diff --git a/Jenkinsfile b/Jenkinsfile new file mode 100644 index 0000000..8be4432 --- /dev/null +++ b/Jenkinsfile @@ -0,0 +1,211 @@ + +pipeline { + agent { node { label 'docker-multi-arch' } } + environment { + maintainer = "t" + imagename = 's' + tag = 'l' + comanage_version = 'develop' + DOCKERHUBPW=credentials('tieradmin-dockerhub-pw') + BUILDVERSION = sh(script: "echo `date +%s`", returnStdout: true).trim() + } + stages { + stage('Setting build context') { + steps { + script { + maintainer = maintain() + imagename = imagename() + comanage_version = comanage_version() + if(env.BRANCH_NAME == "main") { + tag = "latest" + } else { +// tag = "${env.BRANCH_NAME.toLowerCase()}-${BUILDVERSION.toLowerCase()}" + tag = "${env.BRANCH_NAME.toLowerCase()}" + } + if(!imagename){ + echo "You must define an image name in common.bash" + currentBuild.result = 'FAILURE' + } + echo "Building tag: ${tag}" + sh 'mkdir -p tmp && mkdir -p bin' + dir('tmp'){ + git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ]) + sh 'rm -rf ../bin/*' + sh 'mv ./bin/* ../bin/.' + } + // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing. + // We don't care if there are more 'tag' assignments there. The latest one wins. + sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash" + } + } + } + stage('Clean') { + steps { + script { + try{ + sh 'bin/destroy.sh >> debug' + } catch(error) { + def error_details = readFile('./debug'); + def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } + } + } + } + stage('Build') { + steps { + script { + try{ + sh "./jenkins/build.sh ${imagename} ${tag} ${comanage_version} $DOCKERHUBPW" + } catch(error) { + def error_details = readFile('./debug'); + def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}" + sh "rm -f ./debug" + sh "rm -f ./farm.txt" + handleError(message) + } + } + } + } + stage('Test') { + steps { + script { + try { + echo "Starting tests..." + //sh 'bats tests' + echo "Skipping tests for now" + } catch (error) { + def error_details = readFile('./debug') + def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } + } + } + } + stage('Scan') { + steps { + script { + try { + echo "Starting security scan..." + // Install trivy and HTML template + sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.62.1' + sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl' + + // Scan container for all vulnerability levels + echo "Scanning for all vulnerabilities..." + sh 'mkdir -p reports' + // Scan both for os and libraries + // Trivy Database update issue + // https://github.com/aquasecurity/trivy/discussions/7538 + sh "trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --ignore-unfixed --pkg-types os,library --severity CRITICAL,HIGH --no-progress --scanners vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}" + sh "trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --ignore-unfixed --pkg-types os,library --severity CRITICAL,HIGH --no-progress --scanners vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64" + publishHTML target : [ + allowMissing: true, + alwaysLinkToLastBuild: true, + keepAll: true, + reportDir: 'reports', + reportFiles: 'container-scan.html', + reportName: 'Security Scan', + reportTitles: 'Security Scan' + ] + publishHTML target : [ + allowMissing: true, + alwaysLinkToLastBuild: true, + keepAll: true, + reportDir: 'reports', + reportFiles: 'container-scan-arm.html', + reportName: 'Security Scan (ARM)', + reportTitles: 'Security Scan (ARM)' + ] + // Scan again and fail on CRITICAL vulns + echo "Scanning for CRITICAL vulnerabilities only (fatal)..." + // Scan both for os and libraries + sh "trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --ignore-unfixed --pkg-types os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}" + sh "trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --ignore-unfixed --pkg-types os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64" + } catch(error) { + def error_details = readFile('./debug'); + def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } + } + } + } + stage('Push') { + steps { + script { + try{ + sh "docker login -u tieradmin -p $DOCKERHUBPW" + sh "docker buildx inspect --bootstrap" + sh "echo 'Pushing image to dockerhub...'" + sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} --build-arg=\"COMANAGE_REGISTRY_VERSION=${comanage_version}\" ." + } catch(error) { + def error_details = readFile('./debug'); + def message = "BUILD ERROR: There was a problem pushing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}" + sh "rm -f ./debug" + sh "rm -f ./farm.txt" + handleError(message) + } + } + } + } + stage('Cleanup') { + steps { + script { + try{ + echo "Cleaning up artifacts from the build..." + sh "./jenkins/cleanup.sh ${imagename} ${tag}" + } catch(error) { + def error_details = readFile('./debug'); + def message = "BUILD ERROR: There was a problem with cleanup of the image. \n\n ${error_details}" + sh "rm -f ./debug" + sh "rm -f ./farm.txt" + handleError(message) + } + } + } + } + stage('Notify') { + steps{ + echo "$maintainer" + slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub" + } + } + } + post { + always { + echo 'Done Building.' + } + failure { + slackSend color: 'good', message: "Build failed" + handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.") + } + } +} + + +def maintain() { + def matcher = readFile('common.bash') =~ 'maintainer="(.+)"' + matcher ? matcher[0][1] : 'tier' +} + +def imagename() { + def matcher = readFile('common.bash') =~ 'imagename="(.+)"' + matcher ? matcher[0][1] : null +} + +def comanage_version() { + def matcher = readFile('common.bash') =~ 'comanage_version="(.+)"' + matcher ? matcher[0][1] : null +} + +def handleError(String message){ + echo "${message}" + currentBuild.setResult("FAILED") + slackSend color: 'danger', message: "${message}" + step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true]) + sh 'exit 1' +} +