Merge remote-tracking branch 'target/master'
diff --git a/docker/swarm/service/gerrit.yml b/docker/swarm/service/gerrit.yml
index d33bdbb..1fc2aab 100644
--- a/docker/swarm/service/gerrit.yml
+++ b/docker/swarm/service/gerrit.yml
@@ -1,6 +1,12 @@
parameters:
_param:
docker_image_gerrit: tcpcloud/gerrit:2.12.7
+ gerrit_ldap_server: ""
+ gerrit_ldap_bind_user: ""
+ gerrit_ldap_bind_password: ""
+ gerrit_ldap_account_base: ""
+ gerrit_ldap_group_base: ""
+
docker:
client:
service:
@@ -13,6 +19,13 @@
DB_ENV_MYSQL_PASSWORD: ${_param:mysql_gerrit_password}
DB_ENV_MYSQL_DB: gerrit
AUTH_TYPE: ${_param:gerrit_auth_type}
+ LDAP_SERVER: ${_param:gerrit_ldap_server}
+ LDAP_ACCOUNTPATTERN: 'uid={username}'
+ LDAP_ACCOUNTBASE: ${_param:gerrit_ldap_account_base}
+ LDAP_GROUPBASE: ${_param:gerrit_ldap_group_base}
+ LDAP_USERNAME: ${_param:gerrit_ldap_bind_user}
+ LDAP_PASSWORD: ${_param:gerrit_ldap_bind_password}
+ CAPABILITY_ADMINISTRATESERVER: admin
WEBURL: ${_param:gerrit_public_host}
GERRIT_ADMIN_SSH_PUBLIC: ${_param:gerrit_admin_public_key}
GERRIT_ADMIN_PWD: ${_param:gerrit_admin_password}
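Review bot: The `LDAP_PASSWORD` line hands the directory bind password to the container as a plain service environment variable, where anyone who can inspect the service or the container's process environment can read it; if the image can read the value from a file, a Docker swarm secret mounted under /run/secrets is the usual mitigation, otherwise the pillar should at least document the exposure. Because both `gerrit_ldap_bind_user` and `gerrit_ldap_bind_password` default to `""` in the first hunk, the default configuration is an anonymous bind, which is worth stating next to the parameters: `# Empty bind user/password means an anonymous LDAP bind; set both when the directory requires authentication.`. `CAPABILITY_ADMINISTRATESERVER: admin` also hard-codes the administrator group name while everything around it is parameterised; a `gerrit_ldap_admin_group: admin` entry in `_param` would keep the file consistent. The `environment` mapping continues outside the hunk.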
diff --git a/docker/swarm/service/jenkins.yml b/docker/swarm/service/jenkins.yml
index 3069dc6..16dee71 100644
--- a/docker/swarm/service/jenkins.yml
+++ b/docker/swarm/service/jenkins.yml
@@ -1,6 +1,6 @@
parameters:
_param:
- docker_image_jenkins: tcpcloud/jenkins:2.50
+ docker_image_jenkins: tcpcloud/jenkins:2.52
docker:
client:
service:
diff --git a/docker/swarm/service/openldap.yml b/docker/swarm/service/openldap.yml
index 863144c..f7f12e2 100644
--- a/docker/swarm/service/openldap.yml
+++ b/docker/swarm/service/openldap.yml
@@ -5,8 +5,6 @@
client:
service:
openldap:
- # XXX: docker service is not able to set hostname
- # https://github.com/docker/docker/issues/24877
restart:
condition: any
image: ${_param:docker_image_openldap}
@@ -21,9 +19,6 @@
LDAP_DOMAIN: "${_param:openldap_domain}"
LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
LDAP_CONFIG_PASSWORD: ${_param:openldap_config_password}
- LDAP_READONLY_USER: "true"
- LDAP_READONLY_USER_USERNAME: readonly
- LDAP_READONLY_USER_PASSWORD: ${_param:openldap_readonly_password}
LDAP_TLS: "false"
ports:
- 1389:389
diff --git a/gerrit/client/init.yml b/gerrit/client/init.yml
index a9bb4de..0edd17e 100644
--- a/gerrit/client/init.yml
+++ b/gerrit/client/init.yml
@@ -14,6 +14,7 @@
host: ${_param:cluster_vip_address}
user: admin
email: ${_param:gerrit_admin_email}
+ auth_method: basic
http_port: 8080
ssh_port: 29418
protocol: http
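Review bot: `auth_method: basic` makes the client send the Gerrit admin password with every request, and the surrounding context lines show that traffic goes as `protocol: http` on `http_port: 8080` to `${_param:cluster_vip_address}`, so the credential crosses the network in cleartext. That is tolerable only while the VIP is confined to the cluster network; the assumption should be written down rather than left implicit, e.g. `# basic auth over plain http: credentials are sent in the clear, so keep the VIP off untrusted networks or switch protocol to https`. The `gerrit.client.server` block this belongs to starts before the hunk.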
diff --git a/jenkins/client/init.yml b/jenkins/client/init.yml
index 41e639d..e7c56ec 100644
--- a/jenkins/client/init.yml
+++ b/jenkins/client/init.yml
@@ -28,6 +28,7 @@
gerrit-trigger: {}
git: {}
heavy-job: {}
+ ldap: {}
matrix-auth: {}
monitoring: {}
pipeline-utility-steps: {}
diff --git a/jenkins/client/security/ldap.yml b/jenkins/client/security/ldap.yml
index 8b7b97b..ba53570 100644
--- a/jenkins/client/security/ldap.yml
+++ b/jenkins/client/security/ldap.yml
@@ -1,7 +1,18 @@
parameters:
+ _param:
+ jenkins_security_ldap_manager_dn: ''
+ jenkins_security_ldap_manager_password: ''
+ jenkins_security_ldap_user_search_filter: 'uid={0}'
+ jenkins_security_ldap_user_search_base: ''
+ jenkins_security_ldap_group_search_base: ''
jenkins:
client:
security:
ldap:
server: ${_param:jenkins_security_ldap_server}
- root_dn: ${_param:jenkins_security_root_dn}
+ root_dn: ${_param:jenkins_security_ldap_root_dn}
+ manager_dn: ${_param:jenkins_security_ldap_manager_dn}
+ manager_password: ${_param:jenkins_security_ldap_manager_password}
+ user_search: ${_param:jenkins_security_ldap_user_search_filter}
+ user_search_base: ${_param:jenkins_security_ldap_user_search_base}
+ group_search_base: ${_param:jenkins_security_ldap_group_search_base}
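Review bot: Renaming `root_dn` to read `${_param:jenkins_security_ldap_root_dn}` breaks every deployment that still sets `jenkins_security_root_dn`, and unlike the five keys added to `_param` above it, neither `jenkins_security_ldap_root_dn` nor `jenkins_security_ldap_server` gets a default, so the reference presumably fails to resolve at pillar compile time instead of degrading gracefully. A one-line comment on the `root_dn` line, `# renamed from jenkins_security_root_dn`, plus a mention in the commit message would make the migration visible to operators. The empty `manager_dn` and `manager_password` defaults also mean Jenkins binds anonymously unless overridden, which deserves a comment on those two `_param` lines so nobody assumes an authenticated lookup is configured by default.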
diff --git a/jenkins/client/security/matrix.yml b/jenkins/client/security/matrix.yml
new file mode 100644
index 0000000..4c3c8a9
--- /dev/null
+++ b/jenkins/client/security/matrix.yml
@@ -0,0 +1,48 @@
+parameters:
+ _param:
+ # Full admin access
+ jenkins_security_matrix_admins:
+ - ${_param:jenkins_client_user}
+ # Read only access
+ jenkins_security_matrix_read: []
+ # Read + permissions to build jobs
+ jenkins_security_matrix_build: []
+ # Build permissions + create/delete, whatever.
+ jenkins_security_matrix_write:
+ - ${_param:jenkins_client_user}
+
+ jenkins:
+ client:
+ security:
+ matrix:
+ permissions:
+ Jenkins:
+ ADMINISTER: ${_param:jenkins_security_matrix_admins}
+ READ: ${_param:jenkins_security_matrix_read}
+ hudson:
+ model:
+ Item:
+ BUILD: ${_param:jenkins_security_matrix_build}
+ CANCEL: ${_param:jenkins_security_matrix_build}
+ CONFIGURE: ${_param:jenkins_security_matrix_write}
+ CREATE: ${_param:jenkins_security_matrix_write}
+ DELETE: ${_param:jenkins_security_matrix_write}
+ DISCOVER: ${_param:jenkins_security_matrix_build}
+ EXTENDED_READ: ${_param:jenkins_security_matrix_build}
+ WIPEOUT: ${_param:jenkins_security_matrix_write}
+ WORKSPACE: ${_param:jenkins_security_matrix_write}
+ READ: ${_param:jenkins_security_matrix_read}
+ Run:
+ DELETE: ${_param:jenkins_security_matrix_write}
+ ARTIFACTS: ${_param:jenkins_security_matrix_write}
+ UPDATE: ${_param:jenkins_security_matrix_write}
+ View:
+ READ: ${_param:jenkins_security_matrix_read}
+ com:
+ sonyericsson:
+ hudson:
+ plugins:
+ gerrit:
+ trigger:
+ PluginImpl:
+ RETRIGGER: ${_param:jenkins_security_matrix_build}
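Review bot: The comments on `jenkins_security_matrix_read` and `jenkins_security_matrix_build` describe cumulative tiers ("Read + permissions to build jobs"), but the permission map below grants each list independently: a user listed only in `jenkins_security_matrix_build` receives `Item/BUILD`, `Item/CANCEL` and `PluginImpl/RETRIGGER` without `Jenkins/READ`, and the same holds for `jenkins_security_matrix_write`, which is not granted `BUILD`. Either the comment should say what the file actually does, e.g. `# Build permissions only; users must also be listed in jenkins_security_matrix_read`, or the lists should be composed so that the higher tiers include the lower ones. As written, the default `jenkins_security_matrix_write` contains `${_param:jenkins_client_user}` while `jenkins_security_matrix_read` is `[]`, so the example configuration itself exhibits the gap (harmless here only because the same user also holds `ADMINISTER`).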
diff --git a/openldap/client/groups/admins.yml b/openldap/client/groups/admins.yml
new file mode 100644
index 0000000..5dbc7ba
--- /dev/null
+++ b/openldap/client/groups/admins.yml
@@ -0,0 +1,18 @@
+classes:
+ - system.openldap.client.groups
+parameters:
+ openldap:
+ client:
+ entry:
+ groups:
+ entry:
+ admins:
+ attr:
+ description: Administrators
+ gidNumber: 20001
+ classes:
+ - posixGroup
+ - top
+ # TODO: Cannot set member attributes in our LDAP yet
+ # member:
+ # - cn=admin,ou=people
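Review bot: The commented-out `member:` attribute is unlikely to ever work on this entry as declared, because the object classes are only `posixGroup` and `top`; `member` belongs to `groupOfNames`, whereas `posixGroup` carries membership as `memberUid`. The TODO can probably be resolved with `memberUid: admin` (a uid, not a DN), or by adding `groupOfNames` to `classes` if DN-valued membership is required by the consumers. Until members are set, the `admins` group created here is empty, so any LDAP group lookup configured elsewhere in this commit will not put anyone in it.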
diff --git a/openldap/client/groups/init.yml b/openldap/client/groups/init.yml
new file mode 100644
index 0000000..a419001
--- /dev/null
+++ b/openldap/client/groups/init.yml
@@ -0,0 +1,9 @@
+parameters:
+ openldap:
+ client:
+ entry:
+ groups:
+ type: ou
+ classes:
+ - top
+ - organizationalUnit
diff --git a/openldap/client/init.yml b/openldap/client/init.yml
new file mode 100644
index 0000000..25812f6
--- /dev/null
+++ b/openldap/client/init.yml
@@ -0,0 +1,15 @@
+classes:
+ - service.openldap.client
+parameters:
+ _param:
+ openldap_server: ${_param:cluster_vip_address}
+ openldap_tls: false
+ openldap:
+ client:
+ server:
+ basedn: ${_param:openldap_dn}
+ host: ${_param:openldap_server}
+ tls: ${_param:openldap_tls}
+ auth:
+ user: cn=admin,${_param:openldap_dn}
+ password: ${_param:openldap_admin_password}
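Review bot: `openldap_tls: false` is the default while `auth.user` is `cn=admin,${_param:openldap_dn}` with `${_param:openldap_admin_password}`, so the directory manager's password is sent over cleartext LDAP to `${_param:openldap_server}` on every client run. Binding as the directory admin is justified here since this client creates entries, but the TLS default should either be `true` or be accompanied by a comment explaining why it is off, e.g. `# TLS off by default: the bundled openldap service is started with LDAP_TLS "false"; enable both together`. The value is also passed unquoted as a boolean, which is fine only as long as the formula expects a real boolean rather than the string "false".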
diff --git a/openldap/client/people/admin.yml b/openldap/client/people/admin.yml
new file mode 100644
index 0000000..fa1a2c8
--- /dev/null
+++ b/openldap/client/people/admin.yml
@@ -0,0 +1,26 @@
+classes:
+ - system.openldap.client.people
+ - system.openldap.client.groups.admins
+parameters:
+ openldap:
+ client:
+ entry:
+ people:
+ entry:
+ admin:
+ attr:
+ uid: admin
+ userPassword: ${_param:openldap_admin_password}
+ uidNumber: 20001
+ gidNumber: ${openldap:client:entry:groups:entry:admins:attr:gidNumber}
+ gecos: Administrator
+ givenName: Charlie
+ sn: Root
+ homeDirectory: /home/admin
+ loginShell: /bin/bash
+ mail: ${_param:admin_email}
+ classes:
+ - posixAccount
+ - inetOrgPerson
+ - top
+ - shadowAccount
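Review bot: `userPassword: ${_param:openldap_admin_password}` reuses the directory root credential (the same parameter that `openldap/client/init.yml` binds `cn=admin` with) as the password of the application-level `uid=admin` account, so any service that authenticates this user against LDAP, or any log that captures its login, effectively exposes the directory manager password. A separate parameter, `userPassword: ${_param:openldap_admin_user_password}` with its own default, keeps the two trust levels apart. `uidNumber: 20001` is hard-coded while `gidNumber` is resolved from the group entry; a comment such as `# fixed uid; keep distinct from any other people entry` would at least flag the collision risk, and whether the formula hashes `userPassword` before writing it is not visible here and should be confirmed.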
diff --git a/openldap/client/people/init.yml b/openldap/client/people/init.yml
new file mode 100644
index 0000000..a4ae94d
--- /dev/null
+++ b/openldap/client/people/init.yml
@@ -0,0 +1,9 @@
+parameters:
+ openldap:
+ client:
+ entry:
+ people:
+ type: ou
+ classes:
+ - top
+ - organizationalUnit
diff --git a/salt/master/formula/pkg/foundation.yml b/salt/master/formula/pkg/foundation.yml
index abcc1b0..3611321 100644
--- a/salt/master/formula/pkg/foundation.yml
+++ b/salt/master/formula/pkg/foundation.yml
@@ -19,4 +19,7 @@
freeipa:
source: pkg
name: salt-formula-freeipa
+ openldap:
+ source: pkg
+ name: salt-formula-openldap