The following steps need to be done by hand.
- Follow the Role-Based Strategy guide.
  - Create a `developer` role with all but the `Agent` and `SCM` options.
  - Assign the role by adding a `group` called `authenticated`, selecting the `developer` checkbox.
- Click `Manage Jenkins`.
- Click `Configure System`.
- Under `Audit Trail`, click `Add Logger`, then `Log file`.
- For `Log Location`, enter `/var/log/jenkins/audit.log`.
- For `Log File Size`, enter `50` MB.
- For `Log File Count`, enter `10`.
- Click `Save`.
- Visit `https://JENKINS_EXTERNAL_HOSTNAME/credentials/store/system/domain/_/newCredentials`
- Fill in the form:
  - `Kind`: `SSH Username with private key`
  - `Scope`: `Global (Jenkins, nodes, items, all child items, etc)`
  - `Username`: `jenkins`
  - `Private Key`: `From the Jenkins master ~/.ssh`
  - `Passphrase`: the value from `vault_jenkins_ssh_key_passphrase`
  - `ID`: `jenkins-ssh-key`
  - `Description`: (empty)
- Click `OK`.
- Use these Credentials from your Jobs.
For each user:

- Generate a password. Here's an easy way on Linux:

  ```
  cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9!@#\$%^&\*\(\)\+=_' | head -c 64
  ```

- View the people list.
  - Click `Manage Jenkins`.
  - Click `Manage Users`.
  - If they exist already:
    - Click their username.
    - Click `Configure`.
    - Correct their `Full Name`.
    - Set their password.
  - If they don't, create a user for them.
    - Click `Create User`.
    - For the `Username`, use the first part of their GSA email. This will ensure that it matches up to their commits.
    - Click
    - Click

- Send the password via Fugacious.
- Subscribe to Jenkins security advisories.
- When creating jobs/pipelines, don't include any spaces or special characters in the name, as this can break things in confusing ways.
- Make sure to do cleanup, to prevent disk space from filling up.
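
One way to check the job-naming rule above on an existing controller, as an added example that is not part of the original guide. It assumes jobs are stored as `<jobs dir>/<name>/config.xml` (folder children under `<folder>/jobs/<name>`) and that "safe" means only letters, digits, `.`, `_` and `-`; the function name and that character set are choices made for this example.

```shell
#!/bin/sh
# Added example: report Jenkins job names containing spaces or special characters.
# Assumption: a safe name uses only A-Z a-z 0-9 . _ -  (the guide gives no exact set).
# Assumption: job directories are <jobs_root>/<name> and .../jobs/<name>,
# each holding a config.xml; config.xml files elsewhere (e.g. workspaces) are ignored.

# Prints offending job paths relative to the jobs root, one per line.
# Returns 0 if all names are safe, 1 if any are not, 2 if the directory is missing.
find_unsafe_job_names() {
    jobs_root=${1%/}
    [ -d "$jobs_root" ] || { echo "no such directory: $jobs_root" >&2; return 2; }

    # Paths are passed to the inner shell as arguments, so odd characters in
    # names cannot be reinterpreted. LC_ALL=C keeps the ranges ASCII-only.
    unsafe=$(LC_ALL=C find "$jobs_root" -type f -name config.xml -exec sh -c '
        root=$1; shift
        for cfg do
            dir=${cfg%/config.xml}
            parent=${dir%/*}
            name=${dir##*/}
            # Only treat <root>/<name> and .../jobs/<name> as job directories.
            [ "$parent" = "$root" ] || [ "${parent##*/}" = jobs ] || continue
            case $name in
                (*[!A-Za-z0-9._-]*) printf "%s\n" "${dir#"$root"/}" ;;
            esac
        done' sh "$jobs_root" {} +)

    [ -z "$unsafe" ] && return 0
    printf '%s\n' "$unsafe"
    return 1
}

# When run as a script with a path argument (e.g. "$JENKINS_HOME/jobs"),
# the exit status can gate a cron job or CI step.
[ $# -eq 0 ] || find_unsafe_job_names "$1"
```
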