jenkins-config/README.adoc

= Docker based Jenkins setup through Configuration-as-Code

== Running

. Run `create-keys.sh` to generate SSH keys used for Jenkins controller to talk to Jenkins agent;
. Run `echo -n 'password' > adminpassword` to setup password for admin user (watchout to not add newlines);
. Run `echo "DOCKER_GROUP=$(getent group docker | cut -d: -f3)" > .env` to setup agent's group so it can access docker socket;
. Run `docker compose up -d`;
. (Optionally) Add `update.sh` script to be run by cron periodically.

If all went well jenkins should be reachable on `localhost:8080`, login with user `admin` and password from step 2.

== Workflow for setting up jobs

. A pull request is initiated on a git platform where this configuration is hosted, with necessary changes in `jenkins.yml` jobs section;
. Maintainer(s) review the change, merge if appropriate;
. Either periodically, manually, or on some way set up trigger, machine hosting Jenkins controller does a `git pull` and `docker compose up -d --build`, after which the changes should appear on CI.

== User permissions and per-project secrets

Jobs often need secrets, however these secrets should be scoped per-user / project. A solution is therefore to use folders and matrix authentication plugin. For each user or project a top level folder should be created. In this folder administrator configures full permissions to necessary users (folder view -> Configure -> General -> Enable project-based-security). Users are then able to and edit secrets, but only for their jobs.

== Points of Improvement

. Fix the goofy docker group mess;
. Externalize user management (eg LDAP);
. Use vaults for secret storage;
. Change agent from persistent ssh to an adhoc provisioned instance.
first 2024-09-28 04:03:12 -04:00			`= Docker based Jenkins setup through Configuration-as-Code`

			`== Running`

			. Run `create-keys.sh` to generate SSH keys used for Jenkins controller to talk to Jenkins agent;
			. Run `echo -n 'password' > adminpassword` to setup password for admin user (watchout to not add newlines);
parameterize docker group 2024-09-28 04:53:40 -04:00			. Run `echo "DOCKER_GROUP=$(getent group docker \| cut -d: -f3)" > .env` to setup agent's group so it can access docker socket;
first 2024-09-28 04:03:12 -04:00			. Run `docker compose up -d`;
			. (Optionally) Add `update.sh` script to be run by cron periodically.

			If all went well jenkins should be reachable on `localhost:8080`, login with user `admin` and password from step 2.

			`== Workflow for setting up jobs`

			. A pull request is initiated on a git platform where this configuration is hosted, with necessary changes in `jenkins.yml` jobs section;
			`. Maintainer(s) review the change, merge if appropriate;`
			. Either periodically, manually, or on some way set up trigger, machine hosting Jenkins controller does a `git pull` and `docker compose up -d --build`, after which the changes should appear on CI.

			`== User permissions and per-project secrets`

			`Jobs often need secrets, however these secrets should be scoped per-user / project. A solution is therefore to use folders and matrix authentication plugin. For each user or project a top level folder should be created. In this folder administrator configures full permissions to necessary users (folder view -> Configure -> General -> Enable project-based-security). Users are then able to and edit secrets, but only for their jobs.`

			`== Points of Improvement`

parameterize docker group 2024-09-28 04:53:40 -04:00			`. Fix the goofy docker group mess;`
first 2024-09-28 04:03:12 -04:00			`. Externalize user management (eg LDAP);`
			`. Use vaults for secret storage;`
			`. Change agent from persistent ssh to an adhoc provisioned instance.`