feat (jenkins): Adds new molgenis pod with vault container and secrets.

The new pod doesn't have the secrets. Keeps the existing pod with molgenis label so existing Jenkinsfiles can be fixed after this PR.
2018-08-18 23:29:18 +02:00 · 2018-08-18 23:29:18 +02:00 · df82820ef3
parent 764cda4064
commit df82820ef3
2 changed files with 50 additions and 5 deletions
--- a/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml
+++ b/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml
@ -0,0 +1,16 @@
+{{- if .Values.PipelineSecrets.Vault.Replace }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: molgenis-pipeline-vault-secret
+  labels:
+    app: {{ template "jenkins.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  token: {{ .Values.PipelineSecrets.Vault.Token | b64enc | quote }}
+  addr: {{ .Values.PipelineSecrets.Vault.Addr | b64enc | quote }}
+  skipVerify: {{ .Values.PipelineSecrets.Vault.Addr | b64enc | quote }}
+{{- end }}
--- a/molgenis-jenkins/values.yaml
+++ b/molgenis-jenkins/values.yaml
@ -368,15 +368,12 @@ jenkins:
    install: true
  Pods:
    molgenis:
-      Label: molgenis
-      NodeUsageMode: NORMAL
+      Label: molgenisv2
+      NodeUsageMode: EXCLUSIVE
      volumes:
        - type: HostPath
          hostPath: "/var/run/docker.sock"
          mountPath: "/var/run/docker.sock"
-        - type: Secret
-          secretName: molgenis-pipeline-file-secret
-          mountPath: "/root/.m2"
      Containers:
        maven:
          Image: "registry.webhosting.rug.nl/molgenis/maven"
@ -394,6 +391,34 @@ jenkins:
          Command: cat
          WorkingDir: /home/jenkins
          TTY: true
+        vault:
+          Image: "vault"
+          Command: cat
+          WorkingDir: /home/jenkins
+          TTY: true
+          EnvVars:
+            - type: Secret
+              key: VAULT_TOKEN
+              secretName: molgenis-pipeline-vault-secret
+              secretKey: token
+            - type: Secret
+              key: VAULT_SKIP_VERIFY
+              secretName: molgenis-pipeline-vault-secret
+              secretKey: skipVerify
+            - type: Secret
+              key: VAULT_ADDR
+              secretName: molgenis-pipeline-vault-secret
+              secretKey: addr
+      NodeSelector: {}
+    molgenis-legacy:
+      InheritFrom: molgenis
+      Label: molgenis
+      NodeUsageMode: NORMAL
+      volumes:
+        - type: Secret
+          secretName: molgenis-pipeline-file-secret
+          mountPath: "/root/.m2"
+      Containers:
      EnvVars:
        - type: Secret
          key: PGP_PASSPHRASE
@ -509,6 +534,10 @@ jenkins:
              memory: "512Mi"
      NodeSelector: {}
 PipelineSecrets:
+  Vault:
+    Replace: true
+    Token: xxxx
+    Addr: "https://vault-operator.vault-operator.svc:8200"
  Env:
    # Set to false to keep existing secret
    Replace: true