diff --git a/stable/jenkins/Chart.yaml b/stable/jenkins/Chart.yaml index 107dd017b0c3..11fa2206ead5 100755 --- a/stable/jenkins/Chart.yaml +++ b/stable/jenkins/Chart.yaml @@ -1,6 +1,6 @@ name: jenkins home: https://jenkins.io/ -version: 0.28.11 +version: 0.29.0 appVersion: lts description: Open source continuous integration server. It supports multiple SCM tools including CVS, Subversion and Git. It can execute Apache Ant and Apache Maven-based @@ -9,6 +9,7 @@ sources: - https://github.com/jenkinsci/jenkins - https://github.com/jenkinsci/docker-jnlp-slave - https://github.com/nuvo/kube-tasks +- https://github.com/jenkinsci/configuration-as-code-plugin maintainers: - name: lachie83 email: lachlan.evenson@microsoft.com diff --git a/stable/jenkins/README.md b/stable/jenkins/README.md index f321afdc2aad..e78cf58203a8 100644 --- a/stable/jenkins/README.md +++ b/stable/jenkins/README.md 
@@ -69,12 +69,12 @@ The following tables list the configurable parameters of the Jenkins chart and t | `Master.LoadBalancerIP` | Optional fixed external IP | Not set | | `Master.JMXPort` | Open a port, for JMX stats | Not set | | `Master.ExtraPorts` | Open extra ports, for other uses | Not set | -| `Master.CustomConfigMap` | Use a custom ConfigMap | `false` | -| `Master.AdditionalConfig` | Add additional config files | `{}` | | `Master.OverwriteConfig` | Replace config w/ ConfigMap on boot | `false` | | `Master.Ingress.Annotations` | Ingress annotations | `{}` | | `Master.Ingress.Path` | Ingress path | Not set | | `Master.Ingress.TLS` | Ingress TLS configuration | `[]` | +| `Master.JCasC.ConfigScripts` | List of Jenkins Config as Code scripts | False | +| `Master.Sidecar.configAutoReload` | Jenkins Config as Code auto-reload settings | False | | `Master.InitScripts` | List of Jenkins init scripts | Not set | | `Master.CredentialsXmlSecret` | Kubernetes secret that contains a 'credentials.xml' file | Not set | | `Master.SecretsFilesSecret` | Kubernetes secret that contains 'secrets' files | Not set | @@ -86,6 +86,8 @@ The following tables list the configurable parameters of the Jenkins chart and t | `Master.Affinity` | Affinity settings | `{}` | | `Master.Tolerations` | Toleration labels for pod assignment | `{}` | | `Master.PodAnnotations` | Annotations for master pod | `{}` | +| `Master.CustomConfigMap` | Deprecated: Use a custom ConfigMap | `false` | +| `Master.AdditionalConfig` | Deprecated: Add additional config files | `{}` | | `NetworkPolicy.Enabled` | Enable creation of NetworkPolicy resources. | `false` | | `NetworkPolicy.ApiVersion` | NetworkPolicy ApiVersion | `networking.k8s.io/v1` | | `rbac.install` | Create service account and ClusterRoleBinding for Kubernetes plugin | `false` | 
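Review bot: the parameter table in this README hunk documents the new keys with wrong defaults and leaves most of them out. `Master.JCasC.ConfigScripts` is listed with default `False`, but values.yaml ships it as a map holding a `welcome-message` script, and `Master.Sidecar.configAutoReload` is a map whose `enabled` key defaults to `false`, not a scalar `False`. Rows are missing for `Master.JCasC.enabled` (the switch the templates actually test), `Master.JCasC.PluginVersion`, `Master.JCasC.SupportPluginVersion`, `Master.OwnSshKey`, `Master.Sidecar.image`, `Master.Sidecar.imagePullPolicy` and `Master.Sidecar.resources`. Please add one row per key, e.g. `| Master.JCasC.enabled | Enable Jenkins Configuration as Code | false |`, and describe the `ConfigScripts` default as the values.yaml example rather than `False`.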
@@ -215,25 +217,41 @@ It is possible to mount several volumes using `Persistence.volumes` and `Persist $ helm install --name my-release --set Persistence.ExistingClaim=PVC_NAME stable/jenkins ``` -## Custom ConfigMap - -When creating a new parent chart with this chart as a dependency, the `CustomConfigMap` parameter can be used to override the default config.xml provided. -It also allows for providing additional xml configuration files that will be copied into `/var/jenkins_home`. In the parent chart's values.yaml, -set the `jenkins.Master.CustomConfigMap` value to true like so +## Configuration as Code +Jenkins Configuration as Code is now a standard component in the Jenkins project. Add a key under ConfigScripts for each configuration area, where each corresponds to a plugin or section of the UI. The keys (prior to | character) are just labels, and can be any value. They are only used to give the section a meaningful name. The only restriction is they must conform to RFC 1123 definition of a DNS label, so may only contain lowercase letters, numbers, and hyphens. Each key will become the name of a configuration yaml file on the master in /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin during Jenkins startup. The lines after each | become the content of the configuration yaml file. The first line after this is a JCasC root element, eg jenkins, credentials, etc. Best reference is the Documentation link here: https:///configuration-as-code. The example below creates ldap settings: ```yaml -jenkins: - Master: - CustomConfigMap: true +ConfigScripts: + ldap-settings: | + jenkins: + securityRealm: + ldap: + configurations: + configurations: + - server: ldap.acme.com + rootDN: dc=acme,dc=uk + managerPasswordSecret: ${LDAP_PASSWORD} + - groupMembershipStrategy: + fromUserRecord: + attributeName: "memberOf" ``` -and provide the file `templates/config.tpl` in your parent chart for your use case. 
You can start by copying the contents of `config.yaml` from this chart into your parent charts `templates/config.tpl` as a basis for customization. Finally, you'll need to wrap the contents of `templates/config.tpl` like so: +Further JCasC examples can be found [here.](https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/demos) +### Config as Code with and without auto-reload +Config as Code changes (to Master.JCasC.ConfigScripts) can either force a new pod to be created and only be applied at next startup, or can be auto-reloaded on-the-fly. If you choose `Master.Sidecar.autoConfigReload.enabled: true`, a second, auxiliary container will be installed into the Jenkins master pod, known as a "sidecar". This watches for changes to ConfigScripts, copies the content onto the Jenkins file-system and issues a CLI command via SSH to reload configuration. The admin user (or account you specify in Master.AdminUser) will have a random SSH private key (RSA 4096) assigned unless you specify `Master.OwnSshKey: true`. This will be saved to a k8s secret. You can monitor this sidecar's logs using command `kubectl logs -c jenkins-sc-config -f` +### Auto-reload with non-Jenkins identities +When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist. Since the admin account is used by the sidecar to reload config, in order to use auto-reload, you must change the .Master.AdminUser to a valid username on your LDAP (or other) server. If you use the matrix-auth plugin, this user must also be granted Overall\Administer rights in Jenkins. Failure to do this will cause the sidecar container to fail to authenticate via SSH and enter a restart loop. 
You can enable LDAP using the example above and add a Config as Code block for matrix security that includes: ```yaml -{{- define "override_config_map" }} - -{{ end }} +ConfigScripts: + matrix-auth: | + Jenkins: + authorizationStrategy: + projectMatrix: + grantedPermissions: + - "Overall/Administer:" ``` +You can instead grant this permission via the UI. When this is done, you can set `Master.Sidecar.configAutoReload.enabled: true` and upon the next Helm upgrade, auto-reload will be successfully enabled. ## RBAC @@ -366,3 +384,25 @@ Master: -Dhttps.proxyHost=192.168.64.1 -Dhttps.proxyPort=3128 ``` + +## Custom ConfigMap + +The following configuration method is deprecated and will be removed in an upcoming version of this chart. +We recommend you use Jenkins Configuration as Code to configure instead. +When creating a new parent chart with this chart as a dependency, the `CustomConfigMap` parameter can be used to override the default config.xml provided. +It also allows for providing additional xml configuration files that will be copied into `/var/jenkins_home`. In the parent chart's values.yaml, +set the `jenkins.Master.CustomConfigMap` value to true like so + +```yaml +jenkins: + Master: + CustomConfigMap: true +``` + +and provide the file `templates/config.tpl` in your parent chart for your use case. You can start by copying the contents of `config.yaml` from this chart into your parent charts `templates/config.tpl` as a basis for customization. Finally, you'll need to wrap the contents of `templates/config.tpl` like so: + +```yaml +{{- define "override_config_map" }} + +{{ end }} +``` diff --git a/stable/jenkins/templates/NOTES.txt b/stable/jenkins/templates/NOTES.txt index 2a304b4ef17d..c2c3f8d8bd05 100644 --- a/stable/jenkins/templates/NOTES.txt +++ b/stable/jenkins/templates/NOTES.txt 
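Review bot: the new README section references a values key that does not exist and its copy-paste examples contain mistakes readers will inherit. "If you choose `Master.Sidecar.autoConfigReload.enabled: true`" should read `Master.Sidecar.configAutoReload.enabled: true`, the key the templates and the rest of the section use. In the matrix-auth example the root element is written `Jenkins:`; JCasC root elements are lowercase (`jenkins:`, as in the LDAP example just above), so that block would be rejected. In the LDAP example `configurations:` appears twice in a row and `groupMembershipStrategy` starts a second list item instead of being a field of the `server:` entry; please check the snippet against the linked plugin demos before it ships. The matrix-auth grant `"Overall/Administer:"` has nothing after the colon as rendered here, so say explicitly that the LDAP user name goes there. The documentation link `https:///configuration-as-code` has no host; it should be built from the Jenkins URL as NOTES.txt does. Finally, `kubectl logs -c jenkins-sc-config -f` names neither the pod nor the release: the container is `{{ template "jenkins.name" . }}-sc-config` in the deployment, so give the full form with the pod name and note that the prefix follows the chart name.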
@@ -26,9 +26,16 @@ {{- end }} 3. Login with the password from step 1 and the username: {{ .Values.Master.AdminUser }} +{{ if .Values.Master.JCasC.enabled }} +4. Use Jenkins Configuration as Code by specifying ConfigScripts in your values.yaml file, see documentation: http://{{ .Values.Master.HostName }}/configuration-as-code and examples: https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/demos +{{- end }} For more information on running Jenkins on Kubernetes, visit: https://cloud.google.com/solutions/jenkins-on-container-engine +{{- if .Values.Master.JCasC.enabled }} +For more information about Jenkins Configuration as Code, visit: +https://jenkins.io/projects/jcasc/ +{{- end }} {{- if .Values.Persistence.Enabled }} {{- else }} diff --git a/stable/jenkins/templates/_helpers.tpl b/stable/jenkins/templates/_helpers.tpl index eac695f6b7ad..3a0569cc98f1 100644 --- a/stable/jenkins/templates/_helpers.tpl +++ b/stable/jenkins/templates/_helpers.tpl @@ -32,3 +32,13 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} {{- end -}} + +{{/* +Generate private key for jenkins CLI +*/}} +{{- define "jenkins.gen-key" -}} +{{- if not .Values.Master.OwnSshKey -}} +{{- $key := genPrivateKey "rsa" -}} +jenkins-admin-private-key: {{ $key | b64enc }} +{{- end -}} +{{- end -}} diff --git a/stable/jenkins/templates/config.yaml b/stable/jenkins/templates/config.yaml index e67276f1ae1a..dda84a3086fe 100644 --- a/stable/jenkins/templates/config.yaml +++ b/stable/jenkins/templates/config.yaml 
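Review bot: the documentation URL in step 4 of NOTES.txt is built from `Master.HostName` alone, so it renders as `http:///configuration-as-code` when no host name is set and always uses plain `http://` even when `Master.Ingress.TLS` is configured, ignoring `Master.JenkinsUrl` and `Master.JenkinsUriPrefix` as well. The config.yaml hunk below already derives the right base URL for `jenkins.model.JenkinsLocationConfiguration.xml` (JenkinsUrl, else https/http by TLS, else the service name and port); move that logic into a helper in `_helpers.tpl` next to `jenkins.gen-key` and use it in both places so the two never diverge.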
@@ -187,15 +187,15 @@ data: {{- if .Values.Master.JenkinsUrl }} {{ .Values.Master.JenkinsUrl }} {{- else }} -{{- if .Values.Master.HostName }} -{{- if .Values.Master.Ingress.TLS }} + {{- if .Values.Master.HostName }} + {{- if .Values.Master.Ingress.TLS }} https://{{ .Values.Master.HostName }}{{ default "" .Values.Master.JenkinsUriPrefix }} -{{- else }} + {{- else }} http://{{ .Values.Master.HostName }}{{ default "" .Values.Master.JenkinsUriPrefix }} -{{- end }} -{{- else }} + {{- end }} + {{- else }} http://{{ template "jenkins.fullname" . }}:{{.Values.Master.ServicePort}}{{ default "" .Values.Master.JenkinsUriPrefix }} -{{- end}} + {{- end}} {{- end}} jenkins.CLI.xml: |- @@ -214,15 +214,15 @@ data: cp /var/jenkins_config/config.xml /var/jenkins_home; cp /var/jenkins_config/jenkins.CLI.xml /var/jenkins_home; cp /var/jenkins_config/jenkins.model.JenkinsLocationConfiguration.xml /var/jenkins_home; -{{- else }} + {{- else }} yes n | cp -i /var/jenkins_config/config.xml /var/jenkins_home; yes n | cp -i /var/jenkins_config/jenkins.CLI.xml /var/jenkins_home; yes n | cp -i /var/jenkins_config/jenkins.model.JenkinsLocationConfiguration.xml /var/jenkins_home; -{{- if .Values.Master.AdditionalConfig }} + {{- if .Values.Master.AdditionalConfig }} {{- range $key, $val := .Values.Master.AdditionalConfig }} cp /var/jenkins_config/{{- $key }} /var/jenkins_home; -{{- end }} -{{- end }} + {{- end }} + {{- end }} {{- end }} {{- if .Values.Master.InstallPlugins }} # Install missing plugins 
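Review bot: both hunks in config.yaml only add leading spaces in front of `{{- if`, `{{- else }}` and `{{- end }}` actions; because `{{-` trims the whitespace before it, the rendered ConfigMap is unchanged, so this is a pure re-indentation that makes the feature diff harder to review. Keep it if you like, but in its own commit rather than mixed into the JCasC change.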
@@ -235,10 +235,25 @@ data: {{- if .Values.Master.ScriptApproval }} yes n | cp -i /var/jenkins_config/scriptapproval.xml /var/jenkins_home/scriptApproval.xml; {{- end }} +{{- if and (.Values.Master.JCasC.enabled) (.Values.Master.Sidecar.configAutoReload.enabled) }} + {{- if not .Values.Master.InitScripts }} + mkdir -p /var/jenkins_home/init.groovy.d/; + yes n | cp -i /var/jenkins_config/*.groovy /var/jenkins_home/init.groovy.d/; + {{- end }} +{{- end }} {{- if .Values.Master.InitScripts }} mkdir -p /var/jenkins_home/init.groovy.d/; yes n | cp -i /var/jenkins_config/*.groovy /var/jenkins_home/init.groovy.d/; {{- end }} +{{- if .Values.Master.JCasC.enabled }} + {{- if .Values.Master.Sidecar.configAutoReload.enabled }} + bash -c 'ssh-keygen -y -f <(echo "${ADMIN_PRIVATE_KEY}") > /var/jenkins_home/key.pub' + {{- else }} + mkdir -p /var/jenkins_home/casc_configs; + rm -rf /var/jenkins_home/casc_configs/* + cp -v /var/jenkins_config/*.yaml /var/jenkins_home/casc_configs + {{- end }} +{{- end }} {{- if .Values.Master.CredentialsXmlSecret }} yes n | cp -i /var/jenkins_credentials/credentials.xml /var/jenkins_home; {{- end }} 
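Review bot: the chart-managed `init-add-ssh-key-to-admin.groovy` is installed with `yes n | cp -i /var/jenkins_config/*.groovy /var/jenkins_home/init.groovy.d/;`, which never overwrites an existing file, so on a persistent `JENKINS_HOME` a later change to `Master.AdminUser` or `sshTcpPort` (both baked into that script) is silently ignored while the sidecar keeps trying the new settings. Copy chart-generated init scripts unconditionally (plain `cp`) and reserve `cp -i` for user-supplied files. The block is also duplicated: the new `if not InitScripts` branch and the existing `if InitScripts` branch run identical commands, so one block guarded by a combined condition would do. Note too that `bash -c 'ssh-keygen -y -f <(echo "${ADMIN_PRIVATE_KEY}") > /var/jenkins_home/key.pub'` runs inside a script otherwise executed by `sh` and needs both bash and ssh-keygen in `Master.Image`; state that requirement, and make the init container fail explicitly if the public key cannot be derived instead of letting Jenkins boot with an empty `key.pub`.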
@@ -254,12 +269,45 @@ data: {{- range $key, $val := .Values.Master.InitScripts }} init{{ $key }}.groovy: |- {{ $val | indent 4 }} +{{- end }} +{{- if .Values.Master.JCasC.enabled }} + {{- if .Values.Master.Sidecar.configAutoReload.enabled }} + init-add-ssh-key-to-admin.groovy: |- + import jenkins.security.* + import hudson.model.User + import jenkins.security.ApiTokenProperty + import jenkins.model.Jenkins + User u = User.get("{{ .Values.Master.AdminUser | default "admin" }}") + ApiTokenProperty t = u.getProperty(ApiTokenProperty.class) + String sshKeyString = new File('/var/jenkins_home/key.pub').text + keys_param = new org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl(sshKeyString) + u.addProperty(keys_param) + def inst = Jenkins.getInstance() + def sshDesc = inst.getDescriptor("org.jenkinsci.main.modules.sshd.SSHD") + sshDesc.setPort({{ .Values.Master.Sidecar.configAutoReload.sshTcpPort | default 1044 }}) + sshDesc.getActualPort() + sshDesc.save() + {{- else }} +# Only add config to this script if we aren't auto-reloading otherwise the pod will restart upon each config change: +{{- range $key, $val := .Values.Master.JCasC.ConfigScripts }} + {{ $key }}.yaml: |- +{{ tpl $val $| indent 4 }} +{{- end }} +{{- end }} {{- end }} plugins.txt: |- {{- if .Values.Master.InstallPlugins }} {{- range $index, $val := .Values.Master.InstallPlugins }} {{ $val | indent 4 }} {{- end }} +{{- if .Values.Master.JCasC.enabled }} + {{- if not (contains "configuration-as-code" (quote .Values.Master.InstallPlugins)) }} + configuration-as-code:{{ .Values.Master.JCasC.PluginVersion }} + {{- end }} + {{- if not (contains "configuration-as-code-support" (quote .Values.Master.InstallPlugins)) }} + configuration-as-code-support:{{ .Values.Master.JCasC.SupportPluginVersion }} + {{- end }} +{{- end }} {{- end }} {{ else }} {{ include "override_config_map" . }} 
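Review bot: in auto-reload mode nothing orders the sidecar's first copy before Jenkins reads `CASC_JENKINS_CONFIG`. The `ConfigScripts` are deliberately kept out of this ConfigMap ("otherwise the pod will restart upon each config change"), the folder the master reads is an emptyDir the sidecar fills, and the sidecar can only trigger a reload once the SSHD that `init-add-ssh-key-to-admin.groovy` enables is listening, so the first boot runs with no JCasC configuration (including any `securityRealm`) until that reload succeeds. Either document the window or have the init container seed the folder. In the groovy script, `import jenkins.security.*`, `ApiTokenProperty t = u.getProperty(ApiTokenProperty.class)` and the bare `sshDesc.getActualPort()` are leftovers with no effect; drop them. In plugins.txt, `contains "configuration-as-code" (quote .Values.Master.InstallPlugins)` also matches `configuration-as-code-support`, so a user who pins only the support plugin gets the main plugin omitted; test for the `configuration-as-code:` token with the colon instead.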
diff --git a/stable/jenkins/templates/jcasc_config.yaml b/stable/jenkins/templates/jcasc_config.yaml new file mode 100644 index 000000000000..2b9ed47f1e67 --- /dev/null +++ b/stable/jenkins/templates/jcasc_config.yaml @@ -0,0 +1,18 @@ +{{- $root := . }} +{{- if and (.Values.Master.JCasC.enabled) (.Values.Master.Sidecar.configAutoReload.enabled) }} +{{- range $key, $val := .Values.Master.JCasC.ConfigScripts }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: jenkins-config-{{ template "jenkins.fullname" $root }}-{{ $key }} + labels: + {{ $.Values.Master.Sidecar.configAutoReload.label | default "jenkins_config" }}: "true" + release: {{ $root.Release.Name }} + chart: "{{ $root.Chart.Name }}-{{ $root.Chart.Version }}" + component: "{{ $root.Release.Name }}-{{ $.Values.Master.Name }}" +data: + {{ $key }}.yaml: |- +{{ tpl $val $| indent 4 }} +{{- end }} +{{- end }} diff --git a/stable/jenkins/templates/jenkins-master-deployment.yaml b/stable/jenkins/templates/jenkins-master-deployment.yaml index 3f85390c9fdf..76b6b15c54b6 100644 --- a/stable/jenkins/templates/jenkins-master-deployment.yaml +++ b/stable/jenkins/templates/jenkins-master-deployment.yaml 
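Review bot: label-based discovery turns ConfigMap creation into Jenkins administration. Every ConfigMap carrying `{{ $.Values.Master.Sidecar.configAutoReload.label | default "jenkins_config" }}: "true"` in the search namespace (every namespace when `searchNamespace: ALL`) is copied into `CASC_JENKINS_CONFIG` and applied, and a JCasC file can redefine `securityRealm`, `authorizationStrategy` and `credentials`, so any principal with `create configmaps` there gains full control of the master. Document that the sidecar runs under the pod's service account (the `rbac.install` ClusterRoleBinding one when that is enabled), that ConfigMap write in that namespace is equivalent to Jenkins admin, that the default search should stay scoped to the release namespace, and that `ALL` is unsafe; also note the sidecar will fail with 403 when `rbac.install: false` and the default service account cannot list or watch ConfigMaps. Smaller points: the label here falls back with `| default "jenkins_config"` while the sidecar's `LABEL` env has no default, so an empty value makes the two disagree; use one expression for both, and add the `release` label to the selector if the sidecar supports it so two releases in one namespace do not read each other's scripts.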
@@ -59,17 +59,38 @@ spec: serviceAccountName: {{ if .Values.rbac.install }}{{ template "jenkins.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }} {{- if .Values.Master.HostNetworking }} hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet + dnsPolicy: ClusterFirstWithHostNet {{- end }} initContainers: - name: "copy-default-config" image: "{{ .Values.Master.Image }}:{{ .Values.Master.ImageTag }}" imagePullPolicy: "{{ .Values.Master.ImagePullPolicy }}" command: [ "sh", "/var/jenkins_config/apply_config.sh" ] - {{- if .Values.Master.InitContainerEnv }} env: -{{ toYaml .Values.Master.InitContainerEnv | indent 12 }} - {{- end }} + {{- if .Values.Master.UseSecurity }} + - name: ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "jenkins.fullname" . }} + key: jenkins-admin-password + - name: ADMIN_USER + valueFrom: + secretKeyRef: + name: {{ template "jenkins.fullname" . }} + key: jenkins-admin-user + {{- if or (.Values.Master.OwnSshKey) (.Values.Master.Sidecar.configAutoReload.enabled) }} + {{- if .Values.Master.JCasC.enabled }} + - name: ADMIN_PRIVATE_KEY + valueFrom: + secretKeyRef: + name: {{ template "jenkins.fullname" . }} + key: {{ "jenkins-admin-private-key" | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.Master.InitContainerEnv }} + {{ toYaml .Values.Master.InitContainerEnv | indent 12 }} + {{- end }} resources: {{ toYaml .Values.Master.resources | indent 12 }} volumeMounts: 
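Review bot: the init container now receives `ADMIN_PASSWORD` and `ADMIN_USER` whenever `Master.UseSecurity` is on, but `apply_config.sh` only reads `ADMIN_PRIVATE_KEY`; the password should not be handed to a container that does not use it, so keep only the key, and only under the condition that needs it. Two more issues in this hunk: `{{ toYaml .Values.Master.InitContainerEnv | indent 12 }}` was at column 0 and now appears to be preceded by whitespace; `indent` pads the first line as well, so with `InitContainerEnv` set the first `- name:` entry renders deeper than the following lines and the env list no longer parses. Put the action back at column 0 or use `{{- toYaml .Values.Master.InitContainerEnv | nindent 12 }}`. And the `ADMIN_PRIVATE_KEY` guard is `or OwnSshKey configAutoReload.enabled` while secret.yaml only writes that key under `and JCasC.enabled configAutoReload.enabled` with `not OwnSshKey`, so `OwnSshKey: true` with auto-reload off references a secret key nothing creates and the pod sits in `CreateContainerConfigError`; make the two conditions the same expression.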
@@ -109,6 +130,50 @@ spec: mountPath: /usr/share/jenkins/ref/secrets/ name: secrets-dir containers: +{{- if and (.Values.Master.JCasC.enabled) (.Values.Master.Sidecar.configAutoReload.enabled) }} + - name: {{ template "jenkins.name" . }}-sc-config + image: "{{ .Values.Master.Sidecar.image }}" + imagePullPolicy: {{ .Values.Master.Sidecar.imagePullPolicy }} + env: + - name: JENKINSRELOADCONFIG + value: "true" + - name: LABEL + value: "{{ .Values.Master.Sidecar.configAutoReload.label }}" + - name: FOLDER + value: "{{ .Values.Master.Sidecar.configAutoReload.folder }}" + - name: NAMESPACE + value: "{{ .Values.Master.Sidecar.configAutoReload.searchNamespace }}" + - name: SSH_PORT + value: "{{ .Values.Master.Sidecar.configAutoReload.sshTcpPort }}" + - name: JENKINS_PORT + value: "{{ .Values.Master.ServicePort }}" + {{- if .Values.Master.UseSecurity }} + - name: ADMIN_USER + valueFrom: + secretKeyRef: + name: {{ template "jenkins.fullname" . }} + key: jenkins-admin-user + {{- if or (.Values.Master.OwnSshKey) (.Values.Master.Sidecar.configAutoReload.enabled) }} + {{- if .Values.Master.JCasC.enabled }} + - name: ADMIN_PRIVATE_KEY + valueFrom: + secretKeyRef: + name: {{ template "jenkins.fullname" . }} + key: {{ "jenkins-admin-private-key" | quote }} + {{- end }} + {{- end }} + {{- end }} + resources: +{{ toYaml .Values.Master.Sidecar.resources | indent 12 }} + volumeMounts: + - name: sc-config-volume + mountPath: {{ .Values.Master.Sidecar.configAutoReload.folder | quote }} + - name: jenkins-home + mountPath: /var/jenkins_home + {{- if .Values.Persistence.SubPath }} + subPath: {{ .Values.Persistence.SubPath }} + {{- end }} +{{- end}} - name: {{ template "jenkins.fullname" . }} image: "{{ .Values.Master.Image }}:{{ .Values.Master.ImageTag }}" imagePullPolicy: "{{ .Values.Master.ImagePullPolicy }}" 
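Review bot: the sidecar gets more than it needs. It is mounted read-write on `jenkins-home` at `/var/jenkins_home` although it only writes into `sc-config-volume` (mounted at the same `configAutoReload.folder`), so a compromise of this third-party container yields a writable `JENKINS_HOME` on top of the admin SSH key it already holds; drop the `jenkins-home` mount and add a `securityContext` (non-root, `readOnlyRootFilesystem: true`) plus real default `resources` limits rather than a commented-out block. `JENKINS_PORT` is set from `Master.ServicePort`, but the master container listens on `containerPort: 8080` inside the pod; if the sidecar reaches Jenkins over localhost it must use 8080, otherwise a non-default `ServicePort` breaks reloads. `LABEL` is rendered without the `| default "jenkins_config"` fallback used in jcasc_config.yaml; use the same expression in both templates.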
@@ -131,10 +196,23 @@ spec: secretKeyRef: name: {{ template "jenkins.fullname" . }} key: jenkins-admin-user + {{- if or (.Values.Master.OwnSshKey) (.Values.Master.Sidecar.configAutoReload.enabled) }} + {{- if .Values.Master.JCasC.enabled }} + - name: ADMIN_PRIVATE_KEY + valueFrom: + secretKeyRef: + name: {{ template "jenkins.fullname" . }} + key: {{ "jenkins-admin-private-key" | quote }} + {{- end }} + {{- end }} {{- end }} {{- if .Values.Master.ContainerEnv }} {{ toYaml .Values.Master.ContainerEnv | indent 12 }} {{- end }} + {{- if .Values.Master.JCasC.enabled }} + - name: CASC_JENKINS_CONFIG + value: {{ .Values.Master.Sidecar.configAutoReload.folder | default "/var/jenkins_home/casc_configs" | quote }} + {{- end }} ports: - containerPort: 8080 name: http @@ -217,6 +295,10 @@ spec: mountPath: /usr/share/jenkins/ref/secrets/ name: secrets-dir readOnly: false + {{- if and (.Values.Master.JCasC.enabled) (.Values.Master.Sidecar.configAutoReload.enabled) }} + - name: sc-config-volume + mountPath: {{ .Values.Master.Sidecar.configAutoReload.folder | default "/var/jenkins_home/casc_configs" | quote }} + {{- end }} volumes: {{- if .Values.Persistence.volumes }} {{ toYaml .Values.Persistence.volumes | indent 6 }} @@ -252,6 +334,10 @@ spec: {{- else }} emptyDir: {} {{- end -}} + {{- if .Values.Master.JCasC.enabled }} + - name: sc-config-volume + emptyDir: {} + {{- end }} {{- if .Values.Master.ImagePullSecret }} imagePullSecrets: - name: {{ .Values.Master.ImagePullSecret }} diff --git a/stable/jenkins/templates/secret.yaml b/stable/jenkins/templates/secret.yaml index 47cc2e056ef8..8642ad30391b 100644 --- a/stable/jenkins/templates/secret.yaml +++ b/stable/jenkins/templates/secret.yaml 
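Review bot: `ADMIN_PRIVATE_KEY` is also injected into the Jenkins master container, which has no use for it: the init container derives the public key and the sidecar authenticates with the private one. In the master it lands in the process environment, where it is shown on the System Information page and inherited by any build step that runs on the master (`NumExecutors` > 0) or by anything launched from the Script Console; remove it from this container. Also, `sc-config-volume` is declared whenever `Master.JCasC.enabled` but mounted only when `configAutoReload.enabled` as well, leaving an unused emptyDir in the non-reload case; use the same `and` condition in both places.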
@@ -15,5 +15,10 @@ data: {{ else }} jenkins-admin-password: {{ randAlphaNum 10 | b64enc | quote }} {{ end }} + {{ if and (.Values.Master.JCasC.enabled) (.Values.Master.Sidecar.configAutoReload.enabled) }} + {{ if not .Values.Master.OwnSshKey }} + {{ ( include "jenkins.gen-key" . ) }} + {{ end }} + {{ end }} jenkins-admin-user: {{ .Values.Master.AdminUser | b64enc | quote }} {{- end }} \ No newline at end of file diff --git a/stable/jenkins/values.yaml b/stable/jenkins/values.yaml index 4a4b87de3aa1..9937cd1112ec 100644 --- a/stable/jenkins/values.yaml +++ b/stable/jenkins/values.yaml @@ -16,6 +16,7 @@ Master: # ImagePullSecret: jenkins Component: "jenkins-master" NumExecutors: 0 + # configAutoReload requires UseSecurity is set to true: UseSecurity: true # SecurityRealm: # Optionally configure a different AuthorizationStrategy using Jenkins XML 
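Review bot: `genPrivateKey "rsa"` runs on every template render, so each `helm upgrade` writes a new `jenkins-admin-private-key` into the release Secret (as `randAlphaNum 10` already does for the password). The running master and sidecar keep the old pair in their environment until both restart, so they stay consistent, but an upgrade that only changes `ConfigScripts` silently rotates the key at the next restart; say so in the README and values comments. The `OwnSshKey` guard is evaluated both here and inside `jenkins.gen-key`; keep one. The new values.yaml comment `# configAutoReload requires UseSecurity is set to true:` is not enforced anywhere: with `UseSecurity: false` the sidecar starts without `ADMIN_USER` or the key and loops on SSH failures; add a `{{ fail "..." }}` (or `required`) in the deployment when auto-reload is enabled without `UseSecurity`.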
@@ -24,15 +25,27 @@ Master: # true # HostNetworking: false + # When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist. + # Since the AdminUser is used by configAutoReload, in order to use configAutoReload you must change the + # .Master.AdminUser to a valid username on your LDAP (or other) server. This user does not need + # to have administrator rights in Jenkins (the default Overall:Read is sufficient) nor will it be granted any + # additional rights. Failure to do this will cause the sidecar container to fail to authenticate via SSH and enter + # a restart loop. Likewise if you disable the non-Jenkins identity store and instead use the Jenkins internal one, + # you should revert Master.AdminUser to your preferred admin user: AdminUser: admin # AdminPassword: + OwnSshKey: false + # If CasC auto-reload is enabled, an SSH (RSA) keypair is needed. Can either provide your own, or leave unconfigured\false to allow a random key to be auto-generated. + # If you choose to use your own, you must upload your decrypted RSA private key (not the public key above) to a Kubernetes secret using the following command: + # kubectl -n create secret generic --dry-run --from-file=jenkins-admin-private-key=~/.ssh/id_rsa -o yaml |kubectl -n apply -f - + # Replace ~/.ssh/id_rsa in the above command with the path to your private key file and the and placeholders to suit. resources: requests: cpu: "50m" memory: "256Mi" limits: cpu: "2000m" - memory: "2048Mi" + memory: "4096Mi" # Environment variables that get added to the init container (useful for e.g. http_proxy) # InitContainerEnv: # - name: http_proxy @@ -116,6 +129,7 @@ Master: ExtraPorts: # - name: BuildInfoProxy # port: 9000 + # List of plugins to be install during Jenkins master start InstallPlugins: - kubernetes:1.14.0 
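Review bot: this comment contradicts the README that ships in the same PR. Here the reload account "does not need to have administrator rights in Jenkins (the default Overall:Read is sufficient)", while the README's "Auto-reload with non-Jenkins identities" section says it "must also be granted Overall\Administer rights" and that the sidecar fails otherwise. Reloading Jenkins configuration through the CLI is an administrative action, so keep the README wording and fix this comment. The `OwnSshKey` instructions tell operators to upload `~/.ssh/id_rsa`, i.e. their personal key, into a Secret readable by anyone with `get secrets` in the namespace; tell them to generate a dedicated passphrase-less key (`ssh-keygen -t rsa -b 4096 -N '' -f jenkins-cli-key`) instead, replace "decrypted" with "unencrypted", and state that the Secret must be the release Secret named `{{ template "jenkins.fullname" . }}`, because that is the only name the deployment's `secretKeyRef` reads. The namespace and secret-name placeholders in the `kubectl` command are missing as rendered. Raising the default memory limit from `2048Mi` to `4096Mi` is unrelated to JCasC and changes scheduling for every user; split it out or explain it. Typo: "List of plugins to be install" should read "installed".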
@@ -123,6 +137,7 @@ Master: - workflow-aggregator:2.6 - credentials-binding:1.17 - git:3.9.1 + # Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter), useful with ghprb plugin. # The plugin is not installed by default, please update Master.InstallPlugins. # EnableRawHtmlMarkupFormatter: true 
@@ -144,11 +159,54 @@ Master: # Jobs: # test: |- # <> - CustomConfigMap: false - # By default, the configMap is only used to set the initial config the first time - # that the chart is installed. Setting `OverwriteConfig` to `true` will overwrite - # the jenkins config with the contents of the configMap every time the pod starts. - OverwriteConfig: false + + # Below is the implementation of Jenkins Configuration as Code. Add a key under ConfigScripts for each configuration area, + # where each corresponds to a plugin or section of the UI. Each key (prior to | character) is just a label, and can be any value. + # Keys are only used to give the section a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label + # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the master in + # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each | + # become the content of the configuration yaml file. The first line after this is a JCasC root element, eg jenkins, credentials, + # etc. Best reference is https:///configuration-as-code/reference. The example below creates a welcome message: + JCasC: + enabled: false + PluginVersion: 1.5 + SupportPluginVersion: 1.5 + ConfigScripts: + welcome-message: | + jenkins: + systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'. + + Sidecar: + image: shadwell/k8s-sidecar:0.0.2 + imagePullPolicy: IfNotPresent + resources: + # limits: + # cpu: 100m + # memory: 100Mi + # requests: + # cpu: 50m + # memory: 50Mi + configAutoReload: + # If enabled: true, Jenkins Configuration as Code will be reloaded on-the-fly without a reboot. If false or not-specified, + # jcasc changes will cause a reboot and will only be applied at the subsequent start-up. Auto-reload uses the Jenkins CLI + # over SSH to reapply config when changes to the ConfigScripts are detected. 
The admin user (or account you specify in + # Master.AdminUser) will have a random SSH private key (RSA 4096) assigned unless you specify OwnSshKey: true. This will be saved to a k8s secret. + enabled: false + # SSH port value can be set to any unused TCP port. The default, 1044, is a non-standard SSH port that has been chosen at random. + # Is only used to reload jcasc config from the sidecar container running in the Jenkins master pod. + # This TCP port will not be open in the pod (unless you specifically configure this), so Jenkins will not be + # accessible via SSH from outside of the pod. Note if you use non-root pod privileges (RunAsUser & FsGroup), + # this must be > 1024: + sshTcpPort: 1044 + # label that the configmaps with dashboards are marked with: + label: jenkins_config + # folder in the pod that should hold the collected dashboards: + folder: /var/jenkins_home/casc_configs + # If specified, the sidecar will search for dashboard config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces: + # searchNamespace: + # Node labels and tolerations for pod assignment # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature 
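Review bot: `PluginVersion: 1.5` and `SupportPluginVersion: 1.5` are YAML floats, so a value such as `1.10` renders as `configuration-as-code:1.1` in plugins.txt; quote them (`"1.5"`) and say so in the comment. The sidecar image `shadwell/k8s-sidecar:0.0.2` comes from a personal Docker Hub namespace, and that container holds the admin SSH key and reads every labelled ConfigMap; pin it by digest and document where it is built from. The `sshTcpPort` comment claims the port "will not be open in the pod ... so Jenkins will not be accessible via SSH from outside of the pod"; that is wrong: the Jenkins SSHD binds in the pod's network namespace, and leaving the port out of `ports:` and the Service does not stop any peer that can reach the pod IP from connecting and trying the CLI. State instead that access is limited only by a NetworkPolicy (`NetworkPolicy.Enabled`) and by SSH key authentication. Ports below 1024 need privilege, so "must be > 1024" should be "must be 1024 or higher". The comments for `label`, `folder` and `searchNamespace` still talk about "dashboards" (copied from a Grafana sidecar); replace with "JCasC ConfigMaps" and warn that `searchNamespace: ALL` lets any namespace feed configuration to this master. Nit: `CI\CD` in the welcome message should be `CI/CD`.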
@@ -156,15 +214,21 @@ Master: Tolerations: {} PodAnnotations: {} + # The below two configuration-related values are deprecated and replaced by Jenkins Configuration as Code (see above + # JCasC key). They will be deleted in an upcoming version. + CustomConfigMap: false + # By default, the configMap is only used to set the initial config the first time + # that the chart is installed. Setting `OverwriteConfig` to `true` will overwrite + # the jenkins config with the contents of the configMap every time the pod starts. + OverwriteConfig: false + Ingress: ApiVersion: extensions/v1beta1 Annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" - # Set this path to JenkinsUriPrefix above or use annotations to rewrite path # Path: "/jenkins" - TLS: # - secretName: jenkins.cluster.local # hosts: @@ -209,7 +273,6 @@ Persistence: ## Requires Persistence.Enabled: true ## If defined, PVC must be created manually before volume will be bound # ExistingClaim: - ## jenkins data Persistent Volume Storage Class ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables dynamic provisioning @@ -218,7 +281,6 @@ Persistence: ## GKE, AWS & OpenStack) ## # StorageClass: "-" - Annotations: {} AccessMode: ReadWriteOnce Size: 8Gi 
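Review bot: the deprecation lists disagree across the PR. This comment deprecates `CustomConfigMap` and `OverwriteConfig`, but the README moves `CustomConfigMap` and `AdditionalConfig` into its deprecated section and leaves `OverwriteConfig` documented as a live option, and `AdditionalConfig` (still consumed by `apply_config.sh`) is not mentioned here at all. Decide which keys are going away, say the same thing in both files, and name the version in which they will be removed instead of "an upcoming version".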
@@ -254,30 +316,24 @@ backup: # Backup must use RBAC # So by enabling backup you are enabling RBAC specific for backup enabled: false - # Schedule to run jobs. Must be in cron time format # Ref: https://crontab.guru/ schedule: "0 2 * * *" - annotations: # Example for authorization to AWS S3 using kube2iam # Can also be done using environment variables iam.amazonaws.com/role: jenkins - image: repository: nuvo/kube-tasks tag: 0.1.2 - # Additional arguments for kube-tasks # Ref: https://github.com/nuvo/kube-tasks#simple-backup extraArgs: [] - # Add additional environment variables env: # Example environment variable required for AWS credentials chain - name: AWS_REGION value: us-east-1 - resources: requests: memory: 1Gi @@ -285,7 +341,6 @@ backup: limits: memory: 1Gi cpu: 1 - # Destination to store the backup artifacts # Supported cloud storage services: AWS S3, Minio S3, Azure Blob Storage # Additional support can added. Visit this repository for details