Pipelines

Quality checklist and overview of pipelines in Azure DevOps

Quality Checklist

  • all sensitive information is marked as secret. Read more about setting variables as secret here.
  • verify that no sensitive information is available in the exported API JSON definition (https://dev.azure.com/brreg/d0be3bbb-9145-4490-8d76-fd8024277467/_apis/pipelines/{definitionId})
  • make sure that no secrets are shared with forks of GitHub repos if you are using a GitHub-integrated pipeline. Read more about that here.
  • if there is a built-in task for the job the pipeline should do, it should be preferred over writing your own scripts, for both maintainability and security reasons.
  • referencing other pipelines is done by definitionId.
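
One way to automate the export check from the list above, as an added example that is not part of the Altinn pipelines: the script walks an exported definition and reports variables whose names look sensitive but that are not marked secret and still carry a readable value. The `variables` / `isSecret` / `value` layout, the name patterns and the sample JSON are assumptions made for the example.

```python
import json
import re

# Heuristic list of name fragments that suggest a credential (assumption, extend as needed).
SENSITIVE_NAME = re.compile(
    r"secret|passw(or)?d|pwd|token|api[_-]?key|subscription[_-]?key|connection[_-]?string",
    re.IGNORECASE,
)

def find_exposed_variables(node, path="$"):
    """Return (json_path, name) for each sensitive-looking variable that is
    not flagged isSecret and still carries a readable value in the export."""
    findings = []
    if isinstance(node, dict):
        for key, child in node.items():
            child_path = f"{path}.{key}"
            if key == "variables" and isinstance(child, dict):
                for name, var in child.items():
                    if not isinstance(var, dict) or var.get("isSecret") is True:
                        continue
                    if SENSITIVE_NAME.search(name) and var.get("value"):
                        findings.append((f"{child_path}.{name}", name))
            findings.extend(find_exposed_variables(child, child_path))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            findings.extend(find_exposed_variables(child, f"{path}[{index}]"))
    return findings

# Constructed sample export, not taken from a real pipeline definition.
SAMPLE_EXPORT = json.loads("""
{
  "id": 0,
  "name": "example-pipeline",
  "variables": {
    "imageTag": {"value": "latest"},
    "ApimSubscriptionKey": {"value": "constructed-not-a-real-key"},
    "RegistryPassword": {"value": null, "isSecret": true}
  },
  "environments": [
    {"name": "tt02", "variables": {"DesignerToken": {"value": "constructed-value"}}}
  ]
}
""")

if __name__ == "__main__":
    for json_path, name in find_exposed_variables(SAMPLE_EXPORT):
        print(f"NOT SECRET: {name} at {json_path}")
```

The name match is a heuristic, so a clean result does not replace reading the export by hand for values embedded in task inputs or inline scripts.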

Build Pipelines

The build pipelines are grouped in folders based on either the part of the solution they are used for or the purpose of the pipeline. See build pipelines here.

altinn-apps

There are pull request and master pipelines for app frontend and kubernetes wrapper.

The pull request pipeline builds a docker image and is triggered whenever a pull request is created or updated that modifies code related to the component.

The master pipeline builds a docker image and pushes it to Azure Container Registry. The pipeline is triggered whenever new code is merged into the master branch that modifies code related to the component.

The remaining pipelines in this folder are described below.

altinn-studio-build-app-image

  • trigger: triggered by app developers in Altinn Studio
  • details: builds a docker image of an app and pushes it to Container Registry.
  • cloud component integrations: Azure Container Registry

altinn-studio-deploy-app-image

  • trigger: triggered by app developers in Altinn Studio.
  • details: Gets APIM Subscription key if required and deploys a new helm release to the correct AKS cluster.
  • cloud component integrations: Azure API Management, Azure Kubernetes Service

altinn-studio-update-deploy-release-db

  • trigger: final step in build/deploy app image pipelines
  • details: Sends a request to designer to update the status of a given build or release of an app.

altinn-platform / altinn-studio

Pipelines in altinn-platform and altinn-studio share the same structure. There is a pull request and master pipeline for each component.

The pull request pipeline builds a docker image and is triggered whenever a pull request is created or updated that modifies code related to the component.

The master pipeline builds a docker image and pushes it to Azure Container Registry. The pipeline is triggered whenever new code is merged into the master branch that modifies code related to the component.

The pull request pipeline for the .net app template does not build a docker image, but simply ensures that it is possible to build the app template used by Altinn Studio.

Pipelines follow this naming standard: [component]-(master/pull-request).

code-analysis

Each component in the solution has its own analysis pipeline. The pipeline runs unit and integration tests and triggers a SonarCloud analysis of the code.

Pipelines follow this naming standard: [component]-analysis-[language].

load-test

The load-test pipelines are administered by the load-testing team. The pipelines run k6 tests aimed at YT01.

test

There are automated tests that are aimed at our running solutions and that can be run in any environment.

The pipelines in this project have varying triggers. Some are on a schedule and regularly run in one or all of our environments. Others are triggered when a new release is deployed to an environment.

apps-and-platform-postman

  • trigger: nightly schedule
  • environment: at22
  • details: tests platform and app APIs

studio-testcafe

  • trigger: final task in release pipeline for Designer
  • environment: all
  • details: runs TestCafe tests in Altinn Studio to validate the most common functionality.

apps-k6

  • trigger: N/A
  • environment: N/A
  • details: k6 tests to verify Altinn Apps behavior

platform-k6

  • trigger: final task in release pipeline for relevant platform components.
  • environment: all except YT01.
  • details: k6 tests to verify Altinn Platform functionality.

Release Pipelines

See all release pipelines here.

Our release pipelines are set up with multiple stages. This allows for different policies related to deploy and varying triggers.

All release pipelines rely on an artifact containing the helm chart, which is packed in the Azure Studio Ops project.

Deploy to TT02 or production requires approval from a team member. Weekly releases are scheduled for these environments.

HOWTO

Setting a variable as secret

Marking a variable as secret is straightforward. Navigate to the pipeline variables.

Pipeline variable


All that is needed for a variable to be secured in the pipeline is to click the lock icon on the right-hand side.

Pipeline variable marked secret


Disable sharing of secrets on GitHub forks

Secret sharing on repo forks is disabled by navigating from the pipeline to Triggers and selecting the GitHub integration under “Pull Request Validation”. Here you can disable secret sharing by disabling the build on forks.

Disable fork secret sharing
