mirror of https://github.com/krislamo/vagrant-jenkins synced 2024-12-16 05:10:36 +00:00
Mark Heiges 2016-09-01 21:55:56 -04:00
commit c227e3f885
20 changed files with 446 additions and 0 deletions

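--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,10 @@
+.DS_Store
+scratch/*
+*.box
+.vagrant
+puppet/modules
+puppet/**/hieradata/sensitive.yaml
+puppet/.tmp
+puppet/.librarian
+nolibrarian
+puppet/hiera.yaml.rpmsave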

10
README.md Normal file

@ -0,0 +1,10 @@
Only the master Jenkins server is provisioned at this time. Provisioning
a separate worker node has not been implemented. Of course the master
server can also serve as a worker so this single node will be sufficient
for most use cases.
Manual Puppet Run
=======
sudo /opt/puppetlabs/bin/puppet apply --environment=production /etc/puppetlabs/code/environments/production/manifests/site.pp

80
Vagrantfile vendored Normal file

@ -0,0 +1,80 @@
BOX = 'ebrc/centos-7-64-puppet'
BOX_URL = ''
TLD = 'jenkins.vm'
JENKINS_HOSTS = {
:master => {
:vagrant_box => BOX,
:vagrant_box_url => BOX_URL,
:wf_hostname => 'ci.' + TLD,
:puppet_manifest => 'site.pp'
},
# :node => {
# :vagrant_box => BOX,
# :vagrant_box_url => BOX_URL,
# :wf_hostname => 'node1.' + TLD,
# :puppet_manifest => 'site.pp'
# },
}
[
{ :name => 'vagrant-librarian-puppet', :version => '>= 0.9.2' },
].each do |plugin|
if not Vagrant.has_plugin?(plugin[:name], plugin[:version])
raise "#{plugin[:name]} #{plugin[:version]} is required. Please run `vagrant plugin install #{plugin[:name]}`"
end
end
Vagrant.configure(2) do |config|
JENKINS_HOSTS.each do |name,cfg|
config.vm.define name do |vm_config|
vm_config.vm.provider 'virtualbox' do |v|
v.gui = false
end
if Vagrant.has_plugin?('landrush')
vm_config.landrush.enabled = true
vm_config.landrush.tld = TLD
end
vm_config.vm.box = cfg[:vagrant_box] if cfg[:vagrant_box]
vm_config.vm.box_url = cfg[:vagrant_box_url] if cfg[:vagrant_box_url]
vm_config.vm.hostname = cfg[:wf_hostname] if cfg[:wf_hostname]
vm_config.vm.synced_folder 'puppet/',
'/etc/puppetlabs/code/',
owner: 'root', group: 'root'
vm_config.ssh.forward_agent = true
vm_config.ssh.pty = true
if ! File.exist?(File.dirname(__FILE__) + '/nolibrarian')
vm_config.librarian_puppet.puppetfile_dir = 'puppet'
vm_config.librarian_puppet.destructive = false
end
if ( Vagrant.has_plugin?('landrush') and vm_config.landrush.enabled)
# The Puppet manifests includes a firewalld reload that clobbers
# the iptables dns nat rule added by Landrush. So save iptables
# for restoration after Puppet provisioning.
vm_config.vm.provision :shell, inline: '/sbin/iptables-save -t nat > /root/landrush.iptables'
end
vm_config.vm.provision :puppet do |puppet|
puppet.environment = 'production'
puppet.environment_path = 'puppet/environments'
puppet.manifests_path = 'puppet/environments/production/manifests'
puppet.manifest_file = cfg[:puppet_manifest]
puppet.hiera_config_path = 'puppet/hiera.yaml'
#puppet.options = ['--debug --trace --verbose']
end
if ( Vagrant.has_plugin?('landrush') and vm_config.landrush.enabled)
vm_config.vm.provision :shell, inline: '/sbin/iptables-restore < /root/landrush.iptables'
end
end
end
end
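Review bot: `vm_config.ssh.forward_agent = true` makes the host user's SSH agent reachable from inside the guest for every Vagrant SSH session, so root on the Jenkins VM (or anything else that can read the agent socket) can authenticate with the developer's keys while a session is open. Nothing in this Vagrantfile uses the agent inside the guest, and the git-sourced modules are presumably fetched on the host by the librarian plugin, so I would drop the line or set `vm_config.ssh.forward_agent = false` and enable it only when a provisioning step needs it. Separately, `BOX_URL = ''` is truthy in Ruby, so `if cfg[:vagrant_box_url]` always passes and `box_url` is assigned an empty string; guard it with `unless cfg[:vagrant_box_url].to_s.empty?`.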

21
puppet/Puppetfile Normal file

@ -0,0 +1,21 @@
forge 'https://forgeapi.puppetlabs.com'
mod 'crayfishx/firewalld'
mod 'jlambert121/trusted_ca'
mod 'puppet/archive'
mod 'puppetlabs/java_ks'
mod 'puppetlabs/stdlib'
mod 'stahnma/epel'
mod 'ebrc/ebrc_yum_repo',
:git => 'git@github.com:EuPathDB/puppet-ebrc_yum_repo.git'
mod 'ebrc/ebrc_java',
:git => 'git@github.com:EuPathDB/puppet-ebrc_java.git'
mod 'ebrc/ebrc_jenkins',
:git => 'git@github.com:EuPathDB/puppet-ebrc_jenkins.git'
mod 'local/profiles',
:path => './src/profiles'
:latest
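Review bot: None of the modules is pinned in this Puppetfile: the forge entries carry no version and the three `:git` entries carry no `:ref`, so the only thing fixing what gets installed is Puppetfile.lock (which records `ref: master`). Any re-resolve will pull whatever is then current on the forge or on each repository's default branch into manifests that are applied with root privileges. Pin each forge module to a version and each git module to a tag or commit, e.g. `:ref => '<tag-or-commit>'`. The trailing `:latest` line is a bare symbol expression that configures nothing; remove it or attach it to the option it was meant for.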

55
puppet/Puppetfile.lock Normal file

@ -0,0 +1,55 @@
FORGE
remote: https://forgeapi.puppetlabs.com
specs:
crayfishx-firewalld (3.1.4)
puppetlabs-stdlib (< 5.0.0, >= 4.2.0)
jlambert121-trusted_ca (1.1.0)
puppetlabs-stdlib (< 5.0.0, >= 3.2.0)
puppet-archive (1.1.2)
puppetlabs-stdlib (< 5.0.0, >= 4.2.0)
puppetlabs-java_ks (1.4.1)
puppetlabs-stdlib (4.12.0)
stahnma-epel (1.2.2)
puppetlabs-stdlib (>= 3.0.0)
GIT
remote: git@github.com:EuPathDB/puppet-ebrc_java.git
ref: master
sha: 5434fa8c13d2dc4987530b5d9e713f05b9d93841
specs:
ebrc-ebrc_java (0.1.0)
GIT
remote: git@github.com:EuPathDB/puppet-ebrc_jenkins.git
ref: master
sha: 133ce0f678faa7af1a3a2a743c67baba09adee20
specs:
ebrc-ebrc_jenkins (0.0.1)
GIT
remote: git@github.com:EuPathDB/puppet-ebrc_yum_repo.git
ref: master
sha: 2e75a0de6b7e4da022a1a4de7ee5306b5fcc0a4d
specs:
ebrc-ebrc_yum_repo (0.1.0)
puppetlabs-stdlib (>= 1.0.0)
PATH
remote: ./src/profiles
specs:
local-profiles (0.0.0)
crayfishx-firewalld (>= 0)
ebrc-ebrc_jenkins (>= 0)
DEPENDENCIES
crayfishx-firewalld (>= 0)
ebrc-ebrc_java (>= 0)
ebrc-ebrc_jenkins (>= 0)
ebrc-ebrc_yum_repo (>= 0)
jlambert121-trusted_ca (>= 0)
local-profiles (>= 0)
puppet-archive (>= 0)
puppetlabs-java_ks (>= 0)
puppetlabs-stdlib (>= 0)
stahnma-epel (>= 0)


@ -0,0 +1,19 @@
---
ebrc_jenkins::user_home: /usr/local/home/jenkins
ebrc_jenkins::instances:
CI:
version: 1.638
http_port: 9181
jmx_port: 9120
ebrc_ca::cacert: apidb-ca-rsa.crt
ebrc_java::java_home: /usr/java/jdk1.8.0_92
ebrc_java::packages:
- jdk1.8.0_92
ebrc_java::java_home: /usr/java/jdk1.8.0_92
ebrc_java::default_ver: /usr/java/jdk1.8.0_92
java_keystore_target: /etc/pki/tls/certs/cacerts
java_keystore_passwd: graeo5locza
local_home: /usr/local/home
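Review bot: `java_keystore_passwd` is committed in plaintext in this tracked hieradata file (presumably common.yaml), even though the hiera hierarchy in this commit has a `sensitive` level and `.gitignore` excludes `puppet/**/hieradata/sensitive.yaml` for this kind of value. Move the key to the untracked sensitive.yaml and leave only a pointer here, e.g. `# java_keystore_passwd: set in hieradata/sensitive.yaml`; the same literal is repeated in the header comment of the `profiles::ebrc_java_stack` manifest and should become a placeholder there too. Because the value is now in history, treat it as disclosed and change it wherever it is in use. Separately, `ebrc_java::java_home` is defined twice in this file; drop the duplicate so an edit to one copy cannot silently lose to the other.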


@ -0,0 +1,3 @@
---
roles:
- profiles::ebrc_jenkins


@ -0,0 +1,2 @@
---
roles:


@ -0,0 +1,4 @@
node default {
hiera_include('roles')
}

12
puppet/hiera.yaml Normal file

@ -0,0 +1,12 @@
---
:backends:
- yaml
:yaml:
:datadir: "%{settings::codedir}/environments/%{::environment}/hieradata"
:hierarchy:
- "nodes/%{::fqdn}"
- "%{::domain}"
- sensitive
- common

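--- /dev/null
+++ b/puppet/src/README.md
@@ -0,0 +1,4 @@
+This `src` directory contains Puppet modules only available in this
+Vagrant project. Because Puppet librarian can clean out the `modules`
+directory, we put local modules here, out of librarian's scope, and
+reference them for in the Puppetfile for installation to `modules`.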


@ -0,0 +1,38 @@
-----BEGIN CERTIFICATE-----
MIIGujCCBKKgAwIBAgIJAJ88X2Ge/QNVMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD
VQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZhbmlhMRUwEwYDVQQHEwxQaGlsYWRl
bHBoaWExLTArBgNVBAoTJEFwaURCIEJpb2luZm9ybWF0aWNzIFJlc291cmNlIENl
bnRlcjEOMAwGA1UEAxMFQXBpREIxHTAbBgkqhkiG9w0BCQEWDmhlbHBAYXBpZGIu
b3JnMB4XDTEyMDgzMTE5MTMyNFoXDTIyMDgyOTE5MTMyNFowgZkxCzAJBgNVBAYT
AlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWExFTATBgNVBAcTDFBoaWxhZGVscGhp
YTEtMCsGA1UEChMkQXBpREIgQmlvaW5mb3JtYXRpY3MgUmVzb3VyY2UgQ2VudGVy
MQ4wDAYDVQQDEwVBcGlEQjEdMBsGCSqGSIb3DQEJARYOaGVscEBhcGlkYi5vcmcw
ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDWjz2aYcFph78mYHXI92QG
RetOwW8Sp8bSaI3j3/MsG/+0zAesAub3qAldizZSnPGT62Ok9CwloKno8xl5k08D
tdK1PBy1KTcOhpVGDpGpQIWC5cZ3WmLkT9VciE25MSsmBsShqP7jmDy9tBAOQ5mJ
YeFxnnkiZfNMkeW+fMv/SUIutebUVMi+ZnRqj5DDlgLbcNUzH533SauYXTkehbyY
Awwx2BtPhjINWn4PFv11NGM8P5mri6+M0l8twCIUKFi9SoCjYAM0uOd3AS3EJxxK
M3QBYJVrykbqxHF/MaD3z/hbXCrhmIQm96ApnVnmxpc1DtkPKkkfhbnkDbOJqVfe
6IOHxxzRN1a1Igb12dR+nRAf6vZNCMZ1YFzC01rw1bkKlYrcaX+ZM1El1n1mgHtP
OrQZLeNzCCl0LACBAC1Ky4/2OdyAP7A3Hrlo4dT8rTC+5ZWn+vuhwZV6KMk7rElf
n1HpBvKwypSJqc5jHq7f9hTQyktWdg1rfvn+TPPfZHehKsYQrR1oEGJVynouvQMG
YrDnGTbg12xpMv+zWDpRsuTx6zpSwbS/S3/PnEndhQBx8eRrHbHkV/9zP1qPt7Xl
mX5XLQz+zJV801rx00Jadfta8SZBohV6uhhwFdBuc1z7+VOhKjKVG5EzfhINY4a/
3CaoTF51sAHuLl6q67T9FQIDAQABo4IBATCB/jAdBgNVHQ4EFgQUasR0PhZJaGRx
tVXJleUI6PJXEvUwgc4GA1UdIwSBxjCBw4AUasR0PhZJaGRxtVXJleUI6PJXEvWh
gZ+kgZwwgZkxCzAJBgNVBAYTAlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWExFTAT
BgNVBAcTDFBoaWxhZGVscGhpYTEtMCsGA1UEChMkQXBpREIgQmlvaW5mb3JtYXRp
Y3MgUmVzb3VyY2UgQ2VudGVyMQ4wDAYDVQQDEwVBcGlEQjEdMBsGCSqGSIb3DQEJ
ARYOaGVscEBhcGlkYi5vcmeCCQCfPF9hnv0DVTAMBgNVHRMEBTADAQH/MA0GCSqG
SIb3DQEBBQUAA4ICAQAgiSwGDZvC9GVErm8m7DNdLU17lP8V1aUXMLbwAm2hwp6C
snUR3TzJ0MOPSPy67NIMYMWwkRKDILKUXOvfsnE295ZmqmTaUZk+Uv3DoU3xcaIw
LbAOhlIrgPvGQyWXUwAdGacBTrJM4dzQ+pAPnt9ZVu5X9+BYD7ic0H0WNimurjtk
4l+X+wxibJB8Mj3zMnkBRm3wNS1teeU3HRjByEX3HoHuxMYWhWX6tOosBIXiV/9c
12jVPseogPROziiMxqpkyDqUXWiZhzvL/MK0NGYGPlevAodvTWh4CG8Ld1ErFy07
Sk6YVxBQhz5+HAyHQNLjySh8UeX4EdF9Y1Fpmmy7M2afV+YEjB0ahIGmYfUqt4rj
KbeRdmqobpzjQ7iH53xBS8JMUw1EOP4Evjsi7/62XqB4MgRQ9EM85T0W3zhiwFF2
6h7BJ11ElhPjmTzzz12p/MBnnYmrMNwYKzDobfdlDoC4dAz1U5RDI1D7w8RyZbOk
5FOxGCS2/8Hk8vBL6/ZF5sTD3iqb7YDdEgvkrnAnPk3UAQ6FHPzp7tfC3IBQr7Jf
BmkZhG9oGg8WIkGPKxUqMJuoQAb5UB6GwE6nz2dCnAM62qUVLljs0XNWK1lgRpYy
JM0ZtsohoVcerth4vUVwrxATaSJ5N+9e9uitABWEOdkiT6l0Fv8aLrjv/ZkLCA==
-----END CERTIFICATE-----


@ -0,0 +1,26 @@
# install EuPathDB BRC's Certificate Authority to filesystem and add to
# system CA bundle using ca-certificates utilities.
# Hiera
#
# The following hiera data should be set for use by the underlying
# modules. Defaults are set in common.yaml
# - ebrc_ca::cacert - filename of certificate
class profiles::ebrc_ca_bundle {
include ::trusted_ca
$ca_name = hiera('ebrc_ca::cacert')
trusted_ca::ca { $ca_name:
source => "puppet:///modules/profiles/ssl/${ca_name}",
}
file { "/etc/pki/tls/certs/${ca_name}":
ensure => file,
source => "puppet:///modules/profiles/ssl/${ca_name}",
owner => 'root',
group => 'root',
mode => '0644',
}
}


@ -0,0 +1,40 @@
# install EuPathDB BRC's Certificate Authority to java keystore.
# Leverages puppetlabs/java_ks
#
# Requirements
# - EuPathDB's CA must already be on the file system
# (see profile::ebrc_ca_bundle).
# - keytool command must be available (provided by modern Java packages)
# Hiera
#
# The following hiera data should be set for use by the underlying
# modules. Defaults are set in common.yaml
# - ebrc_ca::cacert - filename for certificate
# - ebrc_java::java_home - java base directory
# - java_keystore_target - path for keystore
# - java_keystore_passwd - password for keystore
class profiles::ebrc_ca_keystore {
$alias = 'eupathdbinternalca'
$cacert = hiera('ebrc_ca::cacert')
$java_home = hiera('ebrc_java::java_home')
$java_ks_target = hiera('java_keystore_target')
$java_ks_passwd = hiera('java_keystore_passwd')
if $::osfamily == 'redhat' {
$certdir = '/etc/pki/tls/certs'
} else {
fail("profiles::ebrc_ca_keystore: Unsupported osfamily: ${::osfamily}")
}
java_ks { $alias:
ensure => latest,
path => ["${java_home}/bin", '/usr/bin'],
certificate => "${certdir}/${cacert}",
target => $java_ks_target,
password => $java_ks_passwd,
trustcacerts => true,
}
}
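Review bot: The header says the CA file must already be on disk, but `profiles::ebrc_ca_keystore` does not enforce that itself; the ordering exists only in `profiles::ebrc_java_stack`, so including this class on its own can run `java_ks` before the certificate is written. Add `include ::profiles::ebrc_ca_bundle` to the class and `require => Class['::profiles::ebrc_ca_bundle'],` to the `java_ks` resource so the dependency travels with the class. The requirement comment also names `profile::ebrc_ca_bundle`; the class defined in this commit is `profiles::ebrc_ca_bundle`.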


@ -0,0 +1,48 @@
# Full java deployment for EuPathDB BRC servers
# Includes
# - installing one or more Java packages from EuPathDB YUM repo
# - adds EuPathDB's certificate authority to cacerts keystore.
#
# Hiera
#
# The following hiera data should be set for use by the underlying
# modules.
#
# Used by ebrc_java
# ebrc_java::packages - an array of Java packages to install, e.g
# ebrc_java::packages:
# - jdk-1.7.0_80
# - jdk-1.8.0_01
# ebrc_java::java_home - the full path to $JAVA_HOME, e.g.
# ebrc_java::java_home: /usr/java/jdk1.7.0_80
#
# Used by ::profiles::ebrc_ca_keystore
# java_keystore_target - the full path to the Java keystore file, e.g.
# java_keystore_target: /etc/pki/tls/certs/cacerts
# java_keystore_passwd - the keystore password
# java_keystore_passwd: graeo5locza
#
# Used by ::profiles::ebrc_ca_bundle
# ebrc_ca::cacert - the file name of EBRC's CA
# ebrc_ca::cacert: apidb-ca-rsa.crt
#
class profiles::ebrc_java_stack {
include ::ebrc_yum_repo
include ::profiles::ebrc_ca_bundle
include ::profiles::ebrc_ca_keystore
$java_home = hiera('ebrc_java::java_home')
$java_packages = hiera('ebrc_java::packages')
class { '::ebrc_java':
packages => $java_packages,
java_home => $java_home,
}
Class['::ebrc_yum_repo'] ->
Class['::ebrc_java'] ->
Class['::profiles::ebrc_ca_bundle'] ->
Class['::profiles::ebrc_ca_keystore']
}


@ -0,0 +1,44 @@
# manage requirements for Jenkins server instances
# for EuPathDB
class profiles::ebrc_jenkins {
include ::profiles::ebrc_java_stack
include ::profiles::local_home
include ::ebrc_jenkins
Class['::profiles::ebrc_java_stack'] ->
Class['::profiles::local_home'] ->
Class['::ebrc_jenkins']
firewalld::custom_service{ 'Allow jenkins in public zone':
short => 'jenkins',
port => [
{
'port' => 9191,
'protocol' => 'tcp'
},
{
'port' => 9181,
'protocol' => 'tcp'
},
{
'port' => 9130,
'protocol' => 'tcp'
},
{
'port' => 9120,
'protocol' => 'tcp'
},
],
before => Firewalld_service['Allow jenkins in public zone'],
}
firewalld_service {'Allow jenkins in public zone':
ensure => 'present',
zone => 'public',
service => 'jenkins',
}
}
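Review bot: The custom firewalld service opens 9120 and 9130 in the `public` zone alongside the HTTP ports; the hieradata in this commit names 9120 as the CI instance's `jmx_port`, and 9130 looks like a second JMX port. Whether JMX authentication and TLS are configured is not visible here (that would live in the ebrc_jenkins module), and a JMX endpoint reachable without them lets anyone who can connect manage the JVM. I would keep only the HTTP ports in this service and put the JMX ports in a restricted zone or leave them closed. 9191 and 9130 also have no matching instance in the hieradata shown, so they may be open with nothing behind them; a comment such as `# 9181/9191: Jenkins HTTP, 9120/9130: JMX` would make the intent reviewable.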


@ -0,0 +1,10 @@
# manage a home that is on a local filesystem
# as opposed to NFS
class profiles::local_home {
$local_home = hiera('local_home')
file{ [$local_home]:
ensure => directory,
}
}


@ -0,0 +1,15 @@
{
"name": "local/profiles",
"version": "0.0.0",
"author": "ebrc",
"summary": "Local profiles to install Jenkins master",
"license": "Apache-2.0",
"source": "",
"project_page": null,
"issues_url": null,
"dependencies": [
{"name":"ebrc/ebrc_jenkins"},
{"name":"crayfishx/firewalld"}
]
}

5
scratch/.gitignore vendored Normal file

@ -0,0 +1,5 @@
.DS_Store
.vagrant
!.gitignore