commit cbb0c195bb06be17917a5e136f81523b469b05cd
parent 3794921f6f6e5b97dfb62072573a9bb455a1d575
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date: Sat, 27 Jul 2024 23:41:35 +0200
feat(nomad): Jenkins p12 truststore
Diffstat:
4 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
@@ -89,6 +89,14 @@ mkdir -p tls/nomad && cd tls/nomad
nomad tls ca create
```
+Create Java truststore in pkcs12 format for Jenkins Nomad cloud config:
+```bash
+# https://plugins.jenkins.io/nomad
+# https://github.com/jenkinsci/nomad-plugin/blob/master/src/test/resources/tls/create_certs.sh
+keytool -import -file nomad-agent-ca.pem -keystore nomad-agent-ca.p12 \
+ -alias nomad -storetype pkcs12 -storepass 123456 -noprompt
+```
+
Then run the script from the projects root directory to create a new set of
certificates in the directory `./tls/nomad/certs`:
```bash
diff --git a/hashi-pi.pkr.hcl b/hashi-pi.pkr.hcl
@@ -32,6 +32,10 @@ variable "nomad_tls_ca" {
type = string
default = "./tls/nomad/nomad-agent-ca.pem"
}
+variable "nomad_tls_ca_p12" {
+ type = string
+ default = "./tls/nomad/nomad-agent-ca.p12"
+}
variable "nomad_tls_certs" {
type = string
@@ -188,6 +192,10 @@ build {
destination = "/tmp/tls/nomad-agent-ca.pem"
source = "${var.nomad_tls_ca}"
}
+ provisioner "file" {
+ destination = "/tmp/tls/nomad-agent-ca.p12"
+ source = "${var.nomad_tls_ca_p12}"
+ }
provisioner "file" {
destination = "/tmp/tls/"
diff --git a/nomad-tls.sh b/nomad-tls.sh
@@ -28,7 +28,13 @@ crt_types=("server" "cli" "client")
for type in "${crt_types[@]}"; do
# Create certificate
- nomad tls cert create -region dc1 -days 3560 -${type}
+ nomad tls cert create -region dc1 -days 3560 \
+ -additional-ipaddress 10.0.0.100 \
+ -additional-ipaddress 10.0.0.101 \
+ -additional-ipaddress 10.0.0.102 \
+ -additional-ipaddress 10.0.0.103 \
+ -additional-ipaddress 10.0.0.104 \
+ -${type}
cert="dc1-$type-nomad.pem"
key="dc1-$type-nomad-key.pem"
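Review bot: The five `-additional-ipaddress` values added to the `nomad tls cert create` call are hard-coded inside the loop and applied to every entry of `crt_types`, including `cli`, so the client-auth certificates also carry IP SANs that presumably only the server certificate needs. Pull the addresses into an array near the top of the script so a different host set does not require editing the command, and build the flags with an argument array instead of five continuation lines; quoting `"-${type}"` at the same time avoids word-splitting. If only the server cert should get the SANs, gate the array on `$type`. The `for` loop continues past the end of the hunk.
```bash
# IP SANs added to every generated certificate; edit here rather than in the command.
extra_ips=(10.0.0.100 10.0.0.101 10.0.0.102 10.0.0.103 10.0.0.104)
for type in "${crt_types[@]}"; do
  # Create certificate
  san_args=()
  for ip in "${extra_ips[@]}"; do
    san_args+=(-additional-ipaddress "$ip")
  done
  nomad tls cert create -region dc1 -days 3560 "${san_args[@]}" "-${type}"
  # … unchanged: cert/key file names …
```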
diff --git a/nomad.sh b/nomad.sh
@@ -17,6 +17,7 @@ mv /tmp/tls/* $TLS_DIR
chmod 640 $TLS_DIR/*.pem
chmod 644 $TLS_DIR/dc1-{cli,client,server}*
chmod 644 $TLS_DIR/nomad-agent-ca.pem
+chmod 644 $TLS_DIR/nomad-agent-ca.p12
# Install podman driver for Nomad
# https://developer.hashicorp.com/nomad/plugins/drivers/community/containerd
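Review bot: The new `chmod 644 $TLS_DIR/nomad-agent-ca.p12` makes the truststore world-readable, which is only acceptable because, per the README step in this commit, the PKCS#12 file holds just the imported CA certificate and no private key; a reader scanning the mode changes cannot tell that from here, so add `# p12 truststore contains only the public CA cert, safe to leave world-readable`. Like the surrounding lines, the path is unquoted; the same applies to the `mv`/`chown` lines in the later hunk of this file, so `"$TLS_DIR/nomad-agent-ca.p12"` on all three would keep them robust if `TLS_DIR` ever contains spaces or globbing characters.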
@@ -213,6 +214,10 @@ systemctl --user -M jenkins@ enable podman.socket
# create the mountpoint for the workspaces, podman does not create it for us
sudo -u jenkins mkdir /home/jenkins/workspace
+# move Nomad server truststore
+sudo mv $TLS_DIR/nomad-agent-ca.p12 /home/jenkins/
+sudo chown jenkins: /home/jenkins/nomad-agent-ca.p12
+
fi # endif NOMAD_CLIENT
# Configure .bashrc
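Review bot: `sudo mv $TLS_DIR/nomad-agent-ca.p12 /home/jenkins/` removes the truststore from `$TLS_DIR`, so a second run of this block fails at the `mv` and the following `chown` then touches a file that already belongs to jenkins; no `set -e` is visible in the hunk, so the failure would presumably be passed over silently. If a copy is acceptable, one idempotent line replaces both: `sudo install -o jenkins -g jenkins -m 0644 -- "$TLS_DIR/nomad-agent-ca.p12" /home/jenkins/nomad-agent-ca.p12`; otherwise at least quote the path and terminate option parsing, `sudo mv -- "$TLS_DIR/nomad-agent-ca.p12" /home/jenkins/`. The enclosing `if` for NOMAD_CLIENT starts outside the hunk.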
@@ -223,4 +228,4 @@ export NOMAD_ADDR=https://127.0.0.1:4646
export NOMAD_CACERT=$TLS_DIR/nomad-agent-ca.pem
export NOMAD_CLIENT_CERT=$TLS_DIR/dc1-cli-nomad.pem
export NOMAD_CLIENT_KEY=$TLS_DIR/dc1-cli-nomad-key.pem
-EOF
-\ No newline at end of file
+EOF