Configuring projects for a CI/CD integration

GitHub lets you configure a webhook that triggers an automated and secure continuous integration and continuous delivery (CI/CD) pipeline hosted in your preferred CI/CD tool. When a new snapshot of your workflow project is created, you can trigger the GitHub webhook by pushing a file descriptor of the project (in JSON format) to a configured Git repository, which in turn triggers the CI/CD pipeline.

Before you begin

Ensure that your environment can access the configured GitHub endpoint by using a network policy to open the external access.

Procedure

Complete the following configuration to push the project descriptor file of your workflow version to GitHub.

For workflow authoring and Workflow Process Service authoring:

  1. Create a custom.xml configuration file for the authentication alias, which has your Git user name and access token.
    <?xml version="1.0" encoding="UTF-8"?>
    <server>
       <authData id="Git-J2C-Auth-Alias-Name" user="your_user_name" password="your_access_token"/>
    </server>
  2. Create a secret using your custom.xml:
    kubectl create secret generic your-custom-secret-name --from-file=sensitiveCustom.xml=./custom.xml
  3. Add the following configuration to your custom resource (CR) file:
    bastudio_configuration:
        bastudio_custom_xml: |+
          <properties>
                  <server>
                    <git-configuration  merge="replace">
                      <git-endpoint-url>https://api.github.com/repos/user1/bawgitrepo</git-endpoint-url>
                      <git-auth-alias-name>Git-J2C-Auth-Alias-Name</git-auth-alias-name>
                    </git-configuration>
                  </server>
          </properties>
        custom_secret_name: your-custom-secret-name
    where <git-endpoint-url> is the REST API URL for your Git repository. The host in this URL should be "api.github.com" instead of "github.com".
  4. If SSL is enabled for Git, import the Git TLS certificate into Cloud Pak for Business Automation, and update your CR file.
    oc create secret generic git-ssl-secret --from-file=tls.crt=/root/gitSSL.cert
    bastudio_configuration:
        tls:
          tlsTrustList: [git-ssl-secret]
    This step is not needed if the certificate of the Git website is signed by a well-known certificate authority (CA).
  5. If shared_configuration.sc_egress_configuration.sc_restricted_internet_access is set to true, the egress access is disabled for external systems. To ensure that the workflow authoring server can access the external Git server, create a network policy to allow the workflow authoring server to connect to the Git server by using the Git port. Apply the network policy as follows:
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: "bas-allow-git"
    spec:
      podSelector:
        matchLabels:
          com.ibm.cp4a.networking/egress-external-app-component: 'BAS'
      policyTypes:
      - Egress
      egress:
      # "to" and "ports" belong to the same rule, so traffic must match both.
      - to:
        - ipBlock:
            cidr:  # IP address of your Git server, in CIDR notation.
        ports:
        - protocol: TCP
          port: # Port of your Git server.

    Wait for the operator to finish reconciling.

  6. Verify the configuration:
    1. In the bastudio pod, check /opt/ibm/wlp/usr/servers/defaultServer/TeamWorksConfiguration.running.xml to see that <git-endpoint-url> and <git-auth-alias-name> are merged into the file.
    2. Also, check that the /opt/ibm/wlp/usr/shared/resources/sensitive-custom/sensitiveCustom1.xml file exists and has the <authData> of your Git user and token.
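
Kubernetes treats each item under `egress` as an independent rule, so a policy such as bas-allow-git only limits traffic to the Git server when the address and the port sit in the same item. The following check is an added example, not part of the product documentation; the address 203.0.113.10/32 and port 443 are constructed sample values, and `audit_egress` is a hypothetical helper name.

```python
import ipaddress

def audit_egress(policy, git_cidr, git_port):
    """Return findings for egress rules that allow more than git_cidr on TCP git_port."""
    spec = policy.get("spec", {})
    findings = []
    if "Egress" not in spec.get("policyTypes", []):
        findings.append("policyTypes does not include Egress")
    allowed = ipaddress.ip_network(git_cidr, strict=False)
    for i, rule in enumerate(spec.get("egress", [])):
        peers, ports = rule.get("to") or [], rule.get("ports") or []
        # Items of spec.egress are OR'd; "to" and "ports" are AND'd only within one item.
        if not peers:
            findings.append(f"rule {i}: no 'to', any destination is allowed")
        if not ports:
            findings.append(f"rule {i}: no 'ports', any port is allowed")
        for peer in peers:
            cidr = peer.get("ipBlock", {}).get("cidr")
            if cidr is None:
                findings.append(f"rule {i}: peer is not an ipBlock")
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != allowed.version or not net.subnet_of(allowed):
                findings.append(f"rule {i}: {cidr} is not inside {git_cidr}")
        for p in ports:
            proto = p.get("protocol", "TCP")
            if proto != "TCP" or p.get("port") != git_port:
                findings.append(f"rule {i}: unexpected port {proto}/{p.get('port')}")
    return findings

def _policy(egress):
    # Constructed sample shaped like `kubectl get networkpolicy -o json` output.
    return {"kind": "NetworkPolicy", "metadata": {"name": "bas-allow-git"},
            "spec": {"policyTypes": ["Egress"], "egress": egress}}

GIT = {"ipBlock": {"cidr": "203.0.113.10/32"}}   # constructed address (TEST-NET-3)
HTTPS = {"protocol": "TCP", "port": 443}         # assumed Git server port
SPLIT = _policy([{"to": [GIT]}, {"ports": [HTTPS]}])      # two independent rules
COMBINED = _policy([{"to": [GIT], "ports": [HTTPS]}])     # one rule, both must match

if __name__ == "__main__":
    for name, pol in (("split", SPLIT), ("combined", COMBINED)):
        print(name, audit_egress(pol, "203.0.113.10/32", 443) or "ok")
```

To audit a live policy, pass the parsed output of `kubectl get networkpolicy bas-allow-git -o json` as `policy`. Network policies are additive, so other policies that select the same pods can still allow further egress.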