Jenkins role: automate the initialization, create an admin user.

2019-05-01 16:35:13 +02:00 · 2019-05-01 16:35:13 +02:00 · fe87db7acd
parent 9354f4e483
commit fe87db7acd
9 changed files with 131 additions and 15 deletions
--- a/jenkins/common/defaults/main.yml
+++ b/jenkins/common/defaults/main.yml
@ -3,9 +3,12 @@
 jenkins_dest: "/var/lib/jenkins"
 jenkins_username: jenkins
 jenkins_group: jenkins
-jenkins_shell: /bin/bash
+jenkins_shell: /usr/bin/nologin
+jenkins_slaves_via_ssh: True

-jenkins_maven_config: True
+
+# These should go away
+jenkins_maven_config: False
 jenkins_maven_settings_dirs:
  - .m2

--- a/jenkins/common/tasks/main.yml
+++ b/jenkins/common/tasks/main.yml
@ -1,4 +1,26 @@
 ---
+- block:
+  - name: Create the ssh key on the master node
+    user: name={{ jenkins_username }} generate_ssh_key=True 
+    delegate_to: '{{ item }}'
+    with_items: '{{ groups.jenkins_master }}'
+
+  - name: Get the master ssh keys
+    become: True
+    become_user: '{{ jenkins_username }}'
+    shell: cat ~/.ssh/id_rsa.pub
+    register: jenkins_pubkeys
+
+  - name: Deploy the public ssh key on the slaves
+    authorized_key: user={{ jenkins_username }} key={{ item[0] }}
+    delegate_to: '{{ item[1] }}'
+    with_nested:
+      - '{{ jenkins_pubkeys.stdout }}'
+      - "{{ groups['jenkins_slaves'] }}"
+
+  when: jenkins_slaves_via_ssh
+  tags: [ 'jenkins', 'jenkins_common', 'jenkins_master', 'jenkins_slave', 'jenkins_slaves' ]
+
 - block:
    - name: Create the maven setting directory
      file: dest={{ jenkins_dest }}/{{ item }} state=directory
--- a/jenkins/master/defaults/main.yml
+++ b/jenkins/master/defaults/main.yml
@ -1,5 +1,5 @@
 ---
-jenkins_install: False
+jenkins_install: True
 jenkins_use_latest: False
 jenkins_pkg_state: latest
 jenkins_repo_key: 'https://pkg.jenkins.io/debian/jenkins-ci.org.key'
@ -14,10 +14,41 @@ jenkins_rh_latest_repo_key: https://pkg.jenkins.io/redhat/jenkins.io.key
 jenkins_packages:
  - jenkins

-jenkins_package_requirements:
-  - curl
+jenkins_deb_package_requirements:
  - python-svn
+  - dblatex
+  - imagemagick
+  - graphviz
+  - fonts-dejavu
+  - dos2unix
+  - build-essential
+  - curl
+  - fabric
+  - git
+  - git-svn
+  - maven
+  - python-dev
+  - sloccount
+  - subversion
+  - subversion-tools
+  - unzip

+jenkins_rh_package_requirements:
+  - curl
+  - dblatex
+  - docbook-utils-pdf
+  - texlive-cmap
+  - ImageMagick
+  - graphviz
+  - graphviz-java
+  - graphviz-graphs
+  - dejavu-sans-fonts
+  - dejavu-sans-mono-fonts
+  - dejavu-serif-fonts
+  - dejavu-fonts-common
+  - dos2unix
+
+jenkins_stb_support: False
 jenkins_sbt_launch_jars:
  - sbt-launch-0.11.0.jar
  - sbt-launch-0.12.jar
@ -31,7 +62,8 @@ jenkins_webroot: /var/cache/jenkins/war
 jenkins_username: jenkins
 jenkins_group: jenkins
 jenkins_shell: /bin/bash
-jenkins_restart_delay: 60
+jenkins_restart_delay: 20
+jenkins_restart_wait_timeout: 600
 jenkins_admin_user: admin
 jenkins_jdk_xmx: 4096M
 jenkins_jdk_gc_opts: "-XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled"
@ -41,7 +73,7 @@ jenkins_java_path: /usr/bin/java

 jenkins_cli_dest: "{{ jenkins_dest }}/jenkins-cli.jar" # Jenkins CLI destination
 jenkins_updates_dest: "{{ jenkins_dest }}/updates_jenkins.json" # Jenkins updates file
-jenkins_admin_user_pwd_file: "{{ jenkins_dest }}/.jenkins_admin_pwd"
+jenkins_admin_user_pwd_file: "{{ jenkins_dest }}/secrets/.jenkins_admin_pwd"

 jenkins_access_params:
  url_username: '{{ jenkins_admin_user }}'
@ -56,6 +88,7 @@ jenkins_plugins:
  - { name: 'github-api', state: 'latest', dependencies: 'True' }
  - { name: 'global-build-stats', state: 'latest', dependencies: 'True' }
  - { name: 'mailer', state: 'latest', dependencies: 'True' }
+  - { name: 'matrix-project', state: 'latest', dependencies: 'True' }
  - { name: 'maven-plugin', state: 'latest', dependencies: 'True' }
  - { name: 'monitoring', state: 'latest', dependencies: 'True' }
  - { name: 'extended-read-permission', state: 'latest', dependencies: 'True' }
@ -71,4 +104,4 @@ jenkins_plugins:
  - { name: 'jquery-ui', state: 'latest', dependencies: 'True' }
  - { name: 'parameterized-trigger', state: 'latest', dependencies: 'True' }
  - { name: 'javadoc', state: 'latest', dependencies: 'True' }
-  - { name: 'job-dsl-plugin', state: 'latest', dependencies: 'True' }
+  - { name: 'job-dsl', state: 'latest', dependencies: 'True' }
--- a/jenkins/master/tasks/jenkins_deb_pkgs.yml
+++ b/jenkins/master/tasks/jenkins_deb_pkgs.yml
@ -12,17 +12,16 @@
    when: jenkins_use_latest

  - name: Install jenkins
-    apt: pkg={{ item }} state={{ jenkins_pkg_state }} update_cache=yes cache_valid_time=3600
+    apt: pkg={{ jenkins_packages }} state={{ jenkins_pkg_state }} update_cache=yes cache_valid_time=3600
    register: jenkins_install
-    with_items: '{{ jenkins_packages }}'

  - name: Install some jenkins requirements
-    apt: pkg={{ item }} state={{ jenkins_pkg_state }} update_cache=yes cache_valid_time=3600
-    with_items: '{{ jenkins_package_requirements }}'
+    apt: pkg={{ jenkins_deb_package_requirements }} state={{ jenkins_pkg_state }} update_cache=yes cache_valid_time=3600

  - name: install sbt launcher
    copy: src={{ item }} dest=/usr/local/lib/{{ item }}
    with_items: '{{ jenkins_sbt_launch_jars }}'
+    when: jenkins_stb_support

  - name: Set the startup jenkins options
    template: src=jenkins.default.j2 dest=/etc/default/jenkins owner=root group=root mode=0444
@ -45,8 +44,7 @@
      service: name=jenkins state=stopped enabled=no

    - name: Remove jenkins
-      apt: pkg={{ item }} state=absent
-      with_items: '{{ jenkins_packages }}'
+      apt: pkg={{ jenkins_packages }} state=absent

    - name: Remove the jenkins stable repository
      apt_repository: repo='{{ jenkins_stable_repo }}' state=absent update_cache=yes
--- a/jenkins/master/tasks/jenkins_init.yml
+++ b/jenkins/master/tasks/jenkins_init.yml
@ -0,0 +1,18 @@
+---
+- block:
+  - name: Create the groovy directory
+    file: dest={{ jenkins_dest }}/init.groovy.d state=directory
+
+  - name: Install a groovy script to initialize the Jenkins system
+    template: src=admin_user.groovy dest={{ jenkins_dest }}/init.groovy.d/admin_user.groovy mode=0600
+    register: jenkins_must_be_restarted
+
+  - name: Restart jenkins if needed
+    become_user: root
+    service: name=jenkins state=restarted
+    when: jenkins_must_be_restarted is changed
+
+  become: True
+  become_user: '{{ jenkins_username }}'
+  when: jenkins_install
+  tags: [ 'jenkins', 'jenkins_master' ]
--- a/jenkins/master/tasks/jenkins_plugins.yml
+++ b/jenkins/master/tasks/jenkins_plugins.yml
@ -3,7 +3,7 @@
    # Handle plugins
    # If Jenkins is installed or updated, wait for pulling the Jenkins CLI, assuming 10s should be sufficiant
    - name: Wait for jenkins
-      wait_for: port={{ jenkins_http_port }} delay={{ jenkins_restart_delay }}
+      wait_for: port={{ jenkins_http_port }} delay={{ jenkins_restart_delay }} state=started timeout={{ jenkins_restart_wait_timeout }}
      when: jenkins_has_been_restarted is changed or jenkins_has_been_started is changed

    # Create Jenkins CLI destination directory
@ -13,6 +13,19 @@
    - name: Get Jenkins CLI
      get_url: url={{ jenkins_local_url}}/jnlpJars/jenkins-cli.jar dest={{ jenkins_cli_dest }} mode=0440

+    # - name: Check if Jenkins has been initialized already
+    #   stat: path={{ jenkins_admin_user_pwd_file }}
+    #   register: jenkins_pwd_path
+
+    # - name: Get the initial admin password, if we have to initialize the service
+    #   shell: cat '{{ jenkins_dest }}/secrets/initialAdminPassword'
+    #   register: jenkins_admin_pwd
+    #   when: not jenkins_pwd_path.stat.exists
+
+    # # Create the Jenkins administrative user password file
+    # - name: Create the Jenkins administrative user password file
+    #   copy: content={{ jenkins_admin_pwd.stdout }} dest={{ jenkins_admin_user_pwd_file }} mode=600
+
    # Create the Jenkins administrative user password file
    - name: Create the Jenkins administrative user password file
      copy: content={{ jenkins_admin_pwd }} dest={{ jenkins_admin_user_pwd_file }} mode=600
--- a/jenkins/master/tasks/jenkins_rh_pkgs.yml
+++ b/jenkins/master/tasks/jenkins_rh_pkgs.yml
@ -28,6 +28,9 @@
    yum: pkg={{ jenkins_packages }} state={{ jenkins_pkg_state }}
    register: jenkins_install

+  - name: Install jenkins additional packages
+    yum: pkg={{ jenkins_rh_package_requirements }} state={{ jenkins_pkg_state }}
+
  - name: Set the startup jenkins options
    template: src=jenkins.default.j2 dest=/etc/sysconfig/jenkins owner=root group=root mode=0444
    register: jenkins_must_be_restarted
--- a/jenkins/master/tasks/main.yml
+++ b/jenkins/master/tasks/main.yml
@ -5,6 +5,8 @@
 - import_tasks: jenkins_rh_pkgs.yml
  when: ansible_distribution_file_variety != "Debian"

+- import_tasks: jenkins_init.yml
+
 - import_tasks: jenkins_plugins.yml
  when: jenkins_install

--- a/jenkins/master/templates/admin_user.groovy
+++ b/jenkins/master/templates/admin_user.groovy
@ -0,0 +1,24 @@
+#!groovy
+import java.util.logging.Level
+import java.util.logging.Logger
+import hudson.security.*
+import jenkins.model.*
+
+def instance = Jenkins.getInstance()
+def logger = Logger.getLogger(Jenkins.class.getName())
+
+logger.log(Level.INFO, "Ensuring that local user '{{ jenkins_admin_user }}' is created.")
+
+if (!instance.isUseSecurity()) {
+    logger.log(Level.INFO, "Creating local admin user '{{ jenkins_admin_user }}'.")
+
+    def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
+    strategy.setAllowAnonymousRead(false)
+
+    def hudsonRealm = new HudsonPrivateSecurityRealm(false)
+    hudsonRealm.createAccount("{{ jenkins_admin_user }}", "{{ jenkins_admin_pwd }}")
+
+    instance.setSecurityRealm(hudsonRealm)
+    instance.setAuthorizationStrategy(strategy)
+    instance.save()
+}