Go to file
retropikzel e9f736736a Fix the configuration as code autoupdate 2024-10-11 15:55:51 +03:00
.gitignore Added gitginore, modified update script to work as startup script too 2024-09-28 13:44:17 +03:00
Dockerfile.agent Update Jenkins java version 2024-10-11 14:59:33 +03:00
Dockerfile.jenkins Update Jenkins java version 2024-10-11 14:59:33 +03:00
README.adoc parameterize docker group 2024-09-28 11:53:40 +03:00
create-keys.sh first 2024-09-28 11:03:12 +03:00
docker-compose.yml Update Jenkins java version 2024-10-11 14:59:33 +03:00
jenkins.yml Fix the configuration as code autoupdate 2024-10-11 15:55:51 +03:00
start.sh Update the configuration with curl and token 2024-09-29 07:57:32 +03:00
update.sh Fix the configuration as code autoupdate 2024-10-11 15:54:45 +03:00

README.adoc

= Docker based Jenkins setup through Configuration-as-Code

== Running

. Run `create-keys.sh` to generate SSH keys used for Jenkins controller to talk to Jenkins agent;
. Run `echo -n 'password' > adminpassword` to setup password for admin user (watchout to not add newlines);
. Run `echo "DOCKER_GROUP=$(getent group docker | cut -d: -f3)" > .env` to setup agent's group so it can access docker socket;
. Run `docker compose up -d`;
. (Optionally) Add `update.sh` script to be run by cron periodically.

If all went well jenkins should be reachable on `localhost:8080`, login with user `admin` and password from step 2.

== Workflow for setting up jobs

. A pull request is initiated on a git platform where this configuration is hosted, with necessary changes in `jenkins.yml` jobs section;
. Maintainer(s) review the change, merge if appropriate;
. Either periodically, manually, or on some way set up trigger, machine hosting Jenkins controller does a `git pull` and `docker compose up -d --build`, after which the changes should appear on CI.

== User permissions and per-project secrets

Jobs often need secrets, however these secrets should be scoped per-user / project. A solution is therefore to use folders and matrix authentication plugin. For each user or project a top level folder should be created. In this folder administrator configures full permissions to necessary users (folder view -> Configure -> General -> Enable project-based-security). Users are then able to and edit secrets, but only for their jobs.

== Points of Improvement

. Fix the goofy docker group mess;
. Externalize user management (eg LDAP);
. Use vaults for secret storage;
. Change agent from persistent ssh to an adhoc provisioned instance.