cloudbees · carlosrodlop · May 21, 2024 · May 21, 2024 · May 21, 2024 · May 21, 2024
@@ -13,7 +13,7 @@ permissions: read-all
 
 env:
   TERRAFORM_DOCS_VERSION: v0.16.0
-  TFLINT_VERSION: v0.50.3
+  TFLINT_VERSION: v0.51.1
 
 concurrency:
   group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'

@@ -58,6 +58,7 @@ Once you have familiarized yourself with [CloudBees CI blueprint add-on: Get sta
 |------|-------------|------|---------|:--------:|
 | hosted_zone | Amazon Route 53 hosted zone. CloudBees CI applications are configured to use subdomains in this hosted zone. | `string` | n/a | yes |
 | trial_license | CloudBees CI trial license details for evaluation. | `map(string)` | n/a | yes |
+| secret_file | Relative location of the Secret file to be converted into a Kubernetes Secret. secrets-values.yml is not stored in the repository but it is generated as copy from secrets-values.yml.example. | `string` | `"k8s/secrets-values.yml"` | no |
 | suffix | Unique suffix to assign to all resources. When adding the suffix, changes are required in CloudBees CI for the validation phase. | `string` | `""` | no |
 | tags | Tags to apply to resources. | `map(string)` | `{}` | no |
 
@@ -110,7 +111,10 @@ In addition to the minimum required settings explained in [Get started - Deploy]
 
 ### Create the secrets file
 
-You must create your secrets file by copying the contents of [secrets-values.yml.example](k8s/secrets-values.yml.example) to `secrets-values.yml`. This provides [Kubernetes secrets](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) that can be consumed by CasC.
+You must create your secrets file by copying the contents of [secrets-values.yml.example](k8s/secrets-values.yml.example) to `secrets-values.yml`. The content of this file will be served as [Kubernetes secrets](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) that can be consumed by CasC.
+
+> [!IMPORTANT]
+> Do not update parametrized values in the `secrets-values.yml` file. These values are automatically replaced by Terraform during the deployment phase (e.g. `sec_ldapPassword: ${ldap_password}` ).
 
 ### Update Amazon S3 bucket settings
 
@@ -164,10 +168,10 @@ Once the resources have been created, a `kubeconfig` file is created in the [/k8
 
 1. Complete the steps to [validate CloudBees CI](../01-getting-started/README.md#cloudbees-ci), if you have not done so already.
 
-2. Authentication in this blueprint is based on LDAP and uses two types of personas (Admin and Developer), each with a different authorization level. Each persona uses a different username (cn); you can find the password in [.docker/ldap/data.ldif](./../../.docker/ldap/data.ldif). The authorization level defines a set of permissions configured using [RBAC](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/rbac). Additionally, the operations center and controller use [single sign-on (SS0)](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/using-sso). Issue the following command to retrieve the password of the `admin_cbci_a` user
+2. Authentication in this blueprint is based on LDAP using user cn (available in [k8s/openldap-stack-values.yml](./k8s/openldap-stack-values.yml)) and the global password. The authorization level defines a set of permissions configured using [RBAC](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/rbac). Additionally, the operations center and controller use [single sign-on (SS0)](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/using-sso). Issue the following command to retrieve the global password:
 
    ```sh
-   eval $(terraform output --raw ldap_admin_password)
+   eval $(terraform output --raw global_password)
    ```
 
 3. CasC is enabled for the [operations center](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-oc/) (`cjoc`) and [controllers](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-controller/) (`team-b` and `team-c-ha`). `team-a` is not using CasC, to illustrate the difference between the two approaches. Issue the following command to verify that all controllers are in a `Running` state:

@@ -116,4 +116,4 @@ ltb-passwd:
 
 # Enable the phpldapadmin web UI service for LDAP management after deployment.
 phpldapadmin:
-  enabled: false
+  enabled: false
@@ -51,7 +51,7 @@ locals {
   fluentbit_s3_location = "${module.cbci_s3_bucket.s3_bucket_arn}/fluentbit"
   velero_s3_location    = "${module.cbci_s3_bucket.s3_bucket_arn}/velero"
 
-  epoch_millis = time_static.epoch.unix * 1000
+  epoch_millis    = time_static.epoch.unix * 1000
   global_password = random_string.global_pass_string.result
 
   cloudwatch_logs_expiration_days = 7
@@ -64,10 +64,10 @@ locals {
   velero_controller_backup_selector = "tenant=${local.velero_controller_backup}"
   velero_schedule_name              = "schedule-${local.velero_controller_backup}"
 
-  cbci_agents_ns  = "cbci-agents"
+  cbci_agents_ns                     = "cbci-agents"
   cbci_agent_podtemplname_validation = "maven-and-go-ondemand"
 
-  cbci_admin_user = "admin_cbci_a"
+  cbci_admin_user      = "admin_cbci_a"
   global_pass_jsonpath = "'{.data.sec_globalPassword}'"
 }
 
@@ -107,9 +107,9 @@ module "eks_blueprints_addon_cbci" {
   }
 
   create_k8s_secrets = true
-  k8s_secrets = templatefile("k8s/secrets-values.yml", {
-      global_password = local.global_password
-    })
+  k8s_secrets = templatefile(var.secret_file, {
+    global_password = local.global_password
+  })
 
   prometheus_target = true
 

@@ -28,6 +28,11 @@ terraform {
       source  = "hashicorp/null"
       version = ">= 3.1.0"
     }
+
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.6.1"
+    }
   }
 
 }

@@ -24,3 +24,9 @@ variable "suffix" {
     error_message = "The suffix can contain 10 characters or less."
   }
 }
+
+variable "secret_file" {
+  description = "Relative location of the Secret file to be converted into a Kubernetes Secret. secrets-values.yml is not stored in the repository but it is generated as copy from secrets-values.yml.example."
+  default     = "k8s/secrets-values.yml"
+  type        = string
+}
@@ -113,11 +113,11 @@ probes () {
       INFO "Initial Admin Password: $INITIAL_PASS."
   fi
   if [ "$root" == "02-at-scale" ]; then
-    ADMIN_CBCI_A_PASS=$(eval "$(tf-output "$root" ldap_admin_password)") && \
-      if [ -n "$ADMIN_CBCI_A_PASS" ]; then
-        INFO "Password for admin_cbci_a: $ADMIN_CBCI_A_PASS."
+    GLOBAL_PASS=$(eval "$(tf-output "$root" global_password)") && \
+      if [ -n "$GLOBAL_PASS" ]; then
+        INFO "Password for admin_cbci_a: $GLOBAL_PASS."
       else
-        ERROR "Problem while getting Password for admin_cbci_a."
+        ERROR "Problem while getting Global Pass."
       fi
     until [ "$(eval "$(tf-output "$root" cbci_controllers_pods)" | awk '{ print $3 }' | grep -v STATUS | grep -v -c Running)" == 0 ]; do sleep $wait && echo "Waiting for Controllers Pod to get into Ready State..."; done ;\
       eval "$(tf-output "$root" cbci_controllers_pods)" && INFO "All Controllers Pods are Ready."