Migrate Blue Ocean remaining jobs from ci.blueocean.io to the OSS Infra

[dduportal]

Service(s)

ci.jenkins.io, Other

Summary

The goal of this issue is to track the work related to migration of the builds and task currently run on the ci.blueocean.io Jenkins controller as it will be sunset.

1. The first scenario is to move the jobs to ci.jenkins.io: there is already some jobs related to blueocean but this is the "end to end testing" that seems to be the core of the tasks to migrate.

2. The fallback scenario, if ci.jenkins.io does not fit the usage, is to create a Jenkins controller only for this.

Reproduction steps

No response

[dduportal]

Let's work on the scenario 1.

The following major steps are needed:

• GitHub setup
  • List all the repositories that need a job (ping @olamy)
  • For each repo, ensure there is a GitHub app setup at their organization level only for ci.jenkins.io (should only allow read-related rights)
  • For each repo, list the produced artifacts (ping @olamy) as Docker images, etc. To help us evaluate where to do the CD part (to manage credentials securely).
• ci.jenkins.io integration
  • Create jobs
  • Open PRs to ensure that Jenkinsfile are working on ci.jenkins.io (mainly checking agents, should be VMs with Docker engine, eventually highmem VMs if needed)
• Continous Delivery integration: to be determined (based on the list of artefacts to be published)

[olamy]

there is only one repository which need a job https://github.com/jenkinsci/blueocean-plugin
no need of CD (I definitely prefer using Jenkins :P to build Blue Ocean) if needed there is incremental in place.
As documented in the README there will be a need of a credentials called live.properties to gave access to https://github.com/blueocean-ath/private-ci.git in order to run ATH tests.

The tests runs within a docker image called blueocean/blueocean:build_env (sources here: https://github.com/cloudbees/blueocean-docker-image/tree/create-blueocean-io-image in Jenkinsfile-build-image)
would be good to change namespace to something such jenkinsci/blueocean:build_env ?

[dduportal]

@olamy thanks for this first set of details.

Could you grant access to https://github.com/blueocean-ath/private-ci.git for me and @lemeurherve please?
At first sight, we'll probably have to split the file into multiple credentials and generate on-the-fly the properties files, because of the following rationale:

• Using a githubapp means that the "GitHub Token" will be a 1-hour valid element as per https://www.jenkins.io/blog/2020/04/16/github-app-authentication/ . Good news: it means that no personaltoken will have to be stored \o/
• Splitting in different strings avoid exposing accidentally with the build logs. We faced this problem 2 month ago, and we have to do the same with the infra teraform config files. Alas disabling github checks output is not an easy option for ci.jenkins.io, because of how organization scanning jobs work (you disable it for everyone in a given org).

I see there is a 2nd credential at https://github.com/jenkinsci/blueocean-plugin/blob/302e569079139663f375478666ac6a6396345ebd/Jenkinsfile#L23, which is a key file: is it and RSA key used for SSH connection? Something else? (I d'ont see any mention in https://github.com/jenkinsci/blueocean-plugin/tree/master/acceptance-tests so not sure)

[olamy]

@olamy thanks for this first set of details.

Could you grant access to https://github.com/blueocean-ath/private-ci.git for me and @lemeurherve please? At first sight, we'll probably have to split the file into multiple credentials and generate on-the-fly the properties files, because of the following rationale:

you should have received invite.

• Using a githubapp means that the "GitHub Token" will be a 1-hour valid element as per https://www.jenkins.io/blog/2020/04/16/github-app-authentication/ . Good news: it means that no personaltoken will have to be stored \o/
• Splitting in different strings avoid exposing accidentally with the build logs. We faced this problem 2 month ago, and we have to do the same with the infra teraform config files. Alas disabling github checks output is not an easy option for ci.jenkins.io, because of how organization scanning jobs work (you disable it for everyone in a given org).

I see there is a 2nd credential at https://github.com/jenkinsci/blueocean-plugin/blob/302e569079139663f375478666ac6a6396345ebd/Jenkinsfile#L23, which is a key file: is it and RSA key used for SSH connection? Something else? (I d'ont see any mention in https://github.com/jenkinsci/blueocean-plugin/tree/master/acceptance-tests so not sure)

Don't worry about it, I will remove it as it's not used anymore

[olamy]

ping :)

[jglick]

Please at least disable the jobs on ci.blueocean.io. As of jenkinsci/blueocean-plugin#2379 they are less than useless—fail in trunk (though they were long unstable it seems), leaving a confusing red X on every PR.