Pipeline Policies

Pipeline Policies are runtime validations that work for both scripted and declarative pipelines, and provide administrators a way to include warnings for or block the execution of pipelines that do not comply with the policies applied to your managed controller.

Create a Pipeline Policy

In this lab you will use CloudBees CI CasC for controllers to create a Pipeline Policy to enforce that all Pipeline jobs that run on your CloudBees CI managed controller (Jenkins instance) have a maximum 30 minute global timeout set.

1. Navigate to your cloudbees-ci-config-bundle repository in GitHub and click on the Pull requests link.
2. On the next screen, click on the Pipeline Policies lab updates pull request and then click on the Files changed tab to review the requested configuration changes. Note the addition of the cloudbees-pipeline-policies configuration at the top of the jenkins.yaml file. We also updated the bundle version and the Jenkins system message.
3. Once you have reviewed the changed files, click on the Conversation tab, scroll down and click the green Merge pull request button and then the Confirm merge button.
4. Navigate to the config-bundle-ops Multibranch Pipeline project under the template-jobs folder on your CloudBees CI managed controller.
5. Shortly after the main branch job completes successfully navigate to the top-level of your managed controller.
6. Click on the Manage Jenkins link in the left navigation menu and then click on the CloudBees Configuration as Code export and update configuration link.
7. On the next screen, click on the Bundle Update link and you should see that a new version of the configuration bundle is available. Click the Reload Configuration button and on the next screen click the Yes button to apply the updated configuration bundle.

9. After the updated configuration bundle has finished loading, click on the Pipeline Policies link in the left menu.

10. Next, on the Pipeline Policies screen, you will see a policy with the following settings - matching the configuration from the updated CasC bundle:

    • Name: Timeout policy
    • Action: Fail
    • A Rule with a Pipeline Timeout of 30 MINUTES

11. Navigate to the config-bundle-ops Mutlibranch project in the template-jobs folder, click on the main branch job and then click the Build Now link in the left menu.

12. Navigate to the logs for that build and you will see that the build failed due to Validation Errors.

13. To fix this we will have to once again update the Jenkinsfile of the CloudBees CI Configuration Bundle template in your copy of the pipeline-template-catalog repository - remember, even though we are building from the cloudbees-ci-config-bundle repository, the Jenkinsfile is actually coming from the CloudBees CI Configuration Bundle template. Navigate to that Jenkinsfile and click the pencil icon to open it in the GitHub file editor.

14. In the GitHub file editor, change the time value of the timeout pipeline option from 60 to 10 (it needs to be 30 minutes or less to successfully validate against the Timeout policy) and then click the Commit changes (directly to the main branch) button to commit the updated Jenkinsfile to your main branch.

    expand to copy edited Jenkinsfile

    library 'pipeline-library'
    pipeline {
      agent none
      options {
        buildDiscarder(logRotator(numToKeepStr: '2'))
        timeout(time: 10, unit: 'MINUTES')
      }
      stages {
        stage('Publish CasC Bundle Update Event') {
          agent { label 'default' }
          when {
            beforeAgent true
            branch 'main'
          }
          environment { CASC_UPDATE_SECRET = credentials('casc-update-secret') }
          steps {
            gitHubParseOriginUrl()
            publishEvent event:jsonEvent("""
              {
                'controller':{'name':'${BUNDLE_ID}','action':'casc_bundle_update','bundle_id':'${BUNDLE_ID}'},
                'github':{'organization':'${GITHUB_ORG}','repository':'${GITHUB_REPO}'},
                'secret':'${CASC_UPDATE_SECRET}',
                'casc':{'auto_reload':'false'}
              }
            """), verbose: true
          }
        }
      }
    }
    

15. Next, to ensure that we are using the updated CloudBees CI Configuration Bundle template, we will check the Pipeline Template Catalog Import Log. Navigate to the top-level of your CloudBees CI managed controller and click on Pipeline Template Catalogs link in the left menu and then click the workshopCatalog link.

16. On the next screen, click the Import Log link to ensure the catalog was imported successfully and recently.
17. After the import is complete, navigate back to the main branch job in the config-bundle-ops Mutlibranch project in the template-jobs folder and click the Build Now link in the left menu. The build will complete successfully and the logs for that build will show that the Pipeline policy validated successfully.

For instructor led workshops please return to the workshop slides