jenkins-job-builder: use a real user + API token to authenticate to Jenkins

Without disabling CSRF (complicated, will probably become impossible at some
point), we did not manage to have jenkins-job-builder use the API
with current Jenkins LTS. Using the standard security setup
(https://wiki.jenkins.io/display/JENKINS/Standard+Security+Setup),
an actual user, and its API token, repairs communication with the API.

refs tails/sysadmin#16955

manifests/jenkins/master.pp

@@ -9,6 +9,7 @@
 
 class tails::jenkins::master (
   String $jenkins_jobs_repo,
+  String $api_token,
   String $version                                         = '2.235.1',
 
   String $tails_repo                                      = 'https://gitlab.tails.boum.org/tails/tails.git',
@@ -16,6 +17,7 @@ class tails::jenkins::master (
   Enum['present', 'absent'] $automatic_iso_jobs_generator = 'present',
   Integer $active_branches_max_age_in_days                = 49,
   String $gitolite_pubkey_name                            = 'gitolite@puppet-git',
+  String $api_user                                        = 'admin',
 
   Boolean $manage_mount                                   = false,
   $mount_device                                           = false,
@@ -561,7 +563,7 @@ class tails::jenkins::master (
     owner   => root,
     group   => jenkins,
     mode    => '0640',
-    source  => 'puppet:///modules/tails/jenkins/master/jenkins_jobs.ini',
+    content => template('tails/jenkins/orchestrator/jenkins_jobs.ini.erb'),
     require => [
       Package['jenkins'],
       Package['jenkins-job-builder'],

files/jenkins/master/jenkins_jobs.ini → templates/jenkins/orchestrator/jenkins_jobs.ini.erb

@@ -3,6 +3,6 @@ recursive=True
 
 [jenkins]
 query_plugins_info=True
-user=placeholder
-password=placeholder
+user=<%= @api_user %>
+password=<%= @api_token %>
 url=http://127.0.0.1:8080/