diff --git a/charts/kubezero-addons/README.md b/charts/kubezero-addons/README.md
index 8a3a92a..23394be 100644
--- a/charts/kubezero-addons/README.md
+++ b/charts/kubezero-addons/README.md
@@ -1,6 +1,6 @@
 # kubezero-addons
-![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.26](https://img.shields.io/badge/AppVersion-v1.26-informational?style=flat-square)
+![Version: 0.8.2](https://img.shields.io/badge/Version-0.8.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.26](https://img.shields.io/badge/AppVersion-v1.26-informational?style=flat-square)
 KubeZero umbrella chart for various optional cluster addons
@@ -18,10 +18,10 @@ Kubernetes: `>= 1.26.0`
 | Repository | Name | Version |
 |------------|------|---------|
-| https://bitnami-labs.github.io/sealed-secrets | sealed-secrets | 2.12.0 |
-| https://falcosecurity.github.io/charts | falco-control-plane(falco) | 3.5.0 |
-| https://kubernetes-sigs.github.io/external-dns/ | external-dns | 1.13.0 |
-| https://kubernetes.github.io/autoscaler | cluster-autoscaler | 9.29.1 |
+| https://bitnami-labs.github.io/sealed-secrets | sealed-secrets | 2.13.0 |
+| https://falcosecurity.github.io/charts | falco-control-plane(falco) | 3.7.1 |
+| https://kubernetes-sigs.github.io/external-dns/ | external-dns | 1.13.1 |
+| https://kubernetes.github.io/autoscaler | cluster-autoscaler | 9.29.3 |
 | https://nvidia.github.io/k8s-device-plugin | nvidia-device-plugin | 0.14.1 |
 | https://twin.github.io/helm-charts | aws-eks-asg-rolling-update-handler | 1.4.0 |
 | oci://public.ecr.aws/aws-ec2/helm | aws-node-termination-handler | 0.22.0 |
@@ -161,6 +161,8 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
 | forseti.image.name | string | `"public.ecr.aws/zero-downtime/forseti"` | |
 | forseti.image.tag | string | `"v0.1.2"` | |
 | fuseDevicePlugin.enabled | bool | `false` | |
+| fuseDevicePlugin.image.name | string | `"public.ecr.aws/zero-downtime/fuse-device-plugin"` | |
+| fuseDevicePlugin.image.tag | string | `"1.2.0"` | |
 | nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key | string | `"node.kubernetes.io/instance-type"` | |
 | nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator | string | `"In"` | |
 | nvidia-device-plugin.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0] | string | `"g5.xlarge"` | |
diff --git a/charts/kubezero-addons/templates/cluster-backup/cronjob.yaml b/charts/kubezero-addons/templates/cluster-backup/cronjob.yaml
index d9df512..6b668b8 100644
--- a/charts/kubezero-addons/templates/cluster-backup/cronjob.yaml
+++ b/charts/kubezero-addons/templates/cluster-backup/cronjob.yaml
@@ -54,6 +54,7 @@ spec:
 emptyDir: {}
 nodeSelector:
 node-role.kubernetes.io/control-plane: ""
+ priorityClassName: system-cluster-critical
 tolerations:
 - key: node-role.kubernetes.io/control-plane
 effect: NoSchedule
diff --git a/charts/kubezero-addons/templates/device-plugins/aws-neuron-ds.yaml b/charts/kubezero-addons/templates/device-plugins/aws-neuron-ds.yaml
index e785cb2..b36fafc 100644
--- a/charts/kubezero-addons/templates/device-plugins/aws-neuron-ds.yaml
+++ b/charts/kubezero-addons/templates/device-plugins/aws-neuron-ds.yaml
@@ -12,8 +12,6 @@ spec:
 type: RollingUpdate
 template:
 metadata:
- annotations:
- scheduler.alpha.kubernetes.io/critical-pod: ""
 labels:
 name: neuron-device-plugin-ds
 spec:
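Review bot: The aws-neuron-ds.yaml hunk drops the long-deprecated `scheduler.alpha.kubernetes.io/critical-pod` annotation but, unlike the cronjob and forseti hunks in this commit, adds no `priorityClassName` in its place, so the DaemonSet may lose its critical scheduling treatment unless the pod spec already sets one. If it does not, add `priorityClassName: system-node-critical` under `spec:` as the fuse-device-plugin hunk does. The pod `spec:` begins on the hunk's last line and continues outside it, so this cannot be confirmed from the diff alone.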
diff --git a/charts/kubezero-addons/templates/device-plugins/fuse-device-plugin.yaml b/charts/kubezero-addons/templates/device-plugins/fuse-device-plugin.yaml
index 053c283..89b62eb 100644
--- a/charts/kubezero-addons/templates/device-plugins/fuse-device-plugin.yaml
+++ b/charts/kubezero-addons/templates/device-plugins/fuse-device-plugin.yaml
@@ -13,9 +13,15 @@ spec:
 labels:
 name: fuse-device-plugin
 spec:
- hostNetwork: true
+ priorityClassName: system-node-critical
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - key: kubezero-workergroup
+ effect: NoSchedule
+ operator: Exists
 containers:
- - image: public.ecr.aws/zero-downtime/fuse-device-plugin:v1.1.0
+ - image: "{{ .Values.fuseDevicePlugin.image.name }}:{{ .Values.fuseDevicePlugin.image.tag }}"
 # imagePullPolicy: Always
 name: fuse-device-plugin
 securityContext:
diff --git a/charts/kubezero-addons/templates/forseti/deployment.yaml b/charts/kubezero-addons/templates/forseti/deployment.yaml
index 1fddc7b..0b6bd1d 100644
--- a/charts/kubezero-addons/templates/forseti/deployment.yaml
+++ b/charts/kubezero-addons/templates/forseti/deployment.yaml
@@ -71,6 +71,7 @@ spec:
 tolerations:
 - key: node-role.kubernetes.io/control-plane
 effect: NoSchedule
+ priorityClassName: system-cluster-critical
 volumes:
 - name: aws-token
 projected:
diff --git a/charts/kubezero-addons/values.yaml b/charts/kubezero-addons/values.yaml
index 004c3e1..ca5e10f 100644
--- a/charts/kubezero-addons/values.yaml
+++ b/charts/kubezero-addons/values.yaml
@@ -140,6 +140,9 @@ aws-node-termination-handler:
 fuseDevicePlugin:
 enabled: false
+ image:
+ name: public.ecr.aws/zero-downtime/fuse-device-plugin
+ tag: v1.2.0
 awsNeuron:
 enabled: false
diff --git a/charts/kubezero-auth/Chart.yaml b/charts/kubezero-auth/Chart.yaml
index 4b7e584..4276229 100644
--- a/charts/kubezero-auth/Chart.yaml
+++ b/charts/kubezero-auth/Chart.yaml
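Review bot: In the kubezero-addons values.yaml hunk `tag: v1.2.0` disagrees with the README row this same commit adds, `fuseDevicePlugin.image.tag` documented as `"1.2.0"`; since the template previously pinned `public.ecr.aws/zero-downtime/fuse-device-plugin:v1.1.0`, the `v`-prefixed value is presumably the intended one and the generated README is stale. Regenerate the README (the table looks helm-docs generated) so the documented default matches what the template renders. Consider also quoting the tag, `tag: "v1.2.0"`, so a future numeric-looking override such as `1.2` is not retyped as a float by YAML before Helm concatenates it into the image reference.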
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-auth
 description: KubeZero umbrella chart for all things Authentication and Identity management
 type: application
-version: 0.4.0
+version: 0.4.1
 appVersion: 22.0.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
diff --git a/charts/kubezero-auth/docs/keycloak.md b/charts/kubezero-auth/docs/keycloak.md
new file mode 100644
index 0000000..60c9540
--- /dev/null
+++ b/charts/kubezero-auth/docs/keycloak.md
@@ -0,0 +1,14 @@
+# Abstract
+
+## IdP
+
+### AWS
+
+Get client descriptor for your realm and client via:
+`wget https:///realms//protocol/saml/descriptor`
+
+# Resources
+
+## AWS
+- https://aws.amazon.com/blogs/business-intelligence/federate-amazon-quicksight-access-with-open-source-identity-provider-keycloak/
+- https://docs.aws.amazon.com/singlesignon/latest/userguide/troubleshooting.html#issue8
diff --git a/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml b/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml
index b0b5e90..2b4b527 100644
--- a/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml
+++ b/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml
@@ -1,8 +1,8 @@
-{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled }}
+{{- if and .Values.keycloak.enabled .Values.keycloak.istio.admin.enabled }}
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
- name: {{ .Release.Name }}-keycloak-deny-not-in-ipblocks
+ name: {{ .Release.Name }}-keycloak-admin-deny-not-in-ipblocks
 namespace: istio-system
 labels:
 {{- include "kubezero-lib.labels" $ | nindent 4 }}
@@ -15,20 +15,20 @@ spec:
 # block access to metrics via Ingress
 - to:
 - operation:
- hosts: ["{{ .Values.keycloak.istio.url }}"]
- paths: ["/auth/realms/master/metrics"]
+ hosts: ["{{ .Values.keycloak.istio.admin.url }}"]
+ paths: ["/metrics", "/realms/*/metrics"]
 when:
 - key: connection.sni
 values:
 - '*'
- {{- if .Values.keycloak.istio.ipBlocks }}
+ {{- if .Values.keycloak.istio.admin.ipBlocks }}
 - from:
 - source:
 notIpBlocks:
- {{- toYaml .Values.keycloak.istio.ipBlocks | nindent 8 }}
+ {{- toYaml .Values.keycloak.istio.admin.ipBlocks | nindent 8 }}
 to:
 - operation:
- hosts: ["{{ .Values.keycloak.istio.url }}"]
+ hosts: ["{{ .Values.keycloak.istio.admin.url }}"]
 when:
 - key: connection.sni
 values:
diff --git a/charts/kubezero-auth/templates/keycloak/istio-service.yaml b/charts/kubezero-auth/templates/keycloak/istio-service.yaml
index c2dea0f..fe9ca50 100644
--- a/charts/kubezero-auth/templates/keycloak/istio-service.yaml
+++ b/charts/kubezero-auth/templates/keycloak/istio-service.yaml
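Review bot: The metrics deny rule in this hunk now lists only `hosts: ["{{ .Values.keycloak.istio.admin.url }}"]`, but the new `auth` VirtualService added later in this commit routes `^/realms/.*` on `.Values.keycloak.istio.auth.url`, so `/realms/<realm>/metrics` stays reachable through the public auth host whenever the deployment serves realm metrics on the application port. Add the auth host to the rule, guarded by `.Values.keycloak.istio.auth.enabled`, e.g. `hosts: ["{{ .Values.keycloak.istio.admin.url }}", "{{ .Values.keycloak.istio.auth.url }}"]`. Separately, Istio AuthorizationPolicy `paths` document only prefix (`/x*`), suffix (`*x`) and presence (`*`) wildcards, so the mid-path `*` in `/realms/*/metrics` may be treated as a literal on the Istio version in use; verify it matches, or use a `{*}` path template where the installed release supports it. The enclosing `rules` list starts before this hunk.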
@@ -1,18 +1,44 @@
-{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled .Values.keycloak.istio.url }}
+{{- if and .Values.keycloak.enabled .Values.keycloak.istio.admin.enabled .Values.keycloak.istio.admin.url }}
+# Admin endpoint / all URLs allowed
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
- name: {{ template "kubezero-lib.fullname" $ }}
+ name: {{ template "kubezero-lib.fullname" $ }}-admin
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "kubezero-lib.labels" $ | nindent 4 }}
 spec:
 gateways:
- - {{ .Values.keycloak.istio.gateway }}
+ - {{ .Values.keycloak.istio.admin.gateway }}
 hosts:
- - {{ .Values.keycloak.istio.url }}
+ - {{ .Values.keycloak.istio.admin.url }}
 http:
 - route:
 - destination:
 host: {{ template "kubezero-lib.fullname" $ }}-keycloak
 {{- end }}
+
+---
+
+{{- if and .Values.keycloak.enabled .Values.keycloak.istio.auth.enabled .Values.keycloak.istio.auth.url }}
+# auth endpoint - only expose minimal URls
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: {{ template "kubezero-lib.fullname" $ }}-auth
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kubezero-lib.labels" $ | nindent 4 }}
+spec:
+ gateways:
+ - {{ .Values.keycloak.istio.auth.gateway }}
+ hosts:
+ - {{ .Values.keycloak.istio.auth.url }}
+ http:
+ - match:
+ - uri:
+ regex: ^/(js/|realms/|resources/|robots.txt).*
+ route:
+ - destination:
+ host: {{ template "kubezero-lib.fullname" $ }}-keycloak
+{{- end }}
diff --git a/charts/kubezero-auth/values.yaml b/charts/kubezero-auth/values.yaml
index b8d7c79..807bc83 100644
--- a/charts/kubezero-auth/values.yaml
+++ b/charts/kubezero-auth/values.yaml
@@ -38,6 +38,11 @@ keycloak:
 replicaCount: 0
 istio:
- enabled: false
- gateway: istio-ingress/private-ingressgateway
- url: ""
+ admin:
+ enabled: false
+ gateway: istio-ingress/private-ingressgateway
+ url: ""
+ auth:
+ enabled: false
+ gateway: istio-ingress/ingressgateway
+ url: ""
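Review bot: The `auth` VirtualService's `regex: ^/(js/|realms/|resources/|robots.txt).*` publishes every realm on the public `auth` gateway, including `master`, whose endpoints are typically used only by the admin console that this split is meant to keep on the private `admin` gateway; the unescaped `.` in `robots.txt` is also a wildcard. Istio's RE2 engine has no negative lookahead, so either enumerate the realms meant to be public in the regex or place a preceding `match` on `^/realms/master/.*` returning a direct 404 ahead of this route, and write `robots\.txt`. The comment `# auth endpoint - only expose minimal URls` also has a typo (`URLs`).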
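Review bot: The kubezero-auth values.yaml hunk moves `keycloak.istio.enabled`, `gateway` and `url` under `keycloak.istio.admin` with no fallback, while the Chart.yaml hunk in this commit bumps only 0.4.0 to 0.4.1. Because the templates now guard on `.Values.keycloak.istio.admin.enabled`, a user still passing the old keys gets no VirtualService and no AuthorizationPolicy rendered, silently losing the ingress instead of failing loudly. Bump the minor version and document the rename (the new docs/keycloak.md would be a natural place), or keep a one-release fallback in the templates such as `{{- $istio := .Values.keycloak.istio.admin | default .Values.keycloak.istio }}`.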
diff --git a/charts/kubezero-ci/Chart.yaml b/charts/kubezero-ci/Chart.yaml
index a4f2054..192e542 100644
--- a/charts/kubezero-ci/Chart.yaml
+++ b/charts/kubezero-ci/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-ci
 description: KubeZero umbrella chart for all things CI
 type: application
-version: 0.7.4
+version: 0.8.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
diff --git a/charts/kubezero-ci/README.md b/charts/kubezero-ci/README.md
index 0269a38..9797012 100644
--- a/charts/kubezero-ci/README.md
+++ b/charts/kubezero-ci/README.md
@@ -1,6 +1,6 @@
 # kubezero-ci
-![Version: 0.6.3](https://img.shields.io/badge/Version-0.6.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.7.3](https://img.shields.io/badge/Version-0.7.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 KubeZero umbrella chart for all things CI
@@ -14,15 +14,15 @@ KubeZero umbrella chart for all things CI
 ## Requirements
-Kubernetes: `>= 1.24.0`
+Kubernetes: `>= 1.25.0`
 | Repository | Name | Version |
 |------------|------|---------|
 | https://aquasecurity.github.io/helm-charts/ | trivy | 0.7.0 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
-| https://charts.jenkins.io | jenkins | 4.3.24 |
-| https://dl.gitea.io/charts/ | gitea | 8.3.0 |
-| https://gocd.github.io/helm-chart | gocd | 1.40.8 |
+| https://charts.jenkins.io | jenkins | 4.6.4 |
+| https://dl.gitea.io/charts/ | gitea | 9.4.0 |
+| https://docs.renovatebot.com/helm-charts | renovate | 36.93.5 |
 # Jenkins - default build retention 10 builds, 32days
@@ -52,31 +52,29 @@ Kubernetes: `>= 1.24.0`
 | gitea.gitea.admin.existingSecret | string | `"gitea-admin-secret"` | |
 | gitea.gitea.config.cache.ADAPTER | string | `"memory"` | |
 | gitea.gitea.config.database.DB_TYPE | string | `"sqlite3"` | |
+| gitea.gitea.config.queue.TYPE | string | `"level"` | |
+| gitea.gitea.config.session.PROVIDER | string | `"memory"` | |
 | gitea.gitea.demo | bool | `false` | |
 | gitea.gitea.metrics.enabled | bool | `false` | |
 | gitea.gitea.metrics.serviceMonitor.enabled | bool | `true` | |
-| gitea.image.rootless | bool | `true` | |
 | gitea.istio.enabled | bool | `false` | |
 | gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
 | gitea.istio.url | string | `"git.example.com"` | |
-| gitea.mariadb.enabled | bool | `false` | |
-| gitea.memcached.enabled | bool | `false` | |
-| gitea.mysql.enabled | bool | `false` | |
+| gitea.persistence.create | bool | `false` | |
 | gitea.persistence.enabled | bool | `true` | |
+| gitea.persistence.mount | bool | `true` | |
 | gitea.persistence.size | string | `"4Gi"` | |
+| gitea.postgresql-ha.enabled | bool | `false` | |
 | gitea.postgresql.enabled | bool | `false` | |
+| gitea.redis-cluster.enabled | bool | `false` | |
+| gitea.repliaCount | int | `1` | |
 | gitea.resources.limits.memory | string | `"2048Mi"` | |
 | gitea.resources.requests.cpu | string | `"150m"` | |
 | gitea.resources.requests.memory | string | `"320Mi"` | |
 | gitea.securityContext.allowPrivilegeEscalation | bool | `false` | |
 | gitea.securityContext.capabilities.add[0] | string | `"SYS_CHROOT"` | |
 | gitea.securityContext.capabilities.drop[0] | string | `"ALL"` | |
-| gocd.enabled | bool | `false` | |
-| gocd.istio.enabled | bool | `false` | |
-| gocd.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
-| gocd.istio.url | string | `""` | |
-| gocd.server.ingress.enabled | bool | `false` | |
-| gocd.server.service.type | string | `"ClusterIP"` | |
+| gitea.strategy.type | string | `"Recreate"` | |
 | jenkins.agent.annotations."container.apparmor.security.beta.kubernetes.io/jnlp" | string | `"unconfined"` | |
 | jenkins.agent.containerCap | int | `2` | |
 | jenkins.agent.customJenkinsLabels[0] | string | `"podman-aws-trivy"` | |
@@ -89,27 +87,28 @@ Kubernetes: `>= 1.24.0`
 | jenkins.agent.resources.requests.cpu | string | `""` | |
 | jenkins.agent.resources.requests.memory | string | `""` | |
 | jenkins.agent.showRawYaml | bool | `false` | |
-| jenkins.agent.tag | string | `"v0.4.2"` | |
+| jenkins.agent.tag | string | `"v0.4.3"` | |
 | jenkins.agent.yamlMergeStrategy | string | `"merge"` | |
 | jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n securityContext:\n fsGroup: 1000\n serviceAccountName: jenkins-podman-aws\n containers:\n - name: jnlp\n resources:\n requests:\n cpu: \"512m\"\n memory: \"1024Mi\"\n limits:\n cpu: \"4\"\n memory: \"6144Mi\"\n github.com/fuse: 1\n volumeMounts:\n - name: aws-token\n mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n readOnly: true\n - name: host-registries-conf\n mountPath: \"/home/jenkins/.config/containers/registries.conf\"\n readOnly: true\n volumes:\n - name: aws-token\n projected:\n sources:\n - serviceAccountToken:\n path: token\n expirationSeconds: 86400\n audience: \"sts.amazonaws.com\"\n - name: host-registries-conf\n hostPath:\n path: /etc/containers/registries.conf\n type: File"` | |
-| jenkins.controller.JCasC.configScripts.zdt-settings | string | `"jenkins:\n noUsageStatistics: true\n disabledAdministrativeMonitors:\n - \"jenkins.security.ResourceDomainRecommendation\"\nunclassified:\n buildDiscarders:\n configuredBuildDiscarders:\n - \"jobBuildDiscarder\"\n - defaultBuildDiscarder:\n discarder:\n logRotator:\n artifactDaysToKeepStr: \"32\"\n artifactNumToKeepStr: \"10\"\n daysToKeepStr: \"100\"\n numToKeepStr: \"10\"\n"` | |
+| jenkins.controller.JCasC.configScripts.zdt-settings | string | `"jenkins:\n noUsageStatistics: true\n disabledAdministrativeMonitors:\n - \"jenkins.security.ResourceDomainRecommendation\"\nappearance:\n themeManager:\n disableUserThemes: true\n theme: \"dark\"\nunclassified:\n buildDiscarders:\n configuredBuildDiscarders:\n - \"jobBuildDiscarder\"\n - defaultBuildDiscarder:\n discarder:\n logRotator:\n artifactDaysToKeepStr: \"32\"\n artifactNumToKeepStr: \"10\"\n daysToKeepStr: \"100\"\n numToKeepStr: \"10\"\n"` | |
 | jenkins.controller.disableRememberMe | bool | `true` | |
 | jenkins.controller.enableRawHtmlMarkupFormatter | bool | `true` | |
 | jenkins.controller.initContainerResources.limits.memory | string | `"1024Mi"` | |
 | jenkins.controller.initContainerResources.requests.cpu | string | `"50m"` | |
 | jenkins.controller.initContainerResources.requests.memory | string | `"256Mi"` | |
-| jenkins.controller.installPlugins[0] | string | `"kubernetes:3937.vd7b_82db_e347b_"` | |
-| jenkins.controller.installPlugins[10] | string | `"build-discarder:139.v05696a_7fe240"` | |
-| jenkins.controller.installPlugins[11] | string | `"dark-theme:315.va_22e7d692ea_a"` | |
-| jenkins.controller.installPlugins[1] | string | `"workflow-aggregator:581.v0c46fa_697ffd"` | |
-| jenkins.controller.installPlugins[2] | string | `"git:5.1.0"` | |
-| jenkins.controller.installPlugins[3] | string | `"basic-branch-build-strategies:71.vc1421f89888e"` | |
-| jenkins.controller.installPlugins[4] | string | `"pipeline-graph-view:183.v9e27732d970f"` | |
-| jenkins.controller.installPlugins[5] | string | `"pipeline-stage-view:2.32"` | |
-| jenkins.controller.installPlugins[6] | string | `"configuration-as-code:1647.ve39ca_b_829b_42"` | |
-| jenkins.controller.installPlugins[7] | string | `"antisamy-markup-formatter:159.v25b_c67cd35fb_"` | |
-| jenkins.controller.installPlugins[8] | string | `"prometheus:2.2.3"` | |
-| jenkins.controller.installPlugins[9] | string | `"htmlpublisher:1.31"` | |
+| jenkins.controller.installPlugins[0] | string | `"kubernetes"` | |
+| jenkins.controller.installPlugins[10] | string | `"htmlpublisher"` | |
+| jenkins.controller.installPlugins[11] | string | `"build-discarder"` | |
+| jenkins.controller.installPlugins[12] | string | `"dark-theme"` | |
+| jenkins.controller.installPlugins[1] | string | `"kubernetes-credentials-provider"` | |
+| jenkins.controller.installPlugins[2] | string | `"workflow-aggregator"` | |
+| jenkins.controller.installPlugins[3] | string | `"git"` | |
+| jenkins.controller.installPlugins[4] | string | `"basic-branch-build-strategies"` | |
+| jenkins.controller.installPlugins[5] | string | `"pipeline-graph-view"` | |
+| jenkins.controller.installPlugins[6] | string | `"pipeline-stage-view"` | |
+| jenkins.controller.installPlugins[7] | string | `"configuration-as-code"` | |
+| jenkins.controller.installPlugins[8] | string | `"antisamy-markup-formatter"` | |
+| jenkins.controller.installPlugins[9] | string | `"prometheus"` | |
 | jenkins.controller.javaOpts | string | `"-XX:+UseContainerSupport -XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` | |
 | jenkins.controller.jenkinsOpts | string | `"--sessionTimeout=300 --sessionEviction=10800"` | |
 | jenkins.controller.prometheus.enabled | bool | `false` | |
@@ -132,6 +131,13 @@ Kubernetes: `>= 1.24.0`
 | jenkins.rbac.readSecrets | bool | `true` | |
 | jenkins.serviceAccountAgent.create | bool | `true` | |
 | jenkins.serviceAccountAgent.name | string | `"jenkins-podman-aws"` | |
+| renovate.cronjob.concurrencyPolicy | string | `"Forbid"` | |
+| renovate.cronjob.jobBackoffLimit | int | `3` | |
+| renovate.cronjob.schedule | string | `"0 3 * * *"` | |
+| renovate.cronjob.successfulJobsHistoryLimit | int | `1` | |
+| renovate.enabled | bool | `false` | |
+| renovate.env.LOG_FORMAT | string | `"json"` | |
+| renovate.securityContext.fsGroup | int | `1000` | |
 | trivy.enabled | bool | `false` | |
 | trivy.image.tag | string | `"0.42.0"` | |
 | trivy.persistence.enabled | bool | `true` | |
diff --git a/charts/kubezero-ci/templates/gitea/istio-service.yaml b/charts/kubezero-ci/templates/gitea/istio-service.yaml
index 9da1b7a..9d92ada 100644
--- a/charts/kubezero-ci/templates/gitea/istio-service.yaml
+++ b/charts/kubezero-ci/templates/gitea/istio-service.yaml
@@ -12,6 +12,15 @@ spec:
 hosts:
 - {{ .Values.gitea.istio.url }}
 http:
+ {{- if .Values.gitea.istio.authProvider }}
+ # https://github.com/go-gitea/gitea/issues/13606
+ - match:
+ - uri:
+ regex: ^/user/login.*
+ redirect:
+ uri: /user/oauth2/{{ .Values.gitea.istio.authProvider }}
+ redirectCode: 302
+ {{- end }}
 - route:
 - destination:
 host: gitea-http
diff --git a/charts/kubezero-ci/values.yaml b/charts/kubezero-ci/values.yaml
index 3e17c82..65ddc06 100644
--- a/charts/kubezero-ci/values.yaml
+++ b/charts/kubezero-ci/values.yaml
@@ -105,6 +105,10 @@ jenkins:
 noUsageStatistics: true
 disabledAdministrativeMonitors:
 - "jenkins.security.ResourceDomainRecommendation"
+ appearance:
+ themeManager:
+ disableUserThemes: true
+ theme: "dark"
 unclassified:
 buildDiscarders:
 configuredBuildDiscarders:
@@ -131,6 +135,7 @@ jenkins:
 - htmlpublisher
 - build-discarder
 - dark-theme
+ - matrix-auth
 serviceAccountAgent:
 create: true
@@ -139,14 +144,14 @@ jenkins:
 # Preconfigure agents to use zdt podman requires fuse/overlayfs
 agent:
 image: public.ecr.aws/zero-downtime/jenkins-podman
- tag: v0.4.3
+ tag: v0.4.5
 #alwaysPullImage: true
 podRetention: "Default"
 showRawYaml: false
 podName: "podman-aws"
 customJenkinsLabels:
 - podman-aws-trivy
- idleMinutes: 15
+ idleMinutes: 30
 containerCap: 2
 annotations:
 container.apparmor.security.beta.kubernetes.io/jnlp: unconfined
@@ -228,7 +233,7 @@ jenkins:
 trivy:
 enabled: false
 image:
- tag: 0.42.0
+ tag: 0.45.1
 persistence:
 enabled: true
 size: 1Gi
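Review bot: The `- matrix-auth` entry added in the `@@ -131,6 +135,7 @@` hunk joins an `installPlugins` list that carries no version pins (the README hunk in this commit shows every `installPlugins[*]` entry changed from `name:version` to a bare name), so each chart install resolves whatever plugin version the update center serves that day. That makes controller builds non-reproducible and turns plugin upgrades into unreviewed changes on a controller that is granted `jenkins.rbac.readSecrets: true`. Pin the new entry the way the old list did, `- matrix-auth:<PLUGIN_VERSION placeholder>`, and restore the pins on the existing entries. The list starts before this hunk.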
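Review bot: The `tag: v0.4.5` and trivy `tag: 0.45.1` bumps in the kubezero-ci values.yaml hunks are not reflected in the README regenerated in this same commit, which still documents `jenkins.agent.tag` as `"v0.4.3"`, `trivy.image.tag` as `"0.42.0"` and a Version badge of 0.7.3 against the 0.8.1 now in Chart.yaml; rerun helm-docs after the values edits so the table matches. The same README lists a `gitea.repliaCount` key (outside these hunks), which looks like a misspelling of `replicaCount` in values.yaml; if so the gitea subchart ignores it and the documented value is never applied, so verify the key in values.yaml. Also consider quoting `tag: "0.45.1"`, since an unquoted two-component tag such as `0.45` would be parsed as a float.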