diff --git a/README.md b/README.md
index 608f93a4..a3943712 100644
--- a/README.md
+++ b/README.md
@@ -6,3 +6,9 @@ parameters but _not_ when changing the pipeline to be run, manually trigger the
 sqre/seeds/dm-jobs job to rebuild the interface.
 [![Build Status](https://travis-ci.org/lsst-dm/jenkins-dm-jobs.png)](https://travis-ci.org/lsst-dm/jenkins-dm-jobs)
+
+Installing jenkins
+---
+
+`seeds` contains a README plus a helm values file for deploying a Jenkins
+controller at SLAC. Read that README for more details.
diff --git a/seeds/README.md b/seeds/README.md
index 28a9e829..fc8bd09b 100644
--- a/seeds/README.md
+++ b/seeds/README.md
@@ -1,4 +1,64 @@
+# Seed Jobs for Jenkins
+
 This directory is for seed jobs for jenkins. Whilst it is in theory possible to configure seed jobs via the helm file, it seems the groovy inside yaml inside yaml breaks, and so having the groovy files be separate is a smarter thing to do.
+
+It appears that the original seed job system was based on
+. It is worth referring to
+that repository to understand how seed jobs are set up.
+
+## Why use helm to set up jenkins
+
+As per , there are three
+ways of installing jenkins into a kubernetes cluster:
+
+* Use the kubernetes operator
+* Use the provided helm chart
+* Manually define the setup using standard kubernetes objects
+
+Whilst using the kubernetes operator would be ideal, the way it is currently set
+up requires that all plugins and jobs are predefined, and there appears to be no
+long term storage of config or runs. As jenkins plugins can be quite finicky,
+this involves large amounts of trial and error.
+
+Whilst manually setting up the system might give more control of the system, it
+does involve more maintenance overhead than the other two options, and does not
+allow as easy configuration of the system.
+
+## Setting up helm for installing jenkins
+
+See for how to install helm.
+
+Once helm is installed, you need to add the helm repository containing the
+jenkins helm charts:
+
+```
+helm repo add jenkinsci
+```
+
+This should now appear on the list of installed repositories that appear by
+running `helm repo list`.
+
+## Installing jenkins via helm
+
+As per , running:
+
+```
+helm install -n jenkinsci/jenkins -f
+```
+
+will install the jenkins helm chart with the config that has been specific in
+the given files.
+
+You should not need to modify the files too much, but there are certain sections
+you will want to be familiar with:
+
+* `installPlugins` and `additionalPlugins`: Plugins needed for the system.
+ Jenkins is a bit picky about versions, so you may need to work out which
+ plugins are leaf plugins and install those, rather than trying to lock
+ everything.
+* `JCasC`: This is where jenkins config is injected. Things like security
+ properties, seed jobs and authentication are configured here.
+* `ingress`: This is where we configure external access to jenkins.
diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml
new file mode 100644
index 00000000..dddbc1ca
--- /dev/null
+++ b/seeds/dev-values.yaml
@@ -0,0 +1,1537 @@
+---
+# yamllint disable rule:line-length
+
+# From https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/values.yaml
+
+# Default values for jenkins.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+## Overrides for generated resource names
+# See templates/_helpers.tpl
+# nameOverride:
+# fullnameOverride:
+# namespaceOverride:
+
+# For FQDN resolving of the controller service. Change this value to match your existing configuration.
+# ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md
+clusterZone: "cluster.local"
+
+renderHelmLabels: true
+
+controller:
+ # Used for label app.kubernetes.io/component
+ componentName: "jenkins-controller"
+ image:
+ registry: "docker.io"
+ repository: "jenkins/jenkins"
+ tag: "2.440.2-lts-jdk21"
+ #tagLabel: jdk11
+ pullPolicy: "Always"
+ imagePullSecretName:
+ # Optionally configure lifetime for controller-container
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ [
+ "/bin/sh",
+ "-c",
+ "echo 'handlers = java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.level = ALL\n.level= ALL' > /var/jenkins_home/logging.properties",
+ ]
+ disableRememberMe: false
+ numExecutors: 0
+ # configures the executor mode of the Jenkins node. Possible values are: NORMAL or EXCLUSIVE
+ executorMode: "NORMAL"
+ # This is ignored if enableRawHtmlMarkupFormatter is true
+ markupFormatter: plainText
+ customJenkinsLabels: []
+ # The default configuration uses this secret to configure an admin user
+ # If you don't need that user or use a different security realm then you can disable it
+
+ hostNetworking: false
+ # When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist.
+ # If you disable the non-Jenkins identity store and instead use the Jenkins internal one,
+ # you should revert controller.adminUser to your preferred admin user:
+
+ # adminPassword:
+ admin:
+ existingSecret: ""
+ userKey: jenkins-admin-user
+ passwordKey: jenkins-admin-password
+ createSecret: true
+ username: "admin"
+ # This values should not be changed unless you use your custom image of
+ # jenkins or any devired from. If you want to use Cloudbees Jenkins
+ # Distribution docker, you should set jenkinsHome:
+ # "/var/cloudbees-jenkins-distribution"
+ jenkinsHome: "/var/jenkins_home"
+ # This values should not be changed unless you use your custom image of
+ # jenkins or any devired from. If you want to use Cloudbees Jenkins
+ # Distribution docker, you should set jenkinsRef:
+ # "/usr/share/cloudbees-jenkins-distribution/ref"
+ jenkinsRef: "/usr/share/jenkins/ref"
+ # Path to the jenkins war file which is used by jenkins-plugin-cli.
+ jenkinsWar: "/usr/share/jenkins/jenkins.war"
+ # Overrides the default arguments passed to the war
+ # overrideArgs:
+ # - --httpPort=8080
+ resources:
+ requests:
+ cpu: "50m"
+ memory: "256Mi"
+ limits:
+ cpu: "2000m"
+ memory: "4096Mi"
+ # Overrides the init container default values
+ # initContainerResources:
+ # requests:
+ # cpu: "50m"
+ # memory: "256Mi"
+ # limits:
+ # cpu: "2000m"
+ # memory: "4096Mi"
+ # Environment variables that get added to the init container (useful for e.g.
+ # http_proxy)
+ initContainerEnv:
+ # - name: CASC_VAULT_TOKEN
+ # valueFrom:
+ # secretKeyRef:
+ # name: vault-token
+ # key: VAULT_TOKEN
+
+ - name: CASC_VAULT_APPROLE
+ valueFrom:
+ secretKeyRef:
+ name: vault-approle
+ key: APPROLE_ID
+ - name: CASC_VAULT_APPROLE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: vault-approle
+ key: APPROLE_SECRET
+ - name: CASC_VAULT_URL
+ value: https://vault.slac.stanford.edu
+ - name: CASC_VAULT_PATHS
+ value: secret/rubin/rubin-jenkins-control-dev/common,secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control-dev/aws-eups-push,secret/rubin/rubin-jenkins-control-dev/aws-eups-backup,secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push,secret/rubin/rubin-jenkins-control-dev/slack-lsstc-token,secret/rubin/rubin-jenkins-control-dev/ghslacker,secret/rubin/rubin-jenkins-control-dev/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control-dev/sqre-osx,secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push,secret/rubin/rubin-jenkins-control-dev/github_backup,secret/rubin/rubin-jenkins-control-dev/squash-api-user,secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws,secret/rubin/rubin-jenkins-control-dev/ltd-keeper,secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa,secret/rubin/rubin-jenkins-control-dev/github-oauth,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control-dev/sqre-osx-dev,secret/rubin/rubin-jenkins-control-dev/sqre-mini
+ - name: HTTP_PROXY
+ value: http://sdfproxy.sdf.slac.stanford.edu:3128
+ - name: HTTPS_PROXY
+ value: http://sdfproxy.sdf.slac.stanford.edu:3128
+ - name: http_proxy
+ value: http://sdfproxy.sdf.slac.stanford.edu:3128
+ - name: https_proxy
+ value: http://sdfproxy.sdf.slac.stanford.edu:3128
+ - name: no_proxy
+ value: "*.slac.stanford.edu"
+ - name: NO_PROXY
+ value: "*.slac.stanford.edu"
+ - name: JAVA_TOOL_OPTIONS
+ value:
+ "-Dhttp.nonProxyHosts='*.slac.stanford.edu'
+ -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128
+ -Dhttps.nonProxyHosts='*.slac.stanford.edu'
+ -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128
+ -Duser.timezone=America/Los_Angeles"
+ #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties"
+ - name: TZ
+ value: America/Los_Angeles
+ #- name: VAULT_TOKEN_LEASE_DURATION
+ # valueFrom:
+ # secretKeyRef:
+ # name: vault-secrets-operator
+ # key: VAULT_TOKEN_LEASE_DURATION
+ # - name: http_proxy
+ # value: "http://192.168.64.1:3128"
+ containerEnv:
+ - name: CASC_VAULT_APPROLE
+ valueFrom:
+ secretKeyRef:
+ name: vault-approle
+ key: APPROLE_ID
+ - name: CASC_VAULT_APPROLE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: vault-approle
+ key: APPROLE_SECRET
+ #- name: CASC_VAULT_TOKEN
+ # valueFrom:
+ # secretKeyRef:
+ # name: vault-token2
+ # key: VAULT_TOKEN
+ - name: CASC_VAULT_URL
+ value: https://vault.slac.stanford.edu
+ - name: CASC_VAULT_PATHS
+ value: secret/rubin/rubin-jenkins-control-dev/common,secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control-dev/aws-eups-push,secret/rubin/rubin-jenkins-control-dev/aws-eups-backup,secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push,secret/rubin/rubin-jenkins-control-dev/slack-lsstc-token,secret/rubin/rubin-jenkins-control-dev/ghslacker,secret/rubin/rubin-jenkins-control-dev/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control-dev/sqre-osx,secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push,secret/rubin/rubin-jenkins-control-dev/github_backup,secret/rubin/rubin-jenkins-control-dev/squash-api-user,secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws,secret/rubin/rubin-jenkins-control-dev/ltd-keeper,secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa,secret/rubin/rubin-jenkins-control-dev/github-oauth,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control-dev/sqre-osx-dev,secret/rubin/rubin-jenkins-control-dev/sqre-mini
+ - name: HTTP_PROXY
+ value: http://sdfproxy.sdf.slac.stanford.edu:3128
+ - name: HTTPS_PROXY
+ value: http://sdfproxy.sdf.slac.stanford.edu:3128
+ - name: http_proxy
+ value: http://sdfproxy.sdf.slac.stanford.edu:3128
+ - name: https_proxy
+ value: http://sdfproxy.sdf.slac.stanford.edu:3128
+ - name: no_proxy
+ value: "*.slac.stanford.edu"
+ - name: NO_PROXY
+ value: "*.slac.stanford.edu"
+ - name: TZ
+ value: America/Los_Angeles
+ - name: JAVA_TOOL_OPTIONS
+ value:
+ "-Dhttp.nonProxyHosts='*.slac.stanford.edu'
+ -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128
+ -Dhttps.nonProxyHosts='*.slac.stanford.edu'
+ -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128
+ -Duser.timezone=America/Los_Angeles"
+ #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties"
+ #- name: VAULT_TOKEN_LEASE_DURATION
+ # valueFrom:
+ # secretKeyRef:
+ # name: vault-secrets-operator
+ # key: VAULT_TOKEN_LEASE_DURATION
+ # Set min/max heap here if needed with:
+ # javaOpts: "-Xms512m -Xmx512m"
+ # jenkinsOpts: ""
+ # If you are using the ingress definitions provided by this chart via the
+ # `controller.ingress` block the configured hostname will be the ingress
+ # hostname starting with `https://` or `http://` depending on the `tls`
+ # configuration.
+ # The Protocol can be overwritten by specifying
+ # `controller.jenkinsUrlProtocol`.
+ # jenkinsUrlProtocol: "https"
+ # If you are not using the provided ingress you can specify
+ # `controller.jenkinsUrl` to change the url definition.
+ # jenkinsUrl: ""
+ # If you set this prefix and use ingress controller then you might want to set
+ # the ingress path below
+ # jenkinsUriPrefix: "/jenkins"
+ # Enable pod security context (must be `true` if podSecurityContextOverride,
+ # runAsUser or fsGroup are set)
+ usePodSecurityContext: true
+ # Note that `runAsUser`, `fsGroup`, and `securityContextCapabilities` are
+ # being deprecated and replaced by `podSecurityContextOverride`.
+ # Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins' which
+ # exists in 'jenkins/jenkins' docker image.
+ # When setting runAsUser to a different value than 0 also set fsGroup to the
+ # same value:
+ runAsUser: 1000
+ fsGroup: 1000
+ # If you have PodSecurityPolicies that require dropping of capabilities as
+ # suggested by CIS K8s benchmark, put them here
+ securityContextCapabilities: {}
+ # drop:
+ # - NET_RAW
+ # Completely overwrites the contents of the `securityContext`, ignoring the
+ # values provided for the deprecated fields: `runAsUser`, `fsGroup`, and
+ # `securityContextCapabilities`. In the case of mounting an ext4 filesystem,
+ # it might be desirable to use `supplementalGroups` instead of `fsGroup` in
+ # the `securityContext` block: https://github.com/kubernetes/kubernetes/issues/67014#issuecomment-589915496
+ # podSecurityContextOverride:
+ # runAsUser: 1000
+ # runAsNonRoot: true
+ # supplementalGroups: [1000]
+ # # capabilities: {}
+ # Container securityContext
+ containerSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ servicePort: 8080
+ targetPort: 8080
+ # For minikube, set this to NodePort, elsewhere use LoadBalancer
+ # Use ClusterIP if your setup includes ingress controller
+ serviceType: ClusterIP
+ # Use Local to preserve the client source IP and avoids a second hop for
+ # LoadBalancer and Nodeport type services,
+ # but risks potentially imbalanced traffic spreading.
+ serviceExternalTrafficPolicy:
+ # Jenkins controller service annotations
+ serviceAnnotations: {}
+ # Jenkins controller custom labels
+ statefulSetLabels: {}
+ # foo: bar
+ # bar: foo
+ # Jenkins controller service labels
+ serviceLabels: {}
+ # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
+ # Put labels on Jenkins controller pod
+ podLabels: {}
+ # Used to create Ingress record (should used with ServiceType: ClusterIP)
+ # nodePort:
+ # -Dcom.sun.management.jmxremote.port=4000
+ # -Dcom.sun.management.jmxremote.authenticate=false
+ # -Dcom.sun.management.jmxremote.ssl=false
+ # jmxPort: 4000
+ # Optionally configure other ports to expose in the controller container
+ extraPorts: []
+ # - name: BuildInfoProxy
+ # port: 9000
+
+ # List of plugins to be install during Jenkins controller start
+ installPlugins:
+ - kubernetes:4147.va_d406fb_66172
+ - workflow-aggregator:596.v8c21c963d92d
+ - job-dsl:1.87
+ - blueocean:1.27.9
+ - configuration-as-code:1738.v2d8b_a_b_8a_54b_1
+ - matrix-auth:3.1.9
+ - hashicorp-vault-plugin:364.vf5d54b_3dc313
+
+ # Set to false to download the minimum required version of all dependencies.
+ installLatestPlugins: false
+
+ # Set to true to download latest dependencies of any plugin that is requested to have the latest version.
+ installLatestSpecifiedPlugins: true
+
+ # List of plugins to install in addition to those listed in controller.installPlugins
+ additionalPlugins:
+ #- ace-editor:1.1
+ - antisamy-markup-formatter:162.v0e6ec0fcfcf6
+ - apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
+ #depreciated - async-http-client:1.9.40.0
+ - authentication-tokens:1.53.v1c90fd9191a_b_
+ - blueocean-autofavorite:1.2.5
+ - blueocean-bitbucket-pipeline:1.27.9
+ - blueocean-commons:1.27.9
+ - blueocean-config:1.27.9
+ - blueocean-core-js:1.27.9
+ - blueocean-dashboard:1.27.9
+ - blueocean-display-url:2.4.2
+ - blueocean-events:1.27.9
+ - blueocean-github-pipeline:1.27.9
+ - blueocean-git-pipeline:1.27.9
+ - blueocean-i18n:1.27.9
+ - blueocean-jwt:1.27.9
+ - blueocean-personalization:1.27.9
+ - blueocean-pipeline-api-impl:1.27.9
+ - blueocean-pipeline-editor:1.27.9
+ - blueocean-pipeline-scm-api:1.27.9
+ - blueocean-rest:1.27.9
+ - blueocean-rest-impl:1.27.9
+ - blueocean-web:1.27.9
+ - bootstrap5-api:5.3.2-3
+ - bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9
+ - branch-api:2.1135.v8de8e7899051
+ - build-timeout:1.32
+ - build-user-vars-plugin:1.9
+ - caffeine-api:3.1.8-133.v17b_1ff2e0599
+ - checks-api:2.0.2
+ - cloudbees-bitbucket-branch-source:856.v04c46c86f911
+ - cloudbees-folder:6.858.v898218f3609d
+ - command-launcher:107.v773860566e2e
+ - commons-lang3-api:3.13.0-62.v7d18e55f51e2
+ - commons-text-api:1.11.0-94.v3e1f4a_926e49
+ - copyartifact:722.v0662a_9b_e22a_c
+ - credentials:1309.v8835d63eb_d8a_
+ - credentials-binding:642.v737c34dea_6c2
+ - data-tables-api:1.13.8-1
+ - display-url-api:2.200.vb_9327d658781
+ - docker-commons:439.va_3cb_0a_6a_fb_29
+ - dockerhub-notification:2.7.1
+ - docker-workflow:572.v950f58993843
+ - durable-task:523.va_a_22cf15d5e0
+ - echarts-api:5.4.3-1
+ - envinject:2.908.v66a_774b_31d93
+ - envinject-api:1.199.v3ce31253ed13
+ - external-monitor-job:215.v2e88e894db_f8
+ - favorite:2.4.3
+ - font-awesome-api:6.4.2-1
+ - git:5.2.1
+ - git-client:4.5.0
+ - github:1.37.3.1
+ - github-api:1.316-451.v15738eef3414
+ - github-branch-source:1751.v90e17c48a_6a_c
+ - github-oauth:597.ve0c3480fcb_d0
+ - git-server:99.va_0826a_b_cdfa_d
+ #depreciated - greenballs:1.15.1
+ - groovy:457.v99900cb_85593
+ #depreciated - handlebars:3.0.8
+ - handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
+ - htmlpublisher:1.32
+ #depreciated - icon-shim:3.0.0
+ - instance-identity:185.v303dc7c645f9
+ - ionicons-api:56.v1b_1c8c49374e
+ - jackson2-api:2.15.3-372.v309620682326
+ - jakarta-activation-api:2.0.1-3
+ - jakarta-mail-api:2.0.1-3
+ - javadoc:243.vb_b_503b_b_45537
+ - javax-activation-api:1.2.0-6
+ - javax-mail-api:1.6.2-9
+ - jaxb:2.3.9-1
+ - jdk-tool:73.vddf737284550
+ - jenkins-design-language:1.27.9
+ - jersey2-api:2.41-133.va_03323b_a_1396
+ - jira:3.11
+ - jjwt-api:0.11.5-77.v646c772fddb_0
+ - jquery:1.12.4-1
+ #depreciated - jquery-detached:1.2.1
+ - jquery3-api:3.7.1-1
+ - jsch:0.2.8-65.v052c39de79b_2
+ - junit:1240.vf9529b_881428
+ - kubernetes-client-api:6.8.1-224.vd388fca_4db_3b_
+ - kubernetes-credentials:0.11
+ - lockable-resources:1185.v0c528656ce04
+ - log-parser:2.3.1
+ - mailer:463.vedf8358e006b_
+ - matrix-project:818.v7eb_e657db_924
+ - mercurial:1260.vdfb_723cdcc81
+ - mina-sshd-api-common:2.11.0-86.v836f585d47fa_
+ - mina-sshd-api-core:2.11.0-86.v836f585d47fa_
+ - metrics:4.2.18-442.v02e107157925
+ #depreciated - momentjs:1.1.1
+ #depreciated - need alternative? - multiple-scms:0.8
+ - nodelabelparameter:1.12.0
+ - okhttp-api:4.11.0-157.v6852a_a_fa_ec11
+ - parameterized-trigger:787.v665fcf2a_830b_
+ - pipeline-build-step:516.v8ee60a_81c5b_9
+ - pipeline-graph-analysis:202.va_d268e64deb_3
+ - pipeline-groovy-lib:689.veec561a_dee13
+ - pipeline-input-step:477.v339683a_8d55e
+ - pipeline-milestone-step:111.v449306f708b_7
+ - pipeline-model-api:2.2151.ve32c9d209a_3f
+ #depreciated - pipeline-model-declarative-agent:1.1.1
+ - pipeline-model-definition:2.2151.ve32c9d209a_3f
+ - pipeline-model-extensions:2.2151.ve32c9d209a_3f
+ - pipeline-rest-api:2.34
+ - pipeline-stage-step:305.ve96d0205c1c6
+ - pipeline-stage-tags-metadata:2.2151.ve32c9d209a_3f
+ - pipeline-stage-view:2.34
+ - pipeline-utility-steps:2.16.0
+ - plain-credentials:143.v1b_df8b_d3b_e48
+ - plugin-util-api:3.6.0
+ - popper2-api:2.11.6-4 #depreciated but needed for bootstrap5-api
+ - postbuildscript:3.2.0-550.v88192b_d3e922
+ - pubsub-light:1.18
+ - purge-build-queue-plugin:88.v23b_97b_f2c7a_d
+ - rebuild:330.v645b_7df10e2a_
+ - run-condition:1.7
+ - saferestart:0.7
+ - scm-api:683.vb_16722fb_b_80b_
+ - script-security:1281.v22fb_899df1a_e
+ - snakeyaml-api:2.2-111.vc6598e30cc65
+ - sse-gateway:1.26
+ - ssh-agent:346.vda_a_c4f2c8e50
+ - ssh-credentials:308.ve4497b_ccd8f4
+ - sshd:3.312.v1c601b_c83b_0e
+ - ssh-slaves:1.29.4
+ - structs:325.vcb_307d2a_2782
+ - swarm:3.41
+ - token-macro:384.vf35b_f26814ec
+ - trilead-api:2.84.v72119de229b_7
+ - variant:60.v7290fc0eb_b_cd
+ #depreciated - windows-slaves:1.8.1 need to find alternative?
+ - workflow-api:1283.v99c10937efcb_
+ - workflow-basic-steps:1042.ve7b_140c4a_e0c
+ - workflow-cps:3806.va_3a_6988277b_2
+ #depreciated - workflow-cps-global-lib:609.vd95673f149b_b
+ - workflow-durable-task-step:1289.v4d3e7b_01546b_
+ - workflow-job:1360.vc6700e3136f5
+ - workflow-multibranch:756.v891d88f2cd46
+ - workflow-scm-step:415.v434365564324
+ - workflow-step-api:639.v6eca_cd8c04a_a_
+ - workflow-support:865.v43e78cc44e0d
+
+ # Enable to initialize the Jenkins controller only once on initial installation.
+ # Without this, whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates which has the potential to cause breakage.
+ # Note that for this to work, `persistence.enabled` needs to be set to `true`
+ initializeOnce: false
+
+ # Enable to always override the installed plugins with the values of 'controller.installPlugins' on upgrade or redeployment.
+ # overwritePlugins: true
+
+ # Configures if plugins bundled with `controller.image` should be overwritten with the values of 'controller.installPlugins' on upgrade or redeployment.
+ overwritePluginsFromImage: true
+
+ # Configures the restrictions for naming projects. Set this key to null or empty to skip it in the default config.
+ projectNamingStrategy: standard
+
+ # Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter), useful with ghprb plugin.
+ # The plugin is not installed by default, please update controller.installPlugins.
+ enableRawHtmlMarkupFormatter: false
+ # Used to approve a list of groovy functions in pipelines used the script-security plugin. Can be viewed under /scriptApproval
+ scriptApproval:
+ - "method java.nio.file.Path getFileName"
+ - "method groovy.json.JsonBuilder toPrettyString"
+ - "method groovy.json.JsonSlurperClassic parseText java.lang.String"
+ - "method groovy.lang.GString getBytes"
+ - "method hudson.model.Actionable getAction java.lang.Class"
+ - "method hudson.model.Cause$UserIdCause getUserId"
+ - "method hudson.model.CauseAction getShortDescription"
+ - "method hudson.model.Run getCause java.lang.Class"
+ - "method hudson.model.Run getDurationString"
+ - "method java.lang.StackTraceElement getMethodName"
+ - "method java.lang.Throwable getStackTrace"
+ - "method java.net.HttpURLConnection getResponseCode"
+ - "method java.net.HttpURLConnection setRequestMethod java.lang.String"
+ - "method java.net.URL openConnection"
+ - "method java.net.URLConnection getInputStream"
+ - "method java.net.URLConnection getOutputStream"
+ - "method java.net.URLConnection setDoOutput boolean"
+ - "method java.net.URLConnection setRequestProperty java.lang.String java.lang.String"
+ - "method java.nio.file.Path relativize java.nio.file.Path"
+ - "method java.security.MessageDigest digest"
+ - "method java.security.MessageDigest update byte[]"
+ - "method java.time.format.DateTimeFormatter format java.time.temporal.TemporalAccessor"
+ - "method java.time.format.DateTimeFormatter withZone java.time.ZoneId"
+ - "method org.jenkinsci.plugins.workflow.support.steps.build.RunWrapper build"
+ - "new groovy.json.JsonBuilder java.lang.Object"
+ - "new groovy.json.JsonSlurperClassic"
+ - "new java.lang.Throwable"
+ - "staticMethod java.lang.Thread sleep long"
+ - "staticMethod java.net.URLEncoder encode java.lang.String"
+ - "staticMethod java.nio.file.Path of java.lang.String java.lang.String[]"
+ - "staticMethod java.security.MessageDigest getInstance java.lang.String"
+ - "staticMethod java.time.Instant now"
+ - "staticMethod java.time.Instant ofEpochMilli long"
+ - "staticMethod java.time.LocalDate now java.time.ZoneId"
+ - "staticMethod java.time.ZoneId of java.lang.String"
+ - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getText java.io.InputStream"
+ - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getText java.net.URL"
+ - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods isDigit java.lang.Character"
+ - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods leftShift java.io.OutputStream java.lang.Object"
+ - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tr java.lang.String java.lang.String java.lang.String"
+ - "staticMethod org.codehaus.groovy.runtime.EncodingGroovyMethods encodeBase64 byte[]"
+ - "staticMethod org.codehaus.groovy.runtime.EncodingGroovyMethods encodeHex byte[]"
+ - "staticMethod org.codehaus.groovy.runtime.StackTraceUtils sanitize java.lang.Throwable"
+ - "method java.net.URL openConnection"
+ # List of groovy init scripts to be executed during Jenkins controller start
+ initScripts: {}
+ # - |
+ # print 'adding global pipeline libraries, register properties, bootstrap jobs...'
+
+ # 'name' is a name of an existing secret in same namespace as jenkins,
+ # 'keyName' is the name of one of the keys inside current secret.
+ # the 'name' and 'keyName' are concatenated with a '-' in between, so for example:
+ # an existing secret "secret-credentials" and a key inside it named "github-password" should be used in Jcasc as ${secret-credentials-github-password}
+ # 'name' and 'keyName' must be lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-',
+ # and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc')
+ additionalExistingSecrets: []
+ # - name: github-oauth
+ # keyName: client-id
+ # - name: github-oauth
+ # keyName: client-secret
+
+ additionalSecrets: []
+ # - name: nameOfSecret
+ # value: secretText
+
+ # Generate SecretClaim resources in order to create Kubernetes secrets from HashiCorp Vault using kube-vault-controller.
+ # 'name' is name of the secret that will be created in Kubernetes. The Jenkins fullname is prepended to this value.
+ # 'path' is the fully qualified path to the secret in Vault
+ # 'type' is an optional Kubernetes secret type. Defaults to 'Opaque'
+ # 'renew' is an optional secret renewal time in seconds
+ secretClaims: []
+ # - name: secretName # required
+ # path: testPath # required
+ # type: kubernetes.io/tls # optional
+ # renew: 60 # optional
+
+ # Name of default cloud configuration.
+ cloudName: "kubernetes"
+
+ # Below is the implementation of Jenkins Configuration as Code. Add a key under configScripts for each configuration area,
+ # where each corresponds to a plugin or section of the UI. Each key (prior to | character) is just a label, and can be any value.
+ # Keys are only used to give the section a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label
+ # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in
+ # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each |
+ # become the content of the configuration yaml file. The first line after this is a JCasC root element, eg jenkins, credentials,
+ # etc. Best reference is https:///configuration-as-code/reference.
+ JCasC:
+ defaultConfig: true
+ # Ignored if securityRealm is defined in controller.JCasC.configScripts
+ securityRealm: |-
+ #local:
+ # allowsSignup: false
+ # enableCaptcha: false
+ # users:
+ # - id: "${chart-admin-username}"
+ # name: "Jenkins Admin"
+ # password: "${chart-admin-password}"
+ github:
+ githubWebUri: "https://github.com"
+ githubApiUri: "https://api.github.com"
+ clientID: "${secret/rubin/rubin-jenkins-control-dev/github-oauth/client-id}"
+ clientSecret: "${secret/rubin/rubin-jenkins-control-dev/github-oauth/client-secret}"
+ oauthScopes: "read:org"
+ # Uses matrix-auth plugin to configure user and group permissions
+ authorizationStrategy: |-
+ globalMatrix:
+ permissions:
+ - "USER:Agent/Connect:sqre-user"
+ - "USER:Agent/Create:sqre-user"
+ - "GROUP:Job/Build:lsst*data-management"
+ - "GROUP:Job/Build:lsst-dm*data-management"
+ - "GROUP:Job/Build:lsst*simulations"
+ - "GROUP:Job/Build:lsst-sqre*friends"
+ - "GROUP:Job/Cancel:lsst*data-management"
+ - "GROUP:Job/Cancel:lsst-dm*data-management"
+ - "GROUP:Job/Cancel:lsst*simulations"
+ - "GROUP:Job/Cancel:lsst-sqre*friends"
+ - "GROUP:Job/Discover:lsst*data-management"
+ - "GROUP:Job/Discover:lsst-dm*data-management"
+ - "GROUP:Job/Discover:lsst*simulations"
+ - "GROUP:Job/Discover:lsst-sqre*friends"
+ - "GROUP:Job/Read:lsst*data-management"
+ - "GROUP:Job/Read:lsst-dm*data-management"
+ - "GROUP:Job/Read:lsst*simulations"
+ - "GROUP:Job/Read:lsst-sqre*friends"
+ - "USER:Overall/Administer:admin"
+ - "USER:Overall/Administer:aragilar"
+ - "USER:Overall/Administer:frossie"
+ - "USER:Overall/Administer:jhoblitt"
+ - "USER:Overall/Administer:ktlim"
+ - "USER:Overall/Administer:aranabhat"
+ - "GROUP:Overall/Administer:lsst-sqre*leeroy-wranglers"
+ - "GROUP:Overall/Administer:lsst-sqre*square"
+ - "USER:Overall/Administer:mwittgen"
+ - "USER:Overall/Administer:yee379"
+ - "GROUP:Overall/Read:lsst*data-management"
+ - "GROUP:Overall/Read:lsst-dm*data-management"
+ - "GROUP:Overall/Read:lsst*simulations"
+ - "GROUP:Overall/Read:lsst-sqre*friends"
+
+ configScripts:
+ welcome-message: |
+ jenkins:
+ systemMessage: This is the DEVELOPMENT instance of jenkins.
+ # Connects to specified vault paths and variables to provide all credentials
+ systemCredentials: |-
+ credentials:
+ system:
+ domainCredentials:
+ - credentials:
+ - string:
+ description: "name of conda channel bucket"
+ id: "cmirror-s3-bucket"
+ scope: GLOBAL
+ secret: "${secret/rubin/rubin-jenkins-control-dev/common/cmirror-s3-bucket}"
+ - string:
+ description: "name of doxygen s3 bucket"
+ id: "doxygen-push-bucket"
+ scope: GLOBAL
+ secret: "${secret/rubin/rubin-jenkins-control-dev/common/doxygen-push-bucket}"
+ - string:
+ description: "URL of doxygen site"
+ id: "doxygen-url"
+ scope: GLOBAL
+ secret: "${secret/rubin/rubin-jenkins-control-dev/common/doxygen-url}"
+ - string:
+ description: "name of EUPS backup s3 bucket"
+ id: "eups-backup-bucket"
+ scope: GLOBAL
+ secret: "${secret/rubin/rubin-jenkins-control-dev/common/eups-backup-bucket}"
+ - string:
+ description: "name of EUPS s3 bucket"
+ id: "eups-push-bucket"
+ scope: GLOBAL
+ secret: "${secret/rubin/rubin-jenkins-control-dev/common/eups-push-bucket}"
+ - string:
+ description: "URL of eups site"
+ id: "eups-url"
+ scope: GLOBAL
+ secret: "${secret/rubin/rubin-jenkins-control-dev/common/eups-url}"
+ - string:
+ description: "Name of Jenkins deployment"
+ id: "jenkins-env"
+ scope: GLOBAL
+ secret: "${secret/rubin/rubin-jenkins-control-dev/common/jenkins-env}"
+ - string:
+ description: "Default slack channel"
+ id: "slack-default-channel"
+ scope: GLOBAL
+ secret: "${secret/rubin/rubin-jenkins-control-dev/common/slack-default-channel}"
+ - string:
+ description: "Prefix for generated slack channels"
+ id: "slack-channel-prefix"
+ scope: GLOBAL
+ secret: "${secret/rubin/rubin-jenkins-control-dev/common/slack-channel-prefix}"
+ - usernamePassword:
+ description: "jenkins master snapshot AWS credentials"
+ id: "aws-jenkins-master-snapshot"
+ password: "${secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot/password}"
+ scope: GLOBAL
+ username: "${secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot/username}"
+ - usernamePassword:
+ description: "push EUPS packages -> s3"
+ id: "aws-eups-push"
+ password: "${secret/rubin/rubin-jenkins-control-dev/aws-eups-push/password}"
+ scope: GLOBAL
+ username: "${secret/rubin/rubin-jenkins-control-dev/aws-eups-push/username}"
+ - usernamePassword:
+ description: "backup EUPS s3 bucket -> s3 bucket"
+ id: "aws-eups-backup"
+ password: "${secret/rubin/rubin-jenkins-control-dev/aws-eups-backup/password}"
+ scope: GLOBAL
+ username: "${secret/rubin/rubin-jenkins-control-dev/aws-eups-backup/username}"
+ - usernamePassword:
+ description: "manage eups distrib tags in s3 bucket"
+ id: "aws-eups-tag-admin"
+ password: "${secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin/password}"
+ scope: GLOBAL
+ username: "${secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin/username}"
+ - usernamePassword:
+ description: "push doxygen builds -> s3"
+ id: "aws-doxygen-push"
+ password: "${secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push/password}"
+ scope: GLOBAL
+ username: "${secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push/username}"
+ - string:
+ description: "slack lsstc org API token"
+ id: "slack-lsstc-token"
+ scope: GLOBAL
+ secret: "${secret/rubin/rubin-jenkins-control-dev/slack-lsstc-token/token}"
+ - usernamePassword:
+ description: "api.lsst.codes/ghslacker"
+ id: "ghslacker"
+ password: "${secret/rubin/rubin-jenkins-control-dev/ghslacker/password}"
+ scope: GLOBAL
+ username: "${secret/rubin/rubin-jenkins-control-dev/ghslacker/username}"
+ - string:
+ description: "github API personal access token (sqreadmin)"
+ id: "github-api-token-sqreadmin"
+ scope: GLOBAL
+ secret: "${secret/rubin/rubin-jenkins-control-dev/github-api-token-sqreadmin/token}"
+ - basicSSHUserPrivateKey:
+ description: "github lsst/versiondb deploy key"
+ id: "github-jenkins-versiondb"
+ privateKeySource:
+ directEntry:
+ privateKey: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/private_key}"
+ scope: GLOBAL
+ username: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/username}"
+ - basicSSHUserPrivateKey:
+ description: "SQRE OSX build agents"
+ id: "sqre-osx"
+ privateKeySource:
+ directEntry:
+ privateKey: "${secret/rubin/rubin-jenkins-control-dev/sqre-osx/private_key}"
+ scope: GLOBAL
+ username: "${secret/rubin/rubin-jenkins-control-dev/sqre-osx/username}"
+ - basicSSHUserPrivateKey:
+ description: "mini OSX build agents"
+ id: "mini-osx"
+ privateKeySource:
+ directEntry:
+ privateKey: "${secret/rubin/rubin-jenkins-control-dev/sqre-mini/private_key}"
+ scope: GLOBAL
+ username: "${secret/rubin/rubin-jenkins-control/sqre-mini/username}"
+ - usernamePassword:
+ description: "push conda packages -> s3"
+ id: "aws-cmirror-push"
+ password: "${secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push/password}"
+ scope: GLOBAL
+ username: "${secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push/username}"
+ - usernamePassword:
+ description: "github_backup AWS credentials"
+ id: "github_backup"
+ password: "${secret/rubin/rubin-jenkins-control-dev/github_backup/password}"
+ scope: GLOBAL
+ username: "${secret/rubin/rubin-jenkins-control-dev/github_backup/username}"
+ - usernamePassword:
+ description: "user/pass for Squash API endpoint"
+ id: "squash-api-user"
+ password: "${secret/rubin/rubin-jenkins-control-dev/squash-api-user/password}"
+ scope: GLOBAL
+ username: "${secret/rubin/rubin-jenkins-control-dev/squash-api-user/username}"
+ - usernamePassword:
+ description: "dockerhub - sqreadmin"
+ id: "dockerhub-sqreadmin"
+ password: "${secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin/password}"
+ scope: GLOBAL
+ username: "${secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin/username}"
+ - usernamePassword:
+
description: "ltd-mason" + id: "ltd-mason-aws" + password: "${secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws/username}" + - usernamePassword: + description: "ltd-keeper" + id: "ltd-keeper" + password: "${secret/rubin/rubin-jenkins-control-dev/ltd-keeper/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/ltd-keeper/username}" + - usernamePassword: + description: "Google Archive Registry service account" + id: "google_archive_registry_sa" + password: "${secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa/username}" + + add-seed-job: | + jobs: + - url: https://raw.githubusercontent.com/lsst-dm/jenkins-dm-jobs/main/seeds/sqre/seed-jobs.groovy + security: + globaljobdslsecurityconfiguration: + useScriptSecurity: false + # Connects mac agents to jenkins controller + permanent-nodes: | + jenkins: + nodes: + - permanent: + labelString: "osx-12" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac1.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac1" + numExecutors: 1 + remoteFS: "/Users/squaredev/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-12" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac2.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac2" + numExecutors: 1 + remoteFS: "/Users/squaredev/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac3.lsst.cloud" + 
launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac3" + numExecutors: 1 + remoteFS: "/Users/squaredev/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac4.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac4" + numExecutors: 1 + remoteFS: "/Users/squaredev/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac5.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac5" + numExecutors: 1 + remoteFS: "/Users/squaredev/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac6.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac6" + numExecutors: 1 + remoteFS: "/Users/squaredev/j" + retentionStrategy: "always" + - permanent: + labelString: "mini" + name: "mini01" + launcher: + sSHLauncher: + credentialsId: "mini-osx" + host: "mac01.ls.lsst.org" + javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + numExecutors: 1 + remoteFS: "/Users/jenkins/j" + retentionStrategy: "always" + - permanent: + labelString: "mini" 
+ name: "mini02" + launcher: + sSHLauncher: + credentialsId: "mini-osx" + host: "mac02.ls.lsst.org" + javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + numExecutors: 1 + remoteFS: "/Users/jenkins/j" + retentionStrategy: "always" + - permanent: + labelString: "mini" + name: "mini03" + launcher: + sSHLauncher: + credentialsId: "mini-osx" + host: "mac03.ls.lsst.org" + javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + numExecutors: 1 + remoteFS: "/Users/jenkins/j" + retentionStrategy: "always" + - permanent: + labelString: "mini" + name: "mini04" + launcher: + sSHLauncher: + credentialsId: "mini-osx" + host: "mac04.ls.lsst.org" + javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + numExecutors: 1 + remoteFS: "/Users/jenkins/j" + retentionStrategy: "always" + - permanent: + labelString: "mini" + name: "mini05" + launcher: + sSHLauncher: + credentialsId: "mini-osx" + host: "mac05.ls.lsst.org" + javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + numExecutors: 1 + remoteFS: "/Users/jenkins/j" + retentionStrategy: "always" + - permanent: + labelString: "mini" + name: "mini06" + launcher: + sSHLauncher: + credentialsId: "mini-osx" + host: "mac06.ls.lsst.org" + javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" + 
launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + numExecutors: 1 + remoteFS: "/Users/jenkins/j" + retentionStrategy: "always" + + # Optionally specify additional init-containers + customInitContainers: [] + + sidecars: + configAutoReload: + # If enabled: true, Jenkins Configuration as Code will be reloaded on-the-fly without a reboot. If false or not-specified, + # jcasc changes will cause a reboot and will only be applied at the subsequent start-up. Auto-reload uses the + # http:///reload-configuration-as-code endpoint to reapply config when changes to the configScripts are detected. + enabled: false + image: + registry: docker.io + repository: kiwigrid/k8s-sidecar + tag: 1.26.1 + imagePullPolicy: IfNotPresent + resources: + {} + # limits: + # cpu: 100m + # memory: 100Mi + # requests: + # cpu: 50m + # memory: 50Mi + # How many connection-related errors to retry on + reqRetryConnect: 10 + # env: + # - name: REQ_TIMEOUT + # value: "30" + # SSH port value can be set to any unused TCP port. The default, 1044, is a non-standard SSH port that has been chosen at random. + # Is only used to reload jcasc config from the sidecar container running in the Jenkins controller pod. + # This TCP port will not be open in the pod (unless you specifically configure this), so Jenkins will not be + # accessible via SSH from outside of the pod. Note if you use non-root pod privileges (runAsUser & fsGroup), + # this must be > 1024: + sshTcpPort: 1044 + # folder in the pod that should hold the collected dashboards: + folder: "/var/jenkins_home/casc_configs" + # If specified, the sidecar will search for JCasC config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. 
+ # It's also possible to specify ALL to search in all namespaces: + # searchNamespace: + containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + + # Allows you to inject additional/other sidecars + other: [] + ## The example below runs the client for https://smee.io as sidecar container next to Jenkins, + ## that allows to trigger build behind a secure firewall. + ## https://jenkins.io/blog/2019/01/07/webhook-firewalls/#triggering-builds-with-webhooks-behind-a-secure-firewall + ## + ## Note: To use it you should go to https://smee.io/new and update the url to the generete one. + # - name: smee + # image: docker.io/twalter/smee-client:1.0.2 + # args: ["--port", "{{ .Values.controller.servicePort }}", "--path", "/github-webhook/", "--url", "https://smee.io/new"] + # resources: + # limits: + # cpu: 50m + # memory: 128Mi + # requests: + # cpu: 10m + # memory: 32Mi + # Name of the Kubernetes scheduler to use + schedulerName: "" + # Node labels and tolerations for pod assignment + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + nodeSelector: {} + + terminationGracePeriodSeconds: + + terminationMessagePath: + terminationMessagePolicy: + + tolerations: [] + + affinity: {} + # Leverage a priorityClass to ensure your pods survive resource shortages + # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + priorityClassName: + + podAnnotations: {} + # Add StatefulSet annotations + statefulSetAnnotations: {} + + # StatefulSet updateStrategy + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + updateStrategy: {} + + ingress: + enabled: true + # Override for the default paths that map requests to the backend + paths: [] + # - backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + # - backend: + # 
serviceName: >- + # {{ template "jenkins.fullname" . }} + # # Don't use string here, use only integer value! + # servicePort: 8080 + # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1' + # For Kubernetes v1.19+, use 'networking.k8s.io/v1' + apiVersion: "networking.k8s.io/v1" + labels: {} + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + # Set this path to jenkinsUriPrefix above or use annotations to rewrite path + # path: "/jenkins" + # configures the hostname e.g. jenkins.example.com + #hostName: jenkins26.lsst.test + hostName: rubin-ci-dev.slac.stanford.edu + tls: + # - secretName: jenkins.cluster.local + # hosts: + # - jenkins.cluster.local + + # often you want to have your controller all locked down and private + # but you still want to get webhooks from your SCM + # A secondary ingress will let you expose different urls + # with a differnt configuration + secondaryingress: + enabled: false + # paths you want forwarded to the backend + # ex /github-webhook + paths: [] + # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1' + # For Kubernetes v1.19+, use 'networking.k8s.io/v1' + apiVersion: "extensions/v1beta1" + labels: {} + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + # configures the hostname e.g. 
jenkins-external.example.com + hostName: + tls: + # - secretName: jenkins-external.example.com + # hosts: + # - jenkins-external.example.com + + # If you're running on GKE and need to configure a backendconfig + # to finish ingress setup, use the following values. + # Docs: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig + backendconfig: + enabled: false + apiVersion: "extensions/v1beta1" + name: + labels: {} + annotations: {} + spec: {} + + # Openshift route + route: + enabled: false + labels: {} + annotations: {} + # path: "/jenkins" + + # controller.hostAliases allows for adding entries to Pod /etc/hosts: + # https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + hostAliases: [] + # - ip: 192.168.50.50 + # hostnames: + # - something.local + # - ip: 10.0.50.50 + # hostnames: + # - other.local + + # Expose Prometheus metrics + prometheus: + # If enabled, add the prometheus plugin to the list of plugins to install + # https://plugins.jenkins.io/prometheus + enabled: false + # Additional labels to add to the ServiceMonitor object + serviceMonitorAdditionalLabels: {} + # Set a custom namespace where to deploy ServiceMonitor resource + # serviceMonitorNamespace: monitoring + scrapeInterval: 60s + # This is the default endpoint used by the prometheus plugin + scrapeEndpoint: /prometheus + # Additional labels to add to the PrometheusRule object + alertingRulesAdditionalLabels: {} + # An array of prometheus alerting rules + # See here: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ + # The `groups` root object is added by default, simply add the rule entries + alertingrules: [] + # Set a custom namespace where to deploy PrometheusRule resource + prometheusRuleNamespace: "" + + # Can be used to disable rendering controller test resources when using helm template + testEnabled: true + + httpsKeyStore: + jenkinsHttpsJksSecretName: "" + enable: false + httpPort: 8081 + path: 
"/var/jenkins_keystore" + fileName: "keystore.jks" + password: "password" + # Convert keystore.jks files content to base64 ( cat keystore.jks | base64 ) and put the output here + jenkinsKeyStoreBase64Encoded: +agent: + enabled: false + defaultsProviderTemplate: "" + # URL for connecting to the Jenkins contoller + jenkinsUrl: + # connect to the specified host and port, instead of connecting directly to the Jenkins controller + jenkinsTunnel: + kubernetesConnectTimeout: 5 + kubernetesReadTimeout: 15 + maxRequestsPerHostStr: "32" + namespace: + image: + repository: "jenkins/inbound-agent" + tag: "4.11.2-4" + workingDir: "/home/jenkins/agent" + nodeUsageMode: "NORMAL" + customJenkinsLabels: [] + # name of the secret to be used for image pulling + imagePullSecretName: + componentName: "jenkins-agent" + websocket: false + privileged: false + runAsUser: + runAsGroup: + resources: + requests: + cpu: "512m" + memory: "512Mi" + limits: + cpu: "512m" + memory: "512Mi" + # You may want to change this to true while testing a new image + alwaysPullImage: false + # Controls how agent pods are retained after the Jenkins build completes + # Possible values: Always, Never, OnFailure + podRetention: "Never" + # Disable if you do not want the Yaml the agent pod template to show up + # in the job Console Output. This can be helpful for either security reasons + # or simply to clean up the output to make it easier to read. 
+ showRawYaml: true + # You can define the volumes that you want to mount for this container + # Allowed types are: ConfigMap, EmptyDir, HostPath, Nfs, PVC, Secret + # Configure the attributes as they appear in the corresponding Java class for that type + # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes + volumes: [] + # - type: ConfigMap + # configMapName: myconfigmap + # mountPath: /var/myapp/myconfigmap + # - type: EmptyDir + # mountPath: /var/myapp/myemptydir + # memory: false + # - type: HostPath + # hostPath: /var/lib/containers + # mountPath: /var/myapp/myhostpath + # - type: Nfs + # mountPath: /var/myapp/mynfs + # readOnly: false + # serverAddress: "192.0.2.0" + # serverPath: /var/lib/containers + # - type: PVC + # claimName: mypvc + # mountPath: /var/myapp/mypvc + # readOnly: false + # - type: Secret + # defaultMode: "600" + # mountPath: /var/myapp/mysecret + # secretName: mysecret + # Pod-wide environment, these vars are visible to any container in the agent pod + + # You can define the workspaceVolume that you want to mount for this container + # Allowed types are: DynamicPVC, EmptyDir, HostPath, Nfs, PVC + # Configure the attributes as they appear in the corresponding Java class for that type + # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes/workspace + workspaceVolume: {} + ## DynamicPVC example + # type: DynamicPVC + # configMapName: myconfigmap + ## EmptyDir example + # type: EmptyDir + # memory: false + ## HostPath example + # type: HostPath + # hostPath: /var/lib/containers + ## NFS example + # type: Nfs + # readOnly: false + # serverAddress: "192.0.2.0" + # serverPath: /var/lib/containers + ## PVC example + # type: PVC + # claimName: mypvc + # readOnly: false + # + # Pod-wide environment, these vars are visible to any container in the agent pod + envVars: [] + # - name: PATH + # value: /usr/local/bin 
+ nodeSelector: {} + # Key Value selectors. Ex: + # jenkins-agent: v1 + + # Executed command when side container gets started + command: + args: "${computer.jnlpmac} ${computer.name}" + # Side container name + sideContainerName: "jnlp" + # Doesn't allocate pseudo TTY by default + TTYEnabled: false + # Max number of spawned agent + containerCap: 10 + # Pod name + podName: "default" + # Allows the Pod to remain active for reuse until the configured number of + # minutes has passed since the last step was executed on it. + idleMinutes: 0 + # Raw yaml template for the Pod. For example this allows usage of toleration for agent pods. + # https://github.com/jenkinsci/kubernetes-plugin#using-yaml-to-define-pod-templates + # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + yamlTemplate: "" + # yamlTemplate: |- + # apiVersion: v1 + # kind: Pod + # spec: + # tolerations: + # - key: "key" + # operator: "Equal" + # value: "value" + # Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates: merge or override + yamlMergeStrategy: "override" + # Timeout in seconds for an agent to be online + connectTimeout: 100 + # Annotations to apply to the pod. + annotations: {} + + # Disable the default Jenkins Agent configuration. + # Useful when configuring agents only with the podTemplates value, since the default podTemplate populated by values mentioned above will be excluded in the rendered template. + disableDefaultAgent: false + + # Below is the implementation of custom pod templates for the default configured kubernetes cloud. + # Add a key under podTemplates for each pod template. Each key (prior to | character) is just a label, and can be any value. + # Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label + # characters: lowercase letters, numbers, and hyphens. Each pod template can contain multiple containers. 
+ # For this pod templates configuration to be loaded the following values must be set: + # controller.JCasC.defaultConfig: true + # Best reference is https:///configuration-as-code/reference#Cloud-kubernetes. The example below creates a python pod template. + podTemplates: {} + # python: | + # - name: python + # label: jenkins-python + # serviceAccount: jenkins + # containers: + # - name: python + # image: python:3 + # command: "/bin/sh -c" + # args: "cat" + # ttyEnabled: true + # privileged: true + # resourceRequestCpu: "400m" + # resourceRequestMemory: "512Mi" + # resourceLimitCpu: "1" + # resourceLimitMemory: "1024Mi" + +# Here you can add additional agents +# They inherit all values from `agent` so you only need to specify values which differ +additionalAgents: {} +# maven: +# podName: maven +# customJenkinsLabels: maven +# # An example of overriding the jnlp container +# # sideContainerName: jnlp +# image: jenkins/jnlp-agent-maven +# tag: latest +# python: +# podName: python +# customJenkinsLabels: python +# sideContainerName: python +# image: python +# tag: "3" +# command: "/bin/sh -c" +# args: "cat" +# TTYEnabled: true + +persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: + ## jenkins data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: + annotations: {} + labels: {} + accessMode: "ReadWriteOnce" + size: "800Gi" + volumes: + # - name: nothing + # emptyDir: {} + mounts: + # - mountPath: /var/nothing + # name: nothing + # readOnly: true + +networkPolicy: + # Enable creation of NetworkPolicy resources. 
+ enabled: false + # For Kubernetes v1.4, v1.5 and v1.6, use 'extensions/v1beta1' + # For Kubernetes v1.7, use 'networking.k8s.io/v1' + apiVersion: networking.k8s.io/v1 + # You can allow agents to connect from both within the cluster (from within specific/all namespaces) AND/OR from a given external IP range + internalAgents: + allowed: true + podLabels: {} + namespaceLabels: + {} + # project: myproject + externalAgents: {} + # ipCIDR: 172.17.0.0/16 + # except: + # - 172.17.1.0/24 + +## Install Default RBAC roles and bindings +rbac: + create: true + readSecrets: false + +serviceAccount: + create: true + # The name of the service account is autogenerated by default + name: + annotations: {} + imagePullSecretName: + +serviceAccountAgent: + # Specifies whether a ServiceAccount should be created + create: false + # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: + annotations: {} + imagePullSecretName: + +## Backup cronjob configuration +## Ref: https://github.com/maorfr/kube-tasks + +checkDeprecation: true + +awsSecurityGroupPolicies: + enabled: false + policies: + - name: "" + securityGroupIds: [] + podSelector: {} +... diff --git a/seeds/values.yaml b/seeds/values.yaml new file mode 100644 index 00000000..22e2185e --- /dev/null +++ b/seeds/values.yaml 
@@ -0,0 +1,1416 @@ +--- +# yamllint disable rule:line-length + +# From https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/values.yaml + +# Default values for jenkins. +# This is a YAML-formatted file. +# Declare name/value pairs to be passed into your templates. +# name: value + +## Overrides for generated resource names +# See templates/_helpers.tpl +# nameOverride: +# fullnameOverride: +# namespaceOverride: + +# For FQDN resolving of the controller service. Change this value to match your existing configuration. +# ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md +clusterZone: "cluster.local" + +renderHelmLabels: true + +controller: + # Used for label app.kubernetes.io/component + componentName: "jenkins-controller" + image: + registry: "docker.io" + repository: "jenkins/jenkins" + tag: "2.440.2-lts-jdk21" + #tagLabel: jdk11 + pullPolicy: "Always" + imagePullSecretName: + # Optionally configure lifetime for controller-container + lifecycle: + postStart: + exec: + command: + [ + "/bin/sh", + "-c", + "echo 'handlers = + java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.level + = ALL\n.level= ALL' > /var/jenkins_home/logging.properties", + ] + disableRememberMe: false + numExecutors: 0 + # configures the executor mode of the Jenkins node. Possible values are: NORMAL or EXCLUSIVE + executorMode: "NORMAL" + # This is ignored if enableRawHtmlMarkupFormatter is true + markupFormatter: plainText + customJenkinsLabels: [] + # The default configuration uses this secret to configure an admin user + # If you don't need that user or use a different security realm then you can disable it + + hostNetworking: false + # When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist. 
+ # If you disable the non-Jenkins identity store and instead use the Jenkins internal one, + # you should revert controller.adminUser to your preferred admin user: + + # adminPassword: + admin: + existingSecret: "" + userKey: jenkins-admin-user + passwordKey: jenkins-admin-password + createSecret: true + username: "admin" + # This values should not be changed unless you use your custom image of + # jenkins or any devired from. If you want to use Cloudbees Jenkins + # Distribution docker, you should set jenkinsHome: + # "/var/cloudbees-jenkins-distribution" + jenkinsHome: "/var/jenkins_home" + # This values should not be changed unless you use your custom image of + # jenkins or any devired from. If you want to use Cloudbees Jenkins + # Distribution docker, you should set jenkinsRef: + # "/usr/share/cloudbees-jenkins-distribution/ref" + jenkinsRef: "/usr/share/jenkins/ref" + # Path to the jenkins war file which is used by jenkins-plugin-cli. + jenkinsWar: "/usr/share/jenkins/jenkins.war" + # Overrides the default arguments passed to the war + # overrideArgs: + # - --httpPort=8080 + resources: + requests: + cpu: "50m" + memory: "256Mi" + limits: + cpu: "2000m" + memory: "4096Mi" + # Overrides the init container default values + # initContainerResources: + # requests: + # cpu: "50m" + # memory: "256Mi" + # limits: + # cpu: "2000m" + # memory: "4096Mi" + # Environment variables that get added to the init container (useful for e.g. 
+ # http_proxy) + initContainerEnv: + - name: CASC_VAULT_APPROLE + valueFrom: + secretKeyRef: + name: vault-approle + key: APPROLE_ID + - name: CASC_VAULT_APPROLE_SECRET + valueFrom: + secretKeyRef: + name: vault-approle + key: APPROLE_SECRET + - name: CASC_VAULT_URL + value: https://vault.slac.stanford.edu + - name: CASC_VAULT_PATHS + value: secret/rubin/rubin-jenkins-control/common,secret/rubin/rubin-jenkins-control/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control/aws-eups-push,secret/rubin/rubin-jenkins-control/aws-eups-backup,secret/rubin/rubin-jenkins-control/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control/aws-doxygen-push,secret/rubin/rubin-jenkins-control/slack-lsstc-token,secret/rubin/rubin-jenkins-control/ghslacker,secret/rubin/rubin-jenkins-control/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control/aws-cmirror-push,secret/rubin/rubin-jenkins-control/github_backup,secret/rubin/rubin-jenkins-control/squash-api-user,secret/rubin/rubin-jenkins-control/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control/ltd-mason-aws,secret/rubin/rubin-jenkins-control/ltd-keeper,secret/rubin/rubin-jenkins-control/google_archive_registry_sa,secret/rubin/rubin-jenkins-control/github-oauth + - name: HTTP_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: HTTPS_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: http_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: https_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: no_proxy + value: "*.slac.stanford.edu" + - name: NO_PROXY + value: "*.slac.stanford.edu" + - name: JAVA_TOOL_OPTIONS + value: + "-Dhttp.nonProxyHosts='*.slac.stanford.edu' + -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 + -Dhttps.nonProxyHosts='*.slac.stanford.edu' + -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu 
-Dhttps.proxyPort=3128 + -Duser.timezone=America/Los_Angeles" + #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties" + - name: TZ + value: America/Los_Angeles + #- name: VAULT_TOKEN_LEASE_DURATION + # valueFrom: + # secretKeyRef: + # name: vault-secrets-operator + # key: VAULT_TOKEN_LEASE_DURATION + # - name: http_proxy + # value: "http://192.168.64.1:3128" + containerEnv: + - name: CASC_VAULT_APPROLE + valueFrom: + secretKeyRef: + name: vault-approle + key: APPROLE_ID + - name: CASC_VAULT_APPROLE_SECRET + valueFrom: + secretKeyRef: + name: vault-approle + key: APPROLE_SECRET + #- name: CASC_VAULT_TOKEN + # valueFrom: + # secretKeyRef: + # name: vault-token2 + # key: VAULT_TOKEN + - name: CASC_VAULT_URL + value: https://vault.slac.stanford.edu + - name: CASC_VAULT_PATHS + value: 
secret/rubin/rubin-jenkins-control/common,secret/rubin/rubin-jenkins-control/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control/aws-eups-push,secret/rubin/rubin-jenkins-control/aws-eups-backup,secret/rubin/rubin-jenkins-control/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control/aws-doxygen-push,secret/rubin/rubin-jenkins-control/slack-lsstc-token,secret/rubin/rubin-jenkins-control/ghslacker,secret/rubin/rubin-jenkins-control/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control/aws-cmirror-push,secret/rubin/rubin-jenkins-control/github_backup,secret/rubin/rubin-jenkins-control/squash-api-user,secret/rubin/rubin-jenkins-control/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control/ltd-mason-aws,secret/rubin/rubin-jenkins-control/ltd-keeper,secret/rubin/rubin-jenkins-control/google_archive_registry_sa,secret/rubin/rubin-jenkins-control/github-oauth + - name: HTTP_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: HTTPS_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: http_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: https_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: no_proxy + value: "*.slac.stanford.edu" + - name: NO_PROXY + value: "*.slac.stanford.edu" + - name: TZ + value: America/Los_Angeles + - name: JAVA_TOOL_OPTIONS + value: + "-Dhttp.nonProxyHosts='*.slac.stanford.edu' + -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 + -Dhttps.nonProxyHosts='*.slac.stanford.edu' + -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 + -Duser.timezone=America/Los_Angeles" + #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 
-Djava.util.logging.config.file=/var/jenkins_home/logging.properties" + #- name: VAULT_TOKEN_LEASE_DURATION + # valueFrom: + # secretKeyRef: + # name: vault-secrets-operator + # key: VAULT_TOKEN_LEASE_DURATION + # Set min/max heap here if needed with: + # javaOpts: "-Xms512m -Xmx512m" + # jenkinsOpts: "" + # If you are using the ingress definitions provided by this chart via the + # `controller.ingress` block the configured hostname will be the ingress + # hostname starting with `https://` or `http://` depending on the `tls` + # configuration. + # The Protocol can be overwritten by specifying + # `controller.jenkinsUrlProtocol`. + # jenkinsUrlProtocol: "https" + # If you are not using the provided ingress you can specify + # `controller.jenkinsUrl` to change the url definition. + # jenkinsUrl: "" + # If you set this prefix and use ingress controller then you might want to set + # the ingress path below + # jenkinsUriPrefix: "/jenkins" + # Enable pod security context (must be `true` if podSecurityContextOverride, + # runAsUser or fsGroup are set) + usePodSecurityContext: true + # Note that `runAsUser`, `fsGroup`, and `securityContextCapabilities` are + # being deprecated and replaced by `podSecurityContextOverride`. + # Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins' which + # exists in 'jenkins/jenkins' docker image. + # When setting runAsUser to a different value than 0 also set fsGroup to the + # same value: + runAsUser: 1000 + fsGroup: 1000 + # If you have PodSecurityPolicies that require dropping of capabilities as + # suggested by CIS K8s benchmark, put them here + securityContextCapabilities: {} + # drop: + # - NET_RAW + # Completely overwrites the contents of the `securityContext`, ignoring the + # values provided for the deprecated fields: `runAsUser`, `fsGroup`, and + # `securityContextCapabilities`. 
In the case of mounting an ext4 filesystem, + # it might be desirable to use `supplementalGroups` instead of `fsGroup` in + # the `securityContext` block: https://github.com/kubernetes/kubernetes/issues/67014#issuecomment-589915496 + # podSecurityContextOverride: + # runAsUser: 1000 + # runAsNonRoot: true + # supplementalGroups: [1000] + # # capabilities: {} + # Container securityContext + containerSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + servicePort: 8080 + targetPort: 8080 + # For minikube, set this to NodePort, elsewhere use LoadBalancer + # Use ClusterIP if your setup includes ingress controller + serviceType: ClusterIP + # Use Local to preserve the client source IP and avoids a second hop for + # LoadBalancer and Nodeport type services, + # but risks potentially imbalanced traffic spreading. + serviceExternalTrafficPolicy: + # Jenkins controller service annotations + serviceAnnotations: {} + # Jenkins controller custom labels + statefulSetLabels: {} + # foo: bar + # bar: foo + # Jenkins controller service labels + serviceLabels: {} + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https + # Put labels on Jenkins controller pod + podLabels: {} + # Used to create Ingress record (should used with ServiceType: ClusterIP) + # nodePort: + # -Dcom.sun.management.jmxremote.port=4000 + # -Dcom.sun.management.jmxremote.authenticate=false + # -Dcom.sun.management.jmxremote.ssl=false + # jmxPort: 4000 + # Optionally configure other ports to expose in the controller container + extraPorts: [] + # - name: BuildInfoProxy + # port: 9000 + + # List of plugins to be install during Jenkins controller start + installPlugins: + - kubernetes:4147.va_d406fb_66172 + - workflow-aggregator:596.v8c21c963d92d + - job-dsl:1.87 + - blueocean:1.27.9 + - configuration-as-code:1738.v2d8b_a_b_8a_54b_1 + - matrix-auth:3.1.9 + - hashicorp-vault-plugin:364.vf5d54b_3dc313 + + # Set to false to download 
the minimum required version of all dependencies. + installLatestPlugins: false + + # Set to true to download latest dependencies of any plugin that is requested to have the latest version. + installLatestSpecifiedPlugins: true + + # List of plugins to install in addition to those listed in controller.installPlugins + additionalPlugins: + #- ace-editor:1.1 + - antisamy-markup-formatter:162.v0e6ec0fcfcf6 + - apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 + #depreciated - async-http-client:1.9.40.0 + - authentication-tokens:1.53.v1c90fd9191a_b_ + - blueocean-autofavorite:1.2.5 + - blueocean-bitbucket-pipeline:1.27.9 + - blueocean-commons:1.27.9 + - blueocean-config:1.27.9 + - blueocean-core-js:1.27.9 + - blueocean-dashboard:1.27.9 + - blueocean-display-url:2.4.2 + - blueocean-events:1.27.9 + - blueocean-github-pipeline:1.27.9 + - blueocean-git-pipeline:1.27.9 + - blueocean-i18n:1.27.9 + - blueocean-jwt:1.27.9 + - blueocean-personalization:1.27.9 + - blueocean-pipeline-api-impl:1.27.9 + - blueocean-pipeline-editor:1.27.9 + - blueocean-pipeline-scm-api:1.27.9 + - blueocean-rest:1.27.9 + - blueocean-rest-impl:1.27.9 + - blueocean-web:1.27.9 + - bootstrap5-api:5.3.2-3 + - bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9 + - branch-api:2.1135.v8de8e7899051 + - build-timeout:1.32 + - build-user-vars-plugin:1.9 + - caffeine-api:3.1.8-133.v17b_1ff2e0599 + - checks-api:2.0.2 + - cloudbees-bitbucket-branch-source:856.v04c46c86f911 + - cloudbees-folder:6.858.v898218f3609d + - command-launcher:107.v773860566e2e + - commons-lang3-api:3.13.0-62.v7d18e55f51e2 + - commons-text-api:1.11.0-94.v3e1f4a_926e49 + - copyartifact:722.v0662a_9b_e22a_c + - credentials:1309.v8835d63eb_d8a_ + - credentials-binding:642.v737c34dea_6c2 + - data-tables-api:1.13.8-1 + - display-url-api:2.200.vb_9327d658781 + - docker-commons:439.va_3cb_0a_6a_fb_29 + - dockerhub-notification:2.7.1 + - docker-workflow:572.v950f58993843 + - durable-task:523.va_a_22cf15d5e0 + - echarts-api:5.4.3-1 + - 
envinject:2.908.v66a_774b_31d93 + - envinject-api:1.199.v3ce31253ed13 + - external-monitor-job:215.v2e88e894db_f8 + - favorite:2.4.3 + - font-awesome-api:6.4.2-1 + - git:5.2.1 + - git-client:4.5.0 + - github:1.37.3.1 + - github-api:1.316-451.v15738eef3414 + - github-branch-source:1751.v90e17c48a_6a_c + - github-oauth:597.ve0c3480fcb_d0 + - git-server:99.va_0826a_b_cdfa_d + #depreciated - greenballs:1.15.1 + - groovy:457.v99900cb_85593 + #depreciated - handlebars:3.0.8 + - handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 + - htmlpublisher:1.32 + #depreciated - icon-shim:3.0.0 + - instance-identity:185.v303dc7c645f9 + - ionicons-api:56.v1b_1c8c49374e + - jackson2-api:2.15.3-372.v309620682326 + - jakarta-activation-api:2.0.1-3 + - jakarta-mail-api:2.0.1-3 + - javadoc:243.vb_b_503b_b_45537 + - javax-activation-api:1.2.0-6 + - javax-mail-api:1.6.2-9 + - jaxb:2.3.9-1 + - jdk-tool:73.vddf737284550 + - jenkins-design-language:1.27.9 + - jersey2-api:2.41-133.va_03323b_a_1396 + - jira:3.11 + - jjwt-api:0.11.5-77.v646c772fddb_0 + - jquery:1.12.4-1 + #depreciated - jquery-detached:1.2.1 + - jquery3-api:3.7.1-1 + - jsch:0.2.8-65.v052c39de79b_2 + - junit:1240.vf9529b_881428 + - kubernetes-client-api:6.8.1-224.vd388fca_4db_3b_ + - kubernetes-credentials:0.11 + - lockable-resources:1185.v0c528656ce04 + - log-parser:2.3.1 + - mailer:463.vedf8358e006b_ + - matrix-project:818.v7eb_e657db_924 + - mercurial:1260.vdfb_723cdcc81 + - mina-sshd-api-common:2.11.0-86.v836f585d47fa_ + - mina-sshd-api-core:2.11.0-86.v836f585d47fa_ + - metrics:4.2.18-442.v02e107157925 + #depreciated - momentjs:1.1.1 + #depreciated - need alternative? 
- multiple-scms:0.8 + - nodelabelparameter:1.12.0 + - okhttp-api:4.11.0-157.v6852a_a_fa_ec11 + - parameterized-trigger:787.v665fcf2a_830b_ + - pipeline-build-step:516.v8ee60a_81c5b_9 + - pipeline-graph-analysis:202.va_d268e64deb_3 + - pipeline-groovy-lib:689.veec561a_dee13 + - pipeline-input-step:477.v339683a_8d55e + - pipeline-milestone-step:111.v449306f708b_7 + - pipeline-model-api:2.2151.ve32c9d209a_3f + #depreciated - pipeline-model-declarative-agent:1.1.1 + - pipeline-model-definition:2.2151.ve32c9d209a_3f + - pipeline-model-extensions:2.2151.ve32c9d209a_3f + - pipeline-rest-api:2.34 + - pipeline-stage-step:305.ve96d0205c1c6 + - pipeline-stage-tags-metadata:2.2151.ve32c9d209a_3f + - pipeline-stage-view:2.34 + - pipeline-utility-steps:2.16.0 + - plain-credentials:143.v1b_df8b_d3b_e48 + - plugin-util-api:3.6.0 + - popper2-api:2.11.6-4 #depreciated but needed for bootstrap5-api + - postbuildscript:3.2.0-550.v88192b_d3e922 + - pubsub-light:1.18 + - purge-build-queue-plugin:88.v23b_97b_f2c7a_d + - rebuild:330.v645b_7df10e2a_ + - run-condition:1.7 + - saferestart:0.7 + - scm-api:683.vb_16722fb_b_80b_ + - script-security:1281.v22fb_899df1a_e + - snakeyaml-api:2.2-111.vc6598e30cc65 + - sse-gateway:1.26 + - ssh-agent:346.vda_a_c4f2c8e50 + - ssh-credentials:308.ve4497b_ccd8f4 + - sshd:3.312.v1c601b_c83b_0e + - ssh-slaves:1.29.4 + - structs:325.vcb_307d2a_2782 + - swarm:3.41 + - token-macro:384.vf35b_f26814ec + - trilead-api:2.84.v72119de229b_7 + - variant:60.v7290fc0eb_b_cd + #depreciated - windows-slaves:1.8.1 need to find alternative? 
+ - workflow-api:1283.v99c10937efcb_ + - workflow-basic-steps:1042.ve7b_140c4a_e0c + - workflow-cps:3806.va_3a_6988277b_2 + #depreciated - workflow-cps-global-lib:609.vd95673f149b_b + - workflow-durable-task-step:1289.v4d3e7b_01546b_ + - workflow-job:1360.vc6700e3136f5 + - workflow-multibranch:756.v891d88f2cd46 + - workflow-scm-step:415.v434365564324 + - workflow-step-api:639.v6eca_cd8c04a_a_ + - workflow-support:865.v43e78cc44e0d + + # Enable to initialize the Jenkins controller only once on initial installation. + # Without this, whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates which has the potential to cause breakage. + # Note that for this to work, `persistence.enabled` needs to be set to `true` + initializeOnce: false + + # Enable to always override the installed plugins with the values of 'controller.installPlugins' on upgrade or redeployment. + # overwritePlugins: true + + # Configures if plugins bundled with `controller.image` should be overwritten with the values of 'controller.installPlugins' on upgrade or redeployment. + overwritePluginsFromImage: true + + # Configures the restrictions for naming projects. Set this key to null or empty to skip it in the default config. + projectNamingStrategy: standard + + # Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter), useful with ghprb plugin. + # The plugin is not installed by default, please update controller.installPlugins. + enableRawHtmlMarkupFormatter: false + # Used to approve a list of groovy functions in pipelines used the script-security plugin. 
Can be viewed under /scriptApproval + scriptApproval: + - "method java.nio.file.Path getFileName" + - "method groovy.json.JsonBuilder toPrettyString" + - "method groovy.json.JsonSlurperClassic parseText java.lang.String" + - "method groovy.lang.GString getBytes" + - "method hudson.model.Actionable getAction java.lang.Class" + - "method hudson.model.Cause$UserIdCause getUserId" + - "method hudson.model.CauseAction getShortDescription" + - "method hudson.model.Run getCause java.lang.Class" + - "method hudson.model.Run getDurationString" + - "method java.lang.StackTraceElement getMethodName" + - "method java.lang.Throwable getStackTrace" + - "method java.net.HttpURLConnection getResponseCode" + - "method java.net.HttpURLConnection setRequestMethod java.lang.String" + - "method java.net.URL openConnection" + - "method java.net.URLConnection getInputStream" + - "method java.net.URLConnection getOutputStream" + - "method java.net.URLConnection setDoOutput boolean" + - "method java.net.URLConnection setRequestProperty java.lang.String java.lang.String" + - "method java.nio.file.Path relativize java.nio.file.Path" + - "method java.security.MessageDigest digest" + - "method java.security.MessageDigest update byte[]" + - "method java.time.format.DateTimeFormatter format java.time.temporal.TemporalAccessor" + - "method java.time.format.DateTimeFormatter withZone java.time.ZoneId" + - "method org.jenkinsci.plugins.workflow.support.steps.build.RunWrapper build" + - "new groovy.json.JsonBuilder java.lang.Object" + - "new groovy.json.JsonSlurperClassic" + - "new java.lang.Throwable" + - "staticMethod java.lang.Thread sleep long" + - "staticMethod java.net.URLEncoder encode java.lang.String" + - "staticMethod java.nio.file.Path of java.lang.String java.lang.String[]" + - "staticMethod java.security.MessageDigest getInstance java.lang.String" + - "staticMethod java.time.Instant now" + - "staticMethod java.time.Instant ofEpochMilli long" + - "staticMethod java.time.LocalDate now 
java.time.ZoneId" + - "staticMethod java.time.ZoneId of java.lang.String" + - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getText java.io.InputStream" + - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getText java.net.URL" + - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods isDigit java.lang.Character" + - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods leftShift java.io.OutputStream java.lang.Object" + - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tr java.lang.String java.lang.String java.lang.String" + - "staticMethod org.codehaus.groovy.runtime.EncodingGroovyMethods encodeBase64 byte[]" + - "staticMethod org.codehaus.groovy.runtime.EncodingGroovyMethods encodeHex byte[]" + - "staticMethod org.codehaus.groovy.runtime.StackTraceUtils sanitize java.lang.Throwable" + - "method java.net.URL openConnection" + # List of groovy init scripts to be executed during Jenkins controller start + initScripts: {} + # - | + # print 'adding global pipeline libraries, register properties, bootstrap jobs...' + + # 'name' is a name of an existing secret in same namespace as jenkins, + # 'keyName' is the name of one of the keys inside current secret. + # the 'name' and 'keyName' are concatenated with a '-' in between, so for example: + # an existing secret "secret-credentials" and a key inside it named "github-password" should be used in Jcasc as ${secret-credentials-github-password} + # 'name' and 'keyName' must be lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', + # and must start and end with an alphanumeric character (e.g. 
'my-name', or '123-abc') + additionalExistingSecrets: [] + # - name: github-oauth + # keyName: client-id + # - name: github-oauth + # keyName: client-secret + + additionalSecrets: [] + # - name: nameOfSecret + # value: secretText + + # Generate SecretClaim resources in order to create Kubernetes secrets from HashiCorp Vault using kube-vault-controller. + # 'name' is name of the secret that will be created in Kubernetes. The Jenkins fullname is prepended to this value. + # 'path' is the fully qualified path to the secret in Vault + # 'type' is an optional Kubernetes secret type. Defaults to 'Opaque' + # 'renew' is an optional secret renewal time in seconds + secretClaims: [] + # - name: secretName # required + # path: testPath # required + # type: kubernetes.io/tls # optional + # renew: 60 # optional + + # Name of default cloud configuration. + cloudName: "kubernetes" + + # Below is the implementation of Jenkins Configuration as Code. Add a key under configScripts for each configuration area, + # where each corresponds to a plugin or section of the UI. Each key (prior to | character) is just a label, and can be any value. + # Keys are only used to give the section a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label + # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in + # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each | + # become the content of the configuration yaml file. The first line after this is a JCasC root element, eg jenkins, credentials, + # etc. Best reference is https:///configuration-as-code/reference. 
+ JCasC: + defaultConfig: true + # Ignored if securityRealm is defined in controller.JCasC.configScripts + securityRealm: |- + #local: + # allowsSignup: false + # enableCaptcha: false + # users: + # - id: "${chart-admin-username}" + # name: "Jenkins Admin" + # password: "${chart-admin-password}" + github: + githubWebUri: "https://github.com" + githubApiUri: "https://api.github.com" + clientID: "${secret/rubin/rubin-jenkins-control/github-oauth/client-id}" + clientSecret: "${secret/rubin/rubin-jenkins-control/github-oauth/client-secret}" + oauthScopes: "read:org" + # Uses matrix-auth plugin to configure user and group permissions + authorizationStrategy: |- + globalMatrix: + permissions: + - "USER:Agent/Connect:sqre-user" + - "USER:Agent/Create:sqre-user" + - "GROUP:Job/Build:lsst*data-management" + - "GROUP:Job/Build:lsst-dm*data-management" + - "GROUP:Job/Build:lsst*simulations" + - "GROUP:Job/Build:lsst-sqre*friends" + - "GROUP:Job/Cancel:lsst*data-management" + - "GROUP:Job/Cancel:lsst-dm*data-management" + - "GROUP:Job/Cancel:lsst*simulations" + - "GROUP:Job/Cancel:lsst-sqre*friends" + - "GROUP:Job/Discover:lsst*data-management" + - "GROUP:Job/Discover:lsst-dm*data-management" + - "GROUP:Job/Discover:lsst*simulations" + - "GROUP:Job/Discover:lsst-sqre*friends" + - "GROUP:Job/Read:lsst*data-management" + - "GROUP:Job/Read:lsst-dm*data-management" + - "GROUP:Job/Read:lsst*simulations" + - "GROUP:Job/Read:lsst-sqre*friends" + - "USER:Overall/Administer:admin" + - "USER:Overall/Administer:aragilar" + - "USER:Overall/Administer:frossie" + - "USER:Overall/Administer:jhoblitt" + - "USER:Overall/Administer:ktlim" + - "USER:Overall/Administer:aranabhat" + - "GROUP:Overall/Administer:lsst-sqre*leeroy-wranglers" + - "GROUP:Overall/Administer:lsst-sqre*square" + - "USER:Overall/Administer:mwittgen" + - "USER:Overall/Administer:yee379" + - "GROUP:Overall/Read:lsst*data-management" + - "GROUP:Overall/Read:lsst-dm*data-management" + - "GROUP:Overall/Read:lsst*simulations" + - 
"GROUP:Overall/Read:lsst-sqre*friends" + + configScripts: + welcome-message: | + jenkins: + systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'. + + systemCredentials: |- + credentials: + system: + domainCredentials: + - credentials: + - string: + description: "name of conda channel bucket" + id: "cmirror-s3-bucket" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/cmirror-s3-bucket}" + - string: + description: "name of doxygen s3 bucket" + id: "doxygen-push-bucket" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/doxygen-push-bucket}" + - string: + description: "URL of doxygen site" + id: "doxygen-url" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/doxygen-url}" + - string: + description: "name of EUPS backup s3 bucket" + id: "eups-backup-bucket" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/eups-backup-bucket}" + - string: + description: "name of EUPS s3 bucket" + id: "eups-push-bucket" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/eups-push-bucket}" + - string: + description: "URL of eups site" + id: "eups-url" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/eups-url}" + - string: + description: "Name of Jenkins deployment" + id: "jenkins-env" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/jenkins-env}" + - string: + description: "Default slack channel" + id: "slack-default-channel" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/slack-default-channel}" + - string: + description: "Prefix for generated slack channels" + id: "slack-channel-prefix" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/slack-channel-prefix}" + - usernamePassword: + description: "jenkins master snapshot AWS credentials" + id: "aws-jenkins-master-snapshot" + password: "${secret/rubin/rubin-jenkins-control/aws-jenkins-master-snapshot/password}" 
+ scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/aws-jenkins-master-snapshot/username}" + - usernamePassword: + description: "push EUPS packages -> s3" + id: "aws-eups-push" + password: "${secret/rubin/rubin-jenkins-control/aws-eups-push/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/aws-eups-push/username}" + - usernamePassword: + description: "backup EUPS s3 bucket -> s3 bucket" + id: "aws-eups-backup" + password: "${secret/rubin/rubin-jenkins-control/aws-eups-backup/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/aws-eups-backup/username}" + - usernamePassword: + description: "manage eups distrib tags in s3 bucket" + id: "aws-eups-tag-admin" + password: "${secret/rubin/rubin-jenkins-control/aws-eups-tag-admin/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/aws-eups-tag-admin/username}" + - usernamePassword: + description: "push doxygen builds -> s3" + id: "aws-doxygen-push" + password: "${secret/rubin/rubin-jenkins-control/aws-doxygen-push/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/aws-doxygen-push/username}" + - string: + description: "slack lsstc org API token" + id: "slack-lsstc-token" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/slack-lsstc-token/token}" + - usernamePassword: + description: "api.lsst.codes/ghslacker" + id: "ghslacker" + password: "${secret/rubin/rubin-jenkins-control/ghslacker/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/ghslacker/username}" + - string: + description: "github API personal access token (sqreadmin)" + id: "github-api-token-sqreadmin" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/github-api-token-sqreadmin/token}" + - basicSSHUserPrivateKey: + description: "github lsst/versiondb deploy key" + id: "github-jenkins-versiondb" + privateKeySource: + directEntry: + privateKey: 
"${secret/rubin/rubin-jenkins-control/github-jenkins-versiondb/private_key}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/github-jenkins-versiondb/username}" + - basicSSHUserPrivateKey: + description: "SQRE OSX build agents" + id: "sqre-osx" + privateKeySource: + directEntry: + privateKey: "${secret/rubin/rubin-jenkins-control/sqre-osx/private_key}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/sqre-osx/username}" + - usernamePassword: + description: "push conda packages -> s3" + id: "aws-cmirror-push" + password: "${secret/rubin/rubin-jenkins-control/aws-cmirror-push/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/aws-cmirror-push/username}" + - usernamePassword: + description: "github_backup AWS credentials" + id: "github_backup" + password: "${secret/rubin/rubin-jenkins-control/github_backup/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/github_backup/username}" + - usernamePassword: + description: "user/pass for Squash API endpoint" + id: "squash-api-user" + password: "${secret/rubin/rubin-jenkins-control/squash-api-user/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/squash-api-user/username}" + - usernamePassword: + description: "dockerhub - sqreadmin" + id: "dockerhub-sqreadmin" + password: "${secret/rubin/rubin-jenkins-control/dockerhub-sqreadmin/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/dockerhub-sqreadmin/username}" + - usernamePassword: + description: "ltd-mason" + id: "ltd-mason-aws" + password: "${secret/rubin/rubin-jenkins-control/ltd-mason-aws/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/ltd-mason-aws/username}" + - usernamePassword: + description: "ltd-keeper" + id: "ltd-keeper" + password: "${secret/rubin/rubin-jenkins-control/ltd-keeper/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/ltd-keeper/username}" + - usernamePassword: 
+ description: "Google Archive Registry service account" + id: "google_archive_registry_sa" + password: "${secret/rubin/rubin-jenkins-control/google_archive_registry_sa/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/google_archive_registry_sa/username}" + + add-seed-job: | + jobs: + - url: https://raw.githubusercontent.com/lsst-dm/jenkins-dm-jobs/main/seeds/sqre/seed-jobs.groovy + security: + globaljobdslsecurityconfiguration: + useScriptSecurity: false + # Connects mac agents to jenkins controller + permanent-nodes: | + jenkins: + nodes: + - permanent: + labelString: "osx-12" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac1.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac1" + numExecutors: 1 + remoteFS: "/Users/square/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-12" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac2.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac2" + numExecutors: 1 + remoteFS: "/Users/square/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac3.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac3" + numExecutors: 1 + remoteFS: "/Users/square/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac4.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + 
sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac4" + numExecutors: 1 + remoteFS: "/Users/square/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac5.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac5" + numExecutors: 1 + remoteFS: "/Users/square/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac6.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac6" + numExecutors: 1 + remoteFS: "/Users/square/j" + retentionStrategy: "always" + # Optionally specify additional init-containers + customInitContainers: [] + + sidecars: + configAutoReload: + # If enabled: true, Jenkins Configuration as Code will be reloaded on-the-fly without a reboot. If false or not-specified, + # jcasc changes will cause a reboot and will only be applied at the subsequent start-up. Auto-reload uses the + # http:///reload-configuration-as-code endpoint to reapply config when changes to the configScripts are detected. + enabled: false + image: + registry: docker.io + repository: kiwigrid/k8s-sidecar + tag: 1.26.1 + imagePullPolicy: IfNotPresent + resources: + {} + # limits: + # cpu: 100m + # memory: 100Mi + # requests: + # cpu: 50m + # memory: 50Mi + # How many connection-related errors to retry on + reqRetryConnect: 10 + # env: + # - name: REQ_TIMEOUT + # value: "30" + # SSH port value can be set to any unused TCP port. The default, 1044, is a non-standard SSH port that has been chosen at random. 
+ # Is only used to reload jcasc config from the sidecar container running in the Jenkins controller pod. + # This TCP port will not be open in the pod (unless you specifically configure this), so Jenkins will not be + # accessible via SSH from outside of the pod. Note if you use non-root pod privileges (runAsUser & fsGroup), + # this must be > 1024: + sshTcpPort: 1044 + # folder in the pod that should hold the collected dashboards: + folder: "/var/jenkins_home/casc_configs" + # If specified, the sidecar will search for JCasC config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces: + # searchNamespace: + containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + + # Allows you to inject additional/other sidecars + other: [] + ## The example below runs the client for https://smee.io as sidecar container next to Jenkins, + ## that allows to trigger build behind a secure firewall. + ## https://jenkins.io/blog/2019/01/07/webhook-firewalls/#triggering-builds-with-webhooks-behind-a-secure-firewall + ## + ## Note: To use it you should go to https://smee.io/new and update the url to the generete one. 
+ # - name: smee
+ # image: docker.io/twalter/smee-client:1.0.2
+ # args: ["--port", "{{ .Values.controller.servicePort }}", "--path", "/github-webhook/", "--url", "https://smee.io/new"]
+ # resources:
+ # limits:
+ # cpu: 50m
+ # memory: 128Mi
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+ # Name of the Kubernetes scheduler to use
+ schedulerName: ""
+ # Node labels and tolerations for pod assignment
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+ nodeSelector: {}
+
+ terminationGracePeriodSeconds:
+
+ terminationMessagePath:
+ terminationMessagePolicy:
+
+ tolerations: []
+
+ affinity: {}
+ # Leverage a priorityClass to ensure your pods survive resource shortages
+ # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+ priorityClassName:
+
+ podAnnotations: {}
+ # Add StatefulSet annotations
+ statefulSetAnnotations: {}
+
+ # StatefulSet updateStrategy
+ # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+ updateStrategy: {}
+
+ ingress:
+ enabled: true
+ # Override for the default paths that map requests to the backend
+ paths: []
+ # - backend:
+ # serviceName: ssl-redirect
+ # servicePort: use-annotation
+ # - backend:
+ # serviceName: >-
+ # {{ template "jenkins.fullname" . }}
+ # # Don't use string here, use only integer value!
+ # servicePort: 8080
+ # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1'
+ # For Kubernetes v1.19+, use 'networking.k8s.io/v1'
+ apiVersion: "networking.k8s.io/v1"
+ labels: {}
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
+ # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
+ # ingressClassName: nginx
+ # Set this path to jenkinsUriPrefix above or use annotations to rewrite path
+ # path: "/jenkins"
+ # configures the hostname e.g. jenkins.example.com
+ #hostName: jenkins26.lsst.test
+ hostName: rubin-ci.slac.stanford.edu
+ tls:
+ # - secretName: jenkins.cluster.local
+ # hosts:
+ # - jenkins.cluster.local
+
+ # often you want to have your controller all locked down and private
+ # but you still want to get webhooks from your SCM
+ # A secondary ingress will let you expose different urls
+ # with a differnt configuration
+ secondaryingress:
+ enabled: false
+ # paths you want forwarded to the backend
+ # ex /github-webhook
+ paths: []
+ # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1'
+ # For Kubernetes v1.19+, use 'networking.k8s.io/v1'
+ apiVersion: "extensions/v1beta1"
+ labels: {}
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
+ # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
+ # ingressClassName: nginx
+ # configures the hostname e.g. jenkins-external.example.com
+ hostName:
+ tls:
+ # - secretName: jenkins-external.example.com
+ # hosts:
+ # - jenkins-external.example.com
+
+ # If you're running on GKE and need to configure a backendconfig
+ # to finish ingress setup, use the following values.
+ # Docs: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig
+ backendconfig:
+ enabled: false
+ apiVersion: "extensions/v1beta1"
+ name:
+ labels: {}
+ annotations: {}
+ spec: {}
+
+ # Openshift route
+ route:
+ enabled: false
+ labels: {}
+ annotations: {}
+ # path: "/jenkins"
+
+ # controller.hostAliases allows for adding entries to Pod /etc/hosts:
+ # https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ hostAliases: []
+ # - ip: 192.168.50.50
+ # hostnames:
+ # - something.local
+ # - ip: 10.0.50.50
+ # hostnames:
+ # - other.local
+
+ # Expose Prometheus metrics
+ prometheus:
+ # If enabled, add the prometheus plugin to the list of plugins to install
+ # https://plugins.jenkins.io/prometheus
+ enabled: false
+ # Additional labels to add to the ServiceMonitor object
+ serviceMonitorAdditionalLabels: {}
+ # Set a custom namespace where to deploy ServiceMonitor resource
+ # serviceMonitorNamespace: monitoring
+ scrapeInterval: 60s
+ # This is the default endpoint used by the prometheus plugin
+ scrapeEndpoint: /prometheus
+ # Additional labels to add to the PrometheusRule object
+ alertingRulesAdditionalLabels: {}
+ # An array of prometheus alerting rules
+ # See here: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/
+ # The `groups` root object is added by default, simply add the rule entries
+ alertingrules: []
+ # Set a custom namespace where to deploy PrometheusRule resource
+ prometheusRuleNamespace: ""
+
+ # Can be used to disable rendering controller test resources when using helm template
+ testEnabled: true
+
+ httpsKeyStore:
+ jenkinsHttpsJksSecretName: ""
+ enable: false
+ httpPort: 8081
+ path: "/var/jenkins_keystore"
+ fileName: "keystore.jks"
+ password: "password"
+ # Convert keystore.jks files content to base64 ( cat keystore.jks | base64 ) and put the output here
+ jenkinsKeyStoreBase64Encoded:
+agent:
+ enabled: false
+ defaultsProviderTemplate: ""
+ # URL for connecting to the Jenkins contoller
+ jenkinsUrl:
+ # connect to the specified host and port, instead of connecting directly to the Jenkins controller
+ jenkinsTunnel:
+ kubernetesConnectTimeout: 5
+ kubernetesReadTimeout: 15
+ maxRequestsPerHostStr: "32"
+ namespace:
+ image:
+ repository: "jenkins/inbound-agent"
+ tag: "4.11.2-4"
+ workingDir: "/home/jenkins/agent"
+ nodeUsageMode: "NORMAL"
+ customJenkinsLabels: []
+ # name of the secret to be used for image pulling
+ imagePullSecretName:
+ componentName: "jenkins-agent"
+ websocket: false
+ privileged: false
+ runAsUser:
+ runAsGroup:
+ resources:
+ requests:
+ cpu: "512m"
+ memory: "512Mi"
+ limits:
+ cpu: "512m"
+ memory: "512Mi"
+ # You may want to change this to true while testing a new image
+ alwaysPullImage: false
+ # Controls how agent pods are retained after the Jenkins build completes
+ # Possible values: Always, Never, OnFailure
+ podRetention: "Never"
+ # Disable if you do not want the Yaml the agent pod template to show up
+ # in the job Console Output. This can be helpful for either security reasons
+ # or simply to clean up the output to make it easier to read.
+ showRawYaml: true
+ # You can define the volumes that you want to mount for this container
+ # Allowed types are: ConfigMap, EmptyDir, HostPath, Nfs, PVC, Secret
+ # Configure the attributes as they appear in the corresponding Java class for that type
+ # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes
+ volumes: []
+ # - type: ConfigMap
+ # configMapName: myconfigmap
+ # mountPath: /var/myapp/myconfigmap
+ # - type: EmptyDir
+ # mountPath: /var/myapp/myemptydir
+ # memory: false
+ # - type: HostPath
+ # hostPath: /var/lib/containers
+ # mountPath: /var/myapp/myhostpath
+ # - type: Nfs
+ # mountPath: /var/myapp/mynfs
+ # readOnly: false
+ # serverAddress: "192.0.2.0"
+ # serverPath: /var/lib/containers
+ # - type: PVC
+ # claimName: mypvc
+ # mountPath: /var/myapp/mypvc
+ # readOnly: false
+ # - type: Secret
+ # defaultMode: "600"
+ # mountPath: /var/myapp/mysecret
+ # secretName: mysecret
+ # Pod-wide environment, these vars are visible to any container in the agent pod
+
+ # You can define the workspaceVolume that you want to mount for this container
+ # Allowed types are: DynamicPVC, EmptyDir, HostPath, Nfs, PVC
+ # Configure the attributes as they appear in the corresponding Java class for that type
+ # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes/workspace
+ workspaceVolume: {}
+ ## DynamicPVC example
+ # type: DynamicPVC
+ # configMapName: myconfigmap
+ ## EmptyDir example
+ # type: EmptyDir
+ # memory: false
+ ## HostPath example
+ # type: HostPath
+ # hostPath: /var/lib/containers
+ ## NFS example
+ # type: Nfs
+ # readOnly: false
+ # serverAddress: "192.0.2.0"
+ # serverPath: /var/lib/containers
+ ## PVC example
+ # type: PVC
+ # claimName: mypvc
+ # readOnly: false
+ #
+ # Pod-wide environment, these vars are visible to any container in the agent pod
+ envVars: []
+ # - name: PATH
+ # value: /usr/local/bin
+ nodeSelector: {}
+ # Key Value selectors. Ex:
+ # jenkins-agent: v1
+
+ # Executed command when side container gets started
+ command:
+ args: "${computer.jnlpmac} ${computer.name}"
+ # Side container name
+ sideContainerName: "jnlp"
+ # Doesn't allocate pseudo TTY by default
+ TTYEnabled: false
+ # Max number of spawned agent
+ containerCap: 10
+ # Pod name
+ podName: "default"
+ # Allows the Pod to remain active for reuse until the configured number of
+ # minutes has passed since the last step was executed on it.
+ idleMinutes: 0
+ # Raw yaml template for the Pod. For example this allows usage of toleration for agent pods.
+ # https://github.com/jenkinsci/kubernetes-plugin#using-yaml-to-define-pod-templates
+ # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ yamlTemplate: ""
+ # yamlTemplate: |-
+ # apiVersion: v1
+ # kind: Pod
+ # spec:
+ # tolerations:
+ # - key: "key"
+ # operator: "Equal"
+ # value: "value"
+ # Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates: merge or override
+ yamlMergeStrategy: "override"
+ # Timeout in seconds for an agent to be online
+ connectTimeout: 100
+ # Annotations to apply to the pod.
+ annotations: {}
+
+ # Disable the default Jenkins Agent configuration.
+ # Useful when configuring agents only with the podTemplates value, since the default podTemplate populated by values mentioned above will be excluded in the rendered template.
+ disableDefaultAgent: false
+
+ # Below is the implementation of custom pod templates for the default configured kubernetes cloud.
+ # Add a key under podTemplates for each pod template. Each key (prior to | character) is just a label, and can be any value.
+ # Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label
+ # characters: lowercase letters, numbers, and hyphens. Each pod template can contain multiple containers.
+ # For this pod templates configuration to be loaded the following values must be set:
+ # controller.JCasC.defaultConfig: true
+ # Best reference is https:///configuration-as-code/reference#Cloud-kubernetes. The example below creates a python pod template.
+ podTemplates: {}
+ # python: |
+ # - name: python
+ # label: jenkins-python
+ # serviceAccount: jenkins
+ # containers:
+ # - name: python
+ # image: python:3
+ # command: "/bin/sh -c"
+ # args: "cat"
+ # ttyEnabled: true
+ # privileged: true
+ # resourceRequestCpu: "400m"
+ # resourceRequestMemory: "512Mi"
+ # resourceLimitCpu: "1"
+ # resourceLimitMemory: "1024Mi"
+
+# Here you can add additional agents
+# They inherit all values from `agent` so you only need to specify values which differ
+additionalAgents: {}
+# maven:
+# podName: maven
+# customJenkinsLabels: maven
+# # An example of overriding the jnlp container
+# # sideContainerName: jnlp
+# image: jenkins/jnlp-agent-maven
+# tag: latest
+# python:
+# podName: python
+# customJenkinsLabels: python
+# sideContainerName: python
+# image: python
+# tag: "3"
+# command: "/bin/sh -c"
+# args: "cat"
+# TTYEnabled: true
+
+persistence:
+ enabled: true
+ ## A manually managed Persistent Volume and Claim
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ existingClaim:
+ ## jenkins data Persistent Volume Storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ storageClass:
+ annotations: {}
+ labels: {}
+ accessMode: "ReadWriteOnce"
+ size: "800Gi"
+ volumes:
+ # - name: nothing
+ # emptyDir: {}
+ mounts:
+ # - mountPath: /var/nothing
+ # name: nothing
+ # readOnly: true
+
+networkPolicy:
+ # Enable creation of NetworkPolicy resources.
+ enabled: false
+ # For Kubernetes v1.4, v1.5 and v1.6, use 'extensions/v1beta1'
+ # For Kubernetes v1.7, use 'networking.k8s.io/v1'
+ apiVersion: networking.k8s.io/v1
+ # You can allow agents to connect from both within the cluster (from within specific/all namespaces) AND/OR from a given external IP range
+ internalAgents:
+ allowed: true
+ podLabels: {}
+ namespaceLabels:
+ {}
+ # project: myproject
+ externalAgents: {}
+ # ipCIDR: 172.17.0.0/16
+ # except:
+ # - 172.17.1.0/24
+
+## Install Default RBAC roles and bindings
+rbac:
+ create: true
+ readSecrets: false
+
+serviceAccount:
+ create: true
+ # The name of the service account is autogenerated by default
+ name:
+ annotations: {}
+ imagePullSecretName:
+
+serviceAccountAgent:
+ # Specifies whether a ServiceAccount should be created
+ create: false
+ # The name of the ServiceAccount to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name:
+ annotations: {}
+ imagePullSecretName:
+
+## Backup cronjob configuration
+## Ref: https://github.com/maorfr/kube-tasks
+
+checkDeprecation: true
+
+awsSecurityGroupPolicies:
+ enabled: false
+ policies:
+ - name: ""
+ securityGroupIds: []
+ podSelector: {}
+...