fix(docker): Multi does not launch a second Jenkins controller anymore.

[gounthar]

Summary by CodeRabbit

• New Features

  • Enhanced script flexibility for Jenkins controller address handling.
  • Improved authentication process for GitHub Container Registry in workflow.
  • Added weekly dependency update settings for Docker packages.

• Bug Fixes

  • Corrected volume mapping for the Jenkins controller service.

• Chores

  • Updated service profiles in the Docker configuration for improved clarity and consistency.
  • Incremented versions of various plugins to ensure compatibility and performance improvements.
  • Updated to a newer version of the Debian base image in the Dockerfile.

[gounthar]

@coderabbitai review

[gounthar]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Caution

Review failed

The head commit changed during the review from cb4b4c1 to cb44510.

Walkthrough

The changes in this pull request involve modifications to the docker-compose.yaml file, the find-name.sh script, and the plugins.txt file. In the docker-compose.yaml, the jenkins_controller service has had its - multi profile removed and its volume mapping corrected. The find-name.sh script has been updated to introduce a variable for the Jenkins controller address, enhancing its adaptability. Additionally, the plugins.txt file has undergone version updates for several plugins, ensuring they are aligned with the latest releases. The workflow for pushing Docker images has also been modified to enhance authentication.

Changes

File	Change Summary
docker-compose.yaml	- Removed - multi profile from jenkins_controller service. - Updated volume mapping for agent-ssh-dir from /app to /ssh-dir.
dockerfiles/agent-discovery/find-name.sh	- Introduced variable JENKINS_CONTROLLER, defaulting to "jenkins_controller". - Updated curl commands to use $JENKINS_CONTROLLER instead of hardcoded values.
dockerfiles/plugins.txt	- Updated versions for multiple plugins, including workflow-support from 932.vb_555de1b_a_b_94 to 936.v9fa_77211ca_e1.
.github/workflows/github-docker-registry-push.yml	- Updated authentication to use ${{ github.actor }} and ${{ secrets.GITHUB_TOKEN }}. - Added a step to extract and set the branch name as an environment variable.
.github/dependabot.yml	- Added new entry for Docker package ecosystem in ./dockerfiles/agent-discovery with weekly update intervals.
dockerfiles/agent-discovery/Dockerfile	- Updated base image from debian:bookworm-20240311-slim to debian:bookworm-20241111-slim.

Poem

In the land of code where bunnies hop,
Changes made, we can't stop!
Profiles trimmed and paths refined,
Jenkins now more aligned.
With a script that knows its way,
Hooray for updates, hip-hip-hooray! 🐇✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)

dockerfiles/agent-discovery/find-name.sh (1)

82-86: Consider consolidating duplicate HTTP checks.

The curl check for controller reachability is duplicated later in the script. Consider consolidating this with the timeout check on line 91 to improve maintainability.

 JENKINS_CONTROLLER="jenkins_controller"
-if ! curl -s -f http://jenkins_controller:8080/login > /dev/null; then
+if ! timeout 10 bash -c 'curl -s -f http://jenkins_controller:8080/login > /dev/null'; then
     JENKINS_CONTROLLER="multi_jenkins_controller"
 fi

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 96912e3 and 6def213.

📒 Files selected for processing (2)

• docker-compose.yaml (0 hunks)
• dockerfiles/agent-discovery/find-name.sh (1 hunks)

💤 Files with no reviewable changes (1)

• docker-compose.yaml

🧰 Additional context used

🪛 GitHub Check: Shellcheck (reported by Codacy)

dockerfiles/agent-discovery/find-name.sh

[warning] 91-91:
Expressions don't expand in single quotes, use double quotes for that.

🔇 Additional comments (2)

dockerfiles/agent-discovery/find-name.sh (2)

94-94: LGTM!

Good use of the $JENKINS_CONTROLLER variable with proper expansion in double quotes.

---

91-91: ⚠️ Potential issue

Fix variable expansion in timeout command.

The single quotes prevent $JENKINS_CONTROLLER from being expanded. This is a critical issue that would cause the script to fail.

-timeout 60 bash -c 'until curl -s -f http://$JENKINS_CONTROLLER:8080/login > /dev/null; do sleep 5; done' && echo "Jenkins is running" || echo "Jenkins is not running"
+timeout 60 bash -c "until curl -s -f http://${JENKINS_CONTROLLER}:8080/login > /dev/null; do sleep 5; done" && echo "Jenkins is running" || echo "Jenkins is not running"

🧰 Tools

🪛 GitHub Check: Shellcheck (reported by Codacy)

[warning] 91-91:
Expressions don't expand in single quotes, use double quotes for that.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)

dockerfiles/agent-discovery/find-name.sh (1)

82-86: Improve the fallback mechanism implementation.

While the fallback logic is a good addition, consider these improvements:

1. Use the variable in the check to avoid URL duplication
2. Add error messaging for better debugging

 JENKINS_CONTROLLER="jenkins_controller"
-if ! curl -s -f http://jenkins_controller:8080/login > /dev/null; then
+if ! curl -s -f "http://${JENKINS_CONTROLLER}:8080/login" > /dev/null; then
+    echo "Primary controller not reachable, falling back to multi controller..."
     JENKINS_CONTROLLER="multi_jenkins_controller"
 fi

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 6def213 and 2b92582.

📒 Files selected for processing (1)

• dockerfiles/agent-discovery/find-name.sh (1 hunks)

🔇 Additional comments (3)

dockerfiles/agent-discovery/find-name.sh (3)

91-91: LGTM! Proper implementation of Jenkins readiness check.

The timeout command correctly uses the JENKINS_CONTROLLER variable with proper string interpolation.

---

99-100: Previous security concern still applies.

The hardcoded insecure token issue was previously identified and needs to be addressed.

---

91-91: Follow shell scripting best practices.

Use double quotes for string interpolation in shell scripts to ensure variables are properly expanded.

[coderabbitai]

⚠️ Potential issue

Security Issue: Remove hardcoded credentials.

The Jenkins version check contains hardcoded admin credentials. This poses a security risk.

-JENKINS_VERSION=$(curl -s -I -k http://admin:admin@$JENKINS_CONTROLLER:8080 | grep -i '^X-Jenkins:' | awk '{print $2}')
+JENKINS_VERSION=$(curl -s -I -k "http://${JENKINS_USER}:${JENKINS_TOKEN}@${JENKINS_CONTROLLER}:8080" | grep -i '^X-Jenkins:' | awk '{print $2}')

Please add these environment variables to your configuration:

• JENKINS_USER: Jenkins admin username
• JENKINS_TOKEN: Jenkins API token or password

Committable suggestion skipped: line range outside the PR's diff.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (2)

dockerfiles/agent-discovery/find-name.sh (2)

82-87: LGTM with a suggestion for enhanced error handling.

The fallback logic is well-implemented. Consider adding error handling for when both controllers are unreachable.

 JENKINS_CONTROLLER="jenkins_controller"
 if ! curl -s -f "http://${JENKINS_CONTROLLER}:8080/login" > /dev/null; then
     echo "Primary controller not reachable, falling back to multi controller..."
     JENKINS_CONTROLLER="multi_jenkins_controller"
+    if ! curl -s -f "http://${JENKINS_CONTROLLER}:8080/login" > /dev/null; then
+        echo "Error: Neither primary nor multi controller is reachable"
+        exit 1
+    fi
 fi

---

92-92: Consider making the timeout duration configurable.

While the variable usage is correct, consider making the timeout duration configurable via an environment variable to accommodate different environments.

-timeout 60 bash -c "until curl -s -f http://${JENKINS_CONTROLLER}:8080/login > /dev/null; do sleep 5; done" && echo "Jenkins is running" || echo "Jenkins is not running"
+: "${JENKINS_STARTUP_TIMEOUT:=60}"  # Default to 60 seconds if not set
+timeout "${JENKINS_STARTUP_TIMEOUT}" bash -c "until curl -s -f http://${JENKINS_CONTROLLER}:8080/login > /dev/null; do sleep 5; done" && echo "Jenkins is running" || echo "Jenkins is not running"

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between ffef29c and 066d15e.

📒 Files selected for processing (1)

• dockerfiles/agent-discovery/find-name.sh (1 hunks)

🔇 Additional comments (1)

dockerfiles/agent-discovery/find-name.sh (1)

96-96: Previous security concern about hardcoded credentials remains unaddressed.

[coderabbitai]

⚠️ Potential issue

Critical Security Regression: Hardcoded insecure token replaces secure token.

This change introduces a severe security vulnerability by:

1. Commenting out the secure token implementation
2. Replacing it with a hardcoded, predictable token

This makes the Jenkins configuration reload endpoint vulnerable to unauthorized access.

Revert to using the secure token:

-# curl -X POST "http://admin:admin@$JENKINS_CONTROLLER:8080/reload-configuration-as-code/?casc-reload-token=$JCASC_TOKEN"
-curl -X POST "http://admin:admin@$JENKINS_CONTROLLER:8080/reload-configuration-as-code/?casc-reload-token=thisisnotsecure"
+curl -X POST "http://admin:admin@$JENKINS_CONTROLLER:8080/reload-configuration-as-code/?casc-reload-token=$JCASC_TOKEN"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# curl -X POST "http://admin:admin@$JENKINS_CONTROLLER:8080/reload-configuration-as-code/?casc-reload-token=$JCASC_TOKEN"
	curl -X POST "http://admin:admin@$JENKINS_CONTROLLER:8080/reload-configuration-as-code/?casc-reload-token=thisisnotsecure"
	curl -X POST "http://admin:admin@$JENKINS_CONTROLLER:8080/reload-configuration-as-code/?casc-reload-token=$JCASC_TOKEN"

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (3)

.github/workflows/github-docker-registry-push.yml (3)

Line range hint 98-114: Remove duplicate branch name extraction steps.

There are two identical steps performing the same branch name extraction operation. This is redundant and should be consolidated into a single step.

Apply this diff to remove the duplication:

      - name: Extract branch name
        shell: bash
        run: |
          BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | sed -e 's#/#-#g')
          if [[ "$BRANCH_NAME" == "main" ]]; then BRANCH_NAME=""; fi
          echo "BRANCH=$BRANCH_NAME" >> $GITHUB_ENV
        id: extract_branch

-      - name: Extract branch name and set BRANCH environment variable
-        shell: bash
-        run: |
-          BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | sed -e 's#/#-#g')
-          if [[ "$BRANCH_NAME" == "main" ]]; then BRANCH_NAME=""; fi
-          echo "BRANCH=$BRANCH_NAME" >> $GITHUB_ENV

---

Line range hint 52-64: Fix the Dockerfile change detection logic.

The current implementation has several issues:

1. The break statement exits the loop but doesn't communicate the result
2. The $? check is incorrect as it checks the loop's exit status
3. The "No changes" message is printed on non-zero exit status

Apply this diff to fix the logic:

      - name: Check for Dockerfile and context changes
        run: |
+         DOCKERFILE_CHANGED=false
          for file in ${{ env.files }}; do
            if [[ $file =~ (^|/)Dockerfile($|/)|(^|/)dockerfiles/ ]]; then
              echo "Dockerfile or dockerfiles directory has changed."
              echo "Changed file: $file"
-             break
+             DOCKERFILE_CHANGED=true
+             break
            fi
          done
          
-         if (( $? == 0 )); then
+         if [[ "$DOCKERFILE_CHANGED" == "false" ]]; then
            echo "No Dockerfile or context directory changes. Skipping Docker image build and push steps."
            echo "Changed files: ${{ env.files }}"
          fi
+         echo "DOCKERFILE_CHANGED=$DOCKERFILE_CHANGED" >> $GITHUB_ENV

This change:

• Introduces a proper flag to track Dockerfile changes
• Fixes the condition check
• Exports the result as an environment variable for use in subsequent steps

---

Line range hint 15-18: Remove unused environment variables.

The GHCR_USERNAME and GHCR_TOKEN environment variables are no longer used after switching to github.actor and secrets.GITHUB_TOKEN for authentication.

Apply this diff to remove the unused variables:

env:
-  GHCR_USERNAME: ${{ github.repository_owner }} # The owner of the repository
-  GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }} # The token for GHCR

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between cdc5909 and ad558f7.

📒 Files selected for processing (1)

• .github/workflows/github-docker-registry-push.yml (1 hunks)

🔇 Additional comments (1)

.github/workflows/github-docker-registry-push.yml (1)

94-95: LGTM! Improved authentication security.

The change to use github.actor and secrets.GITHUB_TOKEN instead of custom environment variables is a security improvement. It leverages GitHub's built-in authentication mechanism, which is the recommended approach for GHCR authentication.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between ad558f7 and 093b96c.

📒 Files selected for processing (2)

• .github/dependabot.yml (2 hunks)
• dockerfiles/agent-discovery/Dockerfile (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• dockerfiles/agent-discovery/Dockerfile

🧰 Additional context used

🪛 yamllint (1.29.0-1)

.github/dependabot.yml

[error] 45-45: trailing spaces

(trailing-spaces)

---

[error] 50-50: trailing spaces

(trailing-spaces)

🔇 Additional comments (1)

.github/dependabot.yml (1)

46-50: LGTM! New Dependabot configuration looks good

The new Docker package ecosystem entry for ./dockerfiles/agent-discovery follows the established pattern and maintains consistent settings with other Docker entries.

🧰 Tools

🪛 yamllint (1.29.0-1)

[error] 50-50: trailing spaces

(trailing-spaces)

[coderabbitai]

⚠️ Potential issue

Remove trailing spaces

There are trailing spaces at the end of lines 45 and 50 that should be removed for consistency.

Apply this diff to fix the trailing spaces:

-    open-pull-requests-limit: 10    
+    open-pull-requests-limit: 10

Also applies to: 50-50

🧰 Tools

🪛 yamllint (1.29.0-1)

[error] 45-45: trailing spaces

(trailing-spaces)

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)

dockerfiles/agent-discovery/find-name.sh (1)

82-91: Consider making curl timeout configurable

The fallback mechanism is well-implemented, but the hardcoded 60-second timeout in curl commands could be made configurable like JENKINS_STARTUP_TIMEOUT.

+: "${JENKINS_CURL_TIMEOUT:=60}"  # Default to 60 seconds if not set
 JENKINS_CONTROLLER="jenkins_controller"
-if ! curl -s -f --max-time 60 "http://${JENKINS_CONTROLLER}:8080/login" > /dev/null; then
+if ! curl -s -f --max-time "${JENKINS_CURL_TIMEOUT}" "http://${JENKINS_CONTROLLER}:8080/login" > /dev/null; then
     echo "Primary controller not reachable, falling back to multi controller..."
     JENKINS_CONTROLLER="multi_jenkins_controller"
-    if ! curl -s -f --max-time 60 "http://${JENKINS_CONTROLLER}:8080/login" > /dev/null; then
+    if ! curl -s -f --max-time "${JENKINS_CURL_TIMEOUT}" "http://${JENKINS_CONTROLLER}:8080/login" > /dev/null; then

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 093b96c and cb44510.

📒 Files selected for processing (2)

• .github/dependabot.yml (2 hunks)
• dockerfiles/agent-discovery/find-name.sh (1 hunks)

🧰 Additional context used

🪛 yamllint (1.29.0-1)

.github/dependabot.yml

[error] 45-45: trailing spaces

(trailing-spaces)

🔇 Additional comments (3)

.github/dependabot.yml (2)

45-45: Remove trailing spaces

There are trailing spaces at the end of line 45 that should be removed for consistency.

Apply this diff to fix the trailing spaces:

-    open-pull-requests-limit: 10    
+    open-pull-requests-limit: 10

🧰 Tools

🪛 yamllint (1.29.0-1)

[error] 45-45: trailing spaces

(trailing-spaces)

---

Line range hint 46-60: LGTM! The new Dependabot configuration for agent-discovery looks good.

The new entry follows the established pattern and maintains consistency with other Docker directory configurations.

🧰 Tools

🪛 yamllint (1.29.0-1)

[error] 45-45: trailing spaces

(trailing-spaces)

dockerfiles/agent-discovery/find-name.sh (1)

104-104: ⚠️ Potential issue

Critical: Previously identified security issues remain unaddressed

The code still contains critical security vulnerabilities that were identified in previous reviews:

1. Hardcoded admin credentials in the version check
2. Replacement of secure token with hardcoded insecure token

These changes significantly weaken the security of the Jenkins configuration reload endpoint.

Please refer to the previous review comments for the recommended fixes:

1. Use environment variables for Jenkins credentials
2. Revert to using the secure $JCASC_TOKEN for configuration reload

Also applies to: 108-109

[coderabbitai]

🛠️ Refactor suggestion

Remove duplicate timeout command

There are two identical timeout commands checking Jenkins availability. The first one uses a hardcoded timeout while the second uses the configurable JENKINS_STARTUP_TIMEOUT. Remove the first command to avoid confusion.

-timeout 60 bash -c "until curl -s -f http://${JENKINS_CONTROLLER}:8080/login > /dev/null; do sleep 5; done" && echo "Jenkins is running" || echo "Jenkins is not running"
 # The colon (:) is a no-op command in Bash, which means it does nothing and always returns a true exit status. It is often used as a placeholder or to evaluate expressions without executing any commands.
 # The ${JENKINS_STARTUP_TIMEOUT:=60} part is a parameter expansion. It checks if the JENKINS_STARTUP_TIMEOUT variable is set and not null. If it is not set, it assigns the value 60 to JENKINS_STARTUP_TIMEOUT
 : "${JENKINS_STARTUP_TIMEOUT:=60}"  # Default to 60 seconds if not set
 timeout "${JENKINS_STARTUP_TIMEOUT}" bash -c "until curl -s -f http://${JENKINS_CONTROLLER}:8080/login > /dev/null; do sleep 5; done" && echo "Jenkins is running" || echo "Jenkins is not running"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	timeout 60 bash -c "until curl -s -f http://${JENKINS_CONTROLLER}:8080/login > /dev/null; do sleep 5; done" && echo "Jenkins is running" || echo "Jenkins is not running"
	# The colon (:) is a no-op command in Bash, which means it does nothing and always returns a true exit status. It is often used as a placeholder or to evaluate expressions without executing any commands.
	# The ${JENKINS_STARTUP_TIMEOUT:=60} part is a parameter expansion. It checks if the JENKINS_STARTUP_TIMEOUT variable is set and not null. If it is not set, it assigns the value 60 to JENKINS_STARTUP_TIMEOUT
	: "${JENKINS_STARTUP_TIMEOUT:=60}" # Default to 60 seconds if not set
	timeout "${JENKINS_STARTUP_TIMEOUT}" bash -c "until curl -s -f http://${JENKINS_CONTROLLER}:8080/login > /dev/null; do sleep 5; done" && echo "Jenkins is running" || echo "Jenkins is not running"
	# The colon (:) is a no-op command in Bash, which means it does nothing and always returns a true exit status. It is often used as a placeholder or to evaluate expressions without executing any commands.
	# The ${JENKINS_STARTUP_TIMEOUT:=60} part is a parameter expansion. It checks if the JENKINS_STARTUP_TIMEOUT variable is set and not null. If it is not set, it assigns the value 60 to JENKINS_STARTUP_TIMEOUT
	: "${JENKINS_STARTUP_TIMEOUT:=60}" # Default to 60 seconds if not set
	timeout "${JENKINS_STARTUP_TIMEOUT}" bash -c "until curl -s -f http://${JENKINS_CONTROLLER}:8080/login > /dev/null; do sleep 5; done" && echo "Jenkins is running" || echo "Jenkins is not running"