KubeZero/charts/kubezero-ci/values.yaml

gitea:
  enabled: false

  #image:
    #tag: 1.17.4
    #rootless: true

  repliaCount: 1

  # We use RWO persistence
  strategy:
    type: "Recreate"

  # Since V9 they default to RWX and deployment, we default to old existing RWO from statefulset
  persistence:
    enabled: true
    mount: true
    create: false
    #claimName: <set per install>
    size: 4Gi

  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
      add:
        - SYS_CHROOT

  resources:
    requests:
      cpu: "150m"
      memory: "320Mi"
    limits:
      memory: "2048Mi"

  gitea:
    admin:
      existingSecret: gitea-admin-secret

    # Enable to install demo creds
    demo: false

    metrics:
      enabled: false
      serviceMonitor:
        enabled: true

    config:
      database:
        DB_TYPE: sqlite3
      cache:
        ADAPTER: memory
      session:
        PROVIDER: memory
      queue:
        TYPE: level

  redis-cluster:
    enabled: false
  postgresql-ha:
    enabled: false
  postgresql:
    enabled: false

  istio:
    enabled: false
    gateway: istio-ingress/private-ingressgateway
    url: git.example.com


jenkins:
  enabled: false

  controller:
    tag: alpine-jdk17
    #tagLabel: alpine
    disableRememberMe: true
    prometheus:
      enabled: false
    testEnabled: false
    enableRawHtmlMarkupFormatter: true
    javaOpts: "-XX:+UseContainerSupport -XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""
    jenkinsOpts: "--sessionTimeout=300 --sessionEviction=10800"

    resources:
      requests:
        cpu: "250m"
        memory: "1280Mi"
      limits:
        #cpu: "2000m"
        memory: "4096Mi"
    initContainerResources:
      requests:
        cpu: "50m"
        memory: "256Mi"
      limits:
        #cpu: "1000m"
        memory: "1024Mi"

    JCasC:
      configScripts:
        zdt-settings: |
          jenkins:
            noUsageStatistics: true
            disabledAdministrativeMonitors:
            - "jenkins.security.ResourceDomainRecommendation"
          unclassified:
            buildDiscarders:
              configuredBuildDiscarders:
              - "jobBuildDiscarder"
              - defaultBuildDiscarder:
                  discarder:
                    logRotator:
                      artifactDaysToKeepStr: "32"
                      artifactNumToKeepStr: "10"
                      daysToKeepStr: "100"
                      numToKeepStr: "10"

    installPlugins:
      - kubernetes:3971.v94b_4c914ca_75
      - kubernetes-credentials-provider:1.225.v14f9e6b_28f53
      - workflow-aggregator:581.v0c46fa_697ffd
      - git:5.2.0
      - basic-branch-build-strategies:81.v05e333931c7d
      - pipeline-graph-view:183.v9e27732d970f
      - pipeline-stage-view:2.33
      - configuration-as-code:1647.ve39ca_b_829b_42
      - antisamy-markup-formatter:159.v25b_c67cd35fb_
      - prometheus:2.2.3
      - htmlpublisher:1.31
      - build-discarder:139.v05696a_7fe240
      - dark-theme:336.v02165cd8c2ee

  serviceAccountAgent:
    create: true
    name: jenkins-podman-aws

  # Preconfigure agents to use zdt podman requires fuse/overlayfs
  agent:
    image: public.ecr.aws/zero-downtime/jenkins-podman
    tag: v0.4.2
    #alwaysPullImage: true
    podRetention: "Default"
    showRawYaml: false
    podName: "podman-aws"
    customJenkinsLabels:
    - podman-aws-trivy
    idleMinutes: 15
    containerCap: 2
    annotations:
      container.apparmor.security.beta.kubernetes.io/jnlp: unconfined
    resources:
      requests:
        cpu: ""
        memory: ""
      limits:
        cpu: ""
        memory: ""
    # envVars:
    # - name: AWS_WEB_IDENTITY_TOKEN_FILE
    #   value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
    # - name: AWS_STS_REGIONAL_ENDPOINTS
    #   value: regional
    # - name: AWS_ROLE_ARN
    #   value: "<IAM ROLE ARN>"
    yamlMergeStrategy: "merge"
    yamlTemplate: |-
      apiVersion: v1
      kind: Pod
      spec:
        securityContext:
          fsGroup: 1000
        serviceAccountName: jenkins-podman-aws
        containers:
        - name: jnlp
          resources:
            requests:
              cpu: "512m"
              memory: "1024Mi"
            limits:
              cpu: "4"
              memory: "6144Mi"
              github.com/fuse: 1
          volumeMounts:
          - name: aws-token
            mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
            readOnly: true
          - name: host-registries-conf
            mountPath: "/home/jenkins/.config/containers/registries.conf"
            readOnly: true
        volumes:
        - name: aws-token
          projected:
            sources:
            - serviceAccountToken:
                path: token
                expirationSeconds: 86400
                audience: "sts.amazonaws.com"
        - name: host-registries-conf
          hostPath:
            path: /etc/containers/registries.conf
            type: File

  rbac:
    readSecrets: true

  persistence:
    size: "4Gi"

  istio:
    enabled: false
    gateway: istio-ingress/private-ingressgateway
    url: jenkins.example.com

    # Dedicated VirtualService for webhooks
    webhook:
      enabled: false
      gateway: istio-ingress/ingressgateway
      url: jenkins-webhook.example.com

    # Remote Agents
    agent:
      enabled: false
      gateway: istio-ingress/private-ingressgateway
      url: jenkins-agent.example.com

trivy:
  enabled: false
  image:
    tag: 0.42.0
  persistence:
    enabled: true
    size: 1Gi
  rbac:
    create: false

renovate:
  enabled: false