	174	template: "{{ playbook_dir }}/templates/jenkins-slave-generic-template.yml"
	175	params: "{{ playbook_dir }}/params/zap-build-pod"
	176	tags:
	177	- zap
6769e3	178	```
b664dc	179	<p class="tip">
D	180	NOTE- Install your Openshift Applier dependency if it's disappeared.
	181	```
	182	$ ansible-galaxy install -r requirements.yml --roles-path=roles
6769e3	183	```
fd433b	184	</p>
6769e3	185
A	186	3. Run the ansible playbook filtering with tag `zap` so only the zap build pods are run.
	187	```bash
b664dc	188	$ ansible-playbook apply.yml -e target=tools \
D	189	-i inventory/ \
	190	-e "filter_tags=zap"
6769e3	191	```
A	192
b664dc	193	3. Head to (https://console.somedomain.com/console/project/<YOUR_NAME>-ci-cd/browse/builds) on Openshift and you should see `zap-build-pod`.
6769e3	194	include screenshot here.
A	195
	196	#### Part 2b - Arachni Scan
	197	> _Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications._
	198
fd433b	199	3. Create an object in `inventory/host_vars/ci-cd-tooling.yml` called `arachni-build-pod` with the following content:
054490	200	```yaml
6769e3	201	- name: "arachni-build-pod"
b664dc	202	namespace: "{{ ci_cd_namespace }}"
D	203	template: "{{ playbook_dir }}/templates/jenkins-slave-generic-template.yml"
	204	params: "{{ playbook_dir }}/params/arachni-build-pod"
	205	tags:
	206	- arachni
6769e3	207	```
A	208
fd433b	209	3. Run the ansible playbook filtering with tag `arachni` so only the arachni build pods are run.
6769e3	210	```bash
b664dc	211	$ ansible-playbook apply.yml -e target=tools \
D	212	-i inventory/ \
	213	-e "filter_tags=arachni"
6769e3	214	```
A	215
b664dc	216	3. Head to (https://console.somedomain.com/console/project/<YOUR_NAME>-ci-cd/browse/builds) on Openshift and you should see `arachni-build-pod`.
054490	217	![todolist-fe-multi](../images/exercise4/builds-zap-arachni.png)
43f2f2	218
D	219	_____
	220
	221	## Extension Tasks
	222	> _Ideas for go-getters. Advanced topic for doers to get on with if they finish early. These will usually not have a solution and are provided for additional scope._
	223
e36a5b	224	OpenShift Sync plugin
D	225	- Use the `Jenkinsfile` provided to create a pipeline that runs in OpenShift's pipeline ie using it as the BuildConfig.
	226
	227	Jenkins S2I
	228	- Add the multi-branch configuration to the S2I to have Jenkins come alive with the `todolist-api` and `-fe` configuration cooked into it for future uses.
	229
d608d6	230	Jenkins Pipeline Extension
D	231	- Add an extension to the pipeline that promotes code to UAT environment once the master job has been successful.
	232	- Use a WAIT to allow for manual input to appove the promotion
	233
	234	Jenkins e2e extension (blue/green)
	235	- Add a step in the pipeline to only deploy to the `test` environment if the e2e tests have run successfully against which ever environemnt (blue or green) is not deployed.
43f2f2	236
D	237	## Additional Reading
	238	> List of links or other reading that might be of use / reference for the exercise
	239
	240	## Slide links
dd12d4	241	> link back to the deck for the supporting material