papr: add pipeline for deploying customized Jenkins

README.md

@@ -1,7 +1,3 @@
-This repository contains OpenShift v3 projects
-for Project Atomic related CI infrastructure, which
-is currently just homu.
-
-The plan is to move this into
-https://github.com/openshift/release/tree/master/cluster/ci
-
+This repository contains OpenShift v3 projects for Project
+Atomic related CI infrastructure, which is currently homu
+and PAPR. Together, we refer to these projects as PACI.

papr/README.md

@@ -0,0 +1,54 @@
+# PAPR Jenkins
+
+This directory defines the infrastructure for a PAPR pipeline.
+
+The infrastructure is instantiated by the `papr-jenkins.yaml` OpenShift template
+which will create a Jenkins instance customized for PAPR. This is heavily based
+on the `jenkins-persistent` builtin OpenShift template, but with the following
+enhancements:
+
+- the GHPRB plugin is installed by default
+- anonymous users have read access
+- a GitHub token is securely installed at runtime using OpenShift secrets
+
+The `jenkins/` directory is used by the S2I
+[OpenShift Jenkins builder](https://github.com/openshift/jenkins/tree/8e58d88#installing-using-s2i-build)
+to create the customized Jenkins image.
+
+# Usage
+
+Assuming you already have a cluster set up and running (e.g. `oc cluster up`):
+
+```
+$ oc new-project papr
+$ echo "$GITHUB_TOKEN" > mytoken
+$ oc secrets new github-token token=mytoken
+$ oc new-app --file papr-jenkins.yaml
+```
+
+If your project already exists (e.g. you are not a cluster admin) and it is not
+named `papr`, make sure to pass the `-p NAMESPACE=$project` argument to the
+`new-app` command above.
+
+You can now start a build of the PAPR Jenkins image using:
+
+```
+$ oc start-build papr-jenkins
+```
+
+Once the image is built, it will be automatically deployed and available at:
+
+https://jenkins-papr.127.0.0.1.nip.io/
+
+If you're working on your own fork, you can point OpenShift at it:
+
+```
+$ oc new-app --file papr-jenkins.yaml \
+    -p REPO_URL=https://github.com/jlebon/projectatomic-ci-infra \
+    -p REPO_REF=my-branch
+```
+
+Note that modifications to Jenkins configurations fed to the S2I builder will
+probably require that you delete and recreate the PVC so that old configurations
+don't override new ones (I find it easier to just `oc delete project papr` and
+recreate it; the builder image is cached in the `openshift` namespace).

papr/jenkins/configuration/config.xml.tpl

@@ -0,0 +1,66 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<hudson>
+  <disabledAdministrativeMonitors/>
+  <version>2.89.2</version>
+  <numExecutors>5</numExecutors>
+  <mode>NORMAL</mode>
+  <useSecurity>true</useSecurity>
+  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
+    <permission>hudson.model.Computer.Configure:admin</permission>
+    <permission>hudson.model.Computer.Delete:admin</permission>
+    <permission>hudson.model.Hudson.Administer:admin</permission>
+    <permission>hudson.model.Hudson.Read:admin</permission>
+    <permission>hudson.model.Item.Build:admin</permission>
+    <permission>hudson.model.Item.Configure:admin</permission>
+    <permission>hudson.model.Item.Create:admin</permission>
+    <permission>hudson.model.Item.Delete:admin</permission>
+    <permission>hudson.model.Item.Read:admin</permission>
+    <permission>hudson.model.Item.Workspace:admin</permission>
+    <permission>hudson.model.Run.Delete:admin</permission>
+    <permission>hudson.model.Run.Update:admin</permission>
+    <permission>hudson.model.View.Configure:admin</permission>
+    <permission>hudson.model.View.Create:admin</permission>
+    <permission>hudson.model.View.Delete:admin</permission>
+    <!-- allow anonymous to see e.g. the Jenkins interface and jobs -->
+    <permission>hudson.model.Hudson.Read:anonymous</permission>
+    <permission>hudson.model.Item.Discover:anonymous</permission>
+    <permission>hudson.model.Item.Read:anonymous</permission>
+    <permission>hudson.model.View.Read:anonymous</permission>
+    <permission>hudson.scm.SCM.Tag:admin</permission>
+  </authorizationStrategy>
+  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
+    <disableSignup>true</disableSignup>
+    <enableCaptcha>false</enableCaptcha>
+  </securityRealm>
+  <disableRememberMe>false</disableRememberMe>
+  <workspaceDir>${ITEM_ROOTDIR}/workspace</workspaceDir>
+  <buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
+  <markupFormatter class="hudson.markup.EscapedMarkupFormatter"/>
+  <jdks/>
+  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
+  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
+  <clouds>
+    ${KUBERNETES_CONFIG}
+  </clouds>
+  <quietPeriod>1</quietPeriod>
+  <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
+  <views>
+    <hudson.model.AllView>
+      <owner class="hudson" reference="../../.."/>
+      <name>All</name>
+      <filterExecutors>false</filterExecutors>
+      <filterQueue>false</filterQueue>
+      <properties/>
+    </hudson.model.AllView>
+  </views>
+  <primaryView>All</primaryView>
+  <slaveAgentPort>${JNLP_PORT}</slaveAgentPort>
+  <disabledAgentProtocols>
+    <string>JNLP-connect</string>
+    <string>JNLP2-connect</string>
+  </disabledAgentProtocols>
+  <label>master</label>
+  <nodeProperties/>
+  <globalNodeProperties/>
+  <noUsageStatistics>true</noUsageStatistics>
+</hudson>

papr/jenkins/configuration/credentials.xml.tpl

@@ -0,0 +1,19 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="[email protected]">
+  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
+    ${KUBERNETES_CREDENTIALS}
+    <entry>
+      <com.cloudbees.plugins.credentials.domains.Domain>
+        <specifications/>
+      </com.cloudbees.plugins.credentials.domains.Domain>
+      <java.util.concurrent.CopyOnWriteArrayList>
+        <org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl plugin="[email protected]">
+          <scope>GLOBAL</scope>
+          <description>GitHub token</description>
+          <!-- this will be replaced at startup by init.groovy -->
+          <secret>SOOPERSEKRIT</secret>
+        </org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl>
+      </java.util.concurrent.CopyOnWriteArrayList>
+    </entry>
+  </domainCredentialsMap>
+</com.cloudbees.plugins.credentials.SystemCredentialsProvider>

papr/jenkins/configuration/init.groovy

@@ -0,0 +1,41 @@
+/* This init script injects the real GitHub token mounted into the container
+ * into the stored credentials.
+ */
+
+import jenkins.model.*
+import com.cloudbees.plugins.credentials.*
+import com.cloudbees.plugins.credentials.domains.*
+import org.jenkinsci.plugins.plaincredentials.*
+import org.jenkinsci.plugins.plaincredentials.impl.*
+
+StringCredentials findGitHubTokenCreds() {
+    def creds = CredentialsProvider.lookupCredentials(
+        StringCredentials.class,
+        Jenkins.instance,
+        null,
+        null)
+    for (c in creds) {
+        if (c.description.equals("GitHub token"))
+            return c
+    }
+}
+
+github_creds = findGitHubTokenCreds()
+if (!github_creds) {
+    println("Didn't find GitHub token credentials, exiting...")
+    return
+}
+
+def real_token_file = "/etc/github-token/token"
+println("Reading token value from $real_token_file")
+String real_token = new File(real_token_file).text.trim()
+
+Credentials new_github_creds = (Credentials) new StringCredentialsImpl(
+    CredentialsScope.GLOBAL,
+    github_creds.id, /* crucially; we copy the ID here to make it a clean swap */
+    github_creds.description,
+    hudson.util.Secret.fromString(real_token))
+
+store = SystemCredentialsProvider.instance.store
+store.updateCredentials(Domain.global(), github_creds, new_github_creds)
+println("Successfully updated credential token!")

papr/jenkins/configuration/jobs/README.md

@@ -0,0 +1,4 @@
+This directory exists just so we override the default job
+that gets created for us. See:
+
+https://github.com/openshift/jenkins/blob/8e58d888cc10e21db40ff5dbd40efe8ee8c77f93/2/contrib/s2i/assemble#L29

papr/jenkins/configuration/org.jenkinsci.plugins.ghprb.GhprbTrigger.xml.tpl

@@ -0,0 +1,38 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<org.jenkinsci.plugins.ghprb.GhprbTrigger_-DescriptorImpl plugin="[email protected]">
+  <configVersion>1</configVersion>
+  <!-- make these the same as before -->
+  <whitelistPhrase>(?m)^\s*bot,\s+add\s+author\s+to\s+whitelist\s*\.?$</whitelistPhrase>
+  <okToTestPhrase>(?m)^\s*bot,\s+test\s+pull\s+request\s*\.?$</okToTestPhrase>
+  <retestPhrase>(?m)^\s*bot,\s+test\s+pull\s+request\s+once\s*\.?$</retestPhrase>
+  <skipBuildPhrase>.*\[skip\W+ci\].*</skipBuildPhrase>
+  <blackListCommitAuthor></blackListCommitAuthor>
+  <!-- note we exclusively use webhooks, so shouldn't actually need cron -->
+  <cron>H/10 * * * *</cron>
+  <useComments>false</useComments>
+  <useDetailedComments>false</useDetailedComments>
+  <manageWebhooks>false</manageWebhooks>
+  <unstableAs>FAILURE</unstableAs>
+  <autoCloseFailedPullRequests>false</autoCloseFailedPullRequests>
+  <displayBuildErrorsOnDownstreamBuilds>false</displayBuildErrorsOnDownstreamBuilds>
+  <blackListLabels></blackListLabels>
+  <whiteListLabels></whiteListLabels>
+  <githubAuth>
+    <org.jenkinsci.plugins.ghprb.GhprbGitHubAuth>
+      <serverAPIUrl>https://api.github.com</serverAPIUrl>
+      <!-- NB: because we only define a single credential, we don't need to
+           hardcode/generate a <credentialsId> here -->
+      <description>Authenticated connection</description>
+    </org.jenkinsci.plugins.ghprb.GhprbGitHubAuth>
+  </githubAuth>
+  <adminlist></adminlist>
+  <requestForTestingPhrase>Can one of the admins verify this patch?</requestForTestingPhrase>
+  <extensions>
+    <org.jenkinsci.plugins.ghprb.extensions.status.GhprbSimpleStatus>
+      <commitStatusContext></commitStatusContext>
+      <showMatrixStatus>false</showMatrixStatus>
+      <addTestResults>false</addTestResults>
+      <completedStatus/>
+    </org.jenkinsci.plugins.ghprb.extensions.status.GhprbSimpleStatus>
+  </extensions>
+</org.jenkinsci.plugins.ghprb.GhprbTrigger_-DescriptorImpl>

papr/jenkins/plugins.txt

@@ -0,0 +1,4 @@
+# This file is read by
+# https://github.com/openshift/jenkins/blob/8e58d88/2/contrib/jenkins/install-plugins.sh
+# TODO: freeze all plugins
+ghprb:1.39.0