forwarding credentials working on jenkins-staging

README.md

@@ -85,5 +85,16 @@ The Jenkins server SSHs into the agents to start the agent application. Thus the
 
 While this works, it does not fell like the perfect solution. I'm happy to get better ideas on this. 
 
+## creating basic authentication for reverse proxy
+
+1. create auth file, based on [ingress-nginx documentation](https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/auth/basic)
+    ```bash
+    cd kubernetes/reverse-proxy
+    htpasswd -c auth <username>
+    # enter password at prompt
+    # add more users as required
+    kubectl create secret generic proxy-auth --from-file=auth --namespace=jenkins
+    ```
+
 # License
 This project is licensed unter the "Apache 2.0 with LLVM Exception" license. See [LICENSE](LICENSE) for details.

kubernetes/disk_create.sh

@@ -27,6 +27,12 @@ gcloud compute disks create jenkins-home \
     --type=pd-standard \
     --zone=${GCP_ZONE} \
 
+gcloud compute disks create jenkins-home-staging \
+    --description="storage for jenkins master (staging)" \
+    --size=20GB \
+    --type=pd-standard \
+    --zone=${GCP_ZONE} \
+
 gcloud compute disks create results \
     --description="storage build results" \
     --size=20GB \

kubernetes/jenkins-staging/Deployment.yaml

@@ -0,0 +1,62 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the the Apache License v2.0 with LLVM Exceptions (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://llvm.org/LICENSE.txt
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: jenkins-staging
+  namespace: jenkins
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: master-staging
+    spec:
+      hostname: jenkins-master-staging
+      containers:
+      - name: master-staging
+        image: gcr.io/llvm-windows-development/jenkins-master
+        ports:
+        - containerPort: 8080
+        - containerPort: 50000
+        readinessProbe:
+          httpGet:
+            path: /login
+            port: 8080
+          periodSeconds: 10
+          timeoutSeconds: 5
+          successThreshold: 2
+          failureThreshold: 5
+        env:
+        - name: JAVA_OPTS
+          value: '-Xmx1400m'
+        volumeMounts:
+        - mountPath: /var/jenkins_home
+          name: jenkins-home-staging
+        resources:
+          limits:
+            cpu: 500m
+            memory: 1500Mi
+          requests:
+            cpu: 500m
+            memory: 1500Mi
+      volumes:
+      - name: jenkins-home-staging
+        gcePersistentDisk:
+          pdName: jenkins-home-staging
+          fsType: ext4
+      nodeSelector:
+        cloud.google.com/gke-nodepool: services
+---

kubernetes/jenkins-staging/PersistentVolume.yaml

@@ -0,0 +1,29 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the the Apache License v2.0 with LLVM Exceptions (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://llvm.org/LICENSE.txt
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: jenkins-home-staging
+  labels:
+    failure-domain.beta.kubernetes.io/zone: us-central1-a
+spec:
+  capacity:
+    storage: 20Gi
+  volumeMode: Filesystem
+  accessModes:
+  - ReadWriteOnce
+  gcePersistentDisk:
+    pdName: jenkins-home-staging
+    fsType: ext4

kubernetes/jenkins-staging/Services.yaml

@@ -0,0 +1,30 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the the Apache License v2.0 with LLVM Exceptions (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://llvm.org/LICENSE.txt
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: jenkins-ui-staging
+  namespace: jenkins
+spec:
+  type: NodePort
+  selector:
+    app: master-staging
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 8080
+      name: ui
+---

kubernetes/jenkins-staging/kustomization.yaml

@@ -0,0 +1,22 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the the Apache License v2.0 with LLVM Exceptions (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://llvm.org/LICENSE.txt
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: jenkins
+resources:
+  - PersistentVolume.yaml
+  - Deployment.yaml
+  - Services.yaml
+

kubernetes/jenkins.yaml

@@ -132,18 +132,6 @@ spec:
       targetPort: 50000
       name: agent
 ---
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: jenkins
-  namespace: jenkins
-spec:
-#  tls:
-#  - secretName: tls
-  backend:
-    serviceName: jenkins-ui
-    servicePort: 8080
----
 apiVersion: v1
 kind: PersistentVolume
 metadata:

kubernetes/reverse-proxy/.gitignore

@@ -0,0 +1 @@
+auth

kubernetes/reverse-proxy/Ingress.yaml

@@ -49,7 +49,37 @@ spec:
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
-  name: nginx-ingress-staging
+  name: nginx-ingress-staging-jenkins
+  namespace: jenkins
+  annotations:
+    # static IP assignment not working. Not sure why.
+    kubernetes.io/ingress.global-static-ip-name: "web-static-ip"
+    kubernetes.io/ingress.class: "nginx"    
+    cert-manager.io/issuer: "letsencrypt-staging"
+    nginx.ingress.kubernetes.io/auth-type: basic
+    nginx.ingress.kubernetes.io/auth-secret: proxy-auth
+    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - LLVM pre-merge checks"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+        proxy_set_header Authorization $remote_user;
+spec:
+  tls:
+  - secretName: jenkins-staging-tls
+    hosts:
+    - jenkins.staging.llvm-merge-guard.org
+
+  rules:
+  - host: jenkins.staging.llvm-merge-guard.org
+    http:
+      paths:
+      - backend:
+          serviceName: jenkins-ui-staging
+          servicePort: 8080
+---
+
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: nginx-ingress-staging-results
   namespace: jenkins
   annotations:
     # static IP assignment not working. Not sure why.
@@ -61,22 +91,11 @@ spec:
   - secretName: results-staging-tls
     hosts:
     - results.staging.llvm-merge-guard.org
-  - secretName: results-staging-tls
-    hosts:
-    - jenkins.staging.llvm-merge-guard.org
-
   rules:
-  - host: jenkins.staging.llvm-merge-guard.org
-    http:
-      paths:
-      - backend:
-          serviceName: jenkins-ui
-          servicePort: 8080
   - host: results.staging.llvm-merge-guard.org
     http:
       paths:
       - backend:
           serviceName: nginx-results
           servicePort: 80
-
 ---