This project contains everything needed to build an openvpn docker image used by the Jenkins Infrastructure Project
Languages: Shell, Go, Makefile, Dockerfile
Branch: master
olblak Merge pull request #45 from jenkins-infra/staging
Submit certificate request for slide_o_mix
Latest commit 78cf6c1 Aug 28, 2019
Top-level files and directories (latest commit message and date as shown on GitHub):

  • cert
  • docker: Always publish jenkinsciinfra/openvpn:latest (Apr 18, 2019)
  • utils/easyvpn: Increase easyvpn verbosity (Mar 20, 2019)
  • .dockerignore: Add mock data in order to be able to start a testing environment (Mar 14, 2019)
  • .gitignore: Rename scripts into utils (Mar 20, 2019)
  • CODEOWNERS: Add Codeowners (Jan 4, 2019)
  • Dockerfile: Add mock data in order to be able to start a testing environment (Mar 14, 2019)
  • Jenkinsfile
  • LICENSE: Move docker configuration to a subdirectory (Mar 11, 2019)
  • Makefile: Update Makefile .PHONY (Mar 20, 2019)
  • README.md: Update vpn access instruction (Apr 18, 2019)
  • config.yaml: Update default network route (Mar 14, 2019)

README

This project contains everything related to the Jenkins infrastructure VPN. It includes the following elements:

  • Build an openvpn docker image integrated with openldap.
  • Manage client configuration and certificates

CONNECTION

To connect to this VPN, your client must be configured for both username/password authentication with your Jenkins account and certificate authentication. Certificate authentication needs three files: the CA certificate (ca.crt), your signed client certificate (username.crt, whose CN is your Jenkins username) and the matching private key (username.key), which never leaves your machine. A working client configuration looks like this:

client
# gateway endpoint: vpn.jenkins.io, TCP port 443 (see "proto tcp" below)
remote vpn.jenkins.io 443
# CA the gateway's certificate is checked against
ca "~/.cert/jenkins/ca.crt"
# your certificate and its private key; replace "username" with your Jenkins username
cert "~/.cert/jenkins/username.crt"
key "~/.cert/jenkins/username.key"
# prompt for the Jenkins username/password on top of the certificate
auth-user-pass
dev tun
proto tcp
nobind
# do not keep the username/password cached in memory between re-authentications
auth-nocache
# allow the client to run built-in and user-defined scripts
script-security 2
persist-key
persist-tun
# drop root privileges once the tunnel is up
user nobody
group nobody

As published, this configuration accepts any certificate issued by ca.crt as the gateway's. If your client supports it, adding remote-cert-tls server (not part of the configuration above) makes the client require the server extended key usage on the gateway's certificate, so that a client certificate issued by the same CA cannot be used to pose as the gateway.

With the NetworkManager client, enable the option "Use this connection only for resources on its network", so that only traffic for the Jenkins private network goes through the tunnel and your default route is left alone.

Windows only

If you want to use several VPN connections at the same time with OpenVPN, you have to install an additional TAP adapter. Run C:\Program Files\TAP-Windows\bin\addtap.bat as Administrator; the TAP-Windows tool is installed alongside OpenVPN.

CERTIFICATES

This project holds the certificate material for connecting to the Jenkins infrastructure VPN: the CA certificate, the signed client certificates and the sops-encrypted CA key. Client private keys are generated locally and stay with their owner.

If you think that you should have access to this network, read HowTo get client access.

Client

HowTo get client access

To access the Jenkins infrastructure private network you need a certificate whose CN is your Jenkins username, the same account you authenticate with by username/password. That certificate must be signed by an administrator, who also assigns you a static IP configuration.

Feel free to follow these steps:

  • Fork this repository on your own GitHub account: fork a repo
  • Build the easyvpn binary by running one of the following commands, depending on your platform:
    • make init_osx
    • make init_linux
    • make init_windows, then copy utils/easyvpn/easyvpn.exe to the root of this repository
  • Generate your private key and certificate request: ./easyvpn request <your username>. Your private key is generated in cert/pki/private; it must remain secret, so check that only the request, not the key, ends up in your commit.
  • Create a new pull request against the staging branch of jenkins-infra/openvpn: How to create a pull request
  • Open an INFRA ticket on JIRA referencing your PR
  • Grab a cup of coffee and wait patiently for an administrator to sign your certificate request.
  • Once an administrator notifies you that everything is in order, retrieve your certificate from ./cert/pki/issued/<your_username>.crt

HowTo show request information

  • Enter the cert directory: cd cert
  • Run make show-req name=<username>

HowTo show certificate information

  • Enter the cert directory: cd cert
  • Run make show-certs name=<username>

Administrator

HowTo become an administrator

To add or revoke certificates you must be able to decrypt cert/pki/private/ca.key.enc. This file is encrypted with sops, and your public GPG key must be added to .sops.yaml by an existing administrator before you can run make decrypt. Adding the key to .sops.yaml is not enough on its own: the file has to be re-encrypted for the new set of keys (sops updatekeys cert/pki/private/ca.key.enc) by someone who can already decrypt it. The reverse holds when an administrator leaves: removing their key and re-encrypting stops them decrypting future versions, but it does not take back a CA key they already held in clear; only a new CA does that.

This repository relies on easy-rsa.

HowTo approve client access?

To validate and sign a client certificate request, perform the following actions:

  • Build the easyvpn binary by running one of the following commands, depending on your platform:
  • make init_osx
  • make init_linux
  • make init_windows, then copy utils/easyvpn/easyvpn.exe to the root of this repository
  • Check out the staging branch
  • Check the request before signing: from the cert directory, run make show-req name=<CN_to_sign> and confirm that the CN is exactly the requester's Jenkins username and that it matches the author of the pull request and the INFRA ticket. A CSR only proves possession of a key; the CN is what ties the certificate to an account.
  • Sign the certificate request: ./easyvpn sign <CN_to_sign>
  • Update the docker image in the puppet configuration.

HowTo revoke client access?

  • Build the easyvpn binary by running one of the following commands, depending on your platform:
  • make init_osx
  • make init_linux
  • make init_windows, then copy utils/easyvpn/easyvpn.exe to the root of this repository
  • Revoke the certificate: ./easyvpn revoke <CN_to_revoke>
  • Update the docker image in the puppet configuration. The revocation is not effective until the gateway runs the updated image.
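The client steps under HowTo get client access and the administrator steps under HowTo approve client access and HowTo revoke client access are, underneath easyvpn and easy-rsa, a handful of X.509 operations. The Go program below is an added example written for this page, not easyvpn's code, and it makes no claim about how easyvpn or easy-rsa are implemented: it keeps the PKI in memory instead of in cert/pki, uses a P-256 key and a random 62-bit serial for every certificate, records revocations in a map rather than a CRL file, and takes the requester's username ("alice" in the sample run) as something the administrator has already established from the pull request and the INFRA ticket. What it shows is the set of checks that protect the VPN: the CSR signature proves possession of the private key, only a CN equal to the requester's username is signed, the issued certificate carries the client-auth extended key usage and cannot act as a CA, and a revoked serial is refused even though the certificate still chains to the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // unwraps calls that cannot fail on sane input
	if err != nil {
		panic(err)
	}
	return v
}

// CA stands in for the easy-rsa pki/ directory: the CA key pair plus the set of revoked serials (the CRL's job).
type CA struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked map[string]bool
}

func NewCA() *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{ // self-signed root that may only sign certificates and CRLs
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: "example-vpn-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{cert: must(x509.ParseCertificate(der)), key: key, revoked: map[string]bool{}}
}

// Request is the client side of "easyvpn request <username>": the key stays local, only the CSR is submitted.
func Request(username string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csr := &x509.CertificateRequest{Subject: pkix.Name{CommonName: username}}
	return key, must(x509.CreateCertificateRequest(rand.Reader, csr, key))
}

// Sign is the administrator side of "easyvpn sign <CN>": requester is the username established out of band
// (PR author, INFRA ticket); the CSR is honoured only if its CN is exactly that name.
func (ca *CA) Sign(csrDER []byte, requester string) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof that the requester holds the matching private key
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	if cn := csr.Subject.CommonName; cn != requester {
		return nil, fmt.Errorf("CN %q is not the requester's username %q", cn, requester)
	}
	tmpl := &x509.Certificate{ // only the CN is taken from the CSR; any SANs it carries are dropped
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: requester},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // IsCA stays false: a client certificate must not be able to issue others
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke is "easyvpn revoke <CN>" applied to pki/issued/<CN>.crt; the gateway enforces it only after the image update.
func (ca *CA) Revoke(cert *x509.Certificate) {
	ca.revoked[cert.SerialNumber.String()] = true
}

// Verify is what the gateway must establish for a client: chains to the CA, client-auth EKU, not revoked, CN = login.
func (ca *CA) Verify(cert *x509.Certificate, username string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if ca.revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("serial %s is revoked", cert.SerialNumber)
	}
	if cert.Subject.CommonName != username {
		return fmt.Errorf("CN %q does not match login %q", cert.Subject.CommonName, username)
	}
	return nil
}

func main() {
	ca := NewCA()
	_, csr := Request("alice")
	cert, err := ca.Sign(csr, "alice")
	fmt.Println("sign:", err, "verify:", ca.Verify(cert, "alice"))
}
```

Run it with go run to see one certificate issued and accepted. The CN comparison in Sign is the automated form of the make show-req review that precedes ./easyvpn sign, and the comment on Revoke is the reason the puppet/image update is part of the procedure: a revocation the gateway has not loaded yet changes nothing.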

DOCKER

CONFIGURATION

This image can be configured at runtime with the following environment variables:

  • AUTH_LDAP_BINDDN: the DN of the service account used to bind to and query the LDAP directory
  • AUTH_LDAP_URL: the LDAP endpoint URL
  • AUTH_LDAP_PASSWORD: the password for that bind DN (a secret: supply it at runtime rather than committing it)
  • AUTH_LDAP_GROUPS_MEMBER: the group a user must be a member of to be allowed to authenticate

Some examples can be found inside docker-compose.yaml

TESTING

To test this image you need a "mock" LDAP server and SSL certificates. Then go to the docker directory and run one of the following commands:

Note: the certificates must be readable by UID 101.

  • make start - Start the ldap and vpn services

INFRASTRUCTURE

This project is designed to work with following pieces:

  • Machine provisioned by Terraform
  • Service configured and orchestrated by Puppet

CONTRIBUTING

Feel free to contribute to this image by:

  1. Fork this project into your account
  2. Make your changes in your local fork
  3. Submit a pull request with a description and a link to a Jira ticket
  4. Ask for a review

ISSUE

Please report any issue to the Jenkins infrastructure project.

LINKS
