diff --git a/Dockerfile b/Dockerfile index 01bb305154a43f3125d5a3b374faf52d9e0956c2..019bd2119909c5df4f69bfc2d333503ac7041663 100644 --- a/Dockerfile +++ b/Dockerfile @@ -42,11 +42,11 @@ HEALTHCHECK --interval=5m --timeout=3s \ CMD curl -fsL ${JENKINS_URL}/login || exit 1 # LABEL securitytxt="https://www.cloudbees.com/.well-known/security.txt" -# LABEL release=3011be3b5ab0e30ea7af04d1194f4d007a795ef5 -# LABEL version=2.263.1.2 +# LABEL release=69f7102311718b7e0fbed31edb877f1352ca5cf1 +# LABEL version=2.263.2.4-ra -ARG TARBALL=files.tar -ADD ${TARBALL} / +COPY files.tar /tmp +RUN cd / && tar xvf /tmp/files.tar && rm /tmp/files.tar COPY scripts/ / RUN chmod +x /usr/local/bin/*.sh && \ diff --git a/README.md b/README.md index 2d5baa8f3766439f2229b68752065e8573860b41..b77c12bfc1af6e01f3d56c5be66866280e894325 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ CloudBees CI (formerly known as _CloudBees Core_) consists of three Docker image For each image, all files other than UBI and native packages are included in a `files.tar` marked with a SHA-256 checksum. -A version of CloudBees CI is given in the format `2.263.1.2` +A version of CloudBees CI is given in the format `2.263.2.4-ra` where the first three components are aligned with a Jenkins LTS. The Helm chart is coversioned with `core-oc`. The `core-mm` image typically shares the same version, @@ -22,13 +22,13 @@ plus whatever other customizations are desired: ```yaml OperationsCenter: Image: - dockerImage: your-registry/core-oc:2.263.1.2 + dockerImage: your-registry/core-oc:2.263.2.4-ra Master: Image: - dockerImage: your-registry/core-mm:2.263.1.2 + dockerImage: your-registry/core-mm:2.263.2.4-ra Agents: Image: - dockerImage: your-registry/agent:2.263.1.2 + dockerImage: your-registry/agent:2.263.2.4-ra ``` and [install via Helm 3](https://docs.cloudbees.com/docs/cloudbees-core/latest/kubernetes-install-guide/installing-kubernetes-using-helm) using the local copy of the chart: 
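Review bot: In the Dockerfile hunk, `COPY files.tar /tmp` and the later `RUN ... rm /tmp/files.tar` are separate instructions, so the tarball stays in the COPY layer and the image ships the archive as well as its extracted contents; the removed `ADD ${TARBALL} /` did not leave it behind. If the builder supports BuildKit mounts, `RUN --mount=type=bind,source=files.tar,target=/tmp/files.tar tar -C / -xf /tmp/files.tar` unpacks without creating that layer. No `USER` line is visible in the hunk; if this step runs as root, GNU tar restores the owners and mode bits recorded in the archive, so file permissions under `/` are whatever `files.tar` declares and deserve a comment saying that is intended. Dropping `v` from `xvf` keeps the full file list out of the build log.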
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 265a91ce079dbc4bdfde4eb1105bb2ec805935c0..b128c489be464b75f560e7c19605efe759a4e0c8 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -1,23 +1,27 @@ apiVersion: v1 name: cloudbees/core/core-oc tags: -- "2.263.1.2" +- "2.263.2.4-ra" - latest labels: - org.opencontainers.image.title: core-oc + org.opencontainers.image.title: "core-oc" org.opencontainers.image.description: "CloudBees CI (core-oc subcomponent)" org.opencontainers.image.licenses: proprietary org.opencontainers.image.url: https://docs.cloudbees.com/docs/cloudbees-ci/ org.opencontainers.image.vendor: CloudBees - org.opencontainers.image.version: "2.263.1.2" + org.opencontainers.image.version: "2.263.2.4-ra" mil.dso.ironbank.image.keywords: cicd mil.dso.ironbank.image.type: commercial mil.dso.ironbank.product.name: CloudBees CI +args: + BASE_IMAGE: "redhat/openjdk/openjdk8-devel" + BASE_TAG: "1.8.0" resources: - filename: files.tar - url: https://downloads.cloudbees.com/dsop-files/core-oc-files-bde4ca940874c9026da7b3cd2ee0e27cd4eccee9ff71e272608c1404882cb231.tar + url: https://downloads.cloudbees.com/dsop-files/core-oc-files-fdaeb7127afa7670743296125be0d1782e152c6ec14bca5e62ec69ef5d667901.tar validation: type: sha256 - value: bde4ca940874c9026da7b3cd2ee0e27cd4eccee9ff71e272608c1404882cb231 + value: "fdaeb7127afa7670743296125be0d1782e152c6ec14bca5e62ec69ef5d667901" maintainers: - email: productivity-team@cloudbees.com +- email: andre.maksymowicz@centauricorp.com diff --git a/helm/Chart.yaml b/helm/Chart.yaml index df2528f955ba947a547ff31df5cb6d283d28533c..da8ccfd3b47ca313588d9210a75d192dcbd1a172 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml 
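Review bot: The new `args` block in hardening_manifest.yaml identifies the base image by tag only (`BASE_TAG: "1.8.0"`), while the `files.tar` resource just below it is pinned by SHA-256, so the two build inputs are held to different standards. Whether that tag can move depends on registry policy that is not visible here; if it can, two builds of `2.263.2.4-ra` may sit on different base layers. A comment above `args:` such as `# BASE_TAG is a floating tag; the resolved digest is not pinned in this file` would document the assumption. The context line `- latest` under `tags:` has the same property for consumers of this image.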
@@ -1,9 +1,8 @@ name: cloudbees-core home: https://www.cloudbees.com/products/continuous-integration apiVersion: v1 -appVersion: 2.263.1.2 -version: 3.24.1 -kubeVersion: ^1.14.0-0 +appVersion: 2.263.2.3 +version: 3.25.3 description: Enterprise Continuous Integration with Jenkins icon: https://images.ctfassets.net/vtn4rfaw6n2j/7xprMMXARXDBuVxW4y8XfV/349fff91035050e3f2a8ff37bc0615b5/cloudbees-core-logo_header.svg keywords: diff --git a/helm/README-template.md b/helm/README-template.md index 96141960dcd5e8b61ac88a178ba29c152852199a..b86f7f950857766487de290e7be474c2e2cbbb69 100644 --- a/helm/README-template.md +++ b/helm/README-template.md @@ -1,6 +1,6 @@ # cloudbees-core -![Version: 3.24.1](https://img.shields.io/badge/Version-3.24.1-informational?style=flat-square) ![AppVersion: 2.263.1.2](https://img.shields.io/badge/AppVersion-2.263.1.2-informational?style=flat-square) +![Version: 3.25.3](https://img.shields.io/badge/Version-3.25.3-informational?style=flat-square) ![AppVersion: 2.263.2.3](https://img.shields.io/badge/AppVersion-2.263.2.3-informational?style=flat-square) [CloudBees CI](https://www.cloudbees.com/products/continuous-integration) is the continuous integration platform architected for the enterprise. It provides: @@ -26,8 +26,6 @@ This chart bootstraps a CloudBees CI deployment on a [Kubernetes](http://kuberne ## Requirements -Kubernetes: `^1.14.0-0` - | Repository | Name | Version | |------------|------|---------| | https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.0 | 
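Review bot: `appVersion: 2.263.2.3` in helm/Chart.yaml does not match the image tag `2.263.2.4-ra` that this commit writes into helm/values.yaml, hardening_manifest.yaml and the top-level README. Anything that reads chart metadata to decide which release is deployed (inventory, vulnerability matching) will therefore report a different version from the one that runs. If the difference is intentional, record it next to the field, e.g. `# appVersion intentionally differs from the image tag 2.263.2.4-ra: <reason>`. The hunk also drops `kubeVersion: ^1.14.0-0`; the only replacement guard visible in this commit is the `ingress.check` addition in helm/templates/_helpers.tpl, which tests for one Ingress API rather than a cluster version.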
@@ -119,6 +117,8 @@ CloudBees provides complete and more detailed installation and operation documen | Hibernation.Image.dockerImage | string | `"cloudbees/managed-master-hibernation-monitor:230.ee066a318539"` | Used to override the default docker image | | Hibernation.Image.dockerPullPolicy | string | `nil` | Used to override the default pull policy | | Hibernation.ImagePullSecrets | string | `nil` | Name of image pull secret to pull private Docker images or an array of image pull secrets | +| Hibernation.NodeSelector | object | `{}` | Node labels and tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | +| Hibernation.Tolerations | list | `[]` | Specify tolerations for the Hibernation Monitor pod. See [documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | Master.Enabled | bool | `true` | Whether to create the resources required to schedule masters. | | Master.Image.dockerImage | string | `"@@IMAGE_PREFIX@@/core-mm:@@IMAGE_TAG@@"` | Used to override the default docker image | | Master.JavaOpts | string | `nil` | Additional Java options to pass to managed masters. For example, setting up a JMX port | diff --git a/helm/README.md b/helm/README.md index 19f19e294f79fa89200557adda90442c06de4510..dd51b08265afc2dfce0186f3c9786ba9e05f7f5d 100644 --- a/helm/README.md +++ b/helm/README.md 
@@ -1,6 +1,6 @@ # cloudbees-core -![Version: 3.24.1](https://img.shields.io/badge/Version-3.24.1-informational?style=flat-square) ![AppVersion: 2.263.1.2](https://img.shields.io/badge/AppVersion-2.263.1.2-informational?style=flat-square) +![Version: 3.25.3](https://img.shields.io/badge/Version-3.25.3-informational?style=flat-square) ![AppVersion: 2.263.2.3](https://img.shields.io/badge/AppVersion-2.263.2.3-informational?style=flat-square) [CloudBees CI](https://www.cloudbees.com/products/continuous-integration) is the continuous integration platform architected for the enterprise. It provides: @@ -26,8 +26,6 @@ This chart bootstraps a CloudBees CI deployment on a [Kubernetes](http://kuberne ## Requirements -Kubernetes: `^1.14.0-0` - | Repository | Name | Version | |------------|------|---------| | https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.0 | 
@@ -119,6 +117,8 @@ CloudBees provides complete and more detailed installation and operation documen | Hibernation.Image.dockerImage | string | `"cloudbees/managed-master-hibernation-monitor:230.ee066a318539"` | Used to override the default docker image | | Hibernation.Image.dockerPullPolicy | string | `nil` | Used to override the default pull policy | | Hibernation.ImagePullSecrets | string | `nil` | Name of image pull secret to pull private Docker images or an array of image pull secrets | +| Hibernation.NodeSelector | object | `{}` | Node labels and tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | +| Hibernation.Tolerations | list | `[]` | Specify tolerations for the Hibernation Monitor pod. See [documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | Master.Enabled | bool | `true` | Whether to create the resources required to schedule masters. | | Master.Image.dockerImage | string | `"test/core-mm:latest"` | Used to override the default docker image | | Master.JavaOpts | string | `nil` | Additional Java options to pass to managed masters. For example, setting up a JMX port | diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl index 6df15239e4bafcb0075f0a4e050adcf379afddd5..18a400cee34f0fcdbb2ca5d8df8468a47f290712 100644 --- a/helm/templates/_helpers.tpl +++ b/helm/templates/_helpers.tpl @@ -6,6 +6,13 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Full name of the release +*/}} +{{- define "cloudbees-core.fullname" -}} +{{ printf "%s-%s" .Release.Name .Release.Namespace | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} 
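Review bot: `cloudbees-core.fullname` in helm/templates/_helpers.tpl truncates `<release>-<namespace>` to 63 characters, so the same long release name installed in two namespaces whose names share a prefix can render the same string. A later hunk of this file uses the value as `alb.ingress.kubernetes.io/group.name`, and Ingresses with the same group name are merged onto one load balancer, so a collision would mix the routing rules of unrelated installations. Appending a short hash of the untruncated pair keeps the name unique: `{{ printf "%s-%s" (printf "%s-%s" .Release.Name .Release.Namespace | trunc 54 | trimSuffix "-") (printf "%s/%s" .Release.Namespace .Release.Name | sha256sum | trunc 8) }}`. The comment `Full name of the release` should also say that the namespace is part of the value.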
@@ -133,6 +140,48 @@ Expected Operations Center URL. Always ends with a trailing slash. {{- template "oc.protocol" . -}}://{{ include "oc.hostname" . }}{{ include "oc.contextpath" . }}/ {{- end -}} +{{- define "ingress.annotations" -}} +{{ toYaml .Values.OperationsCenter.Ingress.Annotations }} +{{- if .Values.OperationsCenter.Ingress.Class }} +kubernetes.io/ingress.class: {{ .Values.OperationsCenter.Ingress.Class }} +{{- end }} +{{- if eq .Values.OperationsCenter.Platform "eks" }} + {{- if eq (include "oc.protocol" .) "https" }} +alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80}, {"HTTPS":443}]' +alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}' + {{- end }} + {{- if not (eq (include "oc.contextpath" .) "") }} +alb.ingress.kubernetes.io/actions.root-redirect: '{"Type": "redirect", "RedirectConfig": { "Path":{{ include "ingress.root-redirect" . | quote }}, "StatusCode": "HTTP_301"}}' + {{- end }} +alb.ingress.kubernetes.io/group.name: {{ include "cloudbees-core.fullname" .}} +alb.ingress.kubernetes.io/target-type: ip +{{- end }} +{{- if not (include "cloudbees-core.is-openshift" .) }} +nginx.ingress.kubernetes.io/ssl-redirect: "{{- template "ingress.ssl_redirect" . }}" +{{- end }} +{{- end }} + +{{- define "ingress.root-redirect" -}} +{{ include "oc.contextpath" . }}/teams-check/ +{{- end }} + +{{- define "ingress.redirect-rules" -}} +{{- if eq .Values.OperationsCenter.Platform "eks" }} + {{- if eq (include "oc.protocol" .) "https" }} +- path: /* + backend: + serviceName: ssl-redirect + servicePort: use-annotation + {{- end }} + {{- if not (eq (include "oc.contextpath" .) "") }} +- path: / + backend: + serviceName: root-redirect + servicePort: use-annotation + {{- end }} +{{- end }} +{{- end }} + {{- define "ingress.apiGroup" -}} {{- if ge (atoi (.Capabilities.KubeVersion.Minor)) 15 -}} networking.k8s.io 
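Review bot: In `ingress.annotations` the values of `kubernetes.io/ingress.class` and `alb.ingress.kubernetes.io/group.name` are emitted unquoted, while the `nginx.ingress.kubernetes.io/ssl-redirect` line in the same helper is quoted. Annotation values must be strings, and an unquoted value that looks like a number or boolean is re-typed by the YAML parser before the API server sees it. Use `kubernetes.io/ingress.class: {{ .Values.OperationsCenter.Ingress.Class | quote }}` and `alb.ingress.kubernetes.io/group.name: {{ include "cloudbees-core.fullname" . | quote }}`. Unlike the neighbouring helpers, `ingress.annotations`, `ingress.root-redirect` and `ingress.redirect-rules` have no header comment; one line each stating which ingress templates include them and that the ALB entries apply only when `OperationsCenter.Platform` is `eks` would help.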
@@ -413,6 +462,9 @@ status: {{- end -}} {{- define "ingress.check" -}} +{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress") }} + {{ fail "\n\nERROR: Kubernetes 1.14 or later is required to use Ingress in networking.k8s.io/v1beta1" }} +{{- end -}} {{- if and (index .Values "nginx-ingress" "Enabled") (index .Values "ingress-nginx" "Enabled") -}} {{ fail "\n\nERROR: Only one of nginx-ingress.Enabled or ingress-nginx.Enabled may be true" }} {{- end -}} diff --git a/helm/templates/cjoc-ingress.yaml b/helm/templates/cjoc-ingress.yaml index 60ee882992b1e591856996a2f8809f8bfc3cc8bf..123a79316575bf4504cd6f93da702c0ba3c0a938 100644 --- a/helm/templates/cjoc-ingress.yaml +++ b/helm/templates/cjoc-ingress.yaml @@ -8,13 +8,9 @@ metadata: labels: {{ include "cloudbees-core.labels" . | indent 4 }} annotations: -{{ toYaml .Values.OperationsCenter.Ingress.Annotations | indent 4 }} -{{ if .Values.OperationsCenter.Ingress.Class }} - kubernetes.io/ingress.class: {{ .Values.OperationsCenter.Ingress.Class }} -{{- end }} +{{ include "ingress.annotations" . | indent 4 }} {{- if not (include "cloudbees-core.is-openshift" .) }} - nginx.ingress.kubernetes.io/app-root: "{{ template "oc.contextpath" . }}/teams-check/" - nginx.ingress.kubernetes.io/ssl-redirect: "{{- template "ingress.ssl_redirect" . }}" + nginx.ingress.kubernetes.io/app-root: {{ include "ingress.root-redirect" . | quote }} # "413 Request Entity Too Large" uploading plugins, increase client_max_body_size nginx.ingress.kubernetes.io/proxy-body-size: 50m nginx.ingress.kubernetes.io/proxy-request-buffering: "off" 
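Review bot: The new guard in `ingress.check` fails the render whenever `networking.k8s.io/v1beta1/Ingress` is absent, but the message only says `Kubernetes 1.14 or later is required`. That is misleading on any cluster that does not serve this beta API for a reason other than age, and it points the operator in the wrong direction. Name the missing API in the text, e.g. `ERROR: this chart needs the networking.k8s.io/v1beta1 Ingress API, which this cluster does not serve`. The check evaluates the capabilities Helm was given, so offline rendering with `helm template` depends on the API versions passed to it (`--api-versions`); a comment above the `if` should say so. `ingress.check` starts inside this hunk and its body continues past the last context line.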
@@ -27,10 +23,15 @@ spec: {{- end }} http: paths: +{{- include "ingress.redirect-rules" . | indent 6 }} - path: {{ include "oc.contextpath" . }} backend: serviceName: cjoc servicePort: {{ .Values.OperationsCenter.ServicePort }} + - path: {{ include "oc.contextpath" . }}/* + backend: + serviceName: cjoc + servicePort: {{ .Values.OperationsCenter.ServicePort }} {{- if .Values.OperationsCenter.Ingress.tls.Enable }} tls: - hosts: diff --git a/helm/templates/managed-master-hibernation-monitor-deployment.yaml b/helm/templates/managed-master-hibernation-monitor-deployment.yaml index 25b5a969a6644acd76aa689e1d0c9d195a9a1ec9..b8b28ca0aeb458c6f34d7787f5a7f57ebdee1d78 100644 --- a/helm/templates/managed-master-hibernation-monitor-deployment.yaml +++ b/helm/templates/managed-master-hibernation-monitor-deployment.yaml @@ -72,4 +72,12 @@ spec: memory: 250Mi serviceAccountName: {{ .Values.rbac.hibernationMonitorServiceAccountName }} enableServiceLinks: false + {{- if .Values.Hibernation.NodeSelector }} + nodeSelector: +{{ toYaml .Values.Hibernation.NodeSelector | indent 8 }} + {{- end }} + {{- if .Values.Hibernation.Tolerations }} + tolerations: +{{ toYaml .Values.Hibernation.Tolerations | indent 8 }} + {{- end }} {{- end -}} diff --git a/helm/templates/managed-master-hibernation-monitor-ingress.yaml b/helm/templates/managed-master-hibernation-monitor-ingress.yaml index 3e3b8ebb2381af42625f71f781dde2f74fbc2da0..f1ee17eb1c5b60f3d80e9517302c29f4e88d582b 100644 --- a/helm/templates/managed-master-hibernation-monitor-ingress.yaml +++ b/helm/templates/managed-master-hibernation-monitor-ingress.yaml 
@@ -7,11 +7,7 @@ metadata: labels: {{ include "cloudbees-core.labels" . | indent 4 }} annotations: -{{ toYaml .Values.OperationsCenter.Ingress.Annotations | indent 4 }} -{{ if .Values.OperationsCenter.Ingress.Class }} - kubernetes.io/ingress.class: {{ .Values.OperationsCenter.Ingress.Class }} -{{- end }} - nginx.ingress.kubernetes.io/ssl-redirect: "{{- template "ingress.ssl_redirect" . }}" +{{ include "ingress.annotations" . | indent 4 }} spec: rules: - @@ -20,11 +16,19 @@ spec: {{- end }} http: paths: - - path: /hibernation + - path: /hibernation/ns/{{ .Release.Namespace }}/ + backend: + serviceName: managed-master-hibernation-monitor + servicePort: 80 + - path: /hibernation/ns/{{ .Release.Namespace }}/* + backend: + serviceName: managed-master-hibernation-monitor + servicePort: 80 + - path: /hibernation/ backend: serviceName: managed-master-hibernation-monitor servicePort: 80 - - path: /hibernation/ns/{{ .Release.Namespace }} + - path: /hibernation/* backend: serviceName: managed-master-hibernation-monitor servicePort: 80 diff --git a/helm/values.yaml b/helm/values.yaml index daaca64f06abea0c75c6a75e800f6ff364592475..e04ee07b74f4dc42f7e2acd688093baab200331d 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -50,7 +50,7 @@ OperationsCenter: # Operations Center docker image Image: # OperationsCenter.Image.dockerImage -- Container image to use for Operations Center - dockerImage: dcar/core-oc:2.263.1.2 + dockerImage: dcar/core-oc:2.263.2.4-ra # OperationsCenter.Image.dockerPullPolicy -- https://kubernetes.io/docs/concepts/containers/images/#updating-images dockerPullPolicy: null @@ -241,7 +241,7 @@ Master: # Docker image inserted in Operations Center automatically Image: # Master.Image.dockerImage -- Used to override the default docker image - dockerImage: dcar/core-mm:2.263.1.2 + dockerImage: dcar/core-mm:2.263.2.4-ra # Master.JavaOpts -- Additional Java options to pass to managed masters. For example, setting up a JMX port JavaOpts: null 
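Review bot: The hibernation monitor Ingress now takes all its annotations from `ingress.annotations`, which on EKS with HTTPS adds an HTTP:80 listener and the `actions.ssl-redirect` annotation, but the `paths:` list in the second hunk never includes `ingress.redirect-rules` the way cjoc-ingress.yaml does. Unless the cjoc Ingress's redirect rule is evaluated first within the shared ALB group (no ordering is set anywhere visible in this commit), requests to `/hibernation/` on port 80 may be served over plain HTTP. Either add `{{- include "ingress.redirect-rules" . | indent 6 }}` as the first entry under `paths:` here as well, or add a comment stating that the redirect is inherited from the cjoc Ingress through the group. Both hunks of this file end inside `spec`, so the rest of the resource is not visible.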
@@ -258,7 +258,7 @@ Agents: Create: false Image: # Agents.Image.dockerImage -- Used to override the default docker image used for agents - dockerImage: dcar/agent:2.263.1.2 + dockerImage: dcar/agent:2.263.2.4-ra # Image pull secrets # Enable this option when using a private registry. # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line @@ -302,6 +302,12 @@ Hibernation: # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line # Hibernation.ImagePullSecrets -- Name of image pull secret to pull private Docker images or an array of image pull secrets ImagePullSecrets: null + # Hibernation.NodeSelector -- Node labels and tolerations for pod assignment + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + NodeSelector: {} + # Hibernation.Tolerations -- Specify tolerations for the Hibernation Monitor pod. + # See [documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + Tolerations: [] PodSecurityPolicy: # Requires rbac.installCluster = true diff --git a/scripts/usr/local/bin/jenkins.sh b/scripts/usr/local/bin/jenkins.sh index 706584897e2f97cab54c58f4e990782ada2c38e1..e82afca2b477448922e269e9e0f6055d817540ad 100644 --- a/scripts/usr/local/bin/jenkins.sh +++ b/scripts/usr/local/bin/jenkins.sh 
@@ -52,7 +52,7 @@ find /usr/share/jenkins/ref/ -type f -exec bash -c "copy_reference_file '{}'" \; # if `docker run` first argument start with `--` the user is passing jenkins launcher arguments if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then - eval "exec java ${JAVA_OPTS:-} -jar -Dcb.distributable.name=\"Docker Common CJE\" -Dcb.distributable.commit_sha=3011be3b5ab0e30ea7af04d1194f4d007a795ef5 /usr/share/jenkins/jenkins.war $JENKINS_OPTS \"\$@\"" + eval "exec java ${JAVA_OPTS:-} -jar -Dcb.distributable.name=\"Docker Common CJE\" -Dcb.distributable.commit_sha=69f7102311718b7e0fbed31edb877f1352ca5cf1 /usr/share/jenkins/jenkins.war $JENKINS_OPTS \"\$@\"" fi # As argument is not jenkins, assume user want to run his own process, for sample a `bash` shell to explore this image