
Commit

Merge pull request #141 from cloudbees/ldap
[Blueprint 02-At scale] Migration to helm-openldap/openldap-stack-ha (part II)
carlosrodlop authored May 21, 2024
2 parents 4a7dc29 + 9be23c7 commit d4a54d3
Showing 7 changed files with 30 additions and 15 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/terraform.yml
Expand Up @@ -13,7 +13,7 @@ permissions: read-all

env:
TERRAFORM_DOCS_VERSION: v0.16.0
TFLINT_VERSION: v0.50.3
TFLINT_VERSION: v0.51.1

concurrency:
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
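Review bot: The tflint bump from v0.50.3 to v0.51.1 is unrelated to the LDAP migration named in the PR title and nothing else in this diff depends on it; landing tooling bumps in their own commit keeps the CI change revertable on its own. Pinning to a release tag is fine for an env value the workflow reads.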
10 changes: 7 additions & 3 deletions blueprints/02-at-scale/README.md
Expand Up @@ -58,6 +58,7 @@ Once you have familiarized yourself with [CloudBees CI blueprint add-on: Get sta
|------|-------------|------|---------|:--------:|
| hosted_zone | Amazon Route 53 hosted zone. CloudBees CI applications are configured to use subdomains in this hosted zone. | `string` | n/a | yes |
| trial_license | CloudBees CI trial license details for evaluation. | `map(string)` | n/a | yes |
| secret_file | Relative location of the Secret file to be converted into a Kubernetes Secret. secrets-values.yml is not stored in the repository but it is generated as copy from secrets-values.yml.example. | `string` | `"k8s/secrets-values.yml"` | no |
| suffix | Unique suffix to assign to all resources. When adding the suffix, changes are required in CloudBees CI for the validation phase. | `string` | `""` | no |
| tags | Tags to apply to resources. | `map(string)` | `{}` | no |

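Review bot: Grammar in the new `secret_file` row: "generated as copy from secrets-values.yml.example" should read "generated as a copy of secrets-values.yml.example". The same sentence is the variable description in variables.tf, so fix it there first, since terraform-docs regenerates this table from it. The row would also help readers more if it said that the path is relative to the blueprint directory and that the generated file must stay out of version control.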
Expand Down Expand Up @@ -110,7 +111,10 @@ In addition to the minimum required settings explained in [Get started - Deploy]
### Create the secrets file

You must create your secrets file by copying the contents of [secrets-values.yml.example](k8s/secrets-values.yml.example) to `secrets-values.yml`. This provides [Kubernetes secrets](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) that can be consumed by CasC.
You must create your secrets file by copying the contents of [secrets-values.yml.example](k8s/secrets-values.yml.example) to `secrets-values.yml`. The content of this file will be served as [Kubernetes secrets](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) that can be consumed by CasC.

> [!IMPORTANT]
> Do not update parametrized values in the `secrets-values.yml` file. These values are automatically replaced by Terraform during the deployment phase (e.g. `sec_ldapPassword: ${ldap_password}` ).
### Update Amazon S3 bucket settings

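Review bot: The example in the new IMPORTANT callout does not match the template variable this PR actually passes. main.tf calls `templatefile` with `global_password = local.global_password` and the new jsonpath local reads `.data.sec_globalPassword`, so a secrets file containing `sec_ldapPassword: ${ldap_password}` would reference an undefined template variable and `templatefile` would fail. Change the example to the key and placeholder the file really uses (for instance `sec_globalPassword: ${global_password}`). Also add a blank line between the `>` callout and the `### Update Amazon S3 bucket settings` heading so the blockquote is terminated before the heading, and prefer "parameterized" over "parametrized".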
Expand Down Expand Up @@ -164,10 +168,10 @@ Once the resources have been created, a `kubeconfig` file is created in the [/k8

1. Complete the steps to [validate CloudBees CI](../01-getting-started/README.md#cloudbees-ci), if you have not done so already.

2. Authentication in this blueprint is based on LDAP and uses two types of personas (Admin and Developer), each with a different authorization level. Each persona uses a different username (cn); you can find the password in [.docker/ldap/data.ldif](./../../.docker/ldap/data.ldif). The authorization level defines a set of permissions configured using [RBAC](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/rbac). Additionally, the operations center and controller use [single sign-on (SS0)](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/using-sso). Issue the following command to retrieve the password of the `admin_cbci_a` user
2. Authentication in this blueprint is based on LDAP using user cn (available in [k8s/openldap-stack-values.yml](./k8s/openldap-stack-values.yml)) and the global password. The authorization level defines a set of permissions configured using [RBAC](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/rbac). Additionally, the operations center and controller use [single sign-on (SS0)](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/using-sso). Issue the following command to retrieve the global password:

```sh
eval $(terraform output --raw ldap_admin_password)
eval $(terraform output --raw global_password)
```

3. CasC is enabled for the [operations center](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-oc/) (`cjoc`) and [controllers](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-controller/) (`team-b` and `team-c-ha`). `team-a` is not using CasC, to illustrate the difference between the two approaches. Issue the following command to verify that all controllers are in a `Running` state:
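Review bot: The rewritten step 2 keeps the "SS0" typo (a zero in place of the O) from the old line; it should read "SSO". "based on LDAP using user cn (available in ...) and the global password" is hard to parse; say that each user is identified by its LDAP `cn` as listed in k8s/openldap-stack-values.yml and that all personas share one global password. Because Admin and Developer now share a single credential, the RBAC distinction between them holds only as long as that one password is not shared, which is worth stating as an evaluation-only trade-off. Lastly, the `eval $(terraform output --raw global_password)` form implies the output is itself a shell command (the jsonpath local added to main.tf suggests a kubectl lookup); the README should say what that command does so users know what they are evaluating.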
2 changes: 1 addition & 1 deletion blueprints/02-at-scale/k8s/openldap-stack-values.yml
Expand Up @@ -116,4 +116,4 @@ ltb-passwd:

# Enable the phpldapadmin web UI service for LDAP management after deployment.
phpldapadmin:
enabled: false
enabled: false
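Review bot: As rendered here only the leading whitespace of `enabled: false` changes in this hunk. In YAML that indentation decides whether `enabled` stays nested under `phpldapadmin:` or becomes a top-level key, so please confirm the resulting nesting (for example by rendering the chart with `helm template` or running a YAML linter) before merging.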
12 changes: 6 additions & 6 deletions blueprints/02-at-scale/main.tf
Expand Up @@ -51,7 +51,7 @@ locals {
fluentbit_s3_location = "${module.cbci_s3_bucket.s3_bucket_arn}/fluentbit"
velero_s3_location = "${module.cbci_s3_bucket.s3_bucket_arn}/velero"

epoch_millis = time_static.epoch.unix * 1000
epoch_millis = time_static.epoch.unix * 1000
global_password = random_string.global_pass_string.result

cloudwatch_logs_expiration_days = 7
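Review bot: `random_string` is not a sensitive resource, so `random_string.global_pass_string.result` is printed in clear in `terraform plan` and `apply` output and therefore in CI logs, and it is stored in state in plaintext either way. Since this value becomes the LDAP password for every persona, use `random_password` from the same provider (its `result` is marked sensitive and redacted in output) and make sure the state backend is encrypted and access-controlled. The `random_string.global_pass_string` resource itself is not in this diff, so its length and character-set settings cannot be reviewed here.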
Expand All @@ -64,10 +64,10 @@ locals {
velero_controller_backup_selector = "tenant=${local.velero_controller_backup}"
velero_schedule_name = "schedule-${local.velero_controller_backup}"

cbci_agents_ns = "cbci-agents"
cbci_agents_ns = "cbci-agents"
cbci_agent_podtemplname_validation = "maven-and-go-ondemand"

cbci_admin_user = "admin_cbci_a"
cbci_admin_user = "admin_cbci_a"
global_pass_jsonpath = "'{.data.sec_globalPassword}'"
}

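Review bot: `global_pass_jsonpath = "'{.data.sec_globalPassword}'"` bakes shell single quotes into a Terraform string, which only works if the value is later spliced unquoted into a shell command line; that couples the local to one specific output or script and breaks if it is ever passed as a proper argument or through `templatefile`. Consider keeping the local as the bare jsonpath expression and quoting at the call site. The key name `sec_globalPassword` also has to match the key in secrets-values.yml.example; the README callout in this same PR refers to `sec_ldapPassword`, so one of the two is stale. The other two changed lines in this hunk are alignment-only.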
Expand Down Expand Up @@ -107,9 +107,9 @@ module "eks_blueprints_addon_cbci" {
}

create_k8s_secrets = true
k8s_secrets = templatefile("k8s/secrets-values.yml", {
global_password = local.global_password
})
k8s_secrets = templatefile(var.secret_file, {
global_password = local.global_password
})

prometheus_target = true

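Review bot: `templatefile(var.secret_file, ...)` resolves a relative path against the directory Terraform is run from, not the module directory, so the default `k8s/secrets-values.yml` works only when running from blueprints/02-at-scale. Use `"${path.module}/${var.secret_file}"`, or document that the variable is relative to the module directory. A missing file currently fails at plan time with a generic templatefile error; a `fileexists` check with a message pointing at secrets-values.yml.example would make the failure actionable for first-time users who have not copied the example yet.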
5 changes: 5 additions & 0 deletions blueprints/02-at-scale/providers.tf
Expand Up @@ -28,6 +28,11 @@ terraform {
source = "hashicorp/null"
version = ">= 3.1.0"
}

random = {
source = "hashicorp/random"
version = ">= 3.6.1"
}
}

}
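Review bot: The new `random` provider requirement has no matching change to `.terraform.lock.hcl` among the seven files in this PR; if the lock file is committed, it needs updating in the same change so `terraform init` stays reproducible. The open-ended `>= 3.6.1` constraint follows the existing `null` entry and is consistent with it, though a `~> 3.6` constraint would stop a future major release from being picked up silently.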
6 changes: 6 additions & 0 deletions blueprints/02-at-scale/variables.tf
Expand Up @@ -24,3 +24,9 @@ variable "suffix" {
error_message = "The suffix can contain 10 characters or less."
}
}

variable "secret_file" {
description = "Relative location of the Secret file to be converted into a Kubernetes Secret. secrets-values.yml is not stored in the repository but it is generated as copy from secrets-values.yml.example."
default = "k8s/secrets-values.yml"
type = string
}
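Review bot: The new `secret_file` variable has no `validation` block, unlike `suffix` directly above it. A `condition = fileexists(var.secret_file)` with an `error_message` telling the user to copy secrets-values.yml.example would turn the otherwise generic templatefile failure into a clear one. The description also needs the grammar fix "generated as a copy of secrets-values.yml.example", and since the variable is a path and not the secret itself it correctly stays non-sensitive.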
8 changes: 4 additions & 4 deletions blueprints/helpers.sh
Expand Up @@ -113,11 +113,11 @@ probes () {
INFO "Initial Admin Password: $INITIAL_PASS."
fi
if [ "$root" == "02-at-scale" ]; then
ADMIN_CBCI_A_PASS=$(eval "$(tf-output "$root" ldap_admin_password)") && \
if [ -n "$ADMIN_CBCI_A_PASS" ]; then
INFO "Password for admin_cbci_a: $ADMIN_CBCI_A_PASS."
GLOBAL_PASS=$(eval "$(tf-output "$root" global_password)") && \
if [ -n "$GLOBAL_PASS" ]; then
INFO "Password for admin_cbci_a: $GLOBAL_PASS."
else
ERROR "Problem while getting Password for admin_cbci_a."
ERROR "Problem while getting Global Pass."
fi
until [ "$(eval "$(tf-output "$root" cbci_controllers_pods)" | awk '{ print $3 }' | grep -v STATUS | grep -v -c Running)" == 0 ]; do sleep $wait && echo "Waiting for Controllers Pod to get into Ready State..."; done ;\
eval "$(tf-output "$root" cbci_controllers_pods)" && INFO "All Controllers Pods are Ready."
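Review bot: `INFO "Password for admin_cbci_a: $GLOBAL_PASS."` writes the shared LDAP password into the script's log output, which in CI ends up in job logs; report that retrieval succeeded and point the user at the README command to fetch it rather than echoing the value. The new error message `Problem while getting Global Pass.` drops the user context that the success message still carries, so keep the two consistent. As with the README, `eval "$(tf-output ...)"` executes the Terraform output as a command, so that output must never carry untrusted content.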
