ECOMP is a trademark and service mark of AT&T Intellectual Property.
rkt-ice-jenkins (for kubernetes)
design considerations
goals
- bog standard jenkins
- one admin user
- admin password defined in vault, not generated by jenkins
- no interactive setup on first launch
- ssh keys set
- turn on security by default (so anonymous doesn't have admin!)
ideas
- no need for massive "initial home" tarball; just place the stuff we want and jenkins will install the rest as usual
- use groovy to set admin password
  - nope: fragile, unreliable, and groovy is gross
- write users/admin/config.xml as templated k8s secret, insert password hash
  - okay, but ansible has no bcrypt filter. need to store hashed.
  - but paul says prefer environment variables
  - but then any jenkins job has access to the hashed password
- write jenkins.install.InstallUtil.lastExecVersion and jenkins.install.UpgradeWizard.state
  - can't simply mount them; need some process to copy into place
design
- tweak base image to insert bootstrap wrapper script
- store secrets wherever (/etc/secrets), bootstrap can apply them
- bootstrap can generate jenkins.install.InstallUtil.lastExecVersion & jenkins.install.UpgradeWizard.state
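
A sketch of the bootstrap wrapper described in the design above, added here as an example and not taken from the project's own code. The secret key name admin-config.xml, the version argument, and the check for Jenkins' `#jbcrypt:` hash prefix are assumptions; the sample inputs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: bootstrap wrapper sketch. Paths, file names and the
# version argument are assumptions, not taken from the project.

# apply_secrets SECRETS_DIR JENKINS_HOME
# Copies the pre-hashed admin user record out of the read-only secret mount.
# The hash travels as a file, never as an environment variable, so build
# jobs do not inherit it.
apply_secrets() {
    secrets_dir=$1
    home=$2
    src="$secrets_dir/admin-config.xml"   # hypothetical secret key name

    # Fail closed: without the admin record Jenkins must not start.
    [ -r "$src" ] || { echo "bootstrap: missing $src" >&2; return 1; }
    # Refuse anything that is not a bcrypt hash (e.g. a plaintext password).
    grep -q '<passwordHash>#jbcrypt:' "$src" || {
        echo "bootstrap: $src has no #jbcrypt: hash" >&2; return 1; }

    (
        umask 077   # keep the copied record private to the jenkins user
        mkdir -p "$home/users/admin" &&
        cp "$src" "$home/users/admin/config.xml"
    )
}

# mark_setup_done JENKINS_HOME VERSION
# Writes the two install-state files so first launch is non-interactive.
mark_setup_done() {
    home=$1
    version=$2
    [ -n "$version" ] || { echo "bootstrap: empty version" >&2; return 1; }
    for f in jenkins.install.InstallUtil.lastExecVersion \
             jenkins.install.UpgradeWizard.state; do
        printf '%s\n' "$version" > "$home/$f" || return 1
    done
}

# bootstrap SECRETS_DIR JENKINS_HOME VERSION
bootstrap() {
    apply_secrets "$1" "$2" && mark_setup_done "$2" "$3"
}

# A real wrapper would end with something like:
#   bootstrap /etc/secrets "$JENKINS_HOME" "$JENKINS_VERSION" && exec "$@"
```

Because the state files are written only after the admin record is in place, a missing or malformed secret leaves the setup wizard state untouched and the wrapper exits non-zero instead of launching Jenkins.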