# ECOMP is a trademark and service mark of AT&T Intellectual Property.
# rkt-ice-jenkins (for kubernetes)
## design considerations
### goals
- bog standard jenkins
- one admin user
- admin password defined in vault, not generated by jenkins
- no interactive setup on first launch
- ssh keys set
- turn on security by default (so anonymous doesn't have admin!)
### ideas
- no need for massive "initial home" tarball; just place the stuff we want and jenkins will install the rest as usual
- use groovy to set admin password
  - nope: fragile, unreliable, and groovy is gross
- write users/admin/config.xml as templated k8s secret, insert password hash
  - okay, but ansible has no bcrypt filter. need to store hashed.
  - but paul says prefer environment variables
  - but then any jenkins job has access to the hashed password
- write jenkins.install.InstallUtil.lastExecVersion & jenkins.install.UpgradeWizard.state
  - can't simply mount them; need some process to copy into place
## design
- tweak base image to insert bootstrap wrapper script
- store secrets wherever (/etc/secrets), bootstrap can apply them
- bootstrap can generate jenkins.install.InstallUtil.lastExecVersion & jenkins.install.UpgradeWizard.state
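
A sketch of the bootstrap wrapper described above, added here as an example and not the project's own script: it copies the templated admin config from the mounted secret into place, refuses to continue unless that file carries a `#jbcrypt:` hash, and writes the two wizard-state files. The secret key name `admin-config.xml`, the `--run` switch and the `SECRETS_DIR` / `JENKINS_VERSION` variables are assumptions.

```shell
#!/bin/sh
# bootstrap wrapper sketch (added example; names marked "assumed" are not
# taken from the project)

# bootstrap_jenkins_home SECRETS_DIR JENKINS_HOME JENKINS_VERSION
bootstrap_jenkins_home() {
    secrets_dir=$1 home=$2 version=$3
    src="$secrets_dir/admin-config.xml"    # assumed key name in the k8s secret

    [ -n "$version" ] || { echo "bootstrap: jenkins version not given" >&2; return 1; }

    # Fail closed: the templated users/admin/config.xml must contain a bcrypt
    # hash (60 chars, jenkins' "#jbcrypt:" prefix). A plaintext password or an
    # unrendered template must never become the admin account.
    grep -Eq '<passwordHash>#jbcrypt:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}</passwordHash>' \
        "$src" 2>/dev/null || {
        echo "bootstrap: $src missing or has no #jbcrypt hash" >&2
        return 1
    }

    (
        # Subshell so the tight umask does not leak into jenkins itself.
        umask 077
        mkdir -p "$home/users/admin" &&
        cp "$src" "$home/users/admin/config.xml" &&
        # Both files hold the jenkins version; with them present jenkins
        # skips the interactive setup and upgrade wizards on first launch.
        printf '%s\n' "$version" > "$home/jenkins.install.InstallUtil.lastExecVersion" &&
        printf '%s\n' "$version" > "$home/jenkins.install.UpgradeWizard.state"
    )
}

# Entrypoint use (assumed): bootstrap.sh --run <original image command...>
if [ "${1:-}" = "--run" ]; then
    shift
    bootstrap_jenkins_home "${SECRETS_DIR:-/etc/secrets}" \
        "${JENKINS_HOME:?JENKINS_HOME not set}" "${JENKINS_VERSION:-}" || exit 1
    exec "$@"
fi
```

Because the hash arrives as a file under /etc/secrets and not as an environment variable, it does not appear in the environment that jenkins jobs inherit.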