# Default values for jenkins. # This is a YAML-formatted file. # Declare name/value pairs to be passed into your templates. # name: value ## Overrides for generated resource names # See templates/_helpers.tpl # -- Override the resource name prefix # @default -- `Chart.Name` nameOverride: # -- Override the full resource names # @default -- `jenkins-(release-name)` or `jenkins` if the release-name is `jenkins` fullnameOverride: # -- Override the deployment namespace # @default -- `Release.Namespace` namespaceOverride: # For FQDN resolving of the controller service. Change this value to match your existing configuration. # ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md # -- Override the cluster name for FQDN resolving clusterZone: "cluster.local" # -- The URL of the Kubernetes API server kubernetesURL: "https://kubernetes.default" # -- The Jenkins credentials to access the Kubernetes API server. For the default cluster it is not needed. credentialsId: # -- Enables rendering of the helm.sh/chart label to the annotations renderHelmLabels: true controller: # -- Used for label app.kubernetes.io/component componentName: "jenkins-controller" image: # -- Controller image registry registry: "docker.io" # -- Controller image repository repository: "jenkins/jenkins" # -- Controller image tag override; i.e., tag: "2.440.1-jdk17" tag: # -- Controller image tag label tagLabel: jdk17 # -- Controller image pull policy pullPolicy: "Always" # -- Controller image pull secret imagePullSecretName: # -- Lifecycle specification for controller-container lifecycle: {} # postStart: # exec: # command: # - "uname" # - "-a" # -- Disable use of remember me disableRememberMe: false # -- Set Number of executors numExecutors: 0 # -- Sets the executor mode of the Jenkins node. Possible values are "NORMAL" or "EXCLUSIVE" executorMode: "NORMAL" # -- Append Jenkins labels to the controller customJenkinsLabels: [] hostNetworking: false # When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist. # If you disable the non-Jenkins identity store and instead use the Jenkins internal one, # you should revert controller.admin.username to your preferred admin user: admin: # -- Admin username created as a secret if `controller.admin.createSecret` is true username: "admin" # -- Admin password created as a secret if `controller.admin.createSecret` is true # @default -- password: # -- The key in the existing admin secret containing the username userKey: jenkins-admin-user # -- The key in the existing admin secret containing the password passwordKey: jenkins-admin-password # The default configuration uses this secret to configure an admin user # If you don't need that user or use a different security realm, then you can disable it # -- Create secret for admin user createSecret: true # -- The name of an existing secret containing the admin credentials existingSecret: "" # -- Email address for the administrator of the Jenkins instance jenkinsAdminEmail: # This value should not be changed unless you use your custom image of jenkins or any derived from. # If you want to use Cloudbees Jenkins Distribution docker, you should set jenkinsHome: "/var/cloudbees-jenkins-distribution" # -- Custom Jenkins home path jenkinsHome: "/var/jenkins_home" # This value should not be changed unless you use your custom image of jenkins or any derived from. # If you want to use Cloudbees Jenkins Distribution docker, you should set jenkinsRef: "/usr/share/cloudbees-jenkins-distribution/ref" # -- Custom Jenkins reference path jenkinsRef: "/usr/share/jenkins/ref" # Path to the jenkins war file which is used by jenkins-plugin-cli. jenkinsWar: "/usr/share/jenkins/jenkins.war" # Override the default arguments passed to the war # overrideArgs: # - --httpPort=8080 # -- Resource allocation (Requests and Limits) resources: requests: cpu: "50m" memory: "256Mi" limits: cpu: "2000m" memory: "4096Mi" # Share process namespace to allow sidecar containers to interact with processes in other containers in the same pod shareProcessNamespace: false # Overrides the init container default values # -- Resources allocation (Requests and Limits) for Init Container initContainerResources: {} # initContainerResources: # requests: # cpu: "50m" # memory: "256Mi" # limits: # cpu: "2000m" # memory: "4096Mi" # -- Environment variable sources for Init Container initContainerEnvFrom: [] # useful for i.e., http_proxy # -- Environment variables for Init Container initContainerEnv: [] # initContainerEnv: # - name: http_proxy # value: "http://192.168.64.1:3128" # -- Environment variable sources for Jenkins Container containerEnvFrom: [] # -- Environment variables for Jenkins Container containerEnv: [] # - name: http_proxy # value: "http://192.168.64.1:3128" # Set min/max heap here if needed with "-Xms512m -Xmx512m" # -- Append to `JAVA_OPTS` env var javaOpts: # -- Append to `JENKINS_OPTS` env var jenkinsOpts: # If you are using the ingress definitions provided by this chart via the `controller.ingress` block, # the configured hostname will be the ingress hostname starting with `https://` # or `http://` depending on the `tls` configuration. # The Protocol can be overwritten by specifying `controller.jenkinsUrlProtocol`. # -- Set protocol for Jenkins URL; `https` if `controller.ingress.tls`, `http` otherwise jenkinsUrlProtocol: # -- Set Jenkins URL if you are not using the ingress definitions provided by the chart jenkinsUrl: # If you set this prefix and use ingress controller, then you might want to set the ingress path below # I.e., "/jenkins" # -- Root URI Jenkins will be served on jenkinsUriPrefix: # -- Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) usePodSecurityContext: true # Note that `runAsUser`, `fsGroup`, and `securityContextCapabilities` are # being deprecated and replaced by `podSecurityContextOverride`. # Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins', which exists in 'jenkins/jenkins' docker image. # When configuring runAsUser to a different value than 0 also set fsGroup to the same value: # -- Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with. runAsUser: 1000 # -- Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume. fsGroup: 1000 # If you have PodSecurityPolicies that require dropping of capabilities as suggested by CIS K8s benchmark, put them here # securityContextCapabilities: # drop: # - NET_RAW securityContextCapabilities: {} # In the case of mounting an ext4 filesystem, it might be desirable to use `supplementalGroups` instead of `fsGroup` in # the `securityContext` block: https://github.com/kubernetes/kubernetes/issues/67014#issuecomment-589915496 # podSecurityContextOverride: # runAsUser: 1000 # runAsNonRoot: true # supplementalGroups: [1000] # capabilities: {} # -- Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, `fsGroup`, and `securityContextCapabilities` podSecurityContextOverride: ~ # -- Allow controlling the securityContext for the jenkins container containerSecurityContext: runAsUser: 1000 runAsGroup: 1000 readOnlyRootFilesystem: true allowPrivilegeEscalation: false # For minikube, set this to NodePort, elsewhere uses LoadBalancer # Use ClusterIP if your setup includes ingress controller # -- k8s service type serviceType: ClusterIP # -- k8s service clusterIP. Only used if serviceType is ClusterIP clusterIp: # -- k8s service port servicePort: 8080 # -- k8s target port targetPort: 8080 # -- k8s node port. Only used if serviceType is NodePort nodePort: # Use Local to preserve the client source IP and avoids a second hop for LoadBalancer and NodePort type services, # but risks potentially imbalanced traffic spreading. serviceExternalTrafficPolicy: # -- Jenkins controller service annotations serviceAnnotations: {} # -- Jenkins controller custom labels for the StatefulSet statefulSetLabels: {} # foo: bar # bar: foo # -- Labels for the Jenkins controller-service serviceLabels: {} # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https # Put labels on Jenkins controller pod # -- Custom Pod labels (an object with `label-key: label-value` pairs) podLabels: {} # Enable Kubernetes Startup, Liveness and Readiness Probes # if Startup Probe is supported, enable it too # ~ 2 minutes to allow Jenkins to restart when upgrading plugins. Set ReadinessTimeout to be shorter than LivenessTimeout. # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes # -- Enable Kubernetes Probes configuration configured in `controller.probes` healthProbes: true probes: startupProbe: # -- Set the failure threshold for the startup probe failureThreshold: 12 httpGet: # -- Set the Pod's HTTP path for the startup probe path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login' # -- Set the Pod's HTTP port to use for the startup probe port: http # -- Set the time interval between two startup probes executions in seconds periodSeconds: 10 # -- Set the timeout for the startup probe in seconds timeoutSeconds: 5 livenessProbe: # -- Set the failure threshold for the liveness probe failureThreshold: 5 httpGet: # -- Set the Pod's HTTP path for the liveness probe path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login' # -- Set the Pod's HTTP port to use for the liveness probe port: http # -- Set the time interval between two liveness probes executions in seconds periodSeconds: 10 # -- Set the timeout for the liveness probe in seconds timeoutSeconds: 5 # If Startup Probe is not supported on your Kubernetes cluster, you might want to use "initialDelaySeconds" instead. # It delays the initial liveness probe while Jenkins is starting # -- Set the initial delay for the liveness probe in seconds initialDelaySeconds: readinessProbe: # -- Set the failure threshold for the readiness probe failureThreshold: 3 httpGet: # -- Set the Pod's HTTP path for the liveness probe path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login' # -- Set the Pod's HTTP port to use for the readiness probe port: http # -- Set the time interval between two readiness probes executions in seconds periodSeconds: 10 # -- Set the timeout for the readiness probe in seconds timeoutSeconds: 5 # If Startup Probe is not supported on your Kubernetes cluster, you might want to use "initialDelaySeconds" instead. # It delays the initial readiness probe while Jenkins is starting # -- Set the initial delay for the readiness probe in seconds initialDelaySeconds: # PodDisruptionBudget config podDisruptionBudget: # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ # -- Enable Kubernetes Pod Disruption Budget configuration enabled: false # For Kubernetes v1.5+, use 'policy/v1beta1' # For Kubernetes v1.21+, use 'policy/v1' # -- Policy API version apiVersion: "policy/v1beta1" annotations: {} labels: {} # -- Number of pods that can be unavailable. Either an absolute number or a percentage maxUnavailable: "0" # -- Create Agent listener service agentListenerEnabled: true # -- Listening port for agents agentListenerPort: 50000 # -- Host port to listen for agents agentListenerHostPort: # -- Node port to listen for agents agentListenerNodePort: # ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-policies # -- Traffic Policy of for the agentListener service agentListenerExternalTrafficPolicy: # -- Allowed inbound IP for the agentListener service agentListenerLoadBalancerSourceRanges: - 0.0.0.0/0 # -- Disabled agent protocols disabledAgentProtocols: - JNLP-connect - JNLP2-connect csrf: defaultCrumbIssuer: # -- Enable the default CSRF Crumb issuer enabled: true # -- Enable proxy compatibility proxyCompatability: true # Kubernetes service type for the JNLP agent service # agentListenerServiceType is the Kubernetes Service type for the JNLP agent service, # either 'LoadBalancer', 'NodePort', or 'ClusterIP' # Note if you set this to 'LoadBalancer', you *must* define annotations to secure it. By default, # this will be an external load balancer and allowing inbound 0.0.0.0/0, a HUGE # security risk: https://github.com/kubernetes/charts/issues/1341 # -- Defines how to expose the agentListener service agentListenerServiceType: "ClusterIP" # -- Annotations for the agentListener service agentListenerServiceAnnotations: {} # Optionally, assign an IP to the LoadBalancer agentListenerService LoadBalancer # GKE users: only regional static IPs will work for Service Load balancer. # -- Static IP for the agentListener LoadBalancer agentListenerLoadBalancerIP: # -- Whether legacy remoting security should be enabled legacyRemotingSecurityEnabled: false # Example of a 'LoadBalancer'-type agent listener with annotations securing it # agentListenerServiceType: LoadBalancer # agentListenerServiceAnnotations: # service.beta.kubernetes.io/aws-load-balancer-internal: "True" # service.beta.kubernetes.io/load-balancer-source-ranges: "172.0.0.0/8, 10.0.0.0/8" # LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to # set allowed inbound rules on the security group assigned to the controller load balancer # -- Allowed inbound IP addresses loadBalancerSourceRanges: - 0.0.0.0/0 # -- Optionally assign a known public LB IP loadBalancerIP: # Optionally configure a JMX port. This requires additional javaOpts, for example, # javaOpts: > # -Dcom.sun.management.jmxremote.port=4000 # -Dcom.sun.management.jmxremote.authenticate=false # -Dcom.sun.management.jmxremote.ssl=false # jmxPort: 4000 # -- Open a port, for JMX stats jmxPort: # -- Optionally configure other ports to expose in the controller container extraPorts: [] # - name: BuildInfoProxy # port: 9000 # targetPort: 9010 (Optional: Use to explicitly set targetPort if different from port) # Plugins will be installed during Jenkins controller start # -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` installPlugins: - kubernetes:4285.v50ed5f624918 - workflow-aggregator:600.vb_57cdd26fdd7 - git:5.3.0 - configuration-as-code:1836.vccda_4a_122a_a_e # If set to false, Jenkins will download the minimum required version of all dependencies. # -- Download the minimum required version or latest version of all dependencies installLatestPlugins: true # -- Set to true to download the latest version of any plugin that is requested to have the latest version installLatestSpecifiedPlugins: false # -- List of plugins to install in addition to those listed in controller.installPlugins additionalPlugins: [] # Without this; whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates that have the potential to cause breakage. # Note that for this to work, `persistence.enabled` needs to be set to `true` # -- Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` initializeOnce: false # Enable to always override the installed plugins with the values of 'controller.installPlugins' on upgrade or redeployment. # -- Overwrite installed plugins on start overwritePlugins: false # Configures if plugins bundled with `controller.image` should be overwritten with the values of 'controller.installPlugins' on upgrade or redeployment. # -- Overwrite plugins that are already installed in the controller image overwritePluginsFromImage: true # Configures the restrictions for naming projects. Set this key to null or empty to skip it in the default config. projectNamingStrategy: standard # Useful with ghprb plugin. The OWASP plugin is not installed by default, please update controller.installPlugins. # -- Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter) enableRawHtmlMarkupFormatter: false # This is ignored if enableRawHtmlMarkupFormatter is true # -- Yaml of the markup formatter to use markupFormatter: plainText # Used to approve a list of groovy functions in pipelines used the script-security plugin. Can be viewed under /scriptApproval # -- List of groovy functions to approve scriptApproval: [] # - "method groovy.json.JsonSlurperClassic parseText java.lang.String" # - "new groovy.json.JsonSlurperClassic" # -- Map of groovy init scripts to be executed during Jenkins controller start initScripts: {} # test: |- # print 'adding global pipeline libraries, register properties, bootstrap jobs...' # -- Name of the existing ConfigMap that contains init scripts initConfigMap: # 'name' is a name of an existing secret in the same namespace as jenkins, # 'keyName' is the name of one of the keys inside the current secret. # the 'name' and 'keyName' are concatenated with a '-' in between, so for example: # an existing secret "secret-credentials" and a key inside it named "github-password" should be used in JCasC as ${secret-credentials-github-password} # 'name' and 'keyName' must be lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', # and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc') # existingSecret existing secret "secret-credentials" and a key inside it named "github-username" should be used in JCasC as ${github-username} # When using existingSecret no need to specify the keyName under additionalExistingSecrets. existingSecret: # -- List of additional existing secrets to mount additionalExistingSecrets: [] # ref: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets # additionalExistingSecrets: # - name: secret-name-1 # keyName: username # - name: secret-name-1 # keyName: password # -- List of additional secrets to create and mount additionalSecrets: [] # ref: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets # additionalSecrets: # - name: nameOfSecret # value: secretText # Generate SecretClaim resources to create Kubernetes secrets from HashiCorp Vault using kube-vault-controller. # 'name' is the name of the secret that will be created in Kubernetes. The Jenkins fullname is prepended to this value. # 'path' is the fully qualified path to the secret in Vault # 'type' is an optional Kubernetes secret type. The default is 'Opaque' # 'renew' is an optional secret renewal time in seconds # -- List of `SecretClaim` resources to create secretClaims: [] # - name: secretName # required # path: testPath # required # type: kubernetes.io/tls # optional # renew: 60 # optional # -- Name of default cloud configuration. cloudName: "kubernetes" # Below is the implementation of Jenkins Configuration as Code. Add a key under configScripts for each configuration area, # where each corresponds to a plugin or section of the UI. Each key (prior to | character) is just a label, and can be any value. # Keys are only used to give the section a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each | # become the content of the configuration yaml file. The first line after this is a JCasC root element, e.g., jenkins, credentials, # etc. Best reference is https:///configuration-as-code/reference. The example below creates a welcome message: JCasC: # -- Enables default Jenkins configuration via configuration as code plugin defaultConfig: true # If true, the init container deletes all the plugin config files and Jenkins Config as Code overwrites any existing configuration # -- Whether Jenkins Config as Code should overwrite any existing configuration overwriteConfiguration: false # -- Remote URLs for configuration files. configUrls: [] # - https://acme.org/jenkins.yaml # -- List of Jenkins Config as Code scripts configScripts: {} # welcome-message: | # jenkins: # systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'. # Allows adding to the top-level security JCasC section. For legacy purposes, by default, the chart includes apiToken configurations # -- Jenkins Config as Code security-section security: apiToken: creationOfLegacyTokenEnabled: false tokenGenerationOnCreationEnabled: false usageStatisticsEnabled: true # Ignored if securityRealm is defined in controller.JCasC.configScripts # -- Jenkins Config as Code Security Realm-section securityRealm: |- local: allowsSignup: false enableCaptcha: false users: - id: "${chart-admin-username}" name: "Jenkins Admin" password: "${chart-admin-password}" # Ignored if authorizationStrategy is defined in controller.JCasC.configScripts # -- Jenkins Config as Code Authorization Strategy-section authorizationStrategy: |- loggedInUsersCanDoAnything: allowAnonymousRead: false # -- Annotations for the JCasC ConfigMap configMapAnnotations: {} # -- Custom init-container specification in raw-yaml format customInitContainers: [] # - name: custom-init # image: "alpine:3" # imagePullPolicy: Always # command: [ "uname", "-a" ] sidecars: configAutoReload: # If enabled: true, Jenkins Configuration as Code will be reloaded on-the-fly without a reboot. # If false or not-specified, JCasC changes will cause a reboot and will only be applied at the subsequent start-up. # Auto-reload uses the http:///reload-configuration-as-code endpoint to reapply config when changes to # the configScripts are detected. # -- Enables Jenkins Config as Code auto-reload enabled: true image: # -- Registry for the image that triggers the reload registry: docker.io # -- Repository of the image that triggers the reload repository: kiwigrid/k8s-sidecar # -- Tag for the image that triggers the reload tag: 1.27.5 imagePullPolicy: IfNotPresent resources: {} # limits: # cpu: 100m # memory: 100Mi # requests: # cpu: 50m # memory: 50Mi # -- Enables additional volume mounts for the config auto-reload container additionalVolumeMounts: [] # - name: auto-reload-config # mountPath: /var/config/logger # - name: auto-reload-logs # mountPath: /var/log/auto_reload # -- Config auto-reload logging settings logging: # See default settings https://github.com/kiwigrid/k8s-sidecar/blob/master/src/logger.py configuration: # -- Enables custom log config utilizing using the settings below. override: false logLevel: INFO formatter: JSON logToConsole: true logToFile: false maxBytes: 1024 backupCount: 3 # -- The scheme to use when connecting to the Jenkins configuration as code endpoint scheme: http # -- Skip TLS verification when connecting to the Jenkins configuration as code endpoint skipTlsVerify: false # -- How many connection-related errors to retry on reqRetryConnect: 10 # -- How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar) sleepTime: # -- Environment variable sources for the Jenkins Config as Code auto-reload container envFrom: [] # -- Environment variables for the Jenkins Config as Code auto-reload container env: {} # - name: REQ_TIMEOUT # value: "30" # SSH port value can be set to any unused TCP port. The default, 1044, is a non-standard SSH port that has been chosen at random. # This is only used to reload JCasC config from the sidecar container running in the Jenkins controller pod. # This TCP port will not be open in the pod (unless you specifically configure this), so Jenkins will not be # accessible via SSH from outside the pod. Note if you use non-root pod privileges (runAsUser & fsGroup), # this must be > 1024: sshTcpPort: 1044 # folder in the pod that should hold the collected dashboards: folder: "/var/jenkins_home/casc_configs" # If specified, the sidecar will search for JCasC config-maps inside this namespace. # Otherwise, the namespace in which the sidecar is running will be used. # It's also possible to specify ALL to search in all namespaces: # searchNamespace: # -- Enable container security context containerSecurityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false # -- Configures additional sidecar container(s) for the Jenkins controller additionalSidecarContainers: [] ## The example below runs the client for https://smee.io as sidecar container next to Jenkins, ## that allows triggering build behind a secure firewall. ## https://jenkins.io/blog/2019/01/07/webhook-firewalls/#triggering-builds-with-webhooks-behind-a-secure-firewall ## ## Note: To use it you should go to https://smee.io/new and update the url to the generated one. # - name: smee # image: docker.io/twalter/smee-client:1.0.2 # args: ["--port", "{{ .Values.controller.servicePort }}", "--path", "/github-webhook/", "--url", "https://smee.io/new"] # resources: # limits: # cpu: 50m # memory: 128Mi # requests: # cpu: 10m # memory: 32Mi # -- Name of the Kubernetes scheduler to use schedulerName: "" # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector # -- Node labels for pod assignment nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature # -- Toleration labels for pod assignment tolerations: [] # -- Set TerminationGracePeriodSeconds terminationGracePeriodSeconds: # -- Set the termination message path terminationMessagePath: # -- Set the termination message policy terminationMessagePolicy: # -- Affinity settings affinity: {} # Leverage a priorityClass to ensure your pods survive resource shortages # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ # -- The name of a `priorityClass` to apply to the controller pod priorityClassName: # -- Annotations for controller pod podAnnotations: {} # -- Annotations for controller StatefulSet statefulSetAnnotations: {} # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies # -- Update strategy for StatefulSet updateStrategy: {} # -- Topology spread constraints topologySpreadConstraints: {} ingress: # -- Enables ingress enabled: false # Override for the default paths that map requests to the backend # -- Override for the default Ingress paths paths: [] # - backend: # serviceName: ssl-redirect # servicePort: use-annotation # - backend: # serviceName: >- # {{ template "jenkins.fullname" . }} # # Don't use string here, use only integer value! # servicePort: 8080 # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1' # For Kubernetes v1.19+, use 'networking.k8s.io/v1' # -- Ingress API version apiVersion: "extensions/v1beta1" # -- Ingress labels labels: {} # -- Ingress annotations annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress # ingressClassName: nginx # Set this path to jenkinsUriPrefix above or use annotations to rewrite path # -- Ingress path path: # configures the hostname e.g. jenkins.example.com # -- Ingress hostname hostName: # -- Hostname to serve assets from resourceRootUrl: # -- Ingress TLS configuration tls: [] # - secretName: jenkins.cluster.local # hosts: # - jenkins.cluster.local # often you want to have your controller all locked down and private, # but you still want to get webhooks from your SCM # A secondary ingress will let you expose different urls # with a different configuration secondaryingress: enabled: false # paths you want forwarded to the backend # ex /github-webhook paths: [] # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1' # For Kubernetes v1.19+, use 'networking.k8s.io/v1' apiVersion: "extensions/v1beta1" labels: {} annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress # ingressClassName: nginx # configures the hostname e.g., jenkins-external.example.com hostName: tls: # - secretName: jenkins-external.example.com # hosts: # - jenkins-external.example.com # If you're running on GKE and need to configure a backendconfig # to finish ingress setup, use the following values. # Docs: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig backendconfig: # -- Enables backendconfig enabled: false # -- backendconfig API version apiVersion: "extensions/v1beta1" # -- backendconfig name name: # -- backendconfig labels labels: {} # -- backendconfig annotations annotations: {} # -- backendconfig spec spec: {} # Openshift route route: # -- Enables openshift route enabled: false # -- Route labels labels: {} # -- Route annotations annotations: {} # -- Route path path: # -- Allows for adding entries to Pod /etc/hosts hostAliases: [] # ref: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ # hostAliases: # - ip: 192.168.50.50 # hostnames: # - something.local # - ip: 10.0.50.50 # hostnames: # - other.local # Expose Prometheus metrics prometheus: # If enabled, add the prometheus plugin to the list of plugins to install # https://plugins.jenkins.io/prometheus # -- Enables prometheus service monitor enabled: false # -- Additional labels to add to the service monitor object serviceMonitorAdditionalLabels: {} # -- Set a custom namespace where to deploy ServiceMonitor resource serviceMonitorNamespace: # -- How often prometheus should scrape metrics scrapeInterval: 60s # Defaults to the default endpoint used by the prometheus plugin # -- The endpoint prometheus should get metrics from scrapeEndpoint: /prometheus # See here: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ # The `groups` root object is added by default, add the rule entries # -- Array of prometheus alerting rules alertingrules: [] # -- Additional labels to add to the PrometheusRule object alertingRulesAdditionalLabels: {} # -- Set a custom namespace where to deploy PrometheusRule resource prometheusRuleNamespace: "" # RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds # relabelings for a few standard Kubernetes fields. The original scrape job’s name # is available via the __tmp_prometheus_job_name label. # More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config relabelings: [] # MetricRelabelConfigs to apply to samples before ingestion. metricRelabelings: [] googlePodMonitor: # If enabled, It creates Google Managed Prometheus scraping config enabled: false # Set a custom namespace where to deploy PodMonitoring resource # serviceMonitorNamespace: "" scrapeInterval: 60s # This is the default endpoint used by the prometheus plugin scrapeEndpoint: /prometheus # -- Can be used to disable rendering controller test resources when using helm template testEnabled: true httpsKeyStore: # -- Enables HTTPS keystore on jenkins controller enable: false # -- Name of the secret that already has ssl keystore jenkinsHttpsJksSecretName: "" # -- Name of the key in the secret that already has ssl keystore jenkinsHttpsJksSecretKey: "jenkins-jks-file" # -- Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file jenkinsHttpsJksPasswordSecretName: "" # -- Name of the key in the secret that contains the JKS password jenkinsHttpsJksPasswordSecretKey: "https-jks-password" disableSecretMount: false # When HTTPS keystore is enabled, servicePort and targetPort will be used as HTTPS port # -- HTTP Port that Jenkins should listen to along with HTTPS, it also serves as the liveness and readiness probes port. httpPort: 8081 # -- Path of HTTPS keystore file path: "/var/jenkins_keystore" # -- Jenkins keystore filename which will appear under controller.httpsKeyStore.path fileName: "keystore.jks" # -- Jenkins keystore password password: "password" # -- Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here jenkinsKeyStoreBase64Encoded: # Convert keystore.jks files content to base64 > $ cat keystore.jks | base64 # /u3+7QAAAAIAAAABAAAAAQANamVua2luc2NpLmNvbQAAAW2r/b1ZAAAFATCCBP0wDgYKKwYBBAEq # AhEBAQUABIIE6QbCqasvoHS0pSwYqSvdydMCB9t+VNfwhFIiiuAelJfO5sSe2SebJbtwHgLcRz1Z # gMtWgOSFdl3bWSzA7vrW2LED52h+jXLYSWvZzuDuh8hYO85m10ikF6QR+dTi4jra0whIFDvq3pxe # TnESxEsN+DvbZM3jA3qsjQJSeISNpDjO099dqQvHpnCn18lyk7J4TWJ8sOQQb1EM2zDAfAOSqA/x # QuPEFl74DlY+5DIk6EBvpmWhaMSvXzWZACGA0sYqa157dq7O0AqmuLG/EI5EkHETO4CrtBW+yLcy # 2dUCXOMA+j+NjM1BjrQkYE5vtSfNO6lFZcISyKo5pTFlcA7ut0Fx2nZ8GhHTn32CpeWwNcZBn1gR # pZVt6DxVVkhTAkMLhR4rL2wGIi/1WRs23ZOLGKtyDNvDHnQyDiQEoJGy9nAthA8aNHa3cfdF10vB # Drb19vtpFHmpvKEEhpk2EBRF4fTi644Fuhu2Ied6118AlaPvEea+n6G4vBz+8RWuVCmZjLU+7h8l # Hy3/WdUPoIL5eW7Kz+hS+sRTFzfu9C48dMkQH3a6f3wSY+mufizNF9U298r98TnYy+PfDJK0bstG # Ph6yPWx8DGXKQBwrhWJWXI6JwZDeC5Ny+l8p1SypTmAjpIaSW3ge+KgcL6Wtt1R5hUV1ajVwVSUi # HF/FachKqPqyLJFZTGjNrxnmNYpt8P1d5JTvJfmfr55Su/P9n7kcyWp7zMcb2Q5nlXt4tWogOHLI # OzEWKCacbFfVHE+PpdrcvCVZMDzFogIq5EqGTOZe2poPpBVE+1y9mf5+TXBegy5HToLWvmfmJNTO # NCDuBjgLs2tdw2yMPm4YEr57PnMX5gGTC3f2ZihXCIJDCRCdQ9sVBOjIQbOCzxFXkVITo0BAZhCi # Yz61wt3Ud8e//zhXWCkCsSV+IZCxxPzhEFd+RFVjW0Nm9hsb2FgAhkXCjsGROgoleYgaZJWvQaAg # UyBzMmKDPKTllBHyE3Gy1ehBNGPgEBChf17/9M+j8pcm1OmlM434ctWQ4qW7RU56//yq1soFY0Te # fu2ei03a6m68fYuW6s7XEEK58QisJWRAvEbpwu/eyqfs7PsQ+zSgJHyk2rO95IxdMtEESb2GRuoi # Bs+AHNdYFTAi+GBWw9dvEgqQ0Mpv0//6bBE/Fb4d7b7f56uUNnnE7mFnjGmGQN+MvC62pfwfvJTT # EkT1iZ9kjM9FprTFWXT4UmO3XTvesGeE50sV9YPm71X4DCQwc4KE8vyuwj0s6oMNAUACW2ClU9QQ # y0tRpaF1tzs4N42Q5zl0TzWxbCCjAtC3u6xf+c8MCGrr7DzNhm42LOQiHTa4MwX4x96q7235oiAU # iQqSI/hyF5yLpWw4etyUvsx2/0/0wkuTU1FozbLoCWJEWcPS7QadMrRRISxHf0YobIeQyz34regl # t1qSQ3dCU9D6AHLgX6kqllx4X0fnFq7LtfN7fA2itW26v+kAT2QFZ3qZhINGfofCja/pITC1uNAZ # gsJaTMcQ600krj/ynoxnjT+n1gmeqThac6/Mi3YlVeRtaxI2InL82ZuD+w/dfY9OpPssQjy3xiQa # jPuaMWXRxz/sS9syOoGVH7XBwKrWpQcpchozWJt40QV5DslJkclcr8aC2AGlzuJMTdEgz1eqV0+H # bAXG9HRHN/0eJTn1/QAAAAEABVguNTA5AAADjzCCA4swggJzAhRGqVxH4HTLYPGO4rzHcCPeGDKn # xTANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCY2ExEDAOBgNVBAgMB29udGFyaW8xEDAOBgNV # BAcMB3Rvcm9udG8xFDASBgNVBAoMC2plbmtpbnN0ZXN0MRkwFwYDVQQDDBBqZW5raW5zdGVzdC5p # bmZvMR0wGwYJKoZIhvcNAQkBFg50ZXN0QHRlc3QuaW5mbzAeFw0xOTEwMDgxNTI5NTVaFw0xOTEx # MDcxNTI5NTVaMIGBMQswCQYDVQQGEwJjYTEQMA4GA1UECAwHb250YXJpbzEQMA4GA1UEBwwHdG9y # b250bzEUMBIGA1UECgwLamVua2luc3Rlc3QxGTAXBgNVBAMMEGplbmtpbnN0ZXN0LmluZm8xHTAb # BgkqhkiG9w0BCQEWDnRlc3RAdGVzdC5pbmZvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC # AQEA02q352JTHGvROMBhSHvSv+vnoOTDKSTz2aLQn0tYrIRqRo+8bfmMjXuhkwZPSnCpvUGNAJ+w # Jrt/dqMoYUjCBkjylD/qHmnXN5EwS1cMg1Djh65gi5JJLFJ7eNcoSsr/0AJ+TweIal1jJSP3t3PF # 9Uv21gm6xdm7HnNK66WpUUXLDTKaIs/jtagVY1bLOo9oEVeLN4nT2CYWztpMvdCyEDUzgEdDbmrP # F5nKUPK5hrFqo1Dc5rUI4ZshL3Lpv398aMxv6n2adQvuL++URMEbXXBhxOrT6rCtYzbcR5fkwS9i # d3Br45CoWOQro02JAepoU0MQKY5+xQ4Bq9Q7tB9BAwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAe # 4xc+mSvKkrKBHg9/zpkWgZUiOp4ENJCi8H4tea/PCM439v6y/kfjT/okOokFvX8N5aa1OSz2Vsrl # m8kjIc6hiA7bKzT6lb0EyjUShFFZ5jmGVP4S7/hviDvgB5yEQxOPpumkdRP513YnEGj/o9Pazi5h # /MwpRxxazoda9r45kqQpyG+XoM4pB+Fd3JzMc4FUGxfVPxJU4jLawnJJiZ3vqiSyaB0YyUL+Er1Q # 6NnqtR4gEBF0ZVlQmkycFvD4EC2boP943dLqNUvop+4R3SM1QMM6P5u8iTXtHd/VN4MwMyy1wtog # hYAzODo1Jt59pcqqKJEas0C/lFJEB3frw4ImNx5fNlJYOpx+ijfQs9m39CevDq0= agent: # -- Enable Kubernetes plugin jnlp-agent podTemplate enabled: true # -- The name of the pod template to use for providing default values defaultsProviderTemplate: "" # Useful for not including a serviceAccount in the template if `false` # -- Use `serviceAccountAgent.name` as the default value for defaults template `serviceAccount` useDefaultServiceAccount: true # -- Override the default service account # @default -- `serviceAccountAgent.name` if `agent.useDefaultServiceAccount` is `true` serviceAccount: # For connecting to the Jenkins controller # -- Overrides the Kubernetes Jenkins URL jenkinsUrl: # connects to the specified host and port, instead of connecting directly to the Jenkins controller # -- Overrides the Kubernetes Jenkins tunnel jenkinsTunnel: # -- Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI skipTlsVerify: false # -- Enable the possibility to restrict the usage of this agent to specific folder. This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI usageRestricted: false # -- The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 kubernetesConnectTimeout: 5 # -- The read timeout in seconds for connections to Kubernetes API. The minimum value is 15 kubernetesReadTimeout: 15 # -- The maximum concurrent connections to Kubernetes API maxRequestsPerHostStr: "32" # -- Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated retentionTimeout: 5 # -- Seconds to wait for pod to be running waitForPodSec: 600 # -- Namespace in which the Kubernetes agents should be launched namespace: # -- Custom Pod labels (an object with `label-key: label-value` pairs) podLabels: {} # -- Custom registry used to pull the agent jnlp image from jnlpregistry: image: # -- Repository to pull the agent jnlp image from repository: "jenkins/inbound-agent" # -- Tag of the image to pull tag: "3261.v9c670a_4748a_9-1" # -- Configure working directory for default agent workingDir: "/home/jenkins/agent" nodeUsageMode: "NORMAL" # -- Append Jenkins labels to the agent customJenkinsLabels: [] # -- Name of the secret to be used to pull the image imagePullSecretName: componentName: "jenkins-agent" # -- Enables agent communication via websockets websocket: false directConnection: false # -- Agent privileged container privileged: false # -- Configure container user runAsUser: # -- Configure container group runAsGroup: # -- Enables the agent to use the host network hostNetworking: false # -- Resources allocation (Requests and Limits) resources: requests: cpu: "512m" memory: "512Mi" # ephemeralStorage: limits: cpu: "512m" memory: "512Mi" # ephemeralStorage: livenessProbe: {} # execArgs: "cat /tmp/healthy" # failureThreshold: 3 # initialDelaySeconds: 0 # periodSeconds: 10 # successThreshold: 1 # timeoutSeconds: 1 # You may want to change this to true while testing a new image # -- Always pull agent container image before build alwaysPullImage: false # When using Pod Security Admission in the Agents namespace with the restricted Pod Security Standard, # the jnlp container cannot be scheduled without overriding its container definition with a securityContext. # This option allows to automatically inject in the jnlp container a securityContext # that is suitable for the use of the restricted Pod Security Standard. # -- Set a restricted securityContext on jnlp containers restrictedPssSecurityContext: false # Controls how agent pods are retained after the Jenkins build completes # Possible values: Always, Never, OnFailure podRetention: "Never" # Disable if you do not want the Yaml the agent pod template to show up # in the job Console Output. This can be helpful for either security reasons # or simply to clean up the output to make it easier to read. showRawYaml: true # You can define the volumes that you want to mount for this container # Allowed types are: ConfigMap, EmptyDir, EphemeralVolume, HostPath, Nfs, PVC, Secret # Configure the attributes as they appear in the corresponding Java class for that type # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes # -- Additional volumes volumes: [] # - type: ConfigMap # configMapName: myconfigmap # mountPath: /var/myapp/myconfigmap # - type: EmptyDir # mountPath: /var/myapp/myemptydir # memory: false # - type: EphemeralVolume # mountPath: /var/myapp/myephemeralvolume # accessModes: ReadWriteOnce # requestsSize: 10Gi # storageClassName: mystorageclass # - type: HostPath # hostPath: /var/lib/containers # mountPath: /var/myapp/myhostpath # - type: Nfs # mountPath: /var/myapp/mynfs # readOnly: false # serverAddress: "192.0.2.0" # serverPath: /var/lib/containers # - type: PVC # claimName: mypvc # mountPath: /var/myapp/mypvc # readOnly: false # - type: Secret # defaultMode: "600" # mountPath: /var/myapp/mysecret # secretName: mysecret # Pod-wide environment, these vars are visible to any container in the agent pod # You can define the workspaceVolume that you want to mount for this container # Allowed types are: DynamicPVC, EmptyDir, EphemeralVolume, HostPath, Nfs, PVC # Configure the attributes as they appear in the corresponding Java class for that type # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes/workspace # -- Workspace volume (defaults to EmptyDir) workspaceVolume: {} ## DynamicPVC example # - type: DynamicPVC # configMapName: myconfigmap ## EmptyDir example # - type: EmptyDir # memory: false ## EphemeralVolume example # - type: EphemeralVolume # accessModes: ReadWriteOnce # requestsSize: 10Gi # storageClassName: mystorageclass ## HostPath example # - type: HostPath # hostPath: /var/lib/containers ## NFS example # - type: Nfs # readOnly: false # serverAddress: "192.0.2.0" # serverPath: /var/lib/containers ## PVC example # - type: PVC # claimName: mypvc # readOnly: false # Pod-wide environment, these vars are visible to any container in the agent pod # -- Environment variables for the agent Pod envVars: [] # - name: PATH # value: /usr/local/bin # -- Mount a secret as environment variable secretEnvVars: [] # - key: PATH # optional: false # default: false # secretKey: MY-K8S-PATH # secretName: my-k8s-secret # -- Node labels for pod assignment nodeSelector: {} # Key Value selectors. Ex: # nodeSelector # jenkins-agent: v1 # -- Command to execute when side container starts command: # -- Arguments passed to command to execute args: "${computer.jnlpmac} ${computer.name}" # -- Side container name sideContainerName: "jnlp" # Doesn't allocate pseudo TTY by default # -- Allocate pseudo tty to the side container TTYEnabled: false # -- Max number of agents to launch containerCap: 10 # -- Agent Pod base name podName: "default" # Enables garbage collection of orphan pods for this Kubernetes cloud. (beta) garbageCollection: # -- When enabled, Jenkins will periodically check for orphan pods that have not been touched for the given timeout period and delete them. enabled: false # -- Namespaces to look at for garbage collection, in addition to the default namespace defined for the cloud. One namespace per line. namespaces: "" # namespaces: |- # namespaceOne # namespaceTwo # -- Timeout value for orphaned pods timeout: 300 # -- Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it idleMinutes: 0 # The raw yaml of a Pod API Object, for example, this allows usage of toleration for agent pods. # https://github.com/jenkinsci/kubernetes-plugin#using-yaml-to-define-pod-templates # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ # -- The raw yaml of a Pod API Object to merge into the agent spec yamlTemplate: "" # yamlTemplate: |- # apiVersion: v1 # kind: Pod # spec: # tolerations: # - key: "key" # operator: "Equal" # value: "value" # -- Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override" yamlMergeStrategy: "override" # -- Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one inheritYamlMergeStrategy: false # -- Timeout in seconds for an agent to be online connectTimeout: 100 # -- Annotations to apply to the pod annotations: {} # Containers specified here are added to all agents. Set key empty to remove container from additional agents. # -- Add additional containers to the agents additionalContainers: [] # - sideContainerName: dind # image: # repository: docker # tag: dind # command: dockerd-entrypoint.sh # args: "" # privileged: true # resources: # requests: # cpu: 500m # memory: 1Gi # limits: # cpu: 1 # memory: 2Gi # Useful when configuring agents only with the podTemplates value, since the default podTemplate populated by values mentioned above will be excluded in the rendered template. # -- Disable the default Jenkins Agent configuration disableDefaultAgent: false # Below is the implementation of custom pod templates for the default configured kubernetes cloud. # Add a key under podTemplates for each pod template. Each key (prior to | character) is just a label, and can be any value. # Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label # characters: lowercase letters, numbers, and hyphens. Each pod template can contain multiple containers. # For this pod templates configuration to be loaded, the following values must be set: # controller.JCasC.defaultConfig: true # Best reference is https:///configuration-as-code/reference#Cloud-kubernetes. The example below creates a python pod template. # -- Configures extra pod templates for the default kubernetes cloud podTemplates: {} # python: | # - name: python # label: jenkins-python # serviceAccount: jenkins # containers: # - name: python # image: python:3 # command: "/bin/sh -c" # args: "cat" # ttyEnabled: true # privileged: true # resourceRequestCpu: "400m" # resourceRequestMemory: "512Mi" # resourceLimitCpu: "1" # resourceLimitMemory: "1024Mi" # Inherits all values from `agent` so you only need to specify values which differ # -- Configure additional additionalAgents: {} # maven: # podName: maven # customJenkinsLabels: maven # # An example of overriding the jnlp container # # sideContainerName: jnlp # image: # repository: jenkins/jnlp-agent-maven # tag: latest # python: # podName: python # customJenkinsLabels: python # sideContainerName: python # image: # repository: python # tag: "3" # command: "/bin/sh -c" # args: "cat" # TTYEnabled: true # Here you can add additional clouds # They inherit all values from the default cloud (including the main agent), so # you only need to specify values which differ. If you want to override # default additionalAgents with the additionalClouds.additionalAgents set # additionalAgentsOverride to `true`. additionalClouds: {} # remote-cloud-1: # kubernetesURL: https://api.remote-cloud.com # additionalAgentsOverride: true # additionalAgents: # maven-2: # podName: maven-2 # customJenkinsLabels: maven # # An example of overriding the jnlp container # # sideContainerName: jnlp # image: # repository: jenkins/jnlp-agent-maven # tag: latest # namespace: my-other-maven-namespace # remote-cloud-2: # kubernetesURL: https://api.remote-cloud.com persistence: # -- Enable the use of a Jenkins PVC enabled: true # A manually managed Persistent Volume and Claim # Requires persistence.enabled: true # If defined, PVC must be created manually before volume will be bound # -- Provide the name of a PVC existingClaim: # jenkins data Persistent Volume Storage Class # If defined, storageClassName: # If set to "-", storageClassName: "", which disables dynamic provisioning # If undefined (the default) or set to null, no storageClassName spec is # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS & OpenStack) # -- Storage class for the PVC storageClass: # -- Annotations for the PVC annotations: {} # -- Labels for the PVC labels: {} # -- The PVC access mode accessMode: "ReadWriteOnce" # -- The size of the PVC size: "8Gi" # ref: https://kubernetes.io/docs/concepts/storage/volume-pvc-datasource/ # -- Existing data source to clone PVC from dataSource: {} # name: PVC-NAME # kind: PersistentVolumeClaim # -- SubPath for jenkins-home mount subPath: # -- Additional volumes volumes: [] # - name: nothing # emptyDir: {} # -- Additional mounts mounts: [] # - mountPath: /var/nothing # name: nothing # readOnly: true networkPolicy: # -- Enable the creation of NetworkPolicy resources enabled: false # For Kubernetes v1.4, v1.5 and v1.6, use 'extensions/v1beta1' # For Kubernetes v1.7, use 'networking.k8s.io/v1' # -- NetworkPolicy ApiVersion apiVersion: networking.k8s.io/v1 # You can allow agents to connect from both within the cluster (from within specific/all namespaces) AND/OR from a given external IP range internalAgents: # -- Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels allowed: true # -- A map of labels (keys/values) that agent pods must have to be able to connect to controller podLabels: {} # -- A map of labels (keys/values) that agents namespaces must have to be able to connect to controller namespaceLabels: {} # project: myproject externalAgents: # -- The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 ipCIDR: # -- A list of IP sub-ranges to be excluded from the allowlisted IP range except: [] # - 172.17.1.0/24 ## Install Default RBAC roles and bindings rbac: # -- Whether RBAC resources are created create: true # -- Whether the Jenkins service account should be able to read Kubernetes secrets readSecrets: false serviceAccount: # -- Configures if a ServiceAccount with this name should be created create: true # The name of the ServiceAccount is autogenerated by default # -- The name of the ServiceAccount to be used by access-controlled resources name: # -- Configures annotations for the ServiceAccount annotations: {} # -- Configures extra labels for the ServiceAccount extraLabels: {} # -- Controller ServiceAccount image pull secret imagePullSecretName: serviceAccountAgent: # -- Configures if an agent ServiceAccount should be created create: false # If not set and create is true, a name is generated using the fullname template # -- The name of the agent ServiceAccount to be used by access-controlled resources name: # -- Configures annotations for the agent ServiceAccount annotations: {} # -- Configures extra labels for the agent ServiceAccount extraLabels: {} # -- Agent ServiceAccount image pull secret imagePullSecretName: # -- Checks if any deprecated values are used checkDeprecation: true awsSecurityGroupPolicies: enabled: false policies: - name: "" securityGroupIds: [] podSelector: {} # Here you can configure unit tests values when executing the helm unittest in the CONTRIBUTING.md helmtest: # A testing framework for bash bats: # Bash Automated Testing System (BATS) image: # -- Registry of the image used to test the framework registry: "docker.io" # -- Repository of the image used to test the framework repository: "bats/bats" # -- Tag of the image to test the framework tag: "1.11.0"