# Jenkins Helm Chart

Jenkins master and slave cluster utilizing the Jenkins Kubernetes plugin

* https://wiki.jenkins-ci.org/display/JENKINS/Kubernetes+Plugin

Inspired by the awesome work of Carlos Sanchez <mailto:carlos@apache.org>

## Chart Details

This chart will do the following:

* 1 x Jenkins Master with port 8080 exposed on an external LoadBalancer
* All using Kubernetes Deployments

## Installing the Chart

To install the chart with the release name `my-release`:

```bash
$ helm install --name my-release stable/jenkins
```

## Configuration

The following tables list the configurable parameters of the Jenkins chart and their default values.

### Jenkins Master

| Parameter | Description | Default |
| --- | --- | --- |
| `nameOverride` | Override the resource name prefix | `jenkins` |
| `fullnameOverride` | Override the full resource names | `jenkins-{release-name}` (or `jenkins` if release-name is `jenkins`) |
| `Master.Name` | Jenkins master name | `jenkins-master` |
| `Master.Image` | Master image name | `jenkinsci/jenkins` |
| `Master.ImageTag` | Master image tag | `lts` |
| `Master.ImagePullPolicy` | Master image pull policy | `Always` |
| `Master.ImagePullSecret` | Master image pull secret | Not set |
| `Master.Component` | k8s selector key | `jenkins-master` |
| `Master.UseSecurity` | Use basic security | `true` |
| `Master.AdminUser` | Admin username (and password) created as a secret if useSecurity is true | `admin` |
| `Master.AdminPassword` | Admin password (and user) created as a secret if useSecurity is true | Random value |
| `Master.JenkinsAdminEmail` | Email address for the administrator of the Jenkins instance | Not set |
| `Master.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 50m, memory: 256Mi}, limits: {cpu: 2000m, memory: 2048Mi}}` |
| `Master.InitContainerEnv` | Environment variables for Init Container | Not set |
| `Master.ContainerEnv` | Environment variables for Jenkins Container | Not set |
| `Master.UsePodSecurityContext` | Enable pod security context (must be `true` if `RunAsUser` or `FsGroup` are set) | `true` |
| `Master.RunAsUser` | uid that jenkins runs with | `0` |
| `Master.FsGroup` | uid that will be used for persistent volume | `0` |
| `Master.ServiceAnnotations` | Service annotations | `{}` |
| `Master.ServiceType` | k8s service type | `LoadBalancer` |
| `Master.ServicePort` | k8s service port | `8080` |
| `Master.NodePort` | k8s node port | Not set |
| `Master.HealthProbes` | Enable k8s liveness and readiness probes | `true` |
| `Master.HealthProbesLivenessTimeout` | Set the timeout for the liveness probe | `120` |
| `Master.HealthProbesReadinessTimeout` | Set the timeout for the readiness probe | `60` |
| `Master.HealthProbeLivenessFailureThreshold` | Set the failure threshold for the liveness probe | `12` |
| `Master.SlaveListenerPort` | Listening port for agents | `50000` |
| `Master.DisabledAgentProtocols` | Disabled agent protocols | `JNLP-connect JNLP2-connect` |
| `Master.CSRF.DefaultCrumbIssuer.Enabled` | Enable the default CSRF Crumb issuer | `true` |
| `Master.CSRF.DefaultCrumbIssuer.ProxyCompatability` | Enable proxy compatibility | `true` |
| `Master.CLI` | Enable CLI over remoting | `false` |
| `Master.LoadBalancerSourceRanges` | Allowed inbound IP addresses | `0.0.0.0/0` |
| `Master.LoadBalancerIP` | Optional fixed external IP | Not set |
| `Master.JMXPort` | Open a port, for JMX stats | Not set |
| `Master.ExtraPorts` | Open extra ports, for other uses | Not set |
| `Master.CustomConfigMap` | Use a custom ConfigMap | `false` |
| `Master.OverwriteConfig` | Replace config w/ ConfigMap on boot | `false` |
| `Master.Ingress.Annotations` | Ingress annotations | `{}` |
| `Master.Ingress.TLS` | Ingress TLS configuration | `[]` |
| `Master.InitScripts` | List of Jenkins init scripts | Not set |
| `Master.CredentialsXmlSecret` | Kubernetes secret that contains a 'credentials.xml' file | Not set |
| `Master.SecretsFilesSecret` | Kubernetes secret that contains 'secrets' files | Not set |
| `Master.Jobs` | Jenkins XML job configs | Not set |
| `Master.InstallPlugins` | List of Jenkins plugins to install | `kubernetes:1.12.0 workflow-aggregator:2.5 credentials-binding:1.16 git:3.9.1 workflow-job:2.23` |
| `Master.ScriptApproval` | List of groovy functions to approve | Not set |
| `Master.NodeSelector` | Node labels for pod assignment | `{}` |
| `Master.Affinity` | Affinity settings | `{}` |
| `Master.Tolerations` | Toleration labels for pod assignment | `{}` |
| `Master.PodAnnotations` | Annotations for master pod | `{}` |
| `NetworkPolicy.Enabled` | Enable creation of NetworkPolicy resources. | `false` |
| `NetworkPolicy.ApiVersion` | NetworkPolicy ApiVersion | `extensions/v1beta1` |
| `rbac.install` | Create service account and ClusterRoleBinding for Kubernetes plugin | `false` |
| `rbac.roleRef` | Cluster role name to bind to | `cluster-admin` |
| `rbac.roleBindingKind` | Role kind (`RoleBinding` or `ClusterRoleBinding`) | `ClusterRoleBinding` |

### Jenkins Agent

| Parameter | Description | Default |
| --- | --- | --- |
| `Agent.AlwaysPullImage` | Always pull agent container image before build | `false` |
| `Agent.CustomJenkinsLabels` | Append Jenkins labels to the agent | `{}` |
| `Agent.Enabled` | Enable Kubernetes plugin jnlp-agent podTemplate | `true` |
| `Agent.Image` | Agent image name | `jenkinsci/jnlp-slave` |
| `Agent.ImagePullSecret` | Agent image pull secret | Not set |
| `Agent.ImageTag` | Agent image tag | `2.62` |
| `Agent.Privileged` | Agent privileged container | `false` |
| `Agent.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 200m, memory: 256Mi}, limits: {cpu: 200m, memory: 256Mi}}` |
| `Agent.volumes` | Additional volumes | `nil` |

Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart.
For example,

```bash
$ helm install --name my-release -f values.yaml stable/jenkins
```

> **Tip**: You can use the default [values.yaml](values.yaml)

## Mounting volumes into your Agent pods

Your Jenkins Agents will run as pods, and it's possible to inject volumes where needed:

```yaml
Agent:
  volumes:
  - type: Secret
    secretName: jenkins-mysecrets
    mountPath: /var/run/secrets/jenkins-mysecrets
```

The supported volume types are: `ConfigMap`, `EmptyDir`, `HostPath`, `Nfs`, `Pod`, `Secret`. Each type supports a different set of configurable attributes, defined by [the corresponding Java class](https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes).

## NetworkPolicy

To make use of the NetworkPolicy resources created by default,
install [a networking plugin that implements the Kubernetes
NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin).

For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting
the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace:

    kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"

Install helm chart with network policy enabled:

    $ helm install stable/jenkins --set NetworkPolicy.Enabled=true

## Persistence

The Jenkins image stores persistence under `/var/jenkins_home` path of the container. A dynamically managed Persistent Volume
Claim is used to keep the data across deployments, by default. This is known to work in GCE, AWS, and minikube. Alternatively,
a previously configured Persistent Volume Claim can be used.

It is possible to mount several volumes using `Persistence.volumes` and `Persistence.mounts` parameters.

### Persistence Values

| Parameter | Description | Default |
| --- | --- | --- |
| `Persistence.Enabled` | Enable the use of a Jenkins PVC | `true` |
| `Persistence.ExistingClaim` | Provide the name of a PVC | `nil` |
| `Persistence.AccessMode` | The PVC access mode | `ReadWriteOnce` |
| `Persistence.Size` | The size of the PVC | `8Gi` |
| `Persistence.volumes` | Additional volumes | `nil` |
| `Persistence.mounts` | Additional mounts | `nil` |

#### Existing PersistentVolumeClaim

1. Create the PersistentVolume
1. Create the PersistentVolumeClaim
1. Install the chart

```bash
$ helm install --name my-release --set Persistence.ExistingClaim=PVC_NAME stable/jenkins
```

## Custom ConfigMap

When creating a new parent chart with this chart as a dependency, the `CustomConfigMap` parameter can be used to override the default config.xml provided.
It also allows for providing additional xml configuration files that will be copied into `/var/jenkins_home`. In the parent chart's values.yaml,
set the `jenkins.Master.CustomConfigMap` value to true like so

```yaml
jenkins:
  Master:
    CustomConfigMap: true
```

and provide the file `templates/config.tpl` in your parent chart for your use case. You can start by copying the contents of `config.yaml` from this chart into your parent chart's `templates/config.tpl` as a basis for customization.
Finally, you'll need to wrap the contents of `templates/config.tpl` like so:

```yaml
{{- define "override_config_map" }}
    <CONTENTS_HERE>
{{ end }}
```

## RBAC

If running on a cluster with RBAC enabled, you will need to do the following:

* `helm install stable/jenkins --set rbac.install=true`
* Create a Jenkins credential of type Kubernetes service account with the service account name provided in the `helm status` output.
* Under configure Jenkins -- Update the credentials config in the cloud section to use the service account credential you created in the step above.

## Run Jenkins as non root user

The default settings of this helm chart let Jenkins run as root user with uid `0`.
For security reasons, you may want to run Jenkins as a non-root user.
Fortunately the default jenkins docker image `jenkins/jenkins` contains a user `jenkins` with uid `1000` that can be used for this purpose.

Simply use the following settings to run Jenkins as `jenkins` user with uid `1000`.

```yaml
jenkins:
  Master:
    RunAsUser: 1000
    FsGroup: 1000
```

## Providing jobs xml

Jobs can be created (and overwritten) by providing jenkins config xml within the `values.yaml` file.
The keys of the map will become a directory within the jobs directory.
The values of the map will become the `config.xml` file in the respective directory.

Below is an example of a `values.yaml` file and the directory structure created:

#### values.yaml
```yaml
Master:
  Jobs:
    test-job: |-
      <?xml version='1.0' encoding='UTF-8'?>
      <project>
        <keepDependencies>false</keepDependencies>
        <properties/>
        <scm class="hudson.scm.NullSCM"/>
        <canRoam>false</canRoam>
        <disabled>false</disabled>
        <blockBuildWhenDownstreamBuilding>false</blockBuildWhenDownstreamBuilding>
        <blockBuildWhenUpstreamBuilding>false</blockBuildWhenUpstreamBuilding>
        <triggers/>
        <concurrentBuild>false</concurrentBuild>
        <builders/>
        <publishers/>
        <buildWrappers/>
      </project>
    test-job-2: |-
      <?xml version='1.0' encoding='UTF-8'?>
      <project>
        <keepDependencies>false</keepDependencies>
        <properties/>
        <scm class="hudson.scm.NullSCM"/>
        <canRoam>false</canRoam>
        <disabled>false</disabled>
        <blockBuildWhenDownstreamBuilding>false</blockBuildWhenDownstreamBuilding>
        <blockBuildWhenUpstreamBuilding>false</blockBuildWhenUpstreamBuilding>
        <triggers/>
        <concurrentBuild>false</concurrentBuild>
        <builders/>
        <publishers/>
        <buildWrappers/>
      </project>
```

#### Directory structure of jobs directory
```
.
├── _test-job-1
|   └── config.xml
├── _test-job-2
|   └── config.xml
```

Docs taken from https://github.com/jenkinsci/docker/blob/master/Dockerfile:
_Jenkins is run with user `jenkins`, uid = 1000. If you bind mount a volume from the host or a data container, ensure you use the same uid_

## Running behind a forward proxy

The master pod uses an Init Container to install plugins etc. If you are behind a corporate proxy it may be useful to set `Master.InitContainerEnv` to add environment variables such as `http_proxy`, so that these can be downloaded.

Additionally, you may want to add env vars for the Jenkins container, and the JVM (`Master.JavaOpts`).

```yaml
Master:
  InitContainerEnv:
    - name: http_proxy
      value: "http://192.168.64.1:3128"
    - name: https_proxy
      value: "http://192.168.64.1:3128"
    - name: no_proxy
      value: ""
  ContainerEnv:
    - name: http_proxy
      value: "http://192.168.64.1:3128"
    - name: https_proxy
      value: "http://192.168.64.1:3128"
  JavaOpts: >-
    -Dhttp.proxyHost=192.168.64.1
    -Dhttp.proxyPort=3128
    -Dhttps.proxyHost=192.168.64.1
    -Dhttps.proxyPort=3128
```
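
Several defaults in the configuration tables above matter for security: the master runs as uid `0`, `Master.LoadBalancerSourceRanges` is `0.0.0.0/0`, `NetworkPolicy.Enabled` is `false`, and `rbac.roleRef` is `cluster-admin` bound through a `ClusterRoleBinding`. The values overlay and ClusterRole below are an added example, not part of the original chart documentation, that tighten those settings for a direct `helm install -f` of this chart. The file names, the ClusterRole name `jenkins-agent-pods` and its rule set, the list form of the source ranges, the source range itself and the image tag placeholder are assumptions.

```yaml
# --- hardened-values.yaml (hypothetical file name) ---
# helm install --name my-release -f hardened-values.yaml stable/jenkins
Master:
  ImageTag: "<PINNED_TAG>"        # placeholder: pin a fixed tag instead of floating `lts`
  UseSecurity: true               # chart default, stated explicitly
  RunAsUser: 1000                 # `jenkins` user in the image, instead of uid 0
  FsGroup: 1000
  CLI: false                      # chart default: CLI over remoting stays off
  CSRF:
    DefaultCrumbIssuer:
      Enabled: true               # chart default
  ServiceType: LoadBalancer
  LoadBalancerSourceRanges:       # default is 0.0.0.0/0 (any source); list form assumed
  - 203.0.113.0/24                # constructed example range; use your admin network
Agent:
  Privileged: false               # chart default
NetworkPolicy:
  Enabled: true                   # needs a network plugin that enforces NetworkPolicy
rbac:
  install: true
  roleBindingKind: RoleBinding    # namespace-scoped, instead of ClusterRoleBinding
  roleRef: jenkins-agent-pods     # hypothetical ClusterRole below, instead of cluster-admin
---
# --- jenkins-agent-pods.yaml (hypothetical; kubectl apply -f before helm install) ---
# Assumed rule set: only what the Kubernetes plugin needs to run agent pods.
# Verify it against the plugin version you deploy.
apiVersion: rbac.authorization.k8s.io/v1   # v1 needs Kubernetes 1.8 or later
kind: ClusterRole
metadata:
  name: jenkins-agent-pods
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch"]
```

Bound through a `RoleBinding`, the ClusterRole's permissions apply only in the release namespace, so the Jenkins service account token no longer carries cluster-wide rights.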