In the previous introduction [how to utilize the Helm on Kubernetes rapid deployment Jenkins] (https://segmentfault.com/a/11)… In this article, we explained how to quickly deploy a Jenkins instance that meets our needs using the Jenkins Chart, which is officially provided by Helm.

Although the newly deployed Jenkins instance automatically installs all the plug-ins we need and configures things like Job initialization, we still need to do a number of manual tasks before we can start using it, such as configuring Jenkins’ “Configure System” page:

If you are a Jenkins administrator, you will be familiar with this page, and every time we deploy a new Jenkins instance, we often need to do some configuration on this page before it can be used. This page contains some basic configuration information for Jenkins itself, as well as configuration information for plug-ins installed on the current system. That is, the more plug-ins your Jenkins installs, the more configuration items there are likely to be on the page.

In addition to this, you may need to do some other manual work on it such as configuring Jenkins secure-related configuration items, creating Jenkins Credentials, and configuring Jenkins Job’s work nodes (both physical and Cloud nodes).

Jenkins Configuration as Code is a Jenkins plugin that can help free us from the heavy manual Configuration work. This article will briefly explain what the Jenkins Configuration as Code is and how to use it in the Helm Chart to automatically configure our deployed Jenkins instance.

Jenkins Configuration as Code

Jenkins Configuration as Code, also known as JCASC, allows you to write all Jenkins Configuration files in YAML format and apply these Configuration files to Jenkins instances that have the plugin installed. To automate the configuration of Jenkins with one click.

JCASC provides a set of specific Key values for writing YAML files that correspond to different configuration items in Jenkins. Jenkins is configured by assigning these keys. Here is a sample configuration file provided by the authorities:

jenkins:
  systemMessage: "Jenkins configured automatically by Jenkins Configuration as Code plugin\n\n"
  securityRealm:
    ldap:
      configurations:
        - groupMembershipStrategy:
            fromUserRecord:
              attributeName: "memberOf"
          inhibitInferRootDN: false
          rootDN: "dc=acme,dc=org"
          server: "ldaps://ldap.acme.org:1636"
  nodes:
    - permanent:
        name: "static-agent"
        remoteFS: "/home/jenkins"
        launcher:
          jnlp:
            workDirSettings:
              disabled: true
              failIfWorkDirIsMissing: false
              internalDir: "remoting"
              workDirPath: "/tmp"
  slaveAgentPort: 50000
  agentProtocols:
    - "jnlp2"
tool:
  git:
    installations:
      - name: git
        home: /usr/local/bin/git
credentials:
  system:
    domainCredentials:
      - credentials:
          - basicSSHUserPrivateKey:
              scope: SYSTEM
              id: ssh_with_passphrase_provided
              username: ssh_root
              passphrase: ${SSH_KEY_PASSWORD}
              description: "SSH passphrase with private key file. Private key provided"
              privateKeySource:
                directEntry:
                  privateKey: ${SSH_PRIVATE_KEY}

The three root configuration element keys provided by JCASC are used in this configuration file: Jenkins, Tool, and Credentials, which correspond to Jenkins’ base configuration, global tool configuration, and Jenkins Credentials. By setting appropriate values for the sub-configuration keys provided by these root keys, we configured Jenkins as follows:

jenkins

  • systemMessageThe Key sets Jenkins’ “System Message” Message.
  • securityRealmThe Key sets the LDAP configuration and sets it to Jenkins’ authentication mode.
  • nodesKey creates a node named static-agent and configures it appropriately.
  • slaveAgentPortThe Key sets the port number and communication protocol between the Jenkins host and the node.
  • agentProtocolsKey sets the communication protocol between the Jenkins host and the node.

tool

  • gitThe default execution path is specified for Git, Jenkins’ global tool.

credentials

  • Create a system-level SSH Credential with ID ssh_with_passphrase_provided.

JCasC plugin page

JCASC provides a separate plug-in page in Jenkins, which can be opened from the “Manage Jenkins” -> “Configuration as Code” menu in Jenkins where the plug-in is installed:

This page contains some common functionality options, such as applying a given configuration file to the current Jenkins instance, viewing the generated configuration file for the current Jenkins instance, and so on.

JCasC plugin provides a large number of configuration example (https://github.com/jenkinsci/)… This contains almost all of Jenkins’ configuration and most of the plug-in’s configuration, and references to these configuration examples will help you quickly write your own configuration files.

Another tip for writing a YAML Configuration file is to do all of Jenkin’s Configuration manually first, and then write our own Configuration file by getting the Configuration file automatically generated by JCASC for us from the “View Configuration” on the plug-in page.

Documentation pages

In addition to the three root configuration elements used in the above example, unclassified is another very common root configuration element that contains most of the plugin-specific configuration.

In addition to the root configuration elements themselves, each root configuration element provides large quantum configuration keys, and depending on the plug-in installed, each Jenkins instance supports these sub-keys differently. The Documentation page provided by JCASC, which lists all Key values supported by the plug-in in the current Jenkins instance, can be opened via the “Documentation” link at the bottom of the plug-in page:

It is important to note that the contents of this page are created dynamically, and the keys displayed may vary slightly depending on the plug-ins currently installed in Jenkins.

Use the JCASC plug-in in Jenkins Helm Chart

Jenkins Helm Chart implements the integration of JCASC plug-ins. It allows us to store the JCASC configuration information in a custom values file and automatically apply the configuration information after Jenkins is deployed. Here is a values.yaml file with a simple configuration:

master:
  JCasC:
    enabled: true
    configScripts:
      welcome-message: |
        jenkins:
          systemMessage: Welcome to our CI\CD server.  This Jenkins is configured and managed 'as code'.

The values file starts with jcasc.enabled set to true, indicating that the Jcasc plug-in is automatically installed during deployment and used to configure the deployed Jenkins instance.

JCasC. Configscripts are used to store all the configuration information of JCasC. These configuration files can be divided into different configuration blocks by defining globally unique keys, and under each block contains the configuration information of JCasC native YAML format. For example, the Welcome-Message configuration uses the SystemMessage Key under the root configuration element Jenkins to set the “Configure System” information for our deployed Jenkins instance.

Now that you have seen how to write the JCASC configuration information in the custom values file of Helm Chart, let’s look at how common Jenkins configurations are implemented in JCASC.

Jenkins basic configuration

Jenkins contains a number of basic configuration items. Let’s first look at the basic configuration items of Jenkins:

master:
  JCasC:
    enabled: true
    configScripts:
      basic-configuration: |
        jenkins:
          systemMessage: Welcome to our CI\CD server.  This Jenkins is configured and managed 'as code'.
          markupFormatter:
             rawHtml:
               disableSyntaxHighlighting: false
        unclassified:
          location:
            adminAddress: "[email protected]"
            url: "https://ci.example.com/"
          mailer:
            replyToAddress: [email protected]
            smtpHost: smtp.acme.org
            smtpPort: 4441
      approval-scripts: |
         security:
           scriptApproval:
             approvedSignatures:
             - "method groovy.json.JsonSlurperClassic parseText java.lang.String"
             - "new groovy.json.JsonSlurperClassic"
      global-libraries: |
        unclassified:
          globalLibraries:
            libraries:
              - name: "awesome-lib"
                defaultVersion: "master"
                implicit: false
                allowVersionOverride: true
                includeInChangesets: true
                retriever:
                  modernSCM:
                    scm:
                      git:
                        remote: "[email protected]:gbyukg/jenkins-libirary.git"
                        credentialsId: "SSHKEY4Github"

In the above values.yaml file, we define three configuration scripts for ConfigScripts:

The basic configuration:

  • Set “System Message” for Jenkins.
  • Set the “Markup Formatter” value of Jenkins “Global Security” page to “Saft HTML”
  • Set the “Jenkins URL” and “System Admin E-mail Address” values for the Jenkins configuration page.
  • Set “E-mail Notification” for Jenkins.

approval-scripts

  • Set up trusted Groovy methods for Jenkins.

global-libraries

  • Add a name for Jenkinsawesome-lib“Global Pipeline Libraries” and download the shared Libraries from the master of the remote Git repository with the given Credential.

The SshKey4GitHub Credentials used here are the ones we will create next.

Again, you can find most of the configurations you need in the official configuration samples.

Create Credentials

The JCasc plug-in provides a special root configuration element called the Credentials to automatically create Jenkins Credentials:

configScripts: credentials-config: | credentials: system: domainCredentials: - credentials: - usernamePassword: description: "Password: GitHub Token" id: DevOpsToken4EEGithubAsPWD username: "[email protected]" password: "DEVOPS-TOKEN-FOR-GITHUB" scope: GLOBAL - string: description: "Secret: GitHub Token" id: "DevOpsToken4EEGithubAsSecret" secret: "DEVOPS-TOKEN-FOR-GITHUB" scope: GLOBAL - basicSSHUserPrivateKey: description: "SSH-KEY: SSH Key for GitHub" scope: GLOBAL id: "SSHKEY4Github" username: "[email protected]" privateKeySource: directEntry: privateKey: | -----BEGIN OPENSSH PRIVATE KEY----- ... . . -----END OPENSSH PRIVATE KEY-----

In the credentials-config configuration script defined above, three system-level credentials are created:

  • Username and passwordTypes of DevOpsToken4EEGithubAsPWD
  • Secret textTypes of DevOpsToken4EEGithubAsSecret
  • SSH Username with private keyTypes of SSHKEY4Github

In addition to these three types of Credentials, the plug-in supports many other types of Credentials; see the documentation for DomainCredentials Key for more details.

Configure LDAP authentication and set up permission management

Instead of using the default authentication method of the Jenkins system, we usually use the enterprise-provided LDAP service. The following shows how to configure LDAP for Jenkins and use it as Jenkins’ authentication method:

ldap-configuration: |
          jenkins:
            securityRealm:
              ldap:
                configurations:
                - groupSearchBase: "ou=memberlist,ou=ibmgroups"
                  inhibitInferRootDN: false
                  managerPasswordSecret: "XXXXXXXXXXXXXXXXXX"
                  rootDN: "o=ibm.com"
                  server: "ldaps://ldapserver.com:636"
                  userSearch: "mail={0}"
                  userSearchBase: "ou=bluepages"
                disableMailAddressResolver: false
                disableRolePrefixing: true
                groupIdStrategy: "caseInsensitive"
                userIdStrategy: "caseInsensitive"
      matrix-config: |
        jenkins:
          authorizationStrategy:
            projectMatrix:
              grantedPermissions:
                - "Agent/Build:sdp-devops-admins"
                - "Agent/Configure:sdp-devops-admins"
                ... more content

Set Jenkins’ authentication mode as LDAP and set it as “project-based Matrix Authorization Strategy” :

Other common plug-in Settings

configScripts:
      git-config: |
        unclassified:
          gitscm:
            globalConfigName: jenkins
            globalConfigEmail: [email protected]
            createAccountBasedOnEmail: false
      github-config: |
        gitHubConfiguration:
          apiRateLimitChecker: ThrottleForNormalize
          endpoints:
          - apiUri: "https://github.example.com/api/v3"
            name: "GitHub EE"
      github-ee: |
        unclassified:
          githubpluginconfig:
            configs:
            - credentialsId: "DevOpsToken4GithubAsSecret"
              manageHooks: false
              name: "GitHub"
            - name: "GitHub EE"
              apiUrl: "https://github.example.com/api/v3/"
              credentialsId: "DevOpsToken4EEthubAsSecret"
              manageHooks: false
      slack-config: |
        unclassified:
          slackNotifier:
            botUser: false
            room: "#slack-channel"
            sendAsText: false
            teamDomain: "luke"
            tokenCredentialId: "Token4SlackSecret"
  • git-configSet “Global Config user.name Value” and “Global Config user.name Value” for Git plug-in;
  • github-configAdd GitHub Enterprise Servers TAB for Jenkins;
  • github-eeI set up two GitHub Servers for Jenkins, one is official GitHub, one is enterprise GitHub, and set their corresponding Credentials respectively.
  • slack-configConfigure the Slack plugin, which can be used to send messages to Slack.

Enable Sidecars to automatically load JCASC

By default, when we make changes to the JCASC section of the VALUES file and upgrade the deployed Jenkins using Helm Upgrade, Helm Chart will make these changes effective by recreating the POD pair. This will cause our Jenkins service to go offline for a short time.

Helm Chart provides another way to apply the changed JCASC configuration information to our Jenkins instance in real time via sidecars, without having to restart the POD.

When Jenkins is deployed in this manner, the configuration information from each configuration block under JCasC. ConfigScripts is stored separately in a ConfigMap with the same name as the Key of that configuration block. At the same time, another container named jenkins-sc-config is created in Jenkin Pods to monitor these configMap changes. When we upgrade the deployment with Helm Upgrade, these configMap changes are captured by the Jenkins-sc-config container and implemented on Jenkins.

Open sidecars is very simple, you only need to master the sidecars. ConfigAutoReload. Enabled value can be set to true:

master:
  sidecars:
    configAutoReload:
      enabled: true

When the deployment is complete, you will see a ConfigMap generated for each configuration block:

$ kubectl -n jenkins get configmap
NAME                                         DATA   AGE
jenkins-jenkins-config-approval-scripts      1      2m45s
jenkins-jenkins-config-basic-configuration   1      2m45s
jenkins-jenkins-config-credentials-config    1      2m45s
jenkins-jenkins-config-global-libraries      1      2m45s
jenkins-jenkins-config-node-config           1      2m45s
... more output

Jenkins POD contains two running containers at this time:

$ kubectl -n jenkins get pods
NAME                       READY   STATUS    RESTARTS   AGE
jenkins-64c7cf4fc6-pjbps   2/2     Running   0          3m6s

For Jenkins instances deployed this way, the changes are immediately applied to the Jenkins instances when we update the configuration information under JCasC. ConfigScripts and upgrade the Jenkins instances via Helm Upgrade.

conclusion

In this section, we have seen how to set the JCasc configuration item for the JCasc. ConfigScripts Key value in the Jenkins Helm Chart values file. To help us automatically configure new Jenkins instances deployed through the Chart, achieving true zero configuration.

Jenkins plug-in tens of thousands, Jenkins configuration also go, about how to write more JCasC configuration file, please refer to the official sample https://github.com/jenkinsci/… .

Source: Devsecops Sig


Author: Zhang Zeliang


Disclaimer: The article was forwarded on IDCF public account (devopshub) with the authorization of the author. Quality content to share with the technical partners of the Sifou platform, if the original author has other considerations, please contact Xiaobian to delete, thanks.

Every Thursday in July at 8 p.m., “Dong Ge has words” R & D efficiency tool special, public account message “efficiency” can be obtained address

  • July 8, Leansoft – Wenyang Zhou “Azure DevOps Toolchain”
  • July 15, Aliyun Intelligent Senior Product Expert – Chen Xun “Practice of Efficiency Improvement in Complex Research and Development Collaboration Mode”
  • On July 22, Yang Yang, solution architect at GitLab, shared “Exploring the Automated Testing of Infrastructure as Code”
  • On July 29, Bytedance Product Manager — Xianbin Hu shared “Automated Testing: How to Be Offensive and Defensive”.
  • Wang Zhi, head of Acoustics AgoracicD System, shared “Creating a Closed Loop of Software Delivery Quality Assurance from 0 to 1” on August 5.