Skip to content

How we set up continuous integration on Jenkins

Jump to bottom
Adam Hooper edited this page Feb 8, 2021 · 23 revisions

  1. At https://cloud-images.ubuntu.com/locator/ec2/, pick the latest hvm:ebs-ssd instance for the region (us-east-1 in our case)

    1. Choose the dedicated CI VPC, with IAM role Jenkins-CI.
    2. Tag it Environment: ci
    3. Give it the jenkins-ci security group (inbound port 443)
    4. Launch it!

  2. Name it Jenkins-CI

  3. Give yourself temporary SSH access (via the security group) and SSH in.

  4. Install Jenkins:

    1. sudo apt-get update && sudo apt-get dist-upgrade
    2. Follow the instructions at https://pkg.jenkins.io/debian-stable/ to install: 
      wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo apt-key add -
sudo apt-add-repository 'deb https://pkg.jenkins.io/debian-stable binary/'
sudo apt-get update
sudo apt-get install openjdk-11-jre-headless jenkins

  5. Set up GitHub for authentication: at https://jenkins-ci.overviewdocs.com/securityRealm/finishLogin set up overview-jenkins-ci with a URL of https://jenkins-ci.overviewdocs.com.

  6. Setup Jenkins:

    1. From your computer, ssh -L 8080:localhost:8080 ubuntu@[JenkinsIP] and browse to http://localhost:8080
    2. Copy/paste the administrator password in (as prompted by Jenkins)
    3. "Select plugins to install" => choose defaults, ...
      • plus: embeddable-build-status, JUnit Plugin, GitHub Plugin, GitHub Authentication Plugin, Amazon EC2 Plugin, Kubernetes CLI
      • minus: Ant Plugin, Gradle Plugin
    4. Skip creating the administrator user. Click "Start Using Jenkins"
    5. "Manage Jenkins" => "Configure System":
      • # of executors: 0
      • Jenkins URL: https://jenkins-ci.overviewdocs.com
      • System Admin e-mail address: admin@overviewdocs.com
      • SMTP Server: email-smtp.us-east-1.amazonaws.com
      • Check User SMTP Authentication and enter Amazon's SMTP settings
    6. "Manage Jenkins" => "Configure Global Security"
      • Security realm => Github Authentication Plugin
      • Enter Client ID and Client Secret from the overview-jenkins-ci app page on GitHub
      • Authorization => GitHub Committer Authorization Strategy
      • Enter comma-separated Admin User Names
      • Check Use GitHub repository permissions, and don't fill in Participant in Organization
      • Check Grant READ permissions for Anonymous Users
      • Check Grant ViewStatus permissions for Anonymous Users
      • Save. You'll be locked out.

  7. Adjust DNS to point to your new server.

  8. Set up the HTTPS proxy:

    • Install programs 
      sudo apt-get install haproxy
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
sudo certbot certonly --standalone -d jenkins-ci.overviewdocs.com -m admin@overviewdocs.com --agree-tos -n
    • Fill in /etc/haproxy/haproxy.cfg: 
      global
  log /dev/log  local0
  log /dev/log  local1 notice
  chroot /var/lib/haproxy
  user haproxy
  group haproxy
  daemon
  # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.5.14&openssl=1.0.1e&hsts=yes&profile=modern
  ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

defaults
  log global
  mode http
  option httplog
  option dontlognull
  option forwardfor
  option http-server-close
  timeout connect 5000
  timeout client 50000
  timeout server 50000
  errorfile 502 /etc/haproxy/errors/502.http

frontend jenkins-ci.overviewdocs.com
  bind :80
  bind :443 ssl crt /etc/haproxy/ssl.pem
  redirect scheme https if !{ ssl_fc }
  reqadd X-Forwarded-Proto:\ https
  use_backend jenkins

backend jenkins
  server jenkins01 127.0.0.1:8080
    • Fill in /etc/letsencrypt/post-renew.sh: 
      #!/bin/sh

cat \
    /etc/letsencrypt/live/jenkins-ci.overviewdocs.com/privkey.pem \
    /etc/letsencrypt/live/jenkins-ci.overviewdocs.com/fullchain.pem \
    > /etc/haproxy/ssl.pem
chown haproxy:haproxy /etc/haproxy/ssl.pem
chmod 0600 /etc/haproxy/ssl.pem
systemctl restart haproxy
    • Fill in /etc/letsencrypt/pre-renew.sh: 
      #!/bin/sh
systemctl stop haproxy
    • chmod +x /etc/letsencrypt/post-renew.sh /etc/letsencrypt/pre-renew.sh
    • /etc/letsencrypt/post-renew.sh (will actually start haproxy)
    • Fill in /etc/cron.daily/letsencrypt: 
      #!/bin/sh

exec /usr/bin/certbot renew \
    --pre-hook /etc/letsencrypt/pre-renew.sh \
    --post-hook /etc/letsencrypt/post-renew.sh \
    --quiet
    • chmod +x /etc/cron.daily/letsencrypt

  9. Set up EC2 spot-instance nodes

    1. Browse to Jenkins, "Manage Jenkins" -> "Configure System"
    2. "Add New Cloud" => "Amazon EC2"
    3. Check Use EC2 instance profile to obtain credentials
    4. Choose region us-east-1
    5. Create a private key jenkins-ci in AWS (EC2 => Key Pairs => Create key pair called jenkins-ci. This will download a jenkins-ci.pem in your browser)
    6. Enter the private key in Jenkins by copy/pasting from jenkins-ci.pem.
    7. Advanced -> "Add" an AMI....
    8. Description: Jenkins-CI
    9. AMI ID: ami-026c8acd92718196b (from https://cloud-images.ubuntu.com/locator/ec2/ amd64 ebs-ssd us-east-1 bionic)
    10. Instance Type: something big, Availability Zone: whatever's best. At time of writing, C48xlarge and us-east-1d have a good price. (Use the AWS console to find a combination that seems reliable.)
    11. Spot Max Bid Price: whatever -- 0.5 means 50 cents per hour. (Expect 3 builds per hour. Jenkins won't build every commit, if you commit lots of commits at the same time.)
    12. Choose Bid Type: persistent
    13. Security group names: test-slave (which grants SSH access to Jenkins-CI security group: Jenkins will SSH into it)
    14. Remote FS root: /home/ubuntu
    15. Remote user: ubuntu
    16. Root command prefix: sudo
    17. Slave command prefix: sudo
    18. Labels: test-slave
    19. Idle termination time: 30
    20. Advanced => Number of Executors: 1
    21. Check Stop/Disconnect on Idle Timeout
    22. Tags: role:jenkins-test-slave, Name:jenkins-test-slave, Environment:ci
    23. IAM Profile: The description of your IAM "instance-profile" Role. This starts with arn: and ends with instance-profile/jenkins-test-slave -- a role with permission to write to s3://overview-builds.
    24. Add this Init script: 
      #!/bin/bash

set -ex

DEBIAN_FRONTEND=noninteractive apt-get -y -qq update
DEBIAN_FRONTEND=noninteractive apt-get -y -qq dist-upgrade
DEBIAN_FRONTEND=noninteractive apt-get -y -qq update
DEBIAN_FRONTEND=noninteractive apt-get -y -qq install apt-transport-https awscli ca-certificates curl openjdk-11-jre-headless software-properties-common

# https://docs.docker.com/engine/installation/linux/docker-ce/ubuntu/
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable"        
DEBIAN_FRONTEND=noninteractive apt-get -y -qq update
DEBIAN_FRONTEND=noninteractive apt-get -y -qq install docker-ce
systemctl start docker
usermod -G docker ubuntu

curl -L https://github.com/kubernetes/kops/releases/download/1.12.2/kops-linux-amd64 > /usr/local/bin/kops
curl -L https://storage.googleapis.com/kubernetes-release/release/v1.15.1/bin/linux/amd64/kubectl > /usr/local/bin/kubectl
curl -L "https://github.com/docker/compose/releases/download/1.28.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/{docker-compose,kops,kubectl}
    25. Set Block device mapping to /dev/sda1=:24 (because Docker images often grow to greater than 8GB)
    26. Check 'Associate Public IP' (or it won't be able to download things)

  10. Add Docker Hub credentials

    1. Make sure you have access to https://hub.docker.com/r/overview/
    2. Browse to Jenkins and click Credentials (left sidebar), (global), and then Add Credentials (left sidebar)
    3. Add a Username with Password with Scope System, ID and Description both docker-hub, and the username and password that you used to log in to https://hub.docker.com.

  11. Add overview-server project

    1. Browse to Jenkins and click Create new jobs
    2. Name overview-server, Pipeline, OK
    3. Check GitHub project and enter URL https://github.com/overview/overview-server
    4. Check GitHub hook trigger for GITScm polling
    5. Check Quiet period and enter 120 seconds (builds cost time and money; this can save us a few)
    6. Make the Pipeline script Pipeline script from SCM. Select Git as a source, and enter https://github.com/overview/overview-server
    7. Make */master and */feature-* are the branch specifiers

  12. Add Kubernetes credentials

    1. Browse to Jenkins and click Credentials (left sidebar), (global), and then Add Credentials (left sidebar)
    2. Add a Secret text with Scope Global, ID and Description both overview-production-kubernetes, and the secret text you get following the instructions in overview-server/kubernetes/README.md

  13. Hook up to GitHub

    1. Add [![Build Status](http://jenkins-ci.overviewdocs.com/job/overview-server/badge/icon)](http://jenkins-ci.overviewdocs.com/job/overview-server/) to README.md
    2. In overview-server project settings on GitHub, add "Integrations and Services" -> "Jenkins (GitHub plugin)" -> https://jenkins-ci.overviewdocs.com/github-webhook/

  14. Hook up to Slack

    1. On Jenkins, add "Slack" plugin in Manage Plugins
    2. On Slack, add "Jenkins" plugin
    3. Copy/paste the Team Domain and Integration Token from Slack into Jenkins
    4. (That's it -- the Jenkinsfile will handle the rest.)
Clone this wiki locally