From 3a720a8a8578206486e39c17d33256db4ae77832 Mon Sep 17 00:00:00 2001 From: Fleur Kelpin Date: Sat, 18 Aug 2018 23:40:57 +0200 Subject: [PATCH 1/5] feat (jenkins): Add vault secret --- molgenis-jenkins/README.md | 11 +++++++++++ .../molgenis-pipeline-vault-secret.yaml | 16 ++++++++++++++++ molgenis-jenkins/values.yaml | 4 ++++ 3 files changed, 31 insertions(+) create mode 100644 molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml diff --git a/molgenis-jenkins/README.md b/molgenis-jenkins/README.md index c53571c..a61670a 100644 --- a/molgenis-jenkins/README.md +++ b/molgenis-jenkins/README.md @@ -52,6 +52,17 @@ There is one additional group of configuration items specific for this chart, so You can override the values at deploy time but otherwise also configure them [in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl. +* Vault + + New vault token to be used by the pods to retrieve their tokens from the vault. + + | Parameter | Description | Default | + | ----------------------------------|--------------------------------------------|-----------------------------------------------| + | `PipelineSecrets.Vault.Replace` | Replace the molgenis-pipeline-vault secret |`true` | + | `PipelineSecrets.Vault.Token` | Token to log into the hashicorp vault |`xxxx` | + | `PipelineSecrets.Vault.Addr` | Address of the vault |`https:vault-operator.vault-operator.svc:8200` | + | `PipelineSecrets.Vault.skipVerify`| Skip verification of the https connection |`1` | + * Env Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables diff --git a/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml b/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml new file mode 100644 index 0000000..e713c85 --- /dev/null +++ b/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml 
@@ -0,0 +1,16 @@ +{{- if .Values.PipelineSecrets.Vault.Replace }} +apiVersion: v1 +kind: Secret +metadata: + name: molgenis-pipeline-vault-secret + labels: + app: {{ template "jenkins.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + token: {{ .Values.PipelineSecrets.Vault.Token | b64enc | quote }} + addr: {{ .Values.PipelineSecrets.Vault.Addr | b64enc | quote }} + skipVerify: {{ .Values.PipelineSecrets.Vault.Addr | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/molgenis-jenkins/values.yaml b/molgenis-jenkins/values.yaml index 875b9c1..3e0a32e 100644 --- a/molgenis-jenkins/values.yaml +++ b/molgenis-jenkins/values.yaml @@ -509,6 +509,10 @@ jenkins: memory: "512Mi" NodeSelector: {} PipelineSecrets: + Vault: + Replace: true + Token: xxxx + Addr: "https://vault-operator.vault-operator.svc:8200" Env: # Set to false to keep existing secret Replace: true From 2fae637eee82cc755a4c1c2699c043798dfbb447 Mon Sep 17 00:00:00 2001 From: Fleur Kelpin Date: Sat, 18 Aug 2018 23:43:21 +0200 Subject: [PATCH 2/5] feat (jenkins): Create new molgenis pod with vault container and without the secrets. The new pod has label molgenisv2, the legacy one is still labeled molgenis so existing scripts will keep working. --- molgenis-jenkins/values.yaml | 35 ++++++++++++++++++++++++++++++----- 1 file changed, 30 insertions(+), 5 deletions(-) diff --git a/molgenis-jenkins/values.yaml b/molgenis-jenkins/values.yaml index 3e0a32e..f994646 100644 --- a/molgenis-jenkins/values.yaml +++ b/molgenis-jenkins/values.yaml 
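Review bot: The `token` line renders `.Values.PipelineSecrets.Vault.Token` into the Secret unconditionally, so a release that never overrides the `xxxx` placeholder shipped in values.yaml (the `@@ -509` hunk below) silently deploys that placeholder as the Vault token; fail at render time instead with `token: {{ required "PipelineSecrets.Vault.Token must be set" .Values.PipelineSecrets.Vault.Token | b64enc | quote }}` and leave the values.yaml default empty. The same `b64enc` pipeline expects a string, so a non-string value (the integer `SkipVerify: 1` added later in this series) is likely to abort rendering with a type error rather than encode; pipe through `toString` first or keep such values quoted in values.yaml. The `skipVerify` line encodes `.Addr` instead of a skip-verify value; patch 4 of the series corrects the key, but the type point above still applies to it. The new file also lacks a trailing newline.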
@@ -368,15 +368,12 @@ jenkins: install: true Pods: molgenis: - Label: molgenis - NodeUsageMode: NORMAL + Label: molgenisv2 + NodeUsageMode: EXCLUSIVE volumes: - type: HostPath hostPath: "/var/run/docker.sock" mountPath: "/var/run/docker.sock" - - type: Secret - secretName: molgenis-pipeline-file-secret - mountPath: "/root/.m2" Containers: maven: Image: "registry.webhosting.rug.nl/molgenis/maven" @@ -394,6 +391,34 @@ jenkins: Command: cat WorkingDir: /home/jenkins TTY: true + vault: + Image: "vault" + Command: cat + WorkingDir: /home/jenkins + TTY: true + EnvVars: + - type: Secret + key: VAULT_TOKEN + secretName: molgenis-pipeline-vault-secret + secretKey: token + - type: Secret + key: VAULT_SKIP_VERIFY + secretName: molgenis-pipeline-vault-secret + secretKey: skipVerify + - type: Secret + key: VAULT_ADDR + secretName: molgenis-pipeline-vault-secret + secretKey: addr + NodeSelector: {} + molgenis-legacy: + InheritFrom: molgenis + Label: molgenis + NodeUsageMode: NORMAL + volumes: + - type: Secret + secretName: molgenis-pipeline-file-secret + mountPath: "/root/.m2" + Containers: EnvVars: - type: Secret key: PGP_PASSPHRASE From e088ad894238638916a66fcad8c1e9e160e7ce35 Mon Sep 17 00:00:00 2001 From: Fleur Kelpin Date: Sun, 19 Aug 2018 13:46:18 +0200 Subject: [PATCH 3/5] fix (jenkins): Move maven's user.home dir to /home/jenkins so that it gets shared between containers in the molgenis pod --- molgenis-jenkins/values.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/molgenis-jenkins/values.yaml b/molgenis-jenkins/values.yaml index f994646..a73f3e9 100644 --- a/molgenis-jenkins/values.yaml +++ b/molgenis-jenkins/values.yaml @@ -386,6 +386,13 @@ jenkins: requests: cpu: "1" memory: "4Gi" + EnvVars: + - type: KeyValue + key: MAVEN_OPTS + value: "-Duser.home=/home/jenkins" + - type: KeyValue + key: MAVEN_CONFIG + value: "/home/jenkins/.m2" alpine: Image: "spotify/alpine" Command: cat 
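Review bot: The new `vault` container is declared as `Image: "vault"` with no tag or digest, so each pod launch pulls whatever `latest` resolves to at that moment; a container that is handed `VAULT_TOKEN` through its `EnvVars` should be pinned, e.g. `Image: "vault:<pinned-version>"` (placeholder) and preferably by digest. If `InheritFrom: molgenis` merges container lists the way the Jenkins Kubernetes plugin's pod-template inheritance does, `molgenis-legacy` also receives the `vault` container and its token env vars on top of the `molgenis-pipeline-file-secret` volume, which seems to contradict keeping the secrets in one pod and the vault token in the other — worth confirming against the rendered pod template. If the bare `Containers:` under `molgenis-legacy` is meant to be empty, write `Containers: {}` so it reads as an empty mapping rather than null.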
@@ -417,7 +424,7 @@ jenkins: volumes: - type: Secret secretName: molgenis-pipeline-file-secret - mountPath: "/root/.m2" + mountPath: "/home/jenkins/.m2" Containers: EnvVars: - type: Secret @@ -426,7 +433,7 @@ jenkins: secretKey: pgpPassphrase - type: KeyValue key: PGP_SECRETKEY - value: "keyfile:/root/.m2/key.asc" + value: "keyfile:/home.jenkins/.m2/key.asc" - type: KeyValue key: npm_config_registry value: "http://nexus.molgenis-nexus:8081/repository/npm-central/" From 8f7dfe9ec0e6610db3f2e3867e65e1d37a0fcc45 Mon Sep 17 00:00:00 2001 From: Fleur Kelpin Date: Sun, 19 Aug 2018 23:05:53 +0200 Subject: [PATCH 4/5] fix (jenkins) Fix skip verify value in vault secret --- molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml | 2 +- molgenis-jenkins/values.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml b/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml index e713c85..aa50fe7 100644 --- a/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml +++ b/molgenis-jenkins/templates/molgenis-pipeline-vault-secret.yaml @@ -12,5 +12,5 @@ type: Opaque data: token: {{ .Values.PipelineSecrets.Vault.Token | b64enc | quote }} addr: {{ .Values.PipelineSecrets.Vault.Addr | b64enc | quote }} - skipVerify: {{ .Values.PipelineSecrets.Vault.Addr | b64enc | quote }} + skipVerify: {{ .Values.PipelineSecrets.Vault.SkipVerify | b64enc | quote }} {{- end }} \ No newline at end of file diff --git a/molgenis-jenkins/values.yaml b/molgenis-jenkins/values.yaml index a73f3e9..a6ec1c2 100644 --- a/molgenis-jenkins/values.yaml +++ b/molgenis-jenkins/values.yaml @@ -545,6 +545,7 @@ PipelineSecrets: Replace: true Token: xxxx Addr: "https://vault-operator.vault-operator.svc:8200" + SkipVerify: 1 Env: # Set to false to keep existing secret Replace: true From 6e4a3faa4646aa62e018d78c3a30e36e1c6ad39e Mon Sep 17 00:00:00 2001 
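Review bot: `PGP_SECRETKEY` is changed to `keyfile:/home.jenkins/.m2/key.asc`, but the secret volume in the preceding hunk is mounted at `/home/jenkins/.m2`, so the dot in `home.jenkins` points the key path at a directory that does not exist; change it to `value: "keyfile:/home/jenkins/.m2/key.asc"`. The `MAVEN_OPTS` hunk at `-386` moves `user.home` to the same directory, so this is the only path in the series that still diverges from the mount.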
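Review bot: `SkipVerify: 1` is an unquoted integer, and the template piped into `b64enc` in the hunk above takes a string, so a Helm render is likely to fail with a type error rather than encode the value; quote it as `SkipVerify: "1"` or add `toString` before `b64enc` in the template. Beyond the type, this default turns off TLS verification for the very connection that carries the Vault token; the Vault CLI reads `VAULT_SKIP_VERIFY` as a boolean, so a default of `SkipVerify: "false"` keeps verification on and lets an operator opt out explicitly, with the README default updated to match.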
From: Fleur Kelpin Date: Sun, 19 Aug 2018 23:09:56 +0200 Subject: [PATCH 5/5] doc (jenkins) Fix chart README --- molgenis-jenkins/README.md | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/molgenis-jenkins/README.md b/molgenis-jenkins/README.md index a61670a..a2d1866 100644 --- a/molgenis-jenkins/README.md +++ b/molgenis-jenkins/README.md 
@@ -56,29 +56,29 @@ There is one additional group of configuration items specific for this chart, so New vault token to be used by the pods to retrieve their tokens from the vault. - | Parameter | Description | Default | - | ----------------------------------|--------------------------------------------|-----------------------------------------------| - | `PipelineSecrets.Vault.Replace` | Replace the molgenis-pipeline-vault secret |`true` | - | `PipelineSecrets.Vault.Token` | Token to log into the hashicorp vault |`xxxx` | - | `PipelineSecrets.Vault.Addr` | Address of the vault |`https:vault-operator.vault-operator.svc:8200` | - | `PipelineSecrets.Vault.skipVerify`| Skip verification of the https connection |`1` | + | Parameter | Description | Default | + | ---------------------------------- | ------------------------------------------ | ---------------------------------------------- | + | `PipelineSecrets.Vault.Replace` | Replace the molgenis-pipeline-vault secret | `true` | + | `PipelineSecrets.Vault.Token` | Token to log into the hashicorp vault | `xxxx` | + | `PipelineSecrets.Vault.Addr` | Address of the vault | `https:vault-operator.vault-operator.svc:8200` | + | `PipelineSecrets.Vault.SkipVerify` | Skip verification of the https connection | `1` | * Env Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables in the slave pods. 
- | Parameter | Description | Default | - | -------------------------------------- | ----------------------------------------- | --------------- | - | `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` | - | `PipelineSecrets.Env.PGPPassphrase` | passphrase for the pgp signing key | `literal:xxxx` | - | `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` | - | `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` | - | `PipelineSecrets.Env.NexusPassword` | token for molgenis-jenkins user in NEXUS | `xxxx` | - | `PipelineSecrets.Env.DockerHubPassword`| token for molgenis user in hub.docker.com | `xxxx` | - | `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | - | `PipelineSecrets.Env.NpmToken` | token for npmjs.org | `xxxx` | - | `PipelineSecrets.Env.SauceAccessKey` | token for saucelabs.com | `xxxx` | + | Parameter | Description | Default | + | --------------------------------------- | ----------------------------------------- | --------------- | + | `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` | + | `PipelineSecrets.Env.PGPPassphrase` | passphrase for the pgp signing key | `literal:xxxx` | + | `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` | + | `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` | + | `PipelineSecrets.Env.NexusPassword` | token for molgenis-jenkins user in NEXUS | `xxxx` | + | `PipelineSecrets.Env.DockerHubPassword` | token for molgenis user in hub.docker.com | `xxxx` | + | `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | + | `PipelineSecrets.Env.NpmToken` | token for npmjs.org | `xxxx` | + | `PipelineSecrets.Env.SauceAccessKey` | token for saucelabs.com | `xxxx` | * File