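---
# Source: jenkins/templates/service-account.yaml
# Identity the controller pod runs as; the two RoleBindings below attach to it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: default
  labels:
    "app.kubernetes.io/name": 'jenkins'
    "helm.sh/chart": "jenkins-5.5.8"
    "app.kubernetes.io/managed-by": "Helm"
    "app.kubernetes.io/instance": "jenkins"
    "app.kubernetes.io/component": "jenkins-controller"
---
# Source: jenkins/templates/secret.yaml
# NOTE(review): the values under `data` are base64-encoded, not encrypted, so
# this rendered manifest carries the Jenkins admin credential in recoverable
# form. If this output has been committed or shared, rotate the password, and
# prefer referencing a Secret that is created out of band (secret manager,
# sealed/external secret) over rendering the value into the manifest.
apiVersion: v1
kind: Secret
metadata:
  name: jenkins
  namespace: default
  labels:
    "app.kubernetes.io/name": 'jenkins'
    "helm.sh/chart": "jenkins-5.5.8"
    "app.kubernetes.io/managed-by": "Helm"
    "app.kubernetes.io/instance": "jenkins"
    "app.kubernetes.io/component": "jenkins-controller"
type: Opaque
data:
  jenkins-admin-password: "SUwyYzdKTEFqVUpPMTZRRXp5SldMYg=="
  jenkins-admin-user: "YWRtaW4="
---
# Source: jenkins/templates/config.yaml
# Init script and plugin list mounted at /var/jenkins_config in the controller pod.
apiVersion: v1
kind: ConfigMap
metadata:
  name: jenkins
  namespace: default
  labels:
    "app.kubernetes.io/name": 'jenkins'
    "app.kubernetes.io/managed-by": "Helm"
    "app.kubernetes.io/instance": "jenkins"
    "app.kubernetes.io/component": "jenkins-controller"
data:
  # NOTE(review): the script runs jenkins-plugin-cli with `--latest true`, so
  # dependencies of the plugins listed in plugins.txt resolve to whatever is
  # newest at pod start; the four pinned versions alone do not make the
  # installed plugin set reproducible. It then copies the result into
  # /var/jenkins_plugins, which the StatefulSet backs with a hostPath volume.
  apply_config.sh: |-
    set -e
    echo "disable Setup Wizard"
    # Prevent Setup Wizard when JCasC is enabled
    echo $JENKINS_VERSION > /var/jenkins_home/jenkins.install.UpgradeWizard.state
    echo $JENKINS_VERSION > /var/jenkins_home/jenkins.install.InstallUtil.lastExecVersion
    echo "download plugins"
    # Install missing plugins
    cp /var/jenkins_config/plugins.txt /var/jenkins_home;
    rm -rf /usr/share/jenkins/ref/plugins/*.lock
    version () { echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'; }
    if [ -f "/usr/share/jenkins/jenkins.war" ] && [ -n "$(command -v jenkins-plugin-cli)" 2>/dev/null ] && [ $(version $(jenkins-plugin-cli --version)) -ge $(version "2.1.1") ]; then
      jenkins-plugin-cli --verbose --war "/usr/share/jenkins/jenkins.war" --plugin-file "/var/jenkins_home/plugins.txt" --latest true;
    else
      /usr/local/bin/install-plugins.sh `echo $(cat /var/jenkins_home/plugins.txt)`;
    fi
    echo "copy plugins to shared volume"
    # Copy plugins to shared volume
    yes n | cp -i /usr/share/jenkins/ref/plugins/* /var/jenkins_plugins/;
    echo "finished initialization"
  plugins.txt: |-
    kubernetes:4285.v50ed5f624918
    workflow-aggregator:600.vb_57cdd26fdd7
    git:5.3.0
    configuration-as-code:1836.vccda_4a_122a_a_e
---
# Source: jenkins/templates/jcasc-config.yaml
# Jenkins Configuration-as-Code document; the k8s-sidecar containers select it
# through the `jenkins-jenkins-config` label and write it under casc_configs.
apiVersion: v1
kind: ConfigMap
metadata:
  name: "jenkins-jenkins-jcasc-config"
  namespace: default
  labels:
    "app.kubernetes.io/name": jenkins
    "helm.sh/chart": "jenkins-5.5.8"
    "app.kubernetes.io/managed-by": "Helm"
    "app.kubernetes.io/instance": "jenkins"
    "app.kubernetes.io/component": "jenkins-controller"
    jenkins-jenkins-config: "true"
data:
  # NOTE(review), security-relevant settings in the embedded document:
  #  - authorizationStrategy is loggedInUsersCanDoAnything: every authenticated
  #    account is effectively an administrator. Acceptable with the single
  #    local admin defined here; move to a matrix/role strategy before adding
  #    further users.
  #  - The kubernetes cloud schedules agent pods into namespace "default" under
  #    serviceAccount "default", so build pods share a namespace with the
  #    controller and inherit whatever that service account is granted.
  #  - jenkinsUrl and the agent JENKINS_URL use plain http inside the cluster.
  #  - The agent image is referenced by tag, not digest (see the image note on
  #    the StatefulSet).
  jcasc-default-config.yaml: |-
    jenkins:
      authorizationStrategy:
        loggedInUsersCanDoAnything:
          allowAnonymousRead: false
      securityRealm:
        local:
          allowsSignup: false
          enableCaptcha: false
          users:
          - id: "${chart-admin-username}"
            name: "Jenkins Admin"
            password: "${chart-admin-password}"
      disableRememberMe: false
      mode: NORMAL
      numExecutors: 0
      labelString: ""
      projectNamingStrategy: "standard"
      markupFormatter: plainText
      clouds:
      - kubernetes:
          containerCapStr: "10"
          defaultsProviderTemplate: ""
          connectTimeout: "5"
          readTimeout: "15"
          jenkinsUrl: "http://jenkins.default.svc.cluster.local:8080"
          jenkinsTunnel: "jenkins-agent.default.svc.cluster.local:50000"
          skipTlsVerify: false
          usageRestricted: false
          maxRequestsPerHostStr: "32"
          retentionTimeout: "5"
          waitForPodSec: "600"
          name: "kubernetes"
          namespace: "default"
          restrictedPssSecurityContext: false
          serverUrl: "https://kubernetes.default"
          credentialsId: ""
          podLabels:
          - key: "jenkins/jenkins-jenkins-agent"
            value: "true"
          templates:
            - name: "default"
              namespace: "default"
              id: 8314dfa444f232ecf345f75c14013fa4f399429ecdcb1e392744d515228c1cfa
              containers:
              - name: "jnlp"
                alwaysPullImage: false
                args: "^${computer.jnlpmac} ^${computer.name}"
                envVars:
                  - envVar:
                      key: "JENKINS_URL"
                      value: "http://jenkins.default.svc.cluster.local:8080/"
                image: "registry.cn-hangzhou.aliyuncs.com/newrain857/inbound-agent:3261.v9c670a_4748a_9-1"
                privileged: "false"
                resourceLimitCpu: 512m
                resourceLimitMemory: 512Mi
                resourceRequestCpu: 512m
                resourceRequestMemory: 512Mi
                ttyEnabled: false
                workingDir: /home/jenkins/agent
              idleMinutes: 0
              instanceCap: 2147483647
              label: "jenkins-jenkins-agent "
              nodeUsageMode: "NORMAL"
              podRetention: Never
              showRawYaml: true
              serviceAccount: "default"
              slaveConnectTimeoutStr: "100"
              yamlMergeStrategy: override
              inheritYamlMergeStrategy: false
      crumbIssuer:
        standard:
          excludeClientIPFromCrumb: true
    security:
      apiToken:
        creationOfLegacyTokenEnabled: false
        tokenGenerationOnCreationEnabled: false
        usageStatisticsEnabled: true
    unclassified:
      location:
        url: http://jenkins:8080
---
# Source: jenkins/templates/home-pvc.yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: jenkins
  namespace: default
  labels:
    "app.kubernetes.io/name": 'jenkins'
    "helm.sh/chart": "jenkins-5.5.8"
    "app.kubernetes.io/managed-by": "Helm"
    "app.kubernetes.io/instance": "jenkins"
    "app.kubernetes.io/component": "jenkins-controller"
spec:
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: "8Gi"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: jenkins-cache
  namespace: default
  labels:
    "app.kubernetes.io/name": 'jenkins'
    "helm.sh/chart": "jenkins-5.5.8"
    "app.kubernetes.io/managed-by": "Helm"
    "app.kubernetes.io/instance": "jenkins"
    "app.kubernetes.io/component": "jenkins-controller"
spec:
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: "8Gi"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: jenkins-tmp
  namespace: default
  labels:
    "app.kubernetes.io/name": 'jenkins'
    "helm.sh/chart": "jenkins-5.5.8"
    "app.kubernetes.io/managed-by": "Helm"
    "app.kubernetes.io/instance": "jenkins"
    "app.kubernetes.io/component": "jenkins-controller"
spec:
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: "3Gi"
---
# Source: jenkins/templates/rbac.yaml
# This role is used to allow Jenkins scheduling of agents via Kubernetes plugin.
# NOTE(review): the second rule grants create on pods and pods/exec for the
# whole `default` namespace. Whoever controls the Jenkins controller (or its
# service-account token) can therefore start pods and exec into any pod in
# that namespace, including the controller itself and unrelated workloads.
# Running agents in a dedicated namespace and binding this Role only there
# keeps that reach limited to build pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-schedule-agents
  namespace: default
  labels:
    "app.kubernetes.io/name": 'jenkins'
    "helm.sh/chart": "jenkins-5.5.8"
    "app.kubernetes.io/managed-by": "Helm"
    "app.kubernetes.io/instance": "jenkins"
    "app.kubernetes.io/component": "jenkins-controller"
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/exec", "pods/log", "persistentvolumeclaims", "events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods", "pods/exec", "persistentvolumeclaims"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
---
# Source: jenkins/templates/rbac.yaml
# The sidecar container which is responsible for reloading configuration changes
# needs permissions to watch ConfigMaps
# NOTE(review): read access covers every ConfigMap in the namespace, not only
# the ones labelled for JCasC; keep sensitive data out of ConfigMaps here.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-casc-reload
  namespace: default
  labels:
    "app.kubernetes.io/name": 'jenkins'
    "helm.sh/chart": "jenkins-5.5.8"
    "app.kubernetes.io/managed-by": "Helm"
    "app.kubernetes.io/instance": "jenkins"
    "app.kubernetes.io/component": "jenkins-controller"
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "watch", "list"]
---
# Source: jenkins/templates/rbac.yaml
# We bind the role to the Jenkins service account. The role binding is created in the namespace
# where the agents are supposed to run.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-schedule-agents
  namespace: default
  labels:
    "app.kubernetes.io/name": 'jenkins'
    "helm.sh/chart": "jenkins-5.5.8"
    "app.kubernetes.io/managed-by": "Helm"
    "app.kubernetes.io/instance": "jenkins"
    "app.kubernetes.io/component": "jenkins-controller"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-schedule-agents
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: default
---
# Source: jenkins/templates/rbac.yaml
# Grants the jenkins-casc-reload Role (ConfigMap read) to the controller's
# service account, which the config-reload sidecars run under.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-watch-configmaps
  namespace: default
  labels:
    "app.kubernetes.io/name": 'jenkins'
    "helm.sh/chart": "jenkins-5.5.8"
    "app.kubernetes.io/managed-by": "Helm"
    "app.kubernetes.io/instance": "jenkins"
    "app.kubernetes.io/component": "jenkins-controller"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-casc-reload
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: default
---
# Source: jenkins/templates/jenkins-agent-svc.yaml
# Inbound agent listener. NOTE(review): no NetworkPolicy appears in this
# rendered output, so by default any pod in the cluster can reach this port
# and the controller's 8080 — confirm whether one is applied separately.
apiVersion: v1
kind: Service
metadata:
  name: jenkins-agent
  namespace: default
  labels:
    "app.kubernetes.io/name": 'jenkins'
    "helm.sh/chart": "jenkins-5.5.8"
    "app.kubernetes.io/managed-by": "Helm"
    "app.kubernetes.io/instance": "jenkins"
    "app.kubernetes.io/component": "jenkins-controller"
spec:
  ports:
    - port: 50000
      targetPort: 50000
      name: agent-listener
  selector:
    "app.kubernetes.io/component": "jenkins-controller"
    "app.kubernetes.io/instance": "jenkins"
  type: ClusterIP
---
# Source: jenkins/templates/jenkins-controller-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: jenkins
  namespace: default
  labels:
    "app.kubernetes.io/name": 'jenkins'
    "helm.sh/chart": "jenkins-5.5.8"
    "app.kubernetes.io/managed-by": "Helm"
    "app.kubernetes.io/instance": "jenkins"
    "app.kubernetes.io/component": "jenkins-controller"
spec:
  ports:
    - port: 8080
      name: http
      targetPort: 8080
  selector:
    "app.kubernetes.io/component": "jenkins-controller"
    "app.kubernetes.io/instance": "jenkins"
  type: ClusterIP
---
# Source: jenkins/templates/jenkins-controller-statefulset.yaml
# Controller pod: two init containers (JCasC fetch, plugin install), the
# Jenkins container, and a config-reload sidecar.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: jenkins
  namespace: default
  labels:
    "app.kubernetes.io/name": 'jenkins'
    "helm.sh/chart": "jenkins-5.5.8"
    "app.kubernetes.io/managed-by": "Helm"
    "app.kubernetes.io/instance": "jenkins"
    "app.kubernetes.io/component": "jenkins-controller"
spec:
  serviceName: jenkins
  replicas: 1
  selector:
    matchLabels:
      "app.kubernetes.io/component": "jenkins-controller"
      "app.kubernetes.io/instance": "jenkins"
  template:
    metadata:
      labels:
        "app.kubernetes.io/name": 'jenkins'
        "app.kubernetes.io/managed-by": "Helm"
        "app.kubernetes.io/instance": "jenkins"
        "app.kubernetes.io/component": "jenkins-controller"
      annotations:
        checksum/config: 3a3286781194b90bc13d5d3ddd8a95f1fee4cd0da9b327167b798a030c73a3fa
    spec:
      securityContext:
        runAsUser: 1000
        fsGroup: 1000
        runAsNonRoot: true
      serviceAccountName: "jenkins"
      initContainers:
        # NOTE(review): every image in this pod comes from the `newrain857`
        # namespace on registry.cn-hangzhou.aliyuncs.com and is referenced by
        # mutable tag with IfNotPresent. That looks like a mirror rather than
        # the upstream publisher — verify provenance and pin each image by
        # digest (image@sha256:<DIGEST_PLACEHOLDER>) so the content cannot
        # change under the same tag.
        - name: config-reload-init
          image: "registry.cn-hangzhou.aliyuncs.com/newrain857/k8s-sidecar:1.27.5"
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: LABEL
              value: "jenkins-jenkins-config"
            - name: FOLDER
              value: "/var/jenkins_home/casc_configs"
            - name: NAMESPACE
              value: 'default'
            - name: METHOD
              value: "LIST"
          # No requests/limits are set for the sidecar containers.
          resources: {}
          volumeMounts:
            - name: sc-config-volume
              mountPath: "/var/jenkins_home/casc_configs"
            - name: jenkins-home
              mountPath: /var/jenkins_home
        - name: "init"
          image: "registry.cn-hangzhou.aliyuncs.com/newrain857/jenkins:2.462.1-jdk17"
          imagePullPolicy: "IfNotPresent"
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsGroup: 1000
            runAsUser: 1000
          command: [ "sh", "/var/jenkins_config/apply_config.sh" ]
          resources:
            limits:
              cpu: 2000m
              memory: 4096Mi
            requests:
              cpu: 50m
              memory: 256Mi
          volumeMounts:
            - mountPath: /var/jenkins_home
              name: jenkins-home
            - mountPath: /var/jenkins_config
              name: jenkins-config
            - mountPath: /usr/share/jenkins/ref/plugins
              name: plugins
            - mountPath: /var/jenkins_plugins
              name: plugin-dir
            - mountPath: /tmp
              name: tmp-volume
      containers:
        - name: jenkins
          image: "registry.cn-hangzhou.aliyuncs.com/newrain857/jenkins:2.462.1-jdk17"
          imagePullPolicy: "IfNotPresent"
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsGroup: 1000
            runAsUser: 1000
          args: [ "--httpPort=8080"]
          env:
            - name: SECRETS
              value: /run/secrets/additional
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            # NOTE(review): the JCasC reload token is the pod name, which for
            # a single-replica StatefulSet is fixed and easy to guess, so it
            # does not act as a secret. Limit which workloads can reach port
            # 8080 (for example with a NetworkPolicy) rather than relying on it.
            - name: JAVA_OPTS
              value: >-
                -Dcasc.reload.token=$(POD_NAME)
            - name: JENKINS_OPTS
              value: >-
                --webroot=/var/jenkins_cache/war
            - name: JENKINS_SLAVE_AGENT_PORT
              value: "50000"
            - name: CASC_JENKINS_CONFIG
              value: /var/jenkins_home/casc_configs
          ports:
            - containerPort: 8080
              name: http
            - containerPort: 50000
              name: agent-listener
          startupProbe:
            failureThreshold: 12
            httpGet:
              path: '/login'
              port: http
            periodSeconds: 10
            timeoutSeconds: 5
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: '/login'
              port: http
            periodSeconds: 10
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: '/login'
              port: http
            periodSeconds: 10
            timeoutSeconds: 5
          resources:
            limits:
              cpu: 2000m
              memory: 4096Mi
            requests:
              cpu: 50m
              memory: 256Mi
          volumeMounts:
            - mountPath: /var/jenkins_home
              name: jenkins-home
              readOnly: false
            - mountPath: /var/jenkins_config
              name: jenkins-config
              readOnly: true
            # Writable hostPath-backed directory mounted where the controller
            # reads its plugins from (see the plugin-dir volume note below).
            - mountPath: /usr/share/jenkins/ref/plugins/
              name: plugin-dir
              readOnly: false
            - name: sc-config-volume
              mountPath: /var/jenkins_home/casc_configs
            - name: jenkins-secrets
              mountPath: /run/secrets/additional
              readOnly: true
            - name: jenkins-cache
              mountPath: /var/jenkins_cache
            - mountPath: /tmp
              name: tmp-volume
        - name: config-reload
          image: "registry.cn-hangzhou.aliyuncs.com/newrain857/k8s-sidecar:1.27.5"
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: LABEL
              value: "jenkins-jenkins-config"
            - name: FOLDER
              value: "/var/jenkins_home/casc_configs"
            - name: NAMESPACE
              value: 'default'
            - name: REQ_URL
              value: "http://localhost:8080/reload-configuration-as-code/?casc-reload-token=$(POD_NAME)"
            - name: REQ_METHOD
              value: "POST"
            - name: REQ_RETRY_CONNECT
              value: "10"
          resources: {}
          volumeMounts:
            - name: sc-config-volume
              mountPath: "/var/jenkins_home/casc_configs"
            - name: jenkins-home
              mountPath: /var/jenkins_home
      volumes:
        - name: plugins
          emptyDir: {}
        - name: jenkins-config
          configMap:
            name: jenkins
        # NOTE(review): hostPath exposes a node directory to the pod and ties
        # the controller to nodes that have it. Anything able to write to
        # /mnt/nfs-data/plugins (other pods with the same hostPath, node users,
        # presumably other NFS clients — confirm) can place files that Jenkins
        # then treats as plugins. A PersistentVolumeClaim with access limited
        # to this workload gives the same sharing without the node-level
        # exposure; many Pod Security baselines reject hostPath outright.
        - name: plugin-dir
          hostPath:
            path: /mnt/nfs-data/plugins
        - name: jenkins-secrets
          projected:
            sources:
              - secret:
                  name: jenkins
                  items:
                    - key: jenkins-admin-user
                      path: chart-admin-username
                    - key: jenkins-admin-password
                      path: chart-admin-password
        - name: jenkins-cache
          persistentVolumeClaim:
            claimName: jenkins-cache
        - name: jenkins-home
          persistentVolumeClaim:
            claimName: jenkins
        - name: sc-config-volume
          emptyDir: {}
        - name: tmp-volume
          persistentVolumeClaim:
            claimName: jenkins-tmp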