From 6ad7b6be35a30e27ac419c8c0da7a1c1bc3d1176 Mon Sep 17 00:00:00 2001 From: Tommy Falgout Date: Fri, 11 Aug 2017 14:48:09 -0500 Subject: [PATCH 01/19] Update Jenkins install to be up-to-date + Add Secret fetching to registry --- DEMO.md | 7 ++++++- Jenkinsfile | 2 +- charts/croc-hunter/templates/croc-hunter.yaml | 4 +++- jenkins-values.yaml | 11 +++++++---- 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/DEMO.md b/DEMO.md index 4e090de5..6747f743 100644 --- a/DEMO.md +++ b/DEMO.md @@ -61,6 +61,11 @@ open ${JENKINS_URL}/login printf $(kubectl get secret --namespace jenkins jenkins-jenkins -o jsonpath="{.data.jenkins-admin-password}" | base64 --decode) | pbcopy ``` +## Add Credentials for private Container Registry +``` +kubectl create secret docker-registry croc-hunter-secrets --docker-server=$DOCKER_SERVER --docker-username=$DOCKER_USERNAME --docker-password=$DOCKER_PASSWORD --docker-email=$DOCKER_EMAIL --namespace=croc-hunter +``` + ## Login and configure Jenkins and setup pipeline ``` # username: admin @@ -147,4 +152,4 @@ open https://github.com/lachie83/croc-hunter # PR builds # merge the PR # master builds and deploys new version -``` \ No newline at end of file +``` diff --git a/Jenkinsfile b/Jenkinsfile index 360b7332..8fc6a530 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -97,7 +97,7 @@ volumes:[ // perform docker login to quay as the docker-pipeline-plugin doesn't work with the next auth json format withCredentials([[$class : 'UsernamePasswordMultiBinding', credentialsId: config.container_repo.jenkins_creds_id, usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) { - sh "docker login -e ${config.container_repo.dockeremail} -u ${env.USERNAME} -p ${env.PASSWORD} quay.io" + sh "docker login -u ${env.USERNAME} -p ${env.PASSWORD} quay.io" } // build and publish container diff --git a/charts/croc-hunter/templates/croc-hunter.yaml b/charts/croc-hunter/templates/croc-hunter.yaml index b96d2b68..1bcce9b3 100644 
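Review bot: The new `sh "docker login -u ${env.USERNAME} -p ${env.PASSWORD} quay.io"` line in the Jenkinsfile hunk (@@ -97) interpolates the bound password on the Groovy side, so the secret is baked into the generated shell script on the agent and, depending on log masking, can be echoed by the step's command trace instead of being read from the environment. Since `withCredentials` already exports `USERNAME` and `PASSWORD` into the step's environment, a single-quoted command lets the shell expand them: `sh 'docker login -u "$USERNAME" -p "$PASSWORD" quay.io'`. The docker container in this pod is `docker:1.12.6`; once it is upgraded to a client that supports `--password-stdin`, piping the password in also keeps it off the command line. The same construct is added again in patch 03 (the @@ -94 Jenkinsfile hunk that parameterizes the registry host) and the fix applies there too; the enclosing `container('docker')` block starts and ends outside this hunk.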
--- a/charts/croc-hunter/templates/croc-hunter.yaml +++ b/charts/croc-hunter/templates/croc-hunter.yaml @@ -40,6 +40,8 @@ spec: chart: "{{.Chart.Name}}-{{.Chart.Version}}" component: "{{.Release.Name}}-{{.Values.component}}" spec: + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} containers: - name: {{ template "fullname" . }} image: "{{.Values.image}}:{{.Values.imageTag}}" @@ -61,4 +63,4 @@ spec: readinessProbe: httpGet: path: /healthz - port: http \ No newline at end of file + port: http diff --git a/jenkins-values.yaml b/jenkins-values.yaml index 5712a663..1a8064c1 100644 --- a/jenkins-values.yaml +++ b/jenkins-values.yaml @@ -7,19 +7,22 @@ Master: HostName: jenkins.acs.az.estrado.io ServiceType: ClusterIP InstallPlugins: - - kubernetes:0.11 + - kubernetes:0.12 - workflow-aggregator:2.5 - - credentials-binding:1.12 - - git:3.3.1 + - credentials-binding:1.13 + - git:3.5.1 - pipeline-github-lib:1.0 - ghprb:1.39.0 - - blueocean:1.1.4 + - blueocean:1.1.6 ScriptApproval: - "method groovy.json.JsonSlurperClassic parseText java.lang.String" - "new groovy.json.JsonSlurperClassic" - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods leftShift java.util.Map java.util.Map" - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods split java.lang.String" + - "method java.util.Collection toArray" + - "staticMethod org.kohsuke.groovy.sandbox.impl.Checker checkedCall java.lang.Object boolean boolean java.lang.String java.lang.Object[]" + - "staticMethod org.kohsuke.groovy.sandbox.impl.Checker checkedGetProperty java.lang.Object boolean boolean java.lang.Object" Ingress: Annotations: From 8a398684875631fe032ab6e960b2d517e3e5b37b Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Thu, 17 Aug 2017 15:02:45 -0700 Subject: [PATCH 02/19] pinned jenkins version --- jenkins-values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/jenkins-values.yaml b/jenkins-values.yaml index 1a8064c1..19da0a3d 100644 --- a/jenkins-values.yaml 
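Review bot: The three ScriptApproval entries added at the end of the jenkins-values.yaml hunk (@@ -7,19) approve `org.kohsuke.groovy.sandbox.impl.Checker checkedCall` and `checkedGetProperty`, which are the sandbox's own interception entry points rather than ordinary library methods, and nothing records which pipeline construct required them. Entries in this list apply to every sandboxed Pipeline on the controller, so each should be traceable to a specific call in the shared library, and if that call can be rewritten in plain Groovy the entry should be dropped. At minimum add a comment above them such as `# required by <library function placeholder> in jenkins-pipeline; re-check on library upgrade` so a later reviewer can tell whether they are still needed. Whether approving these signatures widens what a sandboxed script can reach beyond the rest of the list is not visible here and should be verified against the sandbox plugin version in use.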
+++ b/jenkins-values.yaml @@ -3,6 +3,7 @@ # helm --namespace jenkins --name jenkins -f ./jenkins-values.yaml install stable/jenkins Master: + ImageTag: "2.67" Memory: "512Mi" HostName: jenkins.acs.az.estrado.io ServiceType: ClusterIP From 910aef125e3123d5c516e65cfe52c729e042418b Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Thu, 17 Aug 2017 15:30:53 -0700 Subject: [PATCH 03/19] Use dev pipeline branch use container registry name variable update helm deploy to use new extensible set update helm to 2.6.0 --- Jenkinsfile | 44 +++++++++++++++++++++++++------------------- Jenkinsfile.json | 6 +++--- jenkins-values.yaml | 4 ++-- 3 files changed, 30 insertions(+), 24 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index f13c160b..8a405028 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -2,14 +2,14 @@ // load pipeline functions // Requires pipeline-github-lib plugin to load library from github -@Library('github.com/lachie83/jenkins-pipeline@master') +@Library('github.com/lachie83/jenkins-pipeline@dev') def pipeline = new io.estrado.Pipeline() podTemplate(label: 'jenkins-pipeline', containers: [ containerTemplate(name: 'jnlp', image: 'jenkinsci/jnlp-slave:2.62', args: '${computer.jnlpmac} ${computer.name}', workingDir: '/home/jenkins', resourceRequestCpu: '200m', resourceLimitCpu: '200m', resourceRequestMemory: '256Mi', resourceLimitMemory: '256Mi'), containerTemplate(name: 'docker', image: 'docker:1.12.6', command: 'cat', ttyEnabled: true), containerTemplate(name: 'golang', image: 'golang:1.8.3', command: 'cat', ttyEnabled: true), - containerTemplate(name: 'helm', image: 'lachlanevenson/k8s-helm:v2.5.0', command: 'cat', ttyEnabled: true), + containerTemplate(name: 'helm', image: 'lachlanevenson/k8s-helm:v2.6.0', command: 'cat', ttyEnabled: true), containerTemplate(name: 'kubectl', image: 'lachlanevenson/k8s-kubectl:v1.4.8', command: 'cat', ttyEnabled: true) ], volumes:[ 
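Review bot: `@Library('github.com/lachie83/jenkins-pipeline@dev')` in the first Jenkinsfile hunk of patch 03 (@@ -2,14) switches the shared library from `master` to `dev`, so the pipeline now runs whatever is currently on a mutable development branch with access to the credentials this job binds, and a build is no longer reproducible against a fixed library revision. Pinning to a tag or commit, e.g. `@Library('github.com/lachie83/jenkins-pipeline@<tag-or-sha placeholder>')`, keeps library changes under review in this repository; the same reference is set in the Jenkinsfile.json hunk (`"branch": "dev"`) and should move with it. If `dev` is intentional while the `set`-based helm deploy is being developed, a comment on the `@Library` line saying so, with the revision it was tested against, would make that clear. The `podTemplate` call continues outside this hunk.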
@@ -79,12 +79,14 @@ volumes:[ dry_run : true, name : config.app.name, namespace : config.app.name, - version_tag : image_tags_list.get(0), chart_dir : chart_dir, - replicas : config.app.replicas, - cpu : config.app.cpu, - memory : config.app.memory, - hostname : config.app.hostname + set : [ + "imageTag": image_tags_list.get(0) + "replicas": config.app.replicas, + "cpu": config.app.cpu, + "memory": config.app.memory, + "ingress.hostname": config.app.hostname, + ] ) } @@ -94,10 +96,10 @@ volumes:[ container('docker') { - // perform docker login to quay as the docker-pipeline-plugin doesn't work with the next auth json format + // perform docker login to container registry as the docker-pipeline-plugin doesn't work with the next auth json format withCredentials([[$class : 'UsernamePasswordMultiBinding', credentialsId: config.container_repo.jenkins_creds_id, usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) { - sh "docker login -u ${env.USERNAME} -p ${env.PASSWORD} quay.io" + sh "docker login -u ${env.USERNAME} -p ${env.PASSWORD} ${config.container_repo.host}" } // build and publish container @@ -121,12 +123,14 @@ volumes:[ dry_run : false, name : env.BRANCH_NAME.toLowerCase(), namespace : env.BRANCH_NAME.toLowerCase(), - version_tag : image_tags_list.get(0), chart_dir : chart_dir, - replicas : config.app.replicas, - cpu : config.app.cpu, - memory : config.app.memory, - hostname : config.app.hostname + set : [ + "imageTag": image_tags_list.get(0) + "replicas": config.app.replicas, + "cpu": config.app.cpu, + "memory": config.app.memory, + "ingress.hostname": config.app.hostname, + ] ) // Run helm tests 
@@ -153,12 +157,14 @@ volumes:[ dry_run : false, name : config.app.name, namespace : config.app.name, - version_tag : image_tags_list.get(0), chart_dir : chart_dir, - replicas : config.app.replicas, - cpu : config.app.cpu, - memory : config.app.memory, - hostname : config.app.hostname + set : [ + "imageTag": image_tags_list.get(0) + "replicas": config.app.replicas, + "cpu": config.app.cpu, + "memory": config.app.memory, + "ingress.hostname": config.app.hostname, + ] ) // Run helm tests diff --git a/Jenkinsfile.json b/Jenkinsfile.json index ec4fc20c..32c5d3af 100644 --- a/Jenkinsfile.json +++ b/Jenkinsfile.json @@ -5,7 +5,7 @@ "cpu": "10m", "memory": "128Mi", "test": true, - "hostname": "croc-hunter.onesix.az.estrado.io" + "hostname": "croc-hunter.acs.az.estrado.io" }, "container_repo": { "host": "quay.io", @@ -20,7 +20,7 @@ "enabled": true, "debug": false, "library": { - "branch": "master" + "branch": "dev" } } -} \ No newline at end of file +} diff --git a/jenkins-values.yaml b/jenkins-values.yaml index 19da0a3d..1a7bddf6 100644 --- a/jenkins-values.yaml +++ b/jenkins-values.yaml @@ -3,7 +3,7 @@ # helm --namespace jenkins --name jenkins -f ./jenkins-values.yaml install stable/jenkins Master: - ImageTag: "2.67" + ImageTag: "2.74" Memory: "512Mi" HostName: jenkins.acs.az.estrado.io ServiceType: ClusterIP @@ -14,7 +14,7 @@ Master: - git:3.5.1 - pipeline-github-lib:1.0 - ghprb:1.39.0 - - blueocean:1.1.6 + - blueocean:1.1.7 ScriptApproval: - "method groovy.json.JsonSlurperClassic parseText java.lang.String" From 8c6037e5cbfce8fa7844c8cf566724a9700bf949 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Thu, 17 Aug 2017 15:39:40 -0700 Subject: [PATCH 04/19] fix missing comma in set --- Jenkinsfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 8a405028..5052a40a 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -81,7 +81,7 @@ volumes:[ namespace : config.app.name, chart_dir : chart_dir, set : [ - "imageTag": image_tags_list.get(0) + "imageTag": image_tags_list.get(0), "replicas": config.app.replicas, "cpu": config.app.cpu, "memory": config.app.memory, @@ -125,7 +125,7 @@ volumes:[ namespace : env.BRANCH_NAME.toLowerCase(), chart_dir : chart_dir, set : [ - "imageTag": image_tags_list.get(0) + "imageTag": image_tags_list.get(0), "replicas": config.app.replicas, "cpu": config.app.cpu, "memory": config.app.memory, @@ -159,7 +159,7 @@ volumes:[ namespace : config.app.name, chart_dir : chart_dir, set : [ - "imageTag": image_tags_list.get(0) + "imageTag": image_tags_list.get(0), "replicas": config.app.replicas, "cpu": config.app.cpu, "memory": config.app.memory, From 761e2b4399c38f1069851959ddc4a5b99989f474 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Thu, 17 Aug 2017 16:12:19 -0700 Subject: [PATCH 05/19] conditionalize imagepullsecret creation --- charts/croc-hunter/Chart.yaml | 2 +- charts/croc-hunter/templates/croc-hunter.yaml | 2 ++ charts/croc-hunter/values.yaml | 6 ++++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/charts/croc-hunter/Chart.yaml b/charts/croc-hunter/Chart.yaml index bd84a793..0f82589a 100755 --- a/charts/croc-hunter/Chart.yaml +++ b/charts/croc-hunter/Chart.yaml @@ -1,6 +1,6 @@ name: croc-hunter home: https://github.com/lachie83/croc-hunter -version: 0.3.0 +version: 0.3.1 description: Live out your dream hunting Crocs sources: - https://github.com/lachie83/croc-hunter diff --git a/charts/croc-hunter/templates/croc-hunter.yaml b/charts/croc-hunter/templates/croc-hunter.yaml index 1bcce9b3..9d70dd27 100644 --- a/charts/croc-hunter/templates/croc-hunter.yaml +++ b/charts/croc-hunter/templates/croc-hunter.yaml 
@@ -40,8 +40,10 @@ spec: chart: "{{.Chart.Name}}-{{.Chart.Version}}" component: "{{.Release.Name}}-{{.Values.component}}" spec: + {{- if .Values.imagePullSecrets }} imagePullSecrets: - name: {{ .Values.imagePullSecrets }} + {{- end }} containers: - name: {{ template "fullname" . }} image: "{{.Values.image}}:{{.Values.imageTag}}" diff --git a/charts/croc-hunter/values.yaml b/charts/croc-hunter/values.yaml index f548b774..2afcebe3 100644 --- a/charts/croc-hunter/values.yaml +++ b/charts/croc-hunter/values.yaml @@ -11,9 +11,11 @@ replicas: 3 image: "quay.io/lachie83/croc-hunter" imageTag: "latest" imagePullPolicy: "Always" +## If you have a private registry you specify a secret to use +#imagePullSecrets: cpu: "10m" memory: "128Mi" -# Ingress settings +## Ingress settings ingress: enabled: true hostname: croc-hunter.acs.az.estrado.io @@ -21,7 +23,7 @@ ingress: kubernetes.io/ingress.class: nginx kubernetes.io/tls-acme: "true" tls: true -# PodDisruptionBudget +## PodDisruptionBudget pdb: enabled: false minAvailable: 2 From be3bf7c4598019e1a7300a9dcbe851e92b673878 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Thu, 17 Aug 2017 16:19:07 -0700 Subject: [PATCH 06/19] updated container registry secret details --- DEMO.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/DEMO.md b/DEMO.md index 6747f743..81b646b1 100644 --- a/DEMO.md +++ b/DEMO.md 
@@ -61,10 +61,11 @@ open ${JENKINS_URL}/login printf $(kubectl get secret --namespace jenkins jenkins-jenkins -o jsonpath="{.data.jenkins-admin-password}" | base64 --decode) | pbcopy ``` -## Add Credentials for private Container Registry +## Add credentials for private container registry (optional) ``` kubectl create secret docker-registry croc-hunter-secrets --docker-server=$DOCKER_SERVER --docker-username=$DOCKER_USERNAME --docker-password=$DOCKER_PASSWORD --docker-email=$DOCKER_EMAIL --namespace=croc-hunter ``` +Reference to the secret name must also be added to the chart values.yaml or set on install. ## Login and configure Jenkins and setup pipeline ``` From 7d58f41a7d1dc934cbbd51a2a8b5c5bcd54a7f52 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Mon, 28 Aug 2017 22:57:39 -0700 Subject: [PATCH 07/19] add anchore scanning --- Jenkinsfile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Jenkinsfile b/Jenkinsfile index 5052a40a..84fe8ee2 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -101,6 +101,12 @@ volumes:[ usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) { sh "docker login -u ${env.USERNAME} -p ${env.PASSWORD} ${config.container_repo.host}" } + + println "Add container image tags to anchore scanning list" + for (int i = 0; i < image_tags_list.size(); i++) { + def tag = image_tags_list.get(i) + sh "echo ${config.container_repo.host}/${acct}/${config.container_repo.repo}:${tag} ${WORKSPACE}/Dockerfile > anchore_images" + } // build and publish container pipeline.containerBuildPub( From 72c4c32e92376636f76f8ccab6f12e01ea2a42cc Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Mon, 28 Aug 2017 23:09:36 -0700 Subject: [PATCH 08/19] add anchor pipline steps --- Jenkinsfile | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 84fe8ee2..7c24b8e0 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -23,6 +23,11 @@ volumes:[ checkout scm + // anchore image scanning configuration + def imageLine = '6cba161501c8' + ' ' + env.WORKSPACE + '/DockerFile' + writeFile file: 'anchore_images', text: imageLine + anchore name: 'anchore_images', inputQueries: [[query: 'list-packages all'], [query: 'list-files all'], [query: 'cve-scan all'], [query: 'show-pkg-diffs base']] + // read in required jenkins workflow config values def inputFile = readFile('Jenkinsfile.json') def config = new groovy.json.JsonSlurperClassic().parseText(inputFile) @@ -101,7 +106,7 @@ volumes:[ usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) { sh "docker login -u ${env.USERNAME} -p ${env.PASSWORD} ${config.container_repo.host}" } - + println "Add container image tags to anchore scanning list" for (int i = 0; i < image_tags_list.size(); i++) { def tag = image_tags_list.get(i) From dd5894d153ed4bf44ad2dbba54e03f68597a1596 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Mon, 28 Aug 2017 23:12:02 -0700 Subject: [PATCH 09/19] move anchore pipeline def --- Jenkinsfile | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 7c24b8e0..2624f521 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -23,11 +23,6 @@ volumes:[ checkout scm - // anchore image scanning configuration - def imageLine = '6cba161501c8' + ' ' + env.WORKSPACE + '/DockerFile' - writeFile file: 'anchore_images', text: imageLine - anchore name: 'anchore_images', inputQueries: [[query: 'list-packages all'], [query: 'list-files all'], [query: 'cve-scan all'], [query: 'show-pkg-diffs base']] - // read in required jenkins workflow config values def inputFile = readFile('Jenkinsfile.json') def config = new groovy.json.JsonSlurperClassic().parseText(inputFile) 
@@ -106,7 +101,11 @@ volumes:[ usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) { sh "docker login -u ${env.USERNAME} -p ${env.PASSWORD} ${config.container_repo.host}" } - + + // anchore image scanning configuration + def imageLine = '6cba161501c8' + ' ' + env.WORKSPACE + '/DockerFile' + writeFile file: 'anchore_images', text: imageLine + anchore name: 'anchore_images', inputQueries: [[query: 'list-packages all'], [query: 'list-files all'], [query: 'cve-scan all'], [query: 'show-pkg-diffs base']] println "Add container image tags to anchore scanning list" for (int i = 0; i < image_tags_list.size(); i++) { def tag = image_tags_list.get(i) From 7b7df269ee777250a109d949b72a5fdf6cce5c4f Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Mon, 28 Aug 2017 23:34:38 -0700 Subject: [PATCH 10/19] update jnlp-slave image repo --- Jenkinsfile | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 2624f521..2c092a4e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -6,7 +6,7 @@ def pipeline = new io.estrado.Pipeline() podTemplate(label: 'jenkins-pipeline', containers: [ - containerTemplate(name: 'jnlp', image: 'jenkinsci/jnlp-slave:2.62', args: '${computer.jnlpmac} ${computer.name}', workingDir: '/home/jenkins', resourceRequestCpu: '200m', resourceLimitCpu: '200m', resourceRequestMemory: '256Mi', resourceLimitMemory: '256Mi'), + containerTemplate(name: 'jnlp', image: 'lachlanevenson/jnlp-slave:2.62', args: '${computer.jnlpmac} ${computer.name}', workingDir: '/home/jenkins', resourceRequestCpu: '200m', resourceLimitCpu: '200m', resourceRequestMemory: '256Mi', resourceLimitMemory: '256Mi'), containerTemplate(name: 'docker', image: 'docker:1.12.6', command: 'cat', ttyEnabled: true), containerTemplate(name: 'golang', image: 'golang:1.8.3', command: 'cat', ttyEnabled: true), containerTemplate(name: 'helm', image: 'lachlanevenson/k8s-helm:v2.6.0', command: 'cat', ttyEnabled: true), 
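Review bot: The jnlp agent image in the `podTemplate` hunk of patch 10 (@@ -6,7) moves from `jenkinsci/jnlp-slave:2.62` to `lachlanevenson/jnlp-slave:2.62`, a personal registry namespace referenced by a mutable tag, and the commit message gives no reason for the fork. This container runs the agent that holds the workspace and the credentials bound by `withCredentials`, so it should be pinned by digest (`lachlanevenson/jnlp-slave:2.62@sha256:<digest placeholder>`) with the reason recorded on the `containerTemplate` line, e.g. `// forked jnlp-slave: <reason placeholder>; pinned by digest`. The `helm` and `kubectl` images in the same `containers:` list already come from that namespace and would benefit from the same pinning, and the later tag bumps in patches 16 and 17 (`3.7-1-alpine`, `3.10-1-alpine`) keep the mutable-tag form. `podTemplate` continues past the end of this hunk.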
@@ -103,14 +103,10 @@ volumes:[ } // anchore image scanning configuration + println "Add container image tags to anchore scanning list" def imageLine = '6cba161501c8' + ' ' + env.WORKSPACE + '/DockerFile' writeFile file: 'anchore_images', text: imageLine anchore name: 'anchore_images', inputQueries: [[query: 'list-packages all'], [query: 'list-files all'], [query: 'cve-scan all'], [query: 'show-pkg-diffs base']] - println "Add container image tags to anchore scanning list" - for (int i = 0; i < image_tags_list.size(); i++) { - def tag = image_tags_list.get(i) - sh "echo ${config.container_repo.host}/${acct}/${config.container_repo.repo}:${tag} ${WORKSPACE}/Dockerfile > anchore_images" - } // build and publish container pipeline.containerBuildPub( From bfb2f736d2ddf1ac18e43f15e3c94c4ccdc3a1e3 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Mon, 28 Aug 2017 23:49:30 -0700 Subject: [PATCH 11/19] correct Dockerfile name --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 2c092a4e..4046c05a 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -104,7 +104,7 @@ volumes:[ // anchore image scanning configuration println "Add container image tags to anchore scanning list" - def imageLine = '6cba161501c8' + ' ' + env.WORKSPACE + '/DockerFile' + def imageLine = '6cba161501c8' + ' ' + env.WORKSPACE + '/Dockerfile' writeFile file: 'anchore_images', text: imageLine anchore name: 'anchore_images', inputQueries: [[query: 'list-packages all'], [query: 'list-files all'], [query: 'cve-scan all'], [query: 'show-pkg-diffs base']] From cb2f58c9e52238f2cd4257a33b5b7239e54a0f0e Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Mon, 28 Aug 2017 23:57:46 -0700 Subject: [PATCH 12/19] move anchore def until after build --- Jenkinsfile | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 4046c05a..69c17a50 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -102,12 +102,6 @@ volumes:[ sh "docker login -u ${env.USERNAME} -p ${env.PASSWORD} ${config.container_repo.host}" } - // anchore image scanning configuration - println "Add container image tags to anchore scanning list" - def imageLine = '6cba161501c8' + ' ' + env.WORKSPACE + '/Dockerfile' - writeFile file: 'anchore_images', text: imageLine - anchore name: 'anchore_images', inputQueries: [[query: 'list-packages all'], [query: 'list-files all'], [query: 'cve-scan all'], [query: 'show-pkg-diffs base']] - // build and publish container pipeline.containerBuildPub( dockerfile: config.container_repo.dockerfile, @@ -117,6 +111,15 @@ volumes:[ tags : image_tags_list, auth_id : config.container_repo.jenkins_creds_id ) + + // anchore image scanning configuration + println "Add container image tags to anchore scanning list" + + def tag = image_tags_list.get(0) + def imageLine = '${config.container_repo.host}/${acct}/${config.container_repo.repo}:${args.tag}' + ' ' + env.WORKSPACE + '/Dockerfile' + writeFile file: 'anchore_images', text: imageLine + anchore name: 'anchore_images', inputQueries: [[query: 'list-packages all'], [query: 'list-files all'], [query: 'cve-scan all'], [query: 'show-pkg-diffs base']] + } } From d0cb471c7ef6e0812c8e978ce417279ba97940a4 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Tue, 29 Aug 2017 00:03:15 -0700 Subject: [PATCH 13/19] add quotes for var interpolation --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 69c17a50..f59a4d54 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -116,7 +116,7 @@ volumes:[ println "Add container image tags to anchore scanning list" def tag = image_tags_list.get(0) - def imageLine = '${config.container_repo.host}/${acct}/${config.container_repo.repo}:${args.tag}' + ' ' + env.WORKSPACE + '/Dockerfile' + def imageLine = "${config.container_repo.host}/${acct}/${config.container_repo.repo}:${args.tag}" + ' ' + env.WORKSPACE + '/Dockerfile' writeFile file: 'anchore_images', text: imageLine anchore name: 'anchore_images', inputQueries: [[query: 'list-packages all'], [query: 'list-files all'], [query: 'cve-scan all'], [query: 'show-pkg-diffs base']] From ee00803d944f07fb29206d7bada5c20695f4b8fb Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Tue, 29 Aug 2017 00:06:11 -0700 Subject: [PATCH 14/19] update tag var --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index f59a4d54..8c8f5384 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -116,7 +116,7 @@ volumes:[ println "Add container image tags to anchore scanning list" def tag = image_tags_list.get(0) - def imageLine = "${config.container_repo.host}/${acct}/${config.container_repo.repo}:${args.tag}" + ' ' + env.WORKSPACE + '/Dockerfile' + def imageLine = "${config.container_repo.host}/${acct}/${config.container_repo.repo}:${tag}" + ' ' + env.WORKSPACE + '/Dockerfile' writeFile file: 'anchore_images', text: imageLine anchore name: 'anchore_images', inputQueries: [[query: 'list-packages all'], [query: 'list-files all'], [query: 'cve-scan all'], [query: 'show-pkg-diffs base']] From 16ae721d44d31f856ff7a6897c16fa31002e8b8b Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Tue, 29 Aug 2017 00:58:38 -0700 Subject: [PATCH 15/19] bump resource limits --- Jenkinsfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 8c8f5384..5fa4e11e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
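Review bot: In its final form after patch 14 (@@ -116), the anchore block scans `image_tags_list.get(0)` only after `pipeline.containerBuildPub(...)` (above, outside the hunk) has already pushed the image, so a failing scan cannot keep the image out of the registry; what it can still gate is the helm deploy further down the file, and nothing in this hunk shows that a policy failure stops the build. Make that intent explicit on the step, e.g. `anchore name: 'anchore_images', bailOnFail: true, inputQueries: [...]`, and add a comment such as `// scan runs post-push; a policy failure must fail the build so the deploy stages below do not run` so the ordering chosen in patch 12 reads as deliberate. If the plugin default already fails the build, the explicit flag still documents it. The enclosing `container('docker')` block continues outside this hunk.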
@@ -6,8 +6,8 @@ def pipeline = new io.estrado.Pipeline() podTemplate(label: 'jenkins-pipeline', containers: [ - containerTemplate(name: 'jnlp', image: 'lachlanevenson/jnlp-slave:2.62', args: '${computer.jnlpmac} ${computer.name}', workingDir: '/home/jenkins', resourceRequestCpu: '200m', resourceLimitCpu: '200m', resourceRequestMemory: '256Mi', resourceLimitMemory: '256Mi'), - containerTemplate(name: 'docker', image: 'docker:1.12.6', command: 'cat', ttyEnabled: true), + containerTemplate(name: 'jnlp', image: 'lachlanevenson/jnlp-slave:2.62', args: '${computer.jnlpmac} ${computer.name}', workingDir: '/home/jenkins', resourceRequestCpu: '200m', resourceLimitCpu: '300m', resourceRequestMemory: '256Mi', resourceLimitMemory: '512Mi'), + containerTemplate(name: 'docker', image: 'docker:1.12.6', command: 'cat', ttyEnabled: true), containerTemplate(name: 'golang', image: 'golang:1.8.3', command: 'cat', ttyEnabled: true), containerTemplate(name: 'helm', image: 'lachlanevenson/k8s-helm:v2.6.0', command: 'cat', ttyEnabled: true), containerTemplate(name: 'kubectl', image: 'lachlanevenson/k8s-kubectl:v1.4.8', command: 'cat', ttyEnabled: true) From a06a863967f62a556465c7bdc86a98dc96b9606c Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Tue, 29 Aug 2017 11:09:03 -0700 Subject: [PATCH 16/19] update agent version --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 5fa4e11e..546fcd54 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -6,7 +6,7 @@ def pipeline = new io.estrado.Pipeline() podTemplate(label: 'jenkins-pipeline', containers: [ - containerTemplate(name: 'jnlp', image: 'lachlanevenson/jnlp-slave:2.62', args: '${computer.jnlpmac} ${computer.name}', workingDir: '/home/jenkins', resourceRequestCpu: '200m', resourceLimitCpu: '300m', resourceRequestMemory: '256Mi', resourceLimitMemory: '512Mi'), + containerTemplate(name: 'jnlp', image: 'lachlanevenson/jnlp-slave:3.7-1-alpine', args: '${computer.jnlpmac} ${computer.name}', workingDir: '/home/jenkins', resourceRequestCpu: '200m', resourceLimitCpu: '300m', resourceRequestMemory: '256Mi', resourceLimitMemory: '512Mi'), containerTemplate(name: 'docker', image: 'docker:1.12.6', command: 'cat', ttyEnabled: true), containerTemplate(name: 'golang', image: 'golang:1.8.3', command: 'cat', ttyEnabled: true), containerTemplate(name: 'helm', image: 'lachlanevenson/k8s-helm:v2.6.0', command: 'cat', ttyEnabled: true), From 330942617ab80aad5a594112991a4fa43be97d43 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Tue, 29 Aug 2017 11:22:33 -0700 Subject: [PATCH 17/19] update agent image --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 546fcd54..380f1e80 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -6,7 +6,7 @@ def pipeline = new io.estrado.Pipeline() podTemplate(label: 'jenkins-pipeline', containers: [ - containerTemplate(name: 'jnlp', image: 'lachlanevenson/jnlp-slave:3.7-1-alpine', args: '${computer.jnlpmac} ${computer.name}', workingDir: '/home/jenkins', resourceRequestCpu: '200m', resourceLimitCpu: '300m', resourceRequestMemory: '256Mi', resourceLimitMemory: '512Mi'), + containerTemplate(name: 'jnlp', image: 'lachlanevenson/jnlp-slave:3.10-1-alpine', args: '${computer.jnlpmac} ${computer.name}', workingDir: '/home/jenkins', resourceRequestCpu: '200m', resourceLimitCpu: '300m', resourceRequestMemory: '256Mi', resourceLimitMemory: '512Mi'), containerTemplate(name: 'docker', image: 'docker:1.12.6', command: 'cat', ttyEnabled: true), containerTemplate(name: 'golang', image: 'golang:1.8.3', command: 'cat', ttyEnabled: true), containerTemplate(name: 'helm', image: 'lachlanevenson/k8s-helm:v2.6.0', command: 'cat', ttyEnabled: true), From 9cec3983c6a4c01c77f8740dedaa5e31ae174f30 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Tue, 29 Aug 2017 13:21:23 -0700 Subject: [PATCH 18/19] update buildpub function to add image scanning --- Jenkinsfile | 3 ++- Jenkinsfile.json | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 380f1e80..3e60476b 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -109,7 +109,8 @@ volumes:[ acct : acct, repo : config.container_repo.repo, tags : image_tags_list, - auth_id : config.container_repo.jenkins_creds_id + auth_id : config.container_repo.jenkins_creds_id, + image_scanning: config.container_repo.image_scanning ) // anchore image scanning configuration diff --git a/Jenkinsfile.json b/Jenkinsfile.json index 32c5d3af..c353c457 100644 --- a/Jenkinsfile.json +++ b/Jenkinsfile.json @@ -14,7 +14,8 @@ "jenkins_creds_id": "quay_creds", "repo": "croc-hunter", "dockeremail": ".", - "dockerfile": "./" + "dockerfile": "./", + "image_scanning": true }, "pipeline": { "enabled": true, 
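Review bot: The Jenkinsfile hunk of patch 18 (@@ -109,7) passes `image_scanning: config.container_repo.image_scanning` into `pipeline.containerBuildPub(...)` while the inline anchore block that follows the hunk's last context line (`// anchore image scanning configuration`) is left in place, so if the library runs its own scan when the flag is true the image is scanned twice, and if it does not the flag is inert; the hunk does not show which. Either remove the inline block once the library-side scan is confirmed, or add a comment on the `image_scanning` line stating what the library does with it, e.g. `// image_scanning: library-side anchore scan; inline block below kept until <condition placeholder>`. The `container('docker')` block continues outside this hunk.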
From 422aafec8f91d48f963b20f25e03337fde437f88 Mon Sep 17 00:00:00 2001
From: Lachlan Evenson
Date: Tue, 29 Aug 2017 13:26:19 -0700
Subject: [PATCH 19/19] update base image
---
Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index f201727f..ae8d5e6f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.7-alpine
+FROM golang:1.8-alpine3.6
 MAINTAINER Lachlan Evenson