chore (molgenis-jenkins): Retrieve pipeline secrets from vault when possible.

2018-09-10 17:13:55 +02:00
parent 008fd5261e
commit a836ab4e6e
11 changed files with 117 additions and 305 deletions
--- a/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-dockerhub-secret.yaml
@ -8,9 +8,9 @@ metadata:
    "jenkins.io/credentials-type": "usernamePassword"
  annotations: {
 # description - can not be a label as spaces are not allowed
-    "jenkins.io/credentials-description" : "user to authenticate against Docker Hub (hub.docker.com)"
+    "jenkins.io/credentials-description" : "(deprecated by vault) Account used in pipeline builds to push docker images to Docker Hub (hub.docker.com)"
  }
 type: Opaque
 data:
-  username: {{ "molgenisci" | b64enc | quote }}
-  password: {{ .Values.PipelineSecrets.Env.DockerHubPassword | b64enc | quote }}
+  username: {{ .Values.secret.registry.user | b64enc | quote }}
+  password: {{ .Values.secret.registry.password | b64enc | quote }}
--- a/molgenis-jenkins/templates/molgenis-jenkins-github-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-github-secret.yaml
@ -8,9 +8,9 @@ metadata:
    "jenkins.io/credentials-type": "usernamePassword"
  annotations: {
 # description - can not be a label as spaces are not allowed
-    "jenkins.io/credentials-description" : "oauth token for the molgenis-jenkins github user"
+    "jenkins.io/credentials-description" : "Oauth token for the {{.Values.secret.gitHub.user}} GitHub user"
  }
 type: Opaque
 data:
-  username: {{ "molgenis-jenkins" | b64enc | quote }}
-  password: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
+  username: {{ .Values.secret.gitHub.user | b64enc | quote }}
+  password: {{ .Values.secret.gitHub.token | b64enc | quote }}
--- a/molgenis-jenkins/templates/molgenis-jenkins-gogs-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-gogs-secret.yaml
@ -8,9 +8,9 @@ metadata:
    "jenkins.io/credentials-type": "usernamePassword"
  annotations: {
 # description - can not be a label as spaces are not allowed
-    "jenkins.io/credentials-description" : "user to authenticate against GOGS (git.webhosting.rug.nl)"
+    "jenkins.io/credentials-description" : "Account used to authenticate against RuG Webhosting Gogs."
  }
 type: Opaque
 data:
-  username: {{ "p281392" | b64enc | quote }}
-  password: {{ .Values.PipelineSecrets.Env.GogsToken | b64enc | quote }}
+  username: {{ .Values.secret.gogs.user | b64enc | quote }}
+  password: {{ .Values.secret.gogs.token | b64enc | quote }}
--- a/molgenis-jenkins/templates/molgenis-jenkins-nexus-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-nexus-secret.yaml
@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-# this is the jenkins id.
-  name: "molgenis-jenkins-nexus-secret"
-  labels:
-# so we know what type it is.
-    "jenkins.io/credentials-type": "usernamePassword"
-  annotations: {
-# description - can not be a label as spaces are not allowed
-    "jenkins.io/credentials-description" : "user to authenticate against NEXUS"
-  }
-type: Opaque
-data:
-  username: {{ "admin" | b64enc | quote }}
-  password: {{ .Values.PipelineSecrets.Env.NexusPassword | b64enc | quote }}
--- a/molgenis-jenkins/templates/molgenis-jenkins-registry-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-registry-secret.yaml
@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: molgenis-jenkins-registry-secret
+  labels:
+    app: {{ template "jenkins.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  annotations: {
+# description - can not be a label as spaces are not allowed
+    "jenkins.io/credentials-description" : "(deprecated by vault) Account used in pipeline builds to push docker images to registry.molgenis.org."
+  }
+type: Opaque
+data:
+  username: {{ .Values.secret.registry.user | b64enc | quote }}
+  password: {{ .Values.secret.registry.password | b64enc | quote }}
--- a/molgenis-jenkins/templates/molgenis-jenkins-saucelabs-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-jenkins-saucelabs-secret.yaml
@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-# this is the jenkins id.
-  name: "molgenis-jenkins-saucelabs-secret"
-  labels:
-# so we know what type it is.
-    "jenkins.io/credentials-type": "usernamePassword"
-  annotations: {
-# description - can not be a label as spaces are not allowed
-    "jenkins.io/credentials-description" : "user to authenticate against Saucelabs (saucelabs.com)"
-  }
-type: Opaque
-data:
-  username: {{ "molgenis-jenkins" | b64enc | quote }}
-  password: {{ .Values.PipelineSecrets.Env.SauceAccessKey | b64enc | quote }}
--- a/molgenis-jenkins/templates/molgenis-pipeline-env-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-pipeline-env-secret.yaml
@ -1,18 +0,0 @@
-{{- if .Values.PipelineSecrets.Env.Replace }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: molgenis-pipeline-env-secret
-  labels:
-    app: {{ template "jenkins.fullname" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-type: Opaque
-data:
-  pgpPassphrase: {{ .Values.PipelineSecrets.Env.PGPPassphrase | b64enc | quote }}
-  codecovToken: {{ .Values.PipelineSecrets.Env.CodecovToken | b64enc | quote }}
-  githubToken: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
-  sonarToken: {{ .Values.PipelineSecrets.Env.SonarToken | b64enc | quote }}
-  npmToken: {{ .Values.PipelineSecrets.Env.NpmToken | b64enc | quote }}
-{{- end }}
--- a/molgenis-jenkins/templates/molgenis-pipeline-file-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-pipeline-file-secret.yaml
@ -1,15 +0,0 @@
-{{- if .Values.PipelineSecrets.File.Replace }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: molgenis-pipeline-file-secret
-  labels:
-    app: {{ template "jenkins.fullname" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-type: Opaque
-data:
-  key.asc: {{ .Values.PipelineSecrets.File.PGPPrivateKeyAsc | b64enc | quote }}
-  settings.xml: {{ .Values.PipelineSecrets.File.MavenSettingsXML | b64enc | quote }}
-{{- end }}
--- a/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml
@ -1,4 +1,3 @@
-{{- if .Values.PipelineSecrets.Vault.Replace }}
 apiVersion: v1
 kind: Secret
 metadata:
@ -10,7 +9,6 @@ metadata:
    heritage: "{{ .Release.Service }}"
 type: Opaque
 data:
-  token: {{ .Values.PipelineSecrets.Vault.Token | b64enc | quote }}
-  addr: {{ .Values.PipelineSecrets.Vault.Addr | b64enc | quote }}
-  skipVerify: {{ .Values.PipelineSecrets.Vault.SkipVerify | b64enc | quote }}
-{{- end }}
+  token: {{ .Values.secret.vault.token | b64enc | quote }}
+  addr: {{ .Values.secret.vault.addr | b64enc | quote }}
+  skipVerify: {{ .Values.secret.vault.skipVerify | b64enc | quote }}