From b291f5450e02c6416838906cc228b75d9699db64 Mon Sep 17 00:00:00 2001
From: sido
Date: Mon, 2 Jul 2018 14:10:58 +0200
Subject: [PATCH 1/6] add nexus password environment
---
 molgenis-jenkins/README.md | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/molgenis-jenkins/README.md b/molgenis-jenkins/README.md
index 9fe7bd6..2ee45ea 100644
--- a/molgenis-jenkins/README.md
+++ b/molgenis-jenkins/README.md
@@ -46,13 +46,14 @@ You can override the values at deploy time but otherwise also configure them
 Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables in the slave pods.
-| Parameter | Description | Default |
-| ---------------------------------- | ------------------------------------ | --------------- |
-| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
-| `PipelineSecrets.Env.PGPPassphrase`| passphrase for the pgp signing key | `literal:xxxx` |
-| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
-| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
-| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | |
+| Parameter | Description | Default |
+| ---------------------------------- | ---------------------------------------- | --------------- |
+| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
+| `PipelineSecrets.Env.PGPPassphrase`| passphrase for the pgp signing key | `literal:xxxx` |
+| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
+| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
+| `PipelineSecrets.Env.NexusPassword`| token for molgenis-jenkins user in NEXUS | `xxxx` |
+| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | |
 ### File
From 800d7a934c97f76ca21a5c0318d0647264540a4a Mon Sep 17 00:00:00 2001
From: sido Date: Mon, 2 Jul 2018 20:13:01 +0200 Subject: [PATCH 2/6] add docker hub credentials --- molgenis-jenkins/README.md | 17 +++++++++-------- .../molgenis-jenkins-dockerhub-secret.yaml | 16 ++++++++++++++++ molgenis-jenkins/values.yaml | 2 ++ 3 files changed, 27 insertions(+), 8 deletions(-) create mode 100644 molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml diff --git a/molgenis-jenkins/README.md b/molgenis-jenkins/README.md index 2ee45ea..c4e134a 100644 --- a/molgenis-jenkins/README.md +++ b/molgenis-jenkins/README.md 
@@ -46,14 +46,15 @@ You can override the values at deploy time but otherwise also configure them Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables in the slave pods. -| Parameter | Description | Default | -| ---------------------------------- | ---------------------------------------- | --------------- | -| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` | -| `PipelineSecrets.Env.PGPPassphrase`| passphrase for the pgp signing key | `literal:xxxx` | -| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` | -| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` | -| `PipelineSecrets.Env.NexusPassword`| token for molgenis-jenkins user in NEXUS | `xxxx` | -| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | | +| Parameter | Description | Default | +| -------------------------------------- | ----------------------------------------- | --------------- | +| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` | +| `PipelineSecrets.Env.PGPPassphrase` | passphrase for the pgp signing key | `literal:xxxx` | +| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` | +| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` | +| `PipelineSecrets.Env.NexusPassword` | token for molgenis-jenkins user in NEXUS | `xxxx` | +| `PipelineSecrets.Env.DockerHubPassword`| token for molgenis user in hub.docker.com | `xxxx` | +| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | | ### File diff --git a/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml new file mode 100644 index 0000000..cac25e2 --- /dev/null +++ b/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Secret +metadata: +# this is the jenkins id. + name: "molgenis-jenkins-dockerhub-secret" + labels: +# so we know what type it is. + "jenkins.io/credentials-type": "usernamePassword" + annotations: { +# description - can not be a label as spaces are not allowed + "jenkins.io/credentials-description" : "user to authenticate against GOGS (git.webhosting.rug.nl)" + } +type: Opaque +data: + username: {{ "molgenis" | b64enc | quote }} + password: {{ .Values.PipelineSecrets.Env.DockerHubPassword | b64enc | quote }} \ No newline at end of file diff --git a/molgenis-jenkins/values.yaml b/molgenis-jenkins/values.yaml index 76e6db6..7b44096 100644 --- a/molgenis-jenkins/values.yaml +++ b/molgenis-jenkins/values.yaml @@ -269,6 +269,8 @@ PipelineSecrets: SonarToken: xxxx # Password Local NEXUS NexusPassword: xxxx + # Password hub.docker.com + DockerHubPassword: xxxx File: # Set to false to keep existing secret Replace: true From 238da8b22bb2c57438a41f3236b0aea67781f536 Mon Sep 17 00:00:00 2001 From: sido Date: Mon, 2 Jul 2018 20:23:09 +0200 Subject: [PATCH 3/6] changed name because of weird policy dockerhub --- .../templates/molgenis-jenkins-dockerhub-secret.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml index cac25e2..5646e8b 100644 --- a/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml +++ b/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml @@ -12,5 +12,5 @@ metadata: } type: Opaque data: - username: {{ "molgenis" | b64enc | quote }} + username: {{ "molgenisci" | b64enc | quote }} password: {{ .Values.PipelineSecrets.Env.DockerHubPassword | b64enc | quote }} \ No newline at end of file From 10557d2d8f143ce579a9a80a20923a20ac41356c Mon Sep 17 00:00:00 2001 
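Review bot: The new `molgenis-jenkins-dockerhub-secret` template renders unconditionally, unlike the chart's other pipeline secrets, which the values.yaml hunk in this same commit shows are guarded by a `Replace` flag (`# Set to false to keep existing secret`); every `helm upgrade` will therefore re-render this Secret from values and overwrite a password that was set in Rancher or via kubectl as the README recommends. With the shipped default `DockerHubPassword: xxxx` that quietly replaces a working Docker Hub credential with a placeholder. Guarding the manifest the same way, e.g. `{{- if .Values.PipelineSecrets.Env.Replace }}` … `{{- end }}`, and reading the value through `{{ required "PipelineSecrets.Env.DockerHubPassword must be set" .Values.PipelineSecrets.Env.DockerHubPassword | b64enc | quote }}` would make the placeholder fail the render rather than deploy. The README row added in this commit lists `DockerHubPassword` as an environment variable for the slave pods, whereas here it only feeds a Jenkins `usernamePassword` credential; if it is not also injected as an env var elsewhere, that table entry is misleading.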
From: sido Date: Tue, 3 Jul 2018 23:44:36 +0200 Subject: [PATCH 4/6] feature(github): delegation to github for user management --- molgenis-jenkins/README.md | 66 +++++++++++++++------------ molgenis-jenkins/templates/config.tpl | 10 ++++ molgenis-jenkins/values.yaml | 8 +++- 3 files changed, 55 insertions(+), 29 deletions(-) diff --git a/molgenis-jenkins/README.md b/molgenis-jenkins/README.md index 2ee45ea..dcb1a3c 100644 --- a/molgenis-jenkins/README.md +++ b/molgenis-jenkins/README.md 
@@ -25,48 +25,58 @@ Array values can be added as {value, value, value}. jenkins.Master.HostName=jenkins.molgenis.org jenkins.Master.AdminPassword=pa$$word jenkins.Persistence.Enabled=false -jenkins.Master.InstallPlugins={kubernetes:1.8.4, workflow-aggregator:2.5, workflow-job:2.21, credentials-binding:1.16, git:3.9.1} +jenkins.Master.InstallPlugins={kubernetes:1.8.4, workflow-aggregator:2.5, workflow-job:2.21, credentials-binding:1.16, git:3.9.1, blueocean:1.6.2, github-oauth:0.29} +jenkins.Master.Security.UseGitHub=false +## if UseGitHub=true +jenkins.Master.Security.GitHub.ClientID=id +jenkins.Master.Security.GitHub.ClientSecret=S3cr3t +## end UseGitHub=true PipelineSecrets.Env.PGPPassphrase=literal:S3cr3t ``` You can use [all configuration values of the jenkins subchart](https://github.com/kubernetes/charts/tree/master/stable/jenkins). > Because we use jenkins as a sub-chart, you should prefix all value keys with `jenkins`! +### GitHub Authentication delegation +You need to setup a MOLGENIS - Jenkins GitHub OAuth App. You can do this by accessing this url: [add new OAuth app](https://github.com/settings/applications/new). + +### Additional configuration There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`: -## PipelineSecrets -When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins -build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside -each other with their own secrets. +* PipelineSecrets -You can override the values at deploy time but otherwise also configure them -[in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl. + When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins + build pods. 
The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside + each other with their own secrets. -### Env -Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables -in the slave pods. + You can override the values at deploy time but otherwise also configure them + [in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl. -| Parameter | Description | Default | -| ---------------------------------- | ---------------------------------------- | --------------- | -| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` | -| `PipelineSecrets.Env.PGPPassphrase`| passphrase for the pgp signing key | `literal:xxxx` | -| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` | -| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` | -| `PipelineSecrets.Env.NexusPassword`| token for molgenis-jenkins user in NEXUS | `xxxx` | -| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | | +* Env + + Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables + in the slave pods. 
-### File + | Parameter | Description | Default | + | ---------------------------------- | ---------------------------------------- | --------------- | + | `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` | + | `PipelineSecrets.Env.PGPPassphrase`| passphrase for the pgp signing key | `literal:xxxx` | + | `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` | + | `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` | + | `PipelineSecrets.Env.NexusPassword`| token for molgenis-jenkins user in NEXUS | `xxxx` | + | `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | | -Environment variables stored in molgenis-pipeline-file secret, to be mounted as files -in the `/root/.m2` directory of the slave pods. -> The settings.xml file references the +* File -| Parameter | Description | Default | -| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- | -| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` | -| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` | -| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `[...]` (see actual [values.yaml](values.yaml)) | + Environment variables stored in molgenis-pipeline-file secret, to be mounted as files + in the `/root/.m2` directory of the slave pods. 
+ > The settings.xml file references the + | Parameter | Description | Default | + | -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- | + | `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` | + | `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` | + | `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `[...]` (see actual [values.yaml](values.yaml)) | ## Command line use Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. @@ -78,5 +88,5 @@ For example, $ helm install --name jenkins -f values.yaml molgenis-jenkins ``` -> **Tip**: You can use the default [values.yaml](values.yaml) +> **Tip**: You can use the default [values.yaml](values.yaml) diff --git a/molgenis-jenkins/templates/config.tpl b/molgenis-jenkins/templates/config.tpl index 570ce05..7f32b25 100644 --- a/molgenis-jenkins/templates/config.tpl +++ b/molgenis-jenkins/templates/config.tpl @@ -15,7 +15,17 @@ data: true +{{- if .Values.Security.UseGitHub }} + + https://github.com + https://api.github.com + {{ .Values.Master.Security.Github.ClientID }} + {{ .Values.Master.Security.Github.ClientSecret }} + read:org,user:email + +{{- else }} +{{- end }} false ${JENKINS_HOME}/workspace/${ITEM_FULLNAME} diff --git a/molgenis-jenkins/values.yaml b/molgenis-jenkins/values.yaml index 76e6db6..1d6e559 100644 --- a/molgenis-jenkins/values.yaml +++ b/molgenis-jenkins/values.yaml @@ -10,7 +10,13 @@ jenkins: - git:3.9.1 - github-branch-source:2.3.6 - kubernetes-credentials-provider:0.9 - - blueocean:1.6.1 + - blueocean:1.6.2 + - github-oauth:0.29 + Security: + UseGitHub: false + GitHub: + ClientID: "" + ClienSecret: "" Jobs: |- molgenis: |- From 79832a74cbb4b12b76525629a62d1d573ea3c24b Mon Sep 17 00:00:00 2001 
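Review bot: The value paths in the new `{{- if }}` block do not match the keys this same commit adds to values.yaml: the template reads `.Values.Security.UseGitHub` and `.Values.Master.Security.Github.ClientID`/`.ClientSecret`, while values.yaml defines `jenkins.Master.Security.GitHub` with the secret key spelled `ClienSecret`. The last commit in the series adds the `jenkins.` prefix but keeps `Github`, and Go-template map lookups are case-sensitive, so with `UseGitHub=true` the realm would most likely render with an empty client id and secret and nobody could log in. Aligning the spelling, e.g. `{{ .Values.jenkins.Master.Security.GitHub.ClientID }}` / `{{ .Values.jenkins.Master.Security.GitHub.ClientSecret }}` here and `ClientSecret: ""` in values.yaml, and wrapping both in `required` would fail the render instead of deploying a broken login. The client secret is also emitted verbatim into this template; if the object under `data:` is a ConfigMap rather than a Secret, the README's new "GitHub Authentication delegation" section should say that the OAuth secret ends up readable by anyone who can read ConfigMaps in the namespace.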
From: sido Date: Tue, 3 Jul 2018 23:58:50 +0200 Subject: [PATCH 5/6] updated docker description --- .../templates/molgenis-jenkins-dockerhub-secret.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml index 5646e8b..e5a6214 100644 --- a/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml +++ b/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml @@ -8,7 +8,7 @@ metadata: "jenkins.io/credentials-type": "usernamePassword" annotations: { # description - can not be a label as spaces are not allowed - "jenkins.io/credentials-description" : "user to authenticate against GOGS (git.webhosting.rug.nl)" + "jenkins.io/credentials-description" : "user to authenticate against Docker Hub (hub.docker.com)" } type: Opaque data: From d8324a937cefff90c48a359dbf51d0f93d641697 Mon Sep 17 00:00:00 2001 From: sido Date: Wed, 4 Jul 2018 00:04:13 +0200 Subject: [PATCH 6/6] update keys in config.tpl according to values.yml --- molgenis-jenkins/templates/config.tpl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/molgenis-jenkins/templates/config.tpl b/molgenis-jenkins/templates/config.tpl index 7f32b25..1626be9 100644 --- a/molgenis-jenkins/templates/config.tpl +++ b/molgenis-jenkins/templates/config.tpl @@ -15,12 +15,12 @@ data: true -{{- if .Values.Security.UseGitHub }} +{{- if .Values.jenkins.Master.Security.UseGitHub }} https://github.com https://api.github.com - {{ .Values.Master.Security.Github.ClientID }} - {{ .Values.Master.Security.Github.ClientSecret }} + {{ .Values.jenkins.Master.Security.Github.ClientID }} + {{ .Values.jenkins.Master.Security.Github.ClientSecret }} read:org,user:email {{- else }}