This commit is contained in:
sido 2018-06-29 21:57:46 +02:00
commit 8919984691
6 changed files with 258 additions and 399 deletions


@ -1,6 +1,6 @@
name: molgenis-jenkins name: molgenis-jenkins
home: https://jenkins.io/ home: https://jenkins.io/
version: 0.2.2 version: 0.2.5
appVersion: 2.107 appVersion: 2.107
description: Molgenis installation for the jenkins chart. description: Molgenis installation for the jenkins chart.
sources: sources:


@ -1,10 +1,7 @@
# Molgenis Jenkins Helm Chart # Molgenis Jenkins Helm Chart
Jenkins master and slave cluster utilizing the Jenkins Kubernetes plugin Jenkins master and slave cluster utilizing the Jenkins Kubernetes plugin.
Wraps [the kuberenetes jenkins chart](https://github.com/kubernetes/charts/tree/master/stable/jenkins), see documentation there!
* https://wiki.jenkins-ci.org/display/JENKINS/Kubernetes+Plugin
Inspired by the awesome work of Carlos Sanchez <mailto:carlos@apache.org>
## Chart Details ## Chart Details
@ -15,223 +12,70 @@ This chart will do the following:
## Installing the Chart ## Installing the Chart
In the rancher UI, choose the molgenis-jenkins app from the catalog and deploy it. Usually, you'll be deploying this to the molgenis cluster.
In the [Rancher Catalog](https://rancher.molgenis.org:7443/g/catalog), add the latest version of this repository.
In the [molgenis cluster management page](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/apps), choose the
catalog, pick the molgenis-jenkins app from the catalog and deploy it.
## Configuration ## Configuration
The following tables list the configurable parameters of the Jenkins chart and their default values. When deploying, you can paste values into the Rancher Answers to override the defaults in this chart.
You can paste these values into the Rancher Answers if you like. Array values can be added as {value, value, value}.
Array values can be added as {value, value, value}, e.g.
``` ```
jenkins.Master.HostName=jenkins.molgenis.org
jenkins.Master.AdminPassword=pa$$word
jenkins.Persistence.Enabled=false
jenkins.Master.InstallPlugins={kubernetes:1.8.4, workflow-aggregator:2.5, workflow-job:2.21, credentials-binding:1.16, git:3.9.1} jenkins.Master.InstallPlugins={kubernetes:1.8.4, workflow-aggregator:2.5, workflow-job:2.21, credentials-binding:1.16, git:3.9.1}
PipelineSecrets.Env.PGPPassphrase=literal:S3cr3t
``` ```
> Because we use jenkins as a sub-chart, you should prefix all values with `jenkins`!
### Jenkins Master You can use [all configuration values of the jenkins subchart](https://github.com/kubernetes/charts/tree/master/stable/jenkins).
| Parameter | Description | Default | > Because we use jenkins as a sub-chart, you should prefix all value keys with `jenkins`!
| --------------------------------- | ------------------------------------ | ---------------------------------------------------------------------------- |
| `nameOverride` | Override the resource name prefix | `jenkins` |
| `fullnameOverride` | Override the full resource names | `jenkins-{release-name}` (or `jenkins` if release-name is `jenkins`) |
| `Master.Name` | Jenkins master name | `jenkins-master` |
| `Master.Image` | Master image name | `jenkinsci/jenkins` |
| `Master.ImageTag` | Master image tag | `lts` |
| `Master.ImagePullPolicy` | Master image pull policy | `Always` |
| `Master.ImagePullSecret` | Master image pull secret | Not set |
| `Master.Component` | k8s selector key | `jenkins-master` |
| `Master.UseSecurity` | Use basic security | `true` |
| `Master.AdminUser` | Admin username (and password) created as a secret if useSecurity is true | `admin` |
| `Master.Cpu` | Master requested cpu | `200m` |
| `Master.Memory` | Master requested memory | `256Mi` |
| `Master.InitContainerEnv` | Environment variables for Init Container | Not set |
| `Master.ContainerEnv` | Environment variables for Jenkins Container | Not set |
| `Master.RunAsUser` | uid that jenkins runs with | `0` |
| `Master.FsGroup` | uid that will be used for persistent volume | `0` |
| `Master.ServiceAnnotations` | Service annotations | `{}` |
| `Master.ServiceType` | k8s service type | `LoadBalancer` |
| `Master.ServicePort` | k8s service port | `8080` |
| `Master.NodePort` | k8s node port | Not set |
| `Master.HealthProbes` | Enable k8s liveness and readiness probes | `true` |
| `Master.HealthProbesLivenessTimeout` | Set the timeout for the liveness probe | `120` |
| `Master.HealthProbesReadinessTimeout` | Set the timeout for the readiness probe | `60` |
| `Master.HealthProbeLivenessFailureThreshold` | Set the failure threshold for the liveness probe | `12` |
| `Master.ContainerPort` | Master listening port | `8080` |
| `Master.SlaveListenerPort` | Listening port for agents | `50000` |
| `Master.DisabledAgentProtocols` | Disabled agent protocols | `JNLP-connect JNLP2-connect` |
| `Master.CSRF.DefaultCrumbIssuer.Enabled` | Enable the default CSRF Crumb issuer | `true` |
| `Master.CSRF.DefaultCrumbIssuer.ProxyCompatability` | Enable proxy compatibility | `true` |
| `Master.CLI` | Enable CLI over remoting | `false` |
| `Master.LoadBalancerSourceRanges` | Allowed inbound IP addresses | `0.0.0.0/0` |
| `Master.LoadBalancerIP` | Optional fixed external IP | Not set |
| `Master.JMXPort` | Open a port, for JMX stats | Not set |
| `Master.CustomConfigMap` | Use a custom ConfigMap | `false` |
| `Master.Ingress.Annotations` | Ingress annotations | `{}` |
| `Master.Ingress.TLS` | Ingress TLS configuration | `[]` |
| `Master.InitScripts` | List of Jenkins init scripts | Not set |
| `Master.CredentialsXmlSecret` | Kubernetes secret that contains a 'credentials.xml' file | Not set |
| `Master.SecretsFilesSecret` | Kubernetes secret that contains 'secrets' files | Not set |
| `Master.Jobs` | Jenkins XML job configs | Not set |
| `Master.InstallPlugins` | List of Jenkins plugins to install | `kubernetes:0.11 workflow-aggregator:2.5 credentials-binding:1.11 git:3.2.0` |
| `Master.ScriptApproval` | List of groovy functions to approve | Not set |
| `Master.NodeSelector` | Node labels for pod assignment | `{}` |
| `Master.Affinity` | Affinity settings | `{}` |
| `Master.Tolerations` | Toleration labels for pod assignment | `{}` |
| `NetworkPolicy.Enabled` | Enable creation of NetworkPolicy resources. | `false` |
| `NetworkPolicy.ApiVersion` | NetworkPolicy ApiVersion | `extensions/v1beta1` |
| `rbac.install` | Create service account and ClusterRoleBinding for Kubernetes plugin | `false` |
| `rbac.apiVersion` | RBAC API version | `v1beta1` |
| `rbac.roleRef` | Cluster role name to bind to | `cluster-admin` |
### Jenkins Agent There is one additional group of configuration items specific for this chart, so not prefixed with `jenkins`:
## PipelineSecrets
When deployed, the chart creates a couple of kubernetes secrets that get used by jenkins and mounted in the jenkins
build pods. The secrets, like the rest of the deployment, is namespaced so multiple instances can run beside
each other with their own secrets.
You can override the values at deploy time but otherwise also configure them
[in Rancher](https://rancher.molgenis.org:7443/p/c-mhkqb:project-2pf45/secrets) or through kubectl.
### Env
Environment variables stored in molgenis-pipeline-env secret, to be added as environment variables
in the slave pods.
| Parameter | Description | Default | | Parameter | Description | Default |
| ----------------------- | ----------------------------------------------- | ---------------------- | | ---------------------------------- | ------------------------------------ | --------------- |
| `Agent.AlwaysPullImage` | Always pull agent container image before build | `false` | | `PipelineSecrets.Env.Replace` | Replace molgenis-pipeline-env secret | `true` |
| `Agent.Enabled` | Enable Kubernetes plugin jnlp-agent podTemplate | `true` | | `PipelineSecrets.Env.PGPPassphrase`| passphrase for the pgp signing key | `literal:xxxx` |
| `Agent.Image` | Agent image name | `jenkinsci/jnlp-slave` | | `PipelineSecrets.Env.CodecovToken` | token for codecov.io | `xxxx` |
| `Agent.ImagePullSecret` | Agent image pull secret | Not set | | `PipelineSecrets.Env.GitHubToken` | token for GH molgenis-jenkins user | `xxxx` |
| `Agent.ImageTag` | Agent image tag | `2.62` | | `PipelineSecrets.Env.SonarToken` | token for sonarcloud.io | `xxxx` | |
| `Agent.Privileged` | Agent privileged container | `false` |
| `Agent.Cpu` | Agent requested cpu | `200m` |
| `Agent.Memory` | Agent requested memory | `256Mi` |
| `Agent.volumes` | Additional volumes | `nil` |
### File
Environment variables stored in molgenis-pipeline-file secret, to be mounted as files
in the `/root/.m2` directory of the slave pods.
> The settings.xml file references the
| Parameter | Description | Default |
| -------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
| `PipelineSecrets.File.Replace` | Replace molgenis-pipeline-file secret | `true` |
| `PipelineSecrets.File.PGPPrivateKeyAsc`| pgp signing key in ascii form | `-----BEGIN PGP PRIVATE KEY BLOCK-----xxxxx-----END PGP PRIVATE KEY BLOCK-----` |
| `PipelineSecrets.File.MavenSettingsXML`| Maven settings.xml file | `<settings>[...]</settings>` (see actual [values.yaml](values.yaml)) |
## Command line use
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart.
For example,
```bash ```bash
$ helm install --name my-release -f values.yaml stable/jenkins $ helm install --name jenkins -f values.yaml molgenis-jenkins
``` ```
> **Tip**: You can use the default [values.yaml](values.yaml) > **Tip**: You can use the default [values.yaml](values.yaml)
## Mounting volumes into your Agent pods
Your Jenkins Agents will run as pods, and it's possible to inject volumes where needed:
```yaml
Agent:
volumes:
- type: Secret
secretName: jenkins-mysecrets
mountPath: /var/run/secrets/jenkins-mysecrets
```
The supported volume types are: `ConfigMap`, `EmptyDir`, `HostPath`, `Nfs`, `Pod`, `Secret`. Each type supports a different set of configurable attributes, defined by [the corresponding Java class](https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes).
## NetworkPolicy
To make use of the NetworkPolicy resources created by default,
install [a networking plugin that implements the Kubernetes
NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin).
For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting
the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace:
kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
Install helm chart with network policy enabled:
$ helm install stable/jenkins --set NetworkPolicy.Enabled=true
## Persistence
The Jenkins image stores persistence under `/var/jenkins_home` path of the container. A dynamically managed Persistent Volume
Claim is used to keep the data across deployments, by default. This is known to work in GCE, AWS, and minikube. Alternatively,
a previously configured Persistent Volume Claim can be used.
It is possible to mount several volumes using `Persistence.volumes` and `Persistence.mounts` parameters.
### Persistence Values
| Parameter | Description | Default |
| --------------------------- | ------------------------------- | --------------- |
| `Persistence.Enabled` | Enable the use of a Jenkins PVC | `true` |
| `Persistence.ExistingClaim` | Provide the name of a PVC | `nil` |
| `Persistence.AccessMode` | The PVC access mode | `ReadWriteOnce` |
| `Persistence.Size` | The size of the PVC | `8Gi` |
| `Persistence.volumes` | Additional volumes | `nil` |
| `Persistence.mounts` | Additional mounts | `nil` |
#### Existing PersistentVolumeClaim
1. Create the PersistentVolume
1. Create the PersistentVolumeClaim
1. Install the chart
```bash
$ helm install --name my-release --set Persistence.ExistingClaim=PVC_NAME stable/jenkins
```
## Custom ConfigMap
When creating a new parent chart with this chart as a dependency, the `CustomConfigMap` parameter can be used to override the default config.xml provided.
It also allows for providing additional xml configuration files that will be copied into `/var/jenkins_home`. In the parent chart's values.yaml,
set the `jenkins.Master.CustomConfigMap` value to true like so
```yaml
jenkins:
Master:
CustomConfigMap: true
```
and provide the file `templates/config.tpl` in your parent chart for your use case. You can start by copying the contents of `config.yaml` from this chart into your parent charts `templates/config.tpl` as a basis for customization. Finally, you'll need to wrap the contents of `templates/config.tpl` like so:
```yaml
{{- define "override_config_map" }}
<CONTENTS_HERE>
{{ end }}
```
## RBAC
If running upon a cluster with RBAC enabled you will need to do the following:
* `helm install stable/jenkins --set rbac.install=true`
* Create a Jenkins credential of type Kubernetes service account with service account name provided in the `helm status` output.
* Under configure Jenkins -- Update the credentials config in the cloud section to use the service account credential you created in the step above.
## Run Jenkins as non root user
The default settings of this helm chart let Jenkins run as root user with uid `0`.
Due to security reasons you may want to run Jenkins as a non root user.
Fortunately the default jenkins docker image `jenkins/jenkins` contains a user `jenkins` with uid `1000` that can be used for this purpose.
Simply use the following settings to run Jenkins as `jenkins` user with uid `1000`.
```yaml
jenkins:
Master:
RunAsUser: 1000
FsGroup: 1000
```
Docs taken from https://github.com/jenkinsci/docker/blob/master/Dockerfile:
_Jenkins is run with user `jenkins`, uid = 1000. If you bind mount a volume from the host or a data container,ensure you use the same uid_
## Running behind a forward proxy
The master pod uses an Init Container to install plugins etc. If you are behind a corporate proxy it may be useful to set `Master.InitContainerEnv` to add environment variables such as `http_proxy`, so that these can be downloaded.
Additionally, you may want to add env vars for the Jenkins container, and the JVM (`Master.JavaOpts`).
```yaml
Master:
InitContainerEnv:
- name: http_proxy
value: "http://192.168.64.1:3128"
- name: https_proxy
value: "http://192.168.64.1:3128"
- name: no_proxy
value: ""
ContainerEnv:
- name: http_proxy
value: "http://192.168.64.1:3128"
- name: https_proxy
value: "http://192.168.64.1:3128"
JavaOpts: >-
-Dhttp.proxyHost=192.168.64.1
-Dhttp.proxyPort=3128
-Dhttps.proxyHost=192.168.64.1
-Dhttps.proxyPort=3128
```


@ -28,149 +28,93 @@ data:
<org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud plugin="kubernetes@{{ template "jenkins.kubernetes-version" . }}"> <org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud plugin="kubernetes@{{ template "jenkins.kubernetes-version" . }}">
<name>kubernetes</name> <name>kubernetes</name>
<templates> <templates>
{{- if .Values.Agent.Enabled }} {{- range $podName, $pod := .Values.Pods }}
<org.csanchez.jenkins.plugins.kubernetes.PodTemplate> <org.csanchez.jenkins.plugins.kubernetes.PodTemplate>
<inheritFrom></inheritFrom> <inheritFrom></inheritFrom>
<name>default</name> <name>{{ $podName }}</name>
<instanceCap>2147483647</instanceCap> <instanceCap>2147483647</instanceCap>
<idleMinutes>0</idleMinutes> <idleMinutes>0</idleMinutes>
<label>{{ .Release.Name }}-{{ .Values.Agent.Component }}</label> <label>{{ .Label }}</label>
<nodeSelector> <nodeSelector>
{{- $local := dict "first" true }} {{- $local := dict "first" true }}
{{- range $key, $value := .Values.Agent.NodeSelector }} {{- range $key, $value := .NodeSelector }}
{{- if not $local.first }},{{- end }} {{- if not $local.first }},{{- end }}
{{- $key }}={{ $value }} {{- $key }}={{ $value }}
{{- $_ := set $local "first" false }} {{- $_ := set $local "first" false }}
{{- end }}</nodeSelector> {{- end }}</nodeSelector>
<nodeUsageMode>EXCLUSIVE</nodeUsageMode> <nodeUsageMode>{{ .NodeUsageMode }}</nodeUsageMode>
<volumes> <volumes>
{{- range $index, $volume := .Values.Agent.volumes }} {{- range $index, $volume := .volumes }}
<org.csanchez.jenkins.plugins.kubernetes.volumes.{{ $volume.type }}Volume> <org.csanchez.jenkins.plugins.kubernetes.volumes.{{ .type }}Volume>
{{- range $key, $value := $volume }}{{- if not (eq $key "type") }} {{- range $key, $value := $volume }}{{- if not (eq $key "type") }}
<{{ $key }}>{{ $value }}</{{ $key }}> <{{ $key }}>{{ $value }}</{{ $key }}>
{{- end }}{{- end }} {{- end }}{{- end }}
</org.csanchez.jenkins.plugins.kubernetes.volumes.{{ $volume.type }}Volume> </org.csanchez.jenkins.plugins.kubernetes.volumes.{{ .type }}Volume>
{{- end }} {{- end }}
</volumes> </volumes>
<containers> <containers>
{{- range $containerName, $container := .Containers }}
<org.csanchez.jenkins.plugins.kubernetes.ContainerTemplate> <org.csanchez.jenkins.plugins.kubernetes.ContainerTemplate>
<name>jnlp</name> <name>{{ $containerName }}</name>
<image>{{ .Values.Agent.Image }}:{{ .Values.Agent.ImageTag }}</image> <image>{{ .Image }}:{{ .ImageTag | default "latest" }}</image>
{{- if .Values.Agent.Privileged }} <ports>
{{- range $index, $envVar := .Ports }}
<org.csanchez.jenkins.plugins.kubernetes.PortMapping>
<name>{{ .name }}</name>
<containerPort>{{ .containerPort }}</containerPort>
<hostPort>{{ .hostPort }}</hostPort>
</org.csanchez.jenkins.plugins.kubernetes.PortMapping>
{{- end }}
</ports>
{{- if .Privileged }}
<privileged>true</privileged> <privileged>true</privileged>
{{- else }} {{- else }}
<privileged>false</privileged> <privileged>false</privileged>
{{- end }} {{- end }}
<alwaysPullImage>{{ .Values.Agent.AlwaysPullImage }}</alwaysPullImage> {{- if .AlwaysPullImage }}
<workingDir>/home/jenkins</workingDir> <alwaysPullImage>true</alwaysPullImage>
<command></command>
<args>${computer.jnlpmac} ${computer.name}</args>
<ttyEnabled>false</ttyEnabled>
<resourceRequestCpu>{{.Values.Agent.Cpu}}</resourceRequestCpu>
<resourceRequestMemory>{{.Values.Agent.Memory}}</resourceRequestMemory>
<resourceLimitCpu>{{.Values.Agent.Cpu}}</resourceLimitCpu>
<resourceLimitMemory>{{.Values.Agent.Memory}}</resourceLimitMemory>
<envVars>
<org.csanchez.jenkins.plugins.kubernetes.ContainerEnvVar>
<key>JENKINS_URL</key>
<value>http://{{ template "jenkins.fullname" . }}:{{.Values.Master.ServicePort}}{{ default "" .Values.Master.JenkinsUriPrefix }}</value>
</org.csanchez.jenkins.plugins.kubernetes.ContainerEnvVar>
</envVars>
</org.csanchez.jenkins.plugins.kubernetes.ContainerTemplate>
</containers>
<envVars/>
<annotations/>
{{- if .Values.Agent.ImagePullSecret }}
<imagePullSecrets>
<org.csanchez.jenkins.plugins.kubernetes.PodImagePullSecret>
<name>{{ .Values.Agent.ImagePullSecret }}</name>
</org.csanchez.jenkins.plugins.kubernetes.PodImagePullSecret>
</imagePullSecrets>
{{- else }} {{- else }}
<imagePullSecrets/> <alwaysPullImage>false</alwaysPullImage>
{{- end }} {{- end }}
<nodeProperties/>
</org.csanchez.jenkins.plugins.kubernetes.PodTemplate>
{{- end -}}
{{- if .Values.Pod.Enabled }}
<org.csanchez.jenkins.plugins.kubernetes.PodTemplate>
<inheritFrom></inheritFrom>
<name>{{ .Values.Pod.Label }}</name>
<instanceCap>2147483647</instanceCap>
<idleMinutes>0</idleMinutes>
<label>{{ .Values.Pod.Label }}</label>
<nodeSelector>
{{- $local := dict "first" true }}
{{- range $key, $value := .Values.Pod.NodeSelector }}
{{- if not $local.first }},{{- end }}
{{- $key }}={{ $value }}
{{- $_ := set $local "first" false }}
{{- end }}</nodeSelector>
<nodeUsageMode>NORMAL</nodeUsageMode>
<volumes>
{{- range $index, $volume := .Values.Pod.volumes }}
<org.csanchez.jenkins.plugins.kubernetes.volumes.{{ $volume.type }}Volume>
{{- range $key, $value := $volume }}{{- if not (eq $key "type") }}
<{{ $key }}>{{ $value }}</{{ $key }}>
{{- end }}{{- end }}
</org.csanchez.jenkins.plugins.kubernetes.volumes.{{ $volume.type }}Volume>
{{- end }}
</volumes>
<containers>
<org.csanchez.jenkins.plugins.kubernetes.ContainerTemplate>
<name>{{ .Values.Pod.Label }}</name>
<image>{{ .Values.Pod.Image }}:{{ .Values.Pod.ImageTag }}</image>
{{- if .Values.Pod.Privileged }}
<privileged>true</privileged>
{{- else }}
<privileged>false</privileged>
{{- end }}
<alwaysPullImage>{{ .Values.Pod.AlwaysPullImage }}</alwaysPullImage>
<workingDir>/home/jenkins</workingDir> <workingDir>/home/jenkins</workingDir>
<command>{{ .Values.Pod.Command }}</command> <command>{{ .Command | default "cat" }}</command>
<args>{{ .Values.Pod.Args }}</args> <args>{{ .Args | default "" }}</args>
{{- if .Values.Pod.TTY }} {{- if .TTY }}
<ttyEnabled>true</ttyEnabled> <ttyEnabled>true</ttyEnabled>
{{- else }} {{- else }}
<ttyEnabled>false</ttyEnabled> <ttyEnabled>false</ttyEnabled>
{{- end }} {{- end }}
<resourceRequestCpu>{{.Values.Pod.Cpu}}</resourceRequestCpu> {{- if .resources }}
<resourceRequestMemory>{{.Values.Pod.Memory}}</resourceRequestMemory> {{- if .resources.requests }}
<resourceLimitCpu>{{.Values.Pod.Cpu}}</resourceLimitCpu> <resourceRequestCpu>{{ .resources.requests.cpu | default "" }}</resourceRequestCpu>
<resourceLimitMemory>{{.Values.Pod.Memory}}</resourceLimitMemory> <resourceRequestMemory>{{ .resources.requests.memory | default "" }}</resourceRequestMemory>
{{- end }}
{{- if .resources.limits }}
<resourceLimitCpu>{{ .resources.limits.cpu | default "" }}</resourceLimitCpu>
<resourceLimitMemory>{{ .resources.limits.memory | default "" }}</resourceLimitMemory>
{{- end }}
{{- end }}
</org.csanchez.jenkins.plugins.kubernetes.ContainerTemplate> </org.csanchez.jenkins.plugins.kubernetes.ContainerTemplate>
{{- end }}
</containers> </containers>
<envVars> <envVars>
<org.csanchez.jenkins.plugins.kubernetes.model.SecretEnvVar>
<key>PGP_PASSPHRASE</key>
<secretName>molgenis-pipeline-env-secret</secretName>
<secretKey>pgpPassphrase</secretKey>
</org.csanchez.jenkins.plugins.kubernetes.model.SecretEnvVar>
<org.csanchez.jenkins.plugins.kubernetes.model.KeyValueEnvVar> <org.csanchez.jenkins.plugins.kubernetes.model.KeyValueEnvVar>
<key>PGP_SECRETKEY</key> <key>JENKINS_URL</key>
<value>keyfile:/root/.m2/key.asc</value> <value>http://{{ template "jenkins.fullname" $ }}:{{$.Values.Master.ServicePort}}{{ default "" $.Values.Master.JenkinsUriPrefix }}</value>
</org.csanchez.jenkins.plugins.kubernetes.model.KeyValueEnvVar> </org.csanchez.jenkins.plugins.kubernetes.model.KeyValueEnvVar>
<org.csanchez.jenkins.plugins.kubernetes.model.SecretEnvVar> {{- range $index, $envVar := .EnvVars }}
<key>SONAR_TOKEN</key> <org.csanchez.jenkins.plugins.kubernetes.model.{{ .type }}EnvVar>
<secretName>molgenis-pipeline-env-secret</secretName> {{- range $key, $value := $envVar }}{{- if not (eq $key "type") }}
<secretKey>sonarToken</secretKey> <{{ $key }}>{{ $value }}</{{ $key }}>
</org.csanchez.jenkins.plugins.kubernetes.model.SecretEnvVar> {{- end }}{{- end }}
<org.csanchez.jenkins.plugins.kubernetes.model.SecretEnvVar> </org.csanchez.jenkins.plugins.kubernetes.model.{{ .type }}EnvVar>
<key>CODECOV_TOKEN</key> {{- end }}
<secretName>molgenis-pipeline-env-secret</secretName>
<secretKey>codecovToken</secretKey>
</org.csanchez.jenkins.plugins.kubernetes.model.SecretEnvVar>
<org.csanchez.jenkins.plugins.kubernetes.model.SecretEnvVar>
<key>GITHUB_TOKEN</key>
<secretName>molgenis-pipeline-env-secret</secretName>
<secretKey>githubToken</secretKey>
</org.csanchez.jenkins.plugins.kubernetes.model.SecretEnvVar>
</envVars> </envVars>
<annotations/> <annotations/>
{{- if .Values.Pod.ImagePullSecret }} {{- if .ImagePullSecret }}
<imagePullSecrets> <imagePullSecrets>
<org.csanchez.jenkins.plugins.kubernetes.PodImagePullSecret> <org.csanchez.jenkins.plugins.kubernetes.PodImagePullSecret>
<name>{{ .Values.Pod.ImagePullSecret }}</name> <name>{{ .ImagePullSecret }}</name>
</org.csanchez.jenkins.plugins.kubernetes.PodImagePullSecret> </org.csanchez.jenkins.plugins.kubernetes.PodImagePullSecret>
</imagePullSecrets> </imagePullSecrets>
{{- else }} {{- else }}
@ -178,7 +122,7 @@ data:
{{- end }} {{- end }}
<nodeProperties/> <nodeProperties/>
</org.csanchez.jenkins.plugins.kubernetes.PodTemplate> </org.csanchez.jenkins.plugins.kubernetes.PodTemplate>
{{- end -}} {{- end }}
</templates> </templates>
<serverUrl>https://kubernetes.default</serverUrl> <serverUrl>https://kubernetes.default</serverUrl>
<skipTlsVerify>false</skipTlsVerify> <skipTlsVerify>false</skipTlsVerify>
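Review bot: The `Ports` loop at the top of the first hunk binds its element as `$envVar` (`{{- range $index, $envVar := .Ports }}`), evidently copied from the `EnvVars` loop further down; the body only uses `.name`/`.containerPort`/`.hostPort` so it works, but `{{- range $index, $port := .Ports }}` says what it iterates. In the same block `<hostPort>{{ .hostPort }}</hostPort>` is emitted even when a port entry has no `hostPort`, which renders an empty element that the plugin's XML loader may not accept where it expects an integer; guarding it with `{{- if .hostPort }}<hostPort>{{ .hostPort }}</hostPort>{{- end }}` keeps hostPort optional. Further down, `{{ .ImageTag | default "latest" }}` silently pins a mutable tag, and because `alwaysPullImage` renders false unless a container sets it, a container that omits `ImageTag` runs whatever image the node last cached; worth either requiring `ImageTag` or documenting the `latest` fallback next to the `Containers` block in values.yaml. The PodTemplate element continues in the second hunk and the rest of the template is outside this section.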


@ -0,0 +1,16 @@
apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
name: "molgenis-jenkins-github-secret"
labels:
# so we know what type it is.
"jenkins.io/credentials-type": "usernamePassword"
annotations: {
# description - can not be a label as spaces are not allowed
"jenkins.io/credentials-description" : "oauth token for the molgenis-jenkins github user"
}
type: Opaque
data:
username: {{ "molgenis-jenkins" | b64enc | quote }}
password: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
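Review bot: The new Secret is rendered unconditionally, while the sibling molgenis-pipeline-env-secret appears to sit inside a `PipelineSecrets.Env.Replace` guard (its closing `{{- end }}` is visible in the next file section), so every `helm upgrade` re-applies `PipelineSecrets.Env.GitHubToken` — with the shipped default `xxxx` — over a token an operator set in Rancher or with kubectl, and the credentials provider then hands Jenkins the bogus value. Wrapping this manifest in `{{- if .Values.PipelineSecrets.Env.Replace }}` … `{{- end }}` would make it behave like the other secret. The username is hard-coded to `molgenis-jenkins`; a comment such as `# GitHub account that owns PipelineSecrets.Env.GitHubToken` above the `username:` line — or a value key for it — would help whoever rotates the token later.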


@ -12,6 +12,6 @@ type: Opaque
data: data:
pgpPassphrase: {{ .Values.PipelineSecrets.Env.PGPPassphrase | b64enc | quote }} pgpPassphrase: {{ .Values.PipelineSecrets.Env.PGPPassphrase | b64enc | quote }}
codecovToken: {{ .Values.PipelineSecrets.Env.CodecovToken | b64enc | quote }} codecovToken: {{ .Values.PipelineSecrets.Env.CodecovToken | b64enc | quote }}
githubToken: {{ .Values.PipelineSecrets.Env.GithubToken | b64enc | quote }} githubToken: {{ .Values.PipelineSecrets.Env.GitHubToken | b64enc | quote }}
sonarToken: {{ .Values.PipelineSecrets.Env.SonarToken | b64enc | quote }} sonarToken: {{ .Values.PipelineSecrets.Env.SonarToken | b64enc | quote }}
{{- end }} {{- end }}


@ -8,59 +8,72 @@ jenkins:
- workflow-job:2.21 - workflow-job:2.21
- credentials-binding:1.16 - credentials-binding:1.16
- git:3.9.1 - git:3.9.1
- github-branch-source:2.3.6
- kubernetes-credentials-provider:0.9
- blueocean:1.6.1
Jobs: |- Jobs: |-
molgenis: |- molgenis: |-
<?xml version='1.1' encoding='UTF-8'?> <?xml version='1.1' encoding='UTF-8'?>
<org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject plugin="workflow-multibranch@2.19"> <jenkins.branch.OrganizationFolder plugin="branch-api@2.0.20">
<actions/> <actions/>
<description></description> <description></description>
<properties> <properties>
<org.jenkinsci.plugins.pipeline.modeldefinition.config.FolderConfig plugin="pipeline-model-definition@1.3"> <org.jenkinsci.plugins.pipeline.modeldefinition.config.FolderConfig plugin="pipeline-model-definition@1.3.1">
<dockerLabel></dockerLabel> <dockerLabel></dockerLabel>
<registry plugin="docker-commons@1.13"/> <registry plugin="docker-commons@1.13"/>
</org.jenkinsci.plugins.pipeline.modeldefinition.config.FolderConfig> </org.jenkinsci.plugins.pipeline.modeldefinition.config.FolderConfig>
<jenkins.branch.NoTriggerOrganizationFolderProperty>
<branches>.*</branches>
</jenkins.branch.NoTriggerOrganizationFolderProperty>
</properties> </properties>
<folderViews class="jenkins.branch.MultiBranchProjectViewHolder" plugin="branch-api@2.0.20"> <folderViews class="jenkins.branch.OrganizationFolderViewHolder">
<owner class="org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject" reference="../.."/> <owner reference="../.."/>
</folderViews> </folderViews>
<healthMetrics> <healthMetrics>
<com.cloudbees.hudson.plugins.folder.health.WorstChildHealthMetric plugin="cloudbees-folder@6.5.1"> <com.cloudbees.hudson.plugins.folder.health.WorstChildHealthMetric plugin="cloudbees-folder@6.5.1">
<nonRecursive>false</nonRecursive> <nonRecursive>false</nonRecursive>
</com.cloudbees.hudson.plugins.folder.health.WorstChildHealthMetric> </com.cloudbees.hudson.plugins.folder.health.WorstChildHealthMetric>
</healthMetrics> </healthMetrics>
<icon class="jenkins.branch.MetadataActionFolderIcon" plugin="branch-api@2.0.20"> <icon class="jenkins.branch.MetadataActionFolderIcon">
<owner class="org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject" reference="../.."/> <owner class="jenkins.branch.OrganizationFolder" reference="../.."/>
</icon> </icon>
<orphanedItemStrategy class="com.cloudbees.hudson.plugins.folder.computed.DefaultOrphanedItemStrategy" plugin="cloudbees-folder@6.5.1"> <orphanedItemStrategy class="com.cloudbees.hudson.plugins.folder.computed.DefaultOrphanedItemStrategy" plugin="cloudbees-folder@6.5.1">
<pruneDeadBranches>true</pruneDeadBranches> <pruneDeadBranches>true</pruneDeadBranches>
<daysToKeep>-1</daysToKeep> <daysToKeep>-1</daysToKeep>
<numToKeep>-1</numToKeep> <numToKeep>-1</numToKeep>
</orphanedItemStrategy> </orphanedItemStrategy>
<triggers/> <triggers>
<com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger plugin="cloudbees-folder@6.5.1">
<spec>H H * * *</spec>
<interval>86400000</interval>
</com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger>
</triggers>
<disabled>false</disabled> <disabled>false</disabled>
<sources class="jenkins.branch.MultiBranchProject$BranchSourceList" plugin="branch-api@2.0.20"> <navigators>
<data> <org.jenkinsci.plugins.github__branch__source.GitHubSCMNavigator plugin="github-branch-source@2.3.6">
<jenkins.branch.BranchSource> <repoOwner>molgenis</repoOwner>
<source class="jenkins.plugins.git.GitSCMSource" plugin="git@3.9.1"> <credentialsId>molgenis-jenkins-github-secret</credentialsId>
<id>a1f535cd-ab83-4d42-8993-0c3e59cf139f</id>
<remote>http://github.com/molgenis/molgenis.git</remote>
<credentialsId></credentialsId>
<traits> <traits>
<jenkins.plugins.git.traits.BranchDiscoveryTrait/> <org.jenkinsci.plugins.github__branch__source.BranchDiscoveryTrait>
<strategyId>1</strategyId>
</org.jenkinsci.plugins.github__branch__source.BranchDiscoveryTrait>
<org.jenkinsci.plugins.github__branch__source.OriginPullRequestDiscoveryTrait>
<strategyId>1</strategyId>
</org.jenkinsci.plugins.github__branch__source.OriginPullRequestDiscoveryTrait>
<org.jenkinsci.plugins.github__branch__source.ForkPullRequestDiscoveryTrait>
<strategyId>1</strategyId>
<trust class="org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait$TrustPermission"/>
</org.jenkinsci.plugins.github__branch__source.ForkPullRequestDiscoveryTrait>
</traits> </traits>
</source> </org.jenkinsci.plugins.github__branch__source.GitHubSCMNavigator>
<strategy class="jenkins.branch.DefaultBranchPropertyStrategy"> </navigators>
<properties class="empty-list"/> <projectFactories>
</strategy> <org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProjectFactory plugin="workflow-multibranch@2.19">
</jenkins.branch.BranchSource>
</data>
<owner class="org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject" reference="../.."/>
</sources>
<factory class="org.jenkinsci.plugins.workflow.multibranch.WorkflowBranchProjectFactory">
<owner class="org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject" reference="../.."/>
<scriptPath>Jenkinsfile</scriptPath> <scriptPath>Jenkinsfile</scriptPath>
</factory> </org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProjectFactory>
</org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject> </projectFactories>
<buildStrategies/>
</jenkins.branch.OrganizationFolder>
# Kubernetes secret that contains a 'credentials.xml' for Jenkins # Kubernetes secret that contains a 'credentials.xml' for Jenkins
# CredentialsXmlSecret: jenkins-credentials # CredentialsXmlSecret: jenkins-credentials
# Kubernetes secret that contains files to be put in the Jenkins 'secrets' directory, # Kubernetes secret that contains files to be put in the Jenkins 'secrets' directory,
@ -70,25 +83,10 @@ jenkins:
CustomConfigMap: true CustomConfigMap: true
rbac: rbac:
install: true install: true
# A second pod template for maven builds Pods:
Pod: molgenis:
Enabled: true Label: molgenis
Image: "webhost12.service.rug.nl/molgenis/molgenis-maven" NodeUsageMode: NORMAL
ImageTag: latest
# ImagePullSecret: jenkins
Label: "molgenis-maven"
Privileged: false
Cpu: ""
Memory: ""
# You may want to change this to true while testing a new image
AlwaysPullImage: false
Command: "/bin/sh -c"
Args: "cat"
TTY: true
# You can define the volumes that you want to mount for this container
# Allowed types are: ConfigMap, EmptyDir, HostPath, Nfs, Pod, Secret
# Configure the attributes as they appear in the corresponding Java class for that type
# https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes
volumes: volumes:
- type: HostPath - type: HostPath
hostPath: "/var/run/docker.sock" hostPath: "/var/run/docker.sock"
@ -96,9 +94,66 @@ jenkins:
- type: Secret - type: Secret
secretName: molgenis-pipeline-file-secret secretName: molgenis-pipeline-file-secret
mountPath: "/root/.m2" mountPath: "/root/.m2"
Containers:
maven:
Image: "registry.webhosting.rug.nl/molgenis/maven"
TTY: true
resources:
requests:
cpu: "1000m"
limits:
memory: "1Gi"
alpine:
Image: "spotify/alpine"
TTY: true
elasticsearch:
Image: "elasticsearch"
ImageTag: "5.5.1"
TTY: true
Ports:
- name: rest
containerPort: "9200"
hostPort: "9200"
- name: api
containerPort: "9300"
hostPort: "9300"
postgres:
Image: "postgres"
ImageTag: "9.6-alpine"
TTY: true
Ports:
- name: postgres
containerPort: "5432"
hostPort: "5432"
EnvVars:
- type: Secret
key: PGP_PASSPHRASE
secretName: molgenis-pipeline-env-secret
secretKey: pgpPassphrase
- type: KeyValue
key: PGP_SECRETKEY
value: "keyfile:/root/.m2/key.asc"
- type: KeyValue
key: npm_config_registry
value: "http://nexus.molgenis-nexus:8081/repository/npm-central"
- type: KeyValue
key: yarn_proxy
value: "http://nexus.molgenis-nexus:8081/repository/npm-central"
- type: Secret
key: SONAR_TOKEN
secretName: molgenis-pipeline-env-secret
secretKey: sonarToken
- type: Secret
key: CODECOV_TOKEN
secretName: molgenis-pipeline-env-secret
secretKey: codecovToken
- type: Secret
key: GITHUB_TOKEN
secretName: molgenis-pipeline-env-secret
secretKey: githubToken
# If needed
# ImagePullSecret: jenkins
NodeSelector: {} NodeSelector: {}
# Key Value selectors. Ex:
# jenkins-agent: v1
PipelineSecrets: PipelineSecrets:
Env: Env:
# Set to false to keep existing secret # Set to false to keep existing secret
@ -108,7 +163,7 @@ PipelineSecrets:
# Token for codecov.io service # Token for codecov.io service
CodecovToken: xxxx CodecovToken: xxxx
# Token for github bot account # Token for github bot account
GithubToken: xxxx GitHubToken: xxxx
# Token for sonarcloud.io # Token for sonarcloud.io
SonarToken: xxxx SonarToken: xxxx
File: File:
@ -128,7 +183,7 @@ PipelineSecrets:
<mirror> <mirror>
<id>nexus</id> <id>nexus</id>
<mirrorOf>external:*</mirrorOf> <mirrorOf>external:*</mirrorOf>
<url>https://registry.molgenis.org/repository/maven-central/</url> <url>http://nexus.molgenis-nexus:8081/repository/maven-central/</url>
</mirror> </mirror>
</mirrors> </mirrors>
<servers> <servers>
@ -140,7 +195,7 @@ PipelineSecrets:
</server> </server>
<server> <server>
<id>local-nexus</id> <id>local-nexus</id>
<url>https://registry.molgenis.org/repository/maven-snapshots/</url> <url>http://nexus.molgenis-nexus:8081/repository/maven-snapshots/</url>
<username>admin</username> <username>admin</username>
<password>xxxxx</password> <password>xxxxx</password>
</server> </server>
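Review bot: The `elasticsearch` and `postgres` sidecars in the Containers hunk declare `hostPort` 9200/9300/5432, which publishes those services on the interface of every node that schedules a build pod: containers in one pod already share a network namespace, so the maven container reaches them at `localhost:9200` / `localhost:5432` with `containerPort` alone, while the `hostPort` additionally exposes an Elasticsearch (which ships without authentication by default) and a Postgres instance to anything that can reach the node and prevents two build pods from being scheduled on the same node. Dropping the `hostPort:` lines and keeping `containerPort` removes both problems. In the last two hunks the Maven mirror and `local-nexus` URLs move from `https://registry.molgenis.org` to `http://nexus.molgenis-nexus:8081`, so the `admin` password in settings.xml now travels in clear text inside the cluster; if that is intended because the traffic never leaves the cluster network, a comment saying so next to the URL would stop the next reader from "fixing" it back. Note also that the values key is renamed from `GithubToken` to `GitHubToken`, so a Rancher answer still using the old key is silently ignored and the default `xxxx` gets installed; a one-line comment at the new key naming the old spelling would ease migration.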