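// Jenkins declarative pipeline for the PaaS security-scan CI job.
//
// Flow: check that the orchestrator (orchent) and the Greenbone/GVM manager are
// reachable, create a test deployment with an Ansible playbook, scan its
// endpoints, and always run the playbook's clean step afterwards.
//
// Credentials are bound per stage with withCredentials; the shell scripts must
// therefore avoid anything that writes the bound variables to the build log or
// to process listings (see the in-script comments).
pipeline {
    agent { label 'docker-paas-agent-04 || docker-paas-agent' }

    environment {
        ORCHENT_AGENT_ACCOUNT = 'infn-cloud-ops'
        ORCHENT_URL = 'https://my.cloud.infn.it/orchestrator'
    }

    stages {
        stage('Test environment') {
            steps {
                withCredentials([
                    sshUserPrivateKey(credentialsId: "ssh_scans", keyFileVariable: 'keyfile'),
                    usernamePassword(credentialsId: "jenkins_scans_creds", usernameVariable: 'GMP_USER', passwordVariable: 'GMP_PASSWORD')
                ]) {
                    sh '''#!/bin/bash
# The former `env` dump at the top of this script was removed: inside
# withCredentials it wrote the bound credential variables to the persistent
# build log (Jenkins masks only the secret values it knows about; the username
# is not masked by default).

# Orchent connection test
orchent depls > depls.output
if grep -q ERROR depls.output
then
    echo "orchent depls: NOT ok"
    cat depls.output
    exit 1
else
    echo "orchent depls: OK"
fi

# Create ssh tunnel to the GVM manager.
# The key is copied to the agent's default key path (the later stages and,
# presumably, the Ansible playbook rely on it), so it outlives the
# withCredentials block on a shared agent. chmod 600 is needed because cp does
# not preserve the temp file's mode and ssh rejects a world-readable key.
cp "${keyfile}" /home/jenkins/.ssh/id_rsa
chmod 600 /home/jenkins/.ssh/id_rsa
# StrictHostKeyChecking=no disables host-key verification for
# scans.cloud.infn.it; pinning its key in known_hosts (or accept-new on
# OpenSSH >= 7.6) would close the man-in-the-middle window.
# ExitOnForwardFailure turns a failed bind of local port 9390 (e.g. a tunnel
# left behind by an earlier build on this agent) into a hard error instead of
# silently continuing against whatever already listens there.
if ! ssh -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -f -N \
        -L localhost:9390:192.168.235.234:9390 jenkins@scans.cloud.infn.it
then
    echo "ssh tunnel: NOT ok"
    exit 1
fi

# Greenbone connection test.
# The password is passed on the command line, so it is visible in the agent's
# process list for the duration of the call; quoting prevents word-splitting
# or globbing of the secret.
/usr/local/bin/gvm-cli --gmp-username "$GMP_USER" --gmp-password "$GMP_PASSWORD" tls --hostname 127.0.0.1 --xml "<get_version/>" > gvm.output
if grep -q OK gvm.output
then
    echo "gvm check: OK"
else
    echo "gvm check: NOT ok"
    cat gvm.output
    exit 1
fi
'''
                }
            }
            post {
                failure {
                    emailext body: '$DEFAULT_CONTENT',
                             subject: '$PROJECT_NAME - Build # $BUILD_NUMBER: Error during environment checking!',
                             to: '$RECIPIENTS'
                }
            }
        }

        stage('Create test deployment') {
            steps {
                sh '''#!/bin/bash
set -euo pipefail
# The playbook is fetched from an operator-supplied URL and then executed with
# the agent's privileges; there is no integrity check on the downloaded file,
# so PLAYBOOK_URL must point at a trusted, TLS-protected source.
# set -e stops the script if the download fails instead of running ansible
# against a missing or truncated site.yaml.
wget -O site.yaml "${PLAYBOOK_URL}"
ansible-playbook site.yaml --extra-vars "paas_ci_test_step='create_deployment'"
'''
            }
            post {
                failure {
                    archiveArtifacts artifacts: '*deployment.txt', allowEmptyArchive: true
                    emailext attachmentsPattern: '*deployment.txt',
                             body: '$DEFAULT_CONTENT',
                             subject: '$PROJECT_NAME - Build # $BUILD_NUMBER: Error during deployment!',
                             to: '$RECIPIENTS'
                }
            }
        }

        stage('Scan endpoints') {
            steps {
                // GMP_USER/GMP_PASSWORD and GIT_SEC_USER/GIT_SEC_TOKEN are not
                // referenced by the script itself; presumably the playbook reads
                // them from the environment -- verify against site.yaml.
                withCredentials([
                    sshUserPrivateKey(credentialsId: "ssh_scans", keyFileVariable: 'keyfile'),
                    usernamePassword(credentialsId: "jenkins_scans_creds", usernameVariable: 'GMP_USER', passwordVariable: 'GMP_PASSWORD'),
                    usernamePassword(credentialsId: "security-scans-cred", usernameVariable: 'GIT_SEC_USER', passwordVariable: 'GIT_SEC_TOKEN')
                ]) {
                    sh '''#!/bin/bash
# Same key handling as in 'Test environment'.
cp "${keyfile}" /home/jenkins/.ssh/id_rsa
chmod 600 /home/jenkins/.ssh/id_rsa
# The debug callback prints full task output; with credentials in the
# environment, make sure the playbook's tasks use no_log where they handle them.
export ANSIBLE_STDOUT_CALLBACK=debug
ansible-playbook site.yaml --extra-vars "paas_ci_test_step='scan'"
'''
                }
            }
            post {
                failure {
                    archiveArtifacts artifacts: '*report.pdf, oids.txt', allowEmptyArchive: true
                    emailext attachmentsPattern: '*report.pdf, oids.txt',
                             body: '$DEFAULT_CONTENT',
                             subject: '$PROJECT_NAME - Build # $BUILD_NUMBER: Vulnerabilities detected!',
                             to: '$RECIPIENTS'
                }
            }
        }
    }

    post {
        always {
            // Clean step runs regardless of outcome. Note that the background
            // ssh tunnel opened in 'Test environment' is not torn down here and
            // the copied private key stays in /home/jenkins/.ssh on the agent.
            sh '''#!/bin/bash
ansible-playbook site.yaml --extra-vars "paas_ci_test_step='clean'"
'''
        }
        failure {
            script {
                // severity.json is only produced by the scan step, so this mail
                // goes out for scan findings, not for environment/deployment errors.
                if (fileExists('severity.json')) {
                    emailext body: '$DEFAULT_CONTENT',
                             subject: '$DEFAULT_SUBJECT',
                             to: '$RECIPIENTS'
                }
            }
        }
    }
}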