Ciinabox2 0.7.1 Release
The latest ciinabox update has some major improvements to Jenkins and Jenkins Configuration as Code infrastructure.
What’s New in 0.7.1
- Jenkins image has moved from the deprecated Cloudbees Jenkins Distribution to Jenkins LTS
- Jenkins controller infrastructure has moved from ECS on EC2 to ECS on Fargate
- Jenkins EFS mount attachment has moved from the RexRay docker plugin to a native ECS EFS mount. For existing ciinaboxes the same EFS volume is still used, and the existing behaviour is maintained: when a ciinabox is deleted and recreated, the EFS volume is left intact and reattached.
- JCASC reload from the CodePipeline job now uses a generated JCASC token to authenticate to Jenkins rather than a username and password. This fixes issues where different auth methods are used, such as GitHub and Bitbucket OAuth.
- Improved JCASC error checking: the reload will roll back the S3 file if the reload fails.
- A default JCASC YAML is shipped with the Jenkins docker image and is merged with the JCASC in the CodeCommit repository.
- An IAM policy on Jenkins and agents for getting AWS managed SSM parameters such as AWS AMI parameters.
- Jenkins will update plugins from the image if they have been manually updated through the console and the image version is newer.
- The default rules for GitHub and Bitbucket webhooks have been removed to allow for easier management through AWS prefix lists in the ciinabox2 Bearse feature.
- Support for custom Jenkins docker images in the ciinabox config.
Migration to ciinabox 0.7.1 from 0.6.x
Follow the steps below to move to the new docker image on Fargate once the Bearse ciinabox2 feature has been deployed or updated to the latest version.
- Set the Jenkins ECS service desired count to 0.
- Connect to a bastion instance and mount the EFS volume to /efs.
- SSH to the bastion and run the following commands from within a screen session:

    cd /efs
    mkdir -p var/jenkins_home
    cp --verbose -r data/* var/jenkins_home/
    chown -R ec2-user var/jenkins_home
    cd var/jenkins_home/
    rm -rf war/ \
      updates/ \
      plugins/cloudbees-analytics* \
      plugins/cloudbees-assurance* \
      plugins/cloudbees-administrative-monitors* \
      plugins/cloudbees-license* \
      plugins/cloudbees-uc-data-api* \
      plugins/cloudbees-support* \
      plugins/cloudbees-jenkins-advisor* \
      plugins/nectar-license*
- From the new var/jenkins_home directory, open hudson.model.UpdateCenter.xml with vim and remove the 2 sites from the XML file:
    - cloudbees-jenkins-distribution-offline
    - cap-cloudbees-jenkins-distribution
- Manually remove the existing mount points for EFS. This will revoke access to the EFS from your bastion, so ensure the steps above have been completed.
- Edit the jenkins.yaml config file in the JCASC CodeCommit repo and remove the following configuration:

    updateCenter:
      sites:
        - id: "cloudbees-jenkins-distribution-offline"
          url: "file:/var/cloudbees-jenkins-distribution/war/WEB-INF/plugins/update-center.json"
        - id: "cap-cloudbees-jenkins-distribution"
          url: "https://jenkins-updates.cloudbees.com/update-center/envelope-cloudbees-jenkins-distribution/update-center.json"
    experimentalPlugins:
      enabled: false
    clouds:
      - amazonEC2:
          templates:
            - useDedicatedTenancy: false # just this line
- Edit the ciinabox.yaml in the ciinabox CodeCommit repo and alter the jenkins: config to alter the cpu and memory to a Fargate-compatible configuration, or remove it completely to use the defaults (mem: 1024, cpu: 2048), and change the Jenkins version to the latest Jenkins tagged image version from https://github.com/base2Services/jenkins-distribution/releases

    jenkins:
      version: {{jenkins_version}}
- Alter the IP whitelisting in the ciinabox.yaml:

    loadbalancer:
      security_group_rules:
        - from: 80
          ip_blocks:
            - whitelist
        - from: 443
          ip_blocks:
            - whitelist
        ### whitelist bitbucket or github webhooks. IPs are managed through the ciinabox2 bearse feature
        # - from: 443
        #   prefix_list:
        #     Fn:ImportValue: {{ciinabox_name}}-bitbucket-webhooks-prefix-list
        #   desc: incoming bitbucket webhooks
        # - from: 443
        #   prefix_list:
        #     Fn:ImportValue: {{ciinabox_name}}-github-webhooks-prefix-list
        #   desc: incoming github webhooks
    ip_blocks:
      whitelist:
        - ip: 52.64.86.162/32
          desc: Base2 Sydney VPN access
        - ip: 54.191.24.202/32
          desc: Base2 Oregon VPN access
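
Before the bastion's EFS mount is removed, the cleanup steps above (the rm -rf, the hudson.model.UpdateCenter.xml edit and the jenkins.yaml edit) can be verified with a read-only check. This is an added example, not part of ciinabox; the function name `check_migrated_home` and its optional second argument (a local copy of jenkins.yaml) are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not ciinabox code): read-only check of a migrated Jenkins home.
# Names and paths below are taken from the migration steps; the function name
# and the optional local jenkins.yaml argument are assumptions.

# Directories and plugin prefixes the rm -rf step removes from var/jenkins_home.
CB_DIRS="war updates"
CB_PLUGINS="cloudbees-analytics cloudbees-assurance
cloudbees-administrative-monitors cloudbees-license cloudbees-uc-data-api
cloudbees-support cloudbees-jenkins-advisor nectar-license"
# Update sites removed from hudson.model.UpdateCenter.xml and jenkins.yaml.
CB_SITES="cloudbees-jenkins-distribution-offline cap-cloudbees-jenkins-distribution"

# Prints one line per leftover; returns 0 if clean, 1 if leftovers, 2 on bad input.
check_migrated_home() {
  local home="$1" jcasc="${2:-}" found=0 name f
  [ -d "$home" ] || { echo "not a directory: $home" >&2; return 2; }

  for name in $CB_DIRS; do
    if [ -e "$home/$name" ]; then echo "leftover dir: $name/"; found=1; fi
  done

  for name in $CB_PLUGINS; do
    # Plugins exist as <name>.jpi/.hpi archives and as unpacked <name>/ dirs.
    for f in "$home/plugins/$name"*; do
      [ -e "$f" ] || continue   # an unmatched glob stays literal; skip it
      echo "leftover plugin: plugins/${f##*/}"; found=1
    done
  done

  for f in "$home/hudson.model.UpdateCenter.xml" "$jcasc"; do
    [ -n "$f" ] && [ -f "$f" ] || continue
    for name in $CB_SITES; do
      if grep -qF -- "$name" "$f"; then
        echo "update site still referenced: $name in ${f##*/}"; found=1
      fi
    done
  done

  # The jenkins.yaml step also drops the EC2 template tenancy line.
  if [ -f "$jcasc" ] && grep -q 'useDedicatedTenancy' "$jcasc"; then
    echo "jenkins.yaml still sets useDedicatedTenancy"; found=1
  fi
  return "$found"
}
```

On the bastion this would be called as `check_migrated_home /efs/var/jenkins_home`, with the path to a checked-out jenkins.yaml as an optional second argument.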