-
Notifications
You must be signed in to change notification settings - Fork 1
/
PaC-jenkinsfile
86 lines (70 loc) · 3.63 KB
/
PaC-jenkinsfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
node {
def app
def P0
environment {
guestbook = "${env.ns}"
}
stage('Startup Process') {
sh 'rm -f -r -d *'
sh 'rm -f -r -d .[!.]* ..?*'
}
stage('cloneRepository') {
checkout scm
}
stage('Deploy Guestbook App') {
withKubeConfig([credentialsId: 'k8s_config',
caCertificate: '',
serverUrl: '',
contextName: '',
clusterName: '',
namespace: ''
]) {
sh "kubectl create namespace ${env.ns} --dry-run -o yaml | kubectl apply -f - && \
kubectl apply -f redis-leader-deployment.yaml -n ${env.ns} && \
kubectl apply -f redis-leader-service.yaml -n ${env.ns} && \
kubectl apply -f redis-follower-deployment.yaml -n ${env.ns} && \
kubectl apply -f redis-follower-service.yaml -n ${env.ns} && \
kubectl apply -f frontend-deployment.yaml -n ${env.ns} && \
kubectl apply -f frontend-service.yaml -n ${env.ns}"
}
}
stage('Get Microsegmentation Creds') {
withCredentials([file(credentialsId: 'pipeline.creds', variable: 'APOCTL_CREDS')]) {
sh "cp \$APOCTL_CREDS $WORKSPACE/default.creds"
}
}
stage('Policy as Code: Create Ruleset for Guestbook App') {
sh 'curl -o apoctl https://download.aporeto.com/prismacloud/app/apoctl/linux/apoctl'
sh 'chmod +x apoctl'
withEnv(["APOCTL_CREDS=$WORKSPACE/default.creds"]) {
// Rules for guestbook app
sh "./apoctl api import -n /${env.tenant}/${env.cloudAccount}/${env.group}/${env.ns} -f guestbook-ruleset.yaml \
--set tenant=${env.tenant} --set cloudAccount=${env.cloudAccount} --set group=${env.group} --set ns=${env.ns}"
// Rules to allow DNS traffic to KubeDNS service needed to grant the proper work of the app
sh "./apoctl api import -n /${env.tenant}/${env.cloudAccount}/${env.group} -f dns-ruleset.yaml \
--set tenant=${env.tenant} --set cloudAccount=${env.cloudAccount} --set group=${env.group} "
}
}
stage('Policy as Code: Reject not allowed traffic for App') {
// Once you configured the guestbook ruleset you can configure the default rule to reject all In/Out traffic for app namespace
withEnv(["APOCTL_CREDS=$WORKSPACE/default.creds"]) {
// sh "./apoctl api update namespace ${env.nsID} --namespace /${env.tenant}/${env.cloudAccount}/${env.group} -k 'defaultPUIncomingTrafficAction=Reject' "
// sh "./apoctl api update namespace ${env.nsID} --namespace /${env.tenant}/${env.cloudAccount}/${env.group} -k 'defaultPUOutgoingTrafficAction=Reject' "
P0 = sh(
script: " ./apoctl api list namespace --recursive -f name==/${env.tenant}/${env.cloudAccount}/${env.group}/${env.ns} -c ID -o yaml | awk '{ print \$3}' ",
returnStdout: true,
).trim()
// sh "PO=\$(apoctl api list namespace --recursive -f name==/\${env.tenant}/\${env.cloudAccount}/\${env.group}/\${env.ns} -c ID -o yaml | awk '{ print $3}') "
sh " ./apoctl api update namespace $P0 --namespace /${env.tenant}/${env.cloudAccount}/${env.group} -k 'defaultPUIncomingTrafficAction=Reject' "
sh " ./apoctl api update namespace $P0 --namespace /${env.tenant}/${env.cloudAccount}/${env.group} -k 'defaultPUOutgoingTrafficAction=Reject' "
}
}
stage('Generate traffic') {
sh('chmod +x ./entrypoint.sh')
sh('chmod +x ./traffic-gen.sh && ./traffic-gen.sh')
}
stage('Finish Process') {
sh 'rm -f -r -d *'
sh 'rm -f -r -d .[!.]* ..?*'
}
}