rhtconsulting / rhc-ose

OpenShift Automation and Utilities by Red Hat Consulting

Updates to support configuration of cicd environment driven by conf file #91

Closed sabre1041 closed 8 years ago

sabre1041 commented 8 years ago

What does this PR do?

Allows for the cicd environment to be driven by values in a configuration file

How should this be manually tested?

Create a file (single line) containing your Jenkins security configurations (/root/repository/rhc-ose-env-configs/openshift_environments/cicd.rhc-ose.labs.redhat.com/files/jenkins-ldap-authz.xml)

<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy"><permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create:ci_users</permission><permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete:ci_users</permission><permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:ci_users</permission><permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update:ci_users</permission><permission>com.cloudbees.plugins.credentials.CredentialsProvider.View:ci_users</permission><permission>hudson.model.Computer.Build:ci_users</permission><permission>hudson.model.Computer.Configure:ci_users</permission><permission>hudson.model.Computer.Connect:ci_users</permission><permission>hudson.model.Computer.Create:ci_users</permission><permission>hudson.model.Computer.Delete:ci_users</permission><permission>hudson.model.Computer.Disconnect:ci_users</permission><permission>hudson.model.Hudson.Administer:ci_admins</permission><permission>hudson.model.Hudson.Read:ci_users</permission><permission>hudson.model.Item.Build:ci_users</permission><permission>hudson.model.Item.Cancel:ci_users</permission><permission>hudson.model.Item.Configure:ci_users</permission><permission>hudson.model.Item.Create:ci_users</permission><permission>hudson.model.Item.Delete:ci_users</permission><permission>hudson.model.Item.Discover:ci_users</permission><permission>hudson.model.Item.Move:ci_users</permission><permission>hudson.model.Item.Read:ci_users</permission><permission>hudson.model.Item.Workspace:ci_users</permission><permission>hudson.model.Run.Delete:ci_users</permission><permission>hudson.model.Run.Update:ci_users</permission><permission>hudson.model.View.Configure:ci_users</permission><permission>hudson.model.View.Create:ci_users</permission><permission>hudson.model.View.Delete:ci_users</permission><permission>hudson.model.View.Read:ci_users</permission><permission>hudson.scm.SCM.Tag:ci_users</permission></authorizationStrategy><securityRealm class="hudson.security.LDAPSecurityRealm"><server>ldaps://ipa.rhc-ose.labs.redhat.com:636</server><rootDN>dc=rhc-ose,dc=labs,dc=redhat,dc=com</rootDN><inhibitInferRootDN>false</inhibitInferRootDN><userSearchBase>cn=users,cn=accounts</userSearchBase><userSearch>uid={0}</userSearch><groupMembershipStrategy class="jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"/><managerDN>uid=ldap,cn=users,cn=compat,dc=rhc-ose,dc=labs,dc=redhat,dc=com</managerDN><managerPassword>OMITTED</managerPassword><disableMailAddressResolver>false</disableMailAddressResolver><displayNameAttributeName>displayname</displayNameAttributeName><mailAddressAttributeName>mail</mailAddressAttributeName><userIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/><groupIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/></securityRealm>

Create supporting Nexus configurations (/root/repository/rhc-ose-env-configs/openshift_environments/cicd.rhc-ose.labs.redhat.com/files/nexus-ldap.xml)

<?xml version="1.0" encoding="UTF-8"?>
<ldapConfiguration>
  <version>2.8.0</version>
  <connectionInfo>
    <searchBase>dc=rhc-ose,dc=labs,dc=redhat,dc=com</searchBase>
    <systemUsername>uid=ldap,cn=users,cn=compat,dc=rhc-ose,dc=labs,dc=redhat,dc=com</systemUsername>
    <systemPassword>OMITTED</systemPassword>
    <authScheme>simple</authScheme>
    <protocol>ldaps</protocol>
    <host>ipa.rhc-ose.labs.redhat.com</host>
    <port>636</port>
  </connectionInfo>
  <userAndGroupConfig>
    <emailAddressAttribute>mail</emailAddressAttribute>
    <ldapGroupsAsRoles>true</ldapGroupsAsRoles>
    <groupBaseDn>ou=groups</groupBaseDn>
    <groupIdAttribute>cn</groupIdAttribute>
    <groupMemberAttribute>uniqueMember</groupMemberAttribute>
    <groupMemberFormat>${username}</groupMemberFormat>
    <groupObjectClass>groupOfUniqueNames</groupObjectClass>
    <userIdAttribute>uid</userIdAttribute>
    <userObjectClass>inetOrgPerson</userObjectClass>
    <userBaseDn>cn=users,cn=accounts</userBaseDn>
    <userRealNameAttribute>displayName</userRealNameAttribute>
    <userMemberOfAttribute>memberOf</userMemberOfAttribute>
  </userAndGroupConfig>
</ldapConfiguration>

Create a Nexus security capabilities configuration file (/root/repository/rhc-ose-env-configs/openshift_environments/cicd.rhc-ose.labs.redhat.com/files/nexus-security-configuration.xml)

<?xml version="1.0"?>
<security-configuration>
  <version>2.0.8</version>
  <anonymousAccessEnabled>true</anonymousAccessEnabled>
  <anonymousUsername>anonymous</anonymousUsername>
  <anonymousPassword>{PkHuCWyS17QHLA7fAuA1ZXO2qooUfUFGNAAu1kOI6uc=}</anonymousPassword>
  <realms>
    <realm>XmlAuthenticatingRealm</realm>
    <realm>XmlAuthorizingRealm</realm>
    <realm>LdapAuthenticatingRealm</realm>
  </realms>
  <hashIterations>1024</hashIterations>
</security-configuration>

Create a Nexus security configuration file to handle role mapping (/root/repository/rhc-ose-env-configs/openshift_environments/cicd.rhc-ose.labs.redhat.com/files/nexus-security-configuration.xml)

<?xml version="1.0" encoding="UTF-8"?>
<security>
  <version>2.0.5</version>
  <users>
    <user>
      <id>deployment</id>
      <firstName>Deployment</firstName>
      <lastName>User</lastName>
      <password>b2a0e378437817cebdf753d7dff3dd75483af9e0</password>
      <status>active</status>
      <email>changeme1@yourcompany.com</email>
    </user>
    <user>
      <id>admin</id>
      <firstName>Administrator</firstName>
      <lastName>User</lastName>
      <password>$shiro1$SHA-512$1024$9AeM8XSUnzf5U8BdC/+2Xw==$is4bUGiJDWJLdgr3NF4yVcMwO2E5Dc1kzCqXvxQ3S0o9HLJUSIWYxjC25rNkfR5djsCMHWElriKspQ/x59rcOA==</password>
      <status>active</status>
      <email>changeme@yourcompany.com</email>
    </user>
    <user>
      <id>anonymous</id>
      <firstName>Nexus</firstName>
      <lastName>Anonymous User</lastName>
      <password>$shiro1$SHA-512$1024$iBJaOx1LJfxiUaHba/9Kag==$gdOdYPu41EdYAya6B7iAebxgbW24EMMbxpJ79BPmf5rNTpnpG67rfbadsrPQWN2zQESBzml6KL3kM+45Ii2kjw==</password>
      <status>active</status>
      <email>changeme2@yourcompany.com</email>
    </user>
  </users>
  <roles>
    <role>
      <id>ci_admins</id>
      <name>ci_admins</name>
      <description>External mapping for ci_admins (LDAP)</description>
      <roles>
        <role>nx-admin</role>
      </roles>
    </role>
  </roles>
  <userRoleMappings>
    <userRoleMapping>
      <userId>deployment</userId>
      <source>default</source>
      <roles>
        <role>nx-deployment</role>
        <role>repository-any-full</role>
      </roles>
    </userRoleMapping>
    <userRoleMapping>
      <userId>admin</userId>
      <source>default</source>
      <roles>
        <role>nx-admin</role>
      </roles>
    </userRoleMapping>
    <userRoleMapping>
      <userId>anonymous</userId>
      <source>default</source>
      <roles>
        <role>repository-any-read</role>
        <role>anonymous</role>
      </roles>
    </userRoleMapping>
  </userRoleMappings>
</security>

Copy your LDAP ca crt to /root/repository/rhc-ose-env-configs/openshift_environments/cicd.rhc-ose.labs.redhat.com/files/ipa-ca.crt so it can be added to the Java JDK

Create a CICD environment configuration file (/root/repository/rhc-ose-env-configs/openshift_environments/cicd.rhc-ose.labs.redhat.com/cicd.rhc-ose.labs.redhat.com.cfg)

## Platform Configs
CONF_ENV_ID=cicd.rhc-ose.labs.redhat.com # Default: random 8 character string
CONF_OPENSHIFT_VERSION=3.1
CONF_IMAGE_NAME=ose3_1-base # Default: ose3-base
CONF_SECURITY_GROUP_CICD=CI-CD
CONF_OS_FLAVOR=m1.large
CONF_STORAGE_SIZE_LOGGING="5"
CONF_PROVISION_COMPONENTS=cicd
#CONF_LOGFILE=~/openstack_provision.log # Default: ~/openstack_provision.log
## OpenShift Configs
CONF_OPENSHIFT_BASE_DOMAIN=cicd.rhc-ose.labs.redhat.com # Default: ose.example.com
CONF_JENKINS_AUTHZ=/root/repository/rhc-ose-env-configs/openshift_environments/cicd.rhc-ose.labs.redhat.com/files/jenkins-ldap-authz.xml
CONF_CICD_NEXUS_CONFIG_FILES=/root/repository/rhc-ose-env-configs/openshift_environments/cicd.rhc-ose.labs.redhat.com/files/nexus-ldap.xml:/root/repository/ldap.xml,/root/repository/rhc-ose-env-configs/openshift_environments/cicd.rhc-ose.labs.redhat.com/files/nexus-security.xml:/root/repository/security.xml,/root/repository/rhc-ose-env-configs/openshift_environments/cicd.rhc-ose.labs.redhat.com/files/nexus-security-configuration.xml:/root/repository/security-configuration.xml
CONF_JAVA_CERTS=/root/repository/rhc-ose-env-configs/openshift_environments/cicd.rhc-ose.labs.redhat.com/files/ipa-ca.crt:/root/repository/ipa-ca.crt

./osc-provision --config=/root/repository/rhc-ose-env-configs/openshift_environments/cicd.rhc-ose.labs.redhat.com/cicd.rhc-ose.labs.redhat.com.cfg --key=<key_name> --ose-version=3.1

You should be able to login to Nexus and Jenkins using your LDAP credentials

Is there a relevant Issue open for this?

None

Who would you like to review this?

/cc @etsauer @oybed
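An added pre-flight check, written for this page and not part of rhc-ose or this PR, that a practitioner can run against the .cfg before calling osc-provision. It reads the CONF_* keys as plain KEY=value lines, verifies that every local path in CONF_JENKINS_AUTHZ, CONF_CICD_NEXUS_CONFIG_FILES and CONF_JAVA_CERTS exists (a missing file otherwise only surfaces once the scp step fails, as in the provisioning output later in this thread), and then reads the Jenkins and Nexus LDAP fragments for what a reviewer looks at first: ldaps rather than plain ldap, no placeholder bind password, anonymous access, and whether every LDAP group the Jenkins permission matrix grants rights to has a Nexus role mapping. The Nexus files are recognised by their remote basename (ldap.xml, security.xml, security-configuration.xml), following the mapping in the description above. build_sample_env() writes a constructed miniature of those files into a temp directory; its hostname ipa.example.com and its passwords are made up. Run against the actual files in the description, it would report the OMITTED bind passwords in both LDAP fragments, the enabled anonymous access, and that ci_users, which holds most Jenkins permissions, has no Nexus role mapping, since only ci_admins is mapped to nx-admin.

```python
"""Pre-flight check for an osc-provision CI/CD .cfg file (added example, not rhc-ose code)."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

PLACEHOLDERS = {"", "OMITTED", "changeme", "password"}  # bind passwords that must never ship
REQUIRED = ("CONF_JENKINS_AUTHZ", "CONF_CICD_NEXUS_CONFIG_FILES", "CONF_JAVA_CERTS")

def parse_cfg(text):
    """KEY=value lines; '#' starts a comment and quotes around the value are stripped."""
    conf = {}
    for raw in text.splitlines():
        m = re.match(r"^([A-Z][A-Z0-9_]*)=(.*)$", raw.split("#", 1)[0].strip())
        if m:
            conf[m.group(1)] = m.group(2).strip().strip('"')
    return conf

def parse_file_map(value):
    """Comma-separated 'local:remote' pairs, the shape CONF_CICD_NEXUS_CONFIG_FILES uses."""
    pairs = []
    for item in [p.strip() for p in value.split(",") if p.strip()]:
        local, sep, remote = item.partition(":")
        if not (sep and local and remote):
            raise ValueError("expected local:remote, got %r" % item)
        pairs.append((local, remote))
    return pairs

def jenkins_findings(path):
    """Return (LDAP groups named in the permission matrix, findings about the LDAP realm)."""
    root = ET.fromstring("<r>" + open(path).read() + "</r>")  # two sibling top-level elements
    groups = {p.text.rsplit(":", 1)[1] for p in root.iter("permission") if ":" in (p.text or "")}
    realm, out = root.find("securityRealm"), []
    if realm is None:
        return groups, ["jenkins: no securityRealm element"]
    if not (realm.findtext("server") or "").startswith("ldaps://"):
        out.append("jenkins: LDAP server URL is not ldaps://")
    if (realm.findtext("managerPassword") or "") in PLACEHOLDERS:
        out.append("jenkins: managerPassword is a placeholder")
    return groups, out

def nexus_findings(file_map, jenkins_groups):
    """Findings for the Nexus 2 files, recognised by their remote basename."""
    out = []
    for local, remote in file_map:
        root, name = ET.parse(local).getroot(), os.path.basename(remote)
        if name == "ldap.xml":
            if root.findtext("connectionInfo/protocol") != "ldaps":
                out.append("nexus ldap.xml: protocol is not ldaps")
            if (root.findtext("connectionInfo/systemPassword") or "") in PLACEHOLDERS:
                out.append("nexus ldap.xml: systemPassword is a placeholder")
        elif name == "security.xml":  # a group Jenkins trusts but Nexus never maps gets no rights
            mapped = {r.findtext("id") for r in root.findall("roles/role")}
            out += ["nexus security.xml: no role mapping for LDAP group " + g
                    for g in sorted(jenkins_groups - mapped)]
        elif name == "security-configuration.xml" and root.findtext("anonymousAccessEnabled") == "true":
            out.append("nexus security-configuration.xml: anonymous access is enabled")
    return out

def preflight(cfg_path):
    """Sorted list of findings; an empty list means the .cfg is ready for osc-provision."""
    conf = parse_cfg(open(cfg_path).read())
    out = ["cfg: %s is not set" % k for k in REQUIRED if k not in conf]
    nexus, certs = [parse_file_map(conf.get(k, "")) for k in REQUIRED[1:]]  # Nexus files, CA certs
    local_files = [conf.get("CONF_JENKINS_AUTHZ", "")] + [l for l, _ in nexus + certs]
    out += ["missing local file: " + p for p in local_files if p and not os.path.isfile(p)]
    if out:  # the XML checks below need every file present
        return sorted(out)
    groups, jenkins = jenkins_findings(conf["CONF_JENKINS_AUTHZ"])
    return sorted(jenkins + nexus_findings(nexus, groups))

def build_sample_env():
    """Constructed sample mirroring the PR's file layout (host and secrets are made up)."""
    d = tempfile.mkdtemp()
    p = lambda n: os.path.join(d, n)
    files = {
        "jenkins-ldap-authz.xml": "<authorizationStrategy><permission>hudson.model.Hudson.Administer:"
            "ci_admins</permission><permission>hudson.model.Hudson.Read:ci_users</permission>"
            "</authorizationStrategy><securityRealm><server>ldaps://ipa.example.com:636</server>"
            "<managerPassword>OMITTED</managerPassword></securityRealm>",
        "nexus-ldap.xml": "<ldapConfiguration><connectionInfo><protocol>ldap</protocol>"
            "<systemPassword>s3cret</systemPassword></connectionInfo></ldapConfiguration>",
        "nexus-security.xml": "<security><roles><role><id>ci_admins</id></role></roles></security>",
        "nexus-security-configuration.xml": "<security-configuration><anonymousAccessEnabled>false"
            "</anonymousAccessEnabled></security-configuration>",
        "ipa-ca.crt": "-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n",
    }
    files["cicd.cfg"] = "\n".join([
        "CONF_JENKINS_AUTHZ=" + p("jenkins-ldap-authz.xml"),
        "CONF_CICD_NEXUS_CONFIG_FILES=" + ",".join(p(n) + ":/root/repository/" + n[len("nexus-"):]
            for n in ("nexus-ldap.xml", "nexus-security.xml", "nexus-security-configuration.xml")),
        "CONF_JAVA_CERTS=" + p("ipa-ca.crt") + ":/root/repository/ipa-ca.crt",
    ])
    for name, body in files.items():
        with open(p(name), "w") as f:
            f.write(body)
    return p("cicd.cfg")
```

On the constructed sample, preflight() reports the OMITTED Jenkins managerPassword, the plain-ldap Nexus protocol, and the unmapped ci_users group; point it at the real .cfg (preflight("/path/to/cicd.rhc-ose.labs.redhat.com.cfg")) to run the same checks before provisioning. The file checks run first and stop the XML checks, because a missing source file is exactly what the scp step would trip over.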

etsauer commented 8 years ago

@sabre1041 Errors during provisioning. Looks like there is a problem syncing files to the server:

# ./repository/rhc-ose-sabre1041/provisioning/osc-provision --config=/root/repository/rhc-ose-env-configs/openshift_environments/cicd.rhc-ose.labs.redhat.com/cicd.rhc-ose.labs.redhat.com.cfg --key=esauer --ose-version=3.1
Provisioning CICD Server. This could take several minutes.
Complete!
scp: /root/repository/ldap.xml: No such file or directory
scp: /root/repository/security.xml: No such file or directory
scp: /root/repository/security-configuration.xml: No such file or directory
scp: /root/repository/ipa-ca.crt: No such file or directory
====================================
=   Installing CI/CD Environment   =
====================================

--- Validating Prerequisites ---

--- Installing Prerequisite Software ---

--- Installing Java ---

keytool error: java.io.FileNotFoundException: /root/repository/ipa-ca.crt (No such file or directory)

=====================================================
= CICD Server Provisioning Failed!                  =
=====================================================

sabre1041 commented 8 years ago

@etsauer make sure the values of CONF_JENKINS_AUTHZ, CONF_CICD_NEXUS_CONFIG_FILES, CONF_JAVA_CERTS match the location on your machine

sabre1041 commented 8 years ago

@etsauer I did some refactoring of how files are synchronized. Can you pull down the latest changes and retest?

etsauer commented 8 years ago

Ok, looks good now. @oybed you cool if we merge?

oybed commented 8 years ago

@etsauer @sabre1041 I'm good with the change - go for it