1
0
Fork 0

Merge branch 'add-github-delegation' of p281392/molgenis-ops-docker-helm into master

This commit is contained in:
Fleur Kelpin 2018-07-04 12:41:08 +02:00 committed by Gogs
commit 24220fd982
3 changed files with 55 additions and 29 deletions

View File

@ -25,49 +25,59 @@ Array values can be added as {value, value, value}.
jenkins.Master.HostName=jenkins.molgenis.org
jenkins.Master.AdminPassword=pa$$word
jenkins.Persistence.Enabled=false
jenkins.Master.InstallPlugins={kubernetes:1.8.4, workflow-aggregator:2.5, workflow-job:2.21, credentials-binding:1.16, git:3.9.1}
jenkins.Master.InstallPlugins={kubernetes:1.8.4, workflow-aggregator:2.5, workflow-job:2.21, credentials-binding:1.16, git:3.9.1, blueocean:1.6.2, github-oauth:0.29}
jenkins.Master.Security.UseGitHub=false
## if UseGitHub=true
jenkins.Master.Security.GitHub.ClientID=id
jenkins.Master.Security.GitHub.ClientSecret=S3cr3t
## end UseGitHub=true
PipelineSecrets.Env.PGPPassphrase=literal:S3cr3t
```
You can use [all configuration values of the jenkins subchart](https://github.com/kubernetes/charts/tree/master/stable/jenkins).
> Because we use jenkins as a sub-chart, you should prefix all value keys with `jenkins`!
### GitHub Authentication delegation
You need to setup a MOLGENIS - Jenkins GitHub OAuth App. You can do this by accessing this url: [add new OAuth app](https://github.com/settings/applications/new).
### Additional configuration
There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`:
## PipelineSecrets
When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins
build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
each other with their own secrets.
* PipelineSecrets
You can override the values at deploy time but otherwise also configure them
[in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl.
When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins
build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
each other with their own secrets.
### Env
Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables
in the slave pods.
You can override the values at deploy time but otherwise also configure them
[in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl.
| Parameter | Description | Default |
| -------------------------------------- | ----------------------------------------- | --------------- |
| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
| `PipelineSecrets.Env.PGPPassphrase` | passphrase for the pgp signing key | `literal:xxxx` |
| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
| `PipelineSecrets.Env.NexusPassword` | token for molgenis-jenkins user in NEXUS | `xxxx` |
| `PipelineSecrets.Env.DockerHubPassword`| token for molgenis user in hub.docker.com | `xxxx` |
| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | |
* Env
Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables
in the slave pods.
### File
| Parameter | Description | Default |
| -------------------------------------- | ----------------------------------------- | --------------- |
| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
| `PipelineSecrets.Env.PGPPassphrase` | passphrase for the pgp signing key | `literal:xxxx` |
| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
| `PipelineSecrets.Env.NexusPassword` | token for molgenis-jenkins user in NEXUS | `xxxx` |
| `PipelineSecrets.Env.DockerHubPassword`| token for molgenis user in hub.docker.com | `xxxx` |
| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | |
Environment variables stored in molgenis-pipeline-file secret, to be mounted as files
in the `/root/.m2` directory of the slave pods.
> The settings.xml file references the
* File
| Parameter | Description | Default |
| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` |
| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml)) |
Environment variables stored in molgenis-pipeline-file secret, to be mounted as files
in the `/root/.m2` directory of the slave pods.
> The settings.xml file references the
| Parameter | Description | Default |
| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` |
| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml)) |
## Command line use
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.

View File

@ -15,7 +15,17 @@ data:
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>true</denyAnonymousReadAccess>
</authorizationStrategy>
{{- if .Values.jenkins.Master.Security.UseGitHub }}
<securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
<githubWebUri>https://github.com</githubWebUri>
<githubApiUri>https://api.github.com</githubApiUri>
<clientID>{{ .Values.jenkins.Master.Security.Github.ClientID }}</clientID>
<clientSecret>{{ .Values.jenkins.Master.Security.Github.ClientSecret }}</clientSecret>
<oauthScopes>read:org,user:email</oauthScopes>
</securityRealm>
{{- else }}
<securityRealm class="hudson.security.LegacySecurityRealm"/>
{{- end }}
<disableRememberMe>false</disableRememberMe>
<projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
<workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULLNAME}</workspaceDir>

View File

@ -10,7 +10,13 @@ jenkins:
- git:3.9.1
- github-branch-source:2.3.6
- kubernetes-credentials-provider:0.9
- blueocean:1.6.1
- blueocean:1.6.2
- github-oauth:0.29
Security:
UseGitHub: false
GitHub:
ClientID: ""
ClienSecret: ""
Jobs: |-
molgenis: |-
<?xml version='1.1' encoding='UTF-8'?>