nomad

HCL and Docker files for Nomad deployments
git clone https://git.in0rdr.ch/nomad.git
Log | Files | Refs | Pull requests |Archive

commit 572bf2021869bac119c46be17224cde8f1f3f131
parent 166004904d078be4dead27478556a5a7bae2e272
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date:   Sat, 27 Jul 2024 23:40:08 +0200

feat(jenkins): workload identity & approle

Diffstat:
Mdocker/docker-jenkins-inbound-agent/README | 43+++++++++++++++++++++++++++++++++++++++++++
Mhcl/default/jenkins/jenkins.nomad | 7+++----
Mhcl/default/jenkins/templates/jenkins.yaml.tmpl | 29++++++++++++++++++++++++++---
3 files changed, 72 insertions(+), 7 deletions(-)

diff --git a/docker/docker-jenkins-inbound-agent/README b/docker/docker-jenkins-inbound-agent/README @@ -169,6 +169,49 @@ directories will still be created with old GIDs. systemctl stop user@1312 # removes /run/user/1312 rm -rf /run/user/1312 +== /home/jenkins (local) and /var/jenkins_home (NFS) == + +* There exists a truststore `/home/jenkins/nomad-agent-ca.p12` on each Nomad + node, the Nomad provisioning script configures this truststore in + `/home/jenkins` +* This truststore only contains the public CA certificate of the Nomad API + (:4646), password is irrelevant here +* The Jenkins Nomad server job mounts the p12 truststore from `/home/jenkins` + to `/etc/ssl/certs/` in the Jenkins server container +* `/var/jenkins_home` is the path of the CSI volume mount in the Jenkins server + container, it contains for instance all the plugins of the Jenkins server +* The Jenkins workspaces `/home/jenkins/workspace` are not stored on the CSI + volume, but mounted directly to the downstream jenkins podman workers + +To summarize: + + $ nomad node status | grep jenkins + jenkins service 50 running 2024-07-27T23:08:10+02:00 + jenkins-podman-122de767400f batch 50 running 2024-07-27T23:17:03+02:00 + +The Jenkins server container has the CSI volume mounted as `/var/jenkins_home`. + +The jenkins-podman downstream containers have the `/home/jenkins/workspace` +folder mounted at `/home/jenkins/workspace`. + +TODO: Can we move the storage of the jenkins-podman downstream containers to +the CSI volume as well? Can we add the volume_mounts section to the json +template of the nomad cloud configuration? + +```json + "VolumeMounts": [ + { + "Volume": "jenkins", + "Destination": "/home/jenkins", + "ReadOnly": false, + "PropagationMode": "private", + "SELinuxLabel": "" + } + ], +``` + +The workspaces would then probably be created on the CSI volume as well. + == Example build process == To configure a different UID/GID for the Jenkins user, it is also required to diff --git a/hcl/default/jenkins/jenkins.nomad b/hcl/default/jenkins/jenkins.nomad @@ -1,10 +1,7 @@ job "jenkins" { datacenters = ["dc1"] - vault { - policies = ["jenkins"] - change_mode = "noop" - } + vault {} group "server" { count = 1 @@ -95,6 +92,8 @@ job "jenkins" { volumes = [ # mount the templated config from the task directory to the container "local/jenkins.yaml:/var/jenkins_home/jenkins.yaml", + # mount the Nomad server truststore + "/home/jenkins/nomad-agent-ca.p12:/etc/ssl/certs/nomad-agent-ca.p12", # Required to test the functionality of the socket in the settings on # the Jenkins controller (only for Docker cloud, docker-plugin) # https://jenkins.in0rdr.ch/manage/cloud/docker/configure diff --git a/hcl/default/jenkins/templates/jenkins.yaml.tmpl b/hcl/default/jenkins/templates/jenkins.yaml.tmpl @@ -1,3 +1,15 @@ +credentials: + system: + domainCredentials: + - credentials: + - vaultAppRoleCredential: + description: "Jenkins approle on vault.in0rdr.ch" + id: "vault.in0rdr.ch" + path: "approle" + roleId: "f22e8fa1-600b-8b3f-8d1f-5e1dbb7ffc76" + scope: GLOBAL + secretId: "{AQAAABAAAAAwkvKMbKxXt32PvPfvk1uKGiUy4Ah/+ns+/VBls3heRBJb0l2TtJ+e63J+CKf6hXtcbPPi44W+UCIR2DElovaIKA==}" + usePolicies: false unclassified: location: adminAddress: "{{ if nomadVarExists "nomad/jobs/jenkins" -}} @@ -6,7 +18,7 @@ unclassified: url: "https://jenkins.in0rdr.ch" hashicorpVault: configuration: - vaultCredentialId: "vaultToken" + vaultCredentialId: "vault.in0rdr.ch" vaultUrl: "https://vault.in0rdr.ch" globalLibraries: libraries: @@ -43,10 +55,22 @@ jenkins: users: - id: in0rdr password: "{{with secret "kv/jenkins/users"}}{{index .Data.data.in0rdr}}{{end}}" + globalNodeProperties: + - envVars: + env: + - key: "GIT_AUTHOR_EMAIL" + value: "jenkins@jenkins.in0rdr.ch" + - key: "GIT_AUTHOR_NAME" + value: "jenkins" clouds: - nomad: name: "nomad" - nomadUrl: "http://{{env "attr.unique.network.ip-address"}}:4646" + nomadUrl: "https://{{env "attr.unique.network.ip-address"}}:4646" + tlsEnabled: true + serverCertificate: "/etc/ssl/certs/nomad-agent-ca.p12" + # the truststore only contains public certificates, password is irrelevant here + serverPassword: "123456" + clientPassword: prune: true templates: - idleTerminationInMinutes: 10 @@ -112,7 +136,6 @@ jenkins: numExecutors: 1 prefix: "jenkins-podman" reusable: true - tlsEnabled: false workerTimeout: 1 # Configuration example for the Docker cloud to spawn Jenkins agents directly # in Docker containers without intermediary Nomad jobs: