P129679
/
molgenis-ops-docker-helm
1
0
Fork 0
Code Releases Activity

Merge branch 'master' of https://git.webhosting.rug.nl/molgenis/molgenis-ops-docker-helm

This commit is contained in:
Fleur Kelpin 2018-07-13 12:48:35 +02:00
parent 8de779afa0 24220fd982
commit 88ab5374d5
4 changed files with 73 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
molgenis-jenkins/README.md
View File

@ -25,47 +25,59 @@ Array values can be added as {value, value, value}.
jenkins.Master.HostName=jenkins.molgenis.org jenkins.Master.HostName=jenkins.molgenis.org
jenkins.Master.AdminPassword=pa$$word jenkins.Master.AdminPassword=pa$$word
jenkins.Persistence.Enabled=false jenkins.Persistence.Enabled=false
jenkins.Master.InstallPlugins={kubernetes:1.8.4, workflow-aggregator:2.5, workflow-job:2.21, credentials-binding:1.16, git:3.9.1} jenkins.Master.InstallPlugins={kubernetes:1.8.4, workflow-aggregator:2.5, workflow-job:2.21, credentials-binding:1.16, git:3.9.1, blueocean:1.6.2, github-oauth:0.29}
jenkins.Master.Security.UseGitHub=false
## if UseGitHub=true
jenkins.Master.Security.GitHub.ClientID=id
jenkins.Master.Security.GitHub.ClientSecret=S3cr3t
## end UseGitHub=true
PipelineSecrets.Env.PGPPassphrase=literal:S3cr3t PipelineSecrets.Env.PGPPassphrase=literal:S3cr3t
``` ```
You can use [all configuration values of the jenkins subchart](https://github.com/kubernetes/charts/tree/master/stable/jenkins). You can use [all configuration values of the jenkins subchart](https://github.com/kubernetes/charts/tree/master/stable/jenkins).
> Because we use jenkins as a sub-chart, you should prefix all value keys with `jenkins`! > Because we use jenkins as a sub-chart, you should prefix all value keys with `jenkins`!
### GitHub Authentication delegation
You need to setup a MOLGENIS - Jenkins GitHub OAuth App. You can do this by accessing this url: [add new OAuth app](https://github.com/settings/applications/new).
### Additional configuration
There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`: There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`:
## PipelineSecrets
When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins * PipelineSecrets
build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
each other with their own secrets.
You can override the values at deploy time but otherwise also configure them When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins
[in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl. build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
each other with their own secrets.
### Env You can override the values at deploy time but otherwise also configure them
Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables [in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl.
in the slave pods.
| Parameter | Description | Default | * Env
| ---------------------------------- | ------------------------------------ | --------------- |
| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` | Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables
| `PipelineSecrets.Env.PGPPassphrase`| passphrase for the pgp signing key | `literal:xxxx` | in the slave pods.
| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | |
### File | Parameter | Description | Default |
| -------------------------------------- | ----------------------------------------- | --------------- |
| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
| `PipelineSecrets.Env.PGPPassphrase` | passphrase for the pgp signing key | `literal:xxxx` |
| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
| `PipelineSecrets.Env.NexusPassword` | token for molgenis-jenkins user in NEXUS | `xxxx` |
| `PipelineSecrets.Env.DockerHubPassword`| token for molgenis user in hub.docker.com | `xxxx` |
| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | |
Environment variables stored in molgenis-pipeline-file secret, to be mounted as files * File
in the `/root/.m2` directory of the slave pods.
> The settings.xml file references the
| Parameter | Description | Default | Environment variables stored in molgenis-pipeline-file secret, to be mounted as files
| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- | in the `/root/.m2` directory of the slave pods.
| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` | > The settings.xml file references the
| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml)) |
| Parameter | Description | Default |
| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` |
| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml)) |
## Command line use ## Command line use
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.

10
molgenis-jenkins/templates/config.tpl
View File

@ -15,7 +15,17 @@ data:
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"> <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>true</denyAnonymousReadAccess> <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
</authorizationStrategy> </authorizationStrategy>
{{- if .Values.jenkins.Master.Security.UseGitHub }}
<securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
<githubWebUri>https://github.com</githubWebUri>
<githubApiUri>https://api.github.com</githubApiUri>
<clientID>{{ .Values.jenkins.Master.Security.Github.ClientID }}</clientID>
<clientSecret>{{ .Values.jenkins.Master.Security.Github.ClientSecret }}</clientSecret>
<oauthScopes>read:org,user:email</oauthScopes>
</securityRealm>
{{- else }}
<securityRealm class="hudson.security.LegacySecurityRealm"/> <securityRealm class="hudson.security.LegacySecurityRealm"/>
{{- end }}
<disableRememberMe>false</disableRememberMe> <disableRememberMe>false</disableRememberMe>
<projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/> <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
<workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULLNAME}</workspaceDir> <workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULLNAME}</workspaceDir>

16
molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
name: "molgenis-jenkins-dockerhub-secret"
labels:
# so we know what type it is.
"jenkins.io/credentials-type": "usernamePassword"
annotations: {
# description - can not be a label as spaces are not allowed
"jenkins.io/credentials-description" : "user to authenticate against Docker Hub (hub.docker.com)"
}
type: Opaque
data:
username: {{ "molgenisci" | b64enc | quote }}
password: {{ .Values.PipelineSecrets.Env.DockerHubPassword | b64enc | quote }}

10
molgenis-jenkins/values.yaml
View File

@ -10,7 +10,13 @@ jenkins:
- git:3.9.1 - git:3.9.1
- github-branch-source:2.3.6 - github-branch-source:2.3.6
- kubernetes-credentials-provider:0.9 - kubernetes-credentials-provider:0.9
- blueocean:1.6.1 - blueocean:1.6.2
- github-oauth:0.29
Security:
UseGitHub: false
GitHub:
ClientID: ""
ClienSecret: ""
Jobs: |- Jobs: |-
molgenis: |- molgenis: |-
<?xml version='1.1' encoding='UTF-8'?> <?xml version='1.1' encoding='UTF-8'?>
@ -269,6 +275,8 @@ PipelineSecrets:
SonarToken: xxxx SonarToken: xxxx
# Password Local NEXUS # Password Local NEXUS
NexusPassword: xxxx NexusPassword: xxxx
# Password hub.docker.com
DockerHubPassword: xxxx
File: File:
# Set to false to keep existing secret # Set to false to keep existing secret
Replace: true Replace: true