Вообщем, пытаюсь сделать что-то простое, но странным образом.
Есть Salt stack для автоматизации, для него есть формулы для Дженкинса и Апача:
https://github.com/salt-formulas/salt-formula-jenkins
https://github.com/saltstack-formulas/apache-formula
Всё это работает на Redhat Linux 7.9
Я могу установить всё и скопировать что нужно куда нужно. Проблема в том, что почему-то, не получается
а) весь HTTP перебрасывать на HTTPS Апачем
б) Закрыть Дженкинс от остального мира и перебрасывать на его порт с Апача
salt/top.sls
base:
'*':
- jenkins_installation
jenkins_installation.sls
# sudo mkdir -p /srv/salt/keystore&&sudo keytool -genkey -alias localhost -keyalg RSA -dname 'CN=localhost, OU=UK, O=UK, C=UK, ST=LON, L=WESTMINSTER' -storepass myTest12 -validity 365 -keystore /srv/salt/keystore/keystore.jks -keypass myTest12 -deststoretype pkcs12&&sudo chown -R jenkins:jenkins /srv/salt/keystore/keystore.jks
{{ pillar["jenkins"]["lookup"]["home"] + "/keystore:" }}
file.recurse:
- source: salt://keystore
- include_empty: False
- order: 1
# TODO: chown to jenkins:jenkins
# sudo mkdir -p /srv/salt/ssl&&sudo openssl genrsa -out /srv/salt/ssl/key.pem&&sudo openssl req -new -key /srv/salt/ssl/key.pem -out /srv/salt/ssl/csr.pem -subj '/CN=localhost/OU=UK/O=UK/C=UK/ST=LON/L=WESTMINSTER'&&sudo openssl x509 -req -days 9999 -in /srv/salt/ssl/csr.pem -signkey /srv/salt/ssl/key.pem -out /srv/salt/ssl/cert.pem
{{ pillar["jenkins"]["lookup"]["home"] + "/init.d:" }}
file.recurse:
- source: salt://init
- include_empty: True
- order: 2
copy_jenkins_configs:
file.recurse:
- name: {{ pillar["jenkins"]["lookup"]["home"] }}
- source: salt://config
- order: 3
java-install:
pkg.installed:
- pkgs:
- java-1.8.0-openjdk
- order: 4
'sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm':
cmd.run:
- order: 5
# sudo mkdir -p 777 /etc/httpd/conf&&sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/conf/server.key -out /etc/httpd/conf/server.crt -subj '/CN=localhost/OU=UK/O=UK/C=UK/ST=LON/L=WESTMINSTER'
'/etc/httpd/conf':
file.recurse:
- source: salt://apache/conf
- include_empty: True
- order: 6
'sudo yum install -y deltarpm':
cmd.run:
- order: 7
include:
- jenkins
- jenkins.cli
- jenkins.plugins
- apache
pillar/jenkins.sls
jenkins:
lookup:
stable: False
jenkins_port: 8080
home: /var/lib/jenkins
user: jenkins
group: jenkins
java_args: -Djenkins.install.runSetupWizard=false
master_url: http://127.0.0.1:8080
cli:
connection_mode: ssh
ssh_user: ssh_user
# Plugins
plugins:
installed:
- git
- rebuild
- ssh
pillar/apache.sls
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
apache:
lookup:
master: template-master
# apache version (generally '2.2' or '2.4')
# version: '2.2'
# Default value for AddDefaultCharset in RedHat configuration
default_charset: 'UTF-8'
# Should we enforce DocumentRoot user/group?
document_root_user: null # Defaults to: apache.user
document_root_group: null # Defaults to: apache.group
global:
# global apache directives
AllowEncodedSlashes: 'On'
name_virtual_hosts:
- interface: '*'
port: 80
- interface: '*'
port: 443
sites:
# Force SSL: Redirect from 8080 to 443
localhost_8080:
port: 8080
template_file: salt://apache/vhosts/redirect.tmpl
RedirectSource: 'permanent /'
# Trailing slash is important
RedirectTarget: 'https://localhost/'
# Force SSL: Redirect from 80 to 443
localhost_80:
port: 80
template_file: salt://apache/vhosts/redirect.tmpl
RedirectSource: 'permanent /'
# Trailing slash is important
RedirectTarget: 'https://127.0.0.1/'
localhost_ssl_proxy:
port: 443
ServerName: localhost
SSLCertificateFile: /etc/httpd/conf/server.crt
SSLCertificateKeyFile: /etc/httpd/conf/server.key
ProxyRequests: 'Off'
ProxyPreserveHost: 'On'
AllowEncodedSlashes: 'NoDecode'
ProxyRoute:
jenkins_proxy_route:
ProxyPassSource: '/'
ProxyPassTarget: 'http://127.0.0.1:8080/'
ProxyPassTargetOptions: 'nocanon connectiontimeout=10 timeout=90'
ProxyPassReverseSource: '/'
ProxyPassReverseTarget: 'https://127.0.0.1:8080/'
modules:
enabled: # List modules to enable
- ssl
- prefork
- rewrite
- proxy
- proxy_http
- proxy_ajp
- proxy_html
- headers
# geoip
- status
- logio
- dav
- dav_fs
- dav_lock
- auth_digest
- socache_shmcb
- watchdog
- xml2enc
- ldap
disabled: # List modules to disable
- geoip
flags:
enabled: # List server flags to enable
- SSL
disabled: # List server flags to disable
- status
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
keepalive: 'On'
TimeOut: 60 # software default is 60 seconds
security:
# can be Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens: Prod
salt/init содержит груви скрипты для инициализации Дженкинса
#!groovy
import jenkins.model.*
import hudson.security.*
def env = System.getenv()
def jenkins = Jenkins.getInstance()
if(!(jenkins.getSecurityRealm() instanceof HudsonPrivateSecurityRealm))
jenkins.setSecurityRealm(new HudsonPrivateSecurityRealm(false))
if(!(jenkins.getAuthorizationStrategy() instanceof GlobalMatrixAuthorizationStrategy))
jenkins.setAuthorizationStrategy(new GlobalMatrixAuthorizationStrategy())
# SSH_User
def user = jenkins.getSecurityRealm().createAccount('ssh_user', new File('/var/lib/jenkins/secrets/initialAdminPassword').text)
user.save()
jenkins.getAuthorizationStrategy().add(jenkins.ADMINISTER, 'ssh_user')
# Admin
def hudsonRealm = new HudsonPrivateSecurityRealm(false)
hudsonRealm.createAccount('admin','admin')
jenkins.setSecurityRealm(hudsonRealm)
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
jenkins.setAuthorizationStrategy(strategy)
jenkins.save()
#!groovy
import jenkins.model.*
import hudson.util.*;
import jenkins.install.*;
def instance = Jenkins.getInstance()
instance.setInstallState(InstallState.INITIAL_SETUP_COMPLETED)
Вопрос. Что тут неправильно и почему а) и б) не работают? Самое интересное, что а) в какой-то момент работало, но перестало.