From 540e5f5c19bcee3ca0a5a20c37f4015750c24db9 Mon Sep 17 00:00:00 2001
From: Trevor Bramwell
Date: Tue, 26 Feb 2019 15:34:20 -0800
Subject: [PATCH] Fix Jenkins Credentials

The new version of Jenkins no longer allows SSH credentials to come from the master filesystem, so instead they are uploaded using the jenkins-cli.jar. An initial credential setting is created when Jenkins starts with the private key added later.
Change-Id: Id4e80625cca06a5047f592c58ee6bae1b698228a
Signed-off-by: Trevor Bramwell
---
 init/Dockerfile | 1 +
 init/playbooks/site.yaml | 5 ++++-
 init/playbooks/tasks/jenkins.yaml | 22 ++++++++++++++++++++++
 init/playbooks/templates/jenkins-credentials.xml | 9 +++++++++
 init/playbooks/vars/default.yaml | 4 ++++
 jenkins/scripts/20_create-jenkins-agent.groovy | 4 +---
 6 files changed, 41 insertions(+), 4 deletions(-)
 create mode 100644 init/playbooks/templates/jenkins-credentials.xml
diff --git a/init/Dockerfile b/init/Dockerfile
index 9ba2891..b8fdce0 100644
--- a/init/Dockerfile
+++ b/init/Dockerfile
@@ -13,6 +13,7 @@ ENV CI_SYSTEM=jenkins
 ENV ANSIBLE_STDOUT_CALLBACK=yaml
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -yq \
+ openjdk-8-jdk \
 python3-apt \
 && apt-get clean
 RUN pip install --no-cache-dir ansible docker-py
diff --git a/init/playbooks/site.yaml b/init/playbooks/site.yaml
index 5b7a982..60b8a8b 100644
--- a/init/playbooks/site.yaml
+++ b/init/playbooks/site.yaml
@@ -23,13 +23,16 @@
 method: 'POST'
 body: "username=workshop&password=workshop"
 status_code: 302
+ - name: Remove ssh-rsa from sshkey
+ set_fact:
+ workshop_ssh_key_modified: "{{ lookup('file', '{{ workshop_ssh_keyfile }}.pub') }}"
 - name: Upload sshkey to Admin user
 uri:
 url: 'http://gerrit:8080/a/accounts/self/sshkeys'
 method: 'POST'
 user: 'workshop'
 password: 'workshop'
- body: "{{ lookup('file', '{{ workshop_ssh_keyfile }}.pub') }}"
+ body: "{{ workshop_ssh_key_modified }}"
 status_code: 201
 - name: Wait for Gerrit SSH Interface
 wait_for:
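Review bot: The added `openjdk-8-jdk \` line in init/Dockerfile pulls in the full JDK, although the only Java use visible in this patch is `java -jar jenkins-cli.jar`, which needs a runtime and no compiler. Assuming the base image's distribution packages it, `openjdk-8-jre-headless \` would keep the init image smaller and leave fewer tools in it. The RUN instruction itself is context here and starts before the changed line.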
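Review bot: The task name `Remove ssh-rsa from sshkey` in init/playbooks/site.yaml does not match what the added `set_fact` does: it stores the unmodified contents of the `.pub` file in `workshop_ssh_key_modified`, and nothing visible in the hunk strips an `ssh-rsa` prefix. Either rename the task and the fact to say what they hold, e.g. `- name: Read workshop public key`, or add the intended transformation so the uploaded value is really the modified one. The lookup also nests `{{ }}` inside a Jinja expression; `lookup('file', workshop_ssh_keyfile ~ '.pub')` avoids relying on nested templating. The play continues outside the hunk.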
diff --git a/init/playbooks/tasks/jenkins.yaml b/init/playbooks/tasks/jenkins.yaml
index 4157107..7302089 100644
--- a/init/playbooks/tasks/jenkins.yaml
+++ b/init/playbooks/tasks/jenkins.yaml
@@ -9,6 +9,28 @@
 uid: 1000
 ssh_key_bits: 2048
 ssh_key_file: '{{ jenkins_ssh_keyfile }}'
+- name: Set Jenkins Workshop SSH Key fact
+ set_fact:
+ credentials_sshkey: "{{ lookup('file', jenkins_ssh_keyfile) }}"
+- name: Put down Jenkins Credential template
+ template:
+ src: jenkins-credentials.xml
+ dest: /jenkins/jenkins-credentials.xml
+- name: Install Jenkins CLI
+ get_url:
+ url: 'http://jenkins:8080/jnlpJars/jenkins-cli.jar'
+ dest: /jenkins/jenkins-cli.jar
+- name: Add Workshop Credentials to Jenkins
+ environment:
+ JENKINS_URL: http://jenkins:8080/
+ JENKINS_USER_ID: workshop
+ JENKINS_API_TOKEN: workshop
+ shell: |
+ cat jenkins-credentials.xml | java -jar jenkins-cli.jar -http \
+ update-credentials-by-xml "system::system::jenkins" "(global)" \
+ "{{ credentials_id }}"
+ args:
+ chdir: '/jenkins'
 - name: Wait for Gerrit SSH Interface
 wait_for:
 host: 'gerrit'
diff --git a/init/playbooks/templates/jenkins-credentials.xml b/init/playbooks/templates/jenkins-credentials.xml
new file mode 100644
index 0000000..b9a650d
--- /dev/null
+++ b/init/playbooks/templates/jenkins-credentials.xml
@@ -0,0 +1,9 @@
+
+ GLOBAL
+ {{credentials_id}}
+ {{credentials_description}}
+ {{credentials_username}}
+
+ {{credentials_sshkey}}
+
+
diff --git a/init/playbooks/vars/default.yaml b/init/playbooks/vars/default.yaml
index a95e792..d39b84a 100644
--- a/init/playbooks/vars/default.yaml
+++ b/init/playbooks/vars/default.yaml
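Review bot: The `Put down Jenkins Credential template` task in init/playbooks/tasks/jenkins.yaml renders the SSH private key into `/jenkins/jenkins-credentials.xml` without a `mode:`, and no later task in the hunk removes the file, so the key stays on disk with default permissions after the upload. The `set_fact` and `template` tasks also lack `no_log: true`, so verbose or diff output may print the key material. `JENKINS_API_TOKEN: workshop` is a literal that appears to reuse the account password; taking it from a variable would make it easier to change outside the workshop. The sketch below adds the file mode, the `no_log` flags and a cleanup task after the CLI call.
```yaml
# … unchanged: Set Jenkins Workshop SSH Key fact (name, set_fact body) …
  no_log: true
- name: Put down Jenkins Credential template
  template:
    # … unchanged: src, dest …
    mode: '0600'
  no_log: true
# … unchanged: Install Jenkins CLI, Add Workshop Credentials to Jenkins …
- name: Remove rendered Jenkins credential file
  file:
    path: /jenkins/jenkins-credentials.xml
    state: absent
```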
@@ -9,3 +9,7 @@ ssh_options: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
 global_jjb_version: "{{ lookup('env', 'GLOBAL_JJB_VERSION') | default('v0.19.2', true) }}"
 global_jjb_url: https://github.com/lfit/releng-global-jjb
 jjb_version: "{{ lookup('env', 'JJB_VERSION') | default('2.0.3', true) }}"
+
+credentials_id: ciworkshop-jenkins-ssh
+credentials_username: jenkins-workshop
+credentials_description: Gerrit user
diff --git a/jenkins/scripts/20_create-jenkins-agent.groovy b/jenkins/scripts/20_create-jenkins-agent.groovy
index 207cebc..65093b8 100644
--- a/jenkins/scripts/20_create-jenkins-agent.groovy
+++ b/jenkins/scripts/20_create-jenkins-agent.groovy
@@ -62,8 +62,6 @@ QxR/mcboAaX1EvMLTjeFqDC5XK6gwC67s0H0p2gC91e6hzQs5Qb7M7g7LqD28YEW
 Tja198bt428xTsjxxffuhekDQt8hbEO6RJFJPxhHQIWVo8708lWj
 -----END RSA PRIVATE KEY-----""")
-def private_key_on_master = new BasicSSHUserPrivateKey.UsersPrivateKeySource();
-
 // Credentials for connecting to an SSH Jenkins Agent
 def jenkins_agent_credentials = new BasicSSHUserPrivateKey(
 CredentialsScope.GLOBAL,
@@ -80,7 +78,7 @@ def gerrit_credentials = new BasicSSHUserPrivateKey(
 CredentialsScope.GLOBAL,
 "ciworkshop-jenkins-ssh", // ID
 "jenkins-workshop", // username
- private_key_on_master,
+ null,
 null, // password
 "Gerrit User" // description
 )
--
2.16.6
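Review bot: Passing `null` as the private-key source in the second groovy hunk creates `ciworkshop-jenkins-ssh` with no key, and nothing in the script says why or reports it if the later CLI upload never runs. A comment on that line would record the dependency: `null, // private key uploaded later via jenkins-cli (init/playbooks/tasks/jenkins.yaml)`. The ID and username literals here must stay equal to `credentials_id` and `credentials_username` added in init/playbooks/vars/default.yaml; a mismatch would presumably make `update-credentials-by-xml` miss the credential. The context lines of the first hunk also show the tail of an RSA private key still embedded in this script, which the commit leaves in place. Both constructor calls start or end outside the hunks.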