E2E DevSecOps Implementation in Jenkins by integrating with Azure DevOps & ACR — Part 1

DINESH REDDY JETTI
5 min read · Dec 19, 2023

The “End-to-End (E2E) DevSecOps Implementation in Jenkins by integrating with Azure DevOps & Azure Container Registry (ACR)” refers to a comprehensive setup and workflow in the field of DevSecOps (Development, Security, and Operations) that spans the entire software development lifecycle.

Install Jenkins on Ubuntu following https://pkg.jenkins.io/debian-stable/ :

#!/bin/bash
set -e

# Fetch the Jenkins repository signing key into a dedicated keyring
sudo wget -O /usr/share/keyrings/jenkins-keyring.asc \
https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key

# Register the stable Jenkins apt repository, pinned to that key
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
https://pkg.jenkins.io/debian-stable binary/ | sudo tee \
/etc/apt/sources.list.d/jenkins.list > /dev/null

# Install the Java runtime Jenkins needs, then Jenkins itself
sudo apt-get update
sudo apt-get install -y fontconfig openjdk-17-jre
sudo apt-get install -y jenkins
sudo systemctl start jenkins
sudo systemctl status jenkins

Jenkins listens on port 8080 by default, so make sure that inbound port is open on the VM's NIC. On the unlock page, read the initial admin password from the file path shown (on the VM) and paste it into the text box.

After keying in the password, you can install the suggested plugins with one click.

Install Docker on Ubuntu using the script below:

#!/bin/bash
set -e

# Update the package index
sudo apt update

# Install packages to allow apt to use a repository over HTTPS
sudo apt install -y apt-transport-https ca-certificates curl software-properties-common

# Add Docker's official GPG key
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

# Set up the stable Docker repository
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Update the package index again
sudo apt update

# Install the latest version of Docker
sudo apt install -y docker-ce docker-ce-cli containerd.io

# Add your user to the docker group to run Docker without sudo
sudo usermod -aG docker "$USER"

# Print a message to inform the user to restart their session
echo "Docker has been installed. Please restart your session to apply group changes."

Then, in your interactive shell (not inside the script, because newgrp starts a new shell):

sudo usermod -aG docker $USER   # in my case the user is azureuser
newgrp docker                   # apply the new group without logging out
# Docker group membership is already enough for the user above; making the socket
# world-writable lets every local account control the Docker daemon (root-equivalent).
sudo chmod 777 /var/run/docker.sock

Open port 9000 on the NIC and run the SonarQube container with the command below:

docker run -d --name sonar -p 9000:9000 sonarqube:lts-community

Launch the URL at VMIP:9000 and log in with the default credentials (change them on first login):
username: admin
password: admin

Install Trivy on the VM:

sudo apt-get install wget apt-transport-https gnupg lsb-release -y

wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null

echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list

sudo apt-get update

sudo apt-get install trivy -y

Specifically, search for and install the following plugins:

  • JDK Plugin (Eclipse Temurin installer): provides support for building Java applications.
  • SonarQube Scanner Plugin: integrates Jenkins with SonarQube for continuous inspection of code quality.
  • Maven Integration Plugin: allows Jenkins to use Maven to build and manage projects.
  • OWASP Dependency-Check Plugin: integrates OWASP Dependency-Check into the Jenkins build process to identify project dependencies and check them for known, publicly disclosed vulnerabilities.

Configure Java, Maven, Docker & the SonarQube scanner as below under Global Tool Configuration.

Set up the credentials sonar-token, azure-repo-id & myAzureCredential in the Jenkins global credentials section.

To create the Sonar token, navigate to Administration, then Security, open the Tokens column, provide a name for the token, and finally click Generate.

To create azure-repo-id, use the Git credentials from Azure DevOps Repos.

To set up myAzureCredential, follow the link below to create a service principal and grant it the relevant access to the resource group.

The complete pipeline for the Docker build & push is outlined below, including all required environment values and stages.

pipeline {
    agent any
    environment {
        SCANNER_HOME = tool 'sonar-scanner'
        AZURE_SUBSCRIPTION_ID = '491e112'
        AZURE_TENANT_ID = '2047b1'
        CONTAINER_REGISTRY = 'project231.azurecr.io'
        RESOURCE_GROUP = 'AZ-NEW-22'
        REPO = "services"
        IMAGE_NAME = "springboot-app"
        TAG = "latest"
        // AZURE_CLIENT_ID / AZURE_CLIENT_SECRET are deliberately not set here: hard-coding
        // them in the Jenkinsfile puts the service-principal secret into source control.
        // withCredentials below injects them per stage from the 'myAzureCredential' entry.
    }
    stages {
        stage('Docker Build & Push') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'myAzureCredential', passwordVariable: 'AZURE_CLIENT_SECRET', usernameVariable: 'AZURE_CLIENT_ID')]) {
                    // Single-quoted sh strings: the shell expands the variables, so the
                    // secret is never interpolated into a Groovy string
                    sh 'az login --service-principal -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" -t "$AZURE_TENANT_ID"'
                    sh 'az account set -s "$AZURE_SUBSCRIPTION_ID"'
                    sh 'az acr login --name "$CONTAINER_REGISTRY" --resource-group "$RESOURCE_GROUP"'
                    sh 'docker build -t service-backend .'
                    sh 'docker tag service-backend "$CONTAINER_REGISTRY/$REPO/$IMAGE_NAME:$TAG"'
                    sh 'docker push "$CONTAINER_REGISTRY/$REPO/$IMAGE_NAME:$TAG"'
                }
            }
        }
        stage('Docker Image Pull & Deploy') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'myAzureCredential', passwordVariable: 'AZURE_CLIENT_SECRET', usernameVariable: 'AZURE_CLIENT_ID')]) {
                    sh 'az login --service-principal -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" -t "$AZURE_TENANT_ID"'
                    sh 'az account set -s "$AZURE_SUBSCRIPTION_ID"'
                    sh 'az acr login --name "$CONTAINER_REGISTRY" --resource-group "$RESOURCE_GROUP"'
                    sh 'docker pull "$CONTAINER_REGISTRY/$REPO/$IMAGE_NAME:$TAG"'
                    sh 'docker run -d -p 8081:8081 "$CONTAINER_REGISTRY/$REPO/$IMAGE_NAME:$TAG"'
                }
            }
        }
    }
}
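The pipeline above builds and pushes but never runs the scanners installed earlier. As an added example (not code from the original post), here is how the SonarQube scanner, OWASP Dependency-Check and Trivy fit into the same declarative pipeline as gates that must pass before anything is pushed to ACR. The tool names 'jdk17' and 'maven3', the SonarQube server name 'sonar-server', the Dependency-Check installation name 'DP-Check' and the project key are assumptions; the Quality Gate stage requires a SonarQube webhook pointing back at Jenkins.

```groovy
pipeline {
    agent any
    tools {
        jdk 'jdk17'      // assumed names from Global Tool Configuration
        maven 'maven3'
    }
    environment {
        SCANNER_HOME = tool 'sonar-scanner'
        AZURE_SUBSCRIPTION_ID = '491e112'
        AZURE_TENANT_ID = '2047b1'
        CONTAINER_REGISTRY = 'project231.azurecr.io'
        // Immutable per-build tag instead of 'latest', so a scanned image is exactly the one deployed
        IMAGE = "project231.azurecr.io/services/springboot-app:${env.BUILD_NUMBER}"
    }
    stages {
        stage('Build & Unit Test') { steps { sh 'mvn -B clean verify' } }
        stage('SonarQube Analysis') {
            steps {
                withSonarQubeEnv('sonar-server') {   // assumed server name; bound to the sonar-token credential
                    sh '"$SCANNER_HOME/bin/sonar-scanner" -Dsonar.projectKey=springboot-app -Dsonar.java.binaries=target/classes'
                }
            }
        }
        stage('Quality Gate') {
            // Waits for the SonarQube webhook callback and aborts the build if the gate fails
            steps { timeout(time: 5, unit: 'MINUTES') { waitForQualityGate abortPipeline: true } }
        }
        stage('OWASP Dependency-Check') {
            steps {
                // --failOnCVSS 7 makes the scan return non-zero for any dependency with CVSS >= 7
                dependencyCheck additionalArguments: '--scan ./ --format XML --failOnCVSS 7', odcInstallation: 'DP-Check'
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
            }
        }
        stage('Docker Build') { steps { sh 'docker build -t "$IMAGE" .' } }
        stage('Trivy Image Scan') {
            // --exit-code 1 on HIGH/CRITICAL findings fails the build before the push stage runs
            steps { sh 'trivy image --exit-code 1 --severity HIGH,CRITICAL --no-progress "$IMAGE"' }
        }
        stage('Push to ACR') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'myAzureCredential', usernameVariable: 'AZURE_CLIENT_ID', passwordVariable: 'AZURE_CLIENT_SECRET')]) {
                    sh 'az login --service-principal -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" -t "$AZURE_TENANT_ID"'
                    sh 'az account set -s "$AZURE_SUBSCRIPTION_ID" && az acr login --name "$CONTAINER_REGISTRY"'
                    sh 'docker push "$IMAGE"'
                }
            }
        }
    }
}
```

Because the image is tagged with the build number, the deploy stage can pull the exact digest that Trivy scanned rather than whatever 'latest' points at by the time it runs.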

DINESH REDDY JETTI

Cloud Infra Devops. Lead @ Zuellig Pharma | DevOps, Security , Automation, Azure, AWS, GCP