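--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
+pipeline {
+ agent {
+ label 'docker-node-name'
+ }
+
+ options {
+ timestamps()
+ }
+
+ environment {
+ PROD_IMAGE = "myapp-prod"
+ STAGE_IMAGE = "myapp-stage"
+ // common section in the URL to the ECR that's part of AWS' ECS
+ ECR_URI = 'dkr.ecr.us-west-2.amazonaws.com'
+ }
+
+ parameters {
+ choice(
+ name: 'environ',
+ choices: "STAGE\nPROD",
+ description: 'Environment for which the Docker image should be built.'
+ )
+ string(
+ name: 'VERSION',
+ defaultValue: 'v3.1',
+ description: 'Supply the version that will be used to tag the image.'
+ )
+ }
+
+ stages {
+ stage('Git-Prep') {
+ steps {
+ script {
+ // Extract first 9 digits of Git commit's SHA-1 id
+ env.GIT_HASH = sh(returnStdout: true,
+ script: "git rev-parse --verify HEAD --short=9"
+ ).trim()
+ }
+ }
+ }
+ stage('Build-Tag-Push') {
+ steps {
+ script {
+ docker_image = docker.build("${PROD_IMAGE}")
+ println "newly built image, " + docker_image.id
+ // Use boto3 Python module to extract service account's id which
+ // is represented as numerical digits.
+ sh "python <custom-python-script-to-extract-service-account-id> "
+ // Assuption: Python script that's executed using the 'sh' step in
+ // line 48, creates a file, 'service_account.txt' that contains the
+ // id of the service account in AWS.
+ env.AWS_ACCOUNT = readFile("service_account.txt").trim()
+ /*
+ with docker v17 and above, email option should be off for docker login
+ https://github.com/aws/aws-cli/blob/9417311ddf284eaa02155aff850dd90b3e5d2c43/awscli/customizations/ecr.py#L53
+ https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login.html
+ */
+ // Assumptions & Requirements:
+ // 1. Build node should have AWS CLI installed.
+ // 2. AWS' service account has sufficient permissions to upload images to ECR
+ // 3. Image registry should have been setup using the service account as per line 48.
+ // For cross account policies, see AWS documentation on IAM, ECS.
+ // Below threads have useful info on why 'eval' should be used,
+ // https://stackoverflow.com/questions/43733396/jenkins-amazon-ecr-no-basic-auth-credentials
+ // http://www.tikalk.com/devops/ecr-in-pipeline/
+ sh "eval \$(aws ecr get-login --region us-west-2 --no-include-email --registry-ids ${env.AWS_ACCOUNT} | sed 's|https://||')"
+ env.REGISTRY = "https://" + "${env.AWS_ACCOUNT}" + "." + "${env.ECR_URI}"
+ docker.withRegistry("${env.REGISTRY}") { // without withRegistry usage, push refers to docker.io
+ docker_image.push("${GIT_HASH}")
+ docker_image.push("${params.VERSION}")
+ docker_image.push("latest")
+ }
+ // If the same pipeline is used to build images for both PROD and STAGE
+ // then, this can be handy to visually represent which build job was
+ // executed to build image for which environment i.e. STAGE or PROD.
+ currentBuild.displayName = "${env.BUILD_NUMBER}" + "-" + params.environ + "-" + params.VERSION + "-" + "${env.GIT_HASH}"
+ }
+ }
+ }
+ }
+ post {
+ always {
+ cleanWs()
+ }
+ }
+}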
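Review bot: The `sh "eval \$(aws ecr get-login ...)"` step at line 66 builds its command by Groovy-interpolating `env.AWS_ACCOUNT`, a value read verbatim from `service_account.txt` at line 52 and never validated, so any unexpected content in that file is spliced into a shell command that is then `eval`-ed. Pass it through the environment instead and keep the Groovy string single-quoted, e.g. `sh 'eval $(aws ecr get-login --region us-west-2 --no-include-email --registry-ids "$AWS_ACCOUNT" | sed "s|https://||")'`, and fail early with `if (!env.AWS_ACCOUNT) { error 'service_account.txt is empty' }` right after the `readFile`. Note also that `aws ecr get-login` has been superseded by `aws ecr get-login-password`, which is meant to be piped into `docker login --username AWS --password-stdin` and removes the need for `eval` altogether. Separately, `docker.build("${PROD_IMAGE}")` at line 44 ignores the `environ` parameter, so a STAGE run builds and pushes under the prod image name; `docker.build(params.environ == 'PROD' ? env.PROD_IMAGE : env.STAGE_IMAGE)` would honour the choice.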