Test and validated the Secrets

.gitignore

@@ -40,3 +40,7 @@ terraform.rc
 *.log
 .deployed
 kubeconfig*.yaml
+
+# Secrets file
+*secrets*
+!secrets*example

Makefile

@@ -18,9 +18,9 @@ endef
 define tfDeploy
 	@printf $(MSG_INFO) "Deploying CloudBees CI Blueprint $(1) ..."
 	$(call confirmation,Deploy $(1))
-	terraform -chdir=$(MKFILEDIR)/blueprints/$(1) init -upgrade
-	terraform -chdir=$(MKFILEDIR)/blueprints/$(1) apply -target="module.vpc" -auto-approve
-	terraform -chdir=$(MKFILEDIR)/blueprints/$(1) apply -target="module.eks" -auto-approve
+	@terraform -chdir=$(MKFILEDIR)/blueprints/$(1) init -upgrade
+	@terraform -chdir=$(MKFILEDIR)/blueprints/$(1) apply -target="module.vpc" -auto-approve
+	@terraform -chdir=$(MKFILEDIR)/blueprints/$(1) apply -target="module.eks" -auto-approve
 	terraform -chdir=$(MKFILEDIR)/blueprints/$(1) apply -auto-approve
 	@terraform -chdir=$(MKFILEDIR)/blueprints/$(1) output > $(MKFILEDIR)/blueprints/$(1)/.deployed
 endef
@@ -31,8 +31,7 @@ define tfDestroy
 	$(call confirmation,Destroy $(1))
 	$(eval $(call tfOutput,$(1),export_kubeconfig))
 	$(eval CBCI_NAMESPACE := $(call tfOutput,$(1),cbci_namespace))
-	@kubectl delete --all pods --grace-period=0 --force --namespace $(CBCI_NAMESPACE) || echo "There are no pods to delete in $(CBCI_NAMESPACE)"
-	@#TODO: Issue #34
+	@kubectl delete --all pods --grace-period=0 --force --namespace $(CBCI_NAMESPACE) || echo "There are no pvc to delete in $(CBCI_NAMESPACE)"
 	@terraform -chdir=$(MKFILEDIR)/blueprints/$(1) destroy -target=module.eks_blueprints_addon_cbci -auto-approve
 	@kubectl delete --all pvc --grace-period=0 --force --namespace $(CBCI_NAMESPACE) || echo "There are no pvc to delete in $(CBCI_NAMESPACE)"
 	@terraform -chdir=$(MKFILEDIR)/blueprints/$(1) destroy -target=module.eks_blueprints_addons -auto-approve
@@ -47,13 +46,13 @@ define validate
 	$(eval $(call tfOutput,$(1),export_kubeconfig))
 	$(eval CBCI_NAMESPACE := $(call tfOutput,$(1),cbci_namespace))
 	$(eval OC_URL := $(call tfOutput,$(1),cjoc_url))
-	until $(call tfOutput,$(1),cbci_oc_pod); do sleep 2 && echo "Waiting for Operation Center Pod to get ready"; done
+	@until $(call tfOutput,$(1),cbci_oc_pod); do sleep 2 && echo "Waiting for Operation Center Pod to get ready"; done
 	@printf $(MSG_INFO) "OC Pod is Ready."
-	until $(call tfOutput,$(1),cbci_liveness_probe_int); do sleep 10 && echo "Waiting for Operation Center Service to pass Health Check from inside the cluster"; done
+	@until $(call tfOutput,$(1),cbci_liveness_probe_int); do sleep 10 && echo "Waiting for Operation Center Service to pass Health Check from inside the cluster"; done
 	@printf $(MSG_INFO) "Operation Center Service passed Health Check inside the cluster."
-	until $(call tfOutput,$(1),cbci_oc_ing); do sleep 2 && echo "Waiting for Operation Center Ingress to get ready"; done
+	@until $(call tfOutput,$(1),cbci_oc_ing); do sleep 2 && echo "Waiting for Operation Center Ingress to get ready"; done
 	@printf $(MSG_INFO) "Operation Center Ingress Ready."
-	until $(call tfOutput,$(1),cbci_liveness_probe_ext); do sleep 10 && echo "Waiting for Operation Center Service to pass Health Check from outside the cluster"; done
+	@until $(call tfOutput,$(1),cbci_liveness_probe_ext); do sleep 10 && echo "Waiting for Operation Center Service to pass Health Check from outside the cluster"; done
 	@printf $(MSG_INFO) "Operation Center Service passed Health Check outside the cluster. It is available at $(OC_URL)."
 	@echo "Initial Admin Password: `$(call tfOutput,$(1),cbci_initial_admin_password)`"
 endef

blueprints/02-at-scale/README.md

@@ -21,8 +21,8 @@ Refer to the [Getting Started Blueprint - Prerequisites](../01-getting-started/R
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | domain_name | Desired domain name (e.g. example.com) used as suffix for CloudBees CI subdomains (e.g. cjoc.example.com). It requires to be mapped within an existing Route 53 Hosted Zone. | `string` | n/a | yes |
-| temp_license | Temporary license details | `map(string)` | n/a | yes |
-| tags | Tags to apply to resources | `map(string)` | `{}` | no |
+| temp_license | Temporary license details. | `map(string)` | n/a | yes |
+| tags | Tags to apply to resources. | `map(string)` | `{}` | no |
 
 ### Outputs
 
@@ -47,6 +47,8 @@ Refer to the [Getting Started Blueprint - Prerequisites](../01-getting-started/R
 
 Refer to the [Getting Started Blueprint - Prerequisites](../01-getting-started/README.md#deploy) section.
 
+Additionally, customize your secrets file by copying `.auto.tfvars.example` to `.auto.tfvars`.
+
 ## Validate
 
 Refer to the [Getting Started Blueprint - Prerequisites](../01-getting-started/README.md#validate) section.

blueprints/02-at-scale/cbci-values.yml

@@ -22,6 +22,17 @@ OperationsCenter:
       scmBranch: main
       scmBundlePath: bp02
       scmPollingInterval: PT20M
+  ContainerEnv:
+    - name: SECRETS
+      value: /var/run/secrets/oc
+  ExtraVolumes:
+    - name: oc-secrets
+      secret:
+        secretName: oc-secrets
+  ExtraVolumeMounts:
+    - name: oc-secrets
+      mountPath: /var/run/secrets/oc
+      readOnly: true
 Persistence:
   StorageClass: efs
 Hibernation:

blueprints/02-at-scale/main.tf

@@ -16,6 +16,8 @@ locals {
   kubeconfig_file      = "kubeconfig_${local.name}.yaml"
   kubeconfig_file_path = abspath("${path.root}/${local.kubeconfig_file}")
 
+  cbci_namespace = "cbci"
+
   vpc_cidr = "10.0.0.0/16"
 
   #https://docs.cloudbees.com/docs/cloudbees-common/latest/supported-platforms/cloudbees-ci-cloud#_kubernetes
@@ -53,6 +55,32 @@ resource "random_integer" "ramdom_id" {
 # EKS: Add-ons
 ################################################################################
 
+# CloudBees CI Add-ons
+
+resource "kubernetes_namespace" "cbci" {
+
+  metadata {
+    name = local.cbci_namespace
+  }
+
+  depends_on = [
+    module.eks_blueprints_addons
+  ]
+
+}
+
+# Secrets to be passed to Casc
+# https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets
+resource "kubernetes_secret" "oc_secrets" {
+
+  metadata {
+    name      = "oc-secrets"
+    namespace = kubernetes_namespace.cbci.metadata[0].name
+  }
+
+  data = yamldecode(file("${path.module}/secrets-values.yml"))
+}
+
 module "eks_blueprints_addon_cbci" {
   source = "../../"
 
@@ -61,14 +89,35 @@ module "eks_blueprints_addon_cbci" {
   temp_license = var.temp_license
 
   helm_config = {
-    values = [file("${path.module}/cbci-values.yml")]
+    create_namespace = false
+    values           = [file("${path.module}/cbci-values.yml")]
   }
 
   depends_on = [
-    module.eks_blueprints_addons
+    kubernetes_secret.oc_secrets
   ]
 }
 
+# EKS Blueprints Add-ons
+
+module "ebs_csi_driver_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.29.0"
+
+  role_name_prefix = "${module.eks.cluster_name}-ebs-csi-driv"
+
+  attach_ebs_csi_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
+    }
+  }
+
+  tags = var.tags
+}
+
 module "eks_blueprints_addons" {
   source  = "aws-ia/eks-blueprints-addons/aws"
   version = "1.12.0"
@@ -112,24 +161,6 @@ module "eks_blueprints_addons" {
   tags = local.tags
 }
 
-module "ebs_csi_driver_irsa" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.29.0"
-
-  role_name_prefix = "${module.eks.cluster_name}-ebs-csi-driv"
-
-  attach_ebs_csi_policy = true
-
-  oidc_providers = {
-    main = {
-      provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
-    }
-  }
-
-  tags = var.tags
-}
-
 ################################################################################
 # EKS: Infra
 ################################################################################

blueprints/02-at-scale/outputs.tf

@@ -42,7 +42,7 @@ output "cbci_liveness_probe_ext" {
 
 output "cbci_initial_admin_password" {
   description = "Operation Center Service Initial Admin Password for CloudBees CI Add-on. Additionally, there are developer and guest users using the same password."
-  value       = "echo 'User: admin Password: SECRET'"
+  value       = "kubectl get secret oc-secrets -n ${module.eks_blueprints_addon_cbci.cbci_namespace} -o jsonpath='{.data.secJenkinsPass}' | base64 -d"
 }
 
 output "cjoc_url" {

blueprints/02-at-scale/secrets-values.yml.example

@@ -0,0 +1,13 @@
+# Copyright (c) CloudBees, Inc.
+
+# Secret for Jenkins password. It is valid for all users: admin, developer, and guest.
+secJenkinsPass: "P4ssw0rd" # Required
+
+# Other examples of secrets
+# secGithubKey: |
+#   SSH Key for accessing repos in your GitHub account/organization
+# secGithubToken: "API token for GitHub"
+# secLicenseCert: |
+#   License certificate from CloudBees
+# secLicenseKey: |
+#   License key from CloudBees

blueprints/02-at-scale/variables.tf

@@ -1,6 +1,6 @@
 
 variable "tags" {
-  description = "Tags to apply to resources"
+  description = "Tags to apply to resources."
   default     = {}
   type        = map(string)
 }
@@ -15,6 +15,6 @@ variable "domain_name" {
 }
 
 variable "temp_license" {
-  description = "Temporary license details"
+  description = "Temporary license details."
   type        = map(string)
 }

blueprints/test-all.sh

@@ -4,6 +4,7 @@
 # 1. Deploy
 # 2. Validate
 # 3. Destroy
+# 4. Clean
 
 set -e