From bfda35dc966dce8ebfcd834d3d97d064e5f77515 Mon Sep 17 00:00:00 2001 From: Vanessa Valderrama Date: Wed, 27 Aug 2025 15:13:46 -0500 Subject: [PATCH 1/8] Revert "fix: remove duplicate JCasC crumbIssuer config" This reverts commit 8d97046b4695cdb6cf27c0bbbf35c59f16abff73. --- base/jenkins/jcasc_yamls/02-security-emergency.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/base/jenkins/jcasc_yamls/02-security-emergency.yaml b/base/jenkins/jcasc_yamls/02-security-emergency.yaml index 3d9286e..b53fe0e 100644 --- a/base/jenkins/jcasc_yamls/02-security-emergency.yaml +++ b/base/jenkins/jcasc_yamls/02-security-emergency.yaml @@ -3,9 +3,14 @@ # To activate: rename 02-security.yaml to 02-security-saml.yaml.bak # rename this file to 02-security.yaml # restart Jenkins pod: kubectl delete pod jenkins-staging-0 -n jenkins-staging -# NOTE: CSRF and disableRememberMe configs are in 02-security.yaml to avoid conflicts --- jenkins: + # Enable CSRF protection + crumbIssuer: + standard: + excludeClientIPFromCrumb: false + # Disable "Remember me" functionality for better security + disableRememberMe: true # Emergency local authentication - lf-jenkins account with static password securityRealm: local: From 862bd41c42cc14e69b0d302fed093023ee538c77 Mon Sep 17 00:00:00 2001 From: Vanessa Valderrama Date: Wed, 27 Aug 2025 15:14:22 -0500 Subject: [PATCH 2/8] Revert "fix: security issues" This reverts commit bbfe317800878b0aa694b6b558e6f1ea1cb70fc2. --- base/jenkins/jcasc_yamls/02-security-emergency.yaml | 2 +- base/jenkins/jcasc_yamls/02-security.yaml | 11 +++-------- dev/values.yaml | 2 -- production/values.yaml | 2 -- staging/values.yaml | 3 --- 5 files changed, 4 insertions(+), 16 deletions(-) diff --git a/base/jenkins/jcasc_yamls/02-security-emergency.yaml b/base/jenkins/jcasc_yamls/02-security-emergency.yaml index b53fe0e..33bda3a 100644 --- a/base/jenkins/jcasc_yamls/02-security-emergency.yaml +++ b/base/jenkins/jcasc_yamls/02-security-emergency.yaml 
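Review bot: Putting `crumbIssuer` and `disableRememberMe` back into 02-security-emergency.yaml while deleting the NOTE that said they live in 02-security.yaml means both files now declare the same `jenkins.*` keys, and the jcasc-configmap template seen later in this series globs `jcasc_yamls/*.yaml`, so the emergency file is presumably loaded next to 02-security.yaml all the time rather than only after the rename the header describes; as far as I recall JCasC merges every file it finds and refuses conflicting values for one key. If both files must coexist, keep the controller-wide settings in one place and leave only the `securityRealm`/`authorizationStrategy` override here, or give this file an extension the glob does not match until it is activated, e.g. `02-security-emergency.yaml.disabled`, and say so in the activation comment. The `jenkins:` mapping continues past the end of the hunk.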
@@ -18,7 +18,7 @@ jenkins: users: - id: "lf-jenkins" name: "LF Jenkins Emergency Admin" - email: '${JCASC_EMERGENCY_ADMIN_EMAIL}' + email: "releng+opensearch-jenkins@linuxfoundation.org" password: '${JCASC_JENKINSSECURITY_ADMINPASSWORD}' authorizationStrategy: projectMatrix: diff --git a/base/jenkins/jcasc_yamls/02-security.yaml b/base/jenkins/jcasc_yamls/02-security.yaml index 11f9ec6..6f0cb3c 100644 --- a/base/jenkins/jcasc_yamls/02-security.yaml +++ b/base/jenkins/jcasc_yamls/02-security.yaml @@ -29,15 +29,10 @@ jenkins: authorizationStrategy: projectMatrix: permissions: - # SAML Group-based Admin Access (Linux Foundation Staff) - # Security Review: Replaced hardcoded individual usernames with SAML groups - # for better maintainability and security - # 'staff': Members of the Linux Foundation staff who require full administrative access to Jenkins - - "Overall/Administer:staff" - # 'lf-releng': Members of the Linux Foundation Release Engineering team responsible for CI/CD infrastructure management - - "Overall/Administer:lf-releng" - # Emergency fallback admin account (local authentication) + # Admin users - full control (known LF staff) - "Overall/Administer:lf-jenkins" + - "Overall/Administer:valderrv" + - "Overall/Administer:rdetjens" # Standard authenticated users - limited permissions - "Overall/Read:authenticated" - "Job/Build:authenticated" diff --git a/dev/values.yaml b/dev/values.yaml index 49a6eb1..b295b74 100644 --- a/dev/values.yaml +++ b/dev/values.yaml @@ -35,8 +35,6 @@ jenkinsEnvVars: JCASC_SYSTEM_MESSAGE: "Welcome to Jenkins (Development Environment)" JCASC_LOCATION_URL: "" JCASC_LOCATION_ADMINADDRESS: "dev-admin@example.com" - # Emergency Admin Email (used in 02-security-emergency.yaml) - JCASC_EMERGENCY_ADMIN_EMAIL: "dev-admin@example.com" JCASC_MASTER_LABELS: "dev-master local" JCASC_RESOURCE_ROOT_URL: "" JCASC_DISABLE_DEFERRED_WIPEOUT: "false" diff --git a/production/values.yaml b/production/values.yaml index d97ba5a..f44fbf7 100644 
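Review bot: `email: "releng+opensearch-jenkins@linuxfoundation.org"` bakes one environment's mailbox into a base file that every environment renders, and the `dev/values.yaml` hunk in the same patch drops the `dev-admin@example.com` value that used to differentiate dev; the reverted commit's subject called the parameterisation a security fix and nothing in this patch records why it is undone. If the variable is being removed because it was unset somewhere, a default on the placeholder keeps both behaviours: `email: '${JCASC_EMERGENCY_ADMIN_EMAIL:-releng+opensearch-jenkins@linuxfoundation.org}'`. The `users` entry continues outside the hunk.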
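Review bot: `Overall/Administer` is now granted to two personal accounts, `valderrv` and `rdetjens`, in a base file shared by every environment, and at this point in the series the realm is still SAML (removed only in PATCH 3/8), so the grant is keyed on whatever the IdP returns as the username — nothing in the repo fails when one of those people leaves or is renamed, the grant just persists. If the `staff`/`lf-releng` group grants cannot be used, add a comment naming the offboarding step that must revoke these lines, e.g. `# Personal admin grants: remove on offboarding; prefer SAML group grants when available`, and keep `lf-jenkins` as the only non-personal admin. The permissions list continues below the hunk.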
--- a/production/values.yaml +++ b/production/values.yaml @@ -25,8 +25,6 @@ jenkins: JCASC_SYSTEM_MESSAGE: "Welcome to Jenkins (Production Environment)" JCASC_LOCATION_URL: "" JCASC_LOCATION_ADMINADDRESS: "releng+opensearch-jenkins@linuxfoundation.org" - # Emergency Admin Email (used in 02-security-emergency.yaml) - JCASC_EMERGENCY_ADMIN_EMAIL: "releng+opensearch-jenkins@linuxfoundation.org" JCASC_MASTER_LABELS: "prod-controller" JCASC_RESOURCE_ROOT_URL: "" JCASC_DISABLE_DEFERRED_WIPEOUT: "false" diff --git a/staging/values.yaml b/staging/values.yaml index 8e7385f..5775d2a 100644 --- a/staging/values.yaml +++ b/staging/values.yaml @@ -35,9 +35,6 @@ jenkins: value: "https://jenkins-stag.opensearch.cluster.linuxfound.info" - name: JCASC_LOCATION_ADMINADDRESS value: "releng+opensearch-jenkins@linuxfoundation.org" - # Emergency Admin Email (used in 02-security-emergency.yaml) - - name: JCASC_EMERGENCY_ADMIN_EMAIL - value: "releng+opensearch-jenkins@linuxfoundation.org" - name: JCASC_MASTER_LABELS value: "staging-controller" - name: JCASC_RESOURCE_ROOT_URL From ded1b5218aff8513abfaa96640b4f83c8af2fca1 Mon Sep 17 00:00:00 2001 From: Vanessa Valderrama Date: Wed, 27 Aug 2025 15:14:44 -0500 Subject: [PATCH 3/8] Revert "feat: add SAML and security improvements" This reverts commit 6a93b76829dc5fafb5bcff7276d8fcda2d0c2b6f. --- .../jcasc_yamls/02-security-emergency.yaml | 34 ------------------ base/jenkins/jcasc_yamls/02-security.yaml | 35 ++++--------------- staging/values.yaml | 6 ---- 3 files changed, 6 insertions(+), 69 deletions(-) delete mode 100644 base/jenkins/jcasc_yamls/02-security-emergency.yaml diff --git a/base/jenkins/jcasc_yamls/02-security-emergency.yaml b/base/jenkins/jcasc_yamls/02-security-emergency.yaml deleted file mode 100644 index 33bda3a..0000000 --- a/base/jenkins/jcasc_yamls/02-security-emergency.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# jcasc/02-security-emergency.yaml -# EMERGENCY FALLBACK - Use ONLY if LF SSO is down -# To activate: rename 02-security.yaml to 02-security-saml.yaml.bak -# rename this file to 02-security.yaml -# restart Jenkins pod: kubectl delete pod jenkins-staging-0 -n jenkins-staging ---- -jenkins: - # Enable CSRF protection - crumbIssuer: - standard: - excludeClientIPFromCrumb: false - # Disable "Remember me" functionality for better security - disableRememberMe: true - # Emergency local authentication - lf-jenkins account with static password - securityRealm: - local: - allowsSignup: false - users: - - id: "lf-jenkins" - name: "LF Jenkins Emergency Admin" - email: "releng+opensearch-jenkins@linuxfoundation.org" - password: '${JCASC_JENKINSSECURITY_ADMINPASSWORD}' - authorizationStrategy: - projectMatrix: - permissions: - # Emergency admin account - lf-jenkins only - - "Overall/Administer:lf-jenkins" - # Standard authenticated users - limited permissions - - "Overall/Read:authenticated" - - "Job/Build:authenticated" - - "Job/Cancel:authenticated" - - "Job/Read:authenticated" - - "Job/Workspace:authenticated" - - "View/Read:authenticated" diff --git a/base/jenkins/jcasc_yamls/02-security.yaml b/base/jenkins/jcasc_yamls/02-security.yaml index 6f0cb3c..a1e7f21 100644 --- a/base/jenkins/jcasc_yamls/02-security.yaml +++ b/base/jenkins/jcasc_yamls/02-security.yaml 
@@ -1,39 +1,16 @@ # jcasc/02-security.yaml -# CSRF Protection: Prevents cross-site request forgery attacks -# NOTE: If automated scripts/API calls start failing with 403 errors, -# they may need to be updated to include CSRF tokens (crumbs) --- jenkins: - # Enable CSRF protection - crumbIssuer: - standard: - excludeClientIPFromCrumb: false - # Disable "Remember me" functionality for better security - # Users will need to re-authenticate after session expires - disableRememberMe: true - # SAML SSO Authentication via Linux Foundation SSO - # Emergency Access: Use 02-security-emergency.yaml if LF SSO is down securityRealm: - saml: - binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" - displayNameAttributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" - emailAttributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" - groupsAttributeName: "http://schemas.xmlsoap.org/claims/Group" - idpMetadataConfiguration: - period: 60 - url: "${SAML_METADATA_URL}" - logoutUrl: "${SAML_LOGOUT_URL}" - maximumAuthenticationLifetime: 86400 - usernameCaseConversion: "none" - usernameAttributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" + local: + allowsSignup: false + users: + - id: "admin" + password: '${JCASC_JENKINSSECURITY_ADMINPASSWORD}' authorizationStrategy: projectMatrix: permissions: - # Admin users - full control (known LF staff) - - "Overall/Administer:lf-jenkins" - - "Overall/Administer:valderrv" - - "Overall/Administer:rdetjens" - # Standard authenticated users - limited permissions + - "Overall/Administer:admin" - "Overall/Read:authenticated" - "Job/Build:authenticated" - "Job/Cancel:authenticated" diff --git a/staging/values.yaml b/staging/values.yaml index 5775d2a..400253f 100644 --- a/staging/values.yaml +++ b/staging/values.yaml 
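Review bot: The explicit `crumbIssuer` and `disableRememberMe` settings are removed together with the SAML realm, although only the realm swap is what the revert is about; after this, CSRF protection and remember-me behaviour are whatever the running Jenkins defaults to rather than something this repo asserts and reviews. Keep the two while reverting the realm — `crumbIssuer: {standard: {excludeClientIPFromCrumb: false}}` and `disableRememberMe: true` under `jenkins:` — together with the header comment about scripted API calls failing with 403 until they send a crumb, which is the operational knowledge the next person will need. The local `admin` id with `allowsSignup: false` is acceptable as a non-SSO fallback, but since this patch also deletes 02-security-emergency.yaml, the header should say that this file is now the only realm and that the emergency variant no longer exists. The permissions list continues below the hunk.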
@@ -96,12 +96,6 @@ jenkins: - name: JCASC_JENKINSGLOBALENVVARS_SILO value: "staging" - # SAML Configuration - - name: SAML_METADATA_URL - value: "https://sso.linuxfoundation.org/samlp/metadata/Sa8MIoI91JUE3154tjDzTATsEeiehGaZ" - - name: SAML_LOGOUT_URL - value: "https://sso.linuxfoundation.org/samlp/Sa8MIoI91JUE3154tjDzTATsEeiehGaZ/logout" - # Kubernetes Cloud Configuration - name: JCASC_KUBERNETES_URL value: "https://kubernetes.default.svc.cluster.local" From 5957d53dd780822649df27acac7c1b45bab6e94b Mon Sep 17 00:00:00 2001 From: Vanessa Valderrama Date: Wed, 27 Aug 2025 15:15:01 -0500 Subject: [PATCH 4/8] Revert "fix: fix templpate" This reverts commit 61b7f74fb257d5c9239b616dffd4dfb78a9bf248. --- base/jenkins/templates/jcasc-configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/jenkins/templates/jcasc-configmap.yaml b/base/jenkins/templates/jcasc-configmap.yaml index 519d164..5ef1ab7 100644 --- a/base/jenkins/templates/jcasc-configmap.yaml +++ b/base/jenkins/templates/jcasc-configmap.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "jenkins.labels" . | nindent 4 }} app.kubernetes.io/component: jcasc - {{ include "jenkins.fullname" . }}-jenkins-config: "true" + {{ template "jenkins.fullname" . }}-jenkins-config: "true" data: {{- $files := .Files.Glob "jcasc_yamls/*.yaml" }} {{- range $path, $_ := $files }} From 539cc5b80f239a94d0f22abdbe89bd3535074237 Mon Sep 17 00:00:00 2001 From: Vanessa Valderrama Date: Wed, 27 Aug 2025 15:15:17 -0500 Subject: [PATCH 5/8] Revert "fix: Jenkis staging JCasC configs" This reverts commit f8d5e31f9ffef758cd25f1952ca54bd8e5bc2bf4. --- base/jenkins/templates/jcasc-configmap.yaml | 1 - base/jenkins/values.yaml | 98 ++++++++++++++++++++- 2 files changed, 97 insertions(+), 2 deletions(-) diff --git a/base/jenkins/templates/jcasc-configmap.yaml b/base/jenkins/templates/jcasc-configmap.yaml index 5ef1ab7..34c5aa1 100644 --- a/base/jenkins/templates/jcasc-configmap.yaml 
+++ b/base/jenkins/templates/jcasc-configmap.yaml
@@ -5,7 +5,6 @@ metadata:
 labels:
 {{- include "jenkins.labels" . | nindent 4 }}
 app.kubernetes.io/component: jcasc
- {{ template "jenkins.fullname" . }}-jenkins-config: "true"
 data:
 {{- $files := .Files.Glob "jcasc_yamls/*.yaml" }}
 {{- range $path, $_ := $files }}
diff --git a/base/jenkins/values.yaml b/base/jenkins/values.yaml
index 29f9aeb..19b46e7 100644
--- a/base/jenkins/values.yaml
+++ b/base/jenkins/values.yaml
@@ -26,7 +26,103 @@ jenkins: JCasC: defaultConfig: false - configScripts: {} + configScripts: + + 01-global-env-vars: | + jenkins: + globalNodeProperties: + - envVars: + env: + - key: "GLOBAL_LOG_LEVEL" + value: '${JCASC_JENKINSGLOBALENVVARS_LOGLEVEL}' + - key: "ARTIFACTORY_URL" + value: '${JCASC_JENKINSGLOBALENVVARS_ARTIFACTORYURL}' + - key: "COMPANY_NAME" + value: "OpenSearch Project" + - key: "DOCKER_REGISTRY" + value: '${JCASC_JENKINSGLOBALENVVARS_DOCKERREGISTRY}' + - key: "GIT_BASE" + value: '${JCASC_JENKINSGLOBALENVVARS_GITBASEURL}/$PROJECT' + - key: "GIT_URL" + value: '${JCASC_JENKINSGLOBALENVVARS_GITURL}' + - key: "PACKAGECLOUDPROXY" + value: '${JCASC_JENKINSGLOBALENVVARS_PACKAGECLOUDPROXY}' + - key: "PCIO_CO" + value: '${JCASC_JENKINSGLOBALENVVARS_PCIOCO}' + - key: "RELEASE_EMAIL" + value: '${JCASC_JENKINSGLOBALENVVARS_RELEASEEMAIL}' + - key: "RELEASE_USERNAME" + value: '${JCASC_JENKINSGLOBALENVVARS_RELEASEUSERNAME}' + - key: "S3_BUCKET" + value: '${JCASC_JENKINSGLOBALENVVARS_S3BUCKET}' + - key: "CDN_URL" + value: '${JCASC_JENKINSGLOBALENVVARS_CDNURL}' + - key: "SIGUL_KEY" + value: '${JCASC_JENKINSGLOBALENVVARS_SIGULKEY}' + - key: "SILO" + value: '${JCASC_JENKINSGLOBALENVVARS_SILO}' + + 02-security: | + jenkins: + securityRealm: + local: + allowsSignup: false + users: + - id: "admin" + password: '${JCASC_JENKINSSECURITY_ADMINPASSWORD}' + authorizationStrategy: + projectMatrix: + permissions: + - "Overall/Administer:admin" + - "Overall/Read:authenticated" + - "Job/Build:authenticated" + - "Job/Cancel:authenticated" + - "Job/Read:authenticated" + - "Job/Workspace:authenticated" + - "View/Read:authenticated" + + 03-tools: | + tool: + jdk: + installations: + - name: "jdk-17" + home: "/opt/java/openjdk" + git: + installations: + - name: "Default" + home: "git" + + 04-global-libraries: | + # Jenkins global pipeline library configurations placeholder + + 05-plugins-config: | + unclassified: + gitHubConfiguration: + apiRateLimitChecker: ThrottleForNormalize + 
gitHubPluginConfig: + configs: + - name: "opensearch-project" + credentialsId: "github-api-token-placeholder" + hookUrl: "http://jenkins.placeholder.example.com/github-webhook/" + ghprbTrigger: + cron: "H/5 * * * *" + githubAuth: + - id: "opensearch-project-ghprb-auth" + serverAPIUrl: "https://api.github.com" + credentialsId: "github-api-token-placeholder" + description: "GitHub auth for opensearch-project PR builder" + adminlist: "" + manageWebhooks: false + okToTestPhrase: ".*ok to test.*" + retestPhrase: ".*test this please.*" + skipBuildPhrase: ".*\\[skip ci\\].*" + + 06-credentials: | + # Jenkins credential configurations placeholder + + 07-cloud-agents: | + # Cloud agents configuration moved to separate jcasc_yamls file + # See: base/jenkins/jcasc_yamls/07-cloud-agents.yaml # Network security configuration networkPolicy: From 98fad418f10bdedde1af1a6fc1552c199f86e99b Mon Sep 17 00:00:00 2001 From: Vanessa Valderrama Date: Wed, 27 Aug 2025 15:15:35 -0500 Subject: [PATCH 6/8] Revert "fix: missing JCasC configs in staging" This reverts commit 173d8fcec002dec2b43df0df05756f18f20ad053. --- staging/values.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/staging/values.yaml b/staging/values.yaml index 400253f..07a338e 100644 --- a/staging/values.yaml +++ b/staging/values.yaml @@ -19,9 +19,6 @@ jenkins: # Environment variables for Jenkins container (JCasC configuration) containerEnv: - # JCasC Configuration Path Override (fix for image default mismatch) - - name: CASC_JENKINS_CONFIG - value: "/var/jenkins_home/casc_configs" # Security Configuration - name: JCASC_JENKINSSECURITY_ADMINPASSWORD valueFrom: From 9482f6a40babe4d4a22731952b5e7a736e46a903 Mon Sep 17 00:00:00 2001 
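Review bot: `02-security` under `configScripts` repeats the local-admin realm and `projectMatrix` permissions that `base/jenkins/jcasc_yamls/02-security.yaml` already carries (its contents are visible in PATCH 3/8 of this series), so `jenkins.securityRealm` and `jenkins.authorizationStrategy` are declared in two files that the chart presumably mounts into the same CASC directory; JCasC merges everything it loads and, as far as I recall, errors on conflicting values for one key, and even while the copies agree the next edit to one silently diverges from the other. Pick one source — the `jcasc_yamls/` ConfigMap that `jcasc-configmap.yaml` globs, or `configScripts` — and leave a pointer in the other the way `07-cloud-agents` already does (`# Cloud agents configuration moved to separate jcasc_yamls file`). In `05-plugins-config`, `hookUrl: "http://jenkins.placeholder.example.com/github-webhook/"` is a plain-http placeholder; a `# placeholder: replace with the https:// controller URL` comment beside it would stop a copy-paste from shipping an http webhook endpoint. The `JCasC:` mapping continues past the hunk.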
From: Vanessa Valderrama Date: Wed, 27 Aug 2025 15:15:49 -0500 Subject: [PATCH 7/8] Revert "fix: add matrix-auth plugin for security startup" This reverts commit 177b4f7a7a2e2c697bfc593e0c13bca22939671f. --- build/plugins.txt | 1 - staging/values.yaml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/build/plugins.txt b/build/plugins.txt index 8b6d64c..e2ad79b 100644 --- a/build/plugins.txt +++ b/build/plugins.txt @@ -38,7 +38,6 @@ ldap lockable-resources login-theme managed-scripts -matrix-auth nodelabelparameter nvm-wrapper oic-auth diff --git a/staging/values.yaml b/staging/values.yaml index 07a338e..7c216ce 100644 --- a/staging/values.yaml +++ b/staging/values.yaml @@ -29,7 +29,7 @@ jenkins: - name: JCASC_SYSTEM_MESSAGE value: "Welcome to Jenkins (Staging Environment)" - name: JCASC_LOCATION_URL - value: "https://jenkins-stag.opensearch.cluster.linuxfound.info" + value: "" - name: JCASC_LOCATION_ADMINADDRESS value: "releng+opensearch-jenkins@linuxfoundation.org" - name: JCASC_MASTER_LABELS From f53c1dbe5457c806afa9617951db5afe7c188c50 Mon Sep 17 00:00:00 2001 From: Vanessa Valderrama Date: Wed, 27 Aug 2025 15:16:03 -0500 Subject: [PATCH 8/8] Revert "feat: implement security hardending" This reverts commit b665ec3dff493a745a200cebcdaf27cd060daca8. --- base/jenkins/jcasc_yamls/02-security.yaml | 11 +- base/jenkins/templates/networkpolicies.yaml | 186 -------------------- base/jenkins/values.yaml | 15 +- build/Dockerfile | 70 +++----- staging/values.yaml | 7 - 5 files changed, 30 insertions(+), 259 deletions(-) delete mode 100644 base/jenkins/templates/networkpolicies.yaml diff --git a/base/jenkins/jcasc_yamls/02-security.yaml b/base/jenkins/jcasc_yamls/02-security.yaml index a1e7f21..c24c600 100644 --- a/base/jenkins/jcasc_yamls/02-security.yaml +++ b/base/jenkins/jcasc_yamls/02-security.yaml 
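Review bot: `value: ""` for `JCASC_LOCATION_URL` leaves the staging controller with no configured root URL; as far as I know, when the root URL is unset Jenkins derives absolute links (notification emails, webhook callbacks) from the incoming request, so they follow whatever Host header the proxy forwards rather than a fixed, reviewed hostname. If `https://jenkins-stag.opensearch.cluster.linuxfound.info` is being removed because it should not be in this file, inject it from a per-environment override instead of blanking it, and if empty really is intended, say so inline: `value: ""  # intentionally empty: set per deployment`. The `containerEnv` list continues outside the hunk.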
@@ -8,12 +8,5 @@ jenkins:
 - id: "admin"
 password: '${JCASC_JENKINSSECURITY_ADMINPASSWORD}'
 authorizationStrategy:
- projectMatrix:
- permissions:
- - "Overall/Administer:admin"
- - "Overall/Read:authenticated"
- - "Job/Build:authenticated"
- - "Job/Cancel:authenticated"
- - "Job/Read:authenticated"
- - "Job/Workspace:authenticated"
- - "View/Read:authenticated"
+ loggedInUsersCanDoAnything:
+ allowAnonymousRead: false
diff --git a/base/jenkins/templates/networkpolicies.yaml b/base/jenkins/templates/networkpolicies.yaml
deleted file mode 100644
index 9dd0529..0000000
--- a/base/jenkins/templates/networkpolicies.yaml
+++ /dev/null
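Review bot: `loggedInUsersCanDoAnything` grants full administration to every authenticated account, so the split this replaces (one `Overall/Administer`, read/build/cancel for `authenticated`) is gone; it is only equivalent while the realm stays the single local `admin` with `allowsSignup: false`, and the same change is made to the `02-security` copy in `base/jenkins/values.yaml` later in this patch. Note also that `password: '${JCASC_JENKINSSECURITY_ADMINPASSWORD}'` survives as a context line here while this patch deletes the `JCASC_JENKINSSECURITY_ADMINPASSWORD` entry from `staging/values.yaml`, so in staging the placeholder no longer resolves to the `jenkins-staging` secret. If the revert is about starting without the matrix-auth plugin, keep the strategy but mark it, `# TEMPORARY: every login is an admin; restore projectMatrix once matrix-auth is back in plugins.txt`, and keep the password env var. The `jenkins:` mapping continues outside the hunk.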
@@ -1,186 +0,0 @@ -{{- if .Values.networkPolicy.enabled -}} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "jenkins.fullname" . }}-default-deny - namespace: {{ .Release.Namespace }} - labels: - {{- include "jenkins.labels" . | nindent 4 }} - app.kubernetes.io/component: network-security -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "jenkins.fullname" . }}-controller-ingress - namespace: {{ .Release.Namespace }} - labels: - {{- include "jenkins.labels" . | nindent 4 }} - app.kubernetes.io/component: network-security -spec: - podSelector: - matchLabels: - {{- include "jenkins.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: jenkins-controller - policyTypes: - - Ingress - ingress: - # Allow NGINX ingress controller to reach Jenkins web UI - - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: ingress - ports: - - protocol: TCP - port: 8080 - # Allow Jenkins agents to connect to controller - - from: - - podSelector: - matchLabels: - jenkins: slave - ports: - - protocol: TCP - port: 50000 - # Allow same namespace communication (config reload sidecar) - - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: {{ .Release.Namespace }} - ports: - - protocol: TCP - port: 8080 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "jenkins.fullname" . }}-controller-egress - namespace: {{ .Release.Namespace }} - labels: - {{- include "jenkins.labels" . | nindent 4 }} - app.kubernetes.io/component: network-security -spec: - podSelector: - matchLabels: - {{- include "jenkins.selectorLabels" . 
| nindent 6 }} - app.kubernetes.io/component: jenkins-controller - policyTypes: - - Egress - egress: - # Allow DNS resolution - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - - podSelector: - matchLabels: - k8s-app: kube-dns - ports: - - protocol: UDP - port: 53 - - protocol: TCP - port: 53 - # Allow Kubernetes API access - - to: [] - ports: - - protocol: TCP - port: 443 - # Allow HTTPS outbound for plugins/updates - - to: [] - ports: - - protocol: TCP - port: 443 - # Allow HTTP outbound for legacy plugins - - to: [] - ports: - - protocol: TCP - port: 80 - # Allow agent communication - - to: - - podSelector: - matchLabels: - jenkins: slave - ports: - - protocol: TCP - port: 50000 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "jenkins.fullname" . }}-agent-ingress - namespace: {{ .Release.Namespace }} - labels: - {{- include "jenkins.labels" . | nindent 4 }} - app.kubernetes.io/component: network-security -spec: - podSelector: - matchLabels: - jenkins: slave - policyTypes: - - Ingress - ingress: - # Allow Jenkins controller to communicate with agents - - from: - - podSelector: - matchLabels: - {{- include "jenkins.selectorLabels" . | nindent 10 }} - app.kubernetes.io/component: jenkins-controller ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "jenkins.fullname" . }}-agent-egress - namespace: {{ .Release.Namespace }} - labels: - {{- include "jenkins.labels" . 
| nindent 4 }} - app.kubernetes.io/component: network-security -spec: - podSelector: - matchLabels: - jenkins: slave - policyTypes: - - Egress - egress: - # Allow DNS resolution - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - - podSelector: - matchLabels: - k8s-app: kube-dns - ports: - - protocol: UDP - port: 53 - - protocol: TCP - port: 53 - # Allow communication back to Jenkins controller - - to: - - podSelector: - matchLabels: - {{- include "jenkins.selectorLabels" . | nindent 10 }} - app.kubernetes.io/component: jenkins-controller - ports: - - protocol: TCP - port: 8080 - - protocol: TCP - port: 50000 - # Allow HTTPS outbound for git, docker registry, etc. - - to: [] - ports: - - protocol: TCP - port: 443 - # Allow HTTP outbound for legacy systems - - to: [] - ports: - - protocol: TCP - port: 80 - # Allow SSH for git operations - - to: [] - ports: - - protocol: TCP - port: 22 -{{- end -}} diff --git a/base/jenkins/values.yaml b/base/jenkins/values.yaml index 19b46e7..4b33017 100644 --- a/base/jenkins/values.yaml +++ b/base/jenkins/values.yaml @@ -71,15 +71,8 @@ jenkins: - id: "admin" password: '${JCASC_JENKINSSECURITY_ADMINPASSWORD}' authorizationStrategy: - projectMatrix: - permissions: - - "Overall/Administer:admin" - - "Overall/Read:authenticated" - - "Job/Build:authenticated" - - "Job/Cancel:authenticated" - - "Job/Read:authenticated" - - "Job/Workspace:authenticated" - - "View/Read:authenticated" + loggedInUsersCanDoAnything: + allowAnonymousRead: false 03-tools: | tool: @@ -123,7 +116,3 @@ jenkins: 07-cloud-agents: | # Cloud agents configuration moved to separate jcasc_yamls file # See: base/jenkins/jcasc_yamls/07-cloud-agents.yaml - -# Network security configuration -networkPolicy: - enabled: true diff --git a/build/Dockerfile b/build/Dockerfile index ff847f1..65f35a0 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -7,11 +7,11 @@ ENV JAVA_OPTS -Djenkins.install.runSetupWizard=false # Copy the plugins.txt file COPY plugins.txt /usr/share/jenkins/ref/plugins.txt -# Switch to root only for essential system package installations +# Switch to root for install USER root -# Install system packages with security best practices -RUN apt-get update && apt-get install -y --no-install-recommends \ +# Install system packages and dependencies +RUN apt-get update && apt-get install -y \ curl \ wget \ git \ @@ -19,7 +19,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ python3 \ python3-pip \ python3-dev \ - python3-venv \ zip \ unzip \ build-essential \ 
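Review bot: Dropping `--no-install-recommends` from `RUN apt-get update && apt-get install -y \` pulls in every package the listed ones merely recommend, growing the image and the set of packages that need patching, while nothing in the list depends on it; keep `RUN apt-get update && apt-get install -y --no-install-recommends \`. The replacement comment `# Switch to root for install` also says less than the one it replaces — state what the root section is for and where it ends so a reader can check that `USER jenkins` follows. The `RUN` continues into the next hunk.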
@@ -27,45 +26,24 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ ca-certificates \ gnupg \ lsb-release \ - && rm -rf /var/lib/apt/lists/* \ - && apt-get clean \ - && apt-get autoremove -y + && rm -rf /var/lib/apt/lists/* -# Install Docker CLI with GPG verification +# Install Docker CLI (for containerized builds) RUN curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg \ && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null \ && apt-get update \ - && apt-get install -y --no-install-recommends docker-ce-cli \ - && rm -rf /var/lib/apt/lists/* \ - && apt-get clean + && apt-get install -y docker-ce-cli \ + && rm -rf /var/lib/apt/lists/* -# Install GitHub CLI with GPG verification +# Install GitHub CLI RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | gpg --dearmor -o /usr/share/keyrings/githubcli-archive-keyring.gpg \ && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \ && apt-get update \ - && apt-get install -y --no-install-recommends gh \ - && rm -rf /var/lib/apt/lists/* \ - && apt-get clean + && apt-get install -y gh \ + && rm -rf /var/lib/apt/lists/* -# Install Node.js 18.x (maintained as root for system-wide installation) -RUN curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \ - && apt-get install -y --no-install-recommends nodejs \ - && rm -rf /var/lib/apt/lists/* \ - && apt-get clean - -# Install global npm packages as root (for system-wide access) -RUN npm install -g fs-extra chalk@4.1.2 aws-cdk cdk-assume-role-credential-plugin@1.4.0 - -# Create jenkins directories with proper permissions while root -RUN 
mkdir -p /var/jenkins /home/jenkins/.local /home/jenkins/.local/bin \ - && chown -R jenkins:jenkins /var/jenkins /home/jenkins/.local - -# Switch to jenkins user as early as possible -USER jenkins - -# Install Python packages as jenkins user with venv -RUN python3 -m venv /home/jenkins/.local/venv \ - && /home/jenkins/.local/venv/bin/pip install --no-cache-dir \ +# Install Python packages used by OpenSearch +RUN pip3 install --no-cache-dir --break-system-packages \ boto3 \ pyyaml \ requests==2.32.0 \ @@ -74,20 +52,24 @@ RUN python3 -m venv /home/jenkins/.local/venv \ pipenv \ awscli -# Add virtual environment to PATH for Python packages -ENV PATH="/home/jenkins/.local/venv/bin:/home/jenkins/.local/bin:${PATH}" +# Install Node.js 18.x and global npm packages (system-wide installation) +RUN curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \ + && apt-get install -y nodejs \ + && npm install -g fs-extra chalk@4.1.2 aws-cdk cdk-assume-role-credential-plugin@1.4.0 \ + && rm -rf /var/lib/apt/lists/* + +# Install 1Password CLI using main branch +RUN curl -SfL https://raw.githubusercontent.com/opensearch-project/opensearch-build/main/docker/ci/config/op-setup.sh -o op-setup.sh && \ + bash op-setup.sh && \ + rm -v op-setup.sh -# Install 1Password CLI (requires root temporarily) -USER root -RUN curl -SfL https://raw.githubusercontent.com/opensearch-project/opensearch-build/main/docker/ci/config/op-setup.sh -o op-setup.sh \ - && bash op-setup.sh \ - && rm -v op-setup.sh \ - && chown jenkins:jenkins /usr/local/bin/op 2>/dev/null || true +# Create jenkins directories with proper permissions +RUN mkdir -p /var/jenkins && chown -R jenkins:jenkins /var/jenkins -# Return to jenkins user immediately after privileged operation +# Switch back to jenkins user USER jenkins -# Install Jenkins plugins as jenkins user +# Install Jenkins plugins RUN jenkins-plugin-cli --verbose --plugin-file /usr/share/jenkins/ref/plugins.txt # Verify installations work 
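Review bot: `RUN pip3 install --no-cache-dir --break-system-packages \` installs `boto3`, `pyyaml`, `requests==2.32.0` and the rest into the distro Python's system site-packages as root, overriding the PEP 668 guard that exists to keep pip from clobbering apt-managed modules; the venv it replaces kept them under `/home/jenkins/.local/venv`, owned by `jenkins`. The same hunk also drops `apt-get clean` and `apt-get autoremove -y` after the base install, although the Docker CLI and GitHub CLI steps right below keep their cleanup. If the venv is unwanted, install into user space as the `jenkins` user instead (`pip3 install --no-cache-dir --user ...` after `USER jenkins`), and pin the remaining packages the way `requests` is pinned so rebuilds are reproducible. The `RUN` continues into the following hunk.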
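Review bot: `op-setup.sh` is downloaded from the `main` branch of opensearch-build at build time and run with `bash` as root (`USER jenkins` now comes only after it), so every rebuild executes whatever that branch holds at that moment — an unpinned dependency with no integrity check, and `# Install 1Password CLI using main branch` records it as intended. Pin the URL to a commit SHA or tag and verify a checksum before running it, e.g. `curl -SfL .../<pinned-commit>/docker/ci/config/op-setup.sh -o op-setup.sh && echo '<expected-sha256>  op-setup.sh' | sha256sum -c -`, and the same applies to `setup_18.x | bash -` in the Node.js step above it. The `chown jenkins:jenkins /usr/local/bin/op` the old side had is gone as well, so confirm `op` is executable by `jenkins` — a check in the `# Verify installations work` block below would cover it. That block starts after the hunk ends.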
diff --git a/staging/values.yaml b/staging/values.yaml index 7c216ce..1602da2 100644 --- a/staging/values.yaml +++ b/staging/values.yaml @@ -19,13 +19,6 @@ jenkins: # Environment variables for Jenkins container (JCasC configuration) containerEnv: - # Security Configuration - - name: JCASC_JENKINSSECURITY_ADMINPASSWORD - valueFrom: - secretKeyRef: - name: jenkins-staging - key: jenkins-admin-password - # System Configuration - name: JCASC_SYSTEM_MESSAGE value: "Welcome to Jenkins (Staging Environment)" - name: JCASC_LOCATION_URL