From 8d819c9d020603e8c73df2d4db364e0f136c4fea Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Thu, 22 Aug 2024 13:08:13 +0000 Subject: [PATCH] feat: latest CI Jenkins, some doc fixes --- charts/kubezero-auth/docs/postgres.md | 12 +- charts/kubezero-ci/README.md | 6 +- .../kubezero-ci/charts/jenkins/CHANGELOG.md | 17 ++ charts/kubezero-ci/charts/jenkins/Chart.yaml | 6 +- charts/kubezero-ci/charts/jenkins/VALUES.md | 189 +++++++++--------- .../charts/jenkins/templates/_helpers.tpl | 13 +- charts/kubezero-ci/charts/jenkins/values.yaml | 24 ++- 7 files changed, 161 insertions(+), 106 deletions(-) diff --git a/charts/kubezero-auth/docs/postgres.md b/charts/kubezero-auth/docs/postgres.md index fb60a912..3e2ea274 100644 --- a/charts/kubezero-auth/docs/postgres.md +++ b/charts/kubezero-auth/docs/postgres.md @@ -2,11 +2,11 @@ ## backup -- shell into running posgres-auth pod +- shell into running postgres-auth pod ``` -export PGPASSWORD="" -cd /bitnami/posgresql -pg_dumpall -U postgres > backup +export PGPASSWORD="$POSTGRES_POSTGRES_PASSWORD" +cd /bitnami/postgresql +pg_dumpall -U postgres > /bitnami/postgresql/backup ``` - store backup off-site @@ -29,8 +29,10 @@ kubectl cp keycloak/kubezero-auth-postgresql-0:/bitnami/postgresql/backup postgr kubectl cp postgres-backup keycloak/kubezero-auth-postgresql-0:/bitnami/postgresql/backup ``` -- log into psql as admin ( shell on running pod ) +- shell into running postgres-auth pod ``` +export PGPASSWORD="$POSTGRES_POSTGRES_PASSWORD" +cd /bitnami/postgresql psql -U postgres ``` diff --git a/charts/kubezero-ci/README.md b/charts/kubezero-ci/README.md index 0e689c06..a231de32 100644 --- a/charts/kubezero-ci/README.md +++ b/charts/kubezero-ci/README.md 
@@ -1,6 +1,6 @@ # kubezero-ci -![Version: 0.8.14](https://img.shields.io/badge/Version-0.8.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.8.15](https://img.shields.io/badge/Version-0.8.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero umbrella chart for all things CI @@ -20,7 +20,7 @@ Kubernetes: `>= 1.25.0` |------------|------|---------| | https://aquasecurity.github.io/helm-charts/ | trivy | 0.7.0 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | -| https://charts.jenkins.io | jenkins | 5.5.4 | +| https://charts.jenkins.io | jenkins | 5.5.8 | | https://dl.gitea.io/charts/ | gitea | 10.4.0 | | https://docs.renovatebot.com/helm-charts | renovate | 37.440.7 | @@ -91,7 +91,7 @@ Kubernetes: `>= 1.25.0` | jenkins.agent.defaultsProviderTemplate | string | `"podman-aws"` | | | jenkins.agent.idleMinutes | int | `30` | | | jenkins.agent.image.repository | string | `"public.ecr.aws/zero-downtime/jenkins-podman"` | | -| jenkins.agent.image.tag | string | `"v0.6.1"` | | +| jenkins.agent.image.tag | string | `"v0.6.2"` | | | jenkins.agent.inheritYamlMergeStrategy | bool | `true` | | | jenkins.agent.podName | string | `"podman-aws"` | | | jenkins.agent.podRetention | string | `"Default"` | | diff --git a/charts/kubezero-ci/charts/jenkins/CHANGELOG.md b/charts/kubezero-ci/charts/jenkins/CHANGELOG.md index 17d5a5f8..3d54f10b 100644 --- a/charts/kubezero-ci/charts/jenkins/CHANGELOG.md +++ b/charts/kubezero-ci/charts/jenkins/CHANGELOG.md 
@@ -12,6 +12,23 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0. The changelog until v1.5.7 was auto-generated based on git commits. Those entries include a reference to the git commit to be able to get more details. +## 5.5.8 + +Add `agent.garbageCollection` to support setting [kubernetes plugin garbage collection](https://plugins.jenkins.io/kubernetes/#plugin-content-garbage-collection-beta). + +## 5.5.7 + +Update `kubernetes` to version `4285.v50ed5f624918` + +## 5.5.6 + +Add `agent.useDefaultServiceAccount` to support omitting setting `serviceAccount` in the default pod template from `serviceAgentAccount.name`. +Add `agent.serviceAccount` to support setting the default pod template value. + +## 5.5.5 + +Update `jenkins/inbound-agent` to version `3261.v9c670a_4748a_9-1` + ## 5.5.4 Update `jenkins/jenkins` to version `2.462.1-jdk17` diff --git a/charts/kubezero-ci/charts/jenkins/Chart.yaml b/charts/kubezero-ci/charts/jenkins/Chart.yaml index 63adf0d5..fcb1fe89 100644 --- a/charts/kubezero-ci/charts/jenkins/Chart.yaml +++ b/charts/kubezero-ci/charts/jenkins/Chart.yaml @@ -1,14 +1,14 @@ annotations: artifacthub.io/category: integration-delivery artifacthub.io/changes: | - - Update `jenkins/jenkins` to version `2.462.1-jdk17` + - Add `agent.garbageCollection` to support setting [kubernetes plugin garbage collection](https://plugins.jenkins.io/kubernetes/#plugin-content-garbage-collection-beta). artifacthub.io/images: | - name: jenkins image: docker.io/jenkins/jenkins:2.462.1-jdk17 - name: k8s-sidecar image: docker.io/kiwigrid/k8s-sidecar:1.27.5 - name: inbound-agent - image: jenkins/inbound-agent:3256.v88a_f6e922152-1 + image: jenkins/inbound-agent:3261.v9c670a_4748a_9-1 artifacthub.io/license: Apache-2.0 artifacthub.io/links: | - name: Chart Source @@ -46,4 +46,4 @@ sources: - https://github.com/maorfr/kube-tasks - https://github.com/jenkinsci/configuration-as-code-plugin type: application -version: 5.5.4 +version: 5.5.8 
diff --git a/charts/kubezero-ci/charts/jenkins/VALUES.md b/charts/kubezero-ci/charts/jenkins/VALUES.md
index 973b755e..23a0f6c4 100644
--- a/charts/kubezero-ci/charts/jenkins/VALUES.md
+++ b/charts/kubezero-ci/charts/jenkins/VALUES.md
@@ -8,66 +8,71 @@ The following tables list the configurable parameters of the Jenkins chart and t | Key | Type | Description | Default | |:----|:-----|:---------|:------------| -| [additionalAgents](./values.yaml#L1169) | object | Configure additional | `{}` | -| [additionalClouds](./values.yaml#L1194) | object | | `{}` | -| [agent.TTYEnabled](./values.yaml#L1087) | bool | Allocate pseudo tty to the side container | `false` | -| [agent.additionalContainers](./values.yaml#L1122) | list | Add additional containers to the agents | `[]` | -| [agent.alwaysPullImage](./values.yaml#L980) | bool | Always pull agent container image before build | `false` | -| [agent.annotations](./values.yaml#L1118) | object | Annotations to apply to the pod | `{}` | -| [agent.args](./values.yaml#L1081) | string | Arguments passed to command to execute | `"${computer.jnlpmac} ${computer.name}"` | -| [agent.command](./values.yaml#L1079) | string | Command to execute when side container starts | `nil` | -| [agent.componentName](./values.yaml#L948) | string | | `"jenkins-agent"` | -| [agent.connectTimeout](./values.yaml#L1116) | int | Timeout in seconds for an agent to be online | `100` | -| [agent.containerCap](./values.yaml#L1089) | int | Max number of agents to launch | `10` | -| [agent.customJenkinsLabels](./values.yaml#L945) | list | Append Jenkins labels to the agent | `[]` | +| [additionalAgents](./values.yaml#L1189) | object | Configure additional | `{}` | +| [additionalClouds](./values.yaml#L1214) | object | | `{}` | +| [agent.TTYEnabled](./values.yaml#L1095) | bool | Allocate pseudo tty to the side container | `false` | +| [agent.additionalContainers](./values.yaml#L1142) | list | Add additional containers to the agents | `[]` | +| [agent.alwaysPullImage](./values.yaml#L988) | bool | Always pull agent container image before build | `false` | +| [agent.annotations](./values.yaml#L1138) | object | Annotations to apply to the pod | `{}` | +| [agent.args](./values.yaml#L1089) | string | 
Arguments passed to command to execute | `"${computer.jnlpmac} ${computer.name}"` | +| [agent.command](./values.yaml#L1087) | string | Command to execute when side container starts | `nil` | +| [agent.componentName](./values.yaml#L956) | string | | `"jenkins-agent"` | +| [agent.connectTimeout](./values.yaml#L1136) | int | Timeout in seconds for an agent to be online | `100` | +| [agent.containerCap](./values.yaml#L1097) | int | Max number of agents to launch | `10` | +| [agent.customJenkinsLabels](./values.yaml#L953) | list | Append Jenkins labels to the agent | `[]` | | [agent.defaultsProviderTemplate](./values.yaml#L907) | string | The name of the pod template to use for providing default values | `""` | -| [agent.directConnection](./values.yaml#L951) | bool | | `false` | -| [agent.disableDefaultAgent](./values.yaml#L1140) | bool | Disable the default Jenkins Agent configuration | `false` | +| [agent.directConnection](./values.yaml#L959) | bool | | `false` | +| [agent.disableDefaultAgent](./values.yaml#L1160) | bool | Disable the default Jenkins Agent configuration | `false` | | [agent.enabled](./values.yaml#L905) | bool | Enable Kubernetes plugin jnlp-agent podTemplate | `true` | -| [agent.envVars](./values.yaml#L1062) | list | Environment variables for the agent Pod | `[]` | -| [agent.hostNetworking](./values.yaml#L959) | bool | Enables the agent to use the host network | `false` | -| [agent.idleMinutes](./values.yaml#L1094) | int | Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it | `0` | -| [agent.image.repository](./values.yaml#L938) | string | Repository to pull the agent jnlp image from | `"jenkins/inbound-agent"` | -| [agent.image.tag](./values.yaml#L940) | string | Tag of the image to pull | `"3256.v88a_f6e922152-1"` | -| [agent.imagePullSecretName](./values.yaml#L947) | string | Name of the secret to be used to pull the image | `nil` | -| 
[agent.inheritYamlMergeStrategy](./values.yaml#L1114) | bool | Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one | `false` | -| [agent.jenkinsTunnel](./values.yaml#L915) | string | Overrides the Kubernetes Jenkins tunnel | `nil` | -| [agent.jenkinsUrl](./values.yaml#L911) | string | Overrides the Kubernetes Jenkins URL | `nil` | -| [agent.jnlpregistry](./values.yaml#L935) | string | Custom registry used to pull the agent jnlp image from | `nil` | -| [agent.kubernetesConnectTimeout](./values.yaml#L921) | int | The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 | `5` | -| [agent.kubernetesReadTimeout](./values.yaml#L923) | int | The read timeout in seconds for connections to Kubernetes API. The minimum value is 15 | `15` | -| [agent.livenessProbe](./values.yaml#L970) | object | | `{}` | -| [agent.maxRequestsPerHostStr](./values.yaml#L925) | string | The maximum concurrent connections to Kubernetes API | `"32"` | -| [agent.namespace](./values.yaml#L931) | string | Namespace in which the Kubernetes agents should be launched | `nil` | -| [agent.nodeSelector](./values.yaml#L1073) | object | Node labels for pod assignment | `{}` | -| [agent.nodeUsageMode](./values.yaml#L943) | string | | `"NORMAL"` | -| [agent.podLabels](./values.yaml#L933) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` | -| [agent.podName](./values.yaml#L1091) | string | Agent Pod base name | `"default"` | -| [agent.podRetention](./values.yaml#L989) | string | | `"Never"` | -| [agent.podTemplates](./values.yaml#L1150) | object | Configures extra pod templates for the default kubernetes cloud | `{}` | -| [agent.privileged](./values.yaml#L953) | bool | Agent privileged container | `false` | -| [agent.resources](./values.yaml#L961) | object | Resources allocation (Requests and Limits) | 
`{"limits":{"cpu":"512m","memory":"512Mi"},"requests":{"cpu":"512m","memory":"512Mi"}}` | -| [agent.restrictedPssSecurityContext](./values.yaml#L986) | bool | Set a restricted securityContext on jnlp containers | `false` | -| [agent.retentionTimeout](./values.yaml#L927) | int | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | `5` | -| [agent.runAsGroup](./values.yaml#L957) | string | Configure container group | `nil` | -| [agent.runAsUser](./values.yaml#L955) | string | Configure container user | `nil` | -| [agent.secretEnvVars](./values.yaml#L1066) | list | Mount a secret as environment variable | `[]` | -| [agent.showRawYaml](./values.yaml#L993) | bool | | `true` | -| [agent.sideContainerName](./values.yaml#L1083) | string | Side container name | `"jnlp"` | -| [agent.skipTlsVerify](./values.yaml#L917) | bool | Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI | `false` | -| [agent.usageRestricted](./values.yaml#L919) | bool | Enable the possibility to restrict the usage of this agent to specific folder. 
This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI | `false` | -| [agent.volumes](./values.yaml#L1000) | list | Additional volumes | `[]` | -| [agent.waitForPodSec](./values.yaml#L929) | int | Seconds to wait for pod to be running | `600` | -| [agent.websocket](./values.yaml#L950) | bool | Enables agent communication via websockets | `false` | -| [agent.workingDir](./values.yaml#L942) | string | Configure working directory for default agent | `"/home/jenkins/agent"` | -| [agent.workspaceVolume](./values.yaml#L1035) | object | Workspace volume (defaults to EmptyDir) | `{}` | -| [agent.yamlMergeStrategy](./values.yaml#L1112) | string | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override" | `"override"` | -| [agent.yamlTemplate](./values.yaml#L1101) | string | The raw yaml of a Pod API Object to merge into the agent spec | `""` | -| [awsSecurityGroupPolicies.enabled](./values.yaml#L1320) | bool | | `false` | -| [awsSecurityGroupPolicies.policies[0].name](./values.yaml#L1322) | string | | `""` | -| [awsSecurityGroupPolicies.policies[0].podSelector](./values.yaml#L1324) | object | | `{}` | -| [awsSecurityGroupPolicies.policies[0].securityGroupIds](./values.yaml#L1323) | list | | `[]` | -| [checkDeprecation](./values.yaml#L1317) | bool | Checks if any deprecated values are used | `true` | +| [agent.envVars](./values.yaml#L1070) | list | Environment variables for the agent Pod | `[]` | +| [agent.garbageCollection.enabled](./values.yaml#L1104) | bool | When enabled, Jenkins will periodically check for orphan pods that have not been touched for the given timeout period and delete them. | `false` | +| [agent.garbageCollection.namespaces](./values.yaml#L1106) | string | Namespaces to look at for garbage collection, in addition to the default namespace defined for the cloud. One namespace per line. 
| `""` | +| [agent.garbageCollection.timeout](./values.yaml#L1111) | int | Timeout value for orphaned pods | `300` | +| [agent.hostNetworking](./values.yaml#L967) | bool | Enables the agent to use the host network | `false` | +| [agent.idleMinutes](./values.yaml#L1114) | int | Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it | `0` | +| [agent.image.repository](./values.yaml#L946) | string | Repository to pull the agent jnlp image from | `"jenkins/inbound-agent"` | +| [agent.image.tag](./values.yaml#L948) | string | Tag of the image to pull | `"3261.v9c670a_4748a_9-1"` | +| [agent.imagePullSecretName](./values.yaml#L955) | string | Name of the secret to be used to pull the image | `nil` | +| [agent.inheritYamlMergeStrategy](./values.yaml#L1134) | bool | Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one | `false` | +| [agent.jenkinsTunnel](./values.yaml#L923) | string | Overrides the Kubernetes Jenkins tunnel | `nil` | +| [agent.jenkinsUrl](./values.yaml#L919) | string | Overrides the Kubernetes Jenkins URL | `nil` | +| [agent.jnlpregistry](./values.yaml#L943) | string | Custom registry used to pull the agent jnlp image from | `nil` | +| [agent.kubernetesConnectTimeout](./values.yaml#L929) | int | The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 | `5` | +| [agent.kubernetesReadTimeout](./values.yaml#L931) | int | The read timeout in seconds for connections to Kubernetes API. 
The minimum value is 15 | `15` | +| [agent.livenessProbe](./values.yaml#L978) | object | | `{}` | +| [agent.maxRequestsPerHostStr](./values.yaml#L933) | string | The maximum concurrent connections to Kubernetes API | `"32"` | +| [agent.namespace](./values.yaml#L939) | string | Namespace in which the Kubernetes agents should be launched | `nil` | +| [agent.nodeSelector](./values.yaml#L1081) | object | Node labels for pod assignment | `{}` | +| [agent.nodeUsageMode](./values.yaml#L951) | string | | `"NORMAL"` | +| [agent.podLabels](./values.yaml#L941) | object | Custom Pod labels (an object with `label-key: label-value` pairs) | `{}` | +| [agent.podName](./values.yaml#L1099) | string | Agent Pod base name | `"default"` | +| [agent.podRetention](./values.yaml#L997) | string | | `"Never"` | +| [agent.podTemplates](./values.yaml#L1170) | object | Configures extra pod templates for the default kubernetes cloud | `{}` | +| [agent.privileged](./values.yaml#L961) | bool | Agent privileged container | `false` | +| [agent.resources](./values.yaml#L969) | object | Resources allocation (Requests and Limits) | `{"limits":{"cpu":"512m","memory":"512Mi"},"requests":{"cpu":"512m","memory":"512Mi"}}` | +| [agent.restrictedPssSecurityContext](./values.yaml#L994) | bool | Set a restricted securityContext on jnlp containers | `false` | +| [agent.retentionTimeout](./values.yaml#L935) | int | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | `5` | +| [agent.runAsGroup](./values.yaml#L965) | string | Configure container group | `nil` | +| [agent.runAsUser](./values.yaml#L963) | string | Configure container user | `nil` | +| [agent.secretEnvVars](./values.yaml#L1074) | list | Mount a secret as environment variable | `[]` | +| [agent.serviceAccount](./values.yaml#L915) | string | Override the default service account | `serviceAccountAgent.name` if `agent.useDefaultServiceAccount` is `true` | +| 
[agent.showRawYaml](./values.yaml#L1001) | bool | | `true` | +| [agent.sideContainerName](./values.yaml#L1091) | string | Side container name | `"jnlp"` | +| [agent.skipTlsVerify](./values.yaml#L925) | bool | Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI | `false` | +| [agent.usageRestricted](./values.yaml#L927) | bool | Enable the possibility to restrict the usage of this agent to specific folder. This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI | `false` | +| [agent.useDefaultServiceAccount](./values.yaml#L911) | bool | Use `serviceAccountAgent.name` as the default value for defaults template `serviceAccount` | `true` | +| [agent.volumes](./values.yaml#L1008) | list | Additional volumes | `[]` | +| [agent.waitForPodSec](./values.yaml#L937) | int | Seconds to wait for pod to be running | `600` | +| [agent.websocket](./values.yaml#L958) | bool | Enables agent communication via websockets | `false` | +| [agent.workingDir](./values.yaml#L950) | string | Configure working directory for default agent | `"/home/jenkins/agent"` | +| [agent.workspaceVolume](./values.yaml#L1043) | object | Workspace volume (defaults to EmptyDir) | `{}` | +| [agent.yamlMergeStrategy](./values.yaml#L1132) | string | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. 
Possible values: "merge" or "override" | `"override"` | +| [agent.yamlTemplate](./values.yaml#L1121) | string | The raw yaml of a Pod API Object to merge into the agent spec | `""` | +| [awsSecurityGroupPolicies.enabled](./values.yaml#L1340) | bool | | `false` | +| [awsSecurityGroupPolicies.policies[0].name](./values.yaml#L1342) | string | | `""` | +| [awsSecurityGroupPolicies.policies[0].podSelector](./values.yaml#L1344) | object | | `{}` | +| [awsSecurityGroupPolicies.policies[0].securityGroupIds](./values.yaml#L1343) | list | | `[]` | +| [checkDeprecation](./values.yaml#L1337) | bool | Checks if any deprecated values are used | `true` | | [clusterZone](./values.yaml#L21) | string | Override the cluster name for FQDN resolving | `"cluster.local"` | | [controller.JCasC.authorizationStrategy](./values.yaml#L533) | string | Jenkins Config as Code Authorization Strategy-section | `"loggedInUsersCanDoAnything:\n allowAnonymousRead: false"` | | [controller.JCasC.configMapAnnotations](./values.yaml#L538) | object | Annotations for the JCasC ConfigMap | `{}` | 
@@ -159,7 +164,7 @@ The following tables list the configurable parameters of the Jenkins chart and t
 | [controller.initializeOnce](./values.yaml#L414) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` |
 | [controller.installLatestPlugins](./values.yaml#L403) | bool | Download the minimum required version or latest version of all dependencies | `true` |
 | [controller.installLatestSpecifiedPlugins](./values.yaml#L406) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` |
-| [controller.installPlugins](./values.yaml#L395) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4280.vd919fa_528c7e","workflow-aggregator:600.vb_57cdd26fdd7","git:5.3.0","configuration-as-code:1836.vccda_4a_122a_a_e"]` |
+| [controller.installPlugins](./values.yaml#L395) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4285.v50ed5f624918","workflow-aggregator:600.vb_57cdd26fdd7","git:5.3.0","configuration-as-code:1836.vccda_4a_122a_a_e"]` |
 | [controller.javaOpts](./values.yaml#L156) | string | Append to `JAVA_OPTS` env var | `nil` |
 | [controller.jenkinsAdminEmail](./values.yaml#L96) | string | Email address for the administrator of the Jenkins instance | `nil` |
 | [controller.jenkinsHome](./values.yaml#L101) | string | Custom Jenkins home path | `"/var/jenkins_home"` |
@@ -272,40 +277,40 @@ The following tables list the configurable parameters of the Jenkins chart and t | [controller.usePodSecurityContext](./values.yaml#L176) | bool | Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) | `true` | | [credentialsId](./values.yaml#L27) | string | The Jenkins credentials to access the Kubernetes API server. For the default cluster it is not needed. | `nil` | | [fullnameOverride](./values.yaml#L13) | string | Override the full resource names | `jenkins-(release-name)` or `jenkins` if the release-name is `jenkins` | -| [helmtest.bats.image.registry](./values.yaml#L1333) | string | Registry of the image used to test the framework | `"docker.io"` | -| [helmtest.bats.image.repository](./values.yaml#L1335) | string | Repository of the image used to test the framework | `"bats/bats"` | -| [helmtest.bats.image.tag](./values.yaml#L1337) | string | Tag of the image to test the framework | `"1.11.0"` | +| [helmtest.bats.image.registry](./values.yaml#L1353) | string | Registry of the image used to test the framework | `"docker.io"` | +| [helmtest.bats.image.repository](./values.yaml#L1355) | string | Repository of the image used to test the framework | `"bats/bats"` | +| [helmtest.bats.image.tag](./values.yaml#L1357) | string | Tag of the image to test the framework | `"1.11.0"` | | [kubernetesURL](./values.yaml#L24) | string | The URL of the Kubernetes API server | `"https://kubernetes.default"` | | [nameOverride](./values.yaml#L10) | string | Override the resource name prefix | `Chart.Name` | | [namespaceOverride](./values.yaml#L16) | string | Override the deployment namespace | `Release.Namespace` | -| [networkPolicy.apiVersion](./values.yaml#L1263) | string | NetworkPolicy ApiVersion | `"networking.k8s.io/v1"` | -| [networkPolicy.enabled](./values.yaml#L1258) | bool | Enable the creation of NetworkPolicy resources | `false` | -| [networkPolicy.externalAgents.except](./values.yaml#L1277) | 
list | A list of IP sub-ranges to be excluded from the allowlisted IP range | `[]` | -| [networkPolicy.externalAgents.ipCIDR](./values.yaml#L1275) | string | The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 | `nil` | -| [networkPolicy.internalAgents.allowed](./values.yaml#L1267) | bool | Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels | `true` | -| [networkPolicy.internalAgents.namespaceLabels](./values.yaml#L1271) | object | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller | `{}` | -| [networkPolicy.internalAgents.podLabels](./values.yaml#L1269) | object | A map of labels (keys/values) that agent pods must have to be able to connect to controller | `{}` | -| [persistence.accessMode](./values.yaml#L1233) | string | The PVC access mode | `"ReadWriteOnce"` | -| [persistence.annotations](./values.yaml#L1229) | object | Annotations for the PVC | `{}` | -| [persistence.dataSource](./values.yaml#L1239) | object | Existing data source to clone PVC from | `{}` | -| [persistence.enabled](./values.yaml#L1213) | bool | Enable the use of a Jenkins PVC | `true` | -| [persistence.existingClaim](./values.yaml#L1219) | string | Provide the name of a PVC | `nil` | -| [persistence.labels](./values.yaml#L1231) | object | Labels for the PVC | `{}` | -| [persistence.mounts](./values.yaml#L1251) | list | Additional mounts | `[]` | -| [persistence.size](./values.yaml#L1235) | string | The size of the PVC | `"8Gi"` | -| [persistence.storageClass](./values.yaml#L1227) | string | Storage class for the PVC | `nil` | -| [persistence.subPath](./values.yaml#L1244) | string | SubPath for jenkins-home mount | `nil` | -| [persistence.volumes](./values.yaml#L1246) | list | Additional volumes | `[]` | -| [rbac.create](./values.yaml#L1283) | bool | Whether RBAC resources are created | `true` | -| 
[rbac.readSecrets](./values.yaml#L1285) | bool | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` | +| [networkPolicy.apiVersion](./values.yaml#L1283) | string | NetworkPolicy ApiVersion | `"networking.k8s.io/v1"` | +| [networkPolicy.enabled](./values.yaml#L1278) | bool | Enable the creation of NetworkPolicy resources | `false` | +| [networkPolicy.externalAgents.except](./values.yaml#L1297) | list | A list of IP sub-ranges to be excluded from the allowlisted IP range | `[]` | +| [networkPolicy.externalAgents.ipCIDR](./values.yaml#L1295) | string | The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 | `nil` | +| [networkPolicy.internalAgents.allowed](./values.yaml#L1287) | bool | Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels | `true` | +| [networkPolicy.internalAgents.namespaceLabels](./values.yaml#L1291) | object | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller | `{}` | +| [networkPolicy.internalAgents.podLabels](./values.yaml#L1289) | object | A map of labels (keys/values) that agent pods must have to be able to connect to controller | `{}` | +| [persistence.accessMode](./values.yaml#L1253) | string | The PVC access mode | `"ReadWriteOnce"` | +| [persistence.annotations](./values.yaml#L1249) | object | Annotations for the PVC | `{}` | +| [persistence.dataSource](./values.yaml#L1259) | object | Existing data source to clone PVC from | `{}` | +| [persistence.enabled](./values.yaml#L1233) | bool | Enable the use of a Jenkins PVC | `true` | +| [persistence.existingClaim](./values.yaml#L1239) | string | Provide the name of a PVC | `nil` | +| [persistence.labels](./values.yaml#L1251) | object | Labels for the PVC | `{}` | +| [persistence.mounts](./values.yaml#L1271) | list | Additional mounts | `[]` | +| [persistence.size](./values.yaml#L1255) | string | The size 
of the PVC | `"8Gi"` | +| [persistence.storageClass](./values.yaml#L1247) | string | Storage class for the PVC | `nil` | +| [persistence.subPath](./values.yaml#L1264) | string | SubPath for jenkins-home mount | `nil` | +| [persistence.volumes](./values.yaml#L1266) | list | Additional volumes | `[]` | +| [rbac.create](./values.yaml#L1303) | bool | Whether RBAC resources are created | `true` | +| [rbac.readSecrets](./values.yaml#L1305) | bool | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` | | [renderHelmLabels](./values.yaml#L30) | bool | Enables rendering of the helm.sh/chart label to the annotations | `true` | -| [serviceAccount.annotations](./values.yaml#L1295) | object | Configures annotations for the ServiceAccount | `{}` | -| [serviceAccount.create](./values.yaml#L1289) | bool | Configures if a ServiceAccount with this name should be created | `true` | -| [serviceAccount.extraLabels](./values.yaml#L1297) | object | Configures extra labels for the ServiceAccount | `{}` | -| [serviceAccount.imagePullSecretName](./values.yaml#L1299) | string | Controller ServiceAccount image pull secret | `nil` | -| [serviceAccount.name](./values.yaml#L1293) | string | | `nil` | -| [serviceAccountAgent.annotations](./values.yaml#L1310) | object | Configures annotations for the agent ServiceAccount | `{}` | -| [serviceAccountAgent.create](./values.yaml#L1304) | bool | Configures if an agent ServiceAccount should be created | `false` | -| [serviceAccountAgent.extraLabels](./values.yaml#L1312) | object | Configures extra labels for the agent ServiceAccount | `{}` | -| [serviceAccountAgent.imagePullSecretName](./values.yaml#L1314) | string | Agent ServiceAccount image pull secret | `nil` | -| [serviceAccountAgent.name](./values.yaml#L1308) | string | The name of the agent ServiceAccount to be used by access-controlled resources | `nil` | +| [serviceAccount.annotations](./values.yaml#L1315) | object | Configures annotations for the 
ServiceAccount | `{}` | +| [serviceAccount.create](./values.yaml#L1309) | bool | Configures if a ServiceAccount with this name should be created | `true` | +| [serviceAccount.extraLabels](./values.yaml#L1317) | object | Configures extra labels for the ServiceAccount | `{}` | +| [serviceAccount.imagePullSecretName](./values.yaml#L1319) | string | Controller ServiceAccount image pull secret | `nil` | +| [serviceAccount.name](./values.yaml#L1313) | string | | `nil` | +| [serviceAccountAgent.annotations](./values.yaml#L1330) | object | Configures annotations for the agent ServiceAccount | `{}` | +| [serviceAccountAgent.create](./values.yaml#L1324) | bool | Configures if an agent ServiceAccount should be created | `false` | +| [serviceAccountAgent.extraLabels](./values.yaml#L1332) | object | Configures extra labels for the agent ServiceAccount | `{}` | +| [serviceAccountAgent.imagePullSecretName](./values.yaml#L1334) | string | Agent ServiceAccount image pull secret | `nil` | +| [serviceAccountAgent.name](./values.yaml#L1328) | string | The name of the agent ServiceAccount to be used by access-controlled resources | `nil` | diff --git a/charts/kubezero-ci/charts/jenkins/templates/_helpers.tpl b/charts/kubezero-ci/charts/jenkins/templates/_helpers.tpl index 11bad3af..edc4b9ab 100644 --- a/charts/kubezero-ci/charts/jenkins/templates/_helpers.tpl +++ b/charts/kubezero-ci/charts/jenkins/templates/_helpers.tpl @@ -140,6 +140,14 @@ jenkins: clouds: - kubernetes: containerCapStr: "{{ .Values.agent.containerCap }}" + {{- if .Values.agent.garbageCollection.enabled }} + garbageCollection: + {{- if .Values.agent.garbageCollection.namespaces }} + namespaces: |- + {{- .Values.agent.garbageCollection.namespaces | nindent 10 }} + {{- end }} + timeout: "{{ .Values.agent.garbageCollection.timeout }}" + {{- end }} {{- if .Values.agent.jnlpregistry }} jnlpregistry: "{{ .Values.agent.jnlpregistry }}" {{- end }} 
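Review bot: The `garbageCollection` branch lets the controller delete pods in every namespace listed under `namespaces`, and neither this hunk nor the values comments say what RBAC that requires. The controller's service account would presumably need list and delete on pods in each of those namespaces; the chart's RBAC templates are not part of this diff, so whether they cover anything beyond the cloud's own namespace should be confirmed. I would add a template comment above `namespaces: |-`, for example `{{- /* each namespace listed here needs a Role granting the controller ServiceAccount list/delete on pods */}}`, and keep that grant per namespace, not cluster-wide. The same documentation gap applies to the `garbageCollection` block added in values.yaml.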
@@ -475,7 +483,10 @@ Returns kubernetes pod template configuration as code nodeUsageMode: {{ quote .Values.agent.nodeUsageMode }} podRetention: {{ .Values.agent.podRetention }} showRawYaml: {{ .Values.agent.showRawYaml }} - serviceAccount: "{{ include "jenkins.serviceAccountAgentName" . }}" +{{- $asaname := default (include "jenkins.serviceAccountAgentName" .) .Values.agent.serviceAccount -}} +{{- if or (.Values.agent.useDefaultServiceAccount) (.Values.agent.serviceAccount) }} + serviceAccount: "{{ $asaname }}" +{{- end }} slaveConnectTimeoutStr: "{{ .Values.agent.connectTimeout }}" {{- if .Values.agent.volumes }} volumes: diff --git a/charts/kubezero-ci/charts/jenkins/values.yaml b/charts/kubezero-ci/charts/jenkins/values.yaml index ea9e836a..212b9a12 100644 --- a/charts/kubezero-ci/charts/jenkins/values.yaml +++ b/charts/kubezero-ci/charts/jenkins/values.yaml @@ -393,7 +393,7 @@ controller: # Plugins will be installed during Jenkins controller start # -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` installPlugins: - - kubernetes:4280.vd919fa_528c7e + - kubernetes:4285.v50ed5f624918 - workflow-aggregator:600.vb_57cdd26fdd7 - git:5.3.0 - configuration-as-code:1836.vccda_4a_122a_a_e @@ -906,6 +906,14 @@ agent: # -- The name of the pod template to use for providing default values defaultsProviderTemplate: "" + # Useful for not including a serviceAccount in the template if `false` + # -- Use `serviceAccountAgent.name` as the default value for defaults template `serviceAccount` + useDefaultServiceAccount: true + + # -- Override the default service account + # @default -- `serviceAccountAgent.name` if `agent.useDefaultServiceAccount` is `true` + serviceAccount: + # For connecting to the Jenkins controller # -- Overrides the Kubernetes Jenkins URL jenkinsUrl: 
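Review bot: With `useDefaultServiceAccount: false` and no `agent.serviceAccount`, the `serviceAccount:` key is dropped from the pod template, and nothing in the hunk says which identity the agent then runs under. Kubernetes assigns the namespace's `default` service account to a pod that names none, so unless an inherited template supplies a value the agents would get whatever is bound to `default`, which is easy to misread given the flag's name. I would state this in a template comment above the `if`, for example `{{- /* when omitted, agents run as the namespace "default" ServiceAccount unless an inherited template sets one */}}`. The values.yaml hunk that introduces `useDefaultServiceAccount` needs the same sentence inside its `# --` description, because the explanatory line there sits above the marker and does not reach VALUES.md. The enclosing template definition starts and ends outside this hunk.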
@@ -937,7 +945,7 @@ agent: # -- Repository to pull the agent jnlp image from repository: "jenkins/inbound-agent" # -- Tag of the image to pull - tag: "3256.v88a_f6e922152-1" + tag: "3261.v9c670a_4748a_9-1" # -- Configure working directory for default agent workingDir: "/home/jenkins/agent" nodeUsageMode: "NORMAL" @@ -1090,6 +1098,18 @@ agent: # -- Agent Pod base name podName: "default" + # Enables garbage collection of orphan pods for this Kubernetes cloud. (beta) + garbageCollection: + # -- When enabled, Jenkins will periodically check for orphan pods that have not been touched for the given timeout period and delete them. + enabled: false + # -- Namespaces to look at for garbage collection, in addition to the default namespace defined for the cloud. One namespace per line. + namespaces: "" + # namespaces: |- + # namespaceOne + # namespaceTwo + # -- Timeout value for orphaned pods + timeout: 300 + # -- Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it idleMinutes: 0
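Review bot: The comment on `garbageCollection.timeout` gives no unit, and since the setting decides when pods are deleted a misread value has real consequences: `# -- Timeout value for orphaned pods` sits next to `timeout: 300`. The default suggests seconds, but that is an inference from the number, not something the hunk states. Once checked against the plugin documentation linked in the changelog entry, I would put the unit in the description, e.g. `# -- Time an orphaned pod may stay untouched before it is deleted, in <unit>`. A short note that too low a value risks removing pods that are still starting up would also help operators choose a safe setting.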