- Understand basic Kubernetes and Docker concepts
- Using IBM Kubernetes Service
- Deploying application to Kubernetes
- Building and creating Dockerfile
- Container and Application Security
- Implementing a DevSecOps Continous Delivery pipeline using Jenkins, IBM Application Security, GitHub, and Aqua Micro-Scanner
- Signup to IBM Cloud
- Signup to IBM Application Security Free Trial
- Signup to Github
- Signup to Docker Hub
- Install Kubectl
- Install Docker
- Install IBM Cloud CLI
- Install GitCli
Sample Angular Application where building, security testing, and deployment of the application is automated.
- Angular4:- Angular is a platform that makes it easy to build applications with the web. Angular combines declarative templates, dependency injection, end to end tooling, and integrated best practices to solve development challenges
- Nodejs:- An open-source JavaScript run-time environment for executing server-side JavaScript code.
- Typescript:- TypeScript is an open-source programming language developed and maintained by Microsoft. It is a strict syntactical superset of JavaScript, and adds optional static typing to the language
- Docker:- Docker is an open platform for developers and sysadmins to build, ship, and run distributed applications, whether on laptops, data center VMs, or the cloud.
- Kubernetes:- Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications
- Jenkins:- Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery.
- IBM Application Security :- IBM Application Security on Cloud is a cloud app security offering that helps secure your organization's Web, cloud, mobile, and other applications. It detects dozens of today's most pervasive security vulnerabilities and enhances your application security.
- Aqua Micro Scanner:- Aqua Security's MicroScanner lets you check your container images for vulnerabilities. If your image has any known high-severity issue, MicroScanner can fail the image build, making it easy to include as a step in your CI/CD pipeline.
- Docker Cloud:- Docker Cloud is the name of the new cloud service by Docker that expands on the features of Tutum, brings a tighter integration with Docker Hub, and provides new updates and fixes
- Github:- GitHub Inc. is a web-based hosting service for version control using Git. It is mostly used for computer code
-
Go to IBM Cloud console
-
Name your cluster and create a cluster, wiat for few minutes to get it fully deployed. After it is fully deployed click on the cluster
- This shows overview of your deployed cluster
- Click on Access tab and follow the instruction on the website
- Install the container service plugin.
$ ibmcloud plugin install container-service -r Bluemix
- Log in to your IBM Cloud account.
$ ibmcloud login -a https://api.eu-de.bluemix.net
$ ibmcloud cs region-set eu-central
- Set the context for the cluster in in your CLI.
- Get the command to set the environment variable and download the Kubernetes configuration files.
$ ibmcloud cs cluster-config NameOfYourCluster
- Set the KUBECONFIG environment variable. Copy the output from the previous command and paste it in your terminal. The command output should look similar to the following.
- Verify that you can connect to your cluster by listing your worker nodes
$ kubectl get nodes
You will be able to access your cluster now hosted in IBM Kubernetes Service
- Fork the DevSecOps Repo
- Clone your forked repo locally
- Navigate to
jenkins
folder - Deploy
Kubernetes Deployment
andKubernetes services
$ kubectl create -f jenkins.yml
- Check if its deployed and running
$ kubectl get pods
This mean jenkin pod is up and running sucessfully
- Check ip to access, go to your cluster and note down ip
jenkins is hosted in port 30012
- You will be able to access jenkins http://ip:30012
- Install required plugin to create our first pipeline. Go to
Manage Jenkins
, then click onManage Plugins
, selectavailable tab
you will see something like this
- Install plugin
Custom Tools Plugin
- Install plugin
GitHub Integration Plugin
- Install plugin
IBM Application Security on Cloud
- Install plugin
Pipeline
Note: this jenkins has aready installed kubectl and docker
- Go to this link, sign up and get the token in your email
https://microscanner.aquasec.com/signup
- Replace
xxx
in line 19 with your api key
- Go to Docker Cloud and sign in, then click on
repository tab
- Click on your name on top right side and select
Personal Settings
- Select
Service Providers
- Then go
linked accounts
and activate github
- Click on
repositories
on top tab, click on create
- Give name to your docker image, then click on
github icon
, selectorganization
then select the repository you forked
You are all set! Lets double check!
- Go to your forked github repo, select
settings
, selectwebhooks
, you will see a webhook created automagically ;)
Now if you commit and push to github image build will be triggered automagically ;)
- Go to
Docker cloud
, select your image and click ontimeline
- Configure kubectl in jenkins pod
$ kubectl get pods
note down pod name
- Copy .pem and .yml file provided by IBM Kubernetes service to jenkins pod in
/bin
directory - Note down where cluster configuration files are hosted
$ ibmcloud cs cluster-config mycluster
4. copy both pem and .yml file
$ kubectl cp /Users/saifrehman/.bluemix/plugins/container-service/clusters/mycluster/kube-config-mel01-mycluster.yml podname:/bin
$ kubectl cp /Users/saifrehman/.bluemix/plugins/container-service/clusters/mycluster/ca-mel01-mycluster.pem podname:/bin
this is example, your files may have different names
- ssh to your cluster, and set the kubeconfig
$ kubectl exec -it podname /bin/bash
$ export KUBECONFIG=/bin/kube-config-mel01-mycluster.yml
- Go to service-deployent.yml file and replace image with name of your image you created
yourid/imagename
- Go to your forked github repo, select
settings
, selectwebhooks
, create a webhook, selectapplication.json
- Set your
project URL
. This is your jenkinsip:30012/github-webhook/
- Go to your
ip:30012
which has your jenkins installation - Click
New Item
, name your project and selectfreestyle project
- Select
GitHub Project
, and add your github link
- From
Source Code Management
selectGit
. Add your repository git url
-
From
Build Triggers
, selectGitHub hook trigger for GITScm polling
-
Click on add build step, select ```execute shell``
-
Paste in following code
#!/bin/bash
sleep 700
echo 'hello'
if [ ! -d "devsecops-pipeline" ]; then
su - root -c 'git clone https://github.com/SaifRehman/devsecops-pipeline.git'
fi
su - root -c "cd devsecops-pipeline && git pull && export KUBECONFIG=/bin/kube-config-mel01-mycluster.yml && kubectl delete deployments angular && kubectl apply -f service-deployment.yml"
you will have different github link, and different KUBECONFIG
- Click on
Apply
, then click onSave
- Sign in IBM Application Security
- Click on hamburger menu and select
settings/api
- Click generate, note down both
id
andsecret
Note:- dont share the credentials :) It will ask you to download
DomainVerification.html
. download that and add itsrc
folder
- Go to your jenkins instance
- Click on
Credential
, then click onsystem
, then click onGlobal credentials (unrestricted)
, selectadd credential
- Select
IBM Application Security on Cloud Credentials
fromkind
- Add valid credential you obtained.
- Click ok
- Go to jenkins homepage. Select your freestyle project you created. Click on
configure
- scroll down and click on. Click on
Add Build step
, selectRun Security Test
- Select the credentials you set before
- Give application name, and test name
- Select
dynamic analyzer
from test type
- Click on
Apply
, then click onSave
you are all set :)
Go to IBM Application Security on Cloud, then go to My Scan
from hamburger menu. you can see all your scans which were automatically generated
You can now download a sample report and look at it
- Implement docker image build in jenkins
- More to come, cant think of any now :P
You were able to create a end to end simple continuous deployment pipeline with test driven security.