From 5f31746832059328db2f26a65fedd50b269f7427 Mon Sep 17 00:00:00 2001
From: James Tocknell
Date: Tue, 30 Aug 2022 11:54:48 +1000
Subject: [PATCH 01/29] Add example values file and update readme

We will want to add security configuration details, as well as a real url to the values file.
---
 seeds/README.md | 57 +++
 seeds/values.yaml | 987 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 1044 insertions(+)
 create mode 100644 seeds/values.yaml

diff --git a/seeds/README.md b/seeds/README.md
index 28a9e829..77acf42d 100644
--- a/seeds/README.md
+++ b/seeds/README.md
@@ -1,4 +1,61 @@ +# Seed Jobs for Jenkins + This directory is for seed jobs for jenkins. Whilst it is in theory possible to configure seed jobs via the helm file, it seems the groovy inside yaml inside yaml breaks, and so having the groovy files be separate is a smarter thing to do. + +It appears that the original seed job system was based on +https://github.com/sheehan/job-dsl-gradle-example/. It is worth referring to +that repository to understand how seed jobs are set up. + +## Why use helm to set up jenkins + +As per https://www.jenkins.io/doc/book/installing/kubernetes/, there are three +ways of installing jenkins into a kubernetes cluster: + + 1. Use the kubernetes operator + 2. Use the provided helm chart + 3. Manually define the setup using standard kubernetes objects + +Whilst using the kubernetes operator would be ideal, the way it is currently set +up requires that all plugins and jobs are predefined, and there appears to be no +long term storage of config or runs. As jenkins plugins can be quite finicky, +this involves large amounts of trial and error. + +Whilst manually setting up the system might give more control of the system, it +does involve more maintenance overhead than the other two options, and does not +allow as easy configuration of the system. + +## Setting up helm for installing jenkins + +See https://helm.sh/docs/intro/install/ for how to install helm. + +Once helm is installed, you need to add the helm repository containing the +jenkins helm charts: +``` +helm repo add jenkinsci https://charts.jenkins.io +``` + +This should now appear on the list of installed repositories that appear by +running `helm repo list`. + +## Installing jenkins via helm + +As per https://helm.sh/docs/intro/using_helm/, running: +``` +helm install -n jenkinsci/jenkins -f +``` +will install the jenkins helm chart with the config that has been specific in +the given files. 
+ +You should not need to modify the files too much, but there are certain sections +you will want to be familiar with: + + * `installPlugins` and `additionalPlugins`: Plugins needed for the system. + Jenkins is a bit picky about versions, so you may need to work out which + plugins are leaf plugins and install those, rather than trying to lock + everything. + * `JCasC`: This is where jenkins config is injected. Things like security + properties, seed jobs and authentication are configured here. + * `ingress`: This is where we configure external access to jenkins. diff --git a/seeds/values.yaml b/seeds/values.yaml new file mode 100644 index 00000000..b7f746d7 --- /dev/null +++ b/seeds/values.yaml 
@@ -0,0 +1,987 @@ +# From https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/values.yaml + +# Default values for jenkins. +# This is a YAML-formatted file. +# Declare name/value pairs to be passed into your templates. +# name: value + +## Overrides for generated resource names +# See templates/_helpers.tpl +# nameOverride: +# fullnameOverride: +# namespaceOverride: + +# For FQDN resolving of the controller service. Change this value to match your existing configuration. +# ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md +clusterZone: "cluster.local" + +renderHelmLabels: true + +controller: + # Used for label app.kubernetes.io/component + componentName: "jenkins-controller" + image: "jenkins/jenkins" + # tag: "2.346.3-jdk11" + tagLabel: jdk11 + imagePullPolicy: "Always" + imagePullSecretName: + # Optionally configure lifetime for controller-container + lifecycle: + # postStart: + # exec: + # command: + # - "uname" + # - "-a" + disableRememberMe: false + numExecutors: 0 + # configures the executor mode of the Jenkins node. Possible values are: NORMAL or EXCLUSIVE + executorMode: "NORMAL" + # This is ignored if enableRawHtmlMarkupFormatter is true + markupFormatter: plainText + customJenkinsLabels: [] + # The default configuration uses this secret to configure an admin user + # If you don't need that user or use a different security realm then you can disable it + adminSecret: true + + hostNetworking: false + # When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist. + # If you disable the non-Jenkins identity store and instead use the Jenkins internal one, + # you should revert controller.adminUser to your preferred admin user: + adminUser: "admin" + # adminPassword: + admin: + existingSecret: "" + userKey: jenkins-admin-user + passwordKey: jenkins-admin-password + # This values should not be changed unless you use your custom image of jenkins or any devired from. 
If you want to use + # Cloudbees Jenkins Distribution docker, you should set jenkinsHome: "/var/cloudbees-jenkins-distribution" + jenkinsHome: "/var/jenkins_home" + # This values should not be changed unless you use your custom image of jenkins or any devired from. If you want to use + # Cloudbees Jenkins Distribution docker, you should set jenkinsRef: "/usr/share/cloudbees-jenkins-distribution/ref" + jenkinsRef: "/usr/share/jenkins/ref" + # Path to the jenkins war file which is used by jenkins-plugin-cli. + jenkinsWar: "/usr/share/jenkins/jenkins.war" + # Overrides the default arguments passed to the war + # overrideArgs: + # - --httpPort=8080 + resources: + requests: + cpu: "50m" + memory: "256Mi" + limits: + cpu: "2000m" + memory: "4096Mi" + # Overrides the init container default values + # initContainerResources: + # requests: + # cpu: "50m" + # memory: "256Mi" + # limits: + # cpu: "2000m" + # memory: "4096Mi" + # Environment variables that get added to the init container (useful for e.g. http_proxy) + # initContainerEnv: + # - name: http_proxy + # value: "http://192.168.64.1:3128" + # containerEnv: + # - name: http_proxy + # value: "http://192.168.64.1:3128" + # Set min/max heap here if needed with: + # javaOpts: "-Xms512m -Xmx512m" + # jenkinsOpts: "" + # If you are using the ingress definitions provided by this chart via the `controller.ingress` block the configured hostname will be the ingress hostname starting with `https://` or `http://` depending on the `tls` configuration. + # The Protocol can be overwritten by specifying `controller.jenkinsUrlProtocol`. + # jenkinsUrlProtocol: "https" + # If you are not using the provided ingress you can specify `controller.jenkinsUrl` to change the url definition. 
+ # jenkinsUrl: "" + # If you set this prefix and use ingress controller then you might want to set the ingress path below + # jenkinsUriPrefix: "/jenkins" + # Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) + usePodSecurityContext: true + # Note that `runAsUser`, `fsGroup`, and `securityContextCapabilities` are + # being deprecated and replaced by `podSecurityContextOverride`. + # Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins' which exists in 'jenkins/jenkins' docker image. + # When setting runAsUser to a different value than 0 also set fsGroup to the same value: + runAsUser: 1000 + fsGroup: 1000 + # If you have PodSecurityPolicies that require dropping of capabilities as suggested by CIS K8s benchmark, put them here + securityContextCapabilities: {} + # drop: + # - NET_RAW + # Completely overwrites the contents of the `securityContext`, ignoring the + # values provided for the deprecated fields: `runAsUser`, `fsGroup`, and + # `securityContextCapabilities`. In the case of mounting an ext4 filesystem, + # it might be desirable to use `supplementalGroups` instead of `fsGroup` in + # the `securityContext` block: https://github.com/kubernetes/kubernetes/issues/67014#issuecomment-589915496 + # podSecurityContextOverride: + # runAsUser: 1000 + # runAsNonRoot: true + # supplementalGroups: [1000] + # # capabilities: {} + # Container securityContext + containerSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + servicePort: 8080 + targetPort: 8080 + # For minikube, set this to NodePort, elsewhere use LoadBalancer + # Use ClusterIP if your setup includes ingress controller + serviceType: ClusterIP + # Use Local to preserve the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, + # but risks potentially imbalanced traffic spreading. 
+ serviceExternalTrafficPolicy: + # Jenkins controller service annotations + serviceAnnotations: {} + # Jenkins controller custom labels + statefulSetLabels: {} + # foo: bar + # bar: foo + # Jenkins controller service labels + serviceLabels: {} + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https + # Put labels on Jenkins controller pod + podLabels: {} + # Used to create Ingress record (should used with ServiceType: ClusterIP) + # nodePort: + # -Dcom.sun.management.jmxremote.port=4000 + # -Dcom.sun.management.jmxremote.authenticate=false + # -Dcom.sun.management.jmxremote.ssl=false + # jmxPort: 4000 + # Optionally configure other ports to expose in the controller container + extraPorts: [] + # - name: BuildInfoProxy + # port: 9000 + + # List of plugins to be install during Jenkins controller start + installPlugins: + - kubernetes:3600.v144b_cd192ca_a_ + - workflow-aggregator:581.v0c46fa_697ffd + - job-dsl:1.78.3 + - blueocean:1.25.6 + - configuration-as-code:1414.v878271fc496f + + + # Set to false to download the minimum required version of all dependencies. + installLatestPlugins: true + + # Set to true to download latest dependencies of any plugin that is requested to have the latest version. 
+ installLatestSpecifiedPlugins: true + + # List of plugins to install in addition to those listed in controller.installPlugins + additionalPlugins: + #- ace-editor:1.1 + - antisamy-markup-formatter:1.5 + #- apache-httpcomponents-client-4-api:4.5.13-138.v4e7d9a_7b_a_e61 + - async-http-client:1.9.40.0 + #- authentication-tokens:1.4 + #- blueocean-autofavorite:1.2.5 + #- blueocean-bitbucket-pipeline:1.25.6 + #- blueocean-commons:1.25.6 + #- blueocean-config:1.25.6 + #- blueocean-core-js:1.25.6 + #- blueocean-dashboard:1.25.6 + #- blueocean-display-url:2.4.1 + #- blueocean-events:1.25.6 + #- blueocean-github-pipeline:1.25.6 + #- blueocean-git-pipeline:1.25.6 + #- blueocean-i18n:1.25.6 + #- blueocean-personalization:1.25.6 + #- blueocean-pipeline-api-impl:1.25.6 + #- blueocean-pipeline-editor:1.25.6 + #- blueocean-pipeline-scm-api:1.25.6 + #- blueocean-rest:1.25.6 + #- blueocean-rest-impl:1.25.6 + #- blueocean-web:1.25.6 + #- bootstrap5-api:5.2.0-1 + #- branch-api:2.1046.v0ca_37783ecc5 + - build-timeout:1.21 + - build-user-vars-plugin:1.8 + - checks-api:1.7.5 + - command-launcher:84.v4a_97f2027398 + - copyartifact:1.47 + - display-url-api:2.3.6 + #- docker-commons:1.19 + - dockerhub-notification:2.6.0 + - docker-workflow:1.17 + - durable-task:500.v8927d9fd99d8 + - echarts-api:5.3.3-1 + - envinject:2.875.v9b_9e962da_a_ec + - envinject-api:1.199.v3ce31253ed13 + - external-monitor-job:1.7 + - favorite:2.4.1 + - font-awesome-api:6.1.2-1 + #- github:1.34.5 + - github-api:1.303-400.v35c2d8258028 + - github-branch-source:1677.v731f745ea_0cf + - github-oauth:0.39 + - git-server:1.7 + - greenballs:1.15.1 + - groovy:442.v817e6d937d6c + - handlebars:1.1.1 + - handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 + - htmlpublisher:1.30 + - icon-shim:2.0.3 + #- jackson2-api:2.13.3-285.vc03c0256d517 + - jakarta-activation-api:2.0.1-1 + - jakarta-mail-api:2.0.1-1 + - javadoc:1.5 + - javax-activation-api:1.2.0-4 + - javax-mail-api:1.6.2-7 + - jaxb:2.3.6-1 + - jdk-tool:55.v1b_32b_6ca_f9ca 
+ - jenkins-design-language:1.25.6 + - jira:3.0.5 + - jjwt-api:0.11.5-77.v646c772fddb_0 + #- jquery:1.12.4-0 + - jquery-detached:1.2.1 + - jquery3-api:3.6.0-4 + - junit:1119.1121.vc43d0fc45561 + - kubernetes-client-api:5.12.2-193.v26a_6078f65a_9 + - kubernetes-credentials:0.9.0 + - lockable-resources:2.5 + - matrix-auth:2.3 + - mercurial:2.5 + #- mina-sshd-api-common:2.8.0-36.v8e25ce90d4b_1 + #- mina-sshd-api-core:2.8.0-36.v8e25ce90d4b_1 + #- momentjs:1.1.1 + - multiple-scms:0.6 + - nodelabelparameter:1.7.2 + - pipeline-build-step:2.18 + - pipeline-graph-analysis:195.v5812d95a_a_2f9 + - pipeline-groovy-lib:612.v84da_9c54906d + - pipeline-input-step:449.v77f0e8b_845c4 + - pipeline-milestone-step:101.vd572fef9d926 + - pipeline-model-api:2.2114.v2654ca_721309 + - pipeline-model-declarative-agent:1.1.1 + - pipeline-model-definition:2.2114.v2654ca_721309 + - pipeline-model-extensions:2.2114.v2654ca_721309 + - pipeline-rest-api:2.10 + - pipeline-stage-step:293.v200037eefcd5 + - pipeline-stage-tags-metadata:2.2114.v2654ca_721309 + - pipeline-stage-view:2.10 + - pipeline-utility-steps:2.3.0 + - plain-credentials:139.ved2b_9cf7587b + - plugin-util-api:2.17.0 + - popper2-api:2.11.5-2 + - postbuildscript:3.1.0-375.v3db_cd92485e1 + - pubsub-light:1.16 + - purge-build-queue-plugin:48.v39c52a_26a_264 + - rebuild:1.34 + - run-condition:1.2 + - saferestart:0.3 + - ssh-agent:1.17 + #- sshd:3.242.va_db_9da_b_26a_c3 + - ssh-slaves:1.29.4 + - swarm:3.34 + #- trilead-api:1.67.vc3938a_35172f + - variant:59.vf075fe829ccb + - windows-slaves:1.4 + - workflow-api:1192.v2d0deb_19d212 + - workflow-basic-steps:991.v43d80fea_ff66 + - workflow-cps:2759.v87459c4eea_ca_ + - workflow-cps-global-lib:2.13 + - workflow-durable-task-step:1199.v02b_9244f8064 + - workflow-job:1207.ve6191ff089f8 + - workflow-multibranch:716.vc692a_e52371b_ + + # Enable to initialize the Jenkins controller only once on initial installation. + # Without this, whenever the controller gets restarted (Evicted, etc.) 
it will fetch plugin updates which has the potential to cause breakage. + # Note that for this to work, `persistence.enabled` needs to be set to `true` + initializeOnce: true + + # Enable to always override the installed plugins with the values of 'controller.installPlugins' on upgrade or redeployment. + # overwritePlugins: true + + # Configures if plugins bundled with `controller.image` should be overwritten with the values of 'controller.installPlugins' on upgrade or redeployment. + overwritePluginsFromImage: true + + # Configures the restrictions for naming projects. Set this key to null or empty to skip it in the default config. + projectNamingStrategy: standard + + # Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter), useful with ghprb plugin. + # The plugin is not installed by default, please update controller.installPlugins. + enableRawHtmlMarkupFormatter: false + # Used to approve a list of groovy functions in pipelines used the script-security plugin. Can be viewed under /scriptApproval + scriptApproval: [] + # - "method groovy.json.JsonSlurperClassic parseText java.lang.String" + # - "new groovy.json.JsonSlurperClassic" + # List of groovy init scripts to be executed during Jenkins controller start + initScripts: [] + # - | + # print 'adding global pipeline libraries, register properties, bootstrap jobs...' + + # 'name' is a name of an existing secret in same namespace as jenkins, + # 'keyName' is the name of one of the keys inside current secret. + # the 'name' and 'keyName' are concatenated with a '-' in between, so for example: + # an existing secret "secret-credentials" and a key inside it named "github-password" should be used in Jcasc as ${secret-credentials-github-password} + # 'name' and 'keyName' must be lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', + # and must start and end with an alphanumeric character (e.g. 
'my-name', or '123-abc') + additionalExistingSecrets: [] + # - name: secret-name-1 + # keyName: username + # - name: secret-name-1 + # keyName: password + + additionalSecrets: [] + # - name: nameOfSecret + # value: secretText + + # Generate SecretClaim resources in order to create Kubernetes secrets from HashiCorp Vault using kube-vault-controller. + # 'name' is name of the secret that will be created in Kubernetes. The Jenkins fullname is prepended to this value. + # 'path' is the fully qualified path to the secret in Vault + # 'type' is an optional Kubernetes secret type. Defaults to 'Opaque' + # 'renew' is an optional secret renewal time in seconds + secretClaims: [] + # - name: secretName # required + # path: testPath # required + # type: kubernetes.io/tls # optional + # renew: 60 # optional + + # Name of default cloud configuration. + cloudName: "kubernetes" + + # Below is the implementation of Jenkins Configuration as Code. Add a key under configScripts for each configuration area, + # where each corresponds to a plugin or section of the UI. Each key (prior to | character) is just a label, and can be any value. + # Keys are only used to give the section a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label + # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in + # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each | + # become the content of the configuration yaml file. The first line after this is a JCasC root element, eg jenkins, credentials, + # etc. Best reference is https:///configuration-as-code/reference. 
The example below creates a welcome message: + JCasC: + defaultConfig: true + configScripts: + add-seed-job: | + jobs: + - url: https://raw.githubusercontent.com/lsst-dm/jenkins-dm-jobs/update-gradle/seeds/seed-jobs.groovy + security: + globaljobdslsecurityconfiguration: + useScriptSecurity: false + + welcome-message: | + jenkins: + systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'. + # Ignored if securityRealm is defined in controller.JCasC.configScripts and + securityRealm: |- + local: + allowsSignup: false + enableCaptcha: false + users: + - id: "${chart-admin-username}" + name: "Jenkins Admin" + password: "${chart-admin-password}" + # Ignored if authorizationStrategy is defined in controller.JCasC.configScripts + authorizationStrategy: |- + loggedInUsersCanDoAnything: + allowAnonymousRead: false + # Optionally specify additional init-containers + customInitContainers: [] + # - name: custom-init + # image: "alpine:3.7" + # imagePullPolicy: Always + # command: [ "uname", "-a" ] + + sidecars: + configAutoReload: + # If enabled: true, Jenkins Configuration as Code will be reloaded on-the-fly without a reboot. If false or not-specified, + # jcasc changes will cause a reboot and will only be applied at the subsequent start-up. Auto-reload uses the + # http:///reload-configuration-as-code endpoint to reapply config when changes to the configScripts are detected. + enabled: true + image: kiwigrid/k8s-sidecar:1.15.0 + imagePullPolicy: IfNotPresent + resources: {} + # limits: + # cpu: 100m + # memory: 100Mi + # requests: + # cpu: 50m + # memory: 50Mi + # How many connection-related errors to retry on + reqRetryConnect: 10 + # env: + # - name: REQ_TIMEOUT + # value: "30" + # SSH port value can be set to any unused TCP port. The default, 1044, is a non-standard SSH port that has been chosen at random. + # Is only used to reload jcasc config from the sidecar container running in the Jenkins controller pod. 
+ # This TCP port will not be open in the pod (unless you specifically configure this), so Jenkins will not be + # accessible via SSH from outside of the pod. Note if you use non-root pod privileges (runAsUser & fsGroup), + # this must be > 1024: + sshTcpPort: 1044 + # folder in the pod that should hold the collected dashboards: + folder: "/var/jenkins_home/casc_configs" + # If specified, the sidecar will search for JCasC config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces: + # searchNamespace: + containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + + # Allows you to inject additional/other sidecars + other: [] + ## The example below runs the client for https://smee.io as sidecar container next to Jenkins, + ## that allows to trigger build behind a secure firewall. + ## https://jenkins.io/blog/2019/01/07/webhook-firewalls/#triggering-builds-with-webhooks-behind-a-secure-firewall + ## + ## Note: To use it you should go to https://smee.io/new and update the url to the generete one. 
+ # - name: smee + # image: docker.io/twalter/smee-client:1.0.2 + # args: ["--port", "{{ .Values.controller.servicePort }}", "--path", "/github-webhook/", "--url", "https://smee.io/new"] + # resources: + # limits: + # cpu: 50m + # memory: 128Mi + # requests: + # cpu: 10m + # memory: 32Mi + # Name of the Kubernetes scheduler to use + schedulerName: "" + # Node labels and tolerations for pod assignment + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + nodeSelector: {} + + terminationGracePeriodSeconds: + + terminationMessagePath: + terminationMessagePolicy: + + tolerations: [] + + affinity: {} + # Leverage a priorityClass to ensure your pods survive resource shortages + # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + priorityClassName: + + podAnnotations: {} + # Add StatefulSet annotations + statefulSetAnnotations: {} + + # StatefulSet updateStrategy + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + updateStrategy: {} + + ingress: + enabled: true + # Override for the default paths that map requests to the backend + paths: [] + # - backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + # - backend: + # serviceName: >- + # {{ template "jenkins.fullname" . }} + # # Don't use string here, use only integer value! 
+ # servicePort: 8080 + # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1' + # For Kubernetes v1.19+, use 'networking.k8s.io/v1' + apiVersion: "networking.k8s.io/v1" + labels: {} + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + # Set this path to jenkinsUriPrefix above or use annotations to rewrite path + # path: "/jenkins" + # configures the hostname e.g. jenkins.example.com + hostName: jenkins22.lsst.test + tls: + # - secretName: jenkins.cluster.local + # hosts: + # - jenkins.cluster.local + + # often you want to have your controller all locked down and private + # but you still want to get webhooks from your SCM + # A secondary ingress will let you expose different urls + # with a differnt configuration + secondaryingress: + enabled: false + # paths you want forwarded to the backend + # ex /github-webhook + paths: [] + # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1' + # For Kubernetes v1.19+, use 'networking.k8s.io/v1' + apiVersion: "extensions/v1beta1" + labels: {} + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + # configures the hostname e.g. jenkins-external.example.com + hostName: + tls: + # - secretName: jenkins-external.example.com + # hosts: + # - jenkins-external.example.com + + # If you're running on GKE and need to configure a backendconfig + # to finish ingress setup, use the following values. 
+ # Docs: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig + backendconfig: + enabled: false + apiVersion: "extensions/v1beta1" + name: + labels: {} + annotations: {} + spec: {} + + # Openshift route + route: + enabled: false + labels: {} + annotations: {} + # path: "/jenkins" + + # controller.hostAliases allows for adding entries to Pod /etc/hosts: + # https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + hostAliases: [] + # - ip: 192.168.50.50 + # hostnames: + # - something.local + # - ip: 10.0.50.50 + # hostnames: + # - other.local + + # Expose Prometheus metrics + prometheus: + # If enabled, add the prometheus plugin to the list of plugins to install + # https://plugins.jenkins.io/prometheus + enabled: false + # Additional labels to add to the ServiceMonitor object + serviceMonitorAdditionalLabels: {} + # Set a custom namespace where to deploy ServiceMonitor resource + # serviceMonitorNamespace: monitoring + scrapeInterval: 60s + # This is the default endpoint used by the prometheus plugin + scrapeEndpoint: /prometheus + # Additional labels to add to the PrometheusRule object + alertingRulesAdditionalLabels: {} + # An array of prometheus alerting rules + # See here: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ + # The `groups` root object is added by default, simply add the rule entries + alertingrules: [] + # Set a custom namespace where to deploy PrometheusRule resource + prometheusRuleNamespace: "" + + # Can be used to disable rendering controller test resources when using helm template + testEnabled: true + + httpsKeyStore: + jenkinsHttpsJksSecretName: '' + enable: false + httpPort: 8081 + path: "/var/jenkins_keystore" + fileName: "keystore.jks" + password: "password" + # Convert keystore.jks files content to base64 ( cat keystore.jks | base64 ) and put the output here + jenkinsKeyStoreBase64Encoded: +agent: + enabled: true + defaultsProviderTemplate: "" 
+ # URL for connecting to the Jenkins contoller + jenkinsUrl: + # connect to the specified host and port, instead of connecting directly to the Jenkins controller + jenkinsTunnel: + kubernetesConnectTimeout: 5 + kubernetesReadTimeout: 15 + maxRequestsPerHostStr: "32" + namespace: + image: "jenkins/inbound-agent" + tag: "4.11.2-4" + workingDir: "/home/jenkins/agent" + nodeUsageMode: "NORMAL" + customJenkinsLabels: [] + # name of the secret to be used for image pulling + imagePullSecretName: + componentName: "jenkins-agent" + websocket: false + privileged: false + runAsUser: + runAsGroup: + resources: + requests: + cpu: "512m" + memory: "512Mi" + limits: + cpu: "512m" + memory: "512Mi" + # You may want to change this to true while testing a new image + alwaysPullImage: false + # Controls how agent pods are retained after the Jenkins build completes + # Possible values: Always, Never, OnFailure + podRetention: "Never" + # Disable if you do not want the Yaml the agent pod template to show up + # in the job Console Output. This can be helpful for either security reasons + # or simply to clean up the output to make it easier to read. 
+ showRawYaml: true + # You can define the volumes that you want to mount for this container + # Allowed types are: ConfigMap, EmptyDir, HostPath, Nfs, PVC, Secret + # Configure the attributes as they appear in the corresponding Java class for that type + # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes + volumes: [] + # - type: ConfigMap + # configMapName: myconfigmap + # mountPath: /var/myapp/myconfigmap + # - type: EmptyDir + # mountPath: /var/myapp/myemptydir + # memory: false + # - type: HostPath + # hostPath: /var/lib/containers + # mountPath: /var/myapp/myhostpath + # - type: Nfs + # mountPath: /var/myapp/mynfs + # readOnly: false + # serverAddress: "192.0.2.0" + # serverPath: /var/lib/containers + # - type: PVC + # claimName: mypvc + # mountPath: /var/myapp/mypvc + # readOnly: false + # - type: Secret + # defaultMode: "600" + # mountPath: /var/myapp/mysecret + # secretName: mysecret + # Pod-wide environment, these vars are visible to any container in the agent pod + + # You can define the workspaceVolume that you want to mount for this container + # Allowed types are: DynamicPVC, EmptyDir, HostPath, Nfs, PVC + # Configure the attributes as they appear in the corresponding Java class for that type + # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes/workspace + workspaceVolume: {} + ## DynamicPVC example + # type: DynamicPVC + # configMapName: myconfigmap + ## EmptyDir example + # type: EmptyDir + # memory: false + ## HostPath example + # type: HostPath + # hostPath: /var/lib/containers + ## NFS example + # type: Nfs + # readOnly: false + # serverAddress: "192.0.2.0" + # serverPath: /var/lib/containers + ## PVC example + # type: PVC + # claimName: mypvc + # readOnly: false + # + # Pod-wide environment, these vars are visible to any container in the agent pod + envVars: [] + # - name: PATH + # value: /usr/local/bin 
+ nodeSelector: {} + # Key Value selectors. Ex: + # jenkins-agent: v1 + + # Executed command when side container gets started + command: + args: "${computer.jnlpmac} ${computer.name}" + # Side container name + sideContainerName: "jnlp" + # Doesn't allocate pseudo TTY by default + TTYEnabled: false + # Max number of spawned agent + containerCap: 10 + # Pod name + podName: "default" + # Allows the Pod to remain active for reuse until the configured number of + # minutes has passed since the last step was executed on it. + idleMinutes: 0 + # Raw yaml template for the Pod. For example this allows usage of toleration for agent pods. + # https://github.com/jenkinsci/kubernetes-plugin#using-yaml-to-define-pod-templates + # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + yamlTemplate: "" + # yamlTemplate: |- + # apiVersion: v1 + # kind: Pod + # spec: + # tolerations: + # - key: "key" + # operator: "Equal" + # value: "value" + # Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates: merge or override + yamlMergeStrategy: "override" + # Timeout in seconds for an agent to be online + connectTimeout: 100 + # Annotations to apply to the pod. + annotations: {} + + # Disable the default Jenkins Agent configuration. + # Useful when configuring agents only with the podTemplates value, since the default podTemplate populated by values mentioned above will be excluded in the rendered template. + disableDefaultAgent: false + + # Below is the implementation of custom pod templates for the default configured kubernetes cloud. + # Add a key under podTemplates for each pod template. Each key (prior to | character) is just a label, and can be any value. + # Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label + # characters: lowercase letters, numbers, and hyphens. Each pod template can contain multiple containers. 
+ # For this pod templates configuration to be loaded the following values must be set: + # controller.JCasC.defaultConfig: true + # Best reference is https:///configuration-as-code/reference#Cloud-kubernetes. The example below creates a python pod template. + podTemplates: {} + # python: | + # - name: python + # label: jenkins-python + # serviceAccount: jenkins + # containers: + # - name: python + # image: python:3 + # command: "/bin/sh -c" + # args: "cat" + # ttyEnabled: true + # privileged: true + # resourceRequestCpu: "400m" + # resourceRequestMemory: "512Mi" + # resourceLimitCpu: "1" + # resourceLimitMemory: "1024Mi" + +# Here you can add additional agents +# They inherit all values from `agent` so you only need to specify values which differ +additionalAgents: {} +# maven: +# podName: maven +# customJenkinsLabels: maven +# # An example of overriding the jnlp container +# # sideContainerName: jnlp +# image: jenkins/jnlp-agent-maven +# tag: latest +# python: +# podName: python +# customJenkinsLabels: python +# sideContainerName: python +# image: python +# tag: "3" +# command: "/bin/sh -c" +# args: "cat" +# TTYEnabled: true + +persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: + ## jenkins data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: + annotations: {} + labels: {} + accessMode: "ReadWriteOnce" + size: "8Gi" + volumes: + # - name: nothing + # emptyDir: {} + mounts: + # - mountPath: /var/nothing + # name: nothing + # readOnly: true + +networkPolicy: + # Enable creation of NetworkPolicy resources. 
+ enabled: false + # For Kubernetes v1.4, v1.5 and v1.6, use 'extensions/v1beta1' + # For Kubernetes v1.7, use 'networking.k8s.io/v1' + apiVersion: networking.k8s.io/v1 + # You can allow agents to connect from both within the cluster (from within specific/all namespaces) AND/OR from a given external IP range + internalAgents: + allowed: true + podLabels: {} + namespaceLabels: {} + # project: myproject + externalAgents: {} + # ipCIDR: 172.17.0.0/16 + # except: + # - 172.17.1.0/24 + +## Install Default RBAC roles and bindings +rbac: + create: true + readSecrets: false + +serviceAccount: + create: true + # The name of the service account is autogenerated by default + name: + annotations: {} + imagePullSecretName: + + +serviceAccountAgent: + # Specifies whether a ServiceAccount should be created + create: false + # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: + annotations: {} + imagePullSecretName: + +## Backup cronjob configuration +## Ref: https://github.com/maorfr/kube-tasks +backup: + # Backup must use RBAC + # So by enabling backup you are enabling RBAC specific for backup + enabled: false + # Used for label app.kubernetes.io/component + componentName: "backup" + # Schedule to run jobs. 
Must be in cron time format + # Ref: https://crontab.guru/ + schedule: "0 2 * * *" + labels: {} + serviceAccount: + create: true + name: + annotations: {} + # Example for authorization to AWS S3 using kube2iam or IRSA + # Can also be done using environment variables + # iam.amazonaws.com/role: "jenkins" + # "eks.amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/jenkins-backup" + # Set this to terminate the job that is running/failing continously and set the job status to "Failed" + activeDeadlineSeconds: "" + image: + repository: "maorfr/kube-tasks" + tag: "0.2.0" + imagePullSecretName: + # Additional arguments for kube-tasks + # Ref: https://github.com/maorfr/kube-tasks#simple-backup + extraArgs: [] + # Add existingSecret for AWS credentials + existingSecret: {} + ## Example for using an existing secret + # jenkinsaws: + ## Use this key for AWS access key ID + # awsaccesskey: jenkins_aws_access_key + ## Use this key for AWS secret access key + # awssecretkey: jenkins_aws_secret_key + # Add additional environment variables + # jenkinsgcp: + ## Use this key for GCP credentials + # gcpcredentials: credentials.json + env: [] + # Example environment variable required for AWS credentials chain + # - name: "AWS_REGION" + # value: "us-east-1" + resources: + requests: + memory: 1Gi + cpu: 1 + limits: + memory: 1Gi + cpu: 1 + # Destination to store the backup artifacts + # Supported cloud storage services: AWS S3, Minio S3, Azure Blob Storage, Google Cloud Storage + # Additional support can added. 
Visit this repository for details + # Ref: https://github.com/maorfr/skbn + destination: "s3://jenkins-data/backup" + # By enabling only the jenkins_home/jobs folder gets backed up, not the whole jenkins instance + onlyJobs: false + # Enable backup pod security context (must be `true` if runAsUser or fsGroup are set) + usePodSecurityContext: true + # When setting runAsUser to a different value than 0 also set fsGroup to the same value: + runAsUser: 1000 + fsGroup: 1000 + securityContextCapabilities: {} + # drop: + # - NET_RAW +checkDeprecation: true + +awsSecurityGroupPolicies: + enabled: false + policies: + - name: "" + securityGroupIds: [] + podSelector: {} From 2722dbdd32716bb3d225b42d49dbff95b6d00cfc Mon Sep 17 00:00:00 2001 From: James Tocknell Date: Fri, 4 Aug 2023 15:47:45 +1000 Subject: [PATCH 02/29] Configure a mostly-working system at SLAC The features that this adds/sets are: * Proxy configuration at SLAC * Pulling secrets from Vault into Jenkins * Increasing Jenkins and Java logging levels * Updating some plugins to a newer working version (latest not yet used) * GitHub authentication automatically configured (with secrets in Vault) * Matrix Authentication automatically configured * Mac workers configured (not yet working) * Default agent (run in local kube cluster/namespace) disabled --- seeds/values.yaml | 531 ++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 472 insertions(+), 59 deletions(-) diff --git a/seeds/values.yaml b/seeds/values.yaml index b7f746d7..c387e742 100644 --- a/seeds/values.yaml +++ b/seeds/values.yaml 
@@ -27,11 +27,9 @@ controller: imagePullSecretName: # Optionally configure lifetime for controller-container lifecycle: - # postStart: - # exec: - # command: - # - "uname" - # - "-a" + postStart: + exec: + command: [ "/bin/sh", "-c", "echo 'handlers = java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.level = ALL\n.level= ALL' > /var/jenkins_home/logging.properties" ] disableRememberMe: false numExecutors: 0 # configures the executor mode of the Jenkins node. Possible values are: NORMAL or EXCLUSIVE @@ -53,11 +51,15 @@ controller: existingSecret: "" userKey: jenkins-admin-user passwordKey: jenkins-admin-password - # This values should not be changed unless you use your custom image of jenkins or any devired from. If you want to use - # Cloudbees Jenkins Distribution docker, you should set jenkinsHome: "/var/cloudbees-jenkins-distribution" + # This values should not be changed unless you use your custom image of + # jenkins or any devired from. If you want to use Cloudbees Jenkins + # Distribution docker, you should set jenkinsHome: + # "/var/cloudbees-jenkins-distribution" jenkinsHome: "/var/jenkins_home" - # This values should not be changed unless you use your custom image of jenkins or any devired from. If you want to use - # Cloudbees Jenkins Distribution docker, you should set jenkinsRef: "/usr/share/cloudbees-jenkins-distribution/ref" + # This values should not be changed unless you use your custom image of + # jenkins or any devired from. If you want to use Cloudbees Jenkins + # Distribution docker, you should set jenkinsRef: + # "/usr/share/cloudbees-jenkins-distribution/ref" jenkinsRef: "/usr/share/jenkins/ref" # Path to the jenkins war file which is used by jenkins-plugin-cli. jenkinsWar: "/usr/share/jenkins/jenkins.war" 
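Review bot: The new postStart hook writes /var/jenkins_home/logging.properties with the root logger at `.level= ALL`, but nothing in this commit points the JVM at it — the `-Djava.util.logging.config.file=...` variant of JAVA_TOOL_OPTIONS in the next hunk is commented out, so the file is written and never read. If it is meant to be enabled, java.util.logging reads its configuration at JVM startup while postStart runs concurrently with the container entrypoint, so the file may not exist yet when Jenkins starts; shipping it through a ConfigMap mount or an init container would be deterministic. Root-level ALL logging is also a debug setting that can push credential and request detail into container logs, so a comment such as `# DEBUG ONLY: root logger at ALL; drop before production use` above `postStart:` would make the intent explicit.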
@@ -79,32 +81,99 @@ controller: # limits: # cpu: "2000m" # memory: "4096Mi" - # Environment variables that get added to the init container (useful for e.g. http_proxy) - # initContainerEnv: - # - name: http_proxy - # value: "http://192.168.64.1:3128" - # containerEnv: + # Environment variables that get added to the init container (useful for e.g. + # http_proxy) + initContainerEnv: + - name: CASC_VAULT_TOKEN + valueFrom: + secretKeyRef: + name: vault-token + key: VAULT_TOKEN + - name: CASC_VAULT_URL + value: https://vault.slac.stanford.edu + - name: CASC_VAULT_PATHS + value: secret/rubin/rubin-jenkins-control/common,secret/rubin/rubin-jenkins-control/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control/aws-eups-push,secret/rubin/rubin-jenkins-control/aws-eups-backup,secret/rubin/rubin-jenkins-control/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control/aws-doxygen-push,secret/rubin/rubin-jenkins-control/slack-lsstc-token,secret/rubin/rubin-jenkins-control/ghslacker,secret/rubin/rubin-jenkins-control/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control/aws-cmirror-push,secret/rubin/rubin-jenkins-control/github_backup,secret/rubin/rubin-jenkins-control/squash-api-user,secret/rubin/rubin-jenkins-control/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control/ltd-mason-aws,secret/rubin/rubin-jenkins-control/ltd-keeper,secret/rubin/rubin-jenkins-control/google_archive_registry_sa,secret/rubin/rubin-jenkins-control/github-oauth + - name: HTTP_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: HTTPS_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: http_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: https_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: no_proxy + value: '*.slac.stanford.edu' + - name: NO_PROXY + value: '*.slac.stanford.edu' + - name: JAVA_TOOL_OPTIONS + value: 
"-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128" + #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties" + #- name: VAULT_TOKEN_LEASE_DURATION + # valueFrom: + # secretKeyRef: + # name: vault-secrets-operator + # key: VAULT_TOKEN_LEASE_DURATION # - name: http_proxy # value: "http://192.168.64.1:3128" + containerEnv: + - name: CASC_VAULT_TOKEN + valueFrom: + secretKeyRef: + name: vault-token + key: VAULT_TOKEN + - name: CASC_VAULT_URL + value: https://vault.slac.stanford.edu + - name: CASC_VAULT_PATHS + value: secret/rubin/rubin-jenkins-control/common,secret/rubin/rubin-jenkins-control/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control/aws-eups-push,secret/rubin/rubin-jenkins-control/aws-eups-backup,secret/rubin/rubin-jenkins-control/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control/aws-doxygen-push,secret/rubin/rubin-jenkins-control/slack-lsstc-token,secret/rubin/rubin-jenkins-control/ghslacker,secret/rubin/rubin-jenkins-control/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control/aws-cmirror-push,secret/rubin/rubin-jenkins-control/github_backup,secret/rubin/rubin-jenkins-control/squash-api-user,secret/rubin/rubin-jenkins-control/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control/ltd-mason-aws,secret/rubin/rubin-jenkins-control/ltd-keeper,secret/rubin/rubin-jenkins-control/google_archive_registry_sa,secret/rubin/rubin-jenkins-control/github-oauth + - name: HTTP_PROXY + value: 
http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: HTTPS_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: http_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: https_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: no_proxy + value: '*.slac.stanford.edu' + - name: NO_PROXY + value: '*.slac.stanford.edu' + - name: JAVA_TOOL_OPTIONS + value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128" + #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties" + #- name: VAULT_TOKEN_LEASE_DURATION + # valueFrom: + # secretKeyRef: + # name: vault-secrets-operator + # key: VAULT_TOKEN_LEASE_DURATION # Set min/max heap here if needed with: # javaOpts: "-Xms512m -Xmx512m" # jenkinsOpts: "" - # If you are using the ingress definitions provided by this chart via the `controller.ingress` block the configured hostname will be the ingress hostname starting with `https://` or `http://` depending on the `tls` configuration. - # The Protocol can be overwritten by specifying `controller.jenkinsUrlProtocol`. + # If you are using the ingress definitions provided by this chart via the + # `controller.ingress` block the configured hostname will be the ingress + # hostname starting with `https://` or `http://` depending on the `tls` + # configuration. + # The Protocol can be overwritten by specifying + # `controller.jenkinsUrlProtocol`. # jenkinsUrlProtocol: "https" - # If you are not using the provided ingress you can specify `controller.jenkinsUrl` to change the url definition. 
+ # If you are not using the provided ingress you can specify + # `controller.jenkinsUrl` to change the url definition. # jenkinsUrl: "" - # If you set this prefix and use ingress controller then you might want to set the ingress path below + # If you set this prefix and use ingress controller then you might want to set + # the ingress path below # jenkinsUriPrefix: "/jenkins" - # Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) + # Enable pod security context (must be `true` if podSecurityContextOverride, + # runAsUser or fsGroup are set) usePodSecurityContext: true # Note that `runAsUser`, `fsGroup`, and `securityContextCapabilities` are # being deprecated and replaced by `podSecurityContextOverride`. - # Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins' which exists in 'jenkins/jenkins' docker image. - # When setting runAsUser to a different value than 0 also set fsGroup to the same value: + # Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins' which + # exists in 'jenkins/jenkins' docker image. + # When setting runAsUser to a different value than 0 also set fsGroup to the + # same value: runAsUser: 1000 fsGroup: 1000 - # If you have PodSecurityPolicies that require dropping of capabilities as suggested by CIS K8s benchmark, put them here + # If you have PodSecurityPolicies that require dropping of capabilities as + # suggested by CIS K8s benchmark, put them here securityContextCapabilities: {} # drop: # - NET_RAW 
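Review bot: `initContainerEnv` and `containerEnv` both receive `CASC_VAULT_TOKEN` from the `vault-token` Secret and the full `CASC_VAULT_PATHS` list, yet the init container only installs plugins and needs the proxy variables, not Vault access; handing it the token widens exposure for no benefit, so I would keep the `CASC_VAULT_*` entries in `containerEnv` only and share the proxy entries (a YAML anchor such as `&proxy_env` is fine in a values file) instead of duplicating the block. The token is static and `VAULT_TOKEN_LEASE_DURATION` is commented out, so unless it is a periodic or non-expiring token the CasC secret source will presumably stop resolving secrets once it expires; if the plugin version in use supports `CASC_VAULT_KUBERNETES_ROLE`, Kubernetes auth would avoid keeping a long-lived Vault token in a Secret at all. The `vault-token` Secret appears to be created outside the chart, so a comment next to the `secretKeyRef` saying where it comes from (e.g. `# created manually, see README`) would help the next maintainer.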
@@ -129,7 +198,8 @@ controller: # For minikube, set this to NodePort, elsewhere use LoadBalancer # Use ClusterIP if your setup includes ingress controller serviceType: ClusterIP - # Use Local to preserve the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, + # Use Local to preserve the client source IP and avoids a second hop for + # LoadBalancer and Nodeport type services, # but risks potentially imbalanced traffic spreading. serviceExternalTrafficPolicy: # Jenkins controller service annotations 
@@ -147,7 +217,9 @@ controller: # nodePort: /configuration-as-code/reference. The example below creates a welcome message: JCasC: defaultConfig: true + # Ignored if securityRealm is defined in controller.JCasC.configScripts and + securityRealm: |- + #local: + # allowsSignup: false + # enableCaptcha: false + # users: + # - id: "${chart-admin-username}" + # name: "Jenkins Admin" + # password: "${chart-admin-password}" + github: + githubWebUri: "https://github.com" + githubApiUri: "https://api.github.com" + clientID: "${secret/rubin/rubin-jenkins-control/github-oauth/client-id}" + clientSecret: "${secret/rubin/rubin-jenkins-control/github-oauth/client-secret}" + oauthScopes: "read:org" + authorizationStrategy: |- + globalMatrix: + permissions: + - "USER:Agent/Connect:sqre-user" + - "USER:Agent/Create:sqre-user" + - "GROUP:Job/Build:lsst*data-management" + - "GROUP:Job/Build:lsst-dm*data-management" + - "GROUP:Job/Build:lsst*simulations" + - "GROUP:Job/Build:lsst-sqre*friends" + - "GROUP:Job/Cancel:lsst*data-management" + - "GROUP:Job/Cancel:lsst-dm*data-management" + - "GROUP:Job/Cancel:lsst*simulations" + - "GROUP:Job/Cancel:lsst-sqre*friends" + - "GROUP:Job/Discover:lsst*data-management" + - "GROUP:Job/Discover:lsst-dm*data-management" + - "GROUP:Job/Discover:lsst*simulations" + - "GROUP:Job/Discover:lsst-sqre*friends" + - "GROUP:Job/Read:lsst*data-management" + - "GROUP:Job/Read:lsst-dm*data-management" + - "GROUP:Job/Read:lsst*simulations" + - "GROUP:Job/Read:lsst-sqre*friends" + - "USER:Overall/Administer:admin" + - "USER:Overall/Administer:aragilar" + - "USER:Overall/Administer:frossie" + - "USER:Overall/Administer:jhoblitt" + - "USER:Overall/Administer:ktlim" + - "GROUP:Overall/Administer:lsst-sqre*leeroy-wranglers" + - "GROUP:Overall/Administer:lsst-sqre*square" + - "USER:Overall/Administer:mwittgen" + - "USER:Overall/Administer:yee379" + - "GROUP:Overall/Read:lsst*data-management" + - "GROUP:Overall/Read:lsst-dm*data-management" + - 
"GROUP:Overall/Read:lsst*simulations" + - "GROUP:Overall/Read:lsst-sqre*friends" + configScripts: + welcome-message: | + jenkins: + systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'. + + proxy: | + jenkins: + proxy: + name: "sdfproxy.sdf.slac.stanford.edu" + noProxyHost: "*.slac.stanford.edu" + port: 3128 + # + systemCredentials: |- + credentials: + system: + domainCredentials: + - credentials: + - string: + description: "name of conda channel bucket" + id: "cmirror-s3-bucket" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/cmirror-s3-bucket}" + - string: + description: "name of doxygen s3 bucket" + id: "doxygen-push-bucket" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/doxygen-push-bucket}" + - string: + description: "URL of doxygen site" + id: "doxygen-url" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/doxygen-url}" + - string: + description: "name of EUPS backup s3 bucket" + id: "eups-backup-bucket" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/eups-backup-bucket}" + - string: + description: "name of EUPS s3 bucket" + id: "eups-push-bucket" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/eups-push-bucket}" + - string: + description: "URL of eups site" + id: "eups-url" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/eups-url}" + - string: + description: "Name of Jenkins deployment" + id: "jenkins-env" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/jenkins-env}" + - string: + description: "Default slack channel" + id: "slack-default-channel" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/slack-default-channel}" + - string: + description: "Prefix for generated slack channels" + id: "slack-channel-prefix" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/common/slack-channel-prefix}" + - usernamePassword: + description: 
"jenkins master snapshot AWS credentials" + id: "aws-jenkins-master-snapshot" + password: "${secret/rubin/rubin-jenkins-control/aws-jenkins-master-snapshot/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/aws-jenkins-master-snapshot/username}" + - usernamePassword: + description: "push EUPS packages -> s3" + id: "aws-eups-push" + password: "${secret/rubin/rubin-jenkins-control/aws-eups-push/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/aws-eups-push/username}" + - usernamePassword: + description: "backup EUPS s3 bucket -> s3 bucket" + id: "aws-eups-backup" + password: "${secret/rubin/rubin-jenkins-control/aws-eups-backup/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/aws-eups-backup/username}" + - usernamePassword: + description: "manage eups distrib tags in s3 bucket" + id: "aws-eups-tag-admin" + password: "${secret/rubin/rubin-jenkins-control/aws-eups-tag-admin/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/aws-eups-tag-admin/username}" + - usernamePassword: + description: "push doxygen builds -> s3" + id: "aws-doxygen-push" + password: "${secret/rubin/rubin-jenkins-control/aws-doxygen-push/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/aws-doxygen-push/username}" + - string: + description: "slack lsstc org API token" + id: "slack-lsstc-token" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/slack-lsstc-token/token}" + - usernamePassword: + description: "api.lsst.codes/ghslacker" + id: "ghslacker" + password: "${secret/rubin/rubin-jenkins-control/ghslacker/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/ghslacker/username}" + - string: + description: "github API personal access token (sqreadmin)" + id: "github-api-token-sqreadmin" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control/github-api-token-sqreadmin/token}" + - basicSSHUserPrivateKey: + description: 
"github lsst/versiondb deploy key" + id: "github-jenkins-versiondb" + privateKeySource: + directEntry: + privateKey: "${secret/rubin/rubin-jenkins-control/github-jenkins-versiondb/private_key}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/github-jenkins-versiondb/username}" + - basicSSHUserPrivateKey: + description: "SQRE OSX build agents" + id: "sqre-osx" + privateKeySource: + directEntry: + privateKey: "${secret/rubin/rubin-jenkins-control/sqre-osx/private_key}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/sqre-osx/username}" + - usernamePassword: + description: "push conda packages -> s3" + id: "aws-cmirror-push" + password: "${secret/rubin/rubin-jenkins-control/aws-cmirror-push/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/aws-cmirror-push/username}" + - usernamePassword: + description: "github_backup AWS credentials" + id: "github_backup" + password: "${secret/rubin/rubin-jenkins-control/github_backup/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/github_backup/username}" + - usernamePassword: + description: "user/pass for Squash API endpoint" + id: "squash-api-user" + password: "${secret/rubin/rubin-jenkins-control/squash-api-user/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/squash-api-user/username}" + - usernamePassword: + description: "dockerhub - sqreadmin" + id: "dockerhub-sqreadmin" + password: "${secret/rubin/rubin-jenkins-control/dockerhub-sqreadmin/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/dockerhub-sqreadmin/username}" + - usernamePassword: + description: "ltd-mason" + id: "ltd-mason-aws" + password: "${secret/rubin/rubin-jenkins-control/ltd-mason-aws/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/ltd-mason-aws/username}" + - usernamePassword: + description: "ltd-keeper" + id: "ltd-keeper" + password: 
"${secret/rubin/rubin-jenkins-control/ltd-keeper/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/ltd-keeper/username}" + - usernamePassword: + description: "Google Archive Registry service account" + id: "google_archive_registry_sa" + password: "${secret/rubin/rubin-jenkins-control/google_archive_registry_sa/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/google_archive_registry_sa/username}" + add-seed-job: | jobs: - url: https://raw.githubusercontent.com/lsst-dm/jenkins-dm-jobs/update-gradle/seeds/seed-jobs.groovy security: globaljobdslsecurityconfiguration: useScriptSecurity: false + #permanent-nodes: | + # jenkins: + # nodes: + # - permanent: + # labelString: "osx osx-10.13 high_sierra" + # launcher: + # sSHLauncher: + # credentialsId: "sqre-osx" + # host: "mac1.lsst.cloud" + # launchTimeoutSeconds: 210 + # maxNumRetries: 0 + # port: 22 + # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" + # retryWaitTime: 15 + # sshHostKeyVerificationStrategy: + # manuallyTrustedKeyVerificationStrategy: + # requireInitialManualTrust: true + # mode: EXCLUSIVE + # name: "high_sierra-1" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + # numExecutors: 1 + # remoteFS: "/Users/square/j" + # - permanent: + # labelString: "osx osx-10.13 high_sierra" + # launcher: + # sSHLauncher: + # credentialsId: "sqre-osx" + # host: "mac2.lsst.cloud" + # launchTimeoutSeconds: 210 + # maxNumRetries: 0 + # port: 22 + # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" + # retryWaitTime: 15 + # sshHostKeyVerificationStrategy: + # manuallyTrustedKeyVerificationStrategy: + # requireInitialManualTrust: true + # mode: EXCLUSIVE + # name: "high_sierra-2" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + # numExecutors: 1 + # remoteFS: "/Users/square/j" + # - permanent: + # 
labelString: "osx osx-10.14 mojave" + # launcher: + # sSHLauncher: + # credentialsId: "sqre-osx" + # host: "mac3.lsst.cloud" + # launchTimeoutSeconds: 210 + # maxNumRetries: 0 + # port: 22 + # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" + # retryWaitTime: 15 + # sshHostKeyVerificationStrategy: + # manuallyTrustedKeyVerificationStrategy: + # requireInitialManualTrust: true + # mode: EXCLUSIVE + # name: "mojave-1" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + # numExecutors: 1 + # remoteFS: "/Users/square/j" + # - permanent: + # labelString: "osx osx-10.14 mojave" + # launcher: + # sSHLauncher: + # credentialsId: "sqre-osx" + # host: "mac4.lsst.cloud" + # launchTimeoutSeconds: 210 + # maxNumRetries: 0 + # port: 22 + # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" + # retryWaitTime: 15 + # sshHostKeyVerificationStrategy: + # manuallyTrustedKeyVerificationStrategy: + # requireInitialManualTrust: true + # mode: EXCLUSIVE + # name: "mojave-2" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + # numExecutors: 1 + # remoteFS: "/Users/square/j" + # - permanent: + # labelString: "osx osx-10.14 mojave" + # launcher: + # sSHLauncher: + # credentialsId: "sqre-osx" + # host: "mac5.lsst.cloud" + # launchTimeoutSeconds: 210 + # maxNumRetries: 0 + # port: 22 + # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" + # retryWaitTime: 15 + # sshHostKeyVerificationStrategy: + # manuallyTrustedKeyVerificationStrategy: + # requireInitialManualTrust: true + # mode: EXCLUSIVE + # name: "mojave-3" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + # numExecutors: 1 + # remoteFS: "/Users/square/j" + # - permanent: + # labelString: "osx osx-10.14 mojave" + # launcher: + # sSHLauncher: + # credentialsId: "sqre-osx" + # host: 
"mac6.lsst.cloud" + # launchTimeoutSeconds: 210 + # maxNumRetries: 0 + # port: 22 + # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" + # retryWaitTime: 15 + # sshHostKeyVerificationStrategy: + # manuallyTrustedKeyVerificationStrategy: + # requireInitialManualTrust: true + # mode: EXCLUSIVE + # name: "mojave-4" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + # numExecutors: 1 + # remoteFS: "/Users/square/j" - welcome-message: | - jenkins: - systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'. - # Ignored if securityRealm is defined in controller.JCasC.configScripts and - securityRealm: |- - local: - allowsSignup: false - enableCaptcha: false - users: - - id: "${chart-admin-username}" - name: "Jenkins Admin" - password: "${chart-admin-password}" - # Ignored if authorizationStrategy is defined in controller.JCasC.configScripts - authorizationStrategy: |- - loggedInUsersCanDoAnything: - allowAnonymousRead: false # Optionally specify additional init-containers customInitContainers: [] - # - name: custom-init - # image: "alpine:3.7" - # imagePullPolicy: Always - # command: [ "uname", "-a" ] sidecars: configAutoReload: # If enabled: true, Jenkins Configuration as Code will be reloaded on-the-fly without a reboot. If false or not-specified, # jcasc changes will cause a reboot and will only be applied at the subsequent start-up. Auto-reload uses the # http:///reload-configuration-as-code endpoint to reapply config when changes to the configScripts are detected. - enabled: true + enabled: false image: kiwigrid/k8s-sidecar:1.15.0 imagePullPolicy: IfNotPresent resources: {} 
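Review bot: With the `github` security realm now active, every `USER:` entry in `globalMatrix` is matched against GitHub logins, so `- "USER:Overall/Administer:admin"` grants full administration to whichever GitHub account owns the login `admin`; it looks like a leftover from the commented-out local realm (`${chart-admin-username}`) and should be removed or replaced with the intended login. In the other direction, `sqre-user` gets `Agent/Connect` and `Agent/Create` but no `Overall/Read`, and Jenkins presumably rejects the swarm/JNLP handshake without it, so `- "USER:Overall/Read:sqre-user"` is probably needed before the agent chart can connect. The new `systemCredentials` script keeps all secret material as `${secret/...}` Vault references rather than literals, which is the right shape; a comment above it stating that these paths must be listed in `CASC_VAULT_PATHS` under `controller.containerEnv` would keep the two in sync. The enclosing `controller:` and `JCasC:` mappings start before this hunk.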
@@ -571,7 +983,8 @@ controller: # Set this path to jenkinsUriPrefix above or use annotations to rewrite path # path: "/jenkins" # configures the hostname e.g. jenkins.example.com - hostName: jenkins22.lsst.test + #hostName: jenkins26.lsst.test + hostName: rubin-ci-dev.slac.stanford.edu tls: # - secretName: jenkins.cluster.local # hosts: @@ -665,7 +1078,7 @@ controller: # Convert keystore.jks files content to base64 ( cat keystore.jks | base64 ) and put the output here jenkinsKeyStoreBase64Encoded: agent: - enabled: true + enabled: false defaultsProviderTemplate: "" # URL for connecting to the Jenkins contoller jenkinsUrl: From 12e1efa3f84377233c4f3bb0ac496cd0c0800387 Mon Sep 17 00:00:00 2001 From: James Tocknell Date: Fri, 4 Aug 2023 15:56:35 +1000 Subject: [PATCH 03/29] Initial version of helmifyed Linux Jenkins Agent This is a direct port of the terraform config, with some adjustments for SLAC. The main missing bit is the authentication to Jenkins, which is done manually (with the name of the secret in the values file). --- lsst-jenkins-swarm-agent/.helmignore | 23 ++ lsst-jenkins-swarm-agent/Chart.yaml | 24 ++ .../templates/_helpers.tpl | 62 ++++ .../templates/service.yaml | 12 + .../templates/serviceaccount.yaml | 12 + .../templates/statefulset.yaml | 268 ++++++++++++++++++ lsst-jenkins-swarm-agent/values.yaml | 92 ++++++ 7 files changed, 493 insertions(+) create mode 100644 lsst-jenkins-swarm-agent/.helmignore create mode 100644 lsst-jenkins-swarm-agent/Chart.yaml create mode 100644 lsst-jenkins-swarm-agent/templates/_helpers.tpl create mode 100644 lsst-jenkins-swarm-agent/templates/service.yaml create mode 100644 lsst-jenkins-swarm-agent/templates/serviceaccount.yaml create mode 100644 lsst-jenkins-swarm-agent/templates/statefulset.yaml create mode 100644 lsst-jenkins-swarm-agent/values.yaml diff --git a/lsst-jenkins-swarm-agent/.helmignore b/lsst-jenkins-swarm-agent/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null 
+++ b/lsst-jenkins-swarm-agent/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/lsst-jenkins-swarm-agent/Chart.yaml b/lsst-jenkins-swarm-agent/Chart.yaml
new file mode 100644
index 00000000..4a4420c6
--- /dev/null
+++ b/lsst-jenkins-swarm-agent/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: lsst-jenkins-swarm-agent
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"
diff --git a/lsst-jenkins-swarm-agent/templates/_helpers.tpl b/lsst-jenkins-swarm-agent/templates/_helpers.tpl
new file mode 100644
index 00000000..4c49f7d7
--- /dev/null
+++ b/lsst-jenkins-swarm-agent/templates/_helpers.tpl 
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "lsst-jenkins-swarm-agent.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "lsst-jenkins-swarm-agent.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "lsst-jenkins-swarm-agent.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "lsst-jenkins-swarm-agent.labels" -}}
+helm.sh/chart: {{ include "lsst-jenkins-swarm-agent.chart" . }}
+{{ include "lsst-jenkins-swarm-agent.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "lsst-jenkins-swarm-agent.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "lsst-jenkins-swarm-agent.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "lsst-jenkins-swarm-agent.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "lsst-jenkins-swarm-agent.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/lsst-jenkins-swarm-agent/templates/service.yaml b/lsst-jenkins-swarm-agent/templates/service.yaml
new file mode 100644
index 00000000..00b5892a
--- /dev/null
+++ b/lsst-jenkins-swarm-agent/templates/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "lsst-jenkins-swarm-agent.fullname" . }}
+ labels:
+ {{- include "lsst-jenkins-swarm-agent.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ selector:
+ {{- include "lsst-jenkins-swarm-agent.selectorLabels" . | nindent 4 }}
+ # See https://kubernetes.io/docs/concepts/services-networking/service/#headless-services
+ clusterIP: None
diff --git a/lsst-jenkins-swarm-agent/templates/serviceaccount.yaml b/lsst-jenkins-swarm-agent/templates/serviceaccount.yaml
new file mode 100644
index 00000000..d32f1646
--- /dev/null
+++ b/lsst-jenkins-swarm-agent/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "lsst-jenkins-swarm-agent.serviceAccountName" . }}
+ labels:
+ {{- include "lsst-jenkins-swarm-agent.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/lsst-jenkins-swarm-agent/templates/statefulset.yaml b/lsst-jenkins-swarm-agent/templates/statefulset.yaml
new file mode 100644
index 00000000..743123a2
--- /dev/null
+++ b/lsst-jenkins-swarm-agent/templates/statefulset.yaml
@@ -0,0 +1,268 @@
+apiVersion: "apps/v1"
+kind: StatefulSet
+metadata:
+ name: {{ include "lsst-jenkins-swarm-agent.fullname" . }}
+ labels:
+ {{- include "lsst-jenkins-swarm-agent.labels" . | nindent 4 }}
+spec:
+ serviceName: {{ include "lsst-jenkins-swarm-agent.fullname" . }}
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "lsst-jenkins-swarm-agent.selectorLabels" . | nindent 6 }}
+ podManagementPolicy: Parallel
+ revisionHistoryLimit: 10
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "lsst-jenkins-swarm-agent.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "lsst-jenkins-swarm-agent.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: dind
+ securityContext:
+ {{- toYaml .Values.dind.securityContext | nindent 12 }}
+ image: "{{ .Values.dind.image.repository }}:{{ .Values.dind.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.dind.image.pullPolicy }}
+ command:
+ - "/usr/local/bin/dockerd"
+ args:
+ - "--host=tcp://localhost:2375"
+ - "--mtu=1376"
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ env:
+ - name: DOCKER_HOST
+ value: "tcp://localhost:2375"
+ volumeMounts:
+ - name: "docker-graph-storage"
+ mountPath: "/var/lib/docker"
+ - name: "ws"
+ mountPath: "/j"
+ livenessProbe:
+ exec:
+ command: [
+ "wget",
+ "--spider",
+ "-q",
+ "http://localhost:2375/_ping",
+ ]
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ failureThreshold: 2
+ readinessProbe:
+ exec:
+ command: [
+ "wget",
+ "--spider",
+ "-q",
+ "http://localhost:2375/_ping",
+ ]
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ failureThreshold: 2
+ resources:
+ {{- toYaml .Values.dind.resources | nindent 12 }}
+ - name: "dockergc"
+ image: "{{ .Values.dockergc.image.repository }}:{{ .Values.dockergc.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.dockergc.image.pullPolicy }}
+ command:
+ - "sh"
+ - "-c"
+ - "while true; do /usr/local/bin/docker-gc; sleep $GRACE_PERIOD_SECONDS; done"
+ env:
+ - name: "DOCKER_HOST"
+ value: "tcp://localhost:2375"
+ - name: "GRACE_PERIOD_SECONDS"
+ value: "3600"
+ - name: "MINIMUM_IMAGES_TO_SAVE"
+ value: "5"
+ - name: "REMOVE_VOLUMES"
+ value: "1"
+ - name: "FORCE_CONTAINER_REMOVAL"
+ value: "1"
+ - name: "FORCE_IMAGE_REMOVAL"
+ value: "1"
+ resources:
+ {{- toYaml .Values.dockergc.resources | nindent 12 }}
+ - name: "swarm"
+ securityContext:
+ {{- toYaml .Values.swarm.securityContext | nindent 12 }}
+ image: "{{ .Values.swarm.image.repository }}:{{ .Values.swarm.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.swarm.image.pullPolicy }}
+ env:
+ - name: "DOCKER_HOST"
+ value: "tcp://localhost:2375"
+ - name: "JSWARM_MASTER_URL"
+ value: "{{ .Values.swarm.master_url }}"
+ - name: "JSWARM_MODE"
+ value: "{{ .Values.swarm.agent_mode }}"
+ - name: "JSWARM_LABELS"
+ value: '{{ .Values.swarm.agent_labels | join " " }}'
+ - name: "JSWARM_EXECUTORS"
+ value: "{{ .Values.swarm.agent_executors }}"
+ - name: "JSWARM_AGENT_NAME"
+ valueFrom:
+ fieldRef:
+ fieldPath: "metadata.name"
+ - name: "JSWARM_DISABLE_CLIENTS_UNIQUE_ID"
+ value: "true"
+ - name: "JSWARM_DELETE_EXISTING_CLIENTS"
+ value: "true"
+ - name: "JSWARM_USERNAME"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.swarm.secret_name }}
+ key: "JSWARM_USERNAME"
+ - name: "JSWARM_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.swarm.secret_name }}
+ key: "JSWARM_PASSWORD"
+ - name: "K8S_NODE_NAME"
+ valueFrom:
+ fieldRef:
+ fieldPath: "spec.nodeName"
+ - name: "K8S_POD_NAMESPACE"
+ valueFrom:
+ fieldRef:
+ fieldPath: "metadata.namespace"
+ - name: "K8S_POD_IP"
+ valueFrom:
+ fieldRef:
+ fieldPath: "status.podIP"
+ - name: "K8S_SWARM_REQUESTS_CPU"
+ valueFrom:
+ resourceFieldRef:
+ containerName: "swarm"
+ resource: "requests.cpu"
+ - name: "K8S_SWARM_LIMITS_CPU"
+ valueFrom:
+ resourceFieldRef:
+ containerName: "swarm"
+ resource: "limits.cpu"
+ - name: "K8S_SWARM_REQUESTS_MEMORY_GI"
+ valueFrom:
+ resourceFieldRef:
+ containerName: "swarm"
+ resource: "requests.memory"
+ divisor: "1Gi"
+ - name: "K8S_SWARM_LIMITS_MEMORY_GI"
+ valueFrom:
+ resourceFieldRef:
+ containerName: "swarm"
+ resource: "limits.memory"
+ divisor: "1Gi"
+ - name: "K8S_DIND_REQUESTS_CPU"
+ valueFrom:
+ resourceFieldRef:
+ containerName: "dind"
+ resource: "requests.cpu"
+ - name: "K8S_DIND_LIMITS_CPU"
+ valueFrom:
+ resourceFieldRef:
+ containerName: "dind"
+ resource: "limits.cpu"
+ - name: "K8S_DIND_REQUESTS_MEMORY_GI"
+ valueFrom:
+ resourceFieldRef:
+ containerName: "dind"
+ resource: "requests.memory"
+ divisor: "1Gi"
+ - name: "K8S_DIND_LIMITS_MEMORY_GI"
+ valueFrom:
+ resourceFieldRef:
+ containerName: "dind"
+ resource: "limits.memory"
+ divisor: "1Gi"
+ - name: "K8S_DOCKER_GC_REQUESTS_CPU_M"
+ valueFrom:
+ resourceFieldRef:
+ containerName: "dockergc"
+ resource: "requests.cpu"
+ divisor: "1m"
+ - name: "K8S_DOCKER_GC_LIMITS_CPU_M"
+ valueFrom:
+ resourceFieldRef:
+ containerName: "dockergc"
+ resource: "limits.cpu"
+ divisor: "1m"
+ - name: "K8S_DOCKER_GC_REQUESTS_MEMORY_MI"
+ valueFrom:
+ resourceFieldRef:
+ containerName: "dockergc"
+ resource: "requests.memory"
+ divisor: "1Mi"
+ - name: "K8S_DOCKER_GC_LIMITS_MEMORY_MI"
+ valueFrom:
+ resourceFieldRef:
+ containerName: "dockergc"
+ resource: "limits.memory"
+ divisor: "1Mi"
+ volumeMounts:
+ - name: "ws"
+ mountPath: "/j"
+ livenessProbe:
+ exec:
+ command: [
+ "wget",
+ "--spider",
+ "-q",
+ "http://localhost:2375/_ping",
+ ]
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ failureThreshold: 2
+ readinessProbe:
+ exec:
+ command: [
+ "wget",
+ "--spider",
+ "-q",
+ "http://localhost:2375/_ping",
+ ]
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ failureThreshold: 2
+ resources:
+ {{- toYaml .Values.swarm.resources | nindent 12 }}
+ volumes:
+ - name: "docker-graph-storage"
+ emptyDir: {}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumeClaimTemplates:
+ - metadata:
+ name: "ws"
+ spec:
+ accessModes:
+ - "ReadWriteMany"
+ resources:
+ requests:
+ storage: "{{ .Values.swarm.agent_volume_size }}"
diff --git a/lsst-jenkins-swarm-agent/values.yaml b/lsst-jenkins-swarm-agent/values.yaml
new file mode 100644
index 00000000..93a201ef
--- /dev/null
+++ b/lsst-jenkins-swarm-agent/values.yaml
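Review bot: The `swarm` container's livenessProbe and readinessProbe run `wget --spider http://localhost:2375/_ping`, which is the `dind` daemon's endpoint reached over the pod's shared network namespace, so they report dind's health rather than the agent's and the container is marked Ready before the agent has connected to the controller; use a check that reflects the agent's own state, or drop the probes from that container and comment why. The `dind` container declares `containerPort: 80` named `http`, yet dockerd is started with `--host=tcp://localhost:2375` and nothing in the hunk listens on 80; because that socket is plaintext and unauthenticated and `dind` is the privileged container, I would remove the `ports:` block rather than change it to 2375, so the daemon is never published through a Service. The `dockergc` container has no `securityContext:`, so `.Values.dockergc.securityContext` is never rendered — add `securityContext:` / `{{- toYaml .Values.dockergc.securityContext | nindent 12 }}` to match the other two containers. None of the three containers uses the Kubernetes API, so `automountServiceAccountToken: false` on the pod spec would keep the service-account token out of a pod that executes Jenkins jobs next to a privileged Docker daemon.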
@@ -0,0 +1,92 @@
+# Default values for lsst-jenkins-swarm-agent.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+### Chart values
+nameOverride: ""
+fullnameOverride: ""
+
+# StatefulSet values
+replicaCount: 1
+
+### Container values
+
+# values for dind container
+dind:
+ resources:
+ limits:
+ cpu: "8"
+ memory: "64Gi"
+ requests:
+ cpu: "8"
+ memory: "64Gi"
+
+ securityContext:
+ privileged: True
+ image:
+ repository: lsstsqre/dind
+ pullPolicy: Always
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: "18.09.5"
+
+# values for docker-gc container
+dockergc:
+ resources:
+ limits:
+ cpu: "500m"
+ memory: "512Mi"
+ requests:
+ cpu: "500m"
+ memory: "512Mi"
+ securityContext:
+ # docker-gc writes to /var by default
+ runAsUser: 0
+ image:
+ repository: lsstsqre/jenkins-swarm-client
+ pullPolicy: Always
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: "3.15-ldfc"
+
+# values for swarm container
+swarm:
+ agent_volume_size: "1023Gi"
+ agent_labels:
+ secret_name: "jswarm-secret"
+ resources:
+ limits:
+ cpu: "1"
+ memory: "2Gi"
+ requests:
+ cpu: "1"
+ memory: "2Gi"
+ securityContext:
+ # TODO: Pull these out so they can be configured in one place
+ runAsUser: 888
+ runAsGroup: 888
+ image:
+ repository: lsstsqre/docker-gc
+ pullPolicy: Always
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: "latest"
+
+
+### Pod values
+podAnnotations: {}
+imagePullSecrets: []
+podSecurityContext:
+ # Used for swarm agent gid
+ # intended primary for dind; can not set fs_group at container level
+ fsGroup: 888
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+### Service account values
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
From 0bf50aca7729770aa40edcac7945c4c4add27366 Mon Sep 17 00:00:00 2001
From: James Tocknell
Date: Fri, 4 Aug 2023 16:22:33 +1000
Subject: [PATCH 04/29] Update top-level README for new directories

Actual documentation needs writing...
---
 README.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/README.md b/README.md
index 608f93a4..a7c5464e 100644
--- a/README.md
+++ b/README.md
@@ -6,3 +6,12 @@ parameters but _not_ when changing the pipeline to be run, manually trigger the
 sqre/seeds/dm-jobs job to rebuild the interface.
 
 [![Build Status](https://travis-ci.org/lsst-dm/jenkins-dm-jobs.png)](https://travis-ci.org/lsst-dm/jenkins-dm-jobs)
+
+## Installing Jenkins
+
+`seeds` contains a README plus a helm values file for deploying a Jenkins
+controller at SLAC. Read that README for more details.
+
+`lsst-jenkins-swarm-agent` contains a helm chart to run a Linux Jenkins Agent
+and associated containers needed for tests/package. Documentation for this has
+not yet been created (you'll need to look at the individual templates).
From ee2da39964a962baa0fa0556cd34d4fb1a529600 Mon Sep 17 00:00:00 2001
From: James Tocknell
Date: Mon, 7 Aug 2023 17:07:32 +1000
Subject: [PATCH 05/29] Add latest improves to controller helm deploy

* Set timezone to be LA
* Fill scriptApproval with the required values
* Update docker-workflow and parameterized-trigger
* Add a dev-values file to make it easier to update one without changes the other.
---
 seeds/dev-values.yaml | 1438 +++++++++++++++++++++++++++++++++++++++++
 seeds/values.yaml | 66 +-
 2 files changed, 1490 insertions(+), 14 deletions(-)
 create mode 100644 seeds/dev-values.yaml

diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml
new file mode 100644
index 00000000..efee7a8a
--- /dev/null
+++ b/seeds/dev-values.yaml
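Review bot: The image repositories for `dockergc` and `swarm` appear swapped: `dockergc.image.repository` is `lsstsqre/jenkins-swarm-client` (tag `3.15-ldfc`) and `swarm.image.repository` is `lsstsqre/docker-gc` (tag `latest`), while the statefulset runs `/usr/local/bin/docker-gc` in the `dockergc` container and the swarm agent in `swarm`; exchange the two `image:` blocks. The statefulset also reads `.Values.swarm.master_url`, `.Values.swarm.agent_mode` and `.Values.swarm.agent_executors`, none of which is declared here, so they silently render as empty strings — declare them (at least `master_url: ""` with a comment that it must be set, which the commit message already anticipates) and wrap the URL in `required` in the template so `helm install` fails instead of starting an agent with no controller URL. `privileged: True` should be the canonical `privileged: true`, and `agent_labels:` with no value is `null` rather than an empty list, so write `agent_labels: []`. Once the images are swapped back, `tag: "latest"` with `pullPolicy: Always` leaves the agent image unpinned; pin a tag so what runs beside the privileged dind daemon cannot change underneath a rollout.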
@@ -0,0 +1,1438 @@ +# From https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/values.yaml + +# Default values for jenkins. +# This is a YAML-formatted file. +# Declare name/value pairs to be passed into your templates. +# name: value + +## Overrides for generated resource names +# See templates/_helpers.tpl +# nameOverride: +# fullnameOverride: +# namespaceOverride: + +# For FQDN resolving of the controller service. Change this value to match your existing configuration. +# ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md +clusterZone: "cluster.local" + +renderHelmLabels: true + +controller: + # Used for label app.kubernetes.io/component + componentName: "jenkins-controller" + image: "jenkins/jenkins" + # tag: "2.346.3-jdk11" + tagLabel: jdk11 + imagePullPolicy: "Always" + imagePullSecretName: + # Optionally configure lifetime for controller-container + lifecycle: + postStart: + exec: + command: [ "/bin/sh", "-c", "echo 'handlers = java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.level = ALL\n.level= ALL' > /var/jenkins_home/logging.properties" ] + disableRememberMe: false + numExecutors: 0 + # configures the executor mode of the Jenkins node. Possible values are: NORMAL or EXCLUSIVE + executorMode: "NORMAL" + # This is ignored if enableRawHtmlMarkupFormatter is true + markupFormatter: plainText + customJenkinsLabels: [] + # The default configuration uses this secret to configure an admin user + # If you don't need that user or use a different security realm then you can disable it + adminSecret: true + + hostNetworking: false + # When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist. 
+ # If you disable the non-Jenkins identity store and instead use the Jenkins internal one, + # you should revert controller.adminUser to your preferred admin user: + adminUser: "admin" + # adminPassword: + admin: + existingSecret: "" + userKey: jenkins-admin-user + passwordKey: jenkins-admin-password + # This values should not be changed unless you use your custom image of + # jenkins or any devired from. If you want to use Cloudbees Jenkins + # Distribution docker, you should set jenkinsHome: + # "/var/cloudbees-jenkins-distribution" + jenkinsHome: "/var/jenkins_home" + # This values should not be changed unless you use your custom image of + # jenkins or any devired from. If you want to use Cloudbees Jenkins + # Distribution docker, you should set jenkinsRef: + # "/usr/share/cloudbees-jenkins-distribution/ref" + jenkinsRef: "/usr/share/jenkins/ref" + # Path to the jenkins war file which is used by jenkins-plugin-cli. + jenkinsWar: "/usr/share/jenkins/jenkins.war" + # Overrides the default arguments passed to the war + # overrideArgs: + # - --httpPort=8080 + resources: + requests: + cpu: "50m" + memory: "256Mi" + limits: + cpu: "2000m" + memory: "4096Mi" + # Overrides the init container default values + # initContainerResources: + # requests: + # cpu: "50m" + # memory: "256Mi" + # limits: + # cpu: "2000m" + # memory: "4096Mi" + # Environment variables that get added to the init container (useful for e.g. 
+ # http_proxy) + initContainerEnv: + - name: CASC_VAULT_TOKEN + valueFrom: + secretKeyRef: + name: vault-token + key: VAULT_TOKEN + - name: CASC_VAULT_URL + value: https://vault.slac.stanford.edu + - name: CASC_VAULT_PATHS + value: secret/rubin/rubin-jenkins-control-dev/common,secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control-dev/aws-eups-push,secret/rubin/rubin-jenkins-control-dev/aws-eups-backup,secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push,secret/rubin/rubin-jenkins-control-dev/slack-lsstc-token,secret/rubin/rubin-jenkins-control-dev/ghslacker,secret/rubin/rubin-jenkins-control-dev/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control-dev/sqre-osx,secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push,secret/rubin/rubin-jenkins-control-dev/github_backup,secret/rubin/rubin-jenkins-control-dev/squash-api-user,secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws,secret/rubin/rubin-jenkins-control-dev/ltd-keeper,secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa,secret/rubin/rubin-jenkins-control-dev/github-oauth + - name: HTTP_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: HTTPS_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: http_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: https_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: no_proxy + value: '*.slac.stanford.edu' + - name: NO_PROXY + value: '*.slac.stanford.edu' + - name: JAVA_TOOL_OPTIONS + value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles" + 
#value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties" + - name: TZ + value: America/Los_Angeles + #- name: VAULT_TOKEN_LEASE_DURATION + # valueFrom: + # secretKeyRef: + # name: vault-secrets-operator + # key: VAULT_TOKEN_LEASE_DURATION + # - name: http_proxy + # value: "http://192.168.64.1:3128" + containerEnv: + - name: CASC_VAULT_TOKEN + valueFrom: + secretKeyRef: + name: vault-token + key: VAULT_TOKEN + - name: CASC_VAULT_URL + value: https://vault.slac.stanford.edu + - name: CASC_VAULT_PATHS + value: secret/rubin/rubin-jenkins-control-dev/common,secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control-dev/aws-eups-push,secret/rubin/rubin-jenkins-control-dev/aws-eups-backup,secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push,secret/rubin/rubin-jenkins-control-dev/slack-lsstc-token,secret/rubin/rubin-jenkins-control-dev/ghslacker,secret/rubin/rubin-jenkins-control-dev/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control-dev/sqre-osx,secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push,secret/rubin/rubin-jenkins-control-dev/github_backup,secret/rubin/rubin-jenkins-control-dev/squash-api-user,secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws,secret/rubin/rubin-jenkins-control-dev/ltd-keeper,secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa,secret/rubin/rubin-jenkins-control-dev/github-oauth + - name: HTTP_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: HTTPS_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: http_proxy + 
value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: https_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: no_proxy + value: '*.slac.stanford.edu' + - name: NO_PROXY + value: '*.slac.stanford.edu' + - name: TZ + value: America/Los_Angeles + - name: JAVA_TOOL_OPTIONS + value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles" + #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties" + #- name: VAULT_TOKEN_LEASE_DURATION + # valueFrom: + # secretKeyRef: + # name: vault-secrets-operator + # key: VAULT_TOKEN_LEASE_DURATION + # Set min/max heap here if needed with: + # javaOpts: "-Xms512m -Xmx512m" + # jenkinsOpts: "" + # If you are using the ingress definitions provided by this chart via the + # `controller.ingress` block the configured hostname will be the ingress + # hostname starting with `https://` or `http://` depending on the `tls` + # configuration. + # The Protocol can be overwritten by specifying + # `controller.jenkinsUrlProtocol`. + # jenkinsUrlProtocol: "https" + # If you are not using the provided ingress you can specify + # `controller.jenkinsUrl` to change the url definition. 
+ # jenkinsUrl: "" + # If you set this prefix and use ingress controller then you might want to set + # the ingress path below + # jenkinsUriPrefix: "/jenkins" + # Enable pod security context (must be `true` if podSecurityContextOverride, + # runAsUser or fsGroup are set) + usePodSecurityContext: true + # Note that `runAsUser`, `fsGroup`, and `securityContextCapabilities` are + # being deprecated and replaced by `podSecurityContextOverride`. + # Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins' which + # exists in 'jenkins/jenkins' docker image. + # When setting runAsUser to a different value than 0 also set fsGroup to the + # same value: + runAsUser: 1000 + fsGroup: 1000 + # If you have PodSecurityPolicies that require dropping of capabilities as + # suggested by CIS K8s benchmark, put them here + securityContextCapabilities: {} + # drop: + # - NET_RAW + # Completely overwrites the contents of the `securityContext`, ignoring the + # values provided for the deprecated fields: `runAsUser`, `fsGroup`, and + # `securityContextCapabilities`. In the case of mounting an ext4 filesystem, + # it might be desirable to use `supplementalGroups` instead of `fsGroup` in + # the `securityContext` block: https://github.com/kubernetes/kubernetes/issues/67014#issuecomment-589915496 + # podSecurityContextOverride: + # runAsUser: 1000 + # runAsNonRoot: true + # supplementalGroups: [1000] + # # capabilities: {} + # Container securityContext + containerSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + servicePort: 8080 + targetPort: 8080 + # For minikube, set this to NodePort, elsewhere use LoadBalancer + # Use ClusterIP if your setup includes ingress controller + serviceType: ClusterIP + # Use Local to preserve the client source IP and avoids a second hop for + # LoadBalancer and Nodeport type services, + # but risks potentially imbalanced traffic spreading. 
+ serviceExternalTrafficPolicy: + # Jenkins controller service annotations + serviceAnnotations: {} + # Jenkins controller custom labels + statefulSetLabels: {} + # foo: bar + # bar: foo + # Jenkins controller service labels + serviceLabels: {} + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https + # Put labels on Jenkins controller pod + podLabels: {} + # Used to create Ingress record (should used with ServiceType: ClusterIP) + # nodePort: + # -Dcom.sun.management.jmxremote.port=4000 + # -Dcom.sun.management.jmxremote.authenticate=false + # -Dcom.sun.management.jmxremote.ssl=false + # jmxPort: 4000 + # Optionally configure other ports to expose in the controller container + extraPorts: [] + # - name: BuildInfoProxy + # port: 9000 + + # List of plugins to be install during Jenkins controller start + installPlugins: + - kubernetes:3600.v144b_cd192ca_a_ + - workflow-aggregator:581.v0c46fa_697ffd + - job-dsl:1.78.3 + - blueocean:1.25.6 + - configuration-as-code:1511.vb_f985b_894e40 + - matrix-auth:3.1.5 + - hashicorp-vault-plugin:359.v2da_3b_45f17d5 + + + # Set to false to download the minimum required version of all dependencies. + installLatestPlugins: false + + # Set to true to download latest dependencies of any plugin that is requested to have the latest version. 
+ installLatestSpecifiedPlugins: true + + # List of plugins to install in addition to those listed in controller.installPlugins + additionalPlugins: + #- ace-editor:1.1 + - antisamy-markup-formatter:1.5 + #- apache-httpcomponents-client-4-api:4.5.13-138.v4e7d9a_7b_a_e61 + - async-http-client:1.9.40.0 + #- authentication-tokens:1.4 + #- blueocean-autofavorite:1.2.5 + #- blueocean-bitbucket-pipeline:1.25.6 + #- blueocean-commons:1.25.6 + #- blueocean-config:1.25.6 + #- blueocean-core-js:1.25.6 + #- blueocean-dashboard:1.25.6 + #- blueocean-display-url:2.4.1 + #- blueocean-events:1.25.6 + #- blueocean-github-pipeline:1.25.6 + #- blueocean-git-pipeline:1.25.6 + #- blueocean-i18n:1.25.6 + #- blueocean-personalization:1.25.6 + #- blueocean-pipeline-api-impl:1.25.6 + #- blueocean-pipeline-editor:1.25.6 + #- blueocean-pipeline-scm-api:1.25.6 + #- blueocean-rest:1.25.6 + #- blueocean-rest-impl:1.25.6 + #- blueocean-web:1.25.6 + #- bootstrap5-api:5.2.0-1 + #- branch-api:2.1046.v0ca_37783ecc5 + - build-timeout:1.21 + - build-user-vars-plugin:1.8 + - checks-api:1.7.5 + - command-launcher:84.v4a_97f2027398 + - copyartifact:1.47 + - display-url-api:2.3.6 + #- docker-commons:1.19 + - dockerhub-notification:2.6.0 + - docker-workflow:563.vd5d2e5c4007f + - durable-task:500.v8927d9fd99d8 + - echarts-api:5.3.3-1 + - envinject:2.875.v9b_9e962da_a_ec + - envinject-api:1.199.v3ce31253ed13 + - external-monitor-job:1.7 + - favorite:2.4.1 + - font-awesome-api:6.1.2-1 + #- github:1.34.5 + - github-api:1.303-400.v35c2d8258028 + - github-branch-source:1677.v731f745ea_0cf + - github-oauth:0.39 + - git-server:1.7 + - greenballs:1.15.1 + - groovy:442.v817e6d937d6c + - handlebars:1.1.1 + - handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 + - htmlpublisher:1.30 + - icon-shim:2.0.3 + #- jackson2-api:2.13.3-285.vc03c0256d517 + - jakarta-activation-api:2.0.1-1 + - jakarta-mail-api:2.0.1-1 + - javadoc:1.5 + - javax-activation-api:1.2.0-4 + - javax-mail-api:1.6.2-7 + - jaxb:2.3.6-1 + - 
jdk-tool:55.v1b_32b_6ca_f9ca + - jenkins-design-language:1.25.6 + - jira:3.0.5 + - jjwt-api:0.11.5-77.v646c772fddb_0 + #- jquery:1.12.4-0 + - jquery-detached:1.2.1 + - jquery3-api:3.6.0-4 + - junit:1119.1121.vc43d0fc45561 + - kubernetes-client-api:5.12.2-193.v26a_6078f65a_9 + - kubernetes-credentials:0.9.0 + - lockable-resources:2.5 + - mercurial:2.5 + #- mina-sshd-api-common:2.8.0-36.v8e25ce90d4b_1 + #- mina-sshd-api-core:2.8.0-36.v8e25ce90d4b_1 + #- momentjs:1.1.1 + - multiple-scms:0.6 + - nodelabelparameter:1.7.2 + - parameterized-trigger:2.45 + - pipeline-build-step:2.18 + - pipeline-graph-analysis:195.v5812d95a_a_2f9 + - pipeline-groovy-lib:612.v84da_9c54906d + - pipeline-input-step:449.v77f0e8b_845c4 + - pipeline-milestone-step:101.vd572fef9d926 + - pipeline-model-api:2.2114.v2654ca_721309 + - pipeline-model-declarative-agent:1.1.1 + - pipeline-model-definition:2.2114.v2654ca_721309 + - pipeline-model-extensions:2.2114.v2654ca_721309 + - pipeline-rest-api:2.10 + - pipeline-stage-step:293.v200037eefcd5 + - pipeline-stage-tags-metadata:2.2114.v2654ca_721309 + - pipeline-stage-view:2.10 + - pipeline-utility-steps:2.3.0 + - plain-credentials:139.ved2b_9cf7587b + - plugin-util-api:2.17.0 + - popper2-api:2.11.5-2 + - postbuildscript:3.1.0-375.v3db_cd92485e1 + - pubsub-light:1.16 + - purge-build-queue-plugin:48.v39c52a_26a_264 + - rebuild:1.34 + - run-condition:1.2 + - saferestart:0.3 + - ssh-agent:1.17 + #- sshd:3.242.va_db_9da_b_26a_c3 + - ssh-slaves:1.29.4 + - swarm:3.34 + #- trilead-api:1.67.vc3938a_35172f + - variant:59.vf075fe829ccb + - windows-slaves:1.4 + - workflow-api:1192.v2d0deb_19d212 + - workflow-basic-steps:991.v43d80fea_ff66 + - workflow-cps:2759.v87459c4eea_ca_ + - workflow-cps-global-lib:2.13 + - workflow-durable-task-step:1199.v02b_9244f8064 + - workflow-job:1207.ve6191ff089f8 + - workflow-multibranch:716.vc692a_e52371b_ + + # Enable to initialize the Jenkins controller only once on initial installation. 
+ # Without this, whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates which has the potential to cause breakage. + # Note that for this to work, `persistence.enabled` needs to be set to `true` + initializeOnce: true + + # Enable to always override the installed plugins with the values of 'controller.installPlugins' on upgrade or redeployment. + # overwritePlugins: true + + # Configures if plugins bundled with `controller.image` should be overwritten with the values of 'controller.installPlugins' on upgrade or redeployment. + overwritePluginsFromImage: true + + # Configures the restrictions for naming projects. Set this key to null or empty to skip it in the default config. + projectNamingStrategy: standard + + # Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter), useful with ghprb plugin. + # The plugin is not installed by default, please update controller.installPlugins. + enableRawHtmlMarkupFormatter: false + # Used to approve a list of groovy functions in pipelines used the script-security plugin. 
Can be viewed under /scriptApproval + scriptApproval: + - "method groovy.json.JsonBuilder toPrettyString" + - "method groovy.json.JsonSlurperClassic parseText java.lang.String" + - "method groovy.lang.GString getBytes" + - "method hudson.model.Actionable getAction java.lang.Class" + - "method hudson.model.Cause$UserIdCause getUserId" + - "method hudson.model.CauseAction getShortDescription" + - "method hudson.model.Run getCause java.lang.Class" + - "method hudson.model.Run getDurationString" + - "method java.lang.StackTraceElement getMethodName" + - "method java.lang.Throwable getStackTrace" + - "method java.net.HttpURLConnection getResponseCode" + - "method java.net.HttpURLConnection setRequestMethod java.lang.String" + - "method java.net.URL openConnection" + - "method java.net.URLConnection getInputStream" + - "method java.net.URLConnection getOutputStream" + - "method java.net.URLConnection setDoOutput boolean" + - "method java.net.URLConnection setRequestProperty java.lang.String java.lang.String" + - "method java.nio.file.Path relativize java.nio.file.Path" + - "method java.security.MessageDigest digest" + - "method java.security.MessageDigest update byte[]" + - "method java.time.format.DateTimeFormatter format java.time.temporal.TemporalAccessor" + - "method java.time.format.DateTimeFormatter withZone java.time.ZoneId" + - "method org.jenkinsci.plugins.workflow.support.steps.build.RunWrapper build" + - "new groovy.json.JsonBuilder java.lang.Object" + - "new groovy.json.JsonSlurperClassic" + - "new java.lang.Throwable" + - "staticMethod java.lang.Thread sleep long" + - "staticMethod java.net.URLEncoder encode java.lang.String" + - "staticMethod java.security.MessageDigest getInstance java.lang.String" + - "staticMethod java.time.Instant now" + - "staticMethod java.time.Instant ofEpochMilli long" + - "staticMethod java.time.LocalDate now java.time.ZoneId" + - "staticMethod java.time.ZoneId of java.lang.String" + - "staticMethod 
org.codehaus.groovy.runtime.DefaultGroovyMethods getText java.io.InputStream" + - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getText java.net.URL" + - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods isDigit java.lang.Character" + - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods leftShift java.io.OutputStream java.lang.Object" + - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tr java.lang.String java.lang.String java.lang.String" + - "staticMethod org.codehaus.groovy.runtime.EncodingGroovyMethods encodeBase64 byte[]" + - "staticMethod org.codehaus.groovy.runtime.EncodingGroovyMethods encodeHex byte[]" + - "staticMethod org.codehaus.groovy.runtime.StackTraceUtils sanitize java.lang.Throwable" + - "method java.net.URL openConnection" + # List of groovy init scripts to be executed during Jenkins controller start + initScripts: [] + # - | + # print 'adding global pipeline libraries, register properties, bootstrap jobs...' + + # 'name' is a name of an existing secret in same namespace as jenkins, + # 'keyName' is the name of one of the keys inside current secret. + # the 'name' and 'keyName' are concatenated with a '-' in between, so for example: + # an existing secret "secret-credentials" and a key inside it named "github-password" should be used in Jcasc as ${secret-credentials-github-password} + # 'name' and 'keyName' must be lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', + # and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc') + additionalExistingSecrets: [] + # - name: github-oauth + # keyName: client-id + # - name: github-oauth + # keyName: client-secret + + additionalSecrets: [] + # - name: nameOfSecret + # value: secretText + + # Generate SecretClaim resources in order to create Kubernetes secrets from HashiCorp Vault using kube-vault-controller. + # 'name' is name of the secret that will be created in Kubernetes. 
The Jenkins fullname is prepended to this value. + # 'path' is the fully qualified path to the secret in Vault + # 'type' is an optional Kubernetes secret type. Defaults to 'Opaque' + # 'renew' is an optional secret renewal time in seconds + secretClaims: [] + # - name: secretName # required + # path: testPath # required + # type: kubernetes.io/tls # optional + # renew: 60 # optional + + # Name of default cloud configuration. + cloudName: "kubernetes" + + # Below is the implementation of Jenkins Configuration as Code. Add a key under configScripts for each configuration area, + # where each corresponds to a plugin or section of the UI. Each key (prior to | character) is just a label, and can be any value. + # Keys are only used to give the section a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label + # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in + # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each | + # become the content of the configuration yaml file. The first line after this is a JCasC root element, eg jenkins, credentials, + # etc. Best reference is https:///configuration-as-code/reference. 
The example below creates a welcome message: + JCasC: + defaultConfig: true + # Ignored if securityRealm is defined in controller.JCasC.configScripts and + securityRealm: |- + #local: + # allowsSignup: false + # enableCaptcha: false + # users: + # - id: "${chart-admin-username}" + # name: "Jenkins Admin" + # password: "${chart-admin-password}" + github: + githubWebUri: "https://github.com" + githubApiUri: "https://api.github.com" + clientID: "${secret/rubin/rubin-jenkins-control-dev/github-oauth/client-id}" + clientSecret: "${secret/rubin/rubin-jenkins-control-dev/github-oauth/client-secret}" + oauthScopes: "read:org" + authorizationStrategy: |- + globalMatrix: + permissions: + - "USER:Agent/Connect:sqre-user" + - "USER:Agent/Create:sqre-user" + - "GROUP:Job/Build:lsst*data-management" + - "GROUP:Job/Build:lsst-dm*data-management" + - "GROUP:Job/Build:lsst*simulations" + - "GROUP:Job/Build:lsst-sqre*friends" + - "GROUP:Job/Cancel:lsst*data-management" + - "GROUP:Job/Cancel:lsst-dm*data-management" + - "GROUP:Job/Cancel:lsst*simulations" + - "GROUP:Job/Cancel:lsst-sqre*friends" + - "GROUP:Job/Discover:lsst*data-management" + - "GROUP:Job/Discover:lsst-dm*data-management" + - "GROUP:Job/Discover:lsst*simulations" + - "GROUP:Job/Discover:lsst-sqre*friends" + - "GROUP:Job/Read:lsst*data-management" + - "GROUP:Job/Read:lsst-dm*data-management" + - "GROUP:Job/Read:lsst*simulations" + - "GROUP:Job/Read:lsst-sqre*friends" + - "USER:Overall/Administer:admin" + - "USER:Overall/Administer:aragilar" + - "USER:Overall/Administer:frossie" + - "USER:Overall/Administer:jhoblitt" + - "USER:Overall/Administer:ktlim" + - "GROUP:Overall/Administer:lsst-sqre*leeroy-wranglers" + - "GROUP:Overall/Administer:lsst-sqre*square" + - "USER:Overall/Administer:mwittgen" + - "USER:Overall/Administer:yee379" + - "GROUP:Overall/Read:lsst*data-management" + - "GROUP:Overall/Read:lsst-dm*data-management" + - "GROUP:Overall/Read:lsst*simulations" + - "GROUP:Overall/Read:lsst-sqre*friends" + + 
configScripts: + welcome-message: | + jenkins: + systemMessage: This is the DEVELOPMENT instance of jenkins. + + systemCredentials: |- + credentials: + system: + domainCredentials: + - credentials: + - string: + description: "name of conda channel bucket" + id: "cmirror-s3-bucket" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control-dev/common/cmirror-s3-bucket}" + - string: + description: "name of doxygen s3 bucket" + id: "doxygen-push-bucket" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control-dev/common/doxygen-push-bucket}" + - string: + description: "URL of doxygen site" + id: "doxygen-url" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control-dev/common/doxygen-url}" + - string: + description: "name of EUPS backup s3 bucket" + id: "eups-backup-bucket" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control-dev/common/eups-backup-bucket}" + - string: + description: "name of EUPS s3 bucket" + id: "eups-push-bucket" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control-dev/common/eups-push-bucket}" + - string: + description: "URL of eups site" + id: "eups-url" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control-dev/common/eups-url}" + - string: + description: "Name of Jenkins deployment" + id: "jenkins-env" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control-dev/common/jenkins-env}" + - string: + description: "Default slack channel" + id: "slack-default-channel" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control-dev/common/slack-default-channel}" + - string: + description: "Prefix for generated slack channels" + id: "slack-channel-prefix" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control-dev/common/slack-channel-prefix}" + - usernamePassword: + description: "jenkins master snapshot AWS credentials" + id: "aws-jenkins-master-snapshot" + password: "${secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot/password}" + scope: GLOBAL + username: 
"${secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot/username}" + - usernamePassword: + description: "push EUPS packages -> s3" + id: "aws-eups-push" + password: "${secret/rubin/rubin-jenkins-control-dev/aws-eups-push/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/aws-eups-push/username}" + - usernamePassword: + description: "backup EUPS s3 bucket -> s3 bucket" + id: "aws-eups-backup" + password: "${secret/rubin/rubin-jenkins-control-dev/aws-eups-backup/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/aws-eups-backup/username}" + - usernamePassword: + description: "manage eups distrib tags in s3 bucket" + id: "aws-eups-tag-admin" + password: "${secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin/username}" + - usernamePassword: + description: "push doxygen builds -> s3" + id: "aws-doxygen-push" + password: "${secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push/username}" + - string: + description: "slack lsstc org API token" + id: "slack-lsstc-token" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control-dev/slack-lsstc-token/token}" + - usernamePassword: + description: "api.lsst.codes/ghslacker" + id: "ghslacker" + password: "${secret/rubin/rubin-jenkins-control-dev/ghslacker/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/ghslacker/username}" + - string: + description: "github API personal access token (sqreadmin)" + id: "github-api-token-sqreadmin" + scope: GLOBAL + secret: "${secret/rubin/rubin-jenkins-control-dev/github-api-token-sqreadmin/token}" + - basicSSHUserPrivateKey: + description: "github lsst/versiondb deploy key" + id: "github-jenkins-versiondb" + privateKeySource: + directEntry: + privateKey: 
"${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/private_key}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/username}" + - basicSSHUserPrivateKey: + description: "SQRE OSX build agents" + id: "sqre-osx" + privateKeySource: + directEntry: + privateKey: "${secret/rubin/rubin-jenkins-control-dev/sqre-osx/private_key}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/sqre-osx/username}" + - usernamePassword: + description: "push conda packages -> s3" + id: "aws-cmirror-push" + password: "${secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push/username}" + - usernamePassword: + description: "github_backup AWS credentials" + id: "github_backup" + password: "${secret/rubin/rubin-jenkins-control-dev/github_backup/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/github_backup/username}" + - usernamePassword: + description: "user/pass for Squash API endpoint" + id: "squash-api-user" + password: "${secret/rubin/rubin-jenkins-control-dev/squash-api-user/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/squash-api-user/username}" + - usernamePassword: + description: "dockerhub - sqreadmin" + id: "dockerhub-sqreadmin" + password: "${secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin/username}" + - usernamePassword: + description: "ltd-mason" + id: "ltd-mason-aws" + password: "${secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws/username}" + - usernamePassword: + description: "ltd-keeper" + id: "ltd-keeper" + password: "${secret/rubin/rubin-jenkins-control-dev/ltd-keeper/password}" + scope: GLOBAL + username: 
"${secret/rubin/rubin-jenkins-control-dev/ltd-keeper/username}" + - usernamePassword: + description: "Google Archive Registry service account" + id: "google_archive_registry_sa" + password: "${secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa/password}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa/username}" + + add-seed-job: | + jobs: + - url: https://raw.githubusercontent.com/lsst-dm/jenkins-dm-jobs/update-gradle/seeds/seed-jobs.groovy + security: + globaljobdslsecurityconfiguration: + useScriptSecurity: false + #permanent-nodes: | + # jenkins: + # nodes: + # - permanent: + # labelString: "osx osx-10.13 high_sierra" + # launcher: + # sSHLauncher: + # credentialsId: "sqre-osx" + # host: "mac1.lsst.cloud" + # launchTimeoutSeconds: 210 + # maxNumRetries: 0 + # port: 22 + # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" + # retryWaitTime: 15 + # sshHostKeyVerificationStrategy: + # manuallyTrustedKeyVerificationStrategy: + # requireInitialManualTrust: true + # mode: EXCLUSIVE + # name: "high_sierra-1" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + # numExecutors: 1 + # remoteFS: "/Users/square/j" + # - permanent: + # labelString: "osx osx-10.13 high_sierra" + # launcher: + # sSHLauncher: + # credentialsId: "sqre-osx" + # host: "mac2.lsst.cloud" + # launchTimeoutSeconds: 210 + # maxNumRetries: 0 + # port: 22 + # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" + # retryWaitTime: 15 + # sshHostKeyVerificationStrategy: + # manuallyTrustedKeyVerificationStrategy: + # requireInitialManualTrust: true + # mode: EXCLUSIVE + # name: "high_sierra-2" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + # numExecutors: 1 + # remoteFS: "/Users/square/j" + # - permanent: + # labelString: "osx osx-10.14 mojave" + # launcher: + # sSHLauncher: + # 
credentialsId: "sqre-osx" + # host: "mac3.lsst.cloud" + # launchTimeoutSeconds: 210 + # maxNumRetries: 0 + # port: 22 + # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" + # retryWaitTime: 15 + # sshHostKeyVerificationStrategy: + # manuallyTrustedKeyVerificationStrategy: + # requireInitialManualTrust: true + # mode: EXCLUSIVE + # name: "mojave-1" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + # numExecutors: 1 + # remoteFS: "/Users/square/j" + # - permanent: + # labelString: "osx osx-10.14 mojave" + # launcher: + # sSHLauncher: + # credentialsId: "sqre-osx" + # host: "mac4.lsst.cloud" + # launchTimeoutSeconds: 210 + # maxNumRetries: 0 + # port: 22 + # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" + # retryWaitTime: 15 + # sshHostKeyVerificationStrategy: + # manuallyTrustedKeyVerificationStrategy: + # requireInitialManualTrust: true + # mode: EXCLUSIVE + # name: "mojave-2" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + # numExecutors: 1 + # remoteFS: "/Users/square/j" + # - permanent: + # labelString: "osx osx-10.14 mojave" + # launcher: + # sSHLauncher: + # credentialsId: "sqre-osx" + # host: "mac5.lsst.cloud" + # launchTimeoutSeconds: 210 + # maxNumRetries: 0 + # port: 22 + # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" + # retryWaitTime: 15 + # sshHostKeyVerificationStrategy: + # manuallyTrustedKeyVerificationStrategy: + # requireInitialManualTrust: true + # mode: EXCLUSIVE + # name: "mojave-3" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + # numExecutors: 1 + # remoteFS: "/Users/square/j" + # - permanent: + # labelString: "osx osx-10.14 mojave" + # launcher: + # sSHLauncher: + # credentialsId: "sqre-osx" + # host: "mac6.lsst.cloud" + # launchTimeoutSeconds: 210 + # maxNumRetries: 0 + # port: 22 + # 
prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" + # retryWaitTime: 15 + # sshHostKeyVerificationStrategy: + # manuallyTrustedKeyVerificationStrategy: + # requireInitialManualTrust: true + # mode: EXCLUSIVE + # name: "mojave-4" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + # numExecutors: 1 + # remoteFS: "/Users/square/j" + + # Optionally specify additional init-containers + customInitContainers: [] + + sidecars: + configAutoReload: + # If enabled: true, Jenkins Configuration as Code will be reloaded on-the-fly without a reboot. If false or not-specified, + # jcasc changes will cause a reboot and will only be applied at the subsequent start-up. Auto-reload uses the + # http:///reload-configuration-as-code endpoint to reapply config when changes to the configScripts are detected. + enabled: false + image: kiwigrid/k8s-sidecar:1.15.0 + imagePullPolicy: IfNotPresent + resources: {} + # limits: + # cpu: 100m + # memory: 100Mi + # requests: + # cpu: 50m + # memory: 50Mi + # How many connection-related errors to retry on + reqRetryConnect: 10 + # env: + # - name: REQ_TIMEOUT + # value: "30" + # SSH port value can be set to any unused TCP port. The default, 1044, is a non-standard SSH port that has been chosen at random. + # Is only used to reload jcasc config from the sidecar container running in the Jenkins controller pod. + # This TCP port will not be open in the pod (unless you specifically configure this), so Jenkins will not be + # accessible via SSH from outside of the pod. Note if you use non-root pod privileges (runAsUser & fsGroup), + # this must be > 1024: + sshTcpPort: 1044 + # folder in the pod that should hold the collected dashboards: + folder: "/var/jenkins_home/casc_configs" + # If specified, the sidecar will search for JCasC config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. 
+ # It's also possible to specify ALL to search in all namespaces: + # searchNamespace: + containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + + # Allows you to inject additional/other sidecars + other: [] + ## The example below runs the client for https://smee.io as sidecar container next to Jenkins, + ## that allows to trigger build behind a secure firewall. + ## https://jenkins.io/blog/2019/01/07/webhook-firewalls/#triggering-builds-with-webhooks-behind-a-secure-firewall + ## + ## Note: To use it you should go to https://smee.io/new and update the url to the generete one. + # - name: smee + # image: docker.io/twalter/smee-client:1.0.2 + # args: ["--port", "{{ .Values.controller.servicePort }}", "--path", "/github-webhook/", "--url", "https://smee.io/new"] + # resources: + # limits: + # cpu: 50m + # memory: 128Mi + # requests: + # cpu: 10m + # memory: 32Mi + # Name of the Kubernetes scheduler to use + schedulerName: "" + # Node labels and tolerations for pod assignment + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + nodeSelector: {} + + terminationGracePeriodSeconds: + + terminationMessagePath: + terminationMessagePolicy: + + tolerations: [] + + affinity: {} + # Leverage a priorityClass to ensure your pods survive resource shortages + # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + priorityClassName: + + podAnnotations: {} + # Add StatefulSet annotations + statefulSetAnnotations: {} + + # StatefulSet updateStrategy + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + updateStrategy: {} + + ingress: + enabled: true + # Override for the default paths that map requests to the backend + paths: [] + # - backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + # - backend: + # 
serviceName: >- + # {{ template "jenkins.fullname" . }} + # # Don't use string here, use only integer value! + # servicePort: 8080 + # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1' + # For Kubernetes v1.19+, use 'networking.k8s.io/v1' + apiVersion: "networking.k8s.io/v1" + labels: {} + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + # Set this path to jenkinsUriPrefix above or use annotations to rewrite path + # path: "/jenkins" + # configures the hostname e.g. jenkins.example.com + #hostName: jenkins26.lsst.test + hostName: rubin-ci-dev.slac.stanford.edu + tls: + # - secretName: jenkins.cluster.local + # hosts: + # - jenkins.cluster.local + + # often you want to have your controller all locked down and private + # but you still want to get webhooks from your SCM + # A secondary ingress will let you expose different urls + # with a differnt configuration + secondaryingress: + enabled: false + # paths you want forwarded to the backend + # ex /github-webhook + paths: [] + # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1' + # For Kubernetes v1.19+, use 'networking.k8s.io/v1' + apiVersion: "extensions/v1beta1" + labels: {} + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + # configures the hostname e.g. 
jenkins-external.example.com + hostName: + tls: + # - secretName: jenkins-external.example.com + # hosts: + # - jenkins-external.example.com + + # If you're running on GKE and need to configure a backendconfig + # to finish ingress setup, use the following values. + # Docs: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig + backendconfig: + enabled: false + apiVersion: "extensions/v1beta1" + name: + labels: {} + annotations: {} + spec: {} + + # Openshift route + route: + enabled: false + labels: {} + annotations: {} + # path: "/jenkins" + + # controller.hostAliases allows for adding entries to Pod /etc/hosts: + # https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + hostAliases: [] + # - ip: 192.168.50.50 + # hostnames: + # - something.local + # - ip: 10.0.50.50 + # hostnames: + # - other.local + + # Expose Prometheus metrics + prometheus: + # If enabled, add the prometheus plugin to the list of plugins to install + # https://plugins.jenkins.io/prometheus + enabled: false + # Additional labels to add to the ServiceMonitor object + serviceMonitorAdditionalLabels: {} + # Set a custom namespace where to deploy ServiceMonitor resource + # serviceMonitorNamespace: monitoring + scrapeInterval: 60s + # This is the default endpoint used by the prometheus plugin + scrapeEndpoint: /prometheus + # Additional labels to add to the PrometheusRule object + alertingRulesAdditionalLabels: {} + # An array of prometheus alerting rules + # See here: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ + # The `groups` root object is added by default, simply add the rule entries + alertingrules: [] + # Set a custom namespace where to deploy PrometheusRule resource + prometheusRuleNamespace: "" + + # Can be used to disable rendering controller test resources when using helm template + testEnabled: true + + httpsKeyStore: + jenkinsHttpsJksSecretName: '' + enable: false + httpPort: 8081 + path: 
"/var/jenkins_keystore" + fileName: "keystore.jks" + password: "password" + # Convert keystore.jks files content to base64 ( cat keystore.jks | base64 ) and put the output here + jenkinsKeyStoreBase64Encoded: +agent: + enabled: false + defaultsProviderTemplate: "" + # URL for connecting to the Jenkins contoller + jenkinsUrl: + # connect to the specified host and port, instead of connecting directly to the Jenkins controller + jenkinsTunnel: + kubernetesConnectTimeout: 5 + kubernetesReadTimeout: 15 + maxRequestsPerHostStr: "32" + namespace: + image: "jenkins/inbound-agent" + tag: "4.11.2-4" + workingDir: "/home/jenkins/agent" + nodeUsageMode: "NORMAL" + customJenkinsLabels: [] + # name of the secret to be used for image pulling + imagePullSecretName: + componentName: "jenkins-agent" + websocket: false + privileged: false + runAsUser: + runAsGroup: + resources: + requests: + cpu: "512m" + memory: "512Mi" + limits: + cpu: "512m" + memory: "512Mi" + # You may want to change this to true while testing a new image + alwaysPullImage: false + # Controls how agent pods are retained after the Jenkins build completes + # Possible values: Always, Never, OnFailure + podRetention: "Never" + # Disable if you do not want the Yaml the agent pod template to show up + # in the job Console Output. This can be helpful for either security reasons + # or simply to clean up the output to make it easier to read. 
+ showRawYaml: true + # You can define the volumes that you want to mount for this container + # Allowed types are: ConfigMap, EmptyDir, HostPath, Nfs, PVC, Secret + # Configure the attributes as they appear in the corresponding Java class for that type + # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes + volumes: [] + # - type: ConfigMap + # configMapName: myconfigmap + # mountPath: /var/myapp/myconfigmap + # - type: EmptyDir + # mountPath: /var/myapp/myemptydir + # memory: false + # - type: HostPath + # hostPath: /var/lib/containers + # mountPath: /var/myapp/myhostpath + # - type: Nfs + # mountPath: /var/myapp/mynfs + # readOnly: false + # serverAddress: "192.0.2.0" + # serverPath: /var/lib/containers + # - type: PVC + # claimName: mypvc + # mountPath: /var/myapp/mypvc + # readOnly: false + # - type: Secret + # defaultMode: "600" + # mountPath: /var/myapp/mysecret + # secretName: mysecret + # Pod-wide environment, these vars are visible to any container in the agent pod + + # You can define the workspaceVolume that you want to mount for this container + # Allowed types are: DynamicPVC, EmptyDir, HostPath, Nfs, PVC + # Configure the attributes as they appear in the corresponding Java class for that type + # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes/workspace + workspaceVolume: {} + ## DynamicPVC example + # type: DynamicPVC + # configMapName: myconfigmap + ## EmptyDir example + # type: EmptyDir + # memory: false + ## HostPath example + # type: HostPath + # hostPath: /var/lib/containers + ## NFS example + # type: Nfs + # readOnly: false + # serverAddress: "192.0.2.0" + # serverPath: /var/lib/containers + ## PVC example + # type: PVC + # claimName: mypvc + # readOnly: false + # + # Pod-wide environment, these vars are visible to any container in the agent pod + envVars: [] + # - name: PATH + # value: /usr/local/bin 
+ nodeSelector: {} + # Key Value selectors. Ex: + # jenkins-agent: v1 + + # Executed command when side container gets started + command: + args: "${computer.jnlpmac} ${computer.name}" + # Side container name + sideContainerName: "jnlp" + # Doesn't allocate pseudo TTY by default + TTYEnabled: false + # Max number of spawned agent + containerCap: 10 + # Pod name + podName: "default" + # Allows the Pod to remain active for reuse until the configured number of + # minutes has passed since the last step was executed on it. + idleMinutes: 0 + # Raw yaml template for the Pod. For example this allows usage of toleration for agent pods. + # https://github.com/jenkinsci/kubernetes-plugin#using-yaml-to-define-pod-templates + # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + yamlTemplate: "" + # yamlTemplate: |- + # apiVersion: v1 + # kind: Pod + # spec: + # tolerations: + # - key: "key" + # operator: "Equal" + # value: "value" + # Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates: merge or override + yamlMergeStrategy: "override" + # Timeout in seconds for an agent to be online + connectTimeout: 100 + # Annotations to apply to the pod. + annotations: {} + + # Disable the default Jenkins Agent configuration. + # Useful when configuring agents only with the podTemplates value, since the default podTemplate populated by values mentioned above will be excluded in the rendered template. + disableDefaultAgent: false + + # Below is the implementation of custom pod templates for the default configured kubernetes cloud. + # Add a key under podTemplates for each pod template. Each key (prior to | character) is just a label, and can be any value. + # Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label + # characters: lowercase letters, numbers, and hyphens. Each pod template can contain multiple containers. 
+ # For this pod templates configuration to be loaded the following values must be set: + # controller.JCasC.defaultConfig: true + # Best reference is https:///configuration-as-code/reference#Cloud-kubernetes. The example below creates a python pod template. + podTemplates: {} + # python: | + # - name: python + # label: jenkins-python + # serviceAccount: jenkins + # containers: + # - name: python + # image: python:3 + # command: "/bin/sh -c" + # args: "cat" + # ttyEnabled: true + # privileged: true + # resourceRequestCpu: "400m" + # resourceRequestMemory: "512Mi" + # resourceLimitCpu: "1" + # resourceLimitMemory: "1024Mi" + +# Here you can add additional agents +# They inherit all values from `agent` so you only need to specify values which differ +additionalAgents: {} +# maven: +# podName: maven +# customJenkinsLabels: maven +# # An example of overriding the jnlp container +# # sideContainerName: jnlp +# image: jenkins/jnlp-agent-maven +# tag: latest +# python: +# podName: python +# customJenkinsLabels: python +# sideContainerName: python +# image: python +# tag: "3" +# command: "/bin/sh -c" +# args: "cat" +# TTYEnabled: true + +persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: + ## jenkins data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: + annotations: {} + labels: {} + accessMode: "ReadWriteOnce" + size: "8Gi" + volumes: + # - name: nothing + # emptyDir: {} + mounts: + # - mountPath: /var/nothing + # name: nothing + # readOnly: true + +networkPolicy: + # Enable creation of NetworkPolicy resources. 
+ enabled: false + # For Kubernetes v1.4, v1.5 and v1.6, use 'extensions/v1beta1' + # For Kubernetes v1.7, use 'networking.k8s.io/v1' + apiVersion: networking.k8s.io/v1 + # You can allow agents to connect from both within the cluster (from within specific/all namespaces) AND/OR from a given external IP range + internalAgents: + allowed: true + podLabels: {} + namespaceLabels: {} + # project: myproject + externalAgents: {} + # ipCIDR: 172.17.0.0/16 + # except: + # - 172.17.1.0/24 + +## Install Default RBAC roles and bindings +rbac: + create: true + readSecrets: false + +serviceAccount: + create: true + # The name of the service account is autogenerated by default + name: + annotations: {} + imagePullSecretName: + + +serviceAccountAgent: + # Specifies whether a ServiceAccount should be created + create: false + # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: + annotations: {} + imagePullSecretName: + +## Backup cronjob configuration +## Ref: https://github.com/maorfr/kube-tasks +backup: + # Backup must use RBAC + # So by enabling backup you are enabling RBAC specific for backup + enabled: false + # Used for label app.kubernetes.io/component + componentName: "backup" + # Schedule to run jobs. 
Must be in cron time format + # Ref: https://crontab.guru/ + schedule: "0 2 * * *" + labels: {} + serviceAccount: + create: true + name: + annotations: {} + # Example for authorization to AWS S3 using kube2iam or IRSA + # Can also be done using environment variables + # iam.amazonaws.com/role: "jenkins" + # "eks.amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/jenkins-backup" + # Set this to terminate the job that is running/failing continously and set the job status to "Failed" + activeDeadlineSeconds: "" + image: + repository: "maorfr/kube-tasks" + tag: "0.2.0" + imagePullSecretName: + # Additional arguments for kube-tasks + # Ref: https://github.com/maorfr/kube-tasks#simple-backup + extraArgs: [] + # Add existingSecret for AWS credentials + existingSecret: {} + ## Example for using an existing secret + # jenkinsaws: + ## Use this key for AWS access key ID + # awsaccesskey: jenkins_aws_access_key + ## Use this key for AWS secret access key + # awssecretkey: jenkins_aws_secret_key + # Add additional environment variables + # jenkinsgcp: + ## Use this key for GCP credentials + # gcpcredentials: credentials.json + env: [] + # Example environment variable required for AWS credentials chain + # - name: "AWS_REGION" + # value: "us-east-1" + resources: + requests: + memory: 1Gi + cpu: 1 + limits: + memory: 1Gi + cpu: 1 + # Destination to store the backup artifacts + # Supported cloud storage services: AWS S3, Minio S3, Azure Blob Storage, Google Cloud Storage + # Additional support can added. 
Visit this repository for details
+ # Ref: https://github.com/maorfr/skbn
+ destination: "s3://jenkins-data/backup"
+ # By enabling only the jenkins_home/jobs folder gets backed up, not the whole jenkins instance
+ onlyJobs: false
+ # Enable backup pod security context (must be `true` if runAsUser or fsGroup are set)
+ usePodSecurityContext: true
+ # When setting runAsUser to a different value than 0 also set fsGroup to the same value:
+ runAsUser: 1000
+ fsGroup: 1000
+ securityContextCapabilities: {}
+ # drop:
+ # - NET_RAW
+checkDeprecation: true
+
+awsSecurityGroupPolicies:
+ enabled: false
+ policies:
+ - name: ""
+ securityGroupIds: []
+ podSelector: {}
diff --git a/seeds/values.yaml b/seeds/values.yaml
index c387e742..f50ff162 100644
--- a/seeds/values.yaml
+++ b/seeds/values.yaml
@@ -106,8 +106,10 @@ controller:
- name: NO_PROXY
value: '*.slac.stanford.edu'
- name: JAVA_TOOL_OPTIONS
- value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128"
+ value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles"
#value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties"
+ - name: TZ
+ value: America/Los_Angeles
#- name: VAULT_TOKEN_LEASE_DURATION
# valueFrom:
# secretKeyRef:
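Review bot: The timezone is now set twice in this env block — as the `TZ` variable and as `-Duser.timezone=America/Los_Angeles` inside `JAVA_TOOL_OPTIONS` — and the same pair is repeated in the second block at `@@ -137,8 +139,10 @@`, where `TZ` is inserted before `JAVA_TOOL_OPTIONS` rather than after it as here. A Linux JVM normally takes its default zone from `TZ`, so the `-Duser.timezone` copy mostly creates a second value that can drift from the first; if both are intentional, a comment such as `# keep in sync with -Duser.timezone in JAVA_TOOL_OPTIONS; TZ also covers non-JVM processes in the container` on the `TZ` entry would record that. Placing the `TZ` entry at the same position in both blocks would also keep the two env lists comparable line for line. The enclosing env list starts before the hunk.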
@@ -137,8 +139,10 @@ controller: value: '*.slac.stanford.edu' - name: NO_PROXY value: '*.slac.stanford.edu' + - name: TZ + value: America/Los_Angeles - name: JAVA_TOOL_OPTIONS - value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128" + value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles" #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties" #- name: VAULT_TOKEN_LEASE_DURATION # valueFrom: @@ -364,7 +368,7 @@ controller: - display-url-api:2.3.6 #- docker-commons:1.19 - dockerhub-notification:2.6.0 - - docker-workflow:1.17 + - docker-workflow:563.vd5d2e5c4007f - durable-task:500.v8927d9fd99d8 - echarts-api:5.3.3-1 - envinject:2.875.v9b_9e962da_a_ec @@ -407,6 +411,7 @@ controller: #- momentjs:1.1.1 - multiple-scms:0.6 - nodelabelparameter:1.7.2 + - parameterized-trigger:2.45 - pipeline-build-step:2.18 - pipeline-graph-analysis:195.v5812d95a_a_2f9 - pipeline-groovy-lib:612.v84da_9c54906d 
@@ -463,9 +468,49 @@ controller: # The plugin is not installed by default, please update controller.installPlugins. enableRawHtmlMarkupFormatter: false # Used to approve a list of groovy functions in pipelines used the script-security plugin. Can be viewed under /scriptApproval - scriptApproval: [] - # - "method groovy.json.JsonSlurperClassic parseText java.lang.String" - # - "new groovy.json.JsonSlurperClassic" + scriptApproval: + - "method groovy.json.JsonBuilder toPrettyString" + - "method groovy.json.JsonSlurperClassic parseText java.lang.String" + - "method groovy.lang.GString getBytes" + - "method hudson.model.Actionable getAction java.lang.Class" + - "method hudson.model.Cause$UserIdCause getUserId" + - "method hudson.model.CauseAction getShortDescription" + - "method hudson.model.Run getCause java.lang.Class" + - "method hudson.model.Run getDurationString" + - "method java.lang.StackTraceElement getMethodName" + - "method java.lang.Throwable getStackTrace" + - "method java.net.HttpURLConnection getResponseCode" + - "method java.net.HttpURLConnection setRequestMethod java.lang.String" + - "method java.net.URL openConnection" + - "method java.net.URLConnection getInputStream" + - "method java.net.URLConnection getOutputStream" + - "method java.net.URLConnection setDoOutput boolean" + - "method java.net.URLConnection setRequestProperty java.lang.String java.lang.String" + - "method java.nio.file.Path relativize java.nio.file.Path" + - "method java.security.MessageDigest digest" + - "method java.security.MessageDigest update byte[]" + - "method java.time.format.DateTimeFormatter format java.time.temporal.TemporalAccessor" + - "method java.time.format.DateTimeFormatter withZone java.time.ZoneId" + - "method org.jenkinsci.plugins.workflow.support.steps.build.RunWrapper build" + - "new groovy.json.JsonBuilder java.lang.Object" + - "new groovy.json.JsonSlurperClassic" + - "new java.lang.Throwable" + - "staticMethod java.lang.Thread sleep long" + - "staticMethod 
java.net.URLEncoder encode java.lang.String" + - "staticMethod java.security.MessageDigest getInstance java.lang.String" + - "staticMethod java.time.Instant now" + - "staticMethod java.time.Instant ofEpochMilli long" + - "staticMethod java.time.LocalDate now java.time.ZoneId" + - "staticMethod java.time.ZoneId of java.lang.String" + - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getText java.io.InputStream" + - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getText java.net.URL" + - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods isDigit java.lang.Character" + - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods leftShift java.io.OutputStream java.lang.Object" + - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods tr java.lang.String java.lang.String java.lang.String" + - "staticMethod org.codehaus.groovy.runtime.EncodingGroovyMethods encodeBase64 byte[]" + - "staticMethod org.codehaus.groovy.runtime.EncodingGroovyMethods encodeHex byte[]" + - "staticMethod org.codehaus.groovy.runtime.StackTraceUtils sanitize java.lang.Throwable" + - "method java.net.URL openConnection" # List of groovy init scripts to be executed during Jenkins controller start initScripts: [] # - | @@ -565,13 +610,6 @@ controller: jenkins: systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'. - proxy: | - jenkins: - proxy: - name: "sdfproxy.sdf.slac.stanford.edu" - noProxyHost: "*.slac.stanford.edu" - port: 3128 - # systemCredentials: |- credentials: system: @@ -984,7 +1022,7 @@ controller: # path: "/jenkins" # configures the hostname e.g. jenkins.example.com #hostName: jenkins26.lsst.test - hostName: rubin-ci-dev.slac.stanford.edu + hostName: rubin-ci.slac.stanford.edu tls: # - secretName: jenkins.cluster.local # hosts: From 7309062aeb30361e3e3685cd26c2539fdc32a2b8 Mon Sep 17 00:00:00 2001 
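Review bot: `"method java.net.URL openConnection"` appears twice in the new scriptApproval list (once among the `java.net` entries and again as the final item), so one copy should be dropped. More importantly, approving `URL openConnection`, `HttpURLConnection setRequestMethod`, `URLConnection getOutputStream` / `setRequestProperty` and `DefaultGroovyMethods getText java.net.URL` for sandboxed scripts means any pipeline that clears the sandbox can open arbitrary outbound HTTP connections from the controller JVM with the controller's network reach, and `Thread sleep` lets it hold executor threads; if these calls are only needed by the seed or shared-library code, keeping them in a trusted global library (which runs outside the sandbox) leaves the network APIs unapproved. A comment at the head of the list naming which job or library each group of signatures serves, e.g. `# Approved for the seed job / shared-library helpers only; review before adding network or reflection APIs`, would make future additions reviewable. The scriptApproval list is complete within the hunk.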
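Review bot: `hostName` now points at the production name `rubin-ci.slac.stanford.edu` while the `tls:` stanza directly below it stays commented out, so unless the ingress controller terminates TLS on its own the GitHub OAuth login configured elsewhere in this file would complete over plain HTTP on the public hostname. If TLS is handled outside the chart, a one-line comment such as `# TLS terminated by the cluster ingress; secretName intentionally unset` would say so; otherwise the `secretName` / `hosts` entries should be filled in with this change. The ingress block continues outside the hunk.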
From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Thu, 17 Aug 2023 11:40:30 +1000 Subject: [PATCH 06/29] Update values.yaml dind 64Gi - 30Gi bc node memory resources are at 32Gi, CPU 8 - 6. --- lsst-jenkins-swarm-agent/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lsst-jenkins-swarm-agent/values.yaml b/lsst-jenkins-swarm-agent/values.yaml index 93a201ef..ced295fc 100644 --- a/lsst-jenkins-swarm-agent/values.yaml +++ b/lsst-jenkins-swarm-agent/values.yaml @@ -15,11 +15,11 @@ replicaCount: 1 dind: resources: limits: - cpu: "8" - memory: "64Gi" + cpu: "6" + memory: "30Gi" requests: - cpu: "8" - memory: "64Gi" + cpu: "6" + memory: "30i" securityContext: privileged: True From f4ebbb4879ccb1d16c4712d708d9a1d7c9e6ffc3 Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Thu, 17 Aug 2023 12:34:22 +1000 Subject: [PATCH 07/29] Update values.yaml typo i -> Gi --- lsst-jenkins-swarm-agent/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lsst-jenkins-swarm-agent/values.yaml b/lsst-jenkins-swarm-agent/values.yaml index ced295fc..da31dd32 100644 --- a/lsst-jenkins-swarm-agent/values.yaml +++ b/lsst-jenkins-swarm-agent/values.yaml @@ -19,7 +19,7 @@ dind: memory: "30Gi" requests: cpu: "6" - memory: "30i" + memory: "30Gi" securityContext: privileged: True From ed70ebb20325b988a2228ffe4330e367fccb45c3 Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Thu, 5 Oct 2023 15:58:32 +1100 Subject: [PATCH 08/29] Update dev-values.yaml Current config for running dev at https://rubin-ci-dev.slac.stanford.edu/ - including mac1 agent --- seeds/dev-values.yaml | 339 +++++++++++++++++++++++------------------- 1 file changed, 187 insertions(+), 152 deletions(-) diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml index efee7a8a..b016abc8 100644 --- a/seeds/dev-values.yaml +++ b/seeds/dev-values.yaml 
@@ -21,8 +21,8 @@ controller: # Used for label app.kubernetes.io/component componentName: "jenkins-controller" image: "jenkins/jenkins" - # tag: "2.346.3-jdk11" - tagLabel: jdk11 + tag: "2.414.2-lts-jdk11" + #tagLabel: jdk11 imagePullPolicy: "Always" imagePullSecretName: # Optionally configure lifetime for controller-container @@ -231,8 +231,8 @@ controller: path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login' port: http periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 120 + timeoutSeconds: 10 + failureThreshold: 300 livenessProbe: failureThreshold: 5 httpGet: @@ -318,13 +318,13 @@ controller: # List of plugins to be install during Jenkins controller start installPlugins: - - kubernetes:3600.v144b_cd192ca_a_ - - workflow-aggregator:581.v0c46fa_697ffd - - job-dsl:1.78.3 - - blueocean:1.25.6 - - configuration-as-code:1511.vb_f985b_894e40 - - matrix-auth:3.1.5 - - hashicorp-vault-plugin:359.v2da_3b_45f17d5 + - kubernetes:4029.v5712230ccb_f8 + - workflow-aggregator:596.v8c21c963d92d + - job-dsl:1.85 + - blueocean:1.27.7 + - configuration-as-code:1700.v6f448841296e + - matrix-auth:3.1.9 + - hashicorp-vault-plugin:361.v44fea_4fc08d9 # Set to false to download the minimum required version of all dependencies. 
@@ -336,119 +336,151 @@ controller: # List of plugins to install in addition to those listed in controller.installPlugins additionalPlugins: #- ace-editor:1.1 - - antisamy-markup-formatter:1.5 - #- apache-httpcomponents-client-4-api:4.5.13-138.v4e7d9a_7b_a_e61 - - async-http-client:1.9.40.0 - #- authentication-tokens:1.4 - #- blueocean-autofavorite:1.2.5 - #- blueocean-bitbucket-pipeline:1.25.6 - #- blueocean-commons:1.25.6 - #- blueocean-config:1.25.6 - #- blueocean-core-js:1.25.6 - #- blueocean-dashboard:1.25.6 - #- blueocean-display-url:2.4.1 - #- blueocean-events:1.25.6 - #- blueocean-github-pipeline:1.25.6 - #- blueocean-git-pipeline:1.25.6 - #- blueocean-i18n:1.25.6 - #- blueocean-personalization:1.25.6 - #- blueocean-pipeline-api-impl:1.25.6 - #- blueocean-pipeline-editor:1.25.6 - #- blueocean-pipeline-scm-api:1.25.6 - #- blueocean-rest:1.25.6 - #- blueocean-rest-impl:1.25.6 - #- blueocean-web:1.25.6 - #- bootstrap5-api:5.2.0-1 - #- branch-api:2.1046.v0ca_37783ecc5 - - build-timeout:1.21 - - build-user-vars-plugin:1.8 - - checks-api:1.7.5 - - command-launcher:84.v4a_97f2027398 - - copyartifact:1.47 - - display-url-api:2.3.6 - #- docker-commons:1.19 - - dockerhub-notification:2.6.0 - - docker-workflow:563.vd5d2e5c4007f - - durable-task:500.v8927d9fd99d8 - - echarts-api:5.3.3-1 - - envinject:2.875.v9b_9e962da_a_ec + - antisamy-markup-formatter:162.v0e6ec0fcfcf6 + - apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 +#depreciated - async-http-client:1.9.40.0 + - authentication-tokens:1.53.v1c90fd9191a_b_ + - blueocean-autofavorite:1.2.5 + - blueocean-bitbucket-pipeline:1.27.7 + - blueocean-commons:1.27.7 + - blueocean-config:1.27.7 + - blueocean-core-js:1.27.7 + - blueocean-dashboard:1.27.7 + - blueocean-display-url:2.4.2 + - blueocean-events:1.27.7 + - blueocean-github-pipeline:1.27.7 + - blueocean-git-pipeline:1.27.7 + - blueocean-i18n:1.27.7 + - blueocean-jwt:1.27.7 + - blueocean-personalization:1.27.7 + - blueocean-pipeline-api-impl:1.27.7 + - 
blueocean-pipeline-editor:1.27.7 + - blueocean-pipeline-scm-api:1.27.7 + - blueocean-rest:1.27.7 + - blueocean-rest-impl:1.27.7 + - blueocean-web:1.27.7 + - bootstrap5-api:5.3.2-1 + - bouncycastle-api:2.29 + - branch-api:2.1128.v717130d4f816 + - build-timeout:1.31 + - build-user-vars-plugin:1.9 + - caffeine-api:3.1.8-133.v17b_1ff2e0599 + - checks-api:2.0.2 + - cloudbees-bitbucket-branch-source:845.v27a_d5823911b_ + - cloudbees-folder:6.848.ve3b_fd7839a_81 + - command-launcher:107.v773860566e2e + - commons-lang3-api:3.13.0-62.v7d18e55f51e2 + - commons-text-api:1.10.0-78.v3e7b_ea_d5a_fe1 + - copyartifact:714.v28a_34f8c563f + - credentials:1271.v54b_1c2c6388a_ + - credentials-binding:636.v55f1275c7b_27 + - data-tables-api:1.13.6-4 + - display-url-api:2.3.9 + - docker-commons:439.va_3cb_0a_6a_fb_29 + - dockerhub-notification:2.7.0 + - docker-workflow:572.v950f58993843 + - durable-task:523.va_a_22cf15d5e0 + - echarts-api:5.4.0-6 + - envinject:2.908.v66a_774b_31d93 - envinject-api:1.199.v3ce31253ed13 - - external-monitor-job:1.7 - - favorite:2.4.1 - - font-awesome-api:6.1.2-1 - #- github:1.34.5 - - github-api:1.303-400.v35c2d8258028 - - github-branch-source:1677.v731f745ea_0cf - - github-oauth:0.39 - - git-server:1.7 - - greenballs:1.15.1 - - groovy:442.v817e6d937d6c - - handlebars:1.1.1 + - external-monitor-job:215.v2e88e894db_f8 + - favorite:2.4.3 + - font-awesome-api:6.4.2-1 + - git:5.2.0 + - git-client:4.5.0 + - github:1.37.3 + - github-api:1.314-431.v78d72a_3fe4c3 + - github-branch-source:1741.va_3028eb_9fd21 + - github-oauth:588.vf696a_350572a_ + - git-server:99.va_0826a_b_cdfa_d +#depreciated - greenballs:1.15.1 + - groovy:453.vcdb_a_c5c99890 +#depreciated - handlebars:3.0.8 - handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 - - htmlpublisher:1.30 - - icon-shim:2.0.3 - #- jackson2-api:2.13.3-285.vc03c0256d517 - - jakarta-activation-api:2.0.1-1 - - jakarta-mail-api:2.0.1-1 - - javadoc:1.5 - - javax-activation-api:1.2.0-4 - - javax-mail-api:1.6.2-7 - - jaxb:2.3.6-1 
- - jdk-tool:55.v1b_32b_6ca_f9ca - - jenkins-design-language:1.25.6 - - jira:3.0.5 + - htmlpublisher:1.32 +#depreciated - icon-shim:3.0.0 + - instance-identity:173.va_37c494ec4e5 + - ionicons-api:56.v1b_1c8c49374e + - jackson2-api:2.15.2-350.v0c2f3f8fc595 + - jakarta-activation-api:2.0.1-3 + - jakarta-mail-api:2.0.1-3 + - javadoc:243.vb_b_503b_b_45537 + - javax-activation-api:1.2.0-6 + - javax-mail-api:1.6.2-9 + - jaxb:2.3.8-1 + - jdk-tool:73.vddf737284550 + - jenkins-design-language:1.27.7 + - jersey2-api:2.40-1 + - jira:3.11 - jjwt-api:0.11.5-77.v646c772fddb_0 - #- jquery:1.12.4-0 - - jquery-detached:1.2.1 - - jquery3-api:3.6.0-4 - - junit:1119.1121.vc43d0fc45561 - - kubernetes-client-api:5.12.2-193.v26a_6078f65a_9 - - kubernetes-credentials:0.9.0 - - lockable-resources:2.5 - - mercurial:2.5 - #- mina-sshd-api-common:2.8.0-36.v8e25ce90d4b_1 - #- mina-sshd-api-core:2.8.0-36.v8e25ce90d4b_1 - #- momentjs:1.1.1 - - multiple-scms:0.6 - - nodelabelparameter:1.7.2 - - parameterized-trigger:2.45 - - pipeline-build-step:2.18 - - pipeline-graph-analysis:195.v5812d95a_a_2f9 - - pipeline-groovy-lib:612.v84da_9c54906d - - pipeline-input-step:449.v77f0e8b_845c4 - - pipeline-milestone-step:101.vd572fef9d926 - - pipeline-model-api:2.2114.v2654ca_721309 - - pipeline-model-declarative-agent:1.1.1 - - pipeline-model-definition:2.2114.v2654ca_721309 - - pipeline-model-extensions:2.2114.v2654ca_721309 - - pipeline-rest-api:2.10 - - pipeline-stage-step:293.v200037eefcd5 - - pipeline-stage-tags-metadata:2.2114.v2654ca_721309 - - pipeline-stage-view:2.10 - - pipeline-utility-steps:2.3.0 - - plain-credentials:139.ved2b_9cf7587b - - plugin-util-api:2.17.0 - - popper2-api:2.11.5-2 - - postbuildscript:3.1.0-375.v3db_cd92485e1 - - pubsub-light:1.16 - - purge-build-queue-plugin:48.v39c52a_26a_264 - - rebuild:1.34 - - run-condition:1.2 - - saferestart:0.3 - - ssh-agent:1.17 - #- sshd:3.242.va_db_9da_b_26a_c3 + - jquery:1.12.4-1 +#depreciated - jquery-detached:1.2.1 + - jquery3-api:3.7.1-1 + - 
jsch:0.2.8-65.v052c39de79b_2 + - junit:1240.vf9529b_881428 + - kubernetes-client-api:6.8.1-224.vd388fca_4db_3b_ + - kubernetes-credentials:0.11 + - lockable-resources:1185.v0c528656ce04 + - log-parser:2.3.1 + - mailer:463.vedf8358e006b_ + - matrix-project:808.v5a_b_5f56d6966 + - mercurial:1260.vdfb_723cdcc81 + - mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_ + - mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_ + - metrics:4.2.18-442.v02e107157925 +#depreciated - momentjs:1.1.1 +#depreciated - need alternative? - multiple-scms:0.8 + - nodelabelparameter:1.12.0 + - okhttp-api:4.11.0-157.v6852a_a_fa_ec11 + - parameterized-trigger:2.46 + - pipeline-build-step:505.v5f0844d8d126 + - pipeline-graph-analysis:202.va_d268e64deb_3 + - pipeline-groovy-lib:689.veec561a_dee13 + - pipeline-input-step:477.v339683a_8d55e + - pipeline-milestone-step:111.v449306f708b_7 + - pipeline-model-api:2.2144.v077a_d1928a_40 +#depreciated - pipeline-model-declarative-agent:1.1.1 + - pipeline-model-definition:2.2144.v077a_d1928a_40 + - pipeline-model-extensions:2.2144.v077a_d1928a_40 + - pipeline-rest-api:2.33 + - pipeline-stage-step:305.ve96d0205c1c6 + - pipeline-stage-tags-metadata:2.2144.v077a_d1928a_40 + - pipeline-stage-view:2.33 + - pipeline-utility-steps:2.16.0 + - plain-credentials:143.v1b_df8b_d3b_e48 + - plugin-util-api:3.3.0 + - popper2-api:2.11.6-2 #depreciated but needed for bootstrap5-api + - postbuildscript:3.2.0-550.v88192b_d3e922 + - pubsub-light:1.17 + - purge-build-queue-plugin:88.v23b_97b_f2c7a_d + - rebuild:320.v5a_0933a_e7d61 + - run-condition:1.7 + - saferestart:0.7 + - scm-api:676.v886669a_199a_a_ + - script-security:1275.v23895f409fb_d + - snakeyaml-api:2.2-111.vc6598e30cc65 + - sse-gateway:1.26 + - ssh-agent:333.v878b_53c89511 + - ssh-credentials:308.ve4497b_ccd8f4 + - sshd:3.312.v1c601b_c83b_0e - ssh-slaves:1.29.4 - - swarm:3.34 - #- trilead-api:1.67.vc3938a_35172f - - variant:59.vf075fe829ccb - - windows-slaves:1.4 - - workflow-api:1192.v2d0deb_19d212 - - 
workflow-basic-steps:991.v43d80fea_ff66 - - workflow-cps:2759.v87459c4eea_ca_ - - workflow-cps-global-lib:2.13 - - workflow-durable-task-step:1199.v02b_9244f8064 - - workflow-job:1207.ve6191ff089f8 - - workflow-multibranch:716.vc692a_e52371b_ + - structs:325.vcb_307d2a_2782 + - swarm:3.40 + - token-macro:384.vf35b_f26814ec + - trilead-api:2.84.v72119de229b_7 + - variant:60.v7290fc0eb_b_cd +#depreciated - windows-slaves:1.8.1 need to find alternative? + - workflow-api:1281.vca_5fddb_3fceb_ + - workflow-basic-steps:1042.ve7b_140c4a_e0c + - workflow-cps:3791.va_c0338ea_b_59c +#depreciated - workflow-cps-global-lib:609.vd95673f149b_b + - workflow-durable-task-step:1289.v4d3e7b_01546b_ + - workflow-job:1346.v180a_63f40267 + - workflow-multibranch:756.v891d88f2cd46 + - workflow-scm-step:415.v434365564324 + - workflow-step-api:639.v6eca_cd8c04a_a_ + - workflow-support:865.v43e78cc44e0d + # Enable to initialize the Jenkins controller only once on initial installation. # Without this, whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates which has the potential to cause breakage. @@ -552,10 +584,10 @@ controller: # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each | # become the content of the configuration yaml file. The first line after this is a JCasC root element, eg jenkins, credentials, - # etc. Best reference is https:///configuration-as-code/reference. The example below creates a welcome message: - JCasC: + # etc. Best reference is https:///configuration-as-code/reference. + JCasC: defaultConfig: true - # Ignored if securityRealm is defined in controller.JCasC.configScripts and + # Ignored if securityRealm is defined in controller.JCasC.configScripts securityRealm: |- #local: # allowsSignup: false 
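Review bot: The marker on the disabled entries is spelled `#depreciated` (nine occurrences in this hunk, e.g. `#depreciated - async-http-client:1.9.40.0`); the word is `deprecated`, and a consistent marker such as `# deprecated: async-http-client:1.9.40.0` makes the disabled set greppable. Those comments also sit at column 0 inside the indented sequence, which YAML accepts but yamllint's comments-indentation rule flags, so indenting them to the list level avoids lint noise. `ssh-slaves:1.29.4` appears to be an unchanged context line, which would make it the one agent-side plugin not re-pinned in this refresh — worth confirming that is intended. The additionalPlugins list begins at the start of the hunk and the enclosing controller block continues outside it.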
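Review bot: The kept comment still reads `Best reference is https:///configuration-as-code/reference.`, a URL with an empty host; the upstream chart's wording uses a placeholder for the controller's own URL, which looks like it was lost here (an angle-bracketed token stripped on the way in). Restoring it, e.g. `# etc. Best reference is https://<jenkins_url>/configuration-as-code/reference.`, tells the reader to open that page on their own controller rather than treating it as a broken link.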
@@ -570,7 +602,8 @@ controller: clientID: "${secret/rubin/rubin-jenkins-control-dev/github-oauth/client-id}" clientSecret: "${secret/rubin/rubin-jenkins-control-dev/github-oauth/client-secret}" oauthScopes: "read:org" - authorizationStrategy: |- + # Uses matrix-auth plugin to configure user and group permissions + authorizationStrategy: |- globalMatrix: permissions: - "USER:Agent/Connect:sqre-user" @@ -596,6 +629,7 @@ controller: - "USER:Overall/Administer:frossie" - "USER:Overall/Administer:jhoblitt" - "USER:Overall/Administer:ktlim" + - "USER:Overall/Administer:aranabhat" - "GROUP:Overall/Administer:lsst-sqre*leeroy-wranglers" - "GROUP:Overall/Administer:lsst-sqre*square" - "USER:Overall/Administer:mwittgen" @@ -609,8 +643,8 @@ controller: welcome-message: | jenkins: systemMessage: This is the DEVELOPMENT instance of jenkins. - - systemCredentials: |- + # Connects to vault to provide all credentials + systemCredentials: |- credentials: system: domainCredentials: 
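Review bot: The new `"USER:Overall/Administer:aranabhat"` line adds another individual to the growing set of per-user Overall/Administer grants, while the same list already grants that permission to GitHub teams (`GROUP:Overall/Administer:lsst-sqre*leeroy-wranglers`, `GROUP:Overall/Administer:lsst-sqre*square`). Administering through team membership keeps onboarding and offboarding in one place (the GitHub org) instead of a values-file edit per person; if the direct grant is deliberate for the dev instance, a comment such as `# Individual Overall/Administer grants are dev-only; prod relies on the lsst-sqre teams` would record that. The globalMatrix permissions list starts and ends outside the hunk.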
@@ -771,32 +805,33 @@ controller: security: globaljobdslsecurityconfiguration: useScriptSecurity: false - #permanent-nodes: | - # jenkins: - # nodes: - # - permanent: - # labelString: "osx osx-10.13 high_sierra" - # launcher: - # sSHLauncher: - # credentialsId: "sqre-osx" - # host: "mac1.lsst.cloud" - # launchTimeoutSeconds: 210 - # maxNumRetries: 0 - # port: 22 - # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" - # retryWaitTime: 15 - # sshHostKeyVerificationStrategy: - # manuallyTrustedKeyVerificationStrategy: - # requireInitialManualTrust: true - # mode: EXCLUSIVE - # name: "high_sierra-1" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" - # numExecutors: 1 - # remoteFS: "/Users/square/j" + # Connects mac agents to jenkins controller + permanent-nodes: | + jenkins: + nodes: + - permanent: + labelString: "osx-12" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac1.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: true + name: "mac1" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + numExecutors: 1 + remoteFS: "/Users/squaredev/j" + retentionStrategy: "always" + # Additional mac agents for prod jenkins # - permanent: # labelString: "osx osx-10.13 high_sierra" # launcher: From d1ab2d9e8f86df2c5d15cc3438a0ac031aa59de0 Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Thu, 23 Nov 2023 12:09:52 +1100 Subject: [PATCH 09/29] Update dev-values.yaml --- seeds/dev-values.yaml | 47 ++++++++++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 18 deletions(-) diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml index b016abc8..6e01bbeb 100644 --- a/seeds/dev-values.yaml +++ b/seeds/dev-values.yaml 
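Review bot: The node is enabled with `requireInitialManualTrust: true`, which is the right choice for a permanent SSH agent but means an operator has to approve the `mac1.lsst.cloud` host key from the controller UI after each fresh deploy, and nothing near the config says so; a comment such as `# First connection must be trusted manually from the node page; the key is pinned afterwards` above `sshHostKeyVerificationStrategy` would save the next operator a failed launch. The `prefixStartSlaveCmd` and `mode: EXCLUSIVE` lines from the commented template were dropped on the new side; if the PATH prefix is still needed on the mac it should come back, otherwise the removal deserves a word in the comment. The permanent-nodes block scalar continues outside the hunk.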
@@ -84,11 +84,16 @@ controller: # Environment variables that get added to the init container (useful for e.g. # http_proxy) initContainerEnv: - - name: CASC_VAULT_TOKEN + - name: CASC_VAULT_APPROLE valueFrom: secretKeyRef: - name: vault-token - key: VAULT_TOKEN + name: vault-approle + key: APPROLE_ID + - name: CASC_VAULT_APPROLE_SECRET + valueFrom: + secretKeyRef: + name: vault-approle + key: APPROLE_SECRET - name: CASC_VAULT_URL value: https://vault.slac.stanford.edu - name: CASC_VAULT_PATHS @@ -118,11 +123,16 @@ controller: # - name: http_proxy # value: "http://192.168.64.1:3128" containerEnv: - - name: CASC_VAULT_TOKEN + - name: CASC_VAULT_APPROLE + valueFrom: + secretKeyRef: + name: vault-approle + key: APPROLE_ID + - name: CASC_VAULT_APPROLE_SECRET valueFrom: secretKeyRef: - name: vault-token - key: VAULT_TOKEN + name: vault-approle + key: APPROLE_SECRET - name: CASC_VAULT_URL value: https://vault.slac.stanford.edu - name: CASC_VAULT_PATHS @@ -243,7 +253,7 @@ controller: # If Startup Probe is not supported on your Kubernetes cluster, you might # want to use "initialDelaySeconds" instead. # It delays the initial liveness probe while Jenkins is starting - initialDelaySeconds: 600 + initialDelaySeconds: 120 readinessProbe: failureThreshold: 3 httpGet: @@ -254,7 +264,7 @@ controller: # If Startup Probe is not supported on your Kubernetes cluster, you might # want to use "initialDelaySeconds" instead. # It delays the initial readyness probe while Jenkins is starting - initialDelaySeconds: 600 + initialDelaySeconds: 120 # PodDisruptionBudget config podDisruptionBudget: 
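Review bot: The AppRole wiring (`vault-approle` secret, keys `APPROLE_ID` / `APPROLE_SECRET`) is duplicated verbatim between this initContainerEnv hunk and the containerEnv hunk at @@ -118, so a rename of the secret or a key has to be made twice; a comment on each copy such as `# Must match the CASC_VAULT_* entries in controller.containerEnv` ties them together. Moving from a static token to AppRole is the right direction, but the secret_id still lives in a Kubernetes Secret, so its TTL and rotation in Vault are now what bounds a leak — worth a note beside the secretKeyRef if that policy exists. The env list continues outside the hunk.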
@@ -286,11 +296,12 @@ controller: # Note if you set this to 'LoadBalancer', you *must* define annotations to secure it. By default # this will be an external load balancer and allowing inbound 0.0.0.0/0, a HUGE # security risk: https://github.com/kubernetes/charts/issues/1341 - agentListenerServiceType: "ClusterIP" + agentListenerServiceType: "LoadBalancer" # Optionally assign an IP to the LoadBalancer agentListenerService LoadBalancer # GKE users: only regional static IPs will work for Service Load balancer. agentListenerLoadBalancerIP: - agentListenerServiceAnnotations: {} + agentListenerServiceAnnotations: + metallb.universe.tf/address-pool: sdf-services # Example of 'LoadBalancer' type of agent listener with annotations securing it # agentListenerServiceType: LoadBalancer @@ -643,7 +654,7 @@ controller: welcome-message: | jenkins: systemMessage: This is the DEVELOPMENT instance of jenkins. - # Connects to vault to provide all credentials + # Connects to specified vault paths and variables to provide all credentials systemCredentials: |- credentials: system: @@ -801,7 +812,7 @@ controller: add-seed-job: | jobs: - - url: https://raw.githubusercontent.com/lsst-dm/jenkins-dm-jobs/update-gradle/seeds/seed-jobs.groovy + - url: https://raw.githubusercontent.com/lsst-dm/jenkins-dm-jobs/main/seeds/seed-jobs.groovy security: globaljobdslsecurityconfiguration: useScriptSecurity: false @@ -821,13 +832,13 @@ controller: retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: - requireInitialManualTrust: true + requireInitialManualTrust: false name: "mac1" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" numExecutors: 1 remoteFS: "/Users/squaredev/j" retentionStrategy: "always" From 1d2bdd605bcfb9e3376981af5e59b02b28118ed3 Mon Sep 17 00:00:00 2001 
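Review bot: `agentListenerServiceType` is switched to `LoadBalancer` and the only annotation added selects a MetalLB address pool (`metallb.universe.tf/address-pool: sdf-services`), which says where the IP comes from but does nothing to restrict who can reach the agent port — exactly the case the retained comment above warns about. Inbound agents still need their per-node secret, but an unrestricted listener is reachable by anyone who can route to that pool, so the allowed sources should be limited (the upstream chart carries a source-range value for this listener — confirm the key name in this chart version — or a NetworkPolicy on the listener port) and the reason recorded, e.g. `# MetalLB pool sdf-services; reachable only from the source ranges set below`. The service configuration continues outside the hunk.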
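Review bot: The seed job now pulls `seeds/seed-jobs.groovy` from the `main` branch of lsst-dm/jenkins-dm-jobs over a raw GitHub URL, and the context lines right after it show `useScriptSecurity: false` for Job DSL, so whatever lands on `main` runs as unsandboxed Groovy on the controller. That is acceptable while `main` is branch-protected (reviewed PRs, no direct pushes), but the assumption should be visible, e.g. `# Runs unsandboxed (useScriptSecurity: false): main must stay branch-protected`; pinning to a tag or commit would remove the dependency on branch policy altogether. The jobs list is complete within the hunk; the security stanza continues outside it.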
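Review bot: `requireInitialManualTrust` flips to `false`, so the first host key presented on `mac1.lsst.cloud:22` is accepted automatically and only later changes are rejected; the trust decision moves from an operator to whoever answers that first connection, and the `sqre-osx` credential is offered to it. If the goal is to avoid the manual approval after every redeploy, pinning the agent's public host key via the known-hosts style verification strategy gives the same convenience without trust-on-first-use; otherwise a comment such as `# TOFU: first-connect host key is auto-accepted — dev instance only` should mark it as a deliberate shortcut. The re-indented nodeProperties comment is fine as it stands.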
From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Wed, 24 Jan 2024 13:05:46 +1100 Subject: [PATCH 10/29] Update README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index a7c5464e..6532e909 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,4 @@ -jenkins-dm-jobs -=== +## jenkins-dm-jobs When updating a job in this repo, for example when changing the user-specified parameters but _not_ when changing the pipeline to be run, manually trigger From 3611cdd47480fb3d77b670a7ac593a4a2fd1ec0c Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Wed, 24 Jan 2024 13:11:05 +1100 Subject: [PATCH 11/29] Update README.md updated from failed linter test --- seeds/README.md | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/seeds/README.md b/seeds/README.md index 77acf42d..57df37f6 100644 --- a/seeds/README.md +++ b/seeds/README.md @@ -6,17 +6,17 @@ yaml breaks, and so having the groovy files be separate is a smarter thing to do. It appears that the original seed job system was based on -https://github.com/sheehan/job-dsl-gradle-example/. It is worth referring to +. It is worth referring to that repository to understand how seed jobs are set up. ## Why use helm to set up jenkins -As per https://www.jenkins.io/doc/book/installing/kubernetes/, there are three +As per , there are three ways of installing jenkins into a kubernetes cluster: - 1. Use the kubernetes operator - 2. Use the provided helm chart - 3. Manually define the setup using standard kubernetes objects +1. Use the kubernetes operator +2. Use the provided helm chart +3. Manually define the setup using standard kubernetes objects Whilst using the kubernetes operator would be ideal, the way it is currently set up requires that all plugins and jobs are predefined, and there appears to be no 
@@ -29,12 +29,13 @@ allow as easy configuration of the system. ## Setting up helm for installing jenkins -See https://helm.sh/docs/intro/install/ for how to install helm. +See for how to install helm. Once helm is installed, you need to add the helm repository containing the jenkins helm charts: + ``` -helm repo add jenkinsci https://charts.jenkins.io +helm repo add jenkinsci ``` This should now appear on the list of installed repositories that appear by @@ -43,19 +44,21 @@ running `helm repo list`. ## Installing jenkins via helm As per https://helm.sh/docs/intro/using_helm/, running: + ``` helm install -n jenkinsci/jenkins -f ``` + will install the jenkins helm chart with the config that has been specific in the given files. You should not need to modify the files too much, but there are certain sections you will want to be familiar with: - * `installPlugins` and `additionalPlugins`: Plugins needed for the system. +* `installPlugins` and `additionalPlugins`: Plugins needed for the system. Jenkins is a bit picky about versions, so you may need to work out which plugins are leaf plugins and install those, rather than trying to lock everything. - * `JCasC`: This is where jenkins config is injected. Things like security +* `JCasC`: This is where jenkins config is injected. Things like security properties, seed jobs and authentication are configured here. - * `ingress`: This is where we configure external access to jenkins. +* `ingress`: This is where we configure external access to jenkins. From 6864620e63d3aeb3d8ffcfdb9df3ede04eb06e8f Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Wed, 24 Jan 2024 13:16:44 +1100 Subject: [PATCH 12/29] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6532e909..d23c2f18 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -## jenkins-dm-jobs +# jenkins-dm-jobs When updating a job in this repo, for example when changing the user-specified parameters but _not_ when changing the pipeline to be run, manually trigger From 014484ffcc25842d2070bf4c09f5d4184dea290f Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Wed, 24 Jan 2024 13:18:12 +1100 Subject: [PATCH 13/29] Update README.md --- seeds/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/seeds/README.md b/seeds/README.md index 57df37f6..fc8bd09b 100644 --- a/seeds/README.md +++ b/seeds/README.md @@ -14,9 +14,9 @@ that repository to understand how seed jobs are set up. As per , there are three ways of installing jenkins into a kubernetes cluster: -1. Use the kubernetes operator -2. Use the provided helm chart -3. Manually define the setup using standard kubernetes objects +* Use the kubernetes operator +* Use the provided helm chart +* Manually define the setup using standard kubernetes objects Whilst using the kubernetes operator would be ideal, the way it is currently set up requires that all plugins and jobs are predefined, and there appears to be no @@ -43,7 +43,7 @@ running `helm repo list`. ## Installing jenkins via helm -As per https://helm.sh/docs/intro/using_helm/, running: +As per , running: ``` helm install -n jenkinsci/jenkins -f From 7943e9cae6e6d1d3f159e40ae366250721fd7dec Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Wed, 28 Feb 2024 10:13:26 +1100 Subject: [PATCH 14/29] Updated dev-values.yaml to most recent version --- seeds/dev-values.yaml | 416 ++++++++++++++++++++++-------------------- 1 file changed, 217 insertions(+), 199 deletions(-) diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml index 6e01bbeb..67c522ad 100644 --- a/seeds/dev-values.yaml +++ b/seeds/dev-values.yaml 
@@ -21,7 +21,7 @@ controller: # Used for label app.kubernetes.io/component componentName: "jenkins-controller" image: "jenkins/jenkins" - tag: "2.414.2-lts-jdk11" + tag: "2.426.3-lts-jdk11" #tagLabel: jdk11 imagePullPolicy: "Always" imagePullSecretName: @@ -84,6 +84,12 @@ controller: # Environment variables that get added to the init container (useful for e.g. # http_proxy) initContainerEnv: + # - name: CASC_VAULT_TOKEN + # valueFrom: + # secretKeyRef: + # name: vault-token + # key: VAULT_TOKEN + - name: CASC_VAULT_APPROLE valueFrom: secretKeyRef: 
@@ -97,7 +103,7 @@ controller: - name: CASC_VAULT_URL value: https://vault.slac.stanford.edu - name: CASC_VAULT_PATHS - value: secret/rubin/rubin-jenkins-control-dev/common,secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control-dev/aws-eups-push,secret/rubin/rubin-jenkins-control-dev/aws-eups-backup,secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push,secret/rubin/rubin-jenkins-control-dev/slack-lsstc-token,secret/rubin/rubin-jenkins-control-dev/ghslacker,secret/rubin/rubin-jenkins-control-dev/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control-dev/sqre-osx,secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push,secret/rubin/rubin-jenkins-control-dev/github_backup,secret/rubin/rubin-jenkins-control-dev/squash-api-user,secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws,secret/rubin/rubin-jenkins-control-dev/ltd-keeper,secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa,secret/rubin/rubin-jenkins-control-dev/github-oauth + value: 
secret/rubin/rubin-jenkins-control-dev/common,secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control-dev/aws-eups-push,secret/rubin/rubin-jenkins-control-dev/aws-eups-backup,secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push,secret/rubin/rubin-jenkins-control-dev/slack-lsstc-token,secret/rubin/rubin-jenkins-control-dev/ghslacker,secret/rubin/rubin-jenkins-control-dev/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control-dev/sqre-osx,secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push,secret/rubin/rubin-jenkins-control-dev/github_backup,secret/rubin/rubin-jenkins-control-dev/squash-api-user,secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws,secret/rubin/rubin-jenkins-control-dev/ltd-keeper,secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa,secret/rubin/rubin-jenkins-control-dev/github-oauth,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control-dev/sqre-osx-dev - name: HTTP_PROXY value: http://sdfproxy.sdf.slac.stanford.edu:3128 - name: HTTPS_PROXY 
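Review bot: The dev controller now reads a Vault path outside its own tree: the new `CASC_VAULT_PATHS` value appends `secret/rubin/rubin-jenkins-control/sqre-osx`, the only entry without the `-dev` suffix that every other path carries, which by naming looks like the production secret tree. Granting the dev AppRole that path means a compromise of the dev controller also yields the production mac-agent SSH key, and the only consumer of that path in this patch is a commented-out credential block, so the entry can simply be dropped: `...,secret/rubin/rubin-jenkins-control-dev/github-oauth,secret/rubin/rubin-jenkins-control-dev/sqre-osx-dev`. If the production key genuinely is needed on dev, copying it under `rubin-jenkins-control-dev/` keeps the two Vault policies separate. The identical list is duplicated in the `containerEnv` hunk below and needs the same edit.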
@@ -133,10 +139,15 @@ controller: secretKeyRef: name: vault-approle key: APPROLE_SECRET + #- name: CASC_VAULT_TOKEN + # valueFrom: + # secretKeyRef: + # name: vault-token2 + # key: VAULT_TOKEN - name: CASC_VAULT_URL value: https://vault.slac.stanford.edu - name: CASC_VAULT_PATHS - value: secret/rubin/rubin-jenkins-control-dev/common,secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control-dev/aws-eups-push,secret/rubin/rubin-jenkins-control-dev/aws-eups-backup,secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push,secret/rubin/rubin-jenkins-control-dev/slack-lsstc-token,secret/rubin/rubin-jenkins-control-dev/ghslacker,secret/rubin/rubin-jenkins-control-dev/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control-dev/sqre-osx,secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push,secret/rubin/rubin-jenkins-control-dev/github_backup,secret/rubin/rubin-jenkins-control-dev/squash-api-user,secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws,secret/rubin/rubin-jenkins-control-dev/ltd-keeper,secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa,secret/rubin/rubin-jenkins-control-dev/github-oauth + value: 
secret/rubin/rubin-jenkins-control-dev/common,secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control-dev/aws-eups-push,secret/rubin/rubin-jenkins-control-dev/aws-eups-backup,secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push,secret/rubin/rubin-jenkins-control-dev/slack-lsstc-token,secret/rubin/rubin-jenkins-control-dev/ghslacker,secret/rubin/rubin-jenkins-control-dev/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control-dev/sqre-osx,secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push,secret/rubin/rubin-jenkins-control-dev/github_backup,secret/rubin/rubin-jenkins-control-dev/squash-api-user,secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws,secret/rubin/rubin-jenkins-control-dev/ltd-keeper,secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa,secret/rubin/rubin-jenkins-control-dev/github-oauth,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control-dev/sqre-osx-dev - name: HTTP_PROXY value: http://sdfproxy.sdf.slac.stanford.edu:3128 - name: HTTPS_PROXY @@ -277,12 +288,11 @@ controller: # maxUnavailable: "0" agentListenerEnabled: true - agentListenerPort: 50000 + agentListenerPort: 20000 agentListenerHostPort: agentListenerNodePort: agentListenerExternalTrafficPolicy: agentListenerLoadBalancerSourceRanges: - - 0.0.0.0/0 disabledAgentProtocols: - JNLP-connect - JNLP2-connect @@ -301,7 +311,7 @@ controller: # GKE users: only regional static IPs will work for Service Load balancer. agentListenerLoadBalancerIP: agentListenerServiceAnnotations: - metallb.universe.tf/address-pool: sdf-services + metallb.universe.tf/address-pool: sdf-dmz # Example of 'LoadBalancer' type of agent listener with annotations securing it # agentListenerServiceType: LoadBalancer 
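Review bot: `agentListenerLoadBalancerSourceRanges` is now a null value, not a restriction: dropping `- 0.0.0.0/0` leaves a bare key, which the chart treats as "omit `loadBalancerSourceRanges` from the Service", and a LoadBalancer-type listener with no source ranges is reachable from everywhere, so the inbound agent port (now 20000) is no tighter than before. Since the listener is being moved to the `sdf-dmz` MetalLB pool, the key should carry the real source networks of the agents that dial in, `agentListenerLoadBalancerSourceRanges:` followed by one `- <agent-cidr>` entry per network, and it is worth confirming which component (kube-proxy or a NetworkPolicy) actually enforces source ranges for MetalLB-assigned addresses on this cluster. The mac nodes defined later in this file are SSH-launched by the controller, so if nothing connects inbound the cleaner fix is to leave the listener `ClusterIP` or disable it.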
@@ -312,7 +322,7 @@ controller: # LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to # set allowed inbound rules on the security group assigned to the controller load balancer loadBalancerSourceRanges: - - 0.0.0.0/0 +# - 0.0.0.0/0 # Optionally assign a known public LB IP # loadBalancerIP: 1.2.3.4 # Optionally configure a JMX port @@ -329,13 +339,13 @@ controller: # List of plugins to be install during Jenkins controller start installPlugins: - - kubernetes:4029.v5712230ccb_f8 + - kubernetes:4147.va_d406fb_66172 - workflow-aggregator:596.v8c21c963d92d - - job-dsl:1.85 - - blueocean:1.27.7 - - configuration-as-code:1700.v6f448841296e + - job-dsl:1.87 + - blueocean:1.27.9 + - configuration-as-code:1738.v2d8b_a_b_8a_54b_1 - matrix-auth:3.1.9 - - hashicorp-vault-plugin:361.v44fea_4fc08d9 + - hashicorp-vault-plugin:364.vf5d54b_3dc313 # Set to false to download the minimum required version of all dependencies. 
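Review bot: `loadBalancerSourceRanges` for the controller Service is null after this change, not restricted: commenting out `- 0.0.0.0/0` leaves the key empty, the chart omits the field, and a LoadBalancer Service without source ranges is open to all sources, so the edit is cosmetic. Either list the operator and ingress CIDRs explicitly, or, if the controller `serviceType` (not visible in this hunk) is `ClusterIP` behind an ingress, remove the key and record why with `# controller is ClusterIP; access is restricted at the ingress`.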
@@ -352,76 +362,76 @@ controller: #depreciated - async-http-client:1.9.40.0 - authentication-tokens:1.53.v1c90fd9191a_b_ - blueocean-autofavorite:1.2.5 - - blueocean-bitbucket-pipeline:1.27.7 - - blueocean-commons:1.27.7 - - blueocean-config:1.27.7 - - blueocean-core-js:1.27.7 - - blueocean-dashboard:1.27.7 + - blueocean-bitbucket-pipeline:1.27.9 + - blueocean-commons:1.27.9 + - blueocean-config:1.27.9 + - blueocean-core-js:1.27.9 + - blueocean-dashboard:1.27.9 - blueocean-display-url:2.4.2 - - blueocean-events:1.27.7 - - blueocean-github-pipeline:1.27.7 - - blueocean-git-pipeline:1.27.7 - - blueocean-i18n:1.27.7 - - blueocean-jwt:1.27.7 - - blueocean-personalization:1.27.7 - - blueocean-pipeline-api-impl:1.27.7 - - blueocean-pipeline-editor:1.27.7 - - blueocean-pipeline-scm-api:1.27.7 - - blueocean-rest:1.27.7 - - blueocean-rest-impl:1.27.7 - - blueocean-web:1.27.7 - - bootstrap5-api:5.3.2-1 - - bouncycastle-api:2.29 - - branch-api:2.1128.v717130d4f816 - - build-timeout:1.31 + - blueocean-events:1.27.9 + - blueocean-github-pipeline:1.27.9 + - blueocean-git-pipeline:1.27.9 + - blueocean-i18n:1.27.9 + - blueocean-jwt:1.27.9 + - blueocean-personalization:1.27.9 + - blueocean-pipeline-api-impl:1.27.9 + - blueocean-pipeline-editor:1.27.9 + - blueocean-pipeline-scm-api:1.27.9 + - blueocean-rest:1.27.9 + - blueocean-rest-impl:1.27.9 + - blueocean-web:1.27.9 + - bootstrap5-api:5.3.2-3 + - bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9 + - branch-api:2.1135.v8de8e7899051 + - build-timeout:1.32 - build-user-vars-plugin:1.9 - caffeine-api:3.1.8-133.v17b_1ff2e0599 - checks-api:2.0.2 - - cloudbees-bitbucket-branch-source:845.v27a_d5823911b_ - - cloudbees-folder:6.848.ve3b_fd7839a_81 + - cloudbees-bitbucket-branch-source:856.v04c46c86f911 + - cloudbees-folder:6.858.v898218f3609d - command-launcher:107.v773860566e2e - commons-lang3-api:3.13.0-62.v7d18e55f51e2 - - commons-text-api:1.10.0-78.v3e7b_ea_d5a_fe1 - - copyartifact:714.v28a_34f8c563f - - credentials:1271.v54b_1c2c6388a_ - 
- credentials-binding:636.v55f1275c7b_27 - - data-tables-api:1.13.6-4 - - display-url-api:2.3.9 + - commons-text-api:1.11.0-94.v3e1f4a_926e49 + - copyartifact:722.v0662a_9b_e22a_c + - credentials:1309.v8835d63eb_d8a_ + - credentials-binding:642.v737c34dea_6c2 + - data-tables-api:1.13.8-1 + - display-url-api:2.200.vb_9327d658781 - docker-commons:439.va_3cb_0a_6a_fb_29 - - dockerhub-notification:2.7.0 + - dockerhub-notification:2.7.1 - docker-workflow:572.v950f58993843 - durable-task:523.va_a_22cf15d5e0 - - echarts-api:5.4.0-6 + - echarts-api:5.4.3-1 - envinject:2.908.v66a_774b_31d93 - envinject-api:1.199.v3ce31253ed13 - external-monitor-job:215.v2e88e894db_f8 - favorite:2.4.3 - font-awesome-api:6.4.2-1 - - git:5.2.0 + - git:5.2.1 - git-client:4.5.0 - - github:1.37.3 - - github-api:1.314-431.v78d72a_3fe4c3 - - github-branch-source:1741.va_3028eb_9fd21 - - github-oauth:588.vf696a_350572a_ + - github:1.37.3.1 + - github-api:1.316-451.v15738eef3414 + - github-branch-source:1751.v90e17c48a_6a_c + - github-oauth:597.ve0c3480fcb_d0 - git-server:99.va_0826a_b_cdfa_d #depreciated - greenballs:1.15.1 - - groovy:453.vcdb_a_c5c99890 + - groovy:457.v99900cb_85593 #depreciated - handlebars:3.0.8 - handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 - htmlpublisher:1.32 #depreciated - icon-shim:3.0.0 - - instance-identity:173.va_37c494ec4e5 + - instance-identity:185.v303dc7c645f9 - ionicons-api:56.v1b_1c8c49374e - - jackson2-api:2.15.2-350.v0c2f3f8fc595 + - jackson2-api:2.15.3-372.v309620682326 - jakarta-activation-api:2.0.1-3 - jakarta-mail-api:2.0.1-3 - javadoc:243.vb_b_503b_b_45537 - javax-activation-api:1.2.0-6 - javax-mail-api:1.6.2-9 - - jaxb:2.3.8-1 + - jaxb:2.3.9-1 - jdk-tool:73.vddf737284550 - - jenkins-design-language:1.27.7 - - jersey2-api:2.40-1 + - jenkins-design-language:1.27.9 + - jersey2-api:2.41-133.va_03323b_a_1396 - jira:3.11 - jjwt-api:0.11.5-77.v646c772fddb_0 - jquery:1.12.4-1 
@@ -434,59 +444,59 @@ controller: - lockable-resources:1185.v0c528656ce04 - log-parser:2.3.1 - mailer:463.vedf8358e006b_ - - matrix-project:808.v5a_b_5f56d6966 + - matrix-project:818.v7eb_e657db_924 - mercurial:1260.vdfb_723cdcc81 - - mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_ - - mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_ + - mina-sshd-api-common:2.11.0-86.v836f585d47fa_ + - mina-sshd-api-core:2.11.0-86.v836f585d47fa_ - metrics:4.2.18-442.v02e107157925 #depreciated - momentjs:1.1.1 #depreciated - need alternative? - multiple-scms:0.8 - nodelabelparameter:1.12.0 - okhttp-api:4.11.0-157.v6852a_a_fa_ec11 - - parameterized-trigger:2.46 - - pipeline-build-step:505.v5f0844d8d126 + - parameterized-trigger:787.v665fcf2a_830b_ + - pipeline-build-step:516.v8ee60a_81c5b_9 - pipeline-graph-analysis:202.va_d268e64deb_3 - pipeline-groovy-lib:689.veec561a_dee13 - pipeline-input-step:477.v339683a_8d55e - pipeline-milestone-step:111.v449306f708b_7 - - pipeline-model-api:2.2144.v077a_d1928a_40 + - pipeline-model-api:2.2151.ve32c9d209a_3f #depreciated - pipeline-model-declarative-agent:1.1.1 - - pipeline-model-definition:2.2144.v077a_d1928a_40 - - pipeline-model-extensions:2.2144.v077a_d1928a_40 - - pipeline-rest-api:2.33 + - pipeline-model-definition:2.2151.ve32c9d209a_3f + - pipeline-model-extensions:2.2151.ve32c9d209a_3f + - pipeline-rest-api:2.34 - pipeline-stage-step:305.ve96d0205c1c6 - - pipeline-stage-tags-metadata:2.2144.v077a_d1928a_40 - - pipeline-stage-view:2.33 + - pipeline-stage-tags-metadata:2.2151.ve32c9d209a_3f + - pipeline-stage-view:2.34 - pipeline-utility-steps:2.16.0 - plain-credentials:143.v1b_df8b_d3b_e48 - - plugin-util-api:3.3.0 - - popper2-api:2.11.6-2 #depreciated but needed for bootstrap5-api + - plugin-util-api:3.6.0 + - popper2-api:2.11.6-4 #depreciated but needed for bootstrap5-api - postbuildscript:3.2.0-550.v88192b_d3e922 - - pubsub-light:1.17 + - pubsub-light:1.18 - purge-build-queue-plugin:88.v23b_97b_f2c7a_d - - rebuild:320.v5a_0933a_e7d61 + - 
rebuild:330.v645b_7df10e2a_ - run-condition:1.7 - saferestart:0.7 - - scm-api:676.v886669a_199a_a_ - - script-security:1275.v23895f409fb_d + - scm-api:683.vb_16722fb_b_80b_ + - script-security:1281.v22fb_899df1a_e - snakeyaml-api:2.2-111.vc6598e30cc65 - sse-gateway:1.26 - - ssh-agent:333.v878b_53c89511 + - ssh-agent:346.vda_a_c4f2c8e50 - ssh-credentials:308.ve4497b_ccd8f4 - sshd:3.312.v1c601b_c83b_0e - ssh-slaves:1.29.4 - structs:325.vcb_307d2a_2782 - - swarm:3.40 + - swarm:3.41 - token-macro:384.vf35b_f26814ec - trilead-api:2.84.v72119de229b_7 - variant:60.v7290fc0eb_b_cd #depreciated - windows-slaves:1.8.1 need to find alternative? - - workflow-api:1281.vca_5fddb_3fceb_ + - workflow-api:1283.v99c10937efcb_ - workflow-basic-steps:1042.ve7b_140c4a_e0c - - workflow-cps:3791.va_c0338ea_b_59c + - workflow-cps:3806.va_3a_6988277b_2 #depreciated - workflow-cps-global-lib:609.vd95673f149b_b - workflow-durable-task-step:1289.v4d3e7b_01546b_ - - workflow-job:1346.v180a_63f40267 + - workflow-job:1360.vc6700e3136f5 - workflow-multibranch:756.v891d88f2cd46 - workflow-scm-step:415.v434365564324 - workflow-step-api:639.v6eca_cd8c04a_a_ @@ -496,7 +506,7 @@ controller: # Enable to initialize the Jenkins controller only once on initial installation. # Without this, whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates which has the potential to cause breakage. # Note that for this to work, `persistence.enabled` needs to be set to `true` - initializeOnce: true + initializeOnce: false # Enable to always override the installed plugins with the values of 'controller.installPlugins' on upgrade or redeployment. # overwritePlugins: true 
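Review bot: Every controller restart will re-run the plugin download once `initializeOnce` is `false`, per the chart comment directly above the changed line, so an eviction, node drain or OOM kill now makes start-up depend on reaching the update center through the SDF proxy and pulls in whatever transitive-dependency resolution applies at that moment. If the intent is only to get the bumped versions in this patch onto the existing PVC, the chart's documented route is `initializeOnce: true` together with `overwritePlugins: true` (commented out two lines below), which re-applies the pinned list on upgrade without re-fetching on every restart; worth confirming against the chart version in use. Whichever is chosen, `installLatestPlugins` (not visible here) should be `false` so the pins in `installPlugins` and `additionalPlugins` are honoured rather than floated.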
@@ -512,6 +522,7 @@ controller: enableRawHtmlMarkupFormatter: false # Used to approve a list of groovy functions in pipelines used the script-security plugin. Can be viewed under /scriptApproval scriptApproval: + - "method java.nio.file.Path getFileName" - "method groovy.json.JsonBuilder toPrettyString" - "method groovy.json.JsonSlurperClassic parseText java.lang.String" - "method groovy.lang.GString getBytes" @@ -540,6 +551,7 @@ controller: - "new java.lang.Throwable" - "staticMethod java.lang.Thread sleep long" - "staticMethod java.net.URLEncoder encode java.lang.String" + - "staticMethod java.nio.file.Path of java.lang.String java.lang.String[]" - "staticMethod java.security.MessageDigest getInstance java.lang.String" - "staticMethod java.time.Instant now" - "staticMethod java.time.Instant ofEpochMilli long" @@ -759,7 +771,8 @@ controller: privateKey: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/private_key}" scope: GLOBAL username: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/username}" - - basicSSHUserPrivateKey: + + - basicSSHUserPrivateKey: description: "SQRE OSX build agents" id: "sqre-osx" privateKeySource: @@ -767,6 +780,16 @@ controller: privateKey: "${secret/rubin/rubin-jenkins-control-dev/sqre-osx/private_key}" scope: GLOBAL username: "${secret/rubin/rubin-jenkins-control-dev/sqre-osx/username}" + + # - basicSSHUserPrivateKey: + # description: "SQRE OSX build agents" + # id: "sqre-osx" + # privateKeySource: + # directEntry: + # privateKey: "${secret/rubin/rubin-jenkins-control/sqre-osx/private_key}" + # scope: GLOBAL + # username: "${secret/rubin/rubin-jenkins-control/sqre-osx/username}" + - usernamePassword: description: "push conda packages -> s3" id: "aws-cmirror-push" 
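Review bot: Two credentials with `id: "sqre-osx"` in the same global scope would exist if the new commented-out `basicSSHUserPrivateKey` block is ever uncommented, and the second one points at the non-`-dev` path `secret/rubin/rubin-jenkins-control/sqre-osx`, so the dev controller would start consuming what by naming looks like the production agent key. Delete the block rather than leaving it as a template, and if a second key is ever needed give it a distinct id such as `sqre-osx-prod` and its own Vault path under the dev tree. The two new `scriptApproval` entries, `Path.of` and `Path.getFileName`, only construct path values and do not by themselves grant file access from sandboxed pipelines, so those look fine.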
@@ -812,7 +835,7 @@ controller: add-seed-job: | jobs: - - url: https://raw.githubusercontent.com/lsst-dm/jenkins-dm-jobs/main/seeds/seed-jobs.groovy + - url: https://raw.githubusercontent.com/lsst-dm/jenkins-dm-jobs/main/seeds/sqre/seed-jobs.groovy security: globaljobdslsecurityconfiguration: useScriptSecurity: false 
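Review bot: Whatever is on `main` of `lsst-dm/jenkins-dm-jobs` at controller start-up runs as unsandboxed Groovy on the controller: the new URL fetches `seeds/sqre/seed-jobs.groovy` from a moving branch on `raw.githubusercontent.com`, and the surrounding context shows `useScriptSecurity: false`, so there is no approval step between a push to that branch (or a compromised GitHub token) and code execution on Jenkins. Pin the reference to an immutable revision and bump it deliberately, e.g. `- url: https://raw.githubusercontent.com/lsst-dm/jenkins-dm-jobs/<commit-sha>/seeds/sqre/seed-jobs.groovy`, with a comment above it noting that this URL is a remote-code trust anchor. If the branch must float, an alternative is a credentialed SCM checkout of the seed script with branch protection and required review on `main`.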
@@ -842,122 +865,116 @@ controller: numExecutors: 1 remoteFS: "/Users/squaredev/j" retentionStrategy: "always" - # Additional mac agents for prod jenkins - # - permanent: - # labelString: "osx osx-10.13 high_sierra" - # launcher: - # sSHLauncher: - # credentialsId: "sqre-osx" - # host: "mac2.lsst.cloud" - # launchTimeoutSeconds: 210 - # maxNumRetries: 0 - # port: 22 - # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" - # retryWaitTime: 15 - # sshHostKeyVerificationStrategy: - # manuallyTrustedKeyVerificationStrategy: - # requireInitialManualTrust: true - # mode: EXCLUSIVE - # name: "high_sierra-2" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" - # numExecutors: 1 - # remoteFS: "/Users/square/j" - # - permanent: - # labelString: "osx osx-10.14 mojave" - # launcher: - # sSHLauncher: - # credentialsId: "sqre-osx" - # host: "mac3.lsst.cloud" - # launchTimeoutSeconds: 210 - # maxNumRetries: 0 - # port: 22 - # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" - # retryWaitTime: 15 - # sshHostKeyVerificationStrategy: - # manuallyTrustedKeyVerificationStrategy: - # requireInitialManualTrust: true - # mode: EXCLUSIVE - # name: "mojave-1" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" - # numExecutors: 1 - # remoteFS: "/Users/square/j" - # - permanent: - # labelString: "osx osx-10.14 mojave" - # launcher: - # sSHLauncher: - # credentialsId: "sqre-osx" - # host: "mac4.lsst.cloud" - # launchTimeoutSeconds: 210 - # maxNumRetries: 0 - # port: 22 - # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" - # retryWaitTime: 15 - # sshHostKeyVerificationStrategy: - # manuallyTrustedKeyVerificationStrategy: - # requireInitialManualTrust: true - # mode: EXCLUSIVE - # name: "mojave-2" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" - # 
numExecutors: 1 - # remoteFS: "/Users/square/j" - # - permanent: - # labelString: "osx osx-10.14 mojave" - # launcher: - # sSHLauncher: - # credentialsId: "sqre-osx" - # host: "mac5.lsst.cloud" - # launchTimeoutSeconds: 210 - # maxNumRetries: 0 - # port: 22 - # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" - # retryWaitTime: 15 - # sshHostKeyVerificationStrategy: - # manuallyTrustedKeyVerificationStrategy: - # requireInitialManualTrust: true - # mode: EXCLUSIVE - # name: "mojave-3" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" - # numExecutors: 1 - # remoteFS: "/Users/square/j" - # - permanent: - # labelString: "osx osx-10.14 mojave" - # launcher: - # sSHLauncher: - # credentialsId: "sqre-osx" - # host: "mac6.lsst.cloud" - # launchTimeoutSeconds: 210 - # maxNumRetries: 0 - # port: 22 - # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" - # retryWaitTime: 15 - # sshHostKeyVerificationStrategy: - # manuallyTrustedKeyVerificationStrategy: - # requireInitialManualTrust: true - # mode: EXCLUSIVE - # name: "mojave-4" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" - # numExecutors: 1 - # remoteFS: "/Users/square/j" + - permanent: + labelString: "osx-12" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac2.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac2" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + numExecutors: 1 + remoteFS: "/Users/squaredev/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac3.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + 
retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac3" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + numExecutors: 1 + remoteFS: "/Users/squaredev/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac4.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac4" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + numExecutors: 1 + remoteFS: "/Users/squaredev/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac5.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac5" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + numExecutors: 1 + remoteFS: "/Users/squaredev/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac6.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac6" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + numExecutors: 1 + remoteFS: "/Users/squaredev/j" + retentionStrategy: "always" # Optionally specify additional init-containers customInitContainers: [] 
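Review bot: Host keys for `mac2`–`mac6.lsst.cloud` are now trusted on first use: all five new permanent agents set `requireInitialManualTrust: false` under `manuallyTrustedKeyVerificationStrategy`, where the previously commented-out definitions had `true`, so a DNS or network-level impersonator present at first contact gains a permanently trusted node that receives build workloads and every credential bound into them (the `sqre-osx` private key is not disclosed by SSH authentication, but everything a build does on the node is). Since these nodes are declared from CasC, the CasC-friendly fix is to pin each node's public host key with the ssh-slaves plugin's `manuallyProvidedKeyVerificationStrategy` (one `key:` per node, exact CasC spelling to be confirmed against the installed `ssh-slaves:1.29.4`), or to restore `requireInitialManualTrust: true` and trust each node once through the UI. The hunk ends on `customInitContainers: []`, so the enclosing `nodes:` list begins outside this hunk.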
@@ -1347,7 +1364,7 @@ persistence: ## A manually managed Persistent Volume and Claim ## Requires persistence.enabled: true ## If defined, PVC must be created manually before volume will be bound - existingClaim: + existingClaim: #"dev-jenkins" ## jenkins data Persistent Volume Storage Class ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables dynamic provisioning @@ -1355,11 +1372,12 @@ persistence: ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## - storageClass: - annotations: {} + storageClass: #"wekafs--sdf-k8s01" + annotations: +#volume.beta.kubernetes.io/storage-provisioner: csi.weka.io labels: {} accessMode: "ReadWriteOnce" - size: "8Gi" + size: "800Gi" volumes: # - name: nothing # emptyDir: {} From 070109793ca62769513fbc22c85880a138bce8fb Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Wed, 28 Feb 2024 10:14:49 +1100 Subject: [PATCH 15/29] Update values.yaml --- seeds/values.yaml | 608 +++++++++++++++++++++++++--------------------- 1 file changed, 327 insertions(+), 281 deletions(-) diff --git a/seeds/values.yaml b/seeds/values.yaml index f50ff162..082f718b 100644 --- a/seeds/values.yaml +++ b/seeds/values.yaml @@ -21,8 +21,8 @@ controller: # Used for label app.kubernetes.io/component componentName: "jenkins-controller" image: "jenkins/jenkins" - # tag: "2.346.3-jdk11" - tagLabel: jdk11 + tag: "2.426.3-lts-jdk11" + #tagLabel: jdk11 imagePullPolicy: "Always" imagePullSecretName: # Optionally configure lifetime for controller-container 
@@ -84,11 +84,16 @@ controller: # Environment variables that get added to the init container (useful for e.g. # http_proxy) initContainerEnv: - - name: CASC_VAULT_TOKEN + - name: CASC_VAULT_APPROLE valueFrom: secretKeyRef: - name: vault-token - key: VAULT_TOKEN + name: vault-approle + key: APPROLE_ID + - name: CASC_VAULT_APPROLE_SECRET + valueFrom: + secretKeyRef: + name: vault-approle + key: APPROLE_SECRET - name: CASC_VAULT_URL value: https://vault.slac.stanford.edu - name: CASC_VAULT_PATHS @@ -118,11 +123,21 @@ controller: # - name: http_proxy # value: "http://192.168.64.1:3128" containerEnv: - - name: CASC_VAULT_TOKEN + - name: CASC_VAULT_APPROLE valueFrom: secretKeyRef: - name: vault-token - key: VAULT_TOKEN + name: vault-approle + key: APPROLE_ID + - name: CASC_VAULT_APPROLE_SECRET + valueFrom: + secretKeyRef: + name: vault-approle + key: APPROLE_SECRET + #- name: CASC_VAULT_TOKEN + # valueFrom: + # secretKeyRef: + # name: vault-token2 + # key: VAULT_TOKEN - name: CASC_VAULT_URL value: https://vault.slac.stanford.edu - name: CASC_VAULT_PATHS @@ -231,8 +246,8 @@ controller: path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login' port: http periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 120 + timeoutSeconds: 10 + failureThreshold: 300 livenessProbe: failureThreshold: 5 httpGet: @@ -243,7 +258,7 @@ controller: # If Startup Probe is not supported on your Kubernetes cluster, you might # want to use "initialDelaySeconds" instead. # It delays the initial liveness probe while Jenkins is starting - initialDelaySeconds: 600 + initialDelaySeconds: 120 readinessProbe: failureThreshold: 3 httpGet: @@ -254,7 +269,7 @@ controller: # If Startup Probe is not supported on your Kubernetes cluster, you might # want to use "initialDelaySeconds" instead. # It delays the initial readyness probe while Jenkins is starting - initialDelaySeconds: 600 + initialDelaySeconds: 120 # PodDisruptionBudget config podDisruptionBudget: 
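Review bot: `CASC_VAULT_APPROLE_SECRET` is readable by anything running in the controller JVM once it is a plain environment variable of the main container, which in this file includes Job DSL seed scripts running with `useScriptSecurity: false`, and the controller lists its environment on the System Information page for administrators. That makes the AppRole secret_id a long-lived credential with much the same blast radius as the static token it replaces unless the role is constrained on the Vault side; at minimum set `secret_id_ttl` and `secret_id_num_uses` on the role, add `secret_id_bound_cidrs` covering the cluster's egress so a leaked value cannot be replayed from elsewhere, and rotate the `vault-approle` Secret whenever the controller is redeployed. The commented-out `vault-token2` block in the same hunk is dead configuration and can be removed.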
@@ -267,12 +282,11 @@ controller: # maxUnavailable: "0" agentListenerEnabled: true - agentListenerPort: 50000 + agentListenerPort: 20000 agentListenerHostPort: agentListenerNodePort: agentListenerExternalTrafficPolicy: agentListenerLoadBalancerSourceRanges: - - 0.0.0.0/0 disabledAgentProtocols: - JNLP-connect - JNLP2-connect @@ -286,11 +300,12 @@ controller: # Note if you set this to 'LoadBalancer', you *must* define annotations to secure it. By default # this will be an external load balancer and allowing inbound 0.0.0.0/0, a HUGE # security risk: https://github.com/kubernetes/charts/issues/1341 - agentListenerServiceType: "ClusterIP" + agentListenerServiceType: "LoadBalancer" # Optionally assign an IP to the LoadBalancer agentListenerService LoadBalancer # GKE users: only regional static IPs will work for Service Load balancer. agentListenerLoadBalancerIP: - agentListenerServiceAnnotations: {} + agentListenerServiceAnnotations: + metallb.universe.tf/address-pool: sdf-dmz # Example of 'LoadBalancer' type of agent listener with annotations securing it # agentListenerServiceType: LoadBalancer @@ -301,7 +316,7 @@ controller: # LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to # set allowed inbound rules on the security group assigned to the controller load balancer loadBalancerSourceRanges: - - 0.0.0.0/0 +# - 0.0.0.0/0 # Optionally assign a known public LB IP # loadBalancerIP: 1.2.3.4 # Optionally configure a JMX port 
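Review bot: The inbound agent port (20000 after the -267 hunk) is now exposed on a DMZ address with no source restriction: `agentListenerServiceType` goes from `"ClusterIP"` to `"LoadBalancer"` with only `metallb.universe.tf/address-pool: sdf-dmz` as an annotation, the chart's own comment two lines above warns that a LoadBalancer listener "must" be secured by annotations, an address-pool selector does not restrict sources, and `agentListenerLoadBalancerSourceRanges` is emptied in the same file rather than populated. Before this reaches production, list the CIDRs of the agents that actually dial in under `agentListenerLoadBalancerSourceRanges:` (the mac agents in this repo are SSH-launched outward by the controller, so the inbound users are presumably swarm or other non-SSH nodes) and confirm `disabledAgentProtocols` leaves only JNLP4 enabled; if every inbound agent lives in-cluster, keep `ClusterIP`. Commenting out `- 0.0.0.0/0` under `loadBalancerSourceRanges` in the -301 hunk does not restrict the controller Service either, since a null value simply omits the field.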
@@ -318,13 +333,13 @@ controller: # List of plugins to be install during Jenkins controller start installPlugins: - - kubernetes:3600.v144b_cd192ca_a_ - - workflow-aggregator:581.v0c46fa_697ffd - - job-dsl:1.78.3 - - blueocean:1.25.6 - - configuration-as-code:1511.vb_f985b_894e40 - - matrix-auth:3.1.5 - - hashicorp-vault-plugin:359.v2da_3b_45f17d5 + - kubernetes:4147.va_d406fb_66172 + - workflow-aggregator:596.v8c21c963d92d + - job-dsl:1.87 + - blueocean:1.27.9 + - configuration-as-code:1738.v2d8b_a_b_8a_54b_1 + - matrix-auth:3.1.9 + - hashicorp-vault-plugin:364.vf5d54b_3dc313 # Set to false to download the minimum required version of all dependencies. 
@@ -336,124 +351,156 @@ controller: # List of plugins to install in addition to those listed in controller.installPlugins additionalPlugins: #- ace-editor:1.1 - - antisamy-markup-formatter:1.5 - #- apache-httpcomponents-client-4-api:4.5.13-138.v4e7d9a_7b_a_e61 - - async-http-client:1.9.40.0 - #- authentication-tokens:1.4 - #- blueocean-autofavorite:1.2.5 - #- blueocean-bitbucket-pipeline:1.25.6 - #- blueocean-commons:1.25.6 - #- blueocean-config:1.25.6 - #- blueocean-core-js:1.25.6 - #- blueocean-dashboard:1.25.6 - #- blueocean-display-url:2.4.1 - #- blueocean-events:1.25.6 - #- blueocean-github-pipeline:1.25.6 - #- blueocean-git-pipeline:1.25.6 - #- blueocean-i18n:1.25.6 - #- blueocean-personalization:1.25.6 - #- blueocean-pipeline-api-impl:1.25.6 - #- blueocean-pipeline-editor:1.25.6 - #- blueocean-pipeline-scm-api:1.25.6 - #- blueocean-rest:1.25.6 - #- blueocean-rest-impl:1.25.6 - #- blueocean-web:1.25.6 - #- bootstrap5-api:5.2.0-1 - #- branch-api:2.1046.v0ca_37783ecc5 - - build-timeout:1.21 - - build-user-vars-plugin:1.8 - - checks-api:1.7.5 - - command-launcher:84.v4a_97f2027398 - - copyartifact:1.47 - - display-url-api:2.3.6 - #- docker-commons:1.19 - - dockerhub-notification:2.6.0 - - docker-workflow:563.vd5d2e5c4007f - - durable-task:500.v8927d9fd99d8 - - echarts-api:5.3.3-1 - - envinject:2.875.v9b_9e962da_a_ec + - antisamy-markup-formatter:162.v0e6ec0fcfcf6 + - apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 +#depreciated - async-http-client:1.9.40.0 + - authentication-tokens:1.53.v1c90fd9191a_b_ + - blueocean-autofavorite:1.2.5 + - blueocean-bitbucket-pipeline:1.27.9 + - blueocean-commons:1.27.9 + - blueocean-config:1.27.9 + - blueocean-core-js:1.27.9 + - blueocean-dashboard:1.27.9 + - blueocean-display-url:2.4.2 + - blueocean-events:1.27.9 + - blueocean-github-pipeline:1.27.9 + - blueocean-git-pipeline:1.27.9 + - blueocean-i18n:1.27.9 + - blueocean-jwt:1.27.9 + - blueocean-personalization:1.27.9 + - blueocean-pipeline-api-impl:1.27.9 + - 
blueocean-pipeline-editor:1.27.9 + - blueocean-pipeline-scm-api:1.27.9 + - blueocean-rest:1.27.9 + - blueocean-rest-impl:1.27.9 + - blueocean-web:1.27.9 + - bootstrap5-api:5.3.2-3 + - bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9 + - branch-api:2.1135.v8de8e7899051 + - build-timeout:1.32 + - build-user-vars-plugin:1.9 + - caffeine-api:3.1.8-133.v17b_1ff2e0599 + - checks-api:2.0.2 + - cloudbees-bitbucket-branch-source:856.v04c46c86f911 + - cloudbees-folder:6.858.v898218f3609d + - command-launcher:107.v773860566e2e + - commons-lang3-api:3.13.0-62.v7d18e55f51e2 + - commons-text-api:1.11.0-94.v3e1f4a_926e49 + - copyartifact:722.v0662a_9b_e22a_c + - credentials:1309.v8835d63eb_d8a_ + - credentials-binding:642.v737c34dea_6c2 + - data-tables-api:1.13.8-1 + - display-url-api:2.200.vb_9327d658781 + - docker-commons:439.va_3cb_0a_6a_fb_29 + - dockerhub-notification:2.7.1 + - docker-workflow:572.v950f58993843 + - durable-task:523.va_a_22cf15d5e0 + - echarts-api:5.4.3-1 + - envinject:2.908.v66a_774b_31d93 - envinject-api:1.199.v3ce31253ed13 - - external-monitor-job:1.7 - - favorite:2.4.1 - - font-awesome-api:6.1.2-1 - #- github:1.34.5 - - github-api:1.303-400.v35c2d8258028 - - github-branch-source:1677.v731f745ea_0cf - - github-oauth:0.39 - - git-server:1.7 - - greenballs:1.15.1 - - groovy:442.v817e6d937d6c - - handlebars:1.1.1 + - external-monitor-job:215.v2e88e894db_f8 + - favorite:2.4.3 + - font-awesome-api:6.4.2-1 + - git:5.2.1 + - git-client:4.5.0 + - github:1.37.3.1 + - github-api:1.316-451.v15738eef3414 + - github-branch-source:1751.v90e17c48a_6a_c + - github-oauth:597.ve0c3480fcb_d0 + - git-server:99.va_0826a_b_cdfa_d +#depreciated - greenballs:1.15.1 + - groovy:457.v99900cb_85593 +#depreciated - handlebars:3.0.8 - handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 - - htmlpublisher:1.30 - - icon-shim:2.0.3 - #- jackson2-api:2.13.3-285.vc03c0256d517 - - jakarta-activation-api:2.0.1-1 - - jakarta-mail-api:2.0.1-1 - - javadoc:1.5 - - javax-activation-api:1.2.0-4 - - 
javax-mail-api:1.6.2-7 - - jaxb:2.3.6-1 - - jdk-tool:55.v1b_32b_6ca_f9ca - - jenkins-design-language:1.25.6 - - jira:3.0.5 + - htmlpublisher:1.32 +#depreciated - icon-shim:3.0.0 + - instance-identity:185.v303dc7c645f9 + - ionicons-api:56.v1b_1c8c49374e + - jackson2-api:2.15.3-372.v309620682326 + - jakarta-activation-api:2.0.1-3 + - jakarta-mail-api:2.0.1-3 + - javadoc:243.vb_b_503b_b_45537 + - javax-activation-api:1.2.0-6 + - javax-mail-api:1.6.2-9 + - jaxb:2.3.9-1 + - jdk-tool:73.vddf737284550 + - jenkins-design-language:1.27.9 + - jersey2-api:2.41-133.va_03323b_a_1396 + - jira:3.11 - jjwt-api:0.11.5-77.v646c772fddb_0 - #- jquery:1.12.4-0 - - jquery-detached:1.2.1 - - jquery3-api:3.6.0-4 - - junit:1119.1121.vc43d0fc45561 - - kubernetes-client-api:5.12.2-193.v26a_6078f65a_9 - - kubernetes-credentials:0.9.0 - - lockable-resources:2.5 - - mercurial:2.5 - #- mina-sshd-api-common:2.8.0-36.v8e25ce90d4b_1 - #- mina-sshd-api-core:2.8.0-36.v8e25ce90d4b_1 - #- momentjs:1.1.1 - - multiple-scms:0.6 - - nodelabelparameter:1.7.2 - - parameterized-trigger:2.45 - - pipeline-build-step:2.18 - - pipeline-graph-analysis:195.v5812d95a_a_2f9 - - pipeline-groovy-lib:612.v84da_9c54906d - - pipeline-input-step:449.v77f0e8b_845c4 - - pipeline-milestone-step:101.vd572fef9d926 - - pipeline-model-api:2.2114.v2654ca_721309 - - pipeline-model-declarative-agent:1.1.1 - - pipeline-model-definition:2.2114.v2654ca_721309 - - pipeline-model-extensions:2.2114.v2654ca_721309 - - pipeline-rest-api:2.10 - - pipeline-stage-step:293.v200037eefcd5 - - pipeline-stage-tags-metadata:2.2114.v2654ca_721309 - - pipeline-stage-view:2.10 - - pipeline-utility-steps:2.3.0 - - plain-credentials:139.ved2b_9cf7587b - - plugin-util-api:2.17.0 - - popper2-api:2.11.5-2 - - postbuildscript:3.1.0-375.v3db_cd92485e1 - - pubsub-light:1.16 - - purge-build-queue-plugin:48.v39c52a_26a_264 - - rebuild:1.34 - - run-condition:1.2 - - saferestart:0.3 - - ssh-agent:1.17 - #- sshd:3.242.va_db_9da_b_26a_c3 + - jquery:1.12.4-1 
+#depreciated - jquery-detached:1.2.1 + - jquery3-api:3.7.1-1 + - jsch:0.2.8-65.v052c39de79b_2 + - junit:1240.vf9529b_881428 + - kubernetes-client-api:6.8.1-224.vd388fca_4db_3b_ + - kubernetes-credentials:0.11 + - lockable-resources:1185.v0c528656ce04 + - log-parser:2.3.1 + - mailer:463.vedf8358e006b_ + - matrix-project:818.v7eb_e657db_924 + - mercurial:1260.vdfb_723cdcc81 + - mina-sshd-api-common:2.11.0-86.v836f585d47fa_ + - mina-sshd-api-core:2.11.0-86.v836f585d47fa_ + - metrics:4.2.18-442.v02e107157925 +#depreciated - momentjs:1.1.1 +#depreciated - need alternative? - multiple-scms:0.8 + - nodelabelparameter:1.12.0 + - okhttp-api:4.11.0-157.v6852a_a_fa_ec11 + - parameterized-trigger:787.v665fcf2a_830b_ + - pipeline-build-step:516.v8ee60a_81c5b_9 + - pipeline-graph-analysis:202.va_d268e64deb_3 + - pipeline-groovy-lib:689.veec561a_dee13 + - pipeline-input-step:477.v339683a_8d55e + - pipeline-milestone-step:111.v449306f708b_7 + - pipeline-model-api:2.2151.ve32c9d209a_3f +#depreciated - pipeline-model-declarative-agent:1.1.1 + - pipeline-model-definition:2.2151.ve32c9d209a_3f + - pipeline-model-extensions:2.2151.ve32c9d209a_3f + - pipeline-rest-api:2.34 + - pipeline-stage-step:305.ve96d0205c1c6 + - pipeline-stage-tags-metadata:2.2151.ve32c9d209a_3f + - pipeline-stage-view:2.34 + - pipeline-utility-steps:2.16.0 + - plain-credentials:143.v1b_df8b_d3b_e48 + - plugin-util-api:3.6.0 + - popper2-api:2.11.6-4 #depreciated but needed for bootstrap5-api + - postbuildscript:3.2.0-550.v88192b_d3e922 + - pubsub-light:1.18 + - purge-build-queue-plugin:88.v23b_97b_f2c7a_d + - rebuild:330.v645b_7df10e2a_ + - run-condition:1.7 + - saferestart:0.7 + - scm-api:683.vb_16722fb_b_80b_ + - script-security:1281.v22fb_899df1a_e + - snakeyaml-api:2.2-111.vc6598e30cc65 + - sse-gateway:1.26 + - ssh-agent:346.vda_a_c4f2c8e50 + - ssh-credentials:308.ve4497b_ccd8f4 + - sshd:3.312.v1c601b_c83b_0e - ssh-slaves:1.29.4 - - swarm:3.34 - #- trilead-api:1.67.vc3938a_35172f - - variant:59.vf075fe829ccb 
- - windows-slaves:1.4 - - workflow-api:1192.v2d0deb_19d212 - - workflow-basic-steps:991.v43d80fea_ff66 - - workflow-cps:2759.v87459c4eea_ca_ - - workflow-cps-global-lib:2.13 - - workflow-durable-task-step:1199.v02b_9244f8064 - - workflow-job:1207.ve6191ff089f8 - - workflow-multibranch:716.vc692a_e52371b_ + - structs:325.vcb_307d2a_2782 + - swarm:3.41 + - token-macro:384.vf35b_f26814ec + - trilead-api:2.84.v72119de229b_7 + - variant:60.v7290fc0eb_b_cd +#depreciated - windows-slaves:1.8.1 need to find alternative? + - workflow-api:1283.v99c10937efcb_ + - workflow-basic-steps:1042.ve7b_140c4a_e0c + - workflow-cps:3806.va_3a_6988277b_2 +#depreciated - workflow-cps-global-lib:609.vd95673f149b_b + - workflow-durable-task-step:1289.v4d3e7b_01546b_ + - workflow-job:1360.vc6700e3136f5 + - workflow-multibranch:756.v891d88f2cd46 + - workflow-scm-step:415.v434365564324 + - workflow-step-api:639.v6eca_cd8c04a_a_ + - workflow-support:865.v43e78cc44e0d + # Enable to initialize the Jenkins controller only once on initial installation. # Without this, whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates which has the potential to cause breakage. # Note that for this to work, `persistence.enabled` needs to be set to `true` - initializeOnce: true + initializeOnce: false # Enable to always override the installed plugins with the values of 'controller.installPlugins' on upgrade or redeployment. # overwritePlugins: true @@ -469,6 +516,7 @@ controller: enableRawHtmlMarkupFormatter: false # Used to approve a list of groovy functions in pipelines used the script-security plugin. Can be viewed under /scriptApproval scriptApproval: + - "method java.nio.file.Path getFileName" - "method groovy.json.JsonBuilder toPrettyString" - "method groovy.json.JsonSlurperClassic parseText java.lang.String" - "method groovy.lang.GString getBytes" 
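Review bot: The new script-security approval `- "method java.nio.file.Path getFileName"` (and `- "staticMethod java.nio.file.Path of java.lang.String java.lang.String[]"` in the `@@ -497,6 +545,7 @@` hunk) is added without saying which pipeline needs it, and this allowlist only ever grows. Neither signature performs I/O on its own, but each entry permanently widens what sandboxed Jenkinsfiles may call, so a trailing comment naming the consumer, e.g. `- "method java.nio.file.Path getFileName"  # needed by <job name>`, makes later pruning possible. The `scriptApproval` list continues past both hunks.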
@@ -497,6 +545,7 @@ controller: - "new java.lang.Throwable" - "staticMethod java.lang.Thread sleep long" - "staticMethod java.net.URLEncoder encode java.lang.String" + - "staticMethod java.nio.file.Path of java.lang.String java.lang.String[]" - "staticMethod java.security.MessageDigest getInstance java.lang.String" - "staticMethod java.time.Instant now" - "staticMethod java.time.Instant ofEpochMilli long" @@ -552,10 +601,10 @@ controller: # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each | # become the content of the configuration yaml file. The first line after this is a JCasC root element, eg jenkins, credentials, - # etc. Best reference is https:///configuration-as-code/reference. The example below creates a welcome message: - JCasC: + # etc. Best reference is https:///configuration-as-code/reference. + JCasC: defaultConfig: true - # Ignored if securityRealm is defined in controller.JCasC.configScripts and + # Ignored if securityRealm is defined in controller.JCasC.configScripts securityRealm: |- #local: # allowsSignup: false @@ -570,7 +619,8 @@ controller: clientID: "${secret/rubin/rubin-jenkins-control/github-oauth/client-id}" clientSecret: "${secret/rubin/rubin-jenkins-control/github-oauth/client-secret}" oauthScopes: "read:org" - authorizationStrategy: |- + # Uses matrix-auth plugin to configure user and group permissions + authorizationStrategy: |- globalMatrix: permissions: - "USER:Agent/Connect:sqre-user" @@ -596,6 +646,7 @@ controller: - "USER:Overall/Administer:frossie" - "USER:Overall/Administer:jhoblitt" - "USER:Overall/Administer:ktlim" + - "USER:Overall/Administer:aranabhat" - "GROUP:Overall/Administer:lsst-sqre*leeroy-wranglers" - "GROUP:Overall/Administer:lsst-sqre*square" - "USER:Overall/Administer:mwittgen" 
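Review bot: `- "USER:Overall/Administer:aranabhat"` grants a single named account full administrator rights although the same matrix already carries `GROUP:Overall/Administer:lsst-sqre*leeroy-wranglers` and `GROUP:Overall/Administer:lsst-sqre*square`. The realm appears to be GitHub OAuth (the `clientID`/`clientSecret` lines in the `@@ -570,7 +619,8 @@` hunk), so adding the person to one of those teams would give the same access while keeping offboarding in one place; if a per-user entry is really required, a comment next to it recording why would help the next reviewer. The `permissions` list continues outside this hunk.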
@@ -767,151 +818,146 @@ controller: add-seed-job: | jobs: - - url: https://raw.githubusercontent.com/lsst-dm/jenkins-dm-jobs/update-gradle/seeds/seed-jobs.groovy + - url: https://raw.githubusercontent.com/lsst-dm/jenkins-dm-jobs/main/seeds/sqre/seed-jobs.groovy security: globaljobdslsecurityconfiguration: useScriptSecurity: false - #permanent-nodes: | - # jenkins: - # nodes: - # - permanent: - # labelString: "osx osx-10.13 high_sierra" - # launcher: - # sSHLauncher: - # credentialsId: "sqre-osx" - # host: "mac1.lsst.cloud" - # launchTimeoutSeconds: 210 - # maxNumRetries: 0 - # port: 22 - # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" - # retryWaitTime: 15 - # sshHostKeyVerificationStrategy: - # manuallyTrustedKeyVerificationStrategy: - # requireInitialManualTrust: true - # mode: EXCLUSIVE - # name: "high_sierra-1" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" - # numExecutors: 1 - # remoteFS: "/Users/square/j" - # - permanent: - # labelString: "osx osx-10.13 high_sierra" - # launcher: - # sSHLauncher: - # credentialsId: "sqre-osx" - # host: "mac2.lsst.cloud" - # launchTimeoutSeconds: 210 - # maxNumRetries: 0 - # port: 22 - # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" - # retryWaitTime: 15 - # sshHostKeyVerificationStrategy: - # manuallyTrustedKeyVerificationStrategy: - # requireInitialManualTrust: true - # mode: EXCLUSIVE - # name: "high_sierra-2" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" - # numExecutors: 1 - # remoteFS: "/Users/square/j" - # - permanent: - # labelString: "osx osx-10.14 mojave" - # launcher: - # sSHLauncher: - # credentialsId: "sqre-osx" - # host: "mac3.lsst.cloud" - # launchTimeoutSeconds: 210 - # maxNumRetries: 0 - # port: 22 - # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" - # retryWaitTime: 15 - # 
sshHostKeyVerificationStrategy: - # manuallyTrustedKeyVerificationStrategy: - # requireInitialManualTrust: true - # mode: EXCLUSIVE - # name: "mojave-1" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" - # numExecutors: 1 - # remoteFS: "/Users/square/j" - # - permanent: - # labelString: "osx osx-10.14 mojave" - # launcher: - # sSHLauncher: - # credentialsId: "sqre-osx" - # host: "mac4.lsst.cloud" - # launchTimeoutSeconds: 210 - # maxNumRetries: 0 - # port: 22 - # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" - # retryWaitTime: 15 - # sshHostKeyVerificationStrategy: - # manuallyTrustedKeyVerificationStrategy: - # requireInitialManualTrust: true - # mode: EXCLUSIVE - # name: "mojave-2" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" - # numExecutors: 1 - # remoteFS: "/Users/square/j" - # - permanent: - # labelString: "osx osx-10.14 mojave" - # launcher: - # sSHLauncher: - # credentialsId: "sqre-osx" - # host: "mac5.lsst.cloud" - # launchTimeoutSeconds: 210 - # maxNumRetries: 0 - # port: 22 - # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" - # retryWaitTime: 15 - # sshHostKeyVerificationStrategy: - # manuallyTrustedKeyVerificationStrategy: - # requireInitialManualTrust: true - # mode: EXCLUSIVE - # name: "mojave-3" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" - # numExecutors: 1 - # remoteFS: "/Users/square/j" - # - permanent: - # labelString: "osx osx-10.14 mojave" - # launcher: - # sSHLauncher: - # credentialsId: "sqre-osx" - # host: "mac6.lsst.cloud" - # launchTimeoutSeconds: 210 - # maxNumRetries: 0 - # port: 22 - # prefixStartSlaveCmd: "export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin;" - # retryWaitTime: 15 - # sshHostKeyVerificationStrategy: - # manuallyTrustedKeyVerificationStrategy: - # requireInitialManualTrust: true - # mode: 
EXCLUSIVE - # name: "mojave-4" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" - # numExecutors: 1 - # remoteFS: "/Users/square/j" + # Connects mac agents to jenkins controller + permanent-nodes: | + jenkins: + nodes: + - permanent: + labelString: "osx-12" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac1.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac1" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + numExecutors: 1 + remoteFS: "/Users/square/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-12" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac2.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac2" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + numExecutors: 1 + remoteFS: "/Users/square/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac3.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac3" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + numExecutors: 1 + remoteFS: "/Users/square/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac4.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + 
sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac4" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + numExecutors: 1 + remoteFS: "/Users/square/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac5.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac5" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + numExecutors: 1 + remoteFS: "/Users/square/j" + retentionStrategy: "always" + - permanent: + labelString: "osx-13" + launcher: + sSHLauncher: + credentialsId: "sqre-osx" + host: "mac6.lsst.cloud" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + name: "mac6" + # nodeProperties: + # - envVars: + # env: + # - key: "PATH+LOCAL_BIN" + # value: "/usr/local/bin" + numExecutors: 1 + remoteFS: "/Users/square/j" + retentionStrategy: "always" # Optionally specify additional init-containers customInitContainers: [] @@ -1313,7 +1359,7 @@ persistence: annotations: {} labels: {} accessMode: "ReadWriteOnce" - size: "8Gi" + size: "800Gi" volumes: # - name: nothing # emptyDir: {} From 9fd403fa2eadcb08b69cda51b1cc8f70c93ef269 Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Tue, 2 Apr 2024 08:52:06 +1100 Subject: [PATCH 16/29] Create .yamllint.yaml --- seeds/.yamllint.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 seeds/.yamllint.yaml diff --git a/seeds/.yamllint.yaml b/seeds/.yamllint.yaml new file mode 100644 index 00000000..acf70dee --- /dev/null 
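Review bot: All six new `permanent` nodes set `requireInitialManualTrust: false` under `manuallyTrustedKeyVerificationStrategy`, whereas the commented-out configuration this hunk replaces had `true`. With `false` the controller accepts whatever host key it sees on the first SSH connection to `mac1.lsst.cloud` through `mac6.lsst.cloud`, so anything answering in place of an agent at that moment is trusted from then on and receives the job workspace and any credentials bound into builds; changing each node to `requireInitialManualTrust: true` (or supplying the known keys via `manuallyProvidedKeyVerificationStrategy`) restores the check. The `# Connects mac agents to jenkins controller` comment could also say where the agents' host keys are verified so an operator knows what to do on first connect.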
+++ b/seeds/.yamllint.yaml @@ -0,0 +1,9 @@ +extends: default +rules: + document-start: {present: false} + line-length: + max: 132 + allow-non-breakable-words: true + allow-non-breakable-inline-mappings: true + indentation: + indent-sequences: consistent From c309970ad52891b8326aa5ffa021b3d5577a1bd0 Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Tue, 2 Apr 2024 08:53:27 +1100 Subject: [PATCH 17/29] Update dev-values.yaml --- seeds/dev-values.yaml | 429 ++++++++++++++++++++++++------------------ 1 file changed, 243 insertions(+), 186 deletions(-) diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml index 67c522ad..dada89ca 100644 --- a/seeds/dev-values.yaml +++ b/seeds/dev-values.yaml @@ -20,16 +20,23 @@ renderHelmLabels: true controller: # Used for label app.kubernetes.io/component componentName: "jenkins-controller" - image: "jenkins/jenkins" - tag: "2.426.3-lts-jdk11" - #tagLabel: jdk11 - imagePullPolicy: "Always" + image: + registry: "docker.io" + repository: "jenkins/jenkins" + tag: "2.440.2-lts-jdk21" + #tagLabel: jdk11 + pullPolicy: "Always" imagePullSecretName: # Optionally configure lifetime for controller-container lifecycle: postStart: exec: - command: [ "/bin/sh", "-c", "echo 'handlers = java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.level = ALL\n.level= ALL' > /var/jenkins_home/logging.properties" ] + command: + [ + "/bin/sh", + "-c", + "echo 'handlers = java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.level = ALL\n.level= ALL' > /var/jenkins_home/logging.properties", + ] disableRememberMe: false numExecutors: 0 # configures the executor mode of the Jenkins node. Possible values are: NORMAL or EXCLUSIVE 
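Review bot: The three rule overrides carry no rationale, so the next person running yamllint cannot tell whether `document-start: {present: false}` and `max: 132` are deliberate or leftovers. A comment above each, e.g. `# Helm values files are single-document; no leading --- wanted` and one giving the reason 132 was chosen, would record that. Note that `extends: default` keeps the `comments` rule, which wants a space after `#`, so lines like `#depreciated - greenballs:1.15.1` in dev-values.yaml will keep warning until written as `# deprecated - greenballs:1.15.1`.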
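Review bot: The commented `#tagLabel: jdk11` is kept beside the new `tag: "2.440.2-lts-jdk21"`, so the comment now contradicts the value it sits next to; either drop it or update it to `#tagLabel: jdk21`. Separately, `pullPolicy: "Always"` combined with a mutable tag means every pod restart re-resolves the image from `docker.io`, so what runs can change without a change to this file; if the chart accepts an image digest, pinning one would make the deployed controller reproducible. The `controller:` mapping continues outside this hunk.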
@@ -39,18 +46,19 @@ controller: customJenkinsLabels: [] # The default configuration uses this secret to configure an admin user # If you don't need that user or use a different security realm then you can disable it - adminSecret: true hostNetworking: false # When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist. # If you disable the non-Jenkins identity store and instead use the Jenkins internal one, # you should revert controller.adminUser to your preferred admin user: - adminUser: "admin" + # adminPassword: admin: existingSecret: "" userKey: jenkins-admin-user passwordKey: jenkins-admin-password + createSecret: true + username: "admin" # This values should not be changed unless you use your custom image of # jenkins or any devired from. If you want to use Cloudbees Jenkins # Distribution docker, you should set jenkinsHome: 
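Review bot: The context comment `you should revert controller.adminUser to your preferred admin user` now refers to a key this hunk deletes (`adminUser: "admin"` goes, the value moves to `admin.username`), so it should read `you should revert controller.admin.username to your preferred admin user`. The bare `# adminPassword:` line left above `admin:` says nothing about where the password comes from; with `createSecret: true` and an empty `existingSecret` the chart presumably generates it, and a comment stating that (and that `passwordKey: jenkins-admin-password` is where to read it back) would be clearer than an orphaned key name. The `controller:` mapping continues outside this hunk.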
@@ -84,43 +92,44 @@ controller: # Environment variables that get added to the init container (useful for e.g. # http_proxy) initContainerEnv: - # - name: CASC_VAULT_TOKEN - # valueFrom: - # secretKeyRef: - # name: vault-token - # key: VAULT_TOKEN + # - name: CASC_VAULT_TOKEN + # valueFrom: + # secretKeyRef: + # name: vault-token + # key: VAULT_TOKEN - - name: CASC_VAULT_APPROLE - valueFrom: - secretKeyRef: - name: vault-approle - key: APPROLE_ID - - name: CASC_VAULT_APPROLE_SECRET - valueFrom: - secretKeyRef: - name: vault-approle - key: APPROLE_SECRET - - name: CASC_VAULT_URL - value: https://vault.slac.stanford.edu - - name: CASC_VAULT_PATHS - value: secret/rubin/rubin-jenkins-control-dev/common,secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control-dev/aws-eups-push,secret/rubin/rubin-jenkins-control-dev/aws-eups-backup,secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push,secret/rubin/rubin-jenkins-control-dev/slack-lsstc-token,secret/rubin/rubin-jenkins-control-dev/ghslacker,secret/rubin/rubin-jenkins-control-dev/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control-dev/sqre-osx,secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push,secret/rubin/rubin-jenkins-control-dev/github_backup,secret/rubin/rubin-jenkins-control-dev/squash-api-user,secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws,secret/rubin/rubin-jenkins-control-dev/ltd-keeper,secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa,secret/rubin/rubin-jenkins-control-dev/github-oauth,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control-dev/sqre-osx-dev - - name: HTTP_PROXY - value: http://sdfproxy.sdf.slac.stanford.edu:3128 - - name: HTTPS_PROXY - value: http://sdfproxy.sdf.slac.stanford.edu:3128 - - name: http_proxy - value: 
http://sdfproxy.sdf.slac.stanford.edu:3128 - - name: https_proxy - value: http://sdfproxy.sdf.slac.stanford.edu:3128 - - name: no_proxy - value: '*.slac.stanford.edu' - - name: NO_PROXY - value: '*.slac.stanford.edu' - - name: JAVA_TOOL_OPTIONS - value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles" - #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties" - - name: TZ - value: America/Los_Angeles + - name: CASC_VAULT_APPROLE + valueFrom: + secretKeyRef: + name: vault-approle + key: APPROLE_ID + - name: CASC_VAULT_APPROLE_SECRET + valueFrom: + secretKeyRef: + name: vault-approle + key: APPROLE_SECRET + - name: CASC_VAULT_URL + value: https://vault.slac.stanford.edu + - name: CASC_VAULT_PATHS + value: 
secret/rubin/rubin-jenkins-control-dev/common,secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control-dev/aws-eups-push,secret/rubin/rubin-jenkins-control-dev/aws-eups-backup,secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push,secret/rubin/rubin-jenkins-control-dev/slack-lsstc-token,secret/rubin/rubin-jenkins-control-dev/ghslacker,secret/rubin/rubin-jenkins-control-dev/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control-dev/sqre-osx,secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push,secret/rubin/rubin-jenkins-control-dev/github_backup,secret/rubin/rubin-jenkins-control-dev/squash-api-user,secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws,secret/rubin/rubin-jenkins-control-dev/ltd-keeper,secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa,secret/rubin/rubin-jenkins-control-dev/github-oauth,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control-dev/sqre-osx-dev,secret/rubin/rubin-jenkins-control-dev/sqre-mini + - name: HTTP_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: HTTPS_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: http_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: https_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: no_proxy + value: "*.slac.stanford.edu" + - name: NO_PROXY + value: "*.slac.stanford.edu" + - name: JAVA_TOOL_OPTIONS + value: + "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles" + #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' 
-Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties" + - name: TZ + value: America/Los_Angeles #- name: VAULT_TOKEN_LEASE_DURATION # valueFrom: # secretKeyRef: 
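Review bot: The new `CASC_VAULT_PATHS` value for this development instance still contains the production path `secret/rubin/rubin-jenkins-control/sqre-osx` among the `rubin-jenkins-control-dev/...` entries, which gives the dev controller read access to a production credential; if that is intentional a comment beside the line saying so would stop it from being "fixed" later, otherwise it should be dropped. The same list is repeated verbatim under `containerEnv` in the `@@ -129,42 +138,43 @@` hunk, and both copies had to gain `sqre-mini` here; a comment on each, e.g. `# keep in sync with containerEnv CASC_VAULT_PATHS`, would flag that coupling. The `initContainerEnv` list may continue past this hunk.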
@@ -129,42 +138,43 @@ controller: # - name: http_proxy # value: "http://192.168.64.1:3128" containerEnv: - - name: CASC_VAULT_APPROLE - valueFrom: - secretKeyRef: - name: vault-approle - key: APPROLE_ID - - name: CASC_VAULT_APPROLE_SECRET - valueFrom: - secretKeyRef: - name: vault-approle - key: APPROLE_SECRET - #- name: CASC_VAULT_TOKEN - # valueFrom: - # secretKeyRef: - # name: vault-token2 - # key: VAULT_TOKEN - - name: CASC_VAULT_URL - value: https://vault.slac.stanford.edu - - name: CASC_VAULT_PATHS - value: secret/rubin/rubin-jenkins-control-dev/common,secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control-dev/aws-eups-push,secret/rubin/rubin-jenkins-control-dev/aws-eups-backup,secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push,secret/rubin/rubin-jenkins-control-dev/slack-lsstc-token,secret/rubin/rubin-jenkins-control-dev/ghslacker,secret/rubin/rubin-jenkins-control-dev/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control-dev/sqre-osx,secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push,secret/rubin/rubin-jenkins-control-dev/github_backup,secret/rubin/rubin-jenkins-control-dev/squash-api-user,secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws,secret/rubin/rubin-jenkins-control-dev/ltd-keeper,secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa,secret/rubin/rubin-jenkins-control-dev/github-oauth,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control-dev/sqre-osx-dev - - name: HTTP_PROXY - value: http://sdfproxy.sdf.slac.stanford.edu:3128 - - name: HTTPS_PROXY - value: http://sdfproxy.sdf.slac.stanford.edu:3128 - - name: http_proxy - value: http://sdfproxy.sdf.slac.stanford.edu:3128 - - name: https_proxy - value: http://sdfproxy.sdf.slac.stanford.edu:3128 - - name: no_proxy - value: 
'*.slac.stanford.edu' - - name: NO_PROXY - value: '*.slac.stanford.edu' - - name: TZ - value: America/Los_Angeles - - name: JAVA_TOOL_OPTIONS - value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles" - #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties" + - name: CASC_VAULT_APPROLE + valueFrom: + secretKeyRef: + name: vault-approle + key: APPROLE_ID + - name: CASC_VAULT_APPROLE_SECRET + valueFrom: + secretKeyRef: + name: vault-approle + key: APPROLE_SECRET + #- name: CASC_VAULT_TOKEN + # valueFrom: + # secretKeyRef: + # name: vault-token2 + # key: VAULT_TOKEN + - name: CASC_VAULT_URL + value: https://vault.slac.stanford.edu + - name: CASC_VAULT_PATHS + value: 
secret/rubin/rubin-jenkins-control-dev/common,secret/rubin/rubin-jenkins-control-dev/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control-dev/aws-eups-push,secret/rubin/rubin-jenkins-control-dev/aws-eups-backup,secret/rubin/rubin-jenkins-control-dev/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control-dev/aws-doxygen-push,secret/rubin/rubin-jenkins-control-dev/slack-lsstc-token,secret/rubin/rubin-jenkins-control-dev/ghslacker,secret/rubin/rubin-jenkins-control-dev/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control-dev/sqre-osx,secret/rubin/rubin-jenkins-control-dev/aws-cmirror-push,secret/rubin/rubin-jenkins-control-dev/github_backup,secret/rubin/rubin-jenkins-control-dev/squash-api-user,secret/rubin/rubin-jenkins-control-dev/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control-dev/ltd-mason-aws,secret/rubin/rubin-jenkins-control-dev/ltd-keeper,secret/rubin/rubin-jenkins-control-dev/google_archive_registry_sa,secret/rubin/rubin-jenkins-control-dev/github-oauth,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control-dev/sqre-osx-dev,secret/rubin/rubin-jenkins-control-dev/sqre-mini + - name: HTTP_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: HTTPS_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: http_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: https_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: no_proxy + value: "*.slac.stanford.edu" + - name: NO_PROXY + value: "*.slac.stanford.edu" + - name: TZ + value: America/Los_Angeles + - name: JAVA_TOOL_OPTIONS + value: + "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles" + #value: 
"-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties" #- name: VAULT_TOKEN_LEASE_DURATION # valueFrom: # secretKeyRef: @@ -310,7 +320,7 @@ controller: # Optionally assign an IP to the LoadBalancer agentListenerService LoadBalancer # GKE users: only regional static IPs will work for Service Load balancer. agentListenerLoadBalancerIP: - agentListenerServiceAnnotations: + agentListenerServiceAnnotations: metallb.universe.tf/address-pool: sdf-dmz # Example of 'LoadBalancer' type of agent listener with annotations securing it @@ -322,7 +332,7 @@ controller: # LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to # set allowed inbound rules on the security group assigned to the controller load balancer loadBalancerSourceRanges: -# - 0.0.0.0/0 + # - 0.0.0.0/0 # Optionally assign a known public LB IP # loadBalancerIP: 1.2.3.4 # Optionally configure a JMX port @@ -347,7 +357,6 @@ controller: - matrix-auth:3.1.9 - hashicorp-vault-plugin:364.vf5d54b_3dc313 - # Set to false to download the minimum required version of all dependencies. installLatestPlugins: false @@ -358,8 +367,8 @@ controller: additionalPlugins: #- ace-editor:1.1 - antisamy-markup-formatter:162.v0e6ec0fcfcf6 - - apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 -#depreciated - async-http-client:1.9.40.0 + - apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 + #depreciated - async-http-client:1.9.40.0 - authentication-tokens:1.53.v1c90fd9191a_b_ - blueocean-autofavorite:1.2.5 - blueocean-bitbucket-pipeline:1.27.9 
@@ -414,12 +423,12 @@ controller: - github-branch-source:1751.v90e17c48a_6a_c - github-oauth:597.ve0c3480fcb_d0 - git-server:99.va_0826a_b_cdfa_d -#depreciated - greenballs:1.15.1 + #depreciated - greenballs:1.15.1 - groovy:457.v99900cb_85593 -#depreciated - handlebars:3.0.8 + #depreciated - handlebars:3.0.8 - handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 - htmlpublisher:1.32 -#depreciated - icon-shim:3.0.0 + #depreciated - icon-shim:3.0.0 - instance-identity:185.v303dc7c645f9 - ionicons-api:56.v1b_1c8c49374e - jackson2-api:2.15.3-372.v309620682326 @@ -435,7 +444,7 @@ controller: - jira:3.11 - jjwt-api:0.11.5-77.v646c772fddb_0 - jquery:1.12.4-1 -#depreciated - jquery-detached:1.2.1 + #depreciated - jquery-detached:1.2.1 - jquery3-api:3.7.1-1 - jsch:0.2.8-65.v052c39de79b_2 - junit:1240.vf9529b_881428 @@ -449,8 +458,8 @@ controller: - mina-sshd-api-common:2.11.0-86.v836f585d47fa_ - mina-sshd-api-core:2.11.0-86.v836f585d47fa_ - metrics:4.2.18-442.v02e107157925 -#depreciated - momentjs:1.1.1 -#depreciated - need alternative? - multiple-scms:0.8 + #depreciated - momentjs:1.1.1 + #depreciated - need alternative? - multiple-scms:0.8 - nodelabelparameter:1.12.0 - okhttp-api:4.11.0-157.v6852a_a_fa_ec11 - parameterized-trigger:787.v665fcf2a_830b_ @@ -460,7 +469,7 @@ controller: - pipeline-input-step:477.v339683a_8d55e - pipeline-milestone-step:111.v449306f708b_7 - pipeline-model-api:2.2151.ve32c9d209a_3f -#depreciated - pipeline-model-declarative-agent:1.1.1 + #depreciated - pipeline-model-declarative-agent:1.1.1 - pipeline-model-definition:2.2151.ve32c9d209a_3f - pipeline-model-extensions:2.2151.ve32c9d209a_3f - pipeline-rest-api:2.34 @@ -482,7 +491,7 @@ controller: - snakeyaml-api:2.2-111.vc6598e30cc65 - sse-gateway:1.26 - ssh-agent:346.vda_a_c4f2c8e50 - - ssh-credentials:308.ve4497b_ccd8f4 + - ssh-credentials:308.ve4497b_ccd8f4 - sshd:3.312.v1c601b_c83b_0e - ssh-slaves:1.29.4 - structs:325.vcb_307d2a_2782 
@@ -490,11 +499,11 @@ controller: - token-macro:384.vf35b_f26814ec - trilead-api:2.84.v72119de229b_7 - variant:60.v7290fc0eb_b_cd -#depreciated - windows-slaves:1.8.1 need to find alternative? + #depreciated - windows-slaves:1.8.1 need to find alternative? - workflow-api:1283.v99c10937efcb_ - workflow-basic-steps:1042.ve7b_140c4a_e0c - workflow-cps:3806.va_3a_6988277b_2 -#depreciated - workflow-cps-global-lib:609.vd95673f149b_b + #depreciated - workflow-cps-global-lib:609.vd95673f149b_b - workflow-durable-task-step:1289.v4d3e7b_01546b_ - workflow-job:1360.vc6700e3136f5 - workflow-multibranch:756.v891d88f2cd46 @@ -502,7 +511,6 @@ controller: - workflow-step-api:639.v6eca_cd8c04a_a_ - workflow-support:865.v43e78cc44e0d - # Enable to initialize the Jenkins controller only once on initial installation. # Without this, whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates which has the potential to cause breakage. # Note that for this to work, `persistence.enabled` needs to be set to `true` @@ -567,7 +575,7 @@ controller: - "staticMethod org.codehaus.groovy.runtime.StackTraceUtils sanitize java.lang.Throwable" - "method java.net.URL openConnection" # List of groovy init scripts to be executed during Jenkins controller start - initScripts: [] + initScripts: {} # - | # print 'adding global pipeline libraries, register properties, bootstrap jobs...' 
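Review bot: `initScripts: {}` changes the value from a sequence to a mapping, presumably because the chart now keys init scripts by name, but the comment directly above still says `List of groovy init scripts` and the commented example below it (`# - |`) is still written as a list item. A reader who un-comments that example would get a type mismatch; the comment should become `Map of groovy init scripts (key becomes the script file name)` and the example `# my-script: |`. The `controller:` mapping continues outside this hunk.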
@@ -607,10 +615,10 @@ controller: # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each | # become the content of the configuration yaml file. The first line after this is a JCasC root element, eg jenkins, credentials, - # etc. Best reference is https:///configuration-as-code/reference. - JCasC: + # etc. Best reference is https:///configuration-as-code/reference. + JCasC: defaultConfig: true - # Ignored if securityRealm is defined in controller.JCasC.configScripts + # Ignored if securityRealm is defined in controller.JCasC.configScripts securityRealm: |- #local: # allowsSignup: false @@ -626,7 +634,7 @@ controller: clientSecret: "${secret/rubin/rubin-jenkins-control-dev/github-oauth/client-secret}" oauthScopes: "read:org" # Uses matrix-auth plugin to configure user and group permissions - authorizationStrategy: |- + authorizationStrategy: |- globalMatrix: permissions: - "USER:Agent/Connect:sqre-user" @@ -666,8 +674,8 @@ controller: welcome-message: | jenkins: systemMessage: This is the DEVELOPMENT instance of jenkins. - # Connects to specified vault paths and variables to provide all credentials - systemCredentials: |- + # Connects to specified vault paths and variables to provide all credentials + systemCredentials: |- credentials: system: domainCredentials: 
@@ -781,14 +789,14 @@ controller: scope: GLOBAL username: "${secret/rubin/rubin-jenkins-control-dev/sqre-osx/username}" - # - basicSSHUserPrivateKey: - # description: "SQRE OSX build agents" - # id: "sqre-osx" - # privateKeySource: - # directEntry: - # privateKey: "${secret/rubin/rubin-jenkins-control/sqre-osx/private_key}" - # scope: GLOBAL - # username: "${secret/rubin/rubin-jenkins-control/sqre-osx/username}" + - basicSSHUserPrivateKey: + description: "mini OSX build agents" + id: "mini-osx" + privateKeySource: + directEntry: + privateKey: "${secret/rubin/rubin-jenkins-control-dev/sqre-mini/private_key}" + scope: GLOBAL + username: "${secret/rubin/rubin-jenkins-control/sqre-mini/username}" - usernamePassword: description: "push conda packages -> s3" @@ -839,8 +847,8 @@ controller: security: globaljobdslsecurityconfiguration: useScriptSecurity: false - # Connects mac agents to jenkins controller - permanent-nodes: | + # Connects mac agents to jenkins controller + permanent-nodes: | jenkins: nodes: - permanent: 
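Review bot: The new `mini-osx` credential resolves `privateKey` from `${secret/rubin/rubin-jenkins-control-dev/sqre-mini/private_key}` but `username` from `${secret/rubin/rubin-jenkins-control/sqre-mini/username}`, the non-dev Vault tree, whereas the neighbouring `sqre-osx` entry uses the `-dev` path for both fields. Unless the dev controller's `CASC_VAULT_PATHS` also lists the production `sqre-mini` path, the JCasC Vault secret source will not be able to resolve that placeholder (how loudly that fails depends on the plugin version); and if it does list it, the dev instance is reading a production secret path it has no other need for. The later commits in this series (trailing-whitespace and indentation passes) keep the mixed paths, so this looks like a typo rather than intent. Suggested line: `username: "${secret/rubin/rubin-jenkins-control-dev/sqre-mini/username}"`; the enclosing `systemCredentials` block starts outside the hunk.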
@@ -975,6 +983,114 @@ controller: numExecutors: 1 remoteFS: "/Users/squaredev/j" retentionStrategy: "always" + - permanent: + labelString: "mini" + name: "mini01" + launcher: + sSHLauncher: + credentialsId: "mini-osx" + host: "mac01.ls.lsst.org" + javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + numExecutors: 1 + remoteFS: "/Users/jenkins/j" + retentionStrategy: "always" + - permanent: + labelString: "mini" + name: "mini02" + launcher: + sSHLauncher: + credentialsId: "mini-osx" + host: "mac02.ls.lsst.org" + javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + numExecutors: 1 + remoteFS: "/Users/jenkins/j" + retentionStrategy: "always" + - permanent: + labelString: "mini" + name: "mini03" + launcher: + sSHLauncher: + credentialsId: "mini-osx" + host: "mac03.ls.lsst.org" + javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + numExecutors: 1 + remoteFS: "/Users/jenkins/j" + retentionStrategy: "always" + - permanent: + labelString: "mini" + name: "mini04" + launcher: + sSHLauncher: + credentialsId: "mini-osx" + host: "mac04.ls.lsst.org" + javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + numExecutors: 1 + remoteFS: "/Users/jenkins/j" + retentionStrategy: "always" + - permanent: + labelString: "mini" + name: 
"mini05" + launcher: + sSHLauncher: + credentialsId: "mini-osx" + host: "mac05.ls.lsst.org" + javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + numExecutors: 1 + remoteFS: "/Users/jenkins/j" + retentionStrategy: "always" + - permanent: + labelString: "mini" + name: "mini06" + launcher: + sSHLauncher: + credentialsId: "mini-osx" + host: "mac06.ls.lsst.org" + javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" + launchTimeoutSeconds: 210 + maxNumRetries: 10 + port: 22 + retryWaitTime: 15 + sshHostKeyVerificationStrategy: + manuallyTrustedKeyVerificationStrategy: + requireInitialManualTrust: false + numExecutors: 1 + remoteFS: "/Users/jenkins/j" + retentionStrategy: "always" # Optionally specify additional init-containers customInitContainers: [] @@ -985,9 +1101,13 @@ controller: # jcasc changes will cause a reboot and will only be applied at the subsequent start-up. Auto-reload uses the # http:///reload-configuration-as-code endpoint to reapply config when changes to the configScripts are detected. enabled: false - image: kiwigrid/k8s-sidecar:1.15.0 + image: + registry: docker.io + repository: kiwigrid/k8s-sidecar + tag: 1.26.1 imagePullPolicy: IfNotPresent - resources: {} + resources: + {} # limits: # cpu: 100m # memory: 100Mi @@ -1170,7 +1290,7 @@ controller: testEnabled: true httpsKeyStore: - jenkinsHttpsJksSecretName: '' + jenkinsHttpsJksSecretName: "" enable: false httpPort: 8081 path: "/var/jenkins_keystore" @@ -1189,8 +1309,9 @@ agent: kubernetesReadTimeout: 15 maxRequestsPerHostStr: "32" namespace: - image: "jenkins/inbound-agent" - tag: "4.11.2-4" + image: + repository: "jenkins/inbound-agent" + tag: "4.11.2-4" workingDir: "/home/jenkins/agent" nodeUsageMode: "NORMAL" customJenkinsLabels: [] 
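Review bot: The six new `mini01`–`mini06` stanzas all configure `manuallyTrustedKeyVerificationStrategy` with `requireInitialManualTrust: false`, so the controller accepts whatever host key `mac0N.ls.lsst.org` presents on first contact and pins it only afterwards; anyone who can answer for that name at first connect — or again whenever the stored node state is lost — can impersonate the agent and receive the workspace plus any credentials that jobs on the `mini` label use. Prefer `manuallyProvidedKeyVerificationStrategy` with each host's public key, or `knownHostsFileKeyVerificationStrategy` backed by a known_hosts entry mounted into the controller, or at minimum `requireInitialManualTrust: true` so an administrator must approve the key before the first launch. The `javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java"` value relies on the remote login shell expanding `~`; an absolute path under the account the `remoteFS: "/Users/jenkins/j"` setting implies (presumably `/Users/jenkins/...`) removes that dependency. The pre-existing `mac1`–`mac6` nodes use the same strategy, so the fix applies there as well, but this hunk is where it is introduced for the new hosts.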
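Review bot: In the `@@ -1189,8 +1309,9 @@ agent:` hunk the inbound agent image is moved to the `image.repository`/`image.tag` layout but left at `jenkins/inbound-agent` tag `"4.11.2-4"`, a 2022-era remoting build, while the controller-side plugin pins in this same change (for example `workflow-cps:3806.va_3a_6988277b_2`, `jackson2-api:2.15.3-372.v309620682326`) are from a much later generation; controllers refuse or warn on agents below their minimum supported remoting version, so this tag should be checked against the updated controller and bumped alongside it rather than carried over. A bare tag is also mutable on Docker Hub; if the chart version in use exposes a digest field for `agent.image`, pin with it next to the tag. The `agent:` block continues outside the hunk.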
@@ -1373,8 +1494,8 @@ persistence: ## GKE, AWS & OpenStack) ## storageClass: #"wekafs--sdf-k8s01" - annotations: -#volume.beta.kubernetes.io/storage-provisioner: csi.weka.io + annotations: + #volume.beta.kubernetes.io/storage-provisioner: csi.weka.io labels: {} accessMode: "ReadWriteOnce" size: "800Gi" @@ -1396,7 +1517,8 @@ networkPolicy: internalAgents: allowed: true podLabels: {} - namespaceLabels: {} + namespaceLabels: + {} # project: myproject externalAgents: {} # ipCIDR: 172.17.0.0/16 @@ -1415,7 +1537,6 @@ serviceAccount: annotations: {} imagePullSecretName: - serviceAccountAgent: # Specifies whether a ServiceAccount should be created create: false 
@@ -1427,71 +1548,7 @@ serviceAccountAgent: ## Backup cronjob configuration ## Ref: https://github.com/maorfr/kube-tasks -backup: - # Backup must use RBAC - # So by enabling backup you are enabling RBAC specific for backup - enabled: false - # Used for label app.kubernetes.io/component - componentName: "backup" - # Schedule to run jobs. Must be in cron time format - # Ref: https://crontab.guru/ - schedule: "0 2 * * *" - labels: {} - serviceAccount: - create: true - name: - annotations: {} - # Example for authorization to AWS S3 using kube2iam or IRSA - # Can also be done using environment variables - # iam.amazonaws.com/role: "jenkins" - # "eks.amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/jenkins-backup" - # Set this to terminate the job that is running/failing continously and set the job status to "Failed" - activeDeadlineSeconds: "" - image: - repository: "maorfr/kube-tasks" - tag: "0.2.0" - imagePullSecretName: - # Additional arguments for kube-tasks - # Ref: https://github.com/maorfr/kube-tasks#simple-backup - extraArgs: [] - # Add existingSecret for AWS credentials - existingSecret: {} - ## Example for using an existing secret - # jenkinsaws: - ## Use this key for AWS access key ID - # awsaccesskey: jenkins_aws_access_key - ## Use this key for AWS secret access key - # awssecretkey: jenkins_aws_secret_key - # Add additional environment variables - # jenkinsgcp: - ## Use this key for GCP credentials - # gcpcredentials: credentials.json - env: [] - # Example environment variable required for AWS credentials chain - # - name: "AWS_REGION" - # value: "us-east-1" - resources: - requests: - memory: 1Gi - cpu: 1 - limits: - memory: 1Gi - cpu: 1 - # Destination to store the backup artifacts - # Supported cloud storage services: AWS S3, Minio S3, Azure Blob Storage, Google Cloud Storage - # Additional support can added. 
Visit this repository for details - # Ref: https://github.com/maorfr/skbn - destination: "s3://jenkins-data/backup" - # By enabling only the jenkins_home/jobs folder gets backed up, not the whole jenkins instance - onlyJobs: false - # Enable backup pod security context (must be `true` if runAsUser or fsGroup are set) - usePodSecurityContext: true - # When setting runAsUser to a different value than 0 also set fsGroup to the same value: - runAsUser: 1000 - fsGroup: 1000 - securityContextCapabilities: {} - # drop: - # - NET_RAW + checkDeprecation: true awsSecurityGroupPolicies: From 79a3d0666d63ab07b66bdf2b8d7d2d4fe192104c Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Wed, 3 Apr 2024 21:17:08 +0000 Subject: [PATCH 18/29] adding longer line length in .yamllint --- seeds/.yamllint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/seeds/.yamllint.yaml b/seeds/.yamllint.yaml index acf70dee..62196e72 100644 --- a/seeds/.yamllint.yaml +++ b/seeds/.yamllint.yaml @@ -2,7 +2,7 @@ extends: default rules: document-start: {present: false} line-length: - max: 132 + max: 800 allow-non-breakable-words: true allow-non-breakable-inline-mappings: true indentation: From 198bb053b28fab8bf9c72994aaeb52d3c8fe2a2f Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Wed, 3 Apr 2024 21:52:56 +0000 Subject: [PATCH 19/29] moving .yamllint to workflows --- {seeds => .github/workflows}/.yamllint.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) rename {seeds => .github/workflows}/.yamllint.yaml (87%) diff --git a/seeds/.yamllint.yaml b/.github/workflows/.yamllint.yaml similarity index 87% rename from seeds/.yamllint.yaml rename to .github/workflows/.yamllint.yaml index 62196e72..b57cc54d 100644 --- a/seeds/.yamllint.yaml +++ b/.github/workflows/.yamllint.yaml 
@@ -2,7 +2,8 @@ extends: default rules: document-start: {present: false} line-length: - max: 800 + ignore: | + /seeds/ allow-non-breakable-words: true allow-non-breakable-inline-mappings: true indentation: From 07398b9cb8b39c2dea2be2a9e397133ab46e21f5 Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Wed, 3 Apr 2024 22:04:53 +0000 Subject: [PATCH 20/29] disable yamllint line length for dev-values.yaml --- seeds/dev-values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml index dada89ca..20f9402a 100644 --- a/seeds/dev-values.yaml +++ b/seeds/dev-values.yaml @@ -13,6 +13,9 @@ # For FQDN resolving of the controller service. Change this value to match your existing configuration. # ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md + + +# yamllint disable rule:line-length clusterZone: "cluster.local" renderHelmLabels: true From d92c609af095b59670320aece16a9fde477ac31f Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Wed, 3 Apr 2024 22:11:15 +0000 Subject: [PATCH 21/29] remove trailing spaces --- seeds/dev-values.yaml | 61 ++++++++++--------------------------------- 1 file changed, 14 insertions(+), 47 deletions(-) diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml index 20f9402a..20e63af3 100644 --- a/seeds/dev-values.yaml +++ b/seeds/dev-values.yaml @@ -1,5 +1,6 @@ -# From https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/values.yaml +# yamllint disable rule:line-length +# From https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/values.yaml # Default values for jenkins. # This is a YAML-formatted file. # Declare name/value pairs to be passed into your templates. @@ -15,7 +16,6 @@ # ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md -# yamllint disable rule:line-length clusterZone: "cluster.local" renderHelmLabels: true 
@@ -782,7 +782,6 @@ controller: privateKey: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/private_key}" scope: GLOBAL username: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/username}" - - basicSSHUserPrivateKey: description: "SQRE OSX build agents" id: "sqre-osx" @@ -791,7 +790,6 @@ controller: privateKey: "${secret/rubin/rubin-jenkins-control-dev/sqre-osx/private_key}" scope: GLOBAL username: "${secret/rubin/rubin-jenkins-control-dev/sqre-osx/username}" - - basicSSHUserPrivateKey: description: "mini OSX build agents" id: "mini-osx" @@ -800,7 +798,6 @@ controller: privateKey: "${secret/rubin/rubin-jenkins-control-dev/sqre-mini/private_key}" scope: GLOBAL username: "${secret/rubin/rubin-jenkins-control/sqre-mini/username}" - - usernamePassword: description: "push conda packages -> s3" id: "aws-cmirror-push" @@ -862,17 +859,12 @@ controller: host: "mac1.lsst.cloud" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: requireInitialManualTrust: false name: "mac1" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" numExecutors: 1 remoteFS: "/Users/squaredev/j" retentionStrategy: "always" @@ -884,17 +876,12 @@ controller: host: "mac2.lsst.cloud" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: requireInitialManualTrust: false name: "mac2" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" numExecutors: 1 remoteFS: "/Users/squaredev/j" retentionStrategy: "always" 
@@ -906,17 +893,12 @@ controller: host: "mac3.lsst.cloud" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: requireInitialManualTrust: false name: "mac3" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" numExecutors: 1 remoteFS: "/Users/squaredev/j" retentionStrategy: "always" @@ -928,17 +910,12 @@ controller: host: "mac4.lsst.cloud" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: requireInitialManualTrust: false name: "mac4" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" numExecutors: 1 remoteFS: "/Users/squaredev/j" retentionStrategy: "always" @@ -950,17 +927,12 @@ controller: host: "mac5.lsst.cloud" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: requireInitialManualTrust: false name: "mac5" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" numExecutors: 1 remoteFS: "/Users/squaredev/j" retentionStrategy: "always" @@ -972,17 +944,12 @@ controller: host: "mac6.lsst.cloud" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: requireInitialManualTrust: false name: "mac6" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" numExecutors: 1 remoteFS: "/Users/squaredev/j" retentionStrategy: "always" @@ -996,7 +963,7 @@ controller: javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: 
@@ -1014,7 +981,7 @@ controller: javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: @@ -1032,7 +999,7 @@ controller: javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: @@ -1050,7 +1017,7 @@ controller: javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: @@ -1068,7 +1035,7 @@ controller: javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: @@ -1086,7 +1053,7 @@ controller: javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: From f5011424b423154ae0237ce052db39003ee5df19 Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Wed, 3 Apr 2024 22:16:54 +0000 Subject: [PATCH 22/29] edit values.yaml --- .github/workflows/.yamllint.yaml | 10 ---------- seeds/dev-values.yaml | 2 +- seeds/values.yaml | 3 +++ 3 files changed, 4 insertions(+), 11 deletions(-) delete mode 100644 .github/workflows/.yamllint.yaml diff --git a/.github/workflows/.yamllint.yaml b/.github/workflows/.yamllint.yaml deleted file mode 100644 index b57cc54d..00000000 --- a/.github/workflows/.yamllint.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -extends: default -rules: - document-start: {present: false} - line-length: - ignore: | - /seeds/ - allow-non-breakable-words: true - allow-non-breakable-inline-mappings: true - indentation: - indent-sequences: consistent diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml index 20e63af3..4254059c 100644 --- a/seeds/dev-values.yaml +++ b/seeds/dev-values.yaml @@ -782,7 +782,7 @@ controller: privateKey: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/private_key}" scope: GLOBAL username: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/username}" - - basicSSHUserPrivateKey: + - basicSSHUserPrivateKey: description: "SQRE OSX build agents" id: "sqre-osx" privateKeySource: diff --git a/seeds/values.yaml b/seeds/values.yaml index 082f718b..52841ead 100644 --- a/seeds/values.yaml +++ b/seeds/values.yaml @@ -1,3 +1,6 @@ +# yamllint disable rule:line-length + + # From https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/values.yaml # Default values for jenkins. From 920dd6257ae157f628243530f5379116aaf732ae Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Wed, 3 Apr 2024 22:24:34 +0000 Subject: [PATCH 23/29] more changes to values.yaml --- seeds/values.yaml | 88 +++++++++++++++++------------------------------ 1 file changed, 31 insertions(+), 57 deletions(-) diff --git a/seeds/values.yaml b/seeds/values.yaml index 52841ead..3c8d9ddb 100644 --- a/seeds/values.yaml +++ b/seeds/values.yaml 
@@ -32,7 +32,12 @@ controller: lifecycle: postStart: exec: - command: [ "/bin/sh", "-c", "echo 'handlers = java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.level = ALL\n.level= ALL' > /var/jenkins_home/logging.properties" ] + command: + [ + "/bin/sh", + "-c", + "echo 'handlers = java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.level = ALL\n.level= ALL' > /var/jenkins_home/logging.properties" + ] disableRememberMe: false numExecutors: 0 # configures the executor mode of the Jenkins node. Possible values are: NORMAL or EXCLUSIVE @@ -87,16 +92,16 @@ controller: # Environment variables that get added to the init container (useful for e.g. # http_proxy) initContainerEnv: - - name: CASC_VAULT_APPROLE - valueFrom: - secretKeyRef: - name: vault-approle - key: APPROLE_ID - - name: CASC_VAULT_APPROLE_SECRET - valueFrom: - secretKeyRef: - name: vault-approle - key: APPROLE_SECRET + - name: CASC_VAULT_APPROLE + valueFrom: + secretKeyRef: + name: vault-approle + key: APPROLE_ID + - name: CASC_VAULT_APPROLE_SECRET + valueFrom: + secretKeyRef: + name: vault-approle + key: APPROLE_SECRET - name: CASC_VAULT_URL value: https://vault.slac.stanford.edu - name: CASC_VAULT_PATHS @@ -307,7 +312,7 @@ controller: # Optionally assign an IP to the LoadBalancer agentListenerService LoadBalancer # GKE users: only regional static IPs will work for Service Load balancer. agentListenerLoadBalancerIP: - agentListenerServiceAnnotations: + agentListenerServiceAnnotations: metallb.universe.tf/address-pool: sdf-dmz # Example of 'LoadBalancer' type of agent listener with annotations securing it @@ -355,7 +360,7 @@ controller: additionalPlugins: #- ace-editor:1.1 - antisamy-markup-formatter:162.v0e6ec0fcfcf6 - - apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 + - apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 #depreciated - async-http-client:1.9.40.0 - authentication-tokens:1.53.v1c90fd9191a_b_ - blueocean-autofavorite:1.2.5 
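Review bot: The reflowed `postStart` command still writes `.level= ALL` into `/var/jenkins_home/logging.properties`, which raises the root java.util.logging level for every plugin on the controller; at that level HTTP-client, credentials and Vault-related loggers can emit request details and occasionally secret material into container stdout, where it is retained by whatever ships pod logs. If this is a debugging aid, scope it to the logger under investigation, e.g. `io.jenkins.plugins.casc.level = FINE`, and drop the root `.level= ALL`. Note also that JUL only reads this file when `-Djava.util.logging.config.file=/var/jenkins_home/logging.properties` is passed, and in this file that flag appears only in the commented-out `JAVA_TOOL_OPTIONS` variant further down, so the hook may currently be a no-op — worth confirming before relying on it either way. Style-wise, a block sequence (`- /bin/sh`, `- -c`, `- |` with the script body) would read more naturally in this file than the multi-line flow list.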
@@ -479,7 +484,7 @@ controller: - snakeyaml-api:2.2-111.vc6598e30cc65 - sse-gateway:1.26 - ssh-agent:346.vda_a_c4f2c8e50 - - ssh-credentials:308.ve4497b_ccd8f4 + - ssh-credentials:308.ve4497b_ccd8f4 - sshd:3.312.v1c601b_c83b_0e - ssh-slaves:1.29.4 - structs:325.vcb_307d2a_2782 @@ -604,10 +609,10 @@ controller: # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each | # become the content of the configuration yaml file. The first line after this is a JCasC root element, eg jenkins, credentials, - # etc. Best reference is https:///configuration-as-code/reference. - JCasC: + # etc. Best reference is https:///configuration-as-code/reference. + JCasC: defaultConfig: true - # Ignored if securityRealm is defined in controller.JCasC.configScripts + # Ignored if securityRealm is defined in controller.JCasC.configScripts securityRealm: |- #local: # allowsSignup: false @@ -623,7 +628,7 @@ controller: clientSecret: "${secret/rubin/rubin-jenkins-control/github-oauth/client-secret}" oauthScopes: "read:org" # Uses matrix-auth plugin to configure user and group permissions - authorizationStrategy: |- + authorizationStrategy: |- globalMatrix: permissions: - "USER:Agent/Connect:sqre-user" @@ -825,8 +830,8 @@ controller: security: globaljobdslsecurityconfiguration: useScriptSecurity: false - # Connects mac agents to jenkins controller - permanent-nodes: | + # Connects mac agents to jenkins controller + permanent-nodes: | jenkins: nodes: - permanent: 
@@ -837,17 +842,12 @@ controller: host: "mac1.lsst.cloud" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: requireInitialManualTrust: false name: "mac1" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" numExecutors: 1 remoteFS: "/Users/square/j" retentionStrategy: "always" @@ -859,17 +859,12 @@ controller: host: "mac2.lsst.cloud" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: requireInitialManualTrust: false name: "mac2" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" numExecutors: 1 remoteFS: "/Users/square/j" retentionStrategy: "always" @@ -881,17 +876,12 @@ controller: host: "mac3.lsst.cloud" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: requireInitialManualTrust: false name: "mac3" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" numExecutors: 1 remoteFS: "/Users/square/j" retentionStrategy: "always" @@ -903,17 +893,12 @@ controller: host: "mac4.lsst.cloud" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: requireInitialManualTrust: false name: "mac4" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" numExecutors: 1 remoteFS: "/Users/square/j" retentionStrategy: "always" 
@@ -925,17 +910,12 @@ controller: host: "mac5.lsst.cloud" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: requireInitialManualTrust: false name: "mac5" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" numExecutors: 1 remoteFS: "/Users/square/j" retentionStrategy: "always" @@ -947,21 +927,15 @@ controller: host: "mac6.lsst.cloud" launchTimeoutSeconds: 210 maxNumRetries: 10 - port: 22 + port: 22 retryWaitTime: 15 sshHostKeyVerificationStrategy: manuallyTrustedKeyVerificationStrategy: requireInitialManualTrust: false name: "mac6" - # nodeProperties: - # - envVars: - # env: - # - key: "PATH+LOCAL_BIN" - # value: "/usr/local/bin" numExecutors: 1 remoteFS: "/Users/square/j" retentionStrategy: "always" - # Optionally specify additional init-containers customInitContainers: [] From 929e264a8f060febf9309b97f3bbe251d18bf476 Mon Sep 17 00:00:00 2001 From: aranabhat <138172063+aranabhat@users.noreply.github.com> Date: Wed, 3 Apr 2024 22:34:37 +0000 Subject: [PATCH 24/29] add document start and end --- seeds/dev-values.yaml | 5 ++ seeds/values.yaml | 107 ++++++++++++++++++++++-------------------- 2 files changed, 61 insertions(+), 51 deletions(-) diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml index 4254059c..6389702d 100644 --- a/seeds/dev-values.yaml +++ b/seeds/dev-values.yaml @@ -1,3 +1,5 @@ +--- + # yamllint disable rule:line-length # From https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/values.yaml @@ -1527,3 +1529,6 @@ awsSecurityGroupPolicies: - name: "" securityGroupIds: [] podSelector: {} + + +... \ No newline at end of file diff --git a/seeds/values.yaml b/seeds/values.yaml index 3c8d9ddb..47ad1dbf 100644 --- a/seeds/values.yaml +++ b/seeds/values.yaml @@ -1,3 +1,4 @@ +--- # yamllint disable rule:line-length 
@@ -32,7 +33,7 @@ controller:
 lifecycle:
 postStart:
 exec:
- command:
+ command:
 [
 "/bin/sh",
 "-c",
@@ -102,27 +103,27 @@ controller: secretKeyRef: name: vault-approle key: APPROLE_SECRET - - name: CASC_VAULT_URL - value: https://vault.slac.stanford.edu - - name: CASC_VAULT_PATHS - value: secret/rubin/rubin-jenkins-control/common,secret/rubin/rubin-jenkins-control/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control/aws-eups-push,secret/rubin/rubin-jenkins-control/aws-eups-backup,secret/rubin/rubin-jenkins-control/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control/aws-doxygen-push,secret/rubin/rubin-jenkins-control/slack-lsstc-token,secret/rubin/rubin-jenkins-control/ghslacker,secret/rubin/rubin-jenkins-control/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control/aws-cmirror-push,secret/rubin/rubin-jenkins-control/github_backup,secret/rubin/rubin-jenkins-control/squash-api-user,secret/rubin/rubin-jenkins-control/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control/ltd-mason-aws,secret/rubin/rubin-jenkins-control/ltd-keeper,secret/rubin/rubin-jenkins-control/google_archive_registry_sa,secret/rubin/rubin-jenkins-control/github-oauth - - name: HTTP_PROXY - value: http://sdfproxy.sdf.slac.stanford.edu:3128 - - name: HTTPS_PROXY - value: http://sdfproxy.sdf.slac.stanford.edu:3128 - - name: http_proxy - value: http://sdfproxy.sdf.slac.stanford.edu:3128 - - name: https_proxy - value: http://sdfproxy.sdf.slac.stanford.edu:3128 - - name: no_proxy - value: '*.slac.stanford.edu' - - name: NO_PROXY - value: '*.slac.stanford.edu' - - name: JAVA_TOOL_OPTIONS - value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles" + - name: CASC_VAULT_URL + value: https://vault.slac.stanford.edu + - name: CASC_VAULT_PATHS + value: 
secret/rubin/rubin-jenkins-control/common,secret/rubin/rubin-jenkins-control/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control/aws-eups-push,secret/rubin/rubin-jenkins-control/aws-eups-backup,secret/rubin/rubin-jenkins-control/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control/aws-doxygen-push,secret/rubin/rubin-jenkins-control/slack-lsstc-token,secret/rubin/rubin-jenkins-control/ghslacker,secret/rubin/rubin-jenkins-control/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control/aws-cmirror-push,secret/rubin/rubin-jenkins-control/github_backup,secret/rubin/rubin-jenkins-control/squash-api-user,secret/rubin/rubin-jenkins-control/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control/ltd-mason-aws,secret/rubin/rubin-jenkins-control/ltd-keeper,secret/rubin/rubin-jenkins-control/google_archive_registry_sa,secret/rubin/rubin-jenkins-control/github-oauth + - name: HTTP_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: HTTPS_PROXY + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: http_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: https_proxy + value: http://sdfproxy.sdf.slac.stanford.edu:3128 + - name: no_proxy + value: '*.slac.stanford.edu' + - name: NO_PROXY + value: '*.slac.stanford.edu' + - name: JAVA_TOOL_OPTIONS + value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles" #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties" - - 
name: TZ - value: America/Los_Angeles + - name: TZ + value: America/Los_Angeles #- name: VAULT_TOKEN_LEASE_DURATION # valueFrom: # secretKeyRef: 
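Review bot: `no_proxy` and `NO_PROXY` are set to `'*.slac.stanford.edu'`, but libcurl, Python's urllib/requests and git do not treat `*` as a wildcard there (curl honours only a lone `*`) and match by domain suffix instead, so those tools are likely to ignore the bypass and send traffic for `vault.slac.stanford.edu` through `sdfproxy.sdf.slac.stanford.edu:3128`; the JVM's `-Dhttp.nonProxyHosts='*.slac.stanford.edu'` form is correct, but the env form should be `value: '.slac.stanford.edu'`, a leading-dot suffix that the common implementations honour (Go's ProxyFromEnvironment accepts both forms). Which client the init container actually uses for plugin and Vault fetches is not visible here, so treat this as something to verify rather than a certain breakage. The rest of the hunk is a pure reindent of existing `initContainerEnv` values.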
@@ -131,41 +132,41 @@ controller:
 # - name: http_proxy
 # value: "http://192.168.64.1:3128"
 containerEnv:
- - name: CASC_VAULT_APPROLE
- valueFrom:
- secretKeyRef:
- name: vault-approle
- key: APPROLE_ID
- - name: CASC_VAULT_APPROLE_SECRET
- valueFrom:
- secretKeyRef:
- name: vault-approle
- key: APPROLE_SECRET
+ - name: CASC_VAULT_APPROLE
+ valueFrom:
+ secretKeyRef:
+ name: vault-approle
+ key: APPROLE_ID
+ - name: CASC_VAULT_APPROLE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: vault-approle
+ key: APPROLE_SECRET
 #- name: CASC_VAULT_TOKEN
 # valueFrom:
 # secretKeyRef:
 # name: vault-token2
 # key: VAULT_TOKEN
- - name: CASC_VAULT_URL
- value: https://vault.slac.stanford.edu
- - name: CASC_VAULT_PATHS
- value: secret/rubin/rubin-jenkins-control/common,secret/rubin/rubin-jenkins-control/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control/aws-eups-push,secret/rubin/rubin-jenkins-control/aws-eups-backup,secret/rubin/rubin-jenkins-control/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control/aws-doxygen-push,secret/rubin/rubin-jenkins-control/slack-lsstc-token,secret/rubin/rubin-jenkins-control/ghslacker,secret/rubin/rubin-jenkins-control/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control/aws-cmirror-push,secret/rubin/rubin-jenkins-control/github_backup,secret/rubin/rubin-jenkins-control/squash-api-user,secret/rubin/rubin-jenkins-control/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control/ltd-mason-aws,secret/rubin/rubin-jenkins-control/ltd-keeper,secret/rubin/rubin-jenkins-control/google_archive_registry_sa,secret/rubin/rubin-jenkins-control/github-oauth
- - name: HTTP_PROXY
- value: http://sdfproxy.sdf.slac.stanford.edu:3128
- - name: HTTPS_PROXY
- value: http://sdfproxy.sdf.slac.stanford.edu:3128
- - name: http_proxy
- value: http://sdfproxy.sdf.slac.stanford.edu:3128
- - name: https_proxy
- value: http://sdfproxy.sdf.slac.stanford.edu:3128
- - name: no_proxy
- value: '*.slac.stanford.edu'
- - name: NO_PROXY
- value: '*.slac.stanford.edu'
- - name: TZ
- value: America/Los_Angeles
- - name: JAVA_TOOL_OPTIONS
- value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles"
+ - name: CASC_VAULT_URL
+ value: https://vault.slac.stanford.edu
+ - name: CASC_VAULT_PATHS
+ value: secret/rubin/rubin-jenkins-control/common,secret/rubin/rubin-jenkins-control/aws-jenkins-master-snapshot,secret/rubin/rubin-jenkins-control/aws-eups-push,secret/rubin/rubin-jenkins-control/aws-eups-backup,secret/rubin/rubin-jenkins-control/aws-eups-tag-admin,secret/rubin/rubin-jenkins-control/aws-doxygen-push,secret/rubin/rubin-jenkins-control/slack-lsstc-token,secret/rubin/rubin-jenkins-control/ghslacker,secret/rubin/rubin-jenkins-control/github-api-token-sqreadmin,secret/rubin/rubin-jenkins-control/github-jenkins-versiondb,secret/rubin/rubin-jenkins-control/sqre-osx,secret/rubin/rubin-jenkins-control/aws-cmirror-push,secret/rubin/rubin-jenkins-control/github_backup,secret/rubin/rubin-jenkins-control/squash-api-user,secret/rubin/rubin-jenkins-control/dockerhub-sqreadmin,secret/rubin/rubin-jenkins-control/ltd-mason-aws,secret/rubin/rubin-jenkins-control/ltd-keeper,secret/rubin/rubin-jenkins-control/google_archive_registry_sa,secret/rubin/rubin-jenkins-control/github-oauth
+ - name: HTTP_PROXY
+ value: http://sdfproxy.sdf.slac.stanford.edu:3128
+ - name: HTTPS_PROXY
+ value: http://sdfproxy.sdf.slac.stanford.edu:3128
+ - name: http_proxy
+ value: http://sdfproxy.sdf.slac.stanford.edu:3128
+ - name: https_proxy
+ value: http://sdfproxy.sdf.slac.stanford.edu:3128
+ - name: no_proxy
+ value: '*.slac.stanford.edu'
+ - name: NO_PROXY
+ value: '*.slac.stanford.edu'
+ - name: TZ
+ value: America/Los_Angeles
+ - name: JAVA_TOOL_OPTIONS
+ value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles"
 #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties"
 #- name: VAULT_TOKEN_LEASE_DURATION
 # valueFrom:
@@ -1459,3 +1460,7 @@ awsSecurityGroupPolicies:
 - name: ""
 securityGroupIds: []
 podSelector: {}
+
+
+
+...
\ No newline at end of file
From 6bdca84ccc3fd89332cf72e1c382f28d5ce40fed Mon Sep 17 00:00:00 2001
From: aranabhat <138172063+aranabhat@users.noreply.github.com>
Date: Wed, 3 Apr 2024 22:37:22 +0000
Subject: [PATCH 25/29] end document edit
---
 seeds/dev-values.yaml | 2 --
 seeds/values.yaml | 3 ---
 2 files changed, 5 deletions(-)
diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml
index 6389702d..391c19f4 100644
--- a/seeds/dev-values.yaml
+++ b/seeds/dev-values.yaml
@@ -1529,6 +1529,4 @@ awsSecurityGroupPolicies:
 - name: ""
 securityGroupIds: []
 podSelector: {}
-
-
 ...
\ No newline at end of file
diff --git a/seeds/values.yaml b/seeds/values.yaml
index 47ad1dbf..0cddabf1 100644
--- a/seeds/values.yaml
+++ b/seeds/values.yaml
@@ -1460,7 +1460,4 @@ awsSecurityGroupPolicies:
 - name: ""
 securityGroupIds: []
 podSelector: {}
-
-
-
 ...
\ No newline at end of file
From 0d2357711e331b7e5dedbf2b27cc9727c27ca089 Mon Sep 17 00:00:00 2001
From: aranabhat <138172063+aranabhat@users.noreply.github.com>
Date: Wed, 3 Apr 2024 22:39:57 +0000
Subject: [PATCH 26/29] new line
---
 seeds/dev-values.yaml | 2 +-
 seeds/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml
index 391c19f4..33d8976b 100644
--- a/seeds/dev-values.yaml
+++ b/seeds/dev-values.yaml
@@ -1529,4 +1529,4 @@ awsSecurityGroupPolicies:
 - name: ""
 securityGroupIds: []
 podSelector: {}
-...
\ No newline at end of file
+...
diff --git a/seeds/values.yaml b/seeds/values.yaml
index 0cddabf1..520f4dd0 100644
--- a/seeds/values.yaml
+++ b/seeds/values.yaml
@@ -1460,4 +1460,4 @@ awsSecurityGroupPolicies:
 - name: ""
 securityGroupIds: []
 podSelector: {}
-...
\ No newline at end of file
+...
From b34538bbe608ebdb6911497b5a527113207fbc63 Mon Sep 17 00:00:00 2001
From: aranabhat <138172063+aranabhat@users.noreply.github.com>
Date: Wed, 3 Apr 2024 22:52:36 +0000
Subject: [PATCH 27/29] values.yaml to new format
---
 seeds/dev-values.yaml | 44 +++++++-----
 seeds/values.yaml | 163 +++++++++++++++--------------------
 2 files changed, 84 insertions(+), 123 deletions(-)
diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml
index 33d8976b..e9a604fa 100644
--- a/seeds/dev-values.yaml
+++ b/seeds/dev-values.yaml
@@ -1,8 +1,8 @@
 ---
-
 # yamllint disable rule:line-length
 # From https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/values.yaml
+
 # Default values for jenkins.
 # This is a YAML-formatted file.
 # Declare name/value pairs to be passed into your templates.
@@ -16,8 +16,6 @@
 # For FQDN resolving of the controller service. Change this value to match your existing configuration.
 # ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md
-
-
 clusterZone: "cluster.local"
 renderHelmLabels: true
@@ -131,8 +129,12 @@ controller:
 value: "*.slac.stanford.edu"
 - name: JAVA_TOOL_OPTIONS
 value:
- "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles"
- #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties"
+ "-Dhttp.nonProxyHosts='*.slac.stanford.edu'
+ -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128
+ -Dhttps.nonProxyHosts='*.slac.stanford.edu'
+ -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128
+ -Duser.timezone=America/Los_Angeles"
+ #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties"
 - name: TZ
 value: America/Los_Angeles
 #- name: VAULT_TOKEN_LEASE_DURATION
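Review bot: The five-line `JAVA_TOOL_OPTIONS` value is correct only because YAML folds each line break inside a double-quoted scalar into a single space, and nothing in the file says that folding is intended; a blank line slipped in between the quotes would become a newline in the environment variable. A `>-` folded block scalar (`value: >-` followed by the same five lines indented under it) states the intent, drops the outer double quotes, and leaves the embedded `'*.slac.stanford.edu'` quoting untouched. The same construct is introduced in the `-178` hunk of this file and in the `-116` and `-160` hunks of seeds/values.yaml.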
@@ -178,8 +180,12 @@ controller:
 value: America/Los_Angeles
 - name: JAVA_TOOL_OPTIONS
 value:
- "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles"
- #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties"
+ "-Dhttp.nonProxyHosts='*.slac.stanford.edu'
+ -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128
+ -Dhttps.nonProxyHosts='*.slac.stanford.edu'
+ -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128
+ -Duser.timezone=America/Los_Angeles"
+ #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties"
 #- name: VAULT_TOKEN_LEASE_DURATION
 # valueFrom:
 # secretKeyRef:
@@ -784,7 +790,8 @@ controller:
 privateKey: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/private_key}"
 scope: GLOBAL
 username: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/username}"
- - basicSSHUserPrivateKey:
+
+ - basicSSHUserPrivateKey:
 description: "SQRE OSX build agents"
 id: "sqre-osx"
 privateKeySource:
@@ -792,6 +799,7 @@ controller:
 privateKey: "${secret/rubin/rubin-jenkins-control-dev/sqre-osx/private_key}"
 scope: GLOBAL
 username: "${secret/rubin/rubin-jenkins-control-dev/sqre-osx/username}"
+
 - basicSSHUserPrivateKey:
 description: "mini OSX build agents"
 id: "mini-osx"
@@ -800,6 +808,7 @@ controller:
 privateKey: "${secret/rubin/rubin-jenkins-control-dev/sqre-mini/private_key}"
 scope: GLOBAL
 username: "${secret/rubin/rubin-jenkins-control/sqre-mini/username}"
+
 - usernamePassword:
 description: "push conda packages -> s3"
 id: "aws-cmirror-push"
@@ -965,7 +974,7 @@ controller:
 javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java"
 launchTimeoutSeconds: 210
 maxNumRetries: 10
- port: 22
+ port: 22
 retryWaitTime: 15
 sshHostKeyVerificationStrategy:
 manuallyTrustedKeyVerificationStrategy:
@@ -983,7 +992,7 @@ controller:
 javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java"
 launchTimeoutSeconds: 210
 maxNumRetries: 10
- port: 22
+ port: 22
 retryWaitTime: 15
 sshHostKeyVerificationStrategy:
 manuallyTrustedKeyVerificationStrategy:
@@ -1001,7 +1010,7 @@ controller:
 javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java"
 launchTimeoutSeconds: 210
 maxNumRetries: 10
- port: 22
+ port: 22
 retryWaitTime: 15
 sshHostKeyVerificationStrategy:
 manuallyTrustedKeyVerificationStrategy:
@@ -1019,7 +1028,7 @@ controller:
 javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java"
 launchTimeoutSeconds: 210
 maxNumRetries: 10
- port: 22
+ port: 22
 retryWaitTime: 15
 sshHostKeyVerificationStrategy:
 manuallyTrustedKeyVerificationStrategy:
@@ -1037,7 +1046,7 @@ controller:
 javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java"
 launchTimeoutSeconds: 210
 maxNumRetries: 10
- port: 22
+ port: 22
 retryWaitTime: 15
 sshHostKeyVerificationStrategy:
 manuallyTrustedKeyVerificationStrategy:
@@ -1055,7 +1064,7 @@ controller:
 javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java"
 launchTimeoutSeconds: 210
 maxNumRetries: 10
- port: 22
+ port: 22
 retryWaitTime: 15
 sshHostKeyVerificationStrategy:
 manuallyTrustedKeyVerificationStrategy:
@@ -1457,7 +1466,7 @@ persistence:
 ## A manually managed Persistent Volume and Claim
 ## Requires persistence.enabled: true
 ## If defined, PVC must be created manually before volume will be bound
- existingClaim: #"dev-jenkins"
+ existingClaim:
 ## jenkins data Persistent Volume Storage Class
 ## If defined, storageClassName:
 ## If set to "-", storageClassName: "", which disables dynamic provisioning
@@ -1465,9 +1474,8 @@ persistence:
 ## set, choosing the default provisioner. (gp2 on AWS, standard on
 ## GKE, AWS & OpenStack)
 ##
- storageClass: #"wekafs--sdf-k8s01"
- annotations:
- #volume.beta.kubernetes.io/storage-provisioner: csi.weka.io
+ storageClass:
+ annotations: {}
 labels: {}
 accessMode: "ReadWriteOnce"
 size: "800Gi"
diff --git a/seeds/values.yaml b/seeds/values.yaml
index 520f4dd0..22e2185e 100644
--- a/seeds/values.yaml
+++ b/seeds/values.yaml
@@ -1,7 +1,6 @@
 ---
 # yamllint disable rule:line-length
-
 # From https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/values.yaml
 # Default values for jenkins.
@@ -24,10 +23,12 @@ renderHelmLabels: true
 controller:
 # Used for label app.kubernetes.io/component
 componentName: "jenkins-controller"
- image: "jenkins/jenkins"
- tag: "2.426.3-lts-jdk11"
- #tagLabel: jdk11
- imagePullPolicy: "Always"
+ image:
+ registry: "docker.io"
+ repository: "jenkins/jenkins"
+ tag: "2.440.2-lts-jdk21"
+ #tagLabel: jdk11
+ pullPolicy: "Always"
 imagePullSecretName:
 # Optionally configure lifetime for controller-container
 lifecycle:
@@ -37,7 +38,9 @@ controller:
 [
 "/bin/sh",
 "-c",
- "echo 'handlers = java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.level = ALL\n.level= ALL' > /var/jenkins_home/logging.properties"
+ "echo 'handlers =
+ java.util.logging.ConsoleHandler\njava.util.logging.ConsoleHandler.level
+ = ALL\n.level= ALL' > /var/jenkins_home/logging.properties",
 ]
 disableRememberMe: false
 numExecutors: 0
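Review bot: `existingClaim:` and `storageClass:` are left bare, which YAML reads as null, while `annotations: {}` two lines below is made explicit; the mixed style makes it easy to mistake the bare keys for an unfinished edit. `existingClaim: ""` and `storageClass: ""` would state the intent and match the `jenkinsHttpsJksSecretName: ""` form used in seeds/values.yaml, provided the chart treats the empty string like null for these keys, which is not visible from here. The removed `#"dev-jenkins"` and `#"wekafs--sdf-k8s01"` hints were the only in-file record of the dev cluster's intended claim and storage class; if they are still meaningful, keeping them as a comment above the keys costs nothing.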
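Review bot: The new `image.registry`, `image.repository`, `image.tag` and `image.pullPolicy` keys only take effect on a chart version that reads them; Helm does not reject unknown keys unless the chart ships a values schema, so an older chart would silently keep its default controller image while this file looks upgraded. The install instructions should therefore pin the chart version this layout targets (`helm install --version <chart-version>`), and the same dependency holds for the renamed admin keys in the `-48` hunk and for `initScripts: {}` in the `-570` hunk. The controller is still pulled by a mutable tag with `pullPolicy: "Always"`; if the chart offers a digest field, pinning `2.440.2-lts-jdk21` by digest would make the controller image reproducible across restarts.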
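Review bot: Splitting the `echo` command across three lines inside a double-quoted flow scalar preserves the string only because YAML folds each line break into one space, and the breaks now fall in the middle of the shell command (after `handlers =` and before `= ALL`), so whether the generated logging.properties is still correct depends on where a future reformat puts the breaks relative to the escaped `\n` sequences. A block-style sequence with a literal scalar shows the file contents exactly as they will be written and needs no escaping. The key owning this command list sits above the hunk.

```yaml
# … unchanged: the key owning this command list, above the hunk …
- /bin/sh
- -c
- |
  echo 'handlers = java.util.logging.ConsoleHandler
  java.util.logging.ConsoleHandler.level = ALL
  .level= ALL' > /var/jenkins_home/logging.properties
```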
@@ -48,18 +51,19 @@ controller:
 customJenkinsLabels: []
 # The default configuration uses this secret to configure an admin user
 # If you don't need that user or use a different security realm then you can disable it
- adminSecret: true
 hostNetworking: false
 # When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist.
 # If you disable the non-Jenkins identity store and instead use the Jenkins internal one,
 # you should revert controller.adminUser to your preferred admin user:
- adminUser: "admin"
+ # adminPassword:
 admin:
 existingSecret: ""
 userKey: jenkins-admin-user
 passwordKey: jenkins-admin-password
+ createSecret: true
+ username: "admin"
 # This values should not be changed unless you use your custom image of
 # jenkins or any devired from. If you want to use Cloudbees Jenkins
 # Distribution docker, you should set jenkinsHome:
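Review bot: `admin.createSecret: true` together with `admin.existingSecret: ""` means the admin password is whatever the chart generates into its own Secret at install time, if the chart's default behaviour applies, and nothing in the file now says where that credential lives or that it is only read from the keys named under `admin:`. A one-line comment above `admin:` would spare the next operator a trip to the chart documentation, e.g. `# existingSecret is empty: the chart creates the admin Secret itself (keys below); set existingSecret to manage the credential externally`. The `# adminPassword:` placeholder added above it should stay commented — a literal value there would be committed to git and echoed by every `helm get values`.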
@@ -116,11 +120,16 @@ controller:
 - name: https_proxy
 value: http://sdfproxy.sdf.slac.stanford.edu:3128
 - name: no_proxy
- value: '*.slac.stanford.edu'
+ value: "*.slac.stanford.edu"
 - name: NO_PROXY
- value: '*.slac.stanford.edu'
+ value: "*.slac.stanford.edu"
 - name: JAVA_TOOL_OPTIONS
- value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles"
+ value:
+ "-Dhttp.nonProxyHosts='*.slac.stanford.edu'
+ -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128
+ -Dhttps.nonProxyHosts='*.slac.stanford.edu'
+ -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128
+ -Duser.timezone=America/Los_Angeles"
 #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties"
 - name: TZ
 value: America/Los_Angeles
@@ -142,11 +151,11 @@ controller:
 secretKeyRef:
 name: vault-approle
 key: APPROLE_SECRET
- #- name: CASC_VAULT_TOKEN
- # valueFrom:
- # secretKeyRef:
- # name: vault-token2
- # key: VAULT_TOKEN
+ #- name: CASC_VAULT_TOKEN
+ # valueFrom:
+ # secretKeyRef:
+ # name: vault-token2
+ # key: VAULT_TOKEN
 - name: CASC_VAULT_URL
 value: https://vault.slac.stanford.edu
 - name: CASC_VAULT_PATHS
@@ -160,13 +169,18 @@ controller:
 - name: https_proxy
 value: http://sdfproxy.sdf.slac.stanford.edu:3128
 - name: no_proxy
- value: '*.slac.stanford.edu'
+ value: "*.slac.stanford.edu"
 - name: NO_PROXY
- value: '*.slac.stanford.edu'
+ value: "*.slac.stanford.edu"
 - name: TZ
 value: America/Los_Angeles
 - name: JAVA_TOOL_OPTIONS
- value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Duser.timezone=America/Los_Angeles"
+ value:
+ "-Dhttp.nonProxyHosts='*.slac.stanford.edu'
+ -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128
+ -Dhttps.nonProxyHosts='*.slac.stanford.edu'
+ -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128
+ -Duser.timezone=America/Los_Angeles"
 #value: "-Dhttp.nonProxyHosts='*.slac.stanford.edu' -Dhttp.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttp.proxyPort=3128 -Dhttps.nonProxyHosts='*.slac.stanford.edu' -Dhttps.proxyHost=sdfproxy.sdf.slac.stanford.edu -Dhttps.proxyPort=3128 -Djava.util.logging.config.file=/var/jenkins_home/logging.properties"
 #- name: VAULT_TOKEN_LEASE_DURATION
 # valueFrom:
@@ -325,7 +339,7 @@ controller:
 # LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to
 # set allowed inbound rules on the security group assigned to the controller load balancer
 loadBalancerSourceRanges:
-# - 0.0.0.0/0
+ # - 0.0.0.0/0
 # Optionally assign a known public LB IP
 # loadBalancerIP: 1.2.3.4
 # Optionally configure a JMX port
@@ -350,7 +364,6 @@ controller:
 - matrix-auth:3.1.9
 - hashicorp-vault-plugin:364.vf5d54b_3dc313
-
 # Set to false to download the minimum required version of all dependencies.
 installLatestPlugins: false
@@ -362,7 +375,7 @@ controller:
 #- ace-editor:1.1
 - antisamy-markup-formatter:162.v0e6ec0fcfcf6
 - apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
-#depreciated - async-http-client:1.9.40.0
+ #depreciated - async-http-client:1.9.40.0
 - authentication-tokens:1.53.v1c90fd9191a_b_
 - blueocean-autofavorite:1.2.5
 - blueocean-bitbucket-pipeline:1.27.9
@@ -417,12 +430,12 @@ controller:
 - github-branch-source:1751.v90e17c48a_6a_c
 - github-oauth:597.ve0c3480fcb_d0
 - git-server:99.va_0826a_b_cdfa_d
-#depreciated - greenballs:1.15.1
+ #depreciated - greenballs:1.15.1
 - groovy:457.v99900cb_85593
-#depreciated - handlebars:3.0.8
+ #depreciated - handlebars:3.0.8
 - handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
 - htmlpublisher:1.32
-#depreciated - icon-shim:3.0.0
+ #depreciated - icon-shim:3.0.0
 - instance-identity:185.v303dc7c645f9
 - ionicons-api:56.v1b_1c8c49374e
 - jackson2-api:2.15.3-372.v309620682326
@@ -438,7 +451,7 @@ controller:
 - jira:3.11
 - jjwt-api:0.11.5-77.v646c772fddb_0
 - jquery:1.12.4-1
-#depreciated - jquery-detached:1.2.1
+ #depreciated - jquery-detached:1.2.1
 - jquery3-api:3.7.1-1
 - jsch:0.2.8-65.v052c39de79b_2
 - junit:1240.vf9529b_881428
@@ -452,8 +465,8 @@ controller:
 - mina-sshd-api-common:2.11.0-86.v836f585d47fa_
 - mina-sshd-api-core:2.11.0-86.v836f585d47fa_
 - metrics:4.2.18-442.v02e107157925
-#depreciated - momentjs:1.1.1
-#depreciated - need alternative? - multiple-scms:0.8
+ #depreciated - momentjs:1.1.1
+ #depreciated - need alternative? - multiple-scms:0.8
 - nodelabelparameter:1.12.0
 - okhttp-api:4.11.0-157.v6852a_a_fa_ec11
 - parameterized-trigger:787.v665fcf2a_830b_
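Review bot: The marker comments re-indented here keep the misspelling `#depreciated` and have no space after `#`, unlike the `# ` style of the surrounding comment lines; since these lines are rewritten anyway, `# deprecated - async-http-client:1.9.40.0` would read correctly and pass yamllint's `comments` rule. The same applies to the `-417`, `-438` and `-452` hunks here and to the `-463` and `-493` hunks that follow. Stating why each entry was retired (removed from the update centre, replaced by another plugin) next to the marker would also make it safer to delete the stale lines later.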
@@ -463,7 +476,7 @@ controller:
 - pipeline-input-step:477.v339683a_8d55e
 - pipeline-milestone-step:111.v449306f708b_7
 - pipeline-model-api:2.2151.ve32c9d209a_3f
-#depreciated - pipeline-model-declarative-agent:1.1.1
+ #depreciated - pipeline-model-declarative-agent:1.1.1
 - pipeline-model-definition:2.2151.ve32c9d209a_3f
 - pipeline-model-extensions:2.2151.ve32c9d209a_3f
 - pipeline-rest-api:2.34
@@ -493,11 +506,11 @@ controller:
 - token-macro:384.vf35b_f26814ec
 - trilead-api:2.84.v72119de229b_7
 - variant:60.v7290fc0eb_b_cd
-#depreciated - windows-slaves:1.8.1 need to find alternative?
+ #depreciated - windows-slaves:1.8.1 need to find alternative?
 - workflow-api:1283.v99c10937efcb_
 - workflow-basic-steps:1042.ve7b_140c4a_e0c
 - workflow-cps:3806.va_3a_6988277b_2
-#depreciated - workflow-cps-global-lib:609.vd95673f149b_b
+ #depreciated - workflow-cps-global-lib:609.vd95673f149b_b
 - workflow-durable-task-step:1289.v4d3e7b_01546b_
 - workflow-job:1360.vc6700e3136f5
 - workflow-multibranch:756.v891d88f2cd46
@@ -505,7 +518,6 @@ controller:
 - workflow-step-api:639.v6eca_cd8c04a_a_
 - workflow-support:865.v43e78cc44e0d
-
 # Enable to initialize the Jenkins controller only once on initial installation.
 # Without this, whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates which has the potential to cause breakage.
 # Note that for this to work, `persistence.enabled` needs to be set to `true`
@@ -570,7 +582,7 @@ controller:
 - "staticMethod org.codehaus.groovy.runtime.StackTraceUtils sanitize java.lang.Throwable"
 - "method java.net.URL openConnection"
 # List of groovy init scripts to be executed during Jenkins controller start
- initScripts: []
+ initScripts: {}
 # - |
 # print 'adding global pipeline libraries, register properties, bootstrap jobs...'
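Review bot: `initScripts` becomes a mapping (`{}`) but the commented example directly under it (`# - |` / `# print '...'`) still shows the old list form, so the only in-file hint for adding an init script is now wrong for the type and a copy-paste of it would fail to parse against the new shape. If the new chart keys scripts by name, the example should become `# <script-name>: |` followed by the indented script; otherwise a one-line comment stating the expected shape is enough. The rest of the commented example continues below the hunk.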
@@ -946,9 +958,13 @@ controller:
 # jcasc changes will cause a reboot and will only be applied at the subsequent start-up. Auto-reload uses the
 # http:///reload-configuration-as-code endpoint to reapply config when changes to the configScripts are detected.
 enabled: false
- image: kiwigrid/k8s-sidecar:1.15.0
+ image:
+ registry: docker.io
+ repository: kiwigrid/k8s-sidecar
+ tag: 1.26.1
 imagePullPolicy: IfNotPresent
- resources: {}
+ resources:
+ {}
 # limits:
 # cpu: 100m
 # memory: 100Mi
@@ -1131,7 +1147,7 @@ controller:
 testEnabled: true
 httpsKeyStore:
- jenkinsHttpsJksSecretName: ''
+ jenkinsHttpsJksSecretName: ""
 enable: false
 httpPort: 8081
 path: "/var/jenkins_keystore"
@@ -1150,8 +1166,9 @@ agent:
 kubernetesReadTimeout: 15
 maxRequestsPerHostStr: "32"
 namespace:
- image: "jenkins/inbound-agent"
- tag: "4.11.2-4"
+ image:
+ repository: "jenkins/inbound-agent"
+ tag: "4.11.2-4"
 workingDir: "/home/jenkins/agent"
 nodeUsageMode: "NORMAL"
 customJenkinsLabels: []
@@ -1356,7 +1373,8 @@ networkPolicy:
 internalAgents:
 allowed: true
 podLabels: {}
- namespaceLabels: {}
+ namespaceLabels:
+ {}
 # project: myproject
 externalAgents: {}
 # ipCIDR: 172.17.0.0/16
@@ -1375,7 +1393,6 @@ serviceAccount:
 annotations: {}
 imagePullSecretName:
-
 serviceAccountAgent:
 # Specifies whether a ServiceAccount should be created
 create: false
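Review bot: `resources:` followed by `{}` on its own line (and `namespaceLabels:` / `{}` in the `-1356` hunk) parses to the same empty mapping as the inline form but reads as a formatter artefact and visually detaches the value from its key; `resources: {}` on one line is the form the rest of this file uses (`labels: {}`, `externalAgents: {}`). The sidecar also moves from `1.15.0` to `1.26.1` here while remaining on a mutable tag; because this container sits next to the controller and feeds it configuration, a digest pin, if the chart exposes one, is worth more on this image than on most.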
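Review bot: The agent image stays at `jenkins/inbound-agent:4.11.2-4` while the controller in the `-24` hunk moves to `2.440.2-lts-jdk21`, so the remoting version baked into the agent tag is several releases behind the controller and the JDK generations now differ; it is worth confirming on the new controller that inbound agents of this version still connect, and recording the outcome in a comment next to `tag:`. Unlike the controller and sidecar blocks, no `registry:` is given for the agent, so it falls back to whatever default the chart applies — stating it explicitly keeps the three image blocks consistent.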
@@ -1387,71 +1404,7 @@ serviceAccountAgent:
 ## Backup cronjob configuration
 ## Ref: https://github.com/maorfr/kube-tasks
-backup:
- # Backup must use RBAC
- # So by enabling backup you are enabling RBAC specific for backup
- enabled: false
- # Used for label app.kubernetes.io/component
- componentName: "backup"
- # Schedule to run jobs. Must be in cron time format
- # Ref: https://crontab.guru/
- schedule: "0 2 * * *"
- labels: {}
- serviceAccount:
- create: true
- name:
- annotations: {}
- # Example for authorization to AWS S3 using kube2iam or IRSA
- # Can also be done using environment variables
- # iam.amazonaws.com/role: "jenkins"
- # "eks.amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/jenkins-backup"
- # Set this to terminate the job that is running/failing continously and set the job status to "Failed"
- activeDeadlineSeconds: ""
- image:
- repository: "maorfr/kube-tasks"
- tag: "0.2.0"
- imagePullSecretName:
- # Additional arguments for kube-tasks
- # Ref: https://github.com/maorfr/kube-tasks#simple-backup
- extraArgs: []
- # Add existingSecret for AWS credentials
- existingSecret: {}
- ## Example for using an existing secret
- # jenkinsaws:
- ## Use this key for AWS access key ID
- # awsaccesskey: jenkins_aws_access_key
- ## Use this key for AWS secret access key
- # awssecretkey: jenkins_aws_secret_key
- # Add additional environment variables
- # jenkinsgcp:
- ## Use this key for GCP credentials
- # gcpcredentials: credentials.json
- env: []
- # Example environment variable required for AWS credentials chain
- # - name: "AWS_REGION"
- # value: "us-east-1"
- resources:
- requests:
- memory: 1Gi
- cpu: 1
- limits:
- memory: 1Gi
- cpu: 1
- # Destination to store the backup artifacts
- # Supported cloud storage services: AWS S3, Minio S3, Azure Blob Storage, Google Cloud Storage
- # Additional support can added. Visit this repository for details
- # Ref: https://github.com/maorfr/skbn
- destination: "s3://jenkins-data/backup"
- # By enabling only the jenkins_home/jobs folder gets backed up, not the whole jenkins instance
- onlyJobs: false
- # Enable backup pod security context (must be `true` if runAsUser or fsGroup are set)
- usePodSecurityContext: true
- # When setting runAsUser to a different value than 0 also set fsGroup to the same value:
- runAsUser: 1000
- fsGroup: 1000
- securityContextCapabilities: {}
- # drop:
- # - NET_RAW
+ checkDeprecation: true
 awsSecurityGroupPolicies:
From 1865ccf3f4faa254441807e2f7c66c1462057886 Mon Sep 17 00:00:00 2001
From: aranabhat <138172063+aranabhat@users.noreply.github.com>
Date: Wed, 3 Apr 2024 22:56:20 +0000
Subject: [PATCH 28/29] spaces
---
 seeds/dev-values.yaml | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml
index e9a604fa..81dda1be 100644
--- a/seeds/dev-values.yaml
+++ b/seeds/dev-values.yaml
@@ -790,7 +790,6 @@ controller:
 privateKey: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/private_key}"
 scope: GLOBAL
 username: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/username}"
-
 - basicSSHUserPrivateKey:
 description: "SQRE OSX build agents"
 id: "sqre-osx"
@@ -799,7 +798,6 @@ controller:
 privateKey: "${secret/rubin/rubin-jenkins-control-dev/sqre-osx/private_key}"
 scope: GLOBAL
 username: "${secret/rubin/rubin-jenkins-control-dev/sqre-osx/username}"
-
 - basicSSHUserPrivateKey:
 description: "mini OSX build agents"
 id: "mini-osx"
@@ -808,7 +806,6 @@ controller:
 privateKey: "${secret/rubin/rubin-jenkins-control-dev/sqre-mini/private_key}"
 scope: GLOBAL
 username: "${secret/rubin/rubin-jenkins-control/sqre-mini/username}"
-
 - usernamePassword:
 description: "push conda packages -> s3"
 id: "aws-cmirror-push"
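Review bot: Removing the whole `backup:` stanza drops the only backup configuration in the file, and `checkDeprecation: true` takes its place without any note on what happened to backups; because the stanza was `enabled: false` nothing running changes, but the `s3://jenkins-data/backup` destination and the `0 2 * * *` schedule were the record of how jenkins_home was meant to be protected. A comment above `checkDeprecation: true` such as `# backup: stanza removed with the chart upgrade; jenkins_home backups must now be handled outside the chart` keeps that knowledge in the file, and whatever PVC snapshot or job replaces it should be referenced from the README so a restore path exists before the old configuration is forgotten. The two `##` header lines left above it still describe the removed cron job and should be dropped or reworded in the same change.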
@@ -974,7 +971,7 @@ controller:
 javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java"
 launchTimeoutSeconds: 210
 maxNumRetries: 10
- port: 22
+ port: 22
 retryWaitTime: 15
 sshHostKeyVerificationStrategy:
 manuallyTrustedKeyVerificationStrategy:
@@ -992,7 +989,7 @@ controller:
 javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java"
 launchTimeoutSeconds: 210
 maxNumRetries: 10
- port: 22
+ port: 22
 retryWaitTime: 15
 sshHostKeyVerificationStrategy:
 manuallyTrustedKeyVerificationStrategy:
@@ -1010,7 +1007,7 @@ controller:
 javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java"
 launchTimeoutSeconds: 210
 maxNumRetries: 10
- port: 22
+ port: 22
 retryWaitTime: 15
 sshHostKeyVerificationStrategy:
 manuallyTrustedKeyVerificationStrategy:
@@ -1028,7 +1025,7 @@ controller:
 javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java"
 launchTimeoutSeconds: 210
 maxNumRetries: 10
- port: 22
+ port: 22
 retryWaitTime: 15
 sshHostKeyVerificationStrategy:
 manuallyTrustedKeyVerificationStrategy:
@@ -1046,7 +1043,7 @@ controller:
 javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java"
 launchTimeoutSeconds: 210
 maxNumRetries: 10
- port: 22
+ port: 22
 retryWaitTime: 15
 sshHostKeyVerificationStrategy:
 manuallyTrustedKeyVerificationStrategy:
@@ -1064,7 +1061,7 @@ controller:
 javaPath: "~/jdk-21.0.2.jdk/Contents/Home/bin/java"
 launchTimeoutSeconds: 210
 maxNumRetries: 10
- port: 22
+ port: 22
 retryWaitTime: 15
 sshHostKeyVerificationStrategy:
 manuallyTrustedKeyVerificationStrategy:
From e58cb67de0c63535cf72ce647981553ad1fb969d Mon Sep 17 00:00:00 2001
From: aranabhat <138172063+aranabhat@users.noreply.github.com>
Date: Wed, 3 Apr 2024 22:58:31 +0000
Subject: [PATCH 29/29] space
---
 seeds/dev-values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/seeds/dev-values.yaml b/seeds/dev-values.yaml
index 81dda1be..dddbc1ca 100644
--- a/seeds/dev-values.yaml
+++ b/seeds/dev-values.yaml
@@ -790,7 +790,7 @@ controller:
 privateKey: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/private_key}"
 scope: GLOBAL
 username: "${secret/rubin/rubin-jenkins-control-dev/github-jenkins-versiondb/username}"
- - basicSSHUserPrivateKey:
+ - basicSSHUserPrivateKey:
 description: "SQRE OSX build agents"
 id: "sqre-osx"
 privateKeySource: