chore (molgenis-jenkins): Retrieve pipeline secrets from vault when possible.
This commit is contained in:
parent
008fd5261e
commit
a836ab4e6e
@ -40,57 +40,62 @@ You can use [all configuration values of the jenkins subchart](https://github.co
|
||||
### GitHub Authentication delegation
|
||||
You need to setup a MOLGENIS - Jenkins GitHub OAuth App. You can do this by accessing this url: [add new OAuth app](https://github.com/settings/applications/new).
|
||||
|
||||
### Additional configuration
|
||||
There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`:
|
||||
### Secrets
|
||||
|
||||
* PipelineSecrets
|
||||
|
||||
When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins
|
||||
build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
|
||||
each other with their own secrets.
|
||||
When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins.
|
||||
|
||||
You can override the values at deploy time but otherwise also configure them
|
||||
[in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl.
|
||||
|
||||
* Vault
|
||||
#### Vault
|
||||
|
||||
New vault token to be used by the pods to retrieve their tokens from the vault.
|
||||
The vault secret gets mounted in the vault pod so pipeline scripts can retrieve secrets from the vault.
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| ---------------------------------- | ------------------------------------------ | ---------------------------------------------- |
|
||||
| `PipelineSecrets.Vault.Replace` | Replace the molgenis-pipeline-vault secret | `true` |
|
||||
| `PipelineSecrets.Vault.Token` | Token to log into the hashicorp vault | `xxxx` |
|
||||
| `PipelineSecrets.Vault.Addr` | Address of the vault | `https:vault-operator.vault-operator.svc:8200` |
|
||||
| `PipelineSecrets.Vault.SkipVerify` | Skip verification of the https connection | `1` |
|
||||
| Parameter | Description | Default |
|
||||
| ------------------------- | ------------------------------------------ | ---------------------------------------------- |
|
||||
| `secret.vault.token` | Token to log into the hashicorp vault | `xxxx` |
|
||||
| `secret.vault.addr` | Address of the vault | `https:vault-operator.vault-operator.svc:8200` |
|
||||
| `secret.vault.skipVerify` | Skip verification of the https connection | `1` |
|
||||
|
||||
* Env
|
||||
#### GitHub
|
||||
|
||||
Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables
|
||||
in the slave pods.
|
||||
Token used by Jenkins to authenticate on GitHub.
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| --------------------------------------- | ----------------------------------------- | --------------- |
|
||||
| `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
|
||||
| `PipelineSecrets.Env.PGPPassphrase` | passphrase for the pgp signing key | `literal:xxxx` |
|
||||
| `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
|
||||
| `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
|
||||
| `PipelineSecrets.Env.NexusPassword` | token for molgenis-jenkins user in NEXUS | `xxxx` |
|
||||
| `PipelineSecrets.Env.DockerHubPassword` | token for molgenis user in hub.docker.com | `xxxx` |
|
||||
| `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` |
|
||||
| `PipelineSecrets.Env.NpmToken` | token for npmjs.org | `xxxx` |
|
||||
| `PipelineSecrets.Env.SauceAccessKey` | token for saucelabs.com | `xxxx` |
|
||||
| Parameter | Description | Default |
|
||||
| --------------------- | ------------------------ | ------------------ |
|
||||
| `secret.gitHub.user` | username for the account | `molgenis-jenkins` |
|
||||
| `secret.gitHub.token` | token for the account | `xxxx` |
|
||||
|
||||
* File
|
||||
#### Gogs
|
||||
|
||||
Environment variables stored in molgenis-pipeline-file secret, to be mounted as files
|
||||
in the `/root/.m2` directory of the slave pods.
|
||||
> The settings.xml file references the
|
||||
Token used by Jenkins to authenticate on the [RuG Webhosting Gogs](https://git.webhosting.rug.nl).
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
|
||||
| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` |
|
||||
| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
|
||||
| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml)) |
|
||||
| Parameter | Description | Default |
|
||||
| ------------------- | ------------------------ | --------- |
|
||||
| `secret.gogs.user` | username for the account | `p281392` |
|
||||
| `secret.gogs.token` | token for the account | `xxxx` |
|
||||
|
||||
#### Legacy:
|
||||
|
||||
##### Docker Hub
|
||||
|
||||
Account used in pipeline builds to push docker images to `hub.docker.com`.
|
||||
> They should read `secret/gcc/account/dockerhub` from vault instead!
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| --------------------------- | ------------------------ | --------------- |
|
||||
| `secret.dockerHub.user` | username for the account | `molgenisci` |
|
||||
| `secret.dockerHub.password` | password for the account | `xxxx` |
|
||||
|
||||
##### Registry
|
||||
|
||||
Account used in pipeline builds to push docker images to `registry.molgenis.org`.
|
||||
> They should read `secret/ops/account/nexus` from vault instead!
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| --------------------------- | ------------------------ | --------- |
|
||||
| `secret.dockerHub.user` | username for the account | `admin` |
|
||||
| `secret.dockerHub.password` | password for the account | `xxxx` |
|
||||
|
||||
## Command line use
|
||||
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
|
||||
|
@ -8,9 +8,9 @@ metadata:
|
||||
"jenkins.io/credentials-type": "usernamePassword"
|
||||
annotations: {
|
||||
# description - can not be a label as spaces are not allowed
|
||||
"jenkins.io/credentials-description" : "user to authenticate against Docker Hub (hub.docker.com)"
|
||||
"jenkins.io/credentials-description" : "(deprecated by vault) Account used in pipeline builds to push docker images to Docker Hub (hub.docker.com)"
|
||||
}
|
||||
type: Opaque
|
||||
data:
|
||||
username: {{ "molgenisci" | b64enc | quote }}
|
||||
password: {{ .Values.PipelineSecrets.Env.DockerHubPassword | b64enc | quote }}
|
||||
username: {{ .Values.secret.registry.user | b64enc | quote }}
|
||||
password: {{ .Values.secret.registry.password | b64enc | quote }}
|
@ -8,9 +8,9 @@ metadata:
|
||||
"jenkins.io/credentials-type": "usernamePassword"
|
||||
annotations: {
|
||||
# description - can not be a label as spaces are not allowed
|
||||
"jenkins.io/credentials-description" : "oauth token for the molgenis-jenkins github user"
|
||||
"jenkins.io/credentials-description" : "Oauth token for the {{.Values.secret.gitHub.user}} GitHub user"
|
||||
}
|
||||
type: Opaque
|
||||
data:
|
||||
username: {{ "molgenis-jenkins" | b64enc | quote }}
|
||||
password: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
|
||||
username: {{ .Values.secret.gitHub.user | b64enc | quote }}
|
||||
password: {{ .Values.secret.gitHub.token | b64enc | quote }}
|
@ -8,9 +8,9 @@ metadata:
|
||||
"jenkins.io/credentials-type": "usernamePassword"
|
||||
annotations: {
|
||||
# description - can not be a label as spaces are not allowed
|
||||
"jenkins.io/credentials-description" : "user to authenticate against GOGS (git.webhosting.rug.nl)"
|
||||
"jenkins.io/credentials-description" : "Account used to authenticate against RuG Webhosting Gogs."
|
||||
}
|
||||
type: Opaque
|
||||
data:
|
||||
username: {{ "p281392" | b64enc | quote }}
|
||||
password: {{ .Values.PipelineSecrets.Env.GogsToken | b64enc | quote }}
|
||||
username: {{ .Values.secret.gogs.user | b64enc | quote }}
|
||||
password: {{ .Values.secret.gogs.token | b64enc | quote }}
|
@ -1,16 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
# this is the jenkins id.
|
||||
name: "molgenis-jenkins-nexus-secret"
|
||||
labels:
|
||||
# so we know what type it is.
|
||||
"jenkins.io/credentials-type": "usernamePassword"
|
||||
annotations: {
|
||||
# description - can not be a label as spaces are not allowed
|
||||
"jenkins.io/credentials-description" : "user to authenticate against NEXUS"
|
||||
}
|
||||
type: Opaque
|
||||
data:
|
||||
username: {{ "admin" | b64enc | quote }}
|
||||
password: {{ .Values.PipelineSecrets.Env.NexusPassword | b64enc | quote }}
|
@ -0,0 +1,17 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: molgenis-jenkins-registry-secret
|
||||
labels:
|
||||
app: {{ template "jenkins.fullname" . }}
|
||||
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
|
||||
release: "{{ .Release.Name }}"
|
||||
heritage: "{{ .Release.Service }}"
|
||||
annotations: {
|
||||
# description - can not be a label as spaces are not allowed
|
||||
"jenkins.io/credentials-description" : "(deprecated by vault) Account used in pipeline builds to push docker images to registry.molgenis.org."
|
||||
}
|
||||
type: Opaque
|
||||
data:
|
||||
username: {{ .Values.secret.registry.user | b64enc | quote }}
|
||||
password: {{ .Values.secret.registry.password | b64enc | quote }}
|
@ -1,16 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
# this is the jenkins id.
|
||||
name: "molgenis-jenkins-saucelabs-secret"
|
||||
labels:
|
||||
# so we know what type it is.
|
||||
"jenkins.io/credentials-type": "usernamePassword"
|
||||
annotations: {
|
||||
# description - can not be a label as spaces are not allowed
|
||||
"jenkins.io/credentials-description" : "user to authenticate against Saucelabs (saucelabs.com)"
|
||||
}
|
||||
type: Opaque
|
||||
data:
|
||||
username: {{ "molgenis-jenkins" | b64enc | quote }}
|
||||
password: {{ .Values.PipelineSecrets.Env.SauceAccessKey | b64enc | quote }}
|
@ -1,18 +0,0 @@
|
||||
{{- if .Values.PipelineSecrets.Env.Replace }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: molgenis-pipeline-env-secret
|
||||
labels:
|
||||
app: {{ template "jenkins.fullname" . }}
|
||||
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
|
||||
release: "{{ .Release.Name }}"
|
||||
heritage: "{{ .Release.Service }}"
|
||||
type: Opaque
|
||||
data:
|
||||
pgpPassphrase: {{ .Values.PipelineSecrets.Env.PGPPassphrase | b64enc | quote }}
|
||||
codecovToken: {{ .Values.PipelineSecrets.Env.CodecovToken | b64enc | quote }}
|
||||
githubToken: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
|
||||
sonarToken: {{ .Values.PipelineSecrets.Env.SonarToken | b64enc | quote }}
|
||||
npmToken: {{ .Values.PipelineSecrets.Env.NpmToken | b64enc | quote }}
|
||||
{{- end }}
|
@ -1,15 +0,0 @@
|
||||
{{- if .Values.PipelineSecrets.File.Replace }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: molgenis-pipeline-file-secret
|
||||
labels:
|
||||
app: {{ template "jenkins.fullname" . }}
|
||||
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
|
||||
release: "{{ .Release.Name }}"
|
||||
heritage: "{{ .Release.Service }}"
|
||||
type: Opaque
|
||||
data:
|
||||
key.asc: {{ .Values.PipelineSecrets.File.PGPPrivateKeyAsc | b64enc | quote }}
|
||||
settings.xml: {{ .Values.PipelineSecrets.File.MavenSettingsXML | b64enc | quote }}
|
||||
{{- end }}
|
@ -1,4 +1,3 @@
|
||||
{{- if .Values.PipelineSecrets.Vault.Replace }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
@ -10,7 +9,6 @@ metadata:
|
||||
heritage: "{{ .Release.Service }}"
|
||||
type: Opaque
|
||||
data:
|
||||
token: {{ .Values.PipelineSecrets.Vault.Token | b64enc | quote }}
|
||||
addr: {{ .Values.PipelineSecrets.Vault.Addr | b64enc | quote }}
|
||||
skipVerify: {{ .Values.PipelineSecrets.Vault.SkipVerify | b64enc | quote }}
|
||||
{{- end }}
|
||||
token: {{ .Values.secret.vault.token | b64enc | quote }}
|
||||
addr: {{ .Values.secret.vault.addr | b64enc | quote }}
|
||||
skipVerify: {{ .Values.secret.vault.skipVerify | b64enc | quote }}
|
@ -368,8 +368,8 @@ jenkins:
|
||||
install: true
|
||||
Pods:
|
||||
molgenis:
|
||||
Label: molgenisv2
|
||||
NodeUsageMode: EXCLUSIVE
|
||||
Label: molgenis
|
||||
NodeUsageMode: NORMAL
|
||||
volumes:
|
||||
- type: HostPath
|
||||
hostPath: "/var/run/docker.sock"
|
||||
@ -417,39 +417,6 @@ jenkins:
|
||||
secretName: molgenis-pipeline-vault-secret
|
||||
secretKey: addr
|
||||
NodeSelector: {}
|
||||
molgenis-legacy:
|
||||
InheritFrom: molgenis
|
||||
Label: molgenis
|
||||
NodeUsageMode: NORMAL
|
||||
volumes:
|
||||
- type: Secret
|
||||
secretName: molgenis-pipeline-file-secret
|
||||
mountPath: "/home/jenkins/.m2"
|
||||
Containers:
|
||||
EnvVars:
|
||||
- type: Secret
|
||||
key: PGP_PASSPHRASE
|
||||
secretName: molgenis-pipeline-env-secret
|
||||
secretKey: pgpPassphrase
|
||||
- type: KeyValue
|
||||
key: PGP_SECRETKEY
|
||||
value: "keyfile:/home.jenkins/.m2/key.asc"
|
||||
- type: KeyValue
|
||||
key: npm_config_registry
|
||||
value: "http://nexus.molgenis-nexus:8081/repository/npm-central/"
|
||||
- type: Secret
|
||||
key: SONAR_TOKEN
|
||||
secretName: molgenis-pipeline-env-secret
|
||||
secretKey: sonarToken
|
||||
- type: Secret
|
||||
key: CODECOV_TOKEN
|
||||
secretName: molgenis-pipeline-env-secret
|
||||
secretKey: codecovToken
|
||||
- type: Secret
|
||||
key: GITHUB_TOKEN
|
||||
secretName: molgenis-pipeline-env-secret
|
||||
secretKey: githubToken
|
||||
NodeSelector: {}
|
||||
node:
|
||||
Label: node-carbon
|
||||
NodeUsageMode: EXCLUSIVE
|
||||
@ -461,155 +428,45 @@ jenkins:
|
||||
Command: cat
|
||||
WorkingDir: /home/jenkins
|
||||
TTY: true
|
||||
EnvVars:
|
||||
- type: KeyValue
|
||||
key: npm_config_registry
|
||||
value: "http://nexus.molgenis-nexus:8081/repository/npm-central/"
|
||||
- type: Secret
|
||||
key: CODECOV_TOKEN
|
||||
secretName: molgenis-pipeline-env-secret
|
||||
secretKey: codecovToken
|
||||
- type: Secret
|
||||
key: GITHUB_TOKEN
|
||||
secretName: molgenis-pipeline-env-secret
|
||||
secretKey: githubToken
|
||||
- type: Secret
|
||||
key: NPM_TOKEN
|
||||
secretName: molgenis-pipeline-env-secret
|
||||
secretKey: npmToken
|
||||
NodeSelector: {}
|
||||
molgenis-it:
|
||||
InheritFrom: molgenis
|
||||
Label: molgenis-it
|
||||
NodeUsageMode: EXCLUSIVE
|
||||
Containers:
|
||||
elasticsearch:
|
||||
Image: docker.elastic.co/elasticsearch/elasticsearch
|
||||
ImageTag: 5.5.3
|
||||
resources:
|
||||
requests:
|
||||
cpu: "100m"
|
||||
memory: "1Gi"
|
||||
limits:
|
||||
cpu: "1"
|
||||
memory: "1500Mi"
|
||||
vault:
|
||||
Image: "vault"
|
||||
Command: cat
|
||||
WorkingDir: /home/jenkins
|
||||
TTY: true
|
||||
EnvVars:
|
||||
- type: KeyValue
|
||||
key: ES_JAVA_OPTS
|
||||
value: "-Xms512m -Xmx512m"
|
||||
- type: KeyValue
|
||||
key: cluster.name
|
||||
value: molgenis
|
||||
- type: KeyValue
|
||||
key: bootstrap.memory_lock
|
||||
value: "true"
|
||||
- type: KeyValue
|
||||
key: xpack.security.enabled
|
||||
value: "false"
|
||||
- type: KeyValue
|
||||
key: discovery.type
|
||||
value: single-node
|
||||
postgres:
|
||||
Image: postgres
|
||||
ImageTag: 9.6-alpine
|
||||
resources:
|
||||
requests:
|
||||
cpu: "100m"
|
||||
memory: "250Mi"
|
||||
limits:
|
||||
cpu: "1"
|
||||
memory: "250Mi"
|
||||
EnvVars:
|
||||
- type: KeyValue
|
||||
key: POSTGRES_USER
|
||||
value: molgenis
|
||||
- type: KeyValue
|
||||
key: POSTGRES_PASSWORD
|
||||
value: molgenis
|
||||
- type: KeyValue
|
||||
key: POSTGRES_DB
|
||||
value: molgenis
|
||||
opencpu:
|
||||
Image: molgenis/opencpu
|
||||
AlwaysPullImage: true
|
||||
resources:
|
||||
requests:
|
||||
cpu: "100m"
|
||||
memory: "256Mi"
|
||||
limits:
|
||||
cpu: "1"
|
||||
memory: "512Mi"
|
||||
- type: Secret
|
||||
key: VAULT_TOKEN
|
||||
secretName: molgenis-pipeline-vault-secret
|
||||
secretKey: token
|
||||
- type: Secret
|
||||
key: VAULT_SKIP_VERIFY
|
||||
secretName: molgenis-pipeline-vault-secret
|
||||
secretKey: skipVerify
|
||||
- type: Secret
|
||||
key: VAULT_ADDR
|
||||
secretName: molgenis-pipeline-vault-secret
|
||||
secretKey: addr
|
||||
NodeSelector: {}
|
||||
PipelineSecrets:
|
||||
Vault:
|
||||
Replace: true
|
||||
Token: xxxx
|
||||
Addr: "https://vault-operator.vault-operator.svc:8200"
|
||||
SkipVerify: 1
|
||||
Env:
|
||||
# Set to false to keep existing secret
|
||||
Replace: true
|
||||
# Passphrase for the pgp private key file, prefixed with literal:
|
||||
PGPPassphrase: literal:xxxx
|
||||
# Token for codecov.io service
|
||||
CodecovToken: xxxx
|
||||
# Token for github bot account
|
||||
GitHubToken: xxxx
|
||||
# Token for github bot account
|
||||
GogsToken: xxxx
|
||||
# Token for sonarcloud.io
|
||||
SonarToken: xxxx
|
||||
# Token for npmjs.org
|
||||
NpmToken: xxxx
|
||||
# Password Local NEXUS
|
||||
NexusPassword: xxxx
|
||||
# Password hub.docker.com
|
||||
DockerHubPassword: xxxx
|
||||
# Access key for saucelabs.com
|
||||
SauceAccessKey: xxxx
|
||||
File:
|
||||
# Set to false to keep existing secret
|
||||
Replace: true
|
||||
# PGP Private key in ascii format used to sign artifacts
|
||||
PGPPrivateKeyAsc: |-
|
||||
-----BEGIN PGP PRIVATE KEY BLOCK-----
|
||||
xxxxx
|
||||
-----END PGP PRIVATE KEY BLOCK-----
|
||||
# maven.settings file
|
||||
MavenSettingsXML: |-
|
||||
<settings>
|
||||
<localRepository>${user.home}/.mvnrepository</localRepository>
|
||||
<interactiveMode>false</interactiveMode>
|
||||
<mirrors>
|
||||
<mirror>
|
||||
<id>nexus</id>
|
||||
<mirrorOf>external:*</mirrorOf>
|
||||
<url>http://nexus.molgenis-nexus:8081/repository/maven-central/</url>
|
||||
</mirror>
|
||||
</mirrors>
|
||||
<servers>
|
||||
<!-- for snapshot builds of the master -->
|
||||
<server>
|
||||
<id>sonatype-nexus-staging</id>
|
||||
<username>molgenis</username>
|
||||
<password>xxxx</password>
|
||||
</server>
|
||||
<server>
|
||||
<id>local-nexus</id>
|
||||
<url>http://nexus.molgenis-nexus:8081/repository/maven-snapshots/</url>
|
||||
<username>admin</username>
|
||||
<password>xxxxx</password>
|
||||
</server>
|
||||
<!-- for docker images-->
|
||||
<server>
|
||||
<id>registry.molgenis.org</id>
|
||||
<username>admin</username>
|
||||
<password>xxxx</password>
|
||||
</server>
|
||||
<server>
|
||||
<id>registry.hub.docker.com</id>
|
||||
<username>molgenisci</username>
|
||||
<password>xxxx</password>
|
||||
</server>
|
||||
</servers>
|
||||
</settings>
|
||||
#secret contains configuration for the kubernetes secrets that jenkins can access
|
||||
secret:
|
||||
# vault configures the vault secret
|
||||
vault:
|
||||
token: xxxx
|
||||
addr: "https://vault-operator.vault-operator.svc:8200"
|
||||
skipVerify: "1"
|
||||
# githubToken contains access token for jenkins bot account on github.com
|
||||
gitHub:
|
||||
user: "molgenis-jenkins"
|
||||
token: xxxx
|
||||
# gogs contains access token for jenkins bot account on RuG GoGs
|
||||
gogs:
|
||||
user: p281392
|
||||
token: xxxx
|
||||
# registry contains credentials for registry.molgenis.org
|
||||
registry:
|
||||
user: admin
|
||||
password: xxxx
|
||||
# dockerHubPassword contains password for hub.docker.com
|
||||
dockerHub:
|
||||
user: molgenisci
|
||||
password: xxxx
|
Loading…
Reference in New Issue
Block a user