An Ansible project to manage the Digital Marketplace Jenkins instance.
We use Jenkins job builder for managing jobs.
The infrastructure that Jenkins runs on is now managed via our Terraform code, found in the digitalmarketplace-aws repo.
To make changes to Jenkins configuration or jobs, you will need:
- The
DM_CREDENTIALS_REPO
environment variable to be set to your credentials repo path (e.g. in your bash profile) - GDS network or VPN access
The Ansible tasks are grouped by tags. See playbooks/roles/jenkins/tasks/main.yml
. Use make jenkins TAGS=your_tag_here
to run a particular set of tagged tasks.
All job definitions will be updated automaticaly when merged to main
. This is perfomed by the job_definitions/update_jenkins_job_definitions.yml
job.
If you need to test a job from a branch or deploy manually you can run the commands below from your local machine:
To update all job definitions (i.e. run the Ansible tasks tagged as jobs
):
$ make jobs
To only update a specific Jenkins job:
$ make jobs JOBS=index_services
Usually, the Jenkins jobs you push onto the server will be enabled. However if you're setting up a new box, you will want to disable them, which can be done as follows:
$ make jobs JOBS_DISABLED=true
Jobs will also be disabled if you are bootstrapping the box from scratch (i.e. if the bootstrap
tag is used, or if no tags are specified).
Note that these commands involve restarting Jenkins - make sure Jenkins is put into shutdown mode before running them.
To update Jenkins settings (e.g. adding a job to a tab group in the UI):
$ make reconfigure
To upgrade the Jenkins version:
$ make upgrade
If you encounter Python 3.x/OpenSSL errors when running the Ansible playbooks, try the following from within your Python3 virtualenv:
$ pip install certifi
$ export SSL_CERT_FILE=venv/lib/python3.8/site-packages/certifi/cacert.pem
If you still get a certificate error, try:
$ open /Applications/Python\ 3.8/Install\ Certificates.command
You need a private key file, a username (always 'ubuntu'), and the hostname. You need to be connected to the VPN or corporate network.
ssh -i [path/to/identity/file] {username}@{hostname}
# eg
ssh -i ../digitalmarketplace-credentials/aws-keys/ci.pem ubuntu@ci.marketplace.team
All GitHub-associated SSH keys for trusted users should work. However if the SSH key has only recently been added to the Github account, you may need to re-gather the keys with:
make keys
To run a script with Python3 inside a Docker container, call the script as follows:
docker run digitalmarketplace/scripts scripts/my-amazing-script.py arg1 arg2 ...
This removes the need for activating a virtualenv, or installing requirements with pip on the Jenkins instance itself.
More information on running scripts with Docker
The list of plugins in /playbooks/roles/jenkins/defaults/main.yml
should reflect the list at https://ci.marketplace.team/pluginManager/installed (dependencies
are greyed out on the dashboard, and are not included in the main.yml
list).
To upgrade a plugin (for example, to address a security vulnerability), tick the relevant box on the Updates panel of the plugins dashboard, and
click Download now and install after restart
and follow the instructions given.
Jenkins should restart during a quiet period when no jobs are running (the restart will take a few seconds).
Authentication is managed via a Github OAuth app owned by the user dm-ssp-jenkins
on
Github. The password is in logins.enc
in the credentials repo.
An application exists per Jenkins instance - see Settings/Developer settings/Oauth Apps once logged into Github with
the dm-ssp-jenkins
user. The Client ID and Client Secret must be stored in the credentials repo, in
jenkins-vars/jenkins.yaml, and must be stored as a nested dict under jenkins_github_auth_by_hostname
. This allows
us to maintain multiple Jenkins instances (if required). These credentials are deployed via the config
task tag.
The process for creating a new instance is documented in the team manual.
The Jenkins server captures the following logs:
- Events, using the Jenkins Audit Trail plugin
- Access logs (see PR #171)
- SSH Access logs (see PR #172)
The log files are sent to CloudWatch for long term storage. See PR PR #173
and the awslogs-config
section in playbooks/jenkins_playbook.yml
for more details.
Unless stated otherwise, the codebase is released under the MIT License. This covers both the codebase and any sample code in the documentation.
The documentation is © Crown copyright and available under the terms of the Open Government 3.0 licence.