Commit 6ccebb3f authored by OZGCloud's avatar OZGCloud

Merge branch 'master' into ozg-6647-network-policy-for-scraper

parents 945dd360 eb0a88af
...@@ -113,21 +113,17 @@ pipeline { ...@@ -113,21 +113,17 @@ pipeline {
script { script {
FAILED_STAGE = env.STAGE_NAME FAILED_STAGE = env.STAGE_NAME
withCredentials([usernamePassword(credentialsId: 'jenkins-nexus-login', usernameVariable: 'USER', passwordVariable: 'PASSWORD')]) { buildAndPushImage("zufi-manager-server")
configFileProvider([configFile(fileId: 'maven-settings', variable: 'MAVEN_SETTINGS')]) { }
sh '''
mvn -pl zufi-manager-server \
-s $MAVEN_SETTINGS spring-boot:build-image \
-DskipTests \
-Dmaven.wagon.http.retryHandler.count=3 \
$BUILD_PROFILE \
-Ddocker.publishRegistry.username=${USER} \
-Ddocker.publishRegistry.password=${PASSWORD} \
-DimageTag=$IMAGE_TAG \
-DpublishImage=true
'''
} }
} }
stage('Build, Tag and Push zufi-manager-pvog Docker image') {
steps {
script {
FAILED_STAGE = env.STAGE_NAME
buildAndPushImage("zufi-manager-pvog")
} }
} }
} }
...@@ -161,23 +157,6 @@ pipeline { ...@@ -161,23 +157,6 @@ pipeline {
} }
} }
stage ('OWASP Dependency-Check Vulnerabilities') {
steps {
dependencyCheck additionalArguments: '''
-o "./"
-s "./"
-f "ALL"
-d /dependency-check-data
--suppression dependency-check-supressions.xml
--disableKnownExploited
--noupdate
--disableArchive
--prettyPrint''', odcInstallation: 'dependency-check-owasp'
dependencyCheckPublisher pattern: 'dependency-check-report.xml'
}
}
stage('Sonar Checks') { stage('Sonar Checks') {
when { when {
branch 'master' branch 'master'
...@@ -271,18 +250,32 @@ pipeline { ...@@ -271,18 +250,32 @@ pipeline {
} }
} }
Void buildAndPushImage(String applicationName){
withCredentials([usernamePassword(credentialsId: 'jenkins-nexus-login', usernameVariable: 'USER', passwordVariable: 'PASSWORD')]) {
configFileProvider([configFile(fileId: 'maven-settings', variable: 'MAVEN_SETTINGS')]) {
sh script: """
mvn -pl ${applicationName} \
-s \$MAVEN_SETTINGS spring-boot:build-image \
-DskipTests \
-Dmaven.wagon.http.retryHandler.count=3 \
\$BUILD_PROFILE \
-Ddocker.publishRegistry.username=\$USER \
-Ddocker.publishRegistry.password=\$PASSWORD \
-DimageTag=\$IMAGE_TAG \
-DpublishImage=true
"""
}
}
}
Void deployHelmChart(String helmChartName, String helmChartVersion) { Void deployHelmChart(String helmChartName, String helmChartVersion) {
def helmChartArchive = "${helmChartName}-${helmChartVersion}.tgz"
withCredentials([usernamePassword(credentialsId: 'jenkins-nexus-login', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) { withCredentials([usernamePassword(credentialsId: 'jenkins-nexus-login', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
if (isReleaseBranch()) { if (isReleaseBranch()) {
result = sh script: ''' result = deployChartToNexus('$USERNAME:$PASSWORD', helmChartArchive, "ozg-base-apps")
curl -u $USERNAME:$PASSWORD \
https://nexus.ozg-sh.de/service/rest/v1/components?repository=ozg-base-apps \
-F file=@''' + "${helmChartName}-${helmChartVersion}.tgz", returnStdout: true
} else { } else {
result = sh script: ''' result = deployChartToNexus('$USERNAME:$PASSWORD', helmChartArchive, "ozg-base-apps-snapshot")
curl -u $USERNAME:$PASSWORD \
https://nexus.ozg-sh.de/service/rest/v1/components?repository=ozg-base-apps-snapshot \
-F file=@''' + "${helmChartName}-${helmChartVersion}.tgz", returnStdout: true
} }
if (result != '') { if (result != '') {
...@@ -291,6 +284,14 @@ Void deployHelmChart(String helmChartName, String helmChartVersion) { ...@@ -291,6 +284,14 @@ Void deployHelmChart(String helmChartName, String helmChartVersion) {
} }
} }
String deployChartToNexus(String usernamePassword, String helmChartArchive, String repository) {
return sh(script: """
curl -u "${usernamePassword}" \
"https://nexus.ozg-sh.de/service/rest/v1/components?repository=${repository}" \
-F file=@${helmChartArchive}
""", returnStdout: true).trim()
}
String generateHelmChartVersion() { String generateHelmChartVersion() {
def chartVersion = getRootPomVersion() def chartVersion = getRootPomVersion()
......
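Review bot: `deployChartToNexus` only works because its callers pass the literal text `'$USERNAME:$PASSWORD'` (single-quoted Groovy, expanded by the shell under `withCredentials`); a future caller that passes real values would interpolate the secret into the script body that Jenkins echoes. Prefer dropping the `usernamePassword` parameter and expanding the credential variables in the shell inside the function, `curl -u "\$USERNAME:\$PASSWORD" \`, the same way `buildAndPushImage` escapes `\$USER`/`\$PASSWORD`. The curl call also runs without `--fail`, so an HTTP error from Nexus is detected only indirectly by the non-empty-stdout check in `deployHelmChart`; `curl -sS --fail-with-body` (or `--fail` on an older curl) makes the step fail on its own while still logging the response. Separately, this section drops the OWASP Dependency-Check stage with no replacement visible here; if the scan moved elsewhere, a one-line comment in the Jenkinsfile saying where would save the next reader the search.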
...@@ -51,8 +51,8 @@ spec: ...@@ -51,8 +51,8 @@ spec:
- port: 27017 - port: 27017
protocol: TCP protocol: TCP
- to: - to:
- ipBlock: #ip for domain public.demo.pvog.cloud-bdc.dataport.de and domain private.demo.pvog.cloud-bdc.dataport.de - ipBlock:
cidr: 141.91.177.27/32 cidr: {{ required "oidc.client.pvogServerIP must be set" ((.Values.oidc).client).pvogServerIP }}
- to: - to:
- namespaceSelector: - namespaceSelector:
matchLabels: matchLabels:
......
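Review bot: `required` only guarantees that `oidc.client.pvogServerIP` is non-empty, not that it is in CIDR notation, and `ipBlock.cidr` is validated by the API server, so a bare address (like the `1.1.1.1` in the values hunk further down this page) passes `helm lint`/`helm template` and is rejected at install time. Either document the expected form where the value is declared, `# CIDR of the PVOG server, e.g. 141.91.177.27/32`, or append the host mask when it is missing: `{{- $ip := required "oidc.client.pvogServerIP must be set" ((.Values.oidc).client).pvogServerIP }}` followed by `cidr: {{ $ip }}{{ if not (contains "/" $ip) }}/32{{ end }}`. The removed comment was the only record of which hostnames this address serves; a comment next to the value in values.yaml naming them (as the old template did) keeps that trace for whoever has to rotate the IP later.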
...@@ -48,6 +48,12 @@ spec: ...@@ -48,6 +48,12 @@ spec:
image: "{{ .Values.image.repo }}/{{ .Values.image.name }}:{{ coalesce (.Values.image).tag "latest" }}" image: "{{ .Values.image.repo }}/{{ .Values.image.name }}:{{ coalesce (.Values.image).tag "latest" }}"
imagePullPolicy: Always imagePullPolicy: Always
env: env:
- name: OZGCLOUD_PVOG_OAUTH2_CLIENT-SECRET
valueFrom:
secretKeyRef:
name: pvog-oidc-secret
key: pvog-client-secret
optional: false
- name: OZGCLOUD_PVOG_OAUTH2_AUTH-SERVER-URL - name: OZGCLOUD_PVOG_OAUTH2_AUTH-SERVER-URL
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
...@@ -74,12 +80,6 @@ spec: ...@@ -74,12 +80,6 @@ spec:
name: pvog-client-configmap name: pvog-client-configmap
key: id key: id
optional: false optional: false
- name: OZGCLOUD_PVOG_OAUTH2_CLIENT-SECRET
valueFrom:
secretKeyRef:
name: oidc-client-credential
key: secret
optional: false
{{- if not (.Values.database).useExternal }} {{- if not (.Values.database).useExternal }}
- name: spring_data_mongodb_uri - name: spring_data_mongodb_uri
valueFrom: valueFrom:
......
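Review bot: The `OZGCLOUD_PVOG_OAUTH2_CLIENT-SECRET` env var now reads `pvog-oidc-secret`/`pvog-client-secret` with `optional: false` instead of `oidc-client-credential`/`secret`, so pods of an existing install will not start until the new Secret exists, and nothing in this section shows how it is provisioned. If it is created outside the chart, a comment on the reference, `# pvog-oidc-secret is provisioned externally; key pvog-client-secret holds the PVOG OAuth2 client secret`, plus a line in the chart's upgrade notes would help operators. Making the name overridable, `name: {{ ((.Values.oidc).client).secretName | default "pvog-oidc-secret" }}`, would also allow keeping the old Secret during a migration.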
...@@ -22,7 +22,7 @@ ...@@ -22,7 +22,7 @@
# unter der Lizenz sind dem Lizenztext zu entnehmen. # unter der Lizenz sind dem Lizenztext zu entnehmen.
# #
suite: test deyploment less than 63 chars suite: test deployment less than 63 chars
release: release:
name: zufi-manager name: zufi-manager
namespace: zufi-manager namespace: zufi-manager
......
#
# Copyright (C) 2024 Das Land Schleswig-Holstein vertreten durch den
# Ministerpräsidenten des Landes Schleswig-Holstein
# Staatskanzlei
# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
#
# Lizenziert unter der EUPL, Version 1.2 oder - sobald
# diese von der Europäischen Kommission genehmigt wurden -
# Folgeversionen der EUPL ("Lizenz");
# Sie dürfen dieses Werk ausschließlich gemäß
# dieser Lizenz nutzen.
# Eine Kopie der Lizenz finden Sie hier:
#
# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
#
# Sofern nicht durch anwendbare Rechtsvorschriften
# gefordert oder in schriftlicher Form vereinbart, wird
# die unter der Lizenz verbreitete Software "so wie sie
# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
# ausdrücklich oder stillschweigend - verbreitet.
# Die sprachspezifischen Genehmigungen und Beschränkungen
# unter der Lizenz sind dem Lizenztext zu entnehmen.
#
suite: network policy error message test
release:
namespace: by-helm-test
templates:
- templates/network_policy.yaml
tests:
- it: test network policy dnsServerNamespace must be set message
set:
networkPolicy:
disabled: false
oidc:
client:
pvogServerIP: 141.91.177.27/32
asserts:
- failedTemplate:
errorMessage: networkPolicy.dnsServerNamespace must be set
- it: should allow configured PVOG IP in Egress
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- failedTemplate:
errorMessage: oidc.client.pvogServerIP must be set
\ No newline at end of file
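Review bot: The second case, `should allow configured PVOG IP in Egress`, asserts a `failedTemplate` with `oidc.client.pvogServerIP must be set`, so its name describes the opposite of what it checks; rename it to follow the first case's pattern, `- it: test network policy pvogServerIP must be set message`. The positive assertion that the configured CIDR appears in `spec.egress` already lives in the other network-policy suite on this page, so no second copy is needed here.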
...@@ -27,6 +27,12 @@ release: ...@@ -27,6 +27,12 @@ release:
namespace: by-helm-test namespace: by-helm-test
templates: templates:
- templates/network_policy.yaml - templates/network_policy.yaml
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
oidc:
client:
pvogServerIP: 141.91.177.27/32
tests: tests:
- it: should match apiVersion - it: should match apiVersion
...@@ -38,17 +44,11 @@ tests: ...@@ -38,17 +44,11 @@ tests:
of: networking.k8s.io/v1 of: networking.k8s.io/v1
- it: should match kind - it: should match kind
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- isKind: - isKind:
of: NetworkPolicy of: NetworkPolicy
- it: should match metadata - it: should match metadata
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- equal: - equal:
path: metadata path: metadata
...@@ -57,9 +57,6 @@ tests: ...@@ -57,9 +57,6 @@ tests:
namespace: by-helm-test namespace: by-helm-test
- it: should generate spec - it: should generate spec
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- equal: - equal:
path: spec path: spec
...@@ -99,7 +96,6 @@ tests: ...@@ -99,7 +96,6 @@ tests:
- it: add ingress rule by values local - it: add ingress rule by values local
set: set:
networkPolicy: networkPolicy:
dnsServerNamespace: test-dns-namespace
additionalIngressConfigLocal: additionalIngressConfigLocal:
- from: - from:
- podSelector: - podSelector:
...@@ -116,7 +112,6 @@ tests: ...@@ -116,7 +112,6 @@ tests:
- it: add ingress rule by values global - it: add ingress rule by values global
set: set:
networkPolicy: networkPolicy:
dnsServerNamespace: test-dns-namespace
additionalIngressConfigGlobal: additionalIngressConfigGlobal:
- from: - from:
- podSelector: - podSelector:
...@@ -134,7 +129,6 @@ tests: ...@@ -134,7 +129,6 @@ tests:
- it: add egress rules by values local - it: add egress rules by values local
set: set:
networkPolicy: networkPolicy:
dnsServerNamespace: test-dns-namespace
additionalEgressConfigLocal: additionalEgressConfigLocal:
- to: - to:
- ipBlock: - ipBlock:
...@@ -149,7 +143,6 @@ tests: ...@@ -149,7 +143,6 @@ tests:
- it: add egress rules by values Global - it: add egress rules by values Global
set: set:
networkPolicy: networkPolicy:
dnsServerNamespace: test-dns-namespace
additionalEgressConfigGlobal: additionalEgressConfigGlobal:
- to: - to:
- ipBlock: - ipBlock:
...@@ -162,34 +155,31 @@ tests: ...@@ -162,34 +155,31 @@ tests:
- ipBlock: - ipBlock:
cidr: 1.2.3.4/32 cidr: 1.2.3.4/32
- it: test network policy disabled - it: disable network policy disabled when configured
set: set:
networkPolicy: networkPolicy:
disabled: true disabled: true
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- hasDocuments: - hasDocuments:
count: 0 count: 0
- it: test network policy unset should be disabled - it: should disable network policy when unset
set: set:
networkPolicy: networkPolicy:
disabled: false disabled: false
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- hasDocuments: - hasDocuments:
count: 1 count: 1
- it: test network policy dnsServerNamespace must be set message - it: should have one default network policy enabled
set:
networkPolicy:
disabled: false
asserts:
- failedTemplate:
errorMessage: networkPolicy.dnsServerNamespace must be set
- it: test by default network policy enabled
set:
networkPolicy:
dnsServerNamespace: test-ns
asserts: asserts:
- hasDocuments: - hasDocuments:
count: 1 count: 1
- it: should have allowed PVOG IP in Egress
asserts:
- contains:
path: spec.egress
content:
to:
- ipBlock:
cidr: 141.91.177.27/32
\ No newline at end of file
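Review bot: The renamed case with `disabled: true` now reads `disable network policy disabled when configured`, which is garbled; `- it: should render no network policy when disabled is true` says what the `hasDocuments: count: 0` assertion checks. Likewise `should disable network policy when unset` sets `disabled: false` and asserts `count: 1`, i.e. the policy is rendered, so `- it: should render network policy when disabled is false` would match the assertion.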
...@@ -22,7 +22,7 @@ ...@@ -22,7 +22,7 @@
# unter der Lizenz sind dem Lizenztext zu entnehmen. # unter der Lizenz sind dem Lizenztext zu entnehmen.
# #
suite: test deyploment less than 63 chars suite: test deployment less than 63 chars
release: release:
name: zufi-server name: zufi-server
namespace: zufi-server namespace: zufi-server
......
...@@ -41,7 +41,9 @@ oidc: ...@@ -41,7 +41,9 @@ oidc:
auth_server: https://auth_server.local auth_server: https://auth_server.local
pvog_url: https://pvog_url.local pvog_url: https://pvog_url.local
realm: realm realm: realm
pvogServerIP: 1.1.1.1
networkPolicy: networkPolicy:
dnsServerNamespace: test-ns dnsServerNamespace: test-ns
fachstellenProxyNamespace: proxy fachstellenProxyNamespace: proxy
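Review bot: `pvogServerIP: 1.1.1.1` has no prefix length, and the template feeds it straight into `ipBlock.cidr`, which Kubernetes validates as CIDR; `helm template` accepts it but an install would be rejected, and `1.1.1.1` is a real public resolver rather than a placeholder. Use a documentation address in CIDR form, `pvogServerIP: 192.0.2.1/32` (RFC 5737), so a copy-pasted value can never open egress to an unintended host. The hunk header shows the block under `oidc:`; whether the `client:` level the template expects (`.Values.oidc.client.pvogServerIP`) is present is outside the visible lines, so worth confirming against the full file.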