Skip to Content

Wiki source code of Jenkins Shared Library

Last modified by Achim Mahnke on 2025/10/01 10:24
Show last authors
1 {{toc/}}
2
3 = DevOps-as-a-Service Open Source Pipeline Library =
4
5 DevOps-as-a-Service provides a standardized Jenkins Shared Library to be used for all your builds. See [[https:~~/~~/prd.sdc.t-systems.net/bitbucket/projects/DEVOPSAAS/repos/sdcloud-caas-jenkins-libs/browse>>url:https://prd.sdc.t-systems.net/bitbucket/projects/DEVOPSAAS/repos/sdcloud-caas-jenkins-libs/browse||shape="rect"]] for the source code and additional documentation like e.g. release notes.
6
7 == Getting Started ==
8
9 Since the Shared Library is globally configured on all Jenkins instances managed by DevOps-as-a-Service you just need to place the following very short Jenkinsfile in the root folder of your git repository to automatically build your maven or node project or simply build a container using a Dockerfile.
10
11 {{code}}
12 @Library('sdcloud') _
13
14 sdcPipeline()
15 {{/code}}
16
17 Calling sdcPipeline() starts an automatically configured, standardized build and deployment pipeline.
18 The pipeline requires a node labeled with 'docker' to execute successfully. To run on other types of Jenkins agents set the //useNode //argument as described below.
19
20 == Pipeline features ==
21
22 What the pipeline currently does is visualised in the following image which shows an example for a maven-based Java project.
23
24 [[image:attach:image2022-5-17_17-51-43.png||height="250"]]
25
26 1. Checking out the source code from git.
27 1. If a pom.xml is found your favorite JDK is selected, by default jdk11. Then a maven build is done.
28 1. If there's no pom.xml but a package.json is found a nodejs build is done.
29 1. If there is no pom.xml or package.json but a go.mod file, a go test tool run is done.
30 1. Then the following stages are executed in parallel
31 11. Analysis: For maven projects the Java source code is checked by checkstyle, pmd and spotbugs. Furthermore the job output will be checked for any warnings generated by maven, javac or javadoc. If Python modules (.py files) exist in the git repository they will be analyzed using pylint and flake8. If pylint or flake8 are not available on the Jenkins agent the steps will be skipped. Python files that are generated or downloaded into the workspace will not be checked. The results will be displayed on the classical Jenkins build page after the build. If a go.mod f
32 11. Security: If it's not a feature or bugfix branch a dependency check is done which checks if e.g. libraries are used which have known vulnerabilities. The results will be displayed in Jenkins after the build.
33 11. Docker: this will also work for projects which are neither maven or nodejs. A Dockerfile is enough to trigger this part of the pipeline.
34 111. If a Dockerfile is found a docker image is built.
35 111. The image is started as an isolated container on the Jenkins agent.
36 111. Any loglines written to stdout or stderr by the container will be displayed.
37 111. A smoke test is performed which is a simple query for a valid answer on the exposed port of the container.
38 111. If the smoke test was successful and the build was not done for a pull request the docker image will be pushed to the docker registry.
39 111. For easy identification of the image 3 image tags are defined:
40 1111. BRANCH_NAME-BUILD_NUMBER (e.g. 'production-1014')
41 1111. BRANCH_NAME-GIT_HASH (e.g. 'develop-8a7c4f2')
42 1111. BRANCH_NAME-latest (e.g. 'feature-PKEY-42-latest')
43 1111. (If BRANCH_NAME is defaultBranch the prefix 'BRANCH_NAME-' will not be included.)
44 111. When a chart/Chart.yaml is found and  it's not a pull request a Helm Chart will be created and pushed to the Helm Chart repository.
45 1. Yamllint will check all YAML files in the workspace for errors and warnings. This is done at this place since the Create Helm Chart stage modifies or creates YAML files which should be also checked before the pipeline proceeds.
46 1. When depolyHelmChart is set to true the Helm chart will be deployed to the Kubernestes cluster and namespace of your choice. Not done in the example diagram.
47
48 == {{id name="pipeline_customization"/}}Pipeline Customization ==
49
50 By passing named arguments to sdcPipline() e.g. sdcPipeline(imageName: 'nginx-demo', imageTag: 'v1.4') you can change the default configuration of the pipeline.
51
52 (% class="table-bordered" style="width:100.0%" %)
53 (% class="active" %)|=(((
54 Category
55 )))|=(((
56 Argument
57 )))|=(((
58 Default
59 )))|=(((
60 Description
61 )))
62 |=(% rowspan="4" %)(((
63 Job execution
64 )))|(((
65 decorateOutput
66 )))|(((
67 true
68 )))|(((
69 Enables timestamps and colorization for the console output when set to true.
70 )))
71 |allocateNode|true|(((
72 Specifies if a node should be allocated for executing the sdcPipeline code.
73
74 If you set this to false you will need to put your sdcPipeline() call into a node {} block.
75 )))
76 |(((
77 useNode
78 )))|(((
79 'docker'
80 )))|(((
81 Specifies which node should be allocated and used by the pipeline if allocateNode is true.
82
83 Pass a label or name of a configured Jenkins agent.
84 )))
85 |(((
86 defaultBranch
87 )))|(((
88 'master'
89 )))|(((
90 This branch will be the integration branch for work. At some points the pipeline will behave differently, if the default branch or another branch ist currently being built.
91 )))
92 |=(% rowspan="5" %)(((
93 Programming language and build tool
94 )))|(((
95 jdk
96 )))|(((
97 'jdk11'
98 )))|(((
99 JDK to use for all Java operations. Refers to a symbolic name of a Java tool configuration in Jenkins.
100 )))
101 |(((
102 mvnCommand
103 )))|(((
104 'mvn clean verify'
105 )))|(((
106 maven command to execute for building maven projects.
107 )))
108 |(((
109 mavenSettingsConfig
110 )))|(((
111 ''
112 )))|(((
113 Select a maven settings element from File Config Provider. The settings element in the settings.xml file contains elements used to define values which configure Maven execution in various ways, like the pom.xml, but should not be bundled to any specific project, or distributed to an audience. These include values such as the local repository location, alternate remote repository servers, and authentication information.
114
115 See also [[doc:Jenkins.Using Maven Artifact Repositories in Jenkins.WebHome]].
116 )))
117 |(((
118 nodejs
119 )))|(((
120 'nodejs'
121 )))|(((
122 Node.js to use for all node operations like e.g. calling npm. Refers to a symbolic name of a nodejs tool configuration in Jenkins.
123 )))
124 |(((
125 npmCommand
126 )))|(((
127 'npm install && npm run build ~-~-prod'
128 )))|(((
129 npm command to execute for building Node.JS projects.
130 )))
131 |=(% rowspan="10" %)(((
132 Docker build
133 )))|(((
134 dockerBuildPath
135 )))|(((
136 '.' (current directory)
137 )))|(((
138 Path to use for building the Docker container.
139 )))
140 |(((
141 dockerBuildArgs
142 )))|(((
143 '' (empty string)
144 )))|(((
145 Any additional arguments for Docker build.
146 )))
147 |(((
148 dockerfile
149 )))|(((
150 dockerBuildPath/Dockerfile
151 )))|(((
152 Dockerfile to use for building the Docker container.
153 )))
154 |(((
155 imageName
156 )))|(((
157 artifactId from pom.xml for maven projects
158
159 name of the build job for all other project types
160 )))|(((
161 Name to be used for the built Docker image.
162 )))
163 |(((
164 imagePath
165 )))|(((
166 Name of the project folder in Jenkins. That's the PROJECTKEY from the self-service portal
167 )))|(((
168 Path to prepend before the imageName.
169 )))
170 |(((
171 imageTag
172 )))|(((
173 nothing
174 )))|(((
175 Additional tag to set on the container. It will be automatically prefixed with the branch name, except for the defaultBranch.
176 )))
177 |(((
178 gitHashLength
179 )))|(((
180 7
181 )))|(((
182 Number of digits from the git hash that will be used as an image tag on the container image to label the build.
183 )))
184 |(((
185 gitCredentialsId
186 )))|(((
187 'PROJECTKEY-git' (credential which was added to your project folder in Jenkins when the project was set up by the self-service portal)
188 )))|(((
189 Name of credentials used to connect to Bitbucket API. May be used to connect to alternative SCM tools in the future.
190 )))
191 |(((
192 pullDockerRegistry
193 )))|(((
194 '[[https:~~/~~/registry-CUSTOMER.devops.t-systems.net>>url:https://registry-CUSTOMER.devops.t-systems.net||shape="rect"]]' (docker registry of your DOaaS instance)
195 )))|(((
196 If you need to pull base images during the Docker build from a docker registry that requires authentication you have to use this to specify it.
197 )))
198 |(((
199 pullDockerRegistryCredentialsId
200 )))|(((
201 'doaas-PROJECTKEY+jenkins-push-harbor' or 'PROJECTKEY-jenkins' (which were added to the credentials of your project folder in Jenkins when the project was set up by the DevOps Portal. While the first is added for Harbor, the second is added for Nexus OSS. That means that the library will automatically choose the best default for you. Please note that Harbor will be prefered, if both tools are used in the project.)
202 )))|(((
203 Id of the Jenkins Credentials which have to be used to authenticate to the //pullDockerRegistry//.
204 )))
205 |=(% rowspan="7" %)(((
206 Docker container test
207 )))|(((
208 skipSmokeTest
209 )))|(((
210 false
211 )))|(((
212 Set to true to skip the container smoke test after the build.
213 )))
214 |(((
215 containerArgs
216 )))|(((
217 '' (empty string)
218 )))|(((
219 Arguments to pass to the container for the smoke test.
220 )))
221 |(((
222 containerPort
223 )))|(((
224 80
225 )))|(((
226 Exposed port of the container that is used to check for an answer during the smoke test.
227 )))
228 |(((
229 containerProtocol
230 )))|(((
231 'http'
232 )))|(((
233 Protocol to use when trying to connect to the port of the container. Possible values: 'http', 'tcp', 'udp'. 'http' will be tested with curl, 'tcp' and 'udp' will be tested with ncat.
234 )))
235 |(((
236 containerContextPath
237 )))|(((
238 '' (empty string)
239 )))|(((
240 contextPath to query for the smoke test if the container protocol is 'http'
241 )))
242 |(((
243 containerMaxLoglineTime
244 )))|(((
245 15
246 )))|(((
247 After starting the container the smoke tests monitors stdout of the container for loglines. After containerMaxLoglineTime which is specified in seconds have passed without a new logline found, the container is expected to be up and running and the test query is performed. Increase if your container doesn't write loglines that often and seems to be not ready when the test query is performed.
248 )))
249 |(((
250 containerMaxStartupTime
251 )))|(((
252 180 (3 minutes)
253 )))|(((
254 Total time in seconds after which the container is expected to be up and running even if it's still writing loglines to stdout. After this time has passed the container will be queried for an answer.
255 )))
256 |=(% rowspan="2" %)(((
257 Docker push
258 )))|(((
259 pushDockerRegistry
260 )))|(((
261 '[[https:~~/~~/registry-CUSTOMER.devops.t-systems.net>>url:https://registry-CUSTOMER.devops.t-systems.net||shape="rect"]]' (docker registry of your DOaaS instance)
262 )))|(((
263 Docker registry to which the built image will be pushed after a successful smoke test.
264 )))
265 |(((
266 pushDockerRegistryCredentialsId
267 )))|(((
268 'doaas-PROJECTKEY+jenkins-push-harbor' or 'PROJECTKEY-jenkins' (which were added to the credentials of your project folder in Jenkins when the project was set up by the DevOps Portal. While the first is added for Harbor, the second is added for Nexus OSS. That means that the library will automatically choose the best default for you. Please note that Harbor will be prefered, if both tools are used in the project.)
269 )))|(((
270 Id of the Jenkins Credentials which have to be used to authenticate to the //pullDockerRegistry//.
271 )))
272 |=(% rowspan="6" %)(((
273 Helm chart
274 )))|(((
275 helmChartPath
276 )))|(((
277 './chart'
278 )))|(((
279 Specifies the path to the YAML files for the helm command.
280 )))
281 |(((
282 appName
283 )))|(((
284 artifactId from pom.xml for maven projects
285
286 name of the build job for all other project types
287 )))|(((
288 Name of the application. Used to build the name of the Helm chart.
289 )))
290 |(((
291 appVersion
292 )))|(((
293 version from pom.xml for maven projects
294
295 '1.0.0' for all other project types
296 )))|(((
297 Version of the application. Used to set the app version of the Helm chart.
298 )))
299 |(((
300 chartVersion
301 )))|(((
302 appVersion with '00' appended
303 )))|(((
304 Version of the Helm chart. Used to set the chart version of the Helm chart.
305 )))
306 |(((
307 helmRegistry
308 )))|(((
309 Nexus registry of your DOaaS instance
310 )))|(((
311 Name of registry to which the packaged Helm chart is uploaded.
312 )))
313 |(((
314 helmRegistryCredentialsId
315 )))|(((
316 'doaas-PROJECTKEY+jenkins-push-harbor' or 'PROJECTKEY-jenkins' (which were added to the credentials of your project folder in Jenkins when the project was set up by the DevOps Portal. While the first is added for Harbor, the second is added for Nexus OSS. That means that the library will automatically choose the best default for you. Please note that Harbor will be prefered, if both tools are used in the project.)
317 )))|(((
318 Id of the Jenkins Credentials which have to be used to authenticate to the Helm registry for acccessing Helm charts.
319 )))
320 |=(% rowspan="4" %)(((
321 Container image signature
322 )))|(((
323 signImages
324 )))|(((
325 false
326 )))|(((
327 When set to true, it activates signing of generated Docker images.
328 )))
329 |(((
330 signingNotaryServer
331 )))|(((
332 '[[https:~~/~~/notary.external.otc.telekomcloud.com>>url:https://notary.external.otc.telekomcloud.com||shape="rect"]]' (Magenta Trusted Registry)
333 )))|(((
334 Specifies the Notary service to be used for signing.
335 )))
336 |(((
337 signingPassphraseCredentialsId
338 )))|(((
339 'docker-trust-PROJECTKEY-passphrase'
340 )))|(((
341 Id of the Jenkins Credentials for passphrase of signers keyfile.
342 )))
343 |(((
344 signingKeyfileCredentialsId
345 )))|(((
346 'docker-trust-PROJECTKEY-keyfile'
347 )))|(((
348 Id of the Jenkins Credentials for signers private keyfile.
349 )))
350 |=(% colspan="1" rowspan="12" %)(((
351 Static Source Code Analysis
352 )))|(((
353 checkstyleConfig
354 )))|(((
355 best-practice releaxed configuration
356 )))|(((
357 Name of a config file to use for checkstyle. If not set a best-practice[[ relaxed configuration >>url:https://prd.sdc.t-systems.net/bitbucket/projects/DEVOPSAAS/repos/sdcloud-caas-jenkins-libs/browse/resources/com/tsystems/sdc/jenkinslib/checkstyle.xml||shape="rect"]]is used which is different from the original  Sun[[ Java Style>>url:https://checkstyle.org/sun_style.html||shape="rect"]].
358 To get the old behavior simply specify 'sun_checks.xml' to get the original Sun Checks. As an alternative 'google_checks.xml' can be used for the Google Checks which is another ruleset predefined in the checkstyle scanner tool.
359 For a custom configuration specify a filesystem path, a URL, or a classpath resource. This parameter expects that the contents of the location conforms to the xml format (Checkstyle Checker module) configuration of rulesets.
360 )))
361 |(((
362 skipBlames
363 )))|(((
364 false
365 )))|(((
366 If set to true all recordIssues steps will skip creating the SCM blames. This speeds up the processing of the results of static source code analyis. As a consequence you will not be able to see who introduced a problem into the code.
367 )))
368 |(((
369 yamlConfig
370 )))|(((
371 best-practice releaxed configuration
372 )))|(((
373 Name of a config file to use for yamllint. If not set a best-practice[[ relaxed configuration >>url:https://prd.sdc.t-systems.net/bitbucket/projects/DEVOPSAAS/repos/sdcloud-caas-jenkins-libs/browse/resources/com/tsystems/sdc/jenkinslib/yamllint.yml||shape="rect"]]is used which is different from the original yamllint[[ config>>url:https://yamllint.readthedocs.io/en/stable/configuration.html#default-configuration||shape="rect"]].
374 )))
375 |skipDependencyCheck|false|Set to true to skip the dependency-check.
376 |(((
377 dependencyCheckTool
378 )))|(((
379 'dependency-check'
380 )))|(((
381 Defines which named dependency-check tool should be used.
382 )))
383 |(((
384 dependencyCheckArgs
385 )))|(((
386 '~-~-disableAssembly ~-~-nvdValidForHours 720'
387 )))|(((
388 Addtional arguments which are be passed to dependency-check. See [[Dependency>>url:https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html||shape="rect"]][[ Check CLI Arguments>>url:https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html||shape="rect"]] for more information.
389 )))
390 |(((
391 dependencyCheckNvdApiKeyCredentialsId
392 )))|(((
393 'dependency-check-nvdapikey'
394 )))|(((
395 If you have your own NVD API Key, set it as a credential of type text in Jenkins. Then specify the credential id using this argument. It will be automatically passed to dependency-check. There will be no error if no credential is found. Just the NVD download will be slower. Please note, on DevOps-as-a-Service a shared NVD API Key is automatically supplied for the default credential id.
396 )))
397 |(((
398 sonarQube
399 )))|(((
400 true for the defaultBranch and for pull-requests, if a SonarQube version is detected which supports scanning multiple branches
401
402 false for all other branches
403 )))|(((
404 Set this to true to force a SonarQube scan for the current branch. Usually this makes only sense if you explicitly want to scan feature and bugfix branches.
405
406 If not set or set to false, the default branch will be scanned automatically as well as pull-requests, if a SonarQube version is detected which supports scanning multiple branches. This is currently the case for SonarQube Developer and Enterprise editions. The free SonarQube Community edition supports just one branch.
407 )))
408 |(((
409 sonarScanMavenOpts
410 )))|(((
411 ''
412 )))|(((
413 For huge source codes it can happen that the sonar scanner aborts with java.lang.OutOfMemoryError. In this case the memory that is availalbe for the sonar scanner needs to be increased. Try something like '-Xmx512m' to set a larger heap space for the JVM that is executing the maven-based sonar scan. '-Xmx3g' should be enough for most source codes, but make sure that your Jenkins agent has enough memory to cope with that.
414 )))
415 |sonarScanOpts|''|For huge source codes it can happen that the sonar scanner aborts with java.lang.OutOfMemoryError. In this case the memory that is availalbe for the sonar scanner needs to be increased. Try something like '-Xmx512m' to set a larger heap space for the JVM that is executing the
416 sonar scan. '-Xmx3g' should be enough for most source codes, but make sure that your Jenkins agent has enough memory to cope with that.
417 |(((
418 sonarSources
419 )))|(((
420 'src/main' for maven projects
421
422 null for non-maven projects
423 )))|(((
424 (% class="content-wrapper" %)
425 (((
426 Comma-separated paths to directories containing main source files to scan with SonarQube. Defaults to 'src/main' and therefore will automatically discover folders like src/main/java, src/main/webapp or src/main/resources. This makes sure to not only scan Java sources, but also for example JSP, CSS and HTML files.
427
428 Sonar scanning will fail if the configured directory itself is not found at all. This can happen if you have defined an alternative <sourceDirectory> in your pom.xml. If this is the case, you can disable sonar scanning by adding
429
430 {{code language="xml"}}
431 <properties>
432 <sonar.skip>true</sonar.skip>
433 </properties>
434 {{/code}}
435
436 to the pom.xml. If this is not what you want, set sonarSources to {{code language="none"}}null{{/code}}. This will make sure that sonar.sources are not explicitly passed to the sonar scanner. This will allow you to specify sonar.sources in the pom.xml like in the following example:
437
438 {{code language="xml"}}
439 <properties>
440 <sonar.source>src/main/java,src/main/webapp</sonar.sources>
441 </properties>
442 {{/code}}
443 )))
444 )))
445 |sonarQualityGate| |Sets the desired quality gate to use for the scan result in SonarQube.
446 If not specified, the quality gate is not changed.
447 As a default, SonarQube will use the quality gate "Sonar way" for new scan results.
448 |=(% rowspan="7" %)(((
449 Deployment
450 )))|(((
451 deployHelmChart
452 )))|(((
453 false
454 )))|(((
455 Boolean that activates or deactivates the automatic deployment of the Helm-Chart.
456 )))
457 |(((
458 kubeconfigCredentialsId
459 )))|(((
460 'kubeconfig-deployer-PROJECTKEY'
461 )))|(((
462 Id of the Jenkins credential which contains the kubeconfig file that should be used for deployment. The file is required to authorize access to the Kubernetes cluster.
463 )))
464 |(((
465 kubernetesNamespace
466 )))|(((
467 'default'
468 )))|(((
469 Name of the namespace in Kubernetes, to which the Chart will be deployed.
470 )))
471 |(((
472 helmValuesOverrideFile
473 )))|(((
474 'chart/values.yaml'
475 )))|(((
476 Name of the YAML file which contains specific values that should be overridden for the automatic deployment. The location needs to be specified relative to the Jenkinsfile.
477 )))
478 |(((
479 helmSetValues
480 )))|(((
481 ''
482 )))|(((
483 Set values using the format "key1=val1,key2=val2,..." for the automatic deployment.
484
485 While helmValuesOverrideFile is usally something static you can use this to specify different values depending on e.g. conditions in your Jenkinsfile.
486
487 Will be ignored if set to null, empty string or just white space.
488 )))
489 |(((
490 helmReleaseName
491 )))|(((
492 artifactId from pom.xml for maven projects
493
494 name of the build job for all other project types
495 )))|(((
496 Name of the Helm Release which will be installed or upgraded in your cluster.
497 )))
498 |(((
499 helmLockResource
500 )))|(((
501 null
502 )))|(((
503 Using [[lock>>url:https://www.jenkins.io/doc/pipeline/steps/lockable-resources/#lock-lock-shared-resource||shape="rect"]] the specified resource will be locked for the execution of any
504
505 (% class="code" %)
506 (((
507 helm upgrade
508 )))
509
510 or
511
512 (% class="code" %)
513 (((
514 helm uninstall
515 )))
516
517 command. This makes sense if deployHelmChart is used to upgrade an deployment in an environment which is currently used, e.g. for automated testing. In this case wrap your test in a lock statement with the same resource name. Defaults to null, which will not lock any resource.
518 )))
© 2018-2025 T-Systems International GmbH