sa_8001/dsk-devops-toolchains
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

디렉토리 구조 및 각 서비스 추가

Browse Source
This commit is contained in:
dsk-minchulahn
2024-01-03 17:29:11 +09:00
parent 98de2a7627
commit d601d0f259
1632 changed files with 207616 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
helm/jenkins/.helmignore Normal file
View File

@@ -0,0 +1,26 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
ci/
# do not package unittests
unittests/
Tiltfile
.helmignore

2451
helm/jenkins/CHANGELOG.md Normal file
View File

File diff suppressed because it is too large Load Diff

38
helm/jenkins/Chart.yaml Normal file
View File

@@ -0,0 +1,38 @@
apiVersion: v2
name: jenkins
home: https://jenkins.io/
version: 4.2.18
appVersion: 2.375.1
description: Jenkins - Build great things at any scale! The leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project.
sources:
- https://github.com/jenkinsci/jenkins
- https://github.com/jenkinsci/docker-inbound-agent
- https://github.com/maorfr/kube-tasks
- https://github.com/jenkinsci/configuration-as-code-plugin
maintainers:
- name: maorfr
email: maor.friedman@redhat.com
- name: torstenwalter
email: mail@torstenwalter.de
- name: mogaal
email: garridomota@gmail.com
- name: wmcdona89
email: wmcdona89@gmail.com
- name: timja
email: timjacomb1@gmail.com
icon: https://get.jenkins.io/art/jenkins-logo/logo.svg
annotations:
artifacthub.io/links: |
- name: Chart Source
url: https://github.com/jenkinsci/helm-charts/tree/main/charts/jenkins
- name: Jenkins
url: https://www.jenkins.io/
artifacthub.io/images: |
- name: jenkins
image: jenkins/jenkins:2.375.1-jdk11
- name: k8s-sidecar
image: kiwigrid/k8s-sidecar:1.15.0
- name: inbound-agent
image: jenkins/inbound-agent:4.11.2-4
- name: backup
image: maorfr/kube-tasks:0.2.0

1044
helm/jenkins/README.md Normal file
View File

File diff suppressed because it is too large Load Diff

5
helm/jenkins/Tiltfile Normal file
View File

@@ -0,0 +1,5 @@
# If not using a standard local dev name, specify your k8s context here
#allow_k8s_contexts('jenkins-dev')
k8s_yaml(helm('.', values='values.yaml', set=['controller.adminPassword=asdf']))
watch_file('.')

400
helm/jenkins/VALUES_SUMMARY.md Normal file
View File

@@ -0,0 +1,400 @@
# Jenkins
## Configuration
The following tables list the configurable parameters of the Jenkins chart and their default values.
### Jenkins Controller
| Parameter | Description | Default |
|---------------------------------------------|--------------------------------------------------------------------------|----------------------------------------------------------------------|
| `checkDeprecation` | Checks for deprecated values used | `true` |
| `clusterZone` | Override the cluster name for FQDN resolving | `cluster.local` |
| `nameOverride` | Override the resource name prefix | `jenkins` |
| `renderHelmLabels` | Enables rendering of the helm.sh/chart label to the annotations | `true` |
| `fullnameOverride` | Override the full resource names | `jenkins-{release-name}` (or `jenkins` if release-name is `jenkins`) |
| `namespaceOverride` | Override the deployment namespace | Not set (`Release.Namespace`) |
| `controller.componentName` | Jenkins controller name | `jenkins-controller` |
| `controller.testEnabled` | Can be used to disable rendering test resources when using helm template | `true` |
| `controller.cloudName` | Name of default cloud configuration | `kubernetes` |
| `controller.legacyRemotingSecurityEnabled` | Is remoting security enabled? | Not set (i.e. not enabled) |
#### Jenkins Configuration as Code (JCasC)
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `controller.JCasC.defaultConfig` | Enables default Jenkins configuration via configuration as code plugin | `true` |
| `controller.JCasC.configScripts` | List of Jenkins Config as Code scripts | `{}` |
| `controller.JCasC.security` | Jenkins Config as Code for Security section | `legacy` |
| `controller.JCasC.securityRealm` | Jenkins Config as Code for Security Realm | `legacy` |
| `controller.JCasC.authorizationStrategy` | Jenkins Config as Code for Authorization Strategy | `loggedInUsersCanDoAnything` |
| `controller.sidecars.configAutoReload` | Jenkins Config as Code auto-reload settings | |
| `controller.sidecars.configAutoReload.enabled` | Jenkins Config as Code auto-reload settings (Attention: rbac needs to be enabled otherwise the sidecar can't read the config map) | `true` |
| `controller.sidecars.configAutoReload.image` | Image which triggers the reload | `kiwigrid/k8s-sidecar:0.1.144` |
| `controller.sidecars.configAutoReload.reqRetryConnect` | How many connection-related errors to retry on | `10` |
| `controller.sidecars.configAutoReload.envFrom` | Environment variable sources for the Jenkins Config as Code auto-reload container | Not set |
| `controller.sidecars.configAutoReload.env` | Environment variables for the Jenkins Config as Code auto-reload container | Not set |
| `controller.sidecars.configAutoReload.containerSecurityContext` | Enable container security context | `{readOnlyRootFilesystem: true, allowPrivilegeEscalation: false}` |
#### Jenkins Configuration Files & Scripts
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `controller.initScripts` | List of Jenkins init scripts | `[]` |
| `controller.initConfigMap` | Pre-existing init scripts | Not set |
#### Jenkins Global Security
| Parameter | Description | Default |
| --------------------------------- | ---------------------------------------- | ----------------------------------------- |
| `controller.adminSecret` | Create secret for admin user | `true` |
| `controller.disableRememberMe` | Disable use of remember me | `false` |
| `controller.enableRawHtmlMarkupFormatter` | Enable HTML parsing using | false |
| `controller.markupFormatter` | Yaml of the markup formatter to use | `plainText` |
| `controller.disabledAgentProtocols` | Disabled agent protocols | `JNLP-connect JNLP2-connect` |
| `controller.csrf.defaultCrumbIssuer.enabled` | Enable the default CSRF Crumb issuer | `true` |
| `controller.csrf.defaultCrumbIssuer.proxyCompatability` | Enable proxy compatibility | `true` |
#### Jenkins Global Settings
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `controller.numExecutors` | Set Number of executors | 0 |
| `controller.executorMode` | Set executor mode of the Jenkins node. Possible values are: NORMAL or EXCLUSIVE | NORMAL |
| `controller.customJenkinsLabels` | Append Jenkins labels to the controller | `[]` |
| `controller.jenkinsHome` | Custom Jenkins home path | `/var/jenkins_home` |
| `controller.jenkinsRef` | Custom Jenkins reference path | `/usr/share/jenkins/ref` |
| `controller.jenkinsAdminEmail` | Email address for the administrator of the Jenkins instance | Not set |
| `controller.jenkinsUrl` | Set Jenkins URL if you are not using the ingress definitions provided by the chart | Not set |
| `controller.jenkinsUrlProtocol` | Set protocol for Jenkins URL | Set to `https` if `controller.ingress.tls`, `http` otherwise |
| `controller.jenkinsUriPrefix` | Root Uri Jenkins will be served on | Not set |
#### Jenkins In-Process Script Approval
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `controller.scriptApproval` | List of groovy functions to approve | `[]` |
#### Jenkins Plugins
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `controller.installPlugins` | List of Jenkins plugins to install. If you don't want to install plugins set it to `false` | `kubernetes:1.31.3 workflow-aggregator:2.6 git:4.10.2 configuration-as-code:1414.v878271fc496f` |
| `controller.additionalPlugins` | List of Jenkins plugins to install in addition to those listed in controller.installPlugins | `[]` |
| `controller.initializeOnce` | Initialize only on first install. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true`. | `false` |
| `controller.overwritePlugins` | Overwrite installed plugins on start.| `false` |
| `controller.overwritePluginsFromImage` | Keep plugins that are already installed in the controller image.| `true` |
| `controller.installLatestPlugins` | Set to false to download the minimum required version of all dependencies. | `true` |
| `controller.installLatestSpecifiedPlugins` | Set to true to download latest dependencies of any plugin that is requested to have the latest version. | `false` |
#### Jenkins Agent Listener
| Parameter | Description | Default |
| -------------------------------------------- | ----------------------------------------------- | ------------ |
| `controller.agentListenerEnabled` | Create Agent listener service | `true` |
| `controller.agentListenerPort` | Listening port for agents | `50000` |
| `controller.agentListenerHostPort` | Host port to listen for agents | Not set |
| `controller.agentListenerNodePort` | Node port to listen for agents | Not set |
| `controller.agentListenerServiceType` | Defines how to expose the agentListener service | `ClusterIP` |
| `controller.agentListenerServiceAnnotations` | Annotations for the agentListener service | `{}` |
| `controller.agentListenerLoadBalancerIP` | Static IP for the agentListener LoadBalancer | Not set |
| `controller.agentListenerExternalTrafficPolicy` | [Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service/#traffic-policies) of for the agentListener service | Not set |
| `controller.agentListenerLoadBalancerSourceRanges` | Allowed inbound IP for the agentListener service | `0.0.0.0/0` |
#### Kubernetes StatefulSet & Service
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `controller.image` | Controller image name | `jenkins/jenkins` |
| `controller.tagLabel` | Controller image tag label | `jdk11` |
| `controller.tag` | Controller image tag override | Not set |
| `controller.imagePullPolicy` | Controller image pull policy | `Always` |
| `controller.imagePullSecretName` | Controller image pull secret | Not set |
| `controller.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 50m, memory: 256Mi}, limits: {cpu: 2000m, memory: 4096Mi}}`|
| `controller.initContainerResources` | Resources allocation (Requests and Limits) for Init Container | Not set |
| `controller.initContainerEnvFrom` | Environment variable sources for Init Container | Not set |
| `controller.initContainerEnv` | Environment variables for Init Container | Not set |
| `controller.containerEnvFrom` | Environment variable sources for Jenkins Container | Not set |
| `controller.containerEnv` | Environment variables for Jenkins Container | Not set |
| `controller.usePodSecurityContext` | Enable pod security context (must be `true` if `runAsUser`, `fsGroup`, or `podSecurityContextOverride` are set) | `true` |
| `controller.runAsUser` | Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with. | `1000` |
| `controller.fsGroup` | Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume. | `1000` |
| `controller.podSecurityContextOverride` | Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, and `fsGroup`. | Not set |
| `controller.containerSecurityContext` | Allow to control securityContext for the jenkins container. | `{runAsUser: 1000, runAsGroup: 1000, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false}` |
| `controller.hostAliases` | Aliases for IPs in `/etc/hosts` | `[]` |
| `controller.serviceAnnotations` | Service annotations | `{}` |
| `controller.serviceType` | k8s service type | `ClusterIP` |
| `controller.clusterIP` | k8s service clusterIP | Not set |
| `controller.servicePort` | k8s service port | `8080` |
| `controller.targetPort` | k8s target port | `8080` |
| `controller.nodePort` | k8s node port | Not set |
| `controller.jmxPort` | Open a port, for JMX stats | Not set |
| `controller.extraPorts` | Open extra ports, for other uses | `[]` |
| `controller.loadBalancerSourceRanges` | Allowed inbound IP addresses | `0.0.0.0/0` |
| `controller.loadBalancerIP` | Optional fixed external IP | Not set |
| `controller.statefulSetLabels` | Custom StatefulSet labels | Not set |
| `controller.serviceLabels` | Custom Service labels | Not set |
| `controller.podLabels` | Custom Pod labels (an object with `label-key: label-value` pairs) | Not set |
| `controller.nodeSelector` | Node labels for pod assignment | `{}` |
| `controller.affinity` | Affinity settings | `{}` |
| `controller.schedulerName` | Kubernetes scheduler name | Not set |
| `controller.terminationGracePeriodSeconds` | Set TerminationGracePeriodSeconds | Not set |
| `controller.terminationMessagePath` | Set the termination message path | Not set |
| `controller.terminationMessagePolicy` | Set the termination message policy | Not set |
| `controller.tolerations` | Toleration labels for pod assignment | `[]` |
| `controller.podAnnotations` | Annotations for controller pod | `{}` |
| `controller.statefulSetAnnotations` | Annotations for controller StatefulSet | `{}` |
| `controller.updateStrategy` | Update strategy for StatefulSet | `{}` |
| `controller.lifecycle` | Lifecycle specification for controller-container | Not set |
| `controller.priorityClassName` | The name of a `priorityClass` to apply to the controller pod | Not set |
| `controller.admin.existingSecret` | The name of an existing secret containing the admin credentials. | `""`|
| `controller.admin.userKey` | The key in the existing admin secret containing the username. | `jenkins-admin-user` |
| `controller.admin.passwordKey` | The key in the existing admin secret containing the password. | `jenkins-admin-password` |
| `controller.customInitContainers` | Custom init-container specification in raw-yaml format | Not set |
| `controller.sidecars.other` | Configures additional sidecar container(s) for Jenkins controller | `[]` |
#### Kubernetes Pod Disruption Budget
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `controller.podDisruptionBudget.enabled` | Enable [Kubernetes Pod Disruption Budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) configuration from `controller.podDisruptionBudget` (see below) | `false` |
| `controller.podDisruptionBudget.apiVersion` | Policy API version | `policy/v1beta1` |
| `controller.podDisruptionBudget.maxUnavailable` | Number of pods that can be unavailable. Either an absolute number or a percentage. | Not set |
#### Kubernetes Health Probes
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `controller.healthProbes` | Enable [Kubernetes Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes) configuration from `controller.probes` (see below) | `true` |
| `controller.probes.livenessProbe.timeoutSeconds` | Set the timeout for the liveness probe in seconds | `5` |
| `controller.probes.livenessProbe.periodSeconds` | Set the time interval (in seconds) between two liveness probes executions | `10` |
| `controller.probes.livenessProbe.failureThreshold` | Set the failure threshold for the liveness probe | `5` |
| `controller.probes.livenessProbe.initialDelaySeconds` | Set the initial delay for the liveness probe | Not set |
| `controller.probes.livenessProbe.httpGet.port` | Set the Pod's HTTP port to use for the liveness probe | `http` |
| `controller.probes.livenessProbe.httpGet.path` | Set the HTTP's path for the liveness probe | `/login'` (or `${controller.jenkinsUriPrefix}/login` if `controller.jenkinsUriPrefix` is defined) |
| `controller.probes.readinessProbe.timeoutSeconds` | Set the timeout for the readiness probe in seconds | `5` |
| `controller.probes.readinessProbe.periodSeconds` | Set the time interval (in seconds) between two readiness probes executions | `10` |
| `controller.probes.readinessProbe.failureThreshold` | Set the failure threshold for the readiness probe | `3` |
| `controller.probes.readinessProbe.initialDelaySeconds` | Set the initial delay for the readiness probe | Not set |
| `controller.probes.readinessProbe.httpGet.port` | Set the Pod's HTTP port to use for the readiness probe | `http` |
| `controller.probes.readinessProbe.httpGet.path` | Set the HTTP's path for the readiness probe | `/login'` (or `${controller.jenkinsUriPrefix}/login` if `controller.jenkinsUriPrefix` is defined) |
| `controller.probes.startupProbe.timeoutSeconds` | Set the timeout for the startup probe in seconds | `5` |
| `controller.probes.startupProbe.periodSeconds` | Set the time interval (in seconds) between two startup probes executions | `10` |
| `controller.probes.startupProbe.failureThreshold` | Set the failure threshold for the startup probe | `12` |
| `controller.probes.startupProbe.initialDelaySeconds` | Set the initial delay for the startup probe | Not set |
| `controller.probes.startupProbe.httpGet.port` | Set the Pod's HTTP port to use for the startup probe | `http` |
| `controller.probes.startupProbe.httpGet.path` | Set the HTTP's path for the startup probe | `/login'` (or `${controller.jenkinsUriPrefix}/login` if `controller.jenkinsUriPrefix` is defined) |
#### Kubernetes Ingress
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `controller.ingress.enabled` | Enables ingress | `false` |
| `controller.ingress.apiVersion` | Ingress API version | `extensions/v1beta1` |
| `controller.ingress.hostName` | Ingress host name | Not set |
| `controller.ingress.resourceRootUrl` | Hostname to serve assets from | Not set |
| `controller.ingress.annotations` | Ingress annotations | `{}` |
| `controller.ingress.labels` | Ingress labels | `{}` |
| `controller.ingress.path` | Ingress path | Not set |
| `controller.ingress.paths` | Override for the default Ingress paths | `[]` |
| `controller.ingress.tls` | Ingress TLS configuration | `[]` |
#### GKE BackendConfig
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `controller.backendconfig.enabled` | Enables backendconfig | `false` |
| `controller.backendconfig.apiVersion` | backendconfig API version | `extensions/v1beta1` |
| `controller.backendconfig.name` | backendconfig name | Not set |
| `controller.backendconfig.annotations` | backendconfig annotations | `{}` |
| `controller.backendconfig.labels` | backendconfig labels | `{}` |
| `controller.backendconfig.spec` | backendconfig spec | `{}` |
#### OpenShift Route
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `controller.route.enabled` | Enables openshift route | `false` |
| `controller.route.annotations` | Route annotations | `{}` |
| `controller.route.labels` | Route labels | `{}` |
| `controller.route.path` | Route path | Not set |
#### Prometheus
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `controller.prometheus.enabled` | Enables prometheus service monitor | `false` |
| `controller.prometheus.serviceMonitorAdditionalLabels` | Additional labels to add to the service monitor object | `{}` |
| `controller.prometheus.serviceMonitorNamespace` | Custom namespace for serviceMonitor | Not set (same ns where is Jenkins being deployed) |
| `controller.prometheus.scrapeInterval` | How often prometheus should scrape metrics | `60s` |
| `controller.prometheus.scrapeEndpoint` | The endpoint prometheus should get metrics from | `/prometheus` |
| `controller.prometheus.alertingrules` | Array of prometheus alerting rules | `[]` |
| `controller.prometheus.alertingRulesAdditionalLabels` | Additional labels to add to the prometheus rule object | `{}` |
| `controller.prometheus.prometheusRuleNamespace` | Custom namespace for PrometheusRule | `""` (same ns where Jenkins being deployed) |
#### HTTPS Keystore
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `controller.httpsKeyStore.enable` | Enables https keystore on jenkins controller | `false` |
| `controller.httpsKeyStore.jenkinsHttpsJksSecretName` | Name of the secret that already has ssl keystore | `` |
| `controller.httpsKeyStore.httpPort` | Http Port that Jenkins should listen on along with https, it also serves liveness and readiness probs port. When https keystore is enabled servicePort and targetPort will be used as https port | `8081` |
| `controller.httpsKeyStore.path` | Path of https keystore file | `/var/jenkins_keystore` |
| `controller.httpsKeyStore.fileName` | Jenkins keystore filename which will appear under controller.httpsKeyStore.path | `keystore.jks` |
| `controller.httpsKeyStore.password` | Jenkins keystore password | `password` |
| `controller.httpsKeyStore.jenkinsKeyStoreBase64Encoded` | Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here | a self signed cert |
#### Kubernetes Secret
| Parameter | Description | Default |
|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ----------------------------------------- |
| `controller.adminUser` | Admin username (and password) created as a secret if adminSecret is true | `admin` |
| `controller.adminPassword` | Admin password (and user) created as a secret if adminSecret is true | Random value |
| `controller.existingSecret` | The name of an existing secret containing keys credentials. | `""`|
| `controller.additionalSecrets` | List of additional secrets to create and mount according to [JCasC docs](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) | `[]` |
| `controller.additionalExistingSecrets` | List of additional existing secrets to mount according to [JCasC docs](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) | `[]` |
| `controller.secretClaims` | List of `SecretClaim` resources to create | `[]` |
#### Kubernetes NetworkPolicy
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources. | `false` |
| `networkPolicy.apiVersion` | NetworkPolicy ApiVersion | `networking.k8s.io/v1` |
| `networkPolicy.internalAgents.allowed` | Allow internal agents (from the same cluster) to connect to controller. Agent pods would be filtered based on PodLabels. | `false` |
| `networkPolicy.internalAgents.podLabels` | A map of labels (keys/values) that agents pods must have to be able to connect to controller. | `{}` |
| `networkPolicy.internalAgents.namespaceLabels` | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller. | `{}` |
| `networkPolicy.externalAgents.ipCIDR` | The IP range from which external agents are allowed to connect to controller. | `` |
| `networkPolicy.externalAgents.except` | A list of IP sub-ranges to be excluded from the whitelisted IP range. | `[]` |
#### Kubernetes RBAC
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `rbac.create` | Whether RBAC resources are created | `true` |
| `rbac.readSecrets` | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` |
#### Kubernetes ServiceAccount - Controller
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `serviceAccount.name` | name of the ServiceAccount to be used by access-controlled resources | autogenerated |
| `serviceAccount.create` | Configures if a ServiceAccount with this name should be created | `true` |
| `serviceAccount.annotations` | Configures annotation for the ServiceAccount | `{}` |
| `serviceAccount.imagePullSecretName` | Controller ServiceAccount image pull secret | Not set |
#### Kubernetes ServiceAccount - Agent
| Parameter | Description | Default |
| --------------------------------- | ------------------------------------ | ----------------------------------------- |
| `serviceAccountAgent.name` | name of the agent ServiceAccount to be used by access-controlled resources | autogenerated |
| `serviceAccountAgent.create` | Configures if an agent ServiceAccount with this name should be created | `false` |
| `serviceAccountAgent.annotations` | Configures annotation for the agent ServiceAccount | `{}` |
| `serviceAccountAgent.imagePullSecretName` | Agent ServiceAccount image pull secret | Not set |
### Jenkins Agent(s)
| Parameter | Description | Default |
| -------------------------- | ----------------------------------------------- | ---------------------- |
| `agent.enabled` | Enable Kubernetes plugin jnlp-agent podTemplate | `true` |
| `agent.namespace` | Namespace in which the Kubernetes agents should be launched | Not set |
| `agent.containerCap` | Maximum number of agent | 10 |
| `agent.defaultsProviderTemplate` | The name of the pod template to use for providing default values | Not set |
| `agent.jenkinsUrl` | Overrides the Kubernetes Jenkins URL | Not set |
| `agent.jenkinsTunnel` | Overrides the Kubernetes Jenkins tunnel | Not set |
| `agent.kubernetesConnectTimeout` | The connection timeout in seconds for connections to Kubernetes API. Minimum value is 5. | 5 |
| `agent.kubernetesReadTimeout` | The read timeout in seconds for connections to Kubernetes API. Minimum value is 15. | 15 |
| `agent.maxRequestsPerHostStr` | The maximum concurrent connections to Kubernetes API | 32 |
| `agent.podLabels` | Custom Pod labels (an object with `label-key: label-value` pairs) | Not set |
#### Pod Configuration
| Parameter | Description | Default |
| -------------------------- | ----------------------------------------------- | ---------------------- |
| `agent.websocket` | Enables agent communication via websockets | false |
| `agent.podName` | Agent Pod base name | Not set |
| `agent.customJenkinsLabels`| Append Jenkins labels to the agent | `[]` |
| `agent.envVars` | Environment variables for the agent Pod | `[]` |
| `agent.idleMinutes` | Allows the Pod to remain active for reuse | 0 |
| `agent.imagePullSecretName` | Agent image pull secret | Not set |
| `agent.hostNetworking` | Enabled agent to use hostnetwork | false |
| `agent.nodeSelector` | Node labels for pod assignment | `{}` |
| `agent.connectTimeout` | Timeout in seconds for an agent to be online | 100 |
| `agent.volumes` | Additional volumes | `[]` |
| `agent.workspaceVolume` | Workspace volume (defaults to EmptyDir) | `{}` |
| `agent.yamlTemplate` | The raw yaml of a Pod API Object to merge into the agent spec | Not set |
| `agent.yamlMergeStrategy` | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates | `override` |
| `agent.annotations` | Annotations to apply to the pod | `{}` |
| `agent.additionalContainers` | Add additional containers to the agents. | `[]` |
#### Side Container Configuration
| Parameter | Description | Default |
| -------------------------- | ----------------------------------------------- | ---------------------- |
| `agent.sideContainerName` | Side container name in agent | jnlp |
| `agent.image` | Agent image name | `jenkins/inbound-agent`|
| `agent.tag` | Agent image tag | `4.11.2-4` |
| `agent.alwaysPullImage` | Always pull agent container image before build | `false` |
| `agent.privileged` | Agent privileged container | `false` |
| `agent.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 512m, memory: 512Mi}, limits: {cpu: 512m, memory: 512Mi}}` |
| `agent.runAsUser` | Configure container user | Not set |
| `agent.runAsGroup` | Configure container group | Not set |
| `agent.command` | Executed command when side container starts | Not set |
| `agent.args` | Arguments passed to executed command | `${computer.jnlpmac} ${computer.name}` |
| `agent.TTYEnabled` | Allocate pseudo tty to the side container | false |
| `agent.workingDir` | Configure working directory for default agent | `/home/jenkins/agent` |
#### Other
| Parameter | Description | Default |
| -------------------------- | ----------------------------------------------- | ---------------------- |
| `agent.disableDefaultAgent` | Ignore the default Jenkins Agent configuration | false |
| `agent.podTemplates` | Configures extra pod templates for the default kubernetes cloud | `{}` |
| `additionalAgents` | Configure additional agents which inherit values from `agent` | `{}` |
### Persistence
| Parameter | Description | Default |
| --------------------------- | ------------------------------- | --------------- |
| `persistence.enabled` | Enable the use of a Jenkins PVC | `true` |
| `persistence.existingClaim` | Provide the name of a PVC | `nil` |
| `persistence.storageClass` | Storage class for the PVC | `nil` |
| `persistence.annotations` | Annotations for the PVC | `{}` |
| `persistence.labels` | Labels for the PVC | `{}` |
| `persistence.accessMode` | The PVC access mode | `ReadWriteOnce` |
| `persistence.size` | The size of the PVC | `8Gi` |
| `persistence.subPath` | SubPath for jenkins-home mount | `nil` |
| `persistence.volumes` | Additional volumes | `nil` |
| `persistence.mounts` | Additional mounts | `nil` |
### Backup
| Parameter | Description | Default |
| ---------------------------------------- | ----------------------------------------------------------------- | --------------------------------- |
| `backup.enabled` | Enable the use of a backup CronJob | `false` |
| `backup.schedule` | Schedule to run jobs | `0 2 * * *` |
| `backup.labels` | Backup pod labels | `{}` |
| `backup.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `backup.serviceAccount.name` | name of the backup ServiceAccount | autogenerated |
| `backup.serviceAccount.annotations` | Backup pod annotations | `{}` |
| `backup.image.repo` | Backup image repository | `maorfr/kube-tasks` |
| `backup.image.tag` | Backup image tag | `0.2.0` |
| `backup.image.imagePullSecretName` | Backup image pull secret | Not set |
| `backup.extraArgs` | Additional arguments for kube-tasks | `[]` |
| `backup.existingSecret` | Environment variables to add to the cronjob container | `{}` |
| `backup.existingSecret.*` | Specify the secret name containing the AWS or GCP credentials | `jenkinsaws` |
| `backup.existingSecret.*.awsaccesskey` | `secretKeyRef.key` used for `AWS_ACCESS_KEY_ID` | `jenkins_aws_access_key` |
| `backup.existingSecret.*.awssecretkey` | `secretKeyRef.key` used for `AWS_SECRET_ACCESS_KEY` | `jenkins_aws_secret_key` |
| `backup.existingSecret.*.azstorageaccount`| `secretKeyRef.key` used for `AZURE_STORAGE_ACCOUNT` | `""` |
| `backup.existingSecret.*.azstoragekey` | `secretKeyRef.key` used for `AZURE_STORAGE_ACCESS_KEY` | `""` |
| `backup.existingSecret.*.gcpcredentials` | Mounts secret as volume and sets `GOOGLE_APPLICATION_CREDENTIALS` | `credentials.json` |
| `backup.env` | Backup environment variables | `[]` |
| `backup.resources` | Backup CPU/Memory resource requests/limits | Memory: `1Gi`, CPU: `1` |
| `backup.destination` | Destination to store backup artifacts | `s3://jenkins-data/backup` |
| `backup.onlyJobs` | Only backup the job folder | `false` |
| `backup.usePodSecurityContext` | Enable backup pod's security context (must be `true` if `runAsUser`, `fsGroup`, or `podSecurityContextOverride` are set) | `true` |
| `backup.runAsUser` | Deprecated in favor of `backup.podSecurityContextOverride`. uid that jenkins runs with. | `1000` |
| `backup.fsGroup` | Deprecated in favor of `backup.podSecurityContextOverride`. uid that will be used for persistent volume. | `1000` |
| `backup.podSecurityContextOverride` | Completely overwrites the contents of the backup pod's security context, ignoring the values provided for `runAsUser`, and `fsGroup`. | Not set |
| `awsSecurityGroupPolicies.enabled` | Enable the creation of SecurityGroupPolicy resources | `false` |
| `awsSecurityGroupPolicies.policies` | Security Group Policy definitions. `awsSecurityGroupPolicies.enabled` must be `true` | Not set |

5
helm/jenkins/ci/default-values.yaml Normal file
View File

@@ -0,0 +1,5 @@
# this file is empty to check if defaults within values.yaml work as expected
controller:
JCasC:
configScripts:
empty: ""

95
helm/jenkins/ci/other-values.yaml Normal file
View File

@@ -0,0 +1,95 @@
---
controller:
overwritePluginsFromImage: false
containerSecurityContext: ""
runAsUser: 0
fsGroup: 1000
JCasC:
authorizationStrategy: |-
loggedInUsersCanDoAnything:
allowAnonymousRead: true
securityRealm: |-
ldap:
configurations:
- server: ldap.acme.com
rootDN: dc=acme,dc=uk
managerPasswordSecret: ${LDAP_PASSWORD}
groupMembershipStrategy:
fromUserRecord:
attributeName: "memberOf"
additionalPlugins:
- ldap:2.5
scriptApproval:
- "method groovy.json.JsonSlurperClassic parseText java.lang.String"
- "new groovy.json.JsonSlurperClassic"
ingress:
enabled: true
persistence:
enabled: false
agent:
resources:
limits:
cpu: "1"
memory: "2048Mi"
envVars:
- name: HOME
value: /home/jenkins/agent
- name: PATH
value: /usr/local/bin
nodeSelector:
"app.kubernetes.io/component": "{{ .Values.agent.componentName }}"
yamlTemplate: |-
apiVersion: v1
kind: Pod
spec:
tolerations:
- key: "app.kubernetes.io/component"
operator: "Equal"
value: "{{ .Values.agent.componentName }}"
effect: "NoSchedule"
additionalAgents:
maven:
podName: maven
customJenkinsLabels: maven
# An example of overriding the jnlp container
# sideContainerName: jnlp
image: jenkins/jnlp-agent-maven
tag: latest
python:
podName: python
customJenkinsLabels: python
sideContainerName: python
image: python
tag: "3"
command: "/bin/sh -c"
args: "cat"
TTYEnabled: true
podTemplates:
python: |
- name: python
label: jenkins-python
containers:
- name: python
image: python:3
command: "/bin/sh -c"
args: "cat"
ttyEnabled: true
privileged: true
resourceRequestCpu: "400m"
resourceRequestMemory: "512Mi"
resourceLimitCpu: "1"
resourceLimitMemory: "1024Mi"
volumes:
- type: EmptyDir
mountPath: /var/myapp/myemptydir
memory: false
serviceAccount:
annotations:
description: "Used by release {{ .Release.Name }} for role-based access control"
serviceAccountAgent:
create: true
annotations:
description: "Used by release {{ .Release.Name }} for role-based access control"

4
helm/jenkins/ci/with-secrets-values.yaml Normal file
View File

@@ -0,0 +1,4 @@
controller:
additionalSecrets:
- name: nameOfSecret
value: secretText

132
helm/jenkins/override_values.yaml Normal file
View File

@@ -0,0 +1,132 @@
controller:
tag: "2.375.1-jdk11"
numExecutors: 20
installPlugins: []
jenkinsUrlProtocol: "https"
serviceType: NodePort
nodePort: 31080
resources:
requests:
cpu: "500m"
memory: "2Gi"
limits:
cpu: 1
memory: "4Gi"
jenkinsUrl: "https://jenkins.exem-oss.org/"
agent:
podName: "jenkins-agent"
defaultsProviderTemplate: "jenkins-agent"
websocket: true
workingDir: "/var/jenkins_home"
imagePullSecretName: "dsk-cred"
resources:
requests:
cpu: "500m"
memory: "512Mi"
limits:
cpu: 2
memory: "2Gi"
podTemplates:
default-jenkins-agent: |
- name: "default-jenkins-agent"
label: "default-jenkins-agent"
containers:
- name: kaniko
image: "gcr.io/kaniko-project/executor:v1.9.0-debug"
command: "/busybox/cat"
ttyEnabled: true
maven-jenkins-agent: |
- name: "maven-jenkins-agent"
label: "maven-jenkins-agent"
containers:
- name: kaniko
image: "gcr.io/kaniko-project/executor:v1.9.0-debug"
command: "/busybox/cat"
ttyEnabled: true
- name: maven
image: "maven:3.8.5"
command: "/bin/sh -c"
args: "cat"
ttyEnabled: true
volumes:
- persistentVolumeClaim:
claimName: jenkins
mountPath: "/root/.m2/repository"
ui-jenkins-agent: |
- name: "ui-jenkins-agent"
label: "ui-jenkins-agent"
containers:
- name: kaniko
image: "gcr.io/kaniko-project/executor:v1.9.0-debug"
command: "/busybox/cat"
ttyEnabled: true
- name: node
image: "datasaker/node:16"
command: "/bin/sh -c"
args: "cat"
ttyEnabled: true
- name: node18
image: "datasaker/node:18-pnpm"
command: "/bin/sh -c"
args: "cat"
ttyEnabled: true
go-jenkins-agent: |
- name: "go-jenkins-agent"
label: "go-jenkins-agent"
containers:
- name: kaniko
image: "gcr.io/kaniko-project/executor:v1.9.0-debug"
command: "/busybox/cat"
ttyEnabled: true
- name: go-builder
image: "datasaker/golang:1.21"
command: "/bin/sh -c"
args: "cat"
ttyEnabled: true
- name: podman
image: "datasaker/podman:latest"
command: "/bin/sh -c"
args: "cat"
alwaysPullImage: true
ttyEnabled: true
privileged: true
volumes:
- emptyDirVolume:
mountPath: "/tmp"
- persistentVolumeClaim:
claimName: jenkins
mountPath: "/go"
host-jenkins-agent: |
- name: "host-jenkins-agent"
label: "host-jenkins-agent"
containers:
- name: go-builder
image: "datasaker/golang:1.19.1"
command: "/bin/sh -c"
args: "cat"
ttyEnabled: true
- name: ubuntu-22-04
image: "datasaker/dsk-host-ubuntu-22.04:latest"
command: "/bin/sh -c"
args: "cat"
ttyEnabled: true
- name: ubuntu-18-04
image: "datasaker/dsk-host-ubuntu-18.04:latest"
command: "/bin/sh -c"
args: "cat"
ttyEnabled: true
- name: centos-7
image: "datasaker/dsk-host-centos-7:latest"
command: "/bin/sh -c"
args: "cat"
ttyEnabled: true
volumes:
- emptyDirVolume:
mountPath: "/tmp"
- persistentVolumeClaim:
claimName: jenkins
mountPath: "/go"
persistence:
storageClass: "nfs-provisioner-mgmt-nas"
accessMode: "ReadWriteMany"
size: "200Gi"

68
helm/jenkins/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,68 @@
{{- $prefix := .Values.controller.jenkinsUriPrefix | default "" -}}
{{- $url := "" -}}
1. Get your '{{ .Values.controller.adminUser }}' user password by running:
kubectl exec --namespace {{ template "jenkins.namespace" . }} -it svc/{{ template "jenkins.fullname" . }} -c jenkins -- /bin/cat /run/secrets/additional/chart-admin-password && echo
{{- if .Values.controller.ingress.hostName -}}
{{- if .Values.controller.ingress.tls -}}
{{- $url = print "https://" .Values.controller.ingress.hostName $prefix -}}
{{- else -}}
{{- $url = print "http://" .Values.controller.ingress.hostName $prefix -}}
{{- end }}
2. Visit {{ $url }}
{{- else }}
2. Get the Jenkins URL to visit by running these commands in the same shell:
{{- if contains "NodePort" .Values.controller.serviceType }}
export NODE_PORT=$(kubectl get --namespace {{ template "jenkins.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "jenkins.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ template "jenkins.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
{{- if .Values.controller.httpsKeyStore.enable -}}
{{- $url = print "https://$NODE_IP:$NODE_PORT" $prefix -}}
{{- else -}}
{{- $url = print "http://$NODE_IP:$NODE_PORT" $prefix -}}
{{- end }}
echo {{ $url }}
{{- else if contains "LoadBalancer" .Values.controller.serviceType }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc --namespace {{ template "jenkins.namespace" . }} -w {{ template "jenkins.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ template "jenkins.namespace" . }} {{ template "jenkins.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
{{- if .Values.controller.httpsKeyStore.enable -}}
{{- $url = print "https://$SERVICE_IP:" .Values.controller.servicePort $prefix -}}
{{- else -}}
{{- $url = print "http://$SERVICE_IP:" .Values.controller.servicePort $prefix -}}
{{- end }}
echo {{ $url }}
{{- else if contains "ClusterIP" .Values.controller.serviceType -}}
{{- if .Values.controller.httpsKeyStore.enable -}}
{{- $url = print "https://127.0.0.1:" .Values.controller.servicePort $prefix -}}
{{- else -}}
{{- $url = print "http://127.0.0.1:" .Values.controller.servicePort $prefix -}}
{{- end }}
echo {{ $url }}
kubectl --namespace {{ template "jenkins.namespace" . }} port-forward svc/{{template "jenkins.fullname" . }} {{ .Values.controller.servicePort }}:{{ .Values.controller.servicePort }}
{{- end }}
{{- end }}
3. Login with the password from step 1 and the username: {{ .Values.controller.adminUser }}
4. Configure security realm and authorization strategy
5. Use Jenkins Configuration as Code by specifying configScripts in your values.yaml file, see documentation: {{ $url }}/configuration-as-code and examples: https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/demos
For more information on running Jenkins on Kubernetes, visit:
https://cloud.google.com/solutions/jenkins-on-container-engine
For more information about Jenkins Configuration as Code, visit:
https://jenkins.io/projects/jcasc/
{{ if (eq .Values.controller.image "jenkins/jenkins") }}
NOTE: Consider using a custom image with pre-installed plugins
{{- else if .Values.controller.installPlugins }}
NOTE: Consider disabling `installPlugins` if your image already contains plugins.
{{- end }}
{{- if .Values.persistence.enabled }}
{{- else }}
#################################################################################
###### WARNING: Persistence is disabled!!! You will lose your data when #####
###### the Jenkins pod is terminated. #####
#################################################################################
{{- end }}

448
helm/jenkins/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,448 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "jenkins.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Expand the label of the chart.
*/}}
{{- define "jenkins.label" -}}
{{- printf "%s-%s" (include "jenkins.name" .) .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
*/}}
{{- define "jenkins.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{- define "jenkins.agent.namespace" -}}
{{- if .Values.agent.namespace -}}
{{- tpl .Values.agent.namespace . -}}
{{- else -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "jenkins.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Returns the admin password
https://github.com/helm/charts/issues/5167#issuecomment-619137759
*/}}
{{- define "jenkins.password" -}}
{{ if .Values.controller.adminPassword -}}
{{- .Values.controller.adminPassword | b64enc | quote }}
{{- else -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "jenkins.fullname" .)).data -}}
{{- if $secret -}}
{{/*
Reusing current password since secret exists
*/}}
{{- index $secret ( .Values.controller.admin.passwordKey | default "jenkins-admin-password" ) -}}
{{- else -}}
{{/*
Generate new password
*/}}
{{- randAlphaNum 22 | b64enc | quote }}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Returns the Jenkins URL
*/}}
{{- define "jenkins.url" -}}
{{- if .Values.controller.jenkinsUrl }}
{{- .Values.controller.jenkinsUrl }}
{{- else }}
{{- if .Values.controller.ingress.hostName }}
{{- if .Values.controller.ingress.tls }}
{{- default "https" .Values.controller.jenkinsUrlProtocol }}://{{ .Values.controller.ingress.hostName }}{{ default "" .Values.controller.jenkinsUriPrefix }}
{{- else }}
{{- default "http" .Values.controller.jenkinsUrlProtocol }}://{{ .Values.controller.ingress.hostName }}{{ default "" .Values.controller.jenkinsUriPrefix }}
{{- end }}
{{- else }}
{{- default "http" .Values.controller.jenkinsUrlProtocol }}://{{ template "jenkins.fullname" . }}:{{.Values.controller.servicePort}}{{ default "" .Values.controller.jenkinsUriPrefix }}
{{- end}}
{{- end}}
{{- end -}}
{{/*
Returns configuration as code default config
*/}}
{{- define "jenkins.casc.defaults" -}}
jenkins:
{{- $configScripts := toYaml .Values.controller.JCasC.configScripts }}
{{- if and (.Values.controller.JCasC.authorizationStrategy) (not (contains "authorizationStrategy:" $configScripts)) }}
authorizationStrategy:
{{- tpl .Values.controller.JCasC.authorizationStrategy . | nindent 4 }}
{{- end }}
{{- if and (.Values.controller.JCasC.securityRealm) (not (contains "securityRealm:" $configScripts)) }}
securityRealm:
{{- tpl .Values.controller.JCasC.securityRealm . | nindent 4 }}
{{- end }}
disableRememberMe: {{ .Values.controller.disableRememberMe }}
{{- if .Values.controller.legacyRemotingSecurityEnabled }}
remotingSecurity:
enabled: true
{{- end }}
mode: {{ .Values.controller.executorMode }}
numExecutors: {{ .Values.controller.numExecutors }}
{{- if not (kindIs "invalid" .Values.controller.customJenkinsLabels) }}
labelString: "{{ join " " .Values.controller.customJenkinsLabels }}"
{{- end }}
{{- if .Values.controller.projectNamingStrategy }}
{{- if kindIs "string" .Values.controller.projectNamingStrategy }}
projectNamingStrategy: "{{ .Values.controller.projectNamingStrategy }}"
{{- else }}
projectNamingStrategy:
{{- toYaml .Values.controller.projectNamingStrategy | nindent 4 }}
{{- end }}
{{- end }}
markupFormatter:
{{- if .Values.controller.enableRawHtmlMarkupFormatter }}
rawHtml:
disableSyntaxHighlighting: true
{{- else }}
{{- toYaml .Values.controller.markupFormatter | nindent 4 }}
{{- end }}
clouds:
- kubernetes:
containerCapStr: "{{ .Values.agent.containerCap }}"
defaultsProviderTemplate: "{{ .Values.agent.defaultsProviderTemplate }}"
connectTimeout: "{{ .Values.agent.kubernetesConnectTimeout }}"
readTimeout: "{{ .Values.agent.kubernetesReadTimeout }}"
{{- if .Values.agent.jenkinsUrl }}
jenkinsUrl: "{{ tpl .Values.agent.jenkinsUrl . }}"
{{- else }}
jenkinsUrl: "http://{{ template "jenkins.fullname" . }}.{{ template "jenkins.namespace" . }}.svc.{{.Values.clusterZone}}:{{.Values.controller.servicePort}}{{ default "" .Values.controller.jenkinsUriPrefix }}"
{{- end }}
{{- if not .Values.agent.websocket }}
{{- if .Values.agent.jenkinsTunnel }}
jenkinsTunnel: "{{ tpl .Values.agent.jenkinsTunnel . }}"
{{- else }}
jenkinsTunnel: "{{ template "jenkins.fullname" . }}-agent.{{ template "jenkins.namespace" . }}.svc.{{.Values.clusterZone}}:{{ .Values.controller.agentListenerPort }}"
{{- end }}
{{- else }}
webSocket: true
{{- end }}
maxRequestsPerHostStr: {{ .Values.agent.maxRequestsPerHostStr | quote }}
name: "{{ .Values.controller.cloudName }}"
namespace: "{{ template "jenkins.agent.namespace" . }}"
serverUrl: "https://kubernetes.default"
{{- if .Values.agent.enabled }}
podLabels:
- key: "jenkins/{{ .Release.Name }}-{{ .Values.agent.componentName }}"
value: "true"
{{- range $key, $val := .Values.agent.podLabels }}
- key: {{ $key | quote }}
value: {{ $val | quote }}
{{- end }}
templates:
{{- if not .Values.agent.disableDefaultAgent }}
{{- include "jenkins.casc.podTemplate" . | nindent 8 }}
{{- end }}
{{- if .Values.additionalAgents }}
{{- /* save .Values.agent */}}
{{- $agent := .Values.agent }}
{{- range $name, $additionalAgent := .Values.additionalAgents }}
{{- $additionalContainersEmpty := and (hasKey $additionalAgent "additionalContainers") (empty $additionalAgent.additionalContainers) }}
{{- /* merge original .Values.agent into additional agent to ensure it at least has the default values */}}
{{- $additionalAgent := merge $additionalAgent $agent }}
{{- /* clear list of additional containers in case it is configured empty for this agent (merge might have overwritten that) */}}
{{- if $additionalContainersEmpty }}
{{- $_ := set $additionalAgent "additionalContainers" list }}
{{- end }}
{{- /* set .Values.agent to $additionalAgent */}}
{{- $_ := set $.Values "agent" $additionalAgent }}
{{- include "jenkins.casc.podTemplate" $ | nindent 8 }}
{{- end }}
{{- /* restore .Values.agent */}}
{{- $_ := set .Values "agent" $agent }}
{{- end }}
{{- if .Values.agent.podTemplates }}
{{- range $key, $val := .Values.agent.podTemplates }}
{{- tpl $val $ | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.controller.csrf.defaultCrumbIssuer.enabled }}
crumbIssuer:
standard:
excludeClientIPFromCrumb: {{ if .Values.controller.csrf.defaultCrumbIssuer.proxyCompatability }}true{{ else }}false{{- end }}
{{- end }}
{{- include "jenkins.casc.security" . }}
{{- if .Values.controller.scriptApproval }}
scriptApproval:
approvedSignatures:
{{- range $key, $val := .Values.controller.scriptApproval }}
- "{{ $val }}"
{{- end }}
{{- end }}
unclassified:
location:
adminAddress: {{ default "" .Values.controller.jenkinsAdminEmail }}
url: {{ template "jenkins.url" . }}
{{- end -}}
{{/*
Returns a name template to be used for jcasc configmaps, using
suffix passed in at call as index 0
*/}}
{{- define "jenkins.casc.configName" -}}
{{- $name := index . 0 -}}
{{- $root := index . 1 -}}
"{{- include "jenkins.fullname" $root -}}-jenkins-{{ $name }}"
{{- end -}}
{{/*
Returns kubernetes pod template configuration as code
*/}}
{{- define "jenkins.casc.podTemplate" -}}
- name: "{{ .Values.agent.podName }}"
namespace: "{{ template "jenkins.agent.namespace" . }}"
{{- if .Values.agent.annotations }}
annotations:
{{- range $key, $value := .Values.agent.annotations }}
- key: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- end }}
id: {{ sha256sum (toYaml .Values.agent) }}
containers:
- name: "{{ .Values.agent.sideContainerName }}"
alwaysPullImage: {{ .Values.agent.alwaysPullImage }}
args: "{{ .Values.agent.args | replace "$" "^$" }}"
command: {{ .Values.agent.command }}
envVars:
- envVar:
key: "JENKINS_URL"
{{- if .Values.agent.jenkinsUrl }}
value: {{ tpl .Values.agent.jenkinsUrl . }}
{{- else }}
value: "http://{{ template "jenkins.fullname" . }}.{{ template "jenkins.namespace" . }}.svc.{{.Values.clusterZone}}:{{.Values.controller.servicePort}}{{ default "/" .Values.controller.jenkinsUriPrefix }}"
{{- end }}
image: "{{ .Values.agent.image }}:{{ .Values.agent.tag }}"
privileged: "{{- if .Values.agent.privileged }}true{{- else }}false{{- end }}"
resourceLimitCpu: {{.Values.agent.resources.limits.cpu}}
resourceLimitMemory: {{.Values.agent.resources.limits.memory}}
resourceRequestCpu: {{.Values.agent.resources.requests.cpu}}
resourceRequestMemory: {{.Values.agent.resources.requests.memory}}
runAsUser: {{ .Values.agent.runAsUser }}
runAsGroup: {{ .Values.agent.runAsGroup }}
ttyEnabled: {{ .Values.agent.TTYEnabled }}
workingDir: {{ .Values.agent.workingDir }}
{{- range $additionalContainers := .Values.agent.additionalContainers }}
- name: "{{ $additionalContainers.sideContainerName }}"
alwaysPullImage: {{ $additionalContainers.alwaysPullImage | default $.Values.agent.alwaysPullImage }}
args: "{{ $additionalContainers.args | replace "$" "^$" }}"
command: {{ $additionalContainers.command }}
envVars:
- envVar:
key: "JENKINS_URL"
{{- if $additionalContainers.jenkinsUrl }}
value: {{ tpl ($additionalContainers.jenkinsUrl) . }}
{{- else }}
value: "http://{{ template "jenkins.fullname" $ }}.{{ template "jenkins.namespace" $ }}.svc.{{ $.Values.clusterZone }}:{{ $.Values.controller.servicePort }}{{ default "/" $.Values.controller.jenkinsUriPrefix }}"
{{- end }}
image: "{{ $additionalContainers.image }}:{{ $additionalContainers.tag }}"
privileged: "{{- if $additionalContainers.privileged }}true{{- else }}false{{- end }}"
resourceLimitCpu: {{ if $additionalContainers.resources }}{{ $additionalContainers.resources.limits.cpu }}{{ else }}{{ $.Values.agent.resources.limits.cpu }}{{ end }}
resourceLimitMemory: {{ if $additionalContainers.resources }}{{ $additionalContainers.resources.limits.memory }}{{ else }}{{ $.Values.agent.resources.limits.memory }}{{ end }}
resourceRequestCpu: {{ if $additionalContainers.resources }}{{ $additionalContainers.resources.requests.cpu }}{{ else }}{{ $.Values.agent.resources.requests.cpu }}{{ end }}
resourceRequestMemory: {{ if $additionalContainers.resources }}{{ $additionalContainers.resources.requests.memory }}{{ else }}{{ $.Values.agent.resources.requests.memory }}{{ end }}
runAsUser: {{ $additionalContainers.runAsUser | default $.Values.agent.runAsUser }}
runAsGroup: {{ $additionalContainers.runAsGroup | default $.Values.agent.runAsGroup }}
ttyEnabled: {{ $additionalContainers.TTYEnabled | default $.Values.agent.TTYEnabled }}
workingDir: {{ $additionalContainers.workingDir | default $.Values.agent.workingDir }}
{{- end }}
{{- if or .Values.agent.envVars .Values.agent.secretEnvVars }}
envVars:
{{- range $index, $var := .Values.agent.envVars }}
- envVar:
key: {{ $var.name }}
value: {{ tpl $var.value $ }}
{{- end }}
{{- range $index, $var := .Values.agent.secretEnvVars }}
- secretEnvVar:
key: {{ $var.key }}
secretName: {{ $var.secretName }}
secretKey: {{ $var.secretKey }}
optional: {{ $var.optional | default false }}
{{- end }}
{{- end }}
idleMinutes: {{ .Values.agent.idleMinutes }}
instanceCap: 2147483647
{{- if .Values.agent.hostNetworking }}
hostNetwork: {{ .Values.agent.hostNetworking }}
{{- end }}
{{- if .Values.agent.imagePullSecretName }}
imagePullSecrets:
- name: {{ .Values.agent.imagePullSecretName }}
{{- end }}
label: "{{ .Release.Name }}-{{ .Values.agent.componentName }} {{ .Values.agent.customJenkinsLabels | join " " }}"
{{- if .Values.agent.nodeSelector }}
nodeSelector:
{{- $local := dict "first" true }}
{{- range $key, $value := .Values.agent.nodeSelector }}
{{- if $local.first }} {{ else }},{{ end }}
{{- $key }}={{ tpl $value $ }}
{{- $_ := set $local "first" false }}
{{- end }}
{{- end }}
nodeUsageMode: {{ quote .Values.agent.nodeUsageMode }}
podRetention: {{ .Values.agent.podRetention }}
showRawYaml: {{ .Values.agent.showRawYaml }}
serviceAccount: "{{ include "jenkins.serviceAccountAgentName" . }}"
slaveConnectTimeoutStr: "{{ .Values.agent.connectTimeout }}"
{{- if .Values.agent.volumes }}
volumes:
{{- range $index, $volume := .Values.agent.volumes }}
-{{- if (eq $volume.type "ConfigMap") }} configMapVolume:
{{- else if (eq $volume.type "EmptyDir") }} emptyDirVolume:
{{- else if (eq $volume.type "HostPath") }} hostPathVolume:
{{- else if (eq $volume.type "Nfs") }} nfsVolume:
{{- else if (eq $volume.type "PVC") }} persistentVolumeClaim:
{{- else if (eq $volume.type "Secret") }} secretVolume:
{{- else }} {{ $volume.type }}:
{{- end }}
{{- range $key, $value := $volume }}
{{- if not (eq $key "type") }}
{{ $key }}: {{ if kindIs "string" $value }}{{ tpl $value $ | quote }}{{ else }}{{ $value }}{{ end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.agent.workspaceVolume }}
workspaceVolume:
{{- if (eq .Values.agent.workspaceVolume.type "DynamicPVC") }}
dynamicPVC:
{{- else if (eq .Values.agent.workspaceVolume.type "EmptyDir") }}
emptyDirWorkspaceVolume:
{{- else if (eq .Values.agent.workspaceVolume.type "HostPath") }}
hostPathWorkspaceVolume:
{{- else if (eq .Values.agent.workspaceVolume.type "Nfs") }}
nfsWorkspaceVolume:
{{- else if (eq .Values.agent.workspaceVolume.type "PVC") }}
persistentVolumeClaimWorkspaceVolume:
{{- else }}
{{ .Values.agent.workspaceVolume.type }}:
{{- end }}
{{- range $key, $value := .Values.agent.workspaceVolume }}
{{- if not (eq $key "type") }}
{{ $key }}: {{ if kindIs "string" $value }}{{ tpl $value $ | quote }}{{ else }}{{ $value }}{{ end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.agent.yamlTemplate }}
yaml: |-
{{- tpl (trim .Values.agent.yamlTemplate) . | nindent 4 }}
{{- end }}
yamlMergeStrategy: {{ .Values.agent.yamlMergeStrategy }}
{{- end -}}
{{- define "jenkins.kubernetes-version" -}}
{{- if .Values.controller.installPlugins -}}
{{- range .Values.controller.installPlugins -}}
{{ if hasPrefix "kubernetes:" . }}
{{- $split := splitList ":" . }}
{{- printf "%s" (index $split 1 ) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "jenkins.casc.security" }}
security:
{{- with .Values.controller.JCasC }}
{{- if .security }}
{{- .security | toYaml | nindent 2 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "jenkins.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "jenkins.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account for Jenkins agents to use
*/}}
{{- define "jenkins.serviceAccountAgentName" -}}
{{- if .Values.serviceAccountAgent.create -}}
{{ default (printf "%s-%s" (include "jenkins.fullname" .) "agent") .Values.serviceAccountAgent.name }}
{{- else -}}
{{ default "default" .Values.serviceAccountAgent.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account for Jenkins backup to use
*/}}
{{- define "backup.serviceAccountBackupName" -}}
{{- if .Values.backup.serviceAccount.create -}}
{{ default (printf "%s-%s" (include "jenkins.fullname" .) "backup") .Values.backup.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.backup.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create a full tag name for controller image
*/}}
{{- define "controller.tag" -}}
{{- if .Values.controller.tagLabel -}}
{{- default (printf "%s-%s" .Chart.AppVersion .Values.controller.tagLabel) .Values.controller.tag -}}
{{- else -}}
{{- default .Chart.AppVersion .Values.controller.tag -}}
{{- end -}}
{{- end -}}
{{/*
Create the HTTP port for interacting with the controller
*/}}
{{- define "controller.httpPort" -}}
{{- if .Values.controller.httpsKeyStore.enable -}}
{{- .Values.controller.httpsKeyStore.httpPort -}}
{{- else -}}
{{- .Values.controller.targetPort -}}
{{- end -}}
{{- end -}}

18
helm/jenkins/templates/config-init-scripts.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- if .Values.controller.initScripts -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "jenkins.fullname" . }}-init-scripts
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
data:
{{- range $key, $val := .Values.controller.initScripts }}
init{{ $key }}.groovy: |-
{{ tpl $val $ | indent 4 }}
{{- end }}
{{- end }}

86
helm/jenkins/templates/config.yaml Normal file
View File

@@ -0,0 +1,86 @@
{{- $jenkinsHome := .Values.controller.jenkinsHome -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "jenkins.fullname" . }}
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
data:
apply_config.sh: |-
set -e
{{- if .Values.controller.initializeOnce }}
if [ -f {{ .Values.controller.jenkinsHome }}/initialization-completed ]; then
echo "controller was previously initialized, refusing to re-initialize"
exit 0
fi
{{- end }}
echo "disable Setup Wizard"
# Prevent Setup Wizard when JCasC is enabled
echo $JENKINS_VERSION > {{ .Values.controller.jenkinsHome }}/jenkins.install.UpgradeWizard.state
echo $JENKINS_VERSION > {{ .Values.controller.jenkinsHome }}/jenkins.install.InstallUtil.lastExecVersion
{{- if .Values.controller.overwritePlugins }}
echo "remove all plugins from shared volume"
# remove all plugins from shared volume
rm -rf {{ .Values.controller.jenkinsHome }}/plugins/*
{{- end }}
{{- if .Values.controller.installPlugins }}
echo "download plugins"
# Install missing plugins
cp /var/jenkins_config/plugins.txt {{ .Values.controller.jenkinsHome }};
rm -rf {{ .Values.controller.jenkinsRef }}/plugins/*.lock
version () { echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'; }
if [ -f "{{ .Values.controller.jenkinsWar }}" ] && [ -n "$(command -v jenkins-plugin-cli)" 2>/dev/null ] && [ $(version $(jenkins-plugin-cli --version)) -ge $(version "2.1.1") ]; then
jenkins-plugin-cli --verbose --war "{{ .Values.controller.jenkinsWar }}" --plugin-file "{{ .Values.controller.jenkinsHome }}/plugins.txt" --latest {{ .Values.controller.installLatestPlugins }}{{- if .Values.controller.installLatestSpecifiedPlugins }} --latest-specified{{- end }};
else
/usr/local/bin/install-plugins.sh `echo $(cat {{ .Values.controller.jenkinsHome }}/plugins.txt)`;
fi
echo "copy plugins to shared volume"
# Copy plugins to shared volume
yes n | cp -i {{ .Values.controller.jenkinsRef }}/plugins/* /var/jenkins_plugins/;
{{- end }}
{{- if not .Values.controller.sidecars.configAutoReload.enabled }}
echo "copy configuration as code files"
mkdir -p {{ .Values.controller.jenkinsHome }}/casc_configs;
rm -rf {{ .Values.controller.jenkinsHome }}/casc_configs/*
{{- if or .Values.controller.JCasC.defaultConfig .Values.controller.JCasC.configScripts }}
cp -v /var/jenkins_config/*.yaml {{ .Values.controller.jenkinsHome }}/casc_configs
{{- end }}
{{- end }}
echo "finished initialization"
{{- if .Values.controller.initializeOnce }}
touch {{ .Values.controller.jenkinsHome }}/initialization-completed
{{- end }}
{{- if not .Values.controller.sidecars.configAutoReload.enabled }}
# Only add config to this script if we aren't auto-reloading otherwise the pod will restart upon each config change:
{{- if .Values.controller.JCasC.defaultConfig }}
jcasc-default-config.yaml: |-
{{- include "jenkins.casc.defaults" . |nindent 4}}
{{- end }}
{{- range $key, $val := .Values.controller.JCasC.configScripts }}
{{ $key }}.yaml: |-
{{ tpl $val $| indent 4 }}
{{- end }}
{{- end }}
plugins.txt: |-
{{- if .Values.controller.installPlugins }}
{{- range $installPlugin := .Values.controller.installPlugins }}
{{- $installPlugin | nindent 4 }}
{{- end }}
{{- range $addlPlugin := .Values.controller.additionalPlugins }}
{{- /* duplicate plugin check */}}
{{- range $installPlugin := $.Values.controller.installPlugins }}
{{- if eq (splitList ":" $addlPlugin | first) (splitList ":" $installPlugin | first) }}
{{- $message := print "[PLUGIN CONFLICT] controller.additionalPlugins contains '" $addlPlugin "'" }}
{{- $message := print $message " but controller.installPlugins already contains '" $installPlugin "'." }}
{{- $message := print $message " Override controller.installPlugins to use '" $addlPlugin "' plugin." }}
{{- fail $message }}
{{- end }}
{{- end }}
{{- $addlPlugin | nindent 4 }}
{{- end }}
{{- end }}

115
helm/jenkins/templates/deprecation.yaml Normal file
View File

@@ -0,0 +1,115 @@
{{- if .Values.checkDeprecation }}
{{- if .Values.master }}
{{ fail "`master` does no longer exist. It has been renamed to `controller`" }}
{{- end }}
{{- if .Values.controller.imageTag }}
{{ fail "`controller.imageTag` does no longer exist. Please use `controller.tag` instead" }}
{{- end }}
{{- if .Values.controller.slaveListenerPort }}
{{ fail "`controller.slaveListenerPort` does no longer exist. It has been renamed to `controller.agentListenerPort`" }}
{{- end }}
{{- if .Values.controller.slaveHostPort }}
{{ fail "`controller.slaveHostPort` does no longer exist. It has been renamed to `controller.agentListenerHostPort`" }}
{{- end }}
{{- if .Values.controller.slaveKubernetesNamespace }}
{{ fail "`controller.slaveKubernetesNamespace` does no longer exist. It has been renamed to `agent.namespace`" }}
{{- end }}
{{- if .Values.controller.slaveDefaultsProviderTemplate }}
{{ fail "`controller.slaveDefaultsProviderTemplate` does no longer exist. It has been renamed to `agent.defaultsProviderTemplate`" }}
{{- end }}
{{- if .Values.controller.useSecurity }}
{{ fail "`controller.useSecurity` does no longer exist. It has been renamed to `controller.adminSecret`" }}
{{- end }}
{{- if .Values.controller.slaveJenkinsUrl }}
{{ fail "`controller.slaveJenkinsUrl` does no longer exist. It has been renamed to `agent.jenkinsUrl`" }}
{{- end }}
{{- if .Values.controller.slaveJenkinsTunnel }}
{{ fail "`controller.slaveJenkinsTunnel` does no longer exist. It has been renamed to `agent.jenkinsTunnel`" }}
{{- end }}
{{- if .Values.controller.slaveConnectTimeout }}
{{ fail "`controller.slaveConnectTimeout` does no longer exist. It has been renamed to `agent.kubernetesConnectTimeout`" }}
{{- end }}
{{- if .Values.controller.slaveReadTimeout }}
{{ fail "`controller.slaveReadTimeout` does no longer exist. It has been renamed to `agent.kubernetesReadTimeout`" }}
{{- end }}
{{- if .Values.controller.slaveListenerServiceType }}
{{ fail "`controller.slaveListenerServiceType` does no longer exist. It has been renamed to `controller.agentListenerServiceType`" }}
{{- end }}
{{- if .Values.controller.slaveListenerLoadBalancerIP }}
{{ fail "`controller.slaveListenerLoadBalancerIP` does no longer exist. It has been renamed to `controller.agentListenerLoadBalancerIP`" }}
{{- end }}
{{- if .Values.controller.slaveListenerServiceAnnotations }}
{{ fail "`controller.slaveListenerServiceAnnotations` does no longer exist. It has been renamed to `controller.agentListenerServiceAnnotations`" }}
{{- end }}
{{- if .Values.agent.slaveConnectTimeout }}
{{ fail "`agent.slaveConnectTimeout` does no longer exist. It has been renamed to `agent.connectTimeout`" }}
{{- end }}
{{- if .Values.NetworkPolicy }}
{{- if .Values.NetworkPolicy.Enabled }}
{{ fail "`NetworkPolicy.Enabled` does no longer exist. It has been renamed to `networkPolicy.enabled`" }}
{{- end }}
{{- if .Values.NetworkPolicy.ApiVersion }}
{{ fail "`NetworkPolicy.ApiVersion` does no longer exist. It has been renamed to `networkPolicy.apiVersion`" }}
{{- end }}
{{ fail "NetworkPolicy.* values have been renamed, please check the documentation" }}
{{- end }}
{{- if .Values.rbac.install }}
{{ fail "`rbac.install` does no longer exist. It has been renamed to `rbac.create` and is enabled by default!" }}
{{- end }}
{{- if .Values.rbac.serviceAccountName }}
{{ fail "`rbac.serviceAccountName` does no longer exist. It has been renamed to `serviceAccount.name`" }}
{{- end }}
{{- if .Values.rbac.serviceAccountAnnotations }}
{{ fail "`rbac.serviceAccountAnnotations` does no longer exist. It has been renamed to `serviceAccount.annotations`" }}
{{- end }}
{{- if .Values.rbac.roleRef }}
{{ fail "`rbac.roleRef` does no longer exist. RBAC roles are now generated, please check the documentation" }}
{{- end }}
{{- if .Values.rbac.roleKind }}
{{ fail "`rbac.roleKind` does no longer exist. RBAC roles are now generated, please check the documentation" }}
{{- end }}
{{- if .Values.rbac.roleBindingKind }}
{{ fail "`rbac.roleBindingKind` does no longer exist. RBAC roles are now generated, please check the documentation" }}
{{- end }}
{{- if .Values.controller.JCasC.pluginVersion }}
{{ fail "controller.JCasC.pluginVersion has been deprecated, please use controller.installPlugins instead" }}
{{- end }}
{{- if .Values.controller.deploymentLabels }}
{{ fail "`controller.deploymentLabels` does no longer exist. It has been renamed to `controller.statefulSetLabels`" }}
{{- end }}
{{- if .Values.controller.deploymentAnnotations }}
{{ fail "`controller.deploymentAnnotations` does no longer exist. It has been renamed to `controller.statefulSetAnnotations`" }}
{{- end }}
{{- if .Values.controller.rollingUpdate }}
{{ fail "`controller.rollingUpdate` does no longer exist. It is no longer relevant, since a StatefulSet is used for the Jenkins controller" }}
{{- end }}
{{- end }}

37
helm/jenkins/templates/home-pvc.yaml Normal file
View File

@@ -0,0 +1,37 @@
{{- if not (contains "jenkins-home" (quote .Values.persistence.volumes)) }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
{{- if .Values.persistence.annotations }}
annotations:
{{ toYaml .Values.persistence.annotations | indent 4 }}
{{- end }}
name: {{ template "jenkins.fullname" . }}
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- if .Values.persistence.labels }}
{{ toYaml .Values.persistence.labels | indent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- end }}
{{- end }}

45
helm/jenkins/templates/jcasc-config.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{- $root := . }}
{{- if .Values.controller.sidecars.configAutoReload.enabled }}
{{- range $key, $val := .Values.controller.JCasC.configScripts }}
{{- if $val }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "jenkins.casc.configName" (list (printf "config-%s" $key) $ )}}
namespace: {{ template "jenkins.namespace" $root }}
labels:
"app.kubernetes.io/name": {{ template "jenkins.name" $root}}
{{- if $root.Values.renderHelmLabels }}
"helm.sh/chart": "{{ $root.Chart.Name }}-{{ $root.Chart.Version }}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ $.Release.Service }}"
"app.kubernetes.io/instance": "{{ $.Release.Name }}"
"app.kubernetes.io/component": "{{ $.Values.controller.componentName }}"
{{ template "jenkins.fullname" $root }}-jenkins-config: "true"
data:
{{ $key }}.yaml: |-
{{ tpl $val $| indent 4 }}
{{- end }}
{{- end }}
{{- if .Values.controller.JCasC.defaultConfig }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "jenkins.casc.configName" (list "jcasc-config" $ )}}
namespace: {{ template "jenkins.namespace" $root }}
labels:
"app.kubernetes.io/name": {{ template "jenkins.name" $root}}
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ $root.Chart.Name }}-{{ $root.Chart.Version }}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ $.Release.Service }}"
"app.kubernetes.io/instance": "{{ $.Release.Name }}"
"app.kubernetes.io/component": "{{ $.Values.controller.componentName }}"
{{ template "jenkins.fullname" $root }}-jenkins-config: "true"
data:
jcasc-default-config.yaml: |-
{{- include "jenkins.casc.defaults" . |nindent 4 }}
{{- end}}
{{- end }}

43
helm/jenkins/templates/jenkins-agent-svc.yaml Normal file
View File

@@ -0,0 +1,43 @@
{{- if .Values.controller.agentListenerEnabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "jenkins.fullname" . }}-agent
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- if .Values.controller.agentListenerServiceAnnotations }}
annotations:
{{- toYaml .Values.controller.agentListenerServiceAnnotations | nindent 4 }}
{{- end }}
spec:
{{- if .Values.controller.agentListenerExternalTrafficPolicy }}
externalTrafficPolicy: {{.Values.controller.agentListenerExternalTrafficPolicy}}
{{- end }}
ports:
- port: {{ .Values.controller.agentListenerPort }}
targetPort: {{ .Values.controller.agentListenerPort }}
{{- if (and (eq .Values.controller.agentListenerServiceType "NodePort") (not (empty .Values.controller.agentListenerNodePort))) }}
nodePort: {{ .Values.controller.agentListenerNodePort }}
{{- end }}
name: agent-listener
selector:
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
type: {{ .Values.controller.agentListenerServiceType }}
{{if eq .Values.controller.agentListenerServiceType "LoadBalancer"}}
{{- if .Values.controller.agentListenerLoadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml .Values.controller.agentListenerLoadBalancerSourceRanges | indent 4 }}
{{- end }}
{{- end }}
{{- if and (eq .Values.controller.agentListenerServiceType "LoadBalancer") (.Values.controller.agentListenerLoadBalancerIP) }}
loadBalancerIP: {{ .Values.controller.agentListenerLoadBalancerIP }}
{{- end }}
{{- end }}

16
helm/jenkins/templates/jenkins-aws-security-group-policies.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if .Values.awsSecurityGroupPolicies.enabled -}}
{{- range .Values.awsSecurityGroupPolicies.policies -}}
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
name: {{ .name }}
namespace: {{ template "jenkins.namespace" $ }}
spec:
podSelector:
{{- toYaml .podSelector | nindent 6}}
securityGroups:
groupIds:
{{- toYaml .securityGroupIds | nindent 6}}
---
{{- end -}}
{{- end -}}

168
helm/jenkins/templates/jenkins-backup-cronjob.yaml Normal file
View File

@@ -0,0 +1,168 @@
{{- if .Values.backup.enabled }}
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: {{ template "jenkins.fullname" . }}-backup
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.backup.componentName }}"
spec:
schedule: {{ .Values.backup.schedule | quote }}
concurrencyPolicy: Forbid
startingDeadlineSeconds: 120
jobTemplate:
spec:
{{- if .Values.backup.activeDeadlineSeconds }}
activeDeadlineSeconds: {{ .Values.backup.activeDeadlineSeconds }}
{{- end }}
template:
metadata:
{{- if .Values.backup.labels }}
labels:
{{- toYaml .Values.backup.labels | trim | nindent 12 }}
{{- end }}
{{- if .Values.backup.annotations }}
annotations:
{{- toYaml .Values.backup.annotations | trim | nindent 12 }}
{{- end }}
spec:
restartPolicy: OnFailure
serviceAccountName: {{ include "backup.serviceAccountBackupName" . }}
{{- if .Values.backup.usePodSecurityContext }}
securityContext:
{{- if hasKey .Values.backup "podSecurityContextOverride" }}
{{- tpl (toYaml .Values.backup.podSecurityContextOverride | nindent 12) . }}
{{- else }}
runAsUser: {{ default 0 .Values.backup.runAsUser }}
{{- if and (.Values.backup.runAsUser) (.Values.backup.fsGroup) }}
{{- if not (eq (int .Values.backup.runAsUser) 0) }}
fsGroup: {{ .Values.backup.fsGroup }}
{{- end }}
{{- end }}
{{- if .Values.backup.securityContextCapabilities }}
capabilities:
{{- toYaml .Values.backup.securityContextCapabilities | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
containers:
- name: jenkins-backup
image: "{{ .Values.backup.image.repository }}:{{ .Values.backup.image.tag }}"
command: ["kube-tasks"]
args:
- simple-backup
- -n
- {{ template "jenkins.namespace" . }}
- -l
- app.kubernetes.io/instance={{ .Release.Name }}
- --container
- jenkins
- --path
{{- if .Values.backup.onlyJobs }}
- {{ .Values.controller.jenkinsHome }}/jobs
{{- else}}
- {{ .Values.controller.jenkinsHome }}
{{- end}}
- --dst
- {{ .Values.backup.destination }}
{{- with .Values.backup.extraArgs }}
{{- toYaml . | nindent 12 }}
{{- end }}
env:
{{- with .Values.backup.env }}
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- if .Values.backup.existingSecret }}
{{- range $key,$value := .Values.backup.existingSecret }}
{{- if $value.awsaccesskey }}
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: {{ $key }}
key: {{ $value.awsaccesskey | quote }}
{{- end }}
{{- if $value.awssecretkey }}
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ $key }}
key: {{ $value.awssecretkey | quote}}
{{- end }}
{{- if $value.azstorageaccount }}
- name: AZURE_STORAGE_ACCOUNT
valueFrom:
secretKeyRef:
name: {{ $key }}
key: {{ $value.azstorageaccount | quote}}
{{- end }}
{{- if $value.azstoragekey }}
- name: AZURE_STORAGE_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ $key }}
key: {{ $value.azstoragekey | quote}}
{{- end }}
{{- if $value.gcpcredentials }}
- name: GOOGLE_APPLICATION_CREDENTIALS
value: "/var/run/secrets/{{ $key }}/{{ $value.gcpcredentials }}"
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.backup.resources }}
resources:
{{- toYaml . | trim | nindent 14 }}
{{- end }}
volumeMounts:
{{- if .Values.backup.existingSecret }}
{{- range $key,$value := .Values.backup.existingSecret }}
{{- if $value.gcpcredentials }}
- mountPath: /var/run/secrets/{{ $key }}
name: {{ $key }}
{{- end }}
{{- end }}
{{- end }}
volumes:
{{- if .Values.backup.existingSecret }}
{{- range $key,$value := .Values.backup.existingSecret }}
{{- if $value.gcpcredentials }}
- name: {{ $key }}
secret:
secretName: {{ $key }}
{{- end }}
{{- end }}
{{- end }}
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
topologyKey: "kubernetes.io/hostname"
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- {{ template "jenkins.fullname" . }}
- key: release
operator: In
values:
- {{ .Release.Name }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.controller.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.backup.imagePullSecretName }}
imagePullSecrets:
- name: {{ .Values.backup.imagePullSecretName }}
{{- end -}}
{{- end }}

64
helm/jenkins/templates/jenkins-backup-rbac.yaml Normal file
View File

@@ -0,0 +1,64 @@
{{- if .Values.backup.enabled }}
{{- if .Values.backup.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "backup.serviceAccountBackupName" . }}
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- if .Values.backup.serviceAccount.annotations }}
annotations:
{{- toYaml .Values.backup.serviceAccount.annotations | nindent 4 }}
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "jenkins.fullname" . }}-backup
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "jenkins.fullname" . }}-backup
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "jenkins.fullname" . }}-backup
subjects:
- kind: ServiceAccount
name: {{ include "backup.serviceAccountBackupName" . }}
namespace: {{ template "jenkins.namespace" . }}
{{- end }}

26
helm/jenkins/templates/jenkins-controller-alerting-rules.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{- if and .Values.controller.prometheus.enabled .Values.controller.prometheus.alertingrules }}
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "jenkins.fullname" . }}
{{- if .Values.controller.prometheus.prometheusRuleNamespace }}
namespace: {{ .Values.controller.prometheus.prometheusRuleNamespace }}
{{- else }}
namespace: {{ template "jenkins.namespace" . }}
{{- end }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- range $key, $val := .Values.controller.prometheus.alertingRulesAdditionalLabels }}
{{ $key }}: {{ $val | quote }}
{{- end}}
spec:
groups:
{{ toYaml .Values.controller.prometheus.alertingrules | indent 2 }}
{{- end }}

24
helm/jenkins/templates/jenkins-controller-backendconfig.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{- if .Values.controller.backendconfig.enabled }}
apiVersion: {{ .Values.controller.backendconfig.apiVersion }}
kind: BackendConfig
metadata:
name: {{ .Values.controller.backendconfig.name }}
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- if .Values.controller.backendconfig.labels }}
{{ toYaml .Values.controller.backendconfig.labels | indent 4 }}
{{- end }}
{{- if .Values.controller.backendconfig.annotations }}
annotations:
{{ toYaml .Values.controller.backendconfig.annotations | indent 4 }}
{{- end }}
spec:
{{ toYaml .Values.controller.backendconfig.spec | indent 2 }}
{{- end }}

77
helm/jenkins/templates/jenkins-controller-ingress.yaml Normal file
View File

@@ -0,0 +1,77 @@
{{- $kubeTargetVersion := default .Capabilities.KubeVersion.GitVersion .Values.kubeTargetVersionOverride }}
{{- if .Values.controller.ingress.enabled }}
{{- if semverCompare ">=1.19-0" $kubeTargetVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" $kubeTargetVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: {{ .Values.controller.ingress.apiVersion }}
{{- end }}
kind: Ingress
metadata:
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- if .Values.controller.ingress.labels }}
{{ toYaml .Values.controller.ingress.labels | indent 4 }}
{{- end }}
{{- if .Values.controller.ingress.annotations }}
annotations:
{{ toYaml .Values.controller.ingress.annotations | indent 4 }}
{{- end }}
name: {{ template "jenkins.fullname" . }}
spec:
{{- if .Values.controller.ingress.ingressClassName }}
ingressClassName: {{ .Values.controller.ingress.ingressClassName | quote }}
{{- end }}
rules:
- http:
paths:
{{- if empty (.Values.controller.ingress.paths) }}
- backend:
{{- if semverCompare ">=1.19-0" $kubeTargetVersion }}
service:
name: {{ template "jenkins.fullname" . }}
port:
number: {{ .Values.controller.servicePort }}
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ template "jenkins.fullname" . }}
servicePort: {{ .Values.controller.servicePort }}
{{- end }}
{{- if .Values.controller.ingress.path }}
path: {{ .Values.controller.ingress.path }}
{{- end -}}
{{- else }}
{{ tpl (toYaml .Values.controller.ingress.paths | indent 6) . }}
{{- end -}}
{{- if .Values.controller.ingress.hostName }}
host: {{ .Values.controller.ingress.hostName | quote }}
{{- end }}
{{- if .Values.controller.ingress.resourceRootUrl }}
- http:
paths:
- backend:
{{- if semverCompare ">=1.19-0" $kubeTargetVersion }}
service:
name: {{ template "jenkins.fullname" . }}
port:
number: {{ .Values.controller.servicePort }}
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ template "jenkins.fullname" . }}
servicePort: {{ .Values.controller.servicePort }}
{{- end }}
host: {{ .Values.controller.ingress.resourceRootUrl | quote }}
{{- end }}
{{- if .Values.controller.ingress.tls }}
tls:
{{ toYaml .Values.controller.ingress.tls | indent 4 }}
{{- end -}}
{{- end }}

76
helm/jenkins/templates/jenkins-controller-networkpolicy.yaml Normal file
View File

@@ -0,0 +1,76 @@
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ .Values.networkPolicy.apiVersion }}
metadata:
name: "{{ .Release.Name }}-{{ .Values.controller.componentName }}"
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
spec:
podSelector:
matchLabels:
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
ingress:
# Allow web access to the UI
- ports:
- port: {{ .Values.controller.targetPort }}
{{- if .Values.controller.agentListenerEnabled }}
# Allow inbound connections from agents
- from:
{{- if .Values.networkPolicy.internalAgents.allowed }}
- podSelector:
matchLabels:
"jenkins/{{ .Release.Name }}-{{ .Values.agent.componentName }}": "true"
{{- range $k,$v:= .Values.networkPolicy.internalAgents.podLabels }}
{{ $k }}: {{ $v }}
{{- end }}
{{- if .Values.networkPolicy.internalAgents.namespaceLabels }}
namespaceSelector:
matchLabels:
{{- range $k,$v:= .Values.networkPolicy.internalAgents.namespaceLabels }}
{{ $k }}: {{ $v }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.externalAgents }}
- ipBlock:
cidr: {{ required "ipCIDR is required if you wish to allow external agents to connect to Jenkins Controller." .Values.networkPolicy.externalAgents.ipCIDR }}
{{- if .Values.networkPolicy.externalAgents.except }}
except:
{{- range .Values.networkPolicy.externalAgents.except }}
- {{ . }}
{{- end }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.controller.agentListenerPort }}
{{- end }}
{{- if .Values.agent.enabled }}
---
kind: NetworkPolicy
apiVersion: {{ .Values.networkPolicy.apiVersion }}
metadata:
name: "{{ .Release.Name }}-{{ .Values.agent.componentName }}"
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
spec:
podSelector:
matchLabels:
# DefaultDeny
"jenkins/{{ .Release.Name }}-{{ .Values.agent.componentName }}": "true"
{{- end }}
{{- end }}

34
helm/jenkins/templates/jenkins-controller-pdb.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{- if .Values.controller.podDisruptionBudget.enabled }}
{{- $kubeTargetVersion := default .Capabilities.KubeVersion.GitVersion .Values.kubeTargetVersionOverride }}
{{- if semverCompare ">=1.21-0" $kubeTargetVersion -}}
apiVersion: policy/v1
{{- else if semverCompare ">=1.5-0" $kubeTargetVersion -}}
apiVersion: policy/v1beta1
{{- else -}}
apiVersion: {{ .Values.controller.podDisruptionBudget.apiVersion }}
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ template "jenkins.fullname" . }}-pdb
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- if .Values.controller.podDisruptionBudget.labels -}}
{{ toYaml .Values.controller.podDisruptionBudget.labels | nindent 4 }}
{{- end }}
{{- if .Values.controller.podDisruptionBudget.annotations }}
annotations: {{ toYaml .Values.controller.podDisruptionBudget.annotations | nindent 4 }}
{{- end }}
spec:
maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
selector:
matchLabels:
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- end }}

30
helm/jenkins/templates/jenkins-controller-podmonitor.yaml Normal file
View File

@@ -0,0 +1,30 @@
{{- if .Values.controller.googlePodMonitor.enabled }}
apiVersion: monitoring.googleapis.com/v1
kind: PodMonitoring
metadata:
name: {{ template "jenkins.fullname" . }}
{{- if .Values.controller.googlePodMonitor.serviceMonitorNamespace }}
namespace: {{ .Values.controller.googlePodMonitor.serviceMonitorNamespace }}
{{- else }}
namespace: {{ template "jenkins.namespace" . }}
{{- end }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
spec:
endpoints:
- interval: {{ .Values.controller.googlePodMonitor.scrapeInterval }}
port: http
path: {{ .Values.controller.jenkinsUriPrefix }}{{ .Values.controller.googlePodMonitor.scrapeEndpoint }}
selector:
matchLabels:
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- end }}

34
helm/jenkins/templates/jenkins-controller-route.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{- if .Values.controller.route.enabled }}
apiVersion: route.openshift.io/v1
kind: Route
metadata:
namespace: {{ template "jenkins.namespace" . }}
labels:
app: {{ template "jenkins.fullname" . }}
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
component: "{{ .Release.Name }}-{{ .Values.controller.componentName }}"
{{- if .Values.controller.route.labels }}
{{ toYaml .Values.controller.route.labels | indent 4 }}
{{- end }}
{{- if .Values.controller.route.annotations }}
annotations:
{{ toYaml .Values.controller.route.annotations | indent 4 }}
{{- end }}
name: {{ template "jenkins.fullname" . }}
spec:
host: {{ .Values.controller.route.path }}
port:
targetPort: http
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge
to:
kind: Service
name: {{ template "jenkins.fullname" . }}
weight: 100
wildcardPolicy: None
{{- end }}

56
helm/jenkins/templates/jenkins-controller-secondary-ingress.yaml Normal file
View File

@@ -0,0 +1,56 @@
{{- if .Values.controller.secondaryingress.enabled }}
{{- $kubeTargetVersion := default .Capabilities.KubeVersion.GitVersion .Values.kubeTargetVersionOverride }}
{{- $serviceName := include "jenkins.fullname" . -}}
{{- $servicePort := .Values.controller.servicePort -}}
{{- if semverCompare ">=1.19-0" $kubeTargetVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" $kubeTargetVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: {{ .Values.controller.secondaryingress.apiVersion }}
{{- end }}
kind: Ingress
metadata:
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- if .Values.controller.secondaryingress.labels -}}
{{ toYaml .Values.controller.secondaryingress.labels | nindent 4 }}
{{- end }}
{{- if .Values.controller.secondaryingress.annotations }}
annotations: {{ toYaml .Values.controller.secondaryingress.annotations | nindent 4 }}
{{- end }}
name: {{ template "jenkins.fullname" . }}-secondary
spec:
{{- if .Values.controller.secondaryingress.ingressClassName }}
ingressClassName: {{ .Values.controller.secondaryingress.ingressClassName | quote }}
{{- end }}
rules:
- host: {{ .Values.controller.secondaryingress.hostName }}
http:
paths:
{{- range .Values.controller.secondaryingress.paths }}
- path: {{ . | quote }}
backend:
{{ if semverCompare ">=1.19-0" $kubeTargetVersion }}
service:
name: {{ $serviceName }}
port:
number: {{ $servicePort }}
pathType: ImplementationSpecific
{{ else }}
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{ end }}
{{- end}}
{{- if .Values.controller.secondaryingress.tls }}
tls:
{{ toYaml .Values.controller.secondaryingress.tls | indent 4 }}
{{- end -}}
{{- end }}

40
helm/jenkins/templates/jenkins-controller-servicemonitor.yaml Normal file
View File

@@ -0,0 +1,40 @@
{{- if and .Values.controller.prometheus.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "jenkins.fullname" . }}
{{- if .Values.controller.prometheus.serviceMonitorNamespace }}
namespace: {{ .Values.controller.prometheus.serviceMonitorNamespace }}
{{- else }}
namespace: {{ template "jenkins.namespace" . }}
{{- end }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- range $key, $val := .Values.controller.prometheus.serviceMonitorAdditionalLabels }}
{{ $key }}: {{ $val | quote }}
{{- end}}
spec:
endpoints:
- interval: {{ .Values.controller.prometheus.scrapeInterval }}
port: http
path: {{ .Values.controller.jenkinsUriPrefix }}{{ .Values.controller.prometheus.scrapeEndpoint }}
{{- if .Values.controller.prometheus.metricRelabelings }}
metricRelabelings: {{ .Values.controller.prometheus.metricRelabelings }}
{{- end }}
jobLabel: {{ template "jenkins.fullname" . }}
namespaceSelector:
matchNames:
- "{{ template "jenkins.namespace" $ }}"
selector:
matchLabels:
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- end }}

436
helm/jenkins/templates/jenkins-controller-statefulset.yaml Normal file
View File

@@ -0,0 +1,436 @@
{{- if .Capabilities.APIVersions.Has "apps/v1" }}
apiVersion: apps/v1
{{- else }}
apiVersion: apps/v1beta1
{{- end }}
kind: StatefulSet
metadata:
name: {{ template "jenkins.fullname" . }}
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- range $key, $val := .Values.controller.statefulSetLabels }}
{{ $key }}: {{ $val | quote }}
{{- end}}
{{- if .Values.controller.statefulSetAnnotations }}
annotations:
{{ toYaml .Values.controller.statefulSetAnnotations | indent 4 }}
{{- end }}
spec:
serviceName: {{ template "jenkins.fullname" . }}
replicas: 1
selector:
matchLabels:
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
{{- if .Values.controller.updateStrategy }}
updateStrategy:
{{ toYaml .Values.controller.updateStrategy | indent 4 }}
{{- end }}
template:
metadata:
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- range $key, $val := .Values.controller.podLabels }}
{{ $key }}: {{ $val | quote }}
{{- end}}
annotations:
checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
{{- if .Values.controller.podAnnotations }}
{{ tpl (toYaml .Values.controller.podAnnotations | indent 8) . }}
{{- end }}
spec:
{{- if .Values.controller.schedulerName }}
schedulerName: {{ .Values.controller.schedulerName }}
{{- end }}
{{- if .Values.controller.nodeSelector }}
nodeSelector:
{{ toYaml .Values.controller.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.controller.tolerations }}
tolerations:
{{ toYaml .Values.controller.tolerations | indent 8 }}
{{- end }}
{{- if .Values.controller.affinity }}
affinity:
{{ toYaml .Values.controller.affinity | indent 8 }}
{{- end }}
{{- if quote .Values.controller.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if .Values.controller.usePodSecurityContext }}
securityContext:
{{- if hasKey .Values.controller "podSecurityContextOverride" }}
{{- tpl (toYaml .Values.controller.podSecurityContextOverride | nindent 8) . -}}
{{- else }}
{{/* The rest of this section should be replaced with the contents of this comment one the runAsUser, fsGroup, and securityContextCapabilities Helm chart values have been removed:
runAsUser: 1000
fsGroup: 1000
runAsNonRoot: true
*/}}
runAsUser: {{ default 0 .Values.controller.runAsUser }}
{{- if and (.Values.controller.runAsUser) (.Values.controller.fsGroup) }}
{{- if not (eq (int .Values.controller.runAsUser) 0) }}
fsGroup: {{ .Values.controller.fsGroup }}
runAsNonRoot: true
{{- end }}
{{- if .Values.controller.securityContextCapabilities }}
capabilities:
{{- toYaml .Values.controller.securityContextCapabilities | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
serviceAccountName: "{{ template "jenkins.serviceAccountName" . }}"
{{- if .Values.controller.hostNetworking }}
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
{{- end }}
{{- if .Values.controller.hostAliases }}
hostAliases:
{{- toYaml .Values.controller.hostAliases | nindent 8 }}
{{- end }}
initContainers:
{{- if .Values.controller.customInitContainers }}
{{ tpl (toYaml .Values.controller.customInitContainers) . | indent 8 }}
{{- end }}
- name: "init"
image: "{{ .Values.controller.image }}:{{- include "controller.tag" . -}}"
imagePullPolicy: "{{ .Values.controller.imagePullPolicy }}"
{{- if .Values.controller.containerSecurityContext }}
securityContext: {{- toYaml .Values.controller.containerSecurityContext | nindent 12 }}
{{- end }}
command: [ "sh", "/var/jenkins_config/apply_config.sh" ]
{{- if .Values.controller.initContainerEnvFrom }}
envFrom:
{{ (tpl (toYaml .Values.controller.initContainerEnvFrom) .) | indent 12 }}
{{- end }}
{{- if .Values.controller.initContainerEnv }}
env:
{{ (tpl (toYaml .Values.controller.initContainerEnv) .) | indent 12 }}
{{- end }}
resources:
{{- if .Values.controller.initContainerResources }}
{{ toYaml .Values.controller.initContainerResources | indent 12 }}
{{- else }}
{{ toYaml .Values.controller.resources | indent 12 }}
{{- end }}
volumeMounts:
{{- if .Values.persistence.mounts }}
{{ toYaml .Values.persistence.mounts | indent 12 }}
{{- end }}
- mountPath: {{ .Values.controller.jenkinsHome }}
name: jenkins-home
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
- mountPath: /var/jenkins_config
name: jenkins-config
{{- if .Values.controller.installPlugins }}
{{- if .Values.controller.overwritePluginsFromImage }}
- mountPath: {{ .Values.controller.jenkinsRef }}/plugins
name: plugins
{{- end }}
- mountPath: /var/jenkins_plugins
name: plugin-dir
- mountPath: /tmp
name: tmp-volume
{{- end }}
{{- if or .Values.controller.initScripts .Values.controller.initConfigMap }}
- mountPath: {{ .Values.controller.jenkinsHome }}/init.groovy.d
name: init-scripts
{{- end }}
{{- if .Values.controller.httpsKeyStore.enable }}
{{- $httpsJKSDirPath := printf "%s" .Values.controller.httpsKeyStore.path }}
- mountPath: {{ $httpsJKSDirPath }}
name: jenkins-https-keystore
{{- end }}
containers:
- name: jenkins
image: "{{ .Values.controller.image }}:{{- include "controller.tag" . -}}"
imagePullPolicy: "{{ .Values.controller.imagePullPolicy }}"
{{- if .Values.controller.containerSecurityContext }}
securityContext: {{- toYaml .Values.controller.containerSecurityContext | nindent 12 }}
{{- end }}
{{- if .Values.controller.overrideArgs }}
args: [
{{- range $overrideArg := .Values.controller.overrideArgs }}
"{{- tpl $overrideArg $ }}",
{{- end }}
]
{{- else if .Values.controller.httpsKeyStore.enable }}
{{- $httpsJKSFilePath := printf "%s/%s" .Values.controller.httpsKeyStore.path .Values.controller.httpsKeyStore.fileName }}
args: [ "--httpPort={{.Values.controller.httpsKeyStore.httpPort}}", "--httpsPort={{.Values.controller.targetPort}}", '--httpsKeyStore={{ $httpsJKSFilePath }}', "--httpsKeyStorePassword=$(JENKINS_HTTPS_KEYSTORE_PASSWORD)" ]
{{- else }}
args: [ "--httpPort={{.Values.controller.targetPort}}"]
{{- end }}
{{- if .Values.controller.lifecycle }}
lifecycle:
{{ toYaml .Values.controller.lifecycle | indent 12 }}
{{- end }}
{{- if .Values.controller.terminationMessagePath }}
terminationMessagePath: {{ .Values.controller.terminationMessagePath }}
{{- end }}
{{- if .Values.controller.terminationMessagePolicy }}
terminationMessagePolicy: {{ .Values.controller.terminationMessagePolicy }}
{{- end }}
{{- if .Values.controller.containerEnvFrom }}
envFrom:
{{ (tpl ( toYaml .Values.controller.containerEnvFrom) .) | indent 12 }}
{{- end }}
env:
{{- if or .Values.controller.additionalSecrets .Values.controller.existingSecret .Values.controller.additionalExistingSecrets .Values.controller.adminSecret }}
- name: SECRETS
value: /run/secrets/additional
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: JAVA_OPTS
value: >-
{{ if .Values.controller.sidecars.configAutoReload.enabled }} -Dcasc.reload.token=$(POD_NAME) {{ end }}{{ default "" .Values.controller.javaOpts }}
- name: JENKINS_OPTS
value: >-
{{ if .Values.controller.jenkinsUriPrefix }}--prefix={{ .Values.controller.jenkinsUriPrefix }} {{ end }} --webroot=/var/jenkins_cache/war {{ default "" .Values.controller.jenkinsOpts}}
- name: JENKINS_SLAVE_AGENT_PORT
value: "{{ .Values.controller.agentListenerPort }}"
{{- if .Values.controller.httpsKeyStore.enable }}
- name: JENKINS_HTTPS_KEYSTORE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ if .Values.controller.httpsKeyStore.jenkinsHttpsJksSecretName }} {{ .Values.controller.httpsKeyStore.jenkinsHttpsJksSecretName }} {{ else }} {{ template "jenkins.fullname" . }}-https-jks {{ end }}
key: {{ "https-jks-password" | quote }}
{{- end }}
{{- if .Values.controller.containerEnv }}
{{ (tpl ( toYaml .Values.controller.containerEnv) .) | indent 12 }}
{{- end }}
- name: CASC_JENKINS_CONFIG
value: {{ .Values.controller.sidecars.configAutoReload.folder | default (printf "%s/casc_configs" (.Values.controller.jenkinsRef)) }}{{- if .Values.controller.JCasC.configUrls }},{{ join "," .Values.controller.JCasC.configUrls }}{{- end }}
ports:
{{- if .Values.controller.httpsKeyStore.enable }}
- containerPort: {{.Values.controller.httpsKeyStore.httpPort}}
{{- else }}
- containerPort: {{.Values.controller.targetPort}}
{{- end }}
name: http
- containerPort: {{ .Values.controller.agentListenerPort }}
name: agent-listener
{{- if .Values.controller.agentListenerHostPort }}
hostPort: {{ .Values.controller.agentListenerHostPort }}
{{- end }}
{{- if .Values.controller.jmxPort }}
- containerPort: {{ .Values.controller.jmxPort }}
name: jmx
{{- end }}
{{- range $index, $port := .Values.controller.extraPorts }}
- containerPort: {{ $port.port }}
name: {{ $port.name }}
{{- end }}
{{- if and .Values.controller.healthProbes .Values.controller.probes}}
{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.GitVersion }}
startupProbe:
{{ tpl (toYaml .Values.controller.probes.startupProbe | indent 12) .}}
{{- end }}
livenessProbe:
{{ tpl (toYaml .Values.controller.probes.livenessProbe | indent 12) .}}
readinessProbe:
{{ tpl (toYaml .Values.controller.probes.readinessProbe | indent 12) .}}
{{- end }}
resources:
{{ toYaml .Values.controller.resources | indent 12 }}
volumeMounts:
{{- if .Values.persistence.mounts }}
{{ toYaml .Values.persistence.mounts | indent 12 }}
{{- end }}
{{- if .Values.controller.httpsKeyStore.enable }}
{{- $httpsJKSDirPath := printf "%s" .Values.controller.httpsKeyStore.path }}
- mountPath: {{ $httpsJKSDirPath }}
name: jenkins-https-keystore
{{- end }}
- mountPath: {{ .Values.controller.jenkinsHome }}
name: jenkins-home
readOnly: false
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
- mountPath: /var/jenkins_config
name: jenkins-config
readOnly: true
{{- if .Values.controller.installPlugins }}
- mountPath: {{ .Values.controller.jenkinsRef }}/plugins/
name: plugin-dir
readOnly: false
{{- end }}
{{- if or .Values.controller.initScripts .Values.controller.initConfigMap }}
- mountPath: {{ .Values.controller.jenkinsHome }}/init.groovy.d
name: init-scripts
{{- end }}
{{- if .Values.controller.sidecars.configAutoReload.enabled }}
- name: sc-config-volume
mountPath: {{ .Values.controller.sidecars.configAutoReload.folder | default (printf "%s/casc_configs" (.Values.controller.jenkinsRef)) }}
{{- end }}
{{- if or .Values.controller.additionalSecrets .Values.controller.existingSecret .Values.controller.additionalExistingSecrets .Values.controller.adminSecret }}
- name: jenkins-secrets
mountPath: /run/secrets/additional
readOnly: true
{{- end }}
- name: jenkins-cache
mountPath: /var/jenkins_cache
- mountPath: /tmp
name: tmp-volume
{{- if .Values.controller.sidecars.configAutoReload.enabled }}
- name: config-reload
image: "{{ .Values.controller.sidecars.configAutoReload.image }}"
imagePullPolicy: {{ .Values.controller.sidecars.configAutoReload.imagePullPolicy }}
{{- if .Values.controller.sidecars.configAutoReload.containerSecurityContext }}
securityContext: {{- toYaml .Values.controller.sidecars.configAutoReload.containerSecurityContext | nindent 12 }}
{{- end }}
{{- if .Values.controller.sidecars.configAutoReload.envFrom }}
envFrom:
{{ (tpl (toYaml .Values.controller.sidecars.configAutoReload.envFrom) .) | indent 12 }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: LABEL
value: "{{ template "jenkins.fullname" . }}-jenkins-config"
- name: FOLDER
value: "{{ .Values.controller.sidecars.configAutoReload.folder }}"
- name: NAMESPACE
value: '{{ .Values.controller.sidecars.configAutoReload.searchNamespace | default (include "jenkins.namespace" .) }}'
- name: REQ_URL
value: "http://localhost:{{- include "controller.httpPort" . -}}{{- .Values.controller.jenkinsUriPrefix -}}/reload-configuration-as-code/?casc-reload-token=$(POD_NAME)"
- name: REQ_METHOD
value: "POST"
- name: REQ_RETRY_CONNECT
value: "{{ .Values.controller.sidecars.configAutoReload.reqRetryConnect }}"
{{- if .Values.controller.sidecars.configAutoReload.env }}
{{ (tpl (toYaml .Values.controller.sidecars.configAutoReload.env) .) | indent 12 }}
{{- end }}
resources:
{{ toYaml .Values.controller.sidecars.configAutoReload.resources | indent 12 }}
volumeMounts:
- name: sc-config-volume
mountPath: {{ .Values.controller.sidecars.configAutoReload.folder | quote }}
- name: jenkins-home
mountPath: {{ .Values.controller.jenkinsHome }}
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
{{- end}}
{{- if .Values.controller.sidecars.other}}
{{ tpl (toYaml .Values.controller.sidecars.other | indent 8) .}}
{{- end }}
volumes:
{{- if .Values.persistence.volumes }}
{{ tpl (toYaml .Values.persistence.volumes | indent 6) . }}
{{- end }}
{{- if .Values.controller.installPlugins }}
{{- if .Values.controller.overwritePluginsFromImage }}
- name: plugins
emptyDir: {}
{{- end }}
{{- end }}
{{- if and .Values.controller.initScripts .Values.controller.initConfigMap }}
- name: init-scripts
projected:
sources:
- configMap:
name: {{ template "jenkins.fullname" . }}-init-scripts
- configMap:
name: {{ .Values.controller.initConfigMap }}
{{- else if .Values.controller.initConfigMap }}
- name: init-scripts
configMap:
name: {{ .Values.controller.initConfigMap }}
{{- else if .Values.controller.initScripts }}
- name: init-scripts
configMap:
name: {{ template "jenkins.fullname" . }}-init-scripts
{{- end }}
- name: jenkins-config
configMap:
name: {{ template "jenkins.fullname" . }}
{{- if .Values.controller.installPlugins }}
- name: plugin-dir
emptyDir: {}
{{- end }}
{{- if or .Values.controller.additionalSecrets .Values.controller.existingSecret .Values.controller.additionalExistingSecrets .Values.controller.adminSecret }}
- name: jenkins-secrets
projected:
sources:
{{- if .Values.controller.additionalSecrets }}
- secret:
name: {{ template "jenkins.fullname" . }}-additional-secrets
{{- end }}
{{- if .Values.controller.additionalExistingSecrets }}
{{- range $key, $value := .Values.controller.additionalExistingSecrets }}
- secret:
name: {{ tpl $value.name $ }}
items:
- key: {{ tpl $value.keyName $ }}
path: {{ tpl $value.name $ }}-{{ tpl $value.keyName $ }}
{{- end }}
{{- end }}
{{- if .Values.controller.adminSecret }}
- secret:
name: {{ .Values.controller.admin.existingSecret | default (include "jenkins.fullname" .) }}
items:
- key: {{ .Values.controller.admin.userKey | default "jenkins-admin-user" }}
path: chart-admin-username
- key: {{ .Values.controller.admin.passwordKey | default "jenkins-admin-password" }}
path: chart-admin-password
{{- end }}
{{- if .Values.controller.existingSecret }}
- secret:
name: {{ .Values.controller.existingSecret }}
{{- end }}
{{- end }}
- name: jenkins-cache
emptyDir: {}
{{- if not (contains "jenkins-home" (quote .Values.persistence.volumes)) }}
- name: jenkins-home
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "jenkins.fullname" .) }}
{{- else }}
emptyDir: {}
{{- end -}}
{{- end }}
- name: sc-config-volume
emptyDir: {}
- name: tmp-volume
emptyDir: {}
{{- if .Values.controller.httpsKeyStore.enable }}
- name: jenkins-https-keystore
secret:
secretName: {{ if .Values.controller.httpsKeyStore.jenkinsHttpsJksSecretName }} {{ .Values.controller.httpsKeyStore.jenkinsHttpsJksSecretName }} {{ else }} {{ template "jenkins.fullname" . }}-https-jks {{ end }}
items:
- key: jenkins-jks-file
path: {{ .Values.controller.httpsKeyStore.fileName }}
{{- end }}
{{- if .Values.controller.imagePullSecretName }}
imagePullSecrets:
- name: {{ .Values.controller.imagePullSecretName }}
{{- end -}}

56
helm/jenkins/templates/jenkins-controller-svc.yaml Normal file
View File

@@ -0,0 +1,56 @@
apiVersion: v1
kind: Service
metadata:
name: {{template "jenkins.fullname" . }}
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- if .Values.controller.serviceLabels }}
{{ toYaml .Values.controller.serviceLabels | indent 4 }}
{{- end }}
{{- if .Values.controller.serviceAnnotations }}
annotations:
{{ toYaml .Values.controller.serviceAnnotations | indent 4 }}
{{- end }}
spec:
{{- if .Values.controller.serviceExternalTrafficPolicy }}
externalTrafficPolicy: {{.Values.controller.serviceExternalTrafficPolicy}}
{{- end }}
{{- if (and (eq .Values.controller.serviceType "ClusterIP") (not (empty .Values.controller.clusterIP))) }}
clusterIP: {{.Values.controller.clusterIP}}
{{- end }}
ports:
- port: {{.Values.controller.servicePort}}
name: http
targetPort: {{ .Values.controller.targetPort }}
{{- if (and (eq .Values.controller.serviceType "NodePort") (not (empty .Values.controller.nodePort))) }}
nodePort: {{.Values.controller.nodePort}}
{{- end }}
{{- range $index, $port := .Values.controller.extraPorts }}
- port: {{ $port.port }}
name: {{ $port.name }}
{{- if $port.targetPort }}
targetPort: {{ $port.targetPort }}
{{- else }}
targetPort: {{ $port.port }}
{{- end -}}
{{- end }}
selector:
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
type: {{.Values.controller.serviceType}}
{{if eq .Values.controller.serviceType "LoadBalancer"}}
{{- if .Values.controller.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml .Values.controller.loadBalancerSourceRanges | indent 4 }}
{{- end }}
{{if .Values.controller.loadBalancerIP}}
loadBalancerIP: {{.Values.controller.loadBalancerIP}}
{{end}}
{{end}}

149
helm/jenkins/templates/rbac.yaml Normal file
View File

@@ -0,0 +1,149 @@
{{ if .Values.rbac.create }}
{{- $serviceName := include "jenkins.fullname" . -}}
# This role is used to allow Jenkins scheduling of agents via Kubernetes plugin.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $serviceName }}-schedule-agents
namespace: {{ template "jenkins.agent.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
rules:
- apiGroups: [""]
resources: ["pods", "pods/exec", "pods/log", "persistentvolumeclaims", "events"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods", "pods/exec", "persistentvolumeclaims"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
---
# We bind the role to the Jenkins service account. The role binding is created in the namespace
# where the agents are supposed to run.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $serviceName }}-schedule-agents
namespace: {{ template "jenkins.agent.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $serviceName }}-schedule-agents
subjects:
- kind: ServiceAccount
name: {{ template "jenkins.serviceAccountName" .}}
namespace: {{ template "jenkins.namespace" . }}
---
{{- if .Values.rbac.readSecrets }}
# This is needed if you want to use https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/
# as it needs permissions to get/watch/list Secrets
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "jenkins.fullname" . }}-read-secrets
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $serviceName }}-read-secrets
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "jenkins.fullname" . }}-read-secrets
subjects:
- kind: ServiceAccount
name: {{ template "jenkins.serviceAccountName" . }}
namespace: {{ template "jenkins.namespace" . }}
---
{{- end}}
{{- if .Values.controller.sidecars.configAutoReload.enabled }}
# The sidecar container which is responsible for reloading configuration changes
# needs permissions to watch ConfigMaps
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "jenkins.fullname" . }}-casc-reload
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $serviceName }}-watch-configmaps
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "jenkins.fullname" . }}-casc-reload
subjects:
- kind: ServiceAccount
name: {{ template "jenkins.serviceAccountName" . }}
namespace: {{ template "jenkins.namespace" . }}
{{- end}}
{{ end }}

21
helm/jenkins/templates/secret-additional.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{- if .Values.controller.additionalSecrets -}}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "jenkins.fullname" . }}-additional-secrets
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
type: Opaque
data:
{{- range .Values.controller.additionalSecrets }}
{{ .name }}: {{ .value | b64enc }}
{{- end }}
{{- end }}

29
helm/jenkins/templates/secret-claims.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{- if .Values.controller.secretClaims -}}
{{- $r := .Release -}}
{{- $v := .Values -}}
{{- $chart := printf "%s-%s" .Chart.Name .Chart.Version -}}
{{- $namespace := include "jenkins.namespace" . -}}
{{- $serviceName := include "jenkins.fullname" . -}}
{{ range .Values.controller.secretClaims }}
---
kind: SecretClaim
apiVersion: vaultproject.io/v1
metadata:
name: {{ $serviceName }}-{{ .name | default .path | lower }}
namespace: {{ $namespace }}
labels:
"app.kubernetes.io/name": '{{ $serviceName }}'
{{- if $v.renderHelmLabels }}
"helm.sh/chart": "{{ $chart }}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ $r.Service }}"
"app.kubernetes.io/instance": "{{ $r.Name }}"
"app.kubernetes.io/component": "{{ $v.controller.componentName }}"
spec:
type: {{ .type | default "Opaque" }}
path: {{ .path }}
{{- if .renew }}
renew: {{ .renew }}
{{- end }}
{{- end }}
{{- end }}

20
helm/jenkins/templates/secret-https-jks.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- if and .Values.controller.httpsKeyStore.enable ( not .Values.controller.httpsKeyStore.jenkinsHttpsJksSecretName ) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "jenkins.fullname" . }}-https-jks
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
type: Opaque
data:
jenkins-jks-file: |
{{ .Values.controller.httpsKeyStore.jenkinsKeyStoreBase64Encoded | indent 4 }}
https-jks-password: {{ .Values.controller.httpsKeyStore.password | b64enc }}
{{- end }}

20
helm/jenkins/templates/secret.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- if and (not .Values.controller.admin.existingSecret) (.Values.controller.adminSecret) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "jenkins.fullname" . }}
namespace: {{ template "jenkins.namespace" . }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
type: Opaque
data:
jenkins-admin-password: {{ template "jenkins.password" . }}
jenkins-admin-user: {{ .Values.controller.adminUser | b64enc | quote }}
{{- end }}

23
helm/jenkins/templates/service-account-agent.yaml Normal file
View File

@@ -0,0 +1,23 @@
{{ if .Values.serviceAccountAgent.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "jenkins.serviceAccountAgentName" . }}
namespace: {{ template "jenkins.agent.namespace" . }}
{{- if .Values.serviceAccountAgent.annotations }}
annotations:
{{ tpl (toYaml .Values.serviceAccountAgent.annotations) . | indent 4 }}
{{- end }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- if .Values.serviceAccountAgent.imagePullSecretName }}
imagePullSecrets:
- name: {{ .Values.serviceAccountAgent.imagePullSecretName }}
{{- end -}}
{{ end }}

23
helm/jenkins/templates/service-account.yaml Normal file
View File

@@ -0,0 +1,23 @@
{{ if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "jenkins.serviceAccountName" . }}
namespace: {{ template "jenkins.namespace" . }}
{{- if .Values.serviceAccount.annotations }}
annotations:
{{ tpl (toYaml .Values.serviceAccount.annotations) . | indent 4 }}
{{- end }}
labels:
"app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
{{- if .Values.renderHelmLabels }}
"helm.sh/chart": "{{ template "jenkins.label" .}}"
{{- end }}
"app.kubernetes.io/managed-by": "{{ .Release.Service }}"
"app.kubernetes.io/instance": "{{ .Release.Name }}"
"app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
{{- if .Values.serviceAccount.imagePullSecretName }}
imagePullSecrets:
- name: {{ .Values.serviceAccount.imagePullSecretName }}
{{- end -}}
{{ end }}

49
helm/jenkins/templates/tests/jenkins-test.yaml Normal file
View File

@@ -0,0 +1,49 @@
{{- if .Values.controller.testEnabled }}
apiVersion: v1
kind: Pod
metadata:
name: "{{ .Release.Name }}-ui-test-{{ randAlphaNum 5 | lower }}"
namespace: {{ template "jenkins.namespace" . }}
annotations:
"helm.sh/hook": test-success
spec:
{{- if .Values.controller.nodeSelector }}
nodeSelector:
{{ toYaml .Values.controller.nodeSelector | indent 4 }}
{{- end }}
{{- if .Values.controller.tolerations }}
tolerations:
{{ toYaml .Values.controller.tolerations | indent 4 }}
{{- end }}
initContainers:
- name: "test-framework"
image: "bats/bats:1.2.1"
command:
- "bash"
- "-c"
args:
- |
# copy bats to tools dir
set -ex
cp -R /opt/bats /tools/bats/
volumeMounts:
- mountPath: /tools
name: tools
containers:
- name: {{ .Release.Name }}-ui-test
image: {{ .Values.controller.image }}:{{ .Chart.AppVersion }}-{{ .Values.controller.tagLabel }}
command: ["/tools/bats/bin/bats", "-t", "/tests/run.sh"]
volumeMounts:
- mountPath: /tests
name: tests
readOnly: true
- mountPath: /tools
name: tools
volumes:
- name: tests
configMap:
name: {{ template "jenkins.fullname" . }}-tests
- name: tools
emptyDir: {}
restartPolicy: Never
{{- end }}

14
helm/jenkins/templates/tests/test-config.yaml Normal file
View File

@@ -0,0 +1,14 @@
{{- if .Values.controller.testEnabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "jenkins.fullname" . }}-tests
namespace: {{ template "jenkins.namespace" . }}
annotations:
"helm.sh/hook": test
data:
run.sh: |-
@test "Testing Jenkins UI is accessible" {
curl --retry 48 --retry-delay 10 {{ template "jenkins.fullname" . }}:{{ .Values.controller.servicePort }}{{ default "" .Values.controller.jenkinsUriPrefix }}/login
}
{{- end }}

5
helm/jenkins/unittests/__snapshot__/jenkins-controller-statefulset-test.yaml.snap Normal file
View File

@@ -0,0 +1,5 @@
render pod annotations:
1: |
checksum/config: d00c6603a9397bc202be5072a81644630af27fe47c7e542ea6b066073458af83
fixed-annotation: some-fixed-annotation
templated-annotations: my-release

19
helm/jenkins/unittests/config-init-scripts-test.yaml Normal file
View File

@@ -0,0 +1,19 @@
suite: ConfigMap
templates:
- config-init-scripts.yaml
tests:
- it: config templates
set:
some.val: val here
controller.initScripts:
test: |-
my script here {{ .Values.some.val }}
asserts:
- isKind:
of: ConfigMap
- hasDocuments:
count: 1
- equal:
path: data.inittest\.groovy
value: |-
my script here val here

128
helm/jenkins/unittests/config-test.yaml Normal file
View File

@@ -0,0 +1,128 @@
suite: ConfigMap
templates:
- config.yaml
tests:
- it: default config
asserts:
- isKind:
of: ConfigMap
- hasDocuments:
count: 1
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins
- equal:
path: data.apply_config\.sh
value: |-
set -e
echo "disable Setup Wizard"
# Prevent Setup Wizard when JCasC is enabled
echo $JENKINS_VERSION > /var/jenkins_home/jenkins.install.UpgradeWizard.state
echo $JENKINS_VERSION > /var/jenkins_home/jenkins.install.InstallUtil.lastExecVersion
echo "download plugins"
# Install missing plugins
cp /var/jenkins_config/plugins.txt /var/jenkins_home;
rm -rf /usr/share/jenkins/ref/plugins/*.lock
version () { echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'; }
if [ -f "/usr/share/jenkins/jenkins.war" ] && [ -n "$(command -v jenkins-plugin-cli)" 2>/dev/null ] && [ $(version $(jenkins-plugin-cli --version)) -ge $(version "2.1.1") ]; then
jenkins-plugin-cli --verbose --war "/usr/share/jenkins/jenkins.war" --plugin-file "/var/jenkins_home/plugins.txt" --latest true;
else
/usr/local/bin/install-plugins.sh `echo $(cat /var/jenkins_home/plugins.txt)`;
fi
echo "copy plugins to shared volume"
# Copy plugins to shared volume
yes n | cp -i /usr/share/jenkins/ref/plugins/* /var/jenkins_plugins/;
echo "finished initialization"
- equal:
path: data.plugins\.txt
value: |-
kubernetes:3734.v562b_b_a_627ea_c
workflow-aggregator:590.v6a_d052e5a_a_b_5
git:4.13.0
configuration-as-code:1569.vb_72405b_80249
- it: no plugins
set:
controller.installPlugins: []
asserts:
- equal:
path: data.apply_config\.sh
value: |-
set -e
echo "disable Setup Wizard"
# Prevent Setup Wizard when JCasC is enabled
echo $JENKINS_VERSION > /var/jenkins_home/jenkins.install.UpgradeWizard.state
echo $JENKINS_VERSION > /var/jenkins_home/jenkins.install.InstallUtil.lastExecVersion
echo "finished initialization"
- equal:
path: data.plugins\.txt
value: ""
- it: additional plugins config
set:
controller:
additionalPlugins:
- kubernetes-credentials-provider
asserts:
- equal:
path: data.plugins\.txt
value: |-
kubernetes:3734.v562b_b_a_627ea_c
workflow-aggregator:590.v6a_d052e5a_a_b_5
git:4.13.0
configuration-as-code:1569.vb_72405b_80249
kubernetes-credentials-provider
- it: install latest plugins
set:
controller.installLatestPlugins: false
asserts:
- equal:
path: data.apply_config\.sh
value: |-
set -e
echo "disable Setup Wizard"
# Prevent Setup Wizard when JCasC is enabled
echo $JENKINS_VERSION > /var/jenkins_home/jenkins.install.UpgradeWizard.state
echo $JENKINS_VERSION > /var/jenkins_home/jenkins.install.InstallUtil.lastExecVersion
echo "download plugins"
# Install missing plugins
cp /var/jenkins_config/plugins.txt /var/jenkins_home;
rm -rf /usr/share/jenkins/ref/plugins/*.lock
version () { echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'; }
if [ -f "/usr/share/jenkins/jenkins.war" ] && [ -n "$(command -v jenkins-plugin-cli)" 2>/dev/null ] && [ $(version $(jenkins-plugin-cli --version)) -ge $(version "2.1.1") ]; then
jenkins-plugin-cli --verbose --war "/usr/share/jenkins/jenkins.war" --plugin-file "/var/jenkins_home/plugins.txt" --latest false;
else
/usr/local/bin/install-plugins.sh `echo $(cat /var/jenkins_home/plugins.txt)`;
fi
echo "copy plugins to shared volume"
# Copy plugins to shared volume
yes n | cp -i /usr/share/jenkins/ref/plugins/* /var/jenkins_plugins/;
echo "finished initialization"
- it: install latest specified plugins
set:
controller.installLatestSpecifiedPlugins: true
asserts:
- equal:
path: data.apply_config\.sh
value: |-
set -e
echo "disable Setup Wizard"
# Prevent Setup Wizard when JCasC is enabled
echo $JENKINS_VERSION > /var/jenkins_home/jenkins.install.UpgradeWizard.state
echo $JENKINS_VERSION > /var/jenkins_home/jenkins.install.InstallUtil.lastExecVersion
echo "download plugins"
# Install missing plugins
cp /var/jenkins_config/plugins.txt /var/jenkins_home;
rm -rf /usr/share/jenkins/ref/plugins/*.lock
version () { echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'; }
if [ -f "/usr/share/jenkins/jenkins.war" ] && [ -n "$(command -v jenkins-plugin-cli)" 2>/dev/null ] && [ $(version $(jenkins-plugin-cli --version)) -ge $(version "2.1.1") ]; then
jenkins-plugin-cli --verbose --war "/usr/share/jenkins/jenkins.war" --plugin-file "/var/jenkins_home/plugins.txt" --latest true --latest-specified;
else
/usr/local/bin/install-plugins.sh `echo $(cat /var/jenkins_home/plugins.txt)`;
fi
echo "copy plugins to shared volume"
# Copy plugins to shared volume
yes n | cp -i /usr/share/jenkins/ref/plugins/* /var/jenkins_plugins/;
echo "finished initialization"

94
helm/jenkins/unittests/home-pvc-test.yaml Normal file
View File

@@ -0,0 +1,94 @@
suite: PersistentVolumeClaim
release:
name: my-release
namespace: my-namespace
templates:
- home-pvc.yaml
tests:
- it: tests defaults
asserts:
- isKind:
of: PersistentVolumeClaim
- equal:
path: apiVersion
value: v1
- equal:
path: metadata.name
value: my-release-jenkins
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- contains:
path: spec.accessModes
content: ReadWriteOnce
- equal:
path: spec.resources.requests
value:
storage: 8Gi
- isNull:
path: spec.storageClassName
- it: test different values
set:
persistence:
annotations:
my-annotation: value
accessMode: ReadWriteMany
size: 20Gi
storageClass: gp2
asserts:
- equal:
path: metadata.annotations
value:
my-annotation: value
- contains:
path: spec.accessModes
content: ReadWriteMany
- equal:
path: spec.resources.requests
value:
storage: 20Gi
- equal:
path: spec.storageClassName
value: gp2
- it: existing claim
set:
persistence:
existingClaim: my-pvc
asserts:
- hasDocuments:
count: 0
- it: disable helm.sh label
set:
renderHelmLabels: false
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins
- it: add label
set:
renderHelmLabels: false
persistence:
labels:
test-label: test-value
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins
test-label: test-value

2636
helm/jenkins/unittests/jcasc-config-test.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

130
helm/jenkins/unittests/jenkins-agent-svc-test.yaml Normal file
View File

@@ -0,0 +1,130 @@
suite: Jenkins Agent Service
release:
name: my-release
namespace: my-namespace
templates:
- jenkins-agent-svc.yaml
tests:
- it: default tests
asserts:
- isKind:
of: Service
- equal:
path: apiVersion
value: v1
- equal:
path: metadata.name
value: my-release-jenkins-agent
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- equal:
path: spec
value:
ports:
- name: agent-listener
port: 50000
targetPort: 50000
selector:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
type: ClusterIP
- it: other values
set:
controller:
agentListenerServiceAnnotations:
key: value
agentListenerPort: 55555
asserts:
- equal:
path: metadata.annotations
value:
key: value
- equal:
path: spec
value:
ports:
- name: agent-listener
port: 55555
targetPort: 55555
selector:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
type: ClusterIP
- it: node port random
set:
controller:
agentListenerServiceType: NodePort
asserts:
- equal:
path: spec
value:
ports:
- name: agent-listener
port: 50000
targetPort: 50000
selector:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
type: NodePort
- it: node port defined
set:
controller:
agentListenerServiceType: NodePort
agentListenerNodePort: 32123
asserts:
- equal:
path: spec
value:
ports:
- name: agent-listener
port: 50000
targetPort: 50000
nodePort: 32123
selector:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
type: NodePort
- it: load balancer
set:
controller:
agentListenerServiceType: LoadBalancer
agentListenerLoadBalancerIP: 10.10.10.10
asserts:
- equal:
path: spec
value:
ports:
- name: agent-listener
port: 50000
targetPort: 50000
selector:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
type: LoadBalancer
loadBalancerIP: 10.10.10.10
loadBalancerSourceRanges:
- 0.0.0.0/0
- it: disable helm.sh label
set:
renderHelmLabels: false
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins
- it: disable agent service
set:
controller:
agentListenerEnabled: false
asserts:
- hasDocuments:
count: 0

62
helm/jenkins/unittests/jenkins-backup-cronjob-test.yaml Normal file
View File

@@ -0,0 +1,62 @@
suite: Jenkins Backup Cronjob
release:
name: my-release
namespace: my-namespace
templates:
- jenkins-backup-cronjob.yaml
tests:
- it: test default values
set:
backup:
enabled: true
asserts:
- isKind:
of: CronJob
- equal:
path: spec.jobTemplate.spec.template.spec.securityContext
value:
fsGroup: 1000
runAsUser: 1000
- it: test empty backup.podSecurityContextOverride
set:
backup:
enabled: true
podSecurityContextOverride: {}
asserts:
- equal:
path: spec.jobTemplate.spec.template.spec.securityContext
value: {}
- it: test backup.podSecurityContextOverride
set:
backup:
enabled: true
podSecurityContextOverride:
runAsNonRoot: true
runAsUser: 4444
supplementalGroups: [5555]
asserts:
- equal:
path: spec.jobTemplate.spec.template.spec.securityContext
value:
runAsNonRoot: true
runAsUser: 4444
supplementalGroups:
- 5555
- it: test empty backup.imagePullSecretName
set:
backup:
enabled: true
imagePullSecretName:
asserts:
- isNull:
path: spec.jobTemplate.spec.template.spec.imagePullSecrets
- it: test backup.imagePullSecretName
set:
backup:
enabled: true
imagePullSecretName: my-secret
asserts:
- equal:
path: spec.jobTemplate.spec.template.spec.imagePullSecrets
value:
- name: my-secret

79
helm/jenkins/unittests/jenkins-controller-alerting-rules-test.yaml Normal file
View File

@@ -0,0 +1,79 @@
suite: Controller Prometheus PrometheusRule
release:
name: my-release
namespace: my-namespace
templates:
- jenkins-controller-alerting-rules.yaml
tests:
- it: defaults
asserts:
- hasDocuments:
count: 0
- it: enabled
set:
controller.prometheus:
enabled: true
alertingrules:
- name: ./jenkins.rules
rules:
- alert: JenkinsFailedPlugins
expr: jenkins_plugins_failed > 0
for: 10m
labels:
severity: warning
annotations:
message: Some Jenkins plugins failed to load
asserts:
- isKind:
of: PrometheusRule
- equal:
path: apiVersion
value: monitoring.coreos.com/v1
- equal:
path: metadata.name
value: my-release-jenkins
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- equal:
path: spec
value:
groups:
- name: ./jenkins.rules
rules:
- alert: JenkinsFailedPlugins
expr: jenkins_plugins_failed > 0
for: 10m
labels:
severity: warning
annotations:
message: Some Jenkins plugins failed to load
- it: disable helm.sh label
set:
renderHelmLabels: false
controller.prometheus:
enabled: true
alertingrules:
- name: ./jenkins.rules
rules:
- alert: JenkinsFailedPlugins
expr: jenkins_plugins_failed > 0
for: 10m
labels:
severity: warning
annotations:
message: Some Jenkins plugins failed to load
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins

148
helm/jenkins/unittests/jenkins-controller-ingress-1.19-test.yaml Normal file
View File

@@ -0,0 +1,148 @@
suite: Controller Primary Ingress
release:
name: my-release
namespace: my-namespace
templates:
- jenkins-controller-ingress.yaml
capabilities:
majorVersion: 1
minorVersion: 19
tests:
- it: test defaults
asserts:
- hasDocuments:
count: 0
- it: enabled
set:
controller.ingress:
enabled: true
hostName: jenkins.example.com
ingressClassName: nginx
tls:
- secretName: tlsSecret
hosts:
- jenkins.example.com
asserts:
- isKind:
of: Ingress
- equal:
path: apiVersion
value: networking.k8s.io/v1
- equal:
path: metadata.name
value: my-release-jenkins
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- equal:
path: spec
value:
ingressClassName: nginx
rules:
- host: jenkins.example.com
http:
paths:
- backend:
service:
name: my-release-jenkins
port:
number: 8080
pathType: ImplementationSpecific
tls:
- hosts:
- jenkins.example.com
secretName: tlsSecret
- it: other values
set:
controller.ingress:
enabled: true
hostName: jenkins.example.com
ingressClassName: nginx
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
paths:
- backend:
service:
name: ssl-redirect
port:
number: use-annotation
pathType: ImplementationSpecific
- backend:
service:
name: >-
{{ template "jenkins.fullname" . }}
port:
number: 8080
pathType: ImplementationSpecific
tls:
- secretName: tlsSecret
hosts:
- jenkins.example.com
asserts:
- equal:
path: metadata.annotations
value:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
- equal:
path: spec
value:
ingressClassName: nginx
rules:
- host: jenkins.example.com
http:
paths:
- backend:
service:
name: ssl-redirect
port:
number: use-annotation
pathType: ImplementationSpecific
- backend:
service:
name: my-release-jenkins
port:
number: 8080
pathType: ImplementationSpecific
tls:
- hosts:
- jenkins.example.com
secretName: tlsSecret
- it: disable helm.sh label
set:
renderHelmLabels: false
controller.ingress:
enabled: true
hostName: jenkins.example.com
ingressClassName: nginx
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins
- it: empty paths
set:
controller.ingress:
enabled: true
paths:
asserts:
- equal:
path: spec.rules
value:
- http:
paths:
- backend:
service:
name: my-release-jenkins
port:
number: 8080
pathType: ImplementationSpecific

145
helm/jenkins/unittests/jenkins-controller-ingress-test.yaml Normal file
View File

@@ -0,0 +1,145 @@
suite: Controller Primary Ingress
release:
name: my-release
namespace: my-namespace
templates:
- jenkins-controller-ingress.yaml
capabilities:
majorVersion: 1
minorVersion: 18
tests:
- it: test defaults
asserts:
- hasDocuments:
count: 0
- it: enabled
set:
controller.ingress:
enabled: true
hostName: jenkins.example.com
ingressClassName: nginx
tls:
- secretName: tlsSecret
hosts:
- jenkins.example.com
asserts:
- isKind:
of: Ingress
- equal:
path: apiVersion
value: networking.k8s.io/v1beta1
- equal:
path: metadata.name
value: my-release-jenkins
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- equal:
path: spec
value:
ingressClassName: nginx
rules:
- host: jenkins.example.com
http:
paths:
- backend:
serviceName: my-release-jenkins
servicePort: 8080
tls:
- hosts:
- jenkins.example.com
secretName: tlsSecret
- it: other values
set:
controller.ingress:
enabled: true
hostName: jenkins.example.com
ingressClassName: nginx
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
paths:
- backend:
serviceName: ssl-redirect
servicePort: use-annotation
- backend:
serviceName: >-
{{ template "jenkins.fullname" . }}
servicePort: 8080
tls:
- secretName: tlsSecret
hosts:
- jenkins.example.com
asserts:
- equal:
path: metadata.annotations
value:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
- equal:
path: spec
value:
ingressClassName: nginx
rules:
- host: jenkins.example.com
http:
paths:
- backend:
serviceName: ssl-redirect
servicePort: use-annotation
- backend:
serviceName: my-release-jenkins
servicePort: 8080
tls:
- hosts:
- jenkins.example.com
secretName: tlsSecret
- it: disable helm.sh label
set:
renderHelmLabels: false
controller.ingress:
enabled: true
hostName: jenkins.example.com
ingressClassName: nginx
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins
- it: empty paths
set:
controller.ingress:
enabled: true
paths:
asserts:
- equal:
path: spec.rules
value:
- http:
paths:
- backend:
serviceName: my-release-jenkins
servicePort: 8080
- it: single path
set:
controller.ingress:
enabled: true
path: /jenkins/
asserts:
- equal:
path: spec.rules
value:
- http:
paths:
- path: /jenkins/
backend:
serviceName: my-release-jenkins
servicePort: 8080

94
helm/jenkins/unittests/jenkins-controller-networkpolicy-test.yaml Normal file
View File

@@ -0,0 +1,94 @@
suite: Network Policy
release:
name: my-release
namespace: my-namespace
templates:
- jenkins-controller-networkpolicy.yaml
tests:
- it: tests defaults
asserts:
- hasDocuments:
count: 0
- it: enabled
set:
networkPolicy.enabled: true
asserts:
- hasDocuments:
count: 2
- isKind:
of: NetworkPolicy
- equal:
path: apiVersion
value: networking.k8s.io/v1
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- equal:
path: metadata.name
value: my-release-jenkins-controller
documentIndex: 0
- equal:
path: spec
value:
ingress:
- ports:
- port: 8080
- from:
- podSelector:
matchLabels:
jenkins/my-release-jenkins-agent: "true"
ports:
- port: 50000
podSelector:
matchLabels:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
documentIndex: 0
- equal:
path: spec
value:
podSelector:
matchLabels:
jenkins/my-release-jenkins-agent: "true"
documentIndex: 1
- equal:
path: metadata.name
value: my-release-jenkins-agent
documentIndex: 1
- it: disable helm.sh label
set:
renderHelmLabels: false
networkPolicy.enabled: true
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins
- it: disable agent listener
set:
networkPolicy.enabled: true
controller.agentListenerEnabled: false
asserts:
- hasDocuments:
count: 2
- isKind:
of: NetworkPolicy
- equal:
path: spec
value:
ingress:
- ports:
- port: 8080
podSelector:
matchLabels:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
documentIndex: 0

44
helm/jenkins/unittests/jenkins-controller-pdb-1.21-test.yaml Normal file
View File

@@ -0,0 +1,44 @@
suite: Controller Pod Disruption Budget
release:
name: my-release
namespace: my-namespace
templates:
- jenkins-controller-pdb.yaml
capabilities:
majorVersion: 1
minorVersion: 21
tests:
- it: test defaults
asserts:
- hasDocuments:
count: 0
- it: enabled
set:
controller.podDisruptionBudget:
enabled: true
maxUnavailable: "0"
asserts:
- isKind:
of: PodDisruptionBudget
- equal:
path: apiVersion
value: policy/v1
- equal:
path: metadata.name
value: my-release-jenkins-pdb
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- equal:
path: spec
value:
maxUnavailable: 0
selector:
matchLabels:
"app.kubernetes.io/instance": "my-release"
"app.kubernetes.io/name": "jenkins"

57
helm/jenkins/unittests/jenkins-controller-pdb-test.yaml Normal file
View File

@@ -0,0 +1,57 @@
suite: Controller Pod Disruption Budget
release:
name: my-release
namespace: my-namespace
templates:
- jenkins-controller-pdb.yaml
capabilities:
majorVersion: 1
minorVersion: 18
tests:
- it: test defaults
asserts:
- hasDocuments:
count: 0
- it: enabled
set:
controller.podDisruptionBudget:
enabled: true
maxUnavailable: "0"
asserts:
- isKind:
of: PodDisruptionBudget
- equal:
path: apiVersion
value: policy/v1beta1
- equal:
path: metadata.name
value: my-release-jenkins-pdb
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- equal:
path: spec
value:
maxUnavailable: 0
selector:
matchLabels:
"app.kubernetes.io/instance": "my-release"
"app.kubernetes.io/name": "jenkins"
- it: disable helm.sh label
set:
renderHelmLabels: false
controller.podDisruptionBudget:
enabled: true
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins

78
helm/jenkins/unittests/jenkins-controller-secondary-ingress-1.19-test.yaml Normal file
View File

@@ -0,0 +1,78 @@
suite: Controller Secondary Ingress
release:
name: my-release
namespace: my-namespace
templates:
- jenkins-controller-secondary-ingress.yaml
capabilities:
majorVersion: 1
minorVersion: 19
tests:
- it: test defaults
asserts:
- hasDocuments:
count: 0
- it: enabled
set:
controller.secondaryingress:
enabled: true
hostName: jenkins.example.com
ingressClassName: nginx
paths:
- /github-webhook
tls:
- secretName: tlsSecret
hosts:
- jenkins.example.com
asserts:
- isKind:
of: Ingress
- equal:
path: apiVersion
value: networking.k8s.io/v1
- equal:
path: metadata.name
value: my-release-jenkins-secondary
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- equal:
path: spec
value:
ingressClassName: nginx
rules:
- host: jenkins.example.com
http:
paths:
- backend:
service:
name: my-release-jenkins
port:
number: 8080
path: /github-webhook
pathType: ImplementationSpecific
tls:
- hosts:
- jenkins.example.com
secretName: tlsSecret
- it: disable helm.sh label
set:
renderHelmLabels: false
controller.secondaryingress:
enabled: true
hostName: jenkins.example.com
paths:
- /github-webhook
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins

76
helm/jenkins/unittests/jenkins-controller-secondary-ingress-test.yaml Normal file
View File

@@ -0,0 +1,76 @@
suite: Controller Secondary Ingress
release:
name: my-release
namespace: my-namespace
templates:
- jenkins-controller-secondary-ingress.yaml
capabilities:
majorVersion: 1
minorVersion: 18
tests:
- it: test defaults
asserts:
- hasDocuments:
count: 0
- it: enabled
set:
controller.secondaryingress:
enabled: true
hostName: jenkins.example.com
ingressClassName: nginx
paths:
- /github-webhook
tls:
- secretName: tlsSecret
hosts:
- jenkins.example.com
asserts:
- isKind:
of: Ingress
- equal:
path: apiVersion
value: networking.k8s.io/v1beta1
- equal:
path: metadata.name
value: my-release-jenkins-secondary
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- equal:
path: spec
value:
ingressClassName: nginx
rules:
- host: jenkins.example.com
http:
paths:
- backend:
serviceName: my-release-jenkins
servicePort: 8080
path: /github-webhook
tls:
- hosts:
- jenkins.example.com
secretName: tlsSecret
- it: disable helm.sh label
set:
renderHelmLabels: false
controller.secondaryingress:
enabled: true
hostName: jenkins.example.com
ingressClassName: nginx
paths:
- /github-webhook
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins

82
helm/jenkins/unittests/jenkins-controller-servicemonitor_test.yaml Normal file
View File

@@ -0,0 +1,82 @@
suite: Controller Prometheus ServiceMonitor
release:
name: my-release
namespace: my-namespace
templates:
- jenkins-controller-servicemonitor.yaml
tests:
- it: defaults
asserts:
- hasDocuments:
count: 0
- it: enabled
set:
controller.prometheus.enabled: true
asserts:
- isKind:
of: ServiceMonitor
- equal:
path: apiVersion
value: monitoring.coreos.com/v1
- equal:
path: metadata.name
value: my-release-jenkins
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- equal:
path: spec
value:
endpoints:
- interval: 60s
port: http
path: /prometheus
jobLabel: my-release-jenkins
namespaceSelector:
matchNames:
- "my-namespace"
selector:
matchLabels:
"app.kubernetes.io/instance": "my-release"
"app.kubernetes.io/component": "jenkins-controller"
- it: custom values
set:
controller:
jenkinsUriPrefix: /prefix
prometheus:
enabled: true
scrapeInterval: 120s
scrapeEndpoint: /monitoring
asserts:
- equal:
path: spec
value:
endpoints:
- interval: 120s
port: http
path: /prefix/monitoring
jobLabel: my-release-jenkins
namespaceSelector:
matchNames:
- "my-namespace"
selector:
matchLabels:
"app.kubernetes.io/instance": "my-release"
"app.kubernetes.io/component": "jenkins-controller"
- it: disable helm.sh label
set:
renderHelmLabels: false
controller:
prometheus:
enabled: true
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins

700
helm/jenkins/unittests/jenkins-controller-statefulset-test.yaml Normal file
View File

@@ -0,0 +1,700 @@
suite: Jenkins Controller
release:
name: my-release
namespace: my-namespace
templates:
- jenkins-controller-statefulset.yaml
- config.yaml
tests:
- it: default values
template: jenkins-controller-statefulset.yaml
asserts:
- isKind:
of: StatefulSet
- equal:
path: apiVersion
value: apps/v1beta1
- equal:
path: metadata.name
value: my-release-jenkins
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- equal:
path: spec.replicas
value: 1
- equal:
path: spec.selector
value:
matchLabels:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
- equal:
path: spec
value:
serviceName: my-release-jenkins
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
template:
metadata:
annotations:
checksum/config: d00c6603a9397bc202be5072a81644630af27fe47c7e542ea6b066073458af83
labels:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins
spec:
containers:
- args:
- --httpPort=8080
env:
- name: SECRETS
value: /run/secrets/additional
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: JAVA_OPTS
value: "-Dcasc.reload.token=$(POD_NAME) "
- name: JENKINS_OPTS
value: "--webroot=/var/jenkins_cache/war "
- name: JENKINS_SLAVE_AGENT_PORT
value: "50000"
- name: CASC_JENKINS_CONFIG
value: /var/jenkins_home/casc_configs
image: jenkins/jenkins:2.375.1-jdk11
imagePullPolicy: Always
securityContext:
runAsUser: 1000
runAsGroup: 1000
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
livenessProbe:
failureThreshold: 5
httpGet:
path: /login
port: http
periodSeconds: 10
timeoutSeconds: 5
name: jenkins
ports:
- containerPort: 8080
name: http
- containerPort: 50000
name: agent-listener
readinessProbe:
failureThreshold: 3
httpGet:
path: /login
port: http
periodSeconds: 10
timeoutSeconds: 5
resources:
limits:
cpu: 2000m
memory: 4096Mi
requests:
cpu: 50m
memory: 256Mi
startupProbe:
httpGet:
path: "/login"
port: http
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 12
volumeMounts:
- mountPath: /var/jenkins_home
name: jenkins-home
readOnly: false
- mountPath: /var/jenkins_config
name: jenkins-config
readOnly: true
- mountPath: /usr/share/jenkins/ref/plugins/
name: plugin-dir
readOnly: false
- mountPath: /var/jenkins_home/casc_configs
name: sc-config-volume
- mountPath: /run/secrets/additional
name: jenkins-secrets
readOnly: true
- mountPath: /var/jenkins_cache
name: jenkins-cache
- mountPath: /tmp
name: tmp-volume
- env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: LABEL
value: my-release-jenkins-jenkins-config
- name: FOLDER
value: /var/jenkins_home/casc_configs
- name: NAMESPACE
value: my-namespace
- name: REQ_URL
value: http://localhost:8080/reload-configuration-as-code/?casc-reload-token=$(POD_NAME)
- name: REQ_METHOD
value: POST
- name: REQ_RETRY_CONNECT
value: "10"
image: kiwigrid/k8s-sidecar:1.15.0
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
name: config-reload
resources: {}
volumeMounts:
- mountPath: /var/jenkins_home/casc_configs
name: sc-config-volume
- mountPath: /var/jenkins_home
name: jenkins-home
initContainers:
- command:
- sh
- /var/jenkins_config/apply_config.sh
image: jenkins/jenkins:2.375.1-jdk11
imagePullPolicy: Always
securityContext:
runAsUser: 1000
runAsGroup: 1000
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
name: init
resources:
limits:
cpu: 2000m
memory: 4096Mi
requests:
cpu: 50m
memory: 256Mi
volumeMounts:
- mountPath: /var/jenkins_home
name: jenkins-home
- mountPath: /var/jenkins_config
name: jenkins-config
- mountPath: /usr/share/jenkins/ref/plugins
name: plugins
- mountPath: /var/jenkins_plugins
name: plugin-dir
- mountPath: /tmp
name: tmp-volume
securityContext:
fsGroup: 1000
runAsUser: 1000
runAsNonRoot: true
serviceAccountName: my-release-jenkins
volumes:
- emptyDir: {}
name: plugins
- configMap:
name: my-release-jenkins
name: jenkins-config
- emptyDir: {}
name: plugin-dir
- name: jenkins-secrets
projected:
sources:
- secret:
name: my-release-jenkins
items:
- key: jenkins-admin-user
path: chart-admin-username
- key: jenkins-admin-password
path: chart-admin-password
- emptyDir: {}
name: jenkins-cache
- name: jenkins-home
persistentVolumeClaim:
claimName: my-release-jenkins
- emptyDir: {}
name: sc-config-volume
- emptyDir: {}
name: tmp-volume
- it: test different values
template: jenkins-controller-statefulset.yaml
capabilities:
apiVersions:
- scheduling.k8s.io/v1beta1
set:
controller:
statefulSetAnnotations:
my-annotation: value
schedulerName: my-scheduler
nodeSelector:
nodeLabel: value
tolerations:
- key: "key"
operator: "Equal"
value: "value"
effect: "NoSchedule"
affinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: security
operator: In
values:
- S1
topologyKey: failure-domain.beta.kubernetes.io/zone
terminationGracePeriodSeconds: 120
priorityClassName: important
runAsUser: 2000
fsGroup: 4000
securityContextCapabilities:
drop:
- NET_RAW
hostNetworking: true
terminationMessagePath: /tmp/termination-log-diff
terminationMessagePolicy: FallbackToLogsOnError
hostAliases:
- ip: 192.168.50.50
hostnames:
- something.local
updateStrategy:
type: OnDelete
serviceAccount.name: my-serviceaccount
asserts:
- equal:
path: metadata.annotations
value:
my-annotation: value
- equal:
path: spec.template.spec.schedulerName
value: my-scheduler
- equal:
path: spec.template.spec.nodeSelector
value:
nodeLabel: value
- equal:
path: spec.template.spec.tolerations
value:
- key: "key"
operator: "Equal"
value: "value"
effect: "NoSchedule"
- equal:
path: spec.template.spec.affinity
value:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: security
operator: In
values:
- S1
topologyKey: failure-domain.beta.kubernetes.io/zone
- equal:
path: spec.template.spec.terminationGracePeriodSeconds
value: 120
- equal:
path: spec.template.spec.priorityClassName
value: important
- equal:
path: spec.template.spec.securityContext
value:
runAsUser: 2000
fsGroup: 4000
runAsNonRoot: true
capabilities:
drop:
- NET_RAW
- equal:
path: spec.template.spec.serviceAccountName
value: my-serviceaccount
- equal:
path: spec.template.spec.hostNetwork
value: true
- equal:
path: spec.template.spec.containers[0].terminationMessagePath
value: /tmp/termination-log-diff
- equal:
path: spec.template.spec.containers[0].terminationMessagePolicy
value: FallbackToLogsOnError
- equal:
path: spec.template.spec.dnsPolicy
value: ClusterFirstWithHostNet
- equal:
path: spec.template.spec.hostAliases
value:
- ip: 192.168.50.50
hostnames:
- something.local
- equal:
path: spec.updateStrategy.type
value: OnDelete
- it: configure image tag
template: jenkins-controller-statefulset.yaml
set:
controller.tag: 2.249.1-slim
controller.imagePullPolicy: IfNotPresent
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: jenkins/jenkins:2.249.1-slim
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: IfNotPresent
- it: configure image tag label
template: jenkins-controller-statefulset.yaml
set:
controller.tagLabel: alpine
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: jenkins/jenkins:2.375.1-alpine
- it: configure empty image tag label
template: jenkins-controller-statefulset.yaml
set:
controller.tagLabel:
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: jenkins/jenkins:2.375.1
- it: custom image
template: jenkins-controller-statefulset.yaml
set:
controller:
image: registry/image
tag: my-tag
javaOpts: -Dio.jenkins.plugins.kubernetes.disableNoDelayProvisioning=true
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: registry/image:my-tag
- contains:
path: spec.template.spec.containers[0].env
content:
name: JAVA_OPTS
value: >-
-Dcasc.reload.token=$(POD_NAME) -Dio.jenkins.plugins.kubernetes.disableNoDelayProvisioning=true
- it: disable helm.sh label
template: jenkins-controller-statefulset.yaml
set:
renderHelmLabels: false
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins
- it: java & jenkins opts with quotes
template: jenkins-controller-statefulset.yaml
set:
controller:
javaOpts: >-
-Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self';"
jenkinsOpts: >-
-Dtest="custom: 'true'"
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: JAVA_OPTS
value: >-
-Dcasc.reload.token=$(POD_NAME) -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self';"
- contains:
path: spec.template.spec.containers[0].env
content:
name: JENKINS_OPTS
value: >-
--webroot=/var/jenkins_cache/war -Dtest="custom: 'true'"
- it: test empty controller.podSecurityContextOverride
template: jenkins-controller-statefulset.yaml
set:
controller:
podSecurityContextOverride: {}
asserts:
- equal:
path: spec.template.spec.securityContext
value: {}
- it: test controller.podSecurityContextOverride
template: jenkins-controller-statefulset.yaml
set:
controller:
podSecurityContextOverride:
runAsNonRoot: true
runAsUser: 4444
supplementalGroups: [5555]
asserts:
- equal:
path: spec.template.spec.securityContext
value:
runAsNonRoot: true
runAsUser: 4444
supplementalGroups:
- 5555
- it: test 2 additional secrets
template: jenkins-controller-statefulset.yaml
set:
controller.additionalSecrets:
- name: something
value: secret
- name: anotherthing
value: anothersecret
asserts:
- equal:
path: spec.template.spec.containers[0].volumeMounts[4]
value:
mountPath: /run/secrets/additional
name: jenkins-secrets
readOnly: true
- equal:
path: spec.template.spec.volumes[3]
value:
name: jenkins-secrets
projected:
sources:
- secret:
name: my-release-jenkins-additional-secrets
- secret:
name: my-release-jenkins
items:
- key: jenkins-admin-user
path: chart-admin-username
- key: jenkins-admin-password
path: chart-admin-password
- it: test existing secret without additionalExistingSecrets
template: jenkins-controller-statefulset.yaml
set:
controller.existingSecret: my-exisiting-credentials
asserts:
- equal:
path: spec.template.spec.containers[0].volumeMounts[4]
value:
mountPath: /run/secrets/additional
name: jenkins-secrets
readOnly: true
- equal:
path: spec.template.spec.volumes[3]
value:
name: jenkins-secrets
projected:
sources:
- secret:
name: my-release-jenkins
items:
- key: jenkins-admin-user
path: chart-admin-username
- key: jenkins-admin-password
path: chart-admin-password
- secret:
name: my-exisiting-credentials
- it: test existing secret with additionalExistingSecrets
template: jenkins-controller-statefulset.yaml
set:
controller.existingSecret: my-exisiting-credentials
controller.additionalExistingSecrets:
- name: my-exisiting-credentials
keyName: github-username
- name: my-exisiting-credentials
keyName: github-password
asserts:
- equal:
path: spec.template.spec.containers[0].volumeMounts[4]
value:
mountPath: /run/secrets/additional
name: jenkins-secrets
readOnly: true
- equal:
path: spec.template.spec.volumes[3]
value:
name: jenkins-secrets
projected:
sources:
- secret:
items:
- key: github-username
path: my-exisiting-credentials-github-username
name: my-exisiting-credentials
- secret:
items:
- key: github-password
path: my-exisiting-credentials-github-password
name: my-exisiting-credentials
- secret:
name: my-release-jenkins
items:
- key: jenkins-admin-user
path: chart-admin-username
- key: jenkins-admin-password
path: chart-admin-password
- secret:
name: my-exisiting-credentials
- it: test templated environment variables
template: jenkins-controller-statefulset.yaml
set:
testValue: some-value
controller.initContainerEnv:
- name: "TEST_ENV_VAR_INIT"
value: "test-env-var-init"
- name: "TEST_ENV_VAR_INIT_TEMPLATED"
value: "{{ .Values.testValue }}"
controller.sidecars.configAutoReload.env:
- name: "TEST_ENV_VAR_CONFIG"
value: "test-env-var-config"
- name: "TEST_ENV_VAR_CONFIG_TEMPLATED"
value: "{{ .Values.testValue }}"
controller.containerEnv:
- name: "TEST_ENV_VAR_CONTAINER"
value: "test-env-var-container"
- name: "TEST_ENV_VAR__CONTAINER_TEMPLATED"
value: "{{ .Values.testValue }}"
controller.initContainerEnvFrom:
- configMapRef:
name: special-config
controller.sidecars.configAutoReload.envFrom:
- configMapRef:
name: special-config
controller.containerEnvFrom:
- configMapRef:
name: special-config
asserts:
- contains:
path: spec.template.spec.initContainers[0].env
content:
name: "TEST_ENV_VAR_INIT"
value: "test-env-var-init"
- contains:
path: spec.template.spec.initContainers[0].env
content:
name: "TEST_ENV_VAR_INIT_TEMPLATED"
value: "some-value"
- contains:
path: spec.template.spec.containers[1].env
content:
name: "TEST_ENV_VAR_CONFIG"
value: "test-env-var-config"
- contains:
path: spec.template.spec.containers[1].env
content:
name: "TEST_ENV_VAR_CONFIG_TEMPLATED"
value: "some-value"
- contains:
path: spec.template.spec.containers[0].env
content:
name: "TEST_ENV_VAR_CONTAINER"
value: "test-env-var-container"
- contains:
path: spec.template.spec.containers[0].env
content:
name: "TEST_ENV_VAR__CONTAINER_TEMPLATED"
value: "some-value"
- contains:
path: spec.template.spec.initContainers[0].envFrom
content:
configMapRef:
name: special-config
- contains:
path: spec.template.spec.containers[0].envFrom
content:
configMapRef:
name: special-config
- contains:
path: spec.template.spec.containers[1].envFrom
content:
configMapRef:
name: special-config
- it: overrides container args
template: jenkins-controller-statefulset.yaml
set:
controller.overrideArgs:
- --httpPort=8080
- --requestHeaderSize=32768
asserts:
- equal:
path: spec.template.spec.containers[0].args
value:
- --httpPort=8080
- --requestHeaderSize=32768
- it: allows templating in container args overrides
template: jenkins-controller-statefulset.yaml
set:
controller.overrideArgs:
- --httpPort={{.Values.controller.targetPort}}
- --requestHeaderSize=32768
asserts:
- equal:
path: spec.template.spec.containers[0].args
value:
- --httpPort=8080
- --requestHeaderSize=32768
- it: render pod annotations
template: jenkins-controller-statefulset.yaml
set:
controller:
podAnnotations:
templated-annotations: "{{ .Release.Name }}"
fixed-annotation: some-fixed-annotation
asserts:
- matchSnapshot:
path: spec.template.metadata.annotations
- it:
template: jenkins-controller-statefulset.yaml
set:
controller:
installPlugins: false
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: plugins
emptyDir: {}
- notContains:
path: spec.template.spec.initContainers[0].volumeMounts
content:
name: plugins
- it:
template: jenkins-controller-statefulset.yaml
set:
controller:
JCasC:
configUrls:
- https://acme.org/jenkins.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: "CASC_JENKINS_CONFIG"
value: "/var/jenkins_home/casc_configs,https://acme.org/jenkins.yaml"
- it:
template: jenkins-controller-statefulset.yaml
set:
controller:
JCasC:
configUrls:
- https://acme.org/jenkins.yaml
- https://foobar.org/jenkins.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: "CASC_JENKINS_CONFIG"
value: "/var/jenkins_home/casc_configs,https://acme.org/jenkins.yaml,https://foobar.org/jenkins.yaml"
- it:
template: jenkins-controller-statefulset.yaml
set:
controller:
JCasC:
configUrls: []
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: "CASC_JENKINS_CONFIG"
value: "/var/jenkins_home/casc_configs"

158
helm/jenkins/unittests/jenkins-controller-svc-test.yaml Normal file
View File

@@ -0,0 +1,158 @@
suite: Jenkins Controller
release:
name: my-release
namespace: my-namespace
templates:
- jenkins-controller-svc.yaml
tests:
- it: default tests
asserts:
- isKind:
of: Service
- equal:
path: apiVersion
value: v1
- equal:
path: metadata.name
value: my-release-jenkins
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- equal:
path: spec
value:
ports:
- name: http
port: 8080
targetPort: 8080
selector:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
type: ClusterIP
- it: other values
set:
controller:
serviceLabels:
label: label-value
serviceAnnotations:
key: value
clusterIP: 10.10.10.11
servicePort: 8888
targetPort: 7777
extraPorts:
- name: BuildInfoProxy
port: 9000
asserts:
- equal:
path: metadata.labels.label
value: label-value
- equal:
path: metadata.annotations
value:
key: value
- equal:
path: spec
value:
clusterIP: 10.10.10.11
ports:
- name: http
port: 8888
targetPort: 7777
- name: BuildInfoProxy
port: 9000
targetPort: 9000
selector:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
type: ClusterIP
- it: extraPort with targetPort
set:
controller:
serviceLabels:
label: label-value
serviceAnnotations:
key: value
clusterIP: 10.10.10.11
servicePort: 8888
targetPort: 7777
extraPorts:
- name: https
port: 443
targetPort: 8080
asserts:
- equal:
path: metadata.labels.label
value: label-value
- equal:
path: metadata.annotations
value:
key: value
- equal:
path: spec
value:
clusterIP: 10.10.10.11
ports:
- name: http
port: 8888
targetPort: 7777
- name: https
port: 443
targetPort: 8080
selector:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
type: ClusterIP
- it: node port
set:
controller:
serviceType: NodePort
nodePort: 11111
asserts:
- equal:
path: spec
value:
ports:
- name: http
port: 8080
targetPort: 8080
nodePort: 11111
selector:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
type: NodePort
- it: load balancer
set:
controller:
serviceType: LoadBalancer
loadBalancerIP: 10.10.10.10
asserts:
- equal:
path: spec
value:
loadBalancerIP: 10.10.10.10
loadBalancerSourceRanges:
- 0.0.0.0/0
ports:
- name: http
port: 8080
targetPort: 8080
selector:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
type: LoadBalancer
- it: disable helm.sh label
set:
renderHelmLabels: false
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins

217
helm/jenkins/unittests/rbac-test.yaml Normal file
View File

@@ -0,0 +1,217 @@
suite: Role Based Access Control
release:
name: my-release
namespace: my-namespace
templates:
- rbac.yaml
tests:
- it: test default number of documents
asserts:
- hasDocuments:
count: 4
- it: disable auto reload
set:
controller.sidecars.configAutoReload.enabled: false
asserts:
- hasDocuments:
count: 2
- it: disable rbac create
set:
rbac.create: false
asserts:
- hasDocuments:
count: 0
- it: Role schedule-agents
documentIndex: 0
asserts:
- isKind:
of: Role
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1
- equal:
path: metadata.name
value: my-release-jenkins-schedule-agents
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: rules
value:
- apiGroups: [""]
resources: ["pods", "pods/exec", "pods/log", "persistentvolumeclaims", "events"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods", "pods/exec", "persistentvolumeclaims"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- it: RoleBinding schedule-agents
documentIndex: 1
asserts:
- isKind:
of: RoleBinding
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1
- equal:
path: metadata.name
value: my-release-jenkins-schedule-agents
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: roleRef
value:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: my-release-jenkins-schedule-agents
- equal:
path: subjects
value:
- kind: ServiceAccount
name: my-release-jenkins
namespace: my-namespace
- it: Separate Agent Namespace
set:
agent.namespace: agent-namespace
asserts:
- equal:
path: metadata.namespace
value: agent-namespace
documentIndex: 0
- equal:
path: subjects
value:
- kind: ServiceAccount
name: my-release-jenkins
namespace: my-namespace
documentIndex: 1
- it: Role casc-reload
documentIndex: 2
asserts:
- isKind:
of: Role
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1
- equal:
path: metadata.name
value: my-release-jenkins-casc-reload
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: rules
value:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "watch", "list"]
- it: RoleBinding casc-reload
documentIndex: 3
asserts:
- isKind:
of: RoleBinding
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1
- equal:
path: metadata.name
value: my-release-jenkins-watch-configmaps
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: roleRef
value:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: my-release-jenkins-casc-reload
- equal:
path: subjects
value:
- kind: ServiceAccount
name: my-release-jenkins
namespace: my-namespace
- it: enable read secrets
set:
rbac.readSecrets: true
asserts:
- hasDocuments:
count: 6
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- it: disable helm.sh label
set:
renderHelmLabels: false
rbac.readSecrets: true
asserts:
- hasDocuments:
count: 6
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins
- it: Role read-secrets
set:
rbac.readSecrets: true
documentIndex: 2
asserts:
- isKind:
of: Role
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1
- equal:
path: metadata.name
value: my-release-jenkins-read-secrets
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: rules
value:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
- it: RoleBinding read-secrets
set:
rbac.readSecrets: true
documentIndex: 3
asserts:
- isKind:
of: RoleBinding
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1
- equal:
path: metadata.name
value: my-release-jenkins-read-secrets
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: roleRef
value:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: my-release-jenkins-read-secrets
- equal:
path: subjects
value:
- kind: ServiceAccount
name: my-release-jenkins
namespace: my-namespace

41
helm/jenkins/unittests/secret-additional-test.yaml Normal file
View File

@@ -0,0 +1,41 @@
suite: Controller Admin Additional Secrets
release:
name: my-release
namespace: my-namespace
templates:
- secret-additional.yaml
tests:
- it: tests defaults
asserts:
- hasDocuments:
count: 0
- it: tests 2 additional secrets
set:
controller.additionalSecrets:
- name: something
value: secret
- name: anotherthing
value: anothersecret
asserts:
- isKind:
of: Secret
- equal:
path: apiVersion
value: v1
- equal:
path: metadata.name
value: my-release-jenkins-additional-secrets
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- equal:
path: data.something
value: c2VjcmV0
- equal:
path: data.anotherthing
value: YW5vdGhlcnNlY3JldA==

82
helm/jenkins/unittests/secret-claims-test.yaml Normal file
View File

@@ -0,0 +1,82 @@
suite: Controller Secret Claims
release:
name: my-release
namespace: my-namespace
templates:
- secret-claims.yaml
tests:
- it: tests defaults
asserts:
- hasDocuments:
count: 0
- it: tests 2 secret claims
set:
controller.secretClaims:
- name: simple-secret
path: secret/path
- name: complex-secret
path: secret/complex
type: kubernetes.io/tls
renew: 60
asserts:
- hasDocuments:
count: 2
- documentIndex: 0
isKind:
of: SecretClaim
- documentIndex: 0
equal:
path: apiVersion
value: vaultproject.io/v1
- documentIndex: 0
equal:
path: metadata.name
value: my-release-jenkins-simple-secret
- documentIndex: 0
matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- documentIndex: 0
isNull:
path: metadata.annotations
- documentIndex: 0
equal:
path: spec.type
value: Opaque
- documentIndex: 0
equal:
path: spec.path
value: secret/path
- documentIndex: 0
isNull:
path: spec.renew
- documentIndex: 1
isKind:
of: SecretClaim
- documentIndex: 1
equal:
path: apiVersion
value: vaultproject.io/v1
- documentIndex: 1
equal:
path: metadata.name
value: my-release-jenkins-complex-secret
- documentIndex: 1
matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- documentIndex: 1
isNull:
path: metadata.annotations
- documentIndex: 1
equal:
path: spec.type
value: kubernetes.io/tls
- documentIndex: 1
equal:
path: spec.path
value: secret/complex
- documentIndex: 1
equal:
path: spec.renew
value: 60

52
helm/jenkins/unittests/secret-existing-test.yaml Normal file
View File

@@ -0,0 +1,52 @@
suite: Controller Additional Existing Secrets
release:
name: my-release
namespace: my-namespace
templates:
- jenkins-controller-statefulset.yaml
- config.yaml
tests:
- it: test additional existing secrets StatefulSet
template: jenkins-controller-statefulset.yaml
set:
controller.additionalExistingSecrets:
- name: "{{ .Release.Name }}-secret"
keyName: username
- name: "{{ .Release.Name }}-secret"
keyName: password
controller.existingSecret: my-existing-credentials
asserts:
- isKind:
of: StatefulSet
- equal:
path: spec.template.spec.containers[0].volumeMounts[4]
value:
mountPath: /run/secrets/additional
name: jenkins-secrets
readOnly: true
- equal:
path: spec.template.spec.volumes[3]
value:
name: jenkins-secrets
projected:
sources:
- secret:
name: my-release-secret
items:
- key: username
path: my-release-secret-username
- secret:
name: my-release-secret
items:
- key: password
path: my-release-secret-password
- secret:
name: my-release-jenkins
items:
- key: jenkins-admin-user
path: chart-admin-username
- key: jenkins-admin-password
path: chart-admin-password
- secret:
name: my-existing-credentials

65
helm/jenkins/unittests/secret-test.yaml Normal file
View File

@@ -0,0 +1,65 @@
suite: Controller Admin Credentials
release:
name: my-release
namespace: my-namespace
templates:
- secret.yaml
tests:
- it: tests defaults
asserts:
- isKind:
of: Secret
- equal:
path: apiVersion
value: v1
- equal:
path: metadata.name
value: my-release-jenkins
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- equal:
path: data.jenkins-admin-user
value: YWRtaW4=
- isNotNull:
path: data.jenkins-admin-password
- it: set admin password
set:
controller.adminPassword: secret
asserts:
- equal:
path: data.jenkins-admin-user
value: YWRtaW4=
- equal:
path: data.jenkins-admin-password
value: c2VjcmV0
- it: disable helm.sh label
set:
renderHelmLabels: false
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins
- it: disable
set:
controller:
adminSecret: false
asserts:
- hasDocuments:
count: 0
- it: disable
set:
controller.admin.existingSecret: my-secret
asserts:
- hasDocuments:
count: 0

83
helm/jenkins/unittests/service-account-agent-test.yaml Normal file
View File

@@ -0,0 +1,83 @@
suite: Controller Service Account
release:
name: my-release
namespace: my-namespace
templates:
- service-account-agent.yaml
tests:
- it: test defaults
asserts:
- hasDocuments:
count: 0
- it: create service account for agents
set:
serviceAccountAgent:
create: true
asserts:
- isKind:
of: ServiceAccount
- equal:
path: apiVersion
value: v1
- equal:
path: metadata.name
value: my-release-jenkins-agent
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- it: agent namespace
set:
serviceAccountAgent:
create: true
annotations:
key: value
agent:
namespace: agents
asserts:
- isKind:
of: ServiceAccount
- equal:
path: apiVersion
value: v1
- equal:
path: metadata.name
value: my-release-jenkins-agent
- equal:
path: metadata.namespace
value: agents
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- equal:
path: metadata.annotations
value:
key: value
- it: disable helm.sh label
set:
renderHelmLabels: false
serviceAccountAgent:
create: true
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins
- it: agent image pull secret
set:
renderHelmLabels: false
serviceAccountAgent:
create: true
imagePullSecretName: ips-name
asserts:
- equal:
path: imagePullSecrets
value:
- name: ips-name

58
helm/jenkins/unittests/service-account-test.yaml Normal file
View File

@@ -0,0 +1,58 @@
suite: Controller Service Account
release:
name: my-release
namespace: my-namespace
templates:
- service-account.yaml
tests:
- it: tests defaults
asserts:
- isKind:
of: ServiceAccount
- equal:
path: apiVersion
value: v1
- equal:
path: metadata.name
value: my-release-jenkins
- equal:
path: metadata.namespace
value: my-namespace
- matchRegex:
path: metadata.labels.helm\.sh/chart
pattern: ^jenkins-
- isNull:
path: metadata.annotations
- it: disable helm.sh label
set:
renderHelmLabels: false
asserts:
- equal:
path: metadata.labels
value:
app.kubernetes.io/component: jenkins-controller
app.kubernetes.io/instance: my-release
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jenkins
- it: disabled
set:
serviceAccount:
create: false
asserts:
- hasDocuments:
count: 0
- it: controller image pull secret
set:
renderHelmLabels: false
serviceAccount:
create: true
imagePullSecretName: ips-name
asserts:
- equal:
path: imagePullSecrets
value:
- name: ips-name

950
helm/jenkins/values.yaml Normal file
View File

@@ -0,0 +1,950 @@
# Default values for jenkins.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
## Overrides for generated resource names
# See templates/_helpers.tpl
# nameOverride:
# fullnameOverride:
# namespaceOverride:
# For FQDN resolving of the controller service. Change this value to match your existing configuration.
# ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md
clusterZone: "cluster.local"
renderHelmLabels: true
controller:
# Used for label app.kubernetes.io/component
componentName: "jenkins-controller"
image: "jenkins/jenkins"
# tag: "2.375.1-jdk11"
tagLabel: jdk11
imagePullPolicy: "Always"
imagePullSecretName:
# Optionally configure lifetime for controller-container
lifecycle:
# postStart:
# exec:
# command:
# - "uname"
# - "-a"
disableRememberMe: false
numExecutors: 0
# configures the executor mode of the Jenkins node. Possible values are: NORMAL or EXCLUSIVE
executorMode: "NORMAL"
# This is ignored if enableRawHtmlMarkupFormatter is true
markupFormatter: plainText
customJenkinsLabels: []
# The default configuration uses this secret to configure an admin user
# If you don't need that user or use a different security realm then you can disable it
adminSecret: true
hostNetworking: false
# When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist.
# If you disable the non-Jenkins identity store and instead use the Jenkins internal one,
# you should revert controller.adminUser to your preferred admin user:
adminUser: "admin"
# adminPassword: <defaults to random>
admin:
existingSecret: ""
userKey: jenkins-admin-user
passwordKey: jenkins-admin-password
# This values should not be changed unless you use your custom image of jenkins or any devired from. If you want to use
# Cloudbees Jenkins Distribution docker, you should set jenkinsHome: "/var/cloudbees-jenkins-distribution"
jenkinsHome: "/var/jenkins_home"
# This values should not be changed unless you use your custom image of jenkins or any devired from. If you want to use
# Cloudbees Jenkins Distribution docker, you should set jenkinsRef: "/usr/share/cloudbees-jenkins-distribution/ref"
jenkinsRef: "/usr/share/jenkins/ref"
# Path to the jenkins war file which is used by jenkins-plugin-cli.
jenkinsWar: "/usr/share/jenkins/jenkins.war"
# Overrides the default arguments passed to the war
# overrideArgs:
# - --httpPort=8080
resources:
requests:
cpu: "50m"
memory: "256Mi"
limits:
cpu: "2000m"
memory: "4096Mi"
# Overrides the init container default values
# initContainerResources:
# requests:
# cpu: "50m"
# memory: "256Mi"
# limits:
# cpu: "2000m"
# memory: "4096Mi"
# Environment variables that get added to the init container (useful for e.g. http_proxy)
# initContainerEnv:
# - name: http_proxy
# value: "http://192.168.64.1:3128"
# containerEnv:
# - name: http_proxy
# value: "http://192.168.64.1:3128"
# Set min/max heap here if needed with:
# javaOpts: "-Xms512m -Xmx512m"
# jenkinsOpts: ""
# If you are using the ingress definitions provided by this chart via the `controller.ingress` block the configured hostname will be the ingress hostname starting with `https://` or `http://` depending on the `tls` configuration.
# The Protocol can be overwritten by specifying `controller.jenkinsUrlProtocol`.
# jenkinsUrlProtocol: "https"
# If you are not using the provided ingress you can specify `controller.jenkinsUrl` to change the url definition.
# jenkinsUrl: ""
# If you set this prefix and use ingress controller then you might want to set the ingress path below
# jenkinsUriPrefix: "/jenkins"
# Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set)
usePodSecurityContext: true
# Note that `runAsUser`, `fsGroup`, and `securityContextCapabilities` are
# being deprecated and replaced by `podSecurityContextOverride`.
# Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins' which exists in 'jenkins/jenkins' docker image.
# When setting runAsUser to a different value than 0 also set fsGroup to the same value:
runAsUser: 1000
fsGroup: 1000
# If you have PodSecurityPolicies that require dropping of capabilities as suggested by CIS K8s benchmark, put them here
securityContextCapabilities: {}
# drop:
# - NET_RAW
# Completely overwrites the contents of the `securityContext`, ignoring the
# values provided for the deprecated fields: `runAsUser`, `fsGroup`, and
# `securityContextCapabilities`. In the case of mounting an ext4 filesystem,
# it might be desirable to use `supplementalGroups` instead of `fsGroup` in
# the `securityContext` block: https://github.com/kubernetes/kubernetes/issues/67014#issuecomment-589915496
# podSecurityContextOverride:
# runAsUser: 1000
# runAsNonRoot: true
# supplementalGroups: [1000]
# # capabilities: {}
# Container securityContext
containerSecurityContext:
runAsUser: 1000
runAsGroup: 1000
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
servicePort: 8080
targetPort: 8080
# For minikube, set this to NodePort, elsewhere use LoadBalancer
# Use ClusterIP if your setup includes ingress controller
serviceType: ClusterIP
# Use Local to preserve the client source IP and avoids a second hop for LoadBalancer and Nodeport type services,
# but risks potentially imbalanced traffic spreading.
serviceExternalTrafficPolicy:
# Jenkins controller service annotations
serviceAnnotations: {}
# Jenkins controller custom labels
statefulSetLabels: {}
# foo: bar
# bar: foo
# Jenkins controller service labels
serviceLabels: {}
# service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
# Put labels on Jenkins controller pod
podLabels: {}
# Used to create Ingress record (should used with ServiceType: ClusterIP)
# nodePort: <to set explicitly, choose port between 30000-32767
# Enable Kubernetes Startup, Liveness and Readiness Probes
# if Startup Probe is supported, enable it too
# ~ 2 minutes to allow Jenkins to restart when upgrading plugins. Set ReadinessTimeout to be shorter than LivenessTimeout.
healthProbes: true
probes:
startupProbe:
httpGet:
path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login'
port: http
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 12
livenessProbe:
failureThreshold: 5
httpGet:
path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login'
port: http
periodSeconds: 10
timeoutSeconds: 5
# If Startup Probe is not supported on your Kubernetes cluster, you might want to use "initialDelaySeconds" instead.
# It delays the initial liveness probe while Jenkins is starting
# initialDelaySeconds: 60
readinessProbe:
failureThreshold: 3
httpGet:
path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login'
port: http
periodSeconds: 10
timeoutSeconds: 5
# If Startup Probe is not supported on your Kubernetes cluster, you might want to use "initialDelaySeconds" instead.
# It delays the initial readyness probe while Jenkins is starting
# initialDelaySeconds: 60
# PodDisruptionBudget config
podDisruptionBudget:
enabled: false
# For Kubernetes v1.5+, use 'policy/v1beta1'
# For Kubernetes v1.21+, use 'policy/v1'
apiVersion: "policy/v1beta1"
annotations: {}
labels: {}
# maxUnavailable: "0"
agentListenerEnabled: true
agentListenerPort: 50000
agentListenerHostPort:
agentListenerNodePort:
agentListenerExternalTrafficPolicy:
agentListenerLoadBalancerSourceRanges:
- 0.0.0.0/0
disabledAgentProtocols:
- JNLP-connect
- JNLP2-connect
csrf:
defaultCrumbIssuer:
enabled: true
proxyCompatability: true
# Kubernetes service type for the JNLP agent service
# agentListenerServiceType is the Kubernetes Service type for the JNLP agent service,
# either 'LoadBalancer', 'NodePort', or 'ClusterIP'
# Note if you set this to 'LoadBalancer', you *must* define annotations to secure it. By default
# this will be an external load balancer and allowing inbound 0.0.0.0/0, a HUGE
# security risk: https://github.com/kubernetes/charts/issues/1341
agentListenerServiceType: "ClusterIP"
# Optionally assign an IP to the LoadBalancer agentListenerService LoadBalancer
# GKE users: only regional static IPs will work for Service Load balancer.
agentListenerLoadBalancerIP:
agentListenerServiceAnnotations: {}
# Example of 'LoadBalancer' type of agent listener with annotations securing it
# agentListenerServiceType: LoadBalancer
# agentListenerServiceAnnotations:
# service.beta.kubernetes.io/aws-load-balancer-internal: "True"
# service.beta.kubernetes.io/load-balancer-source-ranges: "172.0.0.0/8, 10.0.0.0/8"
# LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to
# set allowed inbound rules on the security group assigned to the controller load balancer
loadBalancerSourceRanges:
- 0.0.0.0/0
# Optionally assign a known public LB IP
# loadBalancerIP: 1.2.3.4
# Optionally configure a JMX port
# requires additional javaOpts, ie
# javaOpts: >
# -Dcom.sun.management.jmxremote.port=4000
# -Dcom.sun.management.jmxremote.authenticate=false
# -Dcom.sun.management.jmxremote.ssl=false
# jmxPort: 4000
# Optionally configure other ports to expose in the controller container
extraPorts: []
# - name: BuildInfoProxy
# port: 9000
# targetPort: 9010 (Optional: Use to explicitly set targetPort if different from port)
# List of plugins to be install during Jenkins controller start
installPlugins:
- kubernetes:3734.v562b_b_a_627ea_c
- workflow-aggregator:590.v6a_d052e5a_a_b_5
- git:4.13.0
- configuration-as-code:1569.vb_72405b_80249
# Set to false to download the minimum required version of all dependencies.
installLatestPlugins: true
# Set to true to download latest dependencies of any plugin that is requested to have the latest version.
installLatestSpecifiedPlugins: false
# List of plugins to install in addition to those listed in controller.installPlugins
additionalPlugins: []
# Enable to initialize the Jenkins controller only once on initial installation.
# Without this, whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates which has the potential to cause breakage.
# Note that for this to work, `persistence.enabled` needs to be set to `true`
initializeOnce: false
# Enable to always override the installed plugins with the values of 'controller.installPlugins' on upgrade or redeployment.
# overwritePlugins: true
# Configures if plugins bundled with `controller.image` should be overwritten with the values of 'controller.installPlugins' on upgrade or redeployment.
overwritePluginsFromImage: true
# Configures the restrictions for naming projects. Set this key to null or empty to skip it in the default config.
projectNamingStrategy: standard
# Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter), useful with ghprb plugin.
# The plugin is not installed by default, please update controller.installPlugins.
enableRawHtmlMarkupFormatter: false
# Used to approve a list of groovy functions in pipelines used the script-security plugin. Can be viewed under /scriptApproval
scriptApproval: []
# - "method groovy.json.JsonSlurperClassic parseText java.lang.String"
# - "new groovy.json.JsonSlurperClassic"
# List of groovy init scripts to be executed during Jenkins controller start
initScripts: []
# - |
# print 'adding global pipeline libraries, register properties, bootstrap jobs...'
# 'name' is a name of an existing secret in same namespace as jenkins,
# 'keyName' is the name of one of the keys inside current secret.
# the 'name' and 'keyName' are concatenated with a '-' in between, so for example:
# an existing secret "secret-credentials" and a key inside it named "github-password" should be used in Jcasc as ${secret-credentials-github-password}
# 'name' and 'keyName' must be lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-',
# and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc')
# existingSecret existing secret "secret-credentials" and a key inside it named "github-username" should be used in Jcasc as ${github-username}
# When using existingSecret no need to specify the keyName under additionalExistingSecrets.
existingSecret:
additionalExistingSecrets: []
# - name: secret-name-1
# keyName: username
# - name: secret-name-1
# keyName: password
additionalSecrets: []
# - name: nameOfSecret
# value: secretText
# Generate SecretClaim resources in order to create Kubernetes secrets from HashiCorp Vault using kube-vault-controller.
# 'name' is name of the secret that will be created in Kubernetes. The Jenkins fullname is prepended to this value.
# 'path' is the fully qualified path to the secret in Vault
# 'type' is an optional Kubernetes secret type. Defaults to 'Opaque'
# 'renew' is an optional secret renewal time in seconds
secretClaims: []
# - name: secretName # required
# path: testPath # required
# type: kubernetes.io/tls # optional
# renew: 60 # optional
# Name of default cloud configuration.
cloudName: "kubernetes"
# Below is the implementation of Jenkins Configuration as Code. Add a key under configScripts for each configuration area,
# where each corresponds to a plugin or section of the UI. Each key (prior to | character) is just a label, and can be any value.
# Keys are only used to give the section a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label
# characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in
# /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each |
# become the content of the configuration yaml file. The first line after this is a JCasC root element, eg jenkins, credentials,
# etc. Best reference is https://<jenkins_url>/configuration-as-code/reference. The example below creates a welcome message:
JCasC:
defaultConfig: true
configUrls: []
# - https://acme.org/jenkins.yaml
# Remote URL:s for configuration files.
configScripts: {}
# welcome-message: |
# jenkins:
# systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'.
# Allows adding to the top-level security JCasC section. For legacy, default the chart includes apiToken configurations
security:
apiToken:
creationOfLegacyTokenEnabled: false
tokenGenerationOnCreationEnabled: false
usageStatisticsEnabled: true
# Ignored if securityRealm is defined in controller.JCasC.configScripts
securityRealm: |-
local:
allowsSignup: false
enableCaptcha: false
users:
- id: "${chart-admin-username}"
name: "Jenkins Admin"
password: "${chart-admin-password}"
# Ignored if authorizationStrategy is defined in controller.JCasC.configScripts
authorizationStrategy: |-
loggedInUsersCanDoAnything:
allowAnonymousRead: false
# Optionally specify additional init-containers
customInitContainers: []
# - name: custom-init
# image: "alpine:3.7"
# imagePullPolicy: Always
# command: [ "uname", "-a" ]
sidecars:
configAutoReload:
# If enabled: true, Jenkins Configuration as Code will be reloaded on-the-fly without a reboot. If false or not-specified,
# jcasc changes will cause a reboot and will only be applied at the subsequent start-up. Auto-reload uses the
# http://<jenkins_url>/reload-configuration-as-code endpoint to reapply config when changes to the configScripts are detected.
enabled: true
image: kiwigrid/k8s-sidecar:1.15.0
imagePullPolicy: IfNotPresent
resources: {}
# limits:
# cpu: 100m
# memory: 100Mi
# requests:
# cpu: 50m
# memory: 50Mi
# How many connection-related errors to retry on
reqRetryConnect: 10
# env:
# - name: REQ_TIMEOUT
# value: "30"
# SSH port value can be set to any unused TCP port. The default, 1044, is a non-standard SSH port that has been chosen at random.
# Is only used to reload jcasc config from the sidecar container running in the Jenkins controller pod.
# This TCP port will not be open in the pod (unless you specifically configure this), so Jenkins will not be
# accessible via SSH from outside of the pod. Note if you use non-root pod privileges (runAsUser & fsGroup),
# this must be > 1024:
sshTcpPort: 1044
# folder in the pod that should hold the collected dashboards:
folder: "/var/jenkins_home/casc_configs"
# If specified, the sidecar will search for JCasC config-maps inside this namespace.
# Otherwise the namespace in which the sidecar is running will be used.
# It's also possible to specify ALL to search in all namespaces:
# searchNamespace:
containerSecurityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
# Allows you to inject additional/other sidecars
other: []
## The example below runs the client for https://smee.io as sidecar container next to Jenkins,
## that allows to trigger build behind a secure firewall.
## https://jenkins.io/blog/2019/01/07/webhook-firewalls/#triggering-builds-with-webhooks-behind-a-secure-firewall
##
## Note: To use it you should go to https://smee.io/new and update the url to the generete one.
# - name: smee
# image: docker.io/twalter/smee-client:1.0.2
# args: ["--port", "{{ .Values.controller.servicePort }}", "--path", "/github-webhook/", "--url", "https://smee.io/new"]
# resources:
# limits:
# cpu: 50m
# memory: 128Mi
# requests:
# cpu: 10m
# memory: 32Mi
# Name of the Kubernetes scheduler to use
schedulerName: ""
# Node labels and tolerations for pod assignment
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
nodeSelector: {}
terminationGracePeriodSeconds:
terminationMessagePath:
terminationMessagePolicy:
tolerations: []
affinity: {}
# Leverage a priorityClass to ensure your pods survive resource shortages
# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName:
podAnnotations: {}
# Add StatefulSet annotations
statefulSetAnnotations: {}
# StatefulSet updateStrategy
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
updateStrategy: {}
ingress:
enabled: false
# Override for the default paths that map requests to the backend
paths: []
# - backend:
# serviceName: ssl-redirect
# servicePort: use-annotation
# - backend:
# serviceName: >-
# {{ template "jenkins.fullname" . }}
# # Don't use string here, use only integer value!
# servicePort: 8080
# For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1'
# For Kubernetes v1.19+, use 'networking.k8s.io/v1'
apiVersion: "extensions/v1beta1"
labels: {}
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
# See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
# ingressClassName: nginx
# Set this path to jenkinsUriPrefix above or use annotations to rewrite path
# path: "/jenkins"
# configures the hostname e.g. jenkins.example.com
hostName:
tls:
# - secretName: jenkins.cluster.local
# hosts:
# - jenkins.cluster.local
# often you want to have your controller all locked down and private
# but you still want to get webhooks from your SCM
# A secondary ingress will let you expose different urls
# with a differnt configuration
secondaryingress:
enabled: false
# paths you want forwarded to the backend
# ex /github-webhook
paths: []
# For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1'
# For Kubernetes v1.19+, use 'networking.k8s.io/v1'
apiVersion: "extensions/v1beta1"
labels: {}
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
# See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
# ingressClassName: nginx
# configures the hostname e.g. jenkins-external.example.com
hostName:
tls:
# - secretName: jenkins-external.example.com
# hosts:
# - jenkins-external.example.com
# If you're running on GKE and need to configure a backendconfig
# to finish ingress setup, use the following values.
# Docs: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig
backendconfig:
enabled: false
apiVersion: "extensions/v1beta1"
name:
labels: {}
annotations: {}
spec: {}
# Openshift route
route:
enabled: false
labels: {}
annotations: {}
# path: "/jenkins"
# controller.hostAliases allows for adding entries to Pod /etc/hosts:
# https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
hostAliases: []
# - ip: 192.168.50.50
# hostnames:
# - something.local
# - ip: 10.0.50.50
# hostnames:
# - other.local
# Expose Prometheus metrics
prometheus:
# If enabled, add the prometheus plugin to the list of plugins to install
# https://plugins.jenkins.io/prometheus
enabled: false
# Additional labels to add to the ServiceMonitor object
serviceMonitorAdditionalLabels: {}
# Set a custom namespace where to deploy ServiceMonitor resource
# serviceMonitorNamespace: monitoring
scrapeInterval: 60s
# This is the default endpoint used by the prometheus plugin
scrapeEndpoint: /prometheus
# Additional labels to add to the PrometheusRule object
alertingRulesAdditionalLabels: {}
# An array of prometheus alerting rules
# See here: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/
# The `groups` root object is added by default, simply add the rule entries
alertingrules: []
# Set a custom namespace where to deploy PrometheusRule resource
prometheusRuleNamespace: ""
googlePodMonitor:
# If enabled, It creates Google Managed Prometheus scraping config
enabled: false
# Set a custom namespace where to deploy PodMonitoring resource
# serviceMonitorNamespace: ""
scrapeInterval: 60s
# This is the default endpoint used by the prometheus plugin
scrapeEndpoint: /prometheus
# Can be used to disable rendering controller test resources when using helm template
testEnabled: true
httpsKeyStore:
jenkinsHttpsJksSecretName: ''
enable: false
httpPort: 8081
path: "/var/jenkins_keystore"
fileName: "keystore.jks"
password: "password"
# Convert keystore.jks files content to base64 ( cat keystore.jks | base64 ) and put the output here
jenkinsKeyStoreBase64Encoded: |
/u3+7QAAAAIAAAABAAAAAQANamVua2luc2NpLmNvbQAAAW2r/b1ZAAAFATCCBP0wDgYKKwYBBAEq
AhEBAQUABIIE6QbCqasvoHS0pSwYqSvdydMCB9t+VNfwhFIiiuAelJfO5sSe2SebJbtwHgLcRz1Z
gMtWgOSFdl3bWSzA7vrW2LED52h+jXLYSWvZzuDuh8hYO85m10ikF6QR+dTi4jra0whIFDvq3pxe
TnESxEsN+DvbZM3jA3qsjQJSeISNpDjO099dqQvHpnCn18lyk7J4TWJ8sOQQb1EM2zDAfAOSqA/x
QuPEFl74DlY+5DIk6EBvpmWhaMSvXzWZACGA0sYqa157dq7O0AqmuLG/EI5EkHETO4CrtBW+yLcy
2dUCXOMA+j+NjM1BjrQkYE5vtSfNO6lFZcISyKo5pTFlcA7ut0Fx2nZ8GhHTn32CpeWwNcZBn1gR
pZVt6DxVVkhTAkMLhR4rL2wGIi/1WRs23ZOLGKtyDNvDHnQyDiQEoJGy9nAthA8aNHa3cfdF10vB
Drb19vtpFHmpvKEEhpk2EBRF4fTi644Fuhu2Ied6118AlaPvEea+n6G4vBz+8RWuVCmZjLU+7h8l
Hy3/WdUPoIL5eW7Kz+hS+sRTFzfu9C48dMkQH3a6f3wSY+mufizNF9U298r98TnYy+PfDJK0bstG
Ph6yPWx8DGXKQBwrhWJWXI6JwZDeC5Ny+l8p1SypTmAjpIaSW3ge+KgcL6Wtt1R5hUV1ajVwVSUi
HF/FachKqPqyLJFZTGjNrxnmNYpt8P1d5JTvJfmfr55Su/P9n7kcyWp7zMcb2Q5nlXt4tWogOHLI
OzEWKCacbFfVHE+PpdrcvCVZMDzFogIq5EqGTOZe2poPpBVE+1y9mf5+TXBegy5HToLWvmfmJNTO
NCDuBjgLs2tdw2yMPm4YEr57PnMX5gGTC3f2ZihXCIJDCRCdQ9sVBOjIQbOCzxFXkVITo0BAZhCi
Yz61wt3Ud8e//zhXWCkCsSV+IZCxxPzhEFd+RFVjW0Nm9hsb2FgAhkXCjsGROgoleYgaZJWvQaAg
UyBzMmKDPKTllBHyE3Gy1ehBNGPgEBChf17/9M+j8pcm1OmlM434ctWQ4qW7RU56//yq1soFY0Te
fu2ei03a6m68fYuW6s7XEEK58QisJWRAvEbpwu/eyqfs7PsQ+zSgJHyk2rO95IxdMtEESb2GRuoi
Bs+AHNdYFTAi+GBWw9dvEgqQ0Mpv0//6bBE/Fb4d7b7f56uUNnnE7mFnjGmGQN+MvC62pfwfvJTT
EkT1iZ9kjM9FprTFWXT4UmO3XTvesGeE50sV9YPm71X4DCQwc4KE8vyuwj0s6oMNAUACW2ClU9QQ
y0tRpaF1tzs4N42Q5zl0TzWxbCCjAtC3u6xf+c8MCGrr7DzNhm42LOQiHTa4MwX4x96q7235oiAU
iQqSI/hyF5yLpWw4etyUvsx2/0/0wkuTU1FozbLoCWJEWcPS7QadMrRRISxHf0YobIeQyz34regl
t1qSQ3dCU9D6AHLgX6kqllx4X0fnFq7LtfN7fA2itW26v+kAT2QFZ3qZhINGfofCja/pITC1uNAZ
gsJaTMcQ600krj/ynoxnjT+n1gmeqThac6/Mi3YlVeRtaxI2InL82ZuD+w/dfY9OpPssQjy3xiQa
jPuaMWXRxz/sS9syOoGVH7XBwKrWpQcpchozWJt40QV5DslJkclcr8aC2AGlzuJMTdEgz1eqV0+H
bAXG9HRHN/0eJTn1/QAAAAEABVguNTA5AAADjzCCA4swggJzAhRGqVxH4HTLYPGO4rzHcCPeGDKn
xTANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCY2ExEDAOBgNVBAgMB29udGFyaW8xEDAOBgNV
BAcMB3Rvcm9udG8xFDASBgNVBAoMC2plbmtpbnN0ZXN0MRkwFwYDVQQDDBBqZW5raW5zdGVzdC5p
bmZvMR0wGwYJKoZIhvcNAQkBFg50ZXN0QHRlc3QuaW5mbzAeFw0xOTEwMDgxNTI5NTVaFw0xOTEx
MDcxNTI5NTVaMIGBMQswCQYDVQQGEwJjYTEQMA4GA1UECAwHb250YXJpbzEQMA4GA1UEBwwHdG9y
b250bzEUMBIGA1UECgwLamVua2luc3Rlc3QxGTAXBgNVBAMMEGplbmtpbnN0ZXN0LmluZm8xHTAb
BgkqhkiG9w0BCQEWDnRlc3RAdGVzdC5pbmZvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEA02q352JTHGvROMBhSHvSv+vnoOTDKSTz2aLQn0tYrIRqRo+8bfmMjXuhkwZPSnCpvUGNAJ+w
Jrt/dqMoYUjCBkjylD/qHmnXN5EwS1cMg1Djh65gi5JJLFJ7eNcoSsr/0AJ+TweIal1jJSP3t3PF
9Uv21gm6xdm7HnNK66WpUUXLDTKaIs/jtagVY1bLOo9oEVeLN4nT2CYWztpMvdCyEDUzgEdDbmrP
F5nKUPK5hrFqo1Dc5rUI4ZshL3Lpv398aMxv6n2adQvuL++URMEbXXBhxOrT6rCtYzbcR5fkwS9i
d3Br45CoWOQro02JAepoU0MQKY5+xQ4Bq9Q7tB9BAwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAe
4xc+mSvKkrKBHg9/zpkWgZUiOp4ENJCi8H4tea/PCM439v6y/kfjT/okOokFvX8N5aa1OSz2Vsrl
m8kjIc6hiA7bKzT6lb0EyjUShFFZ5jmGVP4S7/hviDvgB5yEQxOPpumkdRP513YnEGj/o9Pazi5h
/MwpRxxazoda9r45kqQpyG+XoM4pB+Fd3JzMc4FUGxfVPxJU4jLawnJJiZ3vqiSyaB0YyUL+Er1Q
6NnqtR4gEBF0ZVlQmkycFvD4EC2boP943dLqNUvop+4R3SM1QMM6P5u8iTXtHd/VN4MwMyy1wtog
hYAzODo1Jt59pcqqKJEas0C/lFJEB3frw4ImNx5fNlJYOpx+ijfQs9m39CevDq0=
agent:
enabled: true
defaultsProviderTemplate: ""
# URL for connecting to the Jenkins contoller
jenkinsUrl:
# connect to the specified host and port, instead of connecting directly to the Jenkins controller
jenkinsTunnel:
kubernetesConnectTimeout: 5
kubernetesReadTimeout: 15
maxRequestsPerHostStr: "32"
namespace:
image: "jenkins/inbound-agent"
tag: "4.11.2-4"
workingDir: "/home/jenkins/agent"
nodeUsageMode: "NORMAL"
customJenkinsLabels: []
# name of the secret to be used for image pulling
imagePullSecretName:
componentName: "jenkins-agent"
websocket: false
privileged: false
runAsUser:
runAsGroup:
hostNetworking: false
resources:
requests:
cpu: "512m"
memory: "512Mi"
limits:
cpu: "512m"
memory: "512Mi"
# You may want to change this to true while testing a new image
alwaysPullImage: false
# Controls how agent pods are retained after the Jenkins build completes
# Possible values: Always, Never, OnFailure
podRetention: "Never"
# Disable if you do not want the Yaml the agent pod template to show up
# in the job Console Output. This can be helpful for either security reasons
# or simply to clean up the output to make it easier to read.
showRawYaml: true
# You can define the volumes that you want to mount for this container
# Allowed types are: ConfigMap, EmptyDir, HostPath, Nfs, PVC, Secret
# Configure the attributes as they appear in the corresponding Java class for that type
# https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes
volumes: []
# - type: ConfigMap
# configMapName: myconfigmap
# mountPath: /var/myapp/myconfigmap
# - type: EmptyDir
# mountPath: /var/myapp/myemptydir
# memory: false
# - type: HostPath
# hostPath: /var/lib/containers
# mountPath: /var/myapp/myhostpath
# - type: Nfs
# mountPath: /var/myapp/mynfs
# readOnly: false
# serverAddress: "192.0.2.0"
# serverPath: /var/lib/containers
# - type: PVC
# claimName: mypvc
# mountPath: /var/myapp/mypvc
# readOnly: false
# - type: Secret
# defaultMode: "600"
# mountPath: /var/myapp/mysecret
# secretName: mysecret
# Pod-wide environment, these vars are visible to any container in the agent pod
# You can define the workspaceVolume that you want to mount for this container
# Allowed types are: DynamicPVC, EmptyDir, HostPath, Nfs, PVC
# Configure the attributes as they appear in the corresponding Java class for that type
# https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes/workspace
workspaceVolume: {}
## DynamicPVC example
# type: DynamicPVC
# configMapName: myconfigmap
## EmptyDir example
# type: EmptyDir
# memory: false
## HostPath example
# type: HostPath
# hostPath: /var/lib/containers
## NFS example
# type: Nfs
# readOnly: false
# serverAddress: "192.0.2.0"
# serverPath: /var/lib/containers
## PVC example
# type: PVC
# claimName: mypvc
# readOnly: false
#
# Pod-wide environment, these vars are visible to any container in the agent pod
envVars: []
# - name: PATH
# value: /usr/local/bin
# Mount a secret as environment variable
secretEnvVars: []
# - key: PATH
# optional: false # default: false
# secretKey: MY-K8S-PATH
# secretName: my-k8s-secret
nodeSelector: {}
# Key Value selectors. Ex:
# jenkins-agent: v1
# Executed command when side container gets started
command:
args: "${computer.jnlpmac} ${computer.name}"
# Side container name
sideContainerName: "jnlp"
# Doesn't allocate pseudo TTY by default
TTYEnabled: false
# Max number of spawned agent
containerCap: 10
# Pod name
podName: "default"
# Allows the Pod to remain active for reuse until the configured number of
# minutes has passed since the last step was executed on it.
idleMinutes: 0
# Raw yaml template for the Pod. For example this allows usage of toleration for agent pods.
# https://github.com/jenkinsci/kubernetes-plugin#using-yaml-to-define-pod-templates
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
yamlTemplate: ""
# yamlTemplate: |-
# apiVersion: v1
# kind: Pod
# spec:
# tolerations:
# - key: "key"
# operator: "Equal"
# value: "value"
# Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates: merge or override
yamlMergeStrategy: "override"
# Timeout in seconds for an agent to be online
connectTimeout: 100
# Annotations to apply to the pod.
annotations: {}
# Add additional containers to the agents.
# Containers specified here are added to all agents. Set key empty to remove container from additional agents.
additionalContainers: []
# - sideContainerName: dind
# image: docker
# tag: dind
# command: dockerd-entrypoint.sh
# args: ""
# privileged: true
# resources:
# requests:
# cpu: 500m
# memory: 1Gi
# limits:
# cpu: 1
# memory: 2Gi
# Disable the default Jenkins Agent configuration.
# Useful when configuring agents only with the podTemplates value, since the default podTemplate populated by values mentioned above will be excluded in the rendered template.
disableDefaultAgent: false
# Below is the implementation of custom pod templates for the default configured kubernetes cloud.
# Add a key under podTemplates for each pod template. Each key (prior to | character) is just a label, and can be any value.
# Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label
# characters: lowercase letters, numbers, and hyphens. Each pod template can contain multiple containers.
# For this pod templates configuration to be loaded the following values must be set:
# controller.JCasC.defaultConfig: true
# Best reference is https://<jenkins_url>/configuration-as-code/reference#Cloud-kubernetes. The example below creates a python pod template.
podTemplates: {}
# python: |
# - name: python
# label: jenkins-python
# serviceAccount: jenkins
# containers:
# - name: python
# image: python:3
# command: "/bin/sh -c"
# args: "cat"
# ttyEnabled: true
# privileged: true
# resourceRequestCpu: "400m"
# resourceRequestMemory: "512Mi"
# resourceLimitCpu: "1"
# resourceLimitMemory: "1024Mi"
# Here you can add additional agents
# They inherit all values from `agent` so you only need to specify values which differ
additionalAgents: {}
# maven:
# podName: maven
# customJenkinsLabels: maven
# # An example of overriding the jnlp container
# # sideContainerName: jnlp
# image: jenkins/jnlp-agent-maven
# tag: latest
# python:
# podName: python
# customJenkinsLabels: python
# sideContainerName: python
# image: python
# tag: "3"
# command: "/bin/sh -c"
# args: "cat"
# TTYEnabled: true
persistence:
enabled: true
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
existingClaim:
## jenkins data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
storageClass:
annotations: {}
labels: {}
accessMode: "ReadWriteOnce"
size: "8Gi"
volumes:
# - name: nothing
# emptyDir: {}
mounts:
# - mountPath: /var/nothing
# name: nothing
# readOnly: true
networkPolicy:
# Enable creation of NetworkPolicy resources.
enabled: false
# For Kubernetes v1.4, v1.5 and v1.6, use 'extensions/v1beta1'
# For Kubernetes v1.7, use 'networking.k8s.io/v1'
apiVersion: networking.k8s.io/v1
# You can allow agents to connect from both within the cluster (from within specific/all namespaces) AND/OR from a given external IP range
internalAgents:
allowed: true
podLabels: {}
namespaceLabels: {}
# project: myproject
externalAgents: {}
# ipCIDR: 172.17.0.0/16
# except:
# - 172.17.1.0/24
## Install Default RBAC roles and bindings
rbac:
create: true
readSecrets: false
serviceAccount:
create: true
# The name of the service account is autogenerated by default
name:
annotations: {}
imagePullSecretName:
serviceAccountAgent:
# Specifies whether a ServiceAccount should be created
create: false
# The name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template
name:
annotations: {}
imagePullSecretName:
## Backup cronjob configuration
## Ref: https://github.com/maorfr/kube-tasks
backup:
# Backup must use RBAC
# So by enabling backup you are enabling RBAC specific for backup
enabled: false
# Used for label app.kubernetes.io/component
componentName: "backup"
# Schedule to run jobs. Must be in cron time format
# Ref: https://crontab.guru/
schedule: "0 2 * * *"
labels: {}
serviceAccount:
create: true
name:
annotations: {}
# Example for authorization to AWS S3 using kube2iam or IRSA
# Can also be done using environment variables
# iam.amazonaws.com/role: "jenkins"
# "eks.amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/jenkins-backup"
# Set this to terminate the job that is running/failing continously and set the job status to "Failed"
activeDeadlineSeconds: ""
image:
repository: "maorfr/kube-tasks"
tag: "0.2.0"
imagePullSecretName:
# Additional arguments for kube-tasks
# Ref: https://github.com/maorfr/kube-tasks#simple-backup
extraArgs: []
# Add existingSecret for AWS credentials
existingSecret: {}
## Example for using an existing secret
# jenkinsaws:
## Use this key for AWS access key ID
# awsaccesskey: jenkins_aws_access_key
## Use this key for AWS secret access key
# awssecretkey: jenkins_aws_secret_key
# Add additional environment variables
# jenkinsgcp:
## Use this key for GCP credentials
# gcpcredentials: credentials.json
env: []
# Example environment variable required for AWS credentials chain
# - name: "AWS_REGION"
# value: "us-east-1"
resources:
requests:
memory: 1Gi
cpu: 1
limits:
memory: 1Gi
cpu: 1
# Destination to store the backup artifacts
# Supported cloud storage services: AWS S3, Minio S3, Azure Blob Storage, Google Cloud Storage
# Additional support can added. Visit this repository for details
# Ref: https://github.com/maorfr/skbn
destination: "s3://jenkins-data/backup"
# By enabling only the jenkins_home/jobs folder gets backed up, not the whole jenkins instance
onlyJobs: false
# Enable backup pod security context (must be `true` if runAsUser or fsGroup are set)
usePodSecurityContext: true
# When setting runAsUser to a different value than 0 also set fsGroup to the same value:
runAsUser: 1000
fsGroup: 1000
securityContextCapabilities: {}
# drop:
# - NET_RAW
checkDeprecation: true
awsSecurityGroupPolicies:
enabled: false
policies:
- name: ""
securityGroupIds: []
podSelector: {}