Jenkins за Апачем по HTTPS и всё это в соли
От: Ватакуси Россия  
Дата: 17.11.20 10:16
Оценка:
Вообщем, пытаюсь сделать что-то простое, но странным образом.

Есть Salt stack для автоматизации, для него есть формулы для Дженкинса и Апача:
https://github.com/salt-formulas/salt-formula-jenkins
https://github.com/saltstack-formulas/apache-formula

Всё это работает на Redhat Linux 7.9

Я могу установить всё и скопировать что нужно куда нужно. Проблема в том, что почему-то, не получается
а) весь HTTP перебрасывать на HTTPS Апачем
б) Закрыть Дженкинс от остального мира и перебрасывать на его порт с Апача

salt/top.sls
base:
  '*':
    - jenkins_installation


jenkins_installation.sls
# sudo mkdir -p /srv/salt/keystore&&sudo keytool -genkey -alias localhost -keyalg RSA -dname 'CN=localhost, OU=UK, O=UK, C=UK, ST=LON, L=WESTMINSTER' -storepass myTest12 -validity 365 -keystore /srv/salt/keystore/keystore.jks -keypass myTest12 -deststoretype pkcs12&&sudo chown -R jenkins:jenkins /srv/salt/keystore/keystore.jks
{{ pillar["jenkins"]["lookup"]["home"] + "/keystore:" }}
    file.recurse:
        - source: salt://keystore
        - include_empty: False
        - order: 1

# TODO: chown to jenkins:jenkins
# sudo mkdir -p /srv/salt/ssl&&sudo openssl genrsa -out /srv/salt/ssl/key.pem&&sudo openssl req -new -key /srv/salt/ssl/key.pem -out /srv/salt/ssl/csr.pem -subj '/CN=localhost/OU=UK/O=UK/C=UK/ST=LON/L=WESTMINSTER'&&sudo openssl x509 -req -days 9999 -in /srv/salt/ssl/csr.pem -signkey /srv/salt/ssl/key.pem -out /srv/salt/ssl/cert.pem
{{ pillar["jenkins"]["lookup"]["home"] + "/init.d:" }}
    file.recurse:
        - source: salt://init
        - include_empty: True
        - order: 2

copy_jenkins_configs:
  file.recurse:
    - name: {{ pillar["jenkins"]["lookup"]["home"] }} 
    - source: salt://config
    - order: 3

java-install:
  pkg.installed:
    - pkgs:
        - java-1.8.0-openjdk
    - order: 4

'sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm':
    cmd.run:
        - order: 5

# sudo mkdir -p 777 /etc/httpd/conf&&sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/conf/server.key -out /etc/httpd/conf/server.crt -subj '/CN=localhost/OU=UK/O=UK/C=UK/ST=LON/L=WESTMINSTER'
'/etc/httpd/conf':
    file.recurse:
        - source: salt://apache/conf
        - include_empty: True
        - order: 6

'sudo yum install -y deltarpm':
    cmd.run:
        - order: 7     

include:
  - jenkins
  - jenkins.cli
  - jenkins.plugins
  - apache


pillar/jenkins.sls
jenkins:
  lookup:
    stable: False
    jenkins_port: 8080
    home: /var/lib/jenkins
    user: jenkins
    group: jenkins
    java_args: -Djenkins.install.runSetupWizard=false
    master_url: http://127.0.0.1:8080
    cli:
        connection_mode: ssh
        ssh_user: ssh_user

    # Plugins
    plugins:
      installed:
        - git
        - rebuild
        - ssh


pillar/apache.sls
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
apache:
  lookup:
    master: template-master

    # apache version (generally '2.2' or '2.4')
    # version: '2.2'

    # Default value for AddDefaultCharset in RedHat configuration
    default_charset: 'UTF-8'

    # Should we enforce DocumentRoot user/group?
    document_root_user: null   # Defaults to: apache.user
    document_root_group: null  # Defaults to: apache.group

  global:
    # global apache directives
    AllowEncodedSlashes: 'On'

  name_virtual_hosts:
    - interface: '*'
      port: 80
    - interface: '*'
      port: 443

  sites:
    # Force SSL: Redirect from 8080 to 443
    localhost_8080:
      port: 8080
      template_file: salt://apache/vhosts/redirect.tmpl
      RedirectSource: 'permanent /'
      # Trailing slash is important
      RedirectTarget: 'https://localhost/'

    # Force SSL: Redirect from 80 to 443
    localhost_80:
      port: 80
      template_file: salt://apache/vhosts/redirect.tmpl
      RedirectSource: 'permanent /'
      # Trailing slash is important
      RedirectTarget: 'https://127.0.0.1/'
      
    localhost_ssl_proxy:
      port: 443
      ServerName: localhost
      SSLCertificateFile: /etc/httpd/conf/server.crt
      SSLCertificateKeyFile: /etc/httpd/conf/server.key

      ProxyRequests: 'Off'
      ProxyPreserveHost: 'On'
      AllowEncodedSlashes: 'NoDecode'

      ProxyRoute:
        jenkins_proxy_route:
          ProxyPassSource: '/'
          ProxyPassTarget: 'http://127.0.0.1:8080/'
          ProxyPassTargetOptions: 'nocanon connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/'
          ProxyPassReverseTarget: 'https://127.0.0.1:8080/'

  modules:
    enabled:   # List modules to enable
      - ssl
      - prefork
      - rewrite
      - proxy
      - proxy_http
      - proxy_ajp
      - proxy_html
      - headers
      # geoip
      - status
      - logio
      - dav
      - dav_fs
      - dav_lock
      - auth_digest
      - socache_shmcb
      - watchdog
      - xml2enc
      - ldap
    disabled:  # List modules to disable
      - geoip

  flags:
    enabled:   # List server flags to enable
      - SSL
    disabled:  # List server flags to disable
      - status

  # KeepAlive: Whether or not to allow persistent connections (more than
  # one request per connection). Set to "Off" to deactivate.
  keepalive: 'On'

  TimeOut: 60  # software default is 60 seconds

  security:
    # can be Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    ServerTokens: Prod


salt/init содержит груви скрипты для инициализации Дженкинса
#!groovy

import jenkins.model.*
import hudson.security.*

def env = System.getenv()

def jenkins = Jenkins.getInstance()
if(!(jenkins.getSecurityRealm() instanceof HudsonPrivateSecurityRealm))
    jenkins.setSecurityRealm(new HudsonPrivateSecurityRealm(false))

if(!(jenkins.getAuthorizationStrategy() instanceof GlobalMatrixAuthorizationStrategy))
    jenkins.setAuthorizationStrategy(new GlobalMatrixAuthorizationStrategy())

# SSH_User
def user = jenkins.getSecurityRealm().createAccount('ssh_user', new File('/var/lib/jenkins/secrets/initialAdminPassword').text)
user.save()
jenkins.getAuthorizationStrategy().add(jenkins.ADMINISTER, 'ssh_user')

# Admin
def hudsonRealm = new HudsonPrivateSecurityRealm(false)
hudsonRealm.createAccount('admin','admin')
jenkins.setSecurityRealm(hudsonRealm)
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
jenkins.setAuthorizationStrategy(strategy)

jenkins.save()


#!groovy

import jenkins.model.*
import hudson.util.*;
import jenkins.install.*;

def instance = Jenkins.getInstance()

instance.setInstallState(InstallState.INITIAL_SETUP_COMPLETED)



Вопрос. Что тут неправильно и почему а) и б) не работают? Самое интересное, что а) в какой-то момент работало, но перестало.
Коо иу-то дзиман-о суру ё-ни наримас га...
 
Подождите ...
Wait...
Пока на собственное сообщение не было ответов, его можно удалить.