From d4917b46dd81aa6cd8cc5f0f41c02fbbc5c609ec Mon Sep 17 00:00:00 2001 From: sharmapulkit04 Date: Fri, 27 Aug 2021 02:57:32 +0530 Subject: [PATCH] Completed Documentation --- .../content/en/docs/Developer Guide/_index.md | 3 + .../How it works/architecture-and-design.md | 1 - .../content/en/docs/Installation/_index.md | 84 ++++++++++++++++++- 3 files changed, 83 insertions(+), 5 deletions(-) diff --git a/website/content/en/docs/Developer Guide/_index.md b/website/content/en/docs/Developer Guide/_index.md index d86fce2f..488e4bd7 100644 --- a/website/content/en/docs/Developer Guide/_index.md +++ b/website/content/en/docs/Developer Guide/_index.md @@ -301,6 +301,7 @@ kubectl get secret jenkins-operator-credentials- -o 'jsonpath={.data.pa ### Webhook To deploy the operator along with webhook, run : ```bash +eval $(minikube docker-env) make deploy-webhook ``` It uses [cert-manager](https://cert-manager.io/) as an external dependancy. @@ -314,6 +315,8 @@ It uses [cert-manager](https://cert-manager.io/) as an external dependancy. * [Operator SDK Tutorial for Go](https://sdk.operatorframework.io/docs/building-operators/golang/tutorial/) +* [Kubebuilder Validating Webhook Implementation](https://book.kubebuilder.io/cronjob-tutorial/webhook-implementation.html) + [dep_tool]:https://golang.github.io/dep/docs/installation.html [git_tool]:https://git-scm.com/downloads [go_tool]:https://golang.org/dl/ diff --git a/website/content/en/docs/How it works/architecture-and-design.md b/website/content/en/docs/How it works/architecture-and-design.md index 10754a7e..b1f2de17 100644 --- a/website/content/en/docs/How it works/architecture-and-design.md +++ b/website/content/en/docs/How it works/architecture-and-design.md @@ -39,4 +39,3 @@ It helps to maintain or recover the desired state even after the operator or Jen ## Webhook It rejects/accepts admission requests based on potential security warnings in plugins present in the jenkins custom resource. - 
diff --git a/website/content/en/docs/Installation/_index.md b/website/content/en/docs/Installation/_index.md index 635d2e0d..3e0100ec 100644 --- a/website/content/en/docs/Installation/_index.md +++ b/website/content/en/docs/Installation/_index.md @@ -901,12 +901,88 @@ below is the full list of those volumeMounts: * operator-credentials ## Validating Webhook -You can also have a validating webhook which can be used to validate security warnings in plugins. It can be easily installed via helm charts by setting webhook.enabled in values.yaml or in the command line flag. ->webhook.enabled=true +A validating webhook can be used in order to increase monitoring capabilities of the security issues. It will look for security vulnerabilities in the base and requested plugins. It can be easily installed via helm charts by setting webhook.enabled in values.yaml. -Also, you can deploy it via kubectl manifests, +**Note**: The webhook takes some time to get up and running. It's recommended to first deploy Operator and later Jenkins Custom Resource by using toggles in values.yaml +If the installation happens with yamls, +First, install cert-manager: +```bash +kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.1/cert-manager.yaml +``` +It takes some time to get cert-manager up and running. +Then, install the webhook and other required resources: +```bash +kubectl apply -f https://raw.githubusercontent.com/jenkinsci/kubernetes-operator/master/deploy/all-in-one-webhook.yaml +``` +Now, download the manifests for the operator and other resources from [here](https://raw.githubusercontent.com/jenkinsci/kubernetes-operator/master/deploy/all-in-one-v1alpha2.yaml)and please provide these additional fields in the operator manifest: +

+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jenkins-operator
+  labels:
+    control-plane: controller-manager
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+    spec:
+      serviceAccountName: jenkins-operator
+      securityContext:
+        runAsUser: 65532
+      containers:
+      - command:
+        - /manager
+        args:
+        - --leader-elect
+        - --validate-security-warnings
+        image: jenkins-operator:54231733-dirty 
+        name: jenkins-operator
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          limits:
+            cpu: 200m
+            memory: 100Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        env:
+          - name: WATCH_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        volumeMounts:
+          - mountPath: /tmp/k8s-webhook-server/serving-certs
+            name: webhook-certs
+            readOnly: true       
+      volumes:
+      - name: webhook-certs
+        secret:
+          defaultMode: 420
+          secretName: jenkins-webhook-certificate
+      terminationGracePeriodSeconds: 10
+
+
To enable security validation in the jenkins custom resource set >jenkins.ValidateSecurityWarnings=true -**Note**: The webhook takes some time to get up and running,also when helm renders the template the validating webhook configuration is applied at last, hence if the user wants to deploy a jenkins custom resource with validation turned on, he needs to wait for sometime. After the webhook is up and running the user can deploy the jenkins custom resource using *helm* or *kubectl*
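Review bot: The operator manifest added in this hunk tells readers to use `image: jenkins-operator:54231733-dirty`, which is a local developer build tag (the `-dirty` suffix marks an uncommitted working tree), so anyone who copies the manifest points at an image that is not published, and with `imagePullPolicy: IfNotPresent` it only runs on the machine that built it. It should reference a published release, e.g. `image: <published-operator-image>:<release-tag>`, and state which operator version introduced the `--validate-security-warnings` flag. The same hunk has the reader `kubectl apply` both `deploy/all-in-one-webhook.yaml` and the v1alpha2 all-in-one manifest from the `master` branch while cert-manager is pinned to `v1.5.1`; pinning those two raw URLs to a release tag as well keeps the procedure reproducible instead of applying whatever the moving branch holds at the time. The `image:` and `readOnly: true` lines of the manifest also carry trailing whitespace, harmless to the YAML parser but flagged by yamllint, and worth trimming before readers copy the block.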