Reload Rather than Restart Jenkins (Updated)

The Jenkins GUI has an option that tells the Jenkins Java process to reload its config from disk. From outside the GUI, where devops and automation live, you can do the same thing through the jenkins-cli.jar. That takes a script to put the other pieces together, including retrieving a key from vault in order to authenticate.

#!/bin/bash

# script to use the jenkins-cli to reload the config from disk
#/etc/alternatives/java -jar /opt/jenkins-cli.jar -s http://localhost:8080 reload-configuration --username devops --password `cat /home/ec2-user/.ssh/devopsUserActual`

# VAULT must name the vault binary; falling back to "vault" on PATH is an assumption
VAULT="${VAULT:-vault}"
# test for and read the same password file
PASSFILE=/home/ec2-user/.ssh/someUserActual

if [[ -f "$PASSFILE" ]]; then
  /etc/alternatives/java -jar /opt/jenkins-cli.jar -s http://localhost:8080 reload-configuration --username user --password "$(cat "$PASSFILE")"
else
  # jenkins cli requires the base actual devops password be available to restart jenkins
  # read it from vault once and reuse the result
  if DEVOPSACTUAL=$("$VAULT" read -field passwd secret/keys/jenkins/someUserActual) && [[ -n "$DEVOPSACTUAL" ]]; then
    echo "...successfully retrieved password string from vault..."
    /etc/alternatives/java -jar /opt/jenkins-cli.jar -s http://localhost:8080 reload-configuration --username user --password "${DEVOPSACTUAL}"
  else
    echo "ERROR:: Failed to get passwd from vault: secret/keys/jenkins/someUserActual, passwd field"
    echo "Exiting..."
    exit 1
  fi
fi

This replaced Ansible calls for “restart”. Instead I use a shell call to this script. It sped up execution tremendously.

— doug

UPDATE 20190503

I reworked this because – Jenkins.

Jenkins keeps updating (and significantly changing) their security model. LTS (long term support) is basically abandoned, because each LTS immediately gets flagged by Jenkins as insecure because of the next bug they fix, which demands a re-architecture of the product and disrupts the CRAP out of supporting this <insert adjective here>.

The reload had to be reworked, recently.

#!/bin/bash

#/etc/alternatives/java -jar /opt/jenkins-cli.jar -s http://localhost:8080 reload-configuration --username devops --password `cat /home/ec2-user/.ssh/devopsUserActual`

if [[ -f /home/centos/.ssh/devopsActual ]]; then
  # -auth takes user:password; quoted so the password stays a single argument
  /etc/alternatives/java -jar /opt/jenkins/jenkins-cli.jar -s http://localhost:8080 -auth "devops:$(cat /home/centos/.ssh/devopsActual)" reload-configuration
else
  echo "ERROR:: Failed to get passwd from devopsActual"
  echo "Exiting..."
  exit 1
fi

The significant change is:

/etc/alternatives/java -jar /opt/jenkins/jenkins-cli.jar -s http://localhost:8080 -auth "devops:$(cat /home/centos/.ssh/devopsActual)" reload-configuration

the previous

--username user --password ${DEVOPSACTUAL}

no longer worked, but the -auth construct still does. For now. Sigh.
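
An added example, not part of the original post or the Jenkins project: both scripts above put the password on the java command line, where it is readable in the process list while the CLI runs. The Jenkins CLI's -auth option also accepts @FILE, a file holding user:secret, and this variant uses it. JAVA, CLI_JAR, JENKINS_URL, PASSFILE and the function names are assumptions.

```shell
#!/bin/sh
# Added example: give jenkins-cli its credentials via -auth @FILE so the
# password is never part of a command line visible in the process list.
# JAVA, CLI_JAR, JENKINS_URL, PASSFILE and the function names are assumptions.
JAVA="${JAVA:-/etc/alternatives/java}"
CLI_JAR="${CLI_JAR:-/opt/jenkins/jenkins-cli.jar}"
JENKINS_URL="${JENKINS_URL:-http://localhost:8080}"
PASSFILE="${PASSFILE:-/home/centos/.ssh/devopsActual}"

# Read the secret on stdin, write "user:secret" to a 0600 temp file and print
# the file's path. printf is a shell builtin, so the secret is not exposed in argv.
write_auth_file() {
  _user="$1"
  IFS= read -r _secret || [ -n "$_secret" ] || return 1
  [ -n "$_secret" ] || return 1
  _file="$(umask 077 && mktemp)" || return 1
  printf '%s:%s' "$_user" "$_secret" > "$_file"
  printf '%s\n' "$_file"
}

# Reload the Jenkins config from disk; the temp credentials file is removed
# whether or not the CLI call succeeds, and the CLI's exit status is returned.
reload_jenkins() {
  [ -r "$PASSFILE" ] || { echo "ERROR:: cannot read $PASSFILE" >&2; return 1; }
  _auth="$(write_auth_file devops < "$PASSFILE")" || return 1
  _rc=0
  "$JAVA" -jar "$CLI_JAR" -s "$JENKINS_URL" -auth "@$_auth" reload-configuration || _rc=$?
  rm -f "$_auth"
  return "$_rc"
}

# Run only when asked, so the functions can also be sourced and checked alone.
if [ "${1:-}" = "--reload" ]; then
  reload_jenkins
fi
```

Called with --reload from the Ansible shell task, it exits non-zero when the password file is missing or the CLI call fails, so the task fails visibly.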

Really tempted to (1) replace jenkins with a golang server listening for the notifyCommit… or (2) fork Jenkins and isolate it behind a comprehensive auth and firewall and drop the security model from inside jenkins cause it’s seriously crap, guys…

— doug