Use a sudoers file for jenkins sudo rights

This way we can start with the file in place on all single-use
slaves, and then remove the file at the beginning of jobs that
should not be able to sudo (for example, unit test jobs).

Change-Id: I37aabdba89d00b45365126c8f776ae6ef8357c8f

modules/jenkins/files/jenkins-sudo.sudo

@@ -0,0 +1 @@
+jenkins ALL=(root) NOPASSWD:ALL

modules/jenkins/manifests/jenkinsuser.pp

@@ -3,19 +3,12 @@
 class jenkins::jenkinsuser(
   $ssh_key = '',
   $ensure = present,
-  $sudo = false,
 ) {
 
   group { 'jenkins':
     ensure => present,
   }
 
-  if ($sudo == true) {
-    $groups = ['sudo', 'admin']
-  } else {
-    $groups = []
-  }
-
   user { 'jenkins':
     ensure     => present,
     comment    => 'Jenkins User',
@@ -23,7 +16,7 @@ class jenkins::jenkinsuser(
     gid        => 'jenkins',
     shell      => '/bin/bash',
     membership => 'minimum',
-    groups     => $groups,
+    groups     => [],
     require    => Group['jenkins'],
   }
 

modules/jenkins/manifests/slave.pp

@@ -15,7 +15,6 @@ class jenkins::slave(
   if ($user == true) {
     class { 'jenkins::jenkinsuser':
       ensure  => present,
-      sudo    => $sudo,
       ssh_key => $ssh_key,
     }
   }
@@ -354,6 +353,16 @@ class jenkins::slave(
     source  => 'puppet:///modules/jenkins/slave_scripts',
   }
 
+  if ($sudo == true) {
+    file { '/etc/sudoers.d/jenkins-sudo':
+      ensure => present,
+      source => 'puppet:///modules/jenkins/jenkins-sudo.sudo',
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0440',
+    }
+  }
+
   file { '/etc/sudoers.d/jenkins-sudo-grep':
     ensure => present,
     source => 'puppet:///modules/jenkins/jenkins-sudo-grep.sudo',