summaryrefslogtreecommitdiffstats
path: root/README.md
blob: 83cbe524ae9e8c8c2ef9ead630a1047d2e60b910 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# ECOMP is a trademark and service mark of AT&T Intellectual Property.
# rkt-ice-jenkins (for kubernetes)

## design considerations

### goals

- bog standard jenkins
- one admin user
  - admin password defined in vault, not generated by jenkins
- no interactive setup on first launch
- ssh keys set
- turn on security by default (so anonymous doesn't have admin!)

### ideas

- no need for massive "initial home" tarball; just place the stuff we want and jenkins will install the rest as usual
- use groovy to set admin password
    - nope: fragile, unreliable, and groovy is gross
- write users/admin/config.xml as templated k8s secret, insert password hash
    - okay, but ansible has no bcrypt filter. need to store hashed.
    - but paul says prefer environment variables
      - but then any jenkins job has access to the hashed password
- write jenkins.install.InstallUtil.lastExecVersion jenkins.install.UpgradeWizard.state
    - can't simply mount them; need some process to copy into place

## design

- tweak base image to insert bootstrap wrapper script
- store secrets wherever (/etc/secrets), bootstrap can apply them
- bootstrap can generate jenkins.install.InstallUtil.lastExecVersion & jenkins.install.UpgradeWizard.state