diff --git a/molgenis-jenkins/README.md b/molgenis-jenkins/README.md
index a2d1866..48c0a53 100644
--- a/molgenis-jenkins/README.md
+++ b/molgenis-jenkins/README.md
@@ -40,57 +40,62 @@ You can use [all configuration values of the jenkins subchart](https://github.co
### GitHub Authentication delegation
You need to setup a MOLGENIS - Jenkins GitHub OAuth App. You can do this by accessing this url: [add new OAuth app](https://github.com/settings/applications/new).
-### Additional configuration
-There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`:
+### Secrets
-* PipelineSecrets
-
- When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins
- build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
- each other with their own secrets.
+ When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins.
You can override the values at deploy time but otherwise also configure them
[in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl.
-* Vault
+#### Vault
- New vault token to be used by the pods to retrieve their tokens from the vault.
+The vault secret gets mounted in the vault pod so pipeline scripts can retrieve secrets from the vault.
+
+| Parameter | Description | Default |
+| ------------------------- | ------------------------------------------ | ---------------------------------------------- |
+| `secret.vault.token` | Token to log into the hashicorp vault | `xxxx` |
+| `secret.vault.addr` | Address of the vault | `https:vault-operator.vault-operator.svc:8200` |
+| `secret.vault.skipVerify` | Skip verification of the https connection | `1` |
+
+#### GitHub
+
+Token used by Jenkins to authenticate on GitHub.
+
+| Parameter | Description | Default |
+| --------------------- | ------------------------ | ------------------ |
+| `secret.gitHub.user` | username for the account | `molgenis-jenkins` |
+| `secret.gitHub.token` | token for the account | `xxxx` |
+
+#### Gogs
+
+Token used by Jenkins to authenticate on the [RuG Webhosting Gogs](https://git.webhosting.rug.nl).
+
+| Parameter | Description | Default |
+| ------------------- | ------------------------ | --------- |
+| `secret.gogs.user` | username for the account | `p281392` |
+| `secret.gogs.token` | token for the account | `xxxx` |
+
+#### Legacy:
+
+##### Docker Hub
- | Parameter | Description | Default |
- | ---------------------------------- | ------------------------------------------ | ---------------------------------------------- |
- | `PipelineSecrets.Vault.Replace` | Replace the molgenis-pipeline-vault secret | `true` |
- | `PipelineSecrets.Vault.Token` | Token to log into the hashicorp vault | `xxxx` |
- | `PipelineSecrets.Vault.Addr` | Address of the vault | `https:vault-operator.vault-operator.svc:8200` |
- | `PipelineSecrets.Vault.SkipVerify` | Skip verification of the https connection | `1` |
+Account used in pipeline builds to push docker images to `hub.docker.com`.
+> They should read `secret/gcc/account/dockerhub` from vault instead!
-* Env
+| Parameter | Description | Default |
+| --------------------------- | ------------------------ | --------------- |
+| `secret.dockerHub.user` | username for the account | `molgenisci` |
+| `secret.dockerHub.password` | password for the account | `xxxx` |
+
+##### Registry
- Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables
- in the slave pods.
+Account used in pipeline builds to push docker images to `registry.molgenis.org`.
+> They should read `secret/ops/account/nexus` from vault instead!
- | Parameter | Description | Default |
- | --------------------------------------- | ----------------------------------------- | --------------- |
- | `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
- | `PipelineSecrets.Env.PGPPassphrase` | passphrase for the pgp signing key | `literal:xxxx` |
- | `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
- | `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
- | `PipelineSecrets.Env.NexusPassword` | token for molgenis-jenkins user in NEXUS | `xxxx` |
- | `PipelineSecrets.Env.DockerHubPassword` | token for molgenis user in hub.docker.com | `xxxx` |
- | `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` |
- | `PipelineSecrets.Env.NpmToken` | token for npmjs.org | `xxxx` |
- | `PipelineSecrets.Env.SauceAccessKey` | token for saucelabs.com | `xxxx` |
-
-* File
-
- Environment variables stored in molgenis-pipeline-file secret, to be mounted as files
- in the `/root/.m2` directory of the slave pods.
- > The settings.xml file references the
-
- | Parameter | Description | Default |
- | -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
- | `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` |
- | `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
- | `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `[...]` (see actual [values.yaml](values.yaml)) |
+| Parameter | Description | Default |
+| --------------------------- | ------------------------ | --------- |
+| `secret.dockerHub.user` | username for the account | `admin` |
+| `secret.dockerHub.password` | password for the account | `xxxx` |
## Command line use
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
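Review bot: the Registry table at the end of this hunk reuses the Docker Hub parameter names (`secret.dockerHub.user` / `secret.dockerHub.password`, default `admin`), but the values.yaml and the new registry template in this change read `secret.registry.user` / `secret.registry.password`; the rows should be `| \`secret.registry.user\` | username for the account | \`admin\` |` and `| \`secret.registry.password\` | password for the account | \`xxxx\` |`. The Vault table default `https:vault-operator.vault-operator.svc:8200` is missing `//` (values.yaml has `https://vault-operator.vault-operator.svc:8200`). Since `secret.vault.skipVerify` defaults to `1` and disables TLS verification on the connection that carries the vault token, the description should say that a real deployment must set a trusted address and `0`. The heading `#### Legacy:` should lose its trailing colon to match the other headings.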
diff --git a/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml
index e5a6214..5c35b46 100644
--- a/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml
@@ -8,9 +8,9 @@ metadata:
"jenkins.io/credentials-type": "usernamePassword"
annotations: {
# description - can not be a label as spaces are not allowed
- "jenkins.io/credentials-description" : "user to authenticate against Docker Hub (hub.docker.com)"
+ "jenkins.io/credentials-description" : "(deprecated by vault) Account used in pipeline builds to push docker images to Docker Hub (hub.docker.com)"
}
type: Opaque
data:
- username: {{ "molgenisci" | b64enc | quote }}
- password: {{ .Values.PipelineSecrets.Env.DockerHubPassword | b64enc | quote }}
\ No newline at end of file
+ username: {{ .Values.secret.registry.user | b64enc | quote }}
+ password: {{ .Values.secret.registry.password | b64enc | quote }}
\ No newline at end of file
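Review bot: the `data` section now reads `.Values.secret.registry.user` / `.Values.secret.registry.password`, but this is the Docker Hub secret and values.yaml defines `secret.dockerHub.user: molgenisci` / `secret.dockerHub.password` for it; as written the Docker Hub credential is rendered with the `admin` account meant for registry.molgenis.org. Change the two lines to `username: {{ .Values.secret.dockerHub.user | b64enc | quote }}` and `password: {{ .Values.secret.dockerHub.password | b64enc | quote }}`.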
diff --git a/molgenis-jenkins/templates/molgenis-jenkins-github-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-github-secret.yaml
index 2e7eba7..dc2b8df 100644
--- a/molgenis-jenkins/templates/molgenis-jenkins-github-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-github-secret.yaml
@@ -8,9 +8,9 @@ metadata:
"jenkins.io/credentials-type": "usernamePassword"
annotations: {
# description - can not be a label as spaces are not allowed
- "jenkins.io/credentials-description" : "oauth token for the molgenis-jenkins github user"
+ "jenkins.io/credentials-description" : "Oauth token for the {{.Values.secret.gitHub.user}} GitHub user"
}
type: Opaque
data:
- username: {{ "molgenis-jenkins" | b64enc | quote }}
- password: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
\ No newline at end of file
+ username: {{ .Values.secret.gitHub.user | b64enc | quote }}
+ password: {{ .Values.secret.gitHub.token | b64enc | quote }}
\ No newline at end of file
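Review bot: the description annotation interpolates `{{.Values.secret.gitHub.user}}` directly inside a hand-written double-quoted YAML string, unlike the `data` fields which go through `| quote`; a user value containing a double quote or backslash would break rendering. Either drop the interpolation from the free-text description or pipe the value through `quote` and let it provide the surrounding quotes. Minor: `Oauth` should be `OAuth`.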
diff --git a/molgenis-jenkins/templates/molgenis-jenkins-gogs-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-gogs-secret.yaml
index a16303d..ff6ae17 100644
--- a/molgenis-jenkins/templates/molgenis-jenkins-gogs-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-gogs-secret.yaml
@@ -8,9 +8,9 @@ metadata:
"jenkins.io/credentials-type": "usernamePassword"
annotations: {
# description - can not be a label as spaces are not allowed
- "jenkins.io/credentials-description" : "user to authenticate against GOGS (git.webhosting.rug.nl)"
+ "jenkins.io/credentials-description" : "Account used to authenticate against RuG Webhosting Gogs."
}
type: Opaque
data:
- username: {{ "p281392" | b64enc | quote }}
- password: {{ .Values.PipelineSecrets.Env.GogsToken | b64enc | quote }}
\ No newline at end of file
+ username: {{ .Values.secret.gogs.user | b64enc | quote }}
+ password: {{ .Values.secret.gogs.token | b64enc | quote }}
\ No newline at end of file
diff --git a/molgenis-jenkins/templates/molgenis-jenkins-nexus-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-nexus-secret.yaml
deleted file mode 100644
index 4518e15..0000000
--- a/molgenis-jenkins/templates/molgenis-jenkins-nexus-secret.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-# this is the jenkins id.
- name: "molgenis-jenkins-nexus-secret"
- labels:
-# so we know what type it is.
- "jenkins.io/credentials-type": "usernamePassword"
- annotations: {
-# description - can not be a label as spaces are not allowed
- "jenkins.io/credentials-description" : "user to authenticate against NEXUS"
- }
-type: Opaque
-data:
- username: {{ "admin" | b64enc | quote }}
- password: {{ .Values.PipelineSecrets.Env.NexusPassword | b64enc | quote }}
\ No newline at end of file
diff --git a/molgenis-jenkins/templates/molgenis-jenkins-registry-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-registry-secret.yaml
new file mode 100644
index 0000000..b853055
--- /dev/null
+++ b/molgenis-jenkins/templates/molgenis-jenkins-registry-secret.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: molgenis-jenkins-registry-secret
+ labels:
+ app: {{ template "jenkins.fullname" . }}
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+ annotations: {
+# description - can not be a label as spaces are not allowed
+ "jenkins.io/credentials-description" : "(deprecated by vault) Account used in pipeline builds to push docker images to registry.molgenis.org."
+ }
+type: Opaque
+data:
+ username: {{ .Values.secret.registry.user | b64enc | quote }}
+ password: {{ .Values.secret.registry.password | b64enc | quote }}
\ No newline at end of file
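Review bot: this new template lacks the `"jenkins.io/credentials-type": "usernamePassword"` label that the dockerhub, github and gogs secret templates in this change carry (with the comment "so we know what type it is"), so it is not marked as a username/password credential the way its siblings are; add the label next to `app`/`chart`/`release`/`heritage`. The annotation text `(deprecated by vault)` on a freshly added file is confusing; if the README's `secret/ops/account/nexus` vault path is the intended replacement, name it in the annotation so readers know where to migrate.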
diff --git a/molgenis-jenkins/templates/molgenis-jenkins-saucelabs-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-saucelabs-secret.yaml
deleted file mode 100644
index 382ba17..0000000
--- a/molgenis-jenkins/templates/molgenis-jenkins-saucelabs-secret.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-# this is the jenkins id.
- name: "molgenis-jenkins-saucelabs-secret"
- labels:
-# so we know what type it is.
- "jenkins.io/credentials-type": "usernamePassword"
- annotations: {
-# description - can not be a label as spaces are not allowed
- "jenkins.io/credentials-description" : "user to authenticate against Saucelabs (saucelabs.com)"
- }
-type: Opaque
-data:
- username: {{ "molgenis-jenkins" | b64enc | quote }}
- password: {{ .Values.PipelineSecrets.Env.SauceAccessKey | b64enc | quote }}
\ No newline at end of file
diff --git a/molgenis-jenkins/templates/molgenis-pipeline-env-secret.yaml b/molgenis-jenkins/templates/molgenis-pipeline-env-secret.yaml
deleted file mode 100644
index ffdfd64..0000000
--- a/molgenis-jenkins/templates/molgenis-pipeline-env-secret.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if .Values.PipelineSecrets.Env.Replace }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: molgenis-pipeline-env-secret
- labels:
- app: {{ template "jenkins.fullname" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ .Release.Name }}"
- heritage: "{{ .Release.Service }}"
-type: Opaque
-data:
- pgpPassphrase: {{ .Values.PipelineSecrets.Env.PGPPassphrase | b64enc | quote }}
- codecovToken: {{ .Values.PipelineSecrets.Env.CodecovToken | b64enc | quote }}
- githubToken: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
- sonarToken: {{ .Values.PipelineSecrets.Env.SonarToken | b64enc | quote }}
- npmToken: {{ .Values.PipelineSecrets.Env.NpmToken | b64enc | quote }}
-{{- end }}
\ No newline at end of file
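Review bot: deleting this secret drops the `codecovToken`, `sonarToken` and `npmToken` entries, but the README hunk in this change only documents vault replacements for the Docker Hub and Nexus accounts (`secret/gcc/account/dockerhub`, `secret/ops/account/nexus`). Document where pipelines now obtain the codecov, sonar and npm tokens, or state that those integrations are removed. The `node` pod EnvVars that referenced `molgenis-pipeline-env-secret` are removed in the values.yaml hunk, so no dangling reference remains there; confirm the same for any Jenkinsfile that consumed `CODECOV_TOKEN`, `SONAR_TOKEN` or `NPM_TOKEN`.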
diff --git a/molgenis-jenkins/templates/molgenis-pipeline-file-secret.yaml b/molgenis-jenkins/templates/molgenis-pipeline-file-secret.yaml
deleted file mode 100644
index 65ac30b..0000000
--- a/molgenis-jenkins/templates/molgenis-pipeline-file-secret.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- if .Values.PipelineSecrets.File.Replace }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: molgenis-pipeline-file-secret
- labels:
- app: {{ template "jenkins.fullname" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ .Release.Name }}"
- heritage: "{{ .Release.Service }}"
-type: Opaque
-data:
- key.asc: {{ .Values.PipelineSecrets.File.PGPPrivateKeyAsc | b64enc | quote }}
- settings.xml: {{ .Values.PipelineSecrets.File.MavenSettingsXML | b64enc | quote }}
-{{- end }}
diff --git a/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml b/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml
index aa50fe7..da4598b 100644
--- a/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml
@@ -1,4 +1,3 @@
-{{- if .Values.PipelineSecrets.Vault.Replace }}
apiVersion: v1
kind: Secret
metadata:
@@ -10,7 +9,6 @@ metadata:
heritage: "{{ .Release.Service }}"
type: Opaque
data:
- token: {{ .Values.PipelineSecrets.Vault.Token | b64enc | quote }}
- addr: {{ .Values.PipelineSecrets.Vault.Addr | b64enc | quote }}
- skipVerify: {{ .Values.PipelineSecrets.Vault.SkipVerify | b64enc | quote }}
-{{- end }}
\ No newline at end of file
+ token: {{ .Values.secret.vault.token | b64enc | quote }}
+ addr: {{ .Values.secret.vault.addr | b64enc | quote }}
+ skipVerify: {{ .Values.secret.vault.skipVerify | b64enc | quote }}
\ No newline at end of file
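Review bot: with the `{{- if .Values.PipelineSecrets.Vault.Replace }}` guard removed in the previous hunk (its matching `{{- end }}` goes here), the secret is rendered on every install and upgrade, so a `helm upgrade` run with the default `secret.vault.token: xxxx` will overwrite a token that was set in Rancher or through kubectl, which the README in this change still describes as a supported way to configure the secrets. Either keep an opt-out flag or state in the README that the real token must be supplied in values on every upgrade. `skipVerify` still goes through `b64enc`, which needs a string; the values.yaml hunk quotes it as `"1"`, so keep that quoting.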
diff --git a/molgenis-jenkins/values.yaml b/molgenis-jenkins/values.yaml
index a5ac886..6962082 100644
--- a/molgenis-jenkins/values.yaml
+++ b/molgenis-jenkins/values.yaml
@@ -368,8 +368,8 @@ jenkins:
install: true
Pods:
molgenis:
- Label: molgenisv2
- NodeUsageMode: EXCLUSIVE
+ Label: molgenis
+ NodeUsageMode: NORMAL
volumes:
- type: HostPath
hostPath: "/var/run/docker.sock"
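Review bot: changing the `molgenis` pod template from `NodeUsageMode: EXCLUSIVE` to `NORMAL` allows jobs that do not request the `molgenis` label to be scheduled onto this template, and the template mounts the host `/var/run/docker.sock` (context line above), which grants root-equivalent access to the node; keep `EXCLUSIVE` unless every unlabeled job is meant to receive the docker socket. Jobs that still target the old `molgenisv2` label will no longer match any template after this rename.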
@@ -417,39 +417,6 @@ jenkins:
secretName: molgenis-pipeline-vault-secret
secretKey: addr
NodeSelector: {}
- molgenis-legacy:
- InheritFrom: molgenis
- Label: molgenis
- NodeUsageMode: NORMAL
- volumes:
- - type: Secret
- secretName: molgenis-pipeline-file-secret
- mountPath: "/home/jenkins/.m2"
- Containers:
- EnvVars:
- - type: Secret
- key: PGP_PASSPHRASE
- secretName: molgenis-pipeline-env-secret
- secretKey: pgpPassphrase
- - type: KeyValue
- key: PGP_SECRETKEY
- value: "keyfile:/home.jenkins/.m2/key.asc"
- - type: KeyValue
- key: npm_config_registry
- value: "http://nexus.molgenis-nexus:8081/repository/npm-central/"
- - type: Secret
- key: SONAR_TOKEN
- secretName: molgenis-pipeline-env-secret
- secretKey: sonarToken
- - type: Secret
- key: CODECOV_TOKEN
- secretName: molgenis-pipeline-env-secret
- secretKey: codecovToken
- - type: Secret
- key: GITHUB_TOKEN
- secretName: molgenis-pipeline-env-secret
- secretKey: githubToken
- NodeSelector: {}
node:
Label: node-carbon
NodeUsageMode: EXCLUSIVE
@@ -461,155 +428,45 @@ jenkins:
Command: cat
WorkingDir: /home/jenkins
TTY: true
- EnvVars:
- - type: KeyValue
- key: npm_config_registry
- value: "http://nexus.molgenis-nexus:8081/repository/npm-central/"
- - type: Secret
- key: CODECOV_TOKEN
- secretName: molgenis-pipeline-env-secret
- secretKey: codecovToken
- - type: Secret
- key: GITHUB_TOKEN
- secretName: molgenis-pipeline-env-secret
- secretKey: githubToken
- - type: Secret
- key: NPM_TOKEN
- secretName: molgenis-pipeline-env-secret
- secretKey: npmToken
- NodeSelector: {}
- molgenis-it:
- InheritFrom: molgenis
- Label: molgenis-it
- NodeUsageMode: EXCLUSIVE
- Containers:
- elasticsearch:
- Image: docker.elastic.co/elasticsearch/elasticsearch
- ImageTag: 5.5.3
- resources:
- requests:
- cpu: "100m"
- memory: "1Gi"
- limits:
- cpu: "1"
- memory: "1500Mi"
+ vault:
+ Image: "vault"
+ Command: cat
+ WorkingDir: /home/jenkins
+ TTY: true
EnvVars:
- - type: KeyValue
- key: ES_JAVA_OPTS
- value: "-Xms512m -Xmx512m"
- - type: KeyValue
- key: cluster.name
- value: molgenis
- - type: KeyValue
- key: bootstrap.memory_lock
- value: "true"
- - type: KeyValue
- key: xpack.security.enabled
- value: "false"
- - type: KeyValue
- key: discovery.type
- value: single-node
- postgres:
- Image: postgres
- ImageTag: 9.6-alpine
- resources:
- requests:
- cpu: "100m"
- memory: "250Mi"
- limits:
- cpu: "1"
- memory: "250Mi"
- EnvVars:
- - type: KeyValue
- key: POSTGRES_USER
- value: molgenis
- - type: KeyValue
- key: POSTGRES_PASSWORD
- value: molgenis
- - type: KeyValue
- key: POSTGRES_DB
- value: molgenis
- opencpu:
- Image: molgenis/opencpu
- AlwaysPullImage: true
- resources:
- requests:
- cpu: "100m"
- memory: "256Mi"
- limits:
- cpu: "1"
- memory: "512Mi"
+ - type: Secret
+ key: VAULT_TOKEN
+ secretName: molgenis-pipeline-vault-secret
+ secretKey: token
+ - type: Secret
+ key: VAULT_SKIP_VERIFY
+ secretName: molgenis-pipeline-vault-secret
+ secretKey: skipVerify
+ - type: Secret
+ key: VAULT_ADDR
+ secretName: molgenis-pipeline-vault-secret
+ secretKey: addr
NodeSelector: {}
-PipelineSecrets:
- Vault:
- Replace: true
- Token: xxxx
- Addr: "https://vault-operator.vault-operator.svc:8200"
- SkipVerify: 1
- Env:
- # Set to false to keep existing secret
- Replace: true
- # Passphrase for the pgp private key file, prefixed with literal:
- PGPPassphrase: literal:xxxx
- # Token for codecov.io service
- CodecovToken: xxxx
- # Token for github bot account
- GitHubToken: xxxx
- # Token for github bot account
- GogsToken: xxxx
- # Token for sonarcloud.io
- SonarToken: xxxx
- # Token for npmjs.org
- NpmToken: xxxx
- # Password Local NEXUS
- NexusPassword: xxxx
- # Password hub.docker.com
- DockerHubPassword: xxxx
- # Access key for saucelabs.com
- SauceAccessKey: xxxx
- File:
- # Set to false to keep existing secret
- Replace: true
- # PGP Private key in ascii format used to sign artifacts
- PGPPrivateKeyAsc: |-
- -----BEGIN PGP PRIVATE KEY BLOCK-----
- xxxxx
- -----END PGP PRIVATE KEY BLOCK-----
- # maven.settings file
- MavenSettingsXML: |-
-
- ${user.home}/.mvnrepository
- false
-
-
- nexus
- external:*
- http://nexus.molgenis-nexus:8081/repository/maven-central/
-
-
-
-
-
- sonatype-nexus-staging
- molgenis
- xxxx
-
-
- local-nexus
- http://nexus.molgenis-nexus:8081/repository/maven-snapshots/
- admin
- xxxxx
-
-
-
- registry.molgenis.org
- admin
- xxxx
-
-
- registry.hub.docker.com
- molgenisci
- xxxx
-
-
-
\ No newline at end of file
+#secret contains configuration for the kubernetes secrets that jenkins can access
+secret:
+ # vault configures the vault secret
+ vault:
+ token: xxxx
+ addr: "https://vault-operator.vault-operator.svc:8200"
+ skipVerify: "1"
+ # githubToken contains access token for jenkins bot account on github.com
+ gitHub:
+ user: "molgenis-jenkins"
+ token: xxxx
+ # gogs contains access token for jenkins bot account on RuG GoGs
+ gogs:
+ user: p281392
+ token: xxxx
+ # registry contains credentials for registry.molgenis.org
+ registry:
+ user: admin
+ password: xxxx
+ # dockerHubPassword contains password for hub.docker.com
+ dockerHub:
+ user: molgenisci
+ password: xxxx
\ No newline at end of file
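Review bot: the new `vault` container is added as `Image: "vault"` with no `ImageTag`, so it floats on the image's default tag, while the removed `elasticsearch` and `postgres` containers pinned `ImageTag: 5.5.3` and `9.6-alpine`; the container that receives `VAULT_TOKEN` is the one most worth pinning. In the new `secret:` block two comments name keys that do not exist: `# githubToken contains ...` sits above `gitHub:` and `# dockerHubPassword contains ...` above `dockerHub:`; rename them to match, and add the missing space in `#secret contains`. Keep `skipVerify: "1"` quoted, since the vault template pipes it through `b64enc`.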