Pass Java arguments to Jenkins master

Passing Java arguments to Jenkins puppet allows to tune Jenkins
master Java. This is useful in order to set various Java attributes
like Java heap size virtual memory consumption.
This is most useful for downstream projects.

This patch also enables to workaround Jenkins SECURITY-170 by
setting java arguments through hieradata.
https://issues.jenkins-ci.org/browse/JENKINS-34885

Change-Id: I745a23b0f177f868d5406639bc8c42e3acacea72
Depends-On: Ice0e4ffa2fffd041d8bcc4a0b323ffae7ba2b0c8

contrib/single_node_ci_data.yaml

@@ -8,6 +8,8 @@ project_config_repo: http://your-project-config-repo.example.com/project-config-
 # zuul. However, it has numerous security vulnerabilities, and should only
 # be used for installations that have other means (e.g. firewalls) that block all
 # untrusted access to Jenkins.
+# see SECURITY-170 in:
+# "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11"
 #jenkins_version: present
 #jenkins_vhost_name: jenkins
 #jenkins_username: jenkins
@@ -18,6 +20,11 @@ jenkins_ssh_private_key: |
   -----END RSA PRIVATE KEY-----
 jenkins_ssh_public_key:  your-jenkins-public-key-no-whitespace
 jjb_git_revision: 1.6.2
+#java_args_override: |
+   # These are the arguments to pass to Java
+   # The recommended value:
+   # "-Xloggc:/var/log/jenkins/gc.log -XX:+PrintGCDetails -Xmx12g -Dorg.kohsuke.stapler.compression.CompressionFilter.disabled=true -Djava.util.logging.config.file=/var/lib/jenkins/logger.conf -Dhudson.model.ParametersAction.keepUndefinedParameters=true"
+   # Please note that using the parameter: keepUndefinedParameters=true is not secure and exposes a potential jenkins security vulnerability
 #jjb_git_url: https://git.openstack.org/openstack-infra/jenkins-job-builder
 #gerrit_server: review.openstack.org
 #gerrit_ssh_host_key:

contrib/single_node_ci_site.pp

@@ -38,6 +38,7 @@ node default {
     jenkins_password            => hiera('jenkins_password', 'XXX'),
     jenkins_ssh_private_key     => hiera('jenkins_ssh_private_key'),
     jenkins_ssh_public_key      => hiera('jenkins_ssh_public_key'),
+    java_args_override          => hiera('java_args_override', undef),
     gerrit_server               => hiera('gerrit_server', 'review.openstack.org'),
     gerrit_user                 => hiera('gerrit_user'),
     gerrit_user_ssh_public_key  => hiera('gerrit_user_ssh_public_key'),

manifests/jenkins_master.pp

@@ -17,6 +17,7 @@ class openstackci::jenkins_master (
   $jenkins_version         = 'present',
   $manage_jenkins_jobs     = false,
   $jenkins_url             = 'http://localhost:8080',
+  $java_args_override      = undef,
   $jjb_update_timeout      = 1200,
   $jjb_git_url             = 'https://git.openstack.org/openstack-infra/jenkins-job-builder',
   $jjb_git_revision        = 'master',
@@ -38,6 +39,7 @@ class openstackci::jenkins_master (
     jenkins_ssh_private_key => $jenkins_ssh_private_key,
     jenkins_ssh_public_key  => $jenkins_ssh_public_key,
     jenkins_version         => $jenkins_version,
+    java_args_override      => $java_args_override,
   }
 
   jenkins::plugin { 'build-timeout':

manifests/single_node_ci.pp

@@ -56,6 +56,15 @@
 #   The public key should not have any white space. Omit the 'ssh-rsa' prefix
 #   and comment section / e-mail address suffix.
 #
+# [*java_args_override*]
+#   These are the arguments to pass to Java:
+#   "-Xloggc:/var/log/jenkins/gc.log -XX:+PrintGCDetails -Xmx12g -Dorg.kohsuke.stapler.compression.CompressionFilter.disabled=true -Djava.util.logging.config.file=/var/lib/jenkins/logger.conf -Dhudson.model.ParametersAction.keepUndefinedParameters=true"
+#   Set this parameter through hieradata.
+#   To work around the security restrictions that result from upgrading to version > 1.651.2
+#   Add the Java system parameter:
+#   "-Dhudson.model.ParametersAction.keepUndefinedParameters=true"
+#   Please note that adding this parameter is not secure and it exposes a potential jenkins security vulnerability.
+#
 # [*jenkins_version*]
 #   This is a Jenkins version, such as '1.651', 'present' (to install
 #   the most recent, and never upgrade), or latest' (to install the most
@@ -158,6 +167,7 @@ class openstackci::single_node_ci (
   $jenkins_password              = undef,
   $jenkins_ssh_private_key       = undef,
   $jenkins_ssh_public_key        = undef,
+  $java_args_override            = undef,
   $jenkins_version               = 'present',
   $jjb_git_revision              = 'master',
   $jjb_git_url                   = 'https://git.openstack.org/openstack-infra/jenkins-job-builder',
@@ -200,6 +210,7 @@ class openstackci::single_node_ci (
     jenkins_password        => $jenkins_password,
     project_config_repo     => $project_config_repo,
     log_server              => $log_server,
+    java_args_override      => $java_args_override,
     jjb_git_revision        => $jjb_git_revision,
     jjb_git_url             => $jjb_git_url,
   }