feat: add preconfigured Jenkins to CI module

2022-01-20 00:04:35 +01:00 · 2022-01-20 00:04:35 +01:00 · ec0b6c6ce9
commit ec0b6c6ce9
parent 00ad93a667
12 changed files with 318 additions and 43 deletions
--- a/charts/kubezero-ci/Chart.yaml
+++ b/charts/kubezero-ci/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-ci
 description: KubeZero umbrella chart for all things CI
 type: application
-version: 0.3.0
+version: 0.4.20
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@ -15,19 +15,23 @@ maintainers:
    email: stefan@zero-downtime.net
 dependencies:
  - name: kubezero-lib
-    version: ">= 0.1.4"
+    version: ">= 0.1.5"
    repository: https://cdn.zero-downtime.net/charts/
  - name: gocd
    version: 1.39.4
    repository: https://gocd.github.io/helm-chart
    condition: gocd.enabled
  - name: gitea
-    version: 4.1.1
+    version: 5.0.0
    repository: https://dl.gitea.io/charts/
    condition: gitea.enabled
  - name: jenkins
-    version: 3.9.4
+    version: 3.10.3
    repository: https://charts.jenkins.io
    condition: jenkins.enabled
  - name: trivy
    version: 0.4.9
    repository: https://aquasecurity.github.io/helm-charts/
    condition: trivy.enabled
 kubeVersion: ">= 1.20.0"
--- a/charts/kubezero-ci/README.md
+++ b/charts/kubezero-ci/README.md
@ -1,6 +1,6 @@
 # kubezero-ci
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.4.20](https://img.shields.io/badge/Version-0.4.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 KubeZero umbrella chart for all things CI
@ -10,22 +10,29 @@ KubeZero umbrella chart for all things CI
 | Name | Email | Url |
 | ---- | ------ | --- |
-| Quarky9 |  |  |
+| Stefan Reimer | stefan@zero-downtime.net |  |
 ## Requirements
-Kubernetes: `>= 1.18.0`
+Kubernetes: `>= 1.20.0`
 | Repository | Name | Version |
 |------------|------|---------|
-| https://dl.gitea.io/charts/ | gitea | 4.1.1 |
+| https://aquasecurity.github.io/helm-charts/ | trivy | 0.4.9 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 |
 | https://charts.jenkins.io | jenkins | 3.10.3 |
 | https://dl.gitea.io/charts/ | gitea | 5.0.0 |
 | https://gocd.github.io/helm-chart | gocd | 1.39.4 |
 | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.4 |
 # Jenkins
 # goCD
 # Gitea
 ## OpenSSH 8.8 RSA disabled
 - https://github.com/go-gitea/gitea/issues/17798
 ## Resources   
 ## Values
@ -34,21 +41,22 @@ Kubernetes: `>= 1.18.0`
 |-----|------|---------|-------------|
 | gitea.enabled | bool | `false` |  |
 | gitea.gitea.admin.existingSecret | string | `"gitea-admin-secret"` |  |
 | gitea.gitea.cache.builtIn.enabled | bool | `false` |  |
 | gitea.gitea.config.cache.ADAPTER | string | `"memory"` |  |
 | gitea.gitea.config.database.DB_TYPE | string | `"sqlite3"` |  |
 | gitea.gitea.database.builtIn.mariadb.enabled | bool | `false` |  |
 | gitea.gitea.database.builtIn.mysql.enabled | bool | `false` |  |
 | gitea.gitea.database.builtIn.postgresql.enabled | bool | `false` |  |
 | gitea.gitea.demo | bool | `false` |  |
 | gitea.gitea.metrics.enabled | bool | `false` |  |
 | gitea.gitea.metrics.serviceMonitor.enabled | bool | `false` |  |
 | gitea.image.rootless | bool | `true` |  |
 | gitea.image.tag | string | `"1.15.10"` |  |
 | gitea.istio.enabled | bool | `false` |  |
 | gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` |  |
-| gitea.istio.url | string | `""` |  |
+| gitea.istio.url | string | `"git.example.com"` |  |
 | gitea.mariadb.enabled | bool | `false` |  |
 | gitea.memcached.enabled | bool | `false` |  |
 | gitea.mysql.enabled | bool | `false` |  |
 | gitea.persistence.enabled | bool | `true` |  |
 | gitea.persistence.size | string | `"4Gi"` |  |
 | gitea.postgresql.enabled | bool | `false` |  |
 | gitea.securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | gitea.securityContext.capabilities.add[0] | string | `"SYS_CHROOT"` |  |
 | gitea.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
@ -58,4 +66,57 @@ Kubernetes: `>= 1.18.0`
 | gocd.istio.url | string | `""` |  |
 | gocd.server.ingress.enabled | bool | `false` |  |
 | gocd.server.service.type | string | `"ClusterIP"` |  |
 | jenkins.agent.alwaysPullImage | bool | `true` |  |
 | jenkins.agent.annotations."container.apparmor.security.beta.kubernetes.io/jnlp" | string | `"unconfined"` |  |
 | jenkins.agent.containerCap | int | `4` |  |
 | jenkins.agent.customJenkinsLabels[0] | string | `"podman-aws-trivy"` |  |
 | jenkins.agent.idleMinutes | int | `10` |  |
 | jenkins.agent.image | string | `"public.ecr.aws/zero-downtime/jenkins-podman"` |  |
 | jenkins.agent.podName | string | `"podman-aws"` |  |
 | jenkins.agent.podRetention | string | `"Default"` |  |
 | jenkins.agent.resources.limits.cpu | string | `"1"` |  |
 | jenkins.agent.resources.limits.memory | string | `"2048Mi"` |  |
 | jenkins.agent.resources.requests.cpu | string | `"512m"` |  |
 | jenkins.agent.resources.requests.memory | string | `"512Mi"` |  |
 | jenkins.agent.showRawYaml | bool | `false` |  |
 | jenkins.agent.tag | string | `"v0.2.4-2"` |  |
 | jenkins.agent.yamlMergeStrategy | string | `"merge"` |  |
 | jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n  serviceAccountName: jenkins-podman-aws\n  containers:\n  - name: jnlp\n    resources:\n      limits:\n        github.com/fuse: 1\n    volumeMounts:\n    - name: aws-token\n      mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n      readOnly: true\n  volumes:\n  - name: aws-token\n    projected:\n      sources:\n      - serviceAccountToken:\n          path: token\n          expirationSeconds: 86400\n          audience: \"sts.amazonaws.com\""` |  |
 | jenkins.controller.JCasC.configScripts.zdt-settings | string | `"jenkins:\n  noUsageStatistics: true\n  disabledAdministrativeMonitors:\n  - \"jenkins.security.ResourceDomainRecommendation\"\nunclassified:\n  buildDiscarders:\n    configuredBuildDiscarders:\n    - \"jobBuildDiscarder\"\n    - defaultBuildDiscarder:\n        discarder:\n          logRotator:\n            artifactDaysToKeepStr: \"32\"\n            artifactNumToKeepStr: \"10\"\n            daysToKeepStr: \"100\"\n            numToKeepStr: \"10\"\n"` |  |
 | jenkins.controller.disableRememberMe | bool | `true` |  |
 | jenkins.controller.enableRawHtmlMarkupFormatter | bool | `true` |  |
 | jenkins.controller.initContainerResources.limits.cpu | string | `"1000m"` |  |
 | jenkins.controller.initContainerResources.limits.memory | string | `"1024Mi"` |  |
 | jenkins.controller.initContainerResources.requests.cpu | string | `"50m"` |  |
 | jenkins.controller.initContainerResources.requests.memory | string | `"256Mi"` |  |
 | jenkins.controller.installPlugins[0] | string | `"kubernetes:1.31.3"` |  |
 | jenkins.controller.installPlugins[1] | string | `"workflow-aggregator:2.6"` |  |
 | jenkins.controller.installPlugins[2] | string | `"git:4.10.3"` |  |
 | jenkins.controller.installPlugins[3] | string | `"configuration-as-code:1.55.1"` |  |
 | jenkins.controller.installPlugins[4] | string | `"antisamy-markup-formatter:2.7"` |  |
 | jenkins.controller.installPlugins[5] | string | `"prometheus:2.0.10"` |  |
 | jenkins.controller.installPlugins[6] | string | `"htmlpublisher:1.28"` |  |
 | jenkins.controller.installPlugins[7] | string | `"build-discarder:60.v1747b0eb632a"` |  |
 | jenkins.controller.javaOpts | string | `"-XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` |  |
 | jenkins.controller.prometheus.enabled | bool | `false` |  |
 | jenkins.controller.resources.limits.cpu | string | `"2000m"` |  |
 | jenkins.controller.resources.limits.memory | string | `"4096Mi"` |  |
 | jenkins.controller.resources.requests.cpu | string | `"250m"` |  |
 | jenkins.controller.resources.requests.memory | string | `"1280Mi"` |  |
 | jenkins.controller.tagLabel | string | `"alpine"` |  |
 | jenkins.controller.testEnabled | bool | `false` |  |
 | jenkins.enabled | bool | `false` |  |
 | jenkins.istio.enabled | bool | `false` |  |
 | jenkins.istio.gateway | string | `"istio-ingress/private-ingressgateway"` |  |
 | jenkins.istio.url | string | `"jenkins.example.com"` |  |
 | jenkins.istio.webhook.enabled | bool | `false` |  |
 | jenkins.istio.webhook.gateway | string | `"istio-ingress/ingressgateway"` |  |
 | jenkins.istio.webhook.url | string | `"jenkins-webhook.example.com"` |  |
 | jenkins.persistence.size | string | `"4Gi"` |  |
 | jenkins.serviceAccountAgent.create | bool | `true` |  |
 | jenkins.serviceAccountAgent.name | string | `"jenkins-podman-aws"` |  |
 | trivy.enabled | bool | `false` |  |
 | trivy.persistence.enabled | bool | `true` |  |
 | trivy.persistence.size | string | `"1Gi"` |  |
 | trivy.rbac.create | bool | `false` |  |
 | trivy.rbac.pspEnabled | bool | `false` |  |
--- a/charts/kubezero-ci/README.md.gotmpl
+++ b/charts/kubezero-ci/README.md.gotmpl
@ -17,6 +17,11 @@
 # goCD
 # Gitea
 ## OpenSSH 8.8 RSA disabled
 - https://github.com/go-gitea/gitea/issues/17798
 ## Resources    
 {{ template "chart.valuesSection" . }}
--- a/charts/kubezero-ci/dashboards.yaml
+++ b/charts/kubezero-ci/dashboards.yaml
@ -0,0 +1,9 @@
 configmap: grafana-dashboards
 gzip: true
 condition: '.Values.jenkins.controller.prometheus.enabled'
 folder: KubeZero
 dashboards:
 - name: Jenkins
  url: https://grafana.com/api/dashboards/9964/revisions/1/download
  tags:
  - CI
--- a/charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml
+++ b/charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml
@ -0,0 +1,22 @@
 {{- if and .Values.gitea.enabled .Values.gitea.istio.enabled .Values.gitea.istio.ipBlocks }}
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
  name: {{ .Release.Name }}-deny-not-in-ipblocks
  namespace: istio-system
  labels:
    {{- include "kubezero-lib.labels" $ | nindent 4 }}
 spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notIpBlocks:
        {{- toYaml .Values.gitea.istio.ipBlocks | nindent 8 }}
    when:
    - key: connection.sni
      values: ["{{ .Values.gitea.istio.url }}"]
 {{- end }}
--- a/charts/kubezero-ci/templates/gitea/istio-service.yaml
+++ b/charts/kubezero-ci/templates/gitea/istio-service.yaml
@ -2,10 +2,10 @@
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
-  name: {{ include "kubezero-lib.fullname" . }}
+  name: gitea
  namespace: {{ .Release.Namespace }}
  labels:
-    {{- include "kubezero-lib.labels" . | nindent 4 }}
+    {{- include "kubezero-lib.labels" $ | nindent 4 }}
 spec:
  gateways:
  - {{ .Values.gitea.istio.gateway }}
@ -15,4 +15,10 @@ spec:
  - route:
    - destination:
        host: gitea-http
  tcp:
  - match:
    - port: 22
    route:
    - destination:
        host: gitea-ssh
 {{- end }}
--- a/charts/kubezero-ci/templates/gitea/secrets.yaml
+++ b/charts/kubezero-ci/templates/gitea/secrets.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.gitea.enabled .Values.gitea.demo }}
+{{- if and .Values.gitea.enabled .Values.gitea.gitea.demo }}
 apiVersion: v1
 kind: Secret
 type: Opaque
@ -7,6 +7,6 @@ metadata:
  labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
 data:
-  username: {{ "admin" | b64enc | quote }}
+  username: {{ "demo" | b64enc | quote }}
  password: {{ "secret" | b64enc | quote }}
 {{- end }}
--- a/charts/kubezero-ci/templates/grafana-dashboards.yaml
+++ b/charts/kubezero-ci/templates/grafana-dashboards.yaml
@ -0,0 +1,15 @@
 {{- if .Values.jenkins.controller.prometheus.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "grafana-dashboards" | trunc 63 | trimSuffix "-" }}
  namespace: {{ .Release.Namespace }}
  labels:
    grafana_dashboard: "1"
    {{- include "kubezero-lib.labels" . | nindent 4 }}
  annotations:
    k8s-sidecar-target-directory: KubeZero
 binaryData:
  Jenkins.json.gz:
    H4sIAAAAAAAC/+1dW3OcOBZ+z69gSe1WPNVxgL5P1T44jj2TVJzxxk4eNuWi1KDuZsxtJOHYk8p/H0lAI0D01XZ323pIx0hCl6Oj851PCM6PF5qm27YXxgnB+q/aN3qtaT/4L80JQQBpqv7uwj7//MfZyeXvJ18u9Fae7YMR9Fn+OYoCSKYwwUWmC7GDvJh4UVguor0DBGgXUYIcWBQndzFvyqWZuJIX+8nEC9+7LD+WNJXmf8o6K3SGF/hJf69a6UAR/CvxEJQMNW9/gsAYhKCo3HOlyblofqtm3ECEszH3Do1DK+tES95cDEIqwnpj8VTalJgsNNSlDRnzG5LJ1WuUaFiX5ZrtSgeIvXDiQ0wAqTd5IclraHI2sSAMI3oDLcJmNu2D7nuYzOa56BnNGSWeT96z6sxWkSpISD5yWgaGYOSzfIISKKRPPVeS6jlReBz5EWIVoskIvDJammWa9KfbbWnmgVh1Pv6jYizaf7QjHyJS6kIxoXg6igBy9SzvJ///6kU2F9UF+CEaYe2vBCZQwzGELtZA6GoIEIhb2sktdBISIZp4Azy6rj3fI3ct7VNEa9HYZCS01AcYXntheuOHr2caXUhcXlqCwQQW+bQp7SK7h5X1I6IFEYKHfBw6dD1SEaM+CSHhC3w47HXSFKbtl1HkEy+m6QZP5OoTJr7Pr3wvvOZLOdUCrmqSpe0AZwovvQBGCRFuT/PY9LwFzvUERUnIah8DH8Ny/lfgJ1CehQUN07JJ7tJZNvtWS+vQSTYOh/3SPPMiVrtPy1hDWsZgZQZDSRl2e7eT/qPVHOQTfVXY2EUqK5N1mo4QV8vykMYRCgCTkR5GoWAoJiCZwNnK4kkBuM3FYhqG0PfAC/MMMRlPo+/V9pg2T6kSTSPf/ciwBM8rcQbQNeQCZyPJlb7oI/Lc8wiXezmll32hMtaFjnB9W+nlHbuuVc21zrSK65BAdAP8qjJ5+BP8XpV0WUkz2cUxtXKX6Uo2ZellvSpGJBiKGyZljUQagbdE0B4ty2JVzxJ/tuZXhkA4WVCZVVRWU0SqDQzVzyMqGlxWCZ2JiGecRdxI0oUThtAh0NVLZS5ZyxWJxhEmY4/Nkq79SQ3YG6pdejX3NArJhfc3r7tv/FvIRzC7uZom3tIVb+FyOAPxHPmP6TLjS4R2tCwpko5A//TmqJIRzW6YI0QcUw2n6lJZaWPP98soYg6o4WhTGDHbA2YazEHJeoxZO/WFxGoW63llds2smmG7VEG2VqXLjFsTWk0ShGXBEoAmkMyRG7yN06Yp5Lz6M4UKm06qzeDYpXpvuwniwGc71BaTb2ZwdVCWI5271As8mifHmcXA3AlrmYbQS4/4ubF0IGaOSAqHdU9U5qTwtSAqj1nSHp49X3siBmb6f5dUnHztLdQdXjD3gJ0EIRgSuWMGfA/g4xy7fhQzOwKoZn+5l/ERhhMy5au6lA5lxe8ZkDyuymbJype7vbTdN3sVw99ZzvB3Fth3OIHccRCaBzcTyQLMp6WeQ82nLNULJalNQEqdRtmq54oxm6jaCJlRwBLIgt89l8+5NQ/IljHtMXCgTINiSLUkJGBS96xiViUCrpew9rrl9LrSUaG6EEFuXMbU1yzaxhB5EP9B6QNVEljpPF3ZznWtMkxgHEP3Y2qGy3lLmzjRujGXWzRu5QVeeFyEOqh22uFykdzbOAUO4UvE3NQmCkJgrZ6mgFYCXpb+GU4yRlW54WLqjUn9jsyyMu8/5Rm1IVMtzf150ZXEnymR8JOMqdQVHiDo1tkVjhCpuG9c2e3cgDtJkPi0AzdQr8NYQfdFTn0Lbr2KKRklznU66eJwWbcznWcSkRC5SmkBU2Wr89tVrYt34HaeG1hoDq0aVXy2fGem3AmWEU3eAgxrWpRaoFrx1ATVkusOQrOHuXP9rK2Nu/qkU5CcyHSRp3+EN7NOl7h3FWofm3jWGeM6vFNCXxXxfAjiaS3LPNuKeSrmuRPMk7PFQYf9DDdgnhnpZNV0t8k8q77ZvRJPCen8H3OL0k3XZ8M37w0ES7ZtLzDQhY4XAA4u5sbAmPGlJ4KNnRU3ZftyaOwrZNwmMs4FxO5zAMRBN8NCBmlr42HPyPCwbT4iHL66CewABhG6s/nukU01RnutVVMTDN0D7Y0mK/0L06pD4wH3NGqzekLtZ2Eol0bjtiHfB2bPMccIQi0d27qwbDw7WD6fmQFZZr7cN8Hzl9Zw6HR6qwL4S/O0Zxx3NgRsQwLBNHt0RwRdftoY3FkOg83uQhBWeKvw9h4JqDnICejKaPtycNp++3bweCArQ9MdeASgG60SGjY/BZi/2X/Gx6Z9YQeA1sVOS1Ha50lpn9Be7yIsHSyHpQPFZxW+7hC+brTBaxmNR4vkhxE2R9t8c3cKgU+mNjXTzrWNnQjBPaCoZsuUEdTsUG06pJ3gp79FkfuvBpQ189PZ8yzC3NqP2aRpv75paOCXfeC/y3Pc447Zs45K/FWS1O4P+ta7e6O06wJ28Fyob3HYdwH37SnAVoC91bPAQ4u9U9LL3ikxDo3e6qT4xLBOO511cdq2mcLY9nrsOIk5BAd0ZB6GVA1cvAZWU/yTnazcCo5XqLWw0fwlLh0WUzxZ8WTFk8vA21sSeA0FvAp4FVPemCmHVA3saDxmHbNT5doSPmY8N+SvnGY92o3HsdT8NtFdY9+Qct2HqhkpXQMKn+sRJmvJM0zq8akCrScGWg/3LNWJE9uPwE48QqVMYXAvD1GPz7+oJ6hb2X3N9lVFoDu1jo+NY1nSZjSwNEbFBFc+AWyaDUxQPTNVoLpVULU6bAvWYG/FWBxUzdV3YOtWZwUo3WADtkQD+YcYcPoSzJ7vwZotS8IxL9kRLPZ5Irwbr9/MIZZqF/Z+d2EV/G52+LcJfocKfRX6bhN9+Zf02t3cUhirM1oJC3hYHpuDLkroD04c9iGi9HjwHpxSku/eXiRsEFTa+4GuxpOnsfVDRGzjxjL77LRAm/8oSN3uGeAmSLXUs02Fqds9VNTvsS1i9oGGIffird5a+8SWOWRVDBg9Ng62x2450IJRhKgqrA20u3/E6CgdoYLgXYXgl6dHvY5hKNzd7mHeJuBVh3kV7m4Xd7tsZ6zfzbaTjcP2God5MxuzXbBNGFzSmp8w2n7Jhqjg9uE2k+d/Sl8Cuvf35XwFuPd3iLfx2a36fpNC3O0+uzUY4lKWavFHt53h6nhbd/Mfcfd4DDw/QXCPdo9l77ie0lEo3rpTQKqo6k6cGW5ETlMhp0LOrQeh4Q9e+acPH5mnboCbPDaBjangZe+77BFq5m/MZEHdmCbt+usy6lST+rT+NmK6md1a3VPoTaakbEvSx68KWRWyqpd0NoVZmIUUtdnXdR8caTc8GJzHP+WfAlah4J56KLjBosOu3QbWtUYoOBYx6AhfZgOtBRRaMVIcCzR8EsTkriHv/xBFGwaYQwwXL9KAxir43P4Fn6Mq9QonwfwQmwdvFhZJ3wM5OHjyAeuK4Ne1b+ypcHWPGq5O1xuCwFm7FKyusZd7HKpOuQKNh4UafAFLOQPKGdh5Z8CFY5D4xM6RPnvF0weYpH8XcL/hF/jmYn66GE5n9ei7H8L2nQpe+xjeQICVKyDv5aJHBCpsrdpb34mwtatsrqtQtmpzfQceW/c7G0bsy6PXPnLIvtrmuheyiEILPty4Scja2c74+/A1benp7o2/yMoxwTGZpEEDU2jQMUXEAHyl5jR189KPDlEX/S6Vkku1Ly1JaUQxLP34vT6rl8AgZh5dOJnpKNUrTHIH6mdaygsKHS7WS/T9tZm7evmSoIpWui32qLOHipuzgdi5pRXFrXcF0DMN4aItXphB8XdX+NsUL9qGmCM4pJbwt+mmcr7Kx8CYRBST3D1f2IpYcU+sWGzF6ogXgm3su2J/876UxPd3xK2HPkLRd0pxsumsHLb4VTuHiMN+6EANhK72O98z1Bi1u/EocvHbEg52OnX+70D4Olu1adZNoUQvfv4DNoJhvICTAAA=
 {{- end }}
--- a/charts/kubezero-ci/templates/jenkins/istio-authorization-policy.yaml
+++ b/charts/kubezero-ci/templates/jenkins/istio-authorization-policy.yaml
@ -1,18 +1,22 @@
-{{- if and .Values.jenkins.enabled .Values.jenkins.istio.enabled .Values.jenkins.istio.allowBlocks }}
+{{- if and .Values.jenkins.enabled .Values.jenkins.istio.enabled .Values.jenkins.istio.ipBlocks }}
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
-  name: {{ .Release.Name }}-jenkins-allowlist
+  name: {{ .Release.Name }}-deny-not-in-ipblocks
-  namespace: istio-ingress
+  namespace: istio-system
  labels:
    {{- include "kubezero-lib.labels" $ | nindent 4 }}
 spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
-        ipBlocks: {{ .Values.jenkins.istio.allowBlocks | toYaml | nindent 8 }}
+        notIpBlocks:
-    to:
+        {{- toYaml .Values.jenkins.istio.ipBlocks | nindent 8 }}
-    - operation:
+    when:
-        hosts: [{{ .Values.jenkins.istio.url }}]
+    - key: connection.sni
      values: ["{{ .Values.jenkins.istio.url }}"]
 {{- end }}
--- a/charts/kubezero-ci/templates/jenkins/istio-service.yaml
+++ b/charts/kubezero-ci/templates/jenkins/istio-service.yaml
@ -1,8 +1,8 @@
 {{- if and .Values.jenkins.enabled .Values.jenkins.istio.enabled }}
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
-  name: {{ .Release.Name }}-jenkins
+  name: {{ template "kubezero-lib.fullname" (merge (dict "subchart" "jenkins") .) }}
  namespace: {{ template "jenkins.namespace" . }}
 spec:
  hosts:
@ -12,7 +12,36 @@ spec:
  http:
  - route:
    - destination:
-        host: {{ .Release.Name }}-jenkins
+        host: {{ template "kubezero-lib.fullname" (merge (dict "subchart" "jenkins") .) }}
        port:
          number: 8080
 {{- if .Values.jenkins.istio.webhook.enabled }}
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
  name: {{ template "kubezero-lib.fullname" (merge (dict "subchart" "jenkins") .) }}-webhook
  namespace: {{ template "jenkins.namespace" . }}
 spec:
  hosts:
  - {{ .Values.jenkins.istio.webhook.url }}
  gateways:
  - {{ .Values.jenkins.istio.webhook.gateway }}
  http:
  - route:
    - destination:
        host: {{ template "kubezero-lib.fullname" (merge (dict "subchart" "jenkins") .) }}
        port:
          number: 8080
    match:
    - uri:
        exact: "/bitbucket-scmsource-hook/notify"
      method:
        exact: "POST"
    - uri:
        exact: "/github-webhook/"
      method:
        exact: "POST"
 {{- end }}
 {{- end }}
--- a/charts/kubezero-ci/update.sh
+++ b/charts/kubezero-ci/update.sh
@ -0,0 +1,4 @@
 #!/bin/bash
 # Create ZDT dashboard configmap
 ../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml
--- a/charts/kubezero-ci/values.yaml
+++ b/charts/kubezero-ci/values.yaml
@ -12,10 +12,12 @@ gocd:
    gateway: istio-ingress/private-ingressgateway
    url: "" # gocd.example.com
 gitea:
  enabled: false
  image:
    tag: 1.15.10
    rootless: true
  securityContext:
@ -45,27 +47,23 @@ gitea:
    config:
      database:
        DB_TYPE: sqlite3
      cache:
        ADAPTER: memory
-    database:
+  memcached:
-      builtIn:
+    enabled: false
-        postgresql:
+  postgresql:
-          enabled: false
+    enabled: false
-        mysql:
+  mysql:
-          enabled: false
+    enabled: false
-        mariadb:
+  mariadb:
-          enabled: false
+    enabled: false
    cache:
      builtIn:
        enabled: false
  istio:
    enabled: false
    gateway: istio-ingress/private-ingressgateway
-    url: "" # git.example.com
+    url: git.example.com
 jenkins:
  enabled: false
@ -76,11 +74,129 @@ jenkins:
    prometheus:
      enabled: false
    testEnabled: false
    enableRawHtmlMarkupFormatter: true
    # javaOpts: "-Xms512m -Xmx512m"
    javaOpts: "-XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""
    resources:
      requests:
        cpu: "250m"
        memory: "1280Mi"
      limits:
        cpu: "2000m"
        memory: "4096Mi"
    initContainerResources:
      requests:
        cpu: "50m"
        memory: "256Mi"
      limits:
        cpu: "1000m"
        memory: "1024Mi"
    JCasC:
      configScripts:
        zdt-settings: |
          jenkins:
            noUsageStatistics: true
            disabledAdministrativeMonitors:
            - "jenkins.security.ResourceDomainRecommendation"
          unclassified:
            buildDiscarders:
              configuredBuildDiscarders:
              - "jobBuildDiscarder"
              - defaultBuildDiscarder:
                  discarder:
                    logRotator:
                      artifactDaysToKeepStr: "32"
                      artifactNumToKeepStr: "10"
                      daysToKeepStr: "100"
                      numToKeepStr: "10"
    installPlugins:
      - kubernetes:1.31.3
      - workflow-aggregator:2.6
      - git:4.10.3
      - configuration-as-code:1.55.1
      - antisamy-markup-formatter:2.7
      - prometheus:2.0.10
      - htmlpublisher:1.28
      - build-discarder:60.v1747b0eb632a
  serviceAccountAgent:
    create: true
    name: jenkins-podman-aws
  # Preconfigure agents to use zdt podman requires fuse/overlayfs
  agent:
    image: public.ecr.aws/zero-downtime/jenkins-podman
    tag: v0.2.4-2
    resources:
      requests:
        cpu: "512m"
        memory: "512Mi"
      limits:
        cpu: "1"
        memory: "2048Mi"
    alwaysPullImage: true
    podRetention: "Default"
    showRawYaml: false
    podName: "podman-aws"
    customJenkinsLabels:
    - podman-aws-trivy
    idleMinutes: 10
    containerCap: 4
    annotations:
      container.apparmor.security.beta.kubernetes.io/jnlp: unconfined
    # envVars:
    # - name: AWS_WEB_IDENTITY_TOKEN_FILE
    #   value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
    # - name: AWS_STS_REGIONAL_ENDPOINTS
    #   value: regional
    # - name: AWS_ROLE_ARN
    #   value: "<IAM ROLE ARN>"
    yamlMergeStrategy: "merge"
    yamlTemplate: |-
      apiVersion: v1
      kind: Pod
      spec:
        serviceAccountName: jenkins-podman-aws
        containers:
        - name: jnlp
          resources:
            limits:
              github.com/fuse: 1
          volumeMounts:
          - name: aws-token
            mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
            readOnly: true
        volumes:
        - name: aws-token
          projected:
            sources:
            - serviceAccountToken:
                path: token
                expirationSeconds: 86400
                audience: "sts.amazonaws.com"
  persistence:
-    size: "2Gi"
+    size: "4Gi"
  istio:
    enabled: false
    gateway: istio-ingress/private-ingressgateway
    url: jenkins.example.com
    # Dedicated VirtualService for webhooks
    webhook:
      enabled: false
      gateway: istio-ingress/ingressgateway
      url: jenkins-webhook.example.com
 trivy:
  enabled: false
  persistence:
    enabled: true
    size: 1Gi
  rbac:
    create: false
    pspEnabled: false