Skip to content

Commit

Permalink
Add Jenkinsfile
Browse files Browse the repository at this point in the history
  • Loading branch information
@Ioannis
Ioannis committed May 19, 2025
1 parent 1fcdb3c commit c9be0c2
Showing 1 changed file with 211 additions and 0 deletions.
211 changes: 211 additions & 0 deletions Jenkinsfile
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,211 @@

pipeline {
agent { node { label 'docker-multi-arch' } }
environment {
maintainer = "t"
imagename = 's'
tag = 'l'
comanage_version = 'develop'
DOCKERHUBPW=credentials('tieradmin-dockerhub-pw')
BUILDVERSION = sh(script: "echo `date +%s`", returnStdout: true).trim()
}
stages {
stage('Setting build context') {
steps {
script {
maintainer = maintain()
imagename = imagename()
comanage_version = comanage_version()
if(env.BRANCH_NAME == "main") {
tag = "latest"
} else {
// tag = "${env.BRANCH_NAME.toLowerCase()}-${BUILDVERSION.toLowerCase()}"
tag = "${env.BRANCH_NAME.toLowerCase()}"
}
if(!imagename){
echo "You must define an image name in common.bash"
currentBuild.result = 'FAILURE'
}
echo "Building tag: ${tag}"
sh 'mkdir -p tmp && mkdir -p bin'
dir('tmp'){
git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
sh 'rm -rf ../bin/*'
sh 'mv ./bin/* ../bin/.'
}
// Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
// We don't care if there are more 'tag' assignments there. The latest one wins.
sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
}
}
}
stage('Clean') {
steps {
script {
try{
sh 'bin/destroy.sh >> debug'
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Build') {
steps {
script {
try{
sh "./jenkins/build.sh ${imagename} ${tag} ${comanage_version} $DOCKERHUBPW"
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
sh "rm -f ./farm.txt"
handleError(message)
}
}
}
}
stage('Test') {
steps {
script {
try {
echo "Starting tests..."
//sh 'bats tests'
echo "Skipping tests for now"
} catch (error) {
def error_details = readFile('./debug')
def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Scan') {
steps {
script {
try {
echo "Starting security scan..."
// Install trivy and HTML template
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.62.1'
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'

// Scan container for all vulnerability levels
echo "Scanning for all vulnerabilities..."
sh 'mkdir -p reports'
// Scan both for os and libraries
// Trivy Database update issue
// https://github.com/aquasecurity/trivy/discussions/7538
sh "trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --ignore-unfixed --pkg-types os,library --severity CRITICAL,HIGH --no-progress --scanners vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
sh "trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --ignore-unfixed --pkg-types os,library --severity CRITICAL,HIGH --no-progress --scanners vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
publishHTML target : [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'container-scan.html',
reportName: 'Security Scan',
reportTitles: 'Security Scan'
]
publishHTML target : [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'container-scan-arm.html',
reportName: 'Security Scan (ARM)',
reportTitles: 'Security Scan (ARM)'
]
// Scan again and fail on CRITICAL vulns
echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
// Scan both for os and libraries
sh "trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --ignore-unfixed --pkg-types os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
sh "trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --ignore-unfixed --pkg-types os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Push') {
steps {
script {
try{
sh "docker login -u tieradmin -p $DOCKERHUBPW"
sh "docker buildx inspect --bootstrap"
sh "echo 'Pushing image to dockerhub...'"
sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} --build-arg=\"COMANAGE_REGISTRY_VERSION=${comanage_version}\" ."
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem pushing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
sh "rm -f ./farm.txt"
handleError(message)
}
}
}
}
stage('Cleanup') {
steps {
script {
try{
echo "Cleaning up artifacts from the build..."
sh "./jenkins/cleanup.sh ${imagename} ${tag}"
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem with cleanup of the image. \n\n ${error_details}"
sh "rm -f ./debug"
sh "rm -f ./farm.txt"
handleError(message)
}
}
}
}
stage('Notify') {
steps{
echo "$maintainer"
slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
}
}
}
post {
always {
echo 'Done Building.'
}
failure {
slackSend color: 'good', message: "Build failed"
handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
}
}
}


def maintain() {
def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
matcher ? matcher[0][1] : 'tier'
}

def imagename() {
def matcher = readFile('common.bash') =~ 'imagename="(.+)"'
matcher ? matcher[0][1] : null
}

def comanage_version() {
def matcher = readFile('common.bash') =~ 'comanage_version="(.+)"'
matcher ? matcher[0][1] : null
}

def handleError(String message){
echo "${message}"
currentBuild.setResult("FAILED")
slackSend color: 'danger', message: "${message}"
step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true])
sh 'exit 1'
}

0 comments on commit c9be0c2

Please sign in to comment.