Various updates and tweaks

This commit is contained in:
Stefan Reimer 2023-10-02 12:57:25 +00:00
parent bcb718244e
commit 7da16eff55
15 changed files with 133 additions and 57 deletions

View File

@ -1,6 +1,6 @@
# kubezero-addons # kubezero-addons
![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.26](https://img.shields.io/badge/AppVersion-v1.26-informational?style=flat-square) ![Version: 0.8.2](https://img.shields.io/badge/Version-0.8.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.26](https://img.shields.io/badge/AppVersion-v1.26-informational?style=flat-square)
KubeZero umbrella chart for various optional cluster addons KubeZero umbrella chart for various optional cluster addons
@ -18,10 +18,10 @@ Kubernetes: `>= 1.26.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://bitnami-labs.github.io/sealed-secrets | sealed-secrets | 2.12.0 | | https://bitnami-labs.github.io/sealed-secrets | sealed-secrets | 2.13.0 |
| https://falcosecurity.github.io/charts | falco-control-plane(falco) | 3.5.0 | | https://falcosecurity.github.io/charts | falco-control-plane(falco) | 3.7.1 |
| https://kubernetes-sigs.github.io/external-dns/ | external-dns | 1.13.0 | | https://kubernetes-sigs.github.io/external-dns/ | external-dns | 1.13.1 |
| https://kubernetes.github.io/autoscaler | cluster-autoscaler | 9.29.1 | | https://kubernetes.github.io/autoscaler | cluster-autoscaler | 9.29.3 |
| https://nvidia.github.io/k8s-device-plugin | nvidia-device-plugin | 0.14.1 | | https://nvidia.github.io/k8s-device-plugin | nvidia-device-plugin | 0.14.1 |
| https://twin.github.io/helm-charts | aws-eks-asg-rolling-update-handler | 1.4.0 | | https://twin.github.io/helm-charts | aws-eks-asg-rolling-update-handler | 1.4.0 |
| oci://public.ecr.aws/aws-ec2/helm | aws-node-termination-handler | 0.22.0 | | oci://public.ecr.aws/aws-ec2/helm | aws-node-termination-handler | 0.22.0 |
@ -161,6 +161,8 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
| forseti.image.name | string | `"public.ecr.aws/zero-downtime/forseti"` | | | forseti.image.name | string | `"public.ecr.aws/zero-downtime/forseti"` | |
| forseti.image.tag | string | `"v0.1.2"` | | | forseti.image.tag | string | `"v0.1.2"` | |
| fuseDevicePlugin.enabled | bool | `false` | | | fuseDevicePlugin.enabled | bool | `false` | |
| fuseDevicePlugin.image.name | string | `"public.ecr.aws/zero-downtime/fuse-device-plugin"` | |
| fuseDevicePlugin.image.tag | string | `"1.2.0"` | |
| nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key | string | `"node.kubernetes.io/instance-type"` | | | nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key | string | `"node.kubernetes.io/instance-type"` | |
| nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator | string | `"In"` | | | nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator | string | `"In"` | |
| nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0] | string | `"g5.xlarge"` | | | nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0] | string | `"g5.xlarge"` | |

View File

@ -54,6 +54,7 @@ spec:
emptyDir: {} emptyDir: {}
nodeSelector: nodeSelector:
node-role.kubernetes.io/control-plane: "" node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical
tolerations: tolerations:
- key: node-role.kubernetes.io/control-plane - key: node-role.kubernetes.io/control-plane
effect: NoSchedule effect: NoSchedule

View File

@ -12,8 +12,6 @@ spec:
type: RollingUpdate type: RollingUpdate
template: template:
metadata: metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
labels: labels:
name: neuron-device-plugin-ds name: neuron-device-plugin-ds
spec: spec:

View File

@ -13,9 +13,15 @@ spec:
labels: labels:
name: fuse-device-plugin name: fuse-device-plugin
spec: spec:
hostNetwork: true priorityClassName: system-node-critical
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- key: kubezero-workergroup
effect: NoSchedule
operator: Exists
containers: containers:
- image: public.ecr.aws/zero-downtime/fuse-device-plugin:v1.1.0 - image: "{{ .Values.fuseDevicePlugin.image.name }}:{{ .Values.fuseDevicePlugin.image.tag }}"
# imagePullPolicy: Always # imagePullPolicy: Always
name: fuse-device-plugin name: fuse-device-plugin
securityContext: securityContext:

View File

@ -71,6 +71,7 @@ spec:
tolerations: tolerations:
- key: node-role.kubernetes.io/control-plane - key: node-role.kubernetes.io/control-plane
effect: NoSchedule effect: NoSchedule
priorityClassName: system-cluster-critical
volumes: volumes:
- name: aws-token - name: aws-token
projected: projected:

View File

@ -140,6 +140,9 @@ aws-node-termination-handler:
fuseDevicePlugin: fuseDevicePlugin:
enabled: false enabled: false
image:
name: public.ecr.aws/zero-downtime/fuse-device-plugin
tag: v1.2.0
awsNeuron: awsNeuron:
enabled: false enabled: false

View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-auth name: kubezero-auth
description: KubeZero umbrella chart for all things Authentication and Identity management description: KubeZero umbrella chart for all things Authentication and Identity management
type: application type: application
version: 0.4.0 version: 0.4.1
appVersion: 22.0.1 appVersion: 22.0.1
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png

View File

@ -0,0 +1,14 @@
# Abstract
## IdP
### AWS
Get client descriptor for your realm and client via:
`wget https://<auth-endpoint>/realms/<realm>/protocol/saml/descriptor`
# Resources
## AWS
- https://aws.amazon.com/blogs/business-intelligence/federate-amazon-quicksight-access-with-open-source-identity-provider-keycloak/
- https://docs.aws.amazon.com/singlesignon/latest/userguide/troubleshooting.html#issue8

View File

@ -1,8 +1,8 @@
{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled }} {{- if and .Values.keycloak.enabled .Values.keycloak.istio.admin.enabled }}
apiVersion: security.istio.io/v1beta1 apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy kind: AuthorizationPolicy
metadata: metadata:
name: {{ .Release.Name }}-keycloak-deny-not-in-ipblocks name: {{ .Release.Name }}-keycloak-admin-deny-not-in-ipblocks
namespace: istio-system namespace: istio-system
labels: labels:
{{- include "kubezero-lib.labels" $ | nindent 4 }} {{- include "kubezero-lib.labels" $ | nindent 4 }}
@ -15,20 +15,20 @@ spec:
# block access to metrics via Ingress # block access to metrics via Ingress
- to: - to:
- operation: - operation:
hosts: ["{{ .Values.keycloak.istio.url }}"] hosts: ["{{ .Values.keycloak.istio.admin.url }}"]
paths: ["/auth/realms/master/metrics"] paths: ["/metrics", "/realms/*/metrics"]
when: when:
- key: connection.sni - key: connection.sni
values: values:
- '*' - '*'
{{- if .Values.keycloak.istio.ipBlocks }} {{- if .Values.keycloak.istio.admin.ipBlocks }}
- from: - from:
- source: - source:
notIpBlocks: notIpBlocks:
{{- toYaml .Values.keycloak.istio.ipBlocks | nindent 8 }} {{- toYaml .Values.keycloak.istio.admin.ipBlocks | nindent 8 }}
to: to:
- operation: - operation:
hosts: ["{{ .Values.keycloak.istio.url }}"] hosts: ["{{ .Values.keycloak.istio.admin.url }}"]
when: when:
- key: connection.sni - key: connection.sni
values: values:

View File

@ -1,18 +1,44 @@
{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled .Values.keycloak.istio.url }} {{- if and .Values.keycloak.enabled .Values.keycloak.istio.admin.enabled .Values.keycloak.istio.admin.url }}
# Admin endpoint / all URLs allowed
apiVersion: networking.istio.io/v1beta1 apiVersion: networking.istio.io/v1beta1
kind: VirtualService kind: VirtualService
metadata: metadata:
name: {{ template "kubezero-lib.fullname" $ }} name: {{ template "kubezero-lib.fullname" $ }}-admin
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "kubezero-lib.labels" $ | nindent 4 }} {{- include "kubezero-lib.labels" $ | nindent 4 }}
spec: spec:
gateways: gateways:
- {{ .Values.keycloak.istio.gateway }} - {{ .Values.keycloak.istio.admin.gateway }}
hosts: hosts:
- {{ .Values.keycloak.istio.url }} - {{ .Values.keycloak.istio.admin.url }}
http: http:
- route: - route:
- destination: - destination:
host: {{ template "kubezero-lib.fullname" $ }}-keycloak host: {{ template "kubezero-lib.fullname" $ }}-keycloak
{{- end }} {{- end }}
---
{{- if and .Values.keycloak.enabled .Values.keycloak.istio.auth.enabled .Values.keycloak.istio.auth.url }}
# auth endpoint - only expose minimal URls
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: {{ template "kubezero-lib.fullname" $ }}-auth
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" $ | nindent 4 }}
spec:
gateways:
- {{ .Values.keycloak.istio.auth.gateway }}
hosts:
- {{ .Values.keycloak.istio.auth.url }}
http:
- match:
- uri:
regex: ^/(js/|realms/|resources/|robots.txt).*
route:
- destination:
host: {{ template "kubezero-lib.fullname" $ }}-keycloak
{{- end }}

View File

@ -38,6 +38,11 @@ keycloak:
replicaCount: 0 replicaCount: 0
istio: istio:
admin:
enabled: false enabled: false
gateway: istio-ingress/private-ingressgateway gateway: istio-ingress/private-ingressgateway
url: "" url: ""
auth:
enabled: false
gateway: istio-ingress/ingressgateway
url: ""

View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-ci name: kubezero-ci
description: KubeZero umbrella chart for all things CI description: KubeZero umbrella chart for all things CI
type: application type: application
version: 0.7.4 version: 0.8.1
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:

View File

@ -1,6 +1,6 @@
# kubezero-ci # kubezero-ci
![Version: 0.6.3](https://img.shields.io/badge/Version-0.6.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.7.3](https://img.shields.io/badge/Version-0.7.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero umbrella chart for all things CI KubeZero umbrella chart for all things CI
@ -14,15 +14,15 @@ KubeZero umbrella chart for all things CI
## Requirements ## Requirements
Kubernetes: `>= 1.24.0` Kubernetes: `>= 1.25.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://aquasecurity.github.io/helm-charts/ | trivy | 0.7.0 | | https://aquasecurity.github.io/helm-charts/ | trivy | 0.7.0 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
| https://charts.jenkins.io | jenkins | 4.3.24 | | https://charts.jenkins.io | jenkins | 4.6.4 |
| https://dl.gitea.io/charts/ | gitea | 8.3.0 | | https://dl.gitea.io/charts/ | gitea | 9.4.0 |
| https://gocd.github.io/helm-chart | gocd | 1.40.8 | | https://docs.renovatebot.com/helm-charts | renovate | 36.93.5 |
# Jenkins # Jenkins
- default build retention 10 builds, 32days - default build retention 10 builds, 32days
@ -52,31 +52,29 @@ Kubernetes: `>= 1.24.0`
| gitea.gitea.admin.existingSecret | string | `"gitea-admin-secret"` | | | gitea.gitea.admin.existingSecret | string | `"gitea-admin-secret"` | |
| gitea.gitea.config.cache.ADAPTER | string | `"memory"` | | | gitea.gitea.config.cache.ADAPTER | string | `"memory"` | |
| gitea.gitea.config.database.DB_TYPE | string | `"sqlite3"` | | | gitea.gitea.config.database.DB_TYPE | string | `"sqlite3"` | |
| gitea.gitea.config.queue.TYPE | string | `"level"` | |
| gitea.gitea.config.session.PROVIDER | string | `"memory"` | |
| gitea.gitea.demo | bool | `false` | | | gitea.gitea.demo | bool | `false` | |
| gitea.gitea.metrics.enabled | bool | `false` | | | gitea.gitea.metrics.enabled | bool | `false` | |
| gitea.gitea.metrics.serviceMonitor.enabled | bool | `true` | | | gitea.gitea.metrics.serviceMonitor.enabled | bool | `true` | |
| gitea.image.rootless | bool | `true` | |
| gitea.istio.enabled | bool | `false` | | | gitea.istio.enabled | bool | `false` | |
| gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | | gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
| gitea.istio.url | string | `"git.example.com"` | | | gitea.istio.url | string | `"git.example.com"` | |
| gitea.mariadb.enabled | bool | `false` | | | gitea.persistence.create | bool | `false` | |
| gitea.memcached.enabled | bool | `false` | |
| gitea.mysql.enabled | bool | `false` | |
| gitea.persistence.enabled | bool | `true` | | | gitea.persistence.enabled | bool | `true` | |
| gitea.persistence.mount | bool | `true` | |
| gitea.persistence.size | string | `"4Gi"` | | | gitea.persistence.size | string | `"4Gi"` | |
| gitea.postgresql-ha.enabled | bool | `false` | |
| gitea.postgresql.enabled | bool | `false` | | | gitea.postgresql.enabled | bool | `false` | |
| gitea.redis-cluster.enabled | bool | `false` | |
| gitea.repliaCount | int | `1` | |
| gitea.resources.limits.memory | string | `"2048Mi"` | | | gitea.resources.limits.memory | string | `"2048Mi"` | |
| gitea.resources.requests.cpu | string | `"150m"` | | | gitea.resources.requests.cpu | string | `"150m"` | |
| gitea.resources.requests.memory | string | `"320Mi"` | | | gitea.resources.requests.memory | string | `"320Mi"` | |
| gitea.securityContext.allowPrivilegeEscalation | bool | `false` | | | gitea.securityContext.allowPrivilegeEscalation | bool | `false` | |
| gitea.securityContext.capabilities.add[0] | string | `"SYS_CHROOT"` | | | gitea.securityContext.capabilities.add[0] | string | `"SYS_CHROOT"` | |
| gitea.securityContext.capabilities.drop[0] | string | `"ALL"` | | | gitea.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| gocd.enabled | bool | `false` | | | gitea.strategy.type | string | `"Recreate"` | |
| gocd.istio.enabled | bool | `false` | |
| gocd.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
| gocd.istio.url | string | `""` | |
| gocd.server.ingress.enabled | bool | `false` | |
| gocd.server.service.type | string | `"ClusterIP"` | |
| jenkins.agent.annotations."container.apparmor.security.beta.kubernetes.io/jnlp" | string | `"unconfined"` | | | jenkins.agent.annotations."container.apparmor.security.beta.kubernetes.io/jnlp" | string | `"unconfined"` | |
| jenkins.agent.containerCap | int | `2` | | | jenkins.agent.containerCap | int | `2` | |
| jenkins.agent.customJenkinsLabels[0] | string | `"podman-aws-trivy"` | | | jenkins.agent.customJenkinsLabels[0] | string | `"podman-aws-trivy"` | |
@ -89,27 +87,28 @@ Kubernetes: `>= 1.24.0`
| jenkins.agent.resources.requests.cpu | string | `""` | | | jenkins.agent.resources.requests.cpu | string | `""` | |
| jenkins.agent.resources.requests.memory | string | `""` | | | jenkins.agent.resources.requests.memory | string | `""` | |
| jenkins.agent.showRawYaml | bool | `false` | | | jenkins.agent.showRawYaml | bool | `false` | |
| jenkins.agent.tag | string | `"v0.4.2"` | | | jenkins.agent.tag | string | `"v0.4.3"` | |
| jenkins.agent.yamlMergeStrategy | string | `"merge"` | | | jenkins.agent.yamlMergeStrategy | string | `"merge"` | |
| jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n securityContext:\n fsGroup: 1000\n serviceAccountName: jenkins-podman-aws\n containers:\n - name: jnlp\n resources:\n requests:\n cpu: \"512m\"\n memory: \"1024Mi\"\n limits:\n cpu: \"4\"\n memory: \"6144Mi\"\n github.com/fuse: 1\n volumeMounts:\n - name: aws-token\n mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n readOnly: true\n - name: host-registries-conf\n mountPath: \"/home/jenkins/.config/containers/registries.conf\"\n readOnly: true\n volumes:\n - name: aws-token\n projected:\n sources:\n - serviceAccountToken:\n path: token\n expirationSeconds: 86400\n audience: \"sts.amazonaws.com\"\n - name: host-registries-conf\n hostPath:\n path: /etc/containers/registries.conf\n type: File"` | | | jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n securityContext:\n fsGroup: 1000\n serviceAccountName: jenkins-podman-aws\n containers:\n - name: jnlp\n resources:\n requests:\n cpu: \"512m\"\n memory: \"1024Mi\"\n limits:\n cpu: \"4\"\n memory: \"6144Mi\"\n github.com/fuse: 1\n volumeMounts:\n - name: aws-token\n mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n readOnly: true\n - name: host-registries-conf\n mountPath: \"/home/jenkins/.config/containers/registries.conf\"\n readOnly: true\n volumes:\n - name: aws-token\n projected:\n sources:\n - serviceAccountToken:\n path: token\n expirationSeconds: 86400\n audience: \"sts.amazonaws.com\"\n - name: host-registries-conf\n hostPath:\n path: /etc/containers/registries.conf\n type: File"` | |
| jenkins.controller.JCasC.configScripts.zdt-settings | string | `"jenkins:\n noUsageStatistics: true\n disabledAdministrativeMonitors:\n - \"jenkins.security.ResourceDomainRecommendation\"\nunclassified:\n buildDiscarders:\n configuredBuildDiscarders:\n - \"jobBuildDiscarder\"\n - defaultBuildDiscarder:\n discarder:\n logRotator:\n artifactDaysToKeepStr: \"32\"\n artifactNumToKeepStr: \"10\"\n daysToKeepStr: \"100\"\n numToKeepStr: \"10\"\n"` | | | jenkins.controller.JCasC.configScripts.zdt-settings | string | `"jenkins:\n noUsageStatistics: true\n disabledAdministrativeMonitors:\n - \"jenkins.security.ResourceDomainRecommendation\"\nappearance:\n themeManager:\n disableUserThemes: true\n theme: \"dark\"\nunclassified:\n buildDiscarders:\n configuredBuildDiscarders:\n - \"jobBuildDiscarder\"\n - defaultBuildDiscarder:\n discarder:\n logRotator:\n artifactDaysToKeepStr: \"32\"\n artifactNumToKeepStr: \"10\"\n daysToKeepStr: \"100\"\n numToKeepStr: \"10\"\n"` | |
| jenkins.controller.disableRememberMe | bool | `true` | | | jenkins.controller.disableRememberMe | bool | `true` | |
| jenkins.controller.enableRawHtmlMarkupFormatter | bool | `true` | | | jenkins.controller.enableRawHtmlMarkupFormatter | bool | `true` | |
| jenkins.controller.initContainerResources.limits.memory | string | `"1024Mi"` | | | jenkins.controller.initContainerResources.limits.memory | string | `"1024Mi"` | |
| jenkins.controller.initContainerResources.requests.cpu | string | `"50m"` | | | jenkins.controller.initContainerResources.requests.cpu | string | `"50m"` | |
| jenkins.controller.initContainerResources.requests.memory | string | `"256Mi"` | | | jenkins.controller.initContainerResources.requests.memory | string | `"256Mi"` | |
| jenkins.controller.installPlugins[0] | string | `"kubernetes:3937.vd7b_82db_e347b_"` | | | jenkins.controller.installPlugins[0] | string | `"kubernetes"` | |
| jenkins.controller.installPlugins[10] | string | `"build-discarder:139.v05696a_7fe240"` | | | jenkins.controller.installPlugins[10] | string | `"htmlpublisher"` | |
| jenkins.controller.installPlugins[11] | string | `"dark-theme:315.va_22e7d692ea_a"` | | | jenkins.controller.installPlugins[11] | string | `"build-discarder"` | |
| jenkins.controller.installPlugins[1] | string | `"workflow-aggregator:581.v0c46fa_697ffd"` | | | jenkins.controller.installPlugins[12] | string | `"dark-theme"` | |
| jenkins.controller.installPlugins[2] | string | `"git:5.1.0"` | | | jenkins.controller.installPlugins[1] | string | `"kubernetes-credentials-provider"` | |
| jenkins.controller.installPlugins[3] | string | `"basic-branch-build-strategies:71.vc1421f89888e"` | | | jenkins.controller.installPlugins[2] | string | `"workflow-aggregator"` | |
| jenkins.controller.installPlugins[4] | string | `"pipeline-graph-view:183.v9e27732d970f"` | | | jenkins.controller.installPlugins[3] | string | `"git"` | |
| jenkins.controller.installPlugins[5] | string | `"pipeline-stage-view:2.32"` | | | jenkins.controller.installPlugins[4] | string | `"basic-branch-build-strategies"` | |
| jenkins.controller.installPlugins[6] | string | `"configuration-as-code:1647.ve39ca_b_829b_42"` | | | jenkins.controller.installPlugins[5] | string | `"pipeline-graph-view"` | |
| jenkins.controller.installPlugins[7] | string | `"antisamy-markup-formatter:159.v25b_c67cd35fb_"` | | | jenkins.controller.installPlugins[6] | string | `"pipeline-stage-view"` | |
| jenkins.controller.installPlugins[8] | string | `"prometheus:2.2.3"` | | | jenkins.controller.installPlugins[7] | string | `"configuration-as-code"` | |
| jenkins.controller.installPlugins[9] | string | `"htmlpublisher:1.31"` | | | jenkins.controller.installPlugins[8] | string | `"antisamy-markup-formatter"` | |
| jenkins.controller.installPlugins[9] | string | `"prometheus"` | |
| jenkins.controller.javaOpts | string | `"-XX:+UseContainerSupport -XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` | | | jenkins.controller.javaOpts | string | `"-XX:+UseContainerSupport -XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` | |
| jenkins.controller.jenkinsOpts | string | `"--sessionTimeout=300 --sessionEviction=10800"` | | | jenkins.controller.jenkinsOpts | string | `"--sessionTimeout=300 --sessionEviction=10800"` | |
| jenkins.controller.prometheus.enabled | bool | `false` | | | jenkins.controller.prometheus.enabled | bool | `false` | |
@ -132,6 +131,13 @@ Kubernetes: `>= 1.24.0`
| jenkins.rbac.readSecrets | bool | `true` | | | jenkins.rbac.readSecrets | bool | `true` | |
| jenkins.serviceAccountAgent.create | bool | `true` | | | jenkins.serviceAccountAgent.create | bool | `true` | |
| jenkins.serviceAccountAgent.name | string | `"jenkins-podman-aws"` | | | jenkins.serviceAccountAgent.name | string | `"jenkins-podman-aws"` | |
| renovate.cronjob.concurrencyPolicy | string | `"Forbid"` | |
| renovate.cronjob.jobBackoffLimit | int | `3` | |
| renovate.cronjob.schedule | string | `"0 3 * * *"` | |
| renovate.cronjob.successfulJobsHistoryLimit | int | `1` | |
| renovate.enabled | bool | `false` | |
| renovate.env.LOG_FORMAT | string | `"json"` | |
| renovate.securityContext.fsGroup | int | `1000` | |
| trivy.enabled | bool | `false` | | | trivy.enabled | bool | `false` | |
| trivy.image.tag | string | `"0.42.0"` | | | trivy.image.tag | string | `"0.42.0"` | |
| trivy.persistence.enabled | bool | `true` | | | trivy.persistence.enabled | bool | `true` | |

View File

@ -12,6 +12,15 @@ spec:
hosts: hosts:
- {{ .Values.gitea.istio.url }} - {{ .Values.gitea.istio.url }}
http: http:
{{- if .Values.gitea.istio.authProvider }}
# https://github.com/go-gitea/gitea/issues/13606
- match:
- uri:
regex: ^/user/login.*
redirect:
uri: /user/oauth2/{{ .Values.gitea.istio.authProvider }}
redirectCode: 302
{{- end }}
- route: - route:
- destination: - destination:
host: gitea-http host: gitea-http

View File

@ -105,6 +105,10 @@ jenkins:
noUsageStatistics: true noUsageStatistics: true
disabledAdministrativeMonitors: disabledAdministrativeMonitors:
- "jenkins.security.ResourceDomainRecommendation" - "jenkins.security.ResourceDomainRecommendation"
appearance:
themeManager:
disableUserThemes: true
theme: "dark"
unclassified: unclassified:
buildDiscarders: buildDiscarders:
configuredBuildDiscarders: configuredBuildDiscarders:
@ -131,6 +135,7 @@ jenkins:
- htmlpublisher - htmlpublisher
- build-discarder - build-discarder
- dark-theme - dark-theme
- matrix-auth
serviceAccountAgent: serviceAccountAgent:
create: true create: true
@ -139,14 +144,14 @@ jenkins:
# Preconfigure agents to use zdt podman requires fuse/overlayfs # Preconfigure agents to use zdt podman requires fuse/overlayfs
agent: agent:
image: public.ecr.aws/zero-downtime/jenkins-podman image: public.ecr.aws/zero-downtime/jenkins-podman
tag: v0.4.3 tag: v0.4.5
#alwaysPullImage: true #alwaysPullImage: true
podRetention: "Default" podRetention: "Default"
showRawYaml: false showRawYaml: false
podName: "podman-aws" podName: "podman-aws"
customJenkinsLabels: customJenkinsLabels:
- podman-aws-trivy - podman-aws-trivy
idleMinutes: 15 idleMinutes: 30
containerCap: 2 containerCap: 2
annotations: annotations:
container.apparmor.security.beta.kubernetes.io/jnlp: unconfined container.apparmor.security.beta.kubernetes.io/jnlp: unconfined
@ -228,7 +233,7 @@ jenkins:
trivy: trivy:
enabled: false enabled: false
image: image:
tag: 0.42.0 tag: 0.45.1
persistence: persistence:
enabled: true enabled: true
size: 1Gi size: 1Gi