diff --git a/Dockerfile b/Dockerfile index 019bd2119909c5df4f69bfc2d333503ac7041663..0e7f94a9c06200a48f5044048bb4d17571e0418b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -41,9 +41,9 @@ ENTRYPOINT ["tini", "--", "/usr/local/bin/launch.sh"] HEALTHCHECK --interval=5m --timeout=3s \ CMD curl -fsL ${JENKINS_URL}/login || exit 1 -# LABEL securitytxt="https://www.cloudbees.com/.well-known/security.txt" -# LABEL release=69f7102311718b7e0fbed31edb877f1352ca5cf1 -# LABEL version=2.263.2.4-ra +# L-A-B-E-L securitytxt="https://www.cloudbees.com/.well-known/security.txt" +# L-A-B-E-L release=308768c9f176b5155dd19ff01ca06396b66f5afd +# L-A-B-E-L version=2.277.2.1-ra COPY files.tar /tmp RUN cd / && tar xvf /tmp/files.tar && rm /tmp/files.tar @@ -65,7 +65,7 @@ ENV VOLUME_SERVICE=http://localhost:31080 ENV TENANT=cjoc ENV JENKINS_VARIANT=cjoc -# LABEL name="CloudBees CI Operation Center" -# LABEL vendor="CloudBees, Inc." -# LABEL summary="CloudBees CI is the continuous delivery platform architected for the enterprise" -# LABEL description="This container image will deploy one instance of CloudBees CI Operations Center." +# L-A-B-E-L name="CloudBees CI Operation Center" +# L-A-B-E-L vendor="CloudBees, Inc." +# L-A-B-E-L summary="CloudBees CI is the continuous delivery platform architected for the enterprise" +# L-A-B-E-L description="This container image will deploy one instance of CloudBees CI Operations Center." diff --git a/README.md b/README.md index ea3ee64b92c17992c4400eb665af72ef02cc4e9c..cc4dd791c2b5a84bef82846906138ed0809ff5b0 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # CloudBees CI setup -## Approved with Conditions: +## Approved with Conditions Must run behind CNAP or VPN (no internet facing). CloudBees CI (formerly known as _CloudBees Core_) consists of three Docker images installed via Helm chart: 
@@ -12,7 +12,7 @@ CloudBees CI (formerly known as _CloudBees Core_) consists of three Docker image For each image, all files other than UBI and native packages are included in a `files.tar` marked with a SHA-256 checksum. -A version of CloudBees CI is given in the format `2.263.2.4-ra` +A version of CloudBees CI is given in the format `2.277.2.1-ra` where the first three components are aligned with a Jenkins LTS. The Helm chart is coversioned with `core-oc`. The `core-mm` image typically shares the same version, @@ -25,13 +25,13 @@ plus whatever other customizations are desired: ```yaml OperationsCenter: Image: - dockerImage: your-registry/core-oc:2.263.2.4-ra + dockerImage: your-registry/core-oc:2.277.2.1-ra Master: Image: - dockerImage: your-registry/core-mm:2.263.2.4-ra + dockerImage: your-registry/core-mm:2.277.2.1-ra Agents: Image: - dockerImage: your-registry/agent:2.263.2.4-ra + dockerImage: your-registry/agent:2.277.2.1-ra ``` and [install via Helm 3](https://docs.cloudbees.com/docs/cloudbees-core/latest/kubernetes-install-guide/installing-kubernetes-using-helm) using the local copy of the chart: diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index b128c489be464b75f560e7c19605efe759a4e0c8..5fe8b0dbea56167489ac0b29c95a0b99b5cf50b2 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -1,7 +1,7 @@ apiVersion: v1 -name: cloudbees/core/core-oc +name: "cloudbees/core/core-oc" tags: -- "2.263.2.4-ra" +- "2.277.2.1-ra" - latest labels: org.opencontainers.image.title: "core-oc" @@ -9,7 +9,7 @@ labels: org.opencontainers.image.licenses: proprietary org.opencontainers.image.url: https://docs.cloudbees.com/docs/cloudbees-ci/ org.opencontainers.image.vendor: CloudBees - org.opencontainers.image.version: "2.263.2.4-ra" + org.opencontainers.image.version: "2.277.2.1-ra" mil.dso.ironbank.image.keywords: cicd mil.dso.ironbank.image.type: commercial mil.dso.ironbank.product.name: CloudBees CI 
@@ -18,10 +18,16 @@ args:
 BASE_TAG: "1.8.0"
 resources:
 - filename: files.tar
- url: https://downloads.cloudbees.com/dsop-files/core-oc-files-fdaeb7127afa7670743296125be0d1782e152c6ec14bca5e62ec69ef5d667901.tar
+ url: https://downloads.cloudbees.com/dsop-files/core-oc-files-a8c75c110388343781c00894fcade262363681eb914929bf19c94be5195463a3.tar
 validation:
 type: sha256
- value: "fdaeb7127afa7670743296125be0d1782e152c6ec14bca5e62ec69ef5d667901"
+ value: "a8c75c110388343781c00894fcade262363681eb914929bf19c94be5195463a3"
 maintainers:
 - email: productivity-team@cloudbees.com
+ name: CloudBees
+ username: imontero
+ cht_member: false
 - email: andre.maksymowicz@centauricorp.com
+ name: Andy Maksymowicz
+ username: andymaks
+ cht_member: true
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
index da8ccfd3b47ca313588d9210a75d192dcbd1a172..3a767d5a9f97633e5c4e285a7b23dbffbfd3614c 100644
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -1,12 +1,29 @@
+apiVersion: v2
 name: cloudbees-core
-home: https://www.cloudbees.com/products/continuous-integration
-apiVersion: v1
-appVersion: 2.263.2.3
-version: 3.25.3
+version: 3.29.2
 description: Enterprise Continuous Integration with Jenkins
-icon: https://images.ctfassets.net/vtn4rfaw6n2j/7xprMMXARXDBuVxW4y8XfV/349fff91035050e3f2a8ff37bc0615b5/cloudbees-core-logo_header.svg
 keywords:
 - cloudbees
 - jenkins
-engine: gotpl
-
+home: https://www.cloudbees.com/products/continuous-integration
+dependencies:
+ - name: nginx-ingress
+ version: 1.40.2
+ repository: https://charts.helm.sh/stable
+ condition: nginx-ingress.Enabled
+ - name: ingress-nginx
+ version: 2.15.0
+ repository: https://kubernetes.github.io/ingress-nginx
+ condition: ingress-nginx.Enabled
+ - name: cloudbees-sidecar-injector
+ version: 2.1.3
+ repository: https://charts.cloudbees.com/public/cloudbees
+ condition: sidecarinjector.Enabled
+icon: https://images.ctfassets.net/vtn4rfaw6n2j/7xprMMXARXDBuVxW4y8XfV/349fff91035050e3f2a8ff37bc0615b5/cloudbees-core-logo_header.svg
+appVersion: 2.277.2.3
+annotations:
+ artifacthub.io/links: |
+ - name: Product overview
+ url: https://www.cloudbees.com/products/continuous-integration
+ - name: Documentation
+ url: https://docs.cloudbees.com/docs/cloudbees-ci/latest/
diff --git a/helm/README-template.md b/helm/README-template.md
index b86f7f950857766487de290e7be474c2e2cbbb69..1f637a4bf8e658f686e731c790be7f445caa5043 100644
--- a/helm/README-template.md
+++ b/helm/README-template.md
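Review bot: Switching `helm/Chart.yaml` to `apiVersion: v2` changes which lock file Helm consults: v2 charts record their dependency lock in `Chart.lock`, whereas `requirements.lock` belongs to v1 charts, yet this commit deletes `helm/requirements.yaml` and still updates `helm/requirements.lock` (the `digest:` change in that file's hunk). If no `Chart.lock` is added elsewhere in the commit, the three dependencies are held only by the `version:` fields in this hunk and the recorded digest is no longer compared against anything; regenerating the lock with `helm dependency update` and committing `Chart.lock` in place of `requirements.lock` would restore that. The `nginx-ingress` entry also still pulls from `https://charts.helm.sh/stable`, which the comment in `_helpers.tpl` describes as going away, so a comment above it such as `# deprecated upstream chart; remove together with the nginx-ingress.* values` would record why it remains.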
@@ -1,6 +1,6 @@ # cloudbees-core -![Version: 3.25.3](https://img.shields.io/badge/Version-3.25.3-informational?style=flat-square) ![AppVersion: 2.263.2.3](https://img.shields.io/badge/AppVersion-2.263.2.3-informational?style=flat-square) +![Version: 3.29.2](https://img.shields.io/badge/Version-3.29.2-informational?style=flat-square) ![AppVersion: 2.277.2.3](https://img.shields.io/badge/AppVersion-2.277.2.3-informational?style=flat-square) [CloudBees CI](https://www.cloudbees.com/products/continuous-integration) is the continuous integration platform architected for the enterprise. It provides: @@ -28,7 +28,7 @@ This chart bootstraps a CloudBees CI deployment on a [Kubernetes](http://kuberne | Repository | Name | Version | |------------|------|---------| -| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.0 | +| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.3 | | https://charts.helm.sh/stable | nginx-ingress | 1.40.2 | | https://kubernetes.github.io/ingress-nginx | ingress-nginx | 2.15.0 | 
@@ -114,7 +114,7 @@ CloudBees provides complete and more detailed installation and operation documen | Agents.SeparateNamespace.Enabled | bool | `false` | If enabled, agents resources will be created in a separate namespace as well as bindings allowing masters to schedule them. | | Agents.SeparateNamespace.Name | string | `nil` | Namespace where to create agents resources. Defaults to `${namespace}-builds` where `${namespace}` is the namespace where the chart is installed. | | Hibernation.Enabled | bool | `false` | Whether to enable the [Hibernation](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-admin-guide/managing-masters#_hibernation_of_managed_masters) feature | -| Hibernation.Image.dockerImage | string | `"cloudbees/managed-master-hibernation-monitor:230.ee066a318539"` | Used to override the default docker image | +| Hibernation.Image.dockerImage | string | `"cloudbees/managed-master-hibernation-monitor:247.c5dfce00a179"` | Used to override the default docker image | | Hibernation.Image.dockerPullPolicy | string | `nil` | Used to override the default pull policy | | Hibernation.ImagePullSecrets | string | `nil` | Name of image pull secret to pull private Docker images or an array of image pull secrets | | Hibernation.NodeSelector | object | `{}` | Node labels and tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | 
@@ -130,8 +130,13 @@ CloudBees provides complete and more detailed installation and operation documen | OperationsCenter.Annotations | object | `{}` | Additional annotations to put on the pod running Operations Center | | OperationsCenter.CSRF.ProxyCompatibility | bool | `false` | Proxy compatibility for the default CSRF issuer | | OperationsCenter.ContainerPort | int | `8080` | Container port for http traffic | -| OperationsCenter.ContextPath | string | `"/cjoc"` | the path under which Operations Center will be accessible in the given host. | +| OperationsCenter.ContextPath | string | `nil` | the path under which Operations Center will be accessible in the given host. DEPRECATED - Use OperationsCenter.Name instead. | | OperationsCenter.Enabled | bool | `true` | Disable for particular use case like setting up namespaces to host masters only | +| OperationsCenter.ExtraConfigMaps | list | `[]` | Extra configmaps deployed with the chart | +| OperationsCenter.ExtraContainers | list | `[]` | Extra containers to add to the pod containing Operations Center. | +| OperationsCenter.ExtraGroovyConfiguration | object | `{}` | Provides additional init groovy scripts Each key becomes a file in /var/jenkins_config | +| OperationsCenter.ExtraVolumeMounts | list | `[]` | Extra volume mounts to add to the container containing Operations Center | +| OperationsCenter.ExtraVolumes | list | `[]` | Extra volumes to add to the pod | | OperationsCenter.HealthProbeLivenessFailureThreshold | int | `12` | Threshold for liveness failure | | OperationsCenter.HealthProbes | bool | `true` | Enable Kubernetes Liveness and Readiness Probes | | OperationsCenter.HostName | string | `nil` | The hostname used to access Operations Center through the ingress controller. | 
@@ -146,6 +151,7 @@ CloudBees provides complete and more detailed installation and operation documen | OperationsCenter.JenkinsOpts | string | `nil` | Additional arguments for jenkins.war | | OperationsCenter.LoadBalancerIP | string | `nil` | Optionally assign a known public LB IP | | OperationsCenter.LoadBalancerSourceRanges | list | `["0.0.0.0/0"]` | Only applicable when using `ServiceType: LoadBalancer` | +| OperationsCenter.Name | string | `"cjoc"` | the name in the URL under which Operations Center will be accessible in the given host. For instance, if Subdomain is true, the URL to access Operations Center will be {{OperationsCenter.Protocol}}://{{OperationsCenter.Name}}.{{OperationsCenter.HostName}}:{{OperationsCenter.Port}} If Subdomain is false, the URL to access Operations Center will be {{OperationsCenter.Protocol}}://{{OperationsCenter.HostName}}:{{OperationsCenter.Port}}/{{OperationsCenter.Name}} | | OperationsCenter.NodeSelector | object | `{}` | Node labels and tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | | OperationsCenter.Platform | string | `"standard"` | Enables specific settings depending on the platform platform specific values are: `eks`, `aws`, `gke`, `aks`, `openshift`, `openshift4` Note: `openshift` maps to OpenShift 3.x | | OperationsCenter.Protocol | string | `"http"` | the protocol used to access CJOC. Possible values are http/https. | 
@@ -153,7 +159,13 @@ CloudBees provides complete and more detailed installation and operation documen | OperationsCenter.Resources.Limits.Memory | string | `"2G"` | Memory limit to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory | | OperationsCenter.Resources.Requests.Cpu | int | `1` | CPU request to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu | | OperationsCenter.Resources.Requests.Memory | string | `"2G"` | Memory request to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory | -| OperationsCenter.Route.tls.Enable | bool | `false` | Set this to true in OpenShift to terminate TLS at route level | +| OperationsCenter.Route.tls.CACertificate | string | `nil` | CA Certificate PEM-encoded | +| OperationsCenter.Route.tls.Certificate | string | `nil` | Certificate PEM-encoded | +| OperationsCenter.Route.tls.DestinationCACertificate | string | `nil` | When using `termination=reencrypt`, destination CA PEM-encoded | +| OperationsCenter.Route.tls.Enable | bool | `false` | Set this to true in OpenShift to terminate TLS at route level Read https://docs.openshift.com/container-platform/4.6/networking/routes/secured-routes.html for details. These also apply to Hibernation monitor if enabled. | +| OperationsCenter.Route.tls.InsecureEdgeTerminationPolicy | string | `"Redirect"` | Whether to redirect http to https | +| OperationsCenter.Route.tls.Key | string | `nil` | Private key PEM-encoded | +| OperationsCenter.Route.tls.Termination | string | `"edge"` | Type of termination | | OperationsCenter.ServiceAgentListenerPort | int | `50000` | Controls the service port where Operations Center TCP port for agents is exposed. 
Don't change this parameter unless you know what you are doing | | OperationsCenter.ServiceAnnotations | object | `{}` | Additional annotations to put on the Operations Center service | | OperationsCenter.ServicePort | int | `80` | Controls the service port where Operations Center http port is exposed. Don't change this parameter unless you know what you are doing | 
@@ -165,7 +177,9 @@ CloudBees provides complete and more detailed installation and operation documen | Persistence.StorageClass | string | `nil` | Persistent Volume Storage Class for Jenkins Home If defined, storageClassName: . If set to "-", storageClassName: "", which disables dynamic provisioning. If undefined (the default) or set to null, the default storage class will be used, unless specified otherwise below. If setting OperationsCenter.Platform == gke, a storage class backed with SSD drives will be created by this chart and used automatically. | | PodSecurityPolicy.Annotations | object | `{}` | Additional annotations to put on the PodSecurityPolicy, e.g. AppArmor/Seccomp settings | | PodSecurityPolicy.Enabled | bool | `false` | Enables [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) support Enable only if the cluster supports it. | +| Subdomain | bool | `false` | Whether to use a DNS subdomain for each controller. | | ingress-nginx.Enabled | bool | `false` | Installs the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx) controller (optional). Enable this section if you don't have an existing installation of ingress-nginx controller Note: use `beta.kubernetes.io/os` when deploying on Kubernetes versions below 1.16 | +| ingress-nginx.controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | ingress-nginx.controller.ingressClass | string | `"nginx"` | | | ingress-nginx.controller.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` | | diff --git a/helm/README.md b/helm/README.md index dd51b08265afc2dfce0186f3c9786ba9e05f7f5d..1d07880bf47c99baf95b0c826d5cc57ae6c27e03 100644 --- a/helm/README.md +++ b/helm/README.md 
@@ -1,6 +1,6 @@ # cloudbees-core -![Version: 3.25.3](https://img.shields.io/badge/Version-3.25.3-informational?style=flat-square) ![AppVersion: 2.263.2.3](https://img.shields.io/badge/AppVersion-2.263.2.3-informational?style=flat-square) +![Version: 3.29.2](https://img.shields.io/badge/Version-3.29.2-informational?style=flat-square) ![AppVersion: 2.277.2.3](https://img.shields.io/badge/AppVersion-2.277.2.3-informational?style=flat-square) [CloudBees CI](https://www.cloudbees.com/products/continuous-integration) is the continuous integration platform architected for the enterprise. It provides: @@ -28,7 +28,7 @@ This chart bootstraps a CloudBees CI deployment on a [Kubernetes](http://kuberne | Repository | Name | Version | |------------|------|---------| -| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.0 | +| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.3 | | https://charts.helm.sh/stable | nginx-ingress | 1.40.2 | | https://kubernetes.github.io/ingress-nginx | ingress-nginx | 2.15.0 | 
@@ -114,7 +114,7 @@ CloudBees provides complete and more detailed installation and operation documen | Agents.SeparateNamespace.Enabled | bool | `false` | If enabled, agents resources will be created in a separate namespace as well as bindings allowing masters to schedule them. | | Agents.SeparateNamespace.Name | string | `nil` | Namespace where to create agents resources. Defaults to `${namespace}-builds` where `${namespace}` is the namespace where the chart is installed. | | Hibernation.Enabled | bool | `false` | Whether to enable the [Hibernation](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-admin-guide/managing-masters#_hibernation_of_managed_masters) feature | -| Hibernation.Image.dockerImage | string | `"cloudbees/managed-master-hibernation-monitor:230.ee066a318539"` | Used to override the default docker image | +| Hibernation.Image.dockerImage | string | `"cloudbees/managed-master-hibernation-monitor:247.c5dfce00a179"` | Used to override the default docker image | | Hibernation.Image.dockerPullPolicy | string | `nil` | Used to override the default pull policy | | Hibernation.ImagePullSecrets | string | `nil` | Name of image pull secret to pull private Docker images or an array of image pull secrets | | Hibernation.NodeSelector | object | `{}` | Node labels and tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | 
@@ -130,8 +130,13 @@ CloudBees provides complete and more detailed installation and operation documen | OperationsCenter.Annotations | object | `{}` | Additional annotations to put on the pod running Operations Center | | OperationsCenter.CSRF.ProxyCompatibility | bool | `false` | Proxy compatibility for the default CSRF issuer | | OperationsCenter.ContainerPort | int | `8080` | Container port for http traffic | -| OperationsCenter.ContextPath | string | `"/cjoc"` | the path under which Operations Center will be accessible in the given host. | +| OperationsCenter.ContextPath | string | `nil` | the path under which Operations Center will be accessible in the given host. DEPRECATED - Use OperationsCenter.Name instead. | | OperationsCenter.Enabled | bool | `true` | Disable for particular use case like setting up namespaces to host masters only | +| OperationsCenter.ExtraConfigMaps | list | `[]` | Extra configmaps deployed with the chart | +| OperationsCenter.ExtraContainers | list | `[]` | Extra containers to add to the pod containing Operations Center. | +| OperationsCenter.ExtraGroovyConfiguration | object | `{}` | Provides additional init groovy scripts Each key becomes a file in /var/jenkins_config | +| OperationsCenter.ExtraVolumeMounts | list | `[]` | Extra volume mounts to add to the container containing Operations Center | +| OperationsCenter.ExtraVolumes | list | `[]` | Extra volumes to add to the pod | | OperationsCenter.HealthProbeLivenessFailureThreshold | int | `12` | Threshold for liveness failure | | OperationsCenter.HealthProbes | bool | `true` | Enable Kubernetes Liveness and Readiness Probes | | OperationsCenter.HostName | string | `nil` | The hostname used to access Operations Center through the ingress controller. | 
@@ -146,6 +151,7 @@ CloudBees provides complete and more detailed installation and operation documen | OperationsCenter.JenkinsOpts | string | `nil` | Additional arguments for jenkins.war | | OperationsCenter.LoadBalancerIP | string | `nil` | Optionally assign a known public LB IP | | OperationsCenter.LoadBalancerSourceRanges | list | `["0.0.0.0/0"]` | Only applicable when using `ServiceType: LoadBalancer` | +| OperationsCenter.Name | string | `"cjoc"` | the name in the URL under which Operations Center will be accessible in the given host. For instance, if Subdomain is true, the URL to access Operations Center will be {{OperationsCenter.Protocol}}://{{OperationsCenter.Name}}.{{OperationsCenter.HostName}}:{{OperationsCenter.Port}} If Subdomain is false, the URL to access Operations Center will be {{OperationsCenter.Protocol}}://{{OperationsCenter.HostName}}:{{OperationsCenter.Port}}/{{OperationsCenter.Name}} | | OperationsCenter.NodeSelector | object | `{}` | Node labels and tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | | OperationsCenter.Platform | string | `"standard"` | Enables specific settings depending on the platform platform specific values are: `eks`, `aws`, `gke`, `aks`, `openshift`, `openshift4` Note: `openshift` maps to OpenShift 3.x | | OperationsCenter.Protocol | string | `"http"` | the protocol used to access CJOC. Possible values are http/https. | 
@@ -153,7 +159,13 @@ CloudBees provides complete and more detailed installation and operation documen | OperationsCenter.Resources.Limits.Memory | string | `"2G"` | Memory limit to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory | | OperationsCenter.Resources.Requests.Cpu | int | `1` | CPU request to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu | | OperationsCenter.Resources.Requests.Memory | string | `"2G"` | Memory request to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory | -| OperationsCenter.Route.tls.Enable | bool | `false` | Set this to true in OpenShift to terminate TLS at route level | +| OperationsCenter.Route.tls.CACertificate | string | `nil` | CA Certificate PEM-encoded | +| OperationsCenter.Route.tls.Certificate | string | `nil` | Certificate PEM-encoded | +| OperationsCenter.Route.tls.DestinationCACertificate | string | `nil` | When using `termination=reencrypt`, destination CA PEM-encoded | +| OperationsCenter.Route.tls.Enable | bool | `false` | Set this to true in OpenShift to terminate TLS at route level Read https://docs.openshift.com/container-platform/4.6/networking/routes/secured-routes.html for details. These also apply to Hibernation monitor if enabled. | +| OperationsCenter.Route.tls.InsecureEdgeTerminationPolicy | string | `"Redirect"` | Whether to redirect http to https | +| OperationsCenter.Route.tls.Key | string | `nil` | Private key PEM-encoded | +| OperationsCenter.Route.tls.Termination | string | `"edge"` | Type of termination | | OperationsCenter.ServiceAgentListenerPort | int | `50000` | Controls the service port where Operations Center TCP port for agents is exposed. 
Don't change this parameter unless you know what you are doing | | OperationsCenter.ServiceAnnotations | object | `{}` | Additional annotations to put on the Operations Center service | | OperationsCenter.ServicePort | int | `80` | Controls the service port where Operations Center http port is exposed. Don't change this parameter unless you know what you are doing | 
@@ -165,7 +177,9 @@ CloudBees provides complete and more detailed installation and operation documen | Persistence.StorageClass | string | `nil` | Persistent Volume Storage Class for Jenkins Home If defined, storageClassName: . If set to "-", storageClassName: "", which disables dynamic provisioning. If undefined (the default) or set to null, the default storage class will be used, unless specified otherwise below. If setting OperationsCenter.Platform == gke, a storage class backed with SSD drives will be created by this chart and used automatically. | | PodSecurityPolicy.Annotations | object | `{}` | Additional annotations to put on the PodSecurityPolicy, e.g. AppArmor/Seccomp settings | | PodSecurityPolicy.Enabled | bool | `false` | Enables [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) support Enable only if the cluster supports it. | +| Subdomain | bool | `false` | Whether to use a DNS subdomain for each controller. | | ingress-nginx.Enabled | bool | `false` | Installs the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx) controller (optional). Enable this section if you don't have an existing installation of ingress-nginx controller Note: use `beta.kubernetes.io/os` when deploying on Kubernetes versions below 1.16 | +| ingress-nginx.controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | ingress-nginx.controller.ingressClass | string | `"nginx"` | | | ingress-nginx.controller.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` | | diff --git a/helm/requirements.lock b/helm/requirements.lock index 4b08a7fbd90e574682d8d63b95f90a6c92050627..b6d8456a8906c84c747398ecb414b7c253eacaf1 100644 --- a/helm/requirements.lock +++ b/helm/requirements.lock 
@@ -7,6 +7,6 @@ dependencies: version: 2.15.0 - name: cloudbees-sidecar-injector repository: https://charts.cloudbees.com/public/cloudbees - version: 2.1.0 -digest: sha256:996f7a1d8ae1bb7465e7df2865ef4521e1ebe3e10827d6544caebd4d0c811c23 -generated: "2020-11-02T17:56:50.500073-05:00" + version: 2.1.3 +digest: sha256:a1c4f1c479b0edb8530d98691ccb6e935c43867539bf2b0c7df246462c475cd0 +generated: "2021-02-09T09:09:33.126879+01:00" diff --git a/helm/requirements.yaml b/helm/requirements.yaml deleted file mode 100644 index 417a1df374bf249a36339f88ea3697a460adbbdb..0000000000000000000000000000000000000000 --- a/helm/requirements.yaml +++ /dev/null @@ -1,13 +0,0 @@ -dependencies: -- name: nginx-ingress - version: 1.40.2 - repository: https://charts.helm.sh/stable - condition: nginx-ingress.Enabled -- name: ingress-nginx - version: 2.15.0 - repository: https://kubernetes.github.io/ingress-nginx - condition: ingress-nginx.Enabled -- name: cloudbees-sidecar-injector - version: 2.1.0 - repository: https://charts.cloudbees.com/public/cloudbees - condition: sidecarinjector.Enabled diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl index 18a400cee34f0fcdbb2ca5d8df8468a47f290712..90998bf3f6a00da60291b7257236ff96f0160995 100644 --- a/helm/templates/_helpers.tpl +++ b/helm/templates/_helpers.tpl @@ -53,7 +53,7 @@ kubectl {{- end -}} {{- define "cloudbees-core.needs-routes" -}} -{{- if include "cloudbees-core.is-openshift" . -}} +{{- if or (include "cloudbees-core.is-openshift" . ) (.Values.OperationsCenter.Route.tls.Enable) -}} true {{- end -}} {{- end -}} @@ -88,6 +88,12 @@ true {{- end -}} {{- end -}} +{{- define "cloudbees-core.use-subdomain" -}} +{{- if and (eq (typeOf .Values.Subdomain) "bool") (eq .Values.Subdomain true) -}} +true +{{- end -}} +{{- end -}} + {{/* Return labels, including instance and name. */}} 
@@ -109,7 +115,18 @@ helm.sh/chart: {{ include "cloudbees-core.chart" . | quote }} Sanitize Operations Center context path to never have a trailing slash */}} {{- define "oc.contextpath" -}} -{{ trimSuffix "/" .Values.OperationsCenter.ContextPath }} +{{- if not (empty .Values.OperationsCenter.ContextPath) -}} +{{- trimSuffix "/" .Values.OperationsCenter.ContextPath -}} +{{- else -}} +{{- if not (include "cloudbees-core.use-subdomain" .) -}} +/ +{{- include "oc.name" . }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "oc.name" -}} +{{ .Values.OperationsCenter.Name }} {{- end -}} {{- define "oc.defaultPort" -}} @@ -130,14 +147,34 @@ Sanitize Operations Center context path to never have a trailing slash Expected Operations Center Hostname. Include port if not 80/443. */}} {{- define "oc.hostname" -}} -{{ .Values.OperationsCenter.HostName }}{{- include "oc.optionalPort" . -}} +{{- include "oc.hostnamewithoutport" . -}}{{- include "oc.optionalPort" . -}} +{{- end -}} + +{{/* +Expected Operations Center Hostname. Include port if not 80/443. +*/}} +{{- define "oc.hostnamewithoutport" -}} +{{- if (include "cloudbees-core.use-subdomain" .) -}} +{{- include "oc.name" . -}}. +{{- end -}} +{{ .Values.OperationsCenter.HostName }} +{{- end -}} + +{{/* +Expected Operations Center Hostname. Include port if not 80/443. +*/}} +{{- define "hibernation.hostnamewithoutport" -}} +{{- if (include "cloudbees-core.use-subdomain" .) -}} +hibernation-{{ .Release.Namespace }}. +{{- end -}} +{{ .Values.OperationsCenter.HostName }} {{- end -}} {{/* Expected Operations Center URL. Always ends with a trailing slash. */}} {{- define "oc.url" -}} -{{- template "oc.protocol" . -}}://{{ include "oc.hostname" . }}{{ include "oc.contextpath" . }}/ +{{- include "oc.protocol" . -}}://{{ include "oc.hostname" . }}{{ include "oc.contextpath" . }}/ {{- end -}} {{- define "ingress.annotations" -}} 
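Review bot: The doc comments on the two new helpers `oc.hostnamewithoutport` and `hibernation.hostnamewithoutport` are copies of the `oc.hostname` comment ("Include port if not 80/443."), which states the opposite of what these helpers return. Suggested replacements: `Operations Center hostname without the port; prefixed with "<OperationsCenter.Name>." when Subdomain is enabled.` and `Hibernation monitor hostname without the port; prefixed with "hibernation-<release namespace>." when Subdomain is enabled.` The `oc.name` helper added in the previous hunk has no comment at all, and since `oc.contextpath` falls back to `/` plus that name, a one-line comment stating that it is used both as the URL path segment and as the subdomain label would help anyone overriding `OperationsCenter.Name`.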
@@ -161,6 +198,21 @@ nginx.ingress.kubernetes.io/ssl-redirect: "{{- template "ingress.ssl_redirect" . {{- end }} {{- end }} +{{- define "cjoc.ingress.annotations" -}} +{{ include "ingress.annotations" . }} +{{- if eq .Values.OperationsCenter.Platform "eks" }} +alb.ingress.kubernetes.io/healthcheck-path: {{ include "oc.contextpath" . }}/login +{{- end }} +{{- end }} + +{{- define "hibernationMonitor.ingress.annotations" -}} +{{ include "ingress.annotations" . }} +{{- if eq .Values.OperationsCenter.Platform "eks" }} +alb.ingress.kubernetes.io/healthcheck-path: /health/live +{{- end }} +{{- end }} + + {{- define "ingress.root-redirect" -}} {{ include "oc.contextpath" . }}/teams-check/ {{- end }} @@ -191,7 +243,9 @@ extensions {{- end -}} {{- define "ingress.apiVersion" -}} -{{- if ge (atoi (.Capabilities.KubeVersion.Minor)) 15 -}} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}} +networking.k8s.io/v1 +{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}} networking.k8s.io/v1beta1 {{- else -}} extensions/v1beta1 @@ -202,6 +256,30 @@ extensions/v1beta1 {{- .Values.OperationsCenter.Ingress.tls.Enable }} {{- end -}} +{{- define "ingress.backend.cjoc" -}} +{{- if eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}} +service: + name: cjoc + port: + number: {{ .Values.OperationsCenter.ServicePort }} +{{- else -}} +serviceName: cjoc +servicePort: {{ .Values.OperationsCenter.ServicePort }} +{{- end -}} +{{- end -}} + +{{- define "ingress.backend.hibernation" -}} +{{- if eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}} +service: + name: managed-master-hibernation-monitor + port: + number: 80 +{{- else -}} +serviceName: managed-master-hibernation-monitor +servicePort: 80 +{{- end -}} +{{- end -}} + {{/* If rbac.installCluster is defined, honor it. Otherwise, default to true, except on Openshift 3 where we default to "" (falsy) 
@@ -228,14 +306,6 @@ true {{- end -}} {{- end -}} -{{- define "rbac.apiVersion" -}} -{{- default .Values.rbac.apiVersion "rbac.authorization.k8s.io/v1" -}} -{{- end -}} - -{{- define "rbac.apiGroup" -}} -{{- default .Values.rbac.apiGroup "rbac.authorization.k8s.io" -}} -{{- end -}} - {{- define "validate.operationscenter" -}} {{- if and (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}} {{ fail "Can't use both OperationsCenter.Enabled=true and Master.OperationsCenterNamespace" }} @@ -330,23 +400,19 @@ ingress-nginx {{/* stable/nginx-ingress chart going away in Nov. 2020. This will be part of the 10/2020 release. Delete this after 4/2021 */}} {{- define "nginxingress.podSelectors" -}} -{{- if index .Values "nginx-ingress" "Enabled" }} -{{ include "nginxingress.includedPodSelector" . }} -{{- else if .Values.NetworkPolicy.ingressControllerSelector }} -{{ toYaml .Values.NetworkPolicy.ingressControllerSelector -}} -{{- else }} -{{ include "nginxingress.defaultPodSelectors" . }} -{{- end }} -{{- end -}} - -{{- define "nginxingress.includedPodSelector" -}} +{{- if (index .Values "nginx-ingress" "Enabled")}} - podSelector: matchLabels: - app: {{ include "ingress.name" . }} + app: nginx-ingress component: controller -{{- end -}} - -{{- define "nginxingress.defaultPodSelectors" -}} +{{- else if (index .Values "ingress-nginx" "Enabled") }} +- podSelector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: controller +{{- else if .Values.NetworkPolicy.ingressControllerSelector }} +{{ toYaml .Values.NetworkPolicy.ingressControllerSelector -}} +{{- else }} - namespaceSelector: matchLabels: name: {{ include "ingress.name" . }} 
@@ -368,25 +434,9 @@ ingress-nginx matchLabels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/component: controller -{{- end -}} - -{{- define "ingressnginx.podSelectors" -}} -{{- if index .Values "ingress-nginx" "Enabled" }} -{{ include "ingressnginx.includedPodSelector" . }} -{{- else if .Values.NetworkPolicy.ingressControllerSelector }} -{{ toYaml .Values.NetworkPolicy.ingressControllerSelector -}} -{{- else }} -{{ include "ingressnginx.defaultPodSelectors" . }} {{- end }} {{- end -}} -{{- define "ingressnginx.includedPodSelector" -}} -- podSelector: - matchLabels: - app: {{ include "ingress.name" . }} - component: controller -{{- end -}} - {{- define "networkpolicy.cjoc.http" -}} {{- if include "cloudbees-core.is-openshift" . -}} {{ .Values.OperationsCenter.ContainerPort }} @@ -444,6 +494,30 @@ managed-premium {{- end -}} {{- end -}} +{{- define "openshift.tls" -}} +{{- if .Values.OperationsCenter.Route.tls.Enable -}} +tls: + insecureEdgeTerminationPolicy: {{ .Values.OperationsCenter.Route.tls.InsecureEdgeTerminationPolicy }} + termination: {{ .Values.OperationsCenter.Route.tls.Termination }} +{{- if .Values.OperationsCenter.Route.tls.CACertificate }} + caCertificate: |- +{{ .Values.OperationsCenter.Route.tls.CACertificate | indent 4 }} +{{- end }} +{{- if .Values.OperationsCenter.Route.tls.Certificate }} + certificate: |- +{{ .Values.OperationsCenter.Route.tls.Certificate | indent 4 }} +{{- end }} +{{- if .Values.OperationsCenter.Route.tls.Key }} + key: |- +{{ .Values.OperationsCenter.Route.tls.Key | indent 4 }} +{{- end }} +{{- if .Values.OperationsCenter.Route.tls.DestinationCACertificate }} + destinationCACertificate: |- +{{ .Values.OperationsCenter.Route.tls.DestinationCACertificate | indent 4}} +{{- end }} +{{- end }} +{{- end }} + {{/* Workaround https://github.com/openshift/origin/issues/24060 */}} 
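Review bot: The new `openshift.tls` helper renders `OperationsCenter.Route.tls.Key` straight from chart values into the Route spec, so the private key ends up in the Helm release record and in any values file used for the install. `cjoc-route.yaml` and both hibernation-monitor route templates include this helper, and the `values.yaml` hunk documents the field only as "Private key PEM-encoded". I would extend that comment, e.g. `# OperationsCenter.Route.tls.Key -- Private key PEM-encoded. Pass it with --set-file from a protected path rather than committing it to a values file.` Separately, `termination` and `insecureEdgeTerminationPolicy` are emitted unquoted; piping both through `quote` keeps an unexpected value from changing the YAML structure.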
@@ -462,10 +536,24 @@ status: {{- end -}} {{- define "ingress.check" -}} -{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress") }} +{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1") }} {{ fail "\n\nERROR: Kubernetes 1.14 or later is required to use Ingress in networking.k8s.io/v1beta1" }} {{- end -}} {{- if and (index .Values "nginx-ingress" "Enabled") (index .Values "ingress-nginx" "Enabled") -}} {{ fail "\n\nERROR: Only one of nginx-ingress.Enabled or ingress-nginx.Enabled may be true" }} {{- end -}} {{- end -}} + +{{- define "features.enableServiceLinks-available" -}} +{{- if semverCompare ">=1.13.0-0" .Capabilities.KubeVersion.Version -}} +true +{{- end -}} +{{- end -}} + +{{- define "hibernation.routenonnamespacedurls" -}} +{{- if and (eq (typeOf .Values.OperationsCenter.Enabled) "bool") (eq .Values.OperationsCenter.Enabled false) -}} +true +{{- else -}} +false +{{- end -}} +{{- end -}} diff --git a/helm/templates/cjoc-clusterrole-master-management.yaml b/helm/templates/cjoc-clusterrole-master-management.yaml index b241013cbcf752ded647efa6e66037ccd1525403..76667512724fece394d2a0f5f02e208071473301 100644 --- a/helm/templates/cjoc-clusterrole-master-management.yaml +++ b/helm/templates/cjoc-clusterrole-master-management.yaml @@ -1,6 +1,6 @@ {{- if and .Values.OperationsCenter.Enabled .Values.rbac.install (include "rbac.install-cluster" .) -}} kind: ClusterRole -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cjoc-master-management-{{ .Release.Namespace }} labels: diff --git a/helm/templates/cjoc-clusterrolebinding.yaml b/helm/templates/cjoc-clusterrolebinding.yaml index e7381e001425931c027451f58b48dafba1ed6833..867fa1b286f200a59546a999266d2ccec93bf8a8 100644 --- a/helm/templates/cjoc-clusterrolebinding.yaml +++ b/helm/templates/cjoc-clusterrolebinding.yaml 
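Review bot: `ingress.check` now requires the `networking.k8s.io/v1beta1` group version, while `ingress.apiVersion` in this same commit prefers `networking.k8s.io/v1`. On a cluster that serves Ingress only from `networking.k8s.io/v1`, the install would fail here even though the chart can render a v1 Ingress. The guard should accept either API, e.g. `{{- if not (or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}`, and the failure message should stop naming only v1beta1.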
@@ -1,12 +1,12 @@ {{- if and .Values.OperationsCenter.Enabled .Values.rbac.install (include "rbac.install-cluster" .) -}} kind: ClusterRoleBinding -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cjoc-role-binding-{{ .Release.Namespace }} labels: {{ include "cloudbees-core.labels" . | indent 4 }} roleRef: - apiGroup: {{ template "rbac.apiGroup" . }} + apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cjoc-master-management-{{ .Release.Namespace }} subjects: diff --git a/helm/templates/cjoc-configure-jenkins-groovy.yaml b/helm/templates/cjoc-configure-jenkins-groovy.yaml index ac4564723d718cf572327423897eafabf9600103..fddeb085cf42cedcc7cf1c613034ccd48f489882 100644 --- a/helm/templates/cjoc-configure-jenkins-groovy.yaml +++ b/helm/templates/cjoc-configure-jenkins-groovy.yaml @@ -7,7 +7,7 @@ metadata: {{ include "cloudbees-core.labels" . | indent 4 }} data: location.groovy: | -{{- if .Values.OperationsCenter.HostName }} +{{- if (include "oc.hostnamewithoutport" .) }} jenkins.model.JenkinsLocationConfiguration.get().setUrl("{{- template "oc.url" . -}}") {{- end }} {{- if .Values.OperationsCenter.ExtraGroovyConfiguration }} diff --git a/helm/templates/cjoc-ingress.yaml b/helm/templates/cjoc-ingress.yaml index 123a79316575bf4504cd6f93da702c0ba3c0a938..037c8630292fbb78181d0b49c15aa27bc7791927 100644 --- a/helm/templates/cjoc-ingress.yaml +++ b/helm/templates/cjoc-ingress.yaml @@ -8,7 +8,7 @@ metadata: labels: {{ include "cloudbees-core.labels" . | indent 4 }} annotations: -{{ include "ingress.annotations" . | indent 4 }} +{{ include "cjoc.ingress.annotations" . | indent 4 }} {{- if not (include "cloudbees-core.is-openshift" .) }} nginx.ingress.kubernetes.io/app-root: {{ include "ingress.root-redirect" . | quote }} # "413 Request Entity Too Large" uploading plugins, increase client_max_body_size 
@@ -18,24 +18,26 @@ metadata: spec: rules: - -{{- if .Values.OperationsCenter.HostName }} - host: {{ .Values.OperationsCenter.HostName | quote }} +{{- if (include "oc.hostnamewithoutport" . ) }} + host: {{ include "oc.hostnamewithoutport" . | quote }} {{- end }} http: paths: {{- include "ingress.redirect-rules" . | indent 6 }} - - path: {{ include "oc.contextpath" . }} + - path: {{ include "oc.contextpath" . | quote }} backend: - serviceName: cjoc - servicePort: {{ .Values.OperationsCenter.ServicePort }} +{{ include "ingress.backend.cjoc" . | indent 10 -}} +{{ if eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" }} + pathType: Prefix +{{ else }} - path: {{ include "oc.contextpath" . }}/* backend: - serviceName: cjoc - servicePort: {{ .Values.OperationsCenter.ServicePort }} +{{ include "ingress.backend.cjoc" . | indent 10 -}} +{{- end -}} {{- if .Values.OperationsCenter.Ingress.tls.Enable }} tls: - hosts: - - {{ .Values.OperationsCenter.HostName | quote }} + - {{ include "oc.hostnamewithoutport" . | quote }} secretName: {{ .Values.OperationsCenter.Ingress.tls.SecretName }} {{- end -}} {{- end -}} diff --git a/helm/templates/cjoc-role-agents.yaml b/helm/templates/cjoc-role-agents.yaml new file mode 100644 index 0000000000000000000000000000000000000000..15c036b35cb6f792a68828893d5ba3cbdd3d19a1 --- /dev/null +++ b/helm/templates/cjoc-role-agents.yaml @@ -0,0 +1,21 @@ +{{ template "validate.operationscenter" . }} +{{- if or (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}} +{{- if .Values.Agents.SeparateNamespace.Enabled -}} +{{- if .Values.rbac.install -}} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: cjoc-agents-test-connection + namespace: {{ template "agents.namespace" . }} + labels: +{{ include "cloudbees-core.labels" . | indent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - list +{{- end -}} +{{- end -}} +{{- end -}} 
diff --git a/helm/templates/cjoc-role-master-management.yaml b/helm/templates/cjoc-role-master-management.yaml index eb4d0564121883073fe9a91b40f4c66a1cbab6ef..2e91c9acab4a5e0f4f0837b4a068f362c01f4b07 100644 --- a/helm/templates/cjoc-role-master-management.yaml +++ b/helm/templates/cjoc-role-master-management.yaml @@ -2,12 +2,21 @@ {{- if or (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}} {{- if .Values.rbac.install -}} kind: Role -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cjoc-master-management labels: {{ include "cloudbees-core.labels" . | indent 4 }} rules: +{{- if .Values.Master.OperationsCenterNamespace }} +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list +{{- end }} - apiGroups: - "" resources: diff --git a/helm/templates/cjoc-rolebinding-agents.yaml b/helm/templates/cjoc-rolebinding-agents.yaml new file mode 100644 index 0000000000000000000000000000000000000000..8dcf0b44da61653729e3494b0c49c841ffff051a --- /dev/null +++ b/helm/templates/cjoc-rolebinding-agents.yaml @@ -0,0 +1,22 @@ +{{ template "validate.operationscenter" . }} +{{- if or (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}} +{{- if .Values.Agents.SeparateNamespace.Enabled -}} +{{- if .Values.rbac.install -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cjoc-agents-role-binding + namespace: {{ template "agents.namespace" . }} + labels: +{{ include "cloudbees-core.labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cjoc-agents-test-connection +subjects: +- kind: ServiceAccount + name: {{ .Values.rbac.serviceAccountName }} + namespace: {{ .Release.Namespace }} +{{- end -}} +{{- end -}} +{{- end -}} 
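Review bot: In `cjoc-role-master-management.yaml` the added rule grants `get` and `list` on `namespaces` from a namespaced `Role`. Namespaces are cluster-scoped, so `list` cannot be authorized through a Role and RoleBinding; only `get` on the Role's own namespace can take effect. If Operations Center only needs to read its own namespace, drop `- list` so the manifest states the access actually granted. If it does need to enumerate namespaces, that permission belongs in the ClusterRole and should be justified there. The `rules:` list continues past the end of this hunk.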
diff --git a/helm/templates/cjoc-rolebinding.yaml b/helm/templates/cjoc-rolebinding.yaml index feb48aceb846804c137ae0ffc464a611bfae9ce2..85a145fbcc5133009c95085b33d946dc6d7ea79a 100644 --- a/helm/templates/cjoc-rolebinding.yaml +++ b/helm/templates/cjoc-rolebinding.yaml @@ -1,14 +1,14 @@ {{ template "validate.operationscenter" . }} {{- if or (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}} {{- if .Values.rbac.install -}} -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: cjoc-role-binding labels: {{ include "cloudbees-core.labels" . | indent 4 }} roleRef: - apiGroup: {{ template "rbac.apiGroup" . }} + apiGroup: rbac.authorization.k8s.io kind: Role name: cjoc-master-management subjects: diff --git a/helm/templates/cjoc-route.yaml b/helm/templates/cjoc-route.yaml index 65913e9bc4bc7675533c4386b2e618e929c3e3bb..e723d773ac7b90e79e8a29d0a261edca457a14a8 100644 --- a/helm/templates/cjoc-route.yaml +++ b/helm/templates/cjoc-route.yaml @@ -7,8 +7,8 @@ metadata: labels: {{ include "cloudbees-core.labels" . | indent 4 }} spec: -{{- if .Values.OperationsCenter.HostName }} - host: {{ .Values.OperationsCenter.HostName | quote }} +{{- if (include "oc.hostnamewithoutport" .) }} + host: {{ include "oc.hostnamewithoutport" . | quote }} {{- end }} path: {{ include "oc.contextpath" . | quote }} to: @@ -18,11 +18,7 @@ spec: port: targetPort: http wildcardPolicy: None - {{- if eq .Values.OperationsCenter.Route.tls.Enable true }} - tls: - insecureEdgeTerminationPolicy: Redirect - termination: edge - {{end }} +{{ include "openshift.tls" . | indent 2 }} {{ include "chart.helmRouteFix" $ }} {{- end -}} {{- end -}} diff --git a/helm/templates/cjoc-statefulset.yaml b/helm/templates/cjoc-statefulset.yaml index 788ff4b86fdc2f7dd522e805b37987a66689e821..9923a51129a4830f779e93f04874fede0b222c53 100644 --- a/helm/templates/cjoc-statefulset.yaml +++ b/helm/templates/cjoc-statefulset.yaml 
@@ -62,7 +62,9 @@ spec: operator: In values: - slave + {{- if include "features.enableServiceLinks-available" . }} enableServiceLinks: false + {{- end }} serviceAccountName: {{ .Values.rbac.serviceAccountName }} {{- if .Values.OperationsCenter.NodeSelector }} nodeSelector: @@ -114,6 +116,10 @@ spec: -Dcom.cloudbees.jenkins.plugins.kube.NamespaceFilter.defaultNamespace={{ template "agents.namespace" . }} {{- end }} -Dcom.cloudbees.jenkins.plugins.kube.ServiceAccountFilter.defaultServiceAccount={{ .Values.rbac.agentsServiceAccountName }} + -Dcom.cloudbees.networking.useSubdomain={{ default "false" (include "cloudbees-core.use-subdomain" .) }} + -Dcom.cloudbees.networking.protocol={{ include "oc.protocol" . }} + -Dcom.cloudbees.networking.hostname={{ .Values.OperationsCenter.HostName }} + -Dcom.cloudbees.networking.port={{ include "oc.port" . }} {{- if .Values.Master.JavaOpts }} {{ .Values.Master.JavaOpts }} {{- end }} 
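Review bot: In `cjoc-statefulset.yaml` (hunk `@@ -114,6 +116,10 @@`) the new `-Dcom.cloudbees.networking.hostname` option is filled from the raw `.Values.OperationsCenter.HostName`, whereas the ingress and route templates in this commit switched to `oc.hostnamewithoutport` and the port is passed separately through `oc.port`. If `HostName` may carry a port, as the new helper's name suggests, the property would receive `host:port`. Consider `-Dcom.cloudbees.networking.hostname={{ include "oc.hostnamewithoutport" . }}` here and in the identical lines of the next hunk (`@@ -135,18 +141,25 @@`). The surrounding container spec starts and ends outside these hunks, and the helper's definition is not visible in this view.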
@@ -135,18 +141,25 @@ spec: -Dcom.cloudbees.opscenter.analytics.reporter.JocAnalyticsReporter.PERIOD=120 -Dcom.cloudbees.opscenter.analytics.reporter.metrics.AperiodicMetricSubmitter.PERIOD=120 -Dcom.cloudbees.opscenter.analytics.FeederConfiguration.PERIOD=120 + -Dcom.cloudbees.networking.useSubdomain={{ default "false" (include "cloudbees-core.use-subdomain" .) }} + -Dcom.cloudbees.networking.protocol={{ include "oc.protocol" . }} + -Dcom.cloudbees.networking.hostname={{ .Values.OperationsCenter.HostName }} + -Dcom.cloudbees.networking.port={{ include "oc.port" . }} -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesMasterProvisioning.fsGroup={{ include "oc.fsGroup" . }} -Dcom.cloudbees.jce.masterprovisioning.DockerImageDefinitionConfiguration.disableAutoConfiguration=true -Dcom.cloudbees.jce.masterprovisioning.DockerImageDefinitionConfiguration.masterImageName={{ include "mm.longname" . | quote}} -Dcom.cloudbees.jce.masterprovisioning.DockerImageDefinitionConfiguration.masterImage={{ .Values.Master.Image.dockerImage}} -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesMasterProvisioning.serviceAccount={{ .Values.rbac.masterServiceAccountName }} + {{- if .Values.Agents.SeparateNamespace.Enabled }} + -Dcom.cloudbees.jenkins.plugins.kube.NamespaceFilter.defaultNamespace={{ template "agents.namespace" . }} + {{- end }} {{- if (include "persistence.storageclass" .) }} -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesMasterProvisioning.storageClassName={{ include "persistence.storageclass" . | quote }} {{- end }} {{- if .Values.OperationsCenter.Ingress.Class }} -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesMasterProvisioning.ingressClass={{ .Values.OperationsCenter.Ingress.Class }} {{- end }} - {{- if not (.Values.OperationsCenter.HostName) }} + {{- if not (include "oc.hostnamewithoutport" .) }} -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesClusterEndpoint.wildcardIngress=true {{- end }} {{- if .Values.OperationsCenter.JavaOpts }} 
@@ -155,6 +168,12 @@ spec: {{- if .Values.OperationsCenter.CSRF.ProxyCompatibility }} -Djenkins.model.Jenkins.crumbIssuerProxyCompatibility=true {{- end }} + {{- if .Values.sda }} + {{- if .Values.OperationsCenter.HostName }} + -Dcom.cloudbees.jenkins.plugins.platform.PlatformConfiguration.url={{- include "oc.protocol" . -}}://{{ include "oc.hostname" . }}/ + {{- end }} + -Dcom.cloudbees.jenkins.plugins.platform.PlatformServer.apiUrl=https://flow-server.{{ .Release.Namespace }}:8443/ + {{- end }} -XX:+UseG1GC -XX:+DisableExplicitGC ports: diff --git a/helm/templates/managed-master-hibernation-monitor-deployment.yaml b/helm/templates/managed-master-hibernation-monitor-deployment.yaml index b8b28ca0aeb458c6f34d7787f5a7f57ebdee1d78..40baf492a867e546ddbd077b3686a90ab0773597 100644 --- a/helm/templates/managed-master-hibernation-monitor-deployment.yaml +++ b/helm/templates/managed-master-hibernation-monitor-deployment.yaml @@ -48,6 +48,9 @@ spec: imagePullPolicy: {{ .dockerPullPolicy }} {{- end}} {{- end}} + args: + - '-Dcom.cloudbees.networking.useSubdomain={{ default "false" (include "cloudbees-core.use-subdomain" .) }}' + - '-Dcom.cloudbees.networking.routeNonnamespacedURLs={{- include "hibernation.routenonnamespacedurls" . }}' ports: - containerPort: 8090 name: http @@ -71,7 +74,9 @@ spec: limits: memory: 250Mi serviceAccountName: {{ .Values.rbac.hibernationMonitorServiceAccountName }} + {{- if include "features.enableServiceLinks-available" . }} enableServiceLinks: false + {{- end }} {{- if .Values.Hibernation.NodeSelector }} nodeSelector: {{ toYaml .Values.Hibernation.NodeSelector | indent 8 }} diff --git a/helm/templates/managed-master-hibernation-monitor-ingress.yaml b/helm/templates/managed-master-hibernation-monitor-ingress.yaml index f1ee17eb1c5b60f3d80e9517302c29f4e88d582b..a1c07c451d951b44a1c691f7159c2d3d1872a31c 100644 --- a/helm/templates/managed-master-hibernation-monitor-ingress.yaml +++ b/helm/templates/managed-master-hibernation-monitor-ingress.yaml 
@@ -7,35 +7,40 @@ metadata: labels: {{ include "cloudbees-core.labels" . | indent 4 }} annotations: -{{ include "ingress.annotations" . | indent 4 }} +{{ include "hibernationMonitor.ingress.annotations" . | indent 4}} spec: rules: - -{{- if .Values.OperationsCenter.HostName }} - host: {{ .Values.OperationsCenter.HostName | quote }} +{{- if (include "hibernation.hostnamewithoutport" . ) }} + host: {{ include "hibernation.hostnamewithoutport" . | quote }} {{- end }} http: paths: - path: /hibernation/ns/{{ .Release.Namespace }}/ backend: - serviceName: managed-master-hibernation-monitor - servicePort: 80 +{{ include "ingress.backend.hibernation" . | indent 10 }} +{{- if eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" }} + pathType: Prefix +{{- else }} - path: /hibernation/ns/{{ .Release.Namespace }}/* backend: - serviceName: managed-master-hibernation-monitor - servicePort: 80 + +{{ include "ingress.backend.hibernation" . | indent 10 }} +{{- end }} - path: /hibernation/ backend: - serviceName: managed-master-hibernation-monitor - servicePort: 80 +{{ include "ingress.backend.hibernation" . | indent 10 }} +{{- if eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" }} + pathType: Prefix +{{- else }} - path: /hibernation/* backend: - serviceName: managed-master-hibernation-monitor - servicePort: 80 +{{ include "ingress.backend.hibernation" . | indent 10 }} +{{- end }} {{- if .Values.OperationsCenter.Ingress.tls.Enable }} tls: - hosts: - - {{ .Values.OperationsCenter.HostName | quote }} + - {{ include "hibernation.hostnamewithoutport" . | quote }} secretName: {{ .Values.OperationsCenter.Ingress.tls.SecretName }} {{- end -}} {{- end -}} diff --git a/helm/templates/managed-master-hibernation-monitor-role.yaml b/helm/templates/managed-master-hibernation-monitor-role.yaml index 53c54ba901cd04a6ce125ab3e4550d1b5cfddc3b..0ece24ed7fcf315668f8967c5dcdc29773a767f6 100644 --- a/helm/templates/managed-master-hibernation-monitor-role.yaml 
+++ b/helm/templates/managed-master-hibernation-monitor-role.yaml @@ -1,7 +1,7 @@ {{- if .Values.Hibernation.Enabled -}} {{- if .Values.rbac.install -}} kind: Role -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: managed-master-hibernation-monitor labels: diff --git a/helm/templates/managed-master-hibernation-monitor-rolebinding.yaml b/helm/templates/managed-master-hibernation-monitor-rolebinding.yaml index a0271679b1378e415151146aedce4c261ff86caa..22198b5961b2d2337c38abc0b52e64755ede8d0c 100644 --- a/helm/templates/managed-master-hibernation-monitor-rolebinding.yaml +++ b/helm/templates/managed-master-hibernation-monitor-rolebinding.yaml @@ -1,13 +1,13 @@ {{- if .Values.Hibernation.Enabled -}} {{- if .Values.rbac.install -}} -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: managed-master-hibernation-monitor labels: {{ include "cloudbees-core.labels" . | indent 4 }} roleRef: - apiGroup: {{ template "rbac.apiGroup" . }} + apiGroup: rbac.authorization.k8s.io kind: Role name: managed-master-hibernation-monitor subjects: diff --git a/helm/templates/managed-master-hibernation-monitor-route-namespaced.yaml b/helm/templates/managed-master-hibernation-monitor-route-namespaced.yaml new file mode 100644 index 0000000000000000000000000000000000000000..33d125a5af3ad8d3c56509afc41754f3a1b0c13a --- /dev/null +++ b/helm/templates/managed-master-hibernation-monitor-route-namespaced.yaml 
@@ -0,0 +1,22 @@ +{{- if .Values.Hibernation.Enabled -}} +{{- if include "cloudbees-core.needs-routes" . -}} +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: managed-master-hibernation-monitor-namespaced +spec: +{{- if (include "hibernation.hostnamewithoutport" . ) }} + host: {{ include "hibernation.hostnamewithoutport" . | quote }} +{{- end }} + path: /hibernation/ns/{{ .Release.Namespace }} + to: + kind: Service + name: managed-master-hibernation-monitor + weight: 100 + port: + targetPort: http + wildcardPolicy: None +{{ include "openshift.tls" . | indent 2 }} +{{ include "chart.helmRouteFix" $ }} +{{- end -}} +{{- end -}} diff --git a/helm/templates/managed-master-hibernation-monitor-route.yaml b/helm/templates/managed-master-hibernation-monitor-route.yaml index 50c79e6431e37d276ba23c2893dabfae12403673..d1dfacfe6b86d0a503a04710b729b2e51ede9c8e 100644 --- a/helm/templates/managed-master-hibernation-monitor-route.yaml +++ b/helm/templates/managed-master-hibernation-monitor-route.yaml @@ -5,8 +5,8 @@ kind: Route metadata: name: managed-master-hibernation-monitor spec: -{{- if .Values.OperationsCenter.HostName }} - host: {{ .Values.OperationsCenter.HostName | quote }} +{{- if (include "hibernation.hostnamewithoutport" . ) }} + host: {{ include "hibernation.hostnamewithoutport" . | quote }} {{- end }} path: /hibernation to: @@ -16,11 +16,7 @@ spec: port: targetPort: http wildcardPolicy: None - {{- if eq .Values.OperationsCenter.Route.tls.Enable true }} - tls: - insecureEdgeTerminationPolicy: Redirect - termination: edge - {{end }} +{{ include "openshift.tls" . | indent 2 }} {{ include "chart.helmRouteFix" $ }} {{- end -}} {{- end -}} diff --git a/helm/templates/master-role-agents-management.yaml b/helm/templates/master-role-agents-management.yaml index 9cd8231017ac46bd6d4af8738e896f90b69d5144..891147e85566488b1e17bc207fd7e85b7ea57b85 100644 --- a/helm/templates/master-role-agents-management.yaml 
+++ b/helm/templates/master-role-agents-management.yaml @@ -1,7 +1,7 @@ {{- if .Values.Master.Enabled -}} {{- if .Values.rbac.install -}} kind: Role -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cjoc-agents namespace: {{ template "agents.namespace" . }} diff --git a/helm/templates/master-rolebinding.yaml b/helm/templates/master-rolebinding.yaml index a8c8c4fe3f2381a63acf2d015f2e6858c496991a..da121adb262f810eb8b5675597a0891689823d6b 100644 --- a/helm/templates/master-rolebinding.yaml +++ b/helm/templates/master-rolebinding.yaml @@ -1,6 +1,6 @@ {{- if .Values.Master.Enabled -}} {{- if .Values.rbac.install -}} -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: cjoc-master-role-binding @@ -8,7 +8,7 @@ metadata: labels: {{ include "cloudbees-core.labels" . | indent 4 }} roleRef: - apiGroup: {{ template "rbac.apiGroup" . }} + apiGroup: rbac.authorization.k8s.io kind: Role name: cjoc-agents subjects: diff --git a/helm/templates/psp-restricted-agents-role.yaml b/helm/templates/psp-restricted-agents-role.yaml index b1296a0700a452c4a3cf070723e1bb943ac2c677..caaaa52259883b509c3cb545d2942de7e10302e4 100644 --- a/helm/templates/psp-restricted-agents-role.yaml +++ b/helm/templates/psp-restricted-agents-role.yaml @@ -1,6 +1,6 @@ {{- if and (include "psp.enabled" .) (.Values.Agents.SeparateNamespace.Enabled) }} kind: Role -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: "cb:podsecuritypolicy:restricted" namespace: {{ template "agents.namespace" . }} diff --git a/helm/templates/psp-restricted-agents-rolebinding.yaml b/helm/templates/psp-restricted-agents-rolebinding.yaml index 58ed1338abf83bf4c5a6626624d700e062df0a14..0e8cd57d7914f0322e227082fc913206f62df1e5 100644 --- a/helm/templates/psp-restricted-agents-rolebinding.yaml +++ b/helm/templates/psp-restricted-agents-rolebinding.yaml 
@@ -1,5 +1,5 @@ {{- if and (include "psp.enabled" .) (.Values.Agents.SeparateNamespace.Enabled) }} -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: "cb:podsecuritypolicy:restricted" @@ -7,7 +7,7 @@ metadata: labels: {{ include "cloudbees-core.labels" . | indent 4 }} roleRef: - apiGroup: {{ template "rbac.apiGroup" . }} + apiGroup: rbac.authorization.k8s.io kind: Role name: "cb:podsecuritypolicy:restricted" subjects: diff --git a/helm/templates/psp-restricted-role.yaml b/helm/templates/psp-restricted-role.yaml index fe65cd70d296d8ec4f03b4521183e1ba707aba56..40e4f39eb9d7e1e8ff515df15dd55393fcb3089b 100644 --- a/helm/templates/psp-restricted-role.yaml +++ b/helm/templates/psp-restricted-role.yaml @@ -1,6 +1,6 @@ {{- if include "psp.enabled" . }} kind: Role -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: "cb:podsecuritypolicy:restricted" labels: diff --git a/helm/templates/psp-restricted-rolebinding.yaml b/helm/templates/psp-restricted-rolebinding.yaml index 7b8649fde1c64e52dd40dda27c5ef3c8ffe79cf9..20d452af05398318c9bce029ba307c8a91503fb6 100644 --- a/helm/templates/psp-restricted-rolebinding.yaml +++ b/helm/templates/psp-restricted-rolebinding.yaml @@ -1,12 +1,12 @@ {{- if include "psp.enabled" . }} -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: "cb:podsecuritypolicy:restricted" labels: {{ include "cloudbees-core.labels" . | indent 4 }} roleRef: - apiGroup: {{ template "rbac.apiGroup" . }} + apiGroup: rbac.authorization.k8s.io kind: Role name: "cb:podsecuritypolicy:restricted" subjects: diff --git a/helm/values.yaml b/helm/values.yaml index e04ee07b74f4dc42f7e2acd688093baab200331d..3725e7bd95ca9a6756c4b0aa0f857d503127395b 100644 --- a/helm/values.yaml +++ b/helm/values.yaml 
@@ -2,6 +2,9 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# Subdomain -- Whether to use a DNS subdomain for each controller. +Subdomain: false + # ingress-nginx.Enabled -- Installs the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx) controller (optional). # Enable this section if you don't have an existing installation of ingress-nginx controller # Note: use `beta.kubernetes.io/os` when deploying on Kubernetes versions below 1.16 @@ -13,6 +16,10 @@ ingress-nginx: kubernetes.io/os: linux service: externalTrafficPolicy: Local + admissionWebhooks: + patch: + nodeSelector: + kubernetes.io/os: linux defaultBackend: nodeSelector: kubernetes.io/os: linux @@ -50,7 +57,7 @@ OperationsCenter: # Operations Center docker image Image: # OperationsCenter.Image.dockerImage -- Container image to use for Operations Center - dockerImage: dcar/core-oc:2.263.2.4-ra + dockerImage: dcar/core-oc:2.277.2.1-ra # OperationsCenter.Image.dockerPullPolicy -- https://kubernetes.io/docs/concepts/containers/images/#updating-images dockerPullPolicy: null 
@@ -69,7 +76,13 @@ OperationsCenter: HostName: null # OperationsCenter.ContextPath -- the path under which Operations Center will be accessible in the given host. - ContextPath: /cjoc + # DEPRECATED - Use OperationsCenter.Name instead. + ContextPath: null + + # OperationsCenter.Name -- the name in the URL under which Operations Center will be accessible in the given host. + # For instance, if Subdomain is true, the URL to access Operations Center will be {{OperationsCenter.Protocol}}://{{OperationsCenter.Name}}.{{OperationsCenter.HostName}}:{{OperationsCenter.Port}} + # If Subdomain is false, the URL to access Operations Center will be {{OperationsCenter.Protocol}}://{{OperationsCenter.HostName}}:{{OperationsCenter.Port}}/{{OperationsCenter.Name}} + Name: cjoc # OperationsCenter.Protocol -- the protocol used to access CJOC. Possible values are http/https. Protocol: http 
@@ -184,11 +197,23 @@ OperationsCenter: Route: tls: # OperationsCenter.Route.tls.Enable -- Set this to true in OpenShift to terminate TLS at route level + # Read https://docs.openshift.com/container-platform/4.6/networking/routes/secured-routes.html for details. + # These also apply to Hibernation monitor if enabled. Enable: false - - ## @param ExtraConfigMaps - array of objects - optional - ## Extra configmaps deployed with the chart - # + # OperationsCenter.Route.tls.Termination -- Type of termination + Termination: edge + # OperationsCenter.Route.tls.InsecureEdgeTerminationPolicy -- Whether to redirect http to https + InsecureEdgeTerminationPolicy: Redirect + # OperationsCenter.Route.tls.CACertificate -- CA Certificate PEM-encoded + CACertificate: null + # OperationsCenter.Route.tls.Certificate -- Certificate PEM-encoded + Certificate: null + # OperationsCenter.Route.tls.Key -- Private key PEM-encoded + Key: null + # OperationsCenter.Route.tls.DestinationCACertificate -- When using `termination=reencrypt`, destination CA PEM-encoded + DestinationCACertificate: null + # OperationsCenter.ExtraConfigMaps -- Extra configmaps deployed with the chart + ExtraConfigMaps: [] # ExtraConfigMaps: # - name: my-config-map # labels: 
@@ -199,33 +224,29 @@ OperationsCenter: # myfile.yaml: | # foo: bar - ## @param ExtraContainers - array of objects - optional - ## Extra containers to add to the pod containing Operations Center. - # + # OperationsCenter.ExtraContainers -- Extra containers to add to the pod containing Operations Center. + ExtraContainers: [] # ExtraContainers: # - name: sleep # image: tutum/curl # command: ["sleep", "infinity"] - ## @param ExtraGroovyConfiguration - list of objects - optional - ## Provides additional init groovy scripts - ## Each key becomes a file in /var/jenkins_config - # + # OperationsCenter.ExtraGroovyConfiguration -- Provides additional init groovy scripts + # Each key becomes a file in /var/jenkins_config + ExtraGroovyConfiguration: {} # ExtraGroovyConfiguration: # hello-world.groovy: | # System.out.println('Hello world!') - ## @param ExtraVolumes - array of objects - optional - ## Extra volumes to add to the pod - # + # OperationsCenter.ExtraVolumes -- Extra volumes to add to the pod + ExtraVolumes: [] # ExtraVolumes: # - name: my-volume # configMap: # name: my-config-map - ## @param ExtraVolumesMounts - array of objects - optional - ## Extra volume mounts to add to the container containing Operations Center - # + # OperationsCenter.ExtraVolumeMounts -- Extra volume mounts to add to the container containing Operations Center + ExtraVolumeMounts: [] # ExtraVolumeMounts: # - name: my-volume # mountPath: /var/my-path @@ -241,7 +262,7 @@ Master: # Docker image inserted in Operations Center automatically Image: # Master.Image.dockerImage -- Used to override the default docker image - dockerImage: dcar/core-mm:2.263.2.4-ra + dockerImage: dcar/core-mm:2.277.2.1-ra # Master.JavaOpts -- Additional Java options to pass to managed masters. For example, setting up a JMX port JavaOpts: null 
@@ -258,7 +279,7 @@ Agents: Create: false Image: # Agents.Image.dockerImage -- Used to override the default docker image used for agents - dockerImage: dcar/agent:2.263.2.4-ra + dockerImage: dcar/agent:2.277.2.1-ra # Image pull secrets # Enable this option when using a private registry. # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line @@ -294,7 +315,7 @@ Hibernation: Enabled: false Image: # Hibernation.Image.dockerImage -- Used to override the default docker image - dockerImage: cloudbees/managed-master-hibernation-monitor:230.ee066a318539 + dockerImage: cloudbees/managed-master-hibernation-monitor:247.c5dfce00a179 # Hibernation.Image.dockerPullPolicy -- Used to override the default pull policy dockerPullPolicy: null # Image pull secrets diff --git a/scripts/usr/local/bin/jenkins.sh b/scripts/usr/local/bin/jenkins.sh index e82afca2b477448922e269e9e0f6055d817540ad..3b94c876846252c0a0830460f65f2754f3439f99 100644 --- a/scripts/usr/local/bin/jenkins.sh +++ b/scripts/usr/local/bin/jenkins.sh @@ -52,7 +52,7 @@ find /usr/share/jenkins/ref/ -type f -exec bash -c "copy_reference_file '{}'" \; # if `docker run` first argument start with `--` the user is passing jenkins launcher arguments if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then - eval "exec java ${JAVA_OPTS:-} -jar -Dcb.distributable.name=\"Docker Common CJE\" -Dcb.distributable.commit_sha=69f7102311718b7e0fbed31edb877f1352ca5cf1 /usr/share/jenkins/jenkins.war $JENKINS_OPTS \"\$@\"" + eval "exec java ${JAVA_OPTS:-} -jar -Dcb.distributable.name=\"Docker Common CJE\" -Dcb.distributable.commit_sha=308768c9f176b5155dd19ff01ca06396b66f5afd /usr/share/jenkins/jenkins.war $JENKINS_OPTS \"\$@\"" fi # As argument is not jenkins, assume user want to run his own process, for sample a `bash` shell to explore this image