Compare commits
No commits in common. "9b44abb656babba9d26f2e5c8511a544ba8bbd2b" and "1559206ae42c7fb83927efbef8c932d8573bc141" have entirely different histories.
9b44abb656
...
1559206ae4
5 changed files with 3 additions and 86 deletions
|
@ -10,11 +10,9 @@ RUN apk add --no-cache \
|
||||||
bash \
|
bash \
|
||||||
coreutils \
|
coreutils \
|
||||||
curl \
|
curl \
|
||||||
expect \
|
|
||||||
git \
|
git \
|
||||||
git-lfs \
|
git-lfs \
|
||||||
openssh-client \
|
openssh-client \
|
||||||
openssl \
|
|
||||||
tini \
|
tini \
|
||||||
ttf-dejavu \
|
ttf-dejavu \
|
||||||
tzdata \
|
tzdata \
|
||||||
|
|
|
@ -1,22 +1,5 @@
|
||||||
#! /bin/bash -e
|
#! /bin/bash -e
|
||||||
|
|
||||||
# cert prep
|
|
||||||
for i in /secrets/jenkins.crt /etc/ssl/certs/ca-cert-MaskedName_Root_CA.pem; do
|
|
||||||
cat $i >> /tmp/jenkins_bundle.crt
|
|
||||||
echo >> /tmp/jenkins_bundle.crt
|
|
||||||
done
|
|
||||||
|
|
||||||
expect <(cat <<EOH
|
|
||||||
spawn openssl pkcs12 -inkey /secrets/jenkins.key -in /tmp/jenkins_bundle.crt -export -out /secrets/jenkins.jks
|
|
||||||
expect "Enter Export Password:"
|
|
||||||
send -- "password\r"
|
|
||||||
expect "Verifying - Enter Export Password:"
|
|
||||||
send -- "password\r"
|
|
||||||
interact
|
|
||||||
EOH
|
|
||||||
)
|
|
||||||
|
|
||||||
# defaultish jenkins stuff
|
|
||||||
: "${JENKINS_WAR:="/usr/share/jenkins/jenkins.war"}"
|
: "${JENKINS_WAR:="/usr/share/jenkins/jenkins.war"}"
|
||||||
: "${JENKINS_HOME:="/var/jenkins_home"}"
|
: "${JENKINS_HOME:="/var/jenkins_home"}"
|
||||||
: "${COPY_REFERENCE_FILE_LOG:="${JENKINS_HOME}/copy_reference_file.log"}"
|
: "${COPY_REFERENCE_FILE_LOG:="${JENKINS_HOME}/copy_reference_file.log"}"
|
||||||
|
|
|
@ -13,10 +13,6 @@ job "jenkins" {
|
||||||
value = "true"
|
value = "true"
|
||||||
}
|
}
|
||||||
|
|
||||||
vault {
|
|
||||||
policies = ["default", "ansible"]
|
|
||||||
change_mode = "restart"
|
|
||||||
}
|
|
||||||
group "jenkins" {
|
group "jenkins" {
|
||||||
count = 1
|
count = 1
|
||||||
|
|
||||||
|
@ -30,41 +26,19 @@ job "jenkins" {
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
template {
|
|
||||||
data = <<EOH
|
|
||||||
{{- with secret "pki_int/issue/masked-dot-name" "common_name=jenkins.service.masked.name" "alt_names=jenkins.service.columbia.masked.name" -}}
|
|
||||||
{{- .Data.certificate -}}
|
|
||||||
{{- end -}}
|
|
||||||
EOH
|
|
||||||
destination = "${NOMAD_SECRETS_DIR}/jenkins.crt"
|
|
||||||
change_mode = "restart"
|
|
||||||
}
|
|
||||||
|
|
||||||
template {
|
|
||||||
data = <<EOH
|
|
||||||
{{- with secret "pki_int/issue/masked-dot-name" "common_name=jenkins.service.masked.name" "alt_names=jenkins.service.columbia.masked.name" -}}
|
|
||||||
{{- .Data.private_key -}}
|
|
||||||
{{- end -}}
|
|
||||||
EOH
|
|
||||||
destination = "${NOMAD_SECRETS_DIR}/jenkins.key"
|
|
||||||
change_mode = "restart"
|
|
||||||
}
|
|
||||||
|
|
||||||
env {
|
env {
|
||||||
ROOT_URL = "${NOMAD_ADDR_https}"
|
ROOT_URL = "${NOMAD_ADDR_https}"
|
||||||
JAVA_ARGS = "-Xmx2048m"
|
|
||||||
JENKINS_OPTS = "--httpsPort=8443 --httpsKeyStore=/secrets/jenkins.jks --httpsKeyStorePassword=password"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
resources {
|
resources {
|
||||||
cpu = 2000
|
cpu = 2000
|
||||||
memory = 2560
|
memory = 2048
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
network {
|
network {
|
||||||
port "https" {
|
port "https" {
|
||||||
to = 8443
|
to = 8080
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,30 +0,0 @@
|
||||||
# Allow creating tokens under "nomad-cluster" role.
|
|
||||||
path "auth/token/create/nomad-cluster" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow looking up "nomad-cluster" role.
|
|
||||||
path "auth/token/roles/nomad-cluster" {
|
|
||||||
capabilities = ["read"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow looking up incoming tokens to validate they have permissions to access
|
|
||||||
# the tokens they are requesting.
|
|
||||||
path "auth/token/lookup" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow revoking tokens that should no longer exist.
|
|
||||||
path "auth/token/revoke-accessor" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow checking the capabilities of our own token.
|
|
||||||
path "sys/capabilities-self" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow our own token to be renewed.
|
|
||||||
path "auth/token/renew-self" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
|
@ -1,8 +0,0 @@
|
||||||
{
|
|
||||||
"disallowed_policies": "nomad-server,root",
|
|
||||||
"token_explicit_max_ttl": 0,
|
|
||||||
"name": "nomad-cluster",
|
|
||||||
"orphan": true,
|
|
||||||
"token_period": 259200,
|
|
||||||
"renewable": true
|
|
||||||
}
|
|
Loading…
Reference in a new issue