From 3a19d22d79801e466c0704c706e2da6569a89e06 Mon Sep 17 00:00:00 2001
From: Carlos Rodriguez Lopez
Date: Tue, 21 May 2024 09:29:10 +0200
Subject: [PATCH 1/8] Using Global Password for validation

---
 blueprints/helpers.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/blueprints/helpers.sh b/blueprints/helpers.sh
index 6bbfe917..a3d767ab 100755
--- a/blueprints/helpers.sh
+++ b/blueprints/helpers.sh
@@ -113,11 +113,11 @@ probes () {
 INFO "Initial Admin Password: $INITIAL_PASS."
 fi
 if [ "$root" == "02-at-scale" ]; then
- ADMIN_CBCI_A_PASS=$(eval "$(tf-output "$root" ldap_admin_password)") && \
- if [ -n "$ADMIN_CBCI_A_PASS" ]; then
- INFO "Password for admin_cbci_a: $ADMIN_CBCI_A_PASS."
+ GLOBAL_PASS=$(eval "$(tf-output "$root" global_password)") && \
+ if [ -n "$GLOBAL_PASS" ]; then
+ INFO "Password for admin_cbci_a: $GLOBAL_PASS."
 else
- ERROR "Problem while getting Password for admin_cbci_a."
+ ERROR "Problem while getting Global Pass."
 fi
 until [ "$(eval "$(tf-output "$root" cbci_controllers_pods)" | awk '{ print $3 }' | grep -v STATUS | grep -v -c Running)" == 0 ]; do sleep $wait && echo "Waiting for Controllers Pod to get into Ready State..."; done ;\
 eval "$(tf-output "$root" cbci_controllers_pods)" && INFO "All Controllers Pods are Ready."

From 9761d51f6edf5d54ce653f727fd0fc87f747b90f Mon Sep 17 00:00:00 2001
From: Carlos Rodriguez Lopez
Date: Tue, 21 May 2024 10:33:45 +0200
Subject: [PATCH 2/8] Docs: Amending Documentation for LDAP authetication

---
 blueprints/02-at-scale/README.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/blueprints/02-at-scale/README.md b/blueprints/02-at-scale/README.md
index b705b0f4..6d8ac4ea 100644
--- a/blueprints/02-at-scale/README.md
+++ b/blueprints/02-at-scale/README.md
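Review bot: The INFO line on the new side still labels the value `Password for admin_cbci_a` while it now prints `$GLOBAL_PASS`, so the log text no longer matches what was fetched (the ERROR branch was renamed, the INFO branch was not); `INFO "Global password: $GLOBAL_PASS."` keeps the two consistent. Because this helper writes the credential in clear text to whatever captures its output, consider whether the validation step needs the value itself or only confirmation that it was retrieved, e.g. `INFO "Global password retrieved; print it with: eval \$(terraform output --raw global_password)"`. The `eval` of the `tf-output` result executes the output as shell, which predates this patch, but it means the generated password must remain free of characters that the output's shell snippet does not quote — worth confirming against the `random_string` definition, which is outside this hunk. `probes ()` begins before this hunk and continues after it.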
@@ -109,7 +109,10 @@ In addition to the minimum required settings explained in [Get started - Deploy]
 ### Create the secrets file
-You must create your secrets file by copying the contents of [secrets-values.yml.example](k8s/secrets-values.yml.example) to `secrets-values.yml`. This provides [Kubernetes secrets](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) that can be consumed by CasC.
+You must create your secrets file by copying the contents of [secrets-values.yml.example](k8s/secrets-values.yml.example) to `secrets-values.yml`. The content of this file will be served as [Kubernetes secrets](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) that can be consumed by CasC.
+
+> [!IMPORTANT]
+> Do not update parametrized values in the `secrets-values.yml` file. These values are automatically replaced by Terraform during the deployment phase (e.g. `sec_ldapPassword: ${ldap_password}` ).
 ### Update Amazon S3 bucket settings
@@ -163,10 +166,10 @@ Once the resources have been created, a `kubeconfig` file is created in the [/k8
 1. Complete the steps to [validate CloudBees CI](../01-getting-started/README.md#cloudbees-ci), if you have not done so already.
-2. Authentication in this blueprint is based on LDAP and uses two types of personas (Admin and Developer), each with a different authorization level. Each persona uses a different username (cn); you can find the password in [.docker/ldap/data.ldif](./../../.docker/ldap/data.ldif). The authorization level defines a set of permissions configured using [RBAC](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/rbac). Additionally, the operations center and controller use [single sign-on (SS0)](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/using-sso). Issue the following command to retrieve the password of the `admin_cbci_a` user
+2. Authentication in this blueprint is based on LDAP using user cn (available in [k8s/openldap-stack-values.yml](./k8s/openldap-stack-values.yml)) and the global password. The authorization level defines a set of permissions configured using [RBAC](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/rbac). Additionally, the operations center and controller use [single sign-on (SS0)](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/using-sso). Issue the following command to retrieve the global password:
 ```sh
- eval $(terraform output --raw ldap_admin_password)
+ eval $(terraform output --raw global_password)
 ```
 3. CasC is enabled for the [operations center](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-oc/) (`cjoc`) and [controllers](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-controller/) (`team-b` and `team-c-ha`). `team-a` is not using CasC, to illustrate the difference between the two approaches. Issue the following command to verify that all controllers are in a `Running` state:
From 80329c33a32a3b28aece29e0f3169f5338f57045 Mon Sep 17 00:00:00 2001
From: Carlos Rodriguez Lopez
Date: Tue, 21 May 2024 10:59:25 +0200
Subject: [PATCH 3/8] pre-commit checks update

---
 blueprints/02-at-scale/k8s/openldap-stack-values.yml | 2 +-
 blueprints/02-at-scale/main.tf | 10 +++++-----
 blueprints/02-at-scale/providers.tf | 5 +++++
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/blueprints/02-at-scale/k8s/openldap-stack-values.yml b/blueprints/02-at-scale/k8s/openldap-stack-values.yml
index d87b43b5..43946319 100644
--- a/blueprints/02-at-scale/k8s/openldap-stack-values.yml
+++ b/blueprints/02-at-scale/k8s/openldap-stack-values.yml
@@ -116,4 +116,4 @@ ltb-passwd:
 # Enable the phpldapadmin web UI service for LDAP management after deployment.
 phpldapadmin:
- enabled: false
\ No newline at end of file
+ enabled: false
diff --git a/blueprints/02-at-scale/main.tf b/blueprints/02-at-scale/main.tf
index 0d3a7a57..0776ff34 100644
--- a/blueprints/02-at-scale/main.tf
+++ b/blueprints/02-at-scale/main.tf
@@ -51,7 +51,7 @@ locals {
 fluentbit_s3_location = "${module.cbci_s3_bucket.s3_bucket_arn}/fluentbit"
 velero_s3_location = "${module.cbci_s3_bucket.s3_bucket_arn}/velero"
- epoch_millis = time_static.epoch.unix * 1000
+ epoch_millis = time_static.epoch.unix * 1000
 global_password = random_string.global_pass_string.result
 cloudwatch_logs_expiration_days = 7
@@ -64,10 +64,10 @@ locals {
 velero_controller_backup_selector = "tenant=${local.velero_controller_backup}"
 velero_schedule_name = "schedule-${local.velero_controller_backup}"
- cbci_agents_ns = "cbci-agents"
+ cbci_agents_ns = "cbci-agents"
 cbci_agent_podtemplname_validation = "maven-and-go-ondemand"
- cbci_admin_user = "admin_cbci_a"
+ cbci_admin_user = "admin_cbci_a"
 global_pass_jsonpath = "'{.data.sec_globalPassword}'"
 }
@@ -108,8 +108,8 @@ module "eks_blueprints_addon_cbci" {
 create_k8s_secrets = true
 k8s_secrets = templatefile("k8s/secrets-values.yml", {
- global_password = local.global_password
- })
+ global_password = local.global_password
+ })
 prometheus_target = true
diff --git a/blueprints/02-at-scale/providers.tf b/blueprints/02-at-scale/providers.tf
index 9f952d29..49400d71 100644
--- a/blueprints/02-at-scale/providers.tf
+++ b/blueprints/02-at-scale/providers.tf
@@ -28,6 +28,11 @@ terraform {
 source = "hashicorp/null"
 version = ">= 3.1.0"
 }
+
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.6.1"
+ }
 }
 }

From f7381eaee34cc83c21921d133e7718e2fe5c3a1f Mon Sep 17 00:00:00 2001
From: Carlos Rodriguez Lopez
Date: Tue, 21 May 2024 11:45:29 +0200
Subject: [PATCH 4/8] Adding tflint-ignore k8s/secrets-values.yml

---
 blueprints/02-at-scale/main.tf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/blueprints/02-at-scale/main.tf b/blueprints/02-at-scale/main.tf
index 0776ff34..dce4686a 100644
--- a/blueprints/02-at-scale/main.tf
+++ b/blueprints/02-at-scale/main.tf
@@ -107,6 +107,8 @@ module "eks_blueprints_addon_cbci" {
 }
 create_k8s_secrets = true
+ # k8s/secrets-values.yml is not included in the repository
+ # tflint-ignore: terraform_unused_declarations_with_resource
 k8s_secrets = templatefile("k8s/secrets-values.yml", {
 global_password = local.global_password
 })

From 6e03ac24c585d01580c35d1e9dd38f236e62ac33 Mon Sep 17 00:00:00 2001
From: Carlos Rodriguez Lopez
Date: Tue, 21 May 2024 12:06:09 +0200
Subject: [PATCH 5/8] try with ignore all for K8s secrets file

---
 blueprints/02-at-scale/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/blueprints/02-at-scale/main.tf b/blueprints/02-at-scale/main.tf
index dce4686a..2b209231 100644
--- a/blueprints/02-at-scale/main.tf
+++ b/blueprints/02-at-scale/main.tf
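Review bot: The `hashicorp/random` constraint added in the providers.tf hunk serves `random_string.global_pass_string`, whose `.result` is assigned to `local.global_password` (visible as context in the main.tf hunk at `@@ -51,7 +51,7 @@`), and `random_string` does not flag its result as sensitive, so the password is shown in plan and apply output and in any CI log that captures them. The same provider offers `random_password`, the sensitive-flagged equivalent; changing the resource type to `resource "random_password" "global_pass_string"` keeps the `.result` attribute and propagates sensitivity to `local.global_password` and to the `templatefile` rendering that consumes it. The value still lands in state in clear text either way, which is expected for a Terraform-generated secret but deserves a comment at the resource. The resource definition itself is outside the visible hunks, so this applies wherever it lives.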
@@ -108,7 +108,7 @@ module "eks_blueprints_addon_cbci" {
 create_k8s_secrets = true
 # k8s/secrets-values.yml is not included in the repository
- # tflint-ignore: terraform_unused_declarations_with_resource
+ # tflint-ignore: all
 k8s_secrets = templatefile("k8s/secrets-values.yml", {
 global_password = local.global_password
 })

From 95529fed2f673430e40857fb9648374e92a1259b Mon Sep 17 00:00:00 2001
From: Carlos Rodriguez Lopez
Date: Tue, 21 May 2024 12:26:34 +0200
Subject: [PATCH 6/8] Adding in the same line the ignore

---
 blueprints/02-at-scale/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/blueprints/02-at-scale/main.tf b/blueprints/02-at-scale/main.tf
index 2b209231..430f5d92 100644
--- a/blueprints/02-at-scale/main.tf
+++ b/blueprints/02-at-scale/main.tf
@@ -109,7 +109,7 @@ module "eks_blueprints_addon_cbci" {
 create_k8s_secrets = true
 # k8s/secrets-values.yml is not included in the repository
 # tflint-ignore: all
- k8s_secrets = templatefile("k8s/secrets-values.yml", {
+ k8s_secrets = templatefile("k8s/secrets-values.yml", { # tflint-ignore: all
 global_password = local.global_password
 })

From 4c5784b2e80a6b2de3f2d4fce5de672e831859d4 Mon Sep 17 00:00:00 2001
From: Carlos Rodriguez Lopez
Date: Tue, 21 May 2024 12:33:03 +0200
Subject: [PATCH 7/8] increasing version of tf-lini

---
 .github/workflows/terraform.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 91a7d5ff..2887491e 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -13,7 +13,7 @@ permissions: read-all
 env:
 TERRAFORM_DOCS_VERSION: v0.16.0
- TFLINT_VERSION: v0.50.3
+ TFLINT_VERSION: v0.51.1
 concurrency:
 group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'

From 9be23c71df69da66706920b11d49ef77ba6a353b Mon Sep 17 00:00:00 2001
From: Carlos Rodriguez Lopez
Date: Tue, 21 May 2024 13:05:28 +0200
Subject: [PATCH 8/8] Adding secrets file path as variable

---
 blueprints/02-at-scale/README.md | 1 +
 blueprints/02-at-scale/main.tf | 4 +---
 blueprints/02-at-scale/variables.tf | 6 ++++++
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/blueprints/02-at-scale/README.md b/blueprints/02-at-scale/README.md
index 24fe567c..5e97b5ed 100644
--- a/blueprints/02-at-scale/README.md
+++ b/blueprints/02-at-scale/README.md
@@ -58,6 +58,7 @@ Once you have familiarized yourself with [CloudBees CI blueprint add-on: Get sta
 |------|-------------|------|---------|:--------:|
 | hosted_zone | Amazon Route 53 hosted zone. CloudBees CI applications are configured to use subdomains in this hosted zone. | `string` | n/a | yes |
 | trial_license | CloudBees CI trial license details for evaluation. | `map(string)` | n/a | yes |
+| secret_file | Relative location of the Secret file to be converted into a Kubernetes Secret. secrets-values.yml is not stored in the repository but it is generated as copy from secrets-values.yml.example. | `string` | `"k8s/secrets-values.yml"` | no |
 | suffix | Unique suffix to assign to all resources. When adding the suffix, changes are required in CloudBees CI for the validation phase. | `string` | `""` | no |
 | tags | Tags to apply to resources. | `map(string)` | `{}` | no |
diff --git a/blueprints/02-at-scale/main.tf b/blueprints/02-at-scale/main.tf
index 430f5d92..0792cc96 100644
--- a/blueprints/02-at-scale/main.tf
+++ b/blueprints/02-at-scale/main.tf
@@ -107,9 +107,7 @@ module "eks_blueprints_addon_cbci" {
 }
 create_k8s_secrets = true
- # k8s/secrets-values.yml is not included in the repository
- # tflint-ignore: all
- k8s_secrets = templatefile("k8s/secrets-values.yml", { # tflint-ignore: all
+ k8s_secrets = templatefile(var.secret_file, {
 global_password = local.global_password
 })
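Review bot: `templatefile(var.secret_file, …)` renders the whole secrets document — including entries such as the `sec_ldapPassword` value the README says Terraform substitutes — into a plain string, so unless `local.global_password` is itself sensitive the full rendered file is printed in plan diffs whenever it changes. Wrapping the argument, `k8s_secrets = sensitive(templatefile(var.secret_file, { global_password = local.global_password }))` (Terraform 0.15 or later), hides it from plan output without changing what the module receives; confirm the module does not use this value in a `for_each`, which sensitive values do not permit. A relative path given to `templatefile` is resolved against the working directory rather than the module, so if this root module is ever applied from elsewhere, `"${path.module}/${var.secret_file}"` would make the default self-contained — presumably fine as-is when `terraform` runs from the blueprint directory. The `module "eks_blueprints_addon_cbci"` block begins before this hunk and continues after it.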
diff --git a/blueprints/02-at-scale/variables.tf b/blueprints/02-at-scale/variables.tf
index 2da41ad3..20b72fc6 100644
--- a/blueprints/02-at-scale/variables.tf
+++ b/blueprints/02-at-scale/variables.tf
@@ -24,3 +24,9 @@ variable "suffix" {
 error_message = "The suffix can contain 10 characters or less."
 }
 }
+
+variable "secret_file" {
+ description = "Relative location of the Secret file to be converted into a Kubernetes Secret. secrets-values.yml is not stored in the repository but it is generated as copy from secrets-values.yml.example."
+ default = "k8s/secrets-values.yml"
+ type = string
+}
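Review bot: The new `secret_file` variable carries no `validation` block, unlike the neighbouring `suffix` variable whose validation is visible as context just above, and since the description itself says the file is user-generated and not stored in the repository, a missing file is the most likely failure and is clearer to report at the variable than from `templatefile`. Adding `validation { condition = fileexists(var.secret_file) error_message = "The secret file must exist; copy secrets-values.yml.example to secrets-values.yml." }` gives the operator a direct message before any resource is planned. The description could also read `… it is generated as a copy of secrets-values.yml.example` for grammar, mirroring the README row added in the same patch.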