Few additions to secure jenkins and add relevant packages (#110)

Signed-off-by: Sayali Gaikawad <gaiksaya@amazon.com>
opensearch-project · Apr 25, 2022 · 1770594 · 1770594
1 parent 5c1a81c
commit 1770594
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -64,7 +64,7 @@ OpenSearch Continuous Integration is an open source CI system for OpenSearch and
    
    `npm run cdk deploy OpenSearch-CI-Dev -- -c useSsl=false -c runWithOidc=false`
  
-1. Jenkins logs in directly as admin. You do need any credentials to log into.
+1. When OIDC is disabled, this set up will enforce the user to secure jenkins by adding first admin user on deployment. Create admin user and password, fill in all other details like name and email id to start using jenkins.
 1. Go to the `OpenSearch-CI-Dev.JenkinsExternalLoadBalancerDns` url returned by CDK output to access the jenkins host.
 1. If you want to destroy the stack make sure you delete the agent nodes manually (via jenkins UI or AWS console) so that shared resources (like vpc, security groups, etc) can be deleted.
 

diff --git a/lib/compute/jenkins-main-node.ts b/lib/compute/jenkins-main-node.ts
@@ -225,6 +225,7 @@ export class JenkinsMainNode {
       InitPackage.yum('python3'),
       InitPackage.yum('python3-pip.noarch'),
       InitCommand.shellCommand('pip3 install docker-compose && ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose'),
+      InitCommand.shellCommand('pip3 install botocore'),
       // eslint-disable-next-line max-len
       InitCommand.shellCommand('sudo wget -nv https://github.com/mikefarah/yq/releases/download/v4.22.1/yq_linux_amd64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq'),
       InitCommand.shellCommand('python3 -m pip install --upgrade pip && python3 -m pip install cryptography boto3 requests-aws4auth'),
@@ -359,8 +360,8 @@ export class JenkinsMainNode {
       InitCommand.shellCommand('systemctl start docker && docker-compose up -d'),
 
       // Commands are fired one after the other but it does not wait for the command to complete.
-      // Therefore, sleep 60 seconds to wait for jenkins to start
-      InitCommand.shellCommand('sleep 60'),
+      // Therefore, sleep 90 seconds to wait for jenkins to start
+      InitCommand.shellCommand('sleep 90'),
 
       // Download jenkins-cli from the local machine
       InitCommand.shellCommand('wget -O "jenkins-cli.jar" http://localhost:8080/jnlpJars/jenkins-cli.jar'),

diff --git a/resources/baseJenkins.yaml b/resources/baseJenkins.yaml
@@ -20,6 +20,18 @@ jenkins:
   remotingSecurity:
     enabled: true
   scmCheckoutRetryCount: 0
+  securityRealm:
+    local:
+      allowsSignup: false
+      enableCaptcha: false
+      users:
+      - id: "admin"
+        name: "admin"
+        properties:
+        - "apiToken"
+        - preferredProvider:
+            providerId: "default"
+        - "loginDetailsProperty"
   slaveAgentPort: 50000
   updateCenter:
     sites:

diff --git a/test/compute/jenkins-main-node.test.ts b/test/compute/jenkins-main-node.test.ts
@@ -25,7 +25,7 @@ describe('JenkinsMainNode Config Elements', () => {
 
   // THEN
   test('Config elements expected counts', async () => {
-    expect(configElements.filter((e) => e.elementType === 'COMMAND')).toHaveLength(17);
+    expect(configElements.filter((e) => e.elementType === 'COMMAND')).toHaveLength(18);
     expect(configElements.filter((e) => e.elementType === 'PACKAGE')).toHaveLength(10);
     expect(configElements.filter((e) => e.elementType === 'FILE')).toHaveLength(4);
   });