encrypted password support for jenkins users

Ragin-LundF · Apr 29, 2020 · 3641f57 · 3641f57
1 parent e415561
commit 3641f57
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -28,6 +28,20 @@ To simplify the installation and the project settings, it has a small helper too
 
 *The password for the preconfigured secrets file is `admin`. There is no valid data inside this file! Please change it for your own project!*
 
+As default the system uses encrypted passwords instead of using the password from the `jenkins_helm_values.yaml`.
+The default users and passwords are:
+
+- administrator
+  - User: admin
+  - Pass: admin
+  - permissions: all
+- project user
+  - User: project-user
+  - Pass: project
+  - permissions: read all and execute build
+
+This can be changed on the `jcasc_config.yaml` file under the `jenkins.securityRealm` section.
+
 ## Prerequisites ##
 
 To use this tool, you need to have the following tools installed:

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.5.0
+1.6.0
diff --git a/config/k8s_jcasc_mgmt.cnf b/config/k8s_jcasc_mgmt.cnf
@@ -24,8 +24,11 @@ JENKINS_JOBDSL_BASE_URL=http://github.com
 # Validation pattern for Jenkins JobDSL URI/URL
 JENKINS_JOBDSL_REPO_VALIDATE_PATTERN=".*\.git"
 
-# Default admin password for Jenkins
+# Default admin password for Jenkins if security configuration in the jcasc_config should not be used
 JENKINS_MASTER_ADMIN_PASSWORD=admin
+# Default password with bcrypt for security configuration as code (jcasc_config)
+JENKINS_MASTER_ADMIN_PASSWORD_ENCRYPTED='$2a$04$UNxiNvJN6R3me9vybVQr/OzpMhgobih8qbxDpGy3lZmmmwc6t48ty'
+JENKINS_MASTER_PROJECT_USER_PASSWORD_ENCRYPTED='$2a$04$BFPq6fSa9KGKrlIktz/C8eSFrrG/gglnW1eXWMSjgtCSx36mMOSNm'
 
 # Default label for the jenkins master to execute the seed job, which will be bind to this label.
 JENKINS_MASTER_DEFAULT_LABEL=jenkins-master-for-seed

diff --git a/scripts/project_wizard_controller.sh b/scripts/project_wizard_controller.sh
@@ -176,6 +176,9 @@ function processTemplatesWithGlobalConfiguration() {
     replaceStringInFile "##JENKINS_MASTER_CONTAINER_IMAGE_PULL_SECRET_NAME##" "${JENKINS_MASTER_CONTAINER_IMAGE_PULL_SECRET_NAME} " "${ARG_FULL_PROJECT_DIRECTORY}/jenkins_helm_values.yaml"
     # replace Jenkins admin password
     replaceStringInFile "##JENKINS_MASTER_ADMIN_PASSWORD##" "${JENKINS_MASTER_ADMIN_PASSWORD}" "${ARG_FULL_PROJECT_DIRECTORY}/jenkins_helm_values.yaml"
+    replaceStringInFile "##JENKINS_MASTER_ADMIN_PASSWORD_ENCRYPTED##" "${JENKINS_MASTER_ADMIN_PASSWORD_ENCRYPTED}" "${ARG_FULL_PROJECT_DIRECTORY}/jcasc_config.yaml"
+    replaceStringInFile "##JENKINS_MASTER_PROJECT_USER_PASSWORD_ENCRYPTED##" "${JENKINS_MASTER_PROJECT_USER_PASSWORD_ENCRYPTED}" "${ARG_FULL_PROJECT_DIRECTORY}/jcasc_config.yaml"
+
     # nginx-ingress-controller deployment name
     replaceStringInFile "##NGINX_INGRESS_DEPLOYMENT_NAME##" "${NGINX_INGRESS_DEPLOYMENT_NAME} " "${ARG_FULL_PROJECT_DIRECTORY}/nginx_ingress_helm_values.yaml"
     replaceStringInFile "##NGINX_INGRESS_CONTROLLER_CONTAINER_IMAGE##" "${NGINX_INGRESS_CONTROLLER_CONTAINER_IMAGE}" "${ARG_FULL_PROJECT_DIRECTORY}/nginx_ingress_helm_values.yaml"

diff --git a/templates/jcasc_config.yaml b/templates/jcasc_config.yaml
@@ -1,6 +1,40 @@
 jenkins:
   systemMessage: "##PROJECT_DIRECTORY## Jenkins in namespace ##NAMESPACE##"
 
+  authorizationStrategy:
+    roleBased:
+      roles:
+        global:
+          - name: "admin"
+            description: "Jenkins administrators"
+            permissions:
+              - "Overall/Administer"
+            assignments:
+              - "admin"
+          - name: "readonly"
+            description: "Read-only users"
+            permissions:
+              - "Overall/Read"
+              - "Job/Read"
+            assignments:
+              - "authenticated"
+        items:
+          - name: "Project User"
+            description: "User for the project"
+            pattern: ".*"
+            permissions:
+              - "Job/Build"
+            assignments:
+              - "project-user"
+  securityRealm:
+    local:
+      allowsSignup: false
+      users:
+        - id: "admin"
+          password: "#jbcrypt:##JENKINS_MASTER_ADMIN_PASSWORD_ENCRYPTED##"
+        - id: "project-user"
+          password: "#jbcrypt:##JENKINS_MASTER_PROJECT_USER_PASSWORD_ENCRYPTED##"
+
   clouds:
     - kubernetes:
         name: "jenkins-build-slaves"
@@ -209,6 +243,10 @@ jobs:
   - script: >
       job('seed_job') {
           label('##JENKINS_MASTER_DEFAULT_LABEL##')
+          logRotator {
+              numToKeep(5)
+              artifactNumToKeep(1)
+          }
           multiscm {
               git {
                   remote {

diff --git a/templates/jenkins_helm_values.yaml b/templates/jenkins_helm_values.yaml
@@ -23,6 +23,7 @@ master:
   # because we want to "proxy" jenkins via ingress routing, we have to set the Uri Prefix here
   jenkinsUriPrefix: "##JENKINS_MASTER_DEFAULT_URI_PREFIX##"
   installPlugins:
+    - authorize-project:latest
     - blueocean:latest
     - blueocean-bitbucket-pipeline:latest
     - configuration-as-code:latest
@@ -38,6 +39,7 @@ master:
     - metrics:latest
     - multiple-scms:latest
     - pipeline-config-history:latest
+    - role-strategy:latest
     - sonar:latest
     - ssh-agent:latest
     - stashNotifier:latest