From b91d2192bae2706905c1bd82d1315b1f45657010 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=8C=AF=E5=AE=87?= <> Date: Thu, 16 Jan 2025 17:00:31 +0800 Subject: [PATCH] feat(k8s): add Jenkins certificate and Azure Blob Storage configuration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 孙振宇 <> --- .../argo-cd/values.yaml | 551 +++---- .../freeleaps-devops-system/jenkins/.gitkeep | 0 .../jenkins/certificate.yaml | 13 + .../freeleaps-devops-system/jenkins/pv.yaml | 14 - .../jenkins/values.yaml | 1374 +++++++++++++++++ .../storage-classes.yaml | 262 +--- .../tests/test-statefulsets.yaml | 42 + first-class-pipeline/.gitkeep | 0 8 files changed, 1721 insertions(+), 535 deletions(-) delete mode 100644 cluster/manifests/freeleaps-devops-system/jenkins/.gitkeep create mode 100644 cluster/manifests/freeleaps-devops-system/jenkins/certificate.yaml delete mode 100644 cluster/manifests/freeleaps-devops-system/jenkins/pv.yaml create mode 100644 cluster/manifests/freeleaps-devops-system/jenkins/values.yaml create mode 100644 cluster/manifests/freeleaps-storage-system/azure-blob-storage-csi/tests/test-statefulsets.yaml delete mode 100644 first-class-pipeline/.gitkeep diff --git a/cluster/manifests/freeleaps-devops-system/argo-cd/values.yaml b/cluster/manifests/freeleaps-devops-system/argo-cd/values.yaml index 3d4c6c1c..6e396b38 100644 --- a/cluster/manifests/freeleaps-devops-system/argo-cd/values.yaml +++ b/cluster/manifests/freeleaps-devops-system/argo-cd/values.yaml 
@@ -606,10 +606,10 @@ server: ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#tls-certificates-used-by-argocd-server certificate: # -- Deploy a Certificate resource (requires cert-manager) - enabled: false + enabled: true # -- Certificate primary domain (commonName) # @default -- `""` (defaults to global.domain) - domain: "" + domain: "argo.mathmast.com" # -- Certificate Subject Alternate Names (SANs) additionalHosts: [] # -- The requested 'duration' (i.e. lifetime) of the certificate. @@ -624,11 +624,11 @@ server: ## Ref: https://cert-manager.io/docs/concepts/issuer issuer: # -- Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io` - group: "" + group: "cert-manager.io" # -- Certificate issuer kind. Either `Issuer` or `ClusterIssuer` - kind: "" + kind: "ClusterIssuer" # -- Certificate issuer name. Eg. `letsencrypt` - name: "" + name: "mathmast-dot-com" # Private key of the certificate privateKey: # -- Rotation policy of private key when certificate is re-issued. Either: `Never` or `Always` @@ -703,7 +703,7 @@ server: ## Server metrics service configuration metrics: # -- Deploy metrics service - enabled: false + enabled: true service: # -- Metrics service type type: ClusterIP @@ -719,7 +719,7 @@ server: portName: http-metrics serviceMonitor: # -- Enable a prometheus ServiceMonitor - enabled: false + enabled: true # -- Prometheus ServiceMonitor interval interval: 30s # -- Prometheus ServiceMonitor scrapeTimeout. If empty, Prometheus uses the global scrape timeout unless it is less than the target's scrape interval value in which the latter is used. @@ -739,7 +739,7 @@ server: # -- Prometheus ServiceMonitor tlsConfig tlsConfig: {} # -- Prometheus ServiceMonitor namespace - namespace: "" # monitoring + namespace: "freeleaps-monitoring-system" # monitoring # -- Prometheus ServiceMonitor labels additionalLabels: {} # -- Prometheus ServiceMonitor annotations 
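Review bot: The hostname is now hard-coded twice, as `domain: "argo.mathmast.com"` in the certificate hunk here and as `hostname: "argo.mathmast.com"` in the ingress hunk on the next line, while the chart comments in both hunks say each value defaults to `global.domain`; unless `global.domain` is already set elsewhere in the file, set `global.domain: argo.mathmast.com` once and leave both overrides at their defaults so the Certificate SANs and the ingress host cannot drift apart. The `privateKey` block that follows the issuer change is outside the hunk; worth confirming its `rotationPolicy` is `Always` so renewals through the `mathmast-dot-com` ClusterIssuer generate a fresh key rather than reusing the old one.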
@@ -763,7 +763,7 @@ server: # Argo CD server ingress configuration ingress: # -- Enable an ingress resource for the Argo CD server - enabled: false + enabled: true # -- Specific implementation for ingress controller. One of `generic`, `aws` or `gke` ## Additional configuration might be required in related configuration sections controller: generic @@ -776,11 +776,11 @@ server: # nginx.ingress.kubernetes.io/ssl-passthrough: "true" # -- Defines which ingress controller will implement the resource - ingressClassName: "" + ingressClassName: "nginx" # -- Argo CD server hostname # @default -- `""` (defaults to global.domain) - hostname: "" + hostname: "argo.mathmast.com" # -- The path to Argo CD server path: / @@ -791,7 +791,7 @@ server: # -- Enable TLS configuration for the hostname defined at `server.ingress.hostname` ## TLS certificate will be retrieved from a TLS secret `argocd-server-tls` ## You can create this secret via `certificate` or `certificateSecret` option - tls: false + tls: true # -- The list of additional hostnames to be covered by ingress record # @default -- `[]` (See [values.yaml]) @@ -1280,7 +1280,7 @@ repoServer: ## Repo server metrics service configuration metrics: # -- Deploy metrics service - enabled: false + enabled: true service: # -- Metrics service type type: ClusterIP @@ -1296,7 +1296,7 @@ repoServer: portName: http-metrics serviceMonitor: # -- Enable a prometheus ServiceMonitor - enabled: false + enabled: true # -- Prometheus ServiceMonitor interval interval: 30s # -- Prometheus ServiceMonitor scrapeTimeout. If empty, Prometheus uses the global scrape timeout unless it is less than the target's scrape interval value in which the latter is used. 
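Review bot: `tls: true` together with `ingressClassName: "nginx"` terminates TLS at the ingress while the `nginx.ingress.kubernetes.io/ssl-passthrough` annotation just above stays commented out, so nginx forwards plain HTTP to argocd-server, which by default serves TLS only and redirects HTTP to HTTPS; unless `configs.params` sets `server.insecure: true` elsewhere in the file (not visible in this hunk), the UI will most likely end in a redirect loop. Either uncomment the passthrough annotation (argocd-server then presents `argocd-server-tls` itself) or set `server.insecure: true` under `configs.params` and keep termination at the ingress, and record which mode is intended in a comment next to `tls: true`.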
@@ -1316,7 +1316,7 @@ repoServer: # -- Prometheus ServiceMonitor tlsConfig tlsConfig: {} # -- Prometheus ServiceMonitor namespace - namespace: "" # "monitoring" + namespace: "freeleaps-monitoring-system" # "monitoring" # -- Prometheus ServiceMonitor labels additionalLabels: {} # -- Prometheus ServiceMonitor annotations @@ -1443,7 +1443,7 @@ applicationSet: ## Metrics service configuration metrics: # -- Deploy metrics service - enabled: false + enabled: true service: # -- Metrics service type type: ClusterIP @@ -1459,7 +1459,7 @@ applicationSet: portName: http-metrics serviceMonitor: # -- Enable a prometheus ServiceMonitor - enabled: false + enabled: true # -- Prometheus ServiceMonitor interval interval: 30s # -- Prometheus ServiceMonitor scrapeTimeout. If empty, Prometheus uses the global scrape timeout unless it is less than the target's scrape interval value in which the latter is used. @@ -1479,7 +1479,7 @@ applicationSet: # -- Prometheus ServiceMonitor tlsConfig tlsConfig: {} # -- Prometheus ServiceMonitor namespace - namespace: "" # monitoring + namespace: "freeleaps-monitoring-system" # monitoring # -- Prometheus ServiceMonitor labels additionalLabels: {} # -- Prometheus ServiceMonitor annotations @@ -1561,7 +1561,7 @@ applicationSet: ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ readinessProbe: # -- Enable Kubernetes liveness probe for ApplicationSet controller - enabled: false + enabled: true # -- Number of seconds after the container has started before [probe] is initiated initialDelaySeconds: 10 # -- How often (in seconds) to perform the [probe] @@ -1575,7 +1575,7 @@ applicationSet: livenessProbe: # -- Enable Kubernetes liveness probe for ApplicationSet controller - enabled: false + enabled: true # -- Number of seconds after the container has started before [probe] is initiated initialDelaySeconds: 10 # -- How often (in seconds) to perform the [probe] 
@@ -1849,7 +1849,7 @@ notifications: metrics: # -- Enables prometheus metrics server - enabled: false + enabled: true # -- Metrics port port: 9001 service: @@ -1865,7 +1865,7 @@ notifications: portName: http-metrics serviceMonitor: # -- Enable a prometheus ServiceMonitor - enabled: false + enabled: true # -- Prometheus ServiceMonitor selector selector: {} # prometheus: kube-prometheus @@ -1873,7 +1873,7 @@ notifications: additionalLabels: {} # -- Prometheus ServiceMonitor annotations annotations: {} - # namespace: monitoring + namespace: freeleaps-monitoring-system # interval: 30s # scrapeTimeout: 10s # -- Prometheus ServiceMonitor scheme @@ -1890,7 +1890,10 @@ notifications: # -- Configures notification services such as slack, email or custom webhook # @default -- See [values.yaml] ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/overview/ - notifiers: {} + notifiers: + service.teams: | + recipientUrls: + freeleaps-teams: https://netorgft10898514.webhook.office.com/webhookb2/302556e5-c211-4f38-b482-2062d104c679@cf151ee8-5c2c-4fe7-a1c4-809ba43c9f24/IncomingWebhook/4257b37399044f0d8b1ad41653b0c415/f821920b-1659-40c2-a4b4-4730089b7134 # service.slack: | # token: $slack-token @@ -1938,7 +1941,7 @@ notifications: ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ readinessProbe: # -- Enable Kubernetes liveness probe for notifications controller Pods - enabled: false + enabled: true # -- Number of seconds after the container has started before [probe] is initiated initialDelaySeconds: 10 # -- How often (in seconds) to perform the [probe] @@ -1952,7 +1955,7 @@ notifications: livenessProbe: # -- Enable Kubernetes liveness probe for notifications controller Pods - enabled: false + enabled: true # -- Number of seconds after the container has started before [probe] is initiated initialDelaySeconds: 10 # -- How often (in seconds) to perform the [probe] 
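Review bot: The Teams incoming-webhook URL under `notifiers` / `service.teams` is committed in clear text; anyone who can read the repository can post arbitrary messages into that channel, and rotating it requires a new commit. Argo CD notification services resolve `$name` references against `argocd-notifications-secret` (the commented Slack example right below uses `token: $slack-token`), so put the URL in `notifications.secret.items` or an externally managed secret and write `freeleaps-teams: $teams-webhook-url` here, then rotate the webhook that is already in the git history. The ServiceMonitor hunk on this line writes `namespace: freeleaps-monitoring-system` unquoted where the server, repoServer and applicationSet hunks quote the same value; harmless, but worth making consistent.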
@@ -2039,256 +2042,256 @@ notifications: # -- The notification template is used to generate the notification content ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/templates/ - templates: {} - # template.app-deployed: | - # email: - # subject: New version of an application {{.app.metadata.name}} is up and running. - # message: | - # {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} is now running new version of deployments manifests. - # slack: - # attachments: | - # [{ - # "title": "{{ .app.metadata.name}}", - # "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", - # "color": "#18be52", - # "fields": [ - # { - # "title": "Sync Status", - # "value": "{{.app.status.sync.status}}", - # "short": true - # }, - # { - # "title": "Repository", - # "value": "{{.app.spec.source.repoURL}}", - # "short": true - # }, - # { - # "title": "Revision", - # "value": "{{.app.status.sync.revision}}", - # "short": true - # } - # {{range $index, $c := .app.status.conditions}} - # {{if not $index}},{{end}} - # {{if $index}},{{end}} - # { - # "title": "{{$c.type}}", - # "value": "{{$c.message}}", - # "short": true - # } - # {{end}} - # ] - # }] - # template.app-health-degraded: | - # email: - # subject: Application {{.app.metadata.name}} has degraded. - # message: | - # {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} has degraded. - # Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}. 
- # slack: - # attachments: |- - # [{ - # "title": "{{ .app.metadata.name}}", - # "title_link": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", - # "color": "#f4c030", - # "fields": [ - # { - # "title": "Sync Status", - # "value": "{{.app.status.sync.status}}", - # "short": true - # }, - # { - # "title": "Repository", - # "value": "{{.app.spec.source.repoURL}}", - # "short": true - # } - # {{range $index, $c := .app.status.conditions}} - # {{if not $index}},{{end}} - # {{if $index}},{{end}} - # { - # "title": "{{$c.type}}", - # "value": "{{$c.message}}", - # "short": true - # } - # {{end}} - # ] - # }] - # template.app-sync-failed: | - # email: - # subject: Failed to sync application {{.app.metadata.name}}. - # message: | - # {{if eq .serviceType "slack"}}:exclamation:{{end}} The sync operation of application {{.app.metadata.name}} has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}} - # Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true . - # slack: - # attachments: |- - # [{ - # "title": "{{ .app.metadata.name}}", - # "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", - # "color": "#E96D76", - # "fields": [ - # { - # "title": "Sync Status", - # "value": "{{.app.status.sync.status}}", - # "short": true - # }, - # { - # "title": "Repository", - # "value": "{{.app.spec.source.repoURL}}", - # "short": true - # } - # {{range $index, $c := .app.status.conditions}} - # {{if not $index}},{{end}} - # {{if $index}},{{end}} - # { - # "title": "{{$c.type}}", - # "value": "{{$c.message}}", - # "short": true - # } - # {{end}} - # ] - # }] - # template.app-sync-running: | - # email: - # subject: Start syncing application {{.app.metadata.name}}. - # message: | - # The sync operation of application {{.app.metadata.name}} has started at {{.app.status.operationState.startedAt}}. 
- # Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true . - # slack: - # attachments: |- - # [{ - # "title": "{{ .app.metadata.name}}", - # "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", - # "color": "#0DADEA", - # "fields": [ - # { - # "title": "Sync Status", - # "value": "{{.app.status.sync.status}}", - # "short": true - # }, - # { - # "title": "Repository", - # "value": "{{.app.spec.source.repoURL}}", - # "short": true - # } - # {{range $index, $c := .app.status.conditions}} - # {{if not $index}},{{end}} - # {{if $index}},{{end}} - # { - # "title": "{{$c.type}}", - # "value": "{{$c.message}}", - # "short": true - # } - # {{end}} - # ] - # }] - # template.app-sync-status-unknown: | - # email: - # subject: Application {{.app.metadata.name}} sync status is 'Unknown' - # message: | - # {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} sync is 'Unknown'. - # Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}. - # {{if ne .serviceType "slack"}} - # {{range $c := .app.status.conditions}} - # * {{$c.message}} - # {{end}} - # {{end}} - # slack: - # attachments: |- - # [{ - # "title": "{{ .app.metadata.name}}", - # "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", - # "color": "#E96D76", - # "fields": [ - # { - # "title": "Sync Status", - # "value": "{{.app.status.sync.status}}", - # "short": true - # }, - # { - # "title": "Repository", - # "value": "{{.app.spec.source.repoURL}}", - # "short": true - # } - # {{range $index, $c := .app.status.conditions}} - # {{if not $index}},{{end}} - # {{if $index}},{{end}} - # { - # "title": "{{$c.type}}", - # "value": "{{$c.message}}", - # "short": true - # } - # {{end}} - # ] - # }] - # template.app-sync-succeeded: | - # email: - # subject: Application {{.app.metadata.name}} has been successfully synced. 
- # message: | - # {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}. - # Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true . - # slack: - # attachments: |- - # [{ - # "title": "{{ .app.metadata.name}}", - # "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", - # "color": "#18be52", - # "fields": [ - # { - # "title": "Sync Status", - # "value": "{{.app.status.sync.status}}", - # "short": true - # }, - # { - # "title": "Repository", - # "value": "{{.app.spec.source.repoURL}}", - # "short": true - # } - # {{range $index, $c := .app.status.conditions}} - # {{if not $index}},{{end}} - # {{if $index}},{{end}} - # { - # "title": "{{$c.type}}", - # "value": "{{$c.message}}", - # "short": true - # } - # {{end}} - # ] - # }] + templates: + template.app-deployed: | + email: + subject: New version of an application {{.app.metadata.name}} is up and running. + message: | + {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} is now running new version of deployments manifests. + slack: + attachments: | + [{ + "title": "{{ .app.metadata.name}}", + "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", + "color": "#18be52", + "fields": [ + { + "title": "Sync Status", + "value": "{{.app.status.sync.status}}", + "short": true + }, + { + "title": "Repository", + "value": "{{.app.spec.source.repoURL}}", + "short": true + }, + { + "title": "Revision", + "value": "{{.app.status.sync.revision}}", + "short": true + } + {{range $index, $c := .app.status.conditions}} + {{if not $index}},{{end}} + {{if $index}},{{end}} + { + "title": "{{$c.type}}", + "value": "{{$c.message}}", + "short": true + } + {{end}} + ] + }] + template.app-health-degraded: | + email: + subject: Application {{.app.metadata.name}} has degraded. 
+ message: | + {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} has degraded. + Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}. + slack: + attachments: |- + [{ + "title": "{{ .app.metadata.name}}", + "title_link": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", + "color": "#f4c030", + "fields": [ + { + "title": "Sync Status", + "value": "{{.app.status.sync.status}}", + "short": true + }, + { + "title": "Repository", + "value": "{{.app.spec.source.repoURL}}", + "short": true + } + {{range $index, $c := .app.status.conditions}} + {{if not $index}},{{end}} + {{if $index}},{{end}} + { + "title": "{{$c.type}}", + "value": "{{$c.message}}", + "short": true + } + {{end}} + ] + }] + template.app-sync-failed: | + email: + subject: Failed to sync application {{.app.metadata.name}}. + message: | + {{if eq .serviceType "slack"}}:exclamation:{{end}} The sync operation of application {{.app.metadata.name}} has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}} + Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true . + slack: + attachments: |- + [{ + "title": "{{ .app.metadata.name}}", + "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", + "color": "#E96D76", + "fields": [ + { + "title": "Sync Status", + "value": "{{.app.status.sync.status}}", + "short": true + }, + { + "title": "Repository", + "value": "{{.app.spec.source.repoURL}}", + "short": true + } + {{range $index, $c := .app.status.conditions}} + {{if not $index}},{{end}} + {{if $index}},{{end}} + { + "title": "{{$c.type}}", + "value": "{{$c.message}}", + "short": true + } + {{end}} + ] + }] + template.app-sync-running: | + email: + subject: Start syncing application {{.app.metadata.name}}. 
+ message: | + The sync operation of application {{.app.metadata.name}} has started at {{.app.status.operationState.startedAt}}. + Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true . + slack: + attachments: |- + [{ + "title": "{{ .app.metadata.name}}", + "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", + "color": "#0DADEA", + "fields": [ + { + "title": "Sync Status", + "value": "{{.app.status.sync.status}}", + "short": true + }, + { + "title": "Repository", + "value": "{{.app.spec.source.repoURL}}", + "short": true + } + {{range $index, $c := .app.status.conditions}} + {{if not $index}},{{end}} + {{if $index}},{{end}} + { + "title": "{{$c.type}}", + "value": "{{$c.message}}", + "short": true + } + {{end}} + ] + }] + template.app-sync-status-unknown: | + email: + subject: Application {{.app.metadata.name}} sync status is 'Unknown' + message: | + {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} sync is 'Unknown'. + Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}. + {{if ne .serviceType "slack"}} + {{range $c := .app.status.conditions}} + * {{$c.message}} + {{end}} + {{end}} + slack: + attachments: |- + [{ + "title": "{{ .app.metadata.name}}", + "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", + "color": "#E96D76", + "fields": [ + { + "title": "Sync Status", + "value": "{{.app.status.sync.status}}", + "short": true + }, + { + "title": "Repository", + "value": "{{.app.spec.source.repoURL}}", + "short": true + } + {{range $index, $c := .app.status.conditions}} + {{if not $index}},{{end}} + {{if $index}},{{end}} + { + "title": "{{$c.type}}", + "value": "{{$c.message}}", + "short": true + } + {{end}} + ] + }] + template.app-sync-succeeded: | + email: + subject: Application {{.app.metadata.name}} has been successfully synced. 
+ message: | + {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}. + Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true . + slack: + attachments: |- + [{ + "title": "{{ .app.metadata.name}}", + "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", + "color": "#18be52", + "fields": [ + { + "title": "Sync Status", + "value": "{{.app.status.sync.status}}", + "short": true + }, + { + "title": "Repository", + "value": "{{.app.spec.source.repoURL}}", + "short": true + } + {{range $index, $c := .app.status.conditions}} + {{if not $index}},{{end}} + {{if $index}},{{end}} + { + "title": "{{$c.type}}", + "value": "{{$c.message}}", + "short": true + } + {{end}} + ] + }] # -- The trigger defines the condition when the notification should be sent ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/ - triggers: {} - # trigger.on-deployed: | - # - description: Application is synced and healthy. Triggered once per commit. 
- # oncePer: app.status.sync.revision - # send: - # - app-deployed - # when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy' - # trigger.on-health-degraded: | - # - description: Application has degraded - # send: - # - app-health-degraded - # when: app.status.health.status == 'Degraded' - # trigger.on-sync-failed: | - # - description: Application syncing has failed - # send: - # - app-sync-failed - # when: app.status.operationState.phase in ['Error', 'Failed'] - # trigger.on-sync-running: | - # - description: Application is being synced - # send: - # - app-sync-running - # when: app.status.operationState.phase in ['Running'] - # trigger.on-sync-status-unknown: | - # - description: Application status is 'Unknown' - # send: - # - app-sync-status-unknown - # when: app.status.sync.status == 'Unknown' - # trigger.on-sync-succeeded: | - # - description: Application syncing has succeeded - # send: - # - app-sync-succeeded - # when: app.status.operationState.phase in ['Succeeded'] + triggers: + trigger.on-deployed: | + - description: Application is synced and healthy. Triggered once per commit. 
+ oncePer: app.status.sync.revision + send: + - app-deployed + when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy' + trigger.on-health-degraded: | + - description: Application has degraded + send: + - app-health-degraded + when: app.status.health.status == 'Degraded' + trigger.on-sync-failed: | + - description: Application syncing has failed + send: + - app-sync-failed + when: app.status.operationState.phase in ['Error', 'Failed'] + trigger.on-sync-running: | + - description: Application is being synced + send: + - app-sync-running + when: app.status.operationState.phase in ['Running'] + trigger.on-sync-status-unknown: | + - description: Application status is 'Unknown' + send: + - app-sync-status-unknown + when: app.status.sync.status == 'Unknown' + trigger.on-sync-succeeded: | + - description: Application syncing has succeeded + send: + - app-sync-succeeded + when: app.status.operationState.phase in ['Succeeded'] # # For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/#default-triggers - # defaultTriggers: | - # - on-sync-status-unknown + defaultTriggers: | + - on-sync-status-unknown diff --git a/cluster/manifests/freeleaps-devops-system/jenkins/.gitkeep b/cluster/manifests/freeleaps-devops-system/jenkins/.gitkeep deleted file mode 100644 index e69de29b..00000000 diff --git a/cluster/manifests/freeleaps-devops-system/jenkins/certificate.yaml b/cluster/manifests/freeleaps-devops-system/jenkins/certificate.yaml new file mode 100644 index 00000000..f597e702 --- /dev/null +++ b/cluster/manifests/freeleaps-devops-system/jenkins/certificate.yaml 
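Review bot: The templates uncommented in this hunk (it starts at the `@@ -2039,256` header several lines up) carry only `email:` and `slack:` payloads, but the only notifier this commit configures is `service.teams`, so Teams receives just the plain `message` text and the Slack attachments are dead configuration. The Teams service renders its own template keys (`teams.title`, `teams.text`, `teams.themeColor`, `teams.facts` per the Argo CD notifications docs), so each template should get a `teams:` block, or the unused `slack:` sections should be dropped; an example for `template.app-sync-failed` is below. `defaultTriggers` now fires only `on-sync-status-unknown`, so applications still need `notifications.argoproj.io/subscribe.<trigger>.teams` annotations for the other triggers — worth a comment above `defaultTriggers:` saying so.
```yaml
template.app-sync-failed: |
  email:
    subject: Failed to sync application {{.app.metadata.name}}.
  # … unchanged: email message and slack attachments …
  teams:
    themeColor: "#E96D76"
    title: Failed to sync application {{.app.metadata.name}}
    text: The sync operation of application {{.app.metadata.name}} has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}}
    facts: |
      [{
        "name": "Sync Status",
        "value": "{{.app.status.sync.status}}"
      },
      {
        "name": "Repository",
        "value": "{{.app.spec.source.repoURL}}"
      }]
```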
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: jenkins-dot-mathmast-dot-com
+ namespace: freeleaps-devops-system
+spec:
+ commonName: jenkins.mathmast.com
+ dnsNames:
+ - jenkins.mathmast.com
+ issuerRef:
+ kind: ClusterIssuer
+ name: mathmast-dot-com
+ secretName: jenkins-dot-mathmast-dot-com-tls
\ No newline at end of file
diff --git a/cluster/manifests/freeleaps-devops-system/jenkins/pv.yaml b/cluster/manifests/freeleaps-devops-system/jenkins/pv.yaml
deleted file mode 100644
index d4e41096..00000000
--- a/cluster/manifests/freeleaps-devops-system/jenkins/pv.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: jenkins-pv
- namespace: freeleaps-devops-system
-spec:
- storageClassName: freeleaps-node-local
- accessModes:
- - ReadWriteOnce
- capacity:
- storage: 20Gi
- persistentVolumeReclaimPolicy: Retain
- hostPath:
- path: /mnt/data/jenkins
\ No newline at end of file
diff --git a/cluster/manifests/freeleaps-devops-system/jenkins/values.yaml b/cluster/manifests/freeleaps-devops-system/jenkins/values.yaml
new file mode 100644
index 00000000..26c184d9
--- /dev/null
+++ b/cluster/manifests/freeleaps-devops-system/jenkins/values.yaml
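Review bot: In certificate.yaml the Certificate sets no `privateKey.rotationPolicy`, so cert-manager keeps its default `Never` and reuses the same private key at every renewal through the `mathmast-dot-com` ClusterIssuer; add `privateKey:` with `rotationPolicy: Always` under `spec` so a reissued certificate gets a fresh key. The file also lacks a `---` document start and ends without a trailing newline (`\ No newline at end of file`). Whether `secretName: jenkins-dot-mathmast-dot-com-tls` matches the TLS secret the Jenkins ingress is configured with cannot be checked from this hunk, since the ingress block of the new values.yaml is not in view.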
@@ -0,0 +1,1374 @@ +# Default values for jenkins. +# This is a YAML-formatted file. +# Declare name/value pairs to be passed into your templates. +# name: value + +## Overrides for generated resource names +# See templates/_helpers.tpl +# -- Override the resource name prefix +# @default -- `Chart.Name` +nameOverride: +# -- Override the full resource names +# @default -- `jenkins-(release-name)` or `jenkins` if the release-name is `jenkins` +fullnameOverride: +# -- Override the deployment namespace +# @default -- `Release.Namespace` +namespaceOverride: freeleaps-devops-system + +# For FQDN resolving of the controller service. Change this value to match your existing configuration. +# ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md +# -- Override the cluster name for FQDN resolving +clusterZone: "freeleaps.cluster" + +# -- The URL of the Kubernetes API server +kubernetesURL: "https://kubernetes.default" + +# -- The Jenkins credentials to access the Kubernetes API server. For the default cluster it is not needed. +credentialsId: + +# -- Enables rendering of the helm.sh/chart label to the annotations +renderHelmLabels: true + +controller: + # -- Used for label app.kubernetes.io/component + componentName: "jenkins-controller" + image: + # -- Controller image registry + registry: "docker.io" + # -- Controller image repository + repository: "jenkins/jenkins" + + # -- Controller image tag override; i.e., tag: "2.440.1-jdk17" + tag: + + # -- Controller image tag label + tagLabel: jdk17 + # -- Controller image pull policy + pullPolicy: "Always" + # -- Controller image pull secret + imagePullSecretName: + # -- Lifecycle specification for controller-container + lifecycle: {} + # postStart: + # exec: + # command: + # - "uname" + # - "-a" + + # -- Disable use of remember me + disableRememberMe: true + + # -- Set Number of executors + numExecutors: 0 + + # -- Sets the executor mode of the Jenkins node. 
Possible values are "NORMAL" or "EXCLUSIVE" + executorMode: "NORMAL" + + # -- Append Jenkins labels to the controller + customJenkinsLabels: [] + + hostNetworking: false + + # When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist. + # If you disable the non-Jenkins identity store and instead use the Jenkins internal one, + # you should revert controller.admin.username to your preferred admin user: + admin: + + # -- Admin username created as a secret if `controller.admin.createSecret` is true + username: "admin" + # -- Admin password created as a secret if `controller.admin.createSecret` is true + # @default -- + password: r6Y@QTb*7BQN@hDGsN + + # -- The key in the existing admin secret containing the username + userKey: jenkins-admin-user + # -- The key in the existing admin secret containing the password + passwordKey: jenkins-admin-password + + # The default configuration uses this secret to configure an admin user + # If you don't need that user or use a different security realm, then you can disable it + # -- Create secret for admin user + createSecret: true + + # -- The name of an existing secret containing the admin credentials + existingSecret: "" + # -- Email address for the administrator of the Jenkins instance + jenkinsAdminEmail: jetli@mathmast.com + + # This value should not be changed unless you use your custom image of jenkins or any derived from. + # If you want to use Cloudbees Jenkins Distribution docker, you should set jenkinsHome: "/var/cloudbees-jenkins-distribution" + # -- Custom Jenkins home path + jenkinsHome: "/var/jenkins_home" + + # This value should not be changed unless you use your custom image of jenkins or any derived from. 
+ # If you want to use Cloudbees Jenkins Distribution docker, you should set jenkinsRef: "/usr/share/cloudbees-jenkins-distribution/ref"
+ # -- Custom Jenkins reference path
+ jenkinsRef: "/usr/share/jenkins/ref"
+
+ # Path to the jenkins war file which is used by jenkins-plugin-cli.
+ jenkinsWar: "/usr/share/jenkins/jenkins.war"
+ # Override the default arguments passed to the war
+ # overrideArgs:
+ # - --httpPort=8080
+
+ # -- Resource allocation (Requests and Limits)
+ resources:
+ requests:
+ cpu: "50m"
+ memory: "256Mi"
+ limits:
+ cpu: "2000m"
+ memory: "4096Mi"
+
+ # Share process namespace to allow sidecar containers to interact with processes in other containers in the same pod
+ shareProcessNamespace: false
+
+ # Service links might cause issue if running in a namespace with a large amount of services
+ # that might cause a slow startup when plugins are copied from ref to volume
+ # Set to true to keep previous behavior
+ # See https://github.com/kubernetes/kubernetes/issues/121787
+ enableServiceLinks: false
+
+ # Overrides the init container default values
+ # -- Resources allocation (Requests and Limits) for Init Container
+ initContainerResources: {}
+ # initContainerResources:
+ # requests:
+ # cpu: "50m"
+ # memory: "256Mi"
+ # limits:
+ # cpu: "2000m"
+ # memory: "4096Mi"
+ # -- Environment variable sources for Init Container
+ initContainerEnvFrom: []
+
+ # useful for i.e., http_proxy
+ # -- Environment variables for Init Container
+ initContainerEnv: []
+ # initContainerEnv:
+ # - name: http_proxy
+ # value: "http://192.168.64.1:3128"
+
+ # -- Environment variable sources for Jenkins Container
+ containerEnvFrom: []
+
+ # -- Environment variables for Jenkins Container
+ containerEnv: []
+ # - name: http_proxy
+ # value: "http://192.168.64.1:3128"
+
+ # Set min/max heap here if needed with "-Xms512m -Xmx512m"
+ # -- Append to `JAVA_OPTS` env var
+ javaOpts:
+ # -- Append to `JENKINS_OPTS` env var
+ jenkinsOpts:
+
+ # If you are using the ingress definitions provided by this chart via the `controller.ingress` block,
+ # the configured hostname will be the ingress hostname starting with `https://`
+ # or `http://` depending on the `tls` configuration.
+ # The Protocol can be overwritten by specifying `controller.jenkinsUrlProtocol`.
+ # -- Set protocol for Jenkins URL; `https` if `controller.ingress.tls`, `http` otherwise
+ jenkinsUrlProtocol:
+
+ # -- Set Jenkins URL if you are not using the ingress definitions provided by the chart
+ jenkinsUrl: https://jenkins.mathmast.com
+
+ # If you set this prefix and use ingress controller, then you might want to set the ingress path below
+ # I.e., "/jenkins"
+ # -- Root URI Jenkins will be served on
+ jenkinsUriPrefix:
+
+ # -- Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set)
+ usePodSecurityContext: true
+
+ # Note that `runAsUser`, `fsGroup`, and `securityContextCapabilities` are
+ # being deprecated and replaced by `podSecurityContextOverride`.
+ # Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins', which exists in 'jenkins/jenkins' docker image.
+ # When configuring runAsUser to a different value than 0 also set fsGroup to the same value:
+ # -- Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with.
+ runAsUser: 1000
+
+ # -- Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume.
+ fsGroup: 1000
+
+ # If you have PodSecurityPolicies that require dropping of capabilities as suggested by CIS K8s benchmark, put them here
+ # securityContextCapabilities:
+ # drop:
+ # - NET_RAW
+ securityContextCapabilities: {}
+
+ # In the case of mounting an ext4 filesystem, it might be desirable to use `supplementalGroups` instead of `fsGroup` in
+ # the `securityContext` block: https://github.com/kubernetes/kubernetes/issues/67014#issuecomment-589915496
+ # podSecurityContextOverride:
+ # runAsUser: 1000
+ # runAsNonRoot: true
+ # supplementalGroups: [1000]
+ # capabilities: {}
+ # -- Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, `fsGroup`, and `securityContextCapabilities`
+ podSecurityContextOverride: ~
+
+ # -- Allow controlling the securityContext for the jenkins container
+ containerSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+
+ # For minikube, set this to NodePort, elsewhere uses LoadBalancer
+ # Use ClusterIP if your setup includes ingress controller
+ # -- k8s service type
+ serviceType: ClusterIP
+
+ # -- k8s service clusterIP. Only used if serviceType is ClusterIP
+ clusterIp:
+ # -- k8s service port
+ servicePort: 8080
+ # -- k8s target port
+ targetPort: 8080
+ # -- k8s node port. Only used if serviceType is NodePort
+ nodePort:
+
+ # Use Local to preserve the client source IP and avoids a second hop for LoadBalancer and NodePort type services,
+ # but risks potentially imbalanced traffic spreading.
+ serviceExternalTrafficPolicy:
+
+ # If enabled, the controller is available through its service before its pods reports ready. Makes startup screen and
+ # auto-reload on restart feature possible.
+ publishNotReadyAddresses: true
+
+ # -- Jenkins controller service annotations
+ serviceAnnotations: {}
+ # -- Jenkins controller custom labels for the StatefulSet
+ statefulSetLabels: {}
+ # foo: bar
+ # bar: foo
+ # -- Labels for the Jenkins controller-service
+ serviceLabels: {}
+ # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
+
+ # Put labels on Jenkins controller pod
+ # -- Custom Pod labels (an object with `label-key: label-value` pairs)
+ podLabels: {}
+
+ # Enable Kubernetes Startup, Liveness and Readiness Probes
+ # if Startup Probe is supported, enable it too
+ # ~ 2 minutes to allow Jenkins to restart when upgrading plugins. Set ReadinessTimeout to be shorter than LivenessTimeout.
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes
+ # -- Enable Kubernetes Probes configuration configured in `controller.probes`
+ healthProbes: true
+
+ probes:
+ startupProbe:
+ # -- Set the failure threshold for the startup probe
+ failureThreshold: 12
+ httpGet:
+ # -- Set the Pod's HTTP path for the startup probe
+ path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login'
+ # -- Set the Pod's HTTP port to use for the startup probe
+ port: http
+ # -- Set the time interval between two startup probes executions in seconds
+ periodSeconds: 10
+ # -- Set the timeout for the startup probe in seconds
+ timeoutSeconds: 5
+
+ livenessProbe:
+ # -- Set the failure threshold for the liveness probe
+ failureThreshold: 5
+ httpGet:
+ # -- Set the Pod's HTTP path for the liveness probe
+ path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login'
+ # -- Set the Pod's HTTP port to use for the liveness probe
+ port: http
+ # -- Set the time interval between two liveness probes executions in seconds
+ periodSeconds: 10
+ # -- Set the timeout for the liveness probe in seconds
+ timeoutSeconds: 5
+
+ # If Startup Probe is not supported on your Kubernetes cluster, you might want to use "initialDelaySeconds" instead.
+ # It delays the initial liveness probe while Jenkins is starting
+ # -- Set the initial delay for the liveness probe in seconds
+ initialDelaySeconds:
+
+ readinessProbe:
+ # -- Set the failure threshold for the readiness probe
+ failureThreshold: 3
+ httpGet:
+ # -- Set the Pod's HTTP path for the liveness probe
+ path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login'
+ # -- Set the Pod's HTTP port to use for the readiness probe
+ port: http
+ # -- Set the time interval between two readiness probes executions in seconds
+ periodSeconds: 10
+ # -- Set the timeout for the readiness probe in seconds
+ timeoutSeconds: 5
+
+ # If Startup Probe is not supported on your Kubernetes cluster, you might want to use "initialDelaySeconds" instead.
+ # It delays the initial readiness probe while Jenkins is starting
+ # -- Set the initial delay for the readiness probe in seconds
+ initialDelaySeconds:
+
+ # PodDisruptionBudget config
+ podDisruptionBudget:
+ # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+
+ # -- Enable Kubernetes Pod Disruption Budget configuration
+ enabled: false
+
+ # For Kubernetes v1.5+, use 'policy/v1beta1'
+ # For Kubernetes v1.21+, use 'policy/v1'
+ # -- Policy API version
+ apiVersion: "policy/v1beta1"
+
+ annotations: {}
+ labels: {}
+ # -- Number of pods that can be unavailable. Either an absolute number or a percentage
+ maxUnavailable: "0"
+
+ # -- Create Agent listener service
+ agentListenerEnabled: true
+ # -- Listening port for agents
+ agentListenerPort: 50000
+ # -- Host port to listen for agents
+ agentListenerHostPort:
+ # -- Node port to listen for agents
+ agentListenerNodePort:
+
+ # ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-policies
+ # -- Traffic Policy of for the agentListener service
+ agentListenerExternalTrafficPolicy:
+ # -- Allowed inbound IP for the agentListener service
+ agentListenerLoadBalancerSourceRanges:
+ - 0.0.0.0/0
+ # -- Disabled agent protocols
+ disabledAgentProtocols:
+ - JNLP-connect
+ - JNLP2-connect
+ csrf:
+ defaultCrumbIssuer:
+ # -- Enable the default CSRF Crumb issuer
+ enabled: true
+ # -- Enable proxy compatibility
+ proxyCompatability: true
+
+ # Kubernetes service type for the JNLP agent service
+ # agentListenerServiceType is the Kubernetes Service type for the JNLP agent service,
+ # either 'LoadBalancer', 'NodePort', or 'ClusterIP'
+ # Note if you set this to 'LoadBalancer', you *must* define annotations to secure it. By default,
+ # this will be an external load balancer and allowing inbound 0.0.0.0/0, a HUGE
+ # security risk: https://github.com/kubernetes/charts/issues/1341
+ # -- Defines how to expose the agentListener service
+ agentListenerServiceType: "ClusterIP"
+
+ # -- Annotations for the agentListener service
+ agentListenerServiceAnnotations: {}
+
+ # Optionally, assign an IP to the LoadBalancer agentListenerService LoadBalancer
+ # GKE users: only regional static IPs will work for Service Load balancer.
+ # -- Static IP for the agentListener LoadBalancer
+ agentListenerLoadBalancerIP:
+
+ # -- Whether legacy remoting security should be enabled
+ legacyRemotingSecurityEnabled: false
+
+ # Example of a 'LoadBalancer'-type agent listener with annotations securing it
+ # agentListenerServiceType: LoadBalancer
+ # agentListenerServiceAnnotations:
+ # service.beta.kubernetes.io/aws-load-balancer-internal: "True"
+ # service.beta.kubernetes.io/load-balancer-source-ranges: "172.0.0.0/8, 10.0.0.0/8"
+
+ # LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to
+ # set allowed inbound rules on the security group assigned to the controller load balancer
+ # -- Allowed inbound IP addresses
+ loadBalancerSourceRanges:
+ - 0.0.0.0/0
+
+ # -- Optionally assign a known public LB IP
+ loadBalancerIP:
+
+ # Optionally configure a JMX port. This requires additional javaOpts, for example,
+ # javaOpts: >
+ # -Dcom.sun.management.jmxremote.port=4000
+ # -Dcom.sun.management.jmxremote.authenticate=false
+ # -Dcom.sun.management.jmxremote.ssl=false
+ # jmxPort: 4000
+ # -- Open a port, for JMX stats
+ jmxPort:
+
+ # -- Optionally configure other ports to expose in the controller container
+ extraPorts: []
+ # - name: BuildInfoProxy
+ # port: 9000
+ # targetPort: 9010 (Optional: Use to explicitly set targetPort if different from port)
+
+ # Plugins will be installed during Jenkins controller start
+ # -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false`
+ installPlugins:
+ - kubernetes:4306.vc91e951ea_eb_d
+ - workflow-aggregator:600.vb_57cdd26fdd7
+ - git:5.7.0
+ - configuration-as-code:1915.vcdd0a_d0d2625
+ - pipeline-utility-steps:2.18.0
+ - gitea-checks:504.v7d75347769cf
+
+ # If set to false, Jenkins will download the minimum required version of all dependencies.
+ # -- Download the minimum required version or latest version of all dependencies
+ installLatestPlugins: true
+
+ # -- Set to true to download the latest version of any plugin that is requested to have the latest version
+ installLatestSpecifiedPlugins: false
+
+ # -- List of plugins to install in addition to those listed in controller.installPlugins
+ additionalPlugins: []
+
+ # Without this; whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates that have the potential to cause breakage.
+ # Note that for this to work, `persistence.enabled` needs to be set to `true`
+ # -- Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true`
+ initializeOnce: false
+
+ # Enable to always override the installed plugins with the values of 'controller.installPlugins' on upgrade or redeployment.
+ # -- Overwrite installed plugins on start
+ overwritePlugins: false
+
+ # Configures if plugins bundled with `controller.image` should be overwritten with the values of 'controller.installPlugins' on upgrade or redeployment.
+ # -- Overwrite plugins that are already installed in the controller image
+ overwritePluginsFromImage: true
+
+ # Configures the restrictions for naming projects. Set this key to null or empty to skip it in the default config.
+ projectNamingStrategy: standard
+
+ # Useful with ghprb plugin. The OWASP plugin is not installed by default, please update controller.installPlugins.
+ # -- Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter)
+ enableRawHtmlMarkupFormatter: false
+
+ # This is ignored if enableRawHtmlMarkupFormatter is true
+ # -- Yaml of the markup formatter to use
+ markupFormatter: plainText
+
+ # Used to approve a list of groovy functions in pipelines used the script-security plugin. Can be viewed under /scriptApproval
+ # -- List of groovy functions to approve
+ scriptApproval: []
+ # - "method groovy.json.JsonSlurperClassic parseText java.lang.String"
+ # - "new groovy.json.JsonSlurperClassic"
+
+ # -- Map of groovy init scripts to be executed during Jenkins controller start
+ initScripts: {}
+ # test: |-
+ # print 'adding global pipeline libraries, register properties, bootstrap jobs...'
+ # -- Name of the existing ConfigMap that contains init scripts
+ initConfigMap:
+
+ # 'name' is a name of an existing secret in the same namespace as jenkins,
+ # 'keyName' is the name of one of the keys inside the current secret.
+ # the 'name' and 'keyName' are concatenated with a '-' in between, so for example:
+ # an existing secret "secret-credentials" and a key inside it named "github-password" should be used in JCasC as ${secret-credentials-github-password}
+ # 'name' and 'keyName' must be lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-',
+ # and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc')
+ # existingSecret existing secret "secret-credentials" and a key inside it named "github-username" should be used in JCasC as ${github-username}
+ # When using existingSecret no need to specify the keyName under additionalExistingSecrets.
+ existingSecret:
+
+ # -- List of additional existing secrets to mount
+ additionalExistingSecrets: []
+ # ref: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets
+ # additionalExistingSecrets:
+ # - name: secret-name-1
+ # keyName: username
+ # - name: secret-name-1
+ # keyName: password
+
+ # -- List of additional secrets to create and mount
+ additionalSecrets: []
+ # ref: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets
+ # additionalSecrets:
+ # - name: nameOfSecret
+ # value: secretText
+
+ # Generate SecretClaim resources to create Kubernetes secrets from HashiCorp Vault using kube-vault-controller.
+ # 'name' is the name of the secret that will be created in Kubernetes. The Jenkins fullname is prepended to this value.
+ # 'path' is the fully qualified path to the secret in Vault
+ # 'type' is an optional Kubernetes secret type. The default is 'Opaque'
+ # 'renew' is an optional secret renewal time in seconds
+ # -- List of `SecretClaim` resources to create
+ secretClaims: []
+ # - name: secretName # required
+ # path: testPath # required
+ # type: kubernetes.io/tls # optional
+ # renew: 60 # optional
+
+ # -- Name of default cloud configuration.
+ cloudName: "freeleaps-cluster"
+
+ # Below is the implementation of Jenkins Configuration as Code. Add a key under configScripts for each configuration area,
+ # where each corresponds to a plugin or section of the UI. Each key (prior to | character) is just a label, and can be any value.
+ # Keys are only used to give the section a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label
+ # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in
+ # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each |
+ # become the content of the configuration yaml file. The first line after this is a JCasC root element, e.g., jenkins, credentials,
+ # etc. Best reference is https:///configuration-as-code/reference. The example below creates a welcome message:
+ JCasC:
+ # -- Enables default Jenkins configuration via configuration as code plugin
+ defaultConfig: true
+
+ # If true, the init container deletes all the plugin config files and Jenkins Config as Code overwrites any existing configuration
+ # -- Whether Jenkins Config as Code should overwrite any existing configuration
+ overwriteConfiguration: false
+ # -- Remote URLs for configuration files.
+ configUrls: []
+ # - https://acme.org/jenkins.yaml
+ # -- List of Jenkins Config as Code scripts
+ configScripts: {}
+ # welcome-message: |
+ # jenkins:
+ # systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'.
+
+ # Allows adding to the top-level security JCasC section. For legacy purposes, by default, the chart includes apiToken configurations
+ # -- Jenkins Config as Code security-section
+ security:
+ apiToken:
+ creationOfLegacyTokenEnabled: false
+ tokenGenerationOnCreationEnabled: false
+ usageStatisticsEnabled: true
+
+ # Ignored if securityRealm is defined in controller.JCasC.configScripts
+ # -- Jenkins Config as Code Security Realm-section
+ securityRealm: |-
+ local:
+ allowsSignup: false
+ enableCaptcha: false
+ users:
+ - id: "${chart-admin-username}"
+ name: "Jenkins Admin"
+ password: "${chart-admin-password}"
+
+ # Ignored if authorizationStrategy is defined in controller.JCasC.configScripts
+ # -- Jenkins Config as Code Authorization Strategy-section
+ authorizationStrategy: |-
+ loggedInUsersCanDoAnything:
+ allowAnonymousRead: false
+
+ # -- Annotations for the JCasC ConfigMap
+ configMapAnnotations: {}
+
+ # -- Custom init-container specification in raw-yaml format
+ customInitContainers: []
+ # - name: custom-init
+ # image: "alpine:3"
+ # imagePullPolicy: Always
+ # command: [ "uname", "-a" ]
+
+ sidecars:
+ configAutoReload:
+ # If enabled: true, Jenkins Configuration as Code will be reloaded on-the-fly without a reboot.
+ # If false or not-specified, JCasC changes will cause a reboot and will only be applied at the subsequent start-up.
+ # Auto-reload uses the http:///reload-configuration-as-code endpoint to reapply config when changes to
+ # the configScripts are detected.
+ # -- Enables Jenkins Config as Code auto-reload
+ enabled: true
+ image:
+ # -- Registry for the image that triggers the reload
+ registry: docker.io
+ # -- Repository of the image that triggers the reload
+ repository: kiwigrid/k8s-sidecar
+ # -- Tag for the image that triggers the reload
+ tag: 1.29.0
+ imagePullPolicy: IfNotPresent
+ resources: {}
+ # limits:
+ # cpu: 100m
+ # memory: 100Mi
+ # requests:
+ # cpu: 50m
+ # memory: 50Mi
+ # -- Enables additional volume mounts for the config auto-reload container
+ additionalVolumeMounts: []
+ # - name: auto-reload-config
+ # mountPath: /var/config/logger
+ # - name: auto-reload-logs
+ # mountPath: /var/log/auto_reload
+ # -- Config auto-reload logging settings
+ logging:
+ # See default settings https://github.com/kiwigrid/k8s-sidecar/blob/master/src/logger.py
+ configuration:
+ # -- Enables custom log config utilizing using the settings below.
+ override: false
+ logLevel: INFO
+ formatter: JSON
+ logToConsole: true
+ logToFile: false
+ maxBytes: 1024
+ backupCount: 3
+
+ # -- The scheme to use when connecting to the Jenkins configuration as code endpoint
+ scheme: http
+ # -- Skip TLS verification when connecting to the Jenkins configuration as code endpoint
+ skipTlsVerify: false
+
+ # -- How many connection-related errors to retry on
+ reqRetryConnect: 10
+ # -- How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar)
+ sleepTime:
+
+ # -- Environment variable sources for the Jenkins Config as Code auto-reload container
+ envFrom: []
+ # -- Environment variables for the Jenkins Config as Code auto-reload container
+ env: {}
+ # - name: REQ_TIMEOUT
+ # value: "30"
+
+ # SSH port value can be set to any unused TCP port. The default, 1044, is a non-standard SSH port that has been chosen at random.
+ # This is only used to reload JCasC config from the sidecar container running in the Jenkins controller pod.
+ # This TCP port will not be open in the pod (unless you specifically configure this), so Jenkins will not be
+ # accessible via SSH from outside the pod. Note if you use non-root pod privileges (runAsUser & fsGroup),
+ # this must be > 1024:
+ sshTcpPort: 1044
+ # folder in the pod that should hold the collected dashboards:
+ folder: "/var/jenkins_home/casc_configs"
+
+ # If specified, the sidecar will search for JCasC config-maps inside this namespace.
+ # Otherwise, the namespace in which the sidecar is running will be used.
+ # It's also possible to specify ALL to search in all namespaces:
+ # searchNamespace:
+ # -- Enable container security context
+ containerSecurityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+
+ # -- Configures additional sidecar container(s) for the Jenkins controller
+ additionalSidecarContainers: []
+ ## The example below runs the client for https://smee.io as sidecar container next to Jenkins,
+ ## that allows triggering build behind a secure firewall.
+ ## https://jenkins.io/blog/2019/01/07/webhook-firewalls/#triggering-builds-with-webhooks-behind-a-secure-firewall
+ ##
+ ## Note: To use it you should go to https://smee.io/new and update the url to the generated one.
+ # - name: smee
+ # image: docker.io/twalter/smee-client:1.0.2
+ # args: ["--port", "{{ .Values.controller.servicePort }}", "--path", "/github-webhook/", "--url", "https://smee.io/new"]
+ # resources:
+ # limits:
+ # cpu: 50m
+ # memory: 128Mi
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+
+ # -- Name of the Kubernetes scheduler to use
+ schedulerName: ""
+
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ # -- Node labels for pod assignment
+ nodeSelector: {}
+
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+ # -- Toleration labels for pod assignment
+ tolerations: []
+ # -- Set TerminationGracePeriodSeconds
+ terminationGracePeriodSeconds:
+ # -- Set the termination message path
+ terminationMessagePath:
+ # -- Set the termination message policy
+ terminationMessagePolicy:
+
+ # -- Affinity settings
+ affinity: {}
+
+ # Leverage a priorityClass to ensure your pods survive resource shortages
+ # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+ # -- The name of a `priorityClass` to apply to the controller pod
+ priorityClassName:
+
+ # -- Annotations for controller pod
+ podAnnotations: {}
+ # -- Annotations for controller StatefulSet
+ statefulSetAnnotations: {}
+
+ # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+ # -- Update strategy for StatefulSet
+ updateStrategy: {}
+
+ # -- Topology spread constraints
+ topologySpreadConstraints: {}
+
+ ingress:
+ # -- Enables ingress
+ enabled: true
+
+ # Override for the default paths that map requests to the backend
+ # -- Override for the default Ingress paths
+ paths: []
+ # - backend:
+ # serviceName: ssl-redirect
+ # servicePort: use-annotation
+ # - backend:
+ # serviceName: >-
+ # {{ template "jenkins.fullname" . }}
+ # # Don't use string here, use only integer value!
+ # servicePort: 8080
+
+ # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1'
+ # For Kubernetes v1.19+, use 'networking.k8s.io/v1'
+ # -- Ingress API version
+ apiVersion: "networking.k8s.io/v1"
+ # -- Ingress labels
+ labels: {}
+ # -- Ingress annotations
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
+ # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
+ ingressClassName: nginx
+
+ # Set this path to jenkinsUriPrefix above or use annotations to rewrite path
+ # -- Ingress path
+ path:
+
+ # configures the hostname e.g. jenkins.example.com
+ # -- Ingress hostname
+ hostName: jenkins.mathmast.com
+ # -- Hostname to serve assets from
+ resourceRootUrl:
+ # -- Ingress TLS configuration
+ tls:
+ - secretName: jenkins-dot-mathmast-dot-com-tls
+ hosts:
+ - jenkins.mathmast.com
+ # - secretName: jenkins.cluster.local
+ # hosts:
+ # - jenkins.cluster.local
+
+ # often you want to have your controller all locked down and private,
+ # but you still want to get webhooks from your SCM
+ # A secondary ingress will let you expose different urls
+ # with a different configuration
+ secondaryingress:
+ enabled: false
+ # paths you want forwarded to the backend
+ # ex /github-webhook
+ paths: []
+ # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1'
+ # For Kubernetes v1.19+, use 'networking.k8s.io/v1'
+ apiVersion: "extensions/v1beta1"
+ labels: {}
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
+ # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
+ # ingressClassName: nginx
+ # configures the hostname e.g., jenkins-external.example.com
+ hostName:
+ tls:
+ # - secretName: jenkins-external.example.com
+ # hosts:
+ # - jenkins-external.example.com
+
+ # If you're running on GKE and need to configure a backendconfig
+ # to finish ingress setup, use the following values.
+ # Docs: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig
+ backendconfig:
+ # -- Enables backendconfig
+ enabled: false
+ # -- backendconfig API version
+ apiVersion: "extensions/v1beta1"
+ # -- backendconfig name
+ name:
+ # -- backendconfig labels
+ labels: {}
+ # -- backendconfig annotations
+ annotations: {}
+ # -- backendconfig spec
+ spec: {}
+
+ # Openshift route
+ route:
+ # -- Enables openshift route
+ enabled: false
+ # -- Route labels
+ labels: {}
+ # -- Route annotations
+ annotations: {}
+ # -- Route path
+ path:
+
+ # -- Allows for adding entries to Pod /etc/hosts
+ hostAliases: []
+ # ref: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ # hostAliases:
+ # - ip: 192.168.50.50
+ # hostnames:
+ # - something.local
+ # - ip: 10.0.50.50
+ # hostnames:
+ # - other.local
+
+ # Expose Prometheus metrics
+ prometheus:
+ # If enabled, add the prometheus plugin to the list of plugins to install
+ # https://plugins.jenkins.io/prometheus
+
+ # -- Enables prometheus service monitor
+ enabled: true
+ # -- Additional labels to add to the service monitor object
+ serviceMonitorAdditionalLabels: {}
+ # -- Set a custom namespace where to deploy ServiceMonitor resource
+ serviceMonitorNamespace: freeleaps-monitoring-system
+ # -- How often prometheus should scrape metrics
+ scrapeInterval: 60s
+
+ # Defaults to the default endpoint used by the prometheus plugin
+ # -- The endpoint prometheus should get metrics from
+ scrapeEndpoint: /prometheus
+
+ # See here: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/
+ # The `groups` root object is added by default, add the rule entries
+ # -- Array of prometheus alerting rules
+ alertingrules: []
+ # -- Additional labels to add to the PrometheusRule object
+ alertingRulesAdditionalLabels: {}
+ # -- Set a custom namespace where to deploy PrometheusRule resource
+ prometheusRuleNamespace: "freeleaps-monitoring-system"
+
+ # RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds
+ # relabelings for a few standard Kubernetes fields. The original scrape job’s name
+ # is available via the __tmp_prometheus_job_name label.
+ # More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
+ relabelings: []
+ # MetricRelabelConfigs to apply to samples before ingestion.
+ metricRelabelings: []
+
+ googlePodMonitor:
+ # If enabled, It creates Google Managed Prometheus scraping config
+ enabled: false
+ # Set a custom namespace where to deploy PodMonitoring resource
+ # serviceMonitorNamespace: ""
+ scrapeInterval: 60s
+ # This is the default endpoint used by the prometheus plugin
+ scrapeEndpoint: /prometheus
+
+ # -- Can be used to disable rendering controller test resources when using helm template
+ testEnabled: true
+
+ httpsKeyStore:
+ # -- Enables HTTPS keystore on jenkins controller
+ enable: false
+ # -- Name of the secret that already has ssl keystore
+ jenkinsHttpsJksSecretName: ""
+ # -- Name of the key in the secret that already has ssl keystore
+ jenkinsHttpsJksSecretKey: "jenkins-jks-file"
+ # -- Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file
+ jenkinsHttpsJksPasswordSecretName: ""
+ # -- Name of the key in the secret that contains the JKS password
+ jenkinsHttpsJksPasswordSecretKey: "https-jks-password"
+ disableSecretMount: false
+
+ # When HTTPS keystore is enabled, servicePort and targetPort will be used as HTTPS port
+ # -- HTTP Port that Jenkins should listen to along with HTTPS, it also serves as the liveness and readiness probes port.
+ httpPort: 8081
+ # -- Path of HTTPS keystore file
+ path: "/var/jenkins_keystore"
+ # -- Jenkins keystore filename which will appear under controller.httpsKeyStore.path
+ fileName: "keystore.jks"
+ # -- Jenkins keystore password
+ password: "password"
+
+ # -- Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here
+ jenkinsKeyStoreBase64Encoded:
+ # Convert keystore.jks files content to base64 > $ cat keystore.jks | base64
+# /u3+7QAAAAIAAAABAAAAAQANamVua2luc2NpLmNvbQAAAW2r/b1ZAAAFATCCBP0wDgYKKwYBBAEq
+# AhEBAQUABIIE6QbCqasvoHS0pSwYqSvdydMCB9t+VNfwhFIiiuAelJfO5sSe2SebJbtwHgLcRz1Z
+# gMtWgOSFdl3bWSzA7vrW2LED52h+jXLYSWvZzuDuh8hYO85m10ikF6QR+dTi4jra0whIFDvq3pxe
+# TnESxEsN+DvbZM3jA3qsjQJSeISNpDjO099dqQvHpnCn18lyk7J4TWJ8sOQQb1EM2zDAfAOSqA/x
+# QuPEFl74DlY+5DIk6EBvpmWhaMSvXzWZACGA0sYqa157dq7O0AqmuLG/EI5EkHETO4CrtBW+yLcy
+# 2dUCXOMA+j+NjM1BjrQkYE5vtSfNO6lFZcISyKo5pTFlcA7ut0Fx2nZ8GhHTn32CpeWwNcZBn1gR
+# pZVt6DxVVkhTAkMLhR4rL2wGIi/1WRs23ZOLGKtyDNvDHnQyDiQEoJGy9nAthA8aNHa3cfdF10vB
+# Drb19vtpFHmpvKEEhpk2EBRF4fTi644Fuhu2Ied6118AlaPvEea+n6G4vBz+8RWuVCmZjLU+7h8l
+# Hy3/WdUPoIL5eW7Kz+hS+sRTFzfu9C48dMkQH3a6f3wSY+mufizNF9U298r98TnYy+PfDJK0bstG
+# Ph6yPWx8DGXKQBwrhWJWXI6JwZDeC5Ny+l8p1SypTmAjpIaSW3ge+KgcL6Wtt1R5hUV1ajVwVSUi
+# HF/FachKqPqyLJFZTGjNrxnmNYpt8P1d5JTvJfmfr55Su/P9n7kcyWp7zMcb2Q5nlXt4tWogOHLI
+# OzEWKCacbFfVHE+PpdrcvCVZMDzFogIq5EqGTOZe2poPpBVE+1y9mf5+TXBegy5HToLWvmfmJNTO
+# NCDuBjgLs2tdw2yMPm4YEr57PnMX5gGTC3f2ZihXCIJDCRCdQ9sVBOjIQbOCzxFXkVITo0BAZhCi
+# Yz61wt3Ud8e//zhXWCkCsSV+IZCxxPzhEFd+RFVjW0Nm9hsb2FgAhkXCjsGROgoleYgaZJWvQaAg
+# UyBzMmKDPKTllBHyE3Gy1ehBNGPgEBChf17/9M+j8pcm1OmlM434ctWQ4qW7RU56//yq1soFY0Te
+# fu2ei03a6m68fYuW6s7XEEK58QisJWRAvEbpwu/eyqfs7PsQ+zSgJHyk2rO95IxdMtEESb2GRuoi
+# Bs+AHNdYFTAi+GBWw9dvEgqQ0Mpv0//6bBE/Fb4d7b7f56uUNnnE7mFnjGmGQN+MvC62pfwfvJTT
+# EkT1iZ9kjM9FprTFWXT4UmO3XTvesGeE50sV9YPm71X4DCQwc4KE8vyuwj0s6oMNAUACW2ClU9QQ
+# y0tRpaF1tzs4N42Q5zl0TzWxbCCjAtC3u6xf+c8MCGrr7DzNhm42LOQiHTa4MwX4x96q7235oiAU
+# iQqSI/hyF5yLpWw4etyUvsx2/0/0wkuTU1FozbLoCWJEWcPS7QadMrRRISxHf0YobIeQyz34regl
+# t1qSQ3dCU9D6AHLgX6kqllx4X0fnFq7LtfN7fA2itW26v+kAT2QFZ3qZhINGfofCja/pITC1uNAZ
+# gsJaTMcQ600krj/ynoxnjT+n1gmeqThac6/Mi3YlVeRtaxI2InL82ZuD+w/dfY9OpPssQjy3xiQa
+# jPuaMWXRxz/sS9syOoGVH7XBwKrWpQcpchozWJt40QV5DslJkclcr8aC2AGlzuJMTdEgz1eqV0+H
+# bAXG9HRHN/0eJTn1/QAAAAEABVguNTA5AAADjzCCA4swggJzAhRGqVxH4HTLYPGO4rzHcCPeGDKn
+# xTANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCY2ExEDAOBgNVBAgMB29udGFyaW8xEDAOBgNV
+# BAcMB3Rvcm9udG8xFDASBgNVBAoMC2plbmtpbnN0ZXN0MRkwFwYDVQQDDBBqZW5raW5zdGVzdC5p
+# bmZvMR0wGwYJKoZIhvcNAQkBFg50ZXN0QHRlc3QuaW5mbzAeFw0xOTEwMDgxNTI5NTVaFw0xOTEx
+# MDcxNTI5NTVaMIGBMQswCQYDVQQGEwJjYTEQMA4GA1UECAwHb250YXJpbzEQMA4GA1UEBwwHdG9y
+# b250bzEUMBIGA1UECgwLamVua2luc3Rlc3QxGTAXBgNVBAMMEGplbmtpbnN0ZXN0LmluZm8xHTAb
+# BgkqhkiG9w0BCQEWDnRlc3RAdGVzdC5pbmZvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+# AQEA02q352JTHGvROMBhSHvSv+vnoOTDKSTz2aLQn0tYrIRqRo+8bfmMjXuhkwZPSnCpvUGNAJ+w
+# Jrt/dqMoYUjCBkjylD/qHmnXN5EwS1cMg1Djh65gi5JJLFJ7eNcoSsr/0AJ+TweIal1jJSP3t3PF
+# 9Uv21gm6xdm7HnNK66WpUUXLDTKaIs/jtagVY1bLOo9oEVeLN4nT2CYWztpMvdCyEDUzgEdDbmrP
+# F5nKUPK5hrFqo1Dc5rUI4ZshL3Lpv398aMxv6n2adQvuL++URMEbXXBhxOrT6rCtYzbcR5fkwS9i
+# d3Br45CoWOQro02JAepoU0MQKY5+xQ4Bq9Q7tB9BAwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAe
+# 4xc+mSvKkrKBHg9/zpkWgZUiOp4ENJCi8H4tea/PCM439v6y/kfjT/okOokFvX8N5aa1OSz2Vsrl
+# m8kjIc6hiA7bKzT6lb0EyjUShFFZ5jmGVP4S7/hviDvgB5yEQxOPpumkdRP513YnEGj/o9Pazi5h
+# /MwpRxxazoda9r45kqQpyG+XoM4pB+Fd3JzMc4FUGxfVPxJU4jLawnJJiZ3vqiSyaB0YyUL+Er1Q
+# 6NnqtR4gEBF0ZVlQmkycFvD4EC2boP943dLqNUvop+4R3SM1QMM6P5u8iTXtHd/VN4MwMyy1wtog
+# hYAzODo1Jt59pcqqKJEas0C/lFJEB3frw4ImNx5fNlJYOpx+ijfQs9m39CevDq0=
+
+agent:
+ # -- Enable Kubernetes plugin jnlp-agent podTemplate
+ enabled: true
+ # -- The name of the pod template to use for providing default values
+ defaultsProviderTemplate: ""
+
+ # Useful for not including a serviceAccount in the template if `false`
+ # -- Use `serviceAccountAgent.name` as the default value for defaults template `serviceAccount`
+ useDefaultServiceAccount: true
+
+ # -- Override the default service account
+ # @default -- `serviceAccountAgent.name` if `agent.useDefaultServiceAccount` is `true`
+ serviceAccount:
+
+ # For connecting to the Jenkins controller
+ # -- Overrides the Kubernetes Jenkins URL
+ jenkinsUrl:
+
+ # connects to the specified host and port, instead of connecting directly to the Jenkins controller
+ # -- Overrides the Kubernetes Jenkins tunnel
+ jenkinsTunnel:
+ # -- Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI
+ skipTlsVerify: false
+ # -- Enable the possibility to restrict the usage of this agent to specific folder. This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI
+ usageRestricted: false
+ # -- The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5
+ kubernetesConnectTimeout: 5
+ # -- The read timeout in seconds for connections to Kubernetes API. The minimum value is 15
+ kubernetesReadTimeout: 15
+ # -- The maximum concurrent connections to Kubernetes API
+ maxRequestsPerHostStr: "32"
+ # -- Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated
+ retentionTimeout: 5
+ # -- Seconds to wait for pod to be running
+ waitForPodSec: 600
+ # -- Namespace in which the Kubernetes agents should be launched
+ namespace: freeleaps-devops-system
+ # -- Custom Pod labels (an object with `label-key: label-value` pairs)
+ podLabels: {}
+ # -- Custom registry used to pull the agent jnlp image from
+ jnlpregistry:
+ image:
+ # -- Repository to pull the agent jnlp image from
+ repository: "jenkins/inbound-agent"
+ # -- Tag of the image to pull
+ tag: "3273.v4cfe589b_fd83-1"
+ # -- Configure working directory for default agent
+ workingDir: "/home/jenkins/agent"
+ nodeUsageMode: "NORMAL"
+ # -- Append Jenkins labels to the agent
+ customJenkinsLabels: []
+ # -- Name of the secret to be used to pull the image
+ imagePullSecretName:
+ componentName: "jenkins-agent"
+ # -- Enables agent communication via websockets
+ websocket: false
+ directConnection: false
+ # -- Agent privileged container
+ privileged: false
+ # -- Configure container user
+ runAsUser:
+ # -- Configure container group
+ runAsGroup:
+ # -- Enables the agent to use the host network
+ hostNetworking: false
+ # -- Resources allocation (Requests and Limits)
+ resources:
+ requests:
+ cpu: "0.5"
+ memory: "512Mi"
+ # ephemeralStorage:
+ limits:
+ cpu: "1"
+ memory: "1024Mi"
+ # ephemeralStorage:
+ livenessProbe: {}
+# execArgs: "cat /tmp/healthy"
+# failureThreshold: 3
+# initialDelaySeconds: 0
+# periodSeconds: 10
+# successThreshold: 1
+# timeoutSeconds: 1
+
+ # You may want to change this to true while testing a new image
+ # -- Always pull agent container image before build
+ alwaysPullImage: false
+ # When using Pod Security Admission in the Agents namespace with the restricted Pod Security Standard,
+ # the jnlp container cannot be scheduled without overriding its container definition with a securityContext.
+ # This option allows to automatically inject in the jnlp container a securityContext
+ # that is suitable for the use of the restricted Pod Security Standard.
+ # -- Set a restricted securityContext on jnlp containers
+ restrictedPssSecurityContext: false
+ # Controls how agent pods are retained after the Jenkins build completes
+ # Possible values: Always, Never, OnFailure
+ podRetention: "Never"
+ # Disable if you do not want the Yaml the agent pod template to show up
+ # in the job Console Output. This can be helpful for either security reasons
+ # or simply to clean up the output to make it easier to read.
+ showRawYaml: true
+
+ # You can define the volumes that you want to mount for this container
+ # Allowed types are: ConfigMap, EmptyDir, EphemeralVolume, HostPath, Nfs, PVC, Secret
+ # Configure the attributes as they appear in the corresponding Java class for that type
+ # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes
+ # -- Additional volumes
+ volumes: []
+ # - type: ConfigMap
+ # configMapName: myconfigmap
+ # mountPath: /var/myapp/myconfigmap
+ # - type: EmptyDir
+ # mountPath: /var/myapp/myemptydir
+ # memory: false
+ # - type: EphemeralVolume
+ # mountPath: /var/myapp/myephemeralvolume
+ # accessModes: ReadWriteOnce
+ # requestsSize: 10Gi
+ # storageClassName: mystorageclass
+ # - type: HostPath
+ # hostPath: /var/lib/containers
+ # mountPath: /var/myapp/myhostpath
+ # - type: Nfs
+ # mountPath: /var/myapp/mynfs
+ # readOnly: false
+ # serverAddress: "192.0.2.0"
+ # serverPath: /var/lib/containers
+ # - type: PVC
+ # claimName: mypvc
+ # mountPath: /var/myapp/mypvc
+ # readOnly: false
+ # - type: Secret
+ # defaultMode: "600"
+ # mountPath: /var/myapp/mysecret
+ # secretName: mysecret
+ # Pod-wide environment, these vars are visible to any container in the agent pod
+
+ # You can define the workspaceVolume that you want to mount for this container
+ # Allowed types are: DynamicPVC, EmptyDir, EphemeralVolume, HostPath, Nfs, PVC
+ # Configure the attributes as they appear in the corresponding Java class for that type
+ # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes/workspace
+ # -- Workspace volume (defaults to EmptyDir)
+ workspaceVolume: {}
+ ## DynamicPVC example
+ # - type: DynamicPVC
+ # configMapName: myconfigmap
+ ## EmptyDir example
+ # - type: EmptyDir
+ # memory: false
+ ## EphemeralVolume example
+ # - type: EphemeralVolume
+ # accessModes: ReadWriteOnce
+ # requestsSize: 10Gi
+ # storageClassName: 
mystorageclass + ## HostPath example + # - type: HostPath + # hostPath: /var/lib/containers + ## NFS example + # - type: Nfs + # readOnly: false + # serverAddress: "192.0.2.0" + # serverPath: /var/lib/containers + ## PVC example + # - type: PVC + # claimName: mypvc + # readOnly: false + + # Pod-wide environment, these vars are visible to any container in the agent pod + # -- Environment variables for the agent Pod + envVars: [] + # - name: PATH + # value: /usr/local/bin + # -- Mount a secret as environment variable + secretEnvVars: [] + # - key: PATH + # optional: false # default: false + # secretKey: MY-K8S-PATH + # secretName: my-k8s-secret + + # -- Node labels for pod assignment + nodeSelector: {} + # Key Value selectors. Ex: + # nodeSelector + # jenkins-agent: v1 + + # -- Command to execute when side container starts + command: + # -- Arguments passed to command to execute + args: "${computer.jnlpmac} ${computer.name}" + # -- Side container name + sideContainerName: "jnlp" + + # Doesn't allocate pseudo TTY by default + # -- Allocate pseudo tty to the side container + TTYEnabled: false + # -- Max number of agents to launch + containerCap: 10 + # -- Agent Pod base name + podName: "default" + + # Enables garbage collection of orphan pods for this Kubernetes cloud. (beta) + garbageCollection: + # -- When enabled, Jenkins will periodically check for orphan pods that have not been touched for the given timeout period and delete them. + enabled: false + # -- Namespaces to look at for garbage collection, in addition to the default namespace defined for the cloud. One namespace per line. + namespaces: "" + # namespaces: |- + # namespaceOne + # namespaceTwo + # -- Timeout value for orphaned pods + timeout: 300 + + # -- Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it + idleMinutes: 0 + + + # The raw yaml of a Pod API Object, for example, this allows usage of toleration for agent pods. 
+ # https://github.com/jenkinsci/kubernetes-plugin#using-yaml-to-define-pod-templates + # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + # -- The raw yaml of a Pod API Object to merge into the agent spec + yamlTemplate: "" + # yamlTemplate: |- + # apiVersion: v1 + # kind: Pod + # spec: + # tolerations: + # - key: "key" + # operator: "Equal" + # value: "value" + + # -- Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override" + yamlMergeStrategy: "override" + # -- Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one + inheritYamlMergeStrategy: false + # -- Timeout in seconds for an agent to be online + connectTimeout: 100 + # -- Annotations to apply to the pod + annotations: {} + + # Containers specified here are added to all agents. Set key empty to remove container from additional agents. + # -- Add additional containers to the agents + additionalContainers: [] + # - sideContainerName: dind + # image: + # repository: docker + # tag: dind + # command: dockerd-entrypoint.sh + # args: "" + # privileged: true + # resources: + # requests: + # cpu: 500m + # memory: 1Gi + # limits: + # cpu: 1 + # memory: 2Gi + + # Useful when configuring agents only with the podTemplates value, since the default podTemplate populated by values mentioned above will be excluded in the rendered template. + # -- Disable the default Jenkins Agent configuration + disableDefaultAgent: false + + # Below is the implementation of custom pod templates for the default configured kubernetes cloud. + # Add a key under podTemplates for each pod template. Each key (prior to | character) is just a label, and can be any value. + # Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label + # characters: lowercase letters, numbers, and hyphens. 
Each pod template can contain multiple containers. + # For this pod templates configuration to be loaded, the following values must be set: + # controller.JCasC.defaultConfig: true + # Best reference is https:///configuration-as-code/reference#Cloud-kubernetes. The example below creates a python pod template. + # -- Configures extra pod templates for the default kubernetes cloud + podTemplates: {} + # python: | + # - name: python + # label: jenkins-python + # serviceAccount: jenkins + # containers: + # - name: python + # image: python:3 + # command: "/bin/sh -c" + # args: "cat" + # ttyEnabled: true + # privileged: true + # resourceRequestCpu: "400m" + # resourceRequestMemory: "512Mi" + # resourceLimitCpu: "1" + # resourceLimitMemory: "1024Mi" + +# Inherits all values from `agent` so you only need to specify values which differ +# -- Configure additional +additionalAgents: {} +# maven: +# podName: maven +# customJenkinsLabels: maven +# # An example of overriding the jnlp container +# # sideContainerName: jnlp +# image: +# repository: jenkins/jnlp-agent-maven +# tag: latest +# python: +# podName: python +# customJenkinsLabels: python +# sideContainerName: python +# image: +# repository: python +# tag: "3" +# command: "/bin/sh -c" +# args: "cat" +# TTYEnabled: true + +# Here you can add additional clouds +# They inherit all values from the default cloud (including the main agent), so +# you only need to specify values which differ. If you want to override +# default additionalAgents with the additionalClouds.additionalAgents set +# additionalAgentsOverride to `true`. 
+additionalClouds: {} +# remote-cloud-1: +# kubernetesURL: https://api.remote-cloud.com +# additionalAgentsOverride: true +# additionalAgents: +# maven-2: +# podName: maven-2 +# customJenkinsLabels: maven +# # An example of overriding the jnlp container +# # sideContainerName: jnlp +# image: +# repository: jenkins/jnlp-agent-maven +# tag: latest +# namespace: my-other-maven-namespace +# remote-cloud-2: +# kubernetesURL: https://api.remote-cloud.com + +persistence: + # -- Enable the use of a Jenkins PVC + enabled: true + + # A manually managed Persistent Volume and Claim + # Requires persistence.enabled: true + # If defined, PVC must be created manually before volume will be bound + # -- Provide the name of a PVC + existingClaim: + + # jenkins data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", storageClassName: "", which disables dynamic provisioning + # If undefined (the default) or set to null, no storageClassName spec is + # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS & OpenStack) + # -- Storage class for the PVC + storageClass: azure-blob-fuse-2-std-lrs + # -- Annotations for the PVC + annotations: {} + # -- Labels for the PVC + labels: {} + # -- The PVC access mode + accessMode: "ReadWriteOnce" + # -- The size of the PVC + size: "50Gi" + + # ref: https://kubernetes.io/docs/concepts/storage/volume-pvc-datasource/ + # -- Existing data source to clone PVC from + dataSource: {} + # name: PVC-NAME + # kind: PersistentVolumeClaim + + # -- SubPath for jenkins-home mount + subPath: + # -- Additional volumes + volumes: [] + # - name: nothing + # emptyDir: {} + + # -- Additional mounts + mounts: [] + # - mountPath: /var/nothing + # name: nothing + # readOnly: true + +networkPolicy: + # -- Enable the creation of NetworkPolicy resources + enabled: false + + # For Kubernetes v1.4, v1.5 and v1.6, use 'extensions/v1beta1' + # For Kubernetes v1.7, use 'networking.k8s.io/v1' + # -- NetworkPolicy ApiVersion + 
apiVersion: networking.k8s.io/v1 + # You can allow agents to connect from both within the cluster (from within specific/all namespaces) AND/OR from a given external IP range + internalAgents: + # -- Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels + allowed: true + # -- A map of labels (keys/values) that agent pods must have to be able to connect to controller + podLabels: {} + # -- A map of labels (keys/values) that agents namespaces must have to be able to connect to controller + namespaceLabels: {} + # project: myproject + externalAgents: + # -- The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 + ipCIDR: + # -- A list of IP sub-ranges to be excluded from the allowlisted IP range + except: [] + # - 172.17.1.0/24 + +## Install Default RBAC roles and bindings +rbac: + # -- Whether RBAC resources are created + create: true + # -- Whether the Jenkins service account should be able to read Kubernetes secrets + readSecrets: false + # -- Whether the Jenkins service account should be able to use the OpenShift "nonroot" Security Context Constraints + useOpenShiftNonRootSCC: false + +serviceAccount: + # -- Configures if a ServiceAccount with this name should be created + create: true + + # The name of the ServiceAccount is autogenerated by default + # -- The name of the ServiceAccount to be used by access-controlled resources + name: + # -- Configures annotations for the ServiceAccount + annotations: {} + # -- Configures extra labels for the ServiceAccount + extraLabels: {} + # -- Controller ServiceAccount image pull secret + imagePullSecretName: + + +serviceAccountAgent: + # -- Configures if an agent ServiceAccount should be created + create: false + + # If not set and create is true, a name is generated using the fullname template + # -- The name of the agent ServiceAccount to be used by access-controlled resources + name: + # -- Configures annotations 
for the agent ServiceAccount + annotations: {} + # -- Configures extra labels for the agent ServiceAccount + extraLabels: {} + # -- Agent ServiceAccount image pull secret + imagePullSecretName: + +# -- Checks if any deprecated values are used +checkDeprecation: true + +awsSecurityGroupPolicies: + enabled: false + policies: + - name: "" + securityGroupIds: [] + podSelector: {} + +# Here you can configure unit tests values when executing the helm unittest in the CONTRIBUTING.md +helmtest: + # A testing framework for bash + bats: + # Bash Automated Testing System (BATS) + image: + # -- Registry of the image used to test the framework + registry: "docker.io" + # -- Repository of the image used to test the framework + repository: "bats/bats" + # -- Tag of the image to test the framework + tag: "1.11.1" \ No newline at end of file diff --git a/cluster/manifests/freeleaps-storage-system/azure-blob-storage-csi/storage-classes.yaml b/cluster/manifests/freeleaps-storage-system/azure-blob-storage-csi/storage-classes.yaml index 89aadde7..436d030d 100644 --- a/cluster/manifests/freeleaps-storage-system/azure-blob-storage-csi/storage-classes.yaml +++ b/cluster/manifests/freeleaps-storage-system/azure-blob-storage-csi/storage-classes.yaml @@ -1,3 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + name: freeleaps-azure-blob-storage-secret + namespace: freeleaps-storage-system +type: Opaque +data: + azurestorageaccountname: ZnJlZWxlYXBz + azurestorageaccountkey: bWE3dmxQdktySmtFVS9vRENFRjNDYkNJWkQzMUlOb0R5a214Y0NoYnpoR25oMWxhVGpsRkxUclVhdG5odXdveS9Dc3g5L1Vwa0VjZStBU3Rab08rL0E9PQ== --- apiVersion: storage.k8s.io/v1 kind: StorageClass 
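Review bot: The `azurestorageaccountkey` value in the new Secret is a storage account key committed to the repository in base64, and base64 is an encoding rather than encryption, so anyone with read access to this repo or its history can recover a credential with full data-plane access to the storage account named beside it. The key should be treated as exposed: rotate it in Azure and keep the replacement out of git by producing the Secret from an external store (a SealedSecret/ExternalSecret, or the CSI driver's managed-identity authentication) instead of a literal `data:` block. If a manifest has to stay here, keep only a placeholder and say where the real value is injected, e.g. `azurestorageaccountkey: <injected-at-deploy-time>  # never commit the key`. Keeping a Secret in a file named `storage-classes.yaml` also hides it from anyone auditing for credentials; a separate `secret.yaml` (git-ignored or templated) would be clearer.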
@@ -5,254 +14,13 @@ metadata:
 name: azure-blob-fuse-2-std-lrs
 provisioner: blob.csi.azure.com
 parameters:
- skuName: Standard_LRS # available values: Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_ZRS
+ skuName: Standard_LRS
 protocol: fuse2
-reclaimPolicy: Delete
-volumeBindingMode: Immediate
-allowVolumeExpansion: true
-mountOptions:
- - -o allow_other
- - --file-cache-timeout-in-seconds=120
- - --use-attr-cache=true
- - --cancel-list-on-mount-seconds=10 # prevent billing charges on mounting
- - -o attr_timeout=120
- - -o entry_timeout=120
- - -o negative_timeout=120
- - --log-level=LOG_WARNING # LOG_WARNING, LOG_INFO, LOG_DEBUG
- - --cache-size-mb=1000 # Default will be 80% of available memory, eviction will happen beyond that.
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
- name: azure-blob-fuse-2-premium-lrs
-provisioner: blob.csi.azure.com
-parameters:
- skuName: Premium_LRS # available values: Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_ZRS
- protocol: fuse2
-reclaimPolicy: Delete
-volumeBindingMode: Immediate
-allowVolumeExpansion: true
-mountOptions:
- - -o allow_other
- - --file-cache-timeout-in-seconds=120
- - --use-attr-cache=true
- - --cancel-list-on-mount-seconds=10 # prevent billing charges on mounting
- - -o attr_timeout=120
- - -o entry_timeout=120
- - -o negative_timeout=120
- - --log-level=LOG_WARNING # LOG_WARNING, LOG_INFO, LOG_DEBUG
- - --cache-size-mb=1000 # Default will be 80% of available memory, eviction will happen beyond that.
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
- name: azure-blob-fuse-2-standard-grs
-provisioner: blob.csi.azure.com
-parameters:
- skuName: Standard_GRS # available values: Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_ZRS
- protocol: fuse2
-reclaimPolicy: Delete
-volumeBindingMode: Immediate
-allowVolumeExpansion: true
-mountOptions:
- - -o allow_other
- - --file-cache-timeout-in-seconds=120
- - --use-attr-cache=true
- - --cancel-list-on-mount-seconds=10 # prevent billing charges on mounting
- - -o attr_timeout=120
- - -o entry_timeout=120
- - -o negative_timeout=120
- - --log-level=LOG_WARNING # LOG_WARNING, LOG_INFO, LOG_DEBUG
- - --cache-size-mb=1000 # Default will be 80% of available memory, eviction will happen beyond that.
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
- name: azure-blob-fuse-2-standard-ragrs
-provisioner: blob.csi.azure.com
-parameters:
- skuName: Standard_RAGRS # available values: Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_ZRS
- protocol: fuse2
-reclaimPolicy: Delete
-volumeBindingMode: Immediate
-allowVolumeExpansion: true
-mountOptions:
- - -o allow_other
- - --file-cache-timeout-in-seconds=120
- - --use-attr-cache=true
- - --cancel-list-on-mount-seconds=10 # prevent billing charges on mounting
- - -o attr_timeout=120
- - -o entry_timeout=120
- - -o negative_timeout=120
- - --log-level=LOG_WARNING # LOG_WARNING, LOG_INFO, LOG_DEBUG
- - --cache-size-mb=1000 # Default will be 80% of available memory, eviction will happen beyond that.
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
- name: azure-blob-fuse-2-standard-zrs
-provisioner: blob.csi.azure.com
-parameters:
- skuName: Standard_ZRS # available values: Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_ZRS
- protocol: fuse2
-reclaimPolicy: Delete
-volumeBindingMode: Immediate
-allowVolumeExpansion: true
-mountOptions:
- - -o allow_other
- - --file-cache-timeout-in-seconds=120
- - --use-attr-cache=true
- - --cancel-list-on-mount-seconds=10 # prevent billing charges on mounting
- - -o attr_timeout=120
- - -o entry_timeout=120
- - -o negative_timeout=120
- - --log-level=LOG_WARNING # LOG_WARNING, LOG_INFO, LOG_DEBUG
- - --cache-size-mb=1000 # Default will be 80% of available memory, eviction will happen beyond that.
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
- name: azure-blob-fuse-2-premium-zrs
-provisioner: blob.csi.azure.com
-parameters:
- skuName: Premium_ZRS # available values: Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_ZRS
- protocol: fuse2
-reclaimPolicy: Delete
-volumeBindingMode: Immediate
-allowVolumeExpansion: true
-mountOptions:
- - -o allow_other
- - --file-cache-timeout-in-seconds=120
- - --use-attr-cache=true
- - --cancel-list-on-mount-seconds=10 # prevent billing charges on mounting
- - -o attr_timeout=120
- - -o entry_timeout=120
- - -o negative_timeout=120
- - --log-level=LOG_WARNING # LOG_WARNING, LOG_INFO, LOG_DEBUG
- - --cache-size-mb=1000 # Default will be 80% of available memory, eviction will happen beyond that.
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
- name: azure-blob-nfs
-provisioner: blob.csi.azure.com
-parameters:
- protocol: nfs
-volumeBindingMode: Immediate
-allowVolumeExpansion: true
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
- name: azure-blob-std-lrs
-provisioner: blob.csi.azure.com
-parameters:
- skuName: Premium_LRS # available values: Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_ZRS
-reclaimPolicy: Delete
-volumeBindingMode: Immediate
-allowVolumeExpansion: true
-mountOptions:
- - -o allow_other
- - --file-cache-timeout-in-seconds=120
- - --use-attr-cache=true
- - --cancel-list-on-mount-seconds=10 # prevent billing charges on mounting
- - -o attr_timeout=120
- - -o entry_timeout=120
- - -o negative_timeout=120
- - --log-level=LOG_WARNING # LOG_WARNING, LOG_INFO, LOG_DEBUG
- - --cache-size-mb=1000 # Default will be 80% of available memory, eviction will happen beyond that.
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
- name: azure-blob-premium-lrs
-provisioner: blob.csi.azure.com
-parameters:
- skuName: Premium_LRS # available values: Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_ZRS
-reclaimPolicy: Delete
-volumeBindingMode: Immediate
-allowVolumeExpansion: true
-mountOptions:
- - -o allow_other
- - --file-cache-timeout-in-seconds=120
- - --use-attr-cache=true
- - --cancel-list-on-mount-seconds=10 # prevent billing charges on mounting
- - -o attr_timeout=120
- - -o entry_timeout=120
- - -o negative_timeout=120
- - --log-level=LOG_WARNING # LOG_WARNING, LOG_INFO, LOG_DEBUG
- - --cache-size-mb=1000 # Default will be 80% of available memory, eviction will happen beyond that.
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
- name: azure-blob-standard-grs
-provisioner: blob.csi.azure.com
-parameters:
- skuName: Standard_GRS # available values: Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_ZRS
-reclaimPolicy: Delete
-volumeBindingMode: Immediate
-allowVolumeExpansion: true
-mountOptions:
- - -o allow_other
- - --file-cache-timeout-in-seconds=120
- - --use-attr-cache=true
- - --cancel-list-on-mount-seconds=10 # prevent billing charges on mounting
- - -o attr_timeout=120
- - -o entry_timeout=120
- - -o negative_timeout=120
- - --log-level=LOG_WARNING # LOG_WARNING, LOG_INFO, LOG_DEBUG
- - --cache-size-mb=1000 # Default will be 80% of available memory, eviction will happen beyond that.
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
- name: azure-blob-standard-ragrs
-provisioner: blob.csi.azure.com
-parameters:
- skuName: Standard_RAGRS # available values: Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_ZRS
-reclaimPolicy: Delete
-volumeBindingMode: Immediate
-allowVolumeExpansion: true
-mountOptions:
- - -o allow_other
- - --file-cache-timeout-in-seconds=120
- - --use-attr-cache=true
- - --cancel-list-on-mount-seconds=10 # prevent billing charges on mounting
- - -o attr_timeout=120
- - -o entry_timeout=120
- - -o negative_timeout=120
- - --log-level=LOG_WARNING # LOG_WARNING, LOG_INFO, LOG_DEBUG
- - --cache-size-mb=1000 # Default will be 80% of available memory, eviction will happen beyond that.
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
- name: azure-blob-standard-zrs
-provisioner: blob.csi.azure.com
-parameters:
- skuName: Standard_ZRS # available values: Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_ZRS
-reclaimPolicy: Delete
-volumeBindingMode: Immediate
-allowVolumeExpansion: true
-mountOptions:
- - -o allow_other
- - --file-cache-timeout-in-seconds=120
- - --use-attr-cache=true
- - --cancel-list-on-mount-seconds=10 # prevent billing charges on mounting
- - -o attr_timeout=120
- - -o entry_timeout=120
- - -o negative_timeout=120
- - --log-level=LOG_WARNING # LOG_WARNING, LOG_INFO, LOG_DEBUG
- - --cache-size-mb=1000 # Default will be 80% of available memory, eviction will happen beyond that.
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
- name: azure-blob-premium-zrs
-provisioner: blob.csi.azure.com
-parameters:
- skuName: Premium_ZRS # available values: Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS, Standard_ZRS, Premium_ZRS
+ location: westus2
+ resourceGroup: k8s
+ containerNamePrefix: fs-storage-sys-
+ secretName: freeleaps-azure-blob-storage-secret
+ secretNamespace: freeleaps-storage-system
 reclaimPolicy: Delete
 volumeBindingMode: Immediate
 allowVolumeExpansion: true
diff --git a/cluster/manifests/freeleaps-storage-system/azure-blob-storage-csi/tests/test-statefulsets.yaml b/cluster/manifests/freeleaps-storage-system/azure-blob-storage-csi/tests/test-statefulsets.yaml
new file mode 100644
index 00000000..dc1dc746
--- /dev/null
+++ b/cluster/manifests/freeleaps-storage-system/azure-blob-storage-csi/tests/test-statefulsets.yaml
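Review bot: `reclaimPolicy: Delete` (unchanged context at the end of the hunk) now governs the only remaining class, `azure-blob-fuse-2-std-lrs`, which the new Jenkins values select via `persistence.storageClass` for the controller's home directory; with `containerNamePrefix` set, deleting that PVC (for example on an uninstall) removes the provisioned blob container and the Jenkins data with it, so a class that backs stateful data should use `reclaimPolicy: Retain`. The rewrite also drops the entire `mountOptions` block, including `-o allow_other`; if the driver does not add that option on its own, a container running as a non-root user (Jenkins defaults to a non-root uid) may be unable to access the FUSE mount, which is worth verifying before Jenkins depends on this class. The new `secretName`/`secretNamespace` parameters tie every volume this class provisions to the static account key in the Secret above, so rotating that key means updating this one Secret for all of them. A short comment above `location:` stating which account and resource group the containers are created in would make the new parameters self-explanatory.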
@@ -0,0 +1,42 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: statefulset-blob
+ labels:
+ app: nginx
+spec:
+ serviceName: statefulset-blob
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ nodeSelector:
+ "kubernetes.io/os": linux
+ containers:
+ - name: statefulset-blob
+ image: mcr.microsoft.com/mirror/docker/library/nginx:1.23
+ command:
+ - "/bin/bash"
+ - "-c"
+ - set -euo pipefail; while true; do echo $(date) >> /mnt/blob/outfile; sleep 1; done
+ volumeMounts:
+ - name: persistent-storage
+ mountPath: /mnt/blob
+ readOnly: false
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app: nginx
+ volumeClaimTemplates:
+ - metadata:
+ name: persistent-storage
+ spec:
+ storageClassName: azure-blob-fuse-2-std-lrs
+ accessModes: ["ReadWriteMany"]
+ resources:
+ requests:
+ storage: 1Gi
\ No newline at end of file
diff --git a/first-class-pipeline/.gitkeep b/first-class-pipeline/.gitkeep
deleted file mode 100644
index e69de29b..00000000
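Review bot: The test container has no `securityContext`, so the loop runs as root, and `while true; do echo $(date) >> /mnt/blob/outfile; sleep 1; done` appends to the blob once a second with nothing to stop it, so a forgotten test pod keeps growing a file and generating write transactions against the account. A bounded loop such as `- set -euo pipefail; for i in $(seq 1 60); do echo $(date) >> /mnt/blob/outfile; sleep 1; done; sleep infinity` together with `securityContext: {runAsNonRoot: true, runAsUser: 1000}` on the pod would keep the test cheap and would also exercise the non-root access path the Jenkins controller will use on this class. `accessModes: ["ReadWriteMany"]` differs from the `ReadWriteOnce` the Jenkins PVC requests on the same storage class, so this test does not cover the Jenkins configuration as written; a second claim template or a comment noting the gap would help. The file also lacks a trailing newline.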