add an example mounting the Openshift SA secret for internal registry (#9)

airadier · web-flow · commit be3068777ade · 2021-03-02T11:39:18.000+01:00
diff --git a/docs/index.md b/docs/index.md
@@ -131,10 +131,11 @@ The `no_proxy` variable can be used to define a list of hosts that don't use the
 In this [repository](https://github.com/sysdiglabs/secure-inline-scan-examples/) you can find the following examples in alphabetical order:
 
 * [Google Cloud Build](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/google-cloud-build)
-* Jenkins
+* [Jenkins](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins)
   * [Scan from repository](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-scan-from-repo)
   * [Build and scan](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-build-and-scan)
   * [Build, push and scan from repository](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-build-push-scan-from-repo)
+  * [Build, push and scan using Openshift internal registry](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-openshift-internal-registry)
 * [Tekton](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton)
   * [Tekton alpha API](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton/alpha)
   * [Tekton beta API](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton/beta)
diff --git a/jenkins/jenkins-openshift-internal-registry/Jenkinsfile b/jenkins/jenkins-openshift-internal-registry/Jenkinsfile
@@ -0,0 +1,100 @@
+pipeline {
+    agent {
+        kubernetes {
+            yaml """
+apiVersion: v1
+kind: Pod
+metadata:
+    name: inline-scan-worker
+spec:
+    containers:
+      - name: jnlp
+        volumeMounts:
+        # Mount the Openshift SA dockercfg secret as .dockercfg
+        - mountPath: /home/jenkins/agent/.dockercfg
+          name: sa-dockercfg
+          subPath: .dockercfg
+      - name: maven
+        image: maven:3.6-jdk-11
+        command: ['cat']
+        tty: true
+      - name: builder
+        image: gcr.io/kaniko-project/executor:debug
+        command: ['cat']
+        tty: true
+        env:
+        - name: DOCKER_CONFIG
+          value: /home/jenkins/agent
+      - name: inline-scan
+        image: quay.io/sysdig/secure-inline-scan:2
+        command: ['cat']
+        tty: true
+    volumes:
+    - name: sa-dockercfg
+      secret:
+        defaultMode: 420
+        # Name of the secret in Kubernetes used by the Service Account
+        # Requires push and pull access to the internal registry.
+        # See https://docs.openshift.com/container-platform/4.6/registry/accessing-the-registry.html
+        secretName: jenkins-dockercfg-nr7sd
+"""
+       }
+   }
+
+    parameters {
+        string(name: 'IMAGE_NAME', defaultValue: 'image-registry.openshift-image-registry.svc.cluster.local:5000/default/test-maven-app', description: 'Name of the image to be built andscanned (e.g.: myrepo/dummy-app)')
+    }
+
+    environment {
+        SECURE_API_KEY = credentials('sysdig-secure-airadier')
+    }
+
+    stages {
+
+        stage('Checkout') {
+            steps {
+                git 'https://github.com/openshift/test-maven-app'
+            }
+        }
+
+        stage('Prepare internal registry credentials') {
+            steps {
+                // We need to convert old .dockercfg format to config.json wrapping in "auth" field
+                sh "echo -n \"{ \\\"auths\\\": \"  > /home/jenkins/agent/config.json"
+                sh "cat /home/jenkins/agent/.dockercfg >> /home/jenkins/agent/config.json"
+                sh "echo \"}\" >>/home/jenkins/agent/config.json"
+            }
+        }
+
+        stage('Build app') {
+            steps {
+                container("maven") {
+                    sh "mvn package"
+                }
+            }
+        }
+
+        stage('Build image and push') {
+            steps {
+                container("builder") {
+                    sh """cat > Dockerfile <<EOF
+FROM gcr.io/distroless/java:11
+COPY target/hello.jar /hello.jar
+CMD /hello.jar
+EOF
+                    """
+                    sh "/kaniko/executor --context . --destination ${IMAGE_NAME} --skip-tls-verify"
+                }
+            }
+        }
+
+        stage('Scanning Image pulled from repository') {
+            steps {
+                container("inline-scan") {
+                    sh "/sysdig-inline-scan.sh -k ${SECURE_API_KEY_PSW} --registry-skip-tls --registry-auth-file /home/jenkins/agent/config.json ${IMAGE_NAME}"
+                }
+            }
+        }
+
+   }
+}
