From 7eda2dc375d5522e4a55da3e5eb86d7332693d54 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Thu, 20 Jan 2022 00:04:35 +0100 Subject: [PATCH] feat: add preconfigured Jenkins to CI module --- charts/kubezero-ci/Chart.yaml | 12 +- charts/kubezero-ci/README.md | 81 ++++++++-- charts/kubezero-ci/README.md.gotmpl | 5 + charts/kubezero-ci/dashboards.yaml | 9 ++ .../gitea/istio-authorization-policy.yaml | 22 +++ .../templates/gitea/istio-service.yaml | 10 +- .../kubezero-ci/templates/gitea/secrets.yaml | 4 +- .../templates/grafana-dashboards.yaml | 15 ++ .../jenkins/istio-authorization-policy.yaml | 18 ++- .../templates/jenkins/istio-service.yaml | 35 ++++- charts/kubezero-ci/update.sh | 4 + charts/kubezero-ci/values.yaml | 146 ++++++++++++++++-- 12 files changed, 318 insertions(+), 43 deletions(-) create mode 100644 charts/kubezero-ci/dashboards.yaml create mode 100644 charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml create mode 100644 charts/kubezero-ci/templates/grafana-dashboards.yaml create mode 100755 charts/kubezero-ci/update.sh diff --git a/charts/kubezero-ci/Chart.yaml b/charts/kubezero-ci/Chart.yaml index 0c76230..88d3f9a 100644 --- a/charts/kubezero-ci/Chart.yaml +++ b/charts/kubezero-ci/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-ci description: KubeZero umbrella chart for all things CI type: application -version: 0.3.0 +version: 0.4.20 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -15,19 +15,23 @@ maintainers: email: stefan@zero-downtime.net dependencies: - name: kubezero-lib - version: ">= 0.1.4" + version: ">= 0.1.5" repository: https://cdn.zero-downtime.net/charts/ - name: gocd version: 1.39.4 repository: https://gocd.github.io/helm-chart condition: gocd.enabled - name: gitea - version: 4.1.1 + version: 5.0.0 repository: https://dl.gitea.io/charts/ condition: gitea.enabled - name: jenkins - version: 3.9.4 + version: 3.10.3 repository: https://charts.jenkins.io condition: jenkins.enabled + - name: trivy + version: 0.4.9 + repository: https://aquasecurity.github.io/helm-charts/ + condition: trivy.enabled kubeVersion: ">= 1.20.0" diff --git a/charts/kubezero-ci/README.md b/charts/kubezero-ci/README.md index 725795d..52e84c8 100644 --- a/charts/kubezero-ci/README.md +++ b/charts/kubezero-ci/README.md @@ -1,6 +1,6 @@ # kubezero-ci -![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.4.20](https://img.shields.io/badge/Version-0.4.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero umbrella chart for all things CI @@ -10,22 +10,29 @@ KubeZero umbrella chart for all things CI | Name | Email | Url | | ---- | ------ | --- | -| Quarky9 | | | +| Stefan Reimer | stefan@zero-downtime.net | | ## Requirements -Kubernetes: `>= 1.18.0` +Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| -| https://dl.gitea.io/charts/ | gitea | 4.1.1 | +| https://aquasecurity.github.io/helm-charts/ | trivy | 0.4.9 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | +| https://charts.jenkins.io | jenkins | 3.10.3 | +| https://dl.gitea.io/charts/ | gitea | 5.0.0 | | https://gocd.github.io/helm-chart | gocd | 1.39.4 | -| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.4 | # Jenkins # goCD +# Gitea + +## OpenSSH 8.8 RSA disabled +- https://github.com/go-gitea/gitea/issues/17798 + ## Resources ## Values @@ -34,21 +41,22 @@ Kubernetes: `>= 1.18.0` |-----|------|---------|-------------| | gitea.enabled | bool | `false` | | | gitea.gitea.admin.existingSecret | string | `"gitea-admin-secret"` | | -| gitea.gitea.cache.builtIn.enabled | bool | `false` | | | gitea.gitea.config.cache.ADAPTER | string | `"memory"` | | | gitea.gitea.config.database.DB_TYPE | string | `"sqlite3"` | | -| gitea.gitea.database.builtIn.mariadb.enabled | bool | `false` | | -| gitea.gitea.database.builtIn.mysql.enabled | bool | `false` | | -| gitea.gitea.database.builtIn.postgresql.enabled | bool | `false` | | | gitea.gitea.demo | bool | `false` | | | gitea.gitea.metrics.enabled | bool | `false` | | | gitea.gitea.metrics.serviceMonitor.enabled | bool | `false` | | | gitea.image.rootless | bool | `true` | | +| gitea.image.tag | string | `"1.15.10"` | | | gitea.istio.enabled | bool | `false` | | | gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | -| gitea.istio.url | string | `""` | | +| gitea.istio.url | string | `"git.example.com"` | | +| gitea.mariadb.enabled | bool | `false` | | +| gitea.memcached.enabled | bool | `false` | | +| gitea.mysql.enabled | bool | `false` | | | gitea.persistence.enabled | bool | `true` | | | gitea.persistence.size | string | `"4Gi"` | | +| gitea.postgresql.enabled | bool | `false` | | | gitea.securityContext.allowPrivilegeEscalation | bool | `false` | | | gitea.securityContext.capabilities.add[0] | string | `"SYS_CHROOT"` | | | gitea.securityContext.capabilities.drop[0] | string | `"ALL"` | | @@ -58,4 +66,57 @@ Kubernetes: `>= 1.18.0` | gocd.istio.url | string | `""` | | | gocd.server.ingress.enabled | bool | `false` | | | gocd.server.service.type | string | `"ClusterIP"` | | +| jenkins.agent.alwaysPullImage | bool | `true` | | +| jenkins.agent.annotations."container.apparmor.security.beta.kubernetes.io/jnlp" | string | `"unconfined"` | | +| jenkins.agent.containerCap | int | `4` | | +| jenkins.agent.customJenkinsLabels[0] | string | `"podman-aws-trivy"` | | +| jenkins.agent.idleMinutes | int | `10` | | +| jenkins.agent.image | string | `"public.ecr.aws/zero-downtime/jenkins-podman"` | | +| jenkins.agent.podName | string | `"podman-aws"` | | +| jenkins.agent.podRetention | string | `"Default"` | | +| jenkins.agent.resources.limits.cpu | string | `"1"` | | +| jenkins.agent.resources.limits.memory | string | `"2048Mi"` | | +| jenkins.agent.resources.requests.cpu | string | `"512m"` | | +| jenkins.agent.resources.requests.memory | string | `"512Mi"` | | +| jenkins.agent.showRawYaml | bool | `false` | | +| jenkins.agent.tag | string | `"v0.2.4-2"` | | +| jenkins.agent.yamlMergeStrategy | string | `"merge"` | | +| jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n serviceAccountName: jenkins-podman-aws\n containers:\n - name: jnlp\n resources:\n limits:\n github.com/fuse: 1\n volumeMounts:\n - name: aws-token\n mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n readOnly: true\n volumes:\n - name: aws-token\n projected:\n sources:\n - serviceAccountToken:\n path: token\n expirationSeconds: 86400\n audience: \"sts.amazonaws.com\""` | | +| jenkins.controller.JCasC.configScripts.zdt-settings | string | `"jenkins:\n noUsageStatistics: true\n disabledAdministrativeMonitors:\n - \"jenkins.security.ResourceDomainRecommendation\"\nunclassified:\n buildDiscarders:\n configuredBuildDiscarders:\n - \"jobBuildDiscarder\"\n - defaultBuildDiscarder:\n discarder:\n logRotator:\n artifactDaysToKeepStr: \"32\"\n artifactNumToKeepStr: \"10\"\n daysToKeepStr: \"100\"\n numToKeepStr: \"10\"\n"` | | +| jenkins.controller.disableRememberMe | bool | `true` | | +| jenkins.controller.enableRawHtmlMarkupFormatter | bool | `true` | | +| jenkins.controller.initContainerResources.limits.cpu | string | `"1000m"` | | +| jenkins.controller.initContainerResources.limits.memory | string | `"1024Mi"` | | +| jenkins.controller.initContainerResources.requests.cpu | string | `"50m"` | | +| jenkins.controller.initContainerResources.requests.memory | string | `"256Mi"` | | +| jenkins.controller.installPlugins[0] | string | `"kubernetes:1.31.3"` | | +| jenkins.controller.installPlugins[1] | string | `"workflow-aggregator:2.6"` | | +| jenkins.controller.installPlugins[2] | string | `"git:4.10.3"` | | +| jenkins.controller.installPlugins[3] | string | `"configuration-as-code:1.55.1"` | | +| jenkins.controller.installPlugins[4] | string | `"antisamy-markup-formatter:2.7"` | | +| jenkins.controller.installPlugins[5] | string | `"prometheus:2.0.10"` | | +| jenkins.controller.installPlugins[6] | string | `"htmlpublisher:1.28"` | | +| jenkins.controller.installPlugins[7] | string | `"build-discarder:60.v1747b0eb632a"` | | +| jenkins.controller.javaOpts | string | `"-XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` | | +| jenkins.controller.prometheus.enabled | bool | `false` | | +| jenkins.controller.resources.limits.cpu | string | `"2000m"` | | +| jenkins.controller.resources.limits.memory | string | `"4096Mi"` | | +| jenkins.controller.resources.requests.cpu | string | `"250m"` | | +| jenkins.controller.resources.requests.memory | string | `"1280Mi"` | | +| jenkins.controller.tagLabel | string | `"alpine"` | | +| jenkins.controller.testEnabled | bool | `false` | | | jenkins.enabled | bool | `false` | | +| jenkins.istio.enabled | bool | `false` | | +| jenkins.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | +| jenkins.istio.url | string | `"jenkins.example.com"` | | +| jenkins.istio.webhook.enabled | bool | `false` | | +| jenkins.istio.webhook.gateway | string | `"istio-ingress/ingressgateway"` | | +| jenkins.istio.webhook.url | string | `"jenkins-webhook.example.com"` | | +| jenkins.persistence.size | string | `"4Gi"` | | +| jenkins.serviceAccountAgent.create | bool | `true` | | +| jenkins.serviceAccountAgent.name | string | `"jenkins-podman-aws"` | | +| trivy.enabled | bool | `false` | | +| trivy.persistence.enabled | bool | `true` | | +| trivy.persistence.size | string | `"1Gi"` | | +| trivy.rbac.create | bool | `false` | | +| trivy.rbac.pspEnabled | bool | `false` | | diff --git a/charts/kubezero-ci/README.md.gotmpl b/charts/kubezero-ci/README.md.gotmpl index 126215f..97513a6 100644 --- a/charts/kubezero-ci/README.md.gotmpl +++ b/charts/kubezero-ci/README.md.gotmpl @@ -17,6 +17,11 @@ # goCD +# Gitea + +## OpenSSH 8.8 RSA disabled +- https://github.com/go-gitea/gitea/issues/17798 + ## Resources {{ template "chart.valuesSection" . }} diff --git a/charts/kubezero-ci/dashboards.yaml b/charts/kubezero-ci/dashboards.yaml new file mode 100644 index 0000000..b395f9c --- /dev/null +++ b/charts/kubezero-ci/dashboards.yaml @@ -0,0 +1,9 @@ +configmap: grafana-dashboards +gzip: true +condition: '.Values.jenkins.controller.prometheus.enabled' +folder: KubeZero +dashboards: +- name: Jenkins + url: https://grafana.com/api/dashboards/9964/revisions/1/download + tags: + - CI diff --git a/charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml b/charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml new file mode 100644 index 0000000..3f47bac --- /dev/null +++ b/charts/kubezero-ci/templates/gitea/istio-authorization-policy.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.gitea.enabled .Values.gitea.istio.enabled .Values.gitea.istio.ipBlocks }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ .Release.Name }}-deny-not-in-ipblocks + namespace: istio-system + labels: + {{- include "kubezero-lib.labels" $ | nindent 4 }} +spec: + selector: + matchLabels: + app: istio-ingressgateway + action: DENY + rules: + - from: + - source: + notIpBlocks: + {{- toYaml .Values.gitea.istio.ipBlocks | nindent 8 }} + when: + - key: connection.sni + values: ["{{ .Values.gitea.istio.url }}"] +{{- end }} diff --git a/charts/kubezero-ci/templates/gitea/istio-service.yaml b/charts/kubezero-ci/templates/gitea/istio-service.yaml index 44ee699..9da1b7a 100644 --- a/charts/kubezero-ci/templates/gitea/istio-service.yaml +++ b/charts/kubezero-ci/templates/gitea/istio-service.yaml @@ -2,10 +2,10 @@ apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: - name: {{ include "kubezero-lib.fullname" . }} + name: gitea namespace: {{ .Release.Namespace }} labels: - {{- include "kubezero-lib.labels" . | nindent 4 }} + {{- include "kubezero-lib.labels" $ | nindent 4 }} spec: gateways: - {{ .Values.gitea.istio.gateway }} @@ -15,4 +15,10 @@ spec: - route: - destination: host: gitea-http + tcp: + - match: + - port: 22 + route: + - destination: + host: gitea-ssh {{- end }} diff --git a/charts/kubezero-ci/templates/gitea/secrets.yaml b/charts/kubezero-ci/templates/gitea/secrets.yaml index 7b466f2..9dff274 100644 --- a/charts/kubezero-ci/templates/gitea/secrets.yaml +++ b/charts/kubezero-ci/templates/gitea/secrets.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.gitea.enabled .Values.gitea.demo }} +{{- if and .Values.gitea.enabled .Values.gitea.gitea.demo }} apiVersion: v1 kind: Secret type: Opaque @@ -7,6 +7,6 @@ metadata: labels: {{ include "kubezero-lib.labels" . | indent 4 }} data: - username: {{ "admin" | b64enc | quote }} + username: {{ "demo" | b64enc | quote }} password: {{ "secret" | b64enc | quote }} {{- end }} diff --git a/charts/kubezero-ci/templates/grafana-dashboards.yaml b/charts/kubezero-ci/templates/grafana-dashboards.yaml new file mode 100644 index 0000000..feff0a6 --- /dev/null +++ b/charts/kubezero-ci/templates/grafana-dashboards.yaml @@ -0,0 +1,15 @@ +{{- if .Values.jenkins.controller.prometheus.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "grafana-dashboards" | trunc 63 | trimSuffix "-" }} + namespace: {{ .Release.Namespace }} + labels: + grafana_dashboard: "1" + {{- include "kubezero-lib.labels" . | nindent 4 }} + annotations: + k8s-sidecar-target-directory: KubeZero +binaryData: + Jenkins.json.gz: + H4sIAAAAAAAC/+1dW3OcOBZ+z69gSe1WPNVxgL5P1T44jj2TVJzxxk4eNuWi1KDuZsxtJOHYk8p/H0lAI0D01XZ323pIx0hCl6Oj851PCM6PF5qm27YXxgnB+q/aN3qtaT/4L80JQQBpqv7uwj7//MfZyeXvJ18u9Fae7YMR9Fn+OYoCSKYwwUWmC7GDvJh4UVguor0DBGgXUYIcWBQndzFvyqWZuJIX+8nEC9+7LD+WNJXmf8o6K3SGF/hJf69a6UAR/CvxEJQMNW9/gsAYhKCo3HOlyblofqtm3ECEszH3Do1DK+tES95cDEIqwnpj8VTalJgsNNSlDRnzG5LJ1WuUaFiX5ZrtSgeIvXDiQ0wAqTd5IclraHI2sSAMI3oDLcJmNu2D7nuYzOa56BnNGSWeT96z6sxWkSpISD5yWgaGYOSzfIISKKRPPVeS6jlReBz5EWIVoskIvDJammWa9KfbbWnmgVh1Pv6jYizaf7QjHyJS6kIxoXg6igBy9SzvJ///6kU2F9UF+CEaYe2vBCZQwzGELtZA6GoIEIhb2sktdBISIZp4Azy6rj3fI3ct7VNEa9HYZCS01AcYXntheuOHr2caXUhcXlqCwQQW+bQp7SK7h5X1I6IFEYKHfBw6dD1SEaM+CSHhC3w47HXSFKbtl1HkEy+m6QZP5OoTJr7Pr3wvvOZLOdUCrmqSpe0AZwovvQBGCRFuT/PY9LwFzvUERUnIah8DH8Ny/lfgJ1CehQUN07JJ7tJZNvtWS+vQSTYOh/3SPPMiVrtPy1hDWsZgZQZDSRl2e7eT/qPVHOQTfVXY2EUqK5N1mo4QV8vykMYRCgCTkR5GoWAoJiCZwNnK4kkBuM3FYhqG0PfAC/MMMRlPo+/V9pg2T6kSTSPf/ciwBM8rcQbQNeQCZyPJlb7oI/Lc8wiXezmll32hMtaFjnB9W+nlHbuuVc21zrSK65BAdAP8qjJ5+BP8XpV0WUkz2cUxtXKX6Uo2ZellvSpGJBiKGyZljUQagbdE0B4ty2JVzxJ/tuZXhkA4WVCZVVRWU0SqDQzVzyMqGlxWCZ2JiGecRdxI0oUThtAh0NVLZS5ZyxWJxhEmY4/Nkq79SQ3YG6pdejX3NArJhfc3r7tv/FvIRzC7uZom3tIVb+FyOAPxHPmP6TLjS4R2tCwpko5A//TmqJIRzW6YI0QcUw2n6lJZaWPP98soYg6o4WhTGDHbA2YazEHJeoxZO/WFxGoW63llds2smmG7VEG2VqXLjFsTWk0ShGXBEoAmkMyRG7yN06Yp5Lz6M4UKm06qzeDYpXpvuwniwGc71BaTb2ZwdVCWI5271As8mifHmcXA3AlrmYbQS4/4ubF0IGaOSAqHdU9U5qTwtSAqj1nSHp49X3siBmb6f5dUnHztLdQdXjD3gJ0EIRgSuWMGfA/g4xy7fhQzOwKoZn+5l/ERhhMy5au6lA5lxe8ZkDyuymbJype7vbTdN3sVw99ZzvB3Fth3OIHccRCaBzcTyQLMp6WeQ82nLNULJalNQEqdRtmq54oxm6jaCJlRwBLIgt89l8+5NQ/IljHtMXCgTINiSLUkJGBS96xiViUCrpew9rrl9LrSUaG6EEFuXMbU1yzaxhB5EP9B6QNVEljpPF3ZznWtMkxgHEP3Y2qGy3lLmzjRujGXWzRu5QVeeFyEOqh22uFykdzbOAUO4UvE3NQmCkJgrZ6mgFYCXpb+GU4yRlW54WLqjUn9jsyyMu8/5Rm1IVMtzf150ZXEnymR8JOMqdQVHiDo1tkVjhCpuG9c2e3cgDtJkPi0AzdQr8NYQfdFTn0Lbr2KKRklznU66eJwWbcznWcSkRC5SmkBU2Wr89tVrYt34HaeG1hoDq0aVXy2fGem3AmWEU3eAgxrWpRaoFrx1ATVkusOQrOHuXP9rK2Nu/qkU5CcyHSRp3+EN7NOl7h3FWofm3jWGeM6vFNCXxXxfAjiaS3LPNuKeSrmuRPMk7PFQYf9DDdgnhnpZNV0t8k8q77ZvRJPCen8H3OL0k3XZ8M37w0ES7ZtLzDQhY4XAA4u5sbAmPGlJ4KNnRU3ZftyaOwrZNwmMs4FxO5zAMRBN8NCBmlr42HPyPCwbT4iHL66CewABhG6s/nukU01RnutVVMTDN0D7Y0mK/0L06pD4wH3NGqzekLtZ2Eol0bjtiHfB2bPMccIQi0d27qwbDw7WD6fmQFZZr7cN8Hzl9Zw6HR6qwL4S/O0Zxx3NgRsQwLBNHt0RwRdftoY3FkOg83uQhBWeKvw9h4JqDnICejKaPtycNp++3bweCArQ9MdeASgG60SGjY/BZi/2X/Gx6Z9YQeA1sVOS1Ha50lpn9Be7yIsHSyHpQPFZxW+7hC+brTBaxmNR4vkhxE2R9t8c3cKgU+mNjXTzrWNnQjBPaCoZsuUEdTsUG06pJ3gp79FkfuvBpQ189PZ8yzC3NqP2aRpv75paOCXfeC/y3Pc447Zs45K/FWS1O4P+ta7e6O06wJ28Fyob3HYdwH37SnAVoC91bPAQ4u9U9LL3ikxDo3e6qT4xLBOO511cdq2mcLY9nrsOIk5BAd0ZB6GVA1cvAZWU/yTnazcCo5XqLWw0fwlLh0WUzxZ8WTFk8vA21sSeA0FvAp4FVPemCmHVA3saDxmHbNT5doSPmY8N+SvnGY92o3HsdT8NtFdY9+Qct2HqhkpXQMKn+sRJmvJM0zq8akCrScGWg/3LNWJE9uPwE48QqVMYXAvD1GPz7+oJ6hb2X3N9lVFoDu1jo+NY1nSZjSwNEbFBFc+AWyaDUxQPTNVoLpVULU6bAvWYG/FWBxUzdV3YOtWZwUo3WADtkQD+YcYcPoSzJ7vwZotS8IxL9kRLPZ5Irwbr9/MIZZqF/Z+d2EV/G52+LcJfocKfRX6bhN9+Zf02t3cUhirM1oJC3hYHpuDLkroD04c9iGi9HjwHpxSku/eXiRsEFTa+4GuxpOnsfVDRGzjxjL77LRAm/8oSN3uGeAmSLXUs02Fqds9VNTvsS1i9oGGIffird5a+8SWOWRVDBg9Ng62x2450IJRhKgqrA20u3/E6CgdoYLgXYXgl6dHvY5hKNzd7mHeJuBVh3kV7m4Xd7tsZ6zfzbaTjcP2God5MxuzXbBNGFzSmp8w2n7Jhqjg9uE2k+d/Sl8Cuvf35XwFuPd3iLfx2a36fpNC3O0+uzUY4lKWavFHt53h6nhbd/Mfcfd4DDw/QXCPdo9l77ie0lEo3rpTQKqo6k6cGW5ETlMhp0LOrQeh4Q9e+acPH5mnboCbPDaBjangZe+77BFq5m/MZEHdmCbt+usy6lST+rT+NmK6md1a3VPoTaakbEvSx68KWRWyqpd0NoVZmIUUtdnXdR8caTc8GJzHP+WfAlah4J56KLjBosOu3QbWtUYoOBYx6AhfZgOtBRRaMVIcCzR8EsTkriHv/xBFGwaYQwwXL9KAxir43P4Fn6Mq9QonwfwQmwdvFhZJ3wM5OHjyAeuK4Ne1b+ypcHWPGq5O1xuCwFm7FKyusZd7HKpOuQKNh4UafAFLOQPKGdh5Z8CFY5D4xM6RPnvF0weYpH8XcL/hF/jmYn66GE5n9ei7H8L2nQpe+xjeQICVKyDv5aJHBCpsrdpb34mwtatsrqtQtmpzfQceW/c7G0bsy6PXPnLIvtrmuheyiEILPty4Scja2c74+/A1benp7o2/yMoxwTGZpEEDU2jQMUXEAHyl5jR189KPDlEX/S6Vkku1Ly1JaUQxLP34vT6rl8AgZh5dOJnpKNUrTHIH6mdaygsKHS7WS/T9tZm7evmSoIpWui32qLOHipuzgdi5pRXFrXcF0DMN4aItXphB8XdX+NsUL9qGmCM4pJbwt+mmcr7Kx8CYRBST3D1f2IpYcU+sWGzF6ogXgm3su2J/876UxPd3xK2HPkLRd0pxsumsHLb4VTuHiMN+6EANhK72O98z1Bi1u/EocvHbEg52OnX+70D4Olu1adZNoUQvfv4DNoJhvICTAAA= +{{- end }} diff --git a/charts/kubezero-ci/templates/jenkins/istio-authorization-policy.yaml b/charts/kubezero-ci/templates/jenkins/istio-authorization-policy.yaml index cc28339..a8f8538 100644 --- a/charts/kubezero-ci/templates/jenkins/istio-authorization-policy.yaml +++ b/charts/kubezero-ci/templates/jenkins/istio-authorization-policy.yaml @@ -1,18 +1,22 @@ -{{- if and .Values.jenkins.enabled .Values.jenkins.istio.enabled .Values.jenkins.istio.allowBlocks }} +{{- if and .Values.jenkins.enabled .Values.jenkins.istio.enabled .Values.jenkins.istio.ipBlocks }} apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: {{ .Release.Name }}-jenkins-allowlist - namespace: istio-ingress + name: {{ .Release.Name }}-deny-not-in-ipblocks + namespace: istio-system + labels: + {{- include "kubezero-lib.labels" $ | nindent 4 }} spec: selector: matchLabels: app: istio-ingressgateway + action: DENY rules: - from: - source: - ipBlocks: {{ .Values.jenkins.istio.allowBlocks | toYaml | nindent 8 }} - to: - - operation: - hosts: [{{ .Values.jenkins.istio.url }}] + notIpBlocks: + {{- toYaml .Values.jenkins.istio.ipBlocks | nindent 8 }} + when: + - key: connection.sni + values: ["{{ .Values.jenkins.istio.url }}"] {{- end }} diff --git a/charts/kubezero-ci/templates/jenkins/istio-service.yaml b/charts/kubezero-ci/templates/jenkins/istio-service.yaml index a52e8d2..300aef0 100644 --- a/charts/kubezero-ci/templates/jenkins/istio-service.yaml +++ b/charts/kubezero-ci/templates/jenkins/istio-service.yaml @@ -1,8 +1,8 @@ {{- if and .Values.jenkins.enabled .Values.jenkins.istio.enabled }} -apiVersion: networking.istio.io/v1alpha3 +apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: - name: {{ .Release.Name }}-jenkins + name: {{ template "kubezero-lib.fullname" (merge (dict "subchart" "jenkins") .) }} namespace: {{ template "jenkins.namespace" . }} spec: hosts: @@ -12,7 +12,36 @@ spec: http: - route: - destination: - host: {{ .Release.Name }}-jenkins + host: {{ template "kubezero-lib.fullname" (merge (dict "subchart" "jenkins") .) }} port: number: 8080 + +{{- if .Values.jenkins.istio.webhook.enabled }} +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: {{ template "kubezero-lib.fullname" (merge (dict "subchart" "jenkins") .) }}-webhook + namespace: {{ template "jenkins.namespace" . }} +spec: + hosts: + - {{ .Values.jenkins.istio.webhook.url }} + gateways: + - {{ .Values.jenkins.istio.webhook.gateway }} + http: + - route: + - destination: + host: {{ template "kubezero-lib.fullname" (merge (dict "subchart" "jenkins") .) }} + port: + number: 8080 + match: + - uri: + exact: "/bitbucket-scmsource-hook/notify" + method: + exact: "POST" + - uri: + exact: "/github-webhook/" + method: + exact: "POST" +{{- end }} {{- end }} diff --git a/charts/kubezero-ci/update.sh b/charts/kubezero-ci/update.sh new file mode 100755 index 0000000..ccb8397 --- /dev/null +++ b/charts/kubezero-ci/update.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +# Create ZDT dashboard configmap +../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml diff --git a/charts/kubezero-ci/values.yaml b/charts/kubezero-ci/values.yaml index 051c01a..040ce09 100644 --- a/charts/kubezero-ci/values.yaml +++ b/charts/kubezero-ci/values.yaml @@ -12,10 +12,12 @@ gocd: gateway: istio-ingress/private-ingressgateway url: "" # gocd.example.com + gitea: enabled: false image: + tag: 1.15.10 rootless: true securityContext: @@ -45,27 +47,23 @@ gitea: config: database: DB_TYPE: sqlite3 - cache: ADAPTER: memory - database: - builtIn: - postgresql: - enabled: false - mysql: - enabled: false - mariadb: - enabled: false - - cache: - builtIn: - enabled: false + memcached: + enabled: false + postgresql: + enabled: false + mysql: + enabled: false + mariadb: + enabled: false istio: enabled: false gateway: istio-ingress/private-ingressgateway - url: "" # git.example.com + url: git.example.com + jenkins: enabled: false @@ -76,11 +74,129 @@ jenkins: prometheus: enabled: false testEnabled: false + enableRawHtmlMarkupFormatter: true + # javaOpts: "-Xms512m -Xmx512m" + javaOpts: "-XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\"" + + resources: + requests: + cpu: "250m" + memory: "1280Mi" + limits: + cpu: "2000m" + memory: "4096Mi" + initContainerResources: + requests: + cpu: "50m" + memory: "256Mi" + limits: + cpu: "1000m" + memory: "1024Mi" + + JCasC: + configScripts: + zdt-settings: | + jenkins: + noUsageStatistics: true + disabledAdministrativeMonitors: + - "jenkins.security.ResourceDomainRecommendation" + unclassified: + buildDiscarders: + configuredBuildDiscarders: + - "jobBuildDiscarder" + - defaultBuildDiscarder: + discarder: + logRotator: + artifactDaysToKeepStr: "32" + artifactNumToKeepStr: "10" + daysToKeepStr: "100" + numToKeepStr: "10" + + installPlugins: + - kubernetes:1.31.3 + - workflow-aggregator:2.6 + - git:4.10.3 + - configuration-as-code:1.55.1 + - antisamy-markup-formatter:2.7 + - prometheus:2.0.10 + - htmlpublisher:1.28 + - build-discarder:60.v1747b0eb632a + + serviceAccountAgent: + create: true + name: jenkins-podman-aws + + # Preconfigure agents to use zdt podman requires fuse/overlayfs + agent: + image: public.ecr.aws/zero-downtime/jenkins-podman + tag: v0.2.4-2 + resources: + requests: + cpu: "512m" + memory: "512Mi" + limits: + cpu: "1" + memory: "2048Mi" + alwaysPullImage: true + podRetention: "Default" + showRawYaml: false + podName: "podman-aws" + customJenkinsLabels: + - podman-aws-trivy + idleMinutes: 10 + containerCap: 4 + annotations: + container.apparmor.security.beta.kubernetes.io/jnlp: unconfined + # envVars: + # - name: AWS_WEB_IDENTITY_TOKEN_FILE + # value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" + # - name: AWS_STS_REGIONAL_ENDPOINTS + # value: regional + # - name: AWS_ROLE_ARN + # value: "" + yamlMergeStrategy: "merge" + yamlTemplate: |- + apiVersion: v1 + kind: Pod + spec: + serviceAccountName: jenkins-podman-aws + containers: + - name: jnlp + resources: + limits: + github.com/fuse: 1 + volumeMounts: + - name: aws-token + mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" + readOnly: true + volumes: + - name: aws-token + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 86400 + audience: "sts.amazonaws.com" persistence: - size: "2Gi" + size: "4Gi" istio: enabled: false gateway: istio-ingress/private-ingressgateway url: jenkins.example.com + + # Dedicated VirtualService for webhooks + webhook: + enabled: false + gateway: istio-ingress/ingressgateway + url: jenkins-webhook.example.com + +trivy: + enabled: false + persistence: + enabled: true + size: 1Gi + rbac: + create: false + pspEnabled: false