Participants
Damien Duportal (@dduportal), Hervé Le Meur (@hlemeur), Stephane Merle (@smerle), Mark Waite (@MarkEWaite), Tim Jacomb (@timja)
Official minutes on GitHub.
Announcement
- Weekly 2.335 released last week
- Weekly 2.336 today
Notes
- Digital Ocean :party:
  - Cluster integrated and used on ci.jenkins. No visible errors and some usage.
  - ~30 jobs currently running \o/
  - Costs: to be checked after 1 week, to see how much of our credit we consumed
  - New labels on ci.jenkins if you want to target (or avoid) a specific cluster: doks, orcik8s
  - TODO:
    - Email to mailing list?
    - Measure costs consumed
    - Update the ci.jenkins.io documentation for agents
  - DigitalOcean sponsorship
    - Are they on the sponsor page? (nope, they should be)
    - We have a blog post to start
- Azure AKS clusters
  - Terraform shared lib
  - Next step: “re-boot” jenkins-infra/azure with:
    - Remove existing terraform/scripts/code content (not used for months and only partially accurate, as drift occurred)
    - Use new terraform tooling (shared-tools + shared library)
    - Add a new azurerm backend (a new one to avoid inheriting existing ones)
    - Start adding clusters and profit
- Keep our dependencies up to date
  - All our “hashicorp” repositories are now tracked and up to date
  - WIP on keeping Golang up to date (update / golang should both be present)
  - Incoming contributions to updatecli in order to improve the infra-as-code use case (e.g. “retrieve security group IDs from the terraform project, and change them in JCasC”)
- AccountApp/Keycloak:
  - We need to assess “what is missing to fully migrate to Keycloak”
    - accountapp sends the password in clear text by email to users resetting it
    - It’s a “homemade” application: it costs us maintenance
  - On “pure” infra there are the following points:
    - Keycloak major upgrade to 17.0.0 (switch from WildFly to Quarkus: faster, smaller memory footprint)
    - Keycloak stability: it crashes after 2-3 requests. We have to check the app configuration + helm-chart config + memory allocation
    - Keycloak is hosted on the cluster produpublick8s. Shall we move it to privatek8s, and if yes, how do we handle the public ingress?
  - Based on discussions with Daniel:
    - User naming rules that need to be improved
    - Matrix 3.0 plugin removes a big point
  - Which other tools have been studied for this?
    - Dex, others?
    - Let’s ask Daniel, Wadeck and Olivier
- Request from security team to add Windows agents on cert-ci
  - cert-ci is puppet-managed: jenkins-infra/site.pp at 04bd199bca5decff6034d10ce9e3146afcffc600 · jenkins-infra/jenkins-infra · GitHub
  - We have to update the hieradata for cert-ci (jenkins-infra/cert-ci.yaml at 04bd199bca5decff6034d10ce9e3146afcffc600 · jenkins-infra/jenkins-infra · GitHub) to:
    - Add the azure-vm plugin
    - Add the same agent specification as trusted.ci to allow Windows VM agents (jenkins-infra/trusted-ci.yaml at 04bd199bca5decff6034d10ce9e3146afcffc600 · jenkins-infra/jenkins-infra · GitHub)
    - Maybe factorize the agent profiles from “hieradata specified” to “JCasC” so we don’t need to specify them per Jenkins instance
  - We have to add the Azure credentials in cert-ci manually (as there is no easy way to manage these credentials as code)
    - Scope: only system, not in pipelines!
  - @smerle volunteers
  - Warning: an additional VPN route is needed to access it
- Disable anti-spam for cert team: [INFRA-3162] Disable all anti-spam protection on cert.ci · Issue #2703 · jenkins-infra/helpdesk · GitHub
- Mark Waite blocked a ci.jenkins.io API spammer at the Linux kernel level
  - Remove the ci.jenkins.io ban on a specific IP address · Issue #2759 · jenkins-infra/helpdesk · GitHub
  - What should we do now? fail2ban? CrowdSec to get a crowd-sourced denied-IP list?
  - Let’s check and remove the manual block (if not already gone due to VM reboots and iptables rules not being persisted)
  - @dduportal takes it
- Emails on the mailing lists (Google Groups) are marked as spam
  - We thought it was fixed, but it is not
  - Issue to reopen and add technical elements: [INFRA-3154] Certain emails from Jenkins mailing lists are failing SPF · Issue #2696 · jenkins-infra/helpdesk · GitHub
- Puppet notifications => @dduportal and @lemeurherve
- infra.ci notifications => same channel as puppet?
- release.ci notifications => as Tim and Daniel suggested, when a release starts and finishes
- infra-report to be migrated out from trusted.ci into infra.ci
  - Helpdesk issue:
  - Switching GH credentials to a GitHub App (the jenkinsadmin user was used, but its permissions were decreased in December)
- Alibaba mirror
  - Is it working?
  - Helpdesk issue to be checked (might affect other mirrors also): Mirrors of jenkins update is not working · Issue #2787 · jenkins-infra/helpdesk · GitHub