Setting up a CD toolchain
With this tutorial, you use the toolchain template for continuous deployment (CD) with DevSecOps practices that are related to Security and Compliance Center. The template comes preconfigured; you validate the settings and provide your own configuration to complete the tutorial.
Before you begin
- Complete Setting up the prerequisites.
- Complete Setting up a CI toolchain.
- View the Getting started with DevSecOps in IBM Cloud - Part 2 video.
- Refer to the DevSecOps practices to deploy a secure CD application.
Start the CD toolchain setup
The Continuous Delivery service provides templates that guide you through the CD toolchain setup. Follow the steps to access the template for the CD toolchain.
- In the IBM Cloud console, click the Menu icon > Platform Automation > Toolchains.
- On the Toolchains page, click Create toolchain.
- Click the CD - Deploy a secure app with DevSecOps practices tile to view the template.
Set up toolchain settings
The Welcome page summarizes the purpose of the toolchain along with pointers to the documentation and related materials.
- Click Start.
- Enter a unique Toolchain name. Note that the toolchain region can differ from the cluster and Container Registry regions.
- Select a region and Select a resource group are prepopulated. Note that you can edit the regions.
- Optionally, you can Choose the associated continuous integration (CI) toolchain from the dropdown. This copies some of the CI configuration to aid in the setup of the CD toolchain. Note that this might overwrite some of the values that you already entered.
- Click Continue.
You can advance to the next step only when the configuration for the current step is complete and valid. You can always click Back to view previous steps in the guided installer. The toolchain installer retains all the configuration settings from the successive steps.
Some steps include a Switch to advanced configuration toggle button. By default, these steps present you with the minimum configuration. Advanced users who need finer-grained control can click the Switch to advanced configuration toggle to reveal the options for the underlying integration.
Set up tool integrations
If you already linked to an existing CI toolchain in the previous step, the toolchain name, region, repositories, and other fields are prepopulated. Review the repository URLs, and then continue to the next steps.
Inventory
- Select the Repository URL of the inventory repository configured in your CI toolchain.
- Click Continue.
Issues
- Select the Repository URL of the repository in which issues are recorded while the CD pipeline is running. Note that you use the existing issues repository that was created during the CI toolchain setup.
- Click Continue.
Pipeline Configuration
The pipeline configuration repository contains YAML files and scripts that are needed for deployment, testing, and other custom tasks.
- Accept the default settings for Source Provider. If you do not have a configuration repository, enable the Advanced configuration toggle, and select the Clone repository type. The toolchain clones the sample configuration into your Git organization. For more information about Git repos, see Configuring your Git Repos and Issue Tracking. For more information about customizable scripts, see Custom scripts.
- Enter a unique New repository name.
- Click Continue.
Secrets
- This tutorial uses IBM Cloud® Secrets Manager as the vault for secrets. The Region, Resource group, and Service name fields are automatically populated based on available choices. Click the drop-down indicators to see the other choices.
- Type your Secrets Manager instance name.
- Select the Authorization type from the dropdown list.
- Click Continue.
Evidence storage
- Select Use existing evidence locker repository.
- Select the Repository URL that was created when you configured the continuous integration (CI) toolchain. For more information about evidence storage, see Evidence.
- Toggle the IBM Cloud Object Storage bucket slider to store all the evidence in the IBM Cloud Object Storage bucket.
- Click Continue.
Cloud Object Storage bucket
- Verify and accept the automatically populated IBM Cloud Object Storage details. For more information about configuring a bucket that can act as a compliance evidence locker, see Configuring Object Storage for storing evidence.
- Provide your Service API key to write to an IBM Cloud Object Storage instance.
- Click Continue.
Artifact Signing
- Optionally, enter the Code Signing Certificate that is used to verify the validity of the signatures on artifacts, for example, Docker images that were built and signed by the CI pipeline before they are deployed into production.
- Click Continue.
Deployment target
- Accept Single cluster (push based deployment). To deploy your application to other targets, such as a Virtual Server Instance, or to customize the deployment process, use the Custom option.
- Click Continue to view the cluster page.
- Enter your IBM Cloud API Key; it is used by the CLI tool in several tasks. Note that an existing key can be imported from a secrets vault by clicking the key icon.
- Verify your Cluster region, Resource group, Cluster name, and Cluster namespace fields where your target cluster is created.
- Click Continue.
Change request management
- Accept the populated values for change request management. Use an IBM Cloud-hosted Git Repos and Issue Tracking repository to manage change requests. For more information, see Automating change management.
- Enter a unique New repository name.
- Set the Target Environment purpose as Production.
- Set the Target Environment detail.
- Click Continue.
DevOps Insights toolchain
The CD toolchain can publish the deployment records to an existing DevOps Insights instance. To enable this feature, provide the ID of the toolchain that contains the existing DevOps Insights instance by selecting it in the DevOps Insights toolchain ID list.
IBM Cloud DevOps Insights is included in the toolchain. View your pipeline test results for every build, from every deployment and environment.
- Provide your DevOps Insights IBM Cloud API Key.
- Accept the default configuration.
- Click Continue.
Optional tools
Slack
Configure Slack to receive notifications about your pull requests or CI pipeline events. You can also add the Slack tool after the toolchain is created.
- Enter your Slack webhook. For more information, see Slack webhook.
- Enter the Slack channel to post messages to.
- Enter the Slack team name. For example, if your team URL is https://team.slack.com, the team name is team.
- Choose Automated Slack Notifications for the events for which you want to receive notifications.
- Click Continue.
Optionally, you can toggle sending notifications with the slack-notifications environment property in your CD pipeline by using 0 = off and 1 = on.
Security and Compliance Center
- Accept or edit the automatically populated settings. For more information, see Security and Compliance Center and the tool integration configuration process.
- Click Continue to view the Summary page.
Create the CD toolchain
The individual toolchain integrations can also be reconfigured after the toolchain is created.
- On the Summary page, click Create toolchain, and wait for the toolchain to be created.
Explore the CD toolchain
- Now that the CD toolchain is created, click the cd-pipeline tile to open and run the promotion pipeline.
Run the promotion pipeline
Make sure that the CI pipeline ran successfully before you run the promotion pipeline.
- Click cd-pipeline.
- Click Run for the Manual Promotion Trigger pipeline.
- Click Run to trigger the pipeline.
- Click Manual Promotion Trigger > #1promotion-pipelinerun pipeline. Wait for the promotion pipeline run to complete and check the execution log. The promotion pipeline creates a pull request with the content of the inventory on the inventory source environment branch, such as master, targeting the inventory target environment branch, such as staging or production.
- After the promotion pipeline finishes successfully, the promote task log provides a link to the pull request in the inventory repository. The pull request name is of the format promote <inventory source environment> to <inventory target environment>, for example, promote master to prod.
- Open the pull request in your browser with the link provided in the log. Complete the details in the following sections:
  - Priority: (mandatory) set as Critical, High, Moderate, Low, or Planning.
  - Change Request assignee: (mandatory) Email-ID of the assignee.
  - Additional Description: Description of the changes in the application.
  - Purpose/Goal: Purpose of the changes that are made to the application.
  - Explanation of Impact: Impact of the change on the application behavior or environment.
  - Backout Plan: Steps to back out if there is a deployment failure.
- Complete the fields in the pull request and save.
- Add the EMERGENCY label to your pull request if any compliance checks in CI failed and you want to continue with the deployment.
- Merge the pull request from Git Repos and Issue Tracking.
The details of the pull request are used during the CD pipeline run to create and update the change request in the change request repository.
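As an added example (not code from the IBM tutorial or the DevSecOps templates), the following Python check could be run over a promotion pull request before it is merged: it validates the title format, the mandatory Priority and assignee fields, and flags an EMERGENCY label so that the bypass of failed CI compliance checks is recorded. The "- Key: value" layout of the pull request body and the sample values are assumptions.

```python
import re

# Field names and allowed values come from the tutorial; the "- Key: value"
# body layout and the sample pull request are assumptions for this example.
ALLOWED_PRIORITIES = {"Critical", "High", "Moderate", "Low", "Planning"}
MANDATORY = ("Priority", "Change Request assignee")
TITLE_RE = re.compile(r"^promote \S+ to \S+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_pr_body(body: str) -> dict:
    """Collect 'Key: value' lines (with or without a list marker) into a dict."""
    fields = {}
    for raw in body.splitlines():
        line = raw.strip().lstrip("-*").strip()
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def validate_promotion_pr(title: str, body: str, labels: set) -> dict:
    """Return {'errors': [...], 'warnings': [...]}; no errors means mergeable."""
    errors, warnings = [], []
    if not TITLE_RE.match(title):
        errors.append(f"unexpected title: {title!r}")
    fields = parse_pr_body(body)
    for key in MANDATORY:
        if not fields.get(key):
            errors.append(f"missing mandatory field: {key}")
    prio = fields.get("Priority")
    if prio and prio not in ALLOWED_PRIORITIES:
        errors.append(f"invalid Priority: {prio!r}")
    assignee = fields.get("Change Request assignee")
    if assignee and not EMAIL_RE.match(assignee):
        errors.append(f"assignee is not an Email-ID: {assignee!r}")
    if not fields.get("Backout Plan"):
        warnings.append("Backout Plan is empty; document how to roll back")
    if "EMERGENCY" in labels:  # deployment proceeds despite failed CI checks
        warnings.append("EMERGENCY label set: record the justification")
    return {"errors": errors, "warnings": warnings}

# Constructed sample body in the assumed layout.
SAMPLE_BODY = """\
- Priority: High
- Change Request assignee: ops-lead@example.com
- Additional Description: Promote the latest inventory of the sample app.
- Purpose/Goal: Ship the build that passed the CI pipeline.
- Explanation of Impact: Rolling update, no downtime expected.
- Backout Plan: Rerun cd-pipeline against the previous inventory commit.
"""
```

Calling `validate_promotion_pr("promote master to prod", SAMPLE_BODY, set())` returns no errors and no warnings; a body with an unknown priority, no assignee and the EMERGENCY label returns two errors and two warnings.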
Run the CD pipeline
You can trigger a CD pipeline manually or automatically. You can trigger the CD pipeline manually at any time, but if there are no changes since the last successful deployment, the CD pipeline stops early because there is nothing to deploy. You can add and set the force-redeploy variable to rerun the CD pipeline with no code changes. View the screen capture of a successful DevSecOps CD pipeline run.
You can find the sample app running in the production namespace. The app URL is in the log of the run stage substep of the prod deployment step of the CD pipeline run. Use that URL to verify that the app is running.
Next steps
You successfully created a DevSecOps CD toolchain and ran the cd-pipeline, triggered manually, to deploy to the production environment.
Now, continue with Setting up a CC toolchain.