380 lines
13 KiB
Plaintext
380 lines
13 KiB
Plaintext
pipeline {
|
|
agent {
|
|
kubernetes {
|
|
defaultContainer 'python'
|
|
yaml """
|
|
apiVersion: v1
|
|
kind: Pod
|
|
spec:
|
|
nodeSelector:
|
|
hardware: rpi5
|
|
kubernetes.io/arch: arm64
|
|
node-role.kubernetes.io/worker: "true"
|
|
containers:
|
|
- name: jnlp
|
|
image: jenkins/inbound-agent:3355.v388858a_47b_33-2-jdk21
|
|
resources:
|
|
requests:
|
|
cpu: "25m"
|
|
memory: "256Mi"
|
|
- name: python
|
|
image: registry.bstein.dev/bstein/python:3.12-slim
|
|
command:
|
|
- cat
|
|
tty: true
|
|
- name: quality-tools
|
|
image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-arm64
|
|
command:
|
|
- cat
|
|
tty: true
|
|
"""
|
|
}
|
|
}
|
|
environment {
|
|
PIP_DISABLE_PIP_VERSION_CHECK = '1'
|
|
PYTHONUNBUFFERED = '1'
|
|
SUITE_NAME = 'titan_iac'
|
|
PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091'
|
|
SONARQUBE_HOST_URL = 'http://sonarqube.quality.svc.cluster.local:9000'
|
|
SONARQUBE_PROJECT_KEY = 'titan_iac'
|
|
SONARQUBE_TOKEN = credentials('sonarqube-token')
|
|
VM_URL = 'http://victoria-metrics-single-server.monitoring.svc.cluster.local:8428'
|
|
QUALITY_GATE_SONARQUBE_ENFORCE = '0'
|
|
QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json'
|
|
QUALITY_GATE_IRONBANK_ENFORCE = '0'
|
|
QUALITY_GATE_IRONBANK_REQUIRED = '0'
|
|
QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json'
|
|
}
|
|
options {
|
|
disableConcurrentBuilds()
|
|
buildDiscarder(logRotator(daysToKeepStr: '30', numToKeepStr: '200', artifactDaysToKeepStr: '30', artifactNumToKeepStr: '120'))
|
|
}
|
|
stages {
|
|
stage('Checkout') {
|
|
steps {
|
|
checkout scm
|
|
}
|
|
}
|
|
stage('Install deps') {
|
|
steps {
|
|
sh '''
|
|
set -eu
|
|
if ! command -v git >/dev/null 2>&1; then
|
|
apt-get update
|
|
apt-get install -y --no-install-recommends git ca-certificates
|
|
rm -rf /var/lib/apt/lists/*
|
|
fi
|
|
pip install --no-cache-dir -r ci/requirements.txt
|
|
'''
|
|
}
|
|
}
|
|
stage('Collect SonarQube evidence') {
|
|
steps {
|
|
container('quality-tools') {
|
|
sh '''#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
mkdir -p build
|
|
args=(
|
|
"-Dsonar.host.url=${SONARQUBE_HOST_URL}"
|
|
"-Dsonar.token=${SONARQUBE_TOKEN}"
|
|
"-Dsonar.projectKey=${SONARQUBE_PROJECT_KEY}"
|
|
"-Dsonar.projectName=${SONARQUBE_PROJECT_KEY}"
|
|
"-Dsonar.sources=."
|
|
"-Dsonar.exclusions=**/.git/**,**/build/**,**/dist/**,**/node_modules/**,**/.venv/**,**/__pycache__/**,**/coverage/**,**/test-results/**,**/playwright-report/**,services/monitoring/dashboards/**,services/monitoring/grafana-dashboard-*.yaml"
|
|
"-Dsonar.test.inclusions=**/tests/**,**/testing/**,**/*_test.go,**/*.test.ts,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx"
|
|
)
|
|
[ -f build/coverage.xml ] && args+=("-Dsonar.python.coverage.reportPaths=build/coverage.xml")
|
|
set +e
|
|
sonar-scanner "${args[@]}" | tee build/sonar-scanner.log
|
|
rc=${PIPESTATUS[0]}
|
|
set -e
|
|
printf '%s\n' "${rc}" > build/sonarqube-analysis.rc
|
|
'''
|
|
}
|
|
sh '''
|
|
set -eu
|
|
mkdir -p build
|
|
python3 - <<'PY'
|
|
import base64
|
|
import json
|
|
import os
|
|
import urllib.parse
|
|
import urllib.request
|
|
|
|
host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/')
|
|
project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip()
|
|
token = os.getenv('SONARQUBE_TOKEN', '').strip()
|
|
report_path = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json')
|
|
|
|
payload = {
|
|
"status": "ERROR",
|
|
"note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY",
|
|
}
|
|
if host and project_key:
|
|
query = urllib.parse.urlencode({"projectKey": project_key})
|
|
request = urllib.request.Request(
|
|
f"{host}/api/qualitygates/project_status?{query}",
|
|
method="GET",
|
|
)
|
|
if token:
|
|
encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8")
|
|
request.add_header("Authorization", f"Basic {encoded}")
|
|
try:
|
|
with urllib.request.urlopen(request, timeout=12) as response:
|
|
payload = json.loads(response.read().decode("utf-8"))
|
|
except Exception as exc: # noqa: BLE001
|
|
payload = {"status": "ERROR", "error": str(exc)}
|
|
|
|
with open(report_path, "w", encoding="utf-8") as handle:
|
|
json.dump(payload, handle, indent=2, sort_keys=True)
|
|
handle.write("\\n")
|
|
PY
|
|
'''
|
|
}
|
|
}
|
|
stage('Collect IronBank evidence') {
|
|
steps {
|
|
container('quality-tools') {
|
|
sh '''#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
mkdir -p build
|
|
set +e
|
|
trivy fs --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL .
|
|
trivy_rc=$?
|
|
set -e
|
|
if [ ! -s build/trivy-fs.json ]; then
|
|
cat > build/ironbank-compliance.json <<EOF
|
|
{"status":"failed","compliant":false,"scanner":"trivy","scan_type":"filesystem","error":"trivy did not produce JSON output","trivy_rc":${trivy_rc}}
|
|
EOF
|
|
exit 0
|
|
fi
|
|
critical="$(jq '[.Results[]? | .Vulnerabilities[]? | select(.Severity=="CRITICAL")] | length' build/trivy-fs.json)"
|
|
high="$(jq '[.Results[]? | .Vulnerabilities[]? | select(.Severity=="HIGH")] | length' build/trivy-fs.json)"
|
|
secrets="$(jq '[.Results[]? | .Secrets[]?] | length' build/trivy-fs.json)"
|
|
misconfigs="$(jq '[.Results[]? | .Misconfigurations[]? | select(.Status=="FAIL" and (.Severity=="CRITICAL" or .Severity=="HIGH"))] | length' build/trivy-fs.json)"
|
|
status=ok
|
|
compliant=true
|
|
if [ "${critical}" -gt 0 ] || [ "${secrets}" -gt 0 ] || [ "${misconfigs}" -gt 0 ]; then
|
|
status=failed
|
|
compliant=false
|
|
fi
|
|
jq -n --arg status "${status}" --argjson compliant "${compliant}" --argjson critical "${critical}" --argjson high "${high}" --argjson secrets "${secrets}" --argjson misconfigs "${misconfigs}" --argjson trivy_rc "${trivy_rc}" \
|
|
'{status:$status, compliant:$compliant, category:"artifact_security", scan_type:"filesystem", scanner:"trivy", critical_vulnerabilities:$critical, high_vulnerabilities:$high, secrets:$secrets, high_or_critical_misconfigurations:$misconfigs, trivy_rc:$trivy_rc, high_vulnerability_policy:"observe"}' > build/ironbank-compliance.json
|
|
'''
|
|
}
|
|
sh '''
|
|
set -eu
|
|
mkdir -p build
|
|
python3 - <<'PY'
|
|
import json
|
|
import os
|
|
from pathlib import Path
|
|
|
|
report_path = Path(os.getenv('QUALITY_GATE_IRONBANK_REPORT', 'build/ironbank-compliance.json'))
|
|
if report_path.exists():
|
|
raise SystemExit(0)
|
|
|
|
status = os.getenv('IRONBANK_COMPLIANCE_STATUS', '').strip()
|
|
compliant = os.getenv('IRONBANK_COMPLIANT', '').strip().lower()
|
|
payload = {
|
|
"status": status or "unknown",
|
|
"compliant": compliant in {"1", "true", "yes", "on"} if compliant else None,
|
|
}
|
|
payload = {k: v for k, v in payload.items() if v is not None}
|
|
if "status" not in payload:
|
|
payload["status"] = "unknown"
|
|
payload["note"] = (
|
|
"Set IRONBANK_COMPLIANCE_STATUS/IRONBANK_COMPLIANT "
|
|
"or write build/ironbank-compliance.json in image-building repos."
|
|
)
|
|
|
|
report_path.parent.mkdir(parents=True, exist_ok=True)
|
|
report_path.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8")
|
|
PY
|
|
'''
|
|
}
|
|
}
|
|
stage('Run quality gate') {
|
|
steps {
|
|
sh '''
|
|
set -eu
|
|
mkdir -p build
|
|
set +e
|
|
python3 -m testing.quality_gate --profile jenkins --build-dir build
|
|
quality_gate_rc=$?
|
|
set -e
|
|
printf '%s\n' "${quality_gate_rc}" > build/quality-gate.rc
|
|
'''
|
|
}
|
|
}
|
|
stage('Publish test metrics') {
|
|
steps {
|
|
sh '''
|
|
set -eu
|
|
export JUNIT_GLOB='build/junit-*.xml'
|
|
export QUALITY_GATE_EXIT_CODE_PATH='build/quality-gate.rc'
|
|
export QUALITY_GATE_SUMMARY_PATH='build/quality-gate-summary.json'
|
|
python3 ci/scripts/publish_test_metrics.py
|
|
'''
|
|
}
|
|
}
|
|
stage('Enforce quality gate') {
|
|
steps {
|
|
sh '''
|
|
set -euo pipefail
|
|
gate_rc="$(cat build/quality-gate.rc 2>/dev/null || echo 1)"
|
|
fail=0
|
|
if [ "${gate_rc}" -ne 0 ]; then
|
|
echo "quality gate failed with rc=${gate_rc}" >&2
|
|
fail=1
|
|
fi
|
|
|
|
enabled() {
|
|
case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in
|
|
1|true|yes|on) return 0 ;;
|
|
*) return 1 ;;
|
|
esac
|
|
}
|
|
|
|
if enabled "${QUALITY_GATE_SONARQUBE_ENFORCE:-1}"; then
|
|
sonar_status="$(python3 - <<'PY'
|
|
import json
|
|
from pathlib import Path
|
|
|
|
path = Path("build/sonarqube-quality-gate.json")
|
|
if not path.exists():
|
|
print("missing")
|
|
raise SystemExit(0)
|
|
try:
|
|
payload = json.loads(path.read_text(encoding="utf-8"))
|
|
except Exception: # noqa: BLE001
|
|
print("error")
|
|
raise SystemExit(0)
|
|
status = (payload.get("status") or payload.get("projectStatus", {}).get("status") or payload.get("qualityGate", {}).get("status") or "").strip().lower()
|
|
print(status or "missing")
|
|
PY
|
|
)"
|
|
case "${sonar_status}" in
|
|
ok|pass|passed|success) ;;
|
|
*)
|
|
echo "sonarqube gate failed: ${sonar_status}" >&2
|
|
fail=1
|
|
;;
|
|
esac
|
|
fi
|
|
|
|
ironbank_required="${QUALITY_GATE_IRONBANK_REQUIRED:-0}"
|
|
if [ "${PUBLISH_IMAGES:-false}" = "true" ]; then
|
|
ironbank_required=1
|
|
fi
|
|
if enabled "${QUALITY_GATE_IRONBANK_ENFORCE:-1}"; then
|
|
supply_status="$(python3 - <<'PY'
|
|
import json
|
|
from pathlib import Path
|
|
|
|
path = Path("build/ironbank-compliance.json")
|
|
if not path.exists():
|
|
print("missing")
|
|
raise SystemExit(0)
|
|
try:
|
|
payload = json.loads(path.read_text(encoding="utf-8"))
|
|
except Exception: # noqa: BLE001
|
|
print("error")
|
|
raise SystemExit(0)
|
|
compliant = payload.get("compliant")
|
|
if compliant is True:
|
|
print("ok")
|
|
elif compliant is False:
|
|
print("failed")
|
|
else:
|
|
status = str(payload.get("status") or payload.get("result") or payload.get("compliance") or "").strip().lower()
|
|
print(status or "missing")
|
|
PY
|
|
)"
|
|
case "${supply_status}" in
|
|
ok|pass|passed|success|compliant) ;;
|
|
not_applicable|na|n/a)
|
|
if enabled "${ironbank_required}"; then
|
|
echo "supply chain gate required but status=${supply_status}" >&2
|
|
fail=1
|
|
fi
|
|
;;
|
|
*)
|
|
if enabled "${ironbank_required}"; then
|
|
echo "supply chain gate failed: ${supply_status}" >&2
|
|
fail=1
|
|
else
|
|
echo "supply chain gate not passing (${supply_status}) but not required for this run" >&2
|
|
fi
|
|
;;
|
|
esac
|
|
fi
|
|
|
|
exit "${fail}"
|
|
'''
|
|
}
|
|
}
|
|
stage('Resolve Flux branch') {
|
|
steps {
|
|
script {
|
|
env.FLUX_BRANCH = sh(
|
|
returnStdout: true,
|
|
script: "awk '/branch:/{print $2; exit}' clusters/atlas/flux-system/gotk-sync.yaml"
|
|
).trim()
|
|
if (!env.FLUX_BRANCH) {
|
|
error('Flux branch not found in gotk-sync.yaml')
|
|
}
|
|
echo "Flux branch: ${env.FLUX_BRANCH}"
|
|
}
|
|
}
|
|
}
|
|
stage('Promote') {
|
|
when {
|
|
expression {
|
|
def branch = env.BRANCH_NAME ?: (env.GIT_BRANCH ?: '').replaceFirst('origin/', '')
|
|
return env.FLUX_BRANCH && branch == env.FLUX_BRANCH
|
|
}
|
|
}
|
|
steps {
|
|
withCredentials([usernamePassword(credentialsId: 'gitea-pat', usernameVariable: 'GIT_USER', passwordVariable: 'GIT_TOKEN')]) {
|
|
sh '''
|
|
set -euo pipefail
|
|
if ! command -v git >/dev/null 2>&1; then
|
|
if command -v apk >/dev/null 2>&1; then
|
|
apk add --no-cache git >/dev/null
|
|
elif command -v apt-get >/dev/null 2>&1; then
|
|
apt-get update >/dev/null
|
|
apt-get install -y git >/dev/null
|
|
fi
|
|
fi
|
|
cd "${WORKSPACE:-$PWD}"
|
|
if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
|
|
echo "workspace is not a git checkout; skipping promote"
|
|
exit 0
|
|
fi
|
|
set +x
|
|
git config user.email "jenkins@bstein.dev"
|
|
git config user.name "jenkins"
|
|
git remote set-url origin https://${GIT_USER}:${GIT_TOKEN}@scm.bstein.dev/bstein/titan-iac.git
|
|
git push origin HEAD:${FLUX_BRANCH}
|
|
'''
|
|
}
|
|
}
|
|
}
|
|
}
|
|
post {
|
|
always {
|
|
script {
|
|
if (fileExists('build/junit-unit.xml') || fileExists('build/junit-glue.xml')) {
|
|
try {
|
|
junit allowEmptyResults: true, testResults: 'build/junit-*.xml'
|
|
} catch (Throwable err) {
|
|
echo "junit step unavailable: ${err.class.simpleName}"
|
|
}
|
|
}
|
|
}
|
|
archiveArtifacts artifacts: 'build/**', allowEmptyArchive: true, fingerprint: true
|
|
}
|
|
}
|
|
}
|