From a836ab4e6eabe0b0875ea8c208726fe958a1a5e7 Mon Sep 17 00:00:00 2001
From: Fleur Kelpin
Date: Mon, 10 Sep 2018 17:13:55 +0200
Subject: [PATCH] chore (molgenis-jenkins): Retrieve pipeline secrets from vault when possible.
---
 molgenis-jenkins/README.md | 87 +++----
 .../molgenis-jenkins-dockerhub-secret.yaml | 6 +-
 .../molgenis-jenkins-github-secret.yaml | 6 +-
 .../molgenis-jenkins-gogs-secret.yaml | 6 +-
 .../molgenis-jenkins-nexus-secret.yaml | 16 --
 .../molgenis-jenkins-registry-secret.yaml | 17 ++
 .../molgenis-jenkins-saucelabs-secret.yaml | 16 --
 .../molgenis-pipeline-env-secret.yaml | 18 --
 .../molgenis-pipeline-file-secret.yaml | 15 --
 .../molgenis-pipeline-vault-secret.yaml | 8 +-
 molgenis-jenkins/values.yaml | 227 ++++----------------
 11 files changed, 117 insertions(+), 305 deletions(-)
 delete mode 100644 molgenis-jenkins/templates/molgenis-jenkins-nexus-secret.yaml
 create mode 100644 molgenis-jenkins/templates/molgenis-jenkins-registry-secret.yaml
 delete mode 100644 molgenis-jenkins/templates/molgenis-jenkins-saucelabs-secret.yaml
 delete mode 100644 molgenis-jenkins/templates/molgenis-pipeline-env-secret.yaml
 delete mode 100644 molgenis-jenkins/templates/molgenis-pipeline-file-secret.yaml
diff --git a/molgenis-jenkins/README.md b/molgenis-jenkins/README.md
index a2d1866..48c0a53 100644
--- a/molgenis-jenkins/README.md
+++ b/molgenis-jenkins/README.md
@@ -40,57 +40,62 @@ You can use [all configuration values of the jenkins subchart](https://github.co ### GitHub Authentication delegation You need to setup a MOLGENIS - Jenkins GitHub OAuth App. You can do this by accessing this url: [add new OAuth app](https://github.com/settings/applications/new). -### Additional configuration -There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`: +### Secrets -* PipelineSecrets - - When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins - build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside - each other with their own secrets. + When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins. You can override the values at deploy time but otherwise also configure them [in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl. -* Vault +#### Vault - New vault token to be used by the pods to retrieve their tokens from the vault. +The vault secret gets mounted in the vault pod so pipeline scripts can retrieve secrets from the vault. + +| Parameter | Description | Default | +| ------------------------- | ------------------------------------------ | ---------------------------------------------- | +| `secret.vault.token` | Token to log into the hashicorp vault | `xxxx` | +| `secret.vault.addr` | Address of the vault | `https:vault-operator.vault-operator.svc:8200` | +| `secret.vault.skipVerify` | Skip verification of the https connection | `1` | + +#### GitHub + +Token used by Jenkins to authenticate on GitHub. 
+ +| Parameter | Description | Default | +| --------------------- | ------------------------ | ------------------ | +| `secret.gitHub.user` | username for the account | `molgenis-jenkins` | +| `secret.gitHub.token` | token for the account | `xxxx` | + +#### Gogs + +Token used by Jenkins to authenticate on the [RuG Webhosting Gogs](https://git.webhosting.rug.nl). + +| Parameter | Description | Default | +| ------------------- | ------------------------ | --------- | +| `secret.gogs.user` | username for the account | `p281392` | +| `secret.gogs.token` | token for the account | `xxxx` | + +#### Legacy: + +##### Docker Hub - | Parameter | Description | Default | - | ---------------------------------- | ------------------------------------------ | ---------------------------------------------- | - | `PipelineSecrets.Vault.Replace` | Replace the molgenis-pipeline-vault secret | `true` | - | `PipelineSecrets.Vault.Token` | Token to log into the hashicorp vault | `xxxx` | - | `PipelineSecrets.Vault.Addr` | Address of the vault | `https:vault-operator.vault-operator.svc:8200` | - | `PipelineSecrets.Vault.SkipVerify` | Skip verification of the https connection | `1` | +Account used in pipeline builds to push docker images to `hub.docker.com`. +> They should read `secret/gcc/account/dockerhub` from vault instead! -* Env +| Parameter | Description | Default | +| --------------------------- | ------------------------ | --------------- | +| `secret.dockerHub.user` | username for the account | `molgenisci` | +| `secret.dockerHub.password` | password for the account | `xxxx` | + +##### Registry - Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables - in the slave pods. +Account used in pipeline builds to push docker images to `registry.molgenis.org`. +> They should read `secret/ops/account/nexus` from vault instead! 
- | Parameter | Description | Default | - | --------------------------------------- | ----------------------------------------- | --------------- | - | `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` | - | `PipelineSecrets.Env.PGPPassphrase` | passphrase for the pgp signing key | `literal:xxxx` | - | `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` | - | `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` | - | `PipelineSecrets.Env.NexusPassword` | token for molgenis-jenkins user in NEXUS | `xxxx` | - | `PipelineSecrets.Env.DockerHubPassword` | token for molgenis user in hub.docker.com | `xxxx` | - | `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | - | `PipelineSecrets.Env.NpmToken` | token for npmjs.org | `xxxx` | - | `PipelineSecrets.Env.SauceAccessKey` | token for saucelabs.com | `xxxx` | - -* File - - Environment variables stored in molgenis-pipeline-file secret, to be mounted as files - in the `/root/.m2` directory of the slave pods. 
- > The settings.xml file references the - - | Parameter | Description | Default | - | -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- | - | `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` | - | `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` | - | `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `[...]` (see actual [values.yaml](values.yaml)) | +| Parameter | Description | Default | +| --------------------------- | ------------------------ | --------- | +| `secret.dockerHub.user` | username for the account | `admin` | +| `secret.dockerHub.password` | password for the account | `xxxx` | ## Command line use Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. diff --git a/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml index e5a6214..5c35b46 100644 --- a/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml +++ b/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml 
@@ -8,9 +8,9 @@ metadata:
 "jenkins.io/credentials-type": "usernamePassword"
 annotations: {
 # description - can not be a label as spaces are not allowed
- "jenkins.io/credentials-description" : "user to authenticate against Docker Hub (hub.docker.com)"
+ "jenkins.io/credentials-description" : "(deprecated by vault) Account used in pipeline builds to push docker images to Docker Hub (hub.docker.com)"
 }
 type: Opaque
 data:
- username: {{ "molgenisci" | b64enc | quote }}
- password: {{ .Values.PipelineSecrets.Env.DockerHubPassword | b64enc | quote }}
\ No newline at end of file
+ username: {{ .Values.secret.registry.user | b64enc | quote }}
+ password: {{ .Values.secret.registry.password | b64enc | quote }}
\ No newline at end of file
diff --git a/molgenis-jenkins/templates/molgenis-jenkins-github-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-github-secret.yaml
index 2e7eba7..dc2b8df 100644
--- a/molgenis-jenkins/templates/molgenis-jenkins-github-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-github-secret.yaml
@@ -8,9 +8,9 @@ metadata:
 "jenkins.io/credentials-type": "usernamePassword"
 annotations: {
 # description - can not be a label as spaces are not allowed
- "jenkins.io/credentials-description" : "oauth token for the molgenis-jenkins github user"
+ "jenkins.io/credentials-description" : "Oauth token for the {{.Values.secret.gitHub.user}} GitHub user"
 }
 type: Opaque
 data:
- username: {{ "molgenis-jenkins" | b64enc | quote }}
- password: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
\ No newline at end of file
+ username: {{ .Values.secret.gitHub.user | b64enc | quote }}
+ password: {{ .Values.secret.gitHub.token | b64enc | quote }}
\ No newline at end of file
diff --git a/molgenis-jenkins/templates/molgenis-jenkins-gogs-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-gogs-secret.yaml
index a16303d..ff6ae17 100644
--- a/molgenis-jenkins/templates/molgenis-jenkins-gogs-secret.yaml
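Review bot: The Docker Hub secret now reads `.Values.secret.registry.user` and `.Values.secret.registry.password`, so after this change both molgenis-jenkins-dockerhub-secret and the new registry secret are populated with the registry.molgenis.org account, and the `secret.dockerHub` block added to values.yaml is never referenced by any template. The two data lines should be `username: {{ .Values.secret.dockerHub.user | b64enc | quote }}` and `password: {{ .Values.secret.dockerHub.password | b64enc | quote }}`. The README's new "Registry" table has the mirror-image mistake, listing `secret.dockerHub.*` as the keys for the `admin` account. Left as is, the credential Jenkins presents to hub.docker.com is silently the internal registry one, which also widens the blast radius of either account leaking.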
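Review bot: The `password` line takes `.Values.secret.gitHub.token` straight through `b64enc`, and values.yaml ships the placeholder `xxxx` for it, so an install or upgrade that forgets `--set secret.gitHub.token=…` renders a syntactically valid Secret holding a bogus token instead of failing, and Jenkins authenticates with it until someone notices the errors. Wrapping the value, e.g. `password: {{ required "secret.gitHub.token must be set" .Values.secret.gitHub.token | b64enc | quote }}`, makes the release fail closed; `required` is a Helm template function, so check it is available in the Helm version the chart targets. The same placeholder-default pattern exists on the `token` lines of the gogs and vault templates and the `password` lines of the registry and dockerhub templates in this patch, so the fix belongs in all of them. A smaller point: the description annotation interpolates `{{.Values.secret.gitHub.user}}` inside a double-quoted YAML scalar, so a user value containing `"` would break the manifest; that is acceptable only if the user name is treated as trusted chart configuration.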
+++ b/molgenis-jenkins/templates/molgenis-jenkins-gogs-secret.yaml
@@ -8,9 +8,9 @@ metadata:
 "jenkins.io/credentials-type": "usernamePassword"
 annotations: {
 # description - can not be a label as spaces are not allowed
- "jenkins.io/credentials-description" : "user to authenticate against GOGS (git.webhosting.rug.nl)"
+ "jenkins.io/credentials-description" : "Account used to authenticate against RuG Webhosting Gogs."
 }
 type: Opaque
 data:
- username: {{ "p281392" | b64enc | quote }}
- password: {{ .Values.PipelineSecrets.Env.GogsToken | b64enc | quote }}
\ No newline at end of file
+ username: {{ .Values.secret.gogs.user | b64enc | quote }}
+ password: {{ .Values.secret.gogs.token | b64enc | quote }}
\ No newline at end of file
diff --git a/molgenis-jenkins/templates/molgenis-jenkins-nexus-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-nexus-secret.yaml
deleted file mode 100644
index 4518e15..0000000
--- a/molgenis-jenkins/templates/molgenis-jenkins-nexus-secret.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-# this is the jenkins id.
- name: "molgenis-jenkins-nexus-secret"
- labels:
-# so we know what type it is.
- "jenkins.io/credentials-type": "usernamePassword"
- annotations: {
-# description - can not be a label as spaces are not allowed
- "jenkins.io/credentials-description" : "user to authenticate against NEXUS"
- }
-type: Opaque
-data:
- username: {{ "admin" | b64enc | quote }}
- password: {{ .Values.PipelineSecrets.Env.NexusPassword | b64enc | quote }}
\ No newline at end of file
diff --git a/molgenis-jenkins/templates/molgenis-jenkins-registry-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-registry-secret.yaml
new file mode 100644
index 0000000..b853055
--- /dev/null
+++ b/molgenis-jenkins/templates/molgenis-jenkins-registry-secret.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: molgenis-jenkins-registry-secret
+ labels:
+ app: {{ template "jenkins.fullname" . }}
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+ annotations: {
+# description - can not be a label as spaces are not allowed
+ "jenkins.io/credentials-description" : "(deprecated by vault) Account used in pipeline builds to push docker images to registry.molgenis.org."
+ }
+type: Opaque
+data:
+ username: {{ .Values.secret.registry.user | b64enc | quote }}
+ password: {{ .Values.secret.registry.password | b64enc | quote }}
\ No newline at end of file
diff --git a/molgenis-jenkins/templates/molgenis-jenkins-saucelabs-secret.yaml b/molgenis-jenkins/templates/molgenis-jenkins-saucelabs-secret.yaml
deleted file mode 100644
index 382ba17..0000000
--- a/molgenis-jenkins/templates/molgenis-jenkins-saucelabs-secret.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-# this is the jenkins id.
- name: "molgenis-jenkins-saucelabs-secret"
- labels:
-# so we know what type it is.
- "jenkins.io/credentials-type": "usernamePassword"
- annotations: {
-# description - can not be a label as spaces are not allowed
- "jenkins.io/credentials-description" : "user to authenticate against Saucelabs (saucelabs.com)"
- }
-type: Opaque
-data:
- username: {{ "molgenis-jenkins" | b64enc | quote }}
- password: {{ .Values.PipelineSecrets.Env.SauceAccessKey | b64enc | quote }}
\ No newline at end of file
diff --git a/molgenis-jenkins/templates/molgenis-pipeline-env-secret.yaml b/molgenis-jenkins/templates/molgenis-pipeline-env-secret.yaml
deleted file mode 100644
index ffdfd64..0000000
--- a/molgenis-jenkins/templates/molgenis-pipeline-env-secret.yaml
+++ /dev/null
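Review bot: Unlike the dockerhub, github and gogs secret templates, the new molgenis-jenkins-registry-secret carries no `"jenkins.io/credentials-type": "usernamePassword"` label, only the chart's `app`/`chart`/`release`/`heritage` labels, while still setting a `jenkins.io/credentials-description` annotation. If this secret is meant to be surfaced as a Jenkins credential the way the nexus secret it replaces was, a credentials provider that keys on that label will not pick it up without it; if it is meant only to be referenced from pod templates like the vault secret, the annotation is misleading and a one-line comment stating which consumer is intended would prevent the next reader from "fixing" it the wrong way. Either way, the change should be deliberate rather than an artefact of copying the vault template's metadata block.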
@@ -1,18 +0,0 @@
-{{- if .Values.PipelineSecrets.Env.Replace }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: molgenis-pipeline-env-secret
- labels:
- app: {{ template "jenkins.fullname" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ .Release.Name }}"
- heritage: "{{ .Release.Service }}"
-type: Opaque
-data:
- pgpPassphrase: {{ .Values.PipelineSecrets.Env.PGPPassphrase | b64enc | quote }}
- codecovToken: {{ .Values.PipelineSecrets.Env.CodecovToken | b64enc | quote }}
- githubToken: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
- sonarToken: {{ .Values.PipelineSecrets.Env.SonarToken | b64enc | quote }}
- npmToken: {{ .Values.PipelineSecrets.Env.NpmToken | b64enc | quote }}
-{{- end }}
\ No newline at end of file
diff --git a/molgenis-jenkins/templates/molgenis-pipeline-file-secret.yaml b/molgenis-jenkins/templates/molgenis-pipeline-file-secret.yaml
deleted file mode 100644
index 65ac30b..0000000
--- a/molgenis-jenkins/templates/molgenis-pipeline-file-secret.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- if .Values.PipelineSecrets.File.Replace }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: molgenis-pipeline-file-secret
- labels:
- app: {{ template "jenkins.fullname" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ .Release.Name }}"
- heritage: "{{ .Release.Service }}"
-type: Opaque
-data:
- key.asc: {{ .Values.PipelineSecrets.File.PGPPrivateKeyAsc | b64enc | quote }}
- settings.xml: {{ .Values.PipelineSecrets.File.MavenSettingsXML | b64enc | quote }}
-{{- end }}
diff --git a/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml b/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml
index aa50fe7..da4598b 100644
--- a/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml
@@ -1,4 +1,3 @@
-{{- if .Values.PipelineSecrets.Vault.Replace }}
 apiVersion: v1
 kind: Secret
 metadata:
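Review bot: Dropping the `{{- if .Values.PipelineSecrets.Vault.Replace }}` guard makes the vault secret render on every install and upgrade, so a token that was set out-of-band in Rancher or with kubectl (the alternative the README in this same patch still documents) is overwritten with whatever `secret.vault.token` holds, by default the placeholder `xxxx`, on the next `helm upgrade`. Either keep an opt-out equivalent to the removed `Replace` flag under the new `secret.vault` key and document it in values.yaml, or make the token `required` so an upgrade without it fails instead of clobbering a working token. The matching `{{- end }}` is removed in this file's second hunk, so the two hunks have to land together.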
@@ -10,7 +9,6 @@ metadata:
 heritage: "{{ .Release.Service }}"
 type: Opaque
 data:
- token: {{ .Values.PipelineSecrets.Vault.Token | b64enc | quote }}
- addr: {{ .Values.PipelineSecrets.Vault.Addr | b64enc | quote }}
- skipVerify: {{ .Values.PipelineSecrets.Vault.SkipVerify | b64enc | quote }}
-{{- end }}
\ No newline at end of file
+ token: {{ .Values.secret.vault.token | b64enc | quote }}
+ addr: {{ .Values.secret.vault.addr | b64enc | quote }}
+ skipVerify: {{ .Values.secret.vault.skipVerify | b64enc | quote }}
\ No newline at end of file
diff --git a/molgenis-jenkins/values.yaml b/molgenis-jenkins/values.yaml
index a5ac886..6962082 100644
--- a/molgenis-jenkins/values.yaml
+++ b/molgenis-jenkins/values.yaml
@@ -368,8 +368,8 @@ jenkins:
 install: true
 Pods:
 molgenis:
- Label: molgenisv2
- NodeUsageMode: EXCLUSIVE
+ Label: molgenis
+ NodeUsageMode: NORMAL
 volumes:
 - type: HostPath
 hostPath: "/var/run/docker.sock"
@@ -417,39 +417,6 @@ jenkins:
 secretName: molgenis-pipeline-vault-secret
 secretKey: addr
 NodeSelector: {}
- molgenis-legacy:
- InheritFrom: molgenis
- Label: molgenis
- NodeUsageMode: NORMAL
- volumes:
- - type: Secret
- secretName: molgenis-pipeline-file-secret
- mountPath: "/home/jenkins/.m2"
- Containers:
- EnvVars:
- - type: Secret
- key: PGP_PASSPHRASE
- secretName: molgenis-pipeline-env-secret
- secretKey: pgpPassphrase
- - type: KeyValue
- key: PGP_SECRETKEY
- value: "keyfile:/home.jenkins/.m2/key.asc"
- - type: KeyValue
- key: npm_config_registry
- value: "http://nexus.molgenis-nexus:8081/repository/npm-central/"
- - type: Secret
- key: SONAR_TOKEN
- secretName: molgenis-pipeline-env-secret
- secretKey: sonarToken
- - type: Secret
- key: CODECOV_TOKEN
- secretName: molgenis-pipeline-env-secret
- secretKey: codecovToken
- - type: Secret
- key: GITHUB_TOKEN
- secretName: molgenis-pipeline-env-secret
- secretKey: githubToken
- NodeSelector: {}
 node:
 Label: node-carbon
 NodeUsageMode: EXCLUSIVE
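Review bot: Switching the `molgenis` pod template from `NodeUsageMode: EXCLUSIVE` to `NodeUsageMode: NORMAL` lets jobs with no label expression be scheduled onto it, and the context lines of this hunk show that template mounts the host's `/var/run/docker.sock`; access to that socket is equivalent to root on the node, so any unlabeled job would now get it by default. If the intent was only to take over the `molgenis` label from the `molgenis-legacy` template deleted in the next hunk, keeping `NodeUsageMode: EXCLUSIVE` preserves the label-only gate while still retiring the legacy template. The pod template definition this edits starts before and continues after the hunk.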
@@ -461,155 +428,45 @@ jenkins:
 Command: cat
 WorkingDir: /home/jenkins
 TTY: true
- EnvVars:
- - type: KeyValue
- key: npm_config_registry
- value: "http://nexus.molgenis-nexus:8081/repository/npm-central/"
- - type: Secret
- key: CODECOV_TOKEN
- secretName: molgenis-pipeline-env-secret
- secretKey: codecovToken
- - type: Secret
- key: GITHUB_TOKEN
- secretName: molgenis-pipeline-env-secret
- secretKey: githubToken
- - type: Secret
- key: NPM_TOKEN
- secretName: molgenis-pipeline-env-secret
- secretKey: npmToken
- NodeSelector: {}
- molgenis-it:
- InheritFrom: molgenis
- Label: molgenis-it
- NodeUsageMode: EXCLUSIVE
- Containers:
- elasticsearch:
- Image: docker.elastic.co/elasticsearch/elasticsearch
- ImageTag: 5.5.3
- resources:
- requests:
- cpu: "100m"
- memory: "1Gi"
- limits:
- cpu: "1"
- memory: "1500Mi"
+ vault:
+ Image: "vault"
+ Command: cat
+ WorkingDir: /home/jenkins
+ TTY: true
 EnvVars:
- - type: KeyValue
- key: ES_JAVA_OPTS
- value: "-Xms512m -Xmx512m"
- - type: KeyValue
- key: cluster.name
- value: molgenis
- - type: KeyValue
- key: bootstrap.memory_lock
- value: "true"
- - type: KeyValue
- key: xpack.security.enabled
- value: "false"
- - type: KeyValue
- key: discovery.type
- value: single-node
- postgres:
- Image: postgres
- ImageTag: 9.6-alpine
- resources:
- requests:
- cpu: "100m"
- memory: "250Mi"
- limits:
- cpu: "1"
- memory: "250Mi"
- EnvVars:
- - type: KeyValue
- key: POSTGRES_USER
- value: molgenis
- - type: KeyValue
- key: POSTGRES_PASSWORD
- value: molgenis
- - type: KeyValue
- key: POSTGRES_DB
- value: molgenis
- opencpu:
- Image: molgenis/opencpu
- AlwaysPullImage: true
- resources:
- requests:
- cpu: "100m"
- memory: "256Mi"
- limits:
- cpu: "1"
- memory: "512Mi"
+ - type: Secret
+ key: VAULT_TOKEN
+ secretName: molgenis-pipeline-vault-secret
+ secretKey: token
+ - type: Secret
+ key: VAULT_SKIP_VERIFY
+ secretName: molgenis-pipeline-vault-secret
+ secretKey: skipVerify
+ - type: Secret
+ key: VAULT_ADDR
+ secretName: 
molgenis-pipeline-vault-secret + secretKey: addr NodeSelector: {} -PipelineSecrets: - Vault: - Replace: true - Token: xxxx - Addr: "https://vault-operator.vault-operator.svc:8200" - SkipVerify: 1 - Env: - # Set to false to keep existing secret - Replace: true - # Passphrase for the pgp private key file, prefixed with literal: - PGPPassphrase: literal:xxxx - # Token for codecov.io service - CodecovToken: xxxx - # Token for github bot account - GitHubToken: xxxx - # Token for github bot account - GogsToken: xxxx - # Token for sonarcloud.io - SonarToken: xxxx - # Token for npmjs.org - NpmToken: xxxx - # Password Local NEXUS - NexusPassword: xxxx - # Password hub.docker.com - DockerHubPassword: xxxx - # Access key for saucelabs.com - SauceAccessKey: xxxx - File: - # Set to false to keep existing secret - Replace: true - # PGP Private key in ascii format used to sign artifacts - PGPPrivateKeyAsc: |- - -----BEGIN PGP PRIVATE KEY BLOCK----- - xxxxx - -----END PGP PRIVATE KEY BLOCK----- - # maven.settings file - MavenSettingsXML: |- - - ${user.home}/.mvnrepository - false - - - nexus - external:* - http://nexus.molgenis-nexus:8081/repository/maven-central/ - - - - - - sonatype-nexus-staging - molgenis - xxxx - - - local-nexus - http://nexus.molgenis-nexus:8081/repository/maven-snapshots/ - admin - xxxxx - - - - registry.molgenis.org - admin - xxxx - - - registry.hub.docker.com - molgenisci - xxxx - - - \ No newline at end of file +#secret contains configuration for the kubernetes secrets that jenkins can access +secret: + # vault configures the vault secret + vault: + token: xxxx + addr: "https://vault-operator.vault-operator.svc:8200" + skipVerify: "1" + # githubToken contains access token for jenkins bot account on github.com + gitHub: + user: "molgenis-jenkins" + token: xxxx + # gogs contains access token for jenkins bot account on RuG GoGs + gogs: + user: p281392 + token: xxxx + # registry contains credentials for registry.molgenis.org + registry: + user: admin + 
password: xxxx
+ # dockerHubPassword contains password for hub.docker.com
+ dockerHub:
+ user: molgenisci
+ password: xxxx
\ No newline at end of file
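Review bot: The new `vault` container is declared as `Image: "vault"` with no `ImageTag`, so every build pod runs whatever the registry's default tag resolves to at pull time; a container that receives `VAULT_TOKEN` should be pinned, e.g. `ImageTag: "<pinned vault version>"`, ideally by digest. In the new `secret` block the default `skipVerify: "1"` is wired straight into `VAULT_SKIP_VERIFY`, which turns off TLS verification for the vault connection and so presents the token to whatever answers at `VAULT_ADDR`; the shipped default should be `"0"` with the Vault CA made available to the pod, leaving `"1"` as an explicit per-deployment override. The comments `# githubToken contains access token for jenkins bot account on github.com` and `# dockerHubPassword contains password for hub.docker.com` name keys that no longer exist and should read `# gitHub contains …` and `# dockerHub contains …` to match the keys below them. The `jenkins:` mapping these pod templates extend begins before this hunk.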