feature(github): delegation to github for user management
This commit is contained in:
sido
parent
b291f5450e
commit
10557d2d8f
|
|
@ -25,48 +25,58 @@ Array values can be added as {value, value, value}.
|
|||
jenkins.Master.HostName=jenkins.molgenis.org
|
||||
jenkins.Master.AdminPassword=pa$$word
|
||||
jenkins.Persistence.Enabled=false
|
||||
jenkins.Master.InstallPlugins={kubernetes:1.8.4, workflow-aggregator:2.5, workflow-job:2.21, credentials-binding:1.16, git:3.9.1}
|
||||
jenkins.Master.InstallPlugins={kubernetes:1.8.4, workflow-aggregator:2.5, workflow-job:2.21, credentials-binding:1.16, git:3.9.1, blueocean:1.6.2, github-oauth:0.29}
|
||||
jenkins.Master.Security.UseGitHub=false
|
||||
## if UseGitHub=true
|
||||
jenkins.Master.Security.GitHub.ClientID=id
|
||||
jenkins.Master.Security.GitHub.ClientSecret=S3cr3t
|
||||
## end UseGitHub=true
|
||||
PipelineSecrets.Env.PGPPassphrase=literal:S3cr3t
|
||||
```
|
||||
|
||||
You can use [all configuration values of the jenkins subchart](https://github.com/kubernetes/charts/tree/master/stable/jenkins).
|
||||
> Because we use jenkins as a sub-chart, you should prefix all value keys with `jenkins`!
|
||||
|
||||
### GitHub Authentication delegation
|
||||
You need to setup a MOLGENIS - Jenkins GitHub OAuth App. You can do this by accessing this url: [add new OAuth app](https://github.com/settings/applications/new).
|
||||
|
||||
### Additional configuration
|
||||
There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`:
|
||||
## PipelineSecrets
|
||||
|
||||
When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins
|
||||
build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
|
||||
each other with their own secrets.
|
||||
* PipelineSecrets
|
||||
|
||||
You can override the values at deploy time but otherwise also configure them
|
||||
[in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl.
|
||||
When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins
|
||||
build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
|
||||
each other with their own secrets.
|
||||
|
||||
### Env
|
||||
Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables
|
||||
in the slave pods.
|
||||
You can override the values at deploy time but otherwise also configure them
|
||||
[in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl.
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| ---------------------------------- | ---------------------------------------- | --------------- |
|
||||
| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
|
||||
| `PipelineSecrets.Env.PGPPassphrase`| passphrase for the pgp signing key | `literal:xxxx` |
|
||||
| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
|
||||
| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
|
||||
| `PipelineSecrets.Env.NexusPassword`| token for molgenis-jenkins user in NEXUS | `xxxx` |
|
||||
| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | |
|
||||
* Env
|
||||
|
||||
Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables
|
||||
in the slave pods.
|
||||
|
||||
### File
|
||||
| Parameter | Description | Default |
|
||||
| ---------------------------------- | ---------------------------------------- | --------------- |
|
||||
| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
|
||||
| `PipelineSecrets.Env.PGPPassphrase`| passphrase for the pgp signing key | `literal:xxxx` |
|
||||
| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
|
||||
| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
|
||||
| `PipelineSecrets.Env.NexusPassword`| token for molgenis-jenkins user in NEXUS | `xxxx` |
|
||||
| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | |
|
||||
|
||||
Environment variables stored in molgenis-pipeline-file secret, to be mounted as files
|
||||
in the `/root/.m2` directory of the slave pods.
|
||||
> The settings.xml file references the
|
||||
* File
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
|
||||
| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` |
|
||||
| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
|
||||
| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml)) |
|
||||
Environment variables stored in molgenis-pipeline-file secret, to be mounted as files
|
||||
in the `/root/.m2` directory of the slave pods.
|
||||
> The settings.xml file references the
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
|
||||
| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` |
|
||||
| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
|
||||
| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml)) |
|
||||
|
||||
## Command line use
|
||||
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
|
||||
|
|
@ -78,5 +88,5 @@ For example,
|
|||
$ helm install --name jenkins -f values.yaml molgenis-jenkins
|
||||
```
|
||||
|
||||
> **Tip**: You can use the default [values.yaml](values.yaml)
|
||||
> **Tip**: You can use the default [values.yaml](values.yaml)
|
||||
|
||||
|
|
|
|||
|
|
@ -15,7 +15,17 @@ data:
|
|||
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
|
||||
<denyAnonymousReadAccess>true</denyAnonymousReadAccess>
|
||||
</authorizationStrategy>
|
||||
{{- if .Values.Security.UseGitHub }}
|
||||
<securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
|
||||
<githubWebUri>https://github.com</githubWebUri>
|
||||
<githubApiUri>https://api.github.com</githubApiUri>
|
||||
<clientID>{{ .Values.Master.Security.Github.ClientID }}</clientID>
|
||||
<clientSecret>{{ .Values.Master.Security.Github.ClientSecret }}</clientSecret>
|
||||
<oauthScopes>read:org,user:email</oauthScopes>
|
||||
</securityRealm>
|
||||
{{- else }}
|
||||
<securityRealm class="hudson.security.LegacySecurityRealm"/>
|
||||
{{- end }}
|
||||
<disableRememberMe>false</disableRememberMe>
|
||||
<projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
|
||||
<workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULLNAME}</workspaceDir>
|
||||
|
|
|
|||
|
|
@ -10,7 +10,13 @@ jenkins:
|
|||
- git:3.9.1
|
||||
- github-branch-source:2.3.6
|
||||
- kubernetes-credentials-provider:0.9
|
||||
- blueocean:1.6.1
|
||||
- blueocean:1.6.2
|
||||
- github-oauth:0.29
|
||||
Security:
|
||||
UseGitHub: false
|
||||
GitHub:
|
||||
ClientID: ""
|
||||
ClienSecret: ""
|
||||
Jobs: |-
|
||||
molgenis: |-
|
||||
<?xml version='1.1' encoding='UTF-8'?>
|
||||
|
|
|
|||
Loading…
Reference in New Issue