feat: add preconfigured Jenkins to CI module

This commit is contained in:
Stefan Reimer 2022-01-20 00:04:35 +01:00
parent 33017f8aa4
commit 7eda2dc375
12 changed files with 318 additions and 43 deletions


@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-ci
description: KubeZero umbrella chart for all things CI
type: application
version: 0.3.0
version: 0.4.20
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
@ -15,19 +15,23 @@ maintainers:
email: stefan@zero-downtime.net
dependencies:
- name: kubezero-lib
version: ">= 0.1.4"
version: ">= 0.1.5"
repository: https://cdn.zero-downtime.net/charts/
- name: gocd
version: 1.39.4
repository: https://gocd.github.io/helm-chart
condition: gocd.enabled
- name: gitea
version: 4.1.1
version: 5.0.0
repository: https://dl.gitea.io/charts/
condition: gitea.enabled
- name: jenkins
version: 3.9.4
version: 3.10.3
repository: https://charts.jenkins.io
condition: jenkins.enabled
- name: trivy
version: 0.4.9
repository: https://aquasecurity.github.io/helm-charts/
condition: trivy.enabled
kubeVersion: ">= 1.20.0"


@ -1,6 +1,6 @@
# kubezero-ci
![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.4.20](https://img.shields.io/badge/Version-0.4.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero umbrella chart for all things CI
@ -10,22 +10,29 @@ KubeZero umbrella chart for all things CI
| Name | Email | Url |
| ---- | ------ | --- |
| Quarky9 | | |
| Stefan Reimer | stefan@zero-downtime.net | |
## Requirements
Kubernetes: `>= 1.18.0`
Kubernetes: `>= 1.20.0`
| Repository | Name | Version |
|------------|------|---------|
| https://dl.gitea.io/charts/ | gitea | 4.1.1 |
| https://aquasecurity.github.io/helm-charts/ | trivy | 0.4.9 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 |
| https://charts.jenkins.io | jenkins | 3.10.3 |
| https://dl.gitea.io/charts/ | gitea | 5.0.0 |
| https://gocd.github.io/helm-chart | gocd | 1.39.4 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.4 |
# Jenkins
# goCD
# Gitea
## OpenSSH 8.8 RSA disabled
- https://github.com/go-gitea/gitea/issues/17798
## Resources
## Values
@ -34,21 +41,22 @@ Kubernetes: `>= 1.18.0`
|-----|------|---------|-------------|
| gitea.enabled | bool | `false` | |
| gitea.gitea.admin.existingSecret | string | `"gitea-admin-secret"` | |
| gitea.gitea.cache.builtIn.enabled | bool | `false` | |
| gitea.gitea.config.cache.ADAPTER | string | `"memory"` | |
| gitea.gitea.config.database.DB_TYPE | string | `"sqlite3"` | |
| gitea.gitea.database.builtIn.mariadb.enabled | bool | `false` | |
| gitea.gitea.database.builtIn.mysql.enabled | bool | `false` | |
| gitea.gitea.database.builtIn.postgresql.enabled | bool | `false` | |
| gitea.gitea.demo | bool | `false` | |
| gitea.gitea.metrics.enabled | bool | `false` | |
| gitea.gitea.metrics.serviceMonitor.enabled | bool | `false` | |
| gitea.image.rootless | bool | `true` | |
| gitea.image.tag | string | `"1.15.10"` | |
| gitea.istio.enabled | bool | `false` | |
| gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
| gitea.istio.url | string | `""` | |
| gitea.istio.url | string | `"git.example.com"` | |
| gitea.mariadb.enabled | bool | `false` | |
| gitea.memcached.enabled | bool | `false` | |
| gitea.mysql.enabled | bool | `false` | |
| gitea.persistence.enabled | bool | `true` | |
| gitea.persistence.size | string | `"4Gi"` | |
| gitea.postgresql.enabled | bool | `false` | |
| gitea.securityContext.allowPrivilegeEscalation | bool | `false` | |
| gitea.securityContext.capabilities.add[0] | string | `"SYS_CHROOT"` | |
| gitea.securityContext.capabilities.drop[0] | string | `"ALL"` | |
@ -58,4 +66,57 @@ Kubernetes: `>= 1.18.0`
| gocd.istio.url | string | `""` | |
| gocd.server.ingress.enabled | bool | `false` | |
| gocd.server.service.type | string | `"ClusterIP"` | |
| jenkins.agent.alwaysPullImage | bool | `true` | |
| jenkins.agent.annotations."container.apparmor.security.beta.kubernetes.io/jnlp" | string | `"unconfined"` | |
| jenkins.agent.containerCap | int | `4` | |
| jenkins.agent.customJenkinsLabels[0] | string | `"podman-aws-trivy"` | |
| jenkins.agent.idleMinutes | int | `10` | |
| jenkins.agent.image | string | `"public.ecr.aws/zero-downtime/jenkins-podman"` | |
| jenkins.agent.podName | string | `"podman-aws"` | |
| jenkins.agent.podRetention | string | `"Default"` | |
| jenkins.agent.resources.limits.cpu | string | `"1"` | |
| jenkins.agent.resources.limits.memory | string | `"2048Mi"` | |
| jenkins.agent.resources.requests.cpu | string | `"512m"` | |
| jenkins.agent.resources.requests.memory | string | `"512Mi"` | |
| jenkins.agent.showRawYaml | bool | `false` | |
| jenkins.agent.tag | string | `"v0.2.4-2"` | |
| jenkins.agent.yamlMergeStrategy | string | `"merge"` | |
| jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n serviceAccountName: jenkins-podman-aws\n containers:\n - name: jnlp\n resources:\n limits:\n github.com/fuse: 1\n volumeMounts:\n - name: aws-token\n mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n readOnly: true\n volumes:\n - name: aws-token\n projected:\n sources:\n - serviceAccountToken:\n path: token\n expirationSeconds: 86400\n audience: \"sts.amazonaws.com\""` | |
| jenkins.controller.JCasC.configScripts.zdt-settings | string | `"jenkins:\n noUsageStatistics: true\n disabledAdministrativeMonitors:\n - \"jenkins.security.ResourceDomainRecommendation\"\nunclassified:\n buildDiscarders:\n configuredBuildDiscarders:\n - \"jobBuildDiscarder\"\n - defaultBuildDiscarder:\n discarder:\n logRotator:\n artifactDaysToKeepStr: \"32\"\n artifactNumToKeepStr: \"10\"\n daysToKeepStr: \"100\"\n numToKeepStr: \"10\"\n"` | |
| jenkins.controller.disableRememberMe | bool | `true` | |
| jenkins.controller.enableRawHtmlMarkupFormatter | bool | `true` | |
| jenkins.controller.initContainerResources.limits.cpu | string | `"1000m"` | |
| jenkins.controller.initContainerResources.limits.memory | string | `"1024Mi"` | |
| jenkins.controller.initContainerResources.requests.cpu | string | `"50m"` | |
| jenkins.controller.initContainerResources.requests.memory | string | `"256Mi"` | |
| jenkins.controller.installPlugins[0] | string | `"kubernetes:1.31.3"` | |
| jenkins.controller.installPlugins[1] | string | `"workflow-aggregator:2.6"` | |
| jenkins.controller.installPlugins[2] | string | `"git:4.10.3"` | |
| jenkins.controller.installPlugins[3] | string | `"configuration-as-code:1.55.1"` | |
| jenkins.controller.installPlugins[4] | string | `"antisamy-markup-formatter:2.7"` | |
| jenkins.controller.installPlugins[5] | string | `"prometheus:2.0.10"` | |
| jenkins.controller.installPlugins[6] | string | `"htmlpublisher:1.28"` | |
| jenkins.controller.installPlugins[7] | string | `"build-discarder:60.v1747b0eb632a"` | |
| jenkins.controller.javaOpts | string | `"-XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` | |
| jenkins.controller.prometheus.enabled | bool | `false` | |
| jenkins.controller.resources.limits.cpu | string | `"2000m"` | |
| jenkins.controller.resources.limits.memory | string | `"4096Mi"` | |
| jenkins.controller.resources.requests.cpu | string | `"250m"` | |
| jenkins.controller.resources.requests.memory | string | `"1280Mi"` | |
| jenkins.controller.tagLabel | string | `"alpine"` | |
| jenkins.controller.testEnabled | bool | `false` | |
| jenkins.enabled | bool | `false` | |
| jenkins.istio.enabled | bool | `false` | |
| jenkins.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
| jenkins.istio.url | string | `"jenkins.example.com"` | |
| jenkins.istio.webhook.enabled | bool | `false` | |
| jenkins.istio.webhook.gateway | string | `"istio-ingress/ingressgateway"` | |
| jenkins.istio.webhook.url | string | `"jenkins-webhook.example.com"` | |
| jenkins.persistence.size | string | `"4Gi"` | |
| jenkins.serviceAccountAgent.create | bool | `true` | |
| jenkins.serviceAccountAgent.name | string | `"jenkins-podman-aws"` | |
| trivy.enabled | bool | `false` | |
| trivy.persistence.enabled | bool | `true` | |
| trivy.persistence.size | string | `"1Gi"` | |
| trivy.rbac.create | bool | `false` | |
| trivy.rbac.pspEnabled | bool | `false` | |


@ -17,6 +17,11 @@
# goCD
# Gitea
## OpenSSH 8.8 RSA disabled
- https://github.com/go-gitea/gitea/issues/17798
## Resources
{{ template "chart.valuesSection" . }}


@ -0,0 +1,9 @@
configmap: grafana-dashboards
gzip: true
condition: '.Values.jenkins.controller.prometheus.enabled'
folder: KubeZero
dashboards:
- name: Jenkins
url: https://grafana.com/api/dashboards/9964/revisions/1/download
tags:
- CI


@ -0,0 +1,22 @@
{{- if and .Values.gitea.enabled .Values.gitea.istio.enabled .Values.gitea.istio.ipBlocks }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Release.Name }}-deny-not-in-ipblocks
namespace: istio-system
labels:
{{- include "kubezero-lib.labels" $ | nindent 4 }}
spec:
selector:
matchLabels:
app: istio-ingressgateway
action: DENY
rules:
- from:
- source:
notIpBlocks:
{{- toYaml .Values.gitea.istio.ipBlocks | nindent 8 }}
when:
- key: connection.sni
values: ["{{ .Values.gitea.istio.url }}"]
{{- end }}
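Review bot: The metadata name `{{ .Release.Name }}-deny-not-in-ipblocks` is also used by the Jenkins AuthorizationPolicy added in this commit, with the same kind and the same `istio-system` namespace, so a release that sets both `gitea.istio.ipBlocks` and `jenkins.istio.ipBlocks` renders two resources with one identity and Helm will either reject the manifest or let one silently replace the other; suffixing the subchart, e.g. `name: {{ .Release.Name }}-gitea-deny-not-in-ipblocks` (and the Jenkins counterpart likewise), keeps them distinct. `notIpBlocks` is evaluated against the immediate downstream address; if the ingress gateway sits behind a cloud load balancer that does not preserve the client IP, every connection carries the balancer's address and the rule denies either all or no traffic — `notRemoteIpBlocks`, with X-Forwarded-For or proxy protocol configured on the gateway, is the variant that matches the originating client. Placing the policy in `istio-system` presumably relies on that being the mesh root namespace so the `app: istio-ingressgateway` selector reaches gateway pods living in `istio-ingress`; a comment stating that assumption above `namespace: istio-system` would save the next reader the lookup.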


@ -2,10 +2,10 @@
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: {{ include "kubezero-lib.fullname" . }}
name: gitea
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
{{- include "kubezero-lib.labels" $ | nindent 4 }}
spec:
gateways:
- {{ .Values.gitea.istio.gateway }}
@ -15,4 +15,10 @@ spec:
- route:
- destination:
host: gitea-http
tcp:
- match:
- port: 22
route:
- destination:
host: gitea-ssh
{{- end }}
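Review bot: The new `tcp` route on port 22 forwards every connection that reaches the gateway's port 22 to `gitea-ssh`, because TCP routes carry no host or SNI match, and SSH is not TLS so it also falls outside the `connection.sni`-keyed deny policy this commit adds for the HTTPS host — the `ipBlocks` restriction therefore covers the web UI but not git-over-SSH. The route additionally requires the Gateway named in `gitea.istio.gateway` to expose a port-22 server, which nothing in this chart renders. A comment above the `tcp:` block, e.g. `# SSH passthrough: gateway must expose port 22; not covered by the SNI-based AuthorizationPolicy`, would make both facts explicit. The VirtualService body starts in the previous hunk.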


@ -1,4 +1,4 @@
{{- if and .Values.gitea.enabled .Values.gitea.demo }}
{{- if and .Values.gitea.enabled .Values.gitea.gitea.demo }}
apiVersion: v1
kind: Secret
type: Opaque
@ -7,6 +7,6 @@ metadata:
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
data:
username: {{ "admin" | b64enc | quote }}
username: {{ "demo" | b64enc | quote }}
password: {{ "secret" | b64enc | quote }}
{{- end }}
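Review bot: The credentials rendered into this Secret are fixed in the template (`demo` / `secret`), so every cluster that enables `gitea.gitea.demo` gets the same well-known login; a short comment above the `{{- if` line, e.g. `# Fixed demo credentials (demo/secret); intended for throwaway installs only`, would record that where the flag is read. The labels here use `{{ include ... | indent 4 }}` while the other templates touched by this commit use `{{- include ... | nindent 4 }}`; both render, but the `nindent` form matches the rest of the chart.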


@ -0,0 +1,15 @@
{{- if .Values.jenkins.controller.prometheus.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "grafana-dashboards" | trunc 63 | trimSuffix "-" }}
namespace: {{ .Release.Namespace }}
labels:
grafana_dashboard: "1"
{{- include "kubezero-lib.labels" . | nindent 4 }}
annotations:
k8s-sidecar-target-directory: KubeZero
binaryData:
Jenkins.json.gz:
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
{{- end }}


@ -1,18 +1,22 @@
{{- if and .Values.jenkins.enabled .Values.jenkins.istio.enabled .Values.jenkins.istio.allowBlocks }}
{{- if and .Values.jenkins.enabled .Values.jenkins.istio.enabled .Values.jenkins.istio.ipBlocks }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: {{ .Release.Name }}-jenkins-allowlist
namespace: istio-ingress
name: {{ .Release.Name }}-deny-not-in-ipblocks
namespace: istio-system
labels:
{{- include "kubezero-lib.labels" $ | nindent 4 }}
spec:
selector:
matchLabels:
app: istio-ingressgateway
action: DENY
rules:
- from:
- source:
ipBlocks: {{ .Values.jenkins.istio.allowBlocks | toYaml | nindent 8 }}
to:
- operation:
hosts: [{{ .Values.jenkins.istio.url }}]
notIpBlocks:
{{- toYaml .Values.jenkins.istio.ipBlocks | nindent 8 }}
when:
- key: connection.sni
values: ["{{ .Values.jenkins.istio.url }}"]
{{- end }}
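Review bot: Renaming the gate from `.Values.jenkins.istio.allowBlocks` to `.Values.jenkins.istio.ipBlocks` means a values file that still sets `allowBlocks` renders no policy at all after the upgrade, silently dropping the IP restriction it had before; a guard on the line after the `{{- if`, such as `{{- if .Values.jenkins.istio.allowBlocks }}{{- fail "jenkins.istio.allowBlocks was renamed to jenkins.istio.ipBlocks" }}{{- end }}`, turns that into an install-time error instead. The removed policy also scoped by `operation.hosts`, whereas the new one keys on `connection.sni`, so any plain-HTTP request for the host that the gateway still accepts is no longer covered — worth a comment on the `when:` block stating that the policy applies to TLS connections only.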


@ -1,8 +1,8 @@
{{- if and .Values.jenkins.enabled .Values.jenkins.istio.enabled }}
apiVersion: networking.istio.io/v1alpha3
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: {{ .Release.Name }}-jenkins
name: {{ template "kubezero-lib.fullname" (merge (dict "subchart" "jenkins") .) }}
namespace: {{ template "jenkins.namespace" . }}
spec:
hosts:
@ -12,7 +12,36 @@ spec:
http:
- route:
- destination:
host: {{ .Release.Name }}-jenkins
host: {{ template "kubezero-lib.fullname" (merge (dict "subchart" "jenkins") .) }}
port:
number: 8080
{{- if .Values.jenkins.istio.webhook.enabled }}
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: {{ template "kubezero-lib.fullname" (merge (dict "subchart" "jenkins") .) }}-webhook
namespace: {{ template "jenkins.namespace" . }}
spec:
hosts:
- {{ .Values.jenkins.istio.webhook.url }}
gateways:
- {{ .Values.jenkins.istio.webhook.gateway }}
http:
- route:
- destination:
host: {{ template "kubezero-lib.fullname" (merge (dict "subchart" "jenkins") .) }}
port:
number: 8080
match:
- uri:
exact: "/bitbucket-scmsource-hook/notify"
method:
exact: "POST"
- uri:
exact: "/github-webhook/"
method:
exact: "POST"
{{- end }}
{{- end }}
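Review bot: The webhook VirtualService publishes `/github-webhook/` and `/bitbucket-scmsource-hook/notify` on the public `jenkins.istio.webhook.gateway` under a separate host, which the SNI-keyed deny policy for `jenkins.istio.url` does not cover, so these two POST endpoints are reachable from any source address; that is presumably intentional for SCM callbacks, but it leaves request validation entirely to the Jenkins plugins. A comment on the `webhook:` stanza in values.yaml, e.g. `# Exposed on the public gateway; not restricted by istio.ipBlocks`, would make the trade-off visible, and a `remoteIpBlocks` rule limited to the SCM provider's published ranges could be layered on later. Inside the webhook `http` entry the `match` list follows `route`; ordering does not matter to YAML, but `match` first mirrors the Istio documentation and reads more naturally.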

4
charts/kubezero-ci/update.sh Executable file

@ -0,0 +1,4 @@
#!/bin/bash
# Create ZDT dashboard configmap
../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml
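Review bot: The script runs `../kubezero-metrics/sync_grafana_dashboards.py` via a path relative to the caller's working directory and has no error handling, so invoking it from anywhere but `charts/kubezero-ci` fails with an unhelpful "No such file" and a failed sync still exits 0; adding `set -euo pipefail` and `cd "$(dirname "$0")"` directly after the shebang fixes both. The dashboard it embeds comes from an unpinned grafana.com download declared in `dashboards.yaml`, and nothing visible here records a checksum of what was fetched — if the sync helper supports pinning one, use it; otherwise a comment noting that the generated `templates/grafana-dashboards.yaml` must be diff-reviewed on every run is the minimum.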


@ -12,10 +12,12 @@ gocd:
gateway: istio-ingress/private-ingressgateway
url: "" # gocd.example.com
gitea:
enabled: false
image:
tag: 1.15.10
rootless: true
securityContext:
@ -45,27 +47,23 @@ gitea:
config:
database:
DB_TYPE: sqlite3
cache:
ADAPTER: memory
database:
builtIn:
postgresql:
enabled: false
mysql:
enabled: false
mariadb:
enabled: false
cache:
builtIn:
enabled: false
memcached:
enabled: false
postgresql:
enabled: false
mysql:
enabled: false
mariadb:
enabled: false
istio:
enabled: false
gateway: istio-ingress/private-ingressgateway
url: "" # git.example.com
url: git.example.com
jenkins:
enabled: false
@ -76,11 +74,129 @@ jenkins:
prometheus:
enabled: false
testEnabled: false
enableRawHtmlMarkupFormatter: true
# javaOpts: "-Xms512m -Xmx512m"
javaOpts: "-XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""
resources:
requests:
cpu: "250m"
memory: "1280Mi"
limits:
cpu: "2000m"
memory: "4096Mi"
initContainerResources:
requests:
cpu: "50m"
memory: "256Mi"
limits:
cpu: "1000m"
memory: "1024Mi"
JCasC:
configScripts:
zdt-settings: |
jenkins:
noUsageStatistics: true
disabledAdministrativeMonitors:
- "jenkins.security.ResourceDomainRecommendation"
unclassified:
buildDiscarders:
configuredBuildDiscarders:
- "jobBuildDiscarder"
- defaultBuildDiscarder:
discarder:
logRotator:
artifactDaysToKeepStr: "32"
artifactNumToKeepStr: "10"
daysToKeepStr: "100"
numToKeepStr: "10"
installPlugins:
- kubernetes:1.31.3
- workflow-aggregator:2.6
- git:4.10.3
- configuration-as-code:1.55.1
- antisamy-markup-formatter:2.7
- prometheus:2.0.10
- htmlpublisher:1.28
- build-discarder:60.v1747b0eb632a
serviceAccountAgent:
create: true
name: jenkins-podman-aws
# Preconfigure agents to use zdt podman requires fuse/overlayfs
agent:
image: public.ecr.aws/zero-downtime/jenkins-podman
tag: v0.2.4-2
resources:
requests:
cpu: "512m"
memory: "512Mi"
limits:
cpu: "1"
memory: "2048Mi"
alwaysPullImage: true
podRetention: "Default"
showRawYaml: false
podName: "podman-aws"
customJenkinsLabels:
- podman-aws-trivy
idleMinutes: 10
containerCap: 4
annotations:
container.apparmor.security.beta.kubernetes.io/jnlp: unconfined
# envVars:
# - name: AWS_WEB_IDENTITY_TOKEN_FILE
# value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
# - name: AWS_STS_REGIONAL_ENDPOINTS
# value: regional
# - name: AWS_ROLE_ARN
# value: "<IAM ROLE ARN>"
yamlMergeStrategy: "merge"
yamlTemplate: |-
apiVersion: v1
kind: Pod
spec:
serviceAccountName: jenkins-podman-aws
containers:
- name: jnlp
resources:
limits:
github.com/fuse: 1
volumeMounts:
- name: aws-token
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
readOnly: true
volumes:
- name: aws-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 86400
audience: "sts.amazonaws.com"
persistence:
size: "2Gi"
size: "4Gi"
istio:
enabled: false
gateway: istio-ingress/private-ingressgateway
url: jenkins.example.com
# Dedicated VirtualService for webhooks
webhook:
enabled: false
gateway: istio-ingress/ingressgateway
url: jenkins-webhook.example.com
trivy:
enabled: false
persistence:
enabled: true
size: 1Gi
rbac:
create: false
pspEnabled: false
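Review bot: `serviceAccountName: jenkins-podman-aws` inside `agent.yamlTemplate` duplicates `serviceAccountAgent.name`, so an operator who overrides the latter gets agent pods that still reference the old account and cannot obtain the projected token; since values.yaml is not templated, the comment above `serviceAccountAgent` should at least state that both must be kept in sync. The `container.apparmor.security.beta.kubernetes.io/jnlp: unconfined` annotation drops the AppArmor profile for every agent pod, which the preceding comment (`requires fuse/overlayfs`) does not mention; extending it to `# Preconfigure agents for zdt podman: needs fuse/overlayfs and runs the jnlp container AppArmor-unconfined` keeps the reader aware of the reduced confinement. The new `javaOpts` CSP adds `allow-popups`, an external `img-src` and `style-src 'unsafe-inline'` beyond the stricter policy Jenkins ships by default; a one-line comment naming which plugin output (htmlpublisher, presumably) needs each relaxation helps keep it minimal over time. Replacing the `""` defaults for `gitea.istio.url` and `jenkins.istio.url` with `*.example.com` placeholders means an install that enables Istio without overriding them renders routes for a fictitious host rather than failing visibly, which the previous empty default avoided.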