From 2c13d980a0431cef6135f5fe0694eff0bfae5449 Mon Sep 17 00:00:00 2001 From: imontero Date: Thu, 18 Mar 2021 08:32:43 +0000 Subject: [PATCH 1/2] 2.277.1.7-ra --- Dockerfile | 14 ++-- README.md | 10 +-- hardening_manifest.yaml | 16 ++-- helm/Chart.yaml | 31 +++++-- helm/README-template.md | 18 +++- helm/README.md | 18 +++- helm/requirements.lock | 6 +- helm/requirements.yaml | 13 --- helm/templates/_helpers.tpl | 82 ++++++++++--------- .../cjoc-clusterrole-master-management.yaml | 2 +- helm/templates/cjoc-clusterrolebinding.yaml | 4 +- helm/templates/cjoc-role-agents.yaml | 21 +++++ .../cjoc-role-master-management.yaml | 11 ++- helm/templates/cjoc-rolebinding-agents.yaml | 22 +++++ helm/templates/cjoc-rolebinding.yaml | 4 +- helm/templates/cjoc-route.yaml | 6 +- helm/templates/cjoc-statefulset.yaml | 11 +++ ...master-hibernation-monitor-deployment.yaml | 2 + ...naged-master-hibernation-monitor-role.yaml | 2 +- ...aster-hibernation-monitor-rolebinding.yaml | 4 +- ...-hibernation-monitor-route-namespaced.yaml | 22 +++++ ...aged-master-hibernation-monitor-route.yaml | 8 +- .../master-role-agents-management.yaml | 2 +- helm/templates/master-rolebinding.yaml | 4 +- .../templates/psp-restricted-agents-role.yaml | 2 +- .../psp-restricted-agents-rolebinding.yaml | 4 +- helm/templates/psp-restricted-role.yaml | 2 +- .../templates/psp-restricted-rolebinding.yaml | 4 +- helm/values.yaml | 52 +++++++----- scripts/usr/local/bin/jenkins.sh | 2 +- 30 files changed, 264 insertions(+), 135 deletions(-) delete mode 100644 helm/requirements.yaml create mode 100644 helm/templates/cjoc-role-agents.yaml create mode 100644 helm/templates/cjoc-rolebinding-agents.yaml create mode 100644 helm/templates/managed-master-hibernation-monitor-route-namespaced.yaml diff --git a/Dockerfile b/Dockerfile index 019bd21..9a9f6fa 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -41,9 +41,9 @@ ENTRYPOINT ["tini", "--", "/usr/local/bin/launch.sh"] HEALTHCHECK --interval=5m --timeout=3s \ CMD curl -fsL ${JENKINS_URL}/login || exit 1 -# LABEL securitytxt="https://www.cloudbees.com/.well-known/security.txt" -# LABEL release=69f7102311718b7e0fbed31edb877f1352ca5cf1 -# LABEL version=2.263.2.4-ra +# L-A-B-E-L securitytxt="https://www.cloudbees.com/.well-known/security.txt" +# L-A-B-E-L release=d7a5eee17fd68064fb4268ca23a591bdc00af60b +# L-A-B-E-L version=2.277.1.7-ra COPY files.tar /tmp RUN cd / && tar xvf /tmp/files.tar && rm /tmp/files.tar @@ -65,7 +65,7 @@ ENV VOLUME_SERVICE=http://localhost:31080 ENV TENANT=cjoc ENV JENKINS_VARIANT=cjoc -# LABEL name="CloudBees CI Operation Center" -# LABEL vendor="CloudBees, Inc." -# LABEL summary="CloudBees CI is the continuous delivery platform architected for the enterprise" -# LABEL description="This container image will deploy one instance of CloudBees CI Operations Center." +# L-A-B-E-L name="CloudBees CI Operation Center" +# L-A-B-E-L vendor="CloudBees, Inc." +# L-A-B-E-L summary="CloudBees CI is the continuous delivery platform architected for the enterprise" +# L-A-B-E-L description="This container image will deploy one instance of CloudBees CI Operations Center." diff --git a/README.md b/README.md index ea3ee64..f14508c 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # CloudBees CI setup -## Approved with Conditions: +## Approved with Conditions Must run behind CNAP or VPN (no internet facing). CloudBees CI (formerly known as _CloudBees Core_) consists of three Docker images installed via Helm chart: 
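Review bot: The `# L-A-B-E-L …` rewrite in both Dockerfile hunks looks like it exists only to stop a check that greps for `LABEL` from matching a comment, and it leaves dead metadata that is now maintained twice, since the same title/vendor/version already live as OCI labels in hardening_manifest.yaml. Deleting the six commented lines outright is simpler and removes the risk of the `release=` / `version=` comment drifting from the manifest on the next bump. If they are kept for traceability, a one-line `# Image metadata is declared in hardening_manifest.yaml; LABEL is intentionally not used here.` says why they are spelled that way.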
@@ -12,7 +12,7 @@ CloudBees CI (formerly known as _CloudBees Core_) consists of three Docker image For each image, all files other than UBI and native packages are included in a `files.tar` marked with a SHA-256 checksum. -A version of CloudBees CI is given in the format `2.263.2.4-ra` +A version of CloudBees CI is given in the format `2.277.1.7-ra` where the first three components are aligned with a Jenkins LTS. The Helm chart is coversioned with `core-oc`. The `core-mm` image typically shares the same version, @@ -25,13 +25,13 @@ plus whatever other customizations are desired: ```yaml OperationsCenter: Image: - dockerImage: your-registry/core-oc:2.263.2.4-ra + dockerImage: your-registry/core-oc:2.277.1.7-ra Master: Image: - dockerImage: your-registry/core-mm:2.263.2.4-ra + dockerImage: your-registry/core-mm:2.277.1.7-ra Agents: Image: - dockerImage: your-registry/agent:2.263.2.4-ra + dockerImage: your-registry/agent:2.277.1.7-ra ``` and [install via Helm 3](https://docs.cloudbees.com/docs/cloudbees-core/latest/kubernetes-install-guide/installing-kubernetes-using-helm) using the local copy of the chart: diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index b128c48..decc513 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -1,7 +1,7 @@ apiVersion: v1 -name: cloudbees/core/core-oc +name: "cloudbees/core/core-oc" tags: -- "2.263.2.4-ra" +- "2.277.1.7-ra" - latest labels: org.opencontainers.image.title: "core-oc" @@ -9,7 +9,7 @@ labels: org.opencontainers.image.licenses: proprietary org.opencontainers.image.url: https://docs.cloudbees.com/docs/cloudbees-ci/ org.opencontainers.image.vendor: CloudBees - org.opencontainers.image.version: "2.263.2.4-ra" + org.opencontainers.image.version: "2.277.1.7-ra" mil.dso.ironbank.image.keywords: cicd mil.dso.ironbank.image.type: commercial mil.dso.ironbank.product.name: CloudBees CI 
@@ -18,10 +18,16 @@ args: BASE_TAG: "1.8.0" resources: - filename: files.tar - url: https://downloads.cloudbees.com/dsop-files/core-oc-files-fdaeb7127afa7670743296125be0d1782e152c6ec14bca5e62ec69ef5d667901.tar + url: https://downloads.cloudbees.com/dsop-files/core-oc-files-5ef009a0f4b225510975a80b9a9ab9327de74ba12412d7044c9ef589f4521a3d.tar validation: type: sha256 - value: "fdaeb7127afa7670743296125be0d1782e152c6ec14bca5e62ec69ef5d667901" + value: "5ef009a0f4b225510975a80b9a9ab9327de74ba12412d7044c9ef589f4521a3d" maintainers: - email: productivity-team@cloudbees.com + name: CloudBees + username: imontero + cht_member: false - email: andre.maksymowicz@centauricorp.com + name: Andy Maksymowicz + username: andymaks + cht_member: true diff --git a/helm/Chart.yaml b/helm/Chart.yaml index da8ccfd..ab3c7f6 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml 
@@ -1,12 +1,29 @@ +apiVersion: v2 name: cloudbees-core -home: https://www.cloudbees.com/products/continuous-integration -apiVersion: v1 -appVersion: 2.263.2.3 -version: 3.25.3 +version: 3.28.1 description: Enterprise Continuous Integration with Jenkins -icon: https://images.ctfassets.net/vtn4rfaw6n2j/7xprMMXARXDBuVxW4y8XfV/349fff91035050e3f2a8ff37bc0615b5/cloudbees-core-logo_header.svg keywords: - cloudbees - jenkins -engine: gotpl - +home: https://www.cloudbees.com/products/continuous-integration +dependencies: + - name: nginx-ingress + version: 1.40.2 + repository: https://charts.helm.sh/stable + condition: nginx-ingress.Enabled + - name: ingress-nginx + version: 2.15.0 + repository: https://kubernetes.github.io/ingress-nginx + condition: ingress-nginx.Enabled + - name: cloudbees-sidecar-injector + version: 2.1.3 + repository: https://charts.cloudbees.com/public/cloudbees + condition: sidecarinjector.Enabled +icon: https://images.ctfassets.net/vtn4rfaw6n2j/7xprMMXARXDBuVxW4y8XfV/349fff91035050e3f2a8ff37bc0615b5/cloudbees-core-logo_header.svg +appVersion: 2.277.1.2 +annotations: + artifacthub.io/links: | + - name: Product overview + url: https://www.cloudbees.com/products/continuous-integration + - name: Documentation + url: https://docs.cloudbees.com/docs/cloudbees-ci/latest/ diff --git a/helm/README-template.md b/helm/README-template.md index b86f7f9..4d452b0 100644 --- a/helm/README-template.md +++ b/helm/README-template.md 
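Review bot: `appVersion: 2.277.1.2` does not match the `2.277.1.7-ra` image tag this same commit sets in hardening_manifest.yaml and the README, even though the README states the chart is co-versioned with core-oc. If the value is deliberately inherited from upstream chart 3.28.1, say so next to it, e.g. `appVersion: 2.277.1.2  # upstream chart appVersion; Iron Bank image tag is 2.277.1.7-ra`; otherwise bump it to the shipped tag so `helm list` reports what is actually deployed. The three `dependencies` entries now point at public chart repositories, so in the behind-CNAP/VPN deployment the README requires, `helm dependency build` will need a mirror or the subchart archives vendored under `charts/`; a comment on the `dependencies` block stating which is expected would help.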
@@ -1,6 +1,6 @@ # cloudbees-core -![Version: 3.25.3](https://img.shields.io/badge/Version-3.25.3-informational?style=flat-square) ![AppVersion: 2.263.2.3](https://img.shields.io/badge/AppVersion-2.263.2.3-informational?style=flat-square) +![Version: 3.28.1](https://img.shields.io/badge/Version-3.28.1-informational?style=flat-square) ![AppVersion: 2.277.1.2](https://img.shields.io/badge/AppVersion-2.277.1.2-informational?style=flat-square) [CloudBees CI](https://www.cloudbees.com/products/continuous-integration) is the continuous integration platform architected for the enterprise. It provides: @@ -28,7 +28,7 @@ This chart bootstraps a CloudBees CI deployment on a [Kubernetes](http://kuberne | Repository | Name | Version | |------------|------|---------| -| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.0 | +| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.3 | | https://charts.helm.sh/stable | nginx-ingress | 1.40.2 | | https://kubernetes.github.io/ingress-nginx | ingress-nginx | 2.15.0 | 
@@ -132,6 +132,11 @@ CloudBees provides complete and more detailed installation and operation documen | OperationsCenter.ContainerPort | int | `8080` | Container port for http traffic | | OperationsCenter.ContextPath | string | `"/cjoc"` | the path under which Operations Center will be accessible in the given host. | | OperationsCenter.Enabled | bool | `true` | Disable for particular use case like setting up namespaces to host masters only | +| OperationsCenter.ExtraConfigMaps | list | `[]` | Extra configmaps deployed with the chart | +| OperationsCenter.ExtraContainers | list | `[]` | Extra containers to add to the pod containing Operations Center. | +| OperationsCenter.ExtraGroovyConfiguration | object | `{}` | Provides additional init groovy scripts Each key becomes a file in /var/jenkins_config | +| OperationsCenter.ExtraVolumeMounts | list | `[]` | Extra volume mounts to add to the container containing Operations Center | +| OperationsCenter.ExtraVolumes | list | `[]` | Extra volumes to add to the pod | | OperationsCenter.HealthProbeLivenessFailureThreshold | int | `12` | Threshold for liveness failure | | OperationsCenter.HealthProbes | bool | `true` | Enable Kubernetes Liveness and Readiness Probes | | OperationsCenter.HostName | string | `nil` | The hostname used to access Operations Center through the ingress controller. | 
@@ -153,7 +158,13 @@ CloudBees provides complete and more detailed installation and operation documen | OperationsCenter.Resources.Limits.Memory | string | `"2G"` | Memory limit to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory | | OperationsCenter.Resources.Requests.Cpu | int | `1` | CPU request to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu | | OperationsCenter.Resources.Requests.Memory | string | `"2G"` | Memory request to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory | -| OperationsCenter.Route.tls.Enable | bool | `false` | Set this to true in OpenShift to terminate TLS at route level | +| OperationsCenter.Route.tls.CACertificate | string | `nil` | CA Certificate PEM-encoded | +| OperationsCenter.Route.tls.Certificate | string | `nil` | Certificate PEM-encoded | +| OperationsCenter.Route.tls.DestinationCACertificate | string | `nil` | When using `termination=reencrypt`, destination CA PEM-encoded | +| OperationsCenter.Route.tls.Enable | bool | `false` | Set this to true in OpenShift to terminate TLS at route level Read https://docs.openshift.com/container-platform/4.6/networking/routes/secured-routes.html for details. These also apply to Hibernation monitor if enabled. | +| OperationsCenter.Route.tls.InsecureEdgeTerminationPolicy | string | `"Redirect"` | Whether to redirect http to https | +| OperationsCenter.Route.tls.Key | string | `nil` | Private key PEM-encoded | +| OperationsCenter.Route.tls.Termination | string | `"edge"` | Type of termination | | OperationsCenter.ServiceAgentListenerPort | int | `50000` | Controls the service port where Operations Center TCP port for agents is exposed. 
Don't change this parameter unless you know what you are doing | | OperationsCenter.ServiceAnnotations | object | `{}` | Additional annotations to put on the Operations Center service | | OperationsCenter.ServicePort | int | `80` | Controls the service port where Operations Center http port is exposed. Don't change this parameter unless you know what you are doing | @@ -166,6 +177,7 @@ CloudBees provides complete and more detailed installation and operation documen | PodSecurityPolicy.Annotations | object | `{}` | Additional annotations to put on the PodSecurityPolicy, e.g. AppArmor/Seccomp settings | | PodSecurityPolicy.Enabled | bool | `false` | Enables [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) support Enable only if the cluster supports it. | | ingress-nginx.Enabled | bool | `false` | Installs the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx) controller (optional). Enable this section if you don't have an existing installation of ingress-nginx controller Note: use `beta.kubernetes.io/os` when deploying on Kubernetes versions below 1.16 | +| ingress-nginx.controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | ingress-nginx.controller.ingressClass | string | `"nginx"` | | | ingress-nginx.controller.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` | | diff --git a/helm/README.md b/helm/README.md index dd51b08..fb94fbb 100644 --- a/helm/README.md +++ b/helm/README.md 
@@ -1,6 +1,6 @@ # cloudbees-core -![Version: 3.25.3](https://img.shields.io/badge/Version-3.25.3-informational?style=flat-square) ![AppVersion: 2.263.2.3](https://img.shields.io/badge/AppVersion-2.263.2.3-informational?style=flat-square) +![Version: 3.28.1](https://img.shields.io/badge/Version-3.28.1-informational?style=flat-square) ![AppVersion: 2.277.1.2](https://img.shields.io/badge/AppVersion-2.277.1.2-informational?style=flat-square) [CloudBees CI](https://www.cloudbees.com/products/continuous-integration) is the continuous integration platform architected for the enterprise. It provides: @@ -28,7 +28,7 @@ This chart bootstraps a CloudBees CI deployment on a [Kubernetes](http://kuberne | Repository | Name | Version | |------------|------|---------| -| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.0 | +| https://charts.cloudbees.com/public/cloudbees | cloudbees-sidecar-injector | 2.1.3 | | https://charts.helm.sh/stable | nginx-ingress | 1.40.2 | | https://kubernetes.github.io/ingress-nginx | ingress-nginx | 2.15.0 | 
@@ -132,6 +132,11 @@ CloudBees provides complete and more detailed installation and operation documen | OperationsCenter.ContainerPort | int | `8080` | Container port for http traffic | | OperationsCenter.ContextPath | string | `"/cjoc"` | the path under which Operations Center will be accessible in the given host. | | OperationsCenter.Enabled | bool | `true` | Disable for particular use case like setting up namespaces to host masters only | +| OperationsCenter.ExtraConfigMaps | list | `[]` | Extra configmaps deployed with the chart | +| OperationsCenter.ExtraContainers | list | `[]` | Extra containers to add to the pod containing Operations Center. | +| OperationsCenter.ExtraGroovyConfiguration | object | `{}` | Provides additional init groovy scripts Each key becomes a file in /var/jenkins_config | +| OperationsCenter.ExtraVolumeMounts | list | `[]` | Extra volume mounts to add to the container containing Operations Center | +| OperationsCenter.ExtraVolumes | list | `[]` | Extra volumes to add to the pod | | OperationsCenter.HealthProbeLivenessFailureThreshold | int | `12` | Threshold for liveness failure | | OperationsCenter.HealthProbes | bool | `true` | Enable Kubernetes Liveness and Readiness Probes | | OperationsCenter.HostName | string | `nil` | The hostname used to access Operations Center through the ingress controller. | 
@@ -153,7 +158,13 @@ CloudBees provides complete and more detailed installation and operation documen | OperationsCenter.Resources.Limits.Memory | string | `"2G"` | Memory limit to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory | | OperationsCenter.Resources.Requests.Cpu | int | `1` | CPU request to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu | | OperationsCenter.Resources.Requests.Memory | string | `"2G"` | Memory request to run Operations Center https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory | -| OperationsCenter.Route.tls.Enable | bool | `false` | Set this to true in OpenShift to terminate TLS at route level | +| OperationsCenter.Route.tls.CACertificate | string | `nil` | CA Certificate PEM-encoded | +| OperationsCenter.Route.tls.Certificate | string | `nil` | Certificate PEM-encoded | +| OperationsCenter.Route.tls.DestinationCACertificate | string | `nil` | When using `termination=reencrypt`, destination CA PEM-encoded | +| OperationsCenter.Route.tls.Enable | bool | `false` | Set this to true in OpenShift to terminate TLS at route level Read https://docs.openshift.com/container-platform/4.6/networking/routes/secured-routes.html for details. These also apply to Hibernation monitor if enabled. | +| OperationsCenter.Route.tls.InsecureEdgeTerminationPolicy | string | `"Redirect"` | Whether to redirect http to https | +| OperationsCenter.Route.tls.Key | string | `nil` | Private key PEM-encoded | +| OperationsCenter.Route.tls.Termination | string | `"edge"` | Type of termination | | OperationsCenter.ServiceAgentListenerPort | int | `50000` | Controls the service port where Operations Center TCP port for agents is exposed. 
Don't change this parameter unless you know what you are doing | | OperationsCenter.ServiceAnnotations | object | `{}` | Additional annotations to put on the Operations Center service | | OperationsCenter.ServicePort | int | `80` | Controls the service port where Operations Center http port is exposed. Don't change this parameter unless you know what you are doing | @@ -166,6 +177,7 @@ CloudBees provides complete and more detailed installation and operation documen | PodSecurityPolicy.Annotations | object | `{}` | Additional annotations to put on the PodSecurityPolicy, e.g. AppArmor/Seccomp settings | | PodSecurityPolicy.Enabled | bool | `false` | Enables [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) support Enable only if the cluster supports it. | | ingress-nginx.Enabled | bool | `false` | Installs the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx) controller (optional). Enable this section if you don't have an existing installation of ingress-nginx controller Note: use `beta.kubernetes.io/os` when deploying on Kubernetes versions below 1.16 | +| ingress-nginx.controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | ingress-nginx.controller.ingressClass | string | `"nginx"` | | | ingress-nginx.controller.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | ingress-nginx.controller.service.externalTrafficPolicy | string | `"Local"` | | diff --git a/helm/requirements.lock b/helm/requirements.lock index 4b08a7f..b6d8456 100644 --- a/helm/requirements.lock +++ b/helm/requirements.lock 
@@ -7,6 +7,6 @@ dependencies: version: 2.15.0 - name: cloudbees-sidecar-injector repository: https://charts.cloudbees.com/public/cloudbees - version: 2.1.0 -digest: sha256:996f7a1d8ae1bb7465e7df2865ef4521e1ebe3e10827d6544caebd4d0c811c23 -generated: "2020-11-02T17:56:50.500073-05:00" + version: 2.1.3 +digest: sha256:a1c4f1c479b0edb8530d98691ccb6e935c43867539bf2b0c7df246462c475cd0 +generated: "2021-02-09T09:09:33.126879+01:00" diff --git a/helm/requirements.yaml b/helm/requirements.yaml deleted file mode 100644 index 417a1df..0000000 --- a/helm/requirements.yaml +++ /dev/null @@ -1,13 +0,0 @@ -dependencies: -- name: nginx-ingress - version: 1.40.2 - repository: https://charts.helm.sh/stable - condition: nginx-ingress.Enabled -- name: ingress-nginx - version: 2.15.0 - repository: https://kubernetes.github.io/ingress-nginx - condition: ingress-nginx.Enabled -- name: cloudbees-sidecar-injector - version: 2.1.0 - repository: https://charts.cloudbees.com/public/cloudbees - condition: sidecarinjector.Enabled diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl index 18a400c..6b62e4f 100644 --- a/helm/templates/_helpers.tpl +++ b/helm/templates/_helpers.tpl @@ -53,7 +53,7 @@ kubectl {{- end -}} {{- define "cloudbees-core.needs-routes" -}} -{{- if include "cloudbees-core.is-openshift" . -}} +{{- if or (include "cloudbees-core.is-openshift" . ) (.Values.OperationsCenter.Route.tls.Enable) -}} true {{- end -}} {{- end -}} @@ -228,14 +228,6 @@ true {{- end -}} {{- end -}} -{{- define "rbac.apiVersion" -}} -{{- default .Values.rbac.apiVersion "rbac.authorization.k8s.io/v1" -}} -{{- end -}} - -{{- define "rbac.apiGroup" -}} -{{- default .Values.rbac.apiGroup "rbac.authorization.k8s.io" -}} -{{- end -}} - {{- define "validate.operationscenter" -}} {{- if and (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}} {{ fail "Can't use both OperationsCenter.Enabled=true and Master.OperationsCenterNamespace" }} 
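Review bot: The new `needs-routes` condition returns true whenever `OperationsCenter.Route.tls.Enable` is set, so that flag now also decides whether Route objects are rendered at all, independent of the OpenShift detection it previously relied on. If a user sets `Route.tls.Enable=true` on a plain Kubernetes cluster, `route.openshift.io` manifests will presumably be emitted and rejected by the API server. If the intent is to let users force Routes when `.Capabilities`-based detection is unavailable (for example under `helm template`), a comment on the define such as `{{/* Route.tls.Enable also forces Route rendering so OpenShift users can bypass capability detection */}}` would stop the next reader from "fixing" it; if that is not the intent, keep `is-openshift` as the only gate and consult `Route.tls.Enable` inside `openshift.tls` alone.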
@@ -330,23 +322,19 @@ ingress-nginx {{/* stable/nginx-ingress chart going away in Nov. 2020. This will be part of the 10/2020 release. Delete this after 4/2021 */}} {{- define "nginxingress.podSelectors" -}} -{{- if index .Values "nginx-ingress" "Enabled" }} -{{ include "nginxingress.includedPodSelector" . }} -{{- else if .Values.NetworkPolicy.ingressControllerSelector }} -{{ toYaml .Values.NetworkPolicy.ingressControllerSelector -}} -{{- else }} -{{ include "nginxingress.defaultPodSelectors" . }} -{{- end }} -{{- end -}} - -{{- define "nginxingress.includedPodSelector" -}} +{{- if (index .Values "nginx-ingress" "Enabled")}} - podSelector: matchLabels: - app: {{ include "ingress.name" . }} + app: nginx-ingress component: controller -{{- end -}} - -{{- define "nginxingress.defaultPodSelectors" -}} +{{- else if (index .Values "ingress-nginx" "Enabled") }} +- podSelector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: controller +{{- else if .Values.NetworkPolicy.ingressControllerSelector }} +{{ toYaml .Values.NetworkPolicy.ingressControllerSelector -}} +{{- else }} - namespaceSelector: matchLabels: name: {{ include "ingress.name" . }} @@ -368,25 +356,9 @@ ingress-nginx matchLabels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/component: controller -{{- end -}} - -{{- define "ingressnginx.podSelectors" -}} -{{- if index .Values "ingress-nginx" "Enabled" }} -{{ include "ingressnginx.includedPodSelector" . }} -{{- else if .Values.NetworkPolicy.ingressControllerSelector }} -{{ toYaml .Values.NetworkPolicy.ingressControllerSelector -}} -{{- else }} -{{ include "ingressnginx.defaultPodSelectors" . }} {{- end }} {{- end -}} -{{- define "ingressnginx.includedPodSelector" -}} -- podSelector: - matchLabels: - app: {{ include "ingress.name" . }} - component: controller -{{- end -}} - {{- define "networkpolicy.cjoc.http" -}} {{- if include "cloudbees-core.is-openshift" . -}} {{ .Values.OperationsCenter.ContainerPort }} 
@@ -444,6 +416,30 @@ managed-premium {{- end -}} {{- end -}} +{{- define "openshift.tls" -}} +{{- if .Values.OperationsCenter.Route.tls.Enable -}} +tls: + insecureEdgeTerminationPolicy: {{ .Values.OperationsCenter.Route.tls.InsecureEdgeTerminationPolicy }} + termination: {{ .Values.OperationsCenter.Route.tls.Termination }} +{{- if .Values.OperationsCenter.Route.tls.CACertificate }} + caCertificate: |- +{{ .Values.OperationsCenter.Route.tls.CACertificate | indent 4 }} +{{- end }} +{{- if .Values.OperationsCenter.Route.tls.Certificate }} + certificate: |- +{{ .Values.OperationsCenter.Route.tls.Certificate | indent 4 }} +{{- end }} +{{- if .Values.OperationsCenter.Route.tls.Key }} + key: |- +{{ .Values.OperationsCenter.Route.tls.Key | indent 4 }} +{{- end }} +{{- if .Values.OperationsCenter.Route.tls.DestinationCACertificate }} + destinationCACertificate: |- +{{ .Values.OperationsCenter.Route.tls.DestinationCACertificate | indent 4}} +{{- end }} +{{- end }} +{{- end }} + {{/* Workaround https://github.com/openshift/origin/issues/24060 */}} @@ -462,10 +458,16 @@ status: {{- end -}} {{- define "ingress.check" -}} -{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress") }} +{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1") }} {{ fail "\n\nERROR: Kubernetes 1.14 or later is required to use Ingress in networking.k8s.io/v1beta1" }} {{- end -}} {{- if and (index .Values "nginx-ingress" "Enabled") (index .Values "ingress-nginx" "Enabled") -}} {{ fail "\n\nERROR: Only one of nginx-ingress.Enabled or ingress-nginx.Enabled may be true" }} {{- end -}} {{- end -}} + +{{- define "features.enableServiceLinks-available" -}} +{{- if semverCompare ">=1.13.0-0" .Capabilities.KubeVersion.Version -}} +true +{{- end -}} +{{- end -}} diff --git a/helm/templates/cjoc-clusterrole-master-management.yaml b/helm/templates/cjoc-clusterrole-master-management.yaml index b241013..7666751 100644 --- a/helm/templates/cjoc-clusterrole-master-management.yaml 
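Review bot: `openshift.tls` copies `OperationsCenter.Route.tls.Key` from values into the Route spec, so the private key is persisted in the Helm release Secret and in the Route object, where anyone able to `get routes` in the namespace can read it; that is how OpenShift Routes work, but the define should say so and point users at `--set-file OperationsCenter.Route.tls.Key=…` or a values file kept out of version control instead of inline PEM in values.yaml. A short header comment on the define covering that is enough. Separately, `termination` and `insecureEdgeTerminationPolicy` are emitted unquoted and unvalidated, so a typo yields a Route the API server rejects rather than a template error; `termination: {{ .Values.OperationsCenter.Route.tls.Termination | quote }}` plus a `fail` when the value is outside `edge`/`reencrypt`/`passthrough` surfaces it at render time, and the same comment should note that `InsecureEdgeTerminationPolicy: Allow` keeps plaintext HTTP reachable beside the TLS listener.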
+++ b/helm/templates/cjoc-clusterrole-master-management.yaml @@ -1,6 +1,6 @@ {{- if and .Values.OperationsCenter.Enabled .Values.rbac.install (include "rbac.install-cluster" .) -}} kind: ClusterRole -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cjoc-master-management-{{ .Release.Namespace }} labels: diff --git a/helm/templates/cjoc-clusterrolebinding.yaml b/helm/templates/cjoc-clusterrolebinding.yaml index e7381e0..867fa1b 100644 --- a/helm/templates/cjoc-clusterrolebinding.yaml +++ b/helm/templates/cjoc-clusterrolebinding.yaml @@ -1,12 +1,12 @@ {{- if and .Values.OperationsCenter.Enabled .Values.rbac.install (include "rbac.install-cluster" .) -}} kind: ClusterRoleBinding -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cjoc-role-binding-{{ .Release.Namespace }} labels: {{ include "cloudbees-core.labels" . | indent 4 }} roleRef: - apiGroup: {{ template "rbac.apiGroup" . }} + apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cjoc-master-management-{{ .Release.Namespace }} subjects: diff --git a/helm/templates/cjoc-role-agents.yaml b/helm/templates/cjoc-role-agents.yaml new file mode 100644 index 0000000..15c036b --- /dev/null +++ b/helm/templates/cjoc-role-agents.yaml @@ -0,0 +1,21 @@ +{{ template "validate.operationscenter" . }} +{{- if or (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}} +{{- if .Values.Agents.SeparateNamespace.Enabled -}} +{{- if .Values.rbac.install -}} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: cjoc-agents-test-connection + namespace: {{ template "agents.namespace" . }} + labels: +{{ include "cloudbees-core.labels" . | indent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - list +{{- end -}} +{{- end -}} +{{- end -}} 
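Review bot: The new Role is named `cjoc-agents-test-connection` with no release or namespace qualifier, while the ClusterRole and ClusterRoleBinding in this same commit are suffixed with `-{{ .Release.Namespace }}`. Because this object lives in the agents namespace rather than the release namespace, two Operations Center releases pointed at one shared agents namespace would collide on the name and the second install would either fail or take over the first one's Role. Suffixing it with the release namespace, `name: cjoc-agents-test-connection-{{ .Release.Namespace }}` here and the matching `roleRef.name` in cjoc-rolebinding-agents.yaml, keeps them unique; the rule itself (`list` on `pods` only) is appropriately minimal.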
diff --git a/helm/templates/cjoc-role-master-management.yaml b/helm/templates/cjoc-role-master-management.yaml index eb4d056..2e91c9a 100644 --- a/helm/templates/cjoc-role-master-management.yaml +++ b/helm/templates/cjoc-role-master-management.yaml @@ -2,12 +2,21 @@ {{- if or (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}} {{- if .Values.rbac.install -}} kind: Role -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cjoc-master-management labels: {{ include "cloudbees-core.labels" . | indent 4 }} rules: +{{- if .Values.Master.OperationsCenterNamespace }} +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list +{{- end }} - apiGroups: - "" resources: diff --git a/helm/templates/cjoc-rolebinding-agents.yaml b/helm/templates/cjoc-rolebinding-agents.yaml new file mode 100644 index 0000000..8dcf0b4 --- /dev/null +++ b/helm/templates/cjoc-rolebinding-agents.yaml @@ -0,0 +1,22 @@ +{{ template "validate.operationscenter" . }} +{{- if or (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}} +{{- if .Values.Agents.SeparateNamespace.Enabled -}} +{{- if .Values.rbac.install -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cjoc-agents-role-binding + namespace: {{ template "agents.namespace" . }} + labels: +{{ include "cloudbees-core.labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cjoc-agents-test-connection +subjects: +- kind: ServiceAccount + name: {{ .Values.rbac.serviceAccountName }} + namespace: {{ .Release.Namespace }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/helm/templates/cjoc-rolebinding.yaml b/helm/templates/cjoc-rolebinding.yaml index feb48ac..85a145f 100644 --- a/helm/templates/cjoc-rolebinding.yaml +++ b/helm/templates/cjoc-rolebinding.yaml 
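Review bot: The new rule in cjoc-role-master-management.yaml grants `get` and `list` on `namespaces` from a namespaced Role, but RBAC only evaluates a Role against requests that carry that Role's namespace; `GET /api/v1/namespaces` is cluster-scoped, so the `list` verb here will most likely not authorize a namespace listing, and only `get` on the Role's own namespace object is expected to take effect. If Operations Center needs to enumerate namespaces when `Master.OperationsCenterNamespace` is set, that belongs in a ClusterRole (as `cjoc-master-management-{{ .Release.Namespace }}` already is); if it only needs to read its own namespace, drop `- list` so the manifest does not advertise a permission it cannot grant. A comment naming the API call this rule serves would let the next reviewer verify which case applies.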
@@ -1,14 +1,14 @@ {{ template "validate.operationscenter" . }} {{- if or (.Values.OperationsCenter.Enabled) (.Values.Master.OperationsCenterNamespace) -}} {{- if .Values.rbac.install -}} -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: cjoc-role-binding labels: {{ include "cloudbees-core.labels" . | indent 4 }} roleRef: - apiGroup: {{ template "rbac.apiGroup" . }} + apiGroup: rbac.authorization.k8s.io kind: Role name: cjoc-master-management subjects: diff --git a/helm/templates/cjoc-route.yaml b/helm/templates/cjoc-route.yaml index 65913e9..def9f6f 100644 --- a/helm/templates/cjoc-route.yaml +++ b/helm/templates/cjoc-route.yaml @@ -18,11 +18,7 @@ spec: port: targetPort: http wildcardPolicy: None - {{- if eq .Values.OperationsCenter.Route.tls.Enable true }} - tls: - insecureEdgeTerminationPolicy: Redirect - termination: edge - {{end }} +{{ include "openshift.tls" . | indent 2 }} {{ include "chart.helmRouteFix" $ }} {{- end -}} {{- end -}} diff --git a/helm/templates/cjoc-statefulset.yaml b/helm/templates/cjoc-statefulset.yaml index 788ff4b..bab0812 100644 --- a/helm/templates/cjoc-statefulset.yaml +++ b/helm/templates/cjoc-statefulset.yaml @@ -62,7 +62,9 @@ spec: operator: In values: - slave + {{- if include "features.enableServiceLinks-available" . }} enableServiceLinks: false + {{- end }} serviceAccountName: {{ .Values.rbac.serviceAccountName }} {{- if .Values.OperationsCenter.NodeSelector }} nodeSelector: 
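Review bot: Replacing the hard-coded `insecureEdgeTerminationPolicy: Redirect` in cjoc-route.yaml with the `openshift.tls` include makes the policy user-settable, and the README in this commit describes it as "Whether to redirect http to https", which reads as a boolean; the field is an OpenShift enum where `Allow` serves Operations Center over plaintext beside the TLS listener and `None` rejects HTTP. Given this image is approved only behind CNAP/VPN, an `Allow` setting would silently relax the edge, so the values.yaml comment (outside this chunk) should list `Redirect`/`None`/`Allow` and state that anything other than `Redirect` exposes HTTP. A one-line comment above the include, `# tls block is rendered by openshift.tls; see OperationsCenter.Route.tls in values.yaml`, would also tell readers where the previously visible settings went.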
@@ -140,6 +142,9 @@ spec: -Dcom.cloudbees.jce.masterprovisioning.DockerImageDefinitionConfiguration.masterImageName={{ include "mm.longname" . | quote}} -Dcom.cloudbees.jce.masterprovisioning.DockerImageDefinitionConfiguration.masterImage={{ .Values.Master.Image.dockerImage}} -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesMasterProvisioning.serviceAccount={{ .Values.rbac.masterServiceAccountName }} + {{- if .Values.Agents.SeparateNamespace.Enabled }} + -Dcom.cloudbees.jenkins.plugins.kube.NamespaceFilter.defaultNamespace={{ template "agents.namespace" . }} + {{- end }} {{- if (include "persistence.storageclass" .) }} -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesMasterProvisioning.storageClassName={{ include "persistence.storageclass" . | quote }} {{- end }} @@ -155,6 +160,12 @@ spec: {{- if .Values.OperationsCenter.CSRF.ProxyCompatibility }} -Djenkins.model.Jenkins.crumbIssuerProxyCompatibility=true {{- end }} + {{- if .Values.sda }} + {{- if .Values.OperationsCenter.HostName }} + -Dcom.cloudbees.jenkins.plugins.platform.PlatformConfiguration.url={{- include "oc.protocol" . -}}://{{ include "oc.hostname" . }}/ + {{- end }} + -Dcom.cloudbees.jenkins.plugins.platform.PlatformServer.apiUrl=https://flow-server:8443/ + {{- end }} -XX:+UseG1GC -XX:+DisableExplicitGC ports: diff --git a/helm/templates/managed-master-hibernation-monitor-deployment.yaml b/helm/templates/managed-master-hibernation-monitor-deployment.yaml index b8b28ca..9c7e106 100644 --- a/helm/templates/managed-master-hibernation-monitor-deployment.yaml +++ b/helm/templates/managed-master-hibernation-monitor-deployment.yaml @@ -71,7 +71,9 @@ spec: limits: memory: 250Mi serviceAccountName: {{ .Values.rbac.hibernationMonitorServiceAccountName }} + {{- if include "features.enableServiceLinks-available" . }} enableServiceLinks: false + {{- end }} {{- if .Values.Hibernation.NodeSelector }} nodeSelector: {{ toYaml .Values.Hibernation.NodeSelector | indent 8 }} 
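Review bot: `-Dcom.cloudbees.jenkins.plugins.platform.PlatformServer.apiUrl=https://flow-server:8443/` hard-codes the platform endpoint, so operators cannot point Operations Center at a differently named or externally hosted flow server, and the short hostname is resolved through cluster DNS in the release namespace — anyone able to create a Service named `flow-server` there (a namespace-level privilege, admittedly) would receive OC's platform API traffic. I would expose it as a value with this string as the default and document how TLS trust for that endpoint is established, which the hunk does not show. Note also that `{{- if .Values.sda }}` is true for any non-empty value, not only `true`, and the values.yaml hunks in this patch add no `sda` default, so its expected shape (bool vs map) is undocumented. The JAVA_OPTS block these lines belong to starts and ends outside the hunk.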
diff --git a/helm/templates/managed-master-hibernation-monitor-role.yaml b/helm/templates/managed-master-hibernation-monitor-role.yaml index 53c54ba..0ece24e 100644 --- a/helm/templates/managed-master-hibernation-monitor-role.yaml +++ b/helm/templates/managed-master-hibernation-monitor-role.yaml @@ -1,7 +1,7 @@ {{- if .Values.Hibernation.Enabled -}} {{- if .Values.rbac.install -}} kind: Role -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: managed-master-hibernation-monitor labels: diff --git a/helm/templates/managed-master-hibernation-monitor-rolebinding.yaml b/helm/templates/managed-master-hibernation-monitor-rolebinding.yaml index a027167..22198b5 100644 --- a/helm/templates/managed-master-hibernation-monitor-rolebinding.yaml +++ b/helm/templates/managed-master-hibernation-monitor-rolebinding.yaml @@ -1,13 +1,13 @@ {{- if .Values.Hibernation.Enabled -}} {{- if .Values.rbac.install -}} -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: managed-master-hibernation-monitor labels: {{ include "cloudbees-core.labels" . | indent 4 }} roleRef: - apiGroup: {{ template "rbac.apiGroup" . }} + apiGroup: rbac.authorization.k8s.io kind: Role name: managed-master-hibernation-monitor subjects: diff --git a/helm/templates/managed-master-hibernation-monitor-route-namespaced.yaml b/helm/templates/managed-master-hibernation-monitor-route-namespaced.yaml new file mode 100644 index 0000000..3a7d53d --- /dev/null +++ b/helm/templates/managed-master-hibernation-monitor-route-namespaced.yaml 
@@ -0,0 +1,22 @@
+{{- if .Values.Hibernation.Enabled -}}
+{{- if include "cloudbees-core.needs-routes" . -}}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: managed-master-hibernation-monitor-namespaced
+spec:
+{{- if .Values.OperationsCenter.HostName }}
+ host: {{ .Values.OperationsCenter.HostName | quote }}
+{{- end }}
+ path: /hibernation/ns/{{ .Release.Namespace }}
+ to:
+ kind: Service
+ name: managed-master-hibernation-monitor
+ weight: 100
+ port:
+ targetPort: http
+ wildcardPolicy: None
+{{ include "openshift.tls" . | indent 2 }}
+{{ include "chart.helmRouteFix" $ }}
+{{- end -}}
+{{- end -}}
diff --git a/helm/templates/managed-master-hibernation-monitor-route.yaml b/helm/templates/managed-master-hibernation-monitor-route.yaml
index 50c79e6..6b8344e 100644
--- a/helm/templates/managed-master-hibernation-monitor-route.yaml
+++ b/helm/templates/managed-master-hibernation-monitor-route.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.OperationsCenter.Enabled -}}
 {{- if .Values.Hibernation.Enabled -}}
 {{- if include "cloudbees-core.needs-routes" . -}}
 apiVersion: route.openshift.io/v1
@@ -16,11 +17,8 @@ spec:
 port:
 targetPort: http
 wildcardPolicy: None
- {{- if eq .Values.OperationsCenter.Route.tls.Enable true }}
- tls:
- insecureEdgeTerminationPolicy: Redirect
- termination: edge
- {{end }}
+{{ include "openshift.tls" . | indent 2 }}
 {{ include "chart.helmRouteFix" $ }}
 {{- end -}}
 {{- end -}}
+{{- end -}}
diff --git a/helm/templates/master-role-agents-management.yaml b/helm/templates/master-role-agents-management.yaml
index 9cd8231..891147e 100644
--- a/helm/templates/master-role-agents-management.yaml
+++ b/helm/templates/master-role-agents-management.yaml
@@ -1,7 +1,7 @@
 {{- if .Values.Master.Enabled -}}
 {{- if .Values.rbac.install -}}
 kind: Role
-apiVersion: {{ template "rbac.apiVersion" . }}
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: cjoc-agents
 namespace: {{ template "agents.namespace" . }}
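Review bot: The new Route's `metadata:` carries no `labels:` block, unlike the other templates in this chart that render `{{ include "cloudbees-core.labels" . | indent 4 }}`, so the object will not be selectable by the release labels; add `labels:` plus that include under `metadata:`. There is also a deployment caveat worth a comment: the Route reuses `OperationsCenter.HostName` from a managed-master namespace, and the OpenShift router's default namespace-ownership check rejects a route for a host already claimed by another namespace (here, presumably, the Operations Center namespace), so this path-based route only works where the cluster admin has relaxed that check. I would say so in a comment above `host:`, e.g. `# Same host as the OC route in another namespace: requires the router's namespace ownership check to be disabled`.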
diff --git a/helm/templates/master-rolebinding.yaml b/helm/templates/master-rolebinding.yaml index a8c8c4f..da121ad 100644 --- a/helm/templates/master-rolebinding.yaml +++ b/helm/templates/master-rolebinding.yaml @@ -1,6 +1,6 @@ {{- if .Values.Master.Enabled -}} {{- if .Values.rbac.install -}} -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: cjoc-master-role-binding @@ -8,7 +8,7 @@ metadata: labels: {{ include "cloudbees-core.labels" . | indent 4 }} roleRef: - apiGroup: {{ template "rbac.apiGroup" . }} + apiGroup: rbac.authorization.k8s.io kind: Role name: cjoc-agents subjects: diff --git a/helm/templates/psp-restricted-agents-role.yaml b/helm/templates/psp-restricted-agents-role.yaml index b1296a0..caaaa52 100644 --- a/helm/templates/psp-restricted-agents-role.yaml +++ b/helm/templates/psp-restricted-agents-role.yaml @@ -1,6 +1,6 @@ {{- if and (include "psp.enabled" .) (.Values.Agents.SeparateNamespace.Enabled) }} kind: Role -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: "cb:podsecuritypolicy:restricted" namespace: {{ template "agents.namespace" . }} diff --git a/helm/templates/psp-restricted-agents-rolebinding.yaml b/helm/templates/psp-restricted-agents-rolebinding.yaml index 58ed133..0e8cd57 100644 --- a/helm/templates/psp-restricted-agents-rolebinding.yaml +++ b/helm/templates/psp-restricted-agents-rolebinding.yaml @@ -1,5 +1,5 @@ {{- if and (include "psp.enabled" .) (.Values.Agents.SeparateNamespace.Enabled) }} -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: "cb:podsecuritypolicy:restricted" @@ -7,7 +7,7 @@ metadata: labels: {{ include "cloudbees-core.labels" . | indent 4 }} roleRef: - apiGroup: {{ template "rbac.apiGroup" . }} + apiGroup: rbac.authorization.k8s.io kind: Role name: "cb:podsecuritypolicy:restricted" subjects: 
diff --git a/helm/templates/psp-restricted-role.yaml b/helm/templates/psp-restricted-role.yaml index fe65cd7..40e4f39 100644 --- a/helm/templates/psp-restricted-role.yaml +++ b/helm/templates/psp-restricted-role.yaml @@ -1,6 +1,6 @@ {{- if include "psp.enabled" . }} kind: Role -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: "cb:podsecuritypolicy:restricted" labels: diff --git a/helm/templates/psp-restricted-rolebinding.yaml b/helm/templates/psp-restricted-rolebinding.yaml index 7b8649f..20d452a 100644 --- a/helm/templates/psp-restricted-rolebinding.yaml +++ b/helm/templates/psp-restricted-rolebinding.yaml @@ -1,12 +1,12 @@ {{- if include "psp.enabled" . }} -apiVersion: {{ template "rbac.apiVersion" . }} +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: "cb:podsecuritypolicy:restricted" labels: {{ include "cloudbees-core.labels" . | indent 4 }} roleRef: - apiGroup: {{ template "rbac.apiGroup" . }} + apiGroup: rbac.authorization.k8s.io kind: Role name: "cb:podsecuritypolicy:restricted" subjects: diff --git a/helm/values.yaml b/helm/values.yaml index e04ee07..4edaa61 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -13,6 +13,10 @@ ingress-nginx: kubernetes.io/os: linux service: externalTrafficPolicy: Local + admissionWebhooks: + patch: + nodeSelector: + kubernetes.io/os: linux defaultBackend: nodeSelector: kubernetes.io/os: linux @@ -50,7 +54,7 @@ OperationsCenter: # Operations Center docker image Image: # OperationsCenter.Image.dockerImage -- Container image to use for Operations Center - dockerImage: dcar/core-oc:2.263.2.4-ra + dockerImage: dcar/core-oc:2.277.1.7-ra # OperationsCenter.Image.dockerPullPolicy -- https://kubernetes.io/docs/concepts/containers/images/#updating-images dockerPullPolicy: null 
@@ -184,11 +188,23 @@ OperationsCenter: Route: tls: # OperationsCenter.Route.tls.Enable -- Set this to true in OpenShift to terminate TLS at route level + # Read https://docs.openshift.com/container-platform/4.6/networking/routes/secured-routes.html for details. + # These also apply to Hibernation monitor if enabled. Enable: false - - ## @param ExtraConfigMaps - array of objects - optional - ## Extra configmaps deployed with the chart - # + # OperationsCenter.Route.tls.Termination -- Type of termination + Termination: edge + # OperationsCenter.Route.tls.InsecureEdgeTerminationPolicy -- Whether to redirect http to https + InsecureEdgeTerminationPolicy: Redirect + # OperationsCenter.Route.tls.CACertificate -- CA Certificate PEM-encoded + CACertificate: null + # OperationsCenter.Route.tls.Certificate -- Certificate PEM-encoded + Certificate: null + # OperationsCenter.Route.tls.Key -- Private key PEM-encoded + Key: null + # OperationsCenter.Route.tls.DestinationCACertificate -- When using `termination=reencrypt`, destination CA PEM-encoded + DestinationCACertificate: null + # OperationsCenter.ExtraConfigMaps -- Extra configmaps deployed with the chart + ExtraConfigMaps: [] # ExtraConfigMaps: # - name: my-config-map # labels: 
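Review bot: `Key: null` invites operators to paste a private key into values.yaml, where it ends up in version control, in the Helm release record and in clear in the Route object's spec; the comment should say how to supply it safely. I would replace it with `# OperationsCenter.Route.tls.Key -- Private key PEM-encoded. Pass it out-of-band (e.g. --set-file OperationsCenter.Route.tls.Key=tls.key) and never commit it; it is stored in the Route and in the release record.` The `Termination` comment should list the accepted values (`edge`, `reencrypt`, `passthrough`) and note that `CACertificate`/`Certificate`/`Key` apply only to `edge` and `reencrypt`. `InsecureEdgeTerminationPolicy` is not a yes/no either: `None` drops plain HTTP, `Redirect` upgrades it, and `Allow` serves the Operations Center login over cleartext as well, which is the one value a reviewer should reject — the comment should spell that out rather than "Whether to redirect http to https".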
@@ -199,33 +215,29 @@ OperationsCenter: # myfile.yaml: | # foo: bar - ## @param ExtraContainers - array of objects - optional - ## Extra containers to add to the pod containing Operations Center. - # + # OperationsCenter.ExtraContainers -- Extra containers to add to the pod containing Operations Center. + ExtraContainers: [] # ExtraContainers: # - name: sleep # image: tutum/curl # command: ["sleep", "infinity"] - ## @param ExtraGroovyConfiguration - list of objects - optional - ## Provides additional init groovy scripts - ## Each key becomes a file in /var/jenkins_config - # + # OperationsCenter.ExtraGroovyConfiguration -- Provides additional init groovy scripts + # Each key becomes a file in /var/jenkins_config + ExtraGroovyConfiguration: {} # ExtraGroovyConfiguration: # hello-world.groovy: | # System.out.println('Hello world!') - ## @param ExtraVolumes - array of objects - optional - ## Extra volumes to add to the pod - # + # OperationsCenter.ExtraVolumes -- Extra volumes to add to the pod + ExtraVolumes: [] # ExtraVolumes: # - name: my-volume # configMap: # name: my-config-map - ## @param ExtraVolumesMounts - array of objects - optional - ## Extra volume mounts to add to the container containing Operations Center - # + # OperationsCenter.ExtraVolumeMounts -- Extra volume mounts to add to the container containing Operations Center + ExtraVolumeMounts: [] # ExtraVolumeMounts: # - name: my-volume # mountPath: /var/my-path @@ -241,7 +253,7 @@ Master: # Docker image inserted in Operations Center automatically Image: # Master.Image.dockerImage -- Used to override the default docker image - dockerImage: dcar/core-mm:2.263.2.4-ra + dockerImage: dcar/core-mm:2.277.1.7-ra # Master.JavaOpts -- Additional Java options to pass to managed masters. For example, setting up a JMX port JavaOpts: null 
@@ -258,7 +270,7 @@ Agents: Create: false Image: # Agents.Image.dockerImage -- Used to override the default docker image used for agents - dockerImage: dcar/agent:2.263.2.4-ra + dockerImage: dcar/agent:2.277.1.7-ra # Image pull secrets # Enable this option when using a private registry. # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line diff --git a/scripts/usr/local/bin/jenkins.sh b/scripts/usr/local/bin/jenkins.sh index e82afca..bbfd10f 100644 --- a/scripts/usr/local/bin/jenkins.sh +++ b/scripts/usr/local/bin/jenkins.sh @@ -52,7 +52,7 @@ find /usr/share/jenkins/ref/ -type f -exec bash -c "copy_reference_file '{}'" \; # if `docker run` first argument start with `--` the user is passing jenkins launcher arguments if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then - eval "exec java ${JAVA_OPTS:-} -jar -Dcb.distributable.name=\"Docker Common CJE\" -Dcb.distributable.commit_sha=69f7102311718b7e0fbed31edb877f1352ca5cf1 /usr/share/jenkins/jenkins.war $JENKINS_OPTS \"\$@\"" + eval "exec java ${JAVA_OPTS:-} -jar -Dcb.distributable.name=\"Docker Common CJE\" -Dcb.distributable.commit_sha=d7a5eee17fd68064fb4268ca23a591bdc00af60b /usr/share/jenkins/jenkins.war $JENKINS_OPTS \"\$@\"" fi # As argument is not jenkins, assume user want to run his own process, for sample a `bash` shell to explore this image -- GitLab From fe9bd55ca07785f6f9bab7394a7d7e69b34b787c Mon Sep 17 00:00:00 2001 
From: imontero Date: Wed, 31 Mar 2021 16:48:22 +0000 Subject: [PATCH 2/2] 2.277.2.1-ra --- Dockerfile | 4 +- README.md | 8 +- hardening_manifest.yaml | 8 +- helm/Chart.yaml | 4 +- helm/README-template.md | 8 +- helm/README.md | 8 +- helm/templates/_helpers.tpl | 94 ++++++++++++++++++- .../cjoc-configure-jenkins-groovy.yaml | 2 +- helm/templates/cjoc-ingress.yaml | 20 ++-- helm/templates/cjoc-route.yaml | 4 +- helm/templates/cjoc-statefulset.yaml | 12 ++- ...master-hibernation-monitor-deployment.yaml | 3 + ...ed-master-hibernation-monitor-ingress.yaml | 29 +++--- ...-hibernation-monitor-route-namespaced.yaml | 4 +- ...aged-master-hibernation-monitor-route.yaml | 6 +- helm/values.yaml | 19 +++- scripts/usr/local/bin/jenkins.sh | 2 +- 17 files changed, 175 insertions(+), 60 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9a9f6fa..0e7f94a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -42,8 +42,8 @@ HEALTHCHECK --interval=5m --timeout=3s \ CMD curl -fsL ${JENKINS_URL}/login || exit 1 # L-A-B-E-L securitytxt="https://www.cloudbees.com/.well-known/security.txt" -# L-A-B-E-L release=d7a5eee17fd68064fb4268ca23a591bdc00af60b -# L-A-B-E-L version=2.277.1.7-ra +# L-A-B-E-L release=308768c9f176b5155dd19ff01ca06396b66f5afd +# L-A-B-E-L version=2.277.2.1-ra COPY files.tar /tmp RUN cd / && tar xvf /tmp/files.tar && rm /tmp/files.tar diff --git a/README.md b/README.md index f14508c..cc4dd79 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ CloudBees CI (formerly known as _CloudBees Core_) consists of three Docker image For each image, all files other than UBI and native packages are included in a `files.tar` marked with a SHA-256 checksum. -A version of CloudBees CI is given in the format `2.277.1.7-ra` +A version of CloudBees CI is given in the format `2.277.2.1-ra` where the first three components are aligned with a Jenkins LTS. The Helm chart is coversioned with `core-oc`. The `core-mm` image typically shares the same version, 
@@ -25,13 +25,13 @@ plus whatever other customizations are desired: ```yaml OperationsCenter: Image: - dockerImage: your-registry/core-oc:2.277.1.7-ra + dockerImage: your-registry/core-oc:2.277.2.1-ra Master: Image: - dockerImage: your-registry/core-mm:2.277.1.7-ra + dockerImage: your-registry/core-mm:2.277.2.1-ra Agents: Image: - dockerImage: your-registry/agent:2.277.1.7-ra + dockerImage: your-registry/agent:2.277.2.1-ra ``` and [install via Helm 3](https://docs.cloudbees.com/docs/cloudbees-core/latest/kubernetes-install-guide/installing-kubernetes-using-helm) using the local copy of the chart: diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index decc513..5fe8b0d 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: "cloudbees/core/core-oc" tags: -- "2.277.1.7-ra" +- "2.277.2.1-ra" - latest labels: org.opencontainers.image.title: "core-oc" @@ -9,7 +9,7 @@ labels: org.opencontainers.image.licenses: proprietary org.opencontainers.image.url: https://docs.cloudbees.com/docs/cloudbees-ci/ org.opencontainers.image.vendor: CloudBees - org.opencontainers.image.version: "2.277.1.7-ra" + org.opencontainers.image.version: "2.277.2.1-ra" mil.dso.ironbank.image.keywords: cicd mil.dso.ironbank.image.type: commercial mil.dso.ironbank.product.name: CloudBees CI @@ -18,10 +18,10 @@ args: BASE_TAG: "1.8.0" resources: - filename: files.tar - url: https://downloads.cloudbees.com/dsop-files/core-oc-files-5ef009a0f4b225510975a80b9a9ab9327de74ba12412d7044c9ef589f4521a3d.tar + url: https://downloads.cloudbees.com/dsop-files/core-oc-files-a8c75c110388343781c00894fcade262363681eb914929bf19c94be5195463a3.tar validation: type: sha256 - value: "5ef009a0f4b225510975a80b9a9ab9327de74ba12412d7044c9ef589f4521a3d" + value: "a8c75c110388343781c00894fcade262363681eb914929bf19c94be5195463a3" maintainers: - email: productivity-team@cloudbees.com name: CloudBees 
diff --git a/helm/Chart.yaml b/helm/Chart.yaml index ab3c7f6..3a767d5 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: cloudbees-core -version: 3.28.1 +version: 3.29.2 description: Enterprise Continuous Integration with Jenkins keywords: - cloudbees @@ -20,7 +20,7 @@ dependencies: repository: https://charts.cloudbees.com/public/cloudbees condition: sidecarinjector.Enabled icon: https://images.ctfassets.net/vtn4rfaw6n2j/7xprMMXARXDBuVxW4y8XfV/349fff91035050e3f2a8ff37bc0615b5/cloudbees-core-logo_header.svg -appVersion: 2.277.1.2 +appVersion: 2.277.2.3 annotations: artifacthub.io/links: | - name: Product overview diff --git a/helm/README-template.md b/helm/README-template.md index 4d452b0..1f637a4 100644 --- a/helm/README-template.md +++ b/helm/README-template.md @@ -1,6 +1,6 @@ # cloudbees-core -![Version: 3.28.1](https://img.shields.io/badge/Version-3.28.1-informational?style=flat-square) ![AppVersion: 2.277.1.2](https://img.shields.io/badge/AppVersion-2.277.1.2-informational?style=flat-square) +![Version: 3.29.2](https://img.shields.io/badge/Version-3.29.2-informational?style=flat-square) ![AppVersion: 2.277.2.3](https://img.shields.io/badge/AppVersion-2.277.2.3-informational?style=flat-square) [CloudBees CI](https://www.cloudbees.com/products/continuous-integration) is the continuous integration platform architected for the enterprise. It provides: 
@@ -114,7 +114,7 @@ CloudBees provides complete and more detailed installation and operation documen | Agents.SeparateNamespace.Enabled | bool | `false` | If enabled, agents resources will be created in a separate namespace as well as bindings allowing masters to schedule them. | | Agents.SeparateNamespace.Name | string | `nil` | Namespace where to create agents resources. Defaults to `${namespace}-builds` where `${namespace}` is the namespace where the chart is installed. | | Hibernation.Enabled | bool | `false` | Whether to enable the [Hibernation](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-admin-guide/managing-masters#_hibernation_of_managed_masters) feature | -| Hibernation.Image.dockerImage | string | `"cloudbees/managed-master-hibernation-monitor:230.ee066a318539"` | Used to override the default docker image | +| Hibernation.Image.dockerImage | string | `"cloudbees/managed-master-hibernation-monitor:247.c5dfce00a179"` | Used to override the default docker image | | Hibernation.Image.dockerPullPolicy | string | `nil` | Used to override the default pull policy | | Hibernation.ImagePullSecrets | string | `nil` | Name of image pull secret to pull private Docker images or an array of image pull secrets | | Hibernation.NodeSelector | object | `{}` | Node labels and tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | 
@@ -130,7 +130,7 @@ CloudBees provides complete and more detailed installation and operation documen | OperationsCenter.Annotations | object | `{}` | Additional annotations to put on the pod running Operations Center | | OperationsCenter.CSRF.ProxyCompatibility | bool | `false` | Proxy compatibility for the default CSRF issuer | | OperationsCenter.ContainerPort | int | `8080` | Container port for http traffic | -| OperationsCenter.ContextPath | string | `"/cjoc"` | the path under which Operations Center will be accessible in the given host. | +| OperationsCenter.ContextPath | string | `nil` | the path under which Operations Center will be accessible in the given host. DEPRECATED - Use OperationsCenter.Name instead. | | OperationsCenter.Enabled | bool | `true` | Disable for particular use case like setting up namespaces to host masters only | | OperationsCenter.ExtraConfigMaps | list | `[]` | Extra configmaps deployed with the chart | | OperationsCenter.ExtraContainers | list | `[]` | Extra containers to add to the pod containing Operations Center. | 
@@ -151,6 +151,7 @@ CloudBees provides complete and more detailed installation and operation documen | OperationsCenter.JenkinsOpts | string | `nil` | Additional arguments for jenkins.war | | OperationsCenter.LoadBalancerIP | string | `nil` | Optionally assign a known public LB IP | | OperationsCenter.LoadBalancerSourceRanges | list | `["0.0.0.0/0"]` | Only applicable when using `ServiceType: LoadBalancer` | +| OperationsCenter.Name | string | `"cjoc"` | the name in the URL under which Operations Center will be accessible in the given host. For instance, if Subdomain is true, the URL to access Operations Center will be {{OperationsCenter.Protocol}}://{{OperationsCenter.Name}}.{{OperationsCenter.HostName}}:{{OperationsCenter.Port}} If Subdomain is false, the URL to access Operations Center will be {{OperationsCenter.Protocol}}://{{OperationsCenter.HostName}}:{{OperationsCenter.Port}}/{{OperationsCenter.Name}} | | OperationsCenter.NodeSelector | object | `{}` | Node labels and tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | | OperationsCenter.Platform | string | `"standard"` | Enables specific settings depending on the platform platform specific values are: `eks`, `aws`, `gke`, `aks`, `openshift`, `openshift4` Note: `openshift` maps to OpenShift 3.x | | OperationsCenter.Protocol | string | `"http"` | the protocol used to access CJOC. Possible values are http/https. | 
@@ -176,6 +177,7 @@ CloudBees provides complete and more detailed installation and operation documen | Persistence.StorageClass | string | `nil` | Persistent Volume Storage Class for Jenkins Home If defined, storageClassName: . If set to "-", storageClassName: "", which disables dynamic provisioning. If undefined (the default) or set to null, the default storage class will be used, unless specified otherwise below. If setting OperationsCenter.Platform == gke, a storage class backed with SSD drives will be created by this chart and used automatically. | | PodSecurityPolicy.Annotations | object | `{}` | Additional annotations to put on the PodSecurityPolicy, e.g. AppArmor/Seccomp settings | | PodSecurityPolicy.Enabled | bool | `false` | Enables [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) support Enable only if the cluster supports it. | +| Subdomain | bool | `false` | Whether to use a DNS subdomain for each controller. | | ingress-nginx.Enabled | bool | `false` | Installs the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx) controller (optional). Enable this section if you don't have an existing installation of ingress-nginx controller Note: use `beta.kubernetes.io/os` when deploying on Kubernetes versions below 1.16 | | ingress-nginx.controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | ingress-nginx.controller.ingressClass | string | `"nginx"` | | diff --git a/helm/README.md b/helm/README.md index fb94fbb..1d07880 100644 --- a/helm/README.md +++ b/helm/README.md 
@@ -1,6 +1,6 @@ # cloudbees-core -![Version: 3.28.1](https://img.shields.io/badge/Version-3.28.1-informational?style=flat-square) ![AppVersion: 2.277.1.2](https://img.shields.io/badge/AppVersion-2.277.1.2-informational?style=flat-square) +![Version: 3.29.2](https://img.shields.io/badge/Version-3.29.2-informational?style=flat-square) ![AppVersion: 2.277.2.3](https://img.shields.io/badge/AppVersion-2.277.2.3-informational?style=flat-square) [CloudBees CI](https://www.cloudbees.com/products/continuous-integration) is the continuous integration platform architected for the enterprise. It provides: 
@@ -114,7 +114,7 @@ CloudBees provides complete and more detailed installation and operation documen | Agents.SeparateNamespace.Enabled | bool | `false` | If enabled, agents resources will be created in a separate namespace as well as bindings allowing masters to schedule them. | | Agents.SeparateNamespace.Name | string | `nil` | Namespace where to create agents resources. Defaults to `${namespace}-builds` where `${namespace}` is the namespace where the chart is installed. | | Hibernation.Enabled | bool | `false` | Whether to enable the [Hibernation](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-admin-guide/managing-masters#_hibernation_of_managed_masters) feature | -| Hibernation.Image.dockerImage | string | `"cloudbees/managed-master-hibernation-monitor:230.ee066a318539"` | Used to override the default docker image | +| Hibernation.Image.dockerImage | string | `"cloudbees/managed-master-hibernation-monitor:247.c5dfce00a179"` | Used to override the default docker image | | Hibernation.Image.dockerPullPolicy | string | `nil` | Used to override the default pull policy | | Hibernation.ImagePullSecrets | string | `nil` | Name of image pull secret to pull private Docker images or an array of image pull secrets | | Hibernation.NodeSelector | object | `{}` | Node labels and tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | 
@@ -130,7 +130,7 @@ CloudBees provides complete and more detailed installation and operation documen | OperationsCenter.Annotations | object | `{}` | Additional annotations to put on the pod running Operations Center | | OperationsCenter.CSRF.ProxyCompatibility | bool | `false` | Proxy compatibility for the default CSRF issuer | | OperationsCenter.ContainerPort | int | `8080` | Container port for http traffic | -| OperationsCenter.ContextPath | string | `"/cjoc"` | the path under which Operations Center will be accessible in the given host. | +| OperationsCenter.ContextPath | string | `nil` | the path under which Operations Center will be accessible in the given host. DEPRECATED - Use OperationsCenter.Name instead. | | OperationsCenter.Enabled | bool | `true` | Disable for particular use case like setting up namespaces to host masters only | | OperationsCenter.ExtraConfigMaps | list | `[]` | Extra configmaps deployed with the chart | | OperationsCenter.ExtraContainers | list | `[]` | Extra containers to add to the pod containing Operations Center. | 
@@ -151,6 +151,7 @@ CloudBees provides complete and more detailed installation and operation documen | OperationsCenter.JenkinsOpts | string | `nil` | Additional arguments for jenkins.war | | OperationsCenter.LoadBalancerIP | string | `nil` | Optionally assign a known public LB IP | | OperationsCenter.LoadBalancerSourceRanges | list | `["0.0.0.0/0"]` | Only applicable when using `ServiceType: LoadBalancer` | +| OperationsCenter.Name | string | `"cjoc"` | the name in the URL under which Operations Center will be accessible in the given host. For instance, if Subdomain is true, the URL to access Operations Center will be {{OperationsCenter.Protocol}}://{{OperationsCenter.Name}}.{{OperationsCenter.HostName}}:{{OperationsCenter.Port}} If Subdomain is false, the URL to access Operations Center will be {{OperationsCenter.Protocol}}://{{OperationsCenter.HostName}}:{{OperationsCenter.Port}}/{{OperationsCenter.Name}} | | OperationsCenter.NodeSelector | object | `{}` | Node labels and tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector | | OperationsCenter.Platform | string | `"standard"` | Enables specific settings depending on the platform platform specific values are: `eks`, `aws`, `gke`, `aks`, `openshift`, `openshift4` Note: `openshift` maps to OpenShift 3.x | | OperationsCenter.Protocol | string | `"http"` | the protocol used to access CJOC. Possible values are http/https. | 
@@ -176,6 +177,7 @@ CloudBees provides complete and more detailed installation and operation documen | Persistence.StorageClass | string | `nil` | Persistent Volume Storage Class for Jenkins Home If defined, storageClassName: . If set to "-", storageClassName: "", which disables dynamic provisioning. If undefined (the default) or set to null, the default storage class will be used, unless specified otherwise below. If setting OperationsCenter.Platform == gke, a storage class backed with SSD drives will be created by this chart and used automatically. | | PodSecurityPolicy.Annotations | object | `{}` | Additional annotations to put on the PodSecurityPolicy, e.g. AppArmor/Seccomp settings | | PodSecurityPolicy.Enabled | bool | `false` | Enables [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) support Enable only if the cluster supports it. | +| Subdomain | bool | `false` | Whether to use a DNS subdomain for each controller. | | ingress-nginx.Enabled | bool | `false` | Installs the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx) controller (optional). Enable this section if you don't have an existing installation of ingress-nginx controller Note: use `beta.kubernetes.io/os` when deploying on Kubernetes versions below 1.16 | | ingress-nginx.controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | ingress-nginx.controller.ingressClass | string | `"nginx"` | | diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl index 6b62e4f..90998bf 100644 --- a/helm/templates/_helpers.tpl +++ b/helm/templates/_helpers.tpl @@ -88,6 +88,12 @@ true {{- end -}} {{- end -}} +{{- define "cloudbees-core.use-subdomain" -}} +{{- if and (eq (typeOf .Values.Subdomain) "bool") (eq .Values.Subdomain true) -}} +true +{{- end -}} +{{- end -}} + {{/* Return labels, including instance and name. */}} 
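Review bot: The `typeOf` guard in `cloudbees-core.use-subdomain` does not protect the `eq .Values.Subdomain true` comparison on the Helm builds current when this patch was written: as far as I can tell, Go's text/template `and` evaluated all of its arguments until Go 1.18, so a string value such as `Subdomain: "true"` still reaches `eq` and aborts rendering with an incompatible-types error rather than being treated as false. If fail-closed is the intent, say so in a comment, e.g. `{{/* Subdomain must be a real boolean; a quoted string aborts rendering instead of silently enabling subdomains */}}`; if tolerance is the intent, nest the checks instead: `{{- if eq (typeOf .Values.Subdomain) "bool" }}{{- if .Values.Subdomain }}true{{- end }}{{- end }}`. The same `and (eq (typeOf …) "bool") (eq … false)` pattern appears in `hibernation.routenonnamespacedurls` later in this patch.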
@@ -109,7 +115,18 @@ helm.sh/chart: {{ include "cloudbees-core.chart" . | quote }} Sanitize Operations Center context path to never have a trailing slash */}} {{- define "oc.contextpath" -}} -{{ trimSuffix "/" .Values.OperationsCenter.ContextPath }} +{{- if not (empty .Values.OperationsCenter.ContextPath) -}} +{{- trimSuffix "/" .Values.OperationsCenter.ContextPath -}} +{{- else -}} +{{- if not (include "cloudbees-core.use-subdomain" .) -}} +/ +{{- include "oc.name" . }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "oc.name" -}} +{{ .Values.OperationsCenter.Name }} {{- end -}} {{- define "oc.defaultPort" -}} @@ -130,14 +147,34 @@ Sanitize Operations Center context path to never have a trailing slash Expected Operations Center Hostname. Include port if not 80/443. */}} {{- define "oc.hostname" -}} -{{ .Values.OperationsCenter.HostName }}{{- include "oc.optionalPort" . -}} +{{- include "oc.hostnamewithoutport" . -}}{{- include "oc.optionalPort" . -}} +{{- end -}} + +{{/* +Expected Operations Center Hostname. Include port if not 80/443. +*/}} +{{- define "oc.hostnamewithoutport" -}} +{{- if (include "cloudbees-core.use-subdomain" .) -}} +{{- include "oc.name" . -}}. +{{- end -}} +{{ .Values.OperationsCenter.HostName }} +{{- end -}} + +{{/* +Expected Operations Center Hostname. Include port if not 80/443. +*/}} +{{- define "hibernation.hostnamewithoutport" -}} +{{- if (include "cloudbees-core.use-subdomain" .) -}} +hibernation-{{ .Release.Namespace }}. +{{- end -}} +{{ .Values.OperationsCenter.HostName }} {{- end -}} {{/* Expected Operations Center URL. Always ends with a trailing slash. */}} {{- define "oc.url" -}} -{{- template "oc.protocol" . -}}://{{ include "oc.hostname" . }}{{ include "oc.contextpath" . }}/ +{{- include "oc.protocol" . -}}://{{ include "oc.hostname" . }}{{ include "oc.contextpath" . }}/ {{- end -}} {{- define "ingress.annotations" -}} 
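Review bot: `oc.name` emits `.Values.OperationsCenter.Name` untouched, yet the value is now spliced into a DNS label (`oc.hostnamewithoutport`), a URL path (`/{{ include "oc.name" . }}`) and, through `oc.contextpath`, into ingress annotations — unlike `ContextPath`, which is at least run through `trimSuffix "/"`. A Name containing `/`, `.`, uppercase or whitespace silently yields an invalid host or a different path than documented, so normalise and validate it in one place: `{{- define "oc.name" -}}{{ required "OperationsCenter.Name must be set" .Values.OperationsCenter.Name | trimAll "/" }}{{- end -}}`, and when `Subdomain` is on `fail` unless it matches `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`. `oc.contextpath` also deserves a comment stating that it returns an empty string in subdomain mode, since callers append `/login` and similar to it.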
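Review bot: The doc comment above `hibernation.hostnamewithoutport` (and the one above `oc.hostnamewithoutport`) is copied from `oc.hostname` and says "Include port if not 80/443", which is exactly what these two helpers do not do; replace them with `{{/* Operations Center host without port; prefixed with "<Name>." when Subdomain is enabled */}}` and `{{/* Hibernation monitor host without port; prefixed with "hibernation-<namespace>." when Subdomain is enabled */}}`. The same comment should warn that in subdomain mode both helpers emit a non-empty string (`cjoc.` / `hibernation-<ns>.`) even when `OperationsCenter.HostName` is unset, so callers that test the result for emptiness as a proxy for "hostname configured" will be fooled.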
@@ -161,6 +198,21 @@ nginx.ingress.kubernetes.io/ssl-redirect: "{{- template "ingress.ssl_redirect" .
 {{- end }}
 {{- end }}
 
+{{- define "cjoc.ingress.annotations" -}}
+{{ include "ingress.annotations" . }}
+{{- if eq .Values.OperationsCenter.Platform "eks" }}
+alb.ingress.kubernetes.io/healthcheck-path: {{ include "oc.contextpath" . }}/login
+{{- end }}
+{{- end }}
+
+{{- define "hibernationMonitor.ingress.annotations" -}}
+{{ include "ingress.annotations" . }}
+{{- if eq .Values.OperationsCenter.Platform "eks" }}
+alb.ingress.kubernetes.io/healthcheck-path: /health/live
+{{- end }}
+{{- end }}
+
+
 {{- define "ingress.root-redirect" -}}
 {{ include "oc.contextpath" . }}/teams-check/
 {{- end }}
@@ -191,7 +243,9 @@ extensions
 {{- end -}}
 
 {{- define "ingress.apiVersion" -}}
-{{- if ge (atoi (.Capabilities.KubeVersion.Minor)) 15 -}}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+networking.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
 networking.k8s.io/v1beta1
 {{- else -}}
 extensions/v1beta1
@@ -202,6 +256,30 @@ extensions/v1beta1
 {{- .Values.OperationsCenter.Ingress.tls.Enable }}
 {{- end -}}
 
+{{- define "ingress.backend.cjoc" -}}
+{{- if eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}}
+service:
+ name: cjoc
+ port:
+ number: {{ .Values.OperationsCenter.ServicePort }}
+{{- else -}}
+serviceName: cjoc
+servicePort: {{ .Values.OperationsCenter.ServicePort }}
+{{- end -}}
+{{- end -}}
+
+{{- define "ingress.backend.hibernation" -}}
+{{- if eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}}
+service:
+ name: managed-master-hibernation-monitor
+ port:
+ number: 80
+{{- else -}}
+serviceName: managed-master-hibernation-monitor
+servicePort: 80
+{{- end -}}
+{{- end -}}
+
 {{/*
 If rbac.installCluster is defined, honor it.
 Otherwise, default to true, except on Openshift 3 where we default to "" (falsy)
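Review bot: `hibernationMonitor.ingress.annotations` uses a camelCase prefix while every other helper introduced by this commit is lower-case dotted (`cjoc.ingress.annotations`, `hibernation.hostnamewithoutport`, `ingress.backend.hibernation`); `hibernation.ingress.annotations` would fit. Both helpers also repeat the `eks` platform test and the `ingress.annotations` prefix, and the two extra blank lines before `ingress.root-redirect` exceed the single blank used between the other defines. A one-line comment per define, e.g. `Ingress annotations for Operations Center; on EKS also sets the ALB health-check path.`, would help readers who only see the call sites.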
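Review bot: `ingress.apiVersion` now relies on `.Capabilities.APIVersions`, which is empty when the chart is rendered without a cluster (`helm template`), so the helper silently picks `extensions/v1beta1` for every Ingress in the chart; that API group was removed in Kubernetes 1.22, so manifests rendered offline and applied later are rejected there. This deserves a comment above the define so the fallback is not mistaken for a bug, e.g. `Newest Ingress API the cluster advertises; offline rendering sees no capabilities and falls back to extensions/v1beta1 unless --api-versions networking.k8s.io/v1/Ingress is passed.`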
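Review bot: `ingress.backend.cjoc` and `ingress.backend.hibernation` are the same template with two literals swapped, and the hibernation variant repeats the literal port `80` in both branches. One parameterised helper, as below, keeps the API-version switch in a single place; callers would pass `include "ingress.backend" (dict "root" . "name" "cjoc" "port" .Values.OperationsCenter.ServicePort)`, and the helper has to use `.root` for the `ingress.apiVersion` lookup because `.` is then the dict.
```gotemplate
{{- define "ingress.backend" -}}
{{- if eq (include "ingress.apiVersion" .root) "networking.k8s.io/v1" -}}
service:
  name: {{ .name }}
  port:
    number: {{ .port }}
{{- else -}}
serviceName: {{ .name }}
servicePort: {{ .port }}
{{- end -}}
{{- end -}}
```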
@@ -471,3 +549,11 @@ status: true
 {{- end -}}
 {{- end -}}
 
+
+{{- define "hibernation.routenonnamespacedurls" -}}
+{{- if and (eq (typeOf .Values.OperationsCenter.Enabled) "bool") (eq .Values.OperationsCenter.Enabled false) -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
diff --git a/helm/templates/cjoc-configure-jenkins-groovy.yaml b/helm/templates/cjoc-configure-jenkins-groovy.yaml
index ac45647..fddeb08 100644
--- a/helm/templates/cjoc-configure-jenkins-groovy.yaml
+++ b/helm/templates/cjoc-configure-jenkins-groovy.yaml
@@ -7,7 +7,7 @@ metadata:
 {{ include "cloudbees-core.labels" . | indent 4 }}
 data:
 location.groovy: |
-{{- if .Values.OperationsCenter.HostName }}
+{{- if (include "oc.hostnamewithoutport" .) }}
 jenkins.model.JenkinsLocationConfiguration.get().setUrl("{{- template "oc.url" . -}}")
 {{- end }}
 {{- if .Values.OperationsCenter.ExtraGroovyConfiguration }}
diff --git a/helm/templates/cjoc-ingress.yaml b/helm/templates/cjoc-ingress.yaml
index 123a793..037c863 100644
--- a/helm/templates/cjoc-ingress.yaml
+++ b/helm/templates/cjoc-ingress.yaml
@@ -8,7 +8,7 @@ metadata:
 labels:
 {{ include "cloudbees-core.labels" . | indent 4 }}
 annotations:
-{{ include "ingress.annotations" . | indent 4 }}
+{{ include "cjoc.ingress.annotations" . | indent 4 }}
 {{- if not (include "cloudbees-core.is-openshift" .) }}
 nginx.ingress.kubernetes.io/app-root: {{ include "ingress.root-redirect" . | quote }}
 # "413 Request Entity Too Large" uploading plugins, increase client_max_body_size
@@ -18,24 +18,26 @@ metadata:
 spec:
 rules:
 -
-{{- if .Values.OperationsCenter.HostName }}
- host: {{ .Values.OperationsCenter.HostName | quote }}
+{{- if (include "oc.hostnamewithoutport" . ) }}
+ host: {{ include "oc.hostnamewithoutport" . | quote }}
 {{- end }}
 http:
 paths:
 {{- include "ingress.redirect-rules" . | indent 6 }}
- - path: {{ include "oc.contextpath" . }}
+ - path: {{ include "oc.contextpath" . | quote }}
 backend:
- serviceName: cjoc
- servicePort: {{ .Values.OperationsCenter.ServicePort }}
+{{ include "ingress.backend.cjoc" . | indent 10 -}}
+{{ if eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" }}
+ pathType: Prefix
+{{ else }}
 - path: {{ include "oc.contextpath" . }}/*
 backend:
- serviceName: cjoc
- servicePort: {{ .Values.OperationsCenter.ServicePort }}
+{{ include "ingress.backend.cjoc" . | indent 10 -}}
+{{- end -}}
 {{- if .Values.OperationsCenter.Ingress.tls.Enable }}
 tls:
 - hosts:
- - {{ .Values.OperationsCenter.HostName | quote }}
+ - {{ include "oc.hostnamewithoutport" . | quote }}
 secretName: {{ .Values.OperationsCenter.Ingress.tls.SecretName }}
 {{- end -}}
 {{- end -}}
diff --git a/helm/templates/cjoc-route.yaml b/helm/templates/cjoc-route.yaml
index def9f6f..e723d77 100644
--- a/helm/templates/cjoc-route.yaml
+++ b/helm/templates/cjoc-route.yaml
@@ -7,8 +7,8 @@ metadata:
 labels:
 {{ include "cloudbees-core.labels" . | indent 4 }}
 spec:
-{{- if .Values.OperationsCenter.HostName }}
- host: {{ .Values.OperationsCenter.HostName | quote }}
+{{- if (include "oc.hostnamewithoutport" .) }}
+ host: {{ include "oc.hostnamewithoutport" . | quote }}
 {{- end }}
 path: {{ include "oc.contextpath" . | quote }}
 to:
diff --git a/helm/templates/cjoc-statefulset.yaml b/helm/templates/cjoc-statefulset.yaml
index bab0812..9923a51 100644
--- a/helm/templates/cjoc-statefulset.yaml
+++ b/helm/templates/cjoc-statefulset.yaml
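Review bot: `- path: {{ include "oc.contextpath" . | quote }}` renders `path: ""` when `Subdomain` is true, because the helper emits nothing in that mode, and the `networking.k8s.io/v1` branch then pairs it with `pathType: Prefix`, which the API server rejects since Prefix and Exact paths must start with `/`. `- path: {{ include "oc.contextpath" . | default "/" | quote }}` keeps `/cjoc` in path mode and gives subdomain mode a valid root match; the legacy branch builds `/*` from the same empty value and is unaffected. The `{{ if ... }}`/`{{ else }}` tags here carry no `-` trim markers, unlike the identical construct in the hibernation-monitor ingress, which leaves a blank line before `tls:` in the v1 branch; harmless, but worth aligning.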
@@ -116,6 +116,10 @@ spec:
 -Dcom.cloudbees.jenkins.plugins.kube.NamespaceFilter.defaultNamespace={{ template "agents.namespace" . }}
 {{- end }}
 -Dcom.cloudbees.jenkins.plugins.kube.ServiceAccountFilter.defaultServiceAccount={{ .Values.rbac.agentsServiceAccountName }}
+ -Dcom.cloudbees.networking.useSubdomain={{ default "false" (include "cloudbees-core.use-subdomain" .) }}
+ -Dcom.cloudbees.networking.protocol={{ include "oc.protocol" . }}
+ -Dcom.cloudbees.networking.hostname={{ .Values.OperationsCenter.HostName }}
+ -Dcom.cloudbees.networking.port={{ include "oc.port" . }}
 {{- if .Values.Master.JavaOpts }}
 {{ .Values.Master.JavaOpts }}
 {{- end }}
@@ -137,6 +141,10 @@ spec:
 -Dcom.cloudbees.opscenter.analytics.reporter.JocAnalyticsReporter.PERIOD=120
 -Dcom.cloudbees.opscenter.analytics.reporter.metrics.AperiodicMetricSubmitter.PERIOD=120
 -Dcom.cloudbees.opscenter.analytics.FeederConfiguration.PERIOD=120
+ -Dcom.cloudbees.networking.useSubdomain={{ default "false" (include "cloudbees-core.use-subdomain" .) }}
+ -Dcom.cloudbees.networking.protocol={{ include "oc.protocol" . }}
+ -Dcom.cloudbees.networking.hostname={{ .Values.OperationsCenter.HostName }}
+ -Dcom.cloudbees.networking.port={{ include "oc.port" . }}
 -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesMasterProvisioning.fsGroup={{ include "oc.fsGroup" . }}
 -Dcom.cloudbees.jce.masterprovisioning.DockerImageDefinitionConfiguration.disableAutoConfiguration=true
 -Dcom.cloudbees.jce.masterprovisioning.DockerImageDefinitionConfiguration.masterImageName={{ include "mm.longname" . | quote}}
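Review bot: The four `-Dcom.cloudbees.networking.*` options are pasted verbatim into both JAVA_OPTS blocks of this StatefulSet (this hunk and the one at `@@ -137`), and the `default "false" (include "cloudbees-core.use-subdomain" .)` expression is repeated a third time in the hibernation-monitor Deployment; a named template in _helpers.tpl, as below, keeps the copies in step, with each block reduced to `{{ include "oc.networking.javaopts" . | indent N }}` at the block's own indent. Note also that `hostname={{ .Values.OperationsCenter.HostName }}` is the bare value rather than `oc.hostnamewithoutport`, so it renders as an empty `hostname=` when `HostName` is null; presumably intended, since the consumer appears to compose the subdomain itself, but a comment saying so would stop the next reader from "fixing" it. Both enclosing blocks start and end outside the hunk.
```yaml
{{/* JVM options describing how Operations Center is reached; shared by both JAVA_OPTS blocks. */}}
{{- define "oc.networking.javaopts" -}}
-Dcom.cloudbees.networking.useSubdomain={{ default "false" (include "cloudbees-core.use-subdomain" .) }}
-Dcom.cloudbees.networking.protocol={{ include "oc.protocol" . }}
-Dcom.cloudbees.networking.hostname={{ .Values.OperationsCenter.HostName }}
-Dcom.cloudbees.networking.port={{ include "oc.port" . }}
{{- end -}}
```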
@@ -151,7 +159,7 @@ spec:
 {{- if .Values.OperationsCenter.Ingress.Class }}
 -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesMasterProvisioning.ingressClass={{ .Values.OperationsCenter.Ingress.Class }}
 {{- end }}
- {{- if not (.Values.OperationsCenter.HostName) }}
+ {{- if not (include "oc.hostnamewithoutport" .) }}
 -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesClusterEndpoint.wildcardIngress=true
 {{- end }}
 {{- if .Values.OperationsCenter.JavaOpts }}
@@ -164,7 +172,7 @@ spec:
 {{- if .Values.OperationsCenter.HostName }}
 -Dcom.cloudbees.jenkins.plugins.platform.PlatformConfiguration.url={{- include "oc.protocol" . -}}://{{ include "oc.hostname" . }}/
 {{- end }}
- -Dcom.cloudbees.jenkins.plugins.platform.PlatformServer.apiUrl=https://flow-server:8443/
+ -Dcom.cloudbees.jenkins.plugins.platform.PlatformServer.apiUrl=https://flow-server.{{ .Release.Namespace }}:8443/
 {{- end }}
 -XX:+UseG1GC
 -XX:+DisableExplicitGC
diff --git a/helm/templates/managed-master-hibernation-monitor-deployment.yaml b/helm/templates/managed-master-hibernation-monitor-deployment.yaml
index 9c7e106..40baf49 100644
--- a/helm/templates/managed-master-hibernation-monitor-deployment.yaml
+++ b/helm/templates/managed-master-hibernation-monitor-deployment.yaml
@@ -48,6 +48,9 @@ spec:
 imagePullPolicy: {{ .dockerPullPolicy }}
 {{- end}}
 {{- end}}
+ args:
+ - '-Dcom.cloudbees.networking.useSubdomain={{ default "false" (include "cloudbees-core.use-subdomain" .) }}'
+ - '-Dcom.cloudbees.networking.routeNonnamespacedURLs={{- include "hibernation.routenonnamespacedurls" . }}'
 ports:
 - containerPort: 8090
 name: http
diff --git a/helm/templates/managed-master-hibernation-monitor-ingress.yaml b/helm/templates/managed-master-hibernation-monitor-ingress.yaml
index f1ee17e..a1c07c4 100644
--- a/helm/templates/managed-master-hibernation-monitor-ingress.yaml
+++ b/helm/templates/managed-master-hibernation-monitor-ingress.yaml
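Review bot: Setting `args:` on the hibernation-monitor container replaces whatever default arguments the image's CMD carried, so any option the image relied on passing to its entrypoint is dropped unless it is listed here; worth confirming against the image, and worth a comment such as `# Overrides the image CMD: every runtime option must be listed here.` The second argument opens with `{{-`, which trims nothing because it directly follows `=`, and differs from the first argument's plain `{{`; drop the dash for consistency. Keeping both values in single-quoted scalars is right, since the template expansions contain double quotes. The container block starts before the hunk.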
@@ -7,35 +7,40 @@ metadata:
 labels:
 {{ include "cloudbees-core.labels" . | indent 4 }}
 annotations:
-{{ include "ingress.annotations" . | indent 4 }}
+{{ include "hibernationMonitor.ingress.annotations" . | indent 4}}
 spec:
 rules:
 -
-{{- if .Values.OperationsCenter.HostName }}
- host: {{ .Values.OperationsCenter.HostName | quote }}
+{{- if (include "hibernation.hostnamewithoutport" . ) }}
+ host: {{ include "hibernation.hostnamewithoutport" . | quote }}
 {{- end }}
 http:
 paths:
 - path: /hibernation/ns/{{ .Release.Namespace }}/
 backend:
- serviceName: managed-master-hibernation-monitor
- servicePort: 80
+{{ include "ingress.backend.hibernation" . | indent 10 }}
+{{- if eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" }}
+ pathType: Prefix
+{{- else }}
 - path: /hibernation/ns/{{ .Release.Namespace }}/*
 backend:
- serviceName: managed-master-hibernation-monitor
- servicePort: 80
+
+{{ include "ingress.backend.hibernation" . | indent 10 }}
+{{- end }}
 - path: /hibernation/
 backend:
- serviceName: managed-master-hibernation-monitor
- servicePort: 80
+{{ include "ingress.backend.hibernation" . | indent 10 }}
+{{- if eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" }}
+ pathType: Prefix
+{{- else }}
 - path: /hibernation/*
 backend:
- serviceName: managed-master-hibernation-monitor
- servicePort: 80
+{{ include "ingress.backend.hibernation" . | indent 10 }}
+{{- end }}
 {{- if .Values.OperationsCenter.Ingress.tls.Enable }}
 tls:
 - hosts:
- - {{ .Values.OperationsCenter.HostName | quote }}
+ - {{ include "hibernation.hostnamewithoutport" . | quote }}
 secretName: {{ .Values.OperationsCenter.Ingress.tls.SecretName }}
 {{- end -}}
 {{- end -}}
diff --git a/helm/templates/managed-master-hibernation-monitor-route-namespaced.yaml b/helm/templates/managed-master-hibernation-monitor-route-namespaced.yaml
index 3a7d53d..33d125a 100644
--- a/helm/templates/managed-master-hibernation-monitor-route-namespaced.yaml
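Review bot: The `networking.k8s.io/v1` switch is copied twice in this ingress, with a stray blank line inside the second legacy branch (the empty added line between `backend:` and the `ingress.backend.hibernation` include) and `indent 4}}` missing its space in the annotations line; neither breaks rendering, but the four path entries differ only in the path literal and would read better as one `range` over the two prefixes with the version switch written once. In the v1 branch `{{- if eq ... }}` trims the newline the include left behind, so `pathType: Prefix` lands directly under `backend:` as intended, whereas the cjoc ingress reaches the same result with `-}}` on the include itself; one spelling for both files would make the two easier to compare.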
+++ b/helm/templates/managed-master-hibernation-monitor-route-namespaced.yaml
@@ -5,8 +5,8 @@ kind: Route
 metadata:
 name: managed-master-hibernation-monitor-namespaced
 spec:
-{{- if .Values.OperationsCenter.HostName }}
- host: {{ .Values.OperationsCenter.HostName | quote }}
+{{- if (include "hibernation.hostnamewithoutport" . ) }}
+ host: {{ include "hibernation.hostnamewithoutport" . | quote }}
 {{- end }}
 path: /hibernation/ns/{{ .Release.Namespace }}
 to:
diff --git a/helm/templates/managed-master-hibernation-monitor-route.yaml b/helm/templates/managed-master-hibernation-monitor-route.yaml
index 6b8344e..d1dfacf 100644
--- a/helm/templates/managed-master-hibernation-monitor-route.yaml
+++ b/helm/templates/managed-master-hibernation-monitor-route.yaml
@@ -1,4 +1,3 @@
-{{- if .Values.OperationsCenter.Enabled -}}
 {{- if .Values.Hibernation.Enabled -}}
 {{- if include "cloudbees-core.needs-routes" . -}}
 apiVersion: route.openshift.io/v1
@@ -6,8 +5,8 @@ kind: Route
 metadata:
 name: managed-master-hibernation-monitor
 spec:
-{{- if .Values.OperationsCenter.HostName }}
- host: {{ .Values.OperationsCenter.HostName | quote }}
+{{- if (include "hibernation.hostnamewithoutport" . ) }}
+ host: {{ include "hibernation.hostnamewithoutport" . | quote }}
 {{- end }}
 path: /hibernation
 to:
@@ -21,4 +20,3 @@ spec:
 {{ include "chart.helmRouteFix" $ }}
 {{- end -}}
 {{- end -}}
-{{- end -}}
diff --git a/helm/values.yaml b/helm/values.yaml
index 4edaa61..3725e7b 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
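Review bot: Dropping `{{- if .Values.OperationsCenter.Enabled -}}` means every namespace with `Hibernation.Enabled` now creates a Route named `managed-master-hibernation-monitor` for the non-namespaced `/hibernation` path on the shared `OperationsCenter.HostName`; with several releases on one host, the OpenShift router by default admits only the first Route claiming a given host and path and leaves the others rejected, so as far as I can tell only one namespace's monitor would be reachable at that URL. If serving the non-namespaced URLs from a namespace without Operations Center is the intent (it matches the new `routeNonnamespacedURLs` argument), a comment above the remaining `if`, e.g. `# One release per host should enable this: the /hibernation path is not namespaced.`, would make the constraint explicit. The namespaced Route in the previous file is unaffected because its path carries the namespace.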
@@ -2,6 +2,9 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
+# Subdomain -- Whether to use a DNS subdomain for each controller.
+Subdomain: false
+
 # ingress-nginx.Enabled -- Installs the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx) controller (optional).
 # Enable this section if you don't have an existing installation of ingress-nginx controller
 # Note: use `beta.kubernetes.io/os` when deploying on Kubernetes versions below 1.16
@@ -54,7 +57,7 @@ OperationsCenter:
 # Operations Center docker image
 Image:
 # OperationsCenter.Image.dockerImage -- Container image to use for Operations Center
- dockerImage: dcar/core-oc:2.277.1.7-ra
+ dockerImage: dcar/core-oc:2.277.2.1-ra
 # OperationsCenter.Image.dockerPullPolicy -- https://kubernetes.io/docs/concepts/containers/images/#updating-images
 dockerPullPolicy: null
 
@@ -73,7 +76,13 @@ OperationsCenter:
 HostName: null
 
 # OperationsCenter.ContextPath -- the path under which Operations Center will be accessible in the given host.
- ContextPath: /cjoc
+ # DEPRECATED - Use OperationsCenter.Name instead.
+ ContextPath: null
+
+ # OperationsCenter.Name -- the name in the URL under which Operations Center will be accessible in the given host.
+ # For instance, if Subdomain is true, the URL to access Operations Center will be {{OperationsCenter.Protocol}}://{{OperationsCenter.Name}}.{{OperationsCenter.HostName}}:{{OperationsCenter.Port}}
+ # If Subdomain is false, the URL to access Operations Center will be {{OperationsCenter.Protocol}}://{{OperationsCenter.HostName}}:{{OperationsCenter.Port}}/{{OperationsCenter.Name}}
+ Name: cjoc
 
 # OperationsCenter.Protocol -- the protocol used to access CJOC. Possible values are http/https.
 Protocol: http
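Review bot: The new `OperationsCenter.Name` comment describes the URL shapes but not the constraints the value now has to satisfy: in subdomain mode it becomes the leftmost DNS label of the Ingress/Route `host:` and of the TLS `hosts:` entry, so it must be a valid lowercase DNS label, and in path mode it is inserted unescaped into the Ingress `path:`, the `app-root` redirect and the URL written to `location.groovy`. A sentence such as `Must be a valid DNS label (lowercase letters, digits, '-'); it is used verbatim as a hostname component and as a URL path segment.` would prevent surprises. The `Subdomain` comment at the top of the file should likewise say that it only takes effect together with a non-null `OperationsCenter.HostName`, since the helpers prefix `Name.` to that value.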
@@ -253,7 +262,7 @@ Master:
 # Docker image inserted in Operations Center automatically
 Image:
 # Master.Image.dockerImage -- Used to override the default docker image
- dockerImage: dcar/core-mm:2.277.1.7-ra
+ dockerImage: dcar/core-mm:2.277.2.1-ra
 
 # Master.JavaOpts -- Additional Java options to pass to managed masters. For example, setting up a JMX port
 JavaOpts: null
@@ -270,7 +279,7 @@ Agents:
 Create: false
 Image:
 # Agents.Image.dockerImage -- Used to override the default docker image used for agents
- dockerImage: dcar/agent:2.277.1.7-ra
+ dockerImage: dcar/agent:2.277.2.1-ra
 # Image pull secrets
 # Enable this option when using a private registry.
 # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line
@@ -306,7 +315,7 @@ Hibernation:
 Enabled: false
 Image:
 # Hibernation.Image.dockerImage -- Used to override the default docker image
- dockerImage: cloudbees/managed-master-hibernation-monitor:230.ee066a318539
+ dockerImage: cloudbees/managed-master-hibernation-monitor:247.c5dfce00a179
 # Hibernation.Image.dockerPullPolicy -- Used to override the default pull policy
 dockerPullPolicy: null
 # Image pull secrets
diff --git a/scripts/usr/local/bin/jenkins.sh b/scripts/usr/local/bin/jenkins.sh
index bbfd10f..3b94c87 100644
--- a/scripts/usr/local/bin/jenkins.sh
+++ b/scripts/usr/local/bin/jenkins.sh
@@ -52,7 +52,7 @@ find /usr/share/jenkins/ref/ -type f -exec bash -c "copy_reference_file '{}'" \;
 
 # if `docker run` first argument start with `--` the user is passing jenkins launcher arguments
 if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
- eval "exec java ${JAVA_OPTS:-} -jar -Dcb.distributable.name=\"Docker Common CJE\" -Dcb.distributable.commit_sha=d7a5eee17fd68064fb4268ca23a591bdc00af60b /usr/share/jenkins/jenkins.war $JENKINS_OPTS \"\$@\""
+ eval "exec java ${JAVA_OPTS:-} -jar -Dcb.distributable.name=\"Docker Common CJE\" -Dcb.distributable.commit_sha=308768c9f176b5155dd19ff01ca06396b66f5afd /usr/share/jenkins/jenkins.war $JENKINS_OPTS \"\$@\""
 fi
 
 # As argument is not jenkins, assume user want to run his own process, for sample a `bash` shell to explore this image
-- 
GitLab