Various updates and tweaks
This commit is contained in:
parent
bcb718244e
commit
7da16eff55
@ -1,6 +1,6 @@
|
|||||||
# kubezero-addons
|
# kubezero-addons
|
||||||
|
|
||||||
![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.26](https://img.shields.io/badge/AppVersion-v1.26-informational?style=flat-square)
|
![Version: 0.8.2](https://img.shields.io/badge/Version-0.8.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.26](https://img.shields.io/badge/AppVersion-v1.26-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero umbrella chart for various optional cluster addons
|
KubeZero umbrella chart for various optional cluster addons
|
||||||
|
|
||||||
@ -18,10 +18,10 @@ Kubernetes: `>= 1.26.0`
|
|||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| https://bitnami-labs.github.io/sealed-secrets | sealed-secrets | 2.12.0 |
|
| https://bitnami-labs.github.io/sealed-secrets | sealed-secrets | 2.13.0 |
|
||||||
| https://falcosecurity.github.io/charts | falco-control-plane(falco) | 3.5.0 |
|
| https://falcosecurity.github.io/charts | falco-control-plane(falco) | 3.7.1 |
|
||||||
| https://kubernetes-sigs.github.io/external-dns/ | external-dns | 1.13.0 |
|
| https://kubernetes-sigs.github.io/external-dns/ | external-dns | 1.13.1 |
|
||||||
| https://kubernetes.github.io/autoscaler | cluster-autoscaler | 9.29.1 |
|
| https://kubernetes.github.io/autoscaler | cluster-autoscaler | 9.29.3 |
|
||||||
| https://nvidia.github.io/k8s-device-plugin | nvidia-device-plugin | 0.14.1 |
|
| https://nvidia.github.io/k8s-device-plugin | nvidia-device-plugin | 0.14.1 |
|
||||||
| https://twin.github.io/helm-charts | aws-eks-asg-rolling-update-handler | 1.4.0 |
|
| https://twin.github.io/helm-charts | aws-eks-asg-rolling-update-handler | 1.4.0 |
|
||||||
| oci://public.ecr.aws/aws-ec2/helm | aws-node-termination-handler | 0.22.0 |
|
| oci://public.ecr.aws/aws-ec2/helm | aws-node-termination-handler | 0.22.0 |
|
||||||
@ -161,6 +161,8 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
|
|||||||
| forseti.image.name | string | `"public.ecr.aws/zero-downtime/forseti"` | |
|
| forseti.image.name | string | `"public.ecr.aws/zero-downtime/forseti"` | |
|
||||||
| forseti.image.tag | string | `"v0.1.2"` | |
|
| forseti.image.tag | string | `"v0.1.2"` | |
|
||||||
| fuseDevicePlugin.enabled | bool | `false` | |
|
| fuseDevicePlugin.enabled | bool | `false` | |
|
||||||
|
| fuseDevicePlugin.image.name | string | `"public.ecr.aws/zero-downtime/fuse-device-plugin"` | |
|
||||||
|
| fuseDevicePlugin.image.tag | string | `"1.2.0"` | |
|
||||||
| nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key | string | `"node.kubernetes.io/instance-type"` | |
|
| nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key | string | `"node.kubernetes.io/instance-type"` | |
|
||||||
| nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator | string | `"In"` | |
|
| nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator | string | `"In"` | |
|
||||||
| nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0] | string | `"g5.xlarge"` | |
|
| nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0] | string | `"g5.xlarge"` | |
|
||||||
|
@ -54,6 +54,7 @@ spec:
|
|||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/control-plane: ""
|
node-role.kubernetes.io/control-plane: ""
|
||||||
|
priorityClassName: system-cluster-critical
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
|
@ -12,8 +12,6 @@ spec:
|
|||||||
type: RollingUpdate
|
type: RollingUpdate
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
|
||||||
scheduler.alpha.kubernetes.io/critical-pod: ""
|
|
||||||
labels:
|
labels:
|
||||||
name: neuron-device-plugin-ds
|
name: neuron-device-plugin-ds
|
||||||
spec:
|
spec:
|
||||||
|
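Review bot: Removing the `scheduler.alpha.kubernetes.io/critical-pod` annotation leaves this DaemonSet with no scheduling priority unless the pod `spec:` (which starts at L203 and continues past the end of the hunk) also sets `priorityClassName: system-node-critical`, the replacement for that long-deprecated annotation and what the fuse-device-plugin DaemonSet in this same commit receives at L227. If the field is not there, a pending or evicted neuron-device-plugin pod is no longer preferred over ordinary workloads on the node. Worth confirming the remainder of the spec; the hunk does not show it.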
@ -13,9 +13,15 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
name: fuse-device-plugin
|
name: fuse-device-plugin
|
||||||
spec:
|
spec:
|
||||||
hostNetwork: true
|
priorityClassName: system-node-critical
|
||||||
|
tolerations:
|
||||||
|
- key: CriticalAddonsOnly
|
||||||
|
operator: Exists
|
||||||
|
- key: kubezero-workergroup
|
||||||
|
effect: NoSchedule
|
||||||
|
operator: Exists
|
||||||
containers:
|
containers:
|
||||||
- image: public.ecr.aws/zero-downtime/fuse-device-plugin:v1.1.0
|
- image: "{{ .Values.fuseDevicePlugin.image.name }}:{{ .Values.fuseDevicePlugin.image.tag }}"
|
||||||
# imagePullPolicy: Always
|
# imagePullPolicy: Always
|
||||||
name: fuse-device-plugin
|
name: fuse-device-plugin
|
||||||
securityContext:
|
securityContext:
|
||||||
|
@ -71,6 +71,7 @@ spec:
|
|||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
|
priorityClassName: system-cluster-critical
|
||||||
volumes:
|
volumes:
|
||||||
- name: aws-token
|
- name: aws-token
|
||||||
projected:
|
projected:
|
||||||
|
@ -140,6 +140,9 @@ aws-node-termination-handler:
|
|||||||
|
|
||||||
fuseDevicePlugin:
|
fuseDevicePlugin:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
image:
|
||||||
|
name: public.ecr.aws/zero-downtime/fuse-device-plugin
|
||||||
|
tag: v1.2.0
|
||||||
|
|
||||||
awsNeuron:
|
awsNeuron:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
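Review bot: `fuseDevicePlugin.image.tag` is set to `v1.2.0` here, but the README regenerated in this commit documents the default as `"1.2.0"` (L108), so one of the two was edited after the other was generated. The template at L261 renders the tag verbatim, and the image it replaces was hard-coded as `:v1.1.0`, so the `v` prefix on this side is presumably the correct one; re-run the README generation so the documented default matches this file.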
@ -2,7 +2,7 @@ apiVersion: v2
|
|||||||
name: kubezero-auth
|
name: kubezero-auth
|
||||||
description: KubeZero umbrella chart for all things Authentication and Identity management
|
description: KubeZero umbrella chart for all things Authentication and Identity management
|
||||||
type: application
|
type: application
|
||||||
version: 0.4.0
|
version: 0.4.1
|
||||||
appVersion: 22.0.1
|
appVersion: 22.0.1
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
|
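--- a/charts/kubezero-auth/docs/keycloak.md
+++ b/charts/kubezero-auth/docs/keycloak.md
@@ -0,0 +1,14 @@
+# Abstract
+
+## IdP
+
+### AWS
+
+Get client descriptor for your realm and client via:
+`wget https://<auth-endpoint>/realms/<realm>/protocol/saml/descriptor`
+
+# Resources
+
+## AWS
+- https://aws.amazon.com/blogs/business-intelligence/federate-amazon-quicksight-access-with-open-source-identity-provider-keycloak/
+- https://docs.aws.amazon.com/singlesignon/latest/userguide/troubleshooting.html#issue8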
@ -1,8 +1,8 @@
|
|||||||
{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled }}
|
{{- if and .Values.keycloak.enabled .Values.keycloak.istio.admin.enabled }}
|
||||||
apiVersion: security.istio.io/v1beta1
|
apiVersion: security.istio.io/v1beta1
|
||||||
kind: AuthorizationPolicy
|
kind: AuthorizationPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ .Release.Name }}-keycloak-deny-not-in-ipblocks
|
name: {{ .Release.Name }}-keycloak-admin-deny-not-in-ipblocks
|
||||||
namespace: istio-system
|
namespace: istio-system
|
||||||
labels:
|
labels:
|
||||||
{{- include "kubezero-lib.labels" $ | nindent 4 }}
|
{{- include "kubezero-lib.labels" $ | nindent 4 }}
|
||||||
@ -15,20 +15,20 @@ spec:
|
|||||||
# block access to metrics via Ingress
|
# block access to metrics via Ingress
|
||||||
- to:
|
- to:
|
||||||
- operation:
|
- operation:
|
||||||
hosts: ["{{ .Values.keycloak.istio.url }}"]
|
hosts: ["{{ .Values.keycloak.istio.admin.url }}"]
|
||||||
paths: ["/auth/realms/master/metrics"]
|
paths: ["/metrics", "/realms/*/metrics"]
|
||||||
when:
|
when:
|
||||||
- key: connection.sni
|
- key: connection.sni
|
||||||
values:
|
values:
|
||||||
- '*'
|
- '*'
|
||||||
{{- if .Values.keycloak.istio.ipBlocks }}
|
{{- if .Values.keycloak.istio.admin.ipBlocks }}
|
||||||
- from:
|
- from:
|
||||||
- source:
|
- source:
|
||||||
notIpBlocks:
|
notIpBlocks:
|
||||||
{{- toYaml .Values.keycloak.istio.ipBlocks | nindent 8 }}
|
{{- toYaml .Values.keycloak.istio.admin.ipBlocks | nindent 8 }}
|
||||||
to:
|
to:
|
||||||
- operation:
|
- operation:
|
||||||
hosts: ["{{ .Values.keycloak.istio.url }}"]
|
hosts: ["{{ .Values.keycloak.istio.admin.url }}"]
|
||||||
when:
|
when:
|
||||||
- key: connection.sni
|
- key: connection.sni
|
||||||
values:
|
values:
|
||||||
|
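Review bot: The metrics deny rule is now scoped to the admin host only (`hosts: ["{{ .Values.keycloak.istio.admin.url }}"]` at L521), while the new auth VirtualService in the next hunk (L713–L797) routes `^/(js/|realms/|resources/|robots.txt).*` on `keycloak.istio.auth.url` — a pattern that also matches the `/realms/*/metrics` path this rule lists at L526, so those metrics remain reachable through the public auth gateway unless another policy covers that host. In addition, the whole policy is only rendered when `istio.admin.enabled` is set (L463), so an installation that enables only the auth endpoint gets no metrics deny at all. Either add the auth host to this rule, e.g. `hosts: ["{{ .Values.keycloak.istio.admin.url }}", "{{ .Values.keycloak.istio.auth.url }}"]`, guarded so an empty value is not rendered, or exclude `metrics` from the auth VirtualService regex. A comment above `paths:` stating which hosts the deny is meant to cover would make the intended scope explicit.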
@ -1,18 +1,44 @@
|
|||||||
{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled .Values.keycloak.istio.url }}
|
{{- if and .Values.keycloak.enabled .Values.keycloak.istio.admin.enabled .Values.keycloak.istio.admin.url }}
|
||||||
|
# Admin endpoint / all URLs allowed
|
||||||
apiVersion: networking.istio.io/v1beta1
|
apiVersion: networking.istio.io/v1beta1
|
||||||
kind: VirtualService
|
kind: VirtualService
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "kubezero-lib.fullname" $ }}
|
name: {{ template "kubezero-lib.fullname" $ }}-admin
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{- include "kubezero-lib.labels" $ | nindent 4 }}
|
{{- include "kubezero-lib.labels" $ | nindent 4 }}
|
||||||
spec:
|
spec:
|
||||||
gateways:
|
gateways:
|
||||||
- {{ .Values.keycloak.istio.gateway }}
|
- {{ .Values.keycloak.istio.admin.gateway }}
|
||||||
hosts:
|
hosts:
|
||||||
- {{ .Values.keycloak.istio.url }}
|
- {{ .Values.keycloak.istio.admin.url }}
|
||||||
http:
|
http:
|
||||||
- route:
|
- route:
|
||||||
- destination:
|
- destination:
|
||||||
host: {{ template "kubezero-lib.fullname" $ }}-keycloak
|
host: {{ template "kubezero-lib.fullname" $ }}-keycloak
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
{{- if and .Values.keycloak.enabled .Values.keycloak.istio.auth.enabled .Values.keycloak.istio.auth.url }}
|
||||||
|
# auth endpoint - only expose minimal URls
|
||||||
|
apiVersion: networking.istio.io/v1beta1
|
||||||
|
kind: VirtualService
|
||||||
|
metadata:
|
||||||
|
name: {{ template "kubezero-lib.fullname" $ }}-auth
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{- include "kubezero-lib.labels" $ | nindent 4 }}
|
||||||
|
spec:
|
||||||
|
gateways:
|
||||||
|
- {{ .Values.keycloak.istio.auth.gateway }}
|
||||||
|
hosts:
|
||||||
|
- {{ .Values.keycloak.istio.auth.url }}
|
||||||
|
http:
|
||||||
|
- match:
|
||||||
|
- uri:
|
||||||
|
regex: ^/(js/|realms/|resources/|robots.txt).*
|
||||||
|
route:
|
||||||
|
- destination:
|
||||||
|
host: {{ template "kubezero-lib.fullname" $ }}-keycloak
|
||||||
|
{{- end }}
|
||||||
|
@ -38,6 +38,11 @@ keycloak:
|
|||||||
replicaCount: 0
|
replicaCount: 0
|
||||||
|
|
||||||
istio:
|
istio:
|
||||||
|
admin:
|
||||||
enabled: false
|
enabled: false
|
||||||
gateway: istio-ingress/private-ingressgateway
|
gateway: istio-ingress/private-ingressgateway
|
||||||
url: ""
|
url: ""
|
||||||
|
auth:
|
||||||
|
enabled: false
|
||||||
|
gateway: istio-ingress/ingressgateway
|
||||||
|
url: ""
|
||||||
|
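Review bot: The templates now read `keycloak.istio.admin.ipBlocks` (L551, L571), but this hunk only nests the existing `enabled`, `gateway` and `url` under the new `admin:` key; if an `ipBlocks` list exists under `keycloak.istio` beyond the end of this hunk, or in users' override files, it is silently ignored after this change and the `notIpBlocks` rule is no longer rendered. Worth adding an explicit `ipBlocks: []` (constructed example) under `admin:` with a comment, or at least calling out the moved key in the chart's changelog. A comment distinguishing the two endpoints would also help readers, e.g. `# admin: full Keycloak UI and API, private gateway` and `# auth: login and token endpoints only, public gateway`.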
@ -2,7 +2,7 @@ apiVersion: v2
|
|||||||
name: kubezero-ci
|
name: kubezero-ci
|
||||||
description: KubeZero umbrella chart for all things CI
|
description: KubeZero umbrella chart for all things CI
|
||||||
type: application
|
type: application
|
||||||
version: 0.7.4
|
version: 0.8.1
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# kubezero-ci
|
# kubezero-ci
|
||||||
|
|
||||||
![Version: 0.6.3](https://img.shields.io/badge/Version-0.6.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
![Version: 0.7.3](https://img.shields.io/badge/Version-0.7.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero umbrella chart for all things CI
|
KubeZero umbrella chart for all things CI
|
||||||
|
|
||||||
@ -14,15 +14,15 @@ KubeZero umbrella chart for all things CI
|
|||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
Kubernetes: `>= 1.24.0`
|
Kubernetes: `>= 1.25.0`
|
||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| https://aquasecurity.github.io/helm-charts/ | trivy | 0.7.0 |
|
| https://aquasecurity.github.io/helm-charts/ | trivy | 0.7.0 |
|
||||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
|
||||||
| https://charts.jenkins.io | jenkins | 4.3.24 |
|
| https://charts.jenkins.io | jenkins | 4.6.4 |
|
||||||
| https://dl.gitea.io/charts/ | gitea | 8.3.0 |
|
| https://dl.gitea.io/charts/ | gitea | 9.4.0 |
|
||||||
| https://gocd.github.io/helm-chart | gocd | 1.40.8 |
|
| https://docs.renovatebot.com/helm-charts | renovate | 36.93.5 |
|
||||||
|
|
||||||
# Jenkins
|
# Jenkins
|
||||||
- default build retention 10 builds, 32days
|
- default build retention 10 builds, 32days
|
||||||
@ -52,31 +52,29 @@ Kubernetes: `>= 1.24.0`
|
|||||||
| gitea.gitea.admin.existingSecret | string | `"gitea-admin-secret"` | |
|
| gitea.gitea.admin.existingSecret | string | `"gitea-admin-secret"` | |
|
||||||
| gitea.gitea.config.cache.ADAPTER | string | `"memory"` | |
|
| gitea.gitea.config.cache.ADAPTER | string | `"memory"` | |
|
||||||
| gitea.gitea.config.database.DB_TYPE | string | `"sqlite3"` | |
|
| gitea.gitea.config.database.DB_TYPE | string | `"sqlite3"` | |
|
||||||
|
| gitea.gitea.config.queue.TYPE | string | `"level"` | |
|
||||||
|
| gitea.gitea.config.session.PROVIDER | string | `"memory"` | |
|
||||||
| gitea.gitea.demo | bool | `false` | |
|
| gitea.gitea.demo | bool | `false` | |
|
||||||
| gitea.gitea.metrics.enabled | bool | `false` | |
|
| gitea.gitea.metrics.enabled | bool | `false` | |
|
||||||
| gitea.gitea.metrics.serviceMonitor.enabled | bool | `true` | |
|
| gitea.gitea.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||||
| gitea.image.rootless | bool | `true` | |
|
|
||||||
| gitea.istio.enabled | bool | `false` | |
|
| gitea.istio.enabled | bool | `false` | |
|
||||||
| gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
|
| gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
|
||||||
| gitea.istio.url | string | `"git.example.com"` | |
|
| gitea.istio.url | string | `"git.example.com"` | |
|
||||||
| gitea.mariadb.enabled | bool | `false` | |
|
| gitea.persistence.create | bool | `false` | |
|
||||||
| gitea.memcached.enabled | bool | `false` | |
|
|
||||||
| gitea.mysql.enabled | bool | `false` | |
|
|
||||||
| gitea.persistence.enabled | bool | `true` | |
|
| gitea.persistence.enabled | bool | `true` | |
|
||||||
|
| gitea.persistence.mount | bool | `true` | |
|
||||||
| gitea.persistence.size | string | `"4Gi"` | |
|
| gitea.persistence.size | string | `"4Gi"` | |
|
||||||
|
| gitea.postgresql-ha.enabled | bool | `false` | |
|
||||||
| gitea.postgresql.enabled | bool | `false` | |
|
| gitea.postgresql.enabled | bool | `false` | |
|
||||||
|
| gitea.redis-cluster.enabled | bool | `false` | |
|
||||||
|
| gitea.repliaCount | int | `1` | |
|
||||||
| gitea.resources.limits.memory | string | `"2048Mi"` | |
|
| gitea.resources.limits.memory | string | `"2048Mi"` | |
|
||||||
| gitea.resources.requests.cpu | string | `"150m"` | |
|
| gitea.resources.requests.cpu | string | `"150m"` | |
|
||||||
| gitea.resources.requests.memory | string | `"320Mi"` | |
|
| gitea.resources.requests.memory | string | `"320Mi"` | |
|
||||||
| gitea.securityContext.allowPrivilegeEscalation | bool | `false` | |
|
| gitea.securityContext.allowPrivilegeEscalation | bool | `false` | |
|
||||||
| gitea.securityContext.capabilities.add[0] | string | `"SYS_CHROOT"` | |
|
| gitea.securityContext.capabilities.add[0] | string | `"SYS_CHROOT"` | |
|
||||||
| gitea.securityContext.capabilities.drop[0] | string | `"ALL"` | |
|
| gitea.securityContext.capabilities.drop[0] | string | `"ALL"` | |
|
||||||
| gocd.enabled | bool | `false` | |
|
| gitea.strategy.type | string | `"Recreate"` | |
|
||||||
| gocd.istio.enabled | bool | `false` | |
|
|
||||||
| gocd.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
|
|
||||||
| gocd.istio.url | string | `""` | |
|
|
||||||
| gocd.server.ingress.enabled | bool | `false` | |
|
|
||||||
| gocd.server.service.type | string | `"ClusterIP"` | |
|
|
||||||
| jenkins.agent.annotations."container.apparmor.security.beta.kubernetes.io/jnlp" | string | `"unconfined"` | |
|
| jenkins.agent.annotations."container.apparmor.security.beta.kubernetes.io/jnlp" | string | `"unconfined"` | |
|
||||||
| jenkins.agent.containerCap | int | `2` | |
|
| jenkins.agent.containerCap | int | `2` | |
|
||||||
| jenkins.agent.customJenkinsLabels[0] | string | `"podman-aws-trivy"` | |
|
| jenkins.agent.customJenkinsLabels[0] | string | `"podman-aws-trivy"` | |
|
||||||
@ -89,27 +87,28 @@ Kubernetes: `>= 1.24.0`
|
|||||||
| jenkins.agent.resources.requests.cpu | string | `""` | |
|
| jenkins.agent.resources.requests.cpu | string | `""` | |
|
||||||
| jenkins.agent.resources.requests.memory | string | `""` | |
|
| jenkins.agent.resources.requests.memory | string | `""` | |
|
||||||
| jenkins.agent.showRawYaml | bool | `false` | |
|
| jenkins.agent.showRawYaml | bool | `false` | |
|
||||||
| jenkins.agent.tag | string | `"v0.4.2"` | |
|
| jenkins.agent.tag | string | `"v0.4.3"` | |
|
||||||
| jenkins.agent.yamlMergeStrategy | string | `"merge"` | |
|
| jenkins.agent.yamlMergeStrategy | string | `"merge"` | |
|
||||||
| jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n securityContext:\n fsGroup: 1000\n serviceAccountName: jenkins-podman-aws\n containers:\n - name: jnlp\n resources:\n requests:\n cpu: \"512m\"\n memory: \"1024Mi\"\n limits:\n cpu: \"4\"\n memory: \"6144Mi\"\n github.com/fuse: 1\n volumeMounts:\n - name: aws-token\n mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n readOnly: true\n - name: host-registries-conf\n mountPath: \"/home/jenkins/.config/containers/registries.conf\"\n readOnly: true\n volumes:\n - name: aws-token\n projected:\n sources:\n - serviceAccountToken:\n path: token\n expirationSeconds: 86400\n audience: \"sts.amazonaws.com\"\n - name: host-registries-conf\n hostPath:\n path: /etc/containers/registries.conf\n type: File"` | |
|
| jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n securityContext:\n fsGroup: 1000\n serviceAccountName: jenkins-podman-aws\n containers:\n - name: jnlp\n resources:\n requests:\n cpu: \"512m\"\n memory: \"1024Mi\"\n limits:\n cpu: \"4\"\n memory: \"6144Mi\"\n github.com/fuse: 1\n volumeMounts:\n - name: aws-token\n mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n readOnly: true\n - name: host-registries-conf\n mountPath: \"/home/jenkins/.config/containers/registries.conf\"\n readOnly: true\n volumes:\n - name: aws-token\n projected:\n sources:\n - serviceAccountToken:\n path: token\n expirationSeconds: 86400\n audience: \"sts.amazonaws.com\"\n - name: host-registries-conf\n hostPath:\n path: /etc/containers/registries.conf\n type: File"` | |
|
||||||
| jenkins.controller.JCasC.configScripts.zdt-settings | string | `"jenkins:\n noUsageStatistics: true\n disabledAdministrativeMonitors:\n - \"jenkins.security.ResourceDomainRecommendation\"\nunclassified:\n buildDiscarders:\n configuredBuildDiscarders:\n - \"jobBuildDiscarder\"\n - defaultBuildDiscarder:\n discarder:\n logRotator:\n artifactDaysToKeepStr: \"32\"\n artifactNumToKeepStr: \"10\"\n daysToKeepStr: \"100\"\n numToKeepStr: \"10\"\n"` | |
|
| jenkins.controller.JCasC.configScripts.zdt-settings | string | `"jenkins:\n noUsageStatistics: true\n disabledAdministrativeMonitors:\n - \"jenkins.security.ResourceDomainRecommendation\"\nappearance:\n themeManager:\n disableUserThemes: true\n theme: \"dark\"\nunclassified:\n buildDiscarders:\n configuredBuildDiscarders:\n - \"jobBuildDiscarder\"\n - defaultBuildDiscarder:\n discarder:\n logRotator:\n artifactDaysToKeepStr: \"32\"\n artifactNumToKeepStr: \"10\"\n daysToKeepStr: \"100\"\n numToKeepStr: \"10\"\n"` | |
|
||||||
| jenkins.controller.disableRememberMe | bool | `true` | |
|
| jenkins.controller.disableRememberMe | bool | `true` | |
|
||||||
| jenkins.controller.enableRawHtmlMarkupFormatter | bool | `true` | |
|
| jenkins.controller.enableRawHtmlMarkupFormatter | bool | `true` | |
|
||||||
| jenkins.controller.initContainerResources.limits.memory | string | `"1024Mi"` | |
|
| jenkins.controller.initContainerResources.limits.memory | string | `"1024Mi"` | |
|
||||||
| jenkins.controller.initContainerResources.requests.cpu | string | `"50m"` | |
|
| jenkins.controller.initContainerResources.requests.cpu | string | `"50m"` | |
|
||||||
| jenkins.controller.initContainerResources.requests.memory | string | `"256Mi"` | |
|
| jenkins.controller.initContainerResources.requests.memory | string | `"256Mi"` | |
|
||||||
| jenkins.controller.installPlugins[0] | string | `"kubernetes:3937.vd7b_82db_e347b_"` | |
|
| jenkins.controller.installPlugins[0] | string | `"kubernetes"` | |
|
||||||
| jenkins.controller.installPlugins[10] | string | `"build-discarder:139.v05696a_7fe240"` | |
|
| jenkins.controller.installPlugins[10] | string | `"htmlpublisher"` | |
|
||||||
| jenkins.controller.installPlugins[11] | string | `"dark-theme:315.va_22e7d692ea_a"` | |
|
| jenkins.controller.installPlugins[11] | string | `"build-discarder"` | |
|
||||||
| jenkins.controller.installPlugins[1] | string | `"workflow-aggregator:581.v0c46fa_697ffd"` | |
|
| jenkins.controller.installPlugins[12] | string | `"dark-theme"` | |
|
||||||
| jenkins.controller.installPlugins[2] | string | `"git:5.1.0"` | |
|
| jenkins.controller.installPlugins[1] | string | `"kubernetes-credentials-provider"` | |
|
||||||
| jenkins.controller.installPlugins[3] | string | `"basic-branch-build-strategies:71.vc1421f89888e"` | |
|
| jenkins.controller.installPlugins[2] | string | `"workflow-aggregator"` | |
|
||||||
| jenkins.controller.installPlugins[4] | string | `"pipeline-graph-view:183.v9e27732d970f"` | |
|
| jenkins.controller.installPlugins[3] | string | `"git"` | |
|
||||||
| jenkins.controller.installPlugins[5] | string | `"pipeline-stage-view:2.32"` | |
|
| jenkins.controller.installPlugins[4] | string | `"basic-branch-build-strategies"` | |
|
||||||
| jenkins.controller.installPlugins[6] | string | `"configuration-as-code:1647.ve39ca_b_829b_42"` | |
|
| jenkins.controller.installPlugins[5] | string | `"pipeline-graph-view"` | |
|
||||||
| jenkins.controller.installPlugins[7] | string | `"antisamy-markup-formatter:159.v25b_c67cd35fb_"` | |
|
| jenkins.controller.installPlugins[6] | string | `"pipeline-stage-view"` | |
|
||||||
| jenkins.controller.installPlugins[8] | string | `"prometheus:2.2.3"` | |
|
| jenkins.controller.installPlugins[7] | string | `"configuration-as-code"` | |
|
||||||
| jenkins.controller.installPlugins[9] | string | `"htmlpublisher:1.31"` | |
|
| jenkins.controller.installPlugins[8] | string | `"antisamy-markup-formatter"` | |
|
||||||
|
| jenkins.controller.installPlugins[9] | string | `"prometheus"` | |
|
||||||
| jenkins.controller.javaOpts | string | `"-XX:+UseContainerSupport -XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` | |
|
| jenkins.controller.javaOpts | string | `"-XX:+UseContainerSupport -XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` | |
|
||||||
| jenkins.controller.jenkinsOpts | string | `"--sessionTimeout=300 --sessionEviction=10800"` | |
|
| jenkins.controller.jenkinsOpts | string | `"--sessionTimeout=300 --sessionEviction=10800"` | |
|
||||||
| jenkins.controller.prometheus.enabled | bool | `false` | |
|
| jenkins.controller.prometheus.enabled | bool | `false` | |
|
||||||
@ -132,6 +131,13 @@ Kubernetes: `>= 1.24.0`
|
|||||||
| jenkins.rbac.readSecrets | bool | `true` | |
|
| jenkins.rbac.readSecrets | bool | `true` | |
|
||||||
| jenkins.serviceAccountAgent.create | bool | `true` | |
|
| jenkins.serviceAccountAgent.create | bool | `true` | |
|
||||||
| jenkins.serviceAccountAgent.name | string | `"jenkins-podman-aws"` | |
|
| jenkins.serviceAccountAgent.name | string | `"jenkins-podman-aws"` | |
|
||||||
|
| renovate.cronjob.concurrencyPolicy | string | `"Forbid"` | |
|
||||||
|
| renovate.cronjob.jobBackoffLimit | int | `3` | |
|
||||||
|
| renovate.cronjob.schedule | string | `"0 3 * * *"` | |
|
||||||
|
| renovate.cronjob.successfulJobsHistoryLimit | int | `1` | |
|
||||||
|
| renovate.enabled | bool | `false` | |
|
||||||
|
| renovate.env.LOG_FORMAT | string | `"json"` | |
|
||||||
|
| renovate.securityContext.fsGroup | int | `1000` | |
|
||||||
| trivy.enabled | bool | `false` | |
|
| trivy.enabled | bool | `false` | |
|
||||||
| trivy.image.tag | string | `"0.42.0"` | |
|
| trivy.image.tag | string | `"0.42.0"` | |
|
||||||
| trivy.persistence.enabled | bool | `true` | |
|
| trivy.persistence.enabled | bool | `true` | |
|
||||||
|
@ -12,6 +12,15 @@ spec:
|
|||||||
hosts:
|
hosts:
|
||||||
- {{ .Values.gitea.istio.url }}
|
- {{ .Values.gitea.istio.url }}
|
||||||
http:
|
http:
|
||||||
|
{{- if .Values.gitea.istio.authProvider }}
|
||||||
|
# https://github.com/go-gitea/gitea/issues/13606
|
||||||
|
- match:
|
||||||
|
- uri:
|
||||||
|
regex: ^/user/login.*
|
||||||
|
redirect:
|
||||||
|
uri: /user/oauth2/{{ .Values.gitea.istio.authProvider }}
|
||||||
|
redirectCode: 302
|
||||||
|
{{- end }}
|
||||||
- route:
|
- route:
|
||||||
- destination:
|
- destination:
|
||||||
host: gitea-http
|
host: gitea-http
|
||||||
|
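Review bot: The new redirect matches `^/user/login.*`, which catches every sub-path under `/user/login/` (Gitea's other interactive login entry points), not only the login page itself; if forcing all interactive logins through the configured provider is the intent, the comment should say so rather than only linking the issue, e.g. `# force interactive logins to the configured OAuth2 provider (go-gitea/gitea#13606)`. The `authProvider` value is interpolated into `uri:` unquoted, which works for plain provider names but breaks rendering for a name containing YAML specials; `uri: "/user/oauth2/{{ .Values.gitea.istio.authProvider }}"` is the safer form.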
@ -105,6 +105,10 @@ jenkins:
|
|||||||
noUsageStatistics: true
|
noUsageStatistics: true
|
||||||
disabledAdministrativeMonitors:
|
disabledAdministrativeMonitors:
|
||||||
- "jenkins.security.ResourceDomainRecommendation"
|
- "jenkins.security.ResourceDomainRecommendation"
|
||||||
|
appearance:
|
||||||
|
themeManager:
|
||||||
|
disableUserThemes: true
|
||||||
|
theme: "dark"
|
||||||
unclassified:
|
unclassified:
|
||||||
buildDiscarders:
|
buildDiscarders:
|
||||||
configuredBuildDiscarders:
|
configuredBuildDiscarders:
|
||||||
@ -131,6 +135,7 @@ jenkins:
|
|||||||
- htmlpublisher
|
- htmlpublisher
|
||||||
- build-discarder
|
- build-discarder
|
||||||
- dark-theme
|
- dark-theme
|
||||||
|
- matrix-auth
|
||||||
|
|
||||||
serviceAccountAgent:
|
serviceAccountAgent:
|
||||||
create: true
|
create: true
|
||||||
@ -139,14 +144,14 @@ jenkins:
|
|||||||
# Preconfigure agents to use zdt podman requires fuse/overlayfs
|
# Preconfigure agents to use zdt podman requires fuse/overlayfs
|
||||||
agent:
|
agent:
|
||||||
image: public.ecr.aws/zero-downtime/jenkins-podman
|
image: public.ecr.aws/zero-downtime/jenkins-podman
|
||||||
tag: v0.4.3
|
tag: v0.4.5
|
||||||
#alwaysPullImage: true
|
#alwaysPullImage: true
|
||||||
podRetention: "Default"
|
podRetention: "Default"
|
||||||
showRawYaml: false
|
showRawYaml: false
|
||||||
podName: "podman-aws"
|
podName: "podman-aws"
|
||||||
customJenkinsLabels:
|
customJenkinsLabels:
|
||||||
- podman-aws-trivy
|
- podman-aws-trivy
|
||||||
idleMinutes: 15
|
idleMinutes: 30
|
||||||
containerCap: 2
|
containerCap: 2
|
||||||
annotations:
|
annotations:
|
||||||
container.apparmor.security.beta.kubernetes.io/jnlp: unconfined
|
container.apparmor.security.beta.kubernetes.io/jnlp: unconfined
|
||||||
@ -228,7 +233,7 @@ jenkins:
|
|||||||
trivy:
|
trivy:
|
||||||
enabled: false
|
enabled: false
|
||||||
image:
|
image:
|
||||||
tag: 0.42.0
|
tag: 0.45.1
|
||||||
persistence:
|
persistence:
|
||||||
enabled: true
|
enabled: true
|
||||||
size: 1Gi
|
size: 1Gi
|
||||||
|
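Review bot: `- matrix-auth` (L1505) is added to `installPlugins` without a version pin, like its neighbours at L1489–L1501, so the Jenkins chart resolves whatever the update center serves at install time and two deployments of the same chart version can end up with different plugin sets; pinning `matrix-auth:<version>` (placeholder) keeps the install reproducible and auditable. Installing the plugin alone does not switch authorization to a matrix strategy — that needs a `jenkins.authorizationStrategy` block in the JCasC scripts, which is not visible in this diff, so a comment on why the plugin is pulled in would help. Separately, the README regenerated in this commit still lists `jenkins.agent.tag` as `v0.4.3` (L1183) and `trivy.image.tag` as `0.42.0` (L1358) while this file now sets `v0.4.5` (L1541) and `0.45.1` (L1614), and it reports a `gitea.repliaCount` key (L1090) that looks like a misspelling of `replicaCount` the gitea sub-chart would ignore; fix the key in the gitea section of this file and re-run the docs generation.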