nomad

HCL and Docker files for Nomad deployments
git clone https://git.in0rdr.ch/nomad.git

commit 572bf2021869bac119c46be17224cde8f1f3f131
parent 166004904d078be4dead27478556a5a7bae2e272
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date:   Sat, 27 Jul 2024 23:40:08 +0200

feat(jenkins): workload identity & approle

Diffstat:
Mdocker/docker-jenkins-inbound-agent/README | 43+++++++++++++++++++++++++++++++++++++++++++
Mhcl/default/jenkins/jenkins.nomad | 7+++----
Mhcl/default/jenkins/templates/jenkins.yaml.tmpl | 29++++++++++++++++++++++++++---
3 files changed, 72 insertions(+), 7 deletions(-)

diff --git a/docker/docker-jenkins-inbound-agent/README b/docker/docker-jenkins-inbound-agent/README
@@ -169,6 +169,49 @@ directories will still be created with old GIDs.
 systemctl stop user@1312 # removes /run/user/1312
 rm -rf /run/user/1312
+== /home/jenkins (local) and /var/jenkins_home (NFS) ==
+
+* There exists a truststore `/home/jenkins/nomad-agent-ca.p12` on each Nomad
+ node, the Nomad provisioning script configures this truststore in
+ `/home/jenkins`
+* This truststore only contains the public CA certificate of the Nomad API
+ (:4646), password is irrelevant here
+* The Jenkins Nomad server job mounts the p12 truststore from `/home/jenkins`
+ to `/etc/ssl/certs/` in the Jenkins server container
+* `/var/jenkins_home` is the path of the CSI volume mount in the Jenkins server
+ container, it contains for instance all the plugins of the Jenkins server
+* The Jenkins workspaces `/home/jenkins/workspace` are not stored on the CSI
+ volume, but mounted directly to the downstream jenkins podman workers
+
+To summarize:
+
+ $ nomad node status | grep jenkins
+ jenkins service 50 running 2024-07-27T23:08:10+02:00
+ jenkins-podman-122de767400f batch 50 running 2024-07-27T23:17:03+02:00
+
+The Jenkins server container has the CSI volume mounted as `/var/jenkins_home`.
+
+The jenkins-podman downstream containers have the `/home/jenkins/workspace`
+folder mounted at `/home/jenkins/workspace`.
+
+TODO: Can we move the storage of the jenkins-podman downstream containers to
+the CSI volume as well? Can we add the volume_mounts section to the json
+template of the nomad cloud configuration?
+
+```json
+ "VolumeMounts": [
+ {
+ "Volume": "jenkins",
+ "Destination": "/home/jenkins",
+ "ReadOnly": false,
+ "PropagationMode": "private",
+ "SELinuxLabel": ""
+ }
+ ],
+```
+
+The workspaces would then probably be created on the CSI volume as well.
+
 == Example build process ==
 To configure a different UID/GID for the Jenkins user, it is also required to
diff --git a/hcl/default/jenkins/jenkins.nomad b/hcl/default/jenkins/jenkins.nomad
@@ -1,10 +1,7 @@
 job "jenkins" {
 datacenters = ["dc1"]
- vault {
- policies = ["jenkins"]
- change_mode = "noop"
- }
+ vault {}
 group "server" {
 count = 1
@@ -95,6 +92,8 @@ job "jenkins" {
 volumes = [
 # mount the templated config from the task directory to the container
 "local/jenkins.yaml:/var/jenkins_home/jenkins.yaml",
+ # mount the Nomad server truststore
+ "/home/jenkins/nomad-agent-ca.p12:/etc/ssl/certs/nomad-agent-ca.p12",
 # Required to test the functionality of the socket in the settings on
 # the Jenkins controller (only for Docker cloud, docker-plugin)
 # https://jenkins.in0rdr.ch/manage/cloud/docker/configure
diff --git a/hcl/default/jenkins/templates/jenkins.yaml.tmpl b/hcl/default/jenkins/templates/jenkins.yaml.tmpl
@@ -1,3 +1,15 @@
+credentials:
+ system:
+ domainCredentials:
+ - credentials:
+ - vaultAppRoleCredential:
+ description: "Jenkins approle on vault.in0rdr.ch"
+ id: "vault.in0rdr.ch"
+ path: "approle"
+ roleId: "f22e8fa1-600b-8b3f-8d1f-5e1dbb7ffc76"
+ scope: GLOBAL
+ secretId: "{AQAAABAAAAAwkvKMbKxXt32PvPfvk1uKGiUy4Ah/+ns+/VBls3heRBJb0l2TtJ+e63J+CKf6hXtcbPPi44W+UCIR2DElovaIKA==}"
+ usePolicies: false
 unclassified:
 location:
 adminAddress: "{{ if nomadVarExists "nomad/jobs/jenkins" -}}
@@ -6,7 +18,7 @@ unclassified:
 url: "https://jenkins.in0rdr.ch"
 hashicorpVault:
 configuration:
- vaultCredentialId: "vaultToken"
+ vaultCredentialId: "vault.in0rdr.ch"
 vaultUrl: "https://vault.in0rdr.ch"
 globalLibraries:
 libraries:
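Review bot: Replacing the block with a bare `vault {}` drops `change_mode = "noop"` as well as the policies list, so the vault block falls back to its default change mode (`restart`) and the Jenkins server task will be restarted if its Vault token changes; the commit message only describes the move to workload identity, not this behaviour change. If the previous no-restart behaviour is still wanted, keep it explicit: `vault { change_mode = "noop" }`. With no `policies` in the jobspec, the policies the task receives are now decided by the Vault JWT auth role that Nomad's workload identity maps to, which is configured outside this repo, so a one-line comment naming where that mapping is managed would save the next reader a search. The `job "jenkins"` block continues outside this hunk.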
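Review bot: The new host bind mount `/home/jenkins/nomad-agent-ca.p12:/etc/ssl/certs/nomad-agent-ca.p12` is read-write by default, although the container only needs to read the truststore. A process inside the Jenkins controller could otherwise overwrite the CA file on the host that the controller later uses to validate the Nomad API, so the mount should be read-only: `"/home/jenkins/nomad-agent-ca.p12:/etc/ssl/certs/nomad-agent-ca.p12:ro",`. The surrounding `volumes` list continues outside this hunk.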
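Review bot: The `secretId` of the new `vaultAppRoleCredential` is committed as a Jenkins-encrypted string (`{AQAAA…==}`), which ties this template to the master key of the current `/var/jenkins_home` and leaves the encrypted AppRole secret ID, next to the plain `roleId`, in git history for good; rotating either value or the Jenkins key then needs a new commit. This template already resolves secrets at render time (the `password:` line further down in the same file uses `{{with secret "kv/jenkins/users"}}…{{end}}`), so the same pattern fits here: `secretId: "{{with secret "kv/jenkins/<approle-secret-path>"}}{{index .Data.data.<secret-id-key>}}{{end}}"`, where the path and key are placeholders for the KV entry that holds the secret ID. That keeps the credential out of the repo and rotatable from Vault alone.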
@@ -43,10 +55,22 @@ jenkins:
 users:
 - id: in0rdr
 password: "{{with secret "kv/jenkins/users"}}{{index .Data.data.in0rdr}}{{end}}"
+ globalNodeProperties:
+ - envVars:
+ env:
+ - key: "GIT_AUTHOR_EMAIL"
+ value: "jenkins@jenkins.in0rdr.ch"
+ - key: "GIT_AUTHOR_NAME"
+ value: "jenkins"
 clouds:
 - nomad:
 name: "nomad"
- nomadUrl: "http://{{env "attr.unique.network.ip-address"}}:4646"
+ nomadUrl: "https://{{env "attr.unique.network.ip-address"}}:4646"
+ tlsEnabled: true
+ serverCertificate: "/etc/ssl/certs/nomad-agent-ca.p12"
+ # the truststore only contains public certificates, password is irrelevant here
+ serverPassword: "123456"
+ clientPassword:
 prune: true
 templates:
 - idleTerminationInMinutes: 10
@@ -112,7 +136,6 @@ jenkins:
 numExecutors: 1
 prefix: "jenkins-podman"
 reusable: true
- tlsEnabled: false
 workerTimeout: 1
 # Configuration example for the Docker cloud to spawn Jenkins agents directly
 # in Docker containers without intermediary Nomad jobs:
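Review bot: The comment above `serverPassword: "123456"` says the password is irrelevant, but a PKCS#12 file is integrity-checked with that password when it is loaded as a keystore, so the value still has to match the one the provisioning script used to create `/home/jenkins/nomad-agent-ca.p12` or the truststore will not load; "irrelevant" is only true for confidentiality, since the file holds no private key. Suggest rewording the comment to `# the truststore holds only the public Nomad CA, so this password protects nothing secret, but it must match the one used to create the .p12 or the keystore will not load`. Separately, `nomadUrl` now points at `https://{{env "attr.unique.network.ip-address"}}:4646`, so certificate verification happens against the node IP and presumably only succeeds if the Nomad server certificate carries that IP as a SAN; a short comment stating that assumption next to `tlsEnabled: true` would help whoever re-issues the certificates. The `clouds` list continues outside this hunk.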