Continuous Delivery

Goal

This guide will show you, how to configure Jenkins continuous integration server, to automatically deploy policies and rules to Consul.

Prerequisites

  • You application is deployed and protected
  • Consul deployed and connected to MicroPerimeter™ Security
  • Jenkins CI server
  • Version Control server

Step 1. Store your policies files in Version Control System

Prepare a new repository in your Version Control System.

Next store policies and rules file in your repository. Create a sample policy

$ cat my-app-policies.yaml

my-app-name.sn-default.cloudentity:
  properties:
    withSidecar: false
  endpoints:
  - pathPattern: "/social/getAdmins"
    method: GET
  - pathPattern: "/social/getActivity"
    method: GET
  rules:
  - default:
      targetHost: http://my-app-host
      targetPort: 8080
      targetSsl: fasle
      requestPlugins: []
    endpoints:
    - endpointName: ''
      pathPattern: "/social/getAdmins"
      method: GET
      requestPlugins:
      - conf:
          policy: ADMIN_ACCESS
        name: authz
    - endpointName: ''
      pathPattern: "/social/getActivity"
      method: GET
      requestPlugins:
      - conf:
          entities:
          - jwt
          methods:
          - authorizationCodeOAuth
        name: authn
  policies:
  - policyName: ADMIN_ACCESS
    validators:
    - name: false

Step 2. Configure Jenkins agent and plan

Make sure the mpctl is installed on Jenkins agent my-agent-with-mpctl, which will be used to delivery policies and rules to Consul.

$ mpctl

  mpctl [command]

Available Commands:
  configure   Prepare configuration for sidecar
  export      Export from consul to yaml
  generate    generate configuration from a template
  help        Help about any command
  import      Import from yaml to consul

   (...)

Make sure that you can communicate with Consul from Jenkins agent:

$ curl http://consul:8500/v1/health/node/my-node -v

* Connected to consul port 8500 (#0)
> GET /v1/health/node/my-node HTTP/1.1
< HTTP/1.1 200 OK

[
  {
    "Node":"my-node",
    "CheckID":"serfHealth",
    "Name":"Serf Health Status",
    "Status":"passing",
    "Notes":"",
    "Output":"Agent alive and reachable",
    "ServiceID":"",
    "ServiceName":"",
    "ServiceTags":[],
    "Definition":{},
    "CreateIndex":5,
    "ModifyIndex":5
    }
]

Now you can create a new build job in Jenkins with Version Control System. Depends on your requirement you can use freestyle job, pipeline, multibranch. For this example purpose, we going to use pipeline job, as a Version Control - Git.

Example plan to upload policies and rules file:

pipeline {
  agent {
    label "my-agent-with-mpctl"
  }

  parameters {
    string(name: 'CONSUL_URL', defaultValue: 'https://consul', description: 'Consul URL')
    string(name: 'CONSUL_PORT', defaultValue: '8500', description: 'Consul Port')
  }

  stages {
    stage ("Git Checkout") {
      steps {
        checkout([$class: 'GitSCM',
        branches: [[name: '*/master']],
        userRemoteConfigs: [[credentialsId: '', url: 'git@bitbucket.org:syntegritynet/my-app-policies.git']]])
      }
    }

    stage("Mpctl import policies") {
      steps {
        sh "mpctl import my-app-policies.yaml -c ${params.CONSUL_URL}:${params.CONSUL_PORT}"
      }
    }
  }
}

Example job above is executed without any external triggers, like timer, other jobs, SCM changes. In a real-life CI/CD system, the delivery job should be triggered depending on the requirements and purpose.

In this example we execute this job manually:

Execute Jenkins job

Result

Result of Jenkins job

Step 3. Check Consul

To check if policies and rules were delivered correctly, you can check Consul UI in Key/Value tab

Consul uploaded rules

Consul uploaded policies