blob: ff3a48afb9276031f457efd0754da7fd7bf14cf1 [file] [log] [blame]
=====
Usage
=====
Jenkins CI is an open source automation server written in Java. Jenkins
helps to automate the non-human part of software development process,
with continuous integration and facilitating technical aspects of
continuous delivery.
More information can be found at `<https://jenkins.io/>`_
Setup jenkins client, works with Salt 2016.3+, supports pipeline
workflow projects only for now.
Dependencies
============
To install on Ubuntu, you will need to add the jenkins debian repository
to the target server. You can do this with the
`salt-formula-linux formula <https://gerrit.mcp.mirantis.com/salt-formulas/linux>`_ ,
with the following pillar data:
.. code-block:: yaml
linux:
system:
enabled: true
repo:
jenkins:
enabled: true
source: "deb http://pkg.jenkins.io/debian-stable binary/"
key_url: "https://pkg.jenkins.io/debian/jenkins-ci.org.key"
This state will need to be applied *before* the jenkins state.
Using this formula
==================
To use this formula, you must install the formula to your Salt
Master as documented in
`saltstack formula docs <https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#installation>`_
This formula is driven by pillar data, and can be used to
install either a Jenkins Master or Client. See pillar data
below for examples.
Sample pillars
==============
Master role
-----------
Simple master with reverse proxy:
.. code-block:: yaml
nginx:
server:
site:
jenkins:
enabled: true
type: nginx_proxy
name: jenkins
proxy:
host: 127.0.0.1
port: 8080
protocol: http
host:
name: jenkins.example.com
port: 80
jenkins:
master:
mode: EXCLUSIVE
java_args: -Xms256m -Xmx1g
# Do not manage any xml config files via Salt, use UI instead
# Including config.xml and any plugin xml's.
no_config: true
slaves:
- name: slave01
label: pbuilder
executors: 2
- name: slave02
label: image_builder
mode: EXCLUSIVE
executors: 2
views:
- name: "Package builds"
regex: "debian-build-.*"
- name: "Contrail builds"
regex: "contrail-build-.*"
- name: "Aptly"
regex: "aptly-.*"
plugins:
- name: slack
- name: extended-choice-parameter
- name: rebuild
- name: test-stability
Jenkins master with experimental plugin source support:
.. code-block:: yaml
jenkins:
master:
enabled: true
update_site_url: 'http://updates.jenkins-ci.org/experimental/update-center.json'
SMTP server settings:
.. code-block:: yaml
jenkins:
master:
email:
engine: "smtp"
host: "smtp.domain.com"
user: "user@domain.cz"
password: "smtp-password"
port: 25
Script approvals from client:
.. code-block:: yaml
jenkins:
client:
approved_scripts:
- method groovy.json.JsonSlurperClassic parseText java.lang.String
Script approvals:
.. code-block:: yaml
jenkins:
master:
approved_scripts:
- method groovy.json.JsonSlurperClassic parseText java.lang.String
User enforcement:
.. code-block:: yaml
jenkins:
master:
user:
admin:
api_token: xxxxxxxxxx
password: admin_password
email: admin@domain.com
user01:
api_token: xxxxxxxxxx
password: user_password
email: user01@domain.com
Agent (slave) role
------------------
.. code-block:: yaml
jenkins:
slave:
master:
host: jenkins.example.com
port: 80
protocol: http
user:
name: jenkins_slave
password: dexiech6AepohthaiHook2iesh7ol5ook4Ov3leid3yek6daid2ooNg3Ee2oKeYo
gpg:
keypair_id: A76882D3
public_key: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
private_key: |
-----BEGIN PGP PRIVATE KEY BLOCK-----
...
Client role
-----------
Simple client with workflow job definition:
.. code-block:: yaml
jenkins:
client:
master:
host: jenkins.example.com
port: 80
protocol: http
location:
url: http://jenkins.example.com:80
job:
jobname:
type: workflow
param:
bool_param:
type: boolean
description: true/false
default: true
string_param:
type: string
description: 1 liner
default: default_string
text_param:
type: text
description: multi-liner
default: default_text
jobname_scm:
type: workflow-scm
concurrent: false
scm:
type: git
url: https://github.com/jenkinsci/docker.git
branch: master
script: Jenkinsfile
github:
url: https://github.com/jenkinsci/docker
name: "Jenkins Docker Image"
trigger:
timer:
dependency_job_names:
- job1
- job2
spec: "H H * * *"
github:
pollscm:
spec: "H/15 * * * *"
reverse:
projects:
- test1
- test2
state: SUCCESS
param:
bool_param:
type: boolean
description: true/false
default: true
string_param:
type: string
description: 1 liner
default: default_string
text_param:
type: text
description: multi-liner
default: default_text
Inline Groovy scripts:
.. code-block:: yaml
jenkins:
client:
job:
test_workflow_jenkins_simple:
type: workflow
display_name: Test jenkins simple workflow
script:
content: |
node {
stage 'Stage 1'
echo 'Hello World 1'
stage 'Stage 2'
echo 'Hello World 2'
}
test_workflow_jenkins_input:
type: workflow
display_name: Test jenkins workflow inputs
script:
content: |
node {
stage 'Enter string'
input message: 'Enter job parameters', ok: 'OK', parameters: [
string(defaultValue: 'default', description: 'Enter a string.', name: 'string'),
]
stage 'Enter boolean'
input message: 'Enter job parameters', ok: 'OK', parameters: [
booleanParam(defaultValue: false, description: 'Select boolean.', name: 'Bool'),
]
stage 'Enter text'
input message: 'Enter job parameters', ok: 'OK', parameters: [
text(defaultValue: '', description: 'Enter multiline', name: 'Multiline')
]
}
GIT controlled groovy scripts:
.. code-block:: yaml
jenkins:
client:
source:
base:
engine: git
address: repo_url
branch: branch
domain:
engine: git
address: domain_url
branch: branch
job:
test_workflow_jenkins_simple:
type: workflow
display_name: Test jenkins simple workflow
param:
bool_param:
type: boolean
description: true/false
default: true
script:
repository: base
file: workflows/test_workflow_jenkins_simple.groovy
test_workflow_jenkins_input:
type: workflow
display_name: Test jenkins workflow inputs
script:
repository: domain
file: workflows/test_workflow_jenkins_input.groovy
test_workflow_jenkins_input_jenkinsfile:
type: workflow
display_name: Test jenkins workflow inputs (jenknisfile)
script:
repository: domain
file: workflows/test_workflow_jenkins_input/Jenkinsfile
GIT controlled groovy script with shared libraries:
.. code-block:: yaml
jenkins:
client:
source:
base:
engine: git
address: repo_url
branch: branch
domain:
engine: git
address: domain_url
branch: branch
job:
test_workflow_jenkins_simple:
type: workflow
display_name: Test jenkins simple workflow
param:
bool_param:
type: boolean
description: true/false
default: true
script:
repository: base
file: workflows/test_workflow_jenkins_simple.groovy
libs:
- repository: base
file: macros/cookiecutter.groovy
- repository: base
file: macros/git.groovy
Setting job max builds to keep (amount of last builds stored on Jenkins master)
.. code-block:: yaml
jenkins:
client:
job:
my-amazing-job:
type: workflow
discard:
build:
keep_num: 5
keep_days: 5
artifact:
keep_num: 6
keep_days: 6
Using job templates in similar way as in jjb. For now just
1 defined param is supported:
.. code-block:: yaml
jenkins:
client:
job_template:
test_workflow_template:
name: test-{{formula}}-workflow
template:
type: workflow
display_name: Test jenkins {{name}} workflow
param:
repo_param:
type: string
default: repo/{{formula}}
script:
repository: base
file: workflows/test_formula_workflow.groovy
param:
formula:
- aodh
- linux
- openssh
Interpolating parameters for job templates:
.. code-block:: yaml
_param:
salt_formulas:
- aodh
- git
- nova
- xorg
jenkins:
client:
job_template:
test_workflow_template:
name: test-{{formula}}-workflow
template:
...
param:
formula: ${_param:salt_formulas}
Or simply define multiple jobs and it's parameters to
replace from template:
.. code-block:: yaml
jenkins:
client:
job_template:
test_workflow_template:
name: test-{{name}}-{{myparam}}
template:
...
jobs:
- name: firstjob
myparam: dummy
- name: secondjob
myparam: dummyaswell
Purging undefined jobs from Jenkins:
.. code-block:: yaml
jenkins:
client:
purge_jobs: true
job:
my-amazing-job:
type: workflow
Plugins management from client:
.. code-block:: yaml
jenkins:
client:
plugin_remove_unwanted: false
plugin_force_remove: false
plugin:
plugin1: 1.2.3
plugin2:
plugin3: {}
plugin4:
version: 3.2.1
enabled: false
plugin5: absent
Alternative plugin management using version pins (baseline plugin management could not work with some
modern version labels like "1.12+build.201809061734").
.. code-block:: yaml
jenkins:
client:
plugin:
alt_update:
enabled: True
base_url: https://archives.jenkins-ci.org/plugins/
jenkins_home_volume_dir: /srv/volumes/jenkins/
plugins:
ace-editor:
source_hash: abc97028893c8a71581a5f559ea48e8e1f1a65164faee96dabfed9e95e9abad2
version: '1.1'
ant:
source_hash: f04961a8a42f1e2ccdf5001d33ae93fdc2b3a5af96f13bddc1d721f1d11a8b4b
version: '1.8'
apache-httpcomponents-client-4-api:
enabled: False
Adding plugin params to job:
.. code-block:: yaml
jenkins:
client:
job:
my_plugin_parametrized_job:
plugin_properties:
throttleconcurrents:
enabled: True
max_concurrent_per_node: 3
max_concurrent_total: 1
throttle_option: category #one of project (default or category)
categories:
- my_throuttle_category
plugin:
throttle-concurrents:
LDAP configuration (depends on LDAP plugin):
.. code-block:: yaml
jenkins:
client:
security:
ldap:
server: 1.2.3.4
root_dn: dc=foo,dc=com
user_search_base: cn=users,cn=accounts
manager_dn: ""
manager_password: password
user_search: ""
group_search_base: ""
inhibit_infer_root_dn: false
Matrix configuration (depends on auth-matrix plugin):
.. code-block:: yaml
jenkins:
client:
security:
matrix:
# set true for use ProjectMatrixAuthStrategy instead of GlobalMatrixAuthStrategy
project_based: false
permissions:
Jenkins:
# administrator access
ADMINISTER:
- admin
# read access (anonymous too)
READ:
- anonymous
- user1
- user2
# agents permissions
MasterComputer:
BUILD:
- user3
# jobs permissions
hudson:
model:
Item:
BUILD:
- user4
`Common matrix strategies <https://github.com/arbabnazar/configuration/blob/c08a5eaf4e04a68d2481375502a926517097b253/playbooks/roles/tools_jenkins/templates/projectBasedMatrixSecurity.groovy.j2>`_
Views enforcing from client:
.. code-block:: yaml
jenkins:
client:
view:
my-list-view:
enabled: true
type: ListView
include_regex: ".*"
my-view:
# set false to disable
enabled: true
type: MyView
View specific params:
- ``include_regex`` for ``ListView`` and ``CategorizedJobsView``
- categories for ``CategorizedJobsView``
Categorized views:
.. code-block:: yaml
jenkins:
client:
view:
my-categorized-view:
enabled: true
type: CategorizedJobsView
include_regex: ".*"
categories:
- group_regex: "aptly-.*-nightly-testing"
naming_rule: "Nightly -> Testing"
- group_regex: "aptly-.*-nightly-production"
naming_rule: "Nightly -> Production"
Credentials enforcing from client:
.. code-block:: yaml
jenkins:
client:
credential:
cred_first:
username: admin
password: password
cred_second:
username: salt
password: password
cred_with_key:
username: admin
key: SOMESSHKEY
cred_with_text_secret:
secret: SOMETEXTSECRET
cred_with_secret_file:
filename: somefile.json
content: |
{ "Hello": "world!" }
Users enforcing from client:
.. code-block:: yaml
jenkins:
client:
user:
admin:
password: admin_password
admin: true
user01:
password: user_password
Node enforcing from client using JNLP launcher:
.. code-block:: yaml
jenkins:
client:
node:
node01:
remote_home: /remote/home/path
desc: node-description
num_executors: 1
node_mode: Normal
ret_strategy: Always
labels:
- example
- label
launcher:
type: jnlp
Node enforcing from client using SSH launcher:
.. code-block:: yaml
jenkins:
client:
node:
node01:
remote_home: /remote/home/path
desc: node-description
num_executors: 1
node_mode: Normal
ret_strategy: Always
labels:
- example
- label
launcher:
type: ssh
host: test-launcher
port: 22
username: launcher-user
password: launcher-pass
Configure Jenkins master:
.. code-block:: yaml
jenkins:
client:
node:
master:
num_executors: 1
node_mode: Normal # or Exclusive
labels:
- example
- label
Setting node labels:
.. code-block:: yaml
jenkins:
client:
label:
node-name:
lbl_text: label-offline
append: false # set true for label append instead of replace
SMTP server settings from client:
.. code-block:: yaml
jenkins:
client:
smtp:
host: "smtp.domain.com"
username: "user@domain.cz"
password: "smtp-password"
port: 25
ssl: false
reply_to: reply_to@address.com
Jenkins admin user email enforcement from client:
.. code-block:: yaml
jenkins:
client:
smtp:
admin_email: "My Jenkins <jenkins@myserver.com>"
Slack plugin configuration:
.. code-block:: yaml
jenkins:
client:
slack:
team_domain: example.com
token: slack-token
room: slack-room
token_credential_id: cred_id
send_as: Some slack user
Pipeline global libraries setup:
.. code-block:: yaml
jenkins:
client:
lib:
my-pipeline-library:
enabled: true
url: https://path-to-my-library
credential_id: github
branch: master # optional, default master
implicit: true # optional default true
Artifactory server enforcing:
.. code-block:: yaml
jenkins:
client:
artifactory:
my-artifactory-server:
enabled: true
url: https://path-to-my-library
credential_id: github
Jenkins Global env properties enforcing:
.. code-block:: yaml
jenkins:
client:
globalenvprop:
OFFLINE_DEPLOYMENT:
enabled: true
name: "OFFLINE_DEPLOYMENT" # optional, default using dict key
value: "true"
Throttle categories management from client (requires
`Throttle Concurrent Builds <https://plugins.jenkins.io/throttle-concurrents>`_
plugin):
.. code-block:: yaml
jenkins:
client:
throttle_category:
'My First Category':
max_total: 2
max_per_node: 1
'My Second Category':
max_total: 5
max_per_node: 2
max_per_label:
'node_label_1': 1
'node_label_2': 2
'My Category To Remove:
enabled: false
Jira sites management from client (requires
`JIRA <https://plugins.jenkins.io/jira>`_ plugin):
.. code-block:: yaml
# Remove all sites
jenkins:
client:
jira:
enabled: False
.. code-block:: yaml
jenkins:
client:
jira:
sites:
'http://my.jira.site/':
link_url: 'http://alternative.link/'
http_auth: false
use_wiki_notation: false
record_scm: false
disable_changelog: false
issue_pattern: ''
any_build_result: false
user: 'username'
password: 'passwd'
conn_timeout: 10
visible_for_group: ''
visible_for_project: ''
timestamps: false
timestamp_format: ''
Gerrit trigger plugin configuration:
.. code-block:: yaml
jenkins:
client:
gerrit:
server1:
host: "gerrit.domain.local"
port: 29418
username: "jenkins"
email: "jenkins@domain.local"
auth_key_file: "/var/jenkins_home/.ssh/id_rsa"
frontendURL: "https://gerrit.domain.local"
build_current_patches_only: true
abort_new_patchsets: false
abort_manual_patchsets: false
abort_same_topic: false
authkey: |
SOMESSHKEY
server2:
host: "gerrit2.domain.local"
port: 29418
username: "jenkins"
email: "jenkins@domain.local"
auth_key_file: "/var/jenkins_home/.ssh/id_rsa"
frontendURL: "https://gerrit2.domain.local"
build_current_patches_only: true
abort_new_patchsets: false
abort_manual_patchsets: false
abort_same_topic: false
authkey: |
SOMESSHKEY
CSRF Protection configuration:
.. code-block:: yaml
jenkins:
client:
security:
csrf:
enabled: true
proxy_compat: false
Agent to Master Access Control:
.. code-block:: yaml
jenkins:
client:
security:
agent2master:
enabled: true
whitelisted: ''
file_path_rules: ''
Content Security Policy configuration:
.. code-block:: yaml
jenkins:
client:
security:
csp: "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
Git-client plugin's ssh host key verification strategy:
Allowed settings:
.. code-block:: yaml
- noHostKeyVerificationStrategy
- knownHostsFileVerificationStrategy
- acceptFirstConnectionStrategy
.. code-block:: yaml
jenkins:
client:
security:
git_ssh_host_key_strategy: "acceptFirstConnectionStrategy"
Usage
=====
#. Generate password hash:
.. code-block:: bash
echo -n "salt{plainpassword}" | openssl dgst -sha256
#. Place in the configuration ``salt:hashpassword``.
Read more
=========
* https://wiki.jenkins-ci.org/display/JENKINS/Use+Jenkins