1
0

feature(github): delegation to github for user management

This commit is contained in:
sido 2018-07-03 23:44:36 +02:00
parent b291f5450e
commit 10557d2d8f
3 changed files with 55 additions and 29 deletions

View File

@ -25,48 +25,58 @@ Array values can be added as {value, value, value}.
jenkins.Master.HostName=jenkins.molgenis.org jenkins.Master.HostName=jenkins.molgenis.org
jenkins.Master.AdminPassword=pa$$word jenkins.Master.AdminPassword=pa$$word
jenkins.Persistence.Enabled=false jenkins.Persistence.Enabled=false
jenkins.Master.InstallPlugins={kubernetes:1.8.4, workflow-aggregator:2.5, workflow-job:2.21, credentials-binding:1.16, git:3.9.1} jenkins.Master.InstallPlugins={kubernetes:1.8.4, workflow-aggregator:2.5, workflow-job:2.21, credentials-binding:1.16, git:3.9.1, blueocean:1.6.2, github-oauth:0.29}
jenkins.Master.Security.UseGitHub=false
## if UseGitHub=true
jenkins.Master.Security.GitHub.ClientID=id
jenkins.Master.Security.GitHub.ClientSecret=S3cr3t
## end UseGitHub=true
PipelineSecrets.Env.PGPPassphrase=literal:S3cr3t PipelineSecrets.Env.PGPPassphrase=literal:S3cr3t
``` ```
You can use [all configuration values of the jenkins subchart](https://github.com/kubernetes/charts/tree/master/stable/jenkins). You can use [all configuration values of the jenkins subchart](https://github.com/kubernetes/charts/tree/master/stable/jenkins).
> Because we use jenkins as a sub-chart, you should prefix all value keys with `jenkins`! > Because we use jenkins as a sub-chart, you should prefix all value keys with `jenkins`!
### GitHub Authentication delegation
You need to setup a MOLGENIS - Jenkins GitHub OAuth App. You can do this by accessing this url: [add new OAuth app](https://github.com/settings/applications/new).
### Additional configuration
There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`: There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`:
## PipelineSecrets
When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins * PipelineSecrets
build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
each other with their own secrets.
You can override the values at deploy time but otherwise also configure them When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins
[in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl. build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
each other with their own secrets.
### Env You can override the values at deploy time but otherwise also configure them
Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables [in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl.
in the slave pods.
| Parameter | Description | Default | * Env
| ---------------------------------- | ---------------------------------------- | --------------- |
| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
| `PipelineSecrets.Env.PGPPassphrase`| passphrase for the pgp signing key | `literal:xxxx` |
| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
| `PipelineSecrets.Env.NexusPassword`| token for molgenis-jenkins user in NEXUS | `xxxx` |
| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | |
### File Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables
in the slave pods.
Environment variables stored in molgenis-pipeline-file secret, to be mounted as files | Parameter | Description | Default |
in the `/root/.m2` directory of the slave pods. | ---------------------------------- | ---------------------------------------- | --------------- |
> The settings.xml file references the | `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
| `PipelineSecrets.Env.PGPPassphrase`| passphrase for the pgp signing key | `literal:xxxx` |
| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
| `PipelineSecrets.Env.NexusPassword`| token for molgenis-jenkins user in NEXUS | `xxxx` |
| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | |
| Parameter | Description | Default | * File
| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` |
| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml)) |
Environment variables stored in molgenis-pipeline-file secret, to be mounted as files
in the `/root/.m2` directory of the slave pods.
> The settings.xml file references the
| Parameter | Description | Default |
| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` |
| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml)) |
## Command line use ## Command line use
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.

View File

@ -15,7 +15,17 @@ data:
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"> <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>true</denyAnonymousReadAccess> <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
</authorizationStrategy> </authorizationStrategy>
{{- if .Values.Security.UseGitHub }}
<securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
<githubWebUri>https://github.com</githubWebUri>
<githubApiUri>https://api.github.com</githubApiUri>
<clientID>{{ .Values.Master.Security.Github.ClientID }}</clientID>
<clientSecret>{{ .Values.Master.Security.Github.ClientSecret }}</clientSecret>
<oauthScopes>read:org,user:email</oauthScopes>
</securityRealm>
{{- else }}
<securityRealm class="hudson.security.LegacySecurityRealm"/> <securityRealm class="hudson.security.LegacySecurityRealm"/>
{{- end }}
<disableRememberMe>false</disableRememberMe> <disableRememberMe>false</disableRememberMe>
<projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/> <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
<workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULLNAME}</workspaceDir> <workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULLNAME}</workspaceDir>

View File

@ -10,7 +10,13 @@ jenkins:
- git:3.9.1 - git:3.9.1
- github-branch-source:2.3.6 - github-branch-source:2.3.6
- kubernetes-credentials-provider:0.9 - kubernetes-credentials-provider:0.9
- blueocean:1.6.1 - blueocean:1.6.2
- github-oauth:0.29
Security:
UseGitHub: false
GitHub:
ClientID: ""
ClienSecret: ""
Jobs: |- Jobs: |-
molgenis: |- molgenis: |-
<?xml version='1.1' encoding='UTF-8'?> <?xml version='1.1' encoding='UTF-8'?>