Add a conclusion/todo-list

+ more generic on the gitea username + several corrections
2020-01-18 23:48:17 +01:00 · 2020-01-18 23:48:17 +01:00 · 8e132c1633
commit 8e132c1633
parent 12d4943e45
9 changed files with 62 additions and 17 deletions
--- a/roles/jenkins-php-v1/defaults/main.yml
+++ b/roles/jenkins-php-v1/defaults/main.yml
@ -1,12 +1,21 @@
 ---

 jenkins_home: /var/lib/jenkins
-jenkins_cli_jar_location: /var/cache/jenkins/war/WEB-INF/jenkins-cli.jar
 #jenkins_updates_url:
 #jenkins_plugins_install_dependencies:
+# Where to find the 'admin' password
 jenkins_admin_password_file: "{{ jenkins_home }}/secrets/initialAdminPassword"
+# Where to find/generate the 'gitea' password which will be used
+# by Gitea to push the webhook on the notifyCommit URL
 jenkins_gitea_password_file: "{{ jenkins_home }}/secrets/giteaAnsiblePassword"
+# Jenkin's username dedicated to launch the jobs via the webhook
+giteaUsername: gitea
+
+jenkins_cli_jar_location: /var/cache/jenkins/war/WEB-INF/jenkins-cli.jar
 jenkins_cli_command: java -jar "{{ jenkins_cli_jar_location }}" -s http://localhost:8080/  -auth admin:$( cat "{{ jenkins_admin_password_file | quote }}" )
+
+# Id of the SSH key used to clone/pull from the repository
+# and eventually to connect to the deploy host
 jenkins_credential_keyid: deploykey1
 jenkins_credential_keydesc: Deploy key n.1

@ -23,6 +32,7 @@ nginx_vhost_ssl:

 jenkins_plugins:
  - credentials
+  - git
  - git-client
  - ssh
  - ant
--- a/roles/jenkins-php-v1/tasks/10_jenkins-repository.yml
+++ b/roles/jenkins-php-v1/tasks/10_jenkins-repository.yml
@ -1,6 +1,11 @@
 ---

 # Add Jenkins repository for Debian
+- name: Install GPG - needed to add the repository key
+  apt:
+    name:
+      - gpg
+    state: present
 - name: Add Jenkins-stable.io repository key
  apt_key:
    id: "150FDE3F7787E7D11EF4E12A9B7D32F2D50582E6"
--- a/roles/jenkins-php-v1/tasks/20_install-plugins.yml
+++ b/roles/jenkins-php-v1/tasks/20_install-plugins.yml
@ -44,7 +44,7 @@
  when: item not in current_plugin_list.stdout_lines
  notify: safe-restart jenkins and wait

- name: Install system package needed by Jenkins plugins
+- name: Install system packages needed by Jenkins plugins
  apt:
    name: "{{ jenkins_plugins_system_dependency }}"
    state: present
--- a/roles/jenkins-php-v1/tasks/30_users.yml
+++ b/roles/jenkins-php-v1/tasks/30_users.yml
@ -11,12 +11,26 @@

 - name: Generate a password for the Gitea user
  set_fact:
-    giteaPassword: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
+    giteaPassword: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"  # preferably no colons in password, for HTTP's URL simplicity
  when: createGiteaUser
+  no_log: yes

- name: Create Gitea user
-  shell: echo 'jenkins.model.Jenkins.instance.securityRealm.createAccount("gitea", "{{ giteaPassword | quote }}")' | "{{ jenkins_cli_command }}" groovy =
+- name: Retrieve the password for the post_install message
+  slurp:
+    src: "{{ jenkins_gitea_password_file }}"
+  register: tmp
+  when: not createGiteaUser
+  no_log: yes
+- name: Set the password as a fact
+  set_fact:
+    giteaPassword: "{{ tmp.content | b64decode | trim }}"
+  when: not createGiteaUser
+  no_log: yes
+
+- name: Create webhook dedicated user
+  shell: echo 'jenkins.model.Jenkins.instance.securityRealm.createAccount("{{ giteaUsername | quote }}", "{{ giteaPassword | quote }}")' | {{ jenkins_cli_command }} groovy =
  when: createGiteaUser
+  no_log: yes

 - name: Upload the new password
  copy:
@ -26,4 +40,6 @@
    group: jenkins
    mode: 0600
  when: createGiteaUser
-  #no_log: yes  # FIXME: actually, we want to know it to tell the user to set a URL with it in Gitea. Add a debug msg maybe ?
+  # Note : We still need a way to tell the user how to be authenticated for the webhook.
+  #        For the time being, we store it here and display it at the end of the playbook.
+  no_log: yes
--- a/roles/jenkins-php-v1/tasks/40_configure-jenkins.yml
+++ b/roles/jenkins-php-v1/tasks/40_configure-jenkins.yml
@ -59,15 +59,10 @@
  #become_user: jenkins  # permission denied
  #become: yes
  register: result
- name: Retrieve the SSH private key
+- name: Retrieve the SSH public key
  slurp:
    src: "{{ jenkins_home }}/.ssh/id_rsa.pub"
-  register: tmp
-  when: result.changed
- name: Ouput public key
-  debug:
-    msg: "Don't forget to set the public key on the Git repository and the deploy target : {{ tmp.content | b64decode | trim }}"
-  when: result.changed
+  register: jenkins_ssh_public_key

 # Upload this new key to the Jenkins credentials plugin system
 # (the create/update/import-credential-as-xml is kinda cumbersome for our
--- a/roles/jenkins-php-v1/tasks/90_conclusion.yml
+++ b/roles/jenkins-php-v1/tasks/90_conclusion.yml
@ -0,0 +1,10 @@
+---
+
+# Display the tasks that still need to be done manually
+- name: Add intro to conclusion
+  set_fact:
+    jenkins_post_install: "{{ [ 'For host ' + ansible_fqdn + ', please check :', '- SSH public key : ' +  jenkins_ssh_public_key.content|b64decode|trim ] + jenkins_post_install|default([]) }}"
+
+- name: Please check the following
+  debug:
+    var: jenkins_post_install
--- a/roles/jenkins-php-v1/tasks/include_jobinstall.yml
+++ b/roles/jenkins-php-v1/tasks/include_jobinstall.yml
@ -26,3 +26,9 @@
 - name: Reload the job
  shell: "{{ jenkins_cli_command }} reload-job {{ job.key | quote }}"
  when: jobconfig.changed
+
+- name : Add info for the manual todo list at the end
+  set_fact:
+    jenkins_post_install: |-
+      {{ jenkins_post_install|default([]) + [ "- in project '" + job.key + "', add webhook '" + nginx_vhost_ssl|ternary('https', 'http') + '://' + giteaUsername + ':' + giteaPassword + '@' + nginx_vhost_main_hostname + '/git/notifyCommit?url=' + job.value.repository_url ] }}
+  when: job.value.repository_url is defined
--- a/roles/jenkins-php-v1/tasks/main.yml
+++ b/roles/jenkins-php-v1/tasks/main.yml
@ -24,3 +24,6 @@
 - include_tasks: roles/jenkins-php-v1/tasks/50_create-jobs.yml

 - include_tasks: roles/jenkins-php-v1/tasks/60_install-nginx-proxy.yml
+
+# Display the list of things to manually check (wekhooks, ssh keys, etc.)
+- include_tasks: roles/jenkins-php-v1/tasks/90_conclusion.yml
--- a/roles/jenkins-php-v1/templates/config.xml.j2
+++ b/roles/jenkins-php-v1/templates/config.xml.j2
@ -20,18 +20,18 @@
    <permission>hudson.model.Computer.Disconnect:admin</permission>
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:admin</permission>
-    <permission>hudson.model.Hudson.Read:gitea</permission>
+    <permission>hudson.model.Hudson.Read:{{ giteaUsername }}</permission>
    <permission>hudson.model.Item.Build:admin</permission>
-    <permission>hudson.model.Item.Build:gitea</permission>
+    <permission>hudson.model.Item.Build:{{ giteaUsername }}</permission>
    <permission>hudson.model.Item.Cancel:admin</permission>
    <permission>hudson.model.Item.Configure:admin</permission>
    <permission>hudson.model.Item.Create:admin</permission>
    <permission>hudson.model.Item.Delete:admin</permission>
    <permission>hudson.model.Item.Discover:admin</permission>
    <permission>hudson.model.Item.Read:admin</permission>
-    <permission>hudson.model.Item.Read:gitea</permission>
+    <permission>hudson.model.Item.Read:{{ giteaUsername }}</permission>
    <permission>hudson.model.Item.Workspace:admin</permission>
-    <permission>hudson.model.Item.Workspace:gitea</permission>
+    <permission>hudson.model.Item.Workspace:{{ giteaUsername }}</permission>
    <permission>hudson.model.Run.Delete:admin</permission>
    <permission>hudson.model.Run.Update:admin</permission>
    <permission>hudson.model.View.Configure:admin</permission>