Compare commits
3 commits
1559206ae4
...
9b44abb656
Author | SHA1 | Date | |
---|---|---|---|
9b44abb656 | |||
b08a231443 | |||
ab729b2c46 |
5 changed files with 86 additions and 3 deletions
|
@ -10,9 +10,11 @@ RUN apk add --no-cache \
|
|||
bash \
|
||||
coreutils \
|
||||
curl \
|
||||
expect \
|
||||
git \
|
||||
git-lfs \
|
||||
openssh-client \
|
||||
openssl \
|
||||
tini \
|
||||
ttf-dejavu \
|
||||
tzdata \
|
||||
|
|
|
@ -1,5 +1,22 @@
|
|||
#! /bin/bash -e
|
||||
|
||||
# cert prep
|
||||
for i in /secrets/jenkins.crt /etc/ssl/certs/ca-cert-MaskedName_Root_CA.pem; do
|
||||
cat $i >> /tmp/jenkins_bundle.crt
|
||||
echo >> /tmp/jenkins_bundle.crt
|
||||
done
|
||||
|
||||
expect <(cat <<EOH
|
||||
spawn openssl pkcs12 -inkey /secrets/jenkins.key -in /tmp/jenkins_bundle.crt -export -out /secrets/jenkins.jks
|
||||
expect "Enter Export Password:"
|
||||
send -- "password\r"
|
||||
expect "Verifying - Enter Export Password:"
|
||||
send -- "password\r"
|
||||
interact
|
||||
EOH
|
||||
)
|
||||
|
||||
# defaultish jenkins stuff
|
||||
: "${JENKINS_WAR:="/usr/share/jenkins/jenkins.war"}"
|
||||
: "${JENKINS_HOME:="/var/jenkins_home"}"
|
||||
: "${COPY_REFERENCE_FILE_LOG:="${JENKINS_HOME}/copy_reference_file.log"}"
|
||||
|
|
|
@ -13,6 +13,10 @@ job "jenkins" {
|
|||
value = "true"
|
||||
}
|
||||
|
||||
vault {
|
||||
policies = ["default", "ansible"]
|
||||
change_mode = "restart"
|
||||
}
|
||||
group "jenkins" {
|
||||
count = 1
|
||||
|
||||
|
@ -26,19 +30,41 @@ job "jenkins" {
|
|||
]
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
{{- with secret "pki_int/issue/masked-dot-name" "common_name=jenkins.service.masked.name" "alt_names=jenkins.service.columbia.masked.name" -}}
|
||||
{{- .Data.certificate -}}
|
||||
{{- end -}}
|
||||
EOH
|
||||
destination = "${NOMAD_SECRETS_DIR}/jenkins.crt"
|
||||
change_mode = "restart"
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
{{- with secret "pki_int/issue/masked-dot-name" "common_name=jenkins.service.masked.name" "alt_names=jenkins.service.columbia.masked.name" -}}
|
||||
{{- .Data.private_key -}}
|
||||
{{- end -}}
|
||||
EOH
|
||||
destination = "${NOMAD_SECRETS_DIR}/jenkins.key"
|
||||
change_mode = "restart"
|
||||
}
|
||||
|
||||
env {
|
||||
ROOT_URL = "${NOMAD_ADDR_https}"
|
||||
ROOT_URL = "${NOMAD_ADDR_https}"
|
||||
JAVA_ARGS = "-Xmx2048m"
|
||||
JENKINS_OPTS = "--httpsPort=8443 --httpsKeyStore=/secrets/jenkins.jks --httpsKeyStorePassword=password"
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = 2000
|
||||
memory = 2048
|
||||
memory = 2560
|
||||
}
|
||||
}
|
||||
|
||||
network {
|
||||
port "https" {
|
||||
to = 8080
|
||||
to = 8443
|
||||
}
|
||||
}
|
||||
|
||||
|
|
30
vault/policies/nomad-server-policy.hcl
Normal file
30
vault/policies/nomad-server-policy.hcl
Normal file
|
@ -0,0 +1,30 @@
|
|||
# Allow creating tokens under "nomad-cluster" role.
|
||||
path "auth/token/create/nomad-cluster" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow looking up "nomad-cluster" role.
|
||||
path "auth/token/roles/nomad-cluster" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Allow looking up incoming tokens to validate they have permissions to access
|
||||
# the tokens they are requesting.
|
||||
path "auth/token/lookup" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow revoking tokens that should no longer exist.
|
||||
path "auth/token/revoke-accessor" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow checking the capabilities of our own token.
|
||||
path "sys/capabilities-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow our own token to be renewed.
|
||||
path "auth/token/renew-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
8
vault/roles/nomad-cluster-role.json
Normal file
8
vault/roles/nomad-cluster-role.json
Normal file
|
@ -0,0 +1,8 @@
|
|||
{
|
||||
"disallowed_policies": "nomad-server,root",
|
||||
"token_explicit_max_ttl": 0,
|
||||
"name": "nomad-cluster",
|
||||
"orphan": true,
|
||||
"token_period": 259200,
|
||||
"renewable": true
|
||||
}
|
Loading…
Reference in a new issue