Resolve "Pipeline Refactor: CloudBees core-oc"

28c87bda · Jesse Glick · Gerard Fulton · 1d2af7b1 · 1d2af7b1 · 1d2af7b1
Commit 28c87bda authored Mar 03, 2020 by Jesse Glick Committed by Gerard Fulton Mar 03, 2020
20 changed files
--- a/2.204.3.2/README.md
+++ b/2.204.3.2/README.md
-# CloudBees Core setup
-CloudBees Core consists of three Docker images installed via Helm chart:
-* `core-oc`: the Operations Center
-* `core-mm`: a managed Jenkins master
-* `agent`: a Jenkins build agent
-For each image, all files other than UBI and native packages
-are included in a `files.tar` marked with a SHA-256 checksum.
-`/etc/fixup` performs final image modifications such as setting file owners.
-A version of Core is given in the format `2.204.3.2`
-where the first three components are aligned with a Jenkins LTS.
-The Helm chart is coversioned with `core-oc`.
-The `core-mm` image typically shares the same version,
-though a given master may be deliberately kept at a somewhat older release.
-The `agent` image is preferably coversioned with the master.
-After creating images, create a values file that specifies locally uploaded images
-plus whatever other customizations are desired:
-```yaml
-OperationsCenter:
-  Image:
-    dockerImage: your-registry/core-oc:2.204.3.2
-Master:
-  Image:
-    dockerImage: your-registry/core-mm:2.204.3.2
-Agents:
-  Image:
-    dockerImage: your-registry/agent:2.204.3.2
-```
-and [install via Helm 3](https://docs.cloudbees.com/docs/cloudbees-core/latest/kubernetes-install-guide/installing-kubernetes-using-helm) using the local copy of the chart:
-```bash
-helm install cloudbees-core core-oc/helm -f dsop-values.yaml
-```
--- a/2.204.3.2/scripts/files.tar.key
+++ b/2.204.3.2/scripts/files.tar.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
-mQGNBF4PTV4BDAD+Y5PsYrqiHzdhMoqBbtPEUeWb5zuoOWXPCL/AQMt5d6VlKejq
-c0MTFys0bHEP0udySAUXdipomSju+n8hLfYwfbdtysyZprrVbeX4IC3tISXpzaag
-QcGLjZjdaFt4VY3fbqqKrztcwz/i/ZpApYvZsW6Rd2IdafHUWELabsBxrBZIPAaZ
-vmJC0vcfQjFTM5mpk0OM+IKD6dLGTxAT7Xs4LVp/WM5uwibpSyly2z3hLul0FBIU
-8afmLLjHIoYug3b8E1AJ7h+S5ornla/P8n6Ilb/m6Mju/0AjC1/srmtZxCyMui/e
-fSyik249z43MNUYLw/5C6MZa/0mb5H8sHhb/fq9i6VImhK1MBNw9s02qcCQyqoeM
-bQeXeRv1xVtGlRA5EIjsfsIRlttswkSpxn21+3owgn8E3bHdEfze7kcJOES68r3S
-wLwavp3iXpPHX9StupbPMwIZU683+fB6DL1Nhe/iRN2JARGYgy1Sz5C3b5JTR/wk
-+y6W8e+RM9WwqGMAEQEAAbQiSmVzc2UgR2xpY2sgPGpnbGlja0BjbG91ZGJlZXMu
-Y29tPokB1AQTAQoAPhYhBKHdJZBTheEqPxhbiUlWNUa19/j3BQJeD01eAhsDBQkD
-wmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEElWNUa19/j3ufIMAKjkSXR7
-urOHrwI7JQ3G68SKpa3Of/cYBn60Lxjbg2Jwl2Y0SSNgT86PPW18UlgNojbQXD7C
-xdqLjcURaIvXsv4FpCCGaGl8jHGQRs05DAFydZ4Gw7B3gZzwW70R1xDxAj8RjgFu
-t1fjLWUpPkMgJJetS/bi4CxttkFBHydOx8LdcCqMJZp05vpRYyKCtyL8oh4idgt/
-AuewNI0NjuHcpRHtZbFOPcW5Q23uBUd07/1xH7/5Z+PVLKVYQjSkYIQ0Mk8YlExs
-Wueoxb31eD6pIlm9kDfG8B2VMmRaLwWObFqvHOKqiCgIgmwdZMGuiyVaGHw3UrEo
-klakt4+4B9H+cFNieAbDrqIS+8expD3F6SHksH1EbTAU7HIE3ni0bDlrMYGHMEGA
-KMaFAV3WH8j9UVzKlwFTDlkZx/+eayL0iwmbLBaltv3XC1qUHdAeZg/t1cU78QXM
-zOOT81foj8TuloDhu0zmR2gFpyvxkwzZf0XVq8HtL9PR+eHALiPH5shCu7kBjQRe
-D01eAQwAzTOiKbTSGdM8o41cAgo70efJEo0z9AD2k1JsJcRri2hQWxEYa8BqWaY0
-l2jS+dgJbXN2hD866SAHKA7tQW9nTMTxAPazbSoF0QF/wJOke/hbVlMg4mqOagdw
-Ivz2XXK6mmTX9TSEkU9nmqz02+F0bO8EkzJsBxZSET8yc97we3qfULheyPRSXvaD
-4UUubb5d2jV7HVlwMD10hi1uUdW2X6n5WJAAbzRwmOMW/Ab0ga9dkhFUFf1iQvAM
-IYzrt2kZSW3qM78ecRc1vQRLG4HPsfV3UjiFrJZkR0mfTE8cFkQiMsRZdErtTyiW
-xT171PwNrC3eyQVLsifKoTj18pSFnc/AqxJylnBqhEmJO+oeGgiA9ubbKWBGM1S9
-AQp1bwCtBaM8LHcfvRsP5apQJM+G/QRKC9GmRpG04TT6BuGcz9bYvBpDjKtiaL8r
-kU2sWy2ouu6sUTywkXIPDuCNypIcN0DJazRSGPX/ypm3/igeM4K6fIwesgNTHRmH
-eph5IAbZABEBAAGJAbwEGAEKACYWIQSh3SWQU4XhKj8YW4lJVjVGtff49wUCXg9N
-XgIbDAUJA8JnAAAKCRBJVjVGtff49+BUC/418+oZ2CITgUElo7W13Tc9Z40GCcBG
-sTTDHH94V1MkwB8EBMlyliEHmbkBes64lBmgzPL0aynSX4QNKXJVaV7RY2Zd6BnJ
-YSmDk3Ccb9rSqfzNIhFpfRageSONYFcuO6aPviMqjTuOf2R8CTvD3a1g20MxhXNw
-vaK/UrRzt/cYy7sk7cu3PXpXfrM4t50yyln9aBvARvgAin+hZZnnbtZWpxLJXX8f
-aoV7iIrEtJ/myD1AMYrcQrWAZap+s6CJSvcS2vNLDUYF8DCRVlm/lgMO1pBqhB80
-w5yQ6flarWhk7y82udCK5kJ740kCQfby2WsEtYUJuFMcCOPiZyUrmInJSntTZw2z
-lDcS9aIoqMQLdlb5CUHN0AUIJa577P622bxCqgzD/+RjcFju29RFfWsOA9smSOZm
-f+AZoLxcjpOzn1DkpgH3F8SocBFsOs474zpX90I74NxjIWpE8e7RrUorBLOheV3s
-OFfM2MbO5cFxP8HWEsOhrWW39G5XcGK9AjI=
-=Wf65
-----END PGP PUBLIC KEY BLOCK-----
--- a/2.204.3.2/scripts/files.tar.sha
+++ b/2.204.3.2/scripts/files.tar.sha
-4256bbc2889b67ca88ea0bccc3ad46c2fe74b8fa58563cac8bba169b88417854 files.tar
--- a/2.204.3.2/scripts/files.tar.sig
+++ b/2.204.3.2/scripts/files.tar.sig
--- a/2.204.3.2/scripts/prebuild.sh
+++ b/2.204.3.2/scripts/prebuild.sh
-# adapted from https://dccscr.dsop.io/dsop/dccscr/tree/master/contributor-onboarding/scripts/prebuild.sh
-set -xe
-TMPDIR=$(mktemp -d -p /tmp) && cp scripts/*.{key,sig,sha} $TMPDIR && cd $TMPDIR
-curl -f -s -o files.tar https://dsop.s3.amazonaws.com/core-oc-4256bbc2889b67ca88ea0bccc3ad46c2fe74b8fa58563cac8bba169b88417854.tar
-gpg --import files.tar.key
-gpg --verify files.tar.sig files.tar
-sha256sum files.tar.sha --check --status
-curl -k -f -u ${NEXUS_USERNAME}:${NEXUS_PASSWORD} -T files.tar https://${NEXUS_SERVER}/repository/dsop/cloudbees/core-oc-4256bbc2889b67ca88ea0bccc3ad46c2fe74b8fa58563cac8bba169b88417854.tar
-cd -
-rm -rf $TMPDIR
--- a/2.204.3.2/Dockerfile
+++ b/2.204.3.2/Dockerfile
@@ -13,13 +13,9 @@ ENV CACHE_DIR /tmp/jenkins
 ENV COPY_REFERENCE_FILE_LOG $JENKINS_HOME/copy_reference_file.log
 ARG user=jenkins
-ENV JENKINS_USER=${user}
 ARG group=jenkins
-ENV JENKINS_GROUP=${group}
 ARG uid=1000
-ENV JENKINS_UID=${uid}
 ARG gid=1000
-ENV JENKINS_GID=${gid}
 RUN dnf --disableplugin=subscription-manager install -y --nodocs \
    java-1.8.0-openjdk-devel \
@@ -39,28 +35,38 @@ VOLUME $JENKINS_HOME
 # 50000 for agents incoming TCP
 EXPOSE 8080 50000
+ENTRYPOINT ["tini", "--", "/usr/local/bin/launch.sh"]
 HEALTHCHECK --interval=5m --timeout=3s \
  CMD curl -fsL ${JENKINS_URL}/login || exit 1
 LABEL securitytxt="https://www.cloudbees.com/.well-known/security.txt"
-LABEL release=bea24e931f15b21f927c19855fad804d9a4a3894
+LABEL release=882f6d72378c040c18da2e38e14a60b8dabfc55e
 LABEL version=2.204.3.2
-ARG uid=1000
+ARG TARBALL=files.tar
+COPY ${TARBALL} /tmp
+RUN cd / && \
+    tar xvf /tmp/files.tar && \
+    rm /tmp/files.tar
+RUN chmod +x /usr/local/bin/*.sh && \
+    `# Remove SUID/SGID for ssh-keysign` && \
+    chmod ug-s /usr/libexec/openssh/ssh-keysign && \
+    chmod +x /sbin/tini && \
+    `# Jenkins is run with user jenkins, uid = 1000; if you bind mount a volume from the host or a data container, ensure you use the same uid` && \
+    groupadd -g ${gid} ${group} && \
+    useradd -d $JENKINS_HOME -u ${uid} -g ${group} -s /bin/bash ${user} && \
+    `# Needed in order to run container as a different user and have a valid /etc/passwd entry` && \
+    chmod 664 /etc/passwd && \
+    chown -R ${user} $JENKINS_HOME $REF_DIR
+USER ${uid}
 ENV VOLUME_SERVICE=http://localhost:31080
 ENV TENANT=cjoc
 ENV JENKINS_VARIANT=cjoc
-ENTRYPOINT ["tini", "--", "/usr/local/bin/launch.sh"]
 LABEL name="CloudBees Core Operation Center" \
      vendor="CloudBees, Inc." \
      summary="CloudBees Core is the continuous delivery platform architected for the enterprise" \
      description="This container image will deploy one instance of CloudBees Core Operations Center."
-ARG NEXUS_SERVER=${NEXUS_SERVER}
-ARG NEXUS_USERNAME=${NEXUS_USERNAME}
-ARG NEXUS_PASSWORD=${NEXUS_PASSWORD}
-RUN cd /; curl -s -k -f -u ${NEXUS_USERNAME}:${NEXUS_PASSWORD} https://${NEXUS_SERVER}/repository/dsop/cloudbees/core-oc-4256bbc2889b67ca88ea0bccc3ad46c2fe74b8fa58563cac8bba169b88417854.tar | tar xvf -
-RUN bash /etc/fixup
-USER ${uid}
--- a/Jenkinsfile
+++ b/Jenkinsfile
+hardeningPipeline()
--- a/README.md
+++ b/README.md
-# core-oc
+# CloudBees Core setup
+CloudBees Core consists of three Docker images installed via Helm chart:
+* `core-oc`: the Operations Center
+* `core-mm`: a managed Jenkins master
+* `agent`: a Jenkins build agent
+For each image, all files other than UBI and native packages
+are included in a `files.tar` marked with a SHA-256 checksum.
+A version of Core is given in the format `2.204.3.2`
+where the first three components are aligned with a Jenkins LTS.
+The Helm chart is coversioned with `core-oc`.
+The `core-mm` image typically shares the same version,
+though a given master may be deliberately kept at a somewhat older release.
+The `agent` image is preferably coversioned with the master.
+After creating images, create a values file that specifies locally uploaded images
+plus whatever other customizations are desired:
+```yaml
+OperationsCenter:
+  Image:
+    dockerImage: your-registry/core-oc:2.204.3.2
+Master:
+  Image:
+    dockerImage: your-registry/core-mm:2.204.3.2
+Agents:
+  Image:
+    dockerImage: your-registry/agent:2.204.3.2
+```
+and [install via Helm 3](https://docs.cloudbees.com/docs/cloudbees-core/latest/kubernetes-install-guide/installing-kubernetes-using-helm) using the local copy of the chart:
+```bash
+helm install cloudbees-core core-oc/helm -f dsop-values.yaml
+```
--- a/download.json
+++ b/download.json
+{
+  "resources": [
+    {
+      "url": "https://dsop.s3.amazonaws.com/core-oc-files-3ad154c4fa3fb0322fae93015e799da8bac2adc44262eea89533ea6386d92a07.tar",
+      "filename": "files.tar",
+      "sha256": "3ad154c4fa3fb0322fae93015e799da8bac2adc44262eea89533ea6386d92a07"
+    }
+  ]
+}
--- a/2.204.3.2/helm/.gitignore
+++ b/2.204.3.2/helm/.gitignore
--- a/2.204.3.2/helm/Chart.yaml
+++ b/2.204.3.2/helm/Chart.yaml
 apiVersion: v1
-appVersion: 2.204.2.2
+appVersion: 2.204.3.2
 description: The Continuous Delivery Solution for Enterprises
 home: https://www.cloudbees.com/products/cloudbees-core
 icon: https://images.ctfassets.net/vtn4rfaw6n2j/7xprMMXARXDBuVxW4y8XfV/349fff91035050e3f2a8ff37bc0615b5/cloudbees-core-logo_header.svg
@@ -7,4 +7,4 @@ keywords:
 - cloudbees
 - jenkins
 name: cloudbees-core
-version: 3.10.0-DEVELOPMENT
+version: 3.11.0-DEVELOPMENT
--- a/2.204.3.2/helm/README.md
+++ b/2.204.3.2/helm/README.md
--- a/2.204.3.2/helm/requirements.lock
+++ b/2.204.3.2/helm/requirements.lock
 dependencies:
 - name: nginx-ingress
  repository: https://kubernetes-charts.storage.googleapis.com/
-  version: 1.4.0
+  version: 1.31.0
 - name: cloudbees-sidecar-injector
  repository: https://charts.cloudbees.com/public/cloudbees
  version: 2.0.2
-digest: sha256:05fb24e734064b3d878f42d8350fe210a3feb38d8fa773657f73d62a94f61e64
+digest: sha256:3def1dbb081b36dfd4e884974dec82adc2191e7b9e0cc91dba2acc9bb0162764
-generated: "2020-02-14T15:52:09.061061741-05:00"
+generated: "2020-02-19T09:43:35.50092+01:00"
--- a/2.204.3.2/helm/requirements.yaml
+++ b/2.204.3.2/helm/requirements.yaml
 dependencies:
 - name: nginx-ingress
-  version: 1.4.0
+  version: 1.31.0
  repository: https://kubernetes-charts.storage.googleapis.com/
  condition: nginx-ingress.Enabled
 - name: cloudbees-sidecar-injector

--- a/2.204.3.2/helm/templates/NOTES.txt
+++ b/2.204.3.2/helm/templates/NOTES.txt
--- a/2.204.3.2/helm/templates/_helpers.tpl
+++ b/2.204.3.2/helm/templates/_helpers.tpl
@@ -215,6 +215,11 @@ Plural versions for usage in network policy ingress rules
 {{- define "agent.podSelectors" -}}
 {{ include "agent.podSelector" . | indent 2 | trim | printf "- %s"}}
+{{- if .Values.Agents.SeparateNamespace.Enabled }}
+  namespaceSelector:
+    matchLabels:
+      cloudbees.com/role: agents
+{{- end -}}
 {{- end -}}
 {{- define "master.podSelectors" -}}
@@ -342,3 +347,11 @@ status:
  ingress:
    - host: ""
 {{- end -}}
+{{- define "agents.namespace" -}}
+{{- if .Values.Agents.SeparateNamespace.Enabled -}}
+{{ default (printf "%s-%s" .Release.Namespace "builds") .Values.Agents.SeparateNamespace.Name }}
+{{- else -}}
+{{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
--- a/2.204.3.2/helm/templates/agents-configmap.yaml
+++ b/2.204.3.2/helm/templates/agents-configmap.yaml
@@ -7,6 +7,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: jenkins-agent
+  namespace: {{ template "agents.namespace" . }}
  labels:
 {{ include "cloudbees-core.labels" . | indent 4 }}
 data:

--- a/helm/templates/agents-namespace.yaml
+++ b/helm/templates/agents-namespace.yaml
+{{- if and (.Values.Agents.SeparateNamespace.Enabled) (.Values.Agents.SeparateNamespace.Create) }}
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: {{ template "agents.namespace" . }}
+  labels:
+    cloudbees.com/role: agents
+    app.kubernetes.io/part-of: {{ .Release.Namespace }}-{{ .Release.Name }}
+{{ include "cloudbees-core.labels" . | indent 4 }}
+{{- end}}
--- a/2.204.3.2/helm/templates/agents-networkpolicy.yaml
+++ b/2.204.3.2/helm/templates/agents-networkpolicy.yaml
@@ -4,6 +4,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: agents
+  namespace: {{ template "agents.namespace" . }}
 spec:
 {{ include "agent.podSelector" . | indent 2 }}
 {{- end }}
--- a/helm/templates/agents-service-account.yaml
+++ b/helm/templates/agents-service-account.yaml
+{{- if and (.Values.rbac.install) (.Values.Agents.SeparateNamespace.Enabled) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.rbac.agentsServiceAccountName }}
+  namespace: {{ template "agents.namespace" . }}
+  labels:
+{{ include "cloudbees-core.labels" . | indent 4 }}
+{{- if .Values.Agents.ImagePullSecrets }}
+imagePullSecrets:
+{{- if kindIs "string" .Values.Agents.ImagePullSecrets }}
+- name: {{ .Values.Agents.ImagePullSecrets }}
+{{- else }}
+{{ toYaml .Values.Agents.ImagePullSecrets }}
+{{- end}}
+{{- end -}}
+{{- end -}}