Add config needed for splitting security/oauth

1c8a6a25 · Michael Youngstrom · 9a61056b · 1c8a6a25 · 1c8a6a25 · 1c8a6a25
Commit 1c8a6a25 authored May 17, 2018 by Michael Youngstrom
5 changed files
--- a/docker/build/jenkins_build/ansible_overrides.yml
+++ b/docker/build/jenkins_build/ansible_overrides.yml
@@ -18,6 +18,7 @@ build_jenkins_configuration_scripts:
  - 4configureJobConfigHistory.groovy
  - 4configureMailerPlugin.groovy
  - 4configureMaskPasswords.groovy
+  - 4configureSecurity.groovy
  - 5addSeedJob.groovy  # added this
  - 5createLoggers.groovy
@@ -28,6 +29,7 @@ jenkins_common_non_plugin_template_files:
  - ghprb_config
  - git_config
  - github_config
+  # - github_oauth # intentionally commented out
  - hipchat_config
  - job_config_history
  - log_config
@@ -35,7 +37,7 @@ jenkins_common_non_plugin_template_files:
  - main_config
  - mask_passwords_config
  - properties_config
-#  - security  # intentionally left commented out
+  - security
  - seed_config
 # Add the jenkins-worker label so that this jenkins master will work

--- a/playbooks/roles/jenkins_build/defaults/main.yml
+++ b/playbooks/roles/jenkins_build/defaults/main.yml
@@ -18,6 +18,7 @@ build_jenkins_configuration_scripts:
  - 4configureJobConfigHistory.groovy
  - 4configureMailerPlugin.groovy
  - 4configureMaskPasswords.groovy
+  - 4configureSecurity.groovy
  - 4configureSplunk.groovy
  - 5createLoggers.groovy

--- a/playbooks/roles/jenkins_common/defaults/main.yml
+++ b/playbooks/roles/jenkins_common/defaults/main.yml
@@ -30,6 +30,7 @@ jenkins_common_non_plugin_template_files:
  - ghprb_config
  - git_config
  - github_config
+  - github_oauth
  - hipchat_config
  - job_config_history
  - log_config
@@ -123,13 +124,11 @@ JENKINS_MASTER_SSH_LIST: []
 JENKINS_CUSTOM_SSH_LIST: []
 # security
+jenkins_common_dsl_script_security_enabled: true
 jenkins_common_security_agent_protocols:
  - 'JNLP4-connect'
 jenkins_common_security_agent_jnlp_tcp_port: 0
-jenkins_common_security_scopes: 'read:org,user:email'
-JENKINS_SECURITY_CLIENT_ID: ''
-JENKINS_SECURITY_CLIENT_SECRET: ''
 JENKINS_SECURITY_GROUPS: []
 # git
@@ -144,6 +143,13 @@ jenkins_common_github_configs:
    GITHUB_API_URL: ''
    CACHE_SIZE: 20
+# github oauth settings
+jenkins_common_security_scopes: 'read:org,user:email'
+JENKINS_SECURITY_CLIENT_ID: ''
+JENKINS_SECURITY_CLIENT_SECRET: ''
 # hipchat
 jenkins_common_hipchat_room: ''
 jenkins_common_hipchat_v2_enabled: true

--- a/playbooks/roles/jenkins_common/templates/config/github_oauth.yml.j2
+++ b/playbooks/roles/jenkins_common/templates/config/github_oauth.yml.j2
+---
+GITHUB_WEB_URI: 'https://github.com'
+GITHUB_API_URI: 'https://api.github.com'
+CLIENT_ID: '{{ JENKINS_SECURITY_CLIENT_ID }}'
+CLIENT_SECRET: '{{ JENKINS_SECURITY_CLIENT_SECRET }}'
+SCOPES: '{{ jenkins_common_security_scopes }}'
--- a/playbooks/roles/jenkins_common/templates/config/security.yml.j2
+++ b/playbooks/roles/jenkins_common/templates/config/security.yml.j2
@@ -5,12 +5,6 @@ AGENT_SETTINGS:
      - {{ protocol }}
 {% endfor %}
    JNLP_TCP_PORT: {{ jenkins_common_security_agent_jnlp_tcp_port }}
-OAUTH_SETTINGS:
-  GITHUB_WEB_URI: 'https://github.com'
-  GITHUB_API_URI: 'https://api.github.com'
-  CLIENT_ID: '{{ JENKINS_SECURITY_CLIENT_ID }}'
-  CLIENT_SECRET: '{{ JENKINS_SECURITY_CLIENT_SECRET }}'
-  SCOPES: '{{ jenkins_common_security_scopes }}'
 SECURITY_GROUPS:
 {% for group in JENKINS_SECURITY_GROUPS %}
  - NAME: '{{ group.NAME }}'
@@ -23,3 +17,4 @@ SECURITY_GROUPS:
      - {{ user }}
 {% endfor %}
 {% endfor %}
+DSL_SCRIPT_SECURITY_ENABLED: {{ jenkins_common_dsl_script_security_enabled }}