diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 91a7d5ff..2887491e 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -13,7 +13,7 @@ permissions: read-all
 env:
 TERRAFORM_DOCS_VERSION: v0.16.0
- TFLINT_VERSION: v0.50.3
+ TFLINT_VERSION: v0.51.1
 concurrency:
 group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
diff --git a/blueprints/02-at-scale/README.md b/blueprints/02-at-scale/README.md
index cbbc09c7..5e97b5ed 100644
--- a/blueprints/02-at-scale/README.md
+++ b/blueprints/02-at-scale/README.md
@@ -58,6 +58,7 @@ Once you have familiarized yourself with [CloudBees CI blueprint add-on: Get sta
 |------|-------------|------|---------|:--------:|
 | hosted_zone | Amazon Route 53 hosted zone. CloudBees CI applications are configured to use subdomains in this hosted zone. | `string` | n/a | yes |
 | trial_license | CloudBees CI trial license details for evaluation. | `map(string)` | n/a | yes |
+| secret_file | Relative location of the Secret file to be converted into a Kubernetes Secret. secrets-values.yml is not stored in the repository but it is generated as copy from secrets-values.yml.example. | `string` | `"k8s/secrets-values.yml"` | no |
 | suffix | Unique suffix to assign to all resources. When adding the suffix, changes are required in CloudBees CI for the validation phase. | `string` | `""` | no |
 | tags | Tags to apply to resources. | `map(string)` | `{}` | no |
@@ -110,7 +111,10 @@ In addition to the minimum required settings explained in [Get started - Deploy]
 ### Create the secrets file
-You must create your secrets file by copying the contents of [secrets-values.yml.example](k8s/secrets-values.yml.example) to `secrets-values.yml`. This provides [Kubernetes secrets](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) that can be consumed by CasC.
+You must create your secrets file by copying the contents of [secrets-values.yml.example](k8s/secrets-values.yml.example) to `secrets-values.yml`. The content of this file will be served as [Kubernetes secrets](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) that can be consumed by CasC.
+
+> [!IMPORTANT]
+> Do not update parametrized values in the `secrets-values.yml` file. These values are automatically replaced by Terraform during the deployment phase (e.g. `sec_ldapPassword: ${ldap_password}` ).
 ### Update Amazon S3 bucket settings
@@ -164,10 +168,10 @@ Once the resources have been created, a `kubeconfig` file is created in the [/k8
 1. Complete the steps to [validate CloudBees CI](../01-getting-started/README.md#cloudbees-ci), if you have not done so already.
-2. Authentication in this blueprint is based on LDAP and uses two types of personas (Admin and Developer), each with a different authorization level. Each persona uses a different username (cn); you can find the password in [.docker/ldap/data.ldif](./../../.docker/ldap/data.ldif). The authorization level defines a set of permissions configured using [RBAC](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/rbac). Additionally, the operations center and controller use [single sign-on (SS0)](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/using-sso). Issue the following command to retrieve the password of the `admin_cbci_a` user
+2. Authentication in this blueprint is based on LDAP using user cn (available in [k8s/openldap-stack-values.yml](./k8s/openldap-stack-values.yml)) and the global password. The authorization level defines a set of permissions configured using [RBAC](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/rbac). Additionally, the operations center and controller use [single sign-on (SS0)](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/using-sso). Issue the following command to retrieve the global password:
 ```sh
- eval $(terraform output --raw ldap_admin_password)
+ eval $(terraform output --raw global_password)
 ```
 3. CasC is enabled for the [operations center](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-oc/) (`cjoc`) and [controllers](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-controller/) (`team-b` and `team-c-ha`). `team-a` is not using CasC, to illustrate the difference between the two approaches. Issue the following command to verify that all controllers are in a `Running` state:
diff --git a/blueprints/02-at-scale/k8s/openldap-stack-values.yml b/blueprints/02-at-scale/k8s/openldap-stack-values.yml
index d87b43b5..43946319 100644
--- a/blueprints/02-at-scale/k8s/openldap-stack-values.yml
+++ b/blueprints/02-at-scale/k8s/openldap-stack-values.yml
@@ -116,4 +116,4 @@ ltb-passwd:
 # Enable the phpldapadmin web UI service for LDAP management after deployment.
 phpldapadmin:
- enabled: false
\ No newline at end of file
+ enabled: false
diff --git a/blueprints/02-at-scale/main.tf b/blueprints/02-at-scale/main.tf
index 0d3a7a57..0792cc96 100644
--- a/blueprints/02-at-scale/main.tf
+++ b/blueprints/02-at-scale/main.tf
@@ -51,7 +51,7 @@ locals {
 fluentbit_s3_location = "${module.cbci_s3_bucket.s3_bucket_arn}/fluentbit"
 velero_s3_location = "${module.cbci_s3_bucket.s3_bucket_arn}/velero"
- epoch_millis = time_static.epoch.unix * 1000
+ epoch_millis = time_static.epoch.unix * 1000
 global_password = random_string.global_pass_string.result
 cloudwatch_logs_expiration_days = 7
@@ -64,10 +64,10 @@ locals {
 velero_controller_backup_selector = "tenant=${local.velero_controller_backup}"
 velero_schedule_name = "schedule-${local.velero_controller_backup}"
- cbci_agents_ns = "cbci-agents"
+ cbci_agents_ns = "cbci-agents"
 cbci_agent_podtemplname_validation = "maven-and-go-ondemand"
- cbci_admin_user = "admin_cbci_a"
+ cbci_admin_user = "admin_cbci_a"
 global_pass_jsonpath = "'{.data.sec_globalPassword}'"
 }
@@ -107,9 +107,9 @@ module "eks_blueprints_addon_cbci" {
 }
 create_k8s_secrets = true
- k8s_secrets = templatefile("k8s/secrets-values.yml", {
- global_password = local.global_password
- })
+ k8s_secrets = templatefile(var.secret_file, {
+ global_password = local.global_password
+ })
 prometheus_target = true
diff --git a/blueprints/02-at-scale/providers.tf b/blueprints/02-at-scale/providers.tf
index 9f952d29..49400d71 100644
--- a/blueprints/02-at-scale/providers.tf
+++ b/blueprints/02-at-scale/providers.tf
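Review bot: `templatefile(var.secret_file, { … })` resolves the relative default `k8s/secrets-values.yml` against the directory Terraform is invoked from rather than this module's directory, so running the blueprint from another working directory or consuming it as a child module would look for the file in the wrong place; anchoring it as `templatefile("${path.module}/${var.secret_file}", { … })` removes that dependency on the caller's cwd. Separately, the rendered string interpolates `local.global_password`, which the context of the first hunk in this file shows is `random_string.global_pass_string.result`; `random_string` does not flag its result as sensitive, so unless the add-on module declares `k8s_secrets` sensitive (not visible here) the whole rendered secrets document is printed in plan output. Wrapping the value as `sensitive(templatefile(...))`, or generating the password with `random_password` instead, keeps it out of plan diffs; it is still stored in state, which therefore needs a protected backend. The `eks_blueprints_addon_cbci` module block starts before this hunk.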
@@ -28,6 +28,11 @@ terraform {
 source = "hashicorp/null"
 version = ">= 3.1.0"
 }
+
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.6.1"
+ }
 }
 }
diff --git a/blueprints/02-at-scale/variables.tf b/blueprints/02-at-scale/variables.tf
index 2da41ad3..20b72fc6 100644
--- a/blueprints/02-at-scale/variables.tf
+++ b/blueprints/02-at-scale/variables.tf
@@ -24,3 +24,9 @@ variable "suffix" {
 error_message = "The suffix can contain 10 characters or less."
 }
 }
+
+variable "secret_file" {
+ description = "Relative location of the Secret file to be converted into a Kubernetes Secret. secrets-values.yml is not stored in the repository but it is generated as copy from secrets-values.yml.example."
+ default = "k8s/secrets-values.yml"
+ type = string
+}
diff --git a/blueprints/helpers.sh b/blueprints/helpers.sh
index 6bbfe917..a3d767ab 100755
--- a/blueprints/helpers.sh
+++ b/blueprints/helpers.sh
@@ -113,11 +113,11 @@ probes () {
 INFO "Initial Admin Password: $INITIAL_PASS."
 fi
 if [ "$root" == "02-at-scale" ]; then
- ADMIN_CBCI_A_PASS=$(eval "$(tf-output "$root" ldap_admin_password)") && \
- if [ -n "$ADMIN_CBCI_A_PASS" ]; then
- INFO "Password for admin_cbci_a: $ADMIN_CBCI_A_PASS."
+ GLOBAL_PASS=$(eval "$(tf-output "$root" global_password)") && \
+ if [ -n "$GLOBAL_PASS" ]; then
+ INFO "Password for admin_cbci_a: $GLOBAL_PASS."
 else
- ERROR "Problem while getting Password for admin_cbci_a."
+ ERROR "Problem while getting Global Pass."
 fi
 until [ "$(eval "$(tf-output "$root" cbci_controllers_pods)" | awk '{ print $3 }' | grep -v STATUS | grep -v -c Running)" == 0 ]; do sleep $wait && echo "Waiting for Controllers Pod to get into Ready State..."; done ;\
 eval "$(tf-output "$root" cbci_controllers_pods)" && INFO "All Controllers Pods are Ready."
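Review bot: The new `secret_file` variable has `default` and `type` but no `validation` block, unlike `suffix` whose `error_message` is visible as context directly above it, so a missing or mistyped path (the description itself says the file is not committed and must be generated from the `.example` copy) only surfaces as a `templatefile` failure at plan time. A `validation { condition = fileexists(var.secret_file) error_message = "secret_file must point to an existing file; copy k8s/secrets-values.yml.example to k8s/secrets-values.yml to create it." }` block fails fast with an actionable message instead. The description would also read better as "generated as a copy of secrets-values.yml.example".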
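Review bot: `INFO "Password for admin_cbci_a: $GLOBAL_PASS."` still labels the value as the admin_cbci_a password even though the variable and the Terraform output were renamed to the global password and the sibling `ERROR` line now says "Global Pass"; `INFO "Global password (used for the LDAP users, e.g. admin_cbci_a): $GLOBAL_PASS."` keeps the two messages consistent, with the "used for the LDAP users" part inferred from the README hunk above rather than from this script. Echoing the credential itself into the probe output also means it ends up in any CI job log that runs helpers.sh; logging only that retrieval succeeded and pointing the operator at `terraform output --raw global_password` would keep the secret out of logs. `probes ()` begins before this hunk and continues past its last line.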