default pipeline

Author: rmkanda

Jenkinsfile

@@ -9,7 +9,6 @@ pipeline {
   environment {
     APP_NAME = "sample-api-service"
     IMAGE_REGISTRY = "rmkanda"
-
   }
   stages {
     stage('Setup') {
@@ -26,14 +25,11 @@ pipeline {
     stage('Build') {
       steps {
         container('maven') {
-          sh './mvnw package'
-        }
-        container('docker-tools') {
-          sh "docker build . -t ${APP_NAME}"
+          sh './mvnw package -DskipTests -Dspotbugs.skip=true -Ddependency-check.skip=true'
         }
       }
     }
-    stage('Verify') {
+    stage('Static Analysis') {
       parallel {
         stage('Unit Tests') {
           steps {
@@ -44,5 +40,35 @@ pipeline {
         }
       }
     }
+    stage('Package') {
+      steps {
+        container('docker-tools') {
+          sh "docker build . -t ${APP_NAME}"
+        }
+      }
+    }
+    stage('Publish') {
+      steps {
+        container('docker-tools') {
+          echo "Publishing docker image"
+          // sh "docker push ${APP_NAME}"
+        }
+      }
+    }
+    stage('Deploy to Dev') {
+      steps {
+        container('docker-tools') {
+          echo "Deploying the app"
+          // sh "kubectl apply -f k8s.yaml"
+        }
+      }
+    }
+    stage('Promote to Prod') {
+      steps {
+        container('docker-tools') {
+          echo "Promote to Prod"
+        }
+      }
+    }
   }
 }

PREREQUISITE.md

@@ -0,0 +1,181 @@
+# Workshop prerequisite
+
+Note: Recommended to setup these labs in your thoughtworks laptop. Also you need to have a good internet connection (mobile internet connection won’t be enough).
+
+## PreRead
+
+- Basic Jenkins Pipeline as a code knowledge (if completely new to pipeline as code, check this https://www.youtube.com/watch?v=s73nhwYBtzE )
+- Docker Basics (if you are new to docker - please watch these ROTC recordings - https://www.youtube.com/playlist?list=PLknOipHZHwwVAM2lIKMXcy7HdEoqk0Ep1 )
+
+## Installation
+
+- Install Homebrew
+
+  ```
+  /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+  ```
+
+- Install Command Line Tools for Mac
+
+  ```
+  sudo xcode-select --install
+  ```
+
+- Install Minikube v1.24
+
+  ```
+  brew install hyperkit
+  brew install minikube
+  ```
+
+- Verify Minikube and kubectl version
+
+  ```
+  ~ ❯ minikube version
+  minikube version: v1.24.0
+  commit: 76b94fb3c4e8ac5062daf70d60cf03ddcc0a741b
+  ~ ❯ kubectl version
+  Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.1", GitCommit:"86ec240af8cbd1b60bcc4c03c20da9b98005b92e", GitTreeState:"clean", BuildDate:"2021-12-16T11:33:37Z", GoVersion:"go1.17.5", Compiler:"gc", Platform:"darwin/amd64"}
+  ```
+
+- Install Helm v3.7.2
+  ```
+  brew install helm
+  ```
+- Add additional repositories for helm
+  ```
+  helm repo add jenkins https://charts.jenkins.io
+  helm repo add evryfs-oss https://evryfs.github.io/helm-charts/
+  helm repo update
+  ```
+- Install Java 17
+
+  ```
+  brew install openjdk@17
+  ```
+
+- Install Maven 3.8
+
+  ```
+  brew install maven
+  ```
+
+- Install Anchore Syft and Grype
+
+  ```
+  brew tap anchore/syft
+  brew install syft
+  brew tap anchore/grype
+  brew install grype
+  ```
+
+- Install Dockle
+
+  ```
+  brew install goodwithtech/r/dockle
+  Install Bridgecrew Checkov,
+  brew install checkov
+  ```
+
+## Setup
+
+- Start Minikube
+
+  ```
+  minikube start --nodes=1 --cpus=4 --memory 8192 --disk-size=35g --embed-certs=true --driver=hyperkit
+  ```
+
+  E.g,
+
+  ```
+  ~ ❯ minikube start --nodes=1 --cpus=4 --memory 8192 --disk-size=35g --embed-certs=true --driver=hyperkit
+  😄 minikube v1.24.0 on Darwin 12.1
+  ✨ Using the hyperkit driver based on user configuration
+  👍 Starting control plane node minikube in cluster minikube
+  🔥 Creating hyperkit VM (CPUs=4, Memory=8192MB, Disk=35840MB) ...
+  🐳 Preparing Kubernetes v1.22.3 on Docker 20.10.8 ...
+  ▪ Generating certificates and keys ...
+  ▪ Booting up control plane ...
+  ▪ Configuring RBAC rules ...
+  🔎 Verifying Kubernetes components...
+  ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
+  🌟 Enabled addons: storage-provisioner, default-storageclass
+  🏄 Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
+  ~ ❯
+  ```
+
+- Check minikube installation
+
+  ```
+  kubectl get pods --all-namespaces
+  ```
+
+  E.g,
+
+  ```
+  ~ ❯ kubectl get pods --all-namespaces
+  NAMESPACE NAME READY STATUS RESTARTS AGE
+  kube-system coredns-78fcd69978-zqqk7 1/1 Running 0 43s
+  kube-system etcd-minikube 1/1 Running 0 56s
+  kube-system kube-apiserver-minikube 1/1 Running 0 56s
+  kube-system kube-controller-manager-minikube 1/1 Running 0 56s
+  kube-system kube-proxy-gk2rt 1/1 Running 0 43s
+  kube-system kube-scheduler-minikube 1/1 Running 0 56s
+  kube-system storage-provisioner 1/1 Running 0 55s
+  ~ ❯
+  ```
+
+- Create a file with name “jenkins-values.yaml” and below contents
+
+  ```
+  # Custom values for jenkins.
+  controller:
+  # List of plugins to be installed during Jenkins controller start
+  installPlugins:
+    - kubernetes:1.30.1
+    - kubernetes-client-api:5.4.1
+    - workflow-aggregator:2.6
+    - git:4.10.1
+    - configuration-as-code:1.55
+    - blueocean:latest
+    - dependency-check-jenkins-plugin:latest
+    - dependency-track:latest
+    - warnings-ng:latest
+  ```
+
+- Install Jenkins
+
+  ```
+    helm install jenkins jenkins/jenkins -f jenkins-values.yaml
+  ```
+
+- Wait for the jenkins pod to start
+
+  ```
+  kubectl get pods --all-namespaces
+  ```
+
+- Get admin user password of Jenkins
+
+  ```
+  kubectl exec --namespace default -it svc/jenkins -c jenkins -- /bin/cat /run/secrets/chart-admin-password && echo
+  ```
+
+  Note: Make a note of the password
+
+- Forward Jenkins server port to access from local machine
+  kubectl --namespace default port-forward svc/jenkins 8080:8080
+- open http://localhost:8080
+- Login with username “admin” and the password from the above step.
+
+### [Optional]
+
+- Pull the below docker images to avoid pulling images during workshop
+  ```
+  > minikube ssh
+  > $ docker pull gradle:7-jdk17-alpine
+  > $ docker pull openjdk:17.0.1
+  > $ docker pull rmkanda/docker-tools:latest
+  > $ docker pull licensefinder/license_finder
+  > $ docker pull rmkanda/trufflehog
+  ```

k8s.yaml

@@ -0,0 +1,37 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: hostname-service
+spec:
+  type: NodePort
+  selector:
+    app: sample-api
+  ports:
+    - nodePort: 30163
+      port: 8080
+      targetPort: 8080
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: sample-api
+spec:
+  containers:
+    - name: sample-api
+      image: sample-api-service:latest
+      resources:
+        requests:
+          memory: "64Mi"
+          cpu: "250m"
+        limits:
+          memory: "128Mi"
+          cpu: "500m"
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 10001
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - "ALL"
+          add: ["NET_ADMIN", "SYS_TIME"]

pom.xml

@@ -49,6 +49,74 @@
 				<groupId>org.springframework.boot</groupId>
 				<artifactId>spring-boot-maven-plugin</artifactId>
 			</plugin>
+			<plugin>
+				<groupId>org.owasp</groupId>
+				<artifactId>dependency-check-maven</artifactId>
+				<version>6.5.1</version>
+				<configuration>
+                    <format>ALL</format>
+					<failBuildOnCVSS>5</failBuildOnCVSS>
+					<suppressionFiles>
+                        <suppressionFile>sca-supressions.xml</suppressionFile>
+                    </suppressionFiles>
+                </configuration>
+				<executions>
+					<execution>
+						<goals>
+							<goal>check</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+			<plugin>
+				<groupId>com.github.spotbugs</groupId>
+				<artifactId>spotbugs-maven-plugin</artifactId>
+				<version>4.5.2.0</version>
+				<configuration>
+					<effort>Max</effort>
+					<threshold>Low</threshold>
+					<failOnError>true</failOnError>
+					<includeFilterFile>${session.executionRootDirectory}/spotbugs-security-include.xml</includeFilterFile>
+                	<excludeFilterFile>${session.executionRootDirectory}/spotbugs-security-exclude.xml</excludeFilterFile>
+					<plugins>
+						<plugin>
+							<groupId>com.h3xstream.findsecbugs</groupId>
+							<artifactId>findsecbugs-plugin</artifactId> 
+							<version>1.11.0</version>
+						</plugin>
+					</plugins>
+				</configuration>
+				<executions>
+					<execution>
+						<id>scan</id>
+						<phase>verify</phase>
+						<goals>
+							<goal>check</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+			<plugin>
+				<groupId>org.cyclonedx</groupId>
+				<artifactId>cyclonedx-maven-plugin</artifactId>
+				<version>2.5.3</version>
+				<executions>
+					<execution>
+						<phase>verify</phase>
+						<goals>
+							<goal>makeAggregateBom</goal>
+						</goals>
+					</execution>
+				</executions>
+				<configuration>
+					<includeCompileScope>true</includeCompileScope>
+					<includeProvidedScope>true</includeProvidedScope>
+					<includeRuntimeScope>true</includeRuntimeScope>
+					<includeSystemScope>true</includeSystemScope>
+					<includeTestScope>false</includeTestScope>
+					<includeDependencyGraph>true</includeDependencyGraph>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 

sca-supressions.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+<!-- <suppress>
+   <notes><![CDATA[
+   file name: log4j-api-2.14.1.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j\-api@.*$</packageUrl>
+   <cpe>cpe:/a:apache:log4j</cpe>
+</suppress> -->
+</suppressions>

secrets-exclude.txt

@@ -0,0 +1 @@
+PREREQUISITE.md

spotbugs-security-exclude.xml

@@ -0,0 +1,6 @@
+<FindBugsFilter>
+<!-- <Match>
+  <Class name="com.sample.UserManager.LoadDatabase" />
+  <Bug pattern="CRLF_INJECTION_LOGS" />
+</Match> -->
+</FindBugsFilter>

spotbugs-security-include.xml

@@ -0,0 +1,5 @@
+<FindBugsFilter>
+    <!-- <Match>
+        <Bug category="SECURITY"/>
+    </Match> -->
+</FindBugsFilter>