2.277.1.7-ra

Dockerfile

@@ -41,9 +41,9 @@ ENTRYPOINT ["tini", "--", "/usr/local/bin/launch.sh"]
 HEALTHCHECK --interval=5m --timeout=3s \
   CMD curl -fsL ${JENKINS_URL}/login || exit 1
 
-# LABEL securitytxt="https://www.cloudbees.com/.well-known/security.txt"
-# LABEL release=69f7102311718b7e0fbed31edb877f1352ca5cf1
-# LABEL version=2.263.2.4-ra
+# L-A-B-E-L securitytxt="https://www.cloudbees.com/.well-known/security.txt"
+# L-A-B-E-L release=d7a5eee17fd68064fb4268ca23a591bdc00af60b
+# L-A-B-E-L version=2.277.1.7-ra
 
 COPY files.tar /tmp
 RUN cd / && tar xvf /tmp/files.tar && rm /tmp/files.tar
@@ -65,7 +65,7 @@ ENV VOLUME_SERVICE=http://localhost:31080
 ENV TENANT=cjoc
 ENV JENKINS_VARIANT=cjoc
 
-# LABEL name="CloudBees CI Operation Center"
-# LABEL vendor="CloudBees, Inc."
-# LABEL summary="CloudBees CI is the continuous delivery platform architected for the enterprise"
-# LABEL description="This container image will deploy one instance of CloudBees CI Operations Center."
+# L-A-B-E-L name="CloudBees CI Operation Center"
+# L-A-B-E-L vendor="CloudBees, Inc."
+# L-A-B-E-L summary="CloudBees CI is the continuous delivery platform architected for the enterprise"
+# L-A-B-E-L description="This container image will deploy one instance of CloudBees CI Operations Center."

README.md

 # CloudBees CI setup
 
-## Approved with Conditions:
+## Approved with Conditions
 Must run behind CNAP or VPN (no internet facing).
 
 CloudBees CI (formerly known as _CloudBees Core_) consists of three Docker images installed via Helm chart:
@@ -12,7 +12,7 @@ CloudBees CI (formerly known as _CloudBees Core_) consists of three Docker image
 For each image, all files other than UBI and native packages
 are included in a `files.tar` marked with a SHA-256 checksum.
 
-A version of CloudBees CI is given in the format `2.263.2.4-ra`
+A version of CloudBees CI is given in the format `2.277.1.7-ra`
 where the first three components are aligned with a Jenkins LTS.
 The Helm chart is coversioned with `core-oc`.
 The `core-mm` image typically shares the same version,
@@ -25,13 +25,13 @@ plus whatever other customizations are desired:
 ```yaml
 OperationsCenter:
   Image:
-    dockerImage: your-registry/core-oc:2.263.2.4-ra
+    dockerImage: your-registry/core-oc:2.277.1.7-ra
 Master:
   Image:
-    dockerImage: your-registry/core-mm:2.263.2.4-ra
+    dockerImage: your-registry/core-mm:2.277.1.7-ra
 Agents:
   Image:
-    dockerImage: your-registry/agent:2.263.2.4-ra
+    dockerImage: your-registry/agent:2.277.1.7-ra
 ```
 
 and [install via Helm 3](https://docs.cloudbees.com/docs/cloudbees-core/latest/kubernetes-install-guide/installing-kubernetes-using-helm) using the local copy of the chart:

hardening_manifest.yaml

 apiVersion: v1
-name: cloudbees/core/core-oc
+name: "cloudbees/core/core-oc"
 tags:
-- "2.263.2.4-ra"
+- "2.277.1.7-ra"
 - latest
 labels:
   org.opencontainers.image.title: "core-oc"
@@ -9,7 +9,7 @@ labels:
   org.opencontainers.image.licenses: proprietary
   org.opencontainers.image.url: https://docs.cloudbees.com/docs/cloudbees-ci/
   org.opencontainers.image.vendor: CloudBees
-  org.opencontainers.image.version: "2.263.2.4-ra"
+  org.opencontainers.image.version: "2.277.1.7-ra"
   mil.dso.ironbank.image.keywords: cicd
   mil.dso.ironbank.image.type: commercial
   mil.dso.ironbank.product.name: CloudBees CI
@@ -18,10 +18,16 @@ args:
   BASE_TAG: "1.8.0"
 resources:
 - filename: files.tar
-  url: https://downloads.cloudbees.com/dsop-files/core-oc-files-fdaeb7127afa7670743296125be0d1782e152c6ec14bca5e62ec69ef5d667901.tar
+  url: https://downloads.cloudbees.com/dsop-files/core-oc-files-5ef009a0f4b225510975a80b9a9ab9327de74ba12412d7044c9ef589f4521a3d.tar
   validation:
     type: sha256
-    value: "fdaeb7127afa7670743296125be0d1782e152c6ec14bca5e62ec69ef5d667901"
+    value: "5ef009a0f4b225510975a80b9a9ab9327de74ba12412d7044c9ef589f4521a3d"
 maintainers:
 - email: productivity-team@cloudbees.com
+  name: CloudBees
+  username: imontero
+  cht_member: false
 - email: andre.maksymowicz@centauricorp.com
+  name: Andy Maksymowicz
+  username: andymaks
+  cht_member: true

helm/Chart.yaml

+apiVersion: v2
 name: cloudbees-core
-home: https://www.cloudbees.com/products/continuous-integration
-apiVersion: v1
-appVersion: 2.263.2.3
-version: 3.25.3
+version: 3.28.1
 description: Enterprise Continuous Integration with Jenkins
-icon: https://images.ctfassets.net/vtn4rfaw6n2j/7xprMMXARXDBuVxW4y8XfV/349fff91035050e3f2a8ff37bc0615b5/cloudbees-core-logo_header.svg
 keywords:
   - cloudbees
   - jenkins
-engine: gotpl
-
+home: https://www.cloudbees.com/products/continuous-integration
+dependencies:
+  - name: nginx-ingress
+    version: 1.40.2
+    repository: https://charts.helm.sh/stable
+    condition: nginx-ingress.Enabled
+  - name: ingress-nginx
+    version: 2.15.0
+    repository: https://kubernetes.github.io/ingress-nginx
+    condition: ingress-nginx.Enabled
+  - name: cloudbees-sidecar-injector
+    version: 2.1.3
+    repository: https://charts.cloudbees.com/public/cloudbees
+    condition: sidecarinjector.Enabled
+icon: https://images.ctfassets.net/vtn4rfaw6n2j/7xprMMXARXDBuVxW4y8XfV/349fff91035050e3f2a8ff37bc0615b5/cloudbees-core-logo_header.svg
+appVersion: 2.277.1.2
+annotations:
+  artifacthub.io/links: |
+    - name: Product overview
+      url: https://www.cloudbees.com/products/continuous-integration
+    - name: Documentation
+      url: https://docs.cloudbees.com/docs/cloudbees-ci/latest/

helm/README-template.md

 # cloudbees-core
 
-![Version: 3.25.3](https://img.shields.io/badge/Version-3.25.3-informational?style=flat-square) ![AppVersion: 2.263.2.3](https://img.shields.io/badge/AppVersion-2.263.2.3-informational?style=flat-square)
+![Version: 3.28.1](https://img.shields.io/badge/Version-3.28.1-informational?style=flat-square) ![AppVersion: 2.277.1.2](https://img.shields.io/badge/AppVersion-2.277.1.2-informational?style=flat-square)
 
 [CloudBees CI](https://www.cloudbees.com/products/continuous-integration) is the continuous integration platform architected for the enterprise. It provides:
 
@@ -28,7 +28,7 @@ This chart bootstraps a CloudBees CI deployment on a [Kubernetes](http://kuberne
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.0 |
+| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.3 |
 | https://charts.helm.sh/stable | nginx-ingress | 1.40.2 |
 | https://kubernetes.github.io/ingress-nginx | ingress-nginx | 2.15.0 |
 
@@ -132,6 +132,11 @@ CloudBees provides complete and more detailed installation and operation documen
 | OperationsCenter.ContainerPort | int | `8080` | Container port for http traffic |
 | OperationsCenter.ContextPath | string | `"/cjoc"` | the path under which Operations Center will be accessible in the given host. |
 | OperationsCenter.Enabled | bool | `true` | Disable for particular use case like setting up namespaces to host masters only |
+| OperationsCenter.ExtraConfigMaps | list | `[]` | Extra configmaps deployed with the chart |
+| OperationsCenter.ExtraContainers | list | `[]` | Extra containers to add to the pod containing Operations Center. |
+| OperationsCenter.ExtraGroovyConfiguration | object | `{}` | Provides additional init groovy scripts Each key becomes a file in /var/jenkins_config |
+| OperationsCenter.ExtraVolumeMounts | list | `[]` | Extra volume mounts to add to the container containing Operations Center |
+| OperationsCenter.ExtraVolumes | list | `[]` | Extra volumes to add to the pod |
 | OperationsCenter.HealthProbeLivenessFailureThreshold | int | `12` | Threshold for liveness failure |
 | OperationsCenter.HealthProbes | bool | `true` | Enable Kubernetes Liveness and Readiness Probes |
 | OperationsCenter.HostName | string | `nil` | The hostname used to access Operations Center through the ingress controller. |
@@ -153,7 +158,13 @@ CloudBees provides complete and more detailed installation and operation documen
 | OperationsCenter.Resources.Limits.Memory | string | `"2G"` | Memory limit to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory |
 | OperationsCenter.Resources.Requests.Cpu | int | `1` | CPU request to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu |
 | OperationsCenter.Resources.Requests.Memory | string | `"2G"` | Memory request to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory |
-| OperationsCenter.Route.tls.Enable | bool | `false` | Set this to true in OpenShift to terminate TLS at route level |
+| OperationsCenter.Route.tls.CACertificate | string | `nil` | CA Certificate PEM-encoded |
+| OperationsCenter.Route.tls.Certificate | string | `nil` | Certificate PEM-encoded |
+| OperationsCenter.Route.tls.DestinationCACertificate | string | `nil` | When using `termination=reencrypt`, destination CA PEM-encoded |
+| OperationsCenter.Route.tls.Enable | bool | `false` | Set this to true in OpenShift to terminate TLS at route level Read https://docs.openshift.com/container-platform/4.6/networking/routes/secured-routes.html for details. These also apply to Hibernation monitor if enabled. |
+| OperationsCenter.Route.tls.InsecureEdgeTerminationPolicy | string | `"Redirect"` | Whether to redirect http to https |
+| OperationsCenter.Route.tls.Key | string | `nil` | Private key PEM-encoded |
+| OperationsCenter.Route.tls.Termination | string | `"edge"` | Type of termination |
 | OperationsCenter.ServiceAgentListenerPort | int | `50000` | Controls the service port where Operations Center TCP port for agents is exposed. Don't change this parameter unless you know what you are doing |
 | OperationsCenter.ServiceAnnotations | object | `{}` | Additional annotations to put on the Operations Center service |
 | OperationsCenter.ServicePort | int | `80` | Controls the service port where Operations Center http port is exposed. Don't change this parameter unless you know what you are doing |
@@ -166,6 +177,7 @@ CloudBees provides complete and more detailed installation and operation documen
 | PodSecurityPolicy.Annotations | object | `{}` | Additional annotations to put on the PodSecurityPolicy, e.g. AppArmor/Seccomp settings |
 | PodSecurityPolicy.Enabled | bool | `false` | Enables [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) support Enable only if the cluster supports it. |
 | ingress-nginx.Enabled | bool | `false` | Installs the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx) controller (optional). Enable this section if you don't have an existing installation of ingress-nginx controller Note: use `beta.kubernetes.io/os` when deploying on Kubernetes versions below 1.16 |
+| ingress-nginx.controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | ingress-nginx.controller.ingressClass | string | `"nginx"` |  |
 | ingress-nginx.controller.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` |  |

helm/README.md

 # cloudbees-core
 
-![Version: 3.25.3](https://img.shields.io/badge/Version-3.25.3-informational?style=flat-square) ![AppVersion: 2.263.2.3](https://img.shields.io/badge/AppVersion-2.263.2.3-informational?style=flat-square)
+![Version: 3.28.1](https://img.shields.io/badge/Version-3.28.1-informational?style=flat-square) ![AppVersion: 2.277.1.2](https://img.shields.io/badge/AppVersion-2.277.1.2-informational?style=flat-square)
 
 [CloudBees CI](https://www.cloudbees.com/products/continuous-integration) is the continuous integration platform architected for the enterprise. It provides:
 
@@ -28,7 +28,7 @@ This chart bootstraps a CloudBees CI deployment on a [Kubernetes](http://kuberne
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.0 |
+| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.3 |
 | https://charts.helm.sh/stable | nginx-ingress | 1.40.2 |
 | https://kubernetes.github.io/ingress-nginx | ingress-nginx | 2.15.0 |
 
@@ -132,6 +132,11 @@ CloudBees provides complete and more detailed installation and operation documen
 | OperationsCenter.ContainerPort | int | `8080` | Container port for http traffic |
 | OperationsCenter.ContextPath | string | `"/cjoc"` | the path under which Operations Center will be accessible in the given host. |
 | OperationsCenter.Enabled | bool | `true` | Disable for particular use case like setting up namespaces to host masters only |
+| OperationsCenter.ExtraConfigMaps | list | `[]` | Extra configmaps deployed with the chart |
+| OperationsCenter.ExtraContainers | list | `[]` | Extra containers to add to the pod containing Operations Center. |
+| OperationsCenter.ExtraGroovyConfiguration | object | `{}` | Provides additional init groovy scripts Each key becomes a file in /var/jenkins_config |
+| OperationsCenter.ExtraVolumeMounts | list | `[]` | Extra volume mounts to add to the container containing Operations Center |
+| OperationsCenter.ExtraVolumes | list | `[]` | Extra volumes to add to the pod |
 | OperationsCenter.HealthProbeLivenessFailureThreshold | int | `12` | Threshold for liveness failure |
 | OperationsCenter.HealthProbes | bool | `true` | Enable Kubernetes Liveness and Readiness Probes |
 | OperationsCenter.HostName | string | `nil` | The hostname used to access Operations Center through the ingress controller. |
@@ -153,7 +158,13 @@ CloudBees provides complete and more detailed installation and operation documen
 | OperationsCenter.Resources.Limits.Memory | string | `"2G"` | Memory limit to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory |
 | OperationsCenter.Resources.Requests.Cpu | int | `1` | CPU request to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu |
 | OperationsCenter.Resources.Requests.Memory | string | `"2G"` | Memory request to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory |
-| OperationsCenter.Route.tls.Enable | bool | `false` | Set this to true in OpenShift to terminate TLS at route level |
+| OperationsCenter.Route.tls.CACertificate | string | `nil` | CA Certificate PEM-encoded |
+| OperationsCenter.Route.tls.Certificate | string | `nil` | Certificate PEM-encoded |
+| OperationsCenter.Route.tls.DestinationCACertificate | string | `nil` | When using `termination=reencrypt`, destination CA PEM-encoded |
+| OperationsCenter.Route.tls.Enable | bool | `false` | Set this to true in OpenShift to terminate TLS at route level Read https://docs.openshift.com/container-platform/4.6/networking/routes/secured-routes.html for details. These also apply to Hibernation monitor if enabled. |
+| OperationsCenter.Route.tls.InsecureEdgeTerminationPolicy | string | `"Redirect"` | Whether to redirect http to https |
+| OperationsCenter.Route.tls.Key | string | `nil` | Private key PEM-encoded |
+| OperationsCenter.Route.tls.Termination | string | `"edge"` | Type of termination |
 | OperationsCenter.ServiceAgentListenerPort | int | `50000` | Controls the service port where Operations Center TCP port for agents is exposed. Don't change this parameter unless you know what you are doing |
 | OperationsCenter.ServiceAnnotations | object | `{}` | Additional annotations to put on the Operations Center service |
 | OperationsCenter.ServicePort | int | `80` | Controls the service port where Operations Center http port is exposed. Don't change this parameter unless you know what you are doing |
@@ -166,6 +177,7 @@ CloudBees provides complete and more detailed installation and operation documen
 | PodSecurityPolicy.Annotations | object | `{}` | Additional annotations to put on the PodSecurityPolicy, e.g. AppArmor/Seccomp settings |
 | PodSecurityPolicy.Enabled | bool | `false` | Enables [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) support Enable only if the cluster supports it. |
 | ingress-nginx.Enabled | bool | `false` | Installs the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx) controller (optional). Enable this section if you don't have an existing installation of ingress-nginx controller Note: use `beta.kubernetes.io/os` when deploying on Kubernetes versions below 1.16 |
+| ingress-nginx.controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | ingress-nginx.controller.ingressClass | string | `"nginx"` |  |
 | ingress-nginx.controller.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` |  |

helm/requirements.lock

@@ -7,6 +7,6 @@ dependencies:
   version: 2.15.0
 - name: cloudbees-sidecar-injector
   repository: https://charts.cloudbees.com/public/cloudbees
-  version: 2.1.0
-digest: sha256:996f7a1d8ae1bb7465e7df2865ef4521e1ebe3e10827d6544caebd4d0c811c23
-generated: "2020-11-02T17:56:50.500073-05:00"
+  version: 2.1.3
+digest: sha256:a1c4f1c479b0edb8530d98691ccb6e935c43867539bf2b0c7df246462c475cd0
+generated: "2021-02-09T09:09:33.126879+01:00"

helm/requirements.yaml

-dependencies:
-- name: nginx-ingress
-  version: 1.40.2
-  repository: https://charts.helm.sh/stable
-  condition: nginx-ingress.Enabled
-- name: ingress-nginx
-  version: 2.15.0
-  repository: https://kubernetes.github.io/ingress-nginx
-  condition: ingress-nginx.Enabled
-- name: cloudbees-sidecar-injector
-  version: 2.1.0
-  repository: https://charts.cloudbees.com/public/cloudbees
-  condition: sidecarinjector.Enabled

helm/templates/_helpers.tpl

@@ -53,7 +53,7 @@ kubectl
 {{- end -}}
 
 {{- define "cloudbees-core.needs-routes" -}}
-{{- if include "cloudbees-core.is-openshift" . -}}
+{{- if or (include "cloudbees-core.is-openshift" . ) (.Values.OperationsCenter.Route.tls.Enable) -}}
 true
 {{- end -}}
 {{- end -}}
@@ -228,14 +228,6 @@ true
 {{- end -}}
 {{- end -}}
 
-{{- define "rbac.apiVersion" -}}
-{{- default .Values.rbac.apiVersion "rbac.authorization.k8s.io/v1" -}}
-{{- end -}}
-
-{{- define "rbac.apiGroup" -}}
-{{- default .Values.rbac.apiGroup "rbac.authorization.k8s.io" -}}
-{{- end -}}
-
 {{- define "validate.operationscenter" -}}
 {{- if and (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}}
 {{ fail "Can't use both OperationsCenter.Enabled=true and Master.OperationsCenterNamespace" }}
@@ -330,23 +322,19 @@ ingress-nginx
 
 {{/* stable/nginx-ingress chart going away in Nov. 2020. This will be part of the 10/2020 release. Delete this after 4/2021 */}}
 {{- define "nginxingress.podSelectors" -}}
-{{- if  index .Values "nginx-ingress" "Enabled" }}
-{{ include "nginxingress.includedPodSelector" . }}
-{{- else if .Values.NetworkPolicy.ingressControllerSelector }}
-{{ toYaml .Values.NetworkPolicy.ingressControllerSelector -}}
-{{- else }}
-{{ include "nginxingress.defaultPodSelectors" . }}
-{{- end }}
-{{- end -}}
-
-{{- define "nginxingress.includedPodSelector" -}}
+{{- if  (index .Values "nginx-ingress" "Enabled")}}
 - podSelector:
     matchLabels:
-      app: {{ include "ingress.name" . }}
+      app: nginx-ingress
       component: controller
-{{- end -}}
-
-{{- define "nginxingress.defaultPodSelectors" -}}
+{{- else if (index .Values "ingress-nginx" "Enabled") }}
+- podSelector:
+    matchLabels:
+      app.kubernetes.io/name: ingress-nginx
+      app.kubernetes.io/component: controller
+{{- else if .Values.NetworkPolicy.ingressControllerSelector }}
+{{ toYaml .Values.NetworkPolicy.ingressControllerSelector -}}
+{{- else }}
 - namespaceSelector:
     matchLabels:
       name: {{ include "ingress.name" . }}
@@ -368,25 +356,9 @@ ingress-nginx
     matchLabels:
       app.kubernetes.io/name: ingress-nginx
       app.kubernetes.io/component: controller
-{{- end -}}
-
-{{- define "ingressnginx.podSelectors" -}}
-{{- if  index .Values "ingress-nginx" "Enabled" }}
-{{ include "ingressnginx.includedPodSelector" . }}
-{{- else if .Values.NetworkPolicy.ingressControllerSelector }}
-{{ toYaml .Values.NetworkPolicy.ingressControllerSelector -}}
-{{- else }}
-{{ include "ingressnginx.defaultPodSelectors" . }}
 {{- end }}
 {{- end -}}
 
-{{- define "ingressnginx.includedPodSelector" -}}
-- podSelector:
-    matchLabels:
-      app: {{ include "ingress.name" . }}
-      component: controller
-{{- end -}}
-
 {{- define "networkpolicy.cjoc.http" -}}
 {{- if include "cloudbees-core.is-openshift" . -}}
 {{ .Values.OperationsCenter.ContainerPort }}
@@ -444,6 +416,30 @@ managed-premium
 {{- end -}}
 {{- end -}}
 
+{{- define "openshift.tls" -}}
+{{- if .Values.OperationsCenter.Route.tls.Enable -}}
+tls:
+  insecureEdgeTerminationPolicy: {{ .Values.OperationsCenter.Route.tls.InsecureEdgeTerminationPolicy }}
+  termination: {{ .Values.OperationsCenter.Route.tls.Termination }}
+{{- if .Values.OperationsCenter.Route.tls.CACertificate }}
+  caCertificate: |-
+{{ .Values.OperationsCenter.Route.tls.CACertificate | indent 4 }}
+{{- end }}
+{{- if .Values.OperationsCenter.Route.tls.Certificate }}
+  certificate: |-
+{{ .Values.OperationsCenter.Route.tls.Certificate | indent 4 }}
+{{- end }}
+{{- if .Values.OperationsCenter.Route.tls.Key }}
+  key: |-
+{{ .Values.OperationsCenter.Route.tls.Key | indent 4 }}
+{{- end }}
+{{- if .Values.OperationsCenter.Route.tls.DestinationCACertificate }}
+  destinationCACertificate: |-
+{{ .Values.OperationsCenter.Route.tls.DestinationCACertificate | indent 4}}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{/*
 Workaround https://github.com/openshift/origin/issues/24060
 */}}
@@ -462,10 +458,16 @@ status:
 {{- end -}}
 
 {{- define "ingress.check" -}}
-{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress") }}
+{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1") }}
   {{ fail "\n\nERROR: Kubernetes 1.14 or later is required to use Ingress in networking.k8s.io/v1beta1" }}
 {{- end -}}
 {{- if and (index .Values "nginx-ingress" "Enabled") (index .Values "ingress-nginx" "Enabled") -}}
   {{ fail "\n\nERROR: Only one of nginx-ingress.Enabled or ingress-nginx.Enabled may be true" }}
 {{- end -}}
 {{- end -}}
+
+{{- define "features.enableServiceLinks-available" -}}
+{{- if semverCompare ">=1.13.0-0" .Capabilities.KubeVersion.Version -}}
+true
+{{- end -}}
+{{- end -}}

helm/templates/cjoc-clusterrole-master-management.yaml

 {{- if and .Values.OperationsCenter.Enabled .Values.rbac.install (include "rbac.install-cluster" .) -}}
 kind: ClusterRole
-apiVersion: {{ template "rbac.apiVersion" . }}
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cjoc-master-management-{{ .Release.Namespace }}
   labels:

helm/templates/cjoc-clusterrolebinding.yaml

 {{- if and .Values.OperationsCenter.Enabled .Values.rbac.install (include "rbac.install-cluster" .) -}}
 kind: ClusterRoleBinding
-apiVersion: {{ template "rbac.apiVersion" . }}
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cjoc-role-binding-{{ .Release.Namespace }}
   labels:
 {{ include "cloudbees-core.labels" . | indent 4 }}
 roleRef:
-  apiGroup: {{ template "rbac.apiGroup" . }}
+  apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cjoc-master-management-{{ .Release.Namespace }}
 subjects:

helm/templates/cjoc-role-agents.yaml

+{{ template "validate.operationscenter" . }}
+{{- if or (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}}
+{{- if .Values.Agents.SeparateNamespace.Enabled -}}
+{{- if .Values.rbac.install -}}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cjoc-agents-test-connection
+  namespace: {{ template "agents.namespace" . }}
+  labels:
+{{ include "cloudbees-core.labels" . | indent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+{{- end -}}
+{{- end -}}
+{{- end -}}

helm/templates/cjoc-role-master-management.yaml

@@ -2,12 +2,21 @@
 {{- if or (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}}
 {{- if .Values.rbac.install -}}
 kind: Role
-apiVersion: {{ template "rbac.apiVersion" . }}
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cjoc-master-management
   labels:
 {{ include "cloudbees-core.labels" . | indent 4 }}
 rules:
+{{- if .Values.Master.OperationsCenterNamespace }}
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+{{- end }}
 - apiGroups:
   - ""
   resources:

helm/templates/cjoc-rolebinding-agents.yaml

+{{ template "validate.operationscenter" . }}
+{{- if or (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}}
+{{- if .Values.Agents.SeparateNamespace.Enabled -}}
+{{- if .Values.rbac.install -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cjoc-agents-role-binding
+  namespace: {{ template "agents.namespace" . }}
+  labels:
+{{ include "cloudbees-core.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cjoc-agents-test-connection
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.rbac.serviceAccountName }}
+  namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
+{{- end -}}

helm/templates/cjoc-rolebinding.yaml

 {{ template "validate.operationscenter" . }}
 {{- if or (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}}
 {{- if .Values.rbac.install -}}
-apiVersion: {{ template "rbac.apiVersion" . }}
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: cjoc-role-binding
   labels:
 {{ include "cloudbees-core.labels" . | indent 4 }}
 roleRef:
-  apiGroup: {{ template "rbac.apiGroup" . }}
+  apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: cjoc-master-management
 subjects:

helm/templates/cjoc-route.yaml

@@ -18,11 +18,7 @@ spec:
   port:
     targetPort: http
   wildcardPolicy: None
-        {{- if eq .Values.OperationsCenter.Route.tls.Enable true }}
-  tls:
-    insecureEdgeTerminationPolicy: Redirect
-    termination: edge
-        {{end }}
+{{ include "openshift.tls" . | indent 2 }}
 {{ include "chart.helmRouteFix" $ }}
 {{- end -}}
 {{- end -}}

helm/templates/cjoc-statefulset.yaml

@@ -62,7 +62,9 @@ spec:
                       operator: In
                       values:
                         - slave
+      {{- if include "features.enableServiceLinks-available" . }}
       enableServiceLinks: false
+      {{- end }}
       serviceAccountName: {{ .Values.rbac.serviceAccountName }}
       {{- if .Values.OperationsCenter.NodeSelector }}
       nodeSelector:
@@ -140,6 +142,9 @@ spec:
             -Dcom.cloudbees.jce.masterprovisioning.DockerImageDefinitionConfiguration.masterImageName={{ include "mm.longname" . | quote}}
             -Dcom.cloudbees.jce.masterprovisioning.DockerImageDefinitionConfiguration.masterImage={{ .Values.Master.Image.dockerImage}}
             -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesMasterProvisioning.serviceAccount={{ .Values.rbac.masterServiceAccountName }}
+            {{- if .Values.Agents.SeparateNamespace.Enabled }}
+            -Dcom.cloudbees.jenkins.plugins.kube.NamespaceFilter.defaultNamespace={{ template "agents.namespace" . }}
+            {{- end }}
             {{- if (include "persistence.storageclass" .) }}
             -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesMasterProvisioning.storageClassName={{ include "persistence.storageclass" . | quote }}
             {{- end }}
@@ -155,6 +160,12 @@ spec:
             {{- if .Values.OperationsCenter.CSRF.ProxyCompatibility }}
             -Djenkins.model.Jenkins.crumbIssuerProxyCompatibility=true
             {{- end }}
+            {{- if .Values.sda }}
+            {{- if .Values.OperationsCenter.HostName }}
+            -Dcom.cloudbees.jenkins.plugins.platform.PlatformConfiguration.url={{- include "oc.protocol" . -}}://{{ include "oc.hostname" . }}/
+            {{- end }}
+            -Dcom.cloudbees.jenkins.plugins.platform.PlatformServer.apiUrl=https://flow-server:8443/
+            {{- end }}
             -XX:+UseG1GC
             -XX:+DisableExplicitGC
         ports:

helm/templates/managed-master-hibernation-monitor-deployment.yaml

@@ -71,7 +71,9 @@ spec:
           limits:
             memory: 250Mi
       serviceAccountName: {{ .Values.rbac.hibernationMonitorServiceAccountName }}
+      {{- if include "features.enableServiceLinks-available" . }}
       enableServiceLinks: false
+      {{- end }}
       {{- if .Values.Hibernation.NodeSelector }}
       nodeSelector:
 {{ toYaml .Values.Hibernation.NodeSelector | indent 8 }}

helm/templates/managed-master-hibernation-monitor-role.yaml

 {{- if .Values.Hibernation.Enabled -}}
 {{- if .Values.rbac.install -}}
 kind: Role
-apiVersion: {{ template "rbac.apiVersion" . }}
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: managed-master-hibernation-monitor
   labels:

helm/templates/managed-master-hibernation-monitor-rolebinding.yaml

 {{- if .Values.Hibernation.Enabled -}}
 {{- if .Values.rbac.install -}}
-apiVersion: {{ template "rbac.apiVersion" . }}
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: managed-master-hibernation-monitor
   labels:
 {{ include "cloudbees-core.labels" . | indent 4 }}
 roleRef:
-  apiGroup: {{ template "rbac.apiGroup" . }}
+  apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: managed-master-hibernation-monitor
 subjects: