├── .github └── pull_request_template.md ├── .gitignore ├── .gitmodules ├── .helmignore ├── Chart.yaml ├── Copyright and License ├── LICENSE.md ├── README.rst ├── charts ├── jenkins │ ├── Chart.yaml │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── bc-jenkins-agent.yaml │ │ ├── bc-jenkins-master.yaml │ │ ├── credential-secrets.yaml │ │ ├── dc-jenkins-agent.yaml │ │ ├── dc-jenkins-master.yaml │ │ ├── is-jenkins-agent.yaml │ │ ├── is-jenkins-master.yaml │ │ ├── pipeline-images.yaml │ │ ├── rolebinding-jenkins-edit.yaml │ │ ├── route-jenkins.yaml │ │ ├── sa-jenkins.yaml │ │ ├── svc-jenkins-agent.yaml │ │ └── svc-jenkins-master.yaml │ └── values.yaml ├── selenium │ ├── Chart.yaml │ ├── templates │ │ ├── bc-selenium-chrome.yaml │ │ ├── dc-selenium-chrome.yaml │ │ ├── dc-selenium-firefox.yaml │ │ ├── dc-selenium-hub.yaml │ │ ├── is-selenium-chrome.yaml │ │ ├── is-selenium-firefox.yaml │ │ ├── is-selenium-hub.yaml │ │ ├── route-selenium.yaml │ │ └── svc-selenium-hub.yaml │ └── values.yaml └── sonarqube │ ├── Chart.yaml │ ├── templates │ ├── NOTES.txt │ ├── bc.yaml │ ├── dc.yaml │ ├── is.yaml │ ├── route.yaml │ ├── service.yaml │ └── sq-secret.yaml │ └── values.yaml ├── installer.sh ├── requirements.yaml ├── resources ├── helm │ ├── README.md │ ├── project_tiller_role.yaml │ ├── provision_app_envs.sh │ └── tiller_role.yaml ├── jenkins-agent │ ├── Dockerfile │ ├── README.md │ ├── jenkins-agent.sh │ └── supervisord.conf ├── jenkins-master │ ├── Dockerfile │ ├── README.md │ └── resources │ │ ├── plugins │ │ └── plugins.txt │ │ └── scripts │ │ ├── configure.groovy │ │ ├── jenkins-preboot.sh │ │ ├── jenkins.sh │ │ └── sdp_entrypoint.groovy ├── jenkins-pipeline-images │ ├── README.md │ ├── a11y │ │ ├── Dockerfile │ │ └── README.md │ ├── openshift_helm │ │ └── Dockerfile │ ├── protractor │ │ └── Dockerfile │ ├── sonar-scanner │ │ ├── Dockerfile │ │ └── sonar-runner.properties │ └── zap │ │ └── Dockerfile ├── selenium_grid │ └── chrome │ │ ├── Dockerfile │ │ └── 
entry_point.sh └── sonarqube │ ├── Dockerfile │ ├── README.md │ ├── run.sh │ └── sonar.properties ├── templates └── NOTES.txt └── values.template.yaml /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | # PR Details 2 | 3 | 4 | 5 | ## Description 6 | 7 | 8 | 9 | ## How Has This Been Tested 10 | 11 | 12 | 13 | 14 | 15 | ## Types of Changes 16 | 17 | 18 | 19 | - [ ] Docs change / refactoring / dependency upgrade 20 | - [ ] Bug fix (non-breaking change which fixes an issue) 21 | - [ ] New feature (non-breaking change which adds functionality) 22 | - [ ] Breaking change (fix or feature that would cause existing functionality to change) 23 | 24 | ## Checklist 25 | 26 | 27 | 28 | 29 | - [ ] My change requires a change to the documentation. 30 | - [ ] I have updated the documentation accordingly. 31 | - [ ] All new and existing tests passed. 32 | - [ ] I have updated the Change Log appropriately. -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /values.yaml 2 | .DS_Store 3 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule ".license"] 2 | path = .license 3 | url = https://github.com/boozallen/boozallen.github.io 4 | -------------------------------------------------------------------------------- /.helmignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .git 3 | .gitignore 4 | resources 5 | -------------------------------------------------------------------------------- /Chart.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 
2 | # This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl 3 | 4 | apiVersion: v1 5 | appVersion: "1.0" 6 | description: A Helm chart for the solutions delivery platform 7 | name: "sdp-helm-chart" 8 | version: 0.1.1 9 | -------------------------------------------------------------------------------- /Copyright and License: -------------------------------------------------------------------------------- 1 | Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | This software package is licensed under the Booz Allen Public License. The license can be found here: http://boozallen.github.io/licenses/bapl 3 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | ## Booz Allen Public License v1.0 2 | 3 | 4 | ### INTRODUCTION 5 | The Booz Allen Public License allows government, non-profit academic, other non-profit, and commercial entities access to distinctive, disruptive, and robust code with the goal of Empowering People to Change the World℠. Products licensed under the Booz Allen Public License are founded on the basis that collective ingenuity can make the largest impact in the community. 6 | 7 | ### DEFINITIONS 8 | * **Commercial Entity.** “Commercial Entity” means any individual or entity other than a government, non-profit academic, or other non-profit entity. 9 | * **Derivative.** “Derivative” means any work of authorship in Source Code or Object Code form that results from an addition to, deletion from, or modification of the Source Code of the Product. 10 | * **License.** “License” means this Booz Allen Public License. 11 | * **Object Code.** “Object Code” means the form resulting from transformation or translation of Source Code into machine readable code, including but not limited to, compiled object code. 
12 | * **Originator.** “Originator” means each individual or legal entity that creates, contributes to the creation of, or owns the Product. 13 | * **Patent Claims.** “Patent Claims” means any patent claim(s) in any patent to which Originator has a right to grant a license that would be infringed by Your making, using, selling, offering for sale, having made, or importing of the Product, but for the grant of this License. 14 | * **Product.** “Product” means the Source Code of the software which the initial Originator made available under this License, and any Derivative of such Source Code. 15 | * **Source Code.** “Source Code” means software in human-readable form. 16 | * **You.** “You” means either an individual or an entity (if you are taking this license on behalf of an entity) that exercises the rights granted under this License. 17 | 18 | ### LICENSE 19 | **Government/Non-Profit Academic/Other Non-Profit.** 20 | This Section applies if You are not a Commercial Entity. 21 | 22 | * **License.** Subject to the terms and conditions of this License, each Originator hereby grants You a perpetual, worldwide, non-exclusive, royalty-free license to reproduce, display, perform, modify, distribute and otherwise use the Product and Derivatives, in Source Code and Object Code form, in accordance with the terms and conditions of this License in order to support the general public good and for your internal business purposes. 23 | * **Distribution.** You may distribute to third parties copies of the Product, including any Derivative that You create, in Source Code or Object Code form. If You distribute copies of the Product, including any Derivative that You create, in Source Code form, such distribution must be under the terms of this License and You must inform recipients of the Source Code that the Product is governed under this License and how they can obtain a copy of this License. 
You may distribute to third parties copies of the Product, including any Derivative that You create, in Object Code form, or allow third parties to access or use the Product, including any Derivative that You create, under a license of Your choice. 24 | * **Commercial Sales.** You may not distribute, or allow third parties to access or use, the Product or any Derivative for a fee, unless You first obtain permission from the Originator. If Booz Allen Hamilton is the Originator, please contact Booz Allen Hamilton at . 25 | 26 | **Commercial Entities**. 27 | This Section applies if You are a Commercial Entity. 28 | 29 | * **License.** Subject to the terms and conditions of this License, each Originator hereby grants You a perpetual, worldwide, non-exclusive, royalty-free license to reproduce, display, perform, modify, distribute and otherwise use the Product and Derivatives, in Source Code and Object Code form, in accordance with the terms and conditions of this License for the sole purpose of Your internal business purposes and the provision of services to government, non-profit academic, and other non-profit entities. 30 | * **Distribution and Derivatives.** You may distribute to third parties copies of the Product, including any Derivative that You create, in Source Code or Object Code form. If You distribute copies of the Product, including any Derivative that You create, in Source Code form, such distribution must be under the terms of this License and You must inform recipients of the Source Code that the Product is governed under this License and how they can obtain a copy of this License. 
You may distribute to third parties copies of the Product, including any Derivative that You create, in Object Code form, or allow third parties to access or use the Product, including any Derivative that You create, under a license of Your choice, provided that You make available, and inform the recipient of such distribution how they can obtain, a copy of the Source Code thereof, at no charge, and inform the recipient of the Source Code that the Product is governed under this License and how they can obtain a copy of this License. 31 | * **Commercial Sales.** You may not distribute, or allow third parties to access or use, the Product or any Derivative for a fee, unless You first obtain permission from the Originator. If Booz Allen Hamilton, please contact Booz Allen Hamilton at . 32 | 33 | **Patent Claim(s)**. 34 | This Section applies regardless of whether You are a government, non-profit academic, or other non-profit entity or a Commercial Entity. 35 | 36 | * **Patent License.** Subject to the limitations in the Sections above, each Originator hereby grants You a perpetual, worldwide, non-exclusive, royalty-free license under Patent Claims of such Originator to make, use, sell, offer for sale, have made, and import the Product. The foregoing patent license does not apply (a) to any code that an Originator has removed from the Product, or (b) for infringement caused by Your modifications of the Product or the combination of any Derivative created by You or on Your behalf with other software. 37 | 38 | ### GENERAL TERMS 39 | This Section applies regardless of whether You are a government, non-profit academic, or other non-profit entity or a Commercial Entity. 40 | 41 | * **Required Notices.** If You distribute the Product or a Derivative, in Object Code or Source Code form, You shall not remove or otherwise modify any proprietary markings or notices contained within or placed upon the Product or any Derivative. 
Any distribution of the Product or a Derivative, in Object Code or Source Code form, shall contain a clear and conspicuous Originator copyright and license reference in accordance with the below: 42 | * *Unmodified Product Notice*: “This software package is licensed under the Booz Allen Public License. Copyright © 20__ [Copyright Holder Name]. All Rights Reserved.” 43 | * *Derivative Notice*: “This software package is licensed under the Booz Allen Public License. Portions of this code are Copyright © 20__ [Copyright Holder Name]. All Rights Reserved.” 44 | * **Compliance with Laws.** You agree that You shall not reproduce, display, perform, modify, distribute and otherwise use the Product in any way that violates applicable law or regulation or infringes or violates the rights of others, including, but not limited to, third party intellectual property, privacy, and publicity rights. 45 | * **Disclaimer.** You understand that the Product is licensed to You, and not sold. The Product is provided on an “As Is” basis, without any warranties, representations, and guarantees, whether oral or written, express, implied or statutory, with regard to the Product, including without limitation, warranties of merchantability, fitness for a particular purpose, title, non-infringement, non-interference, and warranties arising from course of dealing or usage of trade, to the maximum extent permitted by applicable law. Originator does not warrant that (i) the Product will meet your needs; (ii) the Product will be error-free or accessible at all times; or (iii) the use or the results of the use of the Product will be correct, accurate, timely, or otherwise reliable. You acknowledge that the Product has not been prepared to meet Your individual requirements, whether or not such requirements have been communicated to Originator. You assume all responsibility for use of the Product. 
46 | * **Limitation of Liability.** Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Originator, or anyone who distributes the Product in accordance with this License, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if informed of the possibility of such damages. 47 | * **Severability.** If the application of any provision of this License to any particular facts or circumstances shall be held to be invalid or unenforceable, then the validity and enforceability of other provisions of this License shall not in any way be affected or impaired thereby. 48 | 49 | 50 | -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- 1 | --------------------------------------- 2 | **This repository is deprecated.** 3 | --------------------------------------- 4 | 5 | Please see the `SDP-IAC Repository `_. 6 | 7 | -------------------------- 8 | SDP Deployment Helm Charts 9 | -------------------------- 10 | 11 | To deploy the `Solutions Delivery Platform`_: 12 | 13 | ============================================================ 14 | Configure the chart by customizing the ``values.yaml`` file. 15 | ============================================================ 16 | 17 | ********************** 18 | ``values.yaml`` Fields 19 | ********************** 20 | 21 | :: 22 | 23 | # default values can be found in values.yaml for global values 24 | # or charts/${subchart}/values.yaml for subcharts' values. 
25 | 26 | # Note that anything set in values.yaml takes priority over 27 | # what's set in any /charts/${subchart}/values.yaml files 28 | 29 | global: 30 | openshift: String True if deploying to Openshift 31 | persistentStorage: Boolean True if your cluster is configured for persistent storage 32 | domain: String A domain managed by your router 33 | sourceRepositoryUrl: String A default github repository containing SDP image source code (i.e. this one) 34 | sourceSecret: String secret in "namespace" with credentials for "sourceRepositoryUrl" 35 | 36 | 37 | jenkins: 38 | domain: String A domain managed by your router; overwrites the global value 39 | subdomain: String The prefix for your Jenkins URL (i.e. subdomain.example.com) 40 | masterDockerContextDir: String The directory containing your Jenkins-master source code 41 | agentDockerContextDir: String The directory containing your Jenkins-agent source code 42 | numAgents: (+)Int The number of Jenkins-agents to create 43 | sourceRepositoryUrl: String A default github repository containing SDP image source code (i.e. this one) 44 | sourceRepositoryBranch: String The branch of your context directories to use 45 | imageTag: String What to tag the Jenkins images (master/agent) you create as part of the install 46 | sourceSecret: String overwrites global.sourceSecret for the Jenkins source repositories 47 | credentials: Map See below 48 | resources: Map See below 49 | dockerStorage: String Sets the amount of storage reserved for the Jenkins-agents' docker daemon (only used if persistentStorage is true) 50 | dockerDaemonArgs: string Supplies args for the docker daemon running in the Jenkins agent (only used if persistentStorage is false) 51 | 52 | 53 | sonarqube: 54 | enabled: Boolean Set to true if installing Sonarqube as part of the SDP installation 55 | domain: String A domain managed by your router; overwrites the global value 56 | subdomain: String The prefix for your Sonarqube URL (i.e. 
subdomain.example.com) 57 | dockerContextDir: String The directory containing your Sonarqube source code 58 | sourceRepositoryUrl: String A github repository containing Sonarqube image source code; overwrites the global value 59 | imageTag: String What to tag the Sonarqube images (master/agent) you create as part of the install 60 | resources: Map See below 61 | 62 | 63 | 64 | ******************* 65 | Configuring Jenkins 66 | ******************* 67 | 68 | ++++++++++++++++++++++ 69 | Credentials (Optional) 70 | ++++++++++++++++++++++ 71 | 72 | While the installation process automatically creates and stores the credentials 73 | necessary for most users, you can set additional credentials you want available 74 | to Jenkins. These can be credentials for different GitHub users, artifact 75 | repositories, or services you wish to use as part of your CI/CD pipeline. 76 | 77 | Any credentials you list here are automatically added to the Jenkins credential 78 | store. They are written to ``values.yaml`` in plain text, so keep that file out of version control (this repository's ``.gitignore`` already lists ``/values.yaml``). 79 | 80 | :: 81 | 82 | jenkins: 83 | credentials: 84 | - id: Required. Unique name for the credential by which it can be referenced 85 | username: Required. The username for the credential 86 | password: Required. The password for the credential 87 | - ... (multiple can be defined) 88 | 89 | The credentials that are created automatically (**and should not be listed in the values file**) are: 90 | 91 | * github: the GitHub credential supplied by the user during the installation 92 | * openshift-service-account: the credentials for the jenkins ServiceAccount that Jenkins uses to authenticate to Openshift 93 | * openshift-docker-registry: the same as above, but in a more convenient username/password format; use this for the sdp and docker SDP libraries 94 | * sonarqube: credentials for interfacing with the Sonarqube server deployed alongside Jenkins 95 | 96 | ++++++++++++++++++++ 97 | Resources (Optional) 98 | ++++++++++++++++++++ 99 | 100 | Set the CPU and memory guarantees and limits. 
The requests ensure that containers 101 | get adequate computing resources on whichever node they're scheduled on, 102 | while the limits ensure containers are restarted and rescheduled should they begin 103 | consuming too many resources. Together, this ensures quality of service for Jenkins 104 | and the other containers on the cluster. 105 | 106 | Note that you shouldn't need to configure this in order to set up SDP, as sensible 107 | defaults have already been set. 108 | 109 | More information on resource requests and limits can be found on the `Kubernetes website`_, 110 | but note that users are currently restricted to placing requests and limits on cpu and memory. 111 | 112 | 113 | :: 114 | 115 | jenkins: 116 | resources: 117 | master: Values for the Jenkins Master 118 | limits: The resources the container can use before being evicted 119 | cpu: Cpu limit 120 | memory: Memory limit 121 | requests: The node's necessary resources for a container to be scheduled 122 | cpu: Requested CPUs 123 | memory: Requested memory 124 | agent: Values for the Jenkins Agent (structure same as above) 125 | limits: The resources the container can use before being evicted 126 | cpu: Cpu limit 127 | memory: Memory limit 128 | requests: The resources a node must have available before the container can be scheduled 129 | cpu: Requested CPUs 130 | memory: Requested memory 131 | 132 | sonarqube: 133 | resources: Values for the Sonarqube container 134 | limits: The resources the container can use before being evicted 135 | cpu: Cpu limit 136 | memory: Memory limit 137 | requests: The resources a node must have available before the container can be scheduled 138 | cpu: Requested CPUs 139 | memory: Requested memory 140 | 141 | 142 | +++++++++++++++++++++ 143 | Example Configuration 144 | +++++++++++++++++++++ 145 | 146 | :: 147 | 148 | global: 149 | persistentStorage: true 150 | domain: apps.ocp.example.com 151 | 152 | jenkins: 153 | numAgents: 4 154 | 155 | #Github Username and Access 
Token 156 | credentials: 157 | - id: doe-john-github 158 | username: doe-john 159 | password: 1234abcd5678efgh 160 | 161 | # Computing Resource Guarantees and Limits 162 | # Requests and limits are equal to guarantee quality of service 163 | resources: 164 | master: 165 | limits: 166 | cpu: "1000m" 167 | memory: "3000Mi" 168 | requests: 169 | cpu: "1000m" 170 | memory: "3000Mi" 171 | agent: 172 | limits: 173 | cpu: "1000m" 174 | memory: "1500Mi" 175 | requests: 176 | cpu: "1000m" 177 | memory: "1500Mi" 178 | 179 | sonarqube: 180 | enabled: true 181 | resources: 182 | limits: 183 | cpu: "150m" 184 | memory: "2000Mi" 185 | requests: 186 | cpu: "150m" 187 | memory: "2000Mi" 188 | 189 | 190 | ======================== 191 | Run the Installer Script 192 | ======================== 193 | 194 | From your terminal, login to Openshift as a cluster-admin and run the installer 195 | script. 196 | 197 | .. code:: shell 198 | 199 | ./installer.sh 200 | 201 | Supply a GitHub username and password (or access token) when prompted. 202 | 203 | ************************ 204 | Installer Script Options 205 | ************************ 206 | 207 | Run ``./installer.sh -h`` to view the installer script's options. 208 | 209 | .. _Solutions Delivery Platform: https://boozallen.github.io/sdp-docs/ 210 | .. _Kubernetes website: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ 211 | -------------------------------------------------------------------------------- /charts/jenkins/Chart.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. 
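The license can be found in the License file or at http://boozallen.github.io/licenses/bapl 3 | 4 | apiVersion: v1 5 | appVersion: "1.0" 6 | description: A Helm chart for SDP Jenkins 7 | name: jenkins 8 | version: 0.1.0 9 | -------------------------------------------------------------------------------- /charts/jenkins/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Jenkins deployed: 2 | {{- if .Values.domain -}} 3 | {{ .Values.subdomain }}.{{ .Values.domain}} 4 | {{- else if .Values.global.domain -}} 5 | {{ .Values.subdomain }}.{{ .Values.global.domain }} 6 | {{- end -}} 7 | -------------------------------------------------------------------------------- /charts/jenkins/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 3 | This software package is licensed under the Booz Allen Public License. The license can be found here: http://boozallen.github.io/licenses/bapl 4 | */ -}} 5 | 6 | {{/* Generate the Jenkins Groovy script that creates one username/password credential per entry of .Values.credentials (id, username and password are all required). Each value is base64-encoded when the chart is rendered and decoded inside Groovy, so a dollar sign, double quote or backslash in a secret is never parsed as Groovy string syntax. A credential that cannot be created is reported in the Jenkins log instead of being dropped silently. */}} 7 | {{- define "jenkins.createCredentials" }} 8 | 9 | import jenkins.* 10 | import hudson.* 11 | import hudson.util.Secret 12 | import hudson.model.* 13 | import jenkins.model.* 14 | import hudson.security.* 15 | import jenkins.security.* 16 | import com.cloudbees.plugins.credentials.* 17 | import com.cloudbees.plugins.credentials.impl.* 18 | import com.cloudbees.plugins.credentials.common.* 19 | import com.cloudbees.plugins.credentials.domains.* 20 | import com.cloudbees.jenkins.plugins.sshcredentials.impl.* 21 | import com.cloudbees.plugins.credentials.CredentialsProvider 22 | import java.util.logging.Logger 23 | 24 | def logger = Logger.getLogger("") 25 | log = { message -> 26 | logger.info("${message}..") 27 | } 28 | {{- range .Values.credentials }} 29 | log("Creating secret " + new String({{ required "Required property .Values.credentials.id missing" .id | printf "%v" | b64enc | quote }}.decodeBase64(), "UTF-8")) 30 | try{ 31 | def username = new String({{ required "Required 
property .Values.credentials.username missing" .username | printf "%v" | b64enc | quote }}.decodeBase64(), "UTF-8") 32 | def password = new String({{ required "Required property .Values.credentials.password missing" .password | printf "%v" | b64enc | quote }}.decodeBase64(), "UTF-8") 33 | def credential_id = new String({{ required "Required property .Values.credentials.id missing" .id | printf "%v" | b64enc | quote }}.decodeBase64(), "UTF-8") 34 | def cred_obj = (Credentials) new UsernamePasswordCredentialsImpl( 35 | CredentialsScope.GLOBAL, 36 | credential_id, 37 | credential_id, 38 | username, 39 | password 40 | ) 41 | SystemCredentialsProvider.getInstance().getStore().addCredentials(Domain.global(), cred_obj) 42 | }catch(any){ logger.warning("Failed to create a credential from .Values.credentials: " + any.getClass().getName()) } // only the exception class is logged, so no secret material reaches the Jenkins log 43 | {{- end }} 44 | 45 | {{- end }} 46 | -------------------------------------------------------------------------------- /charts/jenkins/templates/bc-jenkins-agent.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl 3 | # BuildConfig, rendered only when global.openshift is set: Docker-strategy build of the jenkins-agent image from the Git source under agentDockerContextDir, pushed to the jenkins-agent ImageStreamTag. 4 | {{- if .Values.global.openshift }} 5 | kind: "BuildConfig" 6 | apiVersion: "build.openshift.io/v1" 7 | metadata: 8 | name: jenkins-agent 9 | namespace: {{ .Release.Namespace }} 10 | spec: 11 | source: 12 | type: "Git" 13 | git: 14 | ref: {{ .Values.sourceRepositoryBranch | default "master" }} # NOTE(review): defaults to the moving branch "master", so the image is built from whatever that branch holds at build time; set sourceRepositoryBranch to a reviewed tag or commit for reproducible builds 15 | {{- if .Values.sourceRepositoryUrl }} 16 | uri: {{ .Values.sourceRepositoryUrl }} 17 | {{- else }} 18 | uri: {{ .Values.global.sourceRepositoryUrl }} 19 | {{- end }} 20 | contextDir: {{ .Values.agentDockerContextDir }} 21 | sourceSecret: 22 | {{- if .Values.sourceSecret }} 23 | name: {{ .Values.sourceSecret }} 24 | {{- else }} 25 | name: {{ .Values.global.sourceSecret }} 26 | {{- end }} 27 | strategy: 28 | type: "Docker" 29 | output: 30 | to: 31 | kind: ImageStreamTag 32 | name: "jenkins-agent:{{ .Values.imageTag | default .Chart.Version }}" 33 | triggers: 34 | - type: ConfigChange 35 | {{- end }} 36 | 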
-------------------------------------------------------------------------------- /charts/jenkins/templates/bc-jenkins-master.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl 3 | # BuildConfig, rendered only when global.openshift is set: Docker-strategy build of the jenkins-master image from the Git source under masterDockerContextDir, pushed to the jenkins-master ImageStreamTag. 4 | {{- if .Values.global.openshift }} 5 | kind: BuildConfig 6 | apiVersion: build.openshift.io/v1 7 | metadata: 8 | name: jenkins-master 9 | namespace: {{ .Release.Namespace }} 10 | labels: 11 | app: jenkins 12 | spec: 13 | source: 14 | type: Git 15 | git: 16 | ref: {{ .Values.sourceRepositoryBranch | default "master" }} # NOTE(review): defaults to the moving branch "master", so the image is built from whatever that branch holds at build time; set sourceRepositoryBranch to a reviewed tag or commit for reproducible builds 17 | {{- if .Values.sourceRepositoryUrl }} 18 | uri: {{ .Values.sourceRepositoryUrl }} 19 | {{- else }} 20 | uri: {{ .Values.global.sourceRepositoryUrl }} 21 | {{- end }} 22 | contextDir: {{ .Values.masterDockerContextDir | quote }} 23 | sourceSecret: 24 | {{- if .Values.sourceSecret }} 25 | name: {{ .Values.sourceSecret }} 26 | {{- else }} 27 | name: {{ .Values.global.sourceSecret }} 28 | {{- end }} 29 | strategy: 30 | type: Docker 31 | output: 32 | to: 33 | kind: ImageStreamTag 34 | name: "jenkins-master:{{.Values.imageTag | default .Chart.Version}}" 35 | triggers: 36 | - type: ConfigChange 37 | {{- end }} 38 | -------------------------------------------------------------------------------- /charts/jenkins/templates/credential-secrets.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. 
The license can be found in the License file or at http://boozallen.github.io/licenses/bapl 3 | # Secret holding the rendered jenkins.createCredentials Groovy script, base64-encoded. The script embeds every username and password from .Values.credentials, so read access to this Secret discloses them. 4 | kind: List 5 | apiVersion: v1 6 | metadata: 7 | name: credential-secrets 8 | items: 9 | - kind: Secret 10 | apiVersion: v1 11 | metadata: 12 | name: jenkins-credential-configuration 13 | namespace: {{ .Release.Namespace }} 14 | labels: 15 | app: jenkins 16 | data: 17 | credential-configuration: | 18 | {{ include "jenkins.createCredentials" . | b64enc }} 19 | -------------------------------------------------------------------------------- /charts/jenkins/templates/dc-jenkins-agent.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl 3 | # Jenkins agent workload: a StatefulSet with a docker-storage volume claim when global.persistentStorage is set, otherwise an OpenShift DeploymentConfig. Both variants request privileged mode and read the Jenkins login from the jenkins-access Secret. 4 | {{- if .Values.global.persistentStorage -}} # use the StatefulSet 5 | kind: StatefulSet 6 | apiVersion: apps/v1beta1 7 | metadata: 8 | name: jenkins-agent 9 | namespace: {{ .Release.Namespace }} 10 | labels: 11 | app: jenkins 12 | name: jenkins-agent 13 | spec: 14 | replicas: {{ .Values.numAgents }} 15 | selector: 16 | matchLabels: 17 | app: jenkins 18 | statefulset: jenkins-agent 19 | triggers: # NOTE(review): triggers/imageChangeParams is DeploymentConfig syntax; presumably it has no effect on a StatefulSet - verify 20 | - type: ConfigChange 21 | - type: ImageChange 22 | imageChangeParams: 23 | automatic: true 24 | containerNames: 25 | - jenkins-agent 26 | from: 27 | kind: ImageStreamTag 28 | name: "jenkins-agent:{{ .Values.imageTag | default .Chart.Version }}" 29 | template: 30 | metadata: 31 | labels: 32 | app: jenkins 33 | statefulset: jenkins-agent 34 | spec: 35 | serviceAccountName: jenkins 36 | containers: 37 | - image: "docker-registry.default.svc:5000/{{.Release.Namespace}}/jenkins-agent:{{ .Values.imageTag | default .Chart.Version }}" 38 | name: jenkins-agent 39 | securityContext: 40 | privileged: true # NOTE(review): a privileged container is not isolated from its node, so every build job that runs on an agent should be treated as able to reach the node; presumably required by the in-agent docker daemon the README mentions - confirm, and confine agents to dedicated nodes if it stays 41 | env: 42 | - name: JENKINS_URL 43 | value: "http://jenkins-master:8080/" # NOTE(review): plain HTTP; the JENKINS_USERNAME / JENKINS_PASSWORD values below are presumably sent over this connection - confirm in-cluster traffic is protected some other way 44 
| - name: JENKINS_TUNNEL 45 | value: "jenkins-agent:50000" 46 | - name: EXECUTORS 47 | value: "1" 48 | - name: JENKINS_USERNAME 49 | valueFrom: 50 | secretKeyRef: 51 | key: username 52 | name: jenkins-access 53 | - name: JENKINS_PASSWORD 54 | valueFrom: 55 | secretKeyRef: 56 | key: token 57 | name: jenkins-access 58 | volumeMounts: 59 | - name: docker-storage 60 | mountPath: /var/lib/docker 61 | resources: 62 | limits: 63 | cpu: {{ .Values.resources.agent.limits.cpu | quote }} 64 | memory: {{ .Values.resources.agent.limits.memory | quote }} 65 | requests: 66 | cpu: {{ .Values.resources.agent.requests.cpu | quote }} 67 | memory: {{ .Values.resources.agent.requests.memory | quote }} 68 | securityContext: # NOTE(review): second securityContext in this variant; indentation is lost in this listing, so confirm whether it is pod-level (privileged is not a PodSecurityContext field) or a duplicate container-level key 69 | privileged: true 70 | volumeClaimTemplates: 71 | - metadata: 72 | name: docker-storage 73 | spec: 74 | accessModes: [ "ReadWriteOnce" ] 75 | resources: 76 | requests: 77 | storage: {{ .Values.dockerStorage | default "100Gi" | quote }} 78 | 79 | 80 | {{- else -}} # Just use a DeploymentConfig 81 | 82 | kind: DeploymentConfig 83 | apiVersion: "apps.openshift.io/v1" 84 | metadata: 85 | name: jenkins-agent 86 | namespace: {{ .Release.Namespace }} 87 | labels: 88 | app: jenkins 89 | name: jenkins-agent 90 | spec: 91 | replicas: {{.Values.numAgents}} 92 | selector: 93 | app: jenkins 94 | deploymentconfig: jenkins-agent 95 | triggers: 96 | - type: ConfigChange 97 | - type: ImageChange 98 | imageChangeParams: 99 | automatic: true 100 | containerNames: 101 | - jenkins-agent 102 | from: 103 | kind: ImageStreamTag 104 | name: "jenkins-agent:{{ .Values.imageTag | default .Chart.Version }}" 105 | template: 106 | metadata: 107 | labels: 108 | app: jenkins 109 | deploymentconfig: jenkins-agent 110 | spec: 111 | serviceAccountName: jenkins 112 | containers: 113 | - image: "docker-registry.default.svc:5000/{{.Release.Namespace}}/jenkins-agent:{{ .Values.imageTag | default .Chart.Version }}" 114 | name: "jenkins-agent" 115 | securityContext: 116 | privileged: true # NOTE(review): same privileged request as the StatefulSet variant; the same node-isolation caveat applies 117 | env: 118 
| - name: DOCKER_DAEMON_ARGS 119 | value: {{ .Values.dockerDaemonArgs | default "--insecure-registry docker-registry.default.svc:5000" }} # the default turns off TLS verification for the internal registry, so the daemon cannot authenticate the registry it pulls from and pushes to; set dockerDaemonArgs once the registry certificate is trusted 120 | - name: JENKINS_URL 121 | value: "http://jenkins-master:8080/" 122 | - name: JENKINS_TUNNEL 123 | value: "jenkins-agent:50000" 124 | - name: EXECUTORS 125 | value: "1" 126 | - name: JENKINS_USERNAME 127 | valueFrom: 128 | secretKeyRef: 129 | key: username 130 | name: jenkins-access 131 | - name: JENKINS_PASSWORD 132 | valueFrom: 133 | secretKeyRef: 134 | key: token 135 | name: jenkins-access 136 | resources: 137 | limits: 138 | cpu: {{ .Values.resources.agent.limits.cpu | quote }} 139 | memory: {{ .Values.resources.agent.limits.memory | quote }} 140 | requests: 141 | cpu: {{ .Values.resources.agent.requests.cpu | quote }} 142 | memory: {{ .Values.resources.agent.requests.memory | quote }} 143 | securityContext: 144 | privileged: true 145 | {{- end -}} 146 | -------------------------------------------------------------------------------- /charts/jenkins/templates/dc-jenkins-master.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. 
# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Jenkins master as a single-replica OpenShift DeploymentConfig.
# It redeploys on a config change and whenever the jenkins-master ImageStreamTag moves.
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: jenkins-master
  namespace: {{ .Release.Namespace }}
  labels:
    name: jenkins-master
    app: jenkins
spec:
  replicas: 1
  selector:
    deploymentconfig: jenkins-master
    app: jenkins
  triggers:
  - type: ConfigChange
  - type: ImageChange
    imageChangeParams:
      automatic: true
      containerNames: [jenkins-master]
      from:
        kind: ImageStreamTag
        name: "jenkins-master:{{ .Values.imageTag | default .Chart.Version }}"
  template:
    metadata:
      labels:
        deploymentconfig: jenkins-master
        app: jenkins
    spec:
      # Service account that rolebinding-jenkins-edit.yaml binds to the "edit" role.
      serviceAccountName: jenkins
      containers:
      - name: jenkins-master
        image: "docker-registry.default.svc:5000/{{.Release.Namespace}}/jenkins-master:{{ .Values.imageTag | default .Chart.Version }}"
        {{- if .Values.global.openshift }}
        env:
        - name: OPENSHIFT
          value: "true"
        {{- end }}
        ports:
        # 8080 is the HTTP endpoint the agents use as JENKINS_URL.
        - {containerPort: 8080, protocol: TCP}
        # 50000 is the port the agents reach through JENKINS_TUNNEL.
        - {containerPort: 50000, protocol: TCP}
        resources:
          requests:
            cpu: {{ .Values.resources.master.requests.cpu | quote }}
            memory: {{ .Values.resources.master.requests.memory | quote }}
          limits:
            cpu: {{ .Values.resources.master.limits.cpu | quote }}
            memory: {{ .Values.resources.master.limits.memory | quote }}
        volumeMounts:
        # Jenkins runs every script in init.groovy.d at start-up, so write access to
        # the backing Secret is equivalent to code execution inside the master.
        - name: jenkins-credential-configuration
          mountPath: /var/jenkins_home/init.groovy.d/configure_credentials.groovy
          subPath: configure_credentials.groovy
      # NOTE(review): the flattened listing does not show whether this securityContext
      # sits at pod or container level - confirm against the repository. `privileged`
      # only takes effect on a container; if the master does not need it, drop it.
      securityContext:
        privileged: true
      volumes:
      - name: jenkins-credential-configuration
        secret:
          secretName: jenkins-credential-configuration
          items:
          - key: credential-configuration
            path: configure_credentials.groovy
--------------------------------------------------------------------------------
/charts/jenkins/templates/is-jenkins-agent.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

{{- if .Values.global.openshift }}
# Empty ImageStream for the jenkins-agent image; it declares no tags of its own.
# Rendered only when global.openshift is set.
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  namespace: {{ .Release.Namespace }}
  name: jenkins-agent
{{- end }}
--------------------------------------------------------------------------------
/charts/jenkins/templates/is-jenkins-master.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

{{- if .Values.global.openshift }}
# Empty ImageStream for the jenkins-master image; dc-jenkins-master.yaml triggers
# on a jenkins-master ImageStreamTag.
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  namespace: {{ .Release.Namespace }}
  name: jenkins-master
{{- end }}
--------------------------------------------------------------------------------
/charts/jenkins/templates/pipeline-images.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License.
# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

{{- if .Values.global.openshift }}
# For each pipeline tool image (a11y, openshift_helm, protractor, sonar-scanner, zap)
# this List holds an ImageStream and a Docker-strategy BuildConfig that builds
# resources/jenkins-pipeline-images/<dir> from the chart's source repository.
# The ImageStream and output tag use the directory name; the BuildConfig name has
# "_" replaced by "-" (openshift_helm -> openshift-helm).
#
# NOTE(review): `ref` defaults to the moving branch "master" and every build is
# pushed as ":latest", so the image a pipeline runs is whatever the branch held at
# build time. Pin `sourceRepositoryBranch` to a tag or commit and use an immutable
# output tag if reproducible, auditable tool images are required.
kind: List
apiVersion: v1
metadata:
  name: pipeline-images
items:
{{- range $dir := list "a11y" "openshift_helm" "protractor" "sonar-scanner" "zap" }}

- apiVersion: image.openshift.io/v1
  kind: ImageStream
  metadata:
    name: {{ $dir }}
    namespace: {{ $.Release.Namespace }}

- apiVersion: build.openshift.io/v1
  kind: BuildConfig
  metadata:
    name: {{ $dir | replace "_" "-" }}
    namespace: {{ $.Release.Namespace }}
  spec:
    source:
      type: Git
      git:
        ref: {{ $.Values.sourceRepositoryBranch | default "master" }}
        uri: {{ $.Values.sourceRepositoryUrl | default $.Values.global.sourceRepositoryUrl }}
      contextDir: "resources/jenkins-pipeline-images/{{ $dir }}"
      sourceSecret:
        name: {{ $.Values.sourceSecret | default $.Values.global.sourceSecret }}
    strategy:
      type: Docker
    output:
      to:
        kind: ImageStreamTag
        name: "{{ $dir }}:latest"
    triggers:
    - type: ConfigChange
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/charts/jenkins/templates/rolebinding-jenkins-edit.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License.
# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Binds the "edit" role to the jenkins service account in the release namespace.
# NOTE(review): both the master and the agent templates run as this service
# account, so pipeline code on an agent can use its token. "edit" normally
# includes reading Secrets in the namespace - confirm that scope is intended.
apiVersion: authorization.openshift.io/v1
kind: RoleBinding
metadata:
  namespace: {{ .Release.Namespace }}
  name: "jenkins_edit"
groupNames:
subjects:
- name: jenkins
  kind: ServiceAccount
roleRef:
  name: edit
--------------------------------------------------------------------------------
/charts/jenkins/templates/route-jenkins.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

{{- if .Values.global.openshift }}
# External Route to the jenkins-master Service. The host is
# <subdomain>.<domain>, taking the chart-level domain first and the global one
# second; with neither set, `host` is omitted.
# NOTE(review): there is no `tls:` stanza, so as written the Jenkins login and API
# tokens cross this route over plain HTTP. Consider edge termination with a
# redirect of insecure traffic.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  #note: this name must match the oauth redirect used in the jenkins-sa chart
  name: jenkins
  namespace: {{ .Release.Namespace }}
spec:
  {{- $domain := .Values.domain | default .Values.global.domain }}
  {{- if $domain }}
  host: "{{ .Values.subdomain }}.{{ $domain }}"
  {{- end }}
  to:
    name: jenkins-master
    kind: Service
{{- end }}
--------------------------------------------------------------------------------
/charts/jenkins/templates/sa-jenkins.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License.
# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Service account used by the Jenkins master and agent pods.
# The annotation names the Route "jenkins" as this account's OAuth redirect
# reference, which is why route-jenkins.yaml must keep that name.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: {{ .Release.Namespace }}
  name: jenkins
  annotations:
    serviceaccounts.openshift.io/oauth-redirectreference.jenkins: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"jenkins"}}'
--------------------------------------------------------------------------------
/charts/jenkins/templates/svc-jenkins-agent.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Despite its name, this Service selects the jenkins-master pod: it publishes the
# master's port 50000, which the agent template addresses as
# JENKINS_TUNNEL=jenkins-agent:50000. The port is named "web" although it is not
# the HTTP port.
apiVersion: v1
kind: Service
metadata:
  namespace: {{ .Release.Namespace }}
  name: jenkins-agent
  labels:
    app: jenkins
spec:
  selector:
    deploymentconfig: jenkins-master
    app: jenkins
  ports:
  - name: web
    port: 50000
    targetPort: 50000
    protocol: TCP
    nodePort: 0
--------------------------------------------------------------------------------
/charts/jenkins/templates/svc-jenkins-master.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License.
# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# In-cluster Service for the Jenkins HTTP port (8080) on the master pod; this is
# the target of route-jenkins.yaml and of the agents' JENKINS_URL.
apiVersion: v1
kind: Service
metadata:
  namespace: {{ .Release.Namespace }}
  name: jenkins-master
  labels:
    app: jenkins
spec:
  selector:
    deploymentconfig: jenkins-master
    app: jenkins
  ports:
  - name: web
    port: 8080
    targetPort: 8080
    protocol: TCP
    nodePort: 0
--------------------------------------------------------------------------------
/charts/jenkins/values.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl
# Values shared across the charts; a chart-level key of the same name wins.
global:
  openshift: true
  persistentStorage: true
  domain: apps.ocp.example.com
  sourceRepositoryUrl: "https://github.com/boozallen/sdp-helm-chart"
  # Name of the source secret the BuildConfigs use to clone the repository.
  sourceSecret: github

#domain: null
subdomain: jenkins
masterDockerContextDir: resources/jenkins-master
agentDockerContextDir: resources/jenkins-agent
# Replica count of the jenkins-agent DeploymentConfig.
numAgents: 4
#sourceRepositoryUrl: null
#sourceRepositoryBranch: null # defaults to master
#imageTag: null # defaults to .Chart.Version
#sourceSecret: null
resources:
  master:
    limits: {cpu: "1000m", memory: "4000Mi"}
    requests: {cpu: "1000m", memory: "4000Mi"}
  agent:
    limits: {cpu: "1000m", memory: "1500Mi"}
    requests: {cpu: "1000m", memory: "1500Mi"}
# Size requested for each agent's docker-storage volume claim.
dockerStorage: "100Gi"
# Passed to the agent container as DOCKER_DAEMON_ARGS.
# NOTE(review): --insecure-registry tells the Docker daemon not to require a
# verified TLS connection to the internal registry, so pushes and pulls to it
# are not protected against interception inside the cluster network. Prefer
# trusting the registry's CA in the agent image and removing this flag.
dockerDaemonArgs: "--insecure-registry docker-registry.default.svc:5000"
--------------------------------------------------------------------------------
/charts/selenium/Chart.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton.
# All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Chart metadata. appVersion is the fallback image tag used by the selenium
# templates when imageTag is not set.
name: selenium
description: A Helm chart for SDP Selenium-Grid
apiVersion: v1
version: 0.1.0
appVersion: "3.12.0"
--------------------------------------------------------------------------------
/charts/selenium/templates/bc-selenium-chrome.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

{{- if .Values.global.openshift }}
# Docker-strategy build of the selenium-chrome node image from the chart's source
# repository (chart-level URL/secret first, global values as fallback).
# NOTE(review): `ref` defaults to the moving branch "master"; pin it to a tag or
# commit if the built image must be reproducible.
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: selenium-chrome
  namespace: {{ .Release.Namespace }}
  labels:
    app: selenium
spec:
  source:
    type: Git
    git:
      ref: {{ .Values.sourceRepositoryBranch | default "master" }}
      uri: {{ .Values.sourceRepositoryUrl | default .Values.global.sourceRepositoryUrl }}
    contextDir: {{ .Values.chromeDockerContextDir | quote }}
    sourceSecret:
      name: {{ .Values.sourceSecret | default .Values.global.sourceSecret }}
  strategy:
    type: Docker
  output:
    to:
      kind: ImageStreamTag
      name: "selenium-chrome:{{.Values.imageTag | default .Chart.AppVersion}}"
  triggers:
  - type: ConfigChange
{{- end }}
--------------------------------------------------------------------------------
/charts/selenium/templates/dc-selenium-chrome.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton.
# All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Selenium Chrome node. It runs the image produced by bc-selenium-chrome.yaml from
# the internal registry and is pointed at the hub Service through
# HUB_HOST / HUB_PORT_PARAM.
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: selenium-chrome
  namespace: {{ .Release.Namespace }}
  labels:
    app: selenium
    node: chrome
spec:
  replicas: 1
  selector:
    app: selenium
    deploymentconfig: selenium-chrome
    node: chrome
  template:
    metadata:
      labels:
        app: selenium
        deploymentconfig: selenium-chrome
        node: chrome
    spec:
      containers:
      - name: selenium-chrome
        image: docker-registry.default.svc:5000/{{ .Release.Namespace }}/selenium-chrome:{{.Values.imageTag | default .Chart.AppVersion}}
        imagePullPolicy: Always
        env:
        - name: HOME
          value: /home/seluser
        - name: USER_NAME
          value: seluser
        - name: HUB_PORT_PARAM
          value: '4444'
        - name: HUB_HOST
          value: selenium-hub.{{ .Release.Namespace }}.svc
  triggers:
  - type: ConfigChange
  - type: ImageChange
    imageChangeParams:
      automatic: true
      containerNames: [selenium-chrome]
      from:
        kind: ImageStreamTag
        name: 'selenium-chrome:{{.Values.imageTag | default .Chart.AppVersion}}'

--------------------------------------------------------------------------------
/charts/selenium/templates/dc-selenium-firefox.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License.
# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Selenium Firefox node. Unlike the Chrome node it is not built in-cluster: the
# container image is the upstream selenium/node-firefox image, tracked through
# the selenium-firefox ImageStreamTag.
# NOTE(review): the image is referenced by tag, not digest, so its content is
# whatever the upstream registry serves for that tag at pull time.
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: selenium-firefox
  namespace: {{ .Release.Namespace }}
  labels:
    app: selenium
spec:
  replicas: 1
  selector:
    app: selenium
    deploymentconfig: selenium-firefox
  template:
    metadata:
      labels:
        app: selenium
        deploymentconfig: selenium-firefox
    spec:
      containers:
      - name: selenium-firefox
        image: "selenium/node-firefox:{{ .Values.imageTag | default .Chart.AppVersion }}"
        imagePullPolicy: IfNotPresent
        env:
        - name: HUB_HOST
          value: selenium-hub.{{ .Release.Namespace }}.svc
        - name: HUB_PORT_PARAM
          value: '4444'
  triggers:
  - type: ConfigChange
  - type: ImageChange
    imageChangeParams:
      automatic: true
      containerNames: [selenium-firefox]
      from:
        kind: ImageStreamTag
        name: 'selenium-firefox:{{ .Values.imageTag | default .Chart.AppVersion }}'
--------------------------------------------------------------------------------
/charts/selenium/templates/dc-selenium-hub.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License.
# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Selenium Grid hub, listening on 4444. It runs the upstream selenium/hub image,
# tracked through the selenium-hub ImageStreamTag in the release namespace.
# NOTE(review): the image is referenced by tag, not digest - see is-selenium-hub.yaml.
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: selenium-hub
  namespace: {{ .Release.Namespace }}
  labels:
    app: selenium
    node: hub
spec:
  replicas: 1
  selector:
    app: selenium
    deploymentconfig: selenium-hub
    node: hub
  template:
    metadata:
      labels:
        app: selenium
        deploymentconfig: selenium-hub
        node: hub
    spec:
      containers:
      - name: selenium-hub
        image: selenium/hub:{{ .Values.imageTag | default .Chart.AppVersion }}
        imagePullPolicy: IfNotPresent
        ports:
        - {containerPort: 4444, protocol: TCP}
  triggers:
  - type: ConfigChange
  - type: ImageChange
    imageChangeParams:
      automatic: true
      containerNames: [selenium-hub]
      from:
        kind: ImageStreamTag
        name: 'selenium-hub:{{ .Values.imageTag | default .Chart.AppVersion }}'
        namespace: {{ .Release.Namespace }}

--------------------------------------------------------------------------------
/charts/selenium/templates/is-selenium-chrome.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# ImageStream that receives the output of the selenium-chrome BuildConfig.
kind: ImageStream
apiVersion: image.openshift.io/v1
metadata:
  namespace: {{ .Release.Namespace }}
  name: selenium-chrome
spec:
  lookupPolicy: {local: false}
--------------------------------------------------------------------------------
/charts/selenium/templates/is-selenium-firefox.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# ImageStream that imports the upstream selenium/node-firefox image under a tag
# named after imageTag (falling back to the chart's appVersion).
# NOTE(review): the import source is a mutable tag on an external registry;
# referencing the image by digest would fix exactly what gets deployed.
kind: ImageStream
apiVersion: image.openshift.io/v1
metadata:
  name: selenium-firefox
  namespace: {{ .Release.Namespace }}
  labels:
    app: selenium
spec:
  lookupPolicy: {local: false}
  tags:
  - name: {{ .Values.imageTag | default .Chart.AppVersion }}
    from:
      kind: DockerImage
      name: 'selenium/node-firefox:{{ .Values.imageTag | default .Chart.AppVersion }}'
--------------------------------------------------------------------------------
/charts/selenium/templates/is-selenium-hub.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# ImageStream that imports the upstream selenium/hub image under a tag named after
# imageTag (falling back to the chart's appVersion).
# NOTE(review): as with the Firefox node, the source is a mutable external tag.
kind: ImageStream
apiVersion: image.openshift.io/v1
metadata:
  name: selenium-hub
  namespace: {{ .Release.Namespace }}
  labels:
    app: selenium
    node: hub
spec:
  lookupPolicy: {local: false}
  tags:
  - name: {{ .Values.imageTag | default .Chart.AppVersion }}
    from:
      kind: DockerImage
      name: 'selenium/hub:{{ .Values.imageTag | default .Chart.AppVersion }}'
--------------------------------------------------------------------------------
/charts/selenium/templates/route-selenium.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License.
# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

{{- if .Values.global.openshift }}
# External Route to the Selenium hub (Service port 4444-tcp). The host is
# <subdomain>.<domain>, chart-level domain first, global second; with neither set,
# `host` is omitted.
# NOTE(review): the route has no `tls:` stanza and nothing in this chart puts
# authentication in front of the hub, so anyone who can reach the route can
# presumably drive the grid's browsers. Confirm it is reachable only from trusted
# networks, or keep the hub cluster-internal.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: selenium-route
  namespace: {{ .Release.Namespace }}
  labels:
    app: selenium
spec:
  {{- $domain := .Values.domain | default .Values.global.domain }}
  {{- if $domain }}
  host: "{{ .Values.subdomain }}.{{ $domain }}"
  {{- end }}
  port:
    targetPort: 4444-tcp
  to:
    name: selenium-hub
    kind: Service
{{- end }}
--------------------------------------------------------------------------------
/charts/selenium/templates/svc-selenium-hub.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# In-cluster Service for the hub; the browser nodes reach it as
# selenium-hub.<namespace>.svc on port 4444.
kind: Service
apiVersion: v1
metadata:
  name: selenium-hub
  namespace: {{ .Release.Namespace }}
  labels:
    app: selenium
    node: hub
spec:
  selector:
    deploymentconfig: selenium-hub
  ports:
  - name: 4444-tcp
    protocol: TCP
    port: 4444
    targetPort: 4444

--------------------------------------------------------------------------------
/charts/selenium/values.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License.
# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl
# Values shared across the charts; a chart-level key of the same name wins.
global:
  openshift: true
  domain: apps.ocp.example.com
  sourceRepositoryUrl: "https://github.com/boozallen/sdp-helm-chart"
  # Name of the source secret the BuildConfig uses to clone the repository.
  sourceSecret: github

# Build context of the Chrome node image inside the source repository.
chromeDockerContextDir: resources/selenium_grid/chrome
# Tag used for the hub and node images.
imageTag: 3.12.0
subdomain: selenium-grid
--------------------------------------------------------------------------------
/charts/sonarqube/Chart.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Chart metadata. The sonarqube templates fall back to `version` (not appVersion)
# as the image tag when imageTag is not set.
name: sonarqube
description: A Helm chart for SonarQube
apiVersion: v1
version: 0.1.0
appVersion: "1.0"
--------------------------------------------------------------------------------
/charts/sonarqube/templates/NOTES.txt:
--------------------------------------------------------------------------------
Successfully installed SonarQube:
{{- if .Values.domain -}}
{{ .Values.subdomain }}.{{ .Values.domain}}
{{- else if .Values.global.domain -}}
{{ .Values.subdomain }}.{{ .Values.global.domain }}
{{- end -}}
--------------------------------------------------------------------------------
/charts/sonarqube/templates/bc.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License.
# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

{{- if .Values.global.openshift }}
# Docker-strategy build of the SonarQube image from the chart's source repository
# (chart-level URL/secret first, global values as fallback).
# NOTE(review): unlike the Jenkins pipeline-image and Selenium BuildConfigs on
# this page, no git `ref` is set here, so the build follows the repository's
# default branch. Set an explicit tag or commit for a reproducible image.
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: sonarqube
  namespace: {{ .Release.Namespace }}
spec:
  source:
    type: Git
    git:
      uri: {{ .Values.sourceRepositoryUrl | default .Values.global.sourceRepositoryUrl }}
    contextDir: {{ .Values.dockerContextDir }}
    sourceSecret:
      name: {{ .Values.sourceSecret | default .Values.global.sourceSecret }}
  strategy:
    type: Docker
  output:
    to:
      kind: ImageStreamTag
      name: "sonarqube:{{ .Values.imageTag | default .Chart.Version }}"
  triggers:
  - type: ConfigChange
{{- end }}
--------------------------------------------------------------------------------
/charts/sonarqube/templates/dc.yaml:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License.
# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Deploys SonarQube together with a "configure-sonarqube" sidecar, plus the two
# ConfigMaps that hold the scripts the sidecar runs against SonarQube and Jenkins.
kind: List
apiVersion: "apps.openshift.io/v1"
metadata:
  name: list
items:
- kind: DeploymentConfig
  apiVersion: "apps.openshift.io/v1"
  metadata:
    name: sonarqube
    namespace: {{ .Release.Namespace }}
    labels:
      app: sonarqube
      deploymentconfig: sonarqube
  spec:
    strategy:
      rollingParams:
        post:
          # NOTE(review): this hook names container "sonarqube-bootstrap" and secret keys
          # "jenkins-user"/"jenkins-password"; the pod template below only defines the
          # containers "sonarqube" and "configure-sonarqube" and reads the keys
          # "username"/"token" from the same secret. With failurePolicy "ignore" a hook
          # that cannot run would go unnoticed - confirm it is still wanted.
          execNewPod:
            env:
            - name: JENKINS_USER
              valueFrom:
                secretKeyRef:
                  name: jenkins-access
                  key: jenkins-user
            - name: JENKINS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: jenkins-access
                  key: jenkins-password
            command:
            - /bin/sh
            - /opt/sonarqube/post-install-on-sonarqube.sh
            containerName: sonarqube-bootstrap
          failurePolicy: ignore
      type: Recreate
    triggers:
    - type: ConfigChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
        - sonarqube
        from:
          kind: ImageStreamTag
          name: sonarqube:{{ .Values.imageTag | default .Chart.Version }}
    replicas: 1
    selector:
      name: sonarqube
    template:
      metadata:
        labels:
          name: sonarqube
          app: sonarqube
          deploymentconfig: sonarqube
      spec:
        containers:
        - name: sonarqube
          image: "docker-registry.default.svc:5000/{{.Release.Namespace}}/sonarqube:{{ .Values.imageTag | default .Chart.Version }}"
          # NOTE(review): imagePullSecrets is a pod-level list, not a container field, and
          # "Always" reads like a pull-policy value; it disagrees with the imagePullPolicy
          # on the next line - confirm which policy was intended.
          imagePullSecrets: Always
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: {{ .Values.resources.limits.cpu | quote }}
              memory: {{ .Values.resources.limits.memory | quote }}
            requests:
              cpu: {{ .Values.resources.requests.cpu | quote }}
              memory: {{ .Values.resources.requests.memory | quote }}
          volumeMounts:
          - name: sonarqube-data
            mountPath: /opt/sonarqube/data
          # The generated SonarQube username/password secret is also mounted as files
          # into the SonarQube container itself.
          - name: sonarqube-credential-configuration
            mountPath: /opt/sonarqube/data2
        # Sidecar: waits for Jenkins and SonarQube, runs /scripts/script.sh, posts
        # sonarqube-secret.groovy to the Jenkins /scriptText endpoint, then idles.
        - name: configure-sonarqube
          # NOTE(review): "centos" carries no tag or digest, so the sidecar image is
          # whatever the registry serves at pull time.
          image: centos
          imagePullSecrets: Always
          imagePullPolicy: IfNotPresent
          env:
          - name: API_USER
            valueFrom:
              secretKeyRef:
                name: jenkins-access
                key: username
          - name: API_TOKEN
            valueFrom:
              secretKeyRef:
                name: jenkins-access
                key: token
          - name: SQ_USER
            valueFrom:
              secretKeyRef:
                name: sonarqube-credential-configuration
                key: username
          - name: SQ_PW
            valueFrom:
              secretKeyRef:
                name: sonarqube-credential-configuration
                key: password
          command: [ "/bin/bash" ]
          # NOTE(review): the health check below (and script.sh) authenticate to SonarQube
          # as admin:admin, the built-in default account. Nothing on this page changes that
          # password, so the default login stays valid after setup; the chart also defines
          # a Route for this service. Rotating the admin password as part of this bootstrap
          # would close that gap.
          # The Jenkins API token is sent with HTTP basic auth over plain http:// to the
          # jenkins-master service, and /scriptText runs the posted Groovy with whatever
          # rights API_USER has.
          args: [ "-c", "until curl -sL -w %{http_code} -u $API_USER:$API_TOKEN http://jenkins-master:8080 -o /dev/null | grep 200 ; do echo \"waiting on jenkins..\" && sleep 2; done && echo \"waiting on sonarqube...\" && until curl -s -u admin:admin http://localhost:9000/api/system/health | grep -i green ; do echo \"sleeping..\" && sleep 2; done && bash /scripts/script.sh && curl --user \"$API_USER:$API_TOKEN\" --data-urlencode \"script=$(< /scripts2/sonarqube-secret.groovy)\" http://jenkins-master:8080/scriptText && echo \"completed script...\" && tail -f /dev/null"]
          # Liveness = "the sonarqube credential exists in Jenkins"; the probe runs every
          # 5 seconds starting 5 seconds after container start.
          # NOTE(review): that is likely earlier than the bootstrap above can finish -
          # confirm the container is not restarted mid-setup.
          livenessProbe:
            exec:
              command:
              - /bin/sh
              - '-c'
              - curl -sL -w %{http_code} -u $API_USER:$API_TOKEN http://jenkins-master:8080/credentials/store/system/domain/_/credential/sonarqube/api/json -o /dev/null | grep 200
            initialDelaySeconds: 5
            periodSeconds: 5
          volumeMounts:
          - mountPath: /scripts
            name: configure-sonarqube-mount
          - mountPath: /scripts2
            name: sonarqube-secret-config
        volumes:
        - name: configure-sonarqube-mount
          configMap:
            name: sonarqube-config
            items:
            - key: sonarqube.script
              path: script.sh
        - name: sonarqube-secret-config
          configMap:
            name: sonarqube-inject
            items:
            - key: sonarqube-secret.script
              path: sonarqube-secret.groovy
        - name: sonarqube-credential-configuration
          secret:
            secretName: sonarqube-credential-configuration
            items:
            - key: username
              path: username
            - key: password
              path: password
        # emptyDir: SonarQube's data directory does not outlive the pod.
        - emptyDir: {}
          name: sonarqube-data

- kind: ConfigMap
  apiVersion: v1
  metadata:
    name: sonarqube-inject
    namespace: {{ .Release.Namespace }}
    labels:
      app: sonarqube
  data:
    # Groovy sent to the Jenkins script console: registers the SonarQube server
    # (http://sonarqube:9000) and a Sonar Scanner tool installation.
    # NOTE(review): only scanner.save() is called; confirm the server installation set
    # on "sonar" is persisted without a matching sonar.save().
    sonarqube-secret.script: |
      import com.cloudbees.plugins.credentials.impl.*
      import com.cloudbees.plugins.credentials.domains.*
      import jenkins.model.Jenkins
      import hudson.plugins.sonar.SonarInstallation
      import hudson.plugins.sonar.SonarRunnerInstallation
      import hudson.plugins.sonar.SonarRunnerInstaller
      import hudson.plugins.sonar.model.TriggersConfig
      import hudson.tools.InstallSourceProperty
      // Setup the Sonar Scanner configuration
      def sonar = Jenkins.getInstance().getDescriptor("hudson.plugins.sonar.SonarGlobalConfiguration")
      sonar.setInstallations(new SonarInstallation("SonarQube","http://sonarqube:9000","", "5.3", "", new TriggersConfig(), ""))
      def scanner = Jenkins.getInstance().getDescriptor("hudson.plugins.sonar.SonarRunnerInstallation")
      def prop = new InstallSourceProperty([new SonarRunnerInstaller("3.0.3.778")])
      scanner.setInstallations(new SonarRunnerInstallation("Sonar Scanner", "", [prop]))
      scanner.save()
- kind: ConfigMap
  apiVersion: v1
  metadata:
    name: sonarqube-config
    namespace: {{ .Release.Namespace }}
    labels:
      app: sonarqube
  data:
    # Shell run by the sidecar: creates the SonarQube user, sets the global webhook,
    # then stores the same username/password in Jenkins as credential "sonarqube".
    # NOTE(review):
    #  - the new user's password travels in the URL query string of the first request,
    #    where servers and proxies commonly log it; sending it as POST data avoids that.
    #  - in the second curl the unescaped double quotes around name end and reopen the
    #    shell string, so the JSON actually sent differs from what the line suggests.
    #  - the Jenkins JSON is built by splicing $SQ_USER/$SQ_PW into a string; that is
    #    only safe while both values stay plain alphanumerics.
    #  - the crumb header comes from an unquoted command substitution.
    sonarqube.script: |
      curl -X POST -s -u admin:admin http://sonarqube:9000/api/users/create\?login\=$SQ_USER\&name\=user\&password\=$SQ_PW && \
      curl -X POST --data "key=sonar.webhooks.global" --data "fieldValues={"name":$SQ_USER, "url":\"http://jenkins-master:8080/sonarqube-webhook/\"}" -u admin:admin http://sonarqube:9000/api/settings/set && \
      curl -X POST --verbose -u "$API_USER:$API_TOKEN" -H $(curl -u $API_USER:$API_TOKEN 'http://jenkins-master:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)') "http://jenkins-master:8080/credentials/store/system/domain/_/createCredentials" --data-urlencode 'json={
        "": "0",
        "credentials": {
          "scope": "GLOBAL",
          "id": "sonarqube",
          "username": "'$SQ_USER'",
          "password": "'$SQ_PW'",
          "description": "sonarqube api credentials",
          "stapler-class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
        }
      }'
-------------------------------------------------------------------------------- /charts/sonarqube/templates/is.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl 3 | 4 | {{ if .Values.global.openshift }} 5 | kind: ImageStream 6 | apiVersion: image.openshift.io/v1 7 | metadata: 8 | name: sonarqube 9 | namespace: {{ .Release.Namespace }} 10 | labels: 11 | app: sonarqube 12 | {{ end }} 13 | -------------------------------------------------------------------------------- /charts/sonarqube/templates/route.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. 
The license can be found in the License file or at http://boozallen.github.io/licenses/bapl 3 | 4 | {{- if .Values.global.openshift }} 5 | kind: Route 6 | apiVersion: route.openshift.io/v1 7 | metadata: 8 | labels: 9 | app: sonarqube 10 | name: sonarqube 11 | namespace: {{ .Release.Namespace }} 12 | spec: 13 | {{- if .Values.domain }} 14 | host: "{{.Values.subdomain}}.{{.Values.domain}}" 15 | {{- else if .Values.global.domain }} 16 | host: "{{.Values.subdomain}}.{{.Values.global.domain}}" 17 | {{- end }} 18 | port: 19 | targetPort: 9000-tcp 20 | to: 21 | kind: Service 22 | name: sonarqube 23 | weight: 100 24 | wildcardPolicy: None 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /charts/sonarqube/templates/service.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl 3 | 4 | apiVersion: v1 5 | kind: Service 6 | metadata: 7 | labels: 8 | app: sonarqube 9 | name: sonarqube 10 | namespace: {{ .Release.Namespace }} 11 | spec: 12 | ports: 13 | - name: 9000-tcp 14 | port: 9000 15 | protocol: TCP 16 | targetPort: 9000 17 | selector: 18 | deploymentconfig: sonarqube 19 | sessionAffinity: None 20 | type: ClusterIP 21 | -------------------------------------------------------------------------------- /charts/sonarqube/templates/sq-secret.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. 
The license can be found in the License file or at http://boozallen.github.io/licenses/bapl 3 | 4 | apiVersion: v1 5 | kind: Secret 6 | metadata: 7 | name: sonarqube-credential-configuration 8 | annotations: 9 | "helm.sh/hook": pre-install 10 | "helm.sh/hook-delete-policy": hook-failed 11 | namespace: {{ .Release.Namespace }} 12 | labels: 13 | app: jenkins 14 | data: 15 | username: {{ randAlphaNum 10 | b64enc | quote }} 16 | password: {{ randAlphaNum 10 | b64enc | quote }} 17 | -------------------------------------------------------------------------------- /charts/sonarqube/values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl 3 | global: 4 | openshift: true 5 | persistentStorage: true 6 | domain: apps.ocp.example.com 7 | sourceRepositoryUrl: "https://github.com/boozallen/sdp-helm-chart" 8 | sourceSecret: github 9 | 10 | #domain: null 11 | subdomain: sonarqube 12 | dockerContextDir: resources/sonarqube 13 | #sourceRepositoryUrl: null 14 | #imageTag: null # defaults to .Chart.version 15 | resources: 16 | limits: 17 | cpu: "250m" 18 | memory: "2000Mi" 19 | requests: 20 | cpu: "250m" 21 | memory: "2000Mi" 22 | -------------------------------------------------------------------------------- /installer.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 4 | # This software package is licensed under the Booz Allen Public License. 
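# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Installs the Solutions Delivery Platform on OpenShift. In order, it checks that
# oc and helm are usable, creates the <name>-tiller project with a Tiller server,
# creates the <name> project, stores the GitHub credentials as a secret, grants the
# jenkins service account the permissions it is given below, and runs helm install.
#
# Options: -n deployment name, -j Jenkins subdomain, -s Sonarqube subdomain,
#          -a generate subdomains, -h help.
# Environment: GH_USER / GH_PAT are used when both are set; otherwise prompted for.

# Constants
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# Names are validated before use: project names must be DNS labels, and keeping
# "," and "=" out of the subdomains stops them being parsed by helm --set as
# additional key=value pairs.
DNS_LABEL_RE='^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
DNS_NAME_RE='^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'

# if [ -z "$1" ]; then
#   DEPLOYMENT_NAME="sdp"
# else
#   DEPLOYMENT_NAME="$1"
# fi

# Helper Methods:
# pretty pass/fail notations
# The message is an argument to a fixed format, never the format itself, so a "%"
# or backslash inside a name is printed literally.
pass(){
  printf '\xE2\x9C\x94 %s \n' "$1"
}
fail(){
  printf '\xE2\x9C\x97 %s \n\n' "$1"
}

# title TEXT: print TEXT inside a box of dashes.
title(){
  local border
  border="$(printf '%*s' "$(( ${#1} + 4 ))" '' | tr ' ' '-')"
  printf '%s\n' "$border"
  echo "| $1 |"
  printf '%s\n' "$border"
}

# usage: print the help text.
usage(){
  echo "script usage: "
  echo " -a | automatically generate subdomains for routes; overridden"
  echo " by -j and -s options, and overrides helm values files"
  echo " -h | displays this help message"
  echo " -j | sets and overrides the subdomain for the Jenkins route"
  echo " -n | sets the deployment name (default = \"sdp\")"
  echo " -s | sets and overrides the subdomain for the Sonarqube route"
  echo ""
  echo " example: "
  echo " ./installer.sh -n my-sdp -a -j my-jenkins"
  echo ""
  echo " This example would create the following projects: "
  echo ""
  echo " 1) \"my-sdp\", which contains Jenkins, as well as any"
  echo " other services (sonarqube, selenium, etc.) for which"
  echo " the \"enabled\" value was set to \"true\" in values.yaml"
  echo ""
  echo " 2) \"my-sdp-tiller\", which contains the tiller server"
  echo " the SDP uses to its deployment and related services"
  echo " on Openshift"
}

# require_match DESCRIPTION VALUE REGEX: exit 1 unless VALUE matches REGEX.
require_match(){
  if ! [[ "$2" =~ $3 ]]; then
    echo "$1 must consist of lowercase letters, digits and '-': $2"
    echo "see -h for help"
    exit 1
  fi
}

GENERATE_SUBDOMAINS=0 #Setting default value

# parsing input arguments
while getopts "n:j:s:ah" OPT; do
  case "$OPT" in
    n)
      if [ -z ${DEPLOYMENT_NAME+x} ]; then
        DEPLOYMENT_NAME="${OPTARG}"
      else
        echo "deployment name (-n) can only be used once."
        echo "see -h for help"
        exit 1
      fi
      ;;

    j)
      if [ -z ${JENKINS_SUBDOMAIN+x} ]; then
        JENKINS_SUBDOMAIN="${OPTARG}"
      else
        echo "Jenkins subdomain (-j) can only be used once."
        echo "see -h for help"
        exit 1
      fi
      ;;

    s)
      if [ -z ${SONARQUBE_SUBDOMAIN+x} ]; then
        SONARQUBE_SUBDOMAIN="${OPTARG}"
      else
        echo "Sonarqube subdomain (-s) can only be used once."
        echo "see -h for help"
        exit 1
      fi
      ;;

    a)
      GENERATE_SUBDOMAINS=1
      ;;

    h)
      usage
      exit 0
      ;;

    \?)
      # an unknown option or a missing argument is an error, not a successful run
      usage
      exit 1
      ;;
  esac
done

#setting default values
if [ -z ${DEPLOYMENT_NAME+x} ]; then
  DEPLOYMENT_NAME="sdp"
fi

if [ -z ${JENKINS_SUBDOMAIN+x} ]; then
  JENKINS_SUBDOMAIN=""
fi

if [ -z ${SONARQUBE_SUBDOMAIN+x} ]; then
  SONARQUBE_SUBDOMAIN=""
fi

require_match "deployment name (-n)" "$DEPLOYMENT_NAME" "$DNS_LABEL_RE"
if [ -n "$JENKINS_SUBDOMAIN" ]; then
  require_match "Jenkins subdomain (-j)" "$JENKINS_SUBDOMAIN" "$DNS_NAME_RE"
fi
if [ -n "$SONARQUBE_SUBDOMAIN" ]; then
  require_match "Sonarqube subdomain (-s)" "$SONARQUBE_SUBDOMAIN" "$DNS_NAME_RE"
fi

TILLER_PROJECT="$DEPLOYMENT_NAME-tiller"

# -----------------------------
title "Validate Requirements"

# validate oc is installed
if command -v oc &> /dev/null; then
  pass "oc installed"
else
  fail "oc installed"
  echo "OpenShift CLI required"
  echo "See: https://docs.openshift.com/container-platform/latest/cli_reference/get_started_cli.html"
  echo "for installation instructions"
  exit 1
fi

# validate user is logged into OpenShift
if oc version | grep Server &> /dev/null; then
  pass "logged in with oc"
else
  fail "logged in with oc"
  echo "You must be logged in with the OpenShift CLI"
  echo "Please run the oc login command from the OpenShift Web Console."
  exit 1
fi

# validate helm is installed
if command -v helm &> /dev/null; then
  pass "helm installed"
else
  fail "helm installed"
  echo "Helm CLI required"
  echo "See: https://docs.helm.sh/using_helm/#install-helm"
  echo "for installation instructions"
  exit 1
fi

# not support brownfield deployments.
# validate sdp-tiller and sdp projects don't exist
if oc get project "$TILLER_PROJECT" &> /dev/null; then
  fail "project $TILLER_PROJECT already exists"
  echo "Brownfield deployments not supported."
  echo "Uninstall existing infrastructure via: "
  echo " oc delete project $TILLER_PROJECT"
  exit 1
fi
if oc get project "$DEPLOYMENT_NAME" &> /dev/null; then
  fail "project $DEPLOYMENT_NAME already exists"
  echo "Brownfield deployments not supported."
  echo "Uninstall existing infrastructure via: "
  echo " oc delete project $DEPLOYMENT_NAME"
  exit 1
fi

# -----------------------------
title "Install Tiller Server"

# create sdp-tiller project
if oc new-project "$TILLER_PROJECT" --display-name="$DEPLOYMENT_NAME Tiller Server" --description="Tiller Server to deploy sdp resources" > /dev/null; then
  pass "project $TILLER_PROJECT created"
else
  fail "project $TILLER_PROJECT created"
  exit 1
fi

# create sdp-tiller service account
if oc create serviceaccount tiller -n "$TILLER_PROJECT" > /dev/null; then
  pass "service account tiller created"
else
  fail "service account tiller created"
  exit 1
fi

# install tiller server in sdp-tiller
if helm init --tiller-namespace "$TILLER_PROJECT" --service-account tiller --wait > /dev/null; then
  pass "Helm installed in $TILLER_PROJECT"
else
  fail "Helm installed in $TILLER_PROJECT"
  exit 1
fi

# give tiller sa requisite permissions
if oc apply -f <(oc process -f "$SCRIPT_DIR/resources/helm/tiller_role.yaml" -p "TILLER_NAMESPACE=$TILLER_PROJECT") -n "$TILLER_PROJECT" > /dev/null; then
  pass "tiller sa given permissions to $TILLER_PROJECT"
else
  fail "tiller sa given permissions to $TILLER_PROJECT"
  exit 1
fi

# -----------------------------
title "Prepare SDP Resources"

# create sdp project
if oc new-project "$DEPLOYMENT_NAME" --display-name="$DEPLOYMENT_NAME - Solutions Delivery Platform" --description="CI/CD Tools for sdp" > /dev/null; then
  pass "project $DEPLOYMENT_NAME created"
else
  fail "project $DEPLOYMENT_NAME created"
  exit 1
fi

if oc apply -f <(oc process -f "$SCRIPT_DIR/resources/helm/project_tiller_role.yaml" -p "TILLER_NAMESPACE=$TILLER_PROJECT" -p "PROJECT=$DEPLOYMENT_NAME") -n "$DEPLOYMENT_NAME" > /dev/null; then
  pass "tiller sa given permissions to $DEPLOYMENT_NAME project"
else
  fail "tiller sa given permissions to $DEPLOYMENT_NAME project"
  exit 1
fi

# # create github secret
if [ -z "$GH_USER" ] || [ -z "$GH_PAT" ]; then
  echo -n "Enter GitHub User: "
  read -r GH_USER

  echo -n "Enter GitHub Personal Access Token: "
  read -rs GH_PAT
  echo
fi

# The credentials are fed through process substitution (printf is a shell builtin)
# rather than --from-literal, so the token is not part of any command line that
# other local users could read from the process list.
if oc create secret generic github \
     --from-file=username=<(printf '%s' "$GH_USER") \
     --from-file=password=<(printf '%s' "$GH_PAT") \
     -n "$DEPLOYMENT_NAME" > /dev/null; then
  pass "secret github created"
else
  fail "secret github created"
fi

# Same reasoning for helm: the credentials go into a private temporary values file
# (mktemp creates it readable by the owner only) instead of --set arguments. Values
# are written as single-quoted YAML scalars with embedded quotes doubled.
# The values still become part of the release information Tiller stores in the
# -tiller project, so access to that project is access to the token.
SQ="'"
GH_VALUES_FILE="$(mktemp)" || exit 1
trap 'rm -f "$GH_VALUES_FILE"' EXIT
cat > "$GH_VALUES_FILE" <<EOF
jenkins:
  credentials:
    github:
      id: github
      username: '${GH_USER//$SQ/$SQ$SQ}'
      password: '${GH_PAT//$SQ/$SQ$SQ}'
EOF
HELM_OPTIONS=(-f "$GH_VALUES_FILE")

# give jenkins sa required permissions
# NOTE(review): "privileged" lets pods running as the jenkins service account run
# privileged containers; anyone able to define a job on those agents inherits that.
if oc adm policy add-scc-to-user privileged -z jenkins -n "$DEPLOYMENT_NAME" > /dev/null; then
  pass "make jenkins sa privileged"
else
  fail "make jenkins sa privileged"
fi

# NOTE(review): this is a cluster-wide role binding, not one limited to the project.
if oc adm policy add-cluster-role-to-user system:image-builder "system:serviceaccount:$DEPLOYMENT_NAME:jenkins" > /dev/null; then
  pass "make jenkins sa image-pusher"
else
  fail "make jenkins sa image-pusher"
fi

# install SDP chart
title "Helm Install"

# explicit -j/-s values win; -a only fills in the ones left empty
if [ -z "$JENKINS_SUBDOMAIN" ] && [ "$GENERATE_SUBDOMAINS" = "1" ]; then
  JENKINS_SUBDOMAIN="jenkins-$DEPLOYMENT_NAME"
fi
if [ -n "$JENKINS_SUBDOMAIN" ]; then
  HELM_OPTIONS+=(--set "jenkins.subdomain=$JENKINS_SUBDOMAIN")
fi

if [ -z "$SONARQUBE_SUBDOMAIN" ] && [ "$GENERATE_SUBDOMAINS" = "1" ]; then
  SONARQUBE_SUBDOMAIN="sonarqube-$DEPLOYMENT_NAME"
fi
if [ -n "$SONARQUBE_SUBDOMAIN" ]; then
  HELM_OPTIONS+=(--set "sonarqube.subdomain=$SONARQUBE_SUBDOMAIN")
fi

if helm install "$SCRIPT_DIR" -n "$DEPLOYMENT_NAME" --tiller-namespace "$TILLER_PROJECT" "${HELM_OPTIONS[@]}"; then
  pass "Solutions Delivery Platform Installed"
else
  fail "Solutions Delivery Platform Install Failed"
  # report the failure to whatever invoked the installer
  exit 1
fi

-------------------------------------------------------------------------------- /requirements.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl 3 | 4 | dependencies: 5 | - name: jenkins 6 | - name: sonarqube 7 | condition: sonarqube.enabled 8 | - name: selenium 9 | condition: selenium.enabled 10 | -------------------------------------------------------------------------------- /resources/helm/README.md: -------------------------------------------------------------------------------- 1 | 5 | 6 | # Deploying Helm For Multitenancy on OpenShift 7 | 8 | ## Overview 9 | To enable a multitenant OpenShift cluster, each organization must have its own tiller server. 10 | 11 | The steps below will assume we're creating an instance of tiller for an org called cameo 12 | 13 | ## Steps 14 | 1. Create the tiller namespace 15 | ~~~ 16 | oc new-project tiller 17 | ~~~ 18 | 19 | 2. Create a service account for tiller to use 20 | ~~~ 21 | oc create serviceaccount tiller 22 | ~~~ 23 | 24 | 3. Deploy tiller to the namespace using the serviceaccount 25 | ~~~ 26 | helm init --tiller-namespace tiller --service-account tiller 27 | ~~~ 28 | 29 | 4. 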
Give tiller service account permissions to create configmaps in the project and list namespaces 30 | ~~~ 31 | oc apply -f <(oc process -f tiller_role.yaml -p TILLER_NAMESPACE=tiller) -n tiller 32 | ~~~ 33 | 34 | 5. Authorize tiller to deploy to projects: cameo-dev, cameo-prod 35 | ~~~ 36 | oc apply -f <(oc process -f project_tiller_role.yaml -p TILLER_NAMESPACE=tiller -p PROJECT=sdp) -n sdp 37 | oc apply -f <(oc process -f project_tiller_role.yaml -p TILLER_NAMESPACE=tiller -p PROJECT=my-project) -n my-project 38 | ~~~ 39 | -------------------------------------------------------------------------------- /resources/helm/project_tiller_role.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl 3 | 4 | apiVersion: v1 5 | kind: Template 6 | metadata: 7 | name: tiller-project-role 8 | annotations: 9 | description: "RBAC required for helm to deploy to a project" 10 | objects: 11 | 12 | # lets tiller deploy resources to $PROJECT 13 | - kind: Role 14 | apiVersion: v1 15 | metadata: 16 | name: tiller-manager 17 | namespace: ${PROJECT} 18 | rules: 19 | - apiGroups: 20 | - '*' 21 | resources: 22 | - '*' 23 | verbs: 24 | - '*' 25 | 26 | - kind: RoleBinding 27 | apiVersion: v1 28 | metadata: 29 | name: tiller-manager 30 | namespace: ${PROJECT} 31 | roleRef: 32 | name: tiller-manager 33 | namespace: ${PROJECT} 34 | subjects: 35 | - kind: ServiceAccount 36 | name: tiller 37 | namespace: ${TILLER_NAMESPACE} 38 | userNames: 39 | - system:serviceaccount:${TILLER_NAMESPACE}:tiller 40 | 41 | parameters: 42 | - name: TILLER_NAMESPACE 43 | description: "the tiller namespace" 44 | - name: PROJECT 45 | description: "the project tiller should be able to deploy to" 46 | 47 | 
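--------------------------------------------------------------------------------
/resources/helm/provision_app_envs.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
#This software package is licensed under the Booz Allen Public License. The license can be found here: http://boozallen.github.io/licenses/bapl

# Provisions one tenant on OpenShift: a <prefix>-tiller project with a Tiller
# server, an image project, and one <prefix>-<env> project per -e option. Tiller is
# allowed to deploy into each environment project, and each environment's default
# service account may pull from the image project.

# Constants
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# Project names are DNS labels; checking the inputs first means a bad value stops
# the run before any project has been created.
DNS_LABEL_RE='^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'

# Helper Methods:
# The message is an argument to a fixed format, never the format itself, so a "%"
# or backslash inside a name is printed literally.
pass(){
  printf '\xE2\x9C\x94 %s \n' "$1"
}
fail(){
  printf '\xE2\x9C\x97 %s \n\n' "$1"
}

# title TEXT: print TEXT inside a box of dashes.
title(){
  local border
  border="$(printf '%*s' "$(( ${#1} + 4 ))" '' | tr ' ' '-')"
  printf '%s\n' "$border"
  echo "| $1 |"
  printf '%s\n' "$border"
}

# require_label DESCRIPTION VALUE: exit 1 unless VALUE is a valid DNS label.
require_label(){
  if ! [[ "$2" =~ $DNS_LABEL_RE ]]; then
    echo "$1 must consist of lowercase letters, digits and '-': $2"
    echo "see -h for help"
    exit 1
  fi
}


# parsing input arguments
while getopts "hp:e:i:" OPT; do
  case "$OPT" in
    p)
      if [ -z ${PREFIX+x} ]; then
        PREFIX="${OPTARG}"
      else
        echo "tenant prefix (-p) can only be used once."
        echo "see -h for help"
        exit 1
      fi
      ;;
    e)
      ENVS+=("${OPTARG}")
      ;;
    i)
      if [ -z ${IMAGE_PROJECT+x} ]; then
        IMAGE_PROJECT="${OPTARG}"
      else
        echo "image project (-i) can only be used once."
        echo "see -h for help"
        exit 1
      fi
      ;;
    \?|h)
      echo "script usage: "
      echo " -p | set's the tenant prefix. "
      echo " -e | define an app env. can be used multiple times."
      echo " -i | defines the project images will be pushed to."
      echo ""
      echo "example: "
      echo " ./provision_app_envs.sh -p rhs -e dev -e test -e staging -e prod -i red-hat-summit"
      echo ""
      echo "this example would create the following projects: "
      echo " 1) rhs-tiller | tiller server for this tenant"
      echo " 2) red-hat-summit | project for storing pushed images"
      echo " 3) rhs-dev | dev app environment "
      echo " 4) rhs-test | test app environment"
      echo " 5) rhs-staging | staging app environment"
      echo " 6) rhs-prod | prod app environment"
      echo "where: "
      echo " 1) rhs-{dev,test,staging} can pull images from red-hat-summit"
      echo " 2) rhs-tiller can deploy resources to rhs-{dev,test,staging}"
      exit 1
      ;;
  esac
done

if [ -z ${PREFIX+x} ]; then
  echo "you must set the tenant prefix"
  exit 1
fi

if [ -z ${ENVS+x} ]; then
  echo "you must set at least one application environment"
  exit 1
fi

if [ -z ${IMAGE_PROJECT+x} ]; then
  echo "you must set the image project"
  exit 1
fi

require_label "tenant prefix (-p)" "$PREFIX"
require_label "image project (-i)" "$IMAGE_PROJECT"
for APP_ENV in "${ENVS[@]}"; do
  require_label "app env (-e)" "$APP_ENV"
done

TILLER_PROJECT="$PREFIX-tiller"

# -----------------------------
title "Validate Requirements"

# validate oc is installed
if command -v oc &> /dev/null; then
  pass "oc installed"
else
  fail "oc installed"
  echo "OpenShift CLI required"
  echo "See: https://docs.openshift.com/container-platform/latest/cli_reference/get_started_cli.html"
  echo "for installation instructions"
  exit 1
fi

# validate user is logged into OpenShift
if oc version | grep Server &> /dev/null; then
  pass "logged in with oc"
else
  fail "logged in with oc"
  echo "You must be logged in with the OpenShift CLI"
  echo "Please run the oc login command from the OpenShift Web Console."
  exit 1
fi

# validate helm is installed
if command -v helm &> /dev/null; then
  pass "helm installed"
else
  fail "helm installed"
  echo "Helm CLI required"
  echo "See: https://docs.helm.sh/using_helm/#install-helm"
  echo "for installation instructions"
  exit 1
fi

# Install tiller server
title "Install Tiller"

# create tiller project
if oc new-project "$TILLER_PROJECT" > /dev/null; then
  pass "created project $TILLER_PROJECT"
else
  fail "created project $TILLER_PROJECT"
  exit 1
fi

# create sdp-tiller service account
if oc create serviceaccount tiller -n "$TILLER_PROJECT" > /dev/null; then
  pass "service account tiller created"
else
  fail "service account tiller created"
  exit 1
fi

# install tiller
if helm init --tiller-namespace "$TILLER_PROJECT" --service-account tiller --wait > /dev/null; then
  pass "tiller installed in $TILLER_PROJECT"
else
  fail "tiller installed in $TILLER_PROJECT"
  exit 1
fi

# give tiller sa permissions
if oc apply -f <(oc process -f "$SCRIPT_DIR/tiller_role.yaml" -p "TILLER_NAMESPACE=$TILLER_PROJECT") -n "$TILLER_PROJECT" > /dev/null; then
  pass "tiller sa given permissions to $TILLER_PROJECT"
else
  fail "tiller sa given permissions to $TILLER_PROJECT"
  exit 1
fi

# create project where images will be stored
title "Create Image Repository Project"

if oc new-project "$IMAGE_PROJECT" > /dev/null; then
  pass "created project $IMAGE_PROJECT"
else
  fail "created project $IMAGE_PROJECT"
  exit 1
fi

# create application environments
title "Create Application Environment Projects"
for APP_ENV in "${ENVS[@]}"; do
  ENV_PROJECT="$PREFIX-$APP_ENV"

  # create app env project
  if oc new-project "$ENV_PROJECT" > /dev/null; then
    pass "created app env: $ENV_PROJECT"
  else
    fail "created app env: $ENV_PROJECT"
    exit 1
  fi

  # let tiller deploy to app env
  if oc apply -f <(oc process -f "$SCRIPT_DIR/project_tiller_role.yaml" -p "TILLER_NAMESPACE=$TILLER_PROJECT" -p "PROJECT=$ENV_PROJECT") -n "$ENV_PROJECT" > /dev/null; then
    pass "$TILLER_PROJECT sa given permissions to manage $ENV_PROJECT"
  else
    fail "$TILLER_PROJECT sa given permissions to manage $ENV_PROJECT"
    exit 1
  fi

  # let project pull images from $IMAGE_PROJECT
  if oc policy add-role-to-user system:image-puller "system:serviceaccount:$ENV_PROJECT:default" -n "$IMAGE_PROJECT" > /dev/null; then
    pass "let $ENV_PROJECT pull images from $IMAGE_PROJECT"
  else
    fail "let $ENV_PROJECT pull images from $IMAGE_PROJECT"
    exit 1
  fi

done

-------------------------------------------------------------------------------- /resources/helm/tiller_role.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. 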
# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# OpenShift Template, processed with TILLER_NAMESPACE, that creates a Role and a
# RoleBinding for the "tiller" service account inside the Tiller namespace itself.
apiVersion: v1
kind: Template
metadata:
  name: tiller-roles
  annotations:
    description: "RBAC required for helm"
objects:

# lets tiller store release information in configmaps
# NOTE(review): the rule below is wider than that purpose: it allows every verb on
# every resource of the core API group in this namespace, which includes secrets and
# service accounts. If release storage is all Tiller needs here, listing only
# "configmaps" under resources would match the stated intent - confirm against a
# test install before narrowing.
- kind: Role
  apiVersion: v1
  metadata:
    name: tiller-manager
    namespace: ${TILLER_NAMESPACE}
  rules:
  - apiGroups:
    - ""
    attributeRestrictions: null
    resources:
    - "*"
    verbs:
    - "*"

# binds the role above to the tiller service account of the same namespace
- kind: RoleBinding
  apiVersion: v1
  metadata:
    name: tiller-manager
    namespace: ${TILLER_NAMESPACE}
  roleRef:
    name: tiller-manager
    namespace: ${TILLER_NAMESPACE}
  subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: ${TILLER_NAMESPACE}
  userNames:
  - system:serviceaccount:${TILLER_NAMESPACE}:tiller

parameters:
- name: TILLER_NAMESPACE
  description: "the tiller namespace"
-------------------------------------------------------------------------------- /resources/jenkins-agent/Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. 
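# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Jenkins swarm agent image that carries its own Docker daemon; supervisord starts
# both the daemon and the agent (see supervisord.conf).
# NOTE(review): the base tag and the apk/pip packages are not pinned, so a rebuild can
# silently pick up different contents; pin versions or a digest where builds must be
# reproducible.
FROM docker:dind

ENV JENKINS_SWARM_VERSION=3.9
ENV JNLP_SLAVE_VERSION=3.9
ENV HOME=/root
ENV JAVA_HOME=/usr/lib/jvm/java

RUN mkdir -p /opt/jenkins-slave/bin ${HOME} && \
    apk add --no-cache curl openjdk8 git device-mapper openssl-dev build-base nss && \
    # install docker-compose
    apk add --no-cache py-pip curl supervisor libffi-dev python-dev && \
    pip install docker-compose && \
    # set PID max to 99999
    # bc of docker bug w/ 6 character pid
    echo "kernel.pid_max=99999" >> /etc/sysctl.d/00-alpine.conf

# Copy script
COPY jenkins-agent.sh /opt/jenkins-slave/bin/jenkins-slave
# 755 instead of 777: the launcher is started by supervisord, so it must be readable
# and executable but nothing needs to rewrite it at run time.
RUN chmod 755 /opt/jenkins-slave/bin/jenkins-slave && \
    # Download the swarm client and remoting jars over HTTPS; --fail makes an HTTP
    # error abort the build instead of saving the error page as a .jar.
    # NOTE(review): the jars are still not integrity-checked; compare each against a
    # pinned digest (placeholder: <SHA256_OF_JAR>) before it is used.
    curl --create-dirs -fsSLo /opt/jenkins-slave/bin/swarm-client-$JENKINS_SWARM_VERSION.jar https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/swarm-client/$JENKINS_SWARM_VERSION/swarm-client-$JENKINS_SWARM_VERSION.jar && \
    curl --create-dirs -fsSLo /opt/jenkins-slave/bin/slave.jar https://repo.jenkins-ci.org/public/org/jenkins-ci/main/remoting/$JNLP_SLAVE_VERSION/remoting-$JNLP_SLAVE_VERSION.jar

COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf

ENTRYPOINT ["/bin/sh", "-c"]
CMD ["/usr/bin/supervisord --configuration /etc/supervisor/conf.d/supervisord.conf"]
-------------------------------------------------------------------------------- /resources/jenkins-agent/README.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /resources/jenkins-agent/jenkins-agent.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright © 2018 Booz Allen 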
# Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Temporary way to login to docker registry
# oc whoami -t | docker login docker-registry.default.svc:5000 -u $REGISTRY_USERNAME --password-stdin

# jenkins swarm slave
# Picks the last swarm-client jar that ls lists and replaces this shell with the
# Java client, configured from JENKINS_URL, JENKINS_TUNNEL, JENKINS_USERNAME,
# JENKINS_PASSWORD and EXECUTORS; extra script arguments are appended.
JAR=`ls -1 /opt/jenkins-slave/bin/swarm-client-*.jar | tail -n 1`
# NOTE(review): -password places the Jenkins password on the java command line, where
# any process in the container can read it from the process list. The swarm client
# also offers -passwordEnvVariable; confirm the version shipped in this image has it
# and prefer it.
# PARAMS is expanded unquoted below, so a value containing whitespace splits into
# several arguments.
PARAMS="-master $JENKINS_URL -tunnel $JENKINS_TUNNEL -username ${JENKINS_USERNAME} -password ${JENKINS_PASSWORD} -executors ${EXECUTORS} -name $(hostname)"
exec java $JAVA_OPTS -jar $JAR -fsroot $HOME $PARAMS "$@"
--------------------------------------------------------------------------------
/resources/jenkins-agent/supervisord.conf:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found here: http://boozallen.github.io/licenses/bapl

# Runs the Docker daemon and the Jenkins agent in the foreground under supervisord,
# sending both programs' output to the container's stdout/stderr.
[supervisord]
nodaemon=true

# NOTE(review): --host=tcp://0.0.0.0:2375 serves the Docker API on every interface
# with no TLS and no authentication, so whoever can reach that port controls the
# daemon. If only processes in this pod use it, bind to 127.0.0.1 or drop the TCP
# listener and use the unix socket; otherwise enable TLS client verification.
# --insecure-registry turns off TLS verification for the internal registry.
[program:docker]
command=dockerd --host=unix:///var/run/docker.sock --host=tcp://0.0.0.0:2375 --insecure-registry docker-registry.default.svc:5000
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0

[program:jenkins-agent]
command=sh /opt/jenkins-slave/bin/jenkins-slave
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
-------------------------------------------------------------------------------- /resources/jenkins-master/Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. 
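# The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Jenkins master image: adds the oc client, the plugins listed in plugins.txt, an
# init Groovy script and the entry point scripts, then opens JENKINS_HOME to group 0.
FROM jenkins/jenkins:2.164.2

# The setup wizard is disabled, so the first-run unlock step never happens; access
# control then depends on what configure.groovy sets up at start.
ENV JAVA_OPTS="-Djenkins.install.runSetupWizard=false"
ENV JTE_RELEASE="v0.1-alpha"

EXPOSE 8080
EXPOSE 50000

# NOTE(review): the image never switches back from root; unless the platform assigns
# another UID at run time, Jenkins runs as root inside the container.
USER root

# install oc client
# NOTE(review): the archive is downloaded without an integrity check; verify it
# against the digest published for this release (placeholder:
# <SHA256_OF_RELEASE_ARCHIVE>) before unpacking.
RUN mkdir -p /tmp/oc-client && cd /tmp/oc-client && \
    wget -O oc-client.tar.gz https://github.com/openshift/origin/releases/download/v3.6.1/openshift-origin-client-tools-v3.6.1-008f2d5-linux-64bit.tar.gz && \
    tar -xvf oc-client.tar.gz && \
    mv */oc /usr/bin/oc && \
    # leave no download leftovers in the layer
    cd / && rm -rf /tmp/oc-client

# install plugins
COPY resources/plugins/plugins.txt /usr/share/jenkins/ref/plugins.txt
RUN /usr/local/bin/install-plugins.sh < /usr/share/jenkins/ref/plugins.txt

# insert configuration script
COPY resources/scripts/configure.groovy /var/jenkins_home/init.groovy.d/configure.groovy
# 755 instead of 777: init scripts run inside Jenkins at start-up, so they must not
# be writable by every user in the container. Group access for OpenShift is granted
# by the chmod g=u step at the end.
RUN chmod 755 /var/jenkins_home/init.groovy.d/*

# copy in entry point scripts
COPY resources/scripts/jenkins-preboot.sh /usr/local/bin/jenkins_preboot
COPY resources/scripts/jenkins.sh /usr/local/bin/jenkins.sh
# executable for everyone, writable by the owner only
RUN chmod 755 /usr/local/bin/jenkins_preboot /usr/local/bin/jenkins.sh

# modify permissions for OpenShift
# g=u gives group 0 the owner's permissions so an arbitrary UID in that group can
# use JENKINS_HOME. It is applied to /etc/passwd as well, which makes the account
# database writable by every process in group 0.
RUN chgrp -R 0 $JENKINS_HOME && \
    chmod -R g=u $JENKINS_HOME /etc/passwd
-------------------------------------------------------------------------------- /resources/jenkins-master/README.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /resources/jenkins-master/resources/plugins/plugins.txt: -------------------------------------------------------------------------------- 1 | ace-editor:1.1 2 | analysis-core:1.96 3 | ant:1.9 4 | antisamy-markup-formatter:1.5 5 | apache-httpcomponents-client-4-api:4.5.5-3.0 6 | artifactory:3.2.2 7 | 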
authentication-tokens:1.3 8 | blueocean:1.16.0 9 | blueocean-autofavorite:1.2.4 10 | blueocean-bitbucket-pipeline:1.16.0 11 | blueocean-commons:1.16.0 12 | blueocean-config:1.16.0 13 | blueocean-core-js:1.16.0 14 | blueocean-dashboard:1.16.0 15 | blueocean-display-url:2.3.0 16 | blueocean-events:1.16.0 17 | blueocean-executor-info:1.16.0 18 | blueocean-git-pipeline:1.16.0 19 | blueocean-github-pipeline:1.16.0 20 | blueocean-i18n:1.16.0 21 | blueocean-jira:1.16.0 22 | blueocean-jwt:1.16.0 23 | blueocean-personalization:1.16.0 24 | blueocean-pipeline-api-impl:1.16.0 25 | blueocean-pipeline-editor:1.16.0 26 | blueocean-pipeline-scm-api:1.16.0 27 | blueocean-rest:1.16.0 28 | blueocean-rest-impl:1.16.0 29 | blueocean-web:1.16.0 30 | bouncycastle-api:2.17 31 | branch-api:2.5.2 32 | build-timeout:1.19 33 | cloudbees-bitbucket-branch-source:2.4.4 34 | cloudbees-folder:6.8 35 | command-launcher:1.3 36 | config-file-provider:3.6 37 | credentials:2.1.19 38 | credentials-binding:1.18 39 | dependency-check-jenkins-plugin:4.0.2 40 | dependency-track:2.1.0 41 | display-url-api:2.3.1 42 | docker-commons:1.15 43 | docker-workflow:1.18 44 | durable-task:1.29 45 | email-ext:2.66 46 | favorite:2.3.2 47 | filesystem_scm:2.1 48 | git:3.10.0 49 | git-client:2.7.7 50 | git-server:1.7 51 | github:1.29.4 52 | github-api:1.95 53 | github-branch-source:2.5.3 54 | gradle:1.32 55 | handlebars:1.1.1 56 | handy-uri-templates-2-api:2.1.7-1.0 57 | htmlpublisher:1.18 58 | ivy:2.1 59 | jackson2-api:2.9.9 60 | javadoc:1.5 61 | jdk-tool:1.2 62 | jenkins-design-language:1.16.0 63 | jira:3.0.7 64 | job-dsl:1.74 65 | jquery:1.12.4-0 66 | jquery-detached:1.2.1 67 | jsch:0.1.55 68 | junit:1.28 69 | kubernetes-credentials:0.4.0 70 | ldap:1.20 71 | lockable-resources:2.5 72 | mailer:1.23 73 | mapdb-api:1.0.9.0 74 | matrix-auth:2.4.2 75 | matrix-project:1.14 76 | maven-plugin:3.2 77 | mercurial:2.6 78 | momentjs:1.1.1 79 | openshift-client:1.0.30 80 | openshift-login:1.0.17 81 | pam-auth:1.5.1 82 | 
pipeline-build-step:2.9 83 | pipeline-github-lib:1.0 84 | pipeline-graph-analysis:1.10 85 | pipeline-input-step:2.10 86 | pipeline-milestone-step:1.3.1 87 | pipeline-model-api:1.3.8 88 | pipeline-model-declarative-agent:1.1.1 89 | pipeline-model-definition:1.3.8 90 | pipeline-model-extensions:1.3.8 91 | pipeline-rest-api:2.11 92 | pipeline-stage-step:2.3 93 | pipeline-stage-tags-metadata:1.3.8 94 | pipeline-stage-view:2.11 95 | pipeline-utility-steps:2.3.0 96 | plain-credentials:1.5 97 | pubsub-light:1.12 98 | resource-disposer:0.12 99 | scm-api:2.4.1 100 | script-security:1.59 101 | sonar:2.9 102 | sse-gateway:1.17 103 | ssh-credentials:1.16 104 | ssh-slaves:1.29.4 105 | structs:1.19 106 | subversion:2.12.1 107 | swarm:3.16 108 | templating-engine:1.1.1 109 | timestamper:1.9 110 | token-macro:2.7 111 | variant:1.2 112 | windows-slaves:1.4 113 | workflow-aggregator:2.6 114 | workflow-api:2.34 115 | workflow-basic-steps:2.16 116 | workflow-cps:2.68 117 | workflow-cps-global-lib:2.13 118 | workflow-durable-task-step:2.30 119 | workflow-job:2.32 120 | workflow-multibranch:2.21 121 | workflow-remote-loader:1.4 122 | workflow-scm-step:2.7 123 | workflow-step-api:2.19 124 | workflow-support:3.3 125 | ws-cleanup:0.37 -------------------------------------------------------------------------------- /resources/jenkins-master/resources/scripts/configure.groovy: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 3 | This software package is licensed under the Booz Allen Public License. 
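The license can be found in the License file or at http://boozallen.github.io/licenses/bapl
*/

// Startup configuration script for the Jenkins master (the Dockerfile on this page copies it
// into init.groovy.d). It sets executors and the agent port, and on OpenShift it also creates
// an admin service account, stores its API token in an OpenShift secret, applies matrix
// authorization and the OpenShift OAuth realm, and registers service-account credentials.
// It finishes with a set of hardening settings.

import jenkins.*
import hudson.*
import hudson.util.Secret
import hudson.model.*
import jenkins.model.*
import hudson.security.*
import jenkins.security.*
import com.cloudbees.plugins.credentials.*
import com.cloudbees.plugins.credentials.impl.*
import com.cloudbees.plugins.credentials.common.*
import com.cloudbees.plugins.credentials.domains.*
import com.cloudbees.jenkins.plugins.sshcredentials.impl.*
import com.cloudbees.plugins.credentials.CredentialsProvider
import hudson.plugins.sshslaves.*
import org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
import com.openshift.jenkins.plugins.OpenShiftTokenCredentials
import com.openshift.jenkins.plugins.ClusterConfig
import groovy.io.FileType
import javaposse.jobdsl.dsl.DslScriptLoader
import javaposse.jobdsl.plugin.JenkinsJobManagement
import java.util.logging.Logger
import org.jenkinsci.plugins.github_branch_source.GitHubConfiguration
import org.jenkinsci.plugins.github_branch_source.Endpoint

// for shared libraries
import org.jenkinsci.plugins.workflow.libs.GlobalLibraries
import org.jenkinsci.plugins.workflow.libs.LibraryConfiguration
import org.jenkinsci.plugins.workflow.libs.SCMSourceRetriever
import org.jenkinsci.plugins.workflow.libs.SCMRetriever
import org.jenkinsci.plugins.github_branch_source.GitHubSCMSource
import hudson.plugins.filesystem_scm.FSSCM

// for security
import jenkins.security.s2m.AdminWhitelistRule
import hudson.security.csrf.DefaultCrumbIssuer
import org.jenkinsci.plugins.configfiles.groovy.GroovyScript
import org.jenkinsci.plugins.configfiles.GlobalConfigFiles
import org.jenkinsci.plugins.scriptsecurity.scripts.languages.GroovyLanguage
import jenkins.model.JenkinsLocationConfiguration
import org.jenkinsci.plugins.workflow.flow.FlowDurabilityHint

//for sonar installation
import hudson.plugins.sonar.SonarInstallation
import hudson.plugins.sonar.SonarRunnerInstallation
import hudson.plugins.sonar.SonarRunnerInstaller
import hudson.plugins.sonar.model.TriggersConfig
import hudson.tools.InstallSourceProperty


//////////////////////
// Define Constants //
//////////////////////

// Any non-empty OPENSHIFT environment variable switches on the OpenShift-specific setup.
Boolean on_openshift = System.getenv("OPENSHIFT") ? true : false

def project_name, jenkins_secret
if (on_openshift){
  // The third ":"-separated field of `oc whoami` is used as the project name
  // (presumably system:serviceaccount:<project>:<name> -- TODO confirm).
  whoami = "oc whoami".execute()
  whoami.waitFor()
  project_name = whoami.text.split(":").getAt(2)

  jenkins_secret = "jenkins-access"
}

////////////////

def logger = Logger.getLogger("")
log = { message ->
  logger.info("${message}..")
}

log "found project to be: ${project_name}"

def jenkins = Jenkins.getInstance()

// master executors: none on OpenShift (builds run on agents), two otherwise
def num_master_executors = 0
if (!on_openshift){ num_master_executors = 2 }
log "Setting master executors to ${num_master_executors}"
jenkins.setNumExecutors(num_master_executors)
jenkins.save()

// slave agent port
log "Setting agent port to 50000"
jenkins.setSlaveAgentPort(50000)
jenkins.save()

// durability set to performance optimized
durability = jenkins.getDescriptor("org.jenkinsci.plugins.workflow.flow.GlobalDefaultFlowDurabilityLevel")
durability.setDurabilityHint(FlowDurabilityHint.PERFORMANCE_OPTIMIZED)
jenkins.save()

// set jenkins url
if (on_openshift){
  log "setting Jenkins URL"
  // String.execute() does not go through a shell, so the previous command string
  // ("oc get route jenkins | tail -n +2 | '{print $2}'") passed "|" and everything after it
  // to oc as plain arguments. Ask oc for the route host directly instead.
  route = ["oc", "get", "route", "jenkins", "-o", "jsonpath={.spec.host}"].execute()
  route.waitFor()
  url = route.text.trim()
  // NOTE(review): this is the bare route host; confirm whether a scheme (e.g. https://)
  // should be prepended before it is stored as the Jenkins URL.
  jlc = JenkinsLocationConfiguration.get()
  jlc.setUrl(url)
  jlc.save()


  // create dummy admin user for connection agents
  log "Creating admin service account: jenkins-admin"
  jenkins_dummy_user = "jenkins-admin"
  def user = hudson.model.User.get(jenkins_dummy_user)
  user.setFullName("Jenkins Administrator")
  // The password protects an account that is granted ADMINISTER below, so draw it from a
  // cryptographic RNG rather than java.util.Random.
  def rng = new java.security.SecureRandom()
  dummy_pass = (1..20).collect{ ("a".."z").getAt(rng.nextInt(26)) }.join()
  user.addProperty(hudson.security.HudsonPrivateSecurityRealm.Details.fromPlainPassword(dummy_pass))

  // create dummy admin user api token and create openshift secret
  ApiTokenProperty t = user.getProperty(ApiTokenProperty.class)
  def tokenUuidAndPlainValue = t.tokenStore.generateNewToken('jenkins-access')
  def token = tokenUuidAndPlainValue.plainValue
  user.save()

  log "Creating OpenShift secret ${jenkins_secret} with admin service account API token"

  // Argument lists are used so that nothing depends on shell parsing; --ignore-not-found
  // replaces the "|| true" that was never interpreted by a shell.
  def proc1 = ["oc", "delete", "secret", jenkins_secret, "--ignore-not-found"].execute()
  proc1.waitFor()
  log proc1.text

  // NOTE(review): the admin API token is passed as a command-line argument and is therefore
  // visible in the process list while oc runs; anyone who can read this secret in the project
  // holds Jenkins ADMINISTER rights.
  def proc2 = [
    "oc", "create", "secret", "generic", jenkins_secret,
    "--from-literal=username=${jenkins_dummy_user}",
    "--from-literal=token=${token}"
  ].execute()
  proc2.waitFor()
  log proc2.text

  // create security matrix
  log "Creating authorization strategy to Global Matrix Authorization"
  GlobalMatrixAuthorizationStrategy newAuthMgr = new GlobalMatrixAuthorizationStrategy()

  // set default authenticated user permissions
  log "Setting default permissions for authenticated user"
  [
    Hudson.READ,
    Item.READ,
    Item.DISCOVER,
    CredentialsProvider.VIEW
  ].each{ permission ->
    log " - ${permission}"
    newAuthMgr.add(permission, "authenticated");
  }

  // give dummy admin user ability to configure agents
  // NOTE(review): Jenkins.ADMINISTER already implies the Computer.* permissions listed after it;
  // confirm whether full administer rights are needed for an agent-connection account.
  log "Giving permissions to jenkins admin service account"
  [
    Jenkins.ADMINISTER,
    hudson.model.Computer.BUILD,
    hudson.model.Computer.CONFIGURE,
    hudson.model.Computer.CONNECT,
    hudson.model.Computer.CREATE,
    hudson.model.Computer.DELETE,
    hudson.model.Computer.DISCONNECT,
    hudson.model.Computer.EXTENDED_READ
  ].each{ permission ->
    log " - ${permission}"
    newAuthMgr.add(permission, jenkins_dummy_user)
  }

  // apply matrix auth
  log "Applying Global Matrix Authorization Strategy"
  jenkins.setAuthorizationStrategy(newAuthMgr)
  jenkins.save()

  // add openshift oauth realm
  log "Setting Security Realm to: OpenShiftOAuth2SecurityRealm"
  def secRealm = new OpenShiftOAuth2SecurityRealm(null, null, null, null, null, null);
  jenkins.setSecurityRealm(secRealm)
  jenkins.save()

  // create openshift clusters
  // The service-account token is stored twice, both at GLOBAL scope: once as an OpenShift
  // token credential and once as the password of a registry username/password credential.
  log "Creating OpenShift Service Account Secret in Jenkins Credential Store"
  def get_sa_token = "oc whoami -t".execute()
  get_sa_token.waitFor()
  sa_token = get_sa_token.text.trim()
  def cred_obj_1 = new OpenShiftTokenCredentials(
    CredentialsScope.GLOBAL,
    "openshift-service-account",
    "OCP Jenkins Service Account API Token",
    Secret.fromString(sa_token)
  )
  SystemCredentialsProvider.getInstance().getStore().addCredentials(Domain.global(), cred_obj_1)

  log "Creating Openshift Docker Registry Secret in Jenkins Credential Store"
  def cred_obj_2 = (Credentials) new UsernamePasswordCredentialsImpl(
    CredentialsScope.GLOBAL,
    "openshift-docker-registry",
    "openshift-docker-registry",
    "service",
    sa_token
  )
  SystemCredentialsProvider.getInstance().getStore().addCredentials(Domain.global(), cred_obj_2)


}

// optimize agents disconnecting post termination
log "Configuring optmized agent pod deregistration settings"
jenkins.injector.getInstance(hudson.slaves.ChannelPinger.class).@pingIntervalSeconds = 1
jenkins.injector.getInstance(hudson.slaves.ChannelPinger.class).@pingTimeoutSeconds = 10

// additional security settings
// Kill switch off = the agent-to-master access control rules are enforced.
log "Turning on Agent -> Master Control"
jenkins.injector.getInstance(AdminWhitelistRule.class).setMasterKillSwitch(false)

// The local variable `jenkins` shadows the package of the same name, so the class is
// referenced through the existing `import jenkins.*` instead of as jenkins.CLI.
log "Disabling CLI Over Remoting"
CLI.get().setEnabled(false)

log "Enabling CSRF Protection"
jenkins.setCrumbIssuer(new DefaultCrumbIssuer(true))
jenkins.save()

// Enable only the listed agent protocols. The previous loop removed entries from the
// protocol list while iterating over it; setting the allowed set is the supported way.
log "Removing Deprecated Protocols"
jenkins.setAgentProtocols([ "Ping", "JNLP4-connect" ] as Set)
jenkins.save()

--------------------------------------------------------------------------------
/resources/jenkins-master/resources/scripts/jenkins-preboot.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Install the JTE Plugin
# cp /usr/share/jenkins/ref/jte.jpi $JENKINS_HOME/plugins

--------------------------------------------------------------------------------
/resources/jenkins-master/resources/scripts/jenkins.sh:
--------------------------------------------------------------------------------
#! /bin/bash -e

# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

: "${JENKINS_WAR:="/usr/share/jenkins/jenkins.war"}"
: "${JENKINS_HOME:="/var/jenkins_home"}"
touch "${COPY_REFERENCE_FILE_LOG}" || { echo "Can not write to ${COPY_REFERENCE_FILE_LOG}.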
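Wrong volume permissions?"; exit 1; }
echo "--- Copying files at $(date)" >> "$COPY_REFERENCE_FILE_LOG"
# Copy every reference file/symlink into place using the helper from jenkins-support.
find /usr/share/jenkins/ref/ \( -type f -o -type l \) -exec bash -c '. /usr/local/bin/jenkins-support; for arg; do copy_reference_file "$arg"; done' _ {} +

jenkins_preboot


# Jenkins Performance Tuning ##############################
# NOTE(review): this path is read unconditionally and the script runs with -e, so a host
# that does not expose it would stop startup here -- confirm for the target platform.
CONTAINER_MEMORY_IN_BYTES=$(cat /sys/fs/cgroup/memory/memory.limit_in_bytes)
CONTAINER_MEMORY_IN_MB=$((CONTAINER_MEMORY_IN_BYTES/2**20))

# initialize java performance opts
JAVA_PERFORMANCE_OPTS="-Dsun.zip.disableMemoryMapping=true -XX:+UnlockExperimentalVMOptions"

# set heap settings: max heap is 50% of the container memory limit
CONTAINER_HEAP_PERCENT=0.50
CONTAINER_HEAP_MAX=$(echo "${CONTAINER_MEMORY_IN_MB} ${CONTAINER_HEAP_PERCENT}" | awk '{ printf "%d", $1 * $2 }')
JAVA_PERFORMANCE_OPTS="$JAVA_PERFORMANCE_OPTS -Xmx${CONTAINER_HEAP_MAX}m"

# set gc settings
JAVA_GC_OPTS="-server -XX:+AlwaysPreTouch -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+ParallelRefProcEnabled -XX:+UseStringDeduplication -XX:+UnlockDiagnosticVMOptions -XX:G1SummarizeRSetStatsPeriod=1"
JAVA_PERFORMANCE_OPTS="$JAVA_PERFORMANCE_OPTS $JAVA_GC_OPTS"

# allow for multiple Jenkins Opts
jenkins_opts_array=( )
while IFS= read -r -d '' item; do
  jenkins_opts_array+=( "$item" )
done < <([[ $JENKINS_OPTS ]] && xargs printf '%s\0' <<<"$JENKINS_OPTS")

# allow for multiple Java Opts
java_opts_array=()
while IFS= read -r -d '' item; do
  java_opts_array+=( "$item" )
done < <([[ $JAVA_OPTS ]] && xargs printf '%s\0' <<<"$JAVA_OPTS")

# Split the tuning flags into separate words. Passing "$JAVA_PERFORMANCE_OPTS" quoted handed
# java one single argument beginning with -Dsun.zip.disableMemoryMapping=, so the remaining
# flags (including -Xmx) became part of that property's value instead of taking effect.
read -r -a java_performance_opts_array <<<"$JAVA_PERFORMANCE_OPTS"

##########################################################
# NOTE(review): the full command line is echoed to the container log; anything sensitive
# placed in JAVA_OPTS or JENKINS_OPTS ends up there too.
echo java -Duser.home="$JENKINS_HOME" "${java_opts_array[@]}" "${java_performance_opts_array[@]}" -jar "${JENKINS_WAR}" "${jenkins_opts_array[@]}" "$@"
exec java -Duser.home="$JENKINS_HOME" "${java_opts_array[@]}" "${java_performance_opts_array[@]}" -jar "${JENKINS_WAR}" "${jenkins_opts_array[@]}" "$@"

--------------------------------------------------------------------------------
/resources/jenkins-master/resources/scripts/sdp_entrypoint.groovy:
--------------------------------------------------------------------------------
/*
  Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
  This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl
*/

// Pipeline entry point: checks out the repository, stashes it, builds the aggregated
// pipeline configuration, loads libraries and steps, then evaluates the pipeline template
// and runs the configured notifiers.
// NOTE(review): the shared library is loaded from the moving "master" ref, so the code that
// runs here changes whenever that branch does; consider pinning a tag or commit.
@Library("solutions_delivery_platform@master") _

node{
    cleanWs()
    checkout scm
    stash "workspace"
    stash name: "git-info",
          includes: ".git/**",
          useDefaultExcludes: false
    aggregate_pipeline_config()
    pipeline_template = get_pipeline_template()
}

load_libraries this
create_application_environments this
create_stages this
create_jenkinsfile_variables this
create_default_steps this

// execute pipeline
// NOTE(review): evaluate() runs whatever text get_pipeline_template() returned as Groovy;
// where that text comes from, and who can change it, is not visible here -- confirm.
try{
    evaluate pipeline_template
}
catch(ex){
    currentBuild.result = "Failure"
    println ex
}

// notify
pipeline_config().notifiers.each{ notifier ->
    try{
        this.getProperty(notifier)()
    }
    catch(any){
        println "Notifier ${notifier} failed"
        // Print the exception actually caught here; `ex` is not defined in this scope.
        println any
    }
}

--------------------------------------------------------------------------------
/resources/jenkins-pipeline-images/README.md:
--------------------------------------------------------------------------------

# pipeline-images
Holds resources for building SDP Pipeline container images

--------------------------------------------------------------------------------
/resources/jenkins-pipeline-images/a11y/Dockerfile:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.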
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Image with the-a11y-machine installed globally via npm.
# NOTE(review): the base tag "node:5" and the npm package are not pinned to an exact
# version, so rebuilds can pull different code.
FROM node:5

ENV NPM_CONFIG_LOGLEVEL=warn \
    NPM_CONFIG_PROGRESS=false \
    NPM_CONFIG_SPIN=false

RUN npm install -g the-a11y-machine

CMD /bin/bash
--------------------------------------------------------------------------------
/resources/jenkins-pipeline-images/a11y/README.md:
--------------------------------------------------------------------------------
a11y
--------------------------------------------------------------------------------
/resources/jenkins-pipeline-images/openshift_helm/Dockerfile:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Image with the oc client and helm on Alpine (glibc compatibility packages are added for oc).
# NOTE(review): "FROM alpine" carries no tag, so the base image floats with every rebuild.
FROM alpine

# Base tooling (bash is listed twice; harmless).
RUN apk add --no-cache \
    openssl \
    git \
    openjdk8 \
    curl \
    bash \
    openssh-client \
    unzip \
    bash \
    ttf-dejavu \
    coreutils \
    iptables \
    ip6tables \
    ipset \
    iproute2 \
    python \
    py-pip \
    groff \
    less \
    mailcap

# install oc client
# NOTE(review): both glibc packages are installed with --allow-untrusted, which skips apk's
# signature verification, and no checksum is compared after download. Verify the packages
# against the publisher's signing key or a pinned digest.
RUN apk add --no-cache ca-certificates wget openssl curl && update-ca-certificates && \
    curl -o glibc.apk -L "https://github.com/andyshinn/alpine-pkg-glibc/releases/download/2.23-r1/glibc-2.23-r1.apk" && \
    apk add --allow-untrusted glibc.apk && \
    curl -o glibc-bin.apk -L "https://github.com/andyshinn/alpine-pkg-glibc/releases/download/2.23-r1/glibc-bin-2.23-r1.apk" && \
    apk add --allow-untrusted glibc-bin.apk && \
    /usr/glibc-compat/sbin/ldconfig /lib /usr/glibc/usr/lib && \
    echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf && \
    rm -f glibc.apk glibc-bin.apk

# NOTE(review): the oc archive is unpacked and installed without a checksum or signature check.
RUN mkdir -p /tmp/oc-client && cd /tmp/oc-client && \
    wget -O oc-client.tar.gz https://github.com/openshift/origin/releases/download/v3.6.1/openshift-origin-client-tools-v3.6.1-008f2d5-linux-64bit.tar.gz && \
    tar -xvf oc-client.tar.gz && \
    mv */oc /usr/local/bin/oc

# NOTE(review): the installer script is fetched from the moving "master" branch and executed
# at build time; only the helm version it installs is pinned (v2.8.2). Pin the script to a
# commit and verify it, or install a verified release archive directly.
RUN wget -O get_helm.sh https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get && \
    chmod 700 ./get_helm.sh && \
    sh ./get_helm.sh --version v2.8.2 && \
    rm -rf /var/cache/apk/*
--------------------------------------------------------------------------------
/resources/jenkins-pipeline-images/protractor/Dockerfile:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Image with Node.js, protractor/gulp, Xvfb and Google Chrome for browser tests.
FROM java:openjdk-8-jdk

# install node
# NOTE(review): a remote setup script is piped straight into bash as root during the build,
# with no pinning or integrity check.
RUN curl -sL https://deb.nodesource.com/setup_8.x | bash - && \
    apt-get install -y nodejs

# NOTE(review): the npm packages and the Chrome .deb ("stable_current") are unpinned and the
# .deb is installed without a checksum comparison, so each build may install different binaries.
RUN npm install -g protractor gulp jasmine-spec-reporter && \
    webdriver-manager update && \
    apt-get update && \
    apt-get install -y xvfb wget && \
    wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb && \
    dpkg --unpack google-chrome-stable_current_amd64.deb && \
    apt-get install -f -y && \
    apt-get clean && \
    rm google-chrome-stable_current_amd64.deb

# Install all npm packages from package.json
# RUN npm install

CMD /bin/bash

--------------------------------------------------------------------------------
/resources/jenkins-pipeline-images/sonar-scanner/Dockerfile:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
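# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Image that runs sonar-scanner 3.0.3.778 on the Alpine OpenJDK 8 base.
FROM openjdk:8-alpine

ENV SONAR_RUNNER_HOME=/root/sonar-scanner-3.0.3.778-linux
ENV PATH $PATH:/root/sonar-scanner-3.0.3.778-linux/bin

WORKDIR /root

# The scanner archive is executable code, so it is fetched with certificate verification on
# (the former --insecure flag accepted any TLS certificate) and --fail makes an HTTP error
# stop the build instead of saving an error page as the zip.
# NOTE(review): the archive is still not compared against a known checksum; add one.
RUN apk add --no-cache curl grep sed unzip && \
    curl --fail -o ./sonarscanner.zip -L https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-3.0.3.778-linux.zip && \
    unzip sonarscanner.zip && \
    rm sonarscanner.zip

COPY sonar-runner.properties ./sonar-scanner-3.0.3.778-linux/conf/sonar-scanner.properties

# ensure Sonar uses the provided Java for musl instead of a borked glibc one
RUN sed -i 's/use_embedded_jre=true/use_embedded_jre=false/g' /root/sonar-scanner-3.0.3.778-linux/bin/sonar-scanner

# Use bash if you want to run the environment from inside the shell, otherwise use the command that actually runs the underlying stuff
#CMD /bin/bash
CMD sonar-scanner
--------------------------------------------------------------------------------
/resources/jenkins-pipeline-images/sonar-scanner/sonar-runner.properties:
--------------------------------------------------------------------------------
#Configure here general information about the environment, such as SonarQube DB details for example
#No information about specific project should appear here

#----- Default SonarQube server
#sonar.host.url=http://sonarqube:9000

#----- Default source code encoding
#sonar.sourceEncoding=UTF-8

#----- Global database settings (not used for SonarQube 5.2+)
#sonar.jdbc.username=sonar
#sonar.jdbc.password=sonar

#----- PostgreSQL
#sonar.jdbc.url=jdbc:postgresql://localhost/sonar

#----- MySQL
#sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8

#----- Oracle
#sonar.jdbc.url=jdbc:oracle:thin:@localhost/XE

#----- Microsoft SQLServer
#sonar.jdbc.url=jdbc:jtds:sqlserver://localhost/sonar;SelectMethod=Cursor

# H2 database from Docker Sonar container
#sonar.jdbc.url=jdbc:h2:tcp://sonarqube/sonar
#sonar.projectKey=MyProjectKey
#sonar.projectName=My Project Name
#sonar.projectVersion=1
#sonar.projectBaseDir=/root/src
#sonar.sources=./
--------------------------------------------------------------------------------
/resources/jenkins-pipeline-images/zap/Dockerfile:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl


FROM owasp/zap2docker-stable
LABEL description="sdp version of zap"
--------------------------------------------------------------------------------
/resources/selenium_grid/chrome/Dockerfile:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License.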
The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# Selenium Chrome node with a replacement entrypoint; /opt/bin and /opt/selenium are handed
# to group 0 with the owner's permissions before dropping back to seluser.
FROM selenium/node-chrome:3.12.0
USER root
COPY entry_point.sh /opt/bin/
RUN chgrp -R 0 /opt/bin \
    && chmod -R g=u /opt/bin \
    && chmod +x /opt/bin/* \
    && chgrp -R 0 /opt/selenium \
    && chmod -R g=u /opt/selenium \
    && chmod +x /opt/selenium/*
USER seluser
ENTRYPOINT [ "/opt/bin/entry_point.sh" ]

--------------------------------------------------------------------------------
/resources/selenium_grid/chrome/entry_point.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
#This software package is licensed under the Booz Allen Public License. The license can be found here: http://boozallen.github.io/licenses/bapl

# Entrypoint for the Selenium Chrome node: registers the current UID in /etc/passwd when it
# has no entry, generates the node config, then starts the Selenium node under Xvfb and
# forwards SIGTERM/SIGINT to it.

# If the running UID has no passwd entry and /etc/passwd is writable, append one
# (group 0, no login shell). USER_NAME falls back to "default".
if ! whoami &> /dev/null; then
  if [ -w /etc/passwd ]; then
    echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
  fi
fi

source /opt/bin/functions.sh
/opt/bin/generate_config > /opt/selenium/config.json

export GEOMETRY="$SCREEN_WIDTH""x""$SCREEN_HEIGHT""x""$SCREEN_DEPTH"

if [ ! -e /opt/selenium/config.json ]; then
  echo No Selenium Node configuration file, the node-base image is not intended to be run directly. 1>&2
  exit 1
fi

# In the long term the idea is to remove $HUB_PORT_4444_TCP_ADDR and $HUB_PORT_4444_TCP_PORT and only work with
# $HUB_HOST and $HUB_PORT
if [ ! -z "$HUB_HOST" ]; then
  # HUB_PORT defaults to 4444 when unset
  HUB_PORT_PARAM=4444
  if [ ! -z "$HUB_PORT" ]; then
    HUB_PORT_PARAM=${HUB_PORT}
  fi
  echo "Connecting to the Hub using the host ${HUB_HOST} and port ${HUB_PORT_PARAM}"
  HUB_PORT_4444_TCP_ADDR=${HUB_HOST}
  HUB_PORT_4444_TCP_PORT=${HUB_PORT_PARAM}
fi

if [ -z "$HUB_PORT_4444_TCP_ADDR" ]; then
  echo "Not linked with a running Hub container" 1>&2
  exit 1
fi

# Signal handler: pass SIGTERM to the node process and wait for it to exit.
function shutdown {
  kill -s SIGTERM $NODE_PID
  wait $NODE_PID
}

REMOTE_HOST_PARAM=""
if [ ! -z "$REMOTE_HOST" ]; then
  echo "REMOTE_HOST variable is set, appending -remoteHost"
  REMOTE_HOST_PARAM="-remoteHost $REMOTE_HOST"
fi

# NOTE(review): the value of SE_OPTS is written to the container log as-is.
if [ ! -z "$SE_OPTS" ]; then
  echo "appending selenium options: ${SE_OPTS}"
fi

SERVERNUM=$(get_server_num)

rm -f /tmp/.X*lock

# JAVA_OPTS, REMOTE_HOST_PARAM and SE_OPTS are expanded unquoted so that each may carry
# several arguments; their content therefore shapes the java command line directly.
# NOTE(review): "-ac" in the Xvfb server args disables X access control; the hub is
# contacted over plain http.
xvfb-run -n $SERVERNUM --server-args="-screen 0 $GEOMETRY -ac +extension RANDR" \
  java ${JAVA_OPTS} -jar /opt/selenium/selenium-server-standalone.jar \
    -role node \
    -hub http://$HUB_PORT_4444_TCP_ADDR:$HUB_PORT_4444_TCP_PORT/grid/register \
    ${REMOTE_HOST_PARAM} \
    -nodeConfig /opt/selenium/config.json \
    ${SE_OPTS} &
NODE_PID=$!

# The trap is installed only after the node has been started in the background.
trap shutdown SIGTERM SIGINT
wait $NODE_PID

--------------------------------------------------------------------------------
/resources/sonarqube/Dockerfile:
--------------------------------------------------------------------------------
# Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
# This software package is licensed under the Booz Allen Public License.
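The license can be found in the License file or at http://boozallen.github.io/licenses/bapl

# SonarQube 6.7 image with a custom start script, configuration file and five analysis plugins.
FROM sonarqube:6.7

ENV PLUGINS $SONARQUBE_HOME/extensions/plugins

# Plain local files, so COPY is used rather than ADD.
COPY run.sh $SONARQUBE_HOME/bin/run.sh
COPY sonar.properties /opt/sonarqube/conf/sonar.properties

USER root
# Plugin jars are loaded by the server, so a failed download must stop the build:
# --fail (-f) makes curl exit non-zero on an HTTP error instead of saving the error page as a .jar.
# NOTE(review): none of the jars is compared against a known checksum; add a digest check per file.
RUN curl -f -L -O https://binaries.sonarsource.com/Distribution/sonar-java-plugin/sonar-java-plugin-5.1.0.13090.jar && \
    curl -f -L -O https://github.com/SonarQubeCommunity/sonar-pmd/releases/download/2.6/sonar-pmd-plugin-2.6.jar && \
    curl -f -L -O https://github.com/checkstyle/sonar-checkstyle/releases/download/4.8/checkstyle-sonar-plugin-4.8.jar && \
    curl -f -L -O https://github.com/spotbugs/sonar-findbugs/releases/download/3.6.0/sonar-findbugs-plugin-3.6.0.jar && \
    curl -f -L -O https://binaries.sonarsource.com/Distribution/sonar-javascript-plugin/sonar-javascript-plugin-4.0.0.5862.jar && \
    mv $SONARQUBE_HOME/*.jar $PLUGINS && \
    chmod +x $SONARQUBE_HOME/bin/run.sh && \
    chown -R sonarqube $SONARQUBE_HOME && \
    chgrp -R 0 $SONARQUBE_HOME && \
    chmod -R g+rw $SONARQUBE_HOME && \
    find $SONARQUBE_HOME -type d -exec chmod g+x {} +


USER sonarqube
ENTRYPOINT $SONARQUBE_HOME/bin/run.sh

--------------------------------------------------------------------------------
/resources/sonarqube/README.md:
--------------------------------------------------------------------------------

# Sonarqube
This repository builds a fully configured image of Sonarqube.

### Installing
1. A secret named `sonarqube-db-secrets` must exist in the project. It must contain the following keys:
    1. `database-name` - should be `sonar`. Consider hardcoding this in the yaml file in the future.
    1. `database-user` - The username in the db for sonar to use
    1. `database-password` - The password in the db for sonar to use
1. `oc create -f sonarqube.yaml`
1. Wait ~20s
1. `oc create -f job.yaml`

### Nutrition Facts
1. Plugins
    1. FindBugs
    1. SonarJava
    1. CheckStyle
    1. PMD
    1. SonarJS
1. API Token
    1. Generate an API token
    1. Put that API token in the Jenkins credentials store, specifically the one named `sonarqube`
    1. Also put that API token at "Manage Jenkins > Configure System > SonarQube servers > Server authentication token"
1. WebHook
    1. Create a webhook named `Jenkins` that points to the SDP Jenkins Server
        i Note that that url is just the jenkins route plus "/sonarqube-webhook/"

### Components
Each piece of the repo and how it should be used

##### Jenkinsfile
Interpreted by jenkins in order to build the image and push to the docker repository

##### Dockerfile
Base image plus Sonar and plugins download

##### docker-entrypoint.sh
Installs/moves the plugins, and then starts Sonarqube Server. This needed to be at runtime due to PV configuration in the base image. Once we update the base image, this can probably be moved to the Dockerfile.

##### sonarqube.yaml
Sets up an instance of this Sonarqube, along with a basic postgres instance

What it does:
* Creates Sonar and postgres pods, services, and route

##### job.yaml
Creates a job to finish setting up sonarqube

What it does:
* Adds a config file for the Jenkins Sonarqube plugin
* Creates a user token in Sonarqube
* Store that user token in the Jenkins credential store
* Add a webhook for Jenkins in Sonarqube

--------------------------------------------------------------------------------
/resources/sonarqube/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#Copyright © 2018 Booz Allen Hamilton. All Rights Reserved.
#This software package is licensed under the Booz Allen Public License.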
The license can be found here: http://boozallen.github.io/licenses/bapl

# Start script for the SonarQube container: runs an arbitrary command when the first argument
# is not an option, otherwise launches the SonarQube application with JDBC settings taken
# from environment variables.

set -e

# A first argument that does not begin with "-" is treated as a command and replaces this shell.
if [ "${1:0:1}" != '-' ]; then
  exec "$@"
fi

# NOTE(review): -Dsonar.jdbc.password=... places the database password on the java command
# line, where it is visible in the process list for the life of the server. The
# sonar.properties header below states that property values can reference an environment
# variable via ${env:...}, which would keep the secret out of the arguments.
exec java -jar lib/sonar-application-$SONAR_VERSION.jar \
  -Dsonar.log.console=true \
  -Dsonar.jdbc.username="$SONARQUBE_JDBC_USERNAME" \
  -Dsonar.jdbc.password="$SONARQUBE_JDBC_PASSWORD" \
  -Dsonar.jdbc.url="$SONARQUBE_JDBC_URL" \
  -Dsonar.web.javaAdditionalOpts="$SONARQUBE_WEB_JVM_OPTS -Djava.security.egd=file:/dev/./urandom" \
  "$@"

--------------------------------------------------------------------------------
/resources/sonarqube/sonar.properties:
--------------------------------------------------------------------------------

# Property values can:
# - reference an environment variable, for example sonar.jdbc.url= ${env:SONAR_JDBC_URL}
# - be encrypted. See https://redirect.sonarsource.com/doc/settings-encryption.html

#--------------------------------------------------------------------------------------------------
# DATABASE
#
# IMPORTANT:
# - The embedded H2 database is used by default. It is recommended for tests but not for
# production use. Supported databases are MySQL, Oracle, PostgreSQL and Microsoft SQLServer.
# - Changes to database connection URL (sonar.jdbc.url) can affect SonarSource licensed products.

# User credentials.
# Permissions to create tables, indices and triggers must be granted to JDBC user.
# The schema must be created first.
#sonar.jdbc.username=
#sonar.jdbc.password=

#----- Embedded Database (default)
# H2 embedded database server listening port, defaults to 9092
#sonar.embeddedDatabase.port=9092

#----- MySQL 5.6 or greater
# Only InnoDB storage engine is supported (not myISAM).
# Only the bundled driver is supported. It can not be changed.
27 | #sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance&useSSL=false 28 | 29 | 30 | #----- Oracle 11g/12c 31 | # The Oracle JDBC driver must be copied into the directory extensions/jdbc-driver/oracle/. 32 | # Only the thin client is supported, and only the versions 11.2.x or 12.2.x must be used. See 33 | # https://jira.sonarsource.com/browse/SONAR-9758 for more details. 34 | # If you need to set the schema, please refer to http://jira.sonarsource.com/browse/SONAR-5000 35 | #sonar.jdbc.url=jdbc:oracle:thin:@localhost:1521/XE 36 | 37 | 38 | #----- PostgreSQL 8.x/9.x 39 | # If you don't use the schema named "public", please refer to http://jira.sonarsource.com/browse/SONAR-5000 40 | #sonar.jdbc.url=jdbc:postgresql://localhost/sonar 41 | 42 | 43 | #----- Microsoft SQLServer 2014/2016 and SQL Azure 44 | # A database named sonar must exist and its collation must be case-sensitive (CS) and accent-sensitive (AS) 45 | # Use the following connection string if you want to use integrated security with Microsoft Sql Server 46 | # Do not set sonar.jdbc.username or sonar.jdbc.password property if you are using Integrated Security 47 | # For Integrated Security to work, you have to download the Microsoft SQL JDBC driver package from 48 | # https://www.microsoft.com/en-us/download/details.aspx?id=55539 49 | # and copy sqljdbc_auth.dll to your path. You have to copy the 32 bit or 64 bit version of the dll 50 | # depending upon the architecture of your server machine. 51 | #sonar.jdbc.url=jdbc:sqlserver://localhost;databaseName=sonar;integratedSecurity=true 52 | 53 | # Use the following connection string if you want to use SQL Auth while connecting to MS Sql Server. 54 | # Set the sonar.jdbc.username and sonar.jdbc.password appropriately. 
55 | #sonar.jdbc.url=jdbc:sqlserver://localhost;databaseName=sonar 56 | 57 | 58 | #----- Connection pool settings 59 | # The maximum number of active connections that can be allocated 60 | # at the same time, or negative for no limit. 61 | # The recommended value is 1.2 * max sizes of HTTP pools. For example if HTTP ports are 62 | # enabled with default sizes (50, see property sonar.web.http.maxThreads) 63 | # then sonar.jdbc.maxActive should be 1.2 * 50 = 60. 64 | #sonar.jdbc.maxActive=60 65 | 66 | # The maximum number of connections that can remain idle in the 67 | # pool, without extra ones being released, or negative for no limit. 68 | #sonar.jdbc.maxIdle=5 69 | 70 | # The minimum number of connections that can remain idle in the pool, 71 | # without extra ones being created, or zero to create none. 72 | #sonar.jdbc.minIdle=2 73 | 74 | # The maximum number of milliseconds that the pool will wait (when there 75 | # are no available connections) for a connection to be returned before 76 | # throwing an exception, or <= 0 to wait indefinitely. 77 | #sonar.jdbc.maxWait=5000 78 | 79 | #sonar.jdbc.minEvictableIdleTimeMillis=600000 80 | #sonar.jdbc.timeBetweenEvictionRunsMillis=30000 81 | 82 | 83 | 84 | #-------------------------------------------------------------------------------------------------- 85 | # WEB SERVER 86 | # Web server is executed in a dedicated Java process. By default heap size is 512Mb. 87 | # Use the following property to customize JVM options. 88 | # Recommendations: 89 | # 90 | # The HotSpot Server VM is recommended. The property -server should be added if server mode 91 | # is not enabled by default on your environment: 92 | # http://docs.oracle.com/javase/8/docs/technotes/guides/vm/server-class.html 93 | # 94 | # Startup can be long if entropy source is short of entropy. Adding 95 | # -Djava.security.egd=file:/dev/./urandom is an option to resolve the problem. 
96 | # See https://wiki.apache.org/tomcat/HowTo/FasterStartUp#Entropy_Source 97 | # 98 | #sonar.web.javaOpts=-Xmx512m -Xms128m -XX:+HeapDumpOnOutOfMemoryError 99 | 100 | # Same as previous property, but allows to not repeat all other settings like -Xmx 101 | #sonar.web.javaAdditionalOpts= 102 | 103 | # Binding IP address. For servers with more than one IP address, this property specifies which 104 | # address will be used for listening on the specified ports. 105 | # By default, ports will be used on all IP addresses associated with the server. 106 | #sonar.web.host=0.0.0.0 107 | 108 | # Web context. When set, it must start with forward slash (for example /sonarqube). 109 | # The default value is root context (empty value). 110 | #sonar.web.context= 111 | # TCP port for incoming HTTP connections. Default value is 9000. 112 | #sonar.web.port=9000 113 | 114 | 115 | # The maximum number of connections that the server will accept and process at any given time. 116 | # When this number has been reached, the server will not accept any more connections until 117 | # the number of connections falls below this value. The operating system may still accept connections 118 | # based on the sonar.web.connections.acceptCount property. The default value is 50. 119 | #sonar.web.http.maxThreads=50 120 | 121 | # The minimum number of threads always kept running. The default value is 5. 122 | #sonar.web.http.minThreads=5 123 | 124 | # The maximum queue length for incoming connection requests when all possible request processing 125 | # threads are in use. Any requests received when the queue is full will be refused. 126 | # The default value is 25. 127 | #sonar.web.http.acceptCount=25 128 | 129 | # By default users are logged out and sessions closed when server is restarted. 130 | # If you prefer keeping user sessions open, a secret should be defined. Value is 131 | # HS256 key encoded with base64. It must be unique for each installation of SonarQube. 
132 | # Example of command-line (replace both quoted placeholders with long random values; a guessable input gives a guessable signing key): 133 | # echo -n "type_what_you_want" | openssl dgst -sha256 -hmac "key" -binary | base64 134 | #sonar.auth.jwtBase64Hs256Secret= 135 | 136 | # The inactivity timeout duration of user sessions, in minutes. After the configured 137 | # period of time, the user is logged out. 138 | # The default value is set to 3 days (4320 minutes) 139 | # and cannot be greater than 3 months. Value must be strictly positive. 140 | #sonar.web.sessionTimeoutInMinutes=4320 141 | 142 | # A passcode can be defined to access some web services from monitoring 143 | # tools without having to use the credentials of a system administrator. 144 | # Check the Web API documentation to know which web services are supporting this authentication mode. 145 | # The passcode should be provided in HTTP requests with the header "X-Sonar-Passcode". 146 | # By default feature is disabled. 147 | #sonar.web.systemPasscode= 148 | 149 | 150 | #-------------------------------------------------------------------------------------------------- 151 | # SSO AUTHENTICATION 152 | 153 | # Enable authentication using HTTP headers. Only enable this when SonarQube is reachable solely through a reverse proxy that sets these headers itself and removes client-supplied copies, because the header values are trusted as the user's identity. 154 | #sonar.web.sso.enable=false 155 | 156 | # Name of the header to get the user login. 157 | # Only alphanumeric, '.' and '@' characters are allowed 158 | #sonar.web.sso.loginHeader=X-Forwarded-Login 159 | 160 | # Name of the header to get the user name 161 | #sonar.web.sso.nameHeader=X-Forwarded-Name 162 | 163 | # Name of the header to get the user email (optional) 164 | #sonar.web.sso.emailHeader=X-Forwarded-Email 165 | 166 | # Name of the header to get the list of user groups, separated by comma (optional). 167 | # If the sonar.web.sso.groupsHeader is set, the user will belong to those groups if groups exist in SonarQube. 168 | # If none of the provided groups exists in SonarQube, the user won't belong to any group. 169 | # Note that the default group will NOT be automatically added when using SSO, it should be provided in the groups list, if needed.
170 | #sonar.web.sso.groupsHeader=X-Forwarded-Groups 171 | 172 | # Interval used to know when to refresh name, email and groups. 173 | # During this interval, if for instance the name of the user is changed in the header, it will only be updated after X minutes. 174 | #sonar.web.sso.refreshIntervalInMinutes=5 175 | 176 | 177 | #-------------------------------------------------------------------------------------------------- 178 | # COMPUTE ENGINE 179 | # The Compute Engine is responsible for processing background tasks. 180 | # Compute Engine is executed in a dedicated Java process. Default heap size is 512Mb. 181 | # Use the following property to customize JVM options. 182 | # Recommendations: 183 | # 184 | # The HotSpot Server VM is recommended. The property -server should be added if server mode 185 | # is not enabled by default on your environment: 186 | # http://docs.oracle.com/javase/8/docs/technotes/guides/vm/server-class.html 187 | # 188 | #sonar.ce.javaOpts=-Xmx512m -Xms128m -XX:+HeapDumpOnOutOfMemoryError 189 | 190 | # Same as previous property, but allows to not repeat all other settings like -Xmx 191 | #sonar.ce.javaAdditionalOpts= 192 | 193 | 194 | #-------------------------------------------------------------------------------------------------- 195 | # ELASTICSEARCH 196 | # Elasticsearch is used to facilitate fast and accurate information retrieval. 197 | # It is executed in a dedicated Java process. Default heap size is 512Mb. 198 | # 199 | # -------------------------------------------------- 200 | # Word of caution for Linux users on 64bits systems 201 | # -------------------------------------------------- 202 | # Please ensure Virtual Memory on your system is correctly configured for Elasticsearch to run properly 203 | # (see https://www.elastic.co/guide/en/elasticsearch/reference/5.5/vm-max-map-count.html for details). 
204 | # 205 | # When SonarQube runs standalone, a warning such as the following may appear in logs/es.log: 206 | # "max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]" 207 | # When SonarQube runs as a cluster, however, Elasticsearch will refuse to start. 208 | # 209 | 210 | # JVM options of Elasticsearch process 211 | #sonar.search.javaOpts=-Xms512m \ 212 | # -Xmx512m \ 213 | # -XX:+HeapDumpOnOutOfMemoryError 214 | 215 | # Same as previous property, but allows to not repeat all other settings like -Xmx 216 | #sonar.search.javaAdditionalOpts= 217 | 218 | # Elasticsearch port. Default is 9001. Use 0 to get a free port. 219 | # As a security precaution, should be blocked by a firewall and not exposed to the Internet. 220 | #sonar.search.port=9001 221 | 222 | # Elasticsearch host. The search server will bind this address and the search client will connect to it. 223 | # Default is loopback address. 224 | # As a security precaution, should NOT be set to a publicly available address. 225 | #sonar.search.host= 226 | 227 | 228 | #-------------------------------------------------------------------------------------------------- 229 | # UPDATE CENTER 230 | 231 | # Update Center requires an internet connection to request https://update.sonarsource.org 232 | # It is enabled by default. 
233 | #sonar.updatecenter.activate=true 234 | 235 | # HTTP proxy (default none) 236 | #http.proxyHost= 237 | #http.proxyPort= 238 | # HTTPS proxy (defaults are values of http.proxyHost and http.proxyPort) 239 | #https.proxyHost= 240 | #https.proxyPort= 241 | 242 | # NT domain name if NTLM proxy is used 243 | #http.auth.ntlm.domain= 244 | 245 | # SOCKS proxy (default none) 246 | #socksProxyHost= 247 | #socksProxyPort= 248 | 249 | # Proxy authentication (used for HTTP, HTTPS and SOCKS proxies) 250 | #http.proxyUser= 251 | #http.proxyPassword= 252 | 253 | 254 | #-------------------------------------------------------------------------------------------------- 255 | # LOGGING 256 | 257 | # SonarQube produces logs in 4 logs files located in the same directory (see property sonar.path.logs below), 258 | # one per process: 259 | # Main process (aka. App) logs in sonar.log 260 | # Web Server (aka. Web) logs in web.log 261 | # Compute Engine (aka. CE) logs in ce.log 262 | # Elasticsearch (aka. ES) logs in es.log 263 | # 264 | # All 4 files follow the same rolling policy (see sonar.log.rollingPolicy and sonar.log.maxFiles) but it applies 265 | # individually (eg. if sonar.log.maxFiles=4, there can be at most 4 of each files, ie. 16 files in total). 266 | # 267 | # All 4 files have logs in the same format: 268 | # 1 2 3 4 5 6 269 | # |-----------------| |---| |-|--------------------||------------------------------| |------------------------------------------------------------------------------------------------------------------------------| 270 | # 2016.11.16 16:47:00 INFO ce[AVht0dNXFcyiYejytc3m][o.s.s.c.t.CeWorkerCallableImpl] Executed task | project=org.sonarqube:example-java-maven | type=REPORT | id=AVht0dNXFcyiYejytc3m | submitter=admin | time=1699ms 271 | # 272 | # 1: timestamp. 
Format is YYYY.MM.DD HH:MM:SS 273 | # YYYY: year on 4 digits 274 | # MM: month on 2 digits 275 | # DD: day on 2 digits 276 | # HH: hour of day on 2 digits in 24 hours format 277 | # MM: minutes on 2 digits 278 | # SS: seconds on 2 digits 279 | # 2: log level. 280 | # Possible values (in order of descending criticality): ERROR, WARN, INFO, DEBUG and TRACE 281 | # 3: process identifier. Possible values: app (main), web (Web Server), ce (Compute Engine) and es (Elasticsearch) 282 | # 4: SQ thread identifier. Can be empty. 283 | # In the Web Server, if present, it will be the HTTP request ID. 284 | # In the Compute Engine, if present, it will be the task ID. 285 | # 5: logger name. Usually a class canonical name. 286 | # Package names are truncated to keep the whole field to 20 characters max 287 | # 6: log payload. Content of this field does not follow any specific format, can vary in length and include line returns. 288 | # Some logs, however, will follow the convention to provide data in payload in the format " | key=value" 289 | # Especially, log of profiled pieces of code will end with " | time=XXXXms". 290 | 291 | # Global level of logs (applies to all 4 processes). 292 | # Supported values are INFO (default), DEBUG and TRACE 293 | #sonar.log.level=INFO 294 | 295 | # Level of logs of each process can be controlled individually with their respective properties. 296 | # When specified, they overwrite the level defined at global level. 297 | # Supported values are INFO, DEBUG and TRACE 298 | #sonar.log.level.app=INFO 299 | #sonar.log.level.web=INFO 300 | #sonar.log.level.ce=INFO 301 | #sonar.log.level.es=INFO 302 | 303 | # Path to log files. Can be absolute or relative to installation directory. 
304 | # Default is /logs 305 | #sonar.path.logs=logs 306 | 307 | # Rolling policy of log files 308 | # - based on time if value starts with "time:", for example by day ("time:yyyy-MM-dd") 309 | # or by month ("time:yyyy-MM") 310 | # - based on size if value starts with "size:", for example "size:10MB" 311 | # - disabled if value is "none". That needs logs to be managed by an external system like logrotate. 312 | #sonar.log.rollingPolicy=time:yyyy-MM-dd 313 | 314 | # Maximum number of files to keep if a rolling policy is enabled. 315 | # - maximum value is 20 on size rolling policy 316 | # - unlimited on time rolling policy. Set to zero to disable old file purging. 317 | #sonar.log.maxFiles=7 318 | 319 | # Access log is the list of all the HTTP requests received by server. If enabled, it is stored 320 | # in the file {sonar.path.logs}/access.log. This file follows the same rolling policy as other log file 321 | # (see sonar.log.rollingPolicy and sonar.log.maxFiles). 322 | #sonar.web.accessLogs.enable=true 323 | 324 | # Format of access log. It is ignored if sonar.web.accessLogs.enable=false. Possible values are: 325 | # - "common" is the Common Log Format, shortcut to: %h %l %u %user %date "%r" %s %b 326 | # - "combined" is another format widely recognized, shortcut to: %h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" 327 | # - else a custom pattern. See http://logback.qos.ch/manual/layouts.html#AccessPatternLayout. 328 | # The login of authenticated user is not implemented with "%u" but with "%reqAttribute{LOGIN}" (since version 6.1). 329 | # The value displayed for anonymous users is "-". 330 | # The SonarQube's HTTP request ID can be added to the pattern with "%reqAttribute{ID}" (since version 6.2). 
331 | # If SonarQube is behind a reverse proxy, then the following value allows to display the correct remote IP address: 332 | #sonar.web.accessLogs.pattern=%i{X-Forwarded-For} %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" "%reqAttribute{ID}" 333 | # Default value (which was "combined" before version 6.2) is equivalent to "combined + SQ HTTP request ID": 334 | #sonar.web.accessLogs.pattern=%h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" "%reqAttribute{ID}" 335 | 336 | 337 | #-------------------------------------------------------------------------------------------------- 338 | # OTHERS 339 | 340 | # Delay in seconds between processing of notification queue. Default is 60 seconds. 341 | #sonar.notifications.delay=60 342 | 343 | # Paths to persistent data files (embedded database and search index) and temporary files. 344 | # Can be absolute or relative to installation directory. 345 | # Defaults are respectively /data and /temp 346 | #sonar.path.data=data 347 | #sonar.path.temp=temp 348 | 349 | # Telemetry - Share anonymous SonarQube statistics 350 | # By sharing anonymous SonarQube statistics, you help us understand how SonarQube is used so we can improve the product to work even better for you. 351 | # We don't collect source code or IP addresses. And we don't share the data with anyone else. 352 | # To see an example of the data shared: login as a global administrator, call the WS api/system/info and check the Statistics field. 353 | #sonar.telemetry.enable=true 354 | 355 | 356 | #-------------------------------------------------------------------------------------------------- 357 | # DEVELOPMENT - only for developers 358 | # The following properties MUST NOT be used in production environments. 
359 | 360 | # Elasticsearch HTTP connector 361 | #sonar.search.httpPort=-1 362 | # SDP settings (active; these are not part of the DEVELOPMENT section above). Anonymous access is blocked only when FORCE_AUTHENTICATION resolves to true, so set it explicitly for any instance that untrusted users can reach. The GitHub OAuth client id and secret are read from the environment rather than stored in this file. 363 | sonar.forceAuthentication=${env:FORCE_AUTHENTICATION} 364 | sonar.auth.github.enabled=true 365 | sonar.auth.github.clientId=${env:GITHUB_SONARQUBE_OAUTH_CLIENT_ID} 366 | sonar.auth.github.clientSecret=${env:GITHUB_SONARQUBE_OAUTH_CLIENT_SECRET} 367 | sonar.auth.github.allowUsersToSignUp=false 368 | -------------------------------------------------------------------------------- /templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Successfully Installed the Solutions Delivery Platform. 2 | -------------------------------------------------------------------------------- /values.template.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2018 Booz Allen Hamilton. All Rights Reserved. 2 | # This software package is licensed under the Booz Allen Public License. The license can be found in the License file or at http://boozallen.github.io/licenses/bapl 3 | 4 | global: 5 | domain: apps.ocp.example.com # Set this to the domain of your Openshift routes (or K8's services) 6 | # Configure any other global variables (e.g. openshift, persistentStorage) below 7 | 8 | # something 9 | jenkins: 10 | numAgents: 4 # Set this to the desired number of Jenkins Agents/Executors 11 | # Configure additional Jenkins variables as necessary 12 | 13 | sonarqube: 14 | enabled: true 15 | # Configure additional Sonarqube variables as necessary 16 | 17 | selenium: 18 | enabled: true 19 | # Configure additional Selenium variables as necessary 20 | --------------------------------------------------------------------------------