Jenkins improvements for automated setup

manifests/firstrun.pp

@@ -1,4 +1,5 @@
 # @summary Special class applied only at first Puppet run
+#
 # This special class is supposed to be included ONLY at the first Puppet run.
 # It's up to user to decide if to enable it (by setting psick::enable_firstrun)
 # and it's up to the user to decide what classes to include in this run and
@@ -8,7 +9,6 @@
 # includes the classes listed in the ${::kernel}_classes hashes, triggers a reboot
 # (on Windows) and creates an external fact that prevents a reboot
 # cycle.
-
 # IMPORTANT NOTE: If firstrun mode is activated on an existing infrastructure
 # or if the 'firstrun' external fact is removed from nodes, this class will
 # included in the main psick class as if this were a real first Puppet run.
@@ -32,13 +32,12 @@
 #     psick::firstrun::windows_reboot: true # (Default value)
 #
 # @example Enable firstrun and configure it to set hostname and proxy
-#   on Linux but do not trigger any reboot
+# on Linux but do not trigger any reboot
 #     psick::enable_firstrun: true
 #     psick::firstrun::linux_classes:
 #       hostname: psick::hostname
 #       proxy: psick::proxy
 #     psick::firstrun::linux_reboot: false # (Default value)
-#
 # For each of these $::kernel_classes parameters, it's expected an Hash of key-values:
 # Keys can have any name, and are used as markers to allow overrides,
 # exceptions management and customisations across Hiera's hierarchies.

manifests/init.pp

@@ -44,16 +44,16 @@
 #   if you don't want the PSICK class provisioning staged in different phases.
 #
 # @example Sample data for proxy server hash
-#   psick::servers:
-#     proxy:
-#       host: proxy.example.com
-#       port: 3128
-#       user: john    # Optional
-#       password: xxx # Optional
-#       no_proxy:
-#         - localhost
-#         - "%{::domain}"
-#       scheme: http
+#     psick::servers:
+#       proxy:
+#         host: proxy.example.com
+#         port: 3128
+#         user: john    # Optional
+#         password: xxx # Optional
+#         no_proxy:
+#           - localhost
+#           - "%{::domain}"
+#         scheme: http
 #
 class psick (
 

manifests/jenkins.pp

@@ -1,26 +1,87 @@
-# @class jenkins
+# @class psick::jenkins
+# @summary Installs and configures Jenkins, also via SCM sync plugin
+# This profile can be used to install and configure Jenkins using
+# different modules.
 #
+# @param ensure If to install or remove jenkins (may not work on all
+# select modules).
+# @param module The module to use to install Jenkins. Default, 'psick',
+# uses local psick classes.
+# @param plugins An hash of Jenkins plugins to install.
+# @param init_options An hash of options to use in init scripts.
+# @param ssh_private_key_content The content of the ssh private key for the
+# jenkins user. It's used to connect scm_sync_repository_url.
+# @param ssh_public_key_content The content of the ssh public key for jenkins
+#   user. If set, also the private one must be set, and
+#   this public key has to be added on the GIT(hub/lab/...) web interface as
+#   deploy key for the scm_sync_repository_url with write access.
+# @param ssh_private_key_source The source of the ssh private key for the
+#   jenkins user. It's used to connect scm_sync_repository_url.
+#   This is alternative to ssh_private_key_content.
+# @param ssh_public_key_source The source of the ssh public key for jenkins
+#   user. This is alternative to ssh_public_key_content
+# @param ssh_keys_generate If to automaticallty generate a ssh keypair for
+#   the jenkins user to use to connect to scm_sync_repository_url or
+#   any other remote node via ssh.
+# @param scm_sync_repository_url The url of the git repo containing the Jenkins
+#   configurations synced via the scm-sync plugin
+# @param scm_sync_repository_host The hostname of the server which hosts the
+#   scm_sync_repository_url. If set a ssh config entry is added to ignore
+#   the hostkey verification
+# @param disable_setup_wizard If to (try) to disable the initial Jenkins
+#   setup wizard. Set this to true and define a $admin_password to disable
+#   it and set the admin password via Puppet
+# @param basic_security_template The template to use for the groovy script that sets
+#   the admin password.
+#
+# @example Install Jenkins and a pair of plugins
+#    psick::base::linux_classes:
+#      jenkins: psick::jenkins
+#    psick::jenkins::plugins:
+#      warnings:
+#        enable: true
+#      blueocean:
+#        enable: true
+#
+# @example Install Jenkins, configure scm plugin with predefined keys, set admin
+# password and disable initial Wizard
+#    psick::base::linux_classes:
+#      jenkins: psick::jenkins
+#    psick::jenkins::scm_sync_repository_url: [email protected]:alvagante/jenkins.foss.psick.io-scmsync.git
+#    psick::jenkins::disable_setup_wizard: true
+#    psick::jenkins::admin_password: 'example42'
+#    psick::jenkins::ssh_private_key_source: puppet:///modules/profile/jenkins/id_rsa
+#    psick::jenkins::ssh_public_key_source: puppet:///modules/profile/jenkins/id_rsa.pub
+#    psick::openssh::configs_hash:
+#      jenkins:
+#        path: /var/lib/jenkins/.ssh/config
+#        create_ssh_dir: false
+#        options_hash:
+#          Host github.com:
+#            StrictHostKeyChecking: no
+#            UserKnownHostsFile: /dev/null
 class psick::jenkins (
 
   Variant[Boolean,String]    $ensure     = 'present',
   Enum['psick']              $module     = 'psick',
-
   Hash                       $plugins    = {},
-
   Hash                       $init_options  = {},
+  String $home_dir                          = '/var/lib/jenkins',
 
   Optional[String] $ssh_private_key_content = undef,
   Optional[String] $ssh_public_key_content  = undef,
   Optional[String] $ssh_private_key_source  = undef,
   Optional[String] $ssh_public_key_source   = undef,
 
   Boolean $ssh_keys_generate                = false,
-  String $home_dir                          = '/var/lib/jenkins',
 
   Optional[String] $scm_sync_repository_url  = undef,
   Optional[String] $scm_sync_repository_host = undef,
 
   Boolean $disable_setup_wizard              = false,
+  String $basic_security_template            = 'psick/jenkins/basic-security.groovy.erb',
+  String $admin_password                     = '',
+
 ) {
 
   $java_args_extra = $disable_setup_wizard ? {
@@ -122,6 +183,11 @@
     include ::psick::jenkins::scm_sync
   }
 
+  # Disables host checking on scm_sync_repository_host for unattended
+  # setups. Be sure to have psick::openssh and psick::jenkins profiles
+  # in the same Psick phase (pre|base|profile) in order to avoid
+  # dependency loops.
+  # If not, set this via psick::openssh::configs_hash
   if $scm_sync_repository_host {
     psick::openssh::config { 'jenkins':
       path         => "${home_dir}/.ssh/config",
@@ -135,4 +201,22 @@
     }
   }
 
+  # Extra step to disable setup Wizard
+  if $admin_password != '' {
+    file { "${home_dir}/init.groovy.d":
+      ensure  => directory,
+      owner   => 'jenkins',
+      group   => 'jenkins',
+      require => Package['jenkins'],
+    }
+    tp::conf { 'jenkins::basic-security.groovy':
+      path    => "${home_dir}/init.groovy.d/basic-security.groovy",
+      content => template($basic_security_template),
+      mode    => '0640',
+      owner   => 'jenkins',
+      group   => 'jenkins',
+      before  => Service['jenkins'],
+    }
+  }
+
 }

manifests/jenkins/scm_sync.pp

@@ -1,19 +1,29 @@
 # @class psick::jenkins::scm_sync
 # @summary Installs and configures SCM Sync plugin
-# 
+# This class is automatically loaded if it's set
+# psick::jenkins::scm_sync_repository_url
+#
+# @param ensure If the enable or not the plugin
+# @param config_template Template to use for scm-sync-configuration.xml
+# @param repository_url Url of the git repo to sync where Jenkins configs
+#   are saved
+# @param service_reload_command Command to execute to trigger Jenkins reload
+#   Possible alternative: "curl -X POST http://127.0.0.1:8080/reload -u admin:\$(cat 'secrets/initialAdminPassword')"
+#   For details: https://github.com/jenkinsci/scm-sync-configuration-plugin/issues/44
 class psick::jenkins::scm_sync (
-
-  Variant[Boolean,String]    $ensure     = 'present',
-
+  Variant[Boolean,String] $ensure  = 'present',
   String $config_template = 'psick/jenkins/scm_sync/scm-sync-configuration.xml.erb',
-
+  String $jenkins_reload_command   = 'service jenkins force-reload',
   Optional[String] $repository_url = $::psick::jenkins::scm_sync_repository_url,
-
 ) {
 
   if !defined(Psick::Jenkins::Plugin['scm-sync-configuration']) {
+    $plugin_enable = $ensure ? {
+      'absent' => false,
+      default  => true,
+    }
     psick::jenkins::plugin { 'scm-sync-configuration':
-      exec_timeout => 120,
+      enable   => $plugin_enable,
     }
   }
   if $config_template != '' and $repository_url {
@@ -40,11 +50,9 @@
       notify  => Exec['jenkins_reload'],
     }
     exec { 'jenkins_reload' :
-      command     => 'service jenkins restart',
-      # command     => "curl -X POST http://127.0.0.1:8080/reload -u admin:\$(cat 'secrets/initialAdminPassword')",
+      command     => $jenkins_reload_command,
       cwd         => $::psick::jenkins::home_dir,
       require     => [ File["${::psick::jenkins::home_dir}/scm-sync-configuration.xml"], Service['jenkins'] ],
-      # user        => 'jenkins',
       refreshonly => true,
     }
   }

templates/jenkins/basic-security.groovy.erb

@@ -0,0 +1,16 @@
+#!groovy
+// From: https://github.com/geerlingguy/ansible-role-jenkins/issues/50
+import jenkins.model.*
+import hudson.security.*
+
+def instance = Jenkins.getInstance()
+
+println "--> creating local user 'admin'"
+
+def hudsonRealm = new HudsonPrivateSecurityRealm(false)
+hudsonRealm.createAccount('admin','<%= @admin_password %>')
+instance.setSecurityRealm(hudsonRealm)
+
+def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
+instance.setAuthorizationStrategy(strategy)
+instance.save()