
chore (molgenis-jenkins): Retrieve pipeline secrets from vault when possible.

This commit is contained in:
Fleur Kelpin 2018-09-10 17:13:55 +02:00
parent 008fd5261e
commit a836ab4e6e
11 changed files with 117 additions and 305 deletions

View File

@ -40,57 +40,62 @@ You can use [all configuration values of the jenkins subchart](https://github.co
### GitHub Authentication delegation ### GitHub Authentication delegation
You need to setup a MOLGENIS - Jenkins GitHub OAuth App. You can do this by accessing this url: [add new OAuth app](https://github.com/settings/applications/new). You need to setup a MOLGENIS - Jenkins GitHub OAuth App. You can do this by accessing this url: [add new OAuth app](https://github.com/settings/applications/new).
### Additional configuration ### Secrets
There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`:
* PipelineSecrets When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins.
When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins
build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
each other with their own secrets.
You can override the values at deploy time but otherwise also configure them You can override the values at deploy time but otherwise also configure them
[in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl. [in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl.
* Vault #### Vault
New vault token to be used by the pods to retrieve their tokens from the vault. The vault secret gets mounted in the vault pod so pipeline scripts can retrieve secrets from the vault.
| Parameter | Description | Default | | Parameter | Description | Default |
| ---------------------------------- | ------------------------------------------ | ---------------------------------------------- | | ------------------------- | ------------------------------------------ | ---------------------------------------------- |
| `PipelineSecrets.Vault.Replace` | Replace the molgenis-pipeline-vault secret | `true` | | `secret.vault.token` | Token to log into the hashicorp vault | `xxxx` |
| `PipelineSecrets.Vault.Token` | Token to log into the hashicorp vault | `xxxx` | | `secret.vault.addr` | Address of the vault | `https:vault-operator.vault-operator.svc:8200` |
| `PipelineSecrets.Vault.Addr` | Address of the vault | `https:vault-operator.vault-operator.svc:8200` | | `secret.vault.skipVerify` | Skip verification of the https connection | `1` |
| `PipelineSecrets.Vault.SkipVerify` | Skip verification of the https connection | `1` |
* Env #### GitHub
Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables Token used by Jenkins to authenticate on GitHub.
in the slave pods.
| Parameter | Description | Default | | Parameter | Description | Default |
| --------------------------------------- | ----------------------------------------- | --------------- | | --------------------- | ------------------------ | ------------------ |
| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` | | `secret.gitHub.user` | username for the account | `molgenis-jenkins` |
| `PipelineSecrets.Env.PGPPassphrase` | passphrase for the pgp signing key | `literal:xxxx` | | `secret.gitHub.token` | token for the account | `xxxx` |
| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
| `PipelineSecrets.Env.NexusPassword` | token for molgenis-jenkins user in NEXUS | `xxxx` |
| `PipelineSecrets.Env.DockerHubPassword` | token for molgenis user in hub.docker.com | `xxxx` |
| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` |
| `PipelineSecrets.Env.NpmToken` | token for npmjs.org | `xxxx` |
| `PipelineSecrets.Env.SauceAccessKey` | token for saucelabs.com | `xxxx` |
* File #### Gogs
Environment variables stored in molgenis-pipeline-file secret, to be mounted as files Token used by Jenkins to authenticate on the [RuG Webhosting Gogs](https://git.webhosting.rug.nl).
in the `/root/.m2` directory of the slave pods.
> The settings.xml file references the
| Parameter | Description | Default | | Parameter | Description | Default |
| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- | | ------------------- | ------------------------ | --------- |
| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` | | `secret.gogs.user` | username for the account | `p281392` |
| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` | | `secret.gogs.token` | token for the account | `xxxx` |
| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml)) |
#### Legacy:
##### Docker Hub
Account used in pipeline builds to push docker images to `hub.docker.com`.
> They should read `secret/gcc/account/dockerhub` from vault instead!
| Parameter | Description | Default |
| --------------------------- | ------------------------ | --------------- |
| `secret.dockerHub.user` | username for the account | `molgenisci` |
| `secret.dockerHub.password` | password for the account | `xxxx` |
##### Registry
Account used in pipeline builds to push docker images to `registry.molgenis.org`.
> They should read `secret/ops/account/nexus` from vault instead!
| Parameter | Description | Default |
| --------------------------- | ------------------------ | --------- |
| `secret.dockerHub.user` | username for the account | `admin` |
| `secret.dockerHub.password` | password for the account | `xxxx` |
## Command line use ## Command line use
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
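Review bot: the Registry table under `##### Registry` documents the wrong keys; its rows read `secret.dockerHub.user` / `secret.dockerHub.password`, but the registry secret template and values.yaml in this same commit use `secret.registry.user` and `secret.registry.password`, so an operator following the README would set values nothing reads. Two smaller doc issues in the same hunk: the default shown for `secret.vault.addr` is `https:vault-operator.vault-operator.svc:8200` (missing `//`, while values.yaml ships `https://vault-operator.vault-operator.svc:8200`), and `> The settings.xml file references the` is an unfinished sentence; if it survives on the new side it should be completed or dropped. A sentence next to `secret.vault.skipVerify` that the default `1` disables TLS certificate checking on the connection that carries the vault token would also help readers judge that default.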

View File

@ -8,9 +8,9 @@ metadata:
"jenkins.io/credentials-type": "usernamePassword" "jenkins.io/credentials-type": "usernamePassword"
annotations: { annotations: {
# description - can not be a label as spaces are not allowed # description - can not be a label as spaces are not allowed
"jenkins.io/credentials-description" : "user to authenticate against Docker Hub (hub.docker.com)" "jenkins.io/credentials-description" : "(deprecated by vault) Account used in pipeline builds to push docker images to Docker Hub (hub.docker.com)"
} }
type: Opaque type: Opaque
data: data:
username: {{ "molgenisci" | b64enc | quote }} username: {{ .Values.secret.registry.user | b64enc | quote }}
password: {{ .Values.PipelineSecrets.Env.DockerHubPassword | b64enc | quote }} password: {{ .Values.secret.registry.password | b64enc | quote }}
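Review bot: the Docker Hub secret now reads `.Values.secret.registry.user` / `.Values.secret.registry.password`, but values.yaml in this commit defines a separate `secret.dockerHub` block (`user: molgenisci`) and the README documents `secret.dockerHub.*` for this secret; as written, the credential described as "push docker images to Docker Hub" is populated with the registry.molgenis.org `admin` account, and `secret.dockerHub.*` is never used by any template. Suggest `username: {{ .Values.secret.dockerHub.user | b64enc | quote }}` and `password: {{ .Values.secret.dockerHub.password | b64enc | quote }}`.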

View File

@ -8,9 +8,9 @@ metadata:
"jenkins.io/credentials-type": "usernamePassword" "jenkins.io/credentials-type": "usernamePassword"
annotations: { annotations: {
# description - can not be a label as spaces are not allowed # description - can not be a label as spaces are not allowed
"jenkins.io/credentials-description" : "oauth token for the molgenis-jenkins github user" "jenkins.io/credentials-description" : "Oauth token for the {{.Values.secret.gitHub.user}} GitHub user"
} }
type: Opaque type: Opaque
data: data:
username: {{ "molgenis-jenkins" | b64enc | quote }} username: {{ .Values.secret.gitHub.user | b64enc | quote }}
password: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }} password: {{ .Values.secret.gitHub.token | b64enc | quote }}
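Review bot: minor, "Oauth" in the new description should be "OAuth"; and because `.Values.secret.gitHub.user` is now interpolated inside a double-quoted YAML string, a user value containing a `"` would break the rendered manifest, so either keep the description static or be aware of that constraint on the value.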

View File

@ -8,9 +8,9 @@ metadata:
"jenkins.io/credentials-type": "usernamePassword" "jenkins.io/credentials-type": "usernamePassword"
annotations: { annotations: {
# description - can not be a label as spaces are not allowed # description - can not be a label as spaces are not allowed
"jenkins.io/credentials-description" : "user to authenticate against GOGS (git.webhosting.rug.nl)" "jenkins.io/credentials-description" : "Account used to authenticate against RuG Webhosting Gogs."
} }
type: Opaque type: Opaque
data: data:
username: {{ "p281392" | b64enc | quote }} username: {{ .Values.secret.gogs.user | b64enc | quote }}
password: {{ .Values.PipelineSecrets.Env.GogsToken | b64enc | quote }} password: {{ .Values.secret.gogs.token | b64enc | quote }}

View File

@ -1,16 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
name: "molgenis-jenkins-nexus-secret"
labels:
# so we know what type it is.
"jenkins.io/credentials-type": "usernamePassword"
annotations: {
# description - can not be a label as spaces are not allowed
"jenkins.io/credentials-description" : "user to authenticate against NEXUS"
}
type: Opaque
data:
username: {{ "admin" | b64enc | quote }}
password: {{ .Values.PipelineSecrets.Env.NexusPassword | b64enc | quote }}
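Review bot: removing this template makes Helm delete the live `molgenis-jenkins-nexus-secret` on the next `helm upgrade`, so any job still referencing that Jenkins credential id breaks immediately. The commit adds `molgenis-jenkins-registry-secret` with the same `admin` user, which looks like a rename, while the README's Legacy section points pipelines at `secret/ops/account/nexus` in vault; whichever is intended, the credential id change should be called out in the commit message or README so job owners know which id to move to.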

View File

@ -0,0 +1,17 @@
apiVersion: v1
kind: Secret
metadata:
name: molgenis-jenkins-registry-secret
labels:
app: {{ template "jenkins.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
annotations: {
# description - can not be a label as spaces are not allowed
"jenkins.io/credentials-description" : "(deprecated by vault) Account used in pipeline builds to push docker images to registry.molgenis.org."
}
type: Opaque
data:
username: {{ .Values.secret.registry.user | b64enc | quote }}
password: {{ .Values.secret.registry.password | b64enc | quote }}
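Review bot: this secret is missing the `"jenkins.io/credentials-type": "usernamePassword"` label that the other credential secrets in this chart carry (compare the github and gogs templates above), so the Jenkins Kubernetes credentials provider will not surface it as a username/password credential even though the description annotation is set. Add the label under `labels:` next to `app`/`chart`/`release`/`heritage`.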

View File

@ -1,16 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
name: "molgenis-jenkins-saucelabs-secret"
labels:
# so we know what type it is.
"jenkins.io/credentials-type": "usernamePassword"
annotations: {
# description - can not be a label as spaces are not allowed
"jenkins.io/credentials-description" : "user to authenticate against Saucelabs (saucelabs.com)"
}
type: Opaque
data:
username: {{ "molgenis-jenkins" | b64enc | quote }}
password: {{ .Values.PipelineSecrets.Env.SauceAccessKey | b64enc | quote }}
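Review bot: the Sauce Labs credential is dropped without a replacement vault path appearing anywhere in this change (the README's Legacy section gives paths for dockerhub and nexus only); add the path jobs should read for the Sauce Labs access key, or state in the commit message that it is intentionally retired.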

View File

@ -1,18 +0,0 @@
{{- if .Values.PipelineSecrets.Env.Replace }}
apiVersion: v1
kind: Secret
metadata:
name: molgenis-pipeline-env-secret
labels:
app: {{ template "jenkins.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
type: Opaque
data:
pgpPassphrase: {{ .Values.PipelineSecrets.Env.PGPPassphrase | b64enc | quote }}
codecovToken: {{ .Values.PipelineSecrets.Env.CodecovToken | b64enc | quote }}
githubToken: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
sonarToken: {{ .Values.PipelineSecrets.Env.SonarToken | b64enc | quote }}
npmToken: {{ .Values.PipelineSecrets.Env.NpmToken | b64enc | quote }}
{{- end }}
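Review bot: deleting this template makes Helm delete `molgenis-pipeline-env-secret` on upgrade, including copies that were edited by hand in Rancher or with kubectl (which the README invites), and the `Replace: false` escape hatch disappears with it. Before merging, confirm every pipeline that read PGP_PASSPHRASE, CODECOV_TOKEN, GITHUB_TOKEN, SONAR_TOKEN or NPM_TOKEN from this secret now fetches them from vault, since the `molgenis` pod template no longer injects them.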

View File

@ -1,15 +0,0 @@
{{- if .Values.PipelineSecrets.File.Replace }}
apiVersion: v1
kind: Secret
metadata:
name: molgenis-pipeline-file-secret
labels:
app: {{ template "jenkins.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
type: Opaque
data:
key.asc: {{ .Values.PipelineSecrets.File.PGPPrivateKeyAsc | b64enc | quote }}
settings.xml: {{ .Values.PipelineSecrets.File.MavenSettingsXML | b64enc | quote }}
{{- end }}
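Review bot: removing the PGP signing key and Maven `settings.xml` from a plain Kubernetes Secret is the right direction for a private key, but nothing in the change says where the signing key now lives; document the vault path (or that artifact signing moved elsewhere) so the next person does not re-add the key as an Opaque secret mounted into every build pod.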

View File

@ -1,4 +1,3 @@
{{- if .Values.PipelineSecrets.Vault.Replace }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
@ -10,7 +9,6 @@ metadata:
heritage: "{{ .Release.Service }}" heritage: "{{ .Release.Service }}"
type: Opaque type: Opaque
data: data:
token: {{ .Values.PipelineSecrets.Vault.Token | b64enc | quote }} token: {{ .Values.secret.vault.token | b64enc | quote }}
addr: {{ .Values.PipelineSecrets.Vault.Addr | b64enc | quote }} addr: {{ .Values.secret.vault.addr | b64enc | quote }}
skipVerify: {{ .Values.PipelineSecrets.Vault.SkipVerify | b64enc | quote }} skipVerify: {{ .Values.secret.vault.skipVerify | b64enc | quote }}
{{- end }}
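Review bot: dropping the `{{- if .Values.PipelineSecrets.Vault.Replace }}` guard means `molgenis-pipeline-vault-secret` is re-rendered on every `helm upgrade` with whatever `secret.vault.token` holds, and the shipped default is `xxxx`; a token rotated in Rancher or with kubectl (as the README suggests) is silently overwritten with the placeholder unless `--set secret.vault.token=...` is passed on each upgrade. Either keep an opt-out, or state in the README that the vault token must always be supplied at upgrade time.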

View File

@ -368,8 +368,8 @@ jenkins:
install: true install: true
Pods: Pods:
molgenis: molgenis:
Label: molgenisv2 Label: molgenis
NodeUsageMode: EXCLUSIVE NodeUsageMode: NORMAL
volumes: volumes:
- type: HostPath - type: HostPath
hostPath: "/var/run/docker.sock" hostPath: "/var/run/docker.sock"
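Review bot: switching the `molgenis` template to `NodeUsageMode: NORMAL` (and relabelling it from `molgenisv2` to `molgenis`) lets Jenkins schedule jobs that specify no label onto it, and this template mounts `/var/run/docker.sock` from the host (see the `volumes:` context just below the change); any job that lands there gets control of the node's Docker daemon. Keeping `EXCLUSIVE`, so only jobs that explicitly request the `molgenis` label receive the socket, is the safer default.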
@ -417,39 +417,6 @@ jenkins:
secretName: molgenis-pipeline-vault-secret secretName: molgenis-pipeline-vault-secret
secretKey: addr secretKey: addr
NodeSelector: {} NodeSelector: {}
molgenis-legacy:
InheritFrom: molgenis
Label: molgenis
NodeUsageMode: NORMAL
volumes:
- type: Secret
secretName: molgenis-pipeline-file-secret
mountPath: "/home/jenkins/.m2"
Containers:
EnvVars:
- type: Secret
key: PGP_PASSPHRASE
secretName: molgenis-pipeline-env-secret
secretKey: pgpPassphrase
- type: KeyValue
key: PGP_SECRETKEY
value: "keyfile:/home.jenkins/.m2/key.asc"
- type: KeyValue
key: npm_config_registry
value: "http://nexus.molgenis-nexus:8081/repository/npm-central/"
- type: Secret
key: SONAR_TOKEN
secretName: molgenis-pipeline-env-secret
secretKey: sonarToken
- type: Secret
key: CODECOV_TOKEN
secretName: molgenis-pipeline-env-secret
secretKey: codecovToken
- type: Secret
key: GITHUB_TOKEN
secretName: molgenis-pipeline-env-secret
secretKey: githubToken
NodeSelector: {}
node: node:
Label: node-carbon Label: node-carbon
NodeUsageMode: EXCLUSIVE NodeUsageMode: EXCLUSIVE
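Review bot: with `molgenis-legacy` gone, jobs carrying the `molgenis` label fall through to the renamed `molgenis` template, which injects only the three VAULT_* variables; the variables this block provided (PGP_PASSPHRASE, PGP_SECRETKEY, npm_config_registry, SONAR_TOKEN, CODECOV_TOKEN, GITHUB_TOKEN) and the `.m2` mount disappear, so check that no Jenkinsfile still expects them. Note also that `PGP_SECRETKEY` pointed at `/home.jenkins/.m2/key.asc` (dot instead of slash), which does not match the `/home/jenkins/.m2` mountPath; useful to know when checking whether anything relied on it.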
@ -461,155 +428,45 @@ jenkins:
Command: cat Command: cat
WorkingDir: /home/jenkins WorkingDir: /home/jenkins
TTY: true TTY: true
vault:
Image: "vault"
Command: cat
WorkingDir: /home/jenkins
TTY: true
EnvVars: EnvVars:
- type: KeyValue
key: npm_config_registry
value: "http://nexus.molgenis-nexus:8081/repository/npm-central/"
- type: Secret - type: Secret
key: CODECOV_TOKEN key: VAULT_TOKEN
secretName: molgenis-pipeline-env-secret secretName: molgenis-pipeline-vault-secret
secretKey: codecovToken secretKey: token
- type: Secret - type: Secret
key: GITHUB_TOKEN key: VAULT_SKIP_VERIFY
secretName: molgenis-pipeline-env-secret secretName: molgenis-pipeline-vault-secret
secretKey: githubToken secretKey: skipVerify
- type: Secret - type: Secret
key: NPM_TOKEN key: VAULT_ADDR
secretName: molgenis-pipeline-env-secret secretName: molgenis-pipeline-vault-secret
secretKey: npmToken secretKey: addr
NodeSelector: {} NodeSelector: {}
molgenis-it: #secret contains configuration for the kubernetes secrets that jenkins can access
InheritFrom: molgenis secret:
Label: molgenis-it # vault configures the vault secret
NodeUsageMode: EXCLUSIVE vault:
Containers: token: xxxx
elasticsearch: addr: "https://vault-operator.vault-operator.svc:8200"
Image: docker.elastic.co/elasticsearch/elasticsearch skipVerify: "1"
ImageTag: 5.5.3 # githubToken contains access token for jenkins bot account on github.com
resources: gitHub:
requests: user: "molgenis-jenkins"
cpu: "100m" token: xxxx
memory: "1Gi" # gogs contains access token for jenkins bot account on RuG GoGs
limits: gogs:
cpu: "1" user: p281392
memory: "1500Mi" token: xxxx
EnvVars: # registry contains credentials for registry.molgenis.org
- type: KeyValue registry:
key: ES_JAVA_OPTS user: admin
value: "-Xms512m -Xmx512m" password: xxxx
- type: KeyValue # dockerHubPassword contains password for hub.docker.com
key: cluster.name dockerHub:
value: molgenis user: molgenisci
- type: KeyValue password: xxxx
key: bootstrap.memory_lock
value: "true"
- type: KeyValue
key: xpack.security.enabled
value: "false"
- type: KeyValue
key: discovery.type
value: single-node
postgres:
Image: postgres
ImageTag: 9.6-alpine
resources:
requests:
cpu: "100m"
memory: "250Mi"
limits:
cpu: "1"
memory: "250Mi"
EnvVars:
- type: KeyValue
key: POSTGRES_USER
value: molgenis
- type: KeyValue
key: POSTGRES_PASSWORD
value: molgenis
- type: KeyValue
key: POSTGRES_DB
value: molgenis
opencpu:
Image: molgenis/opencpu
AlwaysPullImage: true
resources:
requests:
cpu: "100m"
memory: "256Mi"
limits:
cpu: "1"
memory: "512Mi"
NodeSelector: {}
PipelineSecrets:
Vault:
Replace: true
Token: xxxx
Addr: "https://vault-operator.vault-operator.svc:8200"
SkipVerify: 1
Env:
# Set to false to keep existing secret
Replace: true
# Passphrase for the pgp private key file, prefixed with literal:
PGPPassphrase: literal:xxxx
# Token for codecov.io service
CodecovToken: xxxx
# Token for github bot account
GitHubToken: xxxx
# Token for github bot account
GogsToken: xxxx
# Token for sonarcloud.io
SonarToken: xxxx
# Token for npmjs.org
NpmToken: xxxx
# Password Local NEXUS
NexusPassword: xxxx
# Password hub.docker.com
DockerHubPassword: xxxx
# Access key for saucelabs.com
SauceAccessKey: xxxx
File:
# Set to false to keep existing secret
Replace: true
# PGP Private key in ascii format used to sign artifacts
PGPPrivateKeyAsc: |-
-----BEGIN PGP PRIVATE KEY BLOCK-----
xxxxx
-----END PGP PRIVATE KEY BLOCK-----
# maven.settings file
MavenSettingsXML: |-
<settings>
<localRepository>${user.home}/.mvnrepository</localRepository>
<interactiveMode>false</interactiveMode>
<mirrors>
<mirror>
<id>nexus</id>
<mirrorOf>external:*</mirrorOf>
<url>http://nexus.molgenis-nexus:8081/repository/maven-central/</url>
</mirror>
</mirrors>
<servers>
<!-- for snapshot builds of the master -->
<server>
<id>sonatype-nexus-staging</id>
<username>molgenis</username>
<password>xxxx</password>
</server>
<server>
<id>local-nexus</id>
<url>http://nexus.molgenis-nexus:8081/repository/maven-snapshots/</url>
<username>admin</username>
<password>xxxxx</password>
</server>
<!-- for docker images-->
<server>
<id>registry.molgenis.org</id>
<username>admin</username>
<password>xxxx</password>
</server>
<server>
<id>registry.hub.docker.com</id>
<username>molgenisci</username>
<password>xxxx</password>
</server>
</servers>
</settings>
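Review bot: `skipVerify: "1"` as the shipped default turns off TLS certificate verification for every vault call, and VAULT_TOKEN travels over that connection; since the address is the cluster-internal `https://vault-operator.vault-operator.svc:8200`, mounting the CA bundle and pointing the client at it (Vault reads `VAULT_CACERT`) is a cheap alternative to leaving `skipVerify` on. Two smaller points in the same hunk: the new `vault` container uses `Image: "vault"` with no `ImageTag`, so every build pulls whatever `latest` is that day; pin a version as the removed elasticsearch and postgres containers did. And `secret.dockerHub` is defined here but no template references it (the dockerhub secret template reads `secret.registry`), while removing the `molgenis-it` template (elasticsearch/postgres/opencpu) leaves jobs with label `molgenis-it` without a pod template.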