feature(github): delegation to github for user management
This commit is contained in:
sido
parent
b291f5450e
commit
10557d2d8f
@ -25,48 +25,58 @@ Array values can be added as {value, value, value}.
|
|||||||
jenkins.Master.HostName=jenkins.molgenis.org
|
jenkins.Master.HostName=jenkins.molgenis.org
|
||||||
jenkins.Master.AdminPassword=pa$$word
|
jenkins.Master.AdminPassword=pa$$word
|
||||||
jenkins.Persistence.Enabled=false
|
jenkins.Persistence.Enabled=false
|
||||||
jenkins.Master.InstallPlugins={kubernetes:1.8.4, workflow-aggregator:2.5, workflow-job:2.21, credentials-binding:1.16, git:3.9.1}
|
jenkins.Master.InstallPlugins={kubernetes:1.8.4, workflow-aggregator:2.5, workflow-job:2.21, credentials-binding:1.16, git:3.9.1, blueocean:1.6.2, github-oauth:0.29}
|
||||||
|
jenkins.Master.Security.UseGitHub=false
|
||||||
|
## if UseGitHub=true
|
||||||
|
jenkins.Master.Security.GitHub.ClientID=id
|
||||||
|
jenkins.Master.Security.GitHub.ClientSecret=S3cr3t
|
||||||
|
## end UseGitHub=true
|
||||||
PipelineSecrets.Env.PGPPassphrase=literal:S3cr3t
|
PipelineSecrets.Env.PGPPassphrase=literal:S3cr3t
|
||||||
```
|
```
|
||||||
|
|
||||||
You can use [all configuration values of the jenkins subchart](https://github.com/kubernetes/charts/tree/master/stable/jenkins).
|
You can use [all configuration values of the jenkins subchart](https://github.com/kubernetes/charts/tree/master/stable/jenkins).
|
||||||
> Because we use jenkins as a sub-chart, you should prefix all value keys with `jenkins`!
|
> Because we use jenkins as a sub-chart, you should prefix all value keys with `jenkins`!
|
||||||
|
|
||||||
|
### GitHub Authentication delegation
|
||||||
|
You need to setup a MOLGENIS - Jenkins GitHub OAuth App. You can do this by accessing this url: [add new OAuth app](https://github.com/settings/applications/new).
|
||||||
|
|
||||||
|
### Additional configuration
|
||||||
There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`:
|
There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`:
|
||||||
## PipelineSecrets
|
|
||||||
|
|
||||||
When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins
|
* PipelineSecrets
|
||||||
build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
|
|
||||||
each other with their own secrets.
|
|
||||||
|
|
||||||
You can override the values at deploy time but otherwise also configure them
|
When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins
|
||||||
[in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl.
|
build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
|
||||||
|
each other with their own secrets.
|
||||||
|
|
||||||
### Env
|
You can override the values at deploy time but otherwise also configure them
|
||||||
Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables
|
[in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl.
|
||||||
in the slave pods.
|
|
||||||
|
|
||||||
| Parameter | Description | Default |
|
* Env
|
||||||
| ---------------------------------- | ---------------------------------------- | --------------- |
|
|
||||||
| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
|
Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables
|
||||||
| `PipelineSecrets.Env.PGPPassphrase`| passphrase for the pgp signing key | `literal:xxxx` |
|
in the slave pods.
|
||||||
| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
|
|
||||||
| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
|
|
||||||
| `PipelineSecrets.Env.NexusPassword`| token for molgenis-jenkins user in NEXUS | `xxxx` |
|
|
||||||
| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | |
|
|
||||||
|
|
||||||
### File
|
| Parameter | Description | Default |
|
||||||
|
| ---------------------------------- | ---------------------------------------- | --------------- |
|
||||||
|
| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
|
||||||
|
| `PipelineSecrets.Env.PGPPassphrase`| passphrase for the pgp signing key | `literal:xxxx` |
|
||||||
|
| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
|
||||||
|
| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
|
||||||
|
| `PipelineSecrets.Env.NexusPassword`| token for molgenis-jenkins user in NEXUS | `xxxx` |
|
||||||
|
| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | |
|
||||||
|
|
||||||
Environment variables stored in molgenis-pipeline-file secret, to be mounted as files
|
* File
|
||||||
in the `/root/.m2` directory of the slave pods.
|
|
||||||
> The settings.xml file references the
|
|
||||||
|
|
||||||
| Parameter | Description | Default |
|
Environment variables stored in molgenis-pipeline-file secret, to be mounted as files
|
||||||
| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
|
in the `/root/.m2` directory of the slave pods.
|
||||||
| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` |
|
> The settings.xml file references the
|
||||||
| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
|
|
||||||
| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml)) |
|
|
||||||
|
|
||||||
|
| Parameter | Description | Default |
|
||||||
|
| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
|
||||||
|
| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` |
|
||||||
|
| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
|
||||||
|
| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml)) |
|
||||||
|
|
||||||
## Command line use
|
## Command line use
|
||||||
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
|
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
|
||||||
@ -78,5 +88,5 @@ For example,
|
|||||||
$ helm install --name jenkins -f values.yaml molgenis-jenkins
|
$ helm install --name jenkins -f values.yaml molgenis-jenkins
|
||||||
```
|
```
|
||||||
|
|
||||||
> **Tip**: You can use the default [values.yaml](values.yaml)
|
> **Tip**: You can use the default [values.yaml](values.yaml)
|
||||||
|
|
||||||
|
|||||||
@ -15,7 +15,17 @@ data:
|
|||||||
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
|
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
|
||||||
<denyAnonymousReadAccess>true</denyAnonymousReadAccess>
|
<denyAnonymousReadAccess>true</denyAnonymousReadAccess>
|
||||||
</authorizationStrategy>
|
</authorizationStrategy>
|
||||||
|
{{- if .Values.Security.UseGitHub }}
|
||||||
|
<securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
|
||||||
|
<githubWebUri>https://github.com</githubWebUri>
|
||||||
|
<githubApiUri>https://api.github.com</githubApiUri>
|
||||||
|
<clientID>{{ .Values.Master.Security.Github.ClientID }}</clientID>
|
||||||
|
<clientSecret>{{ .Values.Master.Security.Github.ClientSecret }}</clientSecret>
|
||||||
|
<oauthScopes>read:org,user:email</oauthScopes>
|
||||||
|
</securityRealm>
|
||||||
|
{{- else }}
|
||||||
<securityRealm class="hudson.security.LegacySecurityRealm"/>
|
<securityRealm class="hudson.security.LegacySecurityRealm"/>
|
||||||
|
{{- end }}
|
||||||
<disableRememberMe>false</disableRememberMe>
|
<disableRememberMe>false</disableRememberMe>
|
||||||
<projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
|
<projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
|
||||||
<workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULLNAME}</workspaceDir>
|
<workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULLNAME}</workspaceDir>
|
||||||
|
|||||||
@ -10,7 +10,13 @@ jenkins:
|
|||||||
- git:3.9.1
|
- git:3.9.1
|
||||||
- github-branch-source:2.3.6
|
- github-branch-source:2.3.6
|
||||||
- kubernetes-credentials-provider:0.9
|
- kubernetes-credentials-provider:0.9
|
||||||
- blueocean:1.6.1
|
- blueocean:1.6.2
|
||||||
|
- github-oauth:0.29
|
||||||
|
Security:
|
||||||
|
UseGitHub: false
|
||||||
|
GitHub:
|
||||||
|
ClientID: ""
|
||||||
|
ClienSecret: ""
|
||||||
Jobs: |-
|
Jobs: |-
|
||||||
molgenis: |-
|
molgenis: |-
|
||||||
<?xml version='1.1' encoding='UTF-8'?>
|
<?xml version='1.1' encoding='UTF-8'?>
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user