From 1a605af9b0db1113faa24b822642774e26f8bbdb Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Wed, 31 Jul 2024 03:06:40 +0000
Subject: [PATCH 1/3] chore(deps): update helm release cert-manager to v1.15.2

---
 charts/kubezero-cert-manager/Chart.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/charts/kubezero-cert-manager/Chart.yaml b/charts/kubezero-cert-manager/Chart.yaml
index 6dd2effb..08203b59 100644
--- a/charts/kubezero-cert-manager/Chart.yaml
+++ b/charts/kubezero-cert-manager/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-cert-manager
 description: KubeZero Umbrella Chart for cert-manager
 type: application
-version: 0.9.8
+version: 0.9.9
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -16,6 +16,6 @@ dependencies:
 version: ">= 0.1.6"
 repository: https://cdn.zero-downtime.net/charts/
 - name: cert-manager
- version: v1.15.1
+ version: v1.15.2
 repository: https://charts.jetstack.io
 kubeVersion: ">= 1.26.0"

From d347a3ae641943e5857d29ce5427573b8249f8e2 Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Thu, 8 Aug 2024 03:07:02 +0000
Subject: [PATCH 2/3] chore(deps): update kubezero-ci-dependencies

---
 charts/kubezero-ci/Chart.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/charts/kubezero-ci/Chart.yaml b/charts/kubezero-ci/Chart.yaml
index 3f61ccb7..835ddcf3 100644
--- a/charts/kubezero-ci/Chart.yaml
+++ b/charts/kubezero-ci/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-ci
 description: KubeZero umbrella chart for all things CI
 type: application
-version: 0.8.13
+version: 0.8.14
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -22,7 +22,7 @@ dependencies:
 repository: https://dl.gitea.io/charts/
 condition: gitea.enabled
 - name: jenkins
- version: 5.4.3
+ version: 5.5.4
 repository: https://charts.jenkins.io
 condition: jenkins.enabled
 - name: trivy
@@ -30,7 +30,7 @@ dependencies:
 repository: https://aquasecurity.github.io/helm-charts/
 condition: trivy.enabled
 - name: renovate
- version: 37.438.2
+ version: 37.440.7
 repository: https://docs.renovatebot.com/helm-charts
 condition: renovate.enabled
 kubeVersion: ">= 1.25.0"

From 82345703501008c07e2b19ec72f2505c12f9cd93 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Fri, 9 Aug 2024 10:52:23 +0000
Subject: [PATCH 3/3] feat: CI tools version bump, new annotation to jenkins agents to prevent autoscaler evictions

---
 charts/kubezero-ci/README.md | 11 +-
 .../kubezero-ci/charts/jenkins/CHANGELOG.md | 66 ++++---
 charts/kubezero-ci/charts/jenkins/Chart.yaml | 8 +-
 .../kubezero-ci/charts/jenkins/UPGRADING.md | 2 +-
 charts/kubezero-ci/charts/jenkins/VALUES.md | 178 +++++++++---------
 .../charts/jenkins/templates/_helpers.tpl | 4 +
 charts/kubezero-ci/charts/jenkins/values.yaml | 8 +-
 charts/kubezero-ci/values.yaml | 7 +-
 8 files changed, 160 insertions(+), 124 deletions(-)

diff --git a/charts/kubezero-ci/README.md b/charts/kubezero-ci/README.md
index 827b2589..0e689c06 100644
--- a/charts/kubezero-ci/README.md
+++ b/charts/kubezero-ci/README.md
@@ -1,6 +1,6 @@
 # kubezero-ci
 
-![Version: 0.8.13](https://img.shields.io/badge/Version-0.8.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.8.14](https://img.shields.io/badge/Version-0.8.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 KubeZero umbrella chart for all things CI
 
@@ -20,9 +20,9 @@ Kubernetes: `>= 1.25.0`
 |------------|------|---------|
 | https://aquasecurity.github.io/helm-charts/ | trivy | 0.7.0 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
-| https://charts.jenkins.io | jenkins | 5.4.3 |
+| https://charts.jenkins.io | jenkins | 5.5.4 |
 | https://dl.gitea.io/charts/ | gitea | 10.4.0 |
-| https://docs.renovatebot.com/helm-charts | renovate | 37.438.2 |
+| https://docs.renovatebot.com/helm-charts | renovate | 37.440.7 |
 
 # Jenkins
 - default build retention 10 builds, 32days
@@ -84,13 +84,14 @@ Kubernetes: `>= 1.25.0`
 | gitea.securityContext.capabilities.drop[0] | string | `"ALL"` | |
 | gitea.strategy.type | string | `"Recreate"` | |
 | gitea.test.enabled | bool | `false` | |
+| jenkins.agent.annotations."cluster-autoscaler.kubernetes.io/safe-to-evict" | string | `"false"` | |
 | jenkins.agent.annotations."container.apparmor.security.beta.kubernetes.io/jnlp" | string | `"unconfined"` | |
 | jenkins.agent.containerCap | int | `2` | |
 | jenkins.agent.customJenkinsLabels[0] | string | `"podman-aws-trivy"` | |
 | jenkins.agent.defaultsProviderTemplate | string | `"podman-aws"` | |
 | jenkins.agent.idleMinutes | int | `30` | |
 | jenkins.agent.image.repository | string | `"public.ecr.aws/zero-downtime/jenkins-podman"` | |
-| jenkins.agent.image.tag | string | `"v0.6.0"` | |
+| jenkins.agent.image.tag | string | `"v0.6.1"` | |
 | jenkins.agent.inheritYamlMergeStrategy | bool | `true` | |
 | jenkins.agent.podName | string | `"podman-aws"` | |
 | jenkins.agent.podRetention | string | `"Default"` | |
@@ -103,7 +104,7 @@ Kubernetes: `>= 1.25.0` | jenkins.agent.serviceAccount | string | `"jenkins-podman-aws"` | | | jenkins.agent.showRawYaml | bool | `false` | | | jenkins.agent.yamlMergeStrategy | string | `"merge"` | | -| jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n securityContext:\n fsGroup: 1000\n containers:\n - name: jnlp\n resources:\n requests:\n cpu: \"512m\"\n memory: \"1024Mi\"\n limits:\n cpu: \"4\"\n memory: \"6144Mi\"\n github.com/fuse: 1\n volumeMounts:\n - name: aws-token\n mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n readOnly: true\n - name: host-registries-conf\n mountPath: \"/home/jenkins/.config/containers/registries.conf\"\n readOnly: true\n volumes:\n - name: aws-token\n projected:\n sources:\n - serviceAccountToken:\n path: token\n expirationSeconds: 86400\n audience: \"sts.amazonaws.com\"\n - name: host-registries-conf\n hostPath:\n path: /etc/containers/registries.conf\n type: File"` | | +| jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n securityContext:\n fsGroup: 1000\n containers:\n - name: jnlp\n resources:\n requests:\n cpu: \"200m\"\n memory: \"512Mi\"\n limits:\n cpu: \"4\"\n memory: \"6144Mi\"\n github.com/fuse: 1\n volumeMounts:\n - name: aws-token\n mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n readOnly: true\n - name: host-registries-conf\n mountPath: \"/home/jenkins/.config/containers/registries.conf\"\n readOnly: true\n volumes:\n - name: aws-token\n projected:\n sources:\n - serviceAccountToken:\n path: token\n expirationSeconds: 86400\n audience: \"sts.amazonaws.com\"\n - name: host-registries-conf\n hostPath:\n path: /etc/containers/registries.conf\n type: File"` | | | jenkins.controller.JCasC.configScripts.zdt-settings | string | `"jenkins:\n noUsageStatistics: true\n disabledAdministrativeMonitors:\n - \"jenkins.security.ResourceDomainRecommendation\"\nappearance:\n themeManager:\n disableUserThemes: true\n theme: 
\"dark\"\nunclassified:\n openTelemetry:\n configurationProperties: |-\n otel.exporter.otlp.protocol=grpc\n otel.instrumentation.jenkins.web.enabled=false\n ignoredSteps: \"dir,echo,isUnix,pwd,properties\"\n #endpoint: \"telemetry-jaeger-collector.telemetry:4317\"\n exportOtelConfigurationAsEnvironmentVariables: false\n #observabilityBackends:\n # - jaeger:\n # jaegerBaseUrl: \"https://jaeger.example.com\"\n # name: \"KubeZero Jaeger\"\n serviceName: \"Jenkins\"\n buildDiscarders:\n configuredBuildDiscarders:\n - \"jobBuildDiscarder\"\n - defaultBuildDiscarder:\n discarder:\n logRotator:\n artifactDaysToKeepStr: \"32\"\n artifactNumToKeepStr: \"10\"\n daysToKeepStr: \"100\"\n numToKeepStr: \"10\"\n"` | | | jenkins.controller.containerEnv[0].name | string | `"OTEL_LOGS_EXPORTER"` | | | jenkins.controller.containerEnv[0].value | string | `"none"` | | diff --git a/charts/kubezero-ci/charts/jenkins/CHANGELOG.md b/charts/kubezero-ci/charts/jenkins/CHANGELOG.md index 5fe2f399..17d5a5f8 100644 --- a/charts/kubezero-ci/charts/jenkins/CHANGELOG.md +++ b/charts/kubezero-ci/charts/jenkins/CHANGELOG.md @@ -12,6 +12,31 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0. The changelog until v1.5.7 was auto-generated based on git commits. Those entries include a reference to the git commit to be able to get more details. +## 5.5.4 + +Update `jenkins/jenkins` to version `2.462.1-jdk17` + +## 5.5.3 + +Update `git` to version `5.3.0` + +## 5.5.2 + +Update `kubernetes` to version `4280.vd919fa_528c7e` + +## 5.5.1 + +Update `kubernetes` to version `4265.v78b_d4a_1c864a_` + +## 5.5.0 + +Introduce capability of set skipTlsVerify and usageRestricted flags in additionalClouds + + +## 5.4.4 + +Update CHANGELOG.md, README.md, and UPGRADING.md for linting + ## 5.4.3 Update `configuration-as-code` to version `1836.vccda_4a_122a_a_e` 
@@ -39,7 +64,6 @@ Update `kubernetes` to version `4253.v7700d91739e5` ## 5.3.4 Update `jenkins/jenkins` to version `2.452.3-jdk17` - ## 5.3.3 Update `jenkins/inbound-agent` to version `3256.v88a_f6e922152-1` @@ -374,7 +398,7 @@ Changes in 4.7.0 were reverted. ## 4.7.0 -Runs `config-reload` as an init container, in addition to the sidecar container, to ensure that JCasC YAMLS are present before the main Jenkins container starts. This should fix some race conditions and crashes on startup. +Runs `config-reload` as an init container, in addition to the sidecar container, to ensure that JCasC YAMLs are present before the main Jenkins container starts. This should fix some race conditions and crashes on startup. ## 4.6.7 @@ -540,7 +564,7 @@ Disable volume mount if disableSecretMount enabled ## 4.3.9 -Document `.Values.agent.directConnection` in README. +Document `.Values.agent.directConnection` in readme. Add default value for `.Values.agent.directConnection` to `values.yaml` ## 4.3.8 @@ -732,7 +756,7 @@ Fix path of projected secrets from `additionalExistingSecrets`. ## 4.1.7 -Update README with explanation on the required environmental variable `AWS_REGION` in case of using an S3 bucket. +Update readme with explanation on the required environmental variable `AWS_REGION` in case of using an S3 bucket. ## 4.1.6 @@ -740,7 +764,7 @@ project adminSecret, additionalSecrets and additionalExistingSecrets instead of ## 4.1.5 -Update README to fix `JAVA_OPTS` name. +Update readme to fix `JAVA_OPTS` name. ## 4.1.4 Update plugins @@ -855,7 +879,7 @@ Update default plugin versions ## 3.9.4 -Add JAVA_OPTIONS to the README so proxy settings get picked by jenkins-plugin-cli +Add JAVA_OPTIONS to the readme so proxy settings get picked by jenkins-plugin-cli ## 3.9.3 
@@ -1148,7 +1172,7 @@ Update Jenkins image and appVersion to jenkins lts release version 2.263.4 ## 3.1.12 -Added GitHub action to automate the updating of LTS releases. +Added GitHub Action to automate the updating of LTS releases. ## 3.1.11 @@ -1352,7 +1376,7 @@ Added unit tests for most resources in the Helm chart. ## 2.12.1 -Helm chart README update +Helm chart readme update ## 2.12.0 @@ -1414,7 +1438,7 @@ Fixes #19 ## 2.6.0 First release in jenkinsci GitHub org -Updated README for new location +Updated readme for new location ## 2.5.2 @@ -1430,7 +1454,7 @@ Add an option to specify that Jenkins master should be initialized only once, du ## 2.4.1 -Reorder README parameters into sections to facilitate chart usage and maintenance +Reorder readme parameters into sections to facilitate chart usage and maintenance ## 2.4.0 Update default agent image @@ -1464,7 +1488,7 @@ Configure `REQ_RETRY_CONNECT` to `10` to give Jenkins more time to start up. Value can be configured via `master.sidecars.configAutoReload.reqRetryConnect` -## 2.1.2 updated README +## 2.1.2 updated readme ## 2.1.1 update credentials-binding plugin to 1.23 @@ -1478,7 +1502,7 @@ Only render authorizationStrategy and securityRealm when values are set. ## 2.0.0 Configuration as Code now default + container does not run as root anymore -The README contains more details for this update. +The readme contains more details for this update. Please note that the updated values contain breaking changes. ## 1.27.0 Update plugin versions & sidecar container @@ -1643,7 +1667,7 @@ In recent version of configuration-as-code-plugin this is no longer necessary. ## 1.9.24 -Update JCasC auto-reload docs and remove stale ssh key references from version "1.8.0 JCasC auto reload works without ssh keys" +Update JCasC auto-reload docs and remove stale SSH key references from version "1.8.0 JCasC auto reload works without SSH keys" ## 1.9.23 Support jenkinsUriPrefix when JCasC is enabled 
@@ -1768,7 +1792,7 @@ Revert fix in `1.7.10` since direct connection is now disabled by default. Add `master.schedulerName` to allow setting a Kubernetes custom scheduler -## 1.8.0 JCasC auto reload works without ssh keys +## 1.8.0 JCasC auto reload works without SSH keys We make use of the fact that the Jenkins Configuration as Code Plugin can be triggered via http `POST` to `JENKINS_URL/configuration-as-code/reload`and a pre-shared key. The sidecar container responsible for reloading config changes is now `kiwigrid/k8s-sidecar:0.1.20` instead of it's fork `shadwell/k8s-sidecar`. @@ -2296,7 +2320,7 @@ commit: 9de96faa0 ## 0.32.7 -Fix Markdown syntax in README (#11496) +Fix Markdown syntax in readme (#11496) commit: a32221a95 ## 0.32.6 @@ -2526,7 +2550,7 @@ commit: e0a20b0b9 ## 0.16.22 -avoid lint errors when adding Values.Ingress.Annotations (#7425) +avoid linting errors when adding Values.Ingress.Annotations (#7425) commit: 99eacc854 ## 0.16.21 @@ -2551,7 +2575,7 @@ commit: bf8180018 ## 0.16.17 -Add Master.AdminPassword in README (#6987) +Add Master.AdminPassword in readme (#6987) commit: 13e754ad7 ## 0.16.16 @@ -2621,7 +2645,7 @@ commit: fc6100c38 ## 0.16.1 -fix typo in jenkins README (#5228) +fix typo in jenkins readme (#5228) commit: 3cd3f4b8b ## 0.16.0 @@ -2742,7 +2766,7 @@ commit: 9a230a6b1 Double retry count for Jenkins test commit: 129c8e824 -Jenkins: Update README | Master.ServiceAnnotations (#2757) +Jenkins: Update readme | Master.ServiceAnnotations (#2757) commit: 6571810bc ## 0.10.0 @@ -2814,7 +2838,7 @@ commit: 4af5810ff ## 0.8.4 -Add support for supplying JENKINS_OPTS and/or uri prefix (#1405) +Add support for supplying JENKINS_OPTS and/or URI prefix (#1405) commit: 6a331901a ## 0.8.3 @@ -3024,7 +3048,7 @@ commit: 3cbd3ced6 Remove 'Getting Started:' from various NOTES.txt. (#181) commit: 2f63fd524 -docs(\*): update READMEs to reference chart repos (#119) +docs(\*): update readmes to reference chart repos (#119) commit: c7d1bff05 ## 0.1.0 
diff --git a/charts/kubezero-ci/charts/jenkins/Chart.yaml b/charts/kubezero-ci/charts/jenkins/Chart.yaml
index 4a344617..63adf0d5 100644
--- a/charts/kubezero-ci/charts/jenkins/Chart.yaml
+++ b/charts/kubezero-ci/charts/jenkins/Chart.yaml
@@ -1,10 +1,10 @@
 annotations:
 artifacthub.io/category: integration-delivery
 artifacthub.io/changes: |
- - Update `configuration-as-code` to version `1836.vccda_4a_122a_a_e`
+ - Update `jenkins/jenkins` to version `2.462.1-jdk17`
 artifacthub.io/images: |
 - name: jenkins
- image: docker.io/jenkins/jenkins:2.452.3-jdk17
+ image: docker.io/jenkins/jenkins:2.462.1-jdk17
 - name: k8s-sidecar
 image: docker.io/kiwigrid/k8s-sidecar:1.27.5
 - name: inbound-agent
@@ -18,7 +18,7 @@ annotations:
 - name: support
 url: https://github.com/jenkinsci/helm-charts/issues
 apiVersion: v2
-appVersion: 2.452.3
+appVersion: 2.462.1
 description: 'Jenkins - Build great things at any scale! As the leading open source automation server, Jenkins provides over 1800 plugins to support building, deploying and automating any project. '
@@ -46,4 +46,4 @@ sources:
 - https://github.com/maorfr/kube-tasks
 - https://github.com/jenkinsci/configuration-as-code-plugin
 type: application
-version: 5.4.3
+version: 5.5.4
diff --git a/charts/kubezero-ci/charts/jenkins/UPGRADING.md b/charts/kubezero-ci/charts/jenkins/UPGRADING.md
index 41e424db..0ff90112 100644
--- a/charts/kubezero-ci/charts/jenkins/UPGRADING.md
+++ b/charts/kubezero-ci/charts/jenkins/UPGRADING.md
@@ -122,7 +122,7 @@ So think of the list below more as a general guideline of what should be done.
 
 - Test drive those setting on a separate installation
 - Put Jenkins to Quiet Down mode so that it does not accept new jobs `/quietDown`
-- Change permissions of all files and folders to the new user and group id:
+- Change permissions of all files and folders to the new user and group ID:
 
 ```console
 kubectl exec -it -c jenkins /bin/bash
diff --git a/charts/kubezero-ci/charts/jenkins/VALUES.md b/charts/kubezero-ci/charts/jenkins/VALUES.md
index 14e82e75..973b755e 100644
--- a/charts/kubezero-ci/charts/jenkins/VALUES.md
+++ b/charts/kubezero-ci/charts/jenkins/VALUES.md
@@ -8,64 +8,66 @@ The following tables list the configurable parameters of the Jenkins chart and t | Key | Type | Description | Default | |:----|:-----|:---------|:------------| -| [additionalAgents](./values.yaml#L1165) | object | Configure additional | `{}` | -| [additionalClouds](./values.yaml#L1190) | object | | `{}` | -| [agent.TTYEnabled](./values.yaml#L1083) | bool | Allocate pseudo tty to the side container | `false` | -| [agent.additionalContainers](./values.yaml#L1118) | list | Add additional containers to the agents | `[]` | -| [agent.alwaysPullImage](./values.yaml#L976) | bool | Always pull agent container image before build | `false` | -| [agent.annotations](./values.yaml#L1114) | object | Annotations to apply to the pod | `{}` | -| [agent.args](./values.yaml#L1077) | string | Arguments passed to command to execute | `"${computer.jnlpmac} ${computer.name}"` | -| [agent.command](./values.yaml#L1075) | string | Command to execute when side container starts | `nil` | -| [agent.componentName](./values.yaml#L944) | string | | `"jenkins-agent"` | -| [agent.connectTimeout](./values.yaml#L1112) | int | Timeout in seconds for an agent to be online | `100` | -| [agent.containerCap](./values.yaml#L1085) | int | Max number of agents to launch | `10` | -| [agent.customJenkinsLabels](./values.yaml#L941) | list | Append Jenkins labels to the agent | `[]` | +| [additionalAgents](./values.yaml#L1169) | object | Configure additional | `{}` | +| [additionalClouds](./values.yaml#L1194) | object | | `{}` | +| [agent.TTYEnabled](./values.yaml#L1087) | bool | Allocate pseudo tty to the side container | `false` | +| [agent.additionalContainers](./values.yaml#L1122) | list | Add additional containers to the agents | `[]` | +| [agent.alwaysPullImage](./values.yaml#L980) | bool | Always pull agent container image before build | `false` | +| [agent.annotations](./values.yaml#L1118) | object | Annotations to apply to the pod | `{}` | +| [agent.args](./values.yaml#L1081) | string | 
Arguments passed to command to execute | `"${computer.jnlpmac} ${computer.name}"` | +| [agent.command](./values.yaml#L1079) | string | Command to execute when side container starts | `nil` | +| [agent.componentName](./values.yaml#L948) | string | | `"jenkins-agent"` | +| [agent.connectTimeout](./values.yaml#L1116) | int | Timeout in seconds for an agent to be online | `100` | +| [agent.containerCap](./values.yaml#L1089) | int | Max number of agents to launch | `10` | +| [agent.customJenkinsLabels](./values.yaml#L945) | list | Append Jenkins labels to the agent | `[]` | | [agent.defaultsProviderTemplate](./values.yaml#L907) | string | The name of the pod template to use for providing default values | `""` | -| [agent.directConnection](./values.yaml#L947) | bool | | `false` | -| [agent.disableDefaultAgent](./values.yaml#L1136) | bool | Disable the default Jenkins Agent configuration | `false` | +| [agent.directConnection](./values.yaml#L951) | bool | | `false` | +| [agent.disableDefaultAgent](./values.yaml#L1140) | bool | Disable the default Jenkins Agent configuration | `false` | | [agent.enabled](./values.yaml#L905) | bool | Enable Kubernetes plugin jnlp-agent podTemplate | `true` | -| [agent.envVars](./values.yaml#L1058) | list | Environment variables for the agent Pod | `[]` | -| [agent.hostNetworking](./values.yaml#L955) | bool | Enables the agent to use the host network | `false` | -| [agent.idleMinutes](./values.yaml#L1090) | int | Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it | `0` | -| [agent.image.repository](./values.yaml#L934) | string | Repository to pull the agent jnlp image from | `"jenkins/inbound-agent"` | -| [agent.image.tag](./values.yaml#L936) | string | Tag of the image to pull | `"3256.v88a_f6e922152-1"` | -| [agent.imagePullSecretName](./values.yaml#L943) | string | Name of the secret to be used to pull the image | `nil` | -| 
[agent.inheritYamlMergeStrategy](./values.yaml#L1110) | bool | Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one | `false` | +| [agent.envVars](./values.yaml#L1062) | list | Environment variables for the agent Pod | `[]` | +| [agent.hostNetworking](./values.yaml#L959) | bool | Enables the agent to use the host network | `false` | +| [agent.idleMinutes](./values.yaml#L1094) | int | Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it | `0` | +| [agent.image.repository](./values.yaml#L938) | string | Repository to pull the agent jnlp image from | `"jenkins/inbound-agent"` | +| [agent.image.tag](./values.yaml#L940) | string | Tag of the image to pull | `"3256.v88a_f6e922152-1"` | +| [agent.imagePullSecretName](./values.yaml#L947) | string | Name of the secret to be used to pull the image | `nil` | +| [agent.inheritYamlMergeStrategy](./values.yaml#L1114) | bool | Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one | `false` | | [agent.jenkinsTunnel](./values.yaml#L915) | string | Overrides the Kubernetes Jenkins tunnel | `nil` | | [agent.jenkinsUrl](./values.yaml#L911) | string | Overrides the Kubernetes Jenkins URL | `nil` | -| [agent.jnlpregistry](./values.yaml#L931) | string | Custom registry used to pull the agent jnlp image from | `nil` | -| [agent.kubernetesConnectTimeout](./values.yaml#L917) | int | The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 | `5` | -| [agent.kubernetesReadTimeout](./values.yaml#L919) | int | The read timeout in seconds for connections to Kubernetes API. 
The minimum value is 15 | `15` | -| [agent.livenessProbe](./values.yaml#L966) | object | | `{}` | -| [agent.maxRequestsPerHostStr](./values.yaml#L921) | string | The maximum concurrent connections to Kubernetes API | `"32"` | -| [agent.namespace](./values.yaml#L927) | string | Namespace in which the Kubernetes agents should be launched | `nil` | -| [agent.nodeSelector](./values.yaml#L1069) | object | Node labels for pod assignment | `{}` | -| [agent.nodeUsageMode](./values.yaml#L939) | string | | `"NORMAL"` | -| [agent.podLabels](./values.yaml#L929) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` | -| [agent.podName](./values.yaml#L1087) | string | Agent Pod base name | `"default"` | -| [agent.podRetention](./values.yaml#L985) | string | | `"Never"` | -| [agent.podTemplates](./values.yaml#L1146) | object | Configures extra pod templates for the default kubernetes cloud | `{}` | -| [agent.privileged](./values.yaml#L949) | bool | Agent privileged container | `false` | -| [agent.resources](./values.yaml#L957) | object | Resources allocation (Requests and Limits) | `{"limits":{"cpu":"512m","memory":"512Mi"},"requests":{"cpu":"512m","memory":"512Mi"}}` | -| [agent.restrictedPssSecurityContext](./values.yaml#L982) | bool | Set a restricted securityContext on jnlp containers | `false` | -| [agent.retentionTimeout](./values.yaml#L923) | int | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | `5` | -| [agent.runAsGroup](./values.yaml#L953) | string | Configure container group | `nil` | -| [agent.runAsUser](./values.yaml#L951) | string | Configure container user | `nil` | -| [agent.secretEnvVars](./values.yaml#L1062) | list | Mount a secret as environment variable | `[]` | -| [agent.showRawYaml](./values.yaml#L989) | bool | | `true` | -| [agent.sideContainerName](./values.yaml#L1079) | string | Side container name | `"jnlp"` | -| [agent.volumes](./values.yaml#L996) | list 
| Additional volumes | `[]` | -| [agent.waitForPodSec](./values.yaml#L925) | int | Seconds to wait for pod to be running | `600` | -| [agent.websocket](./values.yaml#L946) | bool | Enables agent communication via websockets | `false` | -| [agent.workingDir](./values.yaml#L938) | string | Configure working directory for default agent | `"/home/jenkins/agent"` | -| [agent.workspaceVolume](./values.yaml#L1031) | object | Workspace volume (defaults to EmptyDir) | `{}` | -| [agent.yamlMergeStrategy](./values.yaml#L1108) | string | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override" | `"override"` | -| [agent.yamlTemplate](./values.yaml#L1097) | string | The raw yaml of a Pod API Object to merge into the agent spec | `""` | -| [awsSecurityGroupPolicies.enabled](./values.yaml#L1316) | bool | | `false` | -| [awsSecurityGroupPolicies.policies[0].name](./values.yaml#L1318) | string | | `""` | -| [awsSecurityGroupPolicies.policies[0].podSelector](./values.yaml#L1320) | object | | `{}` | -| [awsSecurityGroupPolicies.policies[0].securityGroupIds](./values.yaml#L1319) | list | | `[]` | -| [checkDeprecation](./values.yaml#L1313) | bool | Checks if any deprecated values are used | `true` | +| [agent.jnlpregistry](./values.yaml#L935) | string | Custom registry used to pull the agent jnlp image from | `nil` | +| [agent.kubernetesConnectTimeout](./values.yaml#L921) | int | The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 | `5` | +| [agent.kubernetesReadTimeout](./values.yaml#L923) | int | The read timeout in seconds for connections to Kubernetes API. 
The minimum value is 15 | `15` | +| [agent.livenessProbe](./values.yaml#L970) | object | | `{}` | +| [agent.maxRequestsPerHostStr](./values.yaml#L925) | string | The maximum concurrent connections to Kubernetes API | `"32"` | +| [agent.namespace](./values.yaml#L931) | string | Namespace in which the Kubernetes agents should be launched | `nil` | +| [agent.nodeSelector](./values.yaml#L1073) | object | Node labels for pod assignment | `{}` | +| [agent.nodeUsageMode](./values.yaml#L943) | string | | `"NORMAL"` | +| [agent.podLabels](./values.yaml#L933) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` | +| [agent.podName](./values.yaml#L1091) | string | Agent Pod base name | `"default"` | +| [agent.podRetention](./values.yaml#L989) | string | | `"Never"` | +| [agent.podTemplates](./values.yaml#L1150) | object | Configures extra pod templates for the default kubernetes cloud | `{}` | +| [agent.privileged](./values.yaml#L953) | bool | Agent privileged container | `false` | +| [agent.resources](./values.yaml#L961) | object | Resources allocation (Requests and Limits) | `{"limits":{"cpu":"512m","memory":"512Mi"},"requests":{"cpu":"512m","memory":"512Mi"}}` | +| [agent.restrictedPssSecurityContext](./values.yaml#L986) | bool | Set a restricted securityContext on jnlp containers | `false` | +| [agent.retentionTimeout](./values.yaml#L927) | int | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | `5` | +| [agent.runAsGroup](./values.yaml#L957) | string | Configure container group | `nil` | +| [agent.runAsUser](./values.yaml#L955) | string | Configure container user | `nil` | +| [agent.secretEnvVars](./values.yaml#L1066) | list | Mount a secret as environment variable | `[]` | +| [agent.showRawYaml](./values.yaml#L993) | bool | | `true` | +| [agent.sideContainerName](./values.yaml#L1083) | string | Side container name | `"jnlp"` | +| [agent.skipTlsVerify](./values.yaml#L917) 
| bool | Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI | `false` | +| [agent.usageRestricted](./values.yaml#L919) | bool | Enable the possibility to restrict the usage of this agent to specific folder. This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI | `false` | +| [agent.volumes](./values.yaml#L1000) | list | Additional volumes | `[]` | +| [agent.waitForPodSec](./values.yaml#L929) | int | Seconds to wait for pod to be running | `600` | +| [agent.websocket](./values.yaml#L950) | bool | Enables agent communication via websockets | `false` | +| [agent.workingDir](./values.yaml#L942) | string | Configure working directory for default agent | `"/home/jenkins/agent"` | +| [agent.workspaceVolume](./values.yaml#L1035) | object | Workspace volume (defaults to EmptyDir) | `{}` | +| [agent.yamlMergeStrategy](./values.yaml#L1112) | string | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. 
Possible values: "merge" or "override" | `"override"` | +| [agent.yamlTemplate](./values.yaml#L1101) | string | The raw yaml of a Pod API Object to merge into the agent spec | `""` | +| [awsSecurityGroupPolicies.enabled](./values.yaml#L1320) | bool | | `false` | +| [awsSecurityGroupPolicies.policies[0].name](./values.yaml#L1322) | string | | `""` | +| [awsSecurityGroupPolicies.policies[0].podSelector](./values.yaml#L1324) | object | | `{}` | +| [awsSecurityGroupPolicies.policies[0].securityGroupIds](./values.yaml#L1323) | list | | `[]` | +| [checkDeprecation](./values.yaml#L1317) | bool | Checks if any deprecated values are used | `true` | | [clusterZone](./values.yaml#L21) | string | Override the cluster name for FQDN resolving | `"cluster.local"` | | [controller.JCasC.authorizationStrategy](./values.yaml#L533) | string | Jenkins Config as Code Authorization Strategy-section | `"loggedInUsersCanDoAnything:\n allowAnonymousRead: false"` | | [controller.JCasC.configMapAnnotations](./values.yaml#L538) | object | Annotations for the JCasC ConfigMap | `{}` | 
@@ -157,7 +159,7 @@ The following tables list the configurable parameters of the Jenkins chart and t
 | [controller.initializeOnce](./values.yaml#L414) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` |
 | [controller.installLatestPlugins](./values.yaml#L403) | bool | Download the minimum required version or latest version of all dependencies | `true` |
 | [controller.installLatestSpecifiedPlugins](./values.yaml#L406) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` |
-| [controller.installPlugins](./values.yaml#L395) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4253.v7700d91739e5","workflow-aggregator:600.vb_57cdd26fdd7","git:5.2.2","configuration-as-code:1836.vccda_4a_122a_a_e"]` |
+| [controller.installPlugins](./values.yaml#L395) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4280.vd919fa_528c7e","workflow-aggregator:600.vb_57cdd26fdd7","git:5.3.0","configuration-as-code:1836.vccda_4a_122a_a_e"]` |
 | [controller.javaOpts](./values.yaml#L156) | string | Append to `JAVA_OPTS` env var | `nil` |
 | [controller.jenkinsAdminEmail](./values.yaml#L96) | string | Email address for the administrator of the Jenkins instance | `nil` |
 | [controller.jenkinsHome](./values.yaml#L101) | string | Custom Jenkins home path | `"/var/jenkins_home"` |
@@ -270,40 +272,40 @@ The following tables list the configurable parameters of the Jenkins chart and t
 | [controller.usePodSecurityContext](./values.yaml#L176) | bool | Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) | `true` |
 | [credentialsId](./values.yaml#L27) | string | The Jenkins credentials to access the Kubernetes API server. For the default cluster it is not needed. | `nil` |
 | [fullnameOverride](./values.yaml#L13) | string | Override the full resource names | `jenkins-(release-name)` or `jenkins` if the release-name is `jenkins` |
-| [helmtest.bats.image.registry](./values.yaml#L1329) | string | Registry of the image used to test the framework | `"docker.io"` |
-| [helmtest.bats.image.repository](./values.yaml#L1331) | string | Repository of the image used to test the framework | `"bats/bats"` |
-| [helmtest.bats.image.tag](./values.yaml#L1333) | string | Tag of the image to test the framework | `"1.11.0"` |
+| [helmtest.bats.image.registry](./values.yaml#L1333) | string | Registry of the image used to test the framework | `"docker.io"` |
+| [helmtest.bats.image.repository](./values.yaml#L1335) | string | Repository of the image used to test the framework | `"bats/bats"` |
+| [helmtest.bats.image.tag](./values.yaml#L1337) | string | Tag of the image to test the framework | `"1.11.0"` |
 | [kubernetesURL](./values.yaml#L24) | string | The URL of the Kubernetes API server | `"https://kubernetes.default"` |
 | [nameOverride](./values.yaml#L10) | string | Override the resource name prefix | `Chart.Name` |
 | [namespaceOverride](./values.yaml#L16) | string | Override the deployment namespace | `Release.Namespace` |
-| [networkPolicy.apiVersion](./values.yaml#L1259) | string | NetworkPolicy ApiVersion | `"networking.k8s.io/v1"` |
-| [networkPolicy.enabled](./values.yaml#L1254) | bool | Enable the creation of NetworkPolicy resources | `false` |
-| [networkPolicy.externalAgents.except](./values.yaml#L1273) | list | A list of IP sub-ranges to be excluded from the allowlisted IP range | `[]` |
-| [networkPolicy.externalAgents.ipCIDR](./values.yaml#L1271) | string | The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 | `nil` |
-| [networkPolicy.internalAgents.allowed](./values.yaml#L1263) | bool | Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels | `true` |
-| [networkPolicy.internalAgents.namespaceLabels](./values.yaml#L1267) | object | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller | `{}` |
-| [networkPolicy.internalAgents.podLabels](./values.yaml#L1265) | object | A map of labels (keys/values) that agent pods must have to be able to connect to controller | `{}` |
-| [persistence.accessMode](./values.yaml#L1229) | string | The PVC access mode | `"ReadWriteOnce"` |
-| [persistence.annotations](./values.yaml#L1225) | object | Annotations for the PVC | `{}` |
-| [persistence.dataSource](./values.yaml#L1235) | object | Existing data source to clone PVC from | `{}` |
-| [persistence.enabled](./values.yaml#L1209) | bool | Enable the use of a Jenkins PVC | `true` |
-| [persistence.existingClaim](./values.yaml#L1215) | string | Provide the name of a PVC | `nil` |
-| [persistence.labels](./values.yaml#L1227) | object | Labels for the PVC | `{}` |
-| [persistence.mounts](./values.yaml#L1247) | list | Additional mounts | `[]` |
-| [persistence.size](./values.yaml#L1231) | string | The size of the PVC | `"8Gi"` |
-| [persistence.storageClass](./values.yaml#L1223) | string | Storage class for the PVC | `nil` |
-| [persistence.subPath](./values.yaml#L1240) | string | SubPath for jenkins-home mount | `nil` |
-| [persistence.volumes](./values.yaml#L1242) | list | Additional volumes | `[]` |
-| [rbac.create](./values.yaml#L1279) | bool | Whether RBAC resources are created | `true` |
-| [rbac.readSecrets](./values.yaml#L1281) | bool | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` |
+| [networkPolicy.apiVersion](./values.yaml#L1263) | string | NetworkPolicy ApiVersion | `"networking.k8s.io/v1"` |
+| [networkPolicy.enabled](./values.yaml#L1258) | bool | Enable the creation of NetworkPolicy resources | `false` |
+| [networkPolicy.externalAgents.except](./values.yaml#L1277) | list | A list of IP sub-ranges to be excluded from the allowlisted IP range | `[]` |
+| [networkPolicy.externalAgents.ipCIDR](./values.yaml#L1275) | string | The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 | `nil` |
+| [networkPolicy.internalAgents.allowed](./values.yaml#L1267) | bool | Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels | `true` |
+| [networkPolicy.internalAgents.namespaceLabels](./values.yaml#L1271) | object | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller | `{}` |
+| [networkPolicy.internalAgents.podLabels](./values.yaml#L1269) | object | A map of labels (keys/values) that agent pods must have to be able to connect to controller | `{}` |
+| [persistence.accessMode](./values.yaml#L1233) | string | The PVC access mode | `"ReadWriteOnce"` |
+| [persistence.annotations](./values.yaml#L1229) | object | Annotations for the PVC | `{}` |
+| [persistence.dataSource](./values.yaml#L1239) | object | Existing data source to clone PVC from | `{}` |
+| [persistence.enabled](./values.yaml#L1213) | bool | Enable the use of a Jenkins PVC | `true` |
+| [persistence.existingClaim](./values.yaml#L1219) | string | Provide the name of a PVC | `nil` |
+| [persistence.labels](./values.yaml#L1231) | object | Labels for the PVC | `{}` |
+| [persistence.mounts](./values.yaml#L1251) | list | Additional mounts | `[]` |
+| [persistence.size](./values.yaml#L1235) | string | The size of the PVC | `"8Gi"` |
+| [persistence.storageClass](./values.yaml#L1227) | string | Storage class for the PVC | `nil` |
+| [persistence.subPath](./values.yaml#L1244) | string | SubPath for jenkins-home mount | `nil` |
+| [persistence.volumes](./values.yaml#L1246) | list | Additional volumes | `[]` |
+| [rbac.create](./values.yaml#L1283) | bool | Whether RBAC resources are created | `true` |
+| [rbac.readSecrets](./values.yaml#L1285) | bool | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` |
 | [renderHelmLabels](./values.yaml#L30) | bool | Enables rendering of the helm.sh/chart label to the annotations | `true` |
-| [serviceAccount.annotations](./values.yaml#L1291) | object | Configures annotations for the ServiceAccount | `{}` |
-| [serviceAccount.create](./values.yaml#L1285) | bool | Configures if a ServiceAccount with this name should be created | `true` |
-| [serviceAccount.extraLabels](./values.yaml#L1293) | object | Configures extra labels for the ServiceAccount | `{}` |
-| [serviceAccount.imagePullSecretName](./values.yaml#L1295) | string | Controller ServiceAccount image pull secret | `nil` |
-| [serviceAccount.name](./values.yaml#L1289) | string | | `nil` |
-| [serviceAccountAgent.annotations](./values.yaml#L1306) | object | Configures annotations for the agent ServiceAccount | `{}` |
-| [serviceAccountAgent.create](./values.yaml#L1300) | bool | Configures if an agent ServiceAccount should be created | `false` |
-| [serviceAccountAgent.extraLabels](./values.yaml#L1308) | object | Configures extra labels for the agent ServiceAccount | `{}` |
-| [serviceAccountAgent.imagePullSecretName](./values.yaml#L1310) | string | Agent ServiceAccount image pull secret | `nil` |
-| [serviceAccountAgent.name](./values.yaml#L1304) | string | The name of the agent ServiceAccount to be used by access-controlled resources | `nil` |
+| [serviceAccount.annotations](./values.yaml#L1295) | object | Configures annotations for the ServiceAccount | `{}` |
+| [serviceAccount.create](./values.yaml#L1289) | bool | Configures if a ServiceAccount with this name should be created | `true` |
+| [serviceAccount.extraLabels](./values.yaml#L1297) | object | Configures extra labels for the ServiceAccount | `{}` |
+| [serviceAccount.imagePullSecretName](./values.yaml#L1299) | string | Controller ServiceAccount image pull secret | `nil` |
+| [serviceAccount.name](./values.yaml#L1293) | string | | `nil` |
+| [serviceAccountAgent.annotations](./values.yaml#L1310) | object | Configures annotations for the agent ServiceAccount | `{}` |
+| [serviceAccountAgent.create](./values.yaml#L1304) | bool | Configures if an agent ServiceAccount should be created | `false` |
+| [serviceAccountAgent.extraLabels](./values.yaml#L1312) | object | Configures extra labels for the agent ServiceAccount | `{}` |
+| [serviceAccountAgent.imagePullSecretName](./values.yaml#L1314) | string | Agent ServiceAccount image pull secret | `nil` |
+| [serviceAccountAgent.name](./values.yaml#L1308) | string | The name of the agent ServiceAccount to be used by access-controlled resources | `nil` |
diff --git a/charts/kubezero-ci/charts/jenkins/templates/_helpers.tpl b/charts/kubezero-ci/charts/jenkins/templates/_helpers.tpl
index 5bdece4b..11bad3af 100644
--- a/charts/kubezero-ci/charts/jenkins/templates/_helpers.tpl
+++ b/charts/kubezero-ci/charts/jenkins/templates/_helpers.tpl
@@ -164,6 +164,8 @@ jenkins:
 webSocket: true
 {{- end }}
 {{- end }}
+ skipTlsVerify: {{ .Values.agent.skipTlsVerify | default false}}
+ usageRestricted: {{ .Values.agent.usageRestricted | default false}}
 maxRequestsPerHostStr: {{ .Values.agent.maxRequestsPerHostStr | quote }}
 retentionTimeout: {{ .Values.agent.retentionTimeout | quote }}
 waitForPodSec: {{ .Values.agent.waitForPodSec | quote }}
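Review bot: The added `skipTlsVerify: {{ .Values.agent.skipTlsVerify | default false}}` is rendered unconditionally into the kubernetes-plugin cloud definition, so once a user sets `agent.skipTlsVerify: true` every agent launched through that cloud connects to the controller without checking its HTTPS certificate, and the JNLP/WebSocket session is no longer authenticated against the controller endpoint; the same line is added to the second cloud definition at @@ -248 and the flag is introduced in values.yaml at @@ -913. Defaulting to `false` is right, but the values.yaml comment only names the UI checkbox it mirrors and should state the trade-off, e.g. append `Leave false unless the agent image genuinely cannot trust the controller certificate; when enabled the agent will also accept a certificate presented by anything sitting between it and the controller.` to the `skipTlsVerify` comment. As a point of style, both new lines drop the space before `}}` that the neighbouring `| quote }}` lines keep; `default false }}` keeps them consistent. This subchart appears to be vendored from the upstream jenkins chart (the commit also syncs its CHANGELOG.md and VALUES.md), so both fixes likely belong upstream, with the umbrella chart only needing to leave the flag unset. The enclosing cloud template block starts and ends outside the hunk.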
@@ -248,6 +250,8 @@ jenkins:
 webSocket: true
 {{- end }}
 {{- end }}
+ skipTlsVerify: {{ .Values.agent.skipTlsVerify | default false}}
+ usageRestricted: {{ .Values.agent.usageRestricted | default false}}
 maxRequestsPerHostStr: {{ .Values.agent.maxRequestsPerHostStr | quote }}
 retentionTimeout: {{ .Values.agent.retentionTimeout | quote }}
 waitForPodSec: {{ .Values.agent.waitForPodSec | quote }}
diff --git a/charts/kubezero-ci/charts/jenkins/values.yaml b/charts/kubezero-ci/charts/jenkins/values.yaml
index 775a76c1..ea9e836a 100644
--- a/charts/kubezero-ci/charts/jenkins/values.yaml
+++ b/charts/kubezero-ci/charts/jenkins/values.yaml
@@ -393,9 +393,9 @@ controller:
 # Plugins will be installed during Jenkins controller start
 # -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false`
 installPlugins:
- - kubernetes:4253.v7700d91739e5
+ - kubernetes:4280.vd919fa_528c7e
 - workflow-aggregator:600.vb_57cdd26fdd7
- - git:5.2.2
+ - git:5.3.0
 - configuration-as-code:1836.vccda_4a_122a_a_e
 
 # If set to false, Jenkins will download the minimum required version of all dependencies.
@@ -913,6 +913,10 @@ agent:
 # connects to the specified host and port, instead of connecting directly to the Jenkins controller
 # -- Overrides the Kubernetes Jenkins tunnel
 jenkinsTunnel:
+ # -- Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI
+ skipTlsVerify: false
+ # -- Enable the possibility to restrict the usage of this agent to specific folder. This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI
+ usageRestricted: false
 # -- The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5
 kubernetesConnectTimeout: 5
 # -- The read timeout in seconds for connections to Kubernetes API. The minimum value is 15
diff --git a/charts/kubezero-ci/values.yaml b/charts/kubezero-ci/values.yaml
index f673813b..4061d824 100644
--- a/charts/kubezero-ci/values.yaml
+++ b/charts/kubezero-ci/values.yaml
@@ -190,7 +190,8 @@ jenkins:
 podName: "podman-aws"
 defaultsProviderTemplate: "podman-aws"
 annotations:
- container.apparmor.security.beta.kubernetes.io/jnlp: unconfined
+ container.apparmor.security.beta.kubernetes.io/jnlp: "unconfined"
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
 customJenkinsLabels:
 - podman-aws-trivy
 idleMinutes: 30
@@ -224,8 +225,8 @@ jenkins:
 - name: jnlp
 resources:
 requests:
- cpu: "512m"
- memory: "1024Mi"
+ cpu: "200m"
+ memory: "512Mi"
 limits:
 cpu: "4"
 memory: "6144Mi"
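Review bot: `cluster-autoscaler.kubernetes.io/safe-to-evict: "false"` only keeps cluster-autoscaler scale-down from draining the agent's node; it does nothing against kubelet pressure eviction, and the second hunk at @@ -224 lowers the jnlp requests to `cpu: "200m"` / `memory: "512Mi"` while the limits stay at `cpu: "4"` / `memory: "6144Mi"`, which widens the burst gap and makes the agent a likelier eviction candidate when a node runs short of memory — the opposite of the commit's stated intent for memory-heavy builds. A comment next to the annotation would pin its scope, e.g. `# blocks autoscaler scale-down only; pressure eviction is governed by the jnlp requests/limits below`. With `idleMinutes: 30` left as is, an idle agent now also holds its node for up to half an hour, so this trades scale-down latency for job stability and that trade is worth stating in the same comment. The `container.apparmor.security.beta.kubernetes.io/jnlp` annotation is only re-quoted here, but the beta annotation has been deprecated since Kubernetes 1.30 in favour of `securityContext.appArmorProfile`, so a TODO to migrate when the supported floor allows would fit next to it. The enclosing `jenkins:` pod-template block starts before both hunks.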