1559206ae4
...
9b44abb656
Author | SHA1 | Date | |
---|---|---|---|
9b44abb656 | |||
b08a231443 | |||
ab729b2c46 |
5 changed files with 86 additions and 3 deletions
@ -10,9 +10,11 @@ RUN apk add --no-cache \
|
||||||
bash \
|
bash \
|
||||||
coreutils \
|
coreutils \
|
||||||
curl \
|
curl \
|
||||||
|
expect \
|
||||||
git \
|
git \
|
||||||
git-lfs \
|
git-lfs \
|
||||||
openssh-client \
|
openssh-client \
|
||||||
|
openssl \
|
||||||
tini \
|
tini \
|
||||||
ttf-dejavu \
|
ttf-dejavu \
|
||||||
tzdata \
|
tzdata \
|
||||||
|
|
|
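Review bot: `expect` is added to the image only so the entrypoint can type the PKCS#12 export password at openssl's prompt; `openssl pkcs12 -export` accepts the password non-interactively through `-passout pass:...` or `-passout file:...`, so the package and the prompt-driven script can both be dropped and the image stays smaller. `openssl` itself is needed for the keystore build and is fine to add. The `RUN apk add` list continues outside the hunk.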
@ -1,5 +1,22 @@
|
||||||
#! /bin/bash -e
|
#! /bin/bash -e
|
||||||
|
|
||||||
|
# cert prep
|
||||||
|
for i in /secrets/jenkins.crt /etc/ssl/certs/ca-cert-MaskedName_Root_CA.pem; do
|
||||||
|
cat $i >> /tmp/jenkins_bundle.crt
|
||||||
|
echo >> /tmp/jenkins_bundle.crt
|
||||||
|
done
|
||||||
|
|
||||||
|
expect <(cat <<EOH
|
||||||
|
spawn openssl pkcs12 -inkey /secrets/jenkins.key -in /tmp/jenkins_bundle.crt -export -out /secrets/jenkins.jks
|
||||||
|
expect "Enter Export Password:"
|
||||||
|
send -- "password\r"
|
||||||
|
expect "Verifying - Enter Export Password:"
|
||||||
|
send -- "password\r"
|
||||||
|
interact
|
||||||
|
EOH
|
||||||
|
)
|
||||||
|
|
||||||
|
# defaultish jenkins stuff
|
||||||
: "${JENKINS_WAR:="/usr/share/jenkins/jenkins.war"}"
|
: "${JENKINS_WAR:="/usr/share/jenkins/jenkins.war"}"
|
||||||
: "${JENKINS_HOME:="/var/jenkins_home"}"
|
: "${JENKINS_HOME:="/var/jenkins_home"}"
|
||||||
: "${COPY_REFERENCE_FILE_LOG:="${JENKINS_HOME}/copy_reference_file.log"}"
|
: "${COPY_REFERENCE_FILE_LOG:="${JENKINS_HOME}/copy_reference_file.log"}"
|
||||||
|
|
|
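Review bot: The export password in the new cert-prep block is the literal `password`, typed in through expect, and the same literal is repeated on the Jenkins command line in the job's `JENKINS_OPTS`, so the keystore password lives in two source files, the job spec and the process list; `openssl pkcs12 -passout` takes the password from an environment variable directly and removes the need for expect (whose closing `interact` also never checks openssl's exit status, so a failed export goes unnoticed despite `-e`). The bundle loop only ever appends with `>>`, so if /tmp survives a task restart the bundle gains a duplicate leaf and root on every restart; truncate the file before the loop. `cat $i` should be quoted, and `jenkins.jks` is a misleading name for what is a PKCS#12 file (recent JDKs load it either way, but a reader will expect JKS). The rewrite below keeps the interface of the script (same paths, same output file) and makes the password an environment variable the job has to set to the same value it passes in `JENKINS_OPTS`; the script continues outside the hunk.
```shell
# cert prep: Vault-issued leaf plus the local root, blank line between PEM blocks
: > /tmp/jenkins_bundle.crt   # truncate first; >> alone grows the bundle across restarts
for i in /secrets/jenkins.crt /etc/ssl/certs/ca-cert-MaskedName_Root_CA.pem; do
  cat "$i" >> /tmp/jenkins_bundle.crt
  echo >> /tmp/jenkins_bundle.crt
done

# Export password must equal --httpsKeyStorePassword in the job's JENKINS_OPTS;
# -passout avoids the interactive prompt (and the expect dependency) and lets -e catch failures.
openssl pkcs12 -export -inkey /secrets/jenkins.key -in /tmp/jenkins_bundle.crt \
  -out /secrets/jenkins.jks -passout "pass:${JENKINS_KEYSTORE_PASSWORD:?must be set by the job}"

# … unchanged: defaultish jenkins stuff …
```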
@ -13,6 +13,10 @@ job "jenkins" {
|
||||||
value = "true"
|
value = "true"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
vault {
|
||||||
|
policies = ["default", "ansible"]
|
||||||
|
change_mode = "restart"
|
||||||
|
}
|
||||||
group "jenkins" {
|
group "jenkins" {
|
||||||
count = 1
|
count = 1
|
||||||
|
|
||||||
|
@ -26,19 +30,41 @@ job "jenkins" {
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = <<EOH
|
||||||
|
{{- with secret "pki_int/issue/masked-dot-name" "common_name=jenkins.service.masked.name" "alt_names=jenkins.service.columbia.masked.name" -}}
|
||||||
|
{{- .Data.certificate -}}
|
||||||
|
{{- end -}}
|
||||||
|
EOH
|
||||||
|
destination = "${NOMAD_SECRETS_DIR}/jenkins.crt"
|
||||||
|
change_mode = "restart"
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = <<EOH
|
||||||
|
{{- with secret "pki_int/issue/masked-dot-name" "common_name=jenkins.service.masked.name" "alt_names=jenkins.service.columbia.masked.name" -}}
|
||||||
|
{{- .Data.private_key -}}
|
||||||
|
{{- end -}}
|
||||||
|
EOH
|
||||||
|
destination = "${NOMAD_SECRETS_DIR}/jenkins.key"
|
||||||
|
change_mode = "restart"
|
||||||
|
}
|
||||||
|
|
||||||
env {
|
env {
|
||||||
ROOT_URL = "${NOMAD_ADDR_https}"
|
ROOT_URL = "${NOMAD_ADDR_https}"
|
||||||
|
JAVA_ARGS = "-Xmx2048m"
|
||||||
|
JENKINS_OPTS = "--httpsPort=8443 --httpsKeyStore=/secrets/jenkins.jks --httpsKeyStorePassword=password"
|
||||||
}
|
}
|
||||||
|
|
||||||
resources {
|
resources {
|
||||||
cpu = 2000
|
cpu = 2000
|
||||||
memory = 2048
|
memory = 2560
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
network {
|
network {
|
||||||
port "https" {
|
port "https" {
|
||||||
to = 8080
|
to = 8443
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
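Review bot: The first new `template` stanza renders only `.Data.certificate`, so the bundle the entrypoint builds is the leaf plus the local root PEM; if `pki_int` is an intermediate mount, as the name suggests, the served chain lacks the issuing intermediate and clients that do not already trust it will fail verification. Emit the issuer with the leaf, `{{- .Data.certificate }}` followed by `{{ .Data.issuing_ca -}}` (or range over `.Data.ca_chain`). The certificate and key stanzas also each call the issue endpoint; unless the template runner serves both from one cached read, the key and certificate can come from different issuances, so rendering both into a single file from one `with secret` block and splitting it in the entrypoint is the safer shape — worth confirming against the Nomad version in use. `--httpsKeyStorePassword=password` in `JENKINS_OPTS` puts the keystore password in the job spec and on the Java command line; sourcing it from a Vault secret through a template with `env = true` would keep it out of both.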
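--- /dev/null
+++ b/vault/policies/nomad-server-policy.hcl
@@ -0,0 +1,30 @@
+# Allow creating tokens under "nomad-cluster" role.
+path "auth/token/create/nomad-cluster" {
+capabilities = ["update"]
+}
+
+# Allow looking up "nomad-cluster" role.
+path "auth/token/roles/nomad-cluster" {
+capabilities = ["read"]
+}
+
+# Allow looking up incoming tokens to validate they have permissions to access
+# the tokens they are requesting.
+path "auth/token/lookup" {
+capabilities = ["update"]
+}
+
+# Allow revoking tokens that should no longer exist.
+path "auth/token/revoke-accessor" {
+capabilities = ["update"]
+}
+
+# Allow checking the capabilities of our own token.
+path "sys/capabilities-self" {
+capabilities = ["update"]
+}
+
+# Allow our own token to be renewed.
+path "auth/token/renew-self" {
+capabilities = ["update"]
+}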
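Review bot: Nothing in this file records which Vault policy name it must be written under, yet the companion role's `disallowed_policies` excludes `nomad-server` by that exact name, so attaching this file under any other name would silently let task tokens request it. A header comment would pin that: `# Policy for the Nomad servers' own Vault token. Write it as "nomad-server": the nomad-cluster role lists that name in disallowed_policies so tokens minted for tasks cannot inherit these token-management rights.` The `update` capability on `auth/token/lookup` and `auth/token/revoke-accessor` is what lets the servers validate and clean up task tokens, which the inline comments already explain.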
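--- /dev/null
+++ b/vault/roles/nomad-cluster-role.json
@@ -0,0 +1,8 @@
+{
+"disallowed_policies": "nomad-server,root",
+"token_explicit_max_ttl": 0,
+"name": "nomad-cluster",
+"orphan": true,
+"token_period": 259200,
+"renewable": true
+}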
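Review bot: The role sets only `disallowed_policies`, so with no `allowed_policies` any job that can be submitted to the cluster may request any other Vault policy that exists, not just the `default` and `ansible` policies this Jenkins job asks for. Deny-by-default is the safer shape for a token role: add `"allowed_policies": "default,ansible",` and grow the list as jobs need more. `token_explicit_max_ttl: 0` together with `renewable: true` and a three-day `token_period` means task tokens live as long as they keep being renewed; that is the documented Nomad integration pattern, but since JSON cannot carry a comment it is worth noting where the role is applied.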