ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 27 Packages Projects Releases Wiki Activity

feat: latest CI, 1.32 upgrade fixes

Browse Source
This commit is contained in:
Stefan Reimer 2025-05-22 13:49:27 +00:00
parent 1c0fcaf4dd
commit dcbe965292
14 changed files with 673 additions and 576 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
.yamllint Normal file
View File

@ -0,0 +1,17 @@
---
extends: default
ignore: |
.yamllint
rules:
truthy:
allowed-values: ['true', 'false']
check-keys: False
level: error
line-length: disable
document-start: disable
comments:
min-spaces-from-content: 1
braces:
max-spaces-inside: 2

56
admin/hooks-1.31.sh
View File

@ -1,56 +0,0 @@
### v1.31
# All things BEFORE the first controller / control plane upgrade
pre_control_plane_upgrade_cluster() {
# add kubezero version label to existing controller nodes for aws-iam migration
for n in $(kubectl get nodes -l "node-role.kubernetes.io/control-plane=" | grep v1.30 | awk {'print $1}'); do
kubectl label node $n 'node.kubernetes.io/kubezero.version=v1.30.6' || true
done
# patch aws-iam-authenticator DS to NOT run pods on 1.31 controllers
kubectl patch ds aws-iam-authenticator -n kube-system -p '{"spec": {"template": {"spec": {"nodeSelector": {"node.kubernetes.io/kubezero.version": "v1.30.6"}}}}}' || true
}
# All things after the first controller / control plane upgrade
post_control_plane_upgrade_cluster() {
# delete previous root app controlled by kubezero module
kubectl delete application kubezero-git-sync -n argocd || true
# only patch appproject to keep SyncWindow in place
kubectl patch appproject kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/labels"}]' || true
kubectl patch appproject kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/annotations"}]' || true
}
# All things AFTER all contollers are on the new version
pre_cluster_upgrade_final() {
set +e
if [ "$PLATFORM" == "aws" ];then
# cleanup aws-iam-authenticator
kubectl delete clusterrolebinding aws-iam-authenticator
kubectl delete clusterrole aws-iam-authenticator
kubectl delete serviceaccount aws-iam-authenticator -n kube-system
kubectl delete cm aws-iam-authenticator -n kube-system
kubectl delete ds aws-iam-authenticator -n kube-system
kubectl delete IAMIdentityMapping kubezero-worker-nodes
kubectl delete IAMIdentityMapping kubernetes-admin
kubectl delete crd iamidentitymappings.iamauthenticator.k8s.aws
kubectl delete secret aws-iam-certs -n kube-system
fi
# Remove any helm hook related resources
kubectl delete rolebinding argo-argocd-redis-secret-init -n argocd
kubectl delete sa argo-argocd-redis-secret-init -n argocd
kubectl delete role argo-argocd-redis-secret-init -n argocd
kubectl delete job argo-argocd-redis-secret-init -n argocd
set -e
}
# Last call
post_cluster_upgrade_final() {
echo
}

13
admin/migrate_argo_values.py
View File

@ -8,18 +8,9 @@ import yaml
def migrate(values):
"""Actual changes here"""
# migrate kubezero root app of apps to Argo chart
# 1.32
try:
if values["kubezero"]:
try:
values["kubezero"].pop("syncPolicy")
except KeyError:
pass
values["kubezero"]["gitSync"]["repoUrl"] = values["kubezero"]["gitSync"].pop("repoURL")
values["argo"]["argo-cd"]["kubezero"] = values["kubezero"]["gitSync"]
values.pop("kubezero")
pass
except KeyError:
pass

6
admin/upgrade_cluster.sh
View File

@ -2,7 +2,7 @@
set -eE
set -o pipefail
KUBE_VERSION=v1.31
KUBE_VERSION=v1.32
ARGO_APP=${1:-/tmp/new-kubezero-argoapp.yaml}
@ -21,6 +21,7 @@ waitSystemPodsRunning
admin_job "upgrade_control_plane, upgrade_kubezero"
exit 0
#echo "Adjust kubezero values as needed:"
# shellcheck disable=SC2015
#[ "$ARGOCD" == "true" ] && kubectl edit app kubezero -n argocd || kubectl edit cm kubezero-values -n kubezero
@ -38,9 +39,6 @@ echo "Applying remaining KubeZero modules..."
admin_job "apply_cert-manager, apply_istio, apply_istio-ingress, apply_istio-private-ingress, apply_logging, apply_metrics, apply_telemetry, apply_argo"
# we replace the project during v1.31 so disable again
[ "$ARGOCD" == "true" ] && disable_argo
# Final step is to commit the new argocd kubezero app
kubectl get app kubezero -n argocd -o yaml | yq 'del(.status) | del(.metadata) | del(.operation) | .metadata.name="kubezero" | .metadata.namespace="argocd"' | yq 'sort_keys(..)' > $ARGO_APP

11
charts/kubezero-ci/README.md
View File

@ -1,6 +1,6 @@
# kubezero-ci
![Version: 0.8.21](https://img.shields.io/badge/Version-0.8.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.8.23](https://img.shields.io/badge/Version-0.8.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero umbrella chart for all things CI
@ -18,11 +18,11 @@ Kubernetes: `>= 1.25.0`
| Repository | Name | Version |
|------------|------|---------|
| https://aquasecurity.github.io/helm-charts/ | trivy | 0.12.0 |
| https://aquasecurity.github.io/helm-charts/ | trivy | 0.14.1 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
| https://charts.jenkins.io | jenkins | 5.8.18 |
| https://dl.gitea.io/charts/ | gitea | 11.0.0 |
| https://docs.renovatebot.com/helm-charts | renovate | 39.200.0 |
| https://charts.jenkins.io | jenkins | 5.8.48 |
| https://dl.gitea.io/charts/ | gitea | 12.0.0 |
| https://docs.renovatebot.com/helm-charts | renovate | 40.22.1 |
# Jenkins
- default build retention 10 builds, 32days
@ -68,7 +68,6 @@ Kubernetes: `>= 1.25.0`
| gitea.gitea.metrics.enabled | bool | `false` | |
| gitea.gitea.metrics.serviceMonitor.enabled | bool | `true` | |
| gitea.image.rootless | bool | `true` | |
| gitea.image.tag | string | `"1.23.5"` | |
| gitea.istio.blockApi | bool | `false` | |
| gitea.istio.enabled | bool | `false` | |
| gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |

320
charts/kubezero-ci/charts/jenkins/CHANGELOG.md
View File

@ -5,13 +5,133 @@ The release numbering uses [semantic versioning](http://semver.org).
Use the following links to reference issues, PRs, and commits prior to v2.6.0.
* Issue: `https://github.com/helm/charts/issues/[issue#]`
* PR: `https://github.com/helm/charts/pull/[pr#]`
* Commit: `https://github.com/helm/charts/commit/[commit]/stable/jenkins`
- Issue: `https://github.com/helm/charts/issues/[issue#]`
- PR: `https://github.com/helm/charts/pull/[pr#]`
- Commit: `https://github.com/helm/charts/commit/[commit]/stable/jenkins`
The changelog until v1.5.7 was auto-generated based on git commits.
Those entries include a reference to the git commit to be able to get more details.
## 5.8.48
Update `docker.io/bats/bats` to version `1.12.0`
## 5.8.47
Fix code styling for super-linter 7 upgrade
## 5.8.46
Update `kubernetes` to version `4340.v345364d31a_2a_`
## 5.8.45
Update `jenkins/inbound-agent` to version `3309.v27b_9314fd1a_4-2`
## 5.8.44
Fix the default value for `controller.sidecars.configAutoReload.env` (change from `{}` to `[]`) to address `coalesce.go:286: warning: cannot overwrite table with non table`.
## 5.8.43
Update `configuration-as-code` to version `1967.va_968e15fd05b_`
## 5.8.42
Update `kubernetes` to version `4336.v55d9a_494db_38`
## 5.8.41
Update `jenkins/inbound-agent` to version `3309.v27b_9314fd1a_4-1`
## 5.8.40
Update `kubernetes` to version `4334.v32b_f157682d6`
## 5.8.39
Update `configuration-as-code` to version `1963.v24e046127a_3f`
## 5.8.38
Update `jenkins/jenkins` to version `2.504.1-jdk21`
## 5.8.37
Update `jenkins/inbound-agent` to version `3307.v632ed11b_3a_c7-2`
## 5.8.36
Update `configuration-as-code` to version `1958.vddc0d369b_e16`
## 5.8.35
Support .Values.agent.garbageCollection also in secondary clouds
## 5.8.34
Added .Values.agent.instanceCap to limit number of agents of each type.
## 5.8.33
Update `configuration-as-code` to version `1953.v148f87d74b_1e`
## 5.8.32
Update `jenkins/jenkins` to version `2.492.3-jdk21`
## 5.8.31
Update `jenkins/jenkins` to version `2.492.3-jdk17`
## 5.8.30
Update `jenkins/inbound-agent` to version `3301.v4363ddcca_4e7-3`
## 5.8.29
Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.3`
## 5.8.28
Update `jenkins/inbound-agent` to version `3301.v4363ddcca_4e7-2`
## 5.8.27
Update `jenkins/inbound-agent` to version `3301.v4363ddcca_4e7-1`
## 5.8.26
Update `jenkins/inbound-agent` to version `3299.v0d0d06908537-2`
## 5.8.25
Fix indentation in `values.yaml`
## 5.8.24
Update `workflow-aggregator` to version `608.v67378e9d3db_1`
## 5.8.23
Update `configuration-as-code` to version `1947.v7d33fe23569c`
## 5.8.22
Update `jenkins/inbound-agent` to version `3299.v0d0d06908537-1`
## 5.8.21
Update `kubernetes` to version `4324.vfec199a_33512`
## 5.8.20
Update `jenkins/inbound-agent` to version `3291.vb_131b_dc231fa_-1`
## 5.8.19
Update `docker.io/kiwigrid/k8s-sidecar` to version `1.30.2`
## 5.8.18
Update `jenkins/jenkins` to version `2.492.2-jdk17`
@ -134,7 +254,7 @@ Update `docker.io/bats/bats` to version `1.11.1`
## 5.7.16
Add tpl support for persistence.storageClassName in home-pvc.yaml and tpl support in controller.ingress parameters(ingressClassName, annotations, hostname) in jenkins-controller-ingress.yaml
Add tpl support for persistence.storageClassName in home-pvc.yaml and tpl support in controller.ingress parameters(ingressClassName, annotations, hostname) in jenkins-controller-ingress.yaml
## 5.7.15
@ -289,7 +409,6 @@ Update `kubernetes` to version `4265.v78b_d4a_1c864a_`
Introduce capability of set skipTlsVerify and usageRestricted flags in additionalClouds
## 5.4.4
Update CHANGELOG.md, README.md, and UPGRADING.md for linting
@ -321,6 +440,7 @@ Update `kubernetes` to version `4253.v7700d91739e5`
## 5.3.4
Update `jenkins/jenkins` to version `2.452.3-jdk17`
## 5.3.3
Update `jenkins/inbound-agent` to version `3256.v88a_f6e922152-1`
@ -501,7 +621,6 @@ Enable support for deleting plugin configuration files at startup.
Fixed changelog entries for previous version bumps
## 5.0.14
Update `jenkins/jenkins` to version `2.440.1-jdk17`
@ -516,8 +635,8 @@ Fix controller.sidecars.additionalSidecarContainers renaming and add tests
## 5.0.11
* Add controller.sidecars.configAutoReload.scheme to specify protocol scheme when connecting Jenkins configuration-as-code reload endpoint
* Add controller.sidecars.configAutoReload.skipTlsVerify to force the k8s-sidecar container to skip TLS verification when connecting to an HTTPS Jenkins configuration-as-code reload endpoint
- Add controller.sidecars.configAutoReload.scheme to specify protocol scheme when connecting Jenkins configuration-as-code reload endpoint
- Add controller.sidecars.configAutoReload.skipTlsVerify to force the k8s-sidecar container to skip TLS verification when connecting to an HTTPS Jenkins configuration-as-code reload endpoint
## 5.0.10
@ -557,8 +676,8 @@ Update `docker.io/bats/bats` to version `v1.10.0`
## 5.0.0
> [!CAUTION]
> Several fields have been renamed or removed. See [UPGRADING.md](./UPGRADING.md#to-500)
> [!CAUTION]
> Several fields have been renamed or removed. See [UPGRADING.md](./UPGRADING.md#to-500)
The Helm Chart is now updated automatically via [Renovate](https://docs.renovatebot.com/)
@ -571,7 +690,7 @@ Update Jenkins image and appVersion to jenkins lts release version 2.426.3
Add support for [generic ephemeral storage](https://github.com/jenkinsci/kubernetes-plugin/pull/1489) in `agent.volumes` and `agents.workspaceVolume`.
| plugin | old version | new version |
|------------|---------------------|--------------------|
| ---------- | ------------------- | ------------------ |
| kubernetes | 4029.v5712230ccb_f8 | 4174.v4230d0ccd951 |
## 4.11.2
@ -594,8 +713,8 @@ Bumped Jenkins inbound agent from 3107.v665000b_51092-15 to 3192.v713e3b_039fb_e
Update Jenkins image and appVersion to jenkins lts release version 2.426.2
Notes about [Artifact Hub](https://artifacthub.io/packages/helm/jenkinsci/jenkins?modal=changelog) changelog processing:
- Remove empty lines
- Keep only ASCII characters (no emojis)
- One change per line
@ -691,7 +810,6 @@ Added `.Values.controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretKey` to all
Update Jenkins image and appVersion to jenkins lts release version 2.414.1
## 4.5.0
Added `.Values.persistence.dataSource` to allow cloning home PVC from existing dataSource.
@ -700,7 +818,6 @@ Added `.Values.persistence.dataSource` to allow cloning home PVC from existing d
Update Jenkins image and appVersion to jenkins lts release version 2.401.3
## 4.4.1
Added `.Values.agent.jnlpregistry` to allow agents to be configured with private registry.
@ -709,7 +826,6 @@ Added `.Values.agent.jnlpregistry` to allow agents to be configured with private
Add config keys for liveness probes on agent containers.
## 4.3.30
Update Jenkins version in controller test matching LTS version
@ -718,7 +834,6 @@ Update Jenkins version in controller test matching LTS version
Update Jenkins image and appVersion to jenkins lts release version 2.401.2
## 4.3.28
Allow the kubernetes API server URL to be configurable.
@ -734,8 +849,8 @@ Fix various typos in the chart documentation.
## 4.3.25
| plugin | old version | new version |
|-----------------------|----------------------|-----------------------|
| kubernetes | 3900.va_dce992317b_4 | 3937.vd7b_82db_e347b_ |
| --------------------- | -------------------- | --------------------- |
| kubernetes | 3900.va_dce992317b_4 | 3937.vd7b*82db_e347b* |
| configuration-as-code | 1625.v27444588cc3d | 1647.ve39ca_b_829b_42 |
| git | 5.0.0 | 5.1.0 |
| ldap | 671.v2a_9192a_7419d | 682.v7b_544c9d1512 |
@ -744,46 +859,38 @@ Fix various typos in the chart documentation.
Update Jenkins image and appVersion to jenkins lts release version 2.401.1
## 4.3.23
Update Jenkins image and appVersion to jenkins lts release version 2.387.3
## 4.3.22
Bump chart version.
## 4.3.21
Document building charts for weekly releases.
## 4.3.20
Enhance repository appearance and miscellaneous cleanup.
## 4.3.19
Comply with superlinter rules and address ShellCheck issues.
## 4.3.18
Bump kiwigrid/k8s-sidecar from 1.15.0 to 1.23.1.
## 4.3.17
Bump jenkins/inbound-agent from 4.11.2-4 to 3107.v665000b_51092-5.
## 4.3.16
Update bundled plugins:
- [ldap](https://plugins.jenkins.io/ldap/): From 2.5 to 671.v2a_9192a_7419d
- [kubernetes](https://plugins.jenkins.io/kubernetes/): From 3734.v562b_b_a_627ea_c to 3900.va_dce992317b_4
- [workflow-aggregator](https://plugins.jenkins.io/workflow-aggregator/): From 590.v6a_d052e5a_a_b_5 to 590.v6a_d052e5a_a_b_5
@ -791,29 +898,24 @@ Update bundled plugins:
## 4.3.15
Update bats from 1.2.1 to 1.9.0.
## 4.3.14
Update various GH actions, typo fixes, and miscellaneous chores.
## 4.3.13
Bump helm-unittest from 0.2.8 to 0.2.11.
## 4.3.12
Update wording in values.yml.
## 4.3.11
Update Jenkins image and appVersion to jenkins lts release version 2.387.2
## 4.3.10
Correct incorrect env var definition
@ -845,7 +947,6 @@ Added `.Values.helmtest.bats.image` and `.Values.helmtest.bats.image` to allow u
Update Jenkins image and appVersion to jenkins lts release version 2.375.3
## 4.3.3
Removed hardcoding of chart version in tests to make maintenance easier
@ -855,7 +956,6 @@ Removed hardcoding of chart version in tests to make maintenance easier
Added `.Values.serviceAccount.extraLabels` on Service Account
Added `.Values.serviceAccountAgent.extraLabels` on Agent's Service Account
## 4.3.0
Moved use of `.Values.containerEnv` within `jenkins` Container to top of `env` block to allow for subsequent Environment Variables to reference these additional ones.
@ -864,7 +964,6 @@ Moved use of `.Values.containerEnv` within `jenkins` Container to top of `env` b
Update Jenkins image and appVersion to jenkins lts release version 2.375.2
## 4.2.20
Fixed the `controller.prometheus.metricRelabelings` being unable to convert the value to the ServiceMonitor.
@ -883,7 +982,6 @@ Added option to set secretEnvVars.
Update Jenkins image and appVersion to jenkins lts release version 2.375.1
## 4.2.16
Fixed chart notes not rendering Jenkins URL with prefix when `controller.jenkinsUriPrefix` is set.
@ -906,43 +1004,49 @@ Adding `tpl` to `controller.additionalExistingSecrets`
Update Jenkins image and appVersion to jenkins lts release version 2.361.3
## 4.2.11
Update default plugin versions
| plugin | old version | new version |
|-----------------------|-----------------------|------------------------|
| kubernetes | 3706.vdfb_d599579f3 | 3734.v562b_b_a_627ea_c |
| git | 4.11.5 | 4.13.0 |
| configuration-as-code | 1512.vb_79d418d5fc8 | 1569.vb_72405b_80249 |
| plugin | old version | new version |
| --------------------- | ------------------- | ---------------------- |
| kubernetes | 3706.vdfb_d599579f3 | 3734.v562b_b_a_627ea_c |
| git | 4.11.5 | 4.13.0 |
| configuration-as-code | 1512.vb_79d418d5fc8 | 1569.vb_72405b_80249 |
## 4.2.10
Fix grammar and typos
## 4.2.9
Update Jenkins image and appVersion to jenkins lts release version 2.361.2
## 4.2.8
Modify the condition to trigger copying jenkins_config files when configAutoReload option is disabled during Jenkins initialization
## 4.2.7
Support for remote URL for configuration
## 4.2.6
Add option to set hostnetwork for agents
## 4.2.5
Add an extra optional argument to extraPorts in order to specify targetPort
## 4.2.4
Remove k8s capibility requirements when setting priority class for controller
## 4.2.3 Update plugin versions
| plugin | old version | new version |
| --------------------- | --------------------- | --------------------- |
| kubernetes | 3600.v144b_cd192ca_a_ | 3706.vdfb_d599579f3 |
| kubernetes | 3600.v144b*cd192ca_a* | 3706.vdfb_d599579f3 |
| workflow-aggregator | 581.v0c46fa_697ffd | 590.v6a_d052e5a_a_b_5 |
| configuration-as-code | 1429.v09b_044a_c93de | 1512.vb_79d418d5fc8 |
| git | 4.11.3 | 4.11.5 |
@ -966,17 +1070,14 @@ Add option to provide additional containers to agents
Update Jenkins image and appVersion to jenkins lts release version 2.361.1
## 4.1.17
Update Jenkins casc default settings to allow `security` configs to be provided
## 4.1.16
Update Jenkins image and appVersion to jenkins lts release version 2.346.3
## 4.1.15
`projectNamingStrategy` is configurable in default config.
@ -989,7 +1090,6 @@ If `installPlugins` is disabled, don't create unused plugins volume.
Update Jenkins image and appVersion to jenkins lts release version 2.346.2
## 4.1.12
If keystore is defined, it is now also made available in the initContainer.
@ -1002,7 +1102,6 @@ JCasC ConfigMaps now generate their name from the `jenkins.casc.configName` help
Update Jenkins image and appVersion to jenkins lts release version 2.346.1
## 4.1.9
Allow setting `imagePullSecret` for backup job via `backup.imagePullSecretName`
@ -1024,12 +1123,15 @@ project adminSecret, additionalSecrets and additionalExistingSecrets instead of
Update readme to fix `JAVA_OPTS` name.
## 4.1.4
Update plugins
## 4.1.3
Update jenkins-controller-statefulset projected volumes definition
## 4.1.1
Added 'controller.prometheus.metricRelabelings' to allow relabling and dropping unused prometheus metrics
## 4.1.0
@ -1062,9 +1164,9 @@ Update Jenkins image and appVersion to jenkins lts release version 2.332.2
## 3.11.9 Bump configuration-as-code plugin version
| plugin | old version | new version |
| --------------------- | ----------- | ----------- |
| configuration-as-code | 1.51 | 1414.v878271fc496f |
| plugin | old version | new version |
| --------------------- | ----------- | ------------------ |
| configuration-as-code | 1.51 | 1414.v878271fc496f |
## 3.11.8
@ -1078,7 +1180,6 @@ Removed Configuration as Code `remotingSecurity` section for Jenkins 2.326 or ne
Update Jenkins image and appVersion to jenkins lts release version 2.332.1
## 3.11.5
Change Backup Role name function call to match the RoleDef function call in the Backup RoleBinding
@ -1087,7 +1188,6 @@ Change Backup Role name function call to match the RoleDef function call in the
Update Jenkins image and appVersion to jenkins lts release version 2.319.3
## 3.11.3
Update kiwigrid/k8s-sidecar:1.15.0
@ -1101,21 +1201,19 @@ Improve example for workspaceVolume. Clarify that this is not a list.
Update configuration-as-code plugin to 1.55.1
## 3.11.0
Update default plugin versions
| plugin | old version | new version |
| --------------------- | ----------- | ----------- |
| kubernetes | 1.31.1 | 1.31.3 |
| git | 4.10.1 | 4.10.2 |
| plugin | old version | new version |
| ---------- | ----------- | ----------- |
| kubernetes | 1.31.1 | 1.31.3 |
| git | 4.10.1 | 4.10.2 |
## 3.10.3
Update Jenkins image and appVersion to jenkins lts release version 2.319.2
## 3.10.2
Fix definition of startupProbe when deploying on a Kubernetes cluster < 1.16
@ -1147,9 +1245,9 @@ Fix config reload request URL when httpsKeystore in use
Update Jenkins image and appVersion to jenkins lts release version 2.319.1
Update following plugins:
* kubernetes:1.30.11
* git:4.10.0
* configuration-as-code:1.54
- kubernetes:1.30.11
- git:4.10.0
- configuration-as-code:1.54
## 3.9.1
@ -1215,33 +1313,39 @@ Fix httpsKeyStore mount when `controller.httpsKeyStore.enable` is `true`
Update Jenkins image and appVersion to jenkins lts release version 2.303.2
## 3.6.0
Support custom agent pod labels
## 3.5.20
Disallow ingress on port 50000 when agent listener is disabled
## 3.5.19
Add support for specifying termination-log behaviour for Jenkins controller
## 3.5.18
Add support for creating a Pod Disruption Budget for Jenkins controller
## 3.5.17
Update workdingDir to `/home/jenkins/agent`
## 3.5.16
Update location of icon (wiki.jenkins.io is down)
## 3.5.15
Add support for adding labels to the Jenkins home Persistent Volume Claim (pvc)
## 3.5.14
* Updated versions of default plugins
* Use verbose logging during plugin installation
* download the latest version of all plugin dependencies (Fixes #442)
- Updated versions of default plugins
- Use verbose logging during plugin installation
- download the latest version of all plugin dependencies (Fixes #442)
## 3.5.13
@ -1263,7 +1367,6 @@ Fixed `controller.customJenkinsLabels` not getting templated into the controller
Update Jenkins image and appVersion to jenkins lts release version 2.289.3
## 3.5.8
Add parameter `backup.serviceAccount.create` to disable service account creation for backup service and `backup.serviceAccount.name` to allow change of the SA name.
@ -1294,6 +1397,7 @@ Update Jenkins image and appVersion to jenkins lts release version 2.289.2
Enable setting `controller.installLatestSpecifiedPlugins` to set whether to download the latest dependencies of any plugin that is requested to have the latest version.
## 3.5.1
Fix activeDeadlineSeconds wrong type bug in jenkins-backup-cronjob template
## 3.5.0
@ -1317,43 +1421,56 @@ Make `controller.ingress.resourceRootUrl` compatible with API version networking
Update Jenkins image and appVersion to jenkins lts release version 2.289.1
## 3.3.21
`persistence.mounts` additionally mount to init container to allow custom CA certificate keystore
## 3.3.18
Added `controller.overrideArgs` so any cli argument can be passed to the WAR.
## 3.3.17
Correct docs on disabling plugin installation
## 3.3.16
Support generating `SecretClaim` resources in order to read secrets from HashiCorp Vault into Kubernetes using `kube-vault-controller`.
## 3.3.15
Prevent `controller.httpsKeyStore` from improperly being quoted, leading to an invalid location on disk
## 3.3.14
Correct docs on disabling plugin installation
## 3.3.13
Update plugins
## 3.3.12
Add `controller.additionalExistingSecrets` property
## 3.3.11
Add support for disabling the Agent listener service via `controller.agentListenerEnabled`.
## 3.3.10
Update Jenkins image and appVersion to jenkins lts release version 2.277.4
## 3.3.9
* Change helper template so user defined `agent.jenkinsUrl` value will always be used, if set
* Simplify logic for `jenkinsUrl` and `jenkinsTunnel` generation: always use fully qualified address
- Change helper template so user defined `agent.jenkinsUrl` value will always be used, if set
- Simplify logic for `jenkinsUrl` and `jenkinsTunnel` generation: always use fully qualified address
## 3.3.8
Update Jenkins image and appVersion to jenkins lts release version 2.277.3
## 3.3.7
fix controller-ingress line feed bug
## 3.3.6
@ -1369,7 +1486,6 @@ Use tpl function for environment vars. Fixes [https://github.com/jenkinsci/helm-
Update Jenkins image and appVersion to jenkins lts release version 2.277.2
## 3.3.3
Enable setting `controller.installLatestPlugins` to set whether to download the minimum required version of all dependencies.
@ -1395,6 +1511,7 @@ Add missing `controller.jenkinsUrlProtocol` property
Add additional metadata `artifacthub.io/images` for artifacthub
## 3.2.4
Update Jenkins image and appVersion to jenkins lts release version 2.277.1
Update Git plugin version to v4.6.0
Update kubernetes plugin version to v1.29.2
@ -1477,8 +1594,8 @@ Update Jenkins image and appVersion to jenkins lts release version 2.263.2
## 3.1.0
* Added `.Values.controller.podSecurityContextOverride` and `.Values.backup.podSecurityContextOverride`.
* Added simple default values tests for `jenkins-backup-cronjob.yaml`.
- Added `.Values.controller.podSecurityContextOverride` and `.Values.backup.podSecurityContextOverride`.
- Added simple default values tests for `jenkins-backup-cronjob.yaml`.
## 3.0.14
@ -1506,11 +1623,11 @@ Added support for backing up to Azure Blob Storage.
## 3.0.8
* Typo in documentation
- Typo in documentation
## 3.0.7
* Add support for setting default agent workspaceVolume
- Add support for setting default agent workspaceVolume
## 3.0.6
@ -1518,47 +1635,47 @@ Use 2.263.1 image
## 3.0.5
* Update appVersion to reflect new jenkins lts release version 2.263.1
- Update appVersion to reflect new jenkins lts release version 2.263.1
## 3.0.4
* Fix documentation for additional secret mounts
- Fix documentation for additional secret mounts
## 3.0.3
* Update `README.md` with explanation on how to mount additional secrets
- Update `README.md` with explanation on how to mount additional secrets
## 3.0.2
* Fix `.Values.controller.tolerations` and `.Values.controller.nodeSelector` variable names in templates\jenkins-backup-cronjob.yaml
- Fix `.Values.controller.tolerations` and `.Values.controller.nodeSelector` variable names in templates\jenkins-backup-cronjob.yaml
## 3.0.1
* added 'runAsNonroot' to security context
- added 'runAsNonroot' to security context
## 3.0.0
* Chart uses StatefulSet instead of Deployment
* XML configuration was removed in favor of JCasC
* chart migrated to helm 3.0.0 (apiVersion v2)
* offending terms have been removed
* values have been renamed and re-ordered to make it easier to use
* already deprecated items have been removed
* componentName for the controller is now `jenkins-controller`
* componentName for the agent is now `jenkins-agent`
* container names are now
* `init` for the init container which downloads Jenkins plugins
* `jenkins` for the Jenkins controller
* `config-reload` for the sidecar container which automatically reloads JCasC
* Updated UI tests to use official `bats/bats` image instead of `dduportal/bats`
- Chart uses StatefulSet instead of Deployment
- XML configuration was removed in favor of JCasC
- chart migrated to helm 3.0.0 (apiVersion v2)
- offending terms have been removed
- values have been renamed and re-ordered to make it easier to use
- already deprecated items have been removed
- componentName for the controller is now `jenkins-controller`
- componentName for the agent is now `jenkins-agent`
- container names are now
- `init` for the init container which downloads Jenkins plugins
- `jenkins` for the Jenkins controller
- `config-reload` for the sidecar container which automatically reloads JCasC
- Updated UI tests to use official `bats/bats` image instead of `dduportal/bats`
For migration instructions from previous versions and additional information check README.md.
## 2.19.0
* Use lts version 2.249.3
* Update kubernetes, workflow-aggregator, git and configuration-as-code plugins.
* Fail apply_config.sh script if an error occurs.
- Use lts version 2.249.3
- Update kubernetes, workflow-aggregator, git and configuration-as-code plugins.
- Fail apply_config.sh script if an error occurs.
## 2.18.2
@ -1958,7 +2075,7 @@ Update docs for Helm 3
Make `jenkins-home` attachable to Azure Disks without pvc
```yaml
volumes:
volumes:
- name: jenkins-home
azureDisk:
kind: Managed
@ -1987,6 +2104,7 @@ Scriptapprovals are overwritten when overwriteConfig is enabled
Added documentation for `persistence.storageClass`.
## 1.9.9
Make `master.deploymentAnnotation` configurable.
## 1.9.8
@ -1996,7 +2114,7 @@ Make `agent.slaveConnectTimeout` configurable: by increasing this value Jenkins
## 1.9.7 Update plugin versions
| plugin | old version | new version |
|-----------------------|-------------|-------------|
| --------------------- | ----------- | ----------- |
| kubernetes | 1.18.2 | 1.21.2 |
| workflow-job | 2.33 | 2.36 |
| credentials-binding | 1.19 | 1.20 |
@ -2016,9 +2134,9 @@ Enables jenkins to use keystore inorder to have native ssl support #17790 <https
Google application credentials are kept in a file, which has to be mounted to a pod. You can set `gcpcredentials` in `existingSecret` as follows:
```yaml
existingSecret:
jenkins-service-account:
gcpcredentials: application_default_credentials.json
existingSecret:
jenkins-service-account:
gcpcredentials: application_default_credentials.json
```
Helm template then creates the necessary volume mounts and `GOOGLE_APPLICATION_CREDENTIALS` environmental variable.
@ -2437,7 +2555,7 @@ commit: b02ae3f48
### Breaking changes
- values have been renamed to follow helm chart best practices for naming conventions so
that all variables start with a lowercase letter and words are separated with camelcase
that all variables start with a lowercase letter and words are separated with camelCase
<https://helm.sh/docs/chart_best_practices/#naming-conventions>
- all resources are now using recommended standard labels
<https://helm.sh/docs/chart_best_practices/#standard-labels>

12
charts/kubezero-ci/charts/jenkins/Chart.yaml
View File

@ -1,14 +1,14 @@
annotations:
artifacthub.io/category: integration-delivery
artifacthub.io/changes: |
- Update `jenkins/jenkins` to version `2.492.2-jdk17`
- Update `docker.io/bats/bats` to version `1.12.0`
artifacthub.io/images: |
- name: jenkins
image: docker.io/jenkins/jenkins:2.492.2-jdk17
image: docker.io/jenkins/jenkins:2.504.1-jdk21
- name: k8s-sidecar
image: docker.io/kiwigrid/k8s-sidecar:1.30.1
image: docker.io/kiwigrid/k8s-sidecar:1.30.3
- name: inbound-agent
image: jenkins/inbound-agent:3283.v92c105e0f819-9
image: jenkins/inbound-agent:3309.v27b_9314fd1a_4-2
artifacthub.io/license: Apache-2.0
artifacthub.io/links: |
- name: Chart Source
@ -18,7 +18,7 @@ annotations:
- name: support
url: https://github.com/jenkinsci/helm-charts/issues
apiVersion: v2
appVersion: 2.492.2
appVersion: 2.504.1
description: 'Jenkins - Build great things at any scale! As the leading open source
automation server, Jenkins provides over 2000 plugins to support building, deploying
and automating any project. '
@ -46,4 +46,4 @@ sources:
- https://github.com/maorfr/kube-tasks
- https://github.com/jenkinsci/configuration-as-code-plugin
type: application
version: 5.8.18
version: 5.8.48

92
charts/kubezero-ci/charts/jenkins/README.md
View File

@ -227,8 +227,8 @@ Further JCasC examples can be found [here](https://github.com/jenkinsci/configur
#### Breaking out large Config as Code scripts
Jenkins Config as Code scripts can become quite large, and maintaining all of your scripts within one yaml file can be difficult. The Config as Code plugin itself suggests updating the `CASC_JENKINS_CONFIG` environment variable to be a comma separated list of paths for the plugin to traverse, picking up the yaml files as needed.
However, under the Jenkins helm chart, this `CASC_JENKINS_CONFIG` value is maintained through the templates. A better solution is to split your `controller.JCasC.configScripts` into separate values files, and provide each file during the helm install.
Jenkins Config as Code scripts can become quite large, and maintaining all of your scripts within one yaml file can be difficult. The Config as Code plugin itself suggests updating the `CASC_JENKINS_CONFIG` environment variable to be a comma separated list of paths for the plugin to traverse, picking up the yaml files as needed.
However, under the Jenkins helm chart, this `CASC_JENKINS_CONFIG` value is maintained through the templates. A better solution is to split your `controller.JCasC.configScripts` into separate values files, and provide each file during the helm install.
For example, you can have a values file (e.g values_main.yaml) that defines the values described in the `VALUES_SUMMARY.md` for your Jenkins configuration:
@ -247,7 +247,7 @@ jenkins:
controller:
JCasC:
configScripts:
jenkinsCasc: |
jenkinsCasc: |
jenkins:
disableRememberMe: false
mode: NORMAL
@ -268,7 +268,7 @@ jenkins:
...
```
When installing, you provide all relevant yaml files (e.g `helm install -f values_main.yaml -f values_jenkins_casc.yaml -f values_jenkins_unclassified.yaml ...`). Instead of updating the `CASC_JENKINS_CONFIG` environment variable to include multiple paths, multiple CasC yaml files will be created in the same path `var/jenkins_home/casc_configs`.
When installing, you provide all relevant yaml files (e.g `helm install -f values_main.yaml -f values_jenkins_casc.yaml -f values_jenkins_unclassified.yaml ...`). Instead of updating the `CASC_JENKINS_CONFIG` environment variable to include multiple paths, multiple CasC yaml files will be created in the same path `var/jenkins_home/casc_configs`.
#### Config as Code With or Without Auto-Reload
@ -295,27 +295,36 @@ This option requires installation of the [OWASP Markup Formatter Plugin (antisam
This plugin is **not** installed by default but may be added to `controller.additionalPlugins`.
### Change max connections to Kubernetes API
When using agents with containers other than JNLP, The kubernetes plugin will communicate with those containers using the Kubernetes API. this changes the maximum concurrent connections
```yaml
agent:
maxRequestsPerHostStr: "32"
```
This will change the configuration of the kubernetes "cloud" (as called by jenkins) that is created automatically as part of this helm chart.
### Change container cleanup timeout API
For tasks that use very large images, this timeout can be increased to avoid early termination of the task while the Kubernetes pod is still deploying.
```yaml
agent:
retentionTimeout: "32"
```
This will change the configuration of the kubernetes "cloud" (as called by jenkins) that is created automatically as part of this helm chart.
### Change seconds to wait for pod to be running
This will change how long Jenkins will wait (seconds) for pod to be in running state.
```yaml
agent:
waitForPodSec: "32"
```
This will change the configuration of the kubernetes "cloud" (as called by jenkins) that is created automatically as part of this helm chart.
### Mounting Volumes into Agent Pods
@ -325,9 +334,9 @@ Your Jenkins Agents will run as pods, and it's possible to inject volumes where
```yaml
agent:
volumes:
- type: Secret
secretName: jenkins-mysecrets
mountPath: /var/run/secrets/jenkins-mysecrets
- type: Secret
secretName: jenkins-mysecrets
mountPath: /var/run/secrets/jenkins-mysecrets
```
The supported volume types are: `ConfigMap`, `EmptyDir`, `HostPath`, `Nfs`, `PVC`, `Secret`.
@ -380,11 +389,11 @@ See additional `persistence` values using [configuration commands](#configuratio
2. Create the PersistentVolumeClaim
3. [Install](#install-chart) the chart, setting `persistence.existingClaim` to `PVC_NAME`
#### Long Volume Attach/Mount Times
#### Long Volume Attach-/Mount Times
Certain volume type and filesystem format combinations may experience long
attach/mount times, [10 or more minutes][K8S_VOLUME_TIMEOUT], when using
`fsGroup`. This issue may result in the following entries in the pod's event
`fsGroup`. This issue may result in the following entries in the pod's event
history:
```console
@ -392,7 +401,7 @@ Warning FailedMount 38m kubelet, aks-default-41587790-2 Unable
```
In these cases, experiment with replacing `fsGroup` with
`supplementalGroups` in the pod's `securityContext`. This can be achieved by
`supplementalGroups` in the pod's `securityContext`. This can be achieved by
setting the `controller.podSecurityContextOverride` Helm chart value to
something like:
@ -424,6 +433,7 @@ A common use case might be identity provider credentials if using an external LD
The secret may then be referenced in JCasC configuration (see [JCasC configuration](#configuration-as-code)).
`values.yaml` controller section, referencing mounted secrets:
```yaml
controller:
# the 'name' and 'keyName' are concatenated with a '-' in between, so for example:
@ -433,7 +443,7 @@ controller:
# existingSecret existing secret "secret-credentials" and a key inside it named "github-username" should be used in Jcasc as ${github-username}
# When using existingSecret no need to specify the keyName under additionalExistingSecrets.
existingSecret: secret-credentials
additionalExistingSecrets:
- name: secret-credentials
keyName: github-username
@ -441,7 +451,7 @@ controller:
keyName: github-password
- name: secret-credentials
keyName: token
additionalSecrets:
- name: client_id
value: abc123
@ -481,6 +491,7 @@ It's possible for this chart to generate `SecretClaim` resources in order to aut
These `Secrets` can then be referenced in the same manner as Additional Secrets above.
This can be achieved by defining required Secret Claims within `controller.secretClaims`, as follows:
```yaml
controller:
secretClaims:
@ -574,11 +585,11 @@ The simplest configuration looks like the following:
```yaml
controller:
ingress:
enabled: true
paths: []
apiVersion: "extensions/v1beta1"
hostName: jenkins.example.com
ingress:
enabled: true
paths: []
apiVersion: "extensions/v1beta1"
hostName: jenkins.example.com
```
This snippet configures an ingress rule for exposing jenkins at `jenkins.example.com`
@ -593,20 +604,20 @@ The secondaryingress doesn't expose anything by default and has to be configured
```yaml
controller:
ingress:
enabled: true
apiVersion: "extensions/v1beta1"
hostName: "jenkins.internal.example.com"
annotations:
kubernetes.io/ingress.class: "internal"
secondaryingress:
enabled: true
apiVersion: "extensions/v1beta1"
hostName: "jenkins-scm.example.com"
annotations:
kubernetes.io/ingress.class: "public"
paths:
- /github-webhook
ingress:
enabled: true
apiVersion: "extensions/v1beta1"
hostName: "jenkins.internal.example.com"
annotations:
kubernetes.io/ingress.class: "internal"
secondaryingress:
enabled: true
apiVersion: "extensions/v1beta1"
hostName: "jenkins-scm.example.com"
annotations:
kubernetes.io/ingress.class: "public"
paths:
- /github-webhook
```
## Prometheus Metrics
@ -660,15 +671,16 @@ and `https-jks-password` (or override the key name using `jenkinsHttpsJksPasswor
```yaml
controller:
httpsKeyStore:
enable: true
jenkinsHttpsJksSecretName: ''
httpPort: 8081
path: "/var/jenkins_keystore"
fileName: "keystore.jks"
password: "changeit"
jenkinsKeyStoreBase64Encoded: ''
httpsKeyStore:
enable: true
jenkinsHttpsJksSecretName: ""
httpPort: 8081
path: "/var/jenkins_keystore"
fileName: "keystore.jks"
password: "changeit"
jenkinsKeyStoreBase64Encoded: ""
```
### AWS Security Group Policies
To create SecurityGroupPolicies set `awsSecurityGroupPolicies.enabled` to true and add your policies. Each policy requires a `name`, array of `securityGroupIds` and a `podSelector`. Example:
@ -678,7 +690,7 @@ awsSecurityGroupPolicies:
enabled: true
policies:
- name: "jenkins-controller"
securityGroupIds:
securityGroupIds:
- sg-123456789
podSelector:
matchExpressions:

59
charts/kubezero-ci/charts/jenkins/UPGRADING.md
View File

@ -1,6 +1,7 @@
# Upgrade Notes
## To 5.0.0
- `controller.image`, `controller.tag`, and `controller.tagLabel` have been removed. If you want to overwrite the image you now need to configure any or all of:
- `controller.image.registry`
- `controller.image.repository`
@ -31,38 +32,40 @@
- `backup.*` was unmaintained and has thus been removed. See the following page for alternatives: [Kubernetes Backup and Migrations](https://nubenetes.com/kubernetes-backup-migrations/).
## To 4.0.0
Removes automatic `remotingSecurity` setting when using a container tag older than `2.326` (introduced in [`3.11.7`](./CHANGELOG.md#3117)). If you're using a version older than `2.326`, you should explicitly set `.controller.legacyRemotingSecurityEnabled` to `true`.
## To 3.0.0
* Check `securityRealm` and `authorizationStrategy` and adjust it.
- Check `securityRealm` and `authorizationStrategy` and adjust it.
Otherwise, your configured users and permissions will be overridden.
* You need to use helm version 3 as the `Chart.yaml` uses `apiVersion: v2`.
* All XML configuration options have been removed.
- You need to use helm version 3 as the `Chart.yaml` uses `apiVersion: v2`.
- All XML configuration options have been removed.
In case those are still in use you need to migrate to configuration as code.
Upgrade guide to 2.0.0 contains pointers how to do that.
* Jenkins is now using a `StatefulSet` instead of a `Deployment`
* terminology has been adjusted that's also reflected in values.yaml
- Jenkins is now using a `StatefulSet` instead of a `Deployment`
- terminology has been adjusted that's also reflected in values.yaml
The following values from `values.yaml` have been renamed:
* `master` => `controller`
* `master.useSecurity` => `controller.adminSecret`
* `master.slaveListenerPort` => `controller.agentListenerPort`
* `master.slaveHostPort` => `controller.agentListenerHostPort`
* `master.slaveKubernetesNamespace` => `agent.namespace`
* `master.slaveDefaultsProviderTemplate` => `agent.defaultsProviderTemplate`
* `master.slaveJenkinsUrl` => `agent.jenkinsUrl`
* `master.slaveJenkinsTunnel` => `agent.jenkinsTunnel`
* `master.slaveConnectTimeout` => `agent.kubernetesConnectTimeout`
* `master.slaveReadTimeout` => `agent.kubernetesReadTimeout`
* `master.slaveListenerServiceAnnotations` => `controller.agentListenerServiceAnnotations`
* `master.slaveListenerServiceType` => `controller.agentListenerServiceType`
* `master.slaveListenerLoadBalancerIP` => `controller.agentListenerLoadBalancerIP`
* `agent.slaveConnectTimeout` => `agent.connectTimeout`
* Removed values:
- `master` => `controller`
- `master.useSecurity` => `controller.adminSecret`
- `master.slaveListenerPort` => `controller.agentListenerPort`
- `master.slaveHostPort` => `controller.agentListenerHostPort`
- `master.slaveKubernetesNamespace` => `agent.namespace`
- `master.slaveDefaultsProviderTemplate` => `agent.defaultsProviderTemplate`
- `master.slaveJenkinsUrl` => `agent.jenkinsUrl`
- `master.slaveJenkinsTunnel` => `agent.jenkinsTunnel`
- `master.slaveConnectTimeout` => `agent.kubernetesConnectTimeout`
- `master.slaveReadTimeout` => `agent.kubernetesReadTimeout`
- `master.slaveListenerServiceAnnotations` => `controller.agentListenerServiceAnnotations`
- `master.slaveListenerServiceType` => `controller.agentListenerServiceType`
- `master.slaveListenerLoadBalancerIP` => `controller.agentListenerLoadBalancerIP`
- `agent.slaveConnectTimeout` => `agent.connectTimeout`
* `master.imageTag`: use `controller.image` and `controller.tag` instead
* `slave.imageTag`: use `agent.image` and `agent.tag` instead
- Removed values:
- `master.imageTag`: use `controller.image` and `controller.tag` instead
- `slave.imageTag`: use `agent.image` and `agent.tag` instead
## To 2.0.0
@ -95,14 +98,14 @@ Here we show which values have changed and the previous default values:
```yaml
controller:
runAsUser: 1000 # was unset before
fsGroup: 1000 # was unset before
runAsUser: 1000 # was unset before
fsGroup: 1000 # was unset before
JCasC:
enabled: true # was false
defaultConfig: true # was false
enabled: true # was false
defaultConfig: true # was false
sidecars:
configAutoReload:
enabled: true # was false
enabled: true # was false
```
### Migration steps
@ -135,7 +138,7 @@ So think of the list below more as a general guideline of what should be done.
Breaking changes:
- Values have been renamed to follow [helm recommended naming conventions](https://helm.sh/docs/chart_best_practices/#naming-conventions) so that all variables start with a lowercase letter and words are separated with camelcase
- Values have been renamed to follow [helm recommended naming conventions](https://helm.sh/docs/chart_best_practices/#naming-conventions) so that all variables start with a lowercase letter and words are separated with camelCase
- All resources are now using [helm recommended standard labels](https://helm.sh/docs/chart_best_practices/#standard-labels)
As a result of the label changes also the selectors of the deployment have been updated.

585
charts/kubezero-ci/charts/jenkins/VALUES.md
View File

@ -8,314 +8,315 @@ The following tables list the configurable parameters of the Jenkins chart and t
| Key | Type | Description | Default |
|:----|:-----|:---------|:------------|
| [additionalAgents](./values.yaml#L1199) | object | Configure additional | `{}` |
| [additionalClouds](./values.yaml#L1224) | object | | `{}` |
| [agent.TTYEnabled](./values.yaml#L1105) | bool | Allocate pseudo tty to the side container | `false` |
| [agent.additionalContainers](./values.yaml#L1152) | list | Add additional containers to the agents | `[]` |
| [agent.alwaysPullImage](./values.yaml#L998) | bool | Always pull agent container image before build | `false` |
| [agent.annotations](./values.yaml#L1148) | object | Annotations to apply to the pod | `{}` |
| [agent.args](./values.yaml#L1099) | string | Arguments passed to command to execute | `"${computer.jnlpmac} ${computer.name}"` |
| [agent.command](./values.yaml#L1097) | string | Command to execute when side container starts | `nil` |
| [agent.componentName](./values.yaml#L966) | string | | `"jenkins-agent"` |
| [agent.connectTimeout](./values.yaml#L1146) | int | Timeout in seconds for an agent to be online | `100` |
| [agent.containerCap](./values.yaml#L1107) | int | Max number of agents to launch | `10` |
| [agent.customJenkinsLabels](./values.yaml#L963) | list | Append Jenkins labels to the agent | `[]` |
| [agent.defaultsProviderTemplate](./values.yaml#L917) | string | The name of the pod template to use for providing default values | `""` |
| [agent.directConnection](./values.yaml#L969) | bool | | `false` |
| [agent.disableDefaultAgent](./values.yaml#L1170) | bool | Disable the default Jenkins Agent configuration | `false` |
| [agent.enabled](./values.yaml#L915) | bool | Enable Kubernetes plugin jnlp-agent podTemplate | `true` |
| [agent.envVars](./values.yaml#L1080) | list | Environment variables for the agent Pod | `[]` |
| [agent.garbageCollection.enabled](./values.yaml#L1114) | bool | When enabled, Jenkins will periodically check for orphan pods that have not been touched for the given timeout period and delete them. | `false` |
| [agent.garbageCollection.namespaces](./values.yaml#L1116) | string | Namespaces to look at for garbage collection, in addition to the default namespace defined for the cloud. One namespace per line. | `""` |
| [agent.garbageCollection.timeout](./values.yaml#L1121) | int | Timeout value for orphaned pods | `300` |
| [agent.hostNetworking](./values.yaml#L977) | bool | Enables the agent to use the host network | `false` |
| [agent.idleMinutes](./values.yaml#L1124) | int | Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it | `0` |
| [agent.image.repository](./values.yaml#L956) | string | Repository to pull the agent jnlp image from | `"jenkins/inbound-agent"` |
| [agent.image.tag](./values.yaml#L958) | string | Tag of the image to pull | `"3283.v92c105e0f819-9"` |
| [agent.imagePullSecretName](./values.yaml#L965) | string | Name of the secret to be used to pull the image | `nil` |
| [agent.inheritYamlMergeStrategy](./values.yaml#L1144) | bool | Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one | `false` |
| [agent.jenkinsTunnel](./values.yaml#L933) | string | Overrides the Kubernetes Jenkins tunnel | `nil` |
| [agent.jenkinsUrl](./values.yaml#L929) | string | Overrides the Kubernetes Jenkins URL | `nil` |
| [agent.jnlpregistry](./values.yaml#L953) | string | Custom registry used to pull the agent jnlp image from | `nil` |
| [agent.kubernetesConnectTimeout](./values.yaml#L939) | int | The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 | `5` |
| [agent.kubernetesReadTimeout](./values.yaml#L941) | int | The read timeout in seconds for connections to Kubernetes API. The minimum value is 15 | `15` |
| [agent.livenessProbe](./values.yaml#L988) | object | | `{}` |
| [agent.maxRequestsPerHostStr](./values.yaml#L943) | string | The maximum concurrent connections to Kubernetes API | `"32"` |
| [agent.namespace](./values.yaml#L949) | string | Namespace in which the Kubernetes agents should be launched | `nil` |
| [agent.nodeSelector](./values.yaml#L1091) | object | Node labels for pod assignment | `{}` |
| [agent.nodeUsageMode](./values.yaml#L961) | string | | `"NORMAL"` |
| [agent.podLabels](./values.yaml#L951) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` |
| [agent.podName](./values.yaml#L1109) | string | Agent Pod base name | `"default"` |
| [agent.podRetention](./values.yaml#L1007) | string | | `"Never"` |
| [agent.podTemplates](./values.yaml#L1180) | object | Configures extra pod templates for the default kubernetes cloud | `{}` |
| [agent.privileged](./values.yaml#L971) | bool | Agent privileged container | `false` |
| [agent.resources](./values.yaml#L979) | object | Resources allocation (Requests and Limits) | `{"limits":{"cpu":"512m","memory":"512Mi"},"requests":{"cpu":"512m","memory":"512Mi"}}` |
| [agent.restrictedPssSecurityContext](./values.yaml#L1004) | bool | Set a restricted securityContext on jnlp containers | `false` |
| [agent.retentionTimeout](./values.yaml#L945) | int | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | `5` |
| [agent.runAsGroup](./values.yaml#L975) | string | Configure container group | `nil` |
| [agent.runAsUser](./values.yaml#L973) | string | Configure container user | `nil` |
| [agent.secretEnvVars](./values.yaml#L1084) | list | Mount a secret as environment variable | `[]` |
| [agent.serviceAccount](./values.yaml#L925) | string | Override the default service account | `serviceAccountAgent.name` if `agent.useDefaultServiceAccount` is `true` |
| [agent.showRawYaml](./values.yaml#L1011) | bool | | `true` |
| [agent.sideContainerName](./values.yaml#L1101) | string | Side container name | `"jnlp"` |
| [agent.skipTlsVerify](./values.yaml#L935) | bool | Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI | `false` |
| [agent.usageRestricted](./values.yaml#L937) | bool | Enable the possibility to restrict the usage of this agent to specific folder. This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI | `false` |
| [agent.useDefaultServiceAccount](./values.yaml#L921) | bool | Use `serviceAccountAgent.name` as the default value for defaults template `serviceAccount` | `true` |
| [agent.volumes](./values.yaml#L1018) | list | Additional volumes | `[]` |
| [agent.waitForPodSec](./values.yaml#L947) | int | Seconds to wait for pod to be running | `600` |
| [agent.websocket](./values.yaml#L968) | bool | Enables agent communication via websockets | `false` |
| [agent.workingDir](./values.yaml#L960) | string | Configure working directory for default agent | `"/home/jenkins/agent"` |
| [agent.workspaceVolume](./values.yaml#L1053) | object | Workspace volume (defaults to EmptyDir) | `{}` |
| [agent.yamlMergeStrategy](./values.yaml#L1142) | string | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override" | `"override"` |
| [agent.yamlTemplate](./values.yaml#L1131) | string | The raw yaml of a Pod API Object to merge into the agent spec | `""` |
| [awsSecurityGroupPolicies.enabled](./values.yaml#L1356) | bool | | `false` |
| [awsSecurityGroupPolicies.policies[0].name](./values.yaml#L1358) | string | | `""` |
| [awsSecurityGroupPolicies.policies[0].podSelector](./values.yaml#L1360) | object | | `{}` |
| [awsSecurityGroupPolicies.policies[0].securityGroupIds](./values.yaml#L1359) | list | | `[]` |
| [checkDeprecation](./values.yaml#L1353) | bool | Checks if any deprecated values are used | `true` |
| [additionalAgents](./values.yaml#L1202) | object | Configure additional | `{}` |
| [additionalClouds](./values.yaml#L1227) | object | | `{}` |
| [agent.TTYEnabled](./values.yaml#L1107) | bool | Allocate pseudo tty to the side container | `false` |
| [agent.additionalContainers](./values.yaml#L1155) | list | Add additional containers to the agents | `[]` |
| [agent.alwaysPullImage](./values.yaml#L1000) | bool | Always pull agent container image before build | `false` |
| [agent.annotations](./values.yaml#L1151) | object | Annotations to apply to the pod | `{}` |
| [agent.args](./values.yaml#L1101) | string | Arguments passed to command to execute | `"${computer.jnlpmac} ${computer.name}"` |
| [agent.command](./values.yaml#L1099) | string | Command to execute when side container starts | `nil` |
| [agent.componentName](./values.yaml#L968) | string | | `"jenkins-agent"` |
| [agent.connectTimeout](./values.yaml#L1149) | int | Timeout in seconds for an agent to be online | `100` |
| [agent.containerCap](./values.yaml#L1109) | int | Max number of agents to launch for a whole cluster. | `10` |
| [agent.customJenkinsLabels](./values.yaml#L965) | list | Append Jenkins labels to the agent | `[]` |
| [agent.defaultsProviderTemplate](./values.yaml#L919) | string | The name of the pod template to use for providing default values | `""` |
| [agent.directConnection](./values.yaml#L971) | bool | | `false` |
| [agent.disableDefaultAgent](./values.yaml#L1173) | bool | Disable the default Jenkins Agent configuration | `false` |
| [agent.enabled](./values.yaml#L917) | bool | Enable Kubernetes plugin jnlp-agent podTemplate | `true` |
| [agent.envVars](./values.yaml#L1082) | list | Environment variables for the agent Pod | `[]` |
| [agent.garbageCollection.enabled](./values.yaml#L1118) | bool | When enabled, Jenkins will periodically check for orphan pods that have not been touched for the given timeout period and delete them. | `false` |
| [agent.garbageCollection.namespaces](./values.yaml#L1120) | string | Namespaces to look at for garbage collection, in addition to the default namespace defined for the cloud. One namespace per line. | `""` |
| [agent.garbageCollection.timeout](./values.yaml#L1125) | int | Timeout value for orphaned pods | `300` |
| [agent.hostNetworking](./values.yaml#L979) | bool | Enables the agent to use the host network | `false` |
| [agent.idleMinutes](./values.yaml#L1128) | int | Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it | `0` |
| [agent.image.repository](./values.yaml#L958) | string | Repository to pull the agent jnlp image from | `"jenkins/inbound-agent"` |
| [agent.image.tag](./values.yaml#L960) | string | Tag of the image to pull | `"3309.v27b_9314fd1a_4-2"` |
| [agent.imagePullSecretName](./values.yaml#L967) | string | Name of the secret to be used to pull the image | `nil` |
| [agent.inheritYamlMergeStrategy](./values.yaml#L1147) | bool | Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one | `false` |
| [agent.instanceCap](./values.yaml#L1111) | int | Max number of agents to launch for this type of agent | `2147483647` |
| [agent.jenkinsTunnel](./values.yaml#L935) | string | Overrides the Kubernetes Jenkins tunnel | `nil` |
| [agent.jenkinsUrl](./values.yaml#L931) | string | Overrides the Kubernetes Jenkins URL | `nil` |
| [agent.jnlpregistry](./values.yaml#L955) | string | Custom registry used to pull the agent jnlp image from | `nil` |
| [agent.kubernetesConnectTimeout](./values.yaml#L941) | int | The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 | `5` |
| [agent.kubernetesReadTimeout](./values.yaml#L943) | int | The read timeout in seconds for connections to Kubernetes API. The minimum value is 15 | `15` |
| [agent.livenessProbe](./values.yaml#L990) | object | | `{}` |
| [agent.maxRequestsPerHostStr](./values.yaml#L945) | string | The maximum concurrent connections to Kubernetes API | `"32"` |
| [agent.namespace](./values.yaml#L951) | string | Namespace in which the Kubernetes agents should be launched | `nil` |
| [agent.nodeSelector](./values.yaml#L1093) | object | Node labels for pod assignment | `{}` |
| [agent.nodeUsageMode](./values.yaml#L963) | string | | `"NORMAL"` |
| [agent.podLabels](./values.yaml#L953) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` |
| [agent.podName](./values.yaml#L1113) | string | Agent Pod base name | `"default"` |
| [agent.podRetention](./values.yaml#L1009) | string | | `"Never"` |
| [agent.podTemplates](./values.yaml#L1183) | object | Configures extra pod templates for the default kubernetes cloud | `{}` |
| [agent.privileged](./values.yaml#L973) | bool | Agent privileged container | `false` |
| [agent.resources](./values.yaml#L981) | object | Resources allocation (Requests and Limits) | `{"limits":{"cpu":"512m","memory":"512Mi"},"requests":{"cpu":"512m","memory":"512Mi"}}` |
| [agent.restrictedPssSecurityContext](./values.yaml#L1006) | bool | Set a restricted securityContext on jnlp containers | `false` |
| [agent.retentionTimeout](./values.yaml#L947) | int | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | `5` |
| [agent.runAsGroup](./values.yaml#L977) | string | Configure container group | `nil` |
| [agent.runAsUser](./values.yaml#L975) | string | Configure container user | `nil` |
| [agent.secretEnvVars](./values.yaml#L1086) | list | Mount a secret as environment variable | `[]` |
| [agent.serviceAccount](./values.yaml#L927) | string | Override the default service account | `serviceAccountAgent.name` if `agent.useDefaultServiceAccount` is `true` |
| [agent.showRawYaml](./values.yaml#L1013) | bool | | `true` |
| [agent.sideContainerName](./values.yaml#L1103) | string | Side container name | `"jnlp"` |
| [agent.skipTlsVerify](./values.yaml#L937) | bool | Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI | `false` |
| [agent.usageRestricted](./values.yaml#L939) | bool | Enable the possibility to restrict the usage of this agent to specific folder. This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI | `false` |
| [agent.useDefaultServiceAccount](./values.yaml#L923) | bool | Use `serviceAccountAgent.name` as the default value for defaults template `serviceAccount` | `true` |
| [agent.volumes](./values.yaml#L1020) | list | Additional volumes | `[]` |
| [agent.waitForPodSec](./values.yaml#L949) | int | Seconds to wait for pod to be running | `600` |
| [agent.websocket](./values.yaml#L970) | bool | Enables agent communication via websockets | `false` |
| [agent.workingDir](./values.yaml#L962) | string | Configure working directory for default agent | `"/home/jenkins/agent"` |
| [agent.workspaceVolume](./values.yaml#L1055) | object | Workspace volume (defaults to EmptyDir) | `{}` |
| [agent.yamlMergeStrategy](./values.yaml#L1145) | string | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override" | `"override"` |
| [agent.yamlTemplate](./values.yaml#L1134) | string | The raw yaml of a Pod API Object to merge into the agent spec | `""` |
| [awsSecurityGroupPolicies.enabled](./values.yaml#L1360) | bool | | `false` |
| [awsSecurityGroupPolicies.policies[0].name](./values.yaml#L1362) | string | | `""` |
| [awsSecurityGroupPolicies.policies[0].podSelector](./values.yaml#L1364) | object | | `{}` |
| [awsSecurityGroupPolicies.policies[0].securityGroupIds](./values.yaml#L1363) | list | | `[]` |
| [checkDeprecation](./values.yaml#L1357) | bool | Checks if any deprecated values are used | `true` |
| [clusterZone](./values.yaml#L21) | string | Override the cluster name for FQDN resolving | `"cluster.local"` |
| [controller.JCasC.authorizationStrategy](./values.yaml#L543) | string | Jenkins Config as Code Authorization Strategy-section | `"loggedInUsersCanDoAnything:\n allowAnonymousRead: false"` |
| [controller.JCasC.configMapAnnotations](./values.yaml#L548) | object | Annotations for the JCasC ConfigMap | `{}` |
| [controller.JCasC.configScripts](./values.yaml#L517) | object | List of Jenkins Config as Code scripts | `{}` |
| [controller.JCasC.configUrls](./values.yaml#L514) | list | Remote URLs for configuration files. | `[]` |
| [controller.JCasC.defaultConfig](./values.yaml#L508) | bool | Enables default Jenkins configuration via configuration as code plugin | `true` |
| [controller.JCasC.overwriteConfiguration](./values.yaml#L512) | bool | Whether Jenkins Config as Code should overwrite any existing configuration | `false` |
| [controller.JCasC.security](./values.yaml#L524) | object | Jenkins Config as Code security-section | `{"apiToken":{"creationOfLegacyTokenEnabled":false,"tokenGenerationOnCreationEnabled":false,"usageStatisticsEnabled":true}}` |
| [controller.JCasC.securityRealm](./values.yaml#L532) | string | Jenkins Config as Code Security Realm-section | `"local:\n allowsSignup: false\n enableCaptcha: false\n users:\n - id: \"${chart-admin-username}\"\n name: \"Jenkins Admin\"\n password: \"${chart-admin-password}\""` |
| [controller.additionalExistingSecrets](./values.yaml#L469) | list | List of additional existing secrets to mount | `[]` |
| [controller.additionalPlugins](./values.yaml#L419) | list | List of plugins to install in addition to those listed in controller.installPlugins | `[]` |
| [controller.additionalSecrets](./values.yaml#L478) | list | List of additional secrets to create and mount | `[]` |
| [controller.admin.createSecret](./values.yaml#L91) | bool | Create secret for admin user | `true` |
| [controller.admin.existingSecret](./values.yaml#L94) | string | The name of an existing secret containing the admin credentials | `""` |
| [controller.admin.password](./values.yaml#L81) | string | Admin password created as a secret if `controller.admin.createSecret` is true | `<random password>` |
| [controller.admin.passwordKey](./values.yaml#L86) | string | The key in the existing admin secret containing the password | `"jenkins-admin-password"` |
| [controller.admin.userKey](./values.yaml#L84) | string | The key in the existing admin secret containing the username | `"jenkins-admin-user"` |
| [controller.admin.username](./values.yaml#L78) | string | Admin username created as a secret if `controller.admin.createSecret` is true | `"admin"` |
| [controller.affinity](./values.yaml#L670) | object | Affinity settings | `{}` |
| [controller.agentListenerEnabled](./values.yaml#L328) | bool | Create Agent listener service | `true` |
| [controller.agentListenerExternalTrafficPolicy](./values.yaml#L338) | string | Traffic Policy of for the agentListener service | `nil` |
| [controller.agentListenerHostPort](./values.yaml#L332) | string | Host port to listen for agents | `nil` |
| [controller.agentListenerLoadBalancerIP](./values.yaml#L368) | string | Static IP for the agentListener LoadBalancer | `nil` |
| [controller.agentListenerLoadBalancerSourceRanges](./values.yaml#L340) | list | Allowed inbound IP for the agentListener service | `["0.0.0.0/0"]` |
| [controller.agentListenerNodePort](./values.yaml#L334) | string | Node port to listen for agents | `nil` |
| [controller.agentListenerPort](./values.yaml#L330) | int | Listening port for agents | `50000` |
| [controller.agentListenerServiceAnnotations](./values.yaml#L363) | object | Annotations for the agentListener service | `{}` |
| [controller.agentListenerServiceType](./values.yaml#L360) | string | Defines how to expose the agentListener service | `"ClusterIP"` |
| [controller.backendconfig.annotations](./values.yaml#L773) | object | backendconfig annotations | `{}` |
| [controller.backendconfig.apiVersion](./values.yaml#L767) | string | backendconfig API version | `"extensions/v1beta1"` |
| [controller.backendconfig.enabled](./values.yaml#L765) | bool | Enables backendconfig | `false` |
| [controller.backendconfig.labels](./values.yaml#L771) | object | backendconfig labels | `{}` |
| [controller.backendconfig.name](./values.yaml#L769) | string | backendconfig name | `nil` |
| [controller.backendconfig.spec](./values.yaml#L775) | object | backendconfig spec | `{}` |
| [controller.cloudName](./values.yaml#L497) | string | Name of default cloud configuration. | `"kubernetes"` |
| [controller.clusterIp](./values.yaml#L223) | string | k8s service clusterIP. Only used if serviceType is ClusterIP | `nil` |
| [controller.JCasC.authorizationStrategy](./values.yaml#L542) | string | Jenkins Config as Code Authorization Strategy-section | `"loggedInUsersCanDoAnything:\n allowAnonymousRead: false"` |
| [controller.JCasC.configMapAnnotations](./values.yaml#L547) | object | Annotations for the JCasC ConfigMap | `{}` |
| [controller.JCasC.configScripts](./values.yaml#L516) | object | List of Jenkins Config as Code scripts | `{}` |
| [controller.JCasC.configUrls](./values.yaml#L513) | list | Remote URLs for configuration files. | `[]` |
| [controller.JCasC.defaultConfig](./values.yaml#L507) | bool | Enables default Jenkins configuration via configuration as code plugin | `true` |
| [controller.JCasC.overwriteConfiguration](./values.yaml#L511) | bool | Whether Jenkins Config as Code should overwrite any existing configuration | `false` |
| [controller.JCasC.security](./values.yaml#L523) | object | Jenkins Config as Code security-section | `{"apiToken":{"creationOfLegacyTokenEnabled":false,"tokenGenerationOnCreationEnabled":false,"usageStatisticsEnabled":true}}` |
| [controller.JCasC.securityRealm](./values.yaml#L531) | string | Jenkins Config as Code Security Realm-section | `"local:\n allowsSignup: false\n enableCaptcha: false\n users:\n - id: \"${chart-admin-username}\"\n name: \"Jenkins Admin\"\n password: \"${chart-admin-password}\""` |
| [controller.additionalExistingSecrets](./values.yaml#L468) | list | List of additional existing secrets to mount | `[]` |
| [controller.additionalPlugins](./values.yaml#L418) | list | List of plugins to install in addition to those listed in controller.installPlugins | `[]` |
| [controller.additionalSecrets](./values.yaml#L477) | list | List of additional secrets to create and mount | `[]` |
| [controller.admin.createSecret](./values.yaml#L90) | bool | Create secret for admin user | `true` |
| [controller.admin.existingSecret](./values.yaml#L93) | string | The name of an existing secret containing the admin credentials | `""` |
| [controller.admin.password](./values.yaml#L80) | string | Admin password created as a secret if `controller.admin.createSecret` is true | `<random password>` |
| [controller.admin.passwordKey](./values.yaml#L85) | string | The key in the existing admin secret containing the password | `"jenkins-admin-password"` |
| [controller.admin.userKey](./values.yaml#L83) | string | The key in the existing admin secret containing the username | `"jenkins-admin-user"` |
| [controller.admin.username](./values.yaml#L77) | string | Admin username created as a secret if `controller.admin.createSecret` is true | `"admin"` |
| [controller.affinity](./values.yaml#L671) | object | Affinity settings | `{}` |
| [controller.agentListenerEnabled](./values.yaml#L327) | bool | Create Agent listener service | `true` |
| [controller.agentListenerExternalTrafficPolicy](./values.yaml#L337) | string | Traffic Policy of for the agentListener service | `nil` |
| [controller.agentListenerHostPort](./values.yaml#L331) | string | Host port to listen for agents | `nil` |
| [controller.agentListenerLoadBalancerIP](./values.yaml#L367) | string | Static IP for the agentListener LoadBalancer | `nil` |
| [controller.agentListenerLoadBalancerSourceRanges](./values.yaml#L339) | list | Allowed inbound IP for the agentListener service | `["0.0.0.0/0"]` |
| [controller.agentListenerNodePort](./values.yaml#L333) | string | Node port to listen for agents | `nil` |
| [controller.agentListenerPort](./values.yaml#L329) | int | Listening port for agents | `50000` |
| [controller.agentListenerServiceAnnotations](./values.yaml#L362) | object | Annotations for the agentListener service | `{}` |
| [controller.agentListenerServiceType](./values.yaml#L359) | string | Defines how to expose the agentListener service | `"ClusterIP"` |
| [controller.backendconfig.annotations](./values.yaml#L775) | object | backendconfig annotations | `{}` |
| [controller.backendconfig.apiVersion](./values.yaml#L769) | string | backendconfig API version | `"extensions/v1beta1"` |
| [controller.backendconfig.enabled](./values.yaml#L767) | bool | Enables backendconfig | `false` |
| [controller.backendconfig.labels](./values.yaml#L773) | object | backendconfig labels | `{}` |
| [controller.backendconfig.name](./values.yaml#L771) | string | backendconfig name | `nil` |
| [controller.backendconfig.spec](./values.yaml#L777) | object | backendconfig spec | `{}` |
| [controller.cloudName](./values.yaml#L496) | string | Name of default cloud configuration. | `"kubernetes"` |
| [controller.clusterIp](./values.yaml#L222) | string | k8s service clusterIP. Only used if serviceType is ClusterIP | `nil` |
| [controller.componentName](./values.yaml#L34) | string | Used for label app.kubernetes.io/component | `"jenkins-controller"` |
| [controller.containerEnv](./values.yaml#L156) | list | Environment variables for Jenkins Container | `[]` |
| [controller.containerEnvFrom](./values.yaml#L153) | list | Environment variable sources for Jenkins Container | `[]` |
| [controller.containerSecurityContext](./values.yaml#L211) | object | Allow controlling the securityContext for the jenkins container | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsUser":1000}` |
| [controller.csrf.defaultCrumbIssuer.enabled](./values.yaml#L349) | bool | Enable the default CSRF Crumb issuer | `true` |
| [controller.csrf.defaultCrumbIssuer.proxyCompatability](./values.yaml#L351) | bool | Enable proxy compatibility | `true` |
| [controller.customInitContainers](./values.yaml#L551) | list | Custom init-container specification in raw-yaml format | `[]` |
| [controller.containerEnv](./values.yaml#L155) | list | Environment variables for Jenkins Container | `[]` |
| [controller.containerEnvFrom](./values.yaml#L152) | list | Environment variable sources for Jenkins Container | `[]` |
| [controller.containerSecurityContext](./values.yaml#L210) | object | Allow controlling the securityContext for the jenkins container | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsUser":1000}` |
| [controller.csrf.defaultCrumbIssuer.enabled](./values.yaml#L348) | bool | Enable the default CSRF Crumb issuer | `true` |
| [controller.csrf.defaultCrumbIssuer.proxyCompatability](./values.yaml#L350) | bool | Enable proxy compatibility | `true` |
| [controller.customInitContainers](./values.yaml#L550) | list | Custom init-container specification in raw-yaml format | `[]` |
| [controller.customJenkinsLabels](./values.yaml#L68) | list | Append Jenkins labels to the controller | `[]` |
| [controller.disableRememberMe](./values.yaml#L59) | bool | Disable use of remember me | `false` |
| [controller.disabledAgentProtocols](./values.yaml#L343) | list | Disabled agent protocols | `["JNLP-connect","JNLP2-connect"]` |
| [controller.enableRawHtmlMarkupFormatter](./values.yaml#L439) | bool | Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter) | `false` |
| [controller.enableServiceLinks](./values.yaml#L130) | bool | | `false` |
| [controller.disabledAgentProtocols](./values.yaml#L342) | list | Disabled agent protocols | `["JNLP-connect","JNLP2-connect"]` |
| [controller.enableRawHtmlMarkupFormatter](./values.yaml#L438) | bool | Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter) | `false` |
| [controller.enableServiceLinks](./values.yaml#L129) | bool | | `false` |
| [controller.executorMode](./values.yaml#L65) | string | Sets the executor mode of the Jenkins node. Possible values are "NORMAL" or "EXCLUSIVE" | `"NORMAL"` |
| [controller.existingSecret](./values.yaml#L466) | string | | `nil` |
| [controller.extraPorts](./values.yaml#L398) | list | Optionally configure other ports to expose in the controller container | `[]` |
| [controller.fsGroup](./values.yaml#L192) | int | Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume. | `1000` |
| [controller.googlePodMonitor.enabled](./values.yaml#L836) | bool | | `false` |
| [controller.googlePodMonitor.scrapeEndpoint](./values.yaml#L841) | string | | `"/prometheus"` |
| [controller.googlePodMonitor.scrapeInterval](./values.yaml#L839) | string | | `"60s"` |
| [controller.healthProbes](./values.yaml#L258) | bool | Enable Kubernetes Probes configuration configured in `controller.probes` | `true` |
| [controller.hostAliases](./values.yaml#L789) | list | Allows for adding entries to Pod /etc/hosts | `[]` |
| [controller.existingSecret](./values.yaml#L465) | string | | `nil` |
| [controller.extraPorts](./values.yaml#L397) | list | Optionally configure other ports to expose in the controller container | `[]` |
| [controller.fsGroup](./values.yaml#L191) | int | Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume. | `1000` |
| [controller.googlePodMonitor.enabled](./values.yaml#L838) | bool | | `false` |
| [controller.googlePodMonitor.scrapeEndpoint](./values.yaml#L843) | string | | `"/prometheus"` |
| [controller.googlePodMonitor.scrapeInterval](./values.yaml#L841) | string | | `"60s"` |
| [controller.healthProbes](./values.yaml#L257) | bool | Enable Kubernetes Probes configuration configured in `controller.probes` | `true` |
| [controller.hostAliases](./values.yaml#L791) | list | Allows for adding entries to Pod /etc/hosts | `[]` |
| [controller.hostNetworking](./values.yaml#L70) | bool | | `false` |
| [controller.httpsKeyStore.disableSecretMount](./values.yaml#L857) | bool | | `false` |
| [controller.httpsKeyStore.enable](./values.yaml#L848) | bool | Enables HTTPS keystore on jenkins controller | `false` |
| [controller.httpsKeyStore.fileName](./values.yaml#L865) | string | Jenkins keystore filename which will appear under controller.httpsKeyStore.path | `"keystore.jks"` |
| [controller.httpsKeyStore.httpPort](./values.yaml#L861) | int | HTTP Port that Jenkins should listen to along with HTTPS, it also serves as the liveness and readiness probes port. | `8081` |
| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretKey](./values.yaml#L856) | string | Name of the key in the secret that contains the JKS password | `"https-jks-password"` |
| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretName](./values.yaml#L854) | string | Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file | `""` |
| [controller.httpsKeyStore.jenkinsHttpsJksSecretKey](./values.yaml#L852) | string | Name of the key in the secret that already has ssl keystore | `"jenkins-jks-file"` |
| [controller.httpsKeyStore.jenkinsHttpsJksSecretName](./values.yaml#L850) | string | Name of the secret that already has ssl keystore | `""` |
| [controller.httpsKeyStore.jenkinsKeyStoreBase64Encoded](./values.yaml#L870) | string | Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here | `nil` |
| [controller.httpsKeyStore.password](./values.yaml#L867) | string | Jenkins keystore password | `"password"` |
| [controller.httpsKeyStore.path](./values.yaml#L863) | string | Path of HTTPS keystore file | `"/var/jenkins_keystore"` |
| [controller.httpsKeyStore.disableSecretMount](./values.yaml#L859) | bool | | `false` |
| [controller.httpsKeyStore.enable](./values.yaml#L850) | bool | Enables HTTPS keystore on jenkins controller | `false` |
| [controller.httpsKeyStore.fileName](./values.yaml#L867) | string | Jenkins keystore filename which will appear under controller.httpsKeyStore.path | `"keystore.jks"` |
| [controller.httpsKeyStore.httpPort](./values.yaml#L863) | int | HTTP Port that Jenkins should listen to along with HTTPS, it also serves as the liveness and readiness probes port. | `8081` |
| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretKey](./values.yaml#L858) | string | Name of the key in the secret that contains the JKS password | `"https-jks-password"` |
| [controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretName](./values.yaml#L856) | string | Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file | `""` |
| [controller.httpsKeyStore.jenkinsHttpsJksSecretKey](./values.yaml#L854) | string | Name of the key in the secret that already has ssl keystore | `"jenkins-jks-file"` |
| [controller.httpsKeyStore.jenkinsHttpsJksSecretName](./values.yaml#L852) | string | Name of the secret that already has ssl keystore | `""` |
| [controller.httpsKeyStore.jenkinsKeyStoreBase64Encoded](./values.yaml#L872) | string | Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here | `nil` |
| [controller.httpsKeyStore.password](./values.yaml#L869) | string | Jenkins keystore password | `"password"` |
| [controller.httpsKeyStore.path](./values.yaml#L865) | string | Path of HTTPS keystore file | `"/var/jenkins_keystore"` |
| [controller.image.pullPolicy](./values.yaml#L47) | string | Controller image pull policy | `"Always"` |
| [controller.image.registry](./values.yaml#L37) | string | Controller image registry | `"docker.io"` |
| [controller.image.repository](./values.yaml#L39) | string | Controller image repository | `"jenkins/jenkins"` |
| [controller.image.tag](./values.yaml#L42) | string | Controller image tag override; i.e., tag: "2.440.1-jdk17" | `nil` |
| [controller.image.tagLabel](./values.yaml#L45) | string | Controller image tag label | `"jdk17"` |
| [controller.image.tag](./values.yaml#L42) | string | Controller image tag override; i.e., tag: "2.440.1-jdk21" | `nil` |
| [controller.image.tagLabel](./values.yaml#L45) | string | Controller image tag label | `"jdk21"` |
| [controller.imagePullSecretName](./values.yaml#L49) | string | Controller image pull secret | `nil` |
| [controller.ingress.annotations](./values.yaml#L712) | object | Ingress annotations | `{}` |
| [controller.ingress.apiVersion](./values.yaml#L708) | string | Ingress API version | `"extensions/v1beta1"` |
| [controller.ingress.enabled](./values.yaml#L691) | bool | Enables ingress | `false` |
| [controller.ingress.hostName](./values.yaml#L725) | string | Ingress hostname | `nil` |
| [controller.ingress.labels](./values.yaml#L710) | object | Ingress labels | `{}` |
| [controller.ingress.path](./values.yaml#L721) | string | Ingress path | `nil` |
| [controller.ingress.paths](./values.yaml#L695) | list | Override for the default Ingress paths | `[]` |
| [controller.ingress.resourceRootUrl](./values.yaml#L727) | string | Hostname to serve assets from | `nil` |
| [controller.ingress.tls](./values.yaml#L729) | list | Ingress TLS configuration | `[]` |
| [controller.initConfigMap](./values.yaml#L456) | string | Name of the existing ConfigMap that contains init scripts | `nil` |
| [controller.initContainerEnv](./values.yaml#L147) | list | Environment variables for Init Container | `[]` |
| [controller.initContainerEnvFrom](./values.yaml#L143) | list | Environment variable sources for Init Container | `[]` |
| [controller.initContainerResources](./values.yaml#L134) | object | Resources allocation (Requests and Limits) for Init Container | `{}` |
| [controller.initScripts](./values.yaml#L452) | object | Map of groovy init scripts to be executed during Jenkins controller start | `{}` |
| [controller.initializeOnce](./values.yaml#L424) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` |
| [controller.installLatestPlugins](./values.yaml#L413) | bool | Download the minimum required version or latest version of all dependencies | `true` |
| [controller.installLatestSpecifiedPlugins](./values.yaml#L416) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` |
| [controller.installPlugins](./values.yaml#L405) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4314.v5b_846cf499eb_","workflow-aggregator:600.vb_57cdd26fdd7","git:5.7.0","configuration-as-code:1932.v75cb_b_f1b_698d"]` |
| [controller.javaOpts](./values.yaml#L162) | string | Append to `JAVA_OPTS` env var | `nil` |
| [controller.jenkinsAdminEmail](./values.yaml#L96) | string | Email address for the administrator of the Jenkins instance | `nil` |
| [controller.jenkinsHome](./values.yaml#L101) | string | Custom Jenkins home path | `"/var/jenkins_home"` |
| [controller.jenkinsOpts](./values.yaml#L164) | string | Append to `JENKINS_OPTS` env var | `nil` |
| [controller.jenkinsRef](./values.yaml#L106) | string | Custom Jenkins reference path | `"/usr/share/jenkins/ref"` |
| [controller.jenkinsUriPrefix](./values.yaml#L179) | string | Root URI Jenkins will be served on | `nil` |
| [controller.jenkinsUrl](./values.yaml#L174) | string | Set Jenkins URL if you are not using the ingress definitions provided by the chart | `nil` |
| [controller.jenkinsUrlProtocol](./values.yaml#L171) | string | Set protocol for Jenkins URL; `https` if `controller.ingress.tls`, `http` otherwise | `nil` |
| [controller.jenkinsWar](./values.yaml#L109) | string | | `"/usr/share/jenkins/jenkins.war"` |
| [controller.jmxPort](./values.yaml#L395) | string | Open a port, for JMX stats | `nil` |
| [controller.legacyRemotingSecurityEnabled](./values.yaml#L371) | bool | Whether legacy remoting security should be enabled | `false` |
| [controller.ingress.annotations](./values.yaml#L713) | object | Ingress annotations | `{}` |
| [controller.ingress.apiVersion](./values.yaml#L709) | string | Ingress API version | `"extensions/v1beta1"` |
| [controller.ingress.enabled](./values.yaml#L692) | bool | Enables ingress | `false` |
| [controller.ingress.hostName](./values.yaml#L727) | string | Ingress hostname | `nil` |
| [controller.ingress.labels](./values.yaml#L711) | object | Ingress labels | `{}` |
| [controller.ingress.path](./values.yaml#L723) | string | Ingress path | `nil` |
| [controller.ingress.paths](./values.yaml#L696) | list | Override for the default Ingress paths | `[]` |
| [controller.ingress.resourceRootUrl](./values.yaml#L729) | string | Hostname to serve assets from | `nil` |
| [controller.ingress.tls](./values.yaml#L731) | list | Ingress TLS configuration | `[]` |
| [controller.initConfigMap](./values.yaml#L455) | string | Name of the existing ConfigMap that contains init scripts | `nil` |
| [controller.initContainerEnv](./values.yaml#L146) | list | Environment variables for Init Container | `[]` |
| [controller.initContainerEnvFrom](./values.yaml#L142) | list | Environment variable sources for Init Container | `[]` |
| [controller.initContainerResources](./values.yaml#L133) | object | Resources allocation (Requests and Limits) for Init Container | `{}` |
| [controller.initScripts](./values.yaml#L451) | object | Map of groovy init scripts to be executed during Jenkins controller start | `{}` |
| [controller.initializeOnce](./values.yaml#L423) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` |
| [controller.installLatestPlugins](./values.yaml#L412) | bool | Download the minimum required version or latest version of all dependencies | `true` |
| [controller.installLatestSpecifiedPlugins](./values.yaml#L415) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` |
| [controller.installPlugins](./values.yaml#L404) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4340.v345364d31a_2a_","workflow-aggregator:608.v67378e9d3db_1","git:5.7.0","configuration-as-code:1967.va_968e15fd05b_"]` |
| [controller.javaOpts](./values.yaml#L161) | string | Append to `JAVA_OPTS` env var | `nil` |
| [controller.jenkinsAdminEmail](./values.yaml#L95) | string | Email address for the administrator of the Jenkins instance | `nil` |
| [controller.jenkinsHome](./values.yaml#L100) | string | Custom Jenkins home path | `"/var/jenkins_home"` |
| [controller.jenkinsOpts](./values.yaml#L163) | string | Append to `JENKINS_OPTS` env var | `nil` |
| [controller.jenkinsRef](./values.yaml#L105) | string | Custom Jenkins reference path | `"/usr/share/jenkins/ref"` |
| [controller.jenkinsUriPrefix](./values.yaml#L178) | string | Root URI Jenkins will be served on | `nil` |
| [controller.jenkinsUrl](./values.yaml#L173) | string | Set Jenkins URL if you are not using the ingress definitions provided by the chart | `nil` |
| [controller.jenkinsUrlProtocol](./values.yaml#L170) | string | Set protocol for Jenkins URL; `https` if `controller.ingress.tls`, `http` otherwise | `nil` |
| [controller.jenkinsWar](./values.yaml#L108) | string | | `"/usr/share/jenkins/jenkins.war"` |
| [controller.jmxPort](./values.yaml#L394) | string | Open a port, for JMX stats | `nil` |
| [controller.legacyRemotingSecurityEnabled](./values.yaml#L370) | bool | Whether legacy remoting security should be enabled | `false` |
| [controller.lifecycle](./values.yaml#L51) | object | Lifecycle specification for controller-container | `{}` |
| [controller.loadBalancerIP](./values.yaml#L386) | string | Optionally assign a known public LB IP | `nil` |
| [controller.loadBalancerSourceRanges](./values.yaml#L382) | list | Allowed inbound IP addresses | `["0.0.0.0/0"]` |
| [controller.markupFormatter](./values.yaml#L443) | string | Yaml of the markup formatter to use | `"plainText"` |
| [controller.nodePort](./values.yaml#L229) | string | k8s node port. Only used if serviceType is NodePort | `nil` |
| [controller.nodeSelector](./values.yaml#L657) | object | Node labels for pod assignment | `{}` |
| [controller.loadBalancerIP](./values.yaml#L385) | string | Optionally assign a known public LB IP | `nil` |
| [controller.loadBalancerSourceRanges](./values.yaml#L381) | list | Allowed inbound IP addresses | `["0.0.0.0/0"]` |
| [controller.markupFormatter](./values.yaml#L442) | string | Yaml of the markup formatter to use | `"plainText"` |
| [controller.nodePort](./values.yaml#L228) | string | k8s node port. Only used if serviceType is NodePort | `nil` |
| [controller.nodeSelector](./values.yaml#L658) | object | Node labels for pod assignment | `{}` |
| [controller.numExecutors](./values.yaml#L62) | int | Set Number of executors | `0` |
| [controller.overwritePlugins](./values.yaml#L428) | bool | Overwrite installed plugins on start | `false` |
| [controller.overwritePluginsFromImage](./values.yaml#L432) | bool | Overwrite plugins that are already installed in the controller image | `true` |
| [controller.podAnnotations](./values.yaml#L678) | object | Annotations for controller pod | `{}` |
| [controller.podDisruptionBudget.annotations](./values.yaml#L322) | object | | `{}` |
| [controller.podDisruptionBudget.apiVersion](./values.yaml#L320) | string | Policy API version | `"policy/v1beta1"` |
| [controller.podDisruptionBudget.enabled](./values.yaml#L315) | bool | Enable Kubernetes Pod Disruption Budget configuration | `false` |
| [controller.podDisruptionBudget.labels](./values.yaml#L323) | object | | `{}` |
| [controller.podDisruptionBudget.maxUnavailable](./values.yaml#L325) | string | Number of pods that can be unavailable. Either an absolute number or a percentage | `"0"` |
| [controller.podLabels](./values.yaml#L251) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` |
| [controller.podSecurityContextOverride](./values.yaml#L208) | string | Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, `fsGroup`, and `securityContextCapabilities` | `nil` |
| [controller.priorityClassName](./values.yaml#L675) | string | The name of a `priorityClass` to apply to the controller pod | `nil` |
| [controller.probes.livenessProbe.failureThreshold](./values.yaml#L276) | int | Set the failure threshold for the liveness probe | `5` |
| [controller.probes.livenessProbe.httpGet.path](./values.yaml#L279) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
| [controller.probes.livenessProbe.httpGet.port](./values.yaml#L281) | string | Set the Pod's HTTP port to use for the liveness probe | `"http"` |
| [controller.probes.livenessProbe.initialDelaySeconds](./values.yaml#L290) | string | Set the initial delay for the liveness probe in seconds | `nil` |
| [controller.probes.livenessProbe.periodSeconds](./values.yaml#L283) | int | Set the time interval between two liveness probes executions in seconds | `10` |
| [controller.probes.livenessProbe.timeoutSeconds](./values.yaml#L285) | int | Set the timeout for the liveness probe in seconds | `5` |
| [controller.probes.readinessProbe.failureThreshold](./values.yaml#L294) | int | Set the failure threshold for the readiness probe | `3` |
| [controller.probes.readinessProbe.httpGet.path](./values.yaml#L297) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
| [controller.probes.readinessProbe.httpGet.port](./values.yaml#L299) | string | Set the Pod's HTTP port to use for the readiness probe | `"http"` |
| [controller.probes.readinessProbe.initialDelaySeconds](./values.yaml#L308) | string | Set the initial delay for the readiness probe in seconds | `nil` |
| [controller.probes.readinessProbe.periodSeconds](./values.yaml#L301) | int | Set the time interval between two readiness probes executions in seconds | `10` |
| [controller.probes.readinessProbe.timeoutSeconds](./values.yaml#L303) | int | Set the timeout for the readiness probe in seconds | `5` |
| [controller.probes.startupProbe.failureThreshold](./values.yaml#L263) | int | Set the failure threshold for the startup probe | `12` |
| [controller.probes.startupProbe.httpGet.path](./values.yaml#L266) | string | Set the Pod's HTTP path for the startup probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
| [controller.probes.startupProbe.httpGet.port](./values.yaml#L268) | string | Set the Pod's HTTP port to use for the startup probe | `"http"` |
| [controller.probes.startupProbe.periodSeconds](./values.yaml#L270) | int | Set the time interval between two startup probes executions in seconds | `10` |
| [controller.probes.startupProbe.timeoutSeconds](./values.yaml#L272) | int | Set the timeout for the startup probe in seconds | `5` |
| [controller.projectNamingStrategy](./values.yaml#L435) | string | | `"standard"` |
| [controller.prometheus.alertingRulesAdditionalLabels](./values.yaml#L822) | object | Additional labels to add to the PrometheusRule object | `{}` |
| [controller.prometheus.alertingrules](./values.yaml#L820) | list | Array of prometheus alerting rules | `[]` |
| [controller.prometheus.enabled](./values.yaml#L805) | bool | Enables prometheus service monitor | `false` |
| [controller.prometheus.metricRelabelings](./values.yaml#L832) | list | | `[]` |
| [controller.prometheus.prometheusRuleNamespace](./values.yaml#L824) | string | Set a custom namespace where to deploy PrometheusRule resource | `""` |
| [controller.prometheus.relabelings](./values.yaml#L830) | list | | `[]` |
| [controller.prometheus.scrapeEndpoint](./values.yaml#L815) | string | The endpoint prometheus should get metrics from | `"/prometheus"` |
| [controller.prometheus.scrapeInterval](./values.yaml#L811) | string | How often prometheus should scrape metrics | `"60s"` |
| [controller.prometheus.serviceMonitorAdditionalLabels](./values.yaml#L807) | object | Additional labels to add to the service monitor object | `{}` |
| [controller.prometheus.serviceMonitorNamespace](./values.yaml#L809) | string | Set a custom namespace where to deploy ServiceMonitor resource | `nil` |
| [controller.publishNotReadyAddresses](./values.yaml#L237) | string | | `nil` |
| [controller.resources](./values.yaml#L115) | object | Resource allocation (Requests and Limits) | `{"limits":{"cpu":"2000m","memory":"4096Mi"},"requests":{"cpu":"50m","memory":"256Mi"}}` |
| [controller.route.annotations](./values.yaml#L784) | object | Route annotations | `{}` |
| [controller.route.enabled](./values.yaml#L780) | bool | Enables openshift route | `false` |
| [controller.route.labels](./values.yaml#L782) | object | Route labels | `{}` |
| [controller.route.path](./values.yaml#L786) | string | Route path | `nil` |
| [controller.runAsUser](./values.yaml#L189) | int | Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with. | `1000` |
| [controller.schedulerName](./values.yaml#L653) | string | Name of the Kubernetes scheduler to use | `""` |
| [controller.scriptApproval](./values.yaml#L447) | list | List of groovy functions to approve | `[]` |
| [controller.secondaryingress.annotations](./values.yaml#L747) | object | | `{}` |
| [controller.secondaryingress.apiVersion](./values.yaml#L745) | string | | `"extensions/v1beta1"` |
| [controller.secondaryingress.enabled](./values.yaml#L739) | bool | | `false` |
| [controller.secondaryingress.hostName](./values.yaml#L754) | string | | `nil` |
| [controller.secondaryingress.labels](./values.yaml#L746) | object | | `{}` |
| [controller.secondaryingress.paths](./values.yaml#L742) | list | | `[]` |
| [controller.secondaryingress.tls](./values.yaml#L755) | string | | `nil` |
| [controller.secretClaims](./values.yaml#L490) | list | List of `SecretClaim` resources to create | `[]` |
| [controller.securityContextCapabilities](./values.yaml#L198) | object | | `{}` |
| [controller.serviceAnnotations](./values.yaml#L240) | object | Jenkins controller service annotations | `{}` |
| [controller.serviceExternalTrafficPolicy](./values.yaml#L233) | string | | `nil` |
| [controller.serviceLabels](./values.yaml#L246) | object | Labels for the Jenkins controller-service | `{}` |
| [controller.servicePort](./values.yaml#L225) | int | k8s service port | `8080` |
| [controller.serviceType](./values.yaml#L220) | string | k8s service type | `"ClusterIP"` |
| [controller.shareProcessNamespace](./values.yaml#L124) | bool | | `false` |
| [controller.sidecars.additionalSidecarContainers](./values.yaml#L635) | list | Configures additional sidecar container(s) for the Jenkins controller | `[]` |
| [controller.overwritePlugins](./values.yaml#L427) | bool | Overwrite installed plugins on start | `false` |
| [controller.overwritePluginsFromImage](./values.yaml#L431) | bool | Overwrite plugins that are already installed in the controller image | `true` |
| [controller.podAnnotations](./values.yaml#L679) | object | Annotations for controller pod | `{}` |
| [controller.podDisruptionBudget.annotations](./values.yaml#L321) | object | | `{}` |
| [controller.podDisruptionBudget.apiVersion](./values.yaml#L319) | string | Policy API version | `"policy/v1beta1"` |
| [controller.podDisruptionBudget.enabled](./values.yaml#L314) | bool | Enable Kubernetes Pod Disruption Budget configuration | `false` |
| [controller.podDisruptionBudget.labels](./values.yaml#L322) | object | | `{}` |
| [controller.podDisruptionBudget.maxUnavailable](./values.yaml#L324) | string | Number of pods that can be unavailable. Either an absolute number or a percentage | `"0"` |
| [controller.podLabels](./values.yaml#L250) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` |
| [controller.podSecurityContextOverride](./values.yaml#L207) | string | Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, `fsGroup`, and `securityContextCapabilities` | `nil` |
| [controller.priorityClassName](./values.yaml#L676) | string | The name of a `priorityClass` to apply to the controller pod | `nil` |
| [controller.probes.livenessProbe.failureThreshold](./values.yaml#L275) | int | Set the failure threshold for the liveness probe | `5` |
| [controller.probes.livenessProbe.httpGet.path](./values.yaml#L278) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
| [controller.probes.livenessProbe.httpGet.port](./values.yaml#L280) | string | Set the Pod's HTTP port to use for the liveness probe | `"http"` |
| [controller.probes.livenessProbe.initialDelaySeconds](./values.yaml#L289) | string | Set the initial delay for the liveness probe in seconds | `nil` |
| [controller.probes.livenessProbe.periodSeconds](./values.yaml#L282) | int | Set the time interval between two liveness probes executions in seconds | `10` |
| [controller.probes.livenessProbe.timeoutSeconds](./values.yaml#L284) | int | Set the timeout for the liveness probe in seconds | `5` |
| [controller.probes.readinessProbe.failureThreshold](./values.yaml#L293) | int | Set the failure threshold for the readiness probe | `3` |
| [controller.probes.readinessProbe.httpGet.path](./values.yaml#L296) | string | Set the Pod's HTTP path for the liveness probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
| [controller.probes.readinessProbe.httpGet.port](./values.yaml#L298) | string | Set the Pod's HTTP port to use for the readiness probe | `"http"` |
| [controller.probes.readinessProbe.initialDelaySeconds](./values.yaml#L307) | string | Set the initial delay for the readiness probe in seconds | `nil` |
| [controller.probes.readinessProbe.periodSeconds](./values.yaml#L300) | int | Set the time interval between two readiness probes executions in seconds | `10` |
| [controller.probes.readinessProbe.timeoutSeconds](./values.yaml#L302) | int | Set the timeout for the readiness probe in seconds | `5` |
| [controller.probes.startupProbe.failureThreshold](./values.yaml#L262) | int | Set the failure threshold for the startup probe | `12` |
| [controller.probes.startupProbe.httpGet.path](./values.yaml#L265) | string | Set the Pod's HTTP path for the startup probe | `"{{ default \"\" .Values.controller.jenkinsUriPrefix }}/login"` |
| [controller.probes.startupProbe.httpGet.port](./values.yaml#L267) | string | Set the Pod's HTTP port to use for the startup probe | `"http"` |
| [controller.probes.startupProbe.periodSeconds](./values.yaml#L269) | int | Set the time interval between two startup probes executions in seconds | `10` |
| [controller.probes.startupProbe.timeoutSeconds](./values.yaml#L271) | int | Set the timeout for the startup probe in seconds | `5` |
| [controller.projectNamingStrategy](./values.yaml#L434) | string | | `"standard"` |
| [controller.prometheus.alertingRulesAdditionalLabels](./values.yaml#L824) | object | Additional labels to add to the PrometheusRule object | `{}` |
| [controller.prometheus.alertingrules](./values.yaml#L822) | list | Array of prometheus alerting rules | `[]` |
| [controller.prometheus.enabled](./values.yaml#L807) | bool | Enables prometheus service monitor | `false` |
| [controller.prometheus.metricRelabelings](./values.yaml#L834) | list | | `[]` |
| [controller.prometheus.prometheusRuleNamespace](./values.yaml#L826) | string | Set a custom namespace where to deploy PrometheusRule resource | `""` |
| [controller.prometheus.relabelings](./values.yaml#L832) | list | | `[]` |
| [controller.prometheus.scrapeEndpoint](./values.yaml#L817) | string | The endpoint prometheus should get metrics from | `"/prometheus"` |
| [controller.prometheus.scrapeInterval](./values.yaml#L813) | string | How often prometheus should scrape metrics | `"60s"` |
| [controller.prometheus.serviceMonitorAdditionalLabels](./values.yaml#L809) | object | Additional labels to add to the service monitor object | `{}` |
| [controller.prometheus.serviceMonitorNamespace](./values.yaml#L811) | string | Set a custom namespace where to deploy ServiceMonitor resource | `nil` |
| [controller.publishNotReadyAddresses](./values.yaml#L236) | string | | `nil` |
| [controller.resources](./values.yaml#L114) | object | Resource allocation (Requests and Limits) | `{"limits":{"cpu":"2000m","memory":"4096Mi"},"requests":{"cpu":"50m","memory":"256Mi"}}` |
| [controller.route.annotations](./values.yaml#L786) | object | Route annotations | `{}` |
| [controller.route.enabled](./values.yaml#L782) | bool | Enables openshift route | `false` |
| [controller.route.labels](./values.yaml#L784) | object | Route labels | `{}` |
| [controller.route.path](./values.yaml#L788) | string | Route path | `nil` |
| [controller.runAsUser](./values.yaml#L188) | int | Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with. | `1000` |
| [controller.schedulerName](./values.yaml#L654) | string | Name of the Kubernetes scheduler to use | `""` |
| [controller.scriptApproval](./values.yaml#L446) | list | List of groovy functions to approve | `[]` |
| [controller.secondaryingress.annotations](./values.yaml#L749) | object | | `{}` |
| [controller.secondaryingress.apiVersion](./values.yaml#L747) | string | | `"extensions/v1beta1"` |
| [controller.secondaryingress.enabled](./values.yaml#L741) | bool | | `false` |
| [controller.secondaryingress.hostName](./values.yaml#L756) | string | | `nil` |
| [controller.secondaryingress.labels](./values.yaml#L748) | object | | `{}` |
| [controller.secondaryingress.paths](./values.yaml#L744) | list | | `[]` |
| [controller.secondaryingress.tls](./values.yaml#L757) | string | | `nil` |
| [controller.secretClaims](./values.yaml#L489) | list | List of `SecretClaim` resources to create | `[]` |
| [controller.securityContextCapabilities](./values.yaml#L197) | object | | `{}` |
| [controller.serviceAnnotations](./values.yaml#L239) | object | Jenkins controller service annotations | `{}` |
| [controller.serviceExternalTrafficPolicy](./values.yaml#L232) | string | | `nil` |
| [controller.serviceLabels](./values.yaml#L245) | object | Labels for the Jenkins controller-service | `{}` |
| [controller.servicePort](./values.yaml#L224) | int | k8s service port | `8080` |
| [controller.serviceType](./values.yaml#L219) | string | k8s service type | `"ClusterIP"` |
| [controller.shareProcessNamespace](./values.yaml#L123) | bool | | `false` |
| [controller.sidecars.additionalSidecarContainers](./values.yaml#L636) | list | Configures additional sidecar container(s) for the Jenkins controller | `[]` |
| [controller.sidecars.configAutoReload.additionalVolumeMounts](./values.yaml#L581) | list | Enables additional volume mounts for the config auto-reload container | `[]` |
| [controller.sidecars.configAutoReload.containerSecurityContext](./values.yaml#L630) | object | Enable container security context | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true}` |
| [controller.sidecars.configAutoReload.enabled](./values.yaml#L564) | bool | Enables Jenkins Config as Code auto-reload | `true` |
| [controller.sidecars.configAutoReload.env](./values.yaml#L612) | object | Environment variables for the Jenkins Config as Code auto-reload container | `{}` |
| [controller.sidecars.configAutoReload.envFrom](./values.yaml#L610) | list | Environment variable sources for the Jenkins Config as Code auto-reload container | `[]` |
| [controller.sidecars.configAutoReload.folder](./values.yaml#L623) | string | | `"/var/jenkins_home/casc_configs"` |
| [controller.sidecars.configAutoReload.image.registry](./values.yaml#L567) | string | Registry for the image that triggers the reload | `"docker.io"` |
| [controller.sidecars.configAutoReload.image.repository](./values.yaml#L569) | string | Repository of the image that triggers the reload | `"kiwigrid/k8s-sidecar"` |
| [controller.sidecars.configAutoReload.image.tag](./values.yaml#L571) | string | Tag for the image that triggers the reload | `"1.30.1"` |
| [controller.sidecars.configAutoReload.imagePullPolicy](./values.yaml#L572) | string | | `"IfNotPresent"` |
| [controller.sidecars.configAutoReload.logging](./values.yaml#L587) | object | Config auto-reload logging settings | `{"configuration":{"backupCount":3,"formatter":"JSON","logLevel":"INFO","logToConsole":true,"logToFile":false,"maxBytes":1024,"override":false}}` |
| [controller.sidecars.configAutoReload.logging.configuration.override](./values.yaml#L591) | bool | Enables custom log config utilizing using the settings below. | `false` |
| [controller.sidecars.configAutoReload.reqRetryConnect](./values.yaml#L605) | int | How many connection-related errors to retry on | `10` |
| [controller.sidecars.configAutoReload.resources](./values.yaml#L573) | object | | `{}` |
| [controller.sidecars.configAutoReload.scheme](./values.yaml#L600) | string | The scheme to use when connecting to the Jenkins configuration as code endpoint | `"http"` |
| [controller.sidecars.configAutoReload.skipTlsVerify](./values.yaml#L602) | bool | Skip TLS verification when connecting to the Jenkins configuration as code endpoint | `false` |
| [controller.sidecars.configAutoReload.sleepTime](./values.yaml#L607) | string | How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar) | `nil` |
| [controller.sidecars.configAutoReload.sshTcpPort](./values.yaml#L621) | int | | `1044` |
| [controller.statefulSetAnnotations](./values.yaml#L680) | object | Annotations for controller StatefulSet | `{}` |
| [controller.statefulSetLabels](./values.yaml#L242) | object | Jenkins controller custom labels for the StatefulSet | `{}` |
| [controller.targetPort](./values.yaml#L227) | int | k8s target port | `8080` |
| [controller.terminationGracePeriodSeconds](./values.yaml#L663) | string | Set TerminationGracePeriodSeconds | `nil` |
| [controller.terminationMessagePath](./values.yaml#L665) | string | Set the termination message path | `nil` |
| [controller.terminationMessagePolicy](./values.yaml#L667) | string | Set the termination message policy | `nil` |
| [controller.testEnabled](./values.yaml#L844) | bool | Can be used to disable rendering controller test resources when using helm template | `true` |
| [controller.tolerations](./values.yaml#L661) | list | Toleration labels for pod assignment | `[]` |
| [controller.topologySpreadConstraints](./values.yaml#L687) | object | Topology spread constraints | `{}` |
| [controller.updateStrategy](./values.yaml#L684) | object | Update strategy for StatefulSet | `{}` |
| [controller.usePodSecurityContext](./values.yaml#L182) | bool | Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) | `true` |
| [controller.sidecars.configAutoReload.containerSecurityContext](./values.yaml#L631) | object | Enable container security context | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true}` |
| [controller.sidecars.configAutoReload.enabled](./values.yaml#L563) | bool | Enable Jenkins Config as Code auto-reload | `true` |
| [controller.sidecars.configAutoReload.env](./values.yaml#L613) | list | Environment variables for the Jenkins Config as Code auto-reload container | `[]` |
| [controller.sidecars.configAutoReload.envFrom](./values.yaml#L611) | list | Environment variable sources for the Jenkins Config as Code auto-reload container | `[]` |
| [controller.sidecars.configAutoReload.folder](./values.yaml#L624) | string | | `"/var/jenkins_home/casc_configs"` |
| [controller.sidecars.configAutoReload.image.registry](./values.yaml#L566) | string | Registry for the image that triggers the reload | `"docker.io"` |
| [controller.sidecars.configAutoReload.image.repository](./values.yaml#L568) | string | Repository of the image that triggers the reload | `"kiwigrid/k8s-sidecar"` |
| [controller.sidecars.configAutoReload.image.tag](./values.yaml#L570) | string | Tag for the image that triggers the reload | `"1.30.3"` |
| [controller.sidecars.configAutoReload.imagePullPolicy](./values.yaml#L571) | string | | `"IfNotPresent"` |
| [controller.sidecars.configAutoReload.logging](./values.yaml#L588) | object | Config auto-reload logging settings | `{"configuration":{"backupCount":3,"formatter":"JSON","logLevel":"INFO","logToConsole":true,"logToFile":false,"maxBytes":1024,"override":false}}` |
| [controller.sidecars.configAutoReload.logging.configuration.override](./values.yaml#L592) | bool | Enables custom log config utilizing using the settings below. | `false` |
| [controller.sidecars.configAutoReload.reqRetryConnect](./values.yaml#L606) | int | How many connection-related errors to retry on | `10` |
| [controller.sidecars.configAutoReload.resources](./values.yaml#L572) | object | | `{}` |
| [controller.sidecars.configAutoReload.scheme](./values.yaml#L601) | string | The scheme to use when connecting to the Jenkins configuration as code endpoint | `"http"` |
| [controller.sidecars.configAutoReload.skipTlsVerify](./values.yaml#L603) | bool | Skip TLS verification when connecting to the Jenkins configuration as code endpoint | `false` |
| [controller.sidecars.configAutoReload.sleepTime](./values.yaml#L608) | string | How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar) | `nil` |
| [controller.sidecars.configAutoReload.sshTcpPort](./values.yaml#L622) | int | | `1044` |
| [controller.statefulSetAnnotations](./values.yaml#L681) | object | Annotations for controller StatefulSet | `{}` |
| [controller.statefulSetLabels](./values.yaml#L241) | object | Jenkins controller custom labels for the StatefulSet | `{}` |
| [controller.targetPort](./values.yaml#L226) | int | k8s target port | `8080` |
| [controller.terminationGracePeriodSeconds](./values.yaml#L664) | string | Set TerminationGracePeriodSeconds | `nil` |
| [controller.terminationMessagePath](./values.yaml#L666) | string | Set the termination message path | `nil` |
| [controller.terminationMessagePolicy](./values.yaml#L668) | string | Set the termination message policy | `nil` |
| [controller.testEnabled](./values.yaml#L846) | bool | Can be used to disable rendering controller test resources when using helm template | `true` |
| [controller.tolerations](./values.yaml#L662) | list | Toleration labels for pod assignment | `[]` |
| [controller.topologySpreadConstraints](./values.yaml#L688) | object | Topology spread constraints | `{}` |
| [controller.updateStrategy](./values.yaml#L685) | object | Update strategy for StatefulSet | `{}` |
| [controller.usePodSecurityContext](./values.yaml#L181) | bool | Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) | `true` |
| [credentialsId](./values.yaml#L27) | string | The Jenkins credentials to access the Kubernetes API server. For the default cluster it is not needed. | `nil` |
| [fullnameOverride](./values.yaml#L13) | string | Override the full resource names | `jenkins-(release-name)` or `jenkins` if the release-name is `jenkins` |
| [helmtest.bats.image.registry](./values.yaml#L1369) | string | Registry of the image used to test the framework | `"docker.io"` |
| [helmtest.bats.image.repository](./values.yaml#L1371) | string | Repository of the image used to test the framework | `"bats/bats"` |
| [helmtest.bats.image.tag](./values.yaml#L1373) | string | Tag of the image to test the framework | `"1.11.1"` |
| [helmtest.bats.image.registry](./values.yaml#L1373) | string | Registry of the image used to test the framework | `"docker.io"` |
| [helmtest.bats.image.repository](./values.yaml#L1375) | string | Repository of the image used to test the framework | `"bats/bats"` |
| [helmtest.bats.image.tag](./values.yaml#L1377) | string | Tag of the image to test the framework | `"1.12.0"` |
| [kubernetesURL](./values.yaml#L24) | string | The URL of the Kubernetes API server | `"https://kubernetes.default"` |
| [nameOverride](./values.yaml#L10) | string | Override the resource name prefix | `Chart.Name` |
| [namespaceOverride](./values.yaml#L16) | string | Override the deployment namespace | `Release.Namespace` |
| [networkPolicy.apiVersion](./values.yaml#L1293) | string | NetworkPolicy ApiVersion | `"networking.k8s.io/v1"` |
| [networkPolicy.enabled](./values.yaml#L1288) | bool | Enable the creation of NetworkPolicy resources | `false` |
| [networkPolicy.externalAgents.except](./values.yaml#L1307) | list | A list of IP sub-ranges to be excluded from the allowlisted IP range | `[]` |
| [networkPolicy.externalAgents.ipCIDR](./values.yaml#L1305) | string | The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 | `nil` |
| [networkPolicy.internalAgents.allowed](./values.yaml#L1297) | bool | Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels | `true` |
| [networkPolicy.internalAgents.namespaceLabels](./values.yaml#L1301) | object | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller | `{}` |
| [networkPolicy.internalAgents.podLabels](./values.yaml#L1299) | object | A map of labels (keys/values) that agent pods must have to be able to connect to controller | `{}` |
| [persistence.accessMode](./values.yaml#L1263) | string | The PVC access mode | `"ReadWriteOnce"` |
| [persistence.annotations](./values.yaml#L1259) | object | Annotations for the PVC | `{}` |
| [persistence.dataSource](./values.yaml#L1269) | object | Existing data source to clone PVC from | `{}` |
| [persistence.enabled](./values.yaml#L1243) | bool | Enable the use of a Jenkins PVC | `true` |
| [persistence.existingClaim](./values.yaml#L1249) | string | Provide the name of a PVC | `nil` |
| [persistence.labels](./values.yaml#L1261) | object | Labels for the PVC | `{}` |
| [persistence.mounts](./values.yaml#L1281) | list | Additional mounts | `[]` |
| [persistence.size](./values.yaml#L1265) | string | The size of the PVC | `"8Gi"` |
| [persistence.storageClass](./values.yaml#L1257) | string | Storage class for the PVC | `nil` |
| [persistence.subPath](./values.yaml#L1274) | string | SubPath for jenkins-home mount | `nil` |
| [persistence.volumes](./values.yaml#L1276) | list | Additional volumes | `[]` |
| [rbac.create](./values.yaml#L1313) | bool | Whether RBAC resources are created | `true` |
| [rbac.readSecrets](./values.yaml#L1315) | bool | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` |
| [rbac.useOpenShiftNonRootSCC](./values.yaml#L1317) | bool | Whether the Jenkins service account should be able to use the OpenShift "nonroot" Security Context Constraints | `false` |
| [networkPolicy.apiVersion](./values.yaml#L1296) | string | NetworkPolicy ApiVersion | `"networking.k8s.io/v1"` |
| [networkPolicy.enabled](./values.yaml#L1291) | bool | Enable the creation of NetworkPolicy resources | `false` |
| [networkPolicy.externalAgents.except](./values.yaml#L1311) | list | A list of IP sub-ranges to be excluded from the allowlisted IP range | `[]` |
| [networkPolicy.externalAgents.ipCIDR](./values.yaml#L1309) | string | The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 | `nil` |
| [networkPolicy.internalAgents.allowed](./values.yaml#L1300) | bool | Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels | `true` |
| [networkPolicy.internalAgents.namespaceLabels](./values.yaml#L1304) | object | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller | `{}` |
| [networkPolicy.internalAgents.podLabels](./values.yaml#L1302) | object | A map of labels (keys/values) that agent pods must have to be able to connect to controller | `{}` |
| [persistence.accessMode](./values.yaml#L1266) | string | The PVC access mode | `"ReadWriteOnce"` |
| [persistence.annotations](./values.yaml#L1262) | object | Annotations for the PVC | `{}` |
| [persistence.dataSource](./values.yaml#L1272) | object | Existing data source to clone PVC from | `{}` |
| [persistence.enabled](./values.yaml#L1246) | bool | Enable the use of a Jenkins PVC | `true` |
| [persistence.existingClaim](./values.yaml#L1252) | string | Provide the name of a PVC | `nil` |
| [persistence.labels](./values.yaml#L1264) | object | Labels for the PVC | `{}` |
| [persistence.mounts](./values.yaml#L1284) | list | Additional mounts | `[]` |
| [persistence.size](./values.yaml#L1268) | string | The size of the PVC | `"8Gi"` |
| [persistence.storageClass](./values.yaml#L1260) | string | Storage class for the PVC | `nil` |
| [persistence.subPath](./values.yaml#L1277) | string | SubPath for jenkins-home mount | `nil` |
| [persistence.volumes](./values.yaml#L1279) | list | Additional volumes | `[]` |
| [rbac.create](./values.yaml#L1318) | bool | Whether RBAC resources are created | `true` |
| [rbac.readSecrets](./values.yaml#L1320) | bool | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` |
| [rbac.useOpenShiftNonRootSCC](./values.yaml#L1322) | bool | Whether the Jenkins service account should be able to use the OpenShift "nonroot" Security Context Constraints | `false` |
| [renderHelmLabels](./values.yaml#L30) | bool | Enables rendering of the helm.sh/chart label to the annotations | `true` |
| [serviceAccount.annotations](./values.yaml#L1327) | object | Configures annotations for the ServiceAccount | `{}` |
| [serviceAccount.automountServiceAccountToken](./values.yaml#L1333) | bool | Auto-mount ServiceAccount token | `true` |
| [serviceAccount.create](./values.yaml#L1321) | bool | Configures if a ServiceAccount with this name should be created | `true` |
| [serviceAccount.extraLabels](./values.yaml#L1329) | object | Configures extra labels for the ServiceAccount | `{}` |
| [serviceAccount.imagePullSecretName](./values.yaml#L1331) | string | Controller ServiceAccount image pull secret | `nil` |
| [serviceAccount.name](./values.yaml#L1325) | string | | `nil` |
| [serviceAccountAgent.annotations](./values.yaml#L1344) | object | Configures annotations for the agent ServiceAccount | `{}` |
| [serviceAccountAgent.automountServiceAccountToken](./values.yaml#L1350) | bool | Auto-mount ServiceAccount token | `true` |
| [serviceAccountAgent.create](./values.yaml#L1338) | bool | Configures if an agent ServiceAccount should be created | `false` |
| [serviceAccountAgent.extraLabels](./values.yaml#L1346) | object | Configures extra labels for the agent ServiceAccount | `{}` |
| [serviceAccountAgent.imagePullSecretName](./values.yaml#L1348) | string | Agent ServiceAccount image pull secret | `nil` |
| [serviceAccountAgent.name](./values.yaml#L1342) | string | The name of the agent ServiceAccount to be used by access-controlled resources | `nil` |
| [serviceAccount.annotations](./values.yaml#L1332) | object | Configures annotations for the ServiceAccount | `{}` |
| [serviceAccount.automountServiceAccountToken](./values.yaml#L1338) | bool | Auto-mount ServiceAccount token | `true` |
| [serviceAccount.create](./values.yaml#L1326) | bool | Configures if a ServiceAccount with this name should be created | `true` |
| [serviceAccount.extraLabels](./values.yaml#L1334) | object | Configures extra labels for the ServiceAccount | `{}` |
| [serviceAccount.imagePullSecretName](./values.yaml#L1336) | string | Controller ServiceAccount image pull secret | `nil` |
| [serviceAccount.name](./values.yaml#L1330) | string | | `nil` |
| [serviceAccountAgent.annotations](./values.yaml#L1348) | object | Configures annotations for the agent ServiceAccount | `{}` |
| [serviceAccountAgent.automountServiceAccountToken](./values.yaml#L1354) | bool | Auto-mount ServiceAccount token | `true` |
| [serviceAccountAgent.create](./values.yaml#L1342) | bool | Configures if an agent ServiceAccount should be created | `false` |
| [serviceAccountAgent.extraLabels](./values.yaml#L1350) | object | Configures extra labels for the agent ServiceAccount | `{}` |
| [serviceAccountAgent.imagePullSecretName](./values.yaml#L1352) | string | Agent ServiceAccount image pull secret | `nil` |
| [serviceAccountAgent.name](./values.yaml#L1346) | string | The name of the agent ServiceAccount to be used by access-controlled resources | `nil` |

10
charts/kubezero-ci/charts/jenkins/templates/_helpers.tpl
View File

@ -234,6 +234,14 @@ jenkins:
{{- with $newRoot}}
- kubernetes:
containerCapStr: "{{ .Values.agent.containerCap }}"
{{- if .Values.agent.garbageCollection.enabled }}
garbageCollection:
{{- if .Values.agent.garbageCollection.namespaces }}
namespaces: |-
{{- .Values.agent.garbageCollection.namespaces | nindent 10 }}
{{- end }}
timeout: "{{ .Values.agent.garbageCollection.timeout }}"
{{- end }}
{{- if .Values.agent.jnlpregistry }}
jnlpregistry: "{{ .Values.agent.jnlpregistry }}"
{{- end }}
@ -463,7 +471,7 @@ Returns kubernetes pod template configuration as code
{{- end }}
{{- end }}
idleMinutes: {{ .Values.agent.idleMinutes }}
instanceCap: 2147483647
instanceCap: {{ int .Values.agent.instanceCap }}
{{- if .Values.agent.hostNetworking }}
hostNetwork: {{ .Values.agent.hostNetworking }}
{{- end }}

58
charts/kubezero-ci/charts/jenkins/values.yaml
View File

@ -38,11 +38,11 @@ controller:
# -- Controller image repository
repository: "jenkins/jenkins"
# -- Controller image tag override; i.e., tag: "2.440.1-jdk17"
# -- Controller image tag override; i.e., tag: "2.440.1-jdk21"
tag:
# -- Controller image tag label
tagLabel: jdk17
tagLabel: jdk21
# -- Controller image pull policy
pullPolicy: "Always"
# -- Controller image pull secret
@ -73,7 +73,6 @@ controller:
# If you disable the non-Jenkins identity store and instead use the Jenkins internal one,
# you should revert controller.admin.username to your preferred admin user:
admin:
# -- Admin username created as a secret if `controller.admin.createSecret` is true
username: "admin"
# -- Admin password created as a secret if `controller.admin.createSecret` is true
@ -338,7 +337,7 @@ controller:
agentListenerExternalTrafficPolicy:
# -- Allowed inbound IP for the agentListener service
agentListenerLoadBalancerSourceRanges:
- 0.0.0.0/0
- 0.0.0.0/0
# -- Disabled agent protocols
disabledAgentProtocols:
- JNLP-connect
@ -380,7 +379,7 @@ controller:
# set allowed inbound rules on the security group assigned to the controller load balancer
# -- Allowed inbound IP addresses
loadBalancerSourceRanges:
- 0.0.0.0/0
- 0.0.0.0/0
# -- Optionally assign a known public LB IP
loadBalancerIP:
@ -403,10 +402,10 @@ controller:
# Plugins will be installed during Jenkins controller start
# -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false`
installPlugins:
- kubernetes:4314.v5b_846cf499eb_
- workflow-aggregator:600.vb_57cdd26fdd7
- kubernetes:4340.v345364d31a_2a_
- workflow-aggregator:608.v67378e9d3db_1
- git:5.7.0
- configuration-as-code:1932.v75cb_b_f1b_698d
- configuration-as-code:1967.va_968e15fd05b_
# If set to false, Jenkins will download the minimum required version of all dependencies.
# -- Download the minimum required version or latest version of all dependencies
@ -560,7 +559,7 @@ controller:
# If false or not-specified, JCasC changes will cause a reboot and will only be applied at the subsequent start-up.
# Auto-reload uses the http://<jenkins_url>/reload-configuration-as-code endpoint to reapply config when changes to
# the configScripts are detected.
# -- Enables Jenkins Config as Code auto-reload
# -- Enable Jenkins Config as Code auto-reload
enabled: true
image:
# -- Registry for the image that triggers the reload
@ -568,9 +567,10 @@ controller:
# -- Repository of the image that triggers the reload
repository: kiwigrid/k8s-sidecar
# -- Tag for the image that triggers the reload
tag: 1.30.1
tag: 1.30.3
imagePullPolicy: IfNotPresent
resources: {}
resources:
{}
# limits:
# cpu: 100m
# memory: 100Mi
@ -578,7 +578,8 @@ controller:
# cpu: 50m
# memory: 50Mi
# -- Enables additional volume mounts for the config auto-reload container
additionalVolumeMounts: []
additionalVolumeMounts:
[]
# - name: auto-reload-config
# mountPath: /var/config/logger
# - name: auto-reload-logs
@ -609,7 +610,7 @@ controller:
# -- Environment variable sources for the Jenkins Config as Code auto-reload container
envFrom: []
# -- Environment variables for the Jenkins Config as Code auto-reload container
env: {}
env: []
# - name: REQ_TIMEOUT
# value: "30"
@ -709,7 +710,8 @@ controller:
# -- Ingress labels
labels: {}
# -- Ingress annotations
annotations: {}
annotations:
{}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
@ -955,7 +957,7 @@ agent:
# -- Repository to pull the agent jnlp image from
repository: "jenkins/inbound-agent"
# -- Tag of the image to pull
tag: "3283.v92c105e0f819-9"
tag: "3309.v27b_9314fd1a_4-2"
# -- Configure working directory for default agent
workingDir: "/home/jenkins/agent"
nodeUsageMode: "NORMAL"
@ -986,12 +988,12 @@ agent:
memory: "512Mi"
# ephemeralStorage:
livenessProbe: {}
# execArgs: "cat /tmp/healthy"
# failureThreshold: 3
# initialDelaySeconds: 0
# periodSeconds: 10
# successThreshold: 1
# timeoutSeconds: 1
# execArgs: "cat /tmp/healthy"
# failureThreshold: 3
# initialDelaySeconds: 0
# periodSeconds: 10
# successThreshold: 1
# timeoutSeconds: 1
# You may want to change this to true while testing a new image
# -- Always pull agent container image before build
@ -1103,8 +1105,10 @@ agent:
# Doesn't allocate pseudo TTY by default
# -- Allocate pseudo tty to the side container
TTYEnabled: false
# -- Max number of agents to launch
# -- Max number of agents to launch for a whole cluster.
containerCap: 10
# -- Max number of agents to launch for this type of agent
instanceCap: 2147483647
# -- Agent Pod base name
podName: "default"
@ -1123,7 +1127,6 @@ agent:
# -- Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it
idleMinutes: 0
# The raw yaml of a Pod API Object, for example, this allows usage of toleration for agent pods.
# https://github.com/jenkinsci/kubernetes-plugin#using-yaml-to-define-pod-templates
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
@ -1298,13 +1301,15 @@ networkPolicy:
# -- A map of labels (keys/values) that agent pods must have to be able to connect to controller
podLabels: {}
# -- A map of labels (keys/values) that agents namespaces must have to be able to connect to controller
namespaceLabels: {}
namespaceLabels:
{}
# project: myproject
externalAgents:
# -- The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16
ipCIDR:
# -- A list of IP sub-ranges to be excluded from the allowlisted IP range
except: []
except:
[]
# - 172.17.1.0/24
## Install Default RBAC roles and bindings
@ -1332,7 +1337,6 @@ serviceAccount:
# -- Auto-mount ServiceAccount token
automountServiceAccountToken: true
serviceAccountAgent:
# -- Configures if an agent ServiceAccount should be created
create: false
@ -1370,4 +1374,4 @@ helmtest:
# -- Repository of the image used to test the framework
repository: "bats/bats"
# -- Tag of the image to test the framework
tag: "1.11.1"
tag: "1.12.0"

8
charts/kubezero-ci/values.yaml
View File

@ -2,7 +2,7 @@ gitea:
enabled: false
image:
tag: 1.23.5
# tag: 1.23.5
rootless: true
repliaCount: 1
@ -76,7 +76,9 @@ gitea:
ssh.minimum_key_sizes:
RSA: 2047
redis-cluster:
valkey:
enabled: false
valkey-cluster:
enabled: false
postgresql-ha:
enabled: false
@ -188,7 +190,7 @@ jenkins:
agent:
image:
repository: public.ecr.aws/zero-downtime/jenkins-podman
tag: v0.7.0
tag: v0.7.1
#alwaysPullImage: true
podRetention: "Default"
showRawYaml: false

2
docs/kube-bench.yaml
View File

@ -13,7 +13,7 @@ spec:
- command: ["kube-bench"]
#args:
#- "--json"
image: docker.io/aquasec/kube-bench:v0.9.1
image: docker.io/aquasec/kube-bench:v0.10.6
name: kube-bench
volumeMounts:
- name: var-lib-cni