Container Pipeline Exercise Part 2

Inside the devsecops repo (cd ~/environments/devsecopspipeline/) we are going to manually push our application image to AWS ECR.

AWS ECR

Let's push our Docker image to the ECR repository that Terraform created:

make docker_push


ECR scans our images for vulnerabilities; list the findings for the image we just pushed with:

make ecr_scan_findings

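The make target above only prints the findings. In a pipeline you usually want the scan result to decide whether the image may be deployed, so here is an added example (not the workshop's Makefile target) that waits for the ECR scan to finish and fails the step when any finding is at a blocking severity. It assumes the AWS CLI is configured for the workshop account and region; the repository name, image tag and the set of blocking severities are assumptions that can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not the workshop's own code: gate a pipeline step on the ECR
# scan result of the image that was just pushed. The defaults below are
# assumptions; override them with environment variables.
REPO="${ECR_REPOSITORY:-codemash-devsecops-repo}"
TAG="${IMAGE_TAG:-latest}"
REGION="${AWS_REGION:-us-west-2}"
BLOCKING="${BLOCKING_SEVERITIES:-CRITICAL HIGH}"

# count_blocking "SEV SEV ..." -> prints how many of the listed finding
# severities are in $BLOCKING.
count_blocking() {
    n=0
    for sev in $1; do
        for b in $BLOCKING; do
            if [ "$sev" = "$b" ]; then n=$((n + 1)); fi
        done
    done
    echo "$n"
}

# evaluate_findings "SEV SEV ..." -> returns 0 when nothing is at a blocking
# severity, 1 otherwise. The AWS CLI prints "None" for a null result in text
# output, so treat that the same as an empty list.
evaluate_findings() {
    sevs="$1"
    if [ "$sevs" = "None" ]; then sevs=""; fi
    total=$(echo "$sevs" | wc -w)
    blocked=$(count_blocking "$sevs")
    echo "findings: $total total, $blocked at blocking severity ($BLOCKING)"
    [ "$blocked" -eq 0 ]
}

# fetch_severities -> one severity per finding, whitespace separated.
fetch_severities() {
    # Block until the scan triggered by the push has completed, then pull
    # only the severity of each finding.
    aws ecr wait image-scan-complete --region "$REGION" \
        --repository-name "$REPO" --image-id imageTag="$TAG" &&
    aws ecr describe-image-scan-findings --region "$REGION" \
        --repository-name "$REPO" --image-id imageTag="$TAG" \
        --query 'imageScanFindings.findings[].severity' --output text
}

# scan_gate -> 0 when the image may proceed, 1 when blocked, 2 when the
# scan result could not be read at all.
scan_gate() {
    sevs=$(fetch_severities) || {
        echo "could not read scan results for $REPO:$TAG" >&2
        return 2
    }
    evaluate_findings "$sevs"
}

# Run the gate only when explicitly asked, so the functions can also be sourced.
if [ "${ECR_GATE_RUN:-0}" = "1" ]; then
    scan_gate
fi
```

Run it as ECR_GATE_RUN=1 sh ecr_gate.sh after the docker push; exit status 1 means a CRITICAL or HIGH finding exists and the CodeBuild stage should stop, status 2 means the scan itself never completed, which should also fail the stage rather than be treated as "no findings".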

In the console it looks like this:

https://us-west-2.console.aws.amazon.com/ecr/repositories

AWS CodePipeline

Now that Terraform has set up a CodePipeline for us, let's push our code there, watch the pipeline run, and see it do everything we just did by hand.

First we need to give our CodePipeline role access to the cluster with make cluster_iam. Under the hood this maps the CodeBuild role into the cluster's aws-auth ConfigMap as a member of system:masters, which is cluster-admin:

eksctl create iamidentitymapping --cluster devsecops --arn arn:aws:iam::123456789012:role/devsecops-codemash-codebuild   --username admin \
--group system:masters
2021-09-18 20:33:43 []  eksctl version 0.67.0
2021-09-18 20:33:43 []  using region us-west-2
2021-09-18 20:33:43 []  adding identity "arn:aws:iam::123456789012:role/devsecops-codemash-codebuild" to auth ConfigMap

We cloned the repo from GitHub; now let's push it to AWS CodeCommit.

If you don't remember the repository name, the AWS CLI can find it for us: aws codecommit list-repositories --region us-west-2

{
    "repositories": [
        {
            "repositoryName": "codemash-devsecops-repo",
            "repositoryId": "568b8724-36c5-44fe-9848-42e2db43a861"
        }
    ]
}

Use the repositoryName to construct the HTTPS endpoint for the AWS remote.

For example:

git remote add aws https://git-codecommit.us-west-2.amazonaws.com/v1/repos/codemash-devsecops-repo

Update ~/environment/devsecopspipeline/VERSION.txt to the version number you think is appropriate.

Now we can push the repo to AWS CodeCommit:

git add -A
git commit -m "add to AWS"
git push aws

Navigate to the CodePipeline console to watch the build in progress.

Once our deployment finishes we can look up the service in the cluster with kubectl get svc clusterip-service:

NAME                TYPE           CLUSTER-IP       EXTERNAL-IP                                                              PORT(S)        AGE
clusterip-service   LoadBalancer   10.100.254.156   a9d40a7cc91b447e7a7830a6aa4a1b97-970438419.us-west-2.elb.amazonaws.com   80:30430/TCP   87m

Take that EXTERNAL-IP (the ELB hostname) and test the application:

curl a9d40a7cc91b447e7a7830a6aa4a1b97-970438419.us-west-2.elb.amazonaws.com/
{"message":"Default Page"}

curl a9d40a7cc91b447e7a7830a6aa4a1b97-970438419.us-west-2.elb.amazonaws.com/data
{"message":"Database Connected"}

curl a9d40a7cc91b447e7a7830a6aa4a1b97-970438419.us-west-2.elb.amazonaws.com/host
{"message":"NODE: ip-192-168-62-23.us-west-2.compute.internal, POD IP:192.168.51.0"}