
See #1: update the pipeline to work with the NPM 2FA system (tokens)

pull/2/head
Nicolas Massé 8 years ago
parent
commit
d3d6a70b1b
  1. 41
      Jenkinsfile
  2. 43
      doc/CONFIGURE_JENKINS.md
  3. 7
      doc/INSTALL.md
  4. 16
      setup/all-in-one-template.yaml

41
Jenkinsfile

@ -5,9 +5,8 @@
* - Credentials Binding (https://plugins.jenkins.io/credentials-binding) * - Credentials Binding (https://plugins.jenkins.io/credentials-binding)
* *
* This pipeline accepts the following parameters : * This pipeline accepts the following parameters :
* - NPM_CREDENTIALS_ID: The Jenkins Credentials ID that holds login and password to login on NPM Registry * - NPM_CREDENTIALS_ID: The Jenkins Credentials ID that holds the NPM token to login on NPM Registry
* - NPM_EMAIL: The email address associated with the NPM Account pointed by NPM_CREDENTIALS_ID * - NPM_TAG: The tag to use to publish the package to the NPM registry (defaults to 'latest')
* - NPM_REGISTRY: Private NPM registry to log in to (Default if not provided: https://registry.npmjs.org)
* - OPENSHIFT_IMAGE_STREAM: The ImageStream name to use to tag the built images * - OPENSHIFT_IMAGE_STREAM: The ImageStream name to use to tag the built images
* - OPENSHIFT_BUILD_CONFIG: The BuildConfig name to use * - OPENSHIFT_BUILD_CONFIG: The BuildConfig name to use
* - OPENSHIFT_SERVICE: The Service object to update (either green or blue) * - OPENSHIFT_SERVICE: The Service object to update (either green or blue)
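
Review bot: NPM_REGISTRY is dropped from the parameter list in this header comment with no replacement text, while the publish stage in the next hunk hardcodes `//registry.npmjs.org/` as the key for the token. If private registries are no longer supported, say so in this comment; otherwise keep the parameter and build the `_authToken` key from it.
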
@ -33,32 +32,28 @@ node('nodejs') {
def newVersion = "$currentVersion-$BUILD_NUMBER" def newVersion = "$currentVersion-$BUILD_NUMBER"
def packageName = thisPackage.name def packageName = thisPackage.name
def packageSpec = "$packageName@$newVersion" def packageSpec = "$packageName@$newVersion"
def packageTag = (params.NPM_TAG != null && params.NPM_TAG != "") ? params.NPM_TAG : 'latest'
// You will need the "credential binding" plugin. See here how to install it :
// https://support.cloudbees.com/hc/en-us/articles/203802500-Injecting-Secrets-into-Jenkins-Build-Jobs
withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: params.NPM_CREDENTIALS_ID,
usernameVariable: 'NPM_USER', passwordVariable: 'NPM_PASS']]) {
stage("Login to NPM") {
echo "Using NPM CredentialsID = '${params.NPM_CREDENTIALS_ID}'"
echo "About to login on NPM with ${env.NPM_USER}/${params.NPM_EMAIL}"
sh '''
set +x
npm install -g npm-cli-login publish
npm-cli-login
'''
}
}
// Run the unit tests // Run the unit tests
stage('Unit Tests') { stage('Unit Tests') {
sh "npm test" sh "npm test"
} }
// Package the app and publish it to NPM // You will need the "credential binding" plugin. See here how to install it :
stage('Package and Publish to NPM') { // https://support.cloudbees.com/hc/en-us/articles/203802500-Injecting-Secrets-into-Jenkins-Build-Jobs
echo "Will publish version $newVersion to NPM" withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: params.NPM_CREDENTIALS_ID,
sh "npm version --no-git-tag-version $newVersion" usernameVariable: 'DUMMY', passwordVariable: 'NPM_TOKEN']]) {
sh "publish" // Package the app and publish it to NPM
stage('Package and Publish to NPM') {
echo "Using NPM CredentialsID = '${params.NPM_CREDENTIALS_ID}'"
// Store the NPM Token in the config file
sh "npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}"
echo "Will publish version $newVersion to NPM (tagged as 'latest')"
sh "npm --no-git-tag-version version ${newVersion}"
sh "npm publish --tag ${packageTag}"
}
} }
// Build the OpenShift Image in OpenShift using the artifacts from NPM // Build the OpenShift Image in OpenShift using the artifacts from NPM
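
Review bot: the token is passed in a Groovy double-quoted string at `sh "npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}"`, so Groovy interpolates the secret into the script text before the shell runs it; the value ends up in the generated script, and any shell metacharacters in it are interpreted. Use a single-quoted string so the shell reads the variable from the environment that `withCredentials` provides, for example `sh 'npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN"'`. The token also stays in the agent's npm config after the stage ends, so consider deleting the key once `npm publish` has run. Separately, the echo still says (tagged as 'latest') although the publish step uses `${packageTag}`.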

43
doc/CONFIGURE_JENKINS.md

@ -1,12 +1,28 @@
# Configure Jenkins # Configure Jenkins
## Login to NPM and generate a token
Log in the NPM registry with:
```
npm login
```
And create a new read/write token:
```
npm token create
```
Keep the generated token in a safe place !
See [the NPM documentation](https://docs.npmjs.com/getting-started/working_with_tokens) for more information.
## Create a credential named `npm-secret` ## Create a credential named `npm-secret`
Login to Jenkins with your OpenShift credentials and create a Jenkins credential with the following parameters : Login to Jenkins with your OpenShift credentials and create a Jenkins credential with the following parameters :
- Scope: global - Scope: global
- Kind: Username with password - Kind: Username with password
- Username: \<your NPM username\> - Username: `npm-secret` (or anything else, only the password is used)
- Password: \<your NPM password\> - Password: \<the token generated previously\>
- ID: npm-secret - ID: npm-secret
To create a Jenkins Credentials : To create a Jenkins Credentials :
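
Review bot: the credential is still created as Kind "Username with password" with a placeholder username, which is why the Jenkinsfile has to bind an unused `DUMMY` variable. A "Secret text" credential holds a single token without the spare field; if the current kind is kept for compatibility, say so in this section. The line "Keep the generated token in a safe place" could also state that this is a read/write token that can publish the package, and point to `npm token revoke` for the case where it leaks.
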
@ -37,29 +53,18 @@ Quick reminder to install a plugin :
__Note :__ to update a plugin, select the `Updates` tab instead of the `Available` tab. __Note :__ to update a plugin, select the `Updates` tab instead of the `Available` tab.
## Create/Update the Jenkins Pipeline ## Create the Jenkins Pipeline (Manual Install ONLY)
Depending if you created a JenkinsPipeline BuildConfig, OpenShift may have created Depending if you created a JenkinsPipeline BuildConfig, OpenShift may have created
a Jenkins pipeline for you. In such a case, the Jenkins Pipeline is named `<namespace>/<buildconfig-name>`. a Jenkins pipeline for you. In such a case, the Jenkins Pipeline is named `<namespace>/<buildconfig-name>`
and you have nothing more to do.
So, if you installed the demo :
- manually, you need to create the pipeline from scratch
- automatically with the provided template, you need to update the pipeline to add the following parameters
__Note :__ As of today, OpenShift does not accept build environment variables with Jenkins pipelines.
So you have to update the Jenkins pipeline created by OpenShift to add those variable.
In the next version this may change as there is a pull request for this feature
(see [\#11293](https://github.com/openshift/origin/issues/11293)
and [\#12323](https://github.com/openshift/origin/pull/12323)).
So, create a Jenkins Pipeline that accepts the following parameters or update Whereas if you installed the demo manually, you need to create the pipeline from scratch.
the existing Jenkins Pipeline so that it accepts the following parameters : If this is the case, create a Jenkins Pipeline that accepts the following parameters :
| Parameter Name | Parameter Type | Default Value | Description | | Parameter Name | Parameter Type | Default Value | Description |
| --- | --- | --- | --- | | --- | --- | --- | --- |
| NPM_CREDENTIALS_ID | String | npm-secret | The Jenkins Credentials ID that holds login and password to login on NPM Registry | | NPM_CREDENTIALS_ID | String | npm-secret | The Jenkins Credentials ID that holds the token to login on NPM Registry |
| NPM_EMAIL | String | \<your NPM email\> | The email address associated with the NPM Account pointed by NPM_CREDENTIALS_ID |
| NPM_REGISTRY | String | https://registry.npmjs.org | Private NPM registry to log in to (Default if not provided: https://registry.npmjs.org) |
| OPENSHIFT_IMAGE_STREAM | String | openshift-demo-nodejs | The ImageStream name to use to tag the built images | | OPENSHIFT_IMAGE_STREAM | String | openshift-demo-nodejs | The ImageStream name to use to tag the built images |
| OPENSHIFT_BUILD_CONFIG | String | openshift-demo-nodejs | The BuildConfig name to use | | OPENSHIFT_BUILD_CONFIG | String | openshift-demo-nodejs | The BuildConfig name to use |
| OPENSHIFT_SERVICE | String | openshift-demo-nodejs | The Service object to update (either green or blue) | | OPENSHIFT_SERVICE | String | openshift-demo-nodejs | The Service object to update (either green or blue) |
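
Review bot: the parameter table loses the NPM_EMAIL and NPM_REGISTRY rows but gains no NPM_TAG row, although the Jenkinsfile in this commit documents NPM_TAG and reads `params.NPM_TAG`. Add a row for it (String, default `latest`) so that a manually created pipeline exposes the tag.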

7
doc/INSTALL.md

@ -26,7 +26,7 @@ my other project : the [OpenShift-Hostpath-Provisioner](https://github.com/nmass
Create all other objects using the template : Create all other objects using the template :
``` ```
oc process -f setup/all-in-one-template.yaml TEST_ROUTE_HOSTNAME=demo.test.app.openshift.test PROD_ROUTE_HOSTNAME=demo.prod.app.openshift.test NPM_EMAIL=your@npm.email > objects.json oc process -f setup/all-in-one-template.yaml TEST_ROUTE_HOSTNAME=demo.test.app.openshift.test PROD_ROUTE_HOSTNAME=demo.prod.app.openshift.test > objects.json
oc create -f objects.json oc create -f objects.json
``` ```
@ -36,7 +36,6 @@ __Notes :__
- Replace the `demo.test.app.openshift.test` and `demo.prod.app.openshift.test` - Replace the `demo.test.app.openshift.test` and `demo.prod.app.openshift.test`
by meaningful values for your environment. It will be your routes in by meaningful values for your environment. It will be your routes in
TEST and PROD environments. TEST and PROD environments.
- Replace `your@npm.email` by the email address associated with your NPM Account.
All parameters are documented here : All parameters are documented here :
@ -44,9 +43,7 @@ All parameters are documented here :
| --- | --- | --- | --- | | --- | --- | --- | --- |
| TEST_ROUTE_HOSTNAME | Yes | - | The route to create in the TEST environment and which we will use to run the integration tests | | TEST_ROUTE_HOSTNAME | Yes | - | The route to create in the TEST environment and which we will use to run the integration tests |
| PROD_ROUTE_HOSTNAME | Yes | - | The route to create in the PROD environment | | PROD_ROUTE_HOSTNAME | Yes | - | The route to create in the PROD environment |
| NPM_EMAIL | Yes | - | Email address of your NPM Account | | NPM_CREDENTIALS_ID | No | npm-secret | The Jenkins Credentials ID that holds the token to login on NPM Registry |
| NPM_CREDENTIALS_ID | No | npm-secret | The Jenkins Credentials ID that holds login and password to login on NPM Registry |
| NPM_REGISTRY | No | https://registry.npmjs.org | Private NPM registry to log in to |
| GIT_REPO | No | https://github.com/nmasse-itix/OpenShift-Demo-NodeJS.git | The GIT repository to use. This will be useful if you clone this repo. | | GIT_REPO | No | https://github.com/nmasse-itix/OpenShift-Demo-NodeJS.git | The GIT repository to use. This will be useful if you clone this repo. |
| NODEJS_IMAGE_STREAM_TAG | No | nodejs:latest | Name of the ImageStreamTag to be used for the NodeJS image. Change this if you plan to use your own NodeJS S2I image. | | NODEJS_IMAGE_STREAM_TAG | No | nodejs:latest | Name of the ImageStreamTag to be used for the NodeJS image. Change this if you plan to use your own NodeJS S2I image. |
| NODEJS_IMAGE_STREAM_NAMESPACE | No | openshift | The OpenShift Namespace where the NodeJS ImageStream resides. | | NODEJS_IMAGE_STREAM_NAMESPACE | No | openshift | The OpenShift Namespace where the NodeJS ImageStream resides. |

16
setup/all-in-one-template.yaml

@ -108,10 +108,6 @@ objects:
env: env:
- name: NPM_CREDENTIALS_ID - name: NPM_CREDENTIALS_ID
value: ${NPM_CREDENTIALS_ID} value: ${NPM_CREDENTIALS_ID}
- name: NPM_EMAIL
value: ${NPM_EMAIL}
- name: NPM_REGISTRY
value: ${NPM_REGISTRY}
- name: OPENSHIFT_IMAGE_STREAM - name: OPENSHIFT_IMAGE_STREAM
value: openshift-demo-nodejs value: openshift-demo-nodejs
- name: OPENSHIFT_BUILD_CONFIG - name: OPENSHIFT_BUILD_CONFIG
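
Review bot: the `env` list here drops NPM_EMAIL and NPM_REGISTRY but does not pass NPM_TAG, so a pipeline created from the template always falls back to the `latest` default in the Jenkinsfile. If that is intended, a short comment would make it explicit; otherwise add an NPM_TAG entry to this list and a matching template parameter.
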
@ -507,21 +503,11 @@ parameters:
name: NODEJS_IMAGE_STREAM_TAG name: NODEJS_IMAGE_STREAM_TAG
value: nodejs:latest value: nodejs:latest
- description: The Jenkins Credentials ID that holds login and password to login on NPM Registry - description: The Jenkins Credentials ID that holds the token to login on NPM Registry
displayName: Jenkins Credentials ID for NPM Registry displayName: Jenkins Credentials ID for NPM Registry
name: NPM_CREDENTIALS_ID name: NPM_CREDENTIALS_ID
value: npm-secret value: npm-secret
- description: The email address associated with the NPM Account pointed by NPM_CREDENTIALS_ID
displayName: Email address of your NPM Account
name: NPM_EMAIL
required: true
- description: Private NPM registry to log in to
displayName: NPM Registry URL
name: NPM_REGISTRY
value: https://registry.npmjs.org
- description: The route to create in the TEST environment and which we will use to run the integration tests - description: The route to create in the TEST environment and which we will use to run the integration tests
displayName: Application Hostname in the TEST environment displayName: Application Hostname in the TEST environment
name: TEST_ROUTE_HOSTNAME name: TEST_ROUTE_HOSTNAME
