cloudbees · carlosrodlop · May 8, 2024 · May 13, 2024 · May 13, 2024 · May 13, 2024
@@ -11,10 +11,10 @@ on:
       - 'main'
 
 env:
-  AWS_REGION: "us-west-1"
+  AWS_REGION: "us-east-1"
   BUCKET_NAME_TF_STATE: "cbci-eks-addon-tf-state"
   AWS_ROLE_TO_ASSUME: "infra-admin-ci"
-  REPLAY_STR: "2"
+  REPLAY_STR: "1"
   TF_AUTO_VARS_FILE: |
     tags = {
       "cb-owner" : "professional-services"
@@ -54,7 +54,7 @@ jobs:
 
   bp01:
     env:
-      CLEAN_UP: "true"
+      CLEAN_UP: "false"
     needs:
       - init
     steps:
@@ -113,7 +113,7 @@ jobs:
 
   bp02:
     env:
-        CLEAN_UP: "true"
+        CLEAN_UP: "false"
     needs:
       - init
     steps:

@@ -13,7 +13,7 @@ permissions: read-all
 
 env:
   TERRAFORM_DOCS_VERSION: v0.16.0
-  TFLINT_VERSION: v0.50.3
+  TFLINT_VERSION: v0.51.1
 
 concurrency:
   group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'

@@ -42,10 +42,6 @@ terraform.rc
 terraform*.output
 kubeconfig*.yaml
 
-# Secrets file
-*secrets*
-!secrets*example
-
 # Bankend file
 backend*.tf
 

@@ -95,9 +95,9 @@ The CloudBees CI add-on uses `helms release` for its resources definition, makin
 | cert_arn | AWS Certificate Manager (ACM) certificate for Amazon Resource Names (ARN). | `string` | n/a | yes |
 | hosted_zone | Amazon Route 53 hosted zone name. | `string` | n/a | yes |
 | trial_license | CloudBees CI trial license details for evaluation. | `map(string)` | n/a | yes |
-| create_k8s_secrets | Create the Kubernetes secret cbci-secrets. It can be consumed by CloudBees CasC. | `bool` | `false` | no |
+| create_k8s_secrets | Create the Kubernetes secret cbci-secrets. It can be consumed by CloudBees CasC at Operation Center level. | `bool` | `false` | no |
 | helm_config | CloudBees CI Helm chart configuration. | `any` | <pre>{<br>  "values": [<br>    ""<br>  ]<br>}</pre> | no |
-| k8s_secrets_file | Secrets file .yml path containing the secrets names:values for cbci-secrets. | `string` | `"secrets-values.yml"` | no |
+| k8s_secrets | Secrets file .yml as a string containing the secrets names:values. It is required when create_k8s_secrets is enabled. | `string` | `"secrets-values.yml"` | no |
 | prometheus_target | Creates a service monitor to discover the CloudBees CI Prometheus target dynamically. It is designed to be enabled with the AWS EKS Terraform Addon Kube Prometheus Stack. | `bool` | `false` | no |
 
 ### Outputs

@@ -1,4 +1,4 @@
-hosted_zone = "example.domain.com" # Required. Route 53 Hosted Zone to host CloudBees CI subdomains records.
+hosted_zone = "acme.domain.com" # Required. Route 53 Hosted Zone to host CloudBees CI subdomains records.
 
 trial_license = { # Required. CloudBees CI Trial license details for evaluation.
   first_name  = "Foo"

@@ -1,12 +1,15 @@
-hosted_zone = "example.domain.com" # Required. Route 53 Hosted Zone to host CloudBees CI subdomains records.
+hosted_zone = "acme.domain.com" # Required. Route 53 Hosted Zone to host CloudBees CI subdomains records. Replace Default values by your own.
 
-trial_license = { # Required. CloudBees CI Trial license details for evaluation.
+trial_license = { # Required. CloudBees CI Trial license details for evaluation. Replace Default values by your own.
   first_name  = "Foo"
   last_name  = "Bar"
   email = "foo.bar@acme.com"
   company = "Acme Inc."
 }
 
+gh_user = "exampleUser" # Required. Default values can be used for demo.
+gh_token = "ExampleToken1234" # Required. Default values can be used for demo.
+
 # tags = {  # Optional. Tags for the resources created. Default set to empty. Shared among all.
 #   "cb-owner" : "team-services"
 #   "cb-user" : "demo-user"

@@ -58,7 +58,8 @@ Once you have familiarized yourself with [CloudBees CI blueprint add-on: Get sta
 |------|-------------|------|---------|:--------:|
 | hosted_zone | Amazon Route 53 hosted zone. CloudBees CI applications are configured to use subdomains in this hosted zone. | `string` | n/a | yes |
 | trial_license | CloudBees CI trial license details for evaluation. | `map(string)` | n/a | yes |
-| grafana_admin_password | Grafana admin password. | `string` | `"change.me"` | no |
+| gh_token | GitHub Token for CloudBees Operation Center credential GH-User-token that is created via Casc. | `string` | `"ExampleToken1234"` | no |
+| gh_user | GitHub User for CloudBees Operation Center credential GH-User-token that is created via Casc. | `string` | `"exampleUser"` | no |
 | suffix | Unique suffix to assign to all resources. When adding the suffix, changes are required in CloudBees CI for the validation phase. | `string` | `""` | no |
 | tags | Tags to apply to resources. | `map(string)` | `{}` | no |
 
@@ -87,6 +88,7 @@ Once you have familiarized yourself with [CloudBees CI blueprint add-on: Get sta
 | efs_access_points | Amazon EFS access points. |
 | efs_arn | Amazon EFS ARN. |
 | eks_cluster_arn | Amazon EKS cluster ARN. |
+| global_password | Random string that is used as the global password. |
 | grafana_dashboard | Provides access to Grafana dashboards. |
 | kubeconfig_add | Add kubeconfig to the local configuration to access the Kubernetes API. |
 | kubeconfig_export | Export the KUBECONFIG environment variable to access the Kubernetes API. |
@@ -95,9 +97,9 @@ Once you have familiarized yourself with [CloudBees CI blueprint add-on: Get sta
 | prometheus_dashboard | Provides access to Prometheus dashboards. |
 | s3_cbci_arn | CloudBees CI Amazon S3 bucket ARN. |
 | s3_cbci_name | CloudBees CI Amazon S3 bucket name. It is required by CloudBees CI for workspace caching and artifact management. |
-| velero_backup_on_demand | Takes an on-demand Velero backup from the schedule for selected controller using Block Storage. |
-| velero_backup_schedule | Creates a Velero backup schedule for selected controller using Block Storage and deletes the existing schedulle, if it exists. |
-| velero_restore | Restores selected controller using Block Storage from a backup. |
+| velero_backup_on_demand | Takes an on-demand Velero backup from the schedule for the selected controller that is using block storage. |
+| velero_backup_schedule | Creates a Velero backup schedule for the selected controller that is using block storage, and then deletes the existing schedule, if it exists. |
+| velero_restore | Restores the selected controller that is using block storage from a backup. |
 | vpc_arn | VPC ID. |
 <!-- END_TF_DOCS -->
 
@@ -108,44 +110,6 @@ In addition to the minimum required settings explained in [Get started - Deploy]
 > [!TIP]
 > The `deploy` phase can be orchestrated via the companion [Makefile](../../Makefile).
 
-### Create the secrets file
-
-You must create your secrets file by copying the contents of [secrets-values.yml.example](k8s/secrets-values.yml.example) to `secrets-values.yml`. This provides [Kubernetes secrets](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) that can be consumed by CasC.
-
-### Update Amazon S3 bucket settings
-
-Since the optional Terraform variable `suffix` is used for this blueprint, you must update the Amazon S3 bucket name for CloudBees CI controllers and the Amazon S3 bucket for the backup controller cluster operations. To update the Amazon S3 bucket name, you have the following options:
-
- - [Option 1: Update Amazon S3 bucket name using CasC](#option-1-update-amazon-s3-bucket-name-using-casc)
- - [Option 2: Update Amazon S3 bucket name using the CloudBees CI UI](#option-2-update-amazon-s3-bucket-name-using-the-cloudbees-ci-ui)
-
-#### Option 1: Update Amazon S3 bucket name using CasC
-
->[!IMPORTANT]
-> This option can only be used before the blueprint has been deployed.
-
-1. Create a fork of the [cloudbees/terraform-aws-cloudbees-ci-eks-addon](https://github.com/cloudbees/casc-cloudbees-ci-eks-addon) GitHub repository to your GitHub organization and make any necessary edits to the controller CasC bundle.
-   - Update `cbci_s3` in the [casc/mc/parent/variables/variables.yaml](casc/mc/parent/variables/variables.yaml) file, including your custom prefix.
-   - Update `scm_casc_mc_store` in the [casc/oc/variables/variables.yaml](casc/oc/variables/variables.yaml) file and `bucketName` in the [casc/oc/items/items-admin-jobs-folder.yaml](casc/oc/items/items-admin-jobs-folder.yaml) file.
-2. Commit and push your changes to the forked repository in your organization.
-3. In the [k8s/cbci-values.yml](k8s/cbci-values.yml) Helm file, update the `OperationsCenter.CasC.Retriever.scmRepo` field based on the files in this blueprint.
-4. Save the file and issue the `terraform apply` command.
-
-#### Option 2: Update Amazon S3 bucket name using the CloudBees CI UI
-
-> [!IMPORTANT]
-> - This option can only be used after the blueprint is deployed.
-> - If using CasC, the declarative definition overrides any configuration updates that are made in the UI the next time the controller is restarted.
-
-1. Sign in to the CloudBees CI controller UI as a user with **Administer** privileges.
-2. Navigate to **Manage Jenkins > AWS > Amazon S3 Bucket Access settings**, update the **S3 Bucket Name**, and select **Save**.
-3. Sign in to the CloudBees CI operations center UI as a user with **Administer** privileges.
-   Note that access to back up jobs is restricted to admin users via role-based access control (RBAC).
-4. From the operations center dashboard, select **All** to view all folders on the operations center.  
-5. Navigate to the **admin** folder, and then select the **backup-all-controllers** Cluster Operations job.
-6. From the left pane, select **Configure**.
-7. Update the **S3 Bucket Name**, and then select **Save**.
-
 ## Validate
 
 Once the blueprint has been deployed, you can validate it.
@@ -164,10 +128,10 @@ Once the resources have been created, a `kubeconfig` file is created in the [/k8
 
 1. Complete the steps to [validate CloudBees CI](../01-getting-started/README.md#cloudbees-ci), if you have not done so already.
 
-2. Authentication in this blueprint is based on LDAP and uses two types of personas (Admin and Developer), each with a different authorization level. Each persona uses a different username (cn); you can find the password in [.docker/ldap/data.ldif](./../../.docker/ldap/data.ldif). The authorization level defines a set of permissions configured using [RBAC](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/rbac). Additionally, the operations center and controller use [single sign-on (SS0)](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/using-sso). Issue the following command to retrieve the password of the `admin_cbci_a` user
+2. Authentication in this blueprint is based on LDAP using user cn (available in [k8s/openldap-stack-values.yml](./k8s/openldap-stack-values.yml)) and the global password. The authorization level defines a set of permissions configured using [RBAC](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/rbac). Additionally, the operations center and controller use [single sign-on (SS0)](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/using-sso). Issue the following command to retrieve the global password:
 
    ```sh
-   eval $(terraform output --raw ldap_admin_password)
+   eval $(terraform output --raw global_password)
    ```
 
 3. CasC is enabled for the [operations center](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-oc/) (`cjoc`) and [controllers](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-controller/) (`team-b` and `team-c-ha`). `team-a` is not using CasC, to illustrate the difference between the two approaches. Issue the following command to verify that all controllers are in a `Running` state:

@@ -30,7 +30,7 @@ unclassified:
       endpoint: ${ot_endpoint}
 aws:
   s3:
-    container: ${cbci_s3}
+    container: "${sec_s3bucketName}"
     disableSessionToken: false
     prefix: "cbci/"
     useHttp: false

@@ -1,4 +1,2 @@
 variables:
   - ot_endpoint: "http://tempo.kube-prometheus-stack.svc.cluster.local:4317"
-  # You must update the variable in case a variable suffix is provided in the .tf files (for example, cbci-bp02-<YOUR-SUFFIX>-s3).
-  - cbci_s3: cbci-bp02-s3
@@ -82,9 +82,7 @@ items:
                   safeDelaySeconds: 0
                   store:
                     s3Store:
-                      #TODO: Use variables
-                      #bucketName: ${cbci_s3}
-                      bucketName: "cbci-bp02-s3"
+                      bucketName: "${sec_s3bucketName}"
                       bucketFolder: cbci/backup
                       region: us-east-1
               itemSource: