diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS
new file mode 100644
index 0000000000000000000000000000000000000000..64a2c68c3ababda8d526d6cd995f02cd36f837ab
--- /dev/null
+++ b/.gitlab/CODEOWNERS
@@ -0,0 +1,6 @@
+[Pipelines]
+.gitlab-ci.yml @ironbank-notifications/cht
+.gitlab-ci.yaml @ironbank-notifications/cht
+
+[Gitlab Configuration Files]
+.gitlab/* @ironbank-notifications/cht
diff --git a/.gitlab/issue_templates/Access Request.md b/.gitlab/issue_templates/Access Request.md
new file mode 100644
index 0000000000000000000000000000000000000000..1a7b224d6ccdad95fef69b5c8be1ce2b543f338e
--- /dev/null
+++ b/.gitlab/issue_templates/Access Request.md
@@ -0,0 +1,16 @@
+## Summary
+
+The following individuals are requesting access to this project (one per line):
+(List or tag all individuals here)
+
+
+The access level should be:
+- [ ] Developer access
+- [ ] Remove access
+
+
+## Definition of Done
+- [ ] All accounts have been provided the necessary accesses
+
+
+/label ~"Access" ~"To Do"
\ No newline at end of file
diff --git a/.gitlab/issue_templates/Application - Archive.md b/.gitlab/issue_templates/Application - Archive.md
new file mode 100644
index 0000000000000000000000000000000000000000..9f3b5fe4d8d43ae9f82411a391b200d4b43f2668
--- /dev/null
+++ b/.gitlab/issue_templates/Application - Archive.md
@@ -0,0 +1,21 @@
+## Summary
+
+Requesting this application be archived due to one of the following reasons:
+- [ ] Version is no longer supported by vendor
+- [ ] Application is End-Of-Life
+- [ ] License violation.
+- [ ] Other. See below.
+
+## Detailed Description
+
+(Please provide a detailed description of why this application should be archived)
+
+
+## Definition of Done
+- [ ] Application has been reviewed for archival
+- [ ] Project is officially marked as stale
+- [ ] Iron Bank frontend no longer lists application as available or approved
+
+
+/label ~"Container::Archive"
+/cc @ironbank-notifications/archive
\ No newline at end of file
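Review bot: The `.gitlab/* @ironbank-notifications/cht` rule in the new CODEOWNERS file may not reach the issue templates this same commit adds under `.gitlab/issue_templates/`, because a single `*` in gitignore-style patterns does not descend into subdirectories as far as I recall — worth confirming against GitLab's CODEOWNERS pattern rules before relying on it. If the intent is code-owner review for everything under `.gitlab/`, the recursive spelling `.gitlab/**/* @ironbank-notifications/cht` (or the directory form `.gitlab/ @ironbank-notifications/cht`) is the safer choice. Putting `.gitlab-ci.yml` behind an owner group is the right control against pipeline tampering, but it only has teeth if the project's protected-branch settings require code-owner approval, which this file cannot show; a one-line comment `# Requires "code owner approval" on the protected branch to be enforced` would make that dependency explicit.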
diff --git a/.gitlab/issue_templates/Application - Initial.md b/.gitlab/issue_templates/Application - Initial.md
new file mode 100644
index 0000000000000000000000000000000000000000..6594a0580b941815c0c7c6264cdfc42e28231f57
--- /dev/null
+++ b/.gitlab/issue_templates/Application - Initial.md
@@ -0,0 +1,32 @@
+## Summary
+
+Requesting application to be hardened. This is only for initial hardening of a container.
+
+
+## Version Information
+
+Current version: (State the current version of the application as you see it)
+
+Under support: (Is the updated version within the same major version of the application or is this a new major version?)
+
+
+## Definition of Done
+Hardening:
+- [ ] Container builds successfully
+- [ ] Greylist file has been created (requires a member from container hardening)
+- [ ] Branch has been merged into `development`
+
+Justifications:
+- [ ] All findings have been justified per the above documentation
+- [ ] Justifications have been provided to the container hardening team
+
+Approval Process (container hardening team processes):
+- [ ] Peer review from Container Hardening Team
+- [ ] Findings Approver has reviewed and approved all justifications
+- [ ] Approval request has been sent to Authorizing Official
+- [ ] Approval request has been processed by Authorizing Official
+
+
+
+/label ~"Container::Initial"
+/cc @ironbank-notifications/cht
\ No newline at end of file
diff --git a/.gitlab/issue_templates/Application - Update.md b/.gitlab/issue_templates/Application - Update.md
new file mode 100644
index 0000000000000000000000000000000000000000..caebb3e9aab279c7f109ec0fbfa246b8add6d972
--- /dev/null
+++ b/.gitlab/issue_templates/Application - Update.md
@@ -0,0 +1,35 @@
+## Summary
+
+Requesting application be updated to a newer version.
+
+
+
+## Version Information
+
+Current version: (State the current version of the application as you see it)
+
+Updated version: (State the version you would like the application updated to)
+
+Under support: (Is the updated version within the same major version of the application or is this a new major version?)
+
+
+## Definition of Done
+Hardening:
+- [ ] Container builds successfully
+- [ ] Container version has been updated in greylist file
+- [ ] Branch has been merged into `development`
+
+Justifications:
+- [ ] All findings have been justified per the above documentation
+- [ ] Justifications have been provided to the container hardening team
+
+Approval Process:
+- [ ] Peer review from Container Hardening Team
+- [ ] Findings Approver has reviewed and approved all justifications
+- [ ] Approval request has been sent to Authorizing Official
+- [ ] Approval request has been processed by Authorizing Official
+
+
+
+/label ~"Container::Update"
+/cc @ironbank-notifications/updates
\ No newline at end of file
diff --git a/.gitlab/issue_templates/Bug.md b/.gitlab/issue_templates/Bug.md
new file mode 100644
index 0000000000000000000000000000000000000000..1427a0caed1833bccd3b1e5f8c5f6eafde05266c
--- /dev/null
+++ b/.gitlab/issue_templates/Bug.md
@@ -0,0 +1,37 @@
+## Summary
+
+(Summarize the bug encountered concisely)
+
+
+## Steps to reproduce
+
+(How one can reproduce the issue - this is very important)
+
+
+## What is the current bug behavior?
+
+(What actually happens)
+
+
+## What is the expected correct behavior?
+
+(What you should see instead)
+
+
+## Relevant logs and/or screenshots
+
+(Paste any relevant logs - please use code blocks (```) to format console output,
+logs, and code as it's very hard to read otherwise.)
+
+
+## Possible fixes
+
+(If you can, link to the line of code that might be responsible for the problem)
+
+
+## Defintion of Done
+- [ ] Bug has been identified and corrected within the container
+
+
+/label ~Bug
+/cc @ironbank-notifications/bug
\ No newline at end of file
diff --git a/.gitlab/issue_templates/Feature Request.md b/.gitlab/issue_templates/Feature Request.md
new file mode 100644
index 0000000000000000000000000000000000000000..a0e2f195dc66e4187264381c5e96e8aa96db8a09
--- /dev/null
+++ b/.gitlab/issue_templates/Feature Request.md
@@ -0,0 +1,32 @@
+## Feature description
+
+(Detailed description of the feature being requested)
+
+
+## Use cases
+
+
+(Detailed description of the use case for this feature)
+
+
+## Benefits
+
+(How does this benefit others)
+
+
+## Requirements
+
+(Any requirements for this feature to be enabled?)
+
+
+## Links / references
+
+(List of links or references that support this feature)
+
+
+## Definition of Done
+- [ ] Feature has been implemented
+
+
+/label ~Feature
+/cc @ironbank-notifications/feature
\ No newline at end of file
diff --git a/.gitlab/issue_templates/Leadership Question.md b/.gitlab/issue_templates/Leadership Question.md
new file mode 100644
index 0000000000000000000000000000000000000000..4674f82f930085f34f51b4ecbb4d396519f53192
--- /dev/null
+++ b/.gitlab/issue_templates/Leadership Question.md
@@ -0,0 +1,7 @@
+## Leadership question
+
+(Detailed description of the question you'd like to ask the leadership team)
+
+
+/label ~"Question::Leadership" ~"To Do"
+/cc @ironbank-notifications/leadership
\ No newline at end of file
diff --git a/.gitlab/issue_templates/New Findings.md b/.gitlab/issue_templates/New Findings.md
new file mode 100644
index 0000000000000000000000000000000000000000..068d029d89cb62dd4d4da5e03924c608172d97d6
--- /dev/null
+++ b/.gitlab/issue_templates/New Findings.md
@@ -0,0 +1,20 @@
+## Summary
+
+Container has new findings discovered during continuous monitoring.
+
+
+
+## Definition of Done
+Justifications:
+- [ ] All findings have been justified
+- [ ] Justifications have been provided to the container hardening team
+
+Approval Process:
+- [ ] Findings Approver has reviewed and approved all justifications
+- [ ] Approval request has been sent to Authorizing Official
+- [ ] Approval request has been processed by Authorizing Official
+
+
+
+/label ~"Container::New Findings"
+/cc @ironbank-notifications/security
\ No newline at end of file
diff --git a/.gitlab/issue_templates/Onboarding Question.md b/.gitlab/issue_templates/Onboarding Question.md
new file mode 100644
index 0000000000000000000000000000000000000000..77dea11e56c87d3fb65a1cf2ce7901621058f970
--- /dev/null
+++ b/.gitlab/issue_templates/Onboarding Question.md
@@ -0,0 +1,7 @@
+## Onboarding question
+
+(Detailed description of the question you'd like to ask the onboarding team)
+
+
+/label ~"Question::Onboarding" ~"To Do"
+/cc @ironbank-notifications/onboarding
\ No newline at end of file
diff --git a/.gitlab/issue_templates/Pipeline Failure.md b/.gitlab/issue_templates/Pipeline Failure.md
new file mode 100644
index 0000000000000000000000000000000000000000..28b82a9454358a542efaa4b9c1c99542e3487fd6
--- /dev/null
+++ b/.gitlab/issue_templates/Pipeline Failure.md
@@ -0,0 +1,31 @@
+## Summary
+
+(Summarize the pipeline issue encountered concisely)
+
+
+## Link to failed pipeline
+
+(Link to the failed pipeline)
+
+
+## What is the current bug behavior?
+
+(What actually happens)
+
+
+## What is the expected correct behavior?
+
+(What you should see instead)
+
+
+## Possible fixes
+
+(If you can, link to the line of code that might be responsible for the problem)
+
+
+## Definition of Done
+- [ ] Pipeline failure has been resolved
+
+
+/label ~Pipeline
+/cc @ironbank-notifications/pipelines
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 0a524b8b7bebadb7399a2d0cd4671dbb8bdb6e6e..019bd2119909c5df4f69bfc2d333503ac7041663 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -41,15 +41,12 @@ ENTRYPOINT ["tini", "--", "/usr/local/bin/launch.sh"]
 HEALTHCHECK --interval=5m --timeout=3s \
 CMD curl -fsL ${JENKINS_URL}/login || exit 1
-LABEL securitytxt="https://www.cloudbees.com/.well-known/security.txt"
-LABEL release=4c482ecc2d194d4868ade0a8cb5f773a3ab1c0d5
-LABEL version=2.249.2.3
+# LABEL securitytxt="https://www.cloudbees.com/.well-known/security.txt"
+# LABEL release=69f7102311718b7e0fbed31edb877f1352ca5cf1
+# LABEL version=2.263.2.4-ra
-ARG TARBALL=files.tar
-COPY ${TARBALL} /tmp
-RUN cd / && \
- tar xvf /tmp/files.tar && \
- rm /tmp/files.tar
+COPY files.tar /tmp
+RUN cd / && tar xvf /tmp/files.tar && rm /tmp/files.tar
 COPY scripts/ /
 RUN chmod +x /usr/local/bin/*.sh && \
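Review bot: Commenting out `LABEL securitytxt="https://www.cloudbees.com/.well-known/security.txt"` removes the only vulnerability-disclosure pointer the image carried, and the `labels:` block this commit adds to `hardening_manifest.yaml` carries `org.opencontainers.image.version` but neither `securitytxt` nor `release`, so unless the Iron Bank pipeline injects them elsewhere that metadata is lost rather than moved. Either keep `securitytxt` as a live `LABEL`, or add it to the manifest labels and replace the three commented lines with `# version/release/securitytxt labels are supplied by hardening_manifest.yaml` so the next reader knows they were relocated, not forgotten. The new `RUN cd / && tar xvf /tmp/files.tar && rm /tmp/files.tar` unpacks an externally fetched archive over the image root, so its safety rests entirely on the sha256 declared for `files.tar` in `hardening_manifest.yaml`; a comment above the `COPY` saying exactly that would help, and `tar xf` instead of `tar xvf` stops the build log from listing every extracted path. The trailing `RUN chmod +x /usr/local/bin/*.sh && \` continues outside the hunk.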
@@ -68,7 +65,7 @@ ENV VOLUME_SERVICE=http://localhost:31080
 ENV TENANT=cjoc
 ENV JENKINS_VARIANT=cjoc
-LABEL name="CloudBees CI Operation Center" \
- vendor="CloudBees, Inc." \
- summary="CloudBees CI is the continuous delivery platform architected for the enterprise" \
- description="This container image will deploy one instance of CloudBees CI Operations Center."
+# LABEL name="CloudBees CI Operation Center"
+# LABEL vendor="CloudBees, Inc."
+# LABEL summary="CloudBees CI is the continuous delivery platform architected for the enterprise"
+# LABEL description="This container image will deploy one instance of CloudBees CI Operations Center."
diff --git a/Jenkinsfile b/Jenkinsfile
deleted file mode 100644
index 6cbfdbdd8044f2215c4a432829af8c830dcd7f88..0000000000000000000000000000000000000000
--- a/Jenkinsfile
+++ /dev/null
@@ -1,2 +0,0 @@
-@Library('DCCSCR@master') _
-dccscrPipeline(version: '2.249.2.3')
diff --git a/LICENSE.adoc b/LICENSE
similarity index 100%
rename from LICENSE.adoc
rename to LICENSE
diff --git a/README.md b/README.md
index b2f5ad6b1b78f355900269d9880daddad3ab437e..b77c12bfc1af6e01f3d56c5be66866280e894325 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ CloudBees CI (formerly known as _CloudBees Core_) consists of three Docker image
 For each image, all files other than UBI and native packages are included in a `files.tar` marked with a SHA-256 checksum.
-A version of CloudBees CI is given in the format `2.249.2.3`
+A version of CloudBees CI is given in the format `2.263.2.4-ra` where the first three components are aligned with a Jenkins LTS. The Helm chart is coversioned with `core-oc`. The `core-mm` image typically shares the same version,
@@ -22,13 +22,13 @@ plus whatever other customizations are desired:
 ```yaml
 OperationsCenter:
 Image:
- dockerImage: your-registry/core-oc:2.249.2.3
+ dockerImage: your-registry/core-oc:2.263.2.4-ra
 Master:
 Image:
- dockerImage: your-registry/core-mm:2.249.2.3
+ dockerImage: your-registry/core-mm:2.263.2.4-ra
 Agents:
 Image:
- dockerImage: your-registry/agent:2.249.2.3
+ dockerImage: your-registry/agent:2.263.2.4-ra
 ```
 and [install via Helm 3](https://docs.cloudbees.com/docs/cloudbees-core/latest/kubernetes-install-guide/installing-kubernetes-using-helm) using the local copy of the chart:
diff --git a/download.json b/download.json
deleted file mode 100644
index 667cfd3e48ad6deb35ef2d74dcb8702b44fcb6f3..0000000000000000000000000000000000000000
--- a/download.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "resources": [
- {
- "url": "https://downloads.cloudbees.com/dsop-files/core-oc-files-de64bf3a7e6d55e0c13bcf7ddbc72ef820c76548e6d18b4c1d990215e4773698.tar",
- "filename": "files.tar",
- "validation": {
- "type": "sha256",
- "value": "de64bf3a7e6d55e0c13bcf7ddbc72ef820c76548e6d18b4c1d990215e4773698"
- }
- }
- ]
-}
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b128c489be464b75f560e7c19605efe759a4e0c8
--- /dev/null
+++ b/hardening_manifest.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+name: cloudbees/core/core-oc
+tags:
+- "2.263.2.4-ra"
+- latest
+labels:
+ org.opencontainers.image.title: "core-oc"
+ org.opencontainers.image.description: "CloudBees CI (core-oc subcomponent)"
+ org.opencontainers.image.licenses: proprietary
+ org.opencontainers.image.url: https://docs.cloudbees.com/docs/cloudbees-ci/
+ org.opencontainers.image.vendor: CloudBees
+ org.opencontainers.image.version: "2.263.2.4-ra"
+ mil.dso.ironbank.image.keywords: cicd
+ mil.dso.ironbank.image.type: commercial
+ mil.dso.ironbank.product.name: CloudBees CI
+args:
+ BASE_IMAGE: "redhat/openjdk/openjdk8-devel"
+ BASE_TAG: "1.8.0"
+resources:
+- filename: files.tar
+ url: https://downloads.cloudbees.com/dsop-files/core-oc-files-fdaeb7127afa7670743296125be0d1782e152c6ec14bca5e62ec69ef5d667901.tar
+ validation:
+ type: sha256
+ value: "fdaeb7127afa7670743296125be0d1782e152c6ec14bca5e62ec69ef5d667901"
+maintainers:
+- email: productivity-team@cloudbees.com
+- email: andre.maksymowicz@centauricorp.com
diff --git a/helm/.helmignore b/helm/.helmignore
new file mode 100644
index 0000000000000000000000000000000000000000..ecfd1a16f096ff2f2e1f4a8dc9f654d10f75d38f
--- /dev/null
+++ b/helm/.helmignore
@@ -0,0 +1,3 @@
+README.md.gotmpl
+.gitignore
+.helmignore
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
index 7175dcbeb3caa7ce0f1b6e5483dcf4640ba919e5..da8ccfd3b47ca313588d9210a75d192dcbd1a172 100644
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
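Review bot: `BASE_IMAGE: "redhat/openjdk/openjdk8-devel"` selects a JDK development base for what the Dockerfile runs purely as a runtime (tini, `launch.sh`, a curl healthcheck); if nothing in the build or at runtime needs `javac` or the other dev tooling, a runtime-only OpenJDK base would shrink the attack surface and the findings list — I cannot tell from this diff whether the `-devel` variant is required, so please either confirm or add `# -devel needed because: ...` above `args:`. `BASE_TAG: "1.8.0"` is a floating tag rather than a digest, so rebuilds can silently pick up a different base image; that is the usual Iron Bank convention, but a note that the pipeline pins the base for you would stop a reader from assuming the build is reproducible by itself. Publishing `latest` alongside `"2.263.2.4-ra"` means consumers on `latest` move to every future release with no version change on their side; fine if intended, but worth a comment on the `tags:` list. The sha256 `validation` on `files.tar` is what makes the Dockerfile's extraction of that archive over `/` acceptable, so keep it mandatory.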
@@ -1,11 +1,12 @@
-apiVersion: v1
-appVersion: 2.249.2.3
-description: The Continuous Delivery Solution for Enterprises
-engine: gotpl
+name: cloudbees-core
 home: https://www.cloudbees.com/products/continuous-integration
+apiVersion: v1
+appVersion: 2.263.2.3
+version: 3.25.3
+description: Enterprise Continuous Integration with Jenkins
 icon: https://images.ctfassets.net/vtn4rfaw6n2j/7xprMMXARXDBuVxW4y8XfV/349fff91035050e3f2a8ff37bc0615b5/cloudbees-core-logo_header.svg
 keywords:
-- cloudbees
-- jenkins
-name: cloudbees-core
-version: 3.22.0-DEVELOPMENT
+ - cloudbees
+ - jenkins
+engine: gotpl
+
diff --git a/helm/README-template.md b/helm/README-template.md
new file mode 100644
index 0000000000000000000000000000000000000000..b86f7f950857766487de290e7be474c2e2cbbb69
--- /dev/null
+++ b/helm/README-template.md
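Review bot: `appVersion: 2.263.2.3` disagrees with the image version used everywhere else in this commit — `hardening_manifest.yaml` tags the image `2.263.2.4-ra`, and README.md both states that the Helm chart is coversioned with `core-oc` and shows `core-oc:2.263.2.4-ra` in its example values. If the chart is meant to track the Iron Bank image, the line should read `appVersion: 2.263.2.4-ra`; if it is deliberately kept at the upstream chart's value (chart `3.25.3` presumably ships `2.263.2.3` upstream), a comment such as `# appVersion follows the upstream cloudbees-core 3.25.3 chart, not the Iron Bank image tag` would stop the next reader from "fixing" it. The same `2.263.2.3` appears in the README-template.md and helm/README.md badges, so whichever way this is resolved should be applied there too.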
@@ -0,0 +1,183 @@
+# cloudbees-core
+
+![Version: 3.25.3](https://img.shields.io/badge/Version-3.25.3-informational?style=flat-square) ![AppVersion: 2.263.2.3](https://img.shields.io/badge/AppVersion-2.263.2.3-informational?style=flat-square)
+
+[CloudBees CI](https://www.cloudbees.com/products/continuous-integration) is the continuous integration platform architected for the enterprise. It provides:
+
+* DevOps at scale
+* Resilience and high availability
+* Easy management
+* Enterprise grade security
+
+## TL;DR;
+
+```console
+$ helm repo add cloudbees https://charts.cloudbees.com/public/cloudbees
+$ helm install cloudbees/cloudbees-core --name
+```
+
+## Introduction
+
+This chart bootstraps a CloudBees CI deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+ - Kubernetes 1.14 or higher
+ - Helm 3.0.2 or higher
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.0 |
+| https://charts.helm.sh/stable | nginx-ingress | 1.40.2 |
+| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 2.15.0 |
+
+## Installing the Chart
+
+### Default installation
+
+To install the chart with the release name `cloudbees-core` and hostname `cloudbees-core.example.com`. The default installation requires nginx-ingress controller to be installed. The chart can install the nginx-ingress controller for you. This installation is described in the next section.
+
+```console
+$ helm install cloudbees/cloudbees-core \
+ --name cloudbees-core \
+ --set OperationsCenter.HostName='cloudbees-core.example.com'
+```
+
+The command deploys CloudBees CI on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
+
+### Ingress Controller Installation
+
+The chart is designed, so it can install an ingress-nginx controller.
+The `"ingress-nginx".Enabled` field controls ingress controller installation and setup.
+To install the chart with the release name `cloudbees-core` and hostname cloudbees-core.example.com.
+
+```console
+$ helm install cloudbees/cloudbees-core \
+ --name cloudbees-core \
+ --set "ingress-nginx".Enabled=true
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `cloudbees-core` deployment:
+
+```console
+$ helm delete cloudbees-core
+```
+> **NOTE**: The current version of the CloudBees CI Helm Chart only manages the Operation Center.
+Users should manage Managed Master using Operation Center.
+
+The `helm delete` command stops the CloudBees CI deployment than removes the OperationsCenter Center.
+The release is still stored in the Helm database, but it will now have the status deleted.
+If you wish to completely remove the release, use the following variation of the `helm delete` command.
+
+```console
+$ helm delete cloudbees-core --purge
+```
+
+> **IMPORTANT**: The `helm delete` command does NOT remove the persistent volume claims as precaution against data loss.
+You will need to use the `kubectl delete pvc` command to delete the persistent volume claims.
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Configuration
+
+Please refer to the chart `values.yaml` to get the exhaustive list of values that can be customized.
+The easiest way to consult it is through the command `helm inspect values cloudbees/cloudbees-core`.
+
+Each property can override a default value with a value that specific to your Kubernetes cluster
+You can provide this values using the `--set` flag on the Helm command line.
+
+Helm also support merging values files together, so that you can create a YAML file for each environment.
+
+### Environment Property Value Files
+Helm provides the option to use a custom property values file to override the default values set in the `values.yaml` file.
+CloudBees recommends creating a custom properties file to override the default for your environments, instead of directly editing the included values.yaml file.
+
+To use an environment property value file with Helm, use the -f option as shown in the following example:
+`helm install cloudbees-core --name cloudbees-core -f example-values.yaml`
+
+You can download the latest version of the `example-values.yaml` file from CloudBees Examples GitHub repository at https://github.com/cloudbees/cloudbees-examples/tree/master/helm-custom-value-file-examples.
+
+## Additional Documentation
+CloudBees provides complete and more detailed installation and operation documentation on the CloudBees web site at https://docs.cloudbees.com/docs/cloudbees-ci/latest/kubernetes-install-guide/
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| Agents.Enabled | bool | `true` | Enable to create agent resources (service account, role) |
+| Agents.Image.dockerImage | string | `"@@IMAGE_PREFIX@@/agent:@@IMAGE_TAG@@"` | Used to override the default docker image used for agents |
+| Agents.ImagePullSecrets | string | `nil` | Name of image pull secret to pull private Docker images or an array of image pull secrets |
+| Agents.SeparateNamespace.Create | bool | `false` | If true, the second namespace will be created when installing this chart. Otherwise, the existing namespace should be labeled with `cloudbees.com/role: agents` in order for network policies to work. |
+| Agents.SeparateNamespace.Enabled | bool | `false` | If enabled, agents resources will be created in a separate namespace as well as bindings allowing masters to schedule them. |
+| Agents.SeparateNamespace.Name | string | `nil` | Namespace where to create agents resources.
Defaults to `${namespace}-builds` where `${namespace}` is the namespace where the chart is installed. | +| Hibernation.Enabled | bool | `false` | Whether to enable the [Hibernation](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-admin-guide/managing-masters#_hibernation_of_managed_masters) feature | +| Hibernation.Image.dockerImage | string | `"cloudbees/managed-master-hibernation-monitor:230.ee066a318539"` | Used to override the default docker image | +| Hibernation.Image.dockerPullPolicy | string | `nil` | Used to override the default pull policy | +| Hibernation.ImagePullSecrets | string | `nil` | Name of image pull secret to pull private Docker images or an array of image pull secrets | +| Hibernation.NodeSelector | object | `{}` | Node labels and tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | +| Hibernation.Tolerations | list | `[]` | Specify tolerations for the Hibernation Monitor pod. See [documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +| Master.Enabled | bool | `true` | Whether to create the resources required to schedule masters. | +| Master.Image.dockerImage | string | `"@@IMAGE_PREFIX@@/core-mm:@@IMAGE_TAG@@"` | Used to override the default docker image | +| Master.JavaOpts | string | `nil` | Additional Java options to pass to managed masters. For example, setting up a JMX port | +| Master.OperationsCenterNamespace | string | `nil` | When deploying Master resources, this grants an Operations Center deployed in another namespace the right to deploy masters | +| NetworkPolicy.Enabled | bool | `false` | Enable only if the cluster supports it. Read the [documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to understand what this is about. 
| +| NetworkPolicy.JMXSelectors | list | `[]` | Custom selectors for accessing JMX port | +| NetworkPolicy.ingressControllerSelector | list | `[]` | Custom selector for the ingress-controller | +| OperationsCenter.AgentListenerPort | int | `50000` | Container port for agent listener traffic | +| OperationsCenter.Annotations | object | `{}` | Additional annotations to put on the pod running Operations Center | +| OperationsCenter.CSRF.ProxyCompatibility | bool | `false` | Proxy compatibility for the default CSRF issuer | +| OperationsCenter.ContainerPort | int | `8080` | Container port for http traffic | +| OperationsCenter.ContextPath | string | `"/cjoc"` | the path under which Operations Center will be accessible in the given host. | +| OperationsCenter.Enabled | bool | `true` | Disable for particular use case like setting up namespaces to host masters only | +| OperationsCenter.HealthProbeLivenessFailureThreshold | int | `12` | Threshold for liveness failure | +| OperationsCenter.HealthProbes | bool | `true` | Enable Kubernetes Liveness and Readiness Probes | +| OperationsCenter.HostName | string | `nil` | The hostname used to access Operations Center through the ingress controller. 
| +| OperationsCenter.Image.dockerImage | string | `"@@IMAGE_PREFIX@@/core-oc:@@IMAGE_TAG@@"` | Container image to use for Operations Center | +| OperationsCenter.Image.dockerPullPolicy | string | `nil` | https://kubernetes.io/docs/concepts/containers/images/#updating-images | +| OperationsCenter.ImagePullSecrets | string | `nil` | Name of image pull secret to pull private Docker images or an array of image pull secrets | +| OperationsCenter.Ingress.Annotations | object | `{"kubernetes.io/tls-acme":"false"}` | annotations to put on Ingress object | +| OperationsCenter.Ingress.Class | string | `"nginx"` | Ingress class to use for OC and MM ingresses Should be set to the same value as nginx-ingress.controller.ingressClass if enabled | +| OperationsCenter.Ingress.tls.Enable | bool | `false` | Set this to true in order to enable TLS on the ingress record | +| OperationsCenter.Ingress.tls.SecretName | string | `nil` | The name of the secret containing the certificate and private key to terminate TLS for the ingress | +| OperationsCenter.JavaOpts | string | `nil` | Additional java options to pass to the Operations Center | +| OperationsCenter.JenkinsOpts | string | `nil` | Additional arguments for jenkins.war | +| OperationsCenter.LoadBalancerIP | string | `nil` | Optionally assign a known public LB IP | +| OperationsCenter.LoadBalancerSourceRanges | list | `["0.0.0.0/0"]` | Only applicable when using `ServiceType: LoadBalancer` | +| OperationsCenter.NodeSelector | object | `{}` | Node labels and tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | +| OperationsCenter.Platform | string | `"standard"` | Enables specific settings depending on the platform platform specific values are: `eks`, `aws`, `gke`, `aks`, `openshift`, `openshift4` Note: `openshift` maps to OpenShift 3.x | +| OperationsCenter.Protocol | string | `"http"` | the protocol used to access CJOC. Possible values are http/https. 
| +| OperationsCenter.Resources.Limits.Cpu | int | `1` | CPU limit to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu | +| OperationsCenter.Resources.Limits.Memory | string | `"2G"` | Memory limit to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory | +| OperationsCenter.Resources.Requests.Cpu | int | `1` | CPU request to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu | +| OperationsCenter.Resources.Requests.Memory | string | `"2G"` | Memory request to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory | +| OperationsCenter.Route.tls.Enable | bool | `false` | Set this to true in OpenShift to terminate TLS at route level | +| OperationsCenter.ServiceAgentListenerPort | int | `50000` | Controls the service port where Operations Center TCP port for agents is exposed. Don't change this parameter unless you know what you are doing | +| OperationsCenter.ServiceAnnotations | object | `{}` | Additional annotations to put on the Operations Center service | +| OperationsCenter.ServicePort | int | `80` | Controls the service port where Operations Center http port is exposed. Don't change this parameter unless you know what you are doing | +| OperationsCenter.ServiceType | string | `"ClusterIP"` | Service Type. Defaults to ClusterIP, since we recommend using an ingress controller. | +| OperationsCenter.Tolerations | list | `[]` | Specify tolerations for the Operations Center pod. 
See [documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +| Persistence.AccessMode | string | `"ReadWriteOnce"` | Access mode for the PVC ([doc](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes)) | +| Persistence.Annotations | object | `{}` | Annotations to put on the PVC | +| Persistence.Size | string | `"20Gi"` | Size of the Operations Center volume | +| Persistence.StorageClass | string | `nil` | Persistent Volume Storage Class for Jenkins Home If defined, storageClassName: . If set to "-", storageClassName: "", which disables dynamic provisioning. If undefined (the default) or set to null, the default storage class will be used, unless specified otherwise below. If setting OperationsCenter.Platform == gke, a storage class backed with SSD drives will be created by this chart and used automatically. | +| PodSecurityPolicy.Annotations | object | `{}` | Additional annotations to put on the PodSecurityPolicy, e.g. AppArmor/Seccomp settings | +| PodSecurityPolicy.Enabled | bool | `false` | Enables [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) support Enable only if the cluster supports it. | +| ingress-nginx.Enabled | bool | `false` | Installs the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx) controller (optional). 
Enable this section if you don't have an existing installation of ingress-nginx controller Note: use `beta.kubernetes.io/os` when deploying on Kubernetes versions below 1.16 | +| ingress-nginx.controller.ingressClass | string | `"nginx"` | | +| ingress-nginx.controller.nodeSelector."kubernetes.io/os" | string | `"linux"` | | +| ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` | | +| ingress-nginx.defaultBackend.nodeSelector."kubernetes.io/os" | string | `"linux"` | | +| nginx-ingress.Enabled | bool | `false` | Installs the [nginx-ingress](https://github.com/helm/charts/tree/master/stable/nginx-ingress) controller (optional). DEPRECATED - Use ingress-nginx section instead. Enable this section if you don't have an existing installation of nginx-ingress controller Note: use `beta.kubernetes.io/os` when deploying on Kubernetes versions below 1.16 | +| nginx-ingress.controller.ingressClass | string | `"nginx"` | | +| nginx-ingress.controller.nodeSelector."kubernetes.io/os" | string | `"linux"` | | +| nginx-ingress.controller.service.externalTrafficPolicy | string | `"Local"` | | +| nginx-ingress.defaultBackend.nodeSelector."kubernetes.io/os" | string | `"linux"` | | +| rbac.agentsServiceAccountName | string | `"jenkins-agents"` | | +| rbac.hibernationMonitorServiceAccountName | string | `"managed-master-hibernation-monitor"` | Name of the service account the Hibernation monitor will run as (if enabled) | +| rbac.install | bool | `true` | Install `role`/`rolebindings`/`serviceAccount`. If false (and rbac is enabled in the cluster anyway), provide valid names for all service accounts. | +| rbac.masterServiceAccountName | string | `"jenkins"` | Name of the service account Jenkins masters will run as | +| rbac.serviceAccountName | string | `"cjoc"` | Name of the service account Operations Center will run as | +| sidecarinjector.Enabled | bool | `false` | Whether to enable installation of Sidecar Injector | 
diff --git a/helm/README.md b/helm/README.md index 3c7a9e13638816c56bf696d7ae87a9cd63ee68b0..dd51b08265afc2dfce0186f3c9786ba9e05f7f5d 100644 --- a/helm/README.md +++ b/helm/README.md @@ -1,8 +1,8 @@ # cloudbees-core -![Version: 3.22.0](https://img.shields.io/badge/Version-3.22.0-informational?style=flat-square) ![AppVersion: 2.249.2.3](https://img.shields.io/badge/AppVersion-2.249.2.3-informational?style=flat-square) +![Version: 3.25.3](https://img.shields.io/badge/Version-3.25.3-informational?style=flat-square) ![AppVersion: 2.263.2.3](https://img.shields.io/badge/AppVersion-2.263.2.3-informational?style=flat-square) -[CloudBees Core](https://www.cloudbees.com/products/cloudbees-core) is the continuous delivery platform architected for the enterprise. It provides: +[CloudBees CI](https://www.cloudbees.com/products/continuous-integration) is the continuous integration platform architected for the enterprise. It provides: * DevOps at scale * Resilience and high availability @@ -18,18 +18,18 @@ $ helm install cloudbees/cloudbees-core --name ## Introduction -This chart bootstraps a CloudBees Core deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. +This chart bootstraps a CloudBees CI deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. ## Prerequisites - - Kubernetes 1.10 or higher - - Helm 2.12 or higher + - Kubernetes 1.14 or higher + - Helm 3.0.2 or higher ## Requirements | Repository | Name | Version | |------------|------|---------| -| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.0.7 | -| https://kubernetes-charts.storage.googleapis.com/ | nginx-ingress | 1.40.2 | +| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.0 | +| https://charts.helm.sh/stable | nginx-ingress | 1.40.2 | | https://kubernetes.github.io/ingress-nginx | ingress-nginx | 2.15.0 | ## Installing the Chart 
@@ -44,18 +44,18 @@ $ helm install cloudbees/cloudbees-core \ --set OperationsCenter.HostName='cloudbees-core.example.com' ``` -The command deploys CloudBees Core on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. +The command deploys CloudBees CI on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. ### Ingress Controller Installation -The chart is designed, so it can install an nginx-ingress controller. -The `nginx.ingress.Enabled` field controls ingress controller installation and setup. +The chart is designed, so it can install an ingress-nginx controller. +The `"ingress-nginx".Enabled` field controls ingress controller installation and setup. To install the chart with the release name `cloudbees-core` and hostname cloudbees-core.example.com. ```console $ helm install cloudbees/cloudbees-core \ --name cloudbees-core \ - --set nginx.ingress.Enabled=true + --set "ingress-nginx".Enabled=true ``` ## Uninstalling the Chart @@ -65,10 +65,10 @@ To uninstall/delete the `cloudbees-core` deployment: ```console $ helm delete cloudbees-core ``` -> **NOTE**: The current version of the CloudBees Core Helm Chart only manages the Operation Center. +> **NOTE**: The current version of the CloudBees CI Helm Chart only manages the Operation Center. Users should manage Managed Master using Operation Center. -The `helm delete` command stops the CloudBees Core deployment than removes the OperationsCenter Center. +The `helm delete` command stops the CloudBees CI deployment than removes the OperationsCenter Center. The release is still stored in the Helm database, but it will now have the status deleted. If you wish to completely remove the release, use the following variation of the `helm delete` command. 
@@ -76,8 +76,8 @@ If you wish to completely remove the release, use the following variation of the $ helm delete cloudbees-core --purge ``` -> **IMPORTANT**: The `helm delete` command does NOT remove the persistent volume claims as precaution against data losss. -You will need to use the `kubectl delete pvc` command to delete the persistent volumn claims. +> **IMPORTANT**: The `helm delete` command does NOT remove the persistent volume claims as precaution against data loss. +You will need to use the `kubectl delete pvc` command to delete the persistent volume claims. The command removes all the Kubernetes components associated with the chart and deletes the release. 
@@ -101,22 +101,26 @@ To use an environment property value file with Helm, use the -f option as shown You can download the latest version of the `example-values.yaml` file from CloudBees Examples GitHub repository at https://github.com/cloudbees/cloudbees-examples/tree/master/helm-custom-value-file-examples. ## Additional Documentation -CloudBees provides complete and more detail installation and operation documentation on the CloudBees web site at https://go.cloudbees.com/docs/cloudbees-core/cloud-install-guide/kubernetes-helm-install/ +CloudBees provides complete and more detailed installation and operation documentation on the CloudBees web site at https://docs.cloudbees.com/docs/cloudbees-ci/latest/kubernetes-install-guide/ ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| | Agents.Enabled | bool | `true` | Enable to create agent resources (service account, role) | -| Agents.Image.dockerImage | string | `"063356183961.dkr.ecr.us-east-1.amazonaws.com/ubi/unified-distribution/agent:2.249.2.3"` | Used to override the default docker image used for agents | +| Agents.Image.dockerImage | string | `"test/agent:latest"` | Used to override the default docker image used for agents | +| Agents.ImagePullSecrets | string | `nil` | Name of image pull secret to pull private Docker images or an array of image pull secrets | | Agents.SeparateNamespace.Create | bool | `false` | If true, the second namespace will be created when installing this chart. Otherwise, the existing namespace should be labeled with `cloudbees.com/role: agents` in order for network policies to work. | | Agents.SeparateNamespace.Enabled | bool | `false` | If enabled, agents resources will be created in a separate namespace as well as bindings allowing masters to schedule them. | | Agents.SeparateNamespace.Name | string | `nil` | Namespace where to create agents resources. 
Defaults to `${namespace}-builds` where `${namespace}` is the namespace where the chart is installed. | | Hibernation.Enabled | bool | `false` | Whether to enable the [Hibernation](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-admin-guide/managing-masters#_hibernation_of_managed_masters) feature | | Hibernation.Image.dockerImage | string | `"cloudbees/managed-master-hibernation-monitor:230.ee066a318539"` | Used to override the default docker image | -| Hibernation.Image.dockerPullPolicy | string | `"IfNotPresent"` | Used to override the default pull policy | +| Hibernation.Image.dockerPullPolicy | string | `nil` | Used to override the default pull policy | +| Hibernation.ImagePullSecrets | string | `nil` | Name of image pull secret to pull private Docker images or an array of image pull secrets | +| Hibernation.NodeSelector | object | `{}` | Node labels and tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | +| Hibernation.Tolerations | list | `[]` | Specify tolerations for the Hibernation Monitor pod. See [documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | | Master.Enabled | bool | `true` | Whether to create the resources required to schedule masters. | -| Master.Image.dockerImage | string | `"063356183961.dkr.ecr.us-east-1.amazonaws.com/ubi/unified-distribution/core-mm:2.249.2.3"` | Used to override the default docker image | +| Master.Image.dockerImage | string | `"test/core-mm:latest"` | Used to override the default docker image | | Master.JavaOpts | string | `nil` | Additional Java options to pass to managed masters. For example, setting up a JMX port | | Master.OperationsCenterNamespace | string | `nil` | When deploying Master resources, this grants an Operations Center deployed in another namespace the right to deploy masters | | NetworkPolicy.Enabled | bool | `false` | Enable only if the cluster supports it. 
Read the [documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to understand what this is about. | @@ -131,9 +135,9 @@ CloudBees provides complete and more detail installation and operation documenta | OperationsCenter.HealthProbeLivenessFailureThreshold | int | `12` | Threshold for liveness failure | | OperationsCenter.HealthProbes | bool | `true` | Enable Kubernetes Liveness and Readiness Probes | | OperationsCenter.HostName | string | `nil` | The hostname used to access Operations Center through the ingress controller. | -| OperationsCenter.Image.dockerImage | string | `"063356183961.dkr.ecr.us-east-1.amazonaws.com/ubi/unified-distribution/core-oc:2.249.2.3"` | Container image to use for Operations Center | -| OperationsCenter.Image.dockerPullPolicy | string | `"Always"` | https://kubernetes.io/docs/concepts/containers/images/#updating-images | -| OperationsCenter.ImagePullSecrets | string | `nil` | The name of the image pull secret to pull private docker images | +| OperationsCenter.Image.dockerImage | string | `"test/core-oc:latest"` | Container image to use for Operations Center | +| OperationsCenter.Image.dockerPullPolicy | string | `nil` | https://kubernetes.io/docs/concepts/containers/images/#updating-images | +| OperationsCenter.ImagePullSecrets | string | `nil` | Name of image pull secret to pull private Docker images or an array of image pull secrets | | OperationsCenter.Ingress.Annotations | object | `{"kubernetes.io/tls-acme":"false"}` | annotations to put on Ingress object | | OperationsCenter.Ingress.Class | string | `"nginx"` | Ingress class to use for OC and MM ingresses Should be set to the same value as nginx-ingress.controller.ingressClass if enabled | | OperationsCenter.Ingress.tls.Enable | bool | `false` | Set this to true in order to enable TLS on the ingress record | 
@@ -143,7 +147,7 @@ CloudBees provides complete and more detail installation and operation documenta | OperationsCenter.LoadBalancerIP | string | `nil` | Optionally assign a known public LB IP | | OperationsCenter.LoadBalancerSourceRanges | list | `["0.0.0.0/0"]` | Only applicable when using `ServiceType: LoadBalancer` | | OperationsCenter.NodeSelector | object | `{}` | Node labels and tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | -| OperationsCenter.Platform | string | `"standard"` | Enables specific settings depending on the platform platform specific values are: `eks`, `aws`, `gke`, `aks`, `pks`, `openshift`, `openshift4` Note: `openshift` maps to OpenShift 3.x | +| OperationsCenter.Platform | string | `"standard"` | Enables specific settings depending on the platform platform specific values are: `eks`, `aws`, `gke`, `aks`, `openshift`, `openshift4` Note: `openshift` maps to OpenShift 3.x | | OperationsCenter.Protocol | string | `"http"` | the protocol used to access CJOC. Possible values are http/https. | | OperationsCenter.Resources.Limits.Cpu | int | `1` | CPU limit to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu | | OperationsCenter.Resources.Limits.Memory | string | `"2G"` | Memory limit to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory | 
@@ -159,8 +163,6 @@ CloudBees provides complete and more detail installation and operation documenta | Persistence.Annotations | object | `{}` | Annotations to put on the PVC | | Persistence.Size | string | `"20Gi"` | Size of the Operations Center volume | | Persistence.StorageClass | string | `nil` | Persistent Volume Storage Class for Jenkins Home If defined, storageClassName: . If set to "-", storageClassName: "", which disables dynamic provisioning. If undefined (the default) or set to null, the default storage class will be used, unless specified otherwise below. If setting OperationsCenter.Platform == gke, a storage class backed with SSD drives will be created by this chart and used automatically. | -| Persistence.mounts | list | `[]` | Additional volume mounts to attach to Operations Center container | -| Persistence.volumes | list | `[]` | Additional volumes to attach to Operations Center pod | | PodSecurityPolicy.Annotations | object | `{}` | Additional annotations to put on the PodSecurityPolicy, e.g. AppArmor/Seccomp settings | | PodSecurityPolicy.Enabled | bool | `false` | Enables [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) support Enable only if the cluster supports it. | | ingress-nginx.Enabled | bool | `false` | Installs the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx) controller (optional). Enable this section if you don't have an existing installation of ingress-nginx controller Note: use `beta.kubernetes.io/os` when deploying on Kubernetes versions below 1.16 | 
@@ -175,7 +177,7 @@ CloudBees provides complete and more detail installation and operation documenta | nginx-ingress.defaultBackend.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | rbac.agentsServiceAccountName | string | `"jenkins-agents"` | | | rbac.hibernationMonitorServiceAccountName | string | `"managed-master-hibernation-monitor"` | Name of the service account the Hibernation monitor will run as (if enabled) | -| rbac.install | bool | `true` | Install `role`/`rolebindings`/`serviceAccount`. If false (and rbac is enabled in the cluster anyway), provide valid names for `serviceAccountName`, `masterServiceAccountName` and `hibernationMonitorServiceAccountName` | +| rbac.install | bool | `true` | Install `role`/`rolebindings`/`serviceAccount`. If false (and rbac is enabled in the cluster anyway), provide valid names for all service accounts. | | rbac.masterServiceAccountName | string | `"jenkins"` | Name of the service account Jenkins masters will run as | | rbac.serviceAccountName | string | `"cjoc"` | Name of the service account Operations Center will run as | | sidecarinjector.Enabled | bool | `false` | Whether to enable installation of Sidecar Injector | diff --git a/helm/README.md.gotmpl b/helm/README.md.gotmpl deleted file mode 100644 index 3f3b13a1f5f868461359ced4c9450f0a6dea83b9..0000000000000000000000000000000000000000 --- a/helm/README.md.gotmpl +++ /dev/null 
@@ -1,101 +0,0 @@ -# cloudbees-core - -{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} - -[CloudBees Core](https://www.cloudbees.com/products/cloudbees-core) is the continuous delivery platform architected for the enterprise. It provides: - -* DevOps at scale -* Resilience and high availability -* Easy management -* Enterprise grade security - -## TL;DR; - -```console -$ helm repo add cloudbees https://charts.cloudbees.com/public/cloudbees -$ helm install cloudbees/cloudbees-core --name -``` - -## Introduction - -This chart bootstraps a CloudBees Core deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -## Prerequisites - - Kubernetes 1.10 or higher - - Helm 2.12 or higher - -{{ template "chart.requirementsSection" . }} - -## Installing the Chart - -### Default installation - -To install the chart with the release name `cloudbees-core` and hostname `cloudbees-core.example.com`. The default installation requires nginx-ingress controller to be installed. The chart can install the nginx-ingress controller for you. This installation is described in the next section. - -```console -$ helm install cloudbees/cloudbees-core \ - --name cloudbees-core \ - --set OperationsCenter.HostName='cloudbees-core.example.com' -``` - -The command deploys CloudBees Core on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. - -### Ingress Controller Installation - -The chart is designed, so it can install an nginx-ingress controller. -The `nginx.ingress.Enabled` field controls ingress controller installation and setup. -To install the chart with the release name `cloudbees-core` and hostname cloudbees-core.example.com. 
- -```console -$ helm install cloudbees/cloudbees-core \ - --name cloudbees-core \ - --set nginx.ingress.Enabled=true -``` - -## Uninstalling the Chart - -To uninstall/delete the `cloudbees-core` deployment: - -```console -$ helm delete cloudbees-core -``` -> **NOTE**: The current version of the CloudBees Core Helm Chart only manages the Operation Center. -Users should manage Managed Master using Operation Center. - -The `helm delete` command stops the CloudBees Core deployment than removes the OperationsCenter Center. -The release is still stored in the Helm database, but it will now have the status deleted. -If you wish to completely remove the release, use the following variation of the `helm delete` command. - -```console -$ helm delete cloudbees-core --purge -``` - -> **IMPORTANT**: The `helm delete` command does NOT remove the persistent volume claims as precaution against data losss. -You will need to use the `kubectl delete pvc` command to delete the persistent volumn claims. - - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Configuration - -Please refer to the chart `values.yaml` to get the exhaustive list of values that can be customized. -The easiest way to consult it is through the command `helm inspect values cloudbees/cloudbees-core`. - -Each property can override a default value with a value that specific to your Kubernetes cluster -You can provide this values using the `--set` flag on the Helm command line. - -Helm also support merging values files together, so that you can create a YAML file for each environment. - -### Environment Property Value Files -Helm provides the option to use a custom property values file to override the default values set in the `values.yaml` file. -CloudBees recommends creating a custom properties file to override the default for your environments, instead of directly editing the included values.yaml file. 
- -To use an environment property value file with Helm, use the -f option as shown in the following example: -`helm install cloudbees-core --name cloudbees-core -f example-values.yaml` - -You can download the latest version of the `example-values.yaml` file from CloudBees Examples GitHub repository at https://github.com/cloudbees/cloudbees-examples/tree/master/helm-custom-value-file-examples. - -## Additional Documentation -CloudBees provides complete and more detail installation and operation documentation on the CloudBees web site at https://go.cloudbees.com/docs/cloudbees-core/cloud-install-guide/kubernetes-helm-install/ - -{{ template "chart.valuesSection" . }} diff --git a/helm/requirements.lock b/helm/requirements.lock index 8511053a21e654374f92be531fbe227212602d2a..4b08a7fbd90e574682d8d63b95f90a6c92050627 100644 --- a/helm/requirements.lock +++ b/helm/requirements.lock @@ -1,12 +1,12 @@ dependencies: - name: nginx-ingress - repository: https://kubernetes-charts.storage.googleapis.com/ + repository: https://charts.helm.sh/stable version: 1.40.2 - name: ingress-nginx repository: https://kubernetes.github.io/ingress-nginx version: 2.15.0 - name: cloudbees-sidecar-injector repository: https://charts.cloudbees.com/public/cloudbees - version: 2.0.7 -digest: sha256:10f7e8c53d0a6f910f4dbe0fd253fbefd288fb5fc24365635968e99b3bc75dbf -generated: "2020-10-07T14:35:15.239221954Z" + version: 2.1.0 +digest: sha256:996f7a1d8ae1bb7465e7df2865ef4521e1ebe3e10827d6544caebd4d0c811c23 +generated: "2020-11-02T17:56:50.500073-05:00" diff --git a/helm/requirements.yaml b/helm/requirements.yaml index 1747d0150a5aed9b7cac9bebe8cd526877ee447d..417a1df374bf249a36339f88ea3697a460adbbdb 100644 --- a/helm/requirements.yaml +++ b/helm/requirements.yaml 
@@ -1,13 +1,13 @@ dependencies: - name: nginx-ingress version: 1.40.2 - repository: https://kubernetes-charts.storage.googleapis.com/ + repository: https://charts.helm.sh/stable condition: nginx-ingress.Enabled - name: ingress-nginx version: 2.15.0 repository: https://kubernetes.github.io/ingress-nginx condition: ingress-nginx.Enabled - name: cloudbees-sidecar-injector - version: 2.0.7 + version: 2.1.0 repository: https://charts.cloudbees.com/public/cloudbees condition: sidecarinjector.Enabled diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl index 485a0fa5d19eded24e0c90cd2a17c68bc25fe4bc..18a400cee34f0fcdbb2ca5d8df8468a47f290712 100644 --- a/helm/templates/_helpers.tpl +++ b/helm/templates/_helpers.tpl @@ -6,6 +6,13 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Full name of the release +*/}} +{{- define "cloudbees-core.fullname" -}} +{{ printf "%s-%s" .Release.Name .Release.Namespace | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} @@ -95,7 +102,7 @@ helm.sh/chart: {{ include "cloudbees-core.chart" . | quote }} {{- end -}} {{- define "oc.protocol" -}} -{{- if .Values.OperationsCenter.Ingress.tls.Enable -}}https{{- else -}}{{ .Values.OperationsCenter.Protocol }}{{- end -}} +{{- if or (.Values.OperationsCenter.Ingress.tls.Enable) (.Values.OperationsCenter.Route.tls.Enable) -}}https{{- else -}}{{ .Values.OperationsCenter.Protocol }}{{- end -}} {{- end -}} {{/* 
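Review bot: `oc.protocol` now dereferences `.Values.OperationsCenter.Route.tls.Enable`, and no hunk in this patch adds a `Route` section to values.yaml; if it is not defined elsewhere, every install that does not set it fails to render with a nil-pointer error, because the template engine evaluates both operands of `or` before deciding. Guard the new operand so the previous behaviour survives when the key is absent: `{{- $route := .Values.OperationsCenter.Route | default dict -}}`, `{{- $routeTls := $route.tls | default dict -}}`, then `{{- if or .Values.OperationsCenter.Ingress.tls.Enable $routeTls.Enable -}}https{{- else -}}{{ .Values.OperationsCenter.Protocol }}{{- end -}}`. If `Route` is in fact declared in values.yaml outside this diff, a one-line comment above the define saying so would save the next reader the same check.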
@@ -133,6 +140,56 @@ Expected Operations Center URL. Always ends with a trailing slash. {{- template "oc.protocol" . -}}://{{ include "oc.hostname" . }}{{ include "oc.contextpath" . }}/ {{- end -}} +{{- define "ingress.annotations" -}} +{{ toYaml .Values.OperationsCenter.Ingress.Annotations }} +{{- if .Values.OperationsCenter.Ingress.Class }} +kubernetes.io/ingress.class: {{ .Values.OperationsCenter.Ingress.Class }} +{{- end }} +{{- if eq .Values.OperationsCenter.Platform "eks" }} + {{- if eq (include "oc.protocol" .) "https" }} +alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80}, {"HTTPS":443}]' +alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}' + {{- end }} + {{- if not (eq (include "oc.contextpath" .) "") }} +alb.ingress.kubernetes.io/actions.root-redirect: '{"Type": "redirect", "RedirectConfig": { "Path":{{ include "ingress.root-redirect" . | quote }}, "StatusCode": "HTTP_301"}}' + {{- end }} +alb.ingress.kubernetes.io/group.name: {{ include "cloudbees-core.fullname" .}} +alb.ingress.kubernetes.io/target-type: ip +{{- end }} +{{- if not (include "cloudbees-core.is-openshift" .) }} +nginx.ingress.kubernetes.io/ssl-redirect: "{{- template "ingress.ssl_redirect" . }}" +{{- end }} +{{- end }} + +{{- define "ingress.root-redirect" -}} +{{ include "oc.contextpath" . }}/teams-check/ +{{- end }} + +{{- define "ingress.redirect-rules" -}} +{{- if eq .Values.OperationsCenter.Platform "eks" }} + {{- if eq (include "oc.protocol" .) "https" }} +- path: /* + backend: + serviceName: ssl-redirect + servicePort: use-annotation + {{- end }} + {{- if not (eq (include "oc.contextpath" .) 
"") }} +- path: / + backend: + serviceName: root-redirect + servicePort: use-annotation + {{- end }} +{{- end }} +{{- end }} + +{{- define "ingress.apiGroup" -}} +{{- if ge (atoi (.Capabilities.KubeVersion.Minor)) 15 -}} +networking.k8s.io +{{- else -}} +extensions +{{- end -}} +{{- end -}} + {{- define "ingress.apiVersion" -}} {{- if ge (atoi (.Capabilities.KubeVersion.Minor)) 15 -}} networking.k8s.io/v1beta1 @@ -405,6 +462,9 @@ status: {{- end -}} {{- define "ingress.check" -}} +{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress") }} + {{ fail "\n\nERROR: Kubernetes 1.14 or later is required to use Ingress in networking.k8s.io/v1beta1" }} +{{- end -}} {{- if and (index .Values "nginx-ingress" "Enabled") (index .Values "ingress-nginx" "Enabled") -}} {{ fail "\n\nERROR: Only one of nginx-ingress.Enabled or ingress-nginx.Enabled may be true" }} {{- end -}} diff --git a/helm/templates/agents-service-account.yaml b/helm/templates/agents-service-account.yaml index 959ee0c7f7a335f2dddb0465487f0fb490d2e2aa..f4bbe1b9bdb4f498fb0c9a6755991882f05c66be 100644 --- a/helm/templates/agents-service-account.yaml +++ b/helm/templates/agents-service-account.yaml @@ -1,4 +1,4 @@ -{{- if and (.Values.rbac.install) (.Values.Agents.SeparateNamespace.Enabled) -}} +{{- if and (.Values.rbac.install) -}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/helm/templates/cjoc-configure-jenkins-groovy.yaml b/helm/templates/cjoc-configure-jenkins-groovy.yaml index a88903c805d892c77532bb13dc4bf764fc1c58dd..ac4564723d718cf572327423897eafabf9600103 100644 --- a/helm/templates/cjoc-configure-jenkins-groovy.yaml +++ b/helm/templates/cjoc-configure-jenkins-groovy.yaml 
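Review bot: `ingress.annotations` emits the user-supplied `OperationsCenter.Ingress.Annotations` map first and then the chart-controlled keys (`kubernetes.io/ingress.class`, `nginx.ingress.kubernetes.io/ssl-redirect`, the `alb.ingress.kubernetes.io/*` keys), so a user who sets any of those keys produces a duplicate YAML key whose fate depends on the parser — rejected, or silently last-wins. The one that matters for security is `ssl-redirect`: a user value of `"false"` would either break the render or be overridden without notice. Make the precedence deterministic by building one dict (`merge` the user map over the chart defaults, or the reverse) and calling `toYaml` once, and state in values.yaml which annotation keys the chart reserves. The same consolidated helper is also used by the hibernation-monitor ingress, so the fix applies to both.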
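Review bot: The new `ingress.check` calls `fail` whenever `.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress"` is false, and that set is only filled from the live cluster during install/upgrade; offline `helm template` and `helm lint` (and any CI that renders without `--api-versions networking.k8s.io/v1beta1/Ingress`) may carry only group versions, not kinds, and would then trip the `fail` — worth confirming before merging, since it would break every templating-based pipeline. Record the requirement in the chart, e.g. a template comment above the check, `{{/* cluster capabilities are required here; for offline rendering pass --api-versions networking.k8s.io/v1beta1/Ingress */}}`, and mention it in the README prerequisites. Note also that `ingress.apiVersion` still emits `v1beta1` unconditionally for 1.15+, so the check rejects exactly the clusters where that version has been removed rather than selecting a newer one.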
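Review bot: `{{- if and (.Values.rbac.install) -}}` applies `and` to a single operand, which is just `{{- if .Values.rbac.install -}}` and reads as if a second condition were dropped by mistake; use the plain form. With the `Agents.SeparateNamespace.Enabled` condition removed, the agents ServiceAccount is now created in the release namespace on every `rbac.install=true` install, which is consistent with the new `ServiceAccountFilter.defaultServiceAccount` flag in the statefulset, but a one-line comment in the template (`# always created: masters schedule agents as this account by default`) would stop the next reader from re-adding the namespace condition.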
@@ -7,7 +7,6 @@ metadata: {{ include "cloudbees-core.labels" . | indent 4 }} data: location.groovy: | - hudson.ExtensionList.lookupSingleton(com.cloudbees.jenkins.support.impl.cloudbees.TcpSlaveAgentListenerMonitor.class).disable(true) {{- if .Values.OperationsCenter.HostName }} jenkins.model.JenkinsLocationConfiguration.get().setUrl("{{- template "oc.url" . -}}") {{- end }} diff --git a/helm/templates/cjoc-ingress.yaml b/helm/templates/cjoc-ingress.yaml index 60ee882992b1e591856996a2f8809f8bfc3cc8bf..123a79316575bf4504cd6f93da702c0ba3c0a938 100644 --- a/helm/templates/cjoc-ingress.yaml +++ b/helm/templates/cjoc-ingress.yaml @@ -8,13 +8,9 @@ metadata: labels: {{ include "cloudbees-core.labels" . | indent 4 }} annotations: -{{ toYaml .Values.OperationsCenter.Ingress.Annotations | indent 4 }} -{{ if .Values.OperationsCenter.Ingress.Class }} - kubernetes.io/ingress.class: {{ .Values.OperationsCenter.Ingress.Class }} -{{- end }} +{{ include "ingress.annotations" . | indent 4 }} {{- if not (include "cloudbees-core.is-openshift" .) }} - nginx.ingress.kubernetes.io/app-root: "{{ template "oc.contextpath" . }}/teams-check/" - nginx.ingress.kubernetes.io/ssl-redirect: "{{- template "ingress.ssl_redirect" . }}" + nginx.ingress.kubernetes.io/app-root: {{ include "ingress.root-redirect" . | quote }} # "413 Request Entity Too Large" uploading plugins, increase client_max_body_size nginx.ingress.kubernetes.io/proxy-body-size: 50m nginx.ingress.kubernetes.io/proxy-request-buffering: "off" @@ -27,10 +23,15 @@ spec: {{- end }} http: paths: +{{- include "ingress.redirect-rules" . | indent 6 }} - path: {{ include "oc.contextpath" . }} backend: serviceName: cjoc servicePort: {{ .Values.OperationsCenter.ServicePort }} + - path: {{ include "oc.contextpath" . }}/* + backend: + serviceName: cjoc + servicePort: {{ .Values.OperationsCenter.ServicePort }} {{- if .Values.OperationsCenter.Ingress.tls.Enable }} tls: - hosts: 
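Review bot: The added `{{ include "oc.contextpath" . }}/*` path is an ALB-style wildcard, but ingress-nginx treats `path` as a literal prefix unless `nginx.ingress.kubernetes.io/use-regex` is set, so for the default `nginx` class this rule is at best redundant and at worst a literal `/*` location — and the `ssl-redirect`/`root-redirect` backends it sits beside are already limited to `Platform == "eks"` in `ingress.redirect-rules`. Gate it the same way, `{{- if eq .Values.OperationsCenter.Platform "eks" }}` around the `/*` rule with a matching `{{- end }}`, or confirm ingress-nginx's handling of the `*` and record it in a comment on the rule.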
diff --git a/helm/templates/cjoc-role-master-management.yaml b/helm/templates/cjoc-role-master-management.yaml index 771798e9e3ac4859e4f094e9f3f5ae23b157d5f0..eb4d0564121883073fe9a91b40f4c66a1cbab6ef 100644 --- a/helm/templates/cjoc-role-master-management.yaml +++ b/helm/templates/cjoc-role-master-management.yaml @@ -99,7 +99,9 @@ rules: - create {{- else}} - apiGroups: + # - {{ include "ingress.apiGroup" . }} TODO once we get https://github.com/cloudbees/cloud-platform-master-provisioning-plugin/pull/325 in. - extensions + - networking.k8s.io resources: - ingresses verbs: diff --git a/helm/templates/cjoc-statefulset.yaml b/helm/templates/cjoc-statefulset.yaml index 9e7f843b83ccff054ed1a9b084f7b0a9444bbdc1..788ff4b86fdc2f7dd522e805b37987a66689e821 100644 --- a/helm/templates/cjoc-statefulset.yaml +++ b/helm/templates/cjoc-statefulset.yaml @@ -62,6 +62,7 @@ spec: operator: In values: - slave + enableServiceLinks: false serviceAccountName: {{ .Values.rbac.serviceAccountName }} {{- if .Values.OperationsCenter.NodeSelector }} nodeSelector: @@ -92,8 +93,10 @@ spec: - name: jenkins {{- with .Values.OperationsCenter.Image}} image: "{{ .dockerImage }}" + {{- if .dockerPullPolicy }} imagePullPolicy: "{{ .dockerPullPolicy }}" {{- end}} + {{- end}} env: {{- if .Values.OperationsCenter.ContainerEnv }} {{ toYaml .Values.OperationsCenter.ContainerEnv | indent 8 }} @@ -110,6 +113,7 @@ spec: {{- if .Values.Agents.SeparateNamespace.Enabled }} -Dcom.cloudbees.jenkins.plugins.kube.NamespaceFilter.defaultNamespace={{ template "agents.namespace" . }} {{- end }} + -Dcom.cloudbees.jenkins.plugins.kube.ServiceAccountFilter.defaultServiceAccount={{ .Values.rbac.agentsServiceAccountName }} {{- if .Values.Master.JavaOpts }} {{ .Values.Master.JavaOpts }} {{- end }} 
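Review bot: Omitting `imagePullPolicy` when `dockerPullPolicy` is null hands the decision to Kubernetes, which infers `Always` only for `:latest` and `IfNotPresent` for every other tag; with mutable tags such as `2.263.2.4-ra` in values.yaml, a node that already caches an older build of that tag keeps running it across upgrades unless the tag changes or the image is pinned by digest. Either keep the policy explicit or document the intent next to the value, e.g. `# null = let Kubernetes choose (Always for :latest, IfNotPresent otherwise); pin the image by digest for reproducible pulls`. The same construct is repeated in the hibernation-monitor deployment and should carry the same note.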
@@ -148,7 +152,7 @@ spec: {{- if .Values.OperationsCenter.JavaOpts }} {{ .Values.OperationsCenter.JavaOpts }} {{- end }} - {{- if .Values.OperationsCenter.CSRF.ProxyCompatibility -}} + {{- if .Values.OperationsCenter.CSRF.ProxyCompatibility }} -Djenkins.model.Jenkins.crumbIssuerProxyCompatibility=true {{- end }} -XX:+UseG1GC @@ -170,15 +174,14 @@ spec: cpu: "{{ .Values.OperationsCenter.Resources.Requests.Cpu }}" memory: "{{ .Values.OperationsCenter.Resources.Requests.Memory }}" volumeMounts: -{{- if .Values.Persistence.mounts }} -{{ toYaml .Values.Persistence.mounts | indent 12 }} -{{- end }} - name: jenkins-home mountPath: /var/jenkins_home readOnly: false - name: jenkins-configure-jenkins-groovy mountPath: /var/jenkins_config/configure-jenkins.groovy.d readOnly: true + - name: tmp + mountPath: /tmp {{- if .Values.OperationsCenter.ExtraVolumeMounts }} {{toYaml .Values.OperationsCenter.ExtraVolumeMounts | indent 8}} {{- end }} @@ -202,12 +205,11 @@ spec: {{toYaml .Values.OperationsCenter.ExtraContainers | indent 6}} {{- end }} volumes: -{{- if .Values.Persistence.volumes }} -{{ toYaml .Values.Persistence.volumes | indent 6 }} -{{- end }} - name: jenkins-configure-jenkins-groovy configMap: name: cjoc-configure-jenkins-groovy + - name: tmp + emptyDir: {} {{- if .Values.OperationsCenter.ExtraVolumes }} {{toYaml .Values.OperationsCenter.ExtraVolumes | indent 6}} {{- end }} diff --git a/helm/templates/managed-master-hibernation-monitor-deployment.yaml b/helm/templates/managed-master-hibernation-monitor-deployment.yaml index c526a26fdba5baf6ba5e7c6ffb97f82763981dc5..b8b28ca0aeb458c6f34d7787f5a7f57ebdee1d78 100644 --- a/helm/templates/managed-master-hibernation-monitor-deployment.yaml +++ b/helm/templates/managed-master-hibernation-monitor-deployment.yaml 
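Review bot: The new `tmp` emptyDir mounted at `/tmp` has no stated purpose and no `sizeLimit`; presumably it exists so the Operations Center container can run with a read-only root filesystem (TODO confirm), and without a limit a runaway plugin download or heap dump fills node ephemeral storage before anything reacts. Add a why-comment on the volume, e.g. `# scratch space so the root filesystem can be mounted read-only`, and consider `emptyDir: { sizeLimit: 1Gi }` sized to the expected temp usage, bearing in mind that exceeding the limit evicts the pod. The enclosing container and volume lists start outside this hunk.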
@@ -44,8 +44,10 @@ spec: - name: managed-master-hibernation-monitor {{- with .Values.Hibernation.Image}} image: {{ .dockerImage }} + {{- if .dockerPullPolicy }} imagePullPolicy: {{ .dockerPullPolicy }} {{- end}} + {{- end}} ports: - containerPort: 8090 name: http @@ -69,4 +71,13 @@ spec: limits: memory: 250Mi serviceAccountName: {{ .Values.rbac.hibernationMonitorServiceAccountName }} + enableServiceLinks: false + {{- if .Values.Hibernation.NodeSelector }} + nodeSelector: +{{ toYaml .Values.Hibernation.NodeSelector | indent 8 }} + {{- end }} + {{- if .Values.Hibernation.Tolerations }} + tolerations: +{{ toYaml .Values.Hibernation.Tolerations | indent 8 }} + {{- end }} {{- end -}} diff --git a/helm/templates/managed-master-hibernation-monitor-ingress.yaml b/helm/templates/managed-master-hibernation-monitor-ingress.yaml index 3e3b8ebb2381af42625f71f781dde2f74fbc2da0..f1ee17eb1c5b60f3d80e9517302c29f4e88d582b 100644 --- a/helm/templates/managed-master-hibernation-monitor-ingress.yaml +++ b/helm/templates/managed-master-hibernation-monitor-ingress.yaml @@ -7,11 +7,7 @@ metadata: labels: {{ include "cloudbees-core.labels" . | indent 4 }} annotations: -{{ toYaml .Values.OperationsCenter.Ingress.Annotations | indent 4 }} -{{ if .Values.OperationsCenter.Ingress.Class }} - kubernetes.io/ingress.class: {{ .Values.OperationsCenter.Ingress.Class }} -{{- end }} - nginx.ingress.kubernetes.io/ssl-redirect: "{{- template "ingress.ssl_redirect" . }}" +{{ include "ingress.annotations" . | indent 4 }} spec: rules: - 
@@ -20,11 +16,19 @@ spec: {{- end }} http: paths: - - path: /hibernation + - path: /hibernation/ns/{{ .Release.Namespace }}/ + backend: + serviceName: managed-master-hibernation-monitor + servicePort: 80 + - path: /hibernation/ns/{{ .Release.Namespace }}/* + backend: + serviceName: managed-master-hibernation-monitor + servicePort: 80 + - path: /hibernation/ backend: serviceName: managed-master-hibernation-monitor servicePort: 80 - - path: /hibernation/ns/{{ .Release.Namespace }} + - path: /hibernation/* backend: serviceName: managed-master-hibernation-monitor servicePort: 80 diff --git a/helm/values.yaml b/helm/values.yaml index 9711d1cb30fc1f274ebd2574ad82be9c485a22df..e04ee07b74f4dc42f7e2acd688093baab200331d 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -50,18 +50,18 @@ OperationsCenter: # Operations Center docker image Image: # OperationsCenter.Image.dockerImage -- Container image to use for Operations Center - dockerImage: dcar/core-oc:2.249.2.3 + dockerImage: dcar/core-oc:2.263.2.4-ra # OperationsCenter.Image.dockerPullPolicy -- https://kubernetes.io/docs/concepts/containers/images/#updating-images - dockerPullPolicy: IfNotPresent + dockerPullPolicy: null # Image pull secrets # Enable this option when using a private registry. # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line - # OperationsCenter.ImagePullSecrets -- The name of the image pull secret to pull private docker images + # OperationsCenter.ImagePullSecrets -- Name of image pull secret to pull private Docker images or an array of image pull secrets ImagePullSecrets: null # OperationsCenter.Platform -- Enables specific settings depending on the platform - # platform specific values are: `eks`, `aws`, `gke`, `aks`, `pks`, `openshift`, `openshift4` + # platform specific values are: `eks`, `aws`, `gke`, `aks`, `openshift`, `openshift4` # Note: `openshift` maps to OpenShift 3.x Platform: standard 
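Review bot: `dockerImage` is bumped to `dcar/core-oc:2.263.2.4-ra` here, but the README Values table regenerated in this same commit lists `test/core-oc:latest` (and likewise `test/core-mm:latest`, `test/agent:latest`) as the defaults, so the README was rendered from a different values file and now documents the wrong images; regenerate it from this values.yaml, and since `README.md.gotmpl` is deleted in this patch, say in the README where the table is produced from. The `-ra` suffix also looks like a mutable tag; if these are the images users will actually pull, the comment above `dockerImage` should recommend pinning by digest (`@sha256:…`) for reproducible, verifiable deployments.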
@@ -241,7 +241,7 @@ Master:
 # Docker image inserted in Operations Center automatically
 Image:
 # Master.Image.dockerImage -- Used to override the default docker image
- dockerImage: dcar/core-mm:2.249.2.3
+ dockerImage: dcar/core-mm:2.263.2.4-ra
 # Master.JavaOpts -- Additional Java options to pass to managed masters. For example, setting up a JMX port
 JavaOpts: null
@@ -258,7 +258,12 @@ Agents:
 Create: false
 Image:
 # Agents.Image.dockerImage -- Used to override the default docker image used for agents
- dockerImage: dcar/agent:2.249.2.3
+ dockerImage: dcar/agent:2.263.2.4-ra
+ # Image pull secrets
+ # Enable this option when using a private registry.
+ # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line
+ # Agents.ImagePullSecrets -- Name of image pull secret to pull private Docker images or an array of image pull secrets
+ ImagePullSecrets: null
 Persistence:
 # Persistence.StorageClass -- Persistent Volume Storage Class for Jenkins Home
@@ -283,16 +288,6 @@ Persistence:
 # Persistence.Size -- Size of the Operations Center volume
 Size: 20Gi
- # Persistence.volumes -- Additional volumes to attach to Operations Center pod
- volumes: []
-# - name: nothing
-# emptyDir: {}
- # Persistence.mounts -- Additional volume mounts to attach to Operations Center container
- mounts: []
-# - mountPath: /var/nothing
-# name: nothing
-# readOnly: true
-
 # Master hibernation
 Hibernation:
 # Hibernation.Enabled -- Whether to enable the [Hibernation](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-admin-guide/managing-masters#_hibernation_of_managed_masters) feature
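Review bot: Removing `Persistence.volumes` and `Persistence.mounts` deletes two documented, user-facing keys, and Helm does not warn about values it no longer reads, so an existing override that attaches extra volumes to the Operations Center pod silently stops being applied on upgrade. Unless a values schema rejects the stale keys, a marker in values.yaml is the only place an operator will notice: `# Persistence.volumes and Persistence.mounts were removed; use <REPLACEMENT_KEY - fill in> instead`, or an entry in the chart's upgrade notes. I cannot see from this diff where the equivalent settings moved, if anywhere.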
@@ -301,7 +296,18 @@ Hibernation:
 # Hibernation.Image.dockerImage -- Used to override the default docker image
 dockerImage: cloudbees/managed-master-hibernation-monitor:230.ee066a318539
 # Hibernation.Image.dockerPullPolicy -- Used to override the default pull policy
- dockerPullPolicy: IfNotPresent
+ dockerPullPolicy: null
+ # Image pull secrets
+ # Enable this option when using a private registry.
+ # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line
+ # Hibernation.ImagePullSecrets -- Name of image pull secret to pull private Docker images or an array of image pull secrets
+ ImagePullSecrets: null
+ # Hibernation.NodeSelector -- Node labels and tolerations for pod assignment
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ NodeSelector: {}
+ # Hibernation.Tolerations -- Specify tolerations for the Hibernation Monitor pod.
+ # See [documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+ Tolerations: []
 PodSecurityPolicy:
 # Requires rbac.installCluster = true
@@ -338,7 +344,7 @@ NetworkPolicy:
 ## Install Default RBAC roles and bindings
 rbac:
 # rbac.install -- Install `role`/`rolebindings`/`serviceAccount`.
- # If false (and rbac is enabled in the cluster anyway), provide valid names for `serviceAccountName`, `masterServiceAccountName` and `hibernationMonitorServiceAccountName`
+ # If false (and rbac is enabled in the cluster anyway), provide valid names for all service accounts.
 install: true
 # rbac.installCluster -- Install `clusterrole`/`clusterrolebinding`
diff --git a/scripts/usr/local/bin/jenkins.sh b/scripts/usr/local/bin/jenkins.sh
index f67b156dba8ee6c6bc934eba2580902a9723a218..e82afca2b477448922e269e9e0f6055d817540ad 100644
--- a/scripts/usr/local/bin/jenkins.sh
+++ b/scripts/usr/local/bin/jenkins.sh
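Review bot: The new `Hibernation.NodeSelector` comment reads `Node labels and tolerations for pod assignment`, but this key carries only node labels; tolerations live in the separate `Hibernation.Tolerations` key added three lines below, and the deployment template renders the two independently. Suggest `# Hibernation.NodeSelector -- Node labels for pod assignment` so readers, and any tooling that generates docs from these `--` comments, do not conflate the two keys.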
@@ -52,7 +52,7 @@ find /usr/share/jenkins/ref/ -type f -exec bash -c "copy_reference_file '{}'" \;
 # if `docker run` first argument start with `--` the user is passing jenkins launcher arguments
 if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
- eval "exec java ${JAVA_OPTS:-} -jar -Dcb.distributable.name=\"Docker Common CJE\" -Dcb.distributable.commit_sha=4c482ecc2d194d4868ade0a8cb5f773a3ab1c0d5 /usr/share/jenkins/jenkins.war $JENKINS_OPTS \"\$@\""
+ eval "exec java ${JAVA_OPTS:-} -jar -Dcb.distributable.name=\"Docker Common CJE\" -Dcb.distributable.commit_sha=69f7102311718b7e0fbed31edb877f1352ca5cf1 /usr/share/jenkins/jenkins.war $JENKINS_OPTS \"\$@\""
 fi
 # As argument is not jenkins, assume user want to run his own process, for sample a `bash` shell to explore this image
diff --git a/scripts/usr/local/bin/support.sh b/scripts/usr/local/bin/support.sh
index 5c47faa6fadcfa72b355c3928f21158928d3cb78..992ef780b08afc99ddd69c606820120aa30dd3eb 100644
--- a/scripts/usr/local/bin/support.sh
+++ b/scripts/usr/local/bin/support.sh
@@ -2,8 +2,6 @@ set-java-options() {
 export JAVA_OPTS="-Duser.home=$JENKINS_HOME ${JAVA_OPTS:-}"
- # CPLT2-6044: http/2 is causing issues with Openshift 4.x users
- #export JAVA_OPTS="-Xbootclasspath/p:/usr/share/jenkins/alpn-boot.jar ${JAVA_OPTS:-}"
 }
 set-jenkins-options() {