├── config ├── acme.yaml ├── jenkins-infra-agents-infracijioagents2.yaml ├── jenkins-kubernetes-agents_ci.jenkins.io_cijioagents2.yaml ├── jenkins-kubernetes-agents_ci.jenkins.io_cijioagents2-bom.yaml ├── publick8s_falco.yaml ├── jenkins-kubernetes-agents_release.ci.jenkins.io.yaml ├── publick8s_ipv6-lb-service.yaml ├── rss2twitter.yaml ├── NOTES.txt ├── custom-distribution-service.yaml ├── private-nginx-ingress_privatek8s.yaml ├── github-comment-ops.yaml ├── cert-manager.yaml ├── datadog_publick8s.yaml ├── publick8s_incrementals-jenkins-io.yaml ├── cert-manager_publick8s.yaml ├── datadog_infracijioagents2.yaml ├── publick8s_updates-jenkins-io-rsync.yaml ├── publick8s_redis.yaml ├── publick8s_rating-jenkins-io.yaml ├── datadog_privatek8s.yaml ├── publick8s_plugin-site-issues-jenkins-io.yaml ├── publick8s_private-nginx-ingress.yaml ├── public-nginx-ingress_privatek8s.yaml ├── publick8s_uplink-jenkins-io.yaml ├── datadog_cijenkinsio-agents-2.yaml ├── publick8s_plugin-health-jenkins-io.yaml ├── publick8s_wiki.yaml ├── publick8s_plugins-jenkins-io.yaml ├── publick8s_staging-get-jenkins-io.yaml ├── datadog.yaml.gotmpl ├── cijioagents2-maven-cacher.yaml ├── publick8s_docs-jenkins-io.yaml ├── publick8s_contributors-jenkins-io.yaml ├── publick8s_accounts-jenkins-io.yaml ├── publick8s_public-nginx-ingress.yaml ├── publick8s_issue-redirect-jenkins-io.yaml ├── publick8s_get-jenkins-io-httpd.yaml ├── publick8s_updates-jenkins-io-redirections.yaml ├── javadoc-jenkins-io.yaml ├── publick8s_javadoc-jenkins-io.yaml ├── publick8s_reports-jenkins-io.yaml ├── publick8s_builds-reports-jenkins-io.yaml ├── hub-mirror_cijioagents2.yaml ├── private-nginx-ingress__common.yaml ├── publick8s_stats-jenkins-io.yaml ├── artifact-caching-proxy_aws-cijenkinsio-agents-2.yaml ├── publick8s_admin-accounts-jenkins-io.yaml ├── public-nginx-ingress__common.yaml ├── publick8s_ldap-jenkins-io.yaml ├── publick8s_updates-jenkins-io-content.yaml ├── publick8s_get-jenkins-io-mirrorbits.yaml ├── 
publick8s_pkg-origin-jenkins-io.yaml ├── publick8s_staging-pkg-origin-jenkins-io.yaml ├── publick8s_www-jenkins-io.yaml └── publick8s_weekly-ci-jenkins-io.yaml ├── .gitignore ├── yamllint.config ├── updatecli ├── values.yaml └── updatecli.d │ ├── docker-images │ ├── NOTES.txt │ ├── jenkins-lts.yaml │ ├── issue-redirect.yaml │ ├── jenkins-weekly_infra.ci.jenkins.io.yaml │ ├── 404.yaml │ ├── jenkins-weekly_weekly.ci.jenkins.io.yaml │ ├── keycloak-theme.yaml │ └── maven-cacher.yaml │ ├── charts │ ├── falco.yaml │ ├── httpd.yaml │ ├── ldap.yaml │ ├── wiki.yaml │ ├── uplink.yaml │ ├── rsyncd.yaml │ ├── codecentric-keycloak.yaml │ ├── rating.yaml │ ├── accountapp.yaml │ ├── mirrorbits.yaml │ ├── plugin-site.yaml │ ├── rss2twitter.yaml │ ├── acme.yaml │ ├── cert-manager.yaml │ ├── ipv6-lb-service.yaml │ ├── docker-registry.yaml │ ├── maven-cacher.yaml │ ├── plugin-site-issues.yaml │ ├── github-comment-ops.yaml │ ├── jenkins-infra-jobs.yaml │ ├── datadog.yaml │ ├── incrementals-publisher.yaml │ ├── artifact-caching-proxy.yaml │ ├── jenkins.yaml │ ├── plugin-health-scoring.yaml │ ├── nginx-website.yaml │ ├── nginx-ingress.yaml │ └── jenkins-kubernetes-agent.yaml │ ├── configs │ ├── cijenkinsioagents2-maven-cacher.yaml │ ├── pvc-ldap.yaml │ ├── pvc-get-jenkins-io-httpd.yaml │ ├── pvc-updates-jenkins-io-redirections.yaml │ ├── allowed-github-hooks-ips.yaml │ ├── cijenkinsioagents2-hub-mirror.yaml │ ├── pvc-get-jenkins-io-mirrorbits.yaml │ ├── cijenkinsioagents2-acp-lb.yaml │ ├── cijenkinsioagents2-jenkins-kubernetes-agents.yaml │ ├── pvc-updates-jenkins-io-content.yaml │ └── ldap-restricted-ips.yaml │ └── jenkins-controllers │ ├── tools-maven.yaml │ └── jenkins-agents-infra.ci.jenkins.io.yaml ├── CODEOWNERS ├── Makefile ├── clusters ├── infracijioagents2.yaml ├── cijioagents2.yaml ├── privatek8s.yaml └── publick8s.yaml ├── LICENSE ├── Jenkinsfile_updatecli ├── Jenkinsfile_k8s ├── CONTRIBUTING.md └── README.md /config/acme.yaml: 
-------------------------------------------------------------------------------- 1 | acme: 2 | email: "jenkins-infra-team@googlegroups.com" 3 | -------------------------------------------------------------------------------- /config/jenkins-infra-agents-infracijioagents2.yaml: -------------------------------------------------------------------------------- 1 | quotas: 2 | pods: 150 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | bin/* 2 | *.tgz 3 | .keyvault 4 | secrets 5 | values.local.yaml 6 | requirements.lock 7 | -------------------------------------------------------------------------------- /config/jenkins-kubernetes-agents_ci.jenkins.io_cijioagents2.yaml: -------------------------------------------------------------------------------- 1 | quotas: 2 | pods: 150 3 | 4 | groups: 5 | - ci-jenkins-io 6 | -------------------------------------------------------------------------------- /config/jenkins-kubernetes-agents_ci.jenkins.io_cijioagents2-bom.yaml: -------------------------------------------------------------------------------- 1 | quotas: 2 | pods: 150 3 | 4 | groups: 5 | - ci-jenkins-io 6 | -------------------------------------------------------------------------------- /config/publick8s_falco.yaml: -------------------------------------------------------------------------------- 1 | tolerations: 2 | - key: "kubernetes.io/arch" 3 | operator: "Equal" 4 | value: "arm64" 5 | effect: "NoSchedule" 6 | -------------------------------------------------------------------------------- /yamllint.config: -------------------------------------------------------------------------------- 1 | extends: default 2 | 3 | rules: 4 | line-length: disable 5 | document-start: disable 6 | comments: 7 | min-spaces-from-content: 1 8 | -------------------------------------------------------------------------------- 
/config/jenkins-kubernetes-agents_release.ci.jenkins.io.yaml: -------------------------------------------------------------------------------- 1 | # TODO: track with updatecli from https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 2 | existingServiceAccount: release-ci-jenkins-io:release-ci-jenkins-io-controller 3 | -------------------------------------------------------------------------------- /updatecli/values.yaml: -------------------------------------------------------------------------------- 1 | github: # NOTE(review): the manifests under updatecli.d also read .github.username, which is not defined in this file - confirm it is supplied elsewhere 2 | user: "Jenkins Infra Bot (updatecli)" 3 | email: "60776566+jenkins-infra-bot@users.noreply.github.com" 4 | token: "UPDATECLI_GITHUB_TOKEN" # name of the environment variable that holds the token (the manifests resolve it with requiredEnv), not the token value itself 5 | branch: "main" 6 | owner: "jenkins-infra" 7 | repository: "kubernetes-management" 8 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/docker-images/NOTES.txt: -------------------------------------------------------------------------------- 1 | This folder contains updatecli manifests to update the Docker image tag of official/external helm charts. 2 | 3 | The Docker tag updates for our custom charts are here: https://github.com/jenkins-infra/helm-charts/tree/main/updatecli 4 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # Order is important. The last matching pattern has the most precedence. 
2 | 3 | * @jenkins-infra/jenkins-infra-sre-team 4 | 5 | plugin-site.yaml @jenkins-infra/jenkins-infra-sre-team @jenkins-infra/plugin-site 6 | plugin-site-issues.yaml @jenkins-infra/jenkins-infra-sre-team @jenkins-infra/plugin-site 7 | -------------------------------------------------------------------------------- /config/publick8s_ipv6-lb-service.yaml: -------------------------------------------------------------------------------- 1 | # azurerm_public_ip.publick8s_ipv6.ip_address in https://github.com/jenkins-infra/azure/blob/main/publick8s.tf 2 | ipv6PipName: publick8s-public-ipv6 3 | resourceGroup: prod-public-ips 4 | app: 5 | name: "ingress-nginx" 6 | component: "controller" 7 | instance: "public-nginx-ingress" 8 | -------------------------------------------------------------------------------- /config/rss2twitter.yaml: -------------------------------------------------------------------------------- 1 | env: 2 | rssFeed: https://www.jenkins.io/releases.rss 3 | rssRefreshRate: 1m 4 | template: | 5 | {{.Title}} 6 | {{.Link}}?utm_source=rss2twitter&utm_medium=twitter 7 | # disables publishing to twitter and sends updates to logger only 8 | dryMode: false 9 | 10 | nodeSelector: 11 | kubernetes.azure.com/agentpool: linuxpool 12 | -------------------------------------------------------------------------------- /config/NOTES.txt: -------------------------------------------------------------------------------- 1 | In these config files, we set/override the image.tag and keep it updated with updatecli (see ./updatecli/updatecli.d/docker-images). 2 | In our own charts' config, there isn't any image.tag: the Docker images are updated in the helm charts themselves, in the corresponding repository https://github.com/jenkins-infra/helm-charts, which generates new helm chart versions that updatecli monitors in this repository. 
(See ./updatecli/updatecli.d/charts) 3 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | 2 | # docker pull quay.io/roboll/helmfile:v0.48.0 3 | 4 | #sops -e -i values/datadog/secrets.yaml 5 | init: # NOTE(review): `helm init` and the `tiller` service account exist only in Helm 2 (Helm 3 removed Tiller), and helm/rbac.yaml does not appear in the repository tree, so the RBAC this target would grant cannot be reviewed here - the target looks stale, confirm before relying on it 6 | kubectl apply -f helm/rbac.yaml 7 | helm init --service-account tiller 8 | 9 | lint: 10 | helmfile -f clusters lint 11 | 12 | apply: # --suppress-secrets keeps secret values out of the printed output 13 | helmfile -f clusters apply --suppress-secrets 14 | 15 | delete: 16 | helmfile -f clusters delete --purge 17 | 18 | diff: # --suppress-secrets keeps secret values out of the printed output 19 | helmfile -f clusters diff --suppress-secrets 20 | 21 | yamllint: 22 | yamllint --config-file yamllint.config config/ 23 | -------------------------------------------------------------------------------- /config/custom-distribution-service.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | annotations: 4 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 5 | 6 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 7 | "nginx.ingress.kubernetes.io/enable-cors": "true" 8 | className: public-nginx 9 | hosts: 10 | - host: customize.jenkins.io 11 | paths: 12 | - path: / 13 | tls: 14 | - secretName: customize-tls 15 | hosts: 16 | - customize.jenkins.io 17 | image: 18 | pullPolicy: IfNotPresent 19 | -------------------------------------------------------------------------------- /config/private-nginx-ingress_privatek8s.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | service: 3 | annotations: 4 | service.beta.kubernetes.io/azure-load-balancer-internal: "true" 5 | # TODO: track with updatecli from https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 6 | service.beta.kubernetes.io/azure-load-balancer-internal-subnet: privatek8s-tier 7 | # TODO: track with updatecli from https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 8 | 
service.beta.kubernetes.io/azure-load-balancer-ipv4: "10.249.255.254" 9 | -------------------------------------------------------------------------------- /config/github-comment-ops.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | className: public-nginx 4 | annotations: 5 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 6 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 7 | hosts: 8 | - host: webhook-github-comment-ops.jenkins.io 9 | paths: 10 | - path: / 11 | pathType: ImplementationSpecific 12 | tls: 13 | - secretName: github-comment-ops-tls 14 | hosts: 15 | - webhook-github-comment-ops.jenkins.io 16 | 17 | nodeSelector: 18 | kubernetes.azure.com/agentpool: linuxpool 19 | -------------------------------------------------------------------------------- /config/cert-manager.yaml: -------------------------------------------------------------------------------- 1 | crds: 2 | # Install CRD as part of the release 3 | enabled: true 4 | # Keep CRDs when the release is uninstalled (to keep the resources in cluster) 5 | keep: true 6 | prometheus: 7 | # It's enabled by default but we do not use it 8 | enabled: false 9 | webhook: 10 | # need to be between 1 and 30 for Digital Ocean see https://github.com/jenkins-infra/helpdesk/issues/3948#issuecomment-1948206377 11 | timeoutSeconds: 25 12 | config: 13 | featureGates: 14 | # Disable the use of Exact PathType in Ingress resources, to work around a bug in ingress-nginx 15 | # https://github.com/kubernetes/ingress-nginx/issues/11176 16 | ACMEHTTP01IngressPathTypeExact: false 17 | -------------------------------------------------------------------------------- /config/datadog_publick8s.yaml: -------------------------------------------------------------------------------- 1 | providers: 2 | aks: 3 | enabled: true 4 | datadog: 5 | clusterName: 'publick8s' 6 | env: 7 | - name: DD_HOSTNAME 8 | valueFrom: 9 | fieldRef: 10 | fieldPath: spec.nodeName 11 
| ignoreAutoConfig: 12 | - apache # Our Apache instances do not expose any /server-status endpoint. Let's avoid unneeded requests 13 | agents: 14 | tolerations: 15 | - key: "kubernetes.io/arch" 16 | operator: "Equal" 17 | value: "arm64" 18 | effect: "NoSchedule" 19 | clusterAgent: 20 | nodeSelector: 21 | kubernetes.io/arch: arm64 22 | tolerations: 23 | - key: "kubernetes.io/arch" 24 | operator: "Equal" 25 | value: "arm64" 26 | effect: "NoSchedule" 27 | -------------------------------------------------------------------------------- /config/publick8s_incrementals-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | className: public-nginx 4 | annotations: 5 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 6 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 7 | hosts: 8 | - host: incrementals.jenkins.io 9 | paths: 10 | - path: / 11 | tls: 12 | - secretName: incrementals-tls 13 | hosts: 14 | - incrementals.jenkins.io 15 | 16 | permissions_url: https://reports.jenkins.io/github.index.json 17 | 18 | nodeSelector: 19 | kubernetes.io/arch: arm64 20 | 21 | tolerations: 22 | - key: "kubernetes.io/arch" 23 | operator: "Equal" 24 | value: "arm64" 25 | effect: "NoSchedule" 26 | 27 | podAnnotations: 28 | ad.datadoghq.com/incrementals-publisher.logs: | 29 | [ 30 | {"source":"nodejs","service":"incrementals.jenkins.io"} 31 | ] 32 | -------------------------------------------------------------------------------- /config/cert-manager_publick8s.yaml: -------------------------------------------------------------------------------- 1 | nodeSelector: 2 | kubernetes.io/arch: arm64 3 | 4 | tolerations: 5 | - key: "kubernetes.io/arch" 6 | operator: "Equal" 7 | value: "arm64" 8 | effect: "NoSchedule" 9 | 10 | webhook: 11 | nodeSelector: 12 | kubernetes.io/arch: arm64 13 | 14 | tolerations: 15 | - key: "kubernetes.io/arch" 16 | operator: "Equal" 17 | value: "arm64" 18 | effect: "NoSchedule" 19 | 20 | 
cainjector: 21 | nodeSelector: 22 | kubernetes.io/arch: arm64 23 | 24 | tolerations: 25 | - key: "kubernetes.io/arch" 26 | operator: "Equal" 27 | value: "arm64" 28 | effect: "NoSchedule" 29 | 30 | startupapicheck: 31 | nodeSelector: 32 | kubernetes.io/arch: arm64 33 | 34 | tolerations: 35 | - key: "kubernetes.io/arch" 36 | operator: "Equal" 37 | value: "arm64" 38 | effect: "NoSchedule" 39 | -------------------------------------------------------------------------------- /config/datadog_infracijioagents2.yaml: -------------------------------------------------------------------------------- 1 | providers: 2 | aks: 3 | enabled: true 4 | datadog: 5 | clusterName: 'infracijioagents2' 6 | env: 7 | - name: DD_HOSTNAME 8 | valueFrom: 9 | fieldRef: 10 | fieldPath: spec.nodeName 11 | clusterAgent: 12 | nodeSelector: 13 | kubernetes.io/arch: arm64 14 | kubernetes.azure.com/mode: system 15 | # allow to start on system nodepool 16 | tolerations: 17 | - key: "CriticalAddonsOnly" 18 | operator: "Equal" 19 | value: "true" 20 | effect: "NoSchedule" 21 | agents: 22 | tolerations: 23 | # These tolerations are needed to run the agents on all the pools 24 | - key: "infra.ci.jenkins.io/agents" 25 | operator: "Equal" 26 | value: "true" 27 | effect: "NoSchedule" 28 | - key: "CriticalAddonsOnly" 29 | operator: "Equal" 30 | value: "true" 31 | effect: "NoSchedule" 32 | -------------------------------------------------------------------------------- /config/publick8s_updates-jenkins-io-rsync.yaml: -------------------------------------------------------------------------------- 1 | enabled: true 2 | configuration: 3 | components: 4 | - name: jenkins 5 | path: /rsyncd/data/jenkins 6 | comment: "Jenkins Read-Only Mirror" 7 | volumeTpl: updates-jenkins-io 8 | volumeSubDir: ./updates.jenkins.io/content/ 9 | writeEnabled: false 10 | podSecurityContext: 11 | runAsUser: 1000 # User 'rsyncd' 12 | runAsGroup: 1000 # Group 'rsyncd' 13 | runAsNonRoot: true 14 | containerSecurityContext: 15 | 
readOnlyRootFilesystem: true 16 | allowPrivilegeEscalation: false 17 | capabilities: 18 | drop: 19 | - ALL 20 | resources: 21 | limits: 22 | cpu: 100m 23 | memory: 128Mi 24 | requests: 25 | cpu: 50m 26 | memory: 64Mi 27 | nodeSelector: 28 | kubernetes.io/arch: arm64 29 | tolerations: 30 | - key: "kubernetes.io/arch" 31 | operator: "Equal" 32 | value: "arm64" 33 | effect: "NoSchedule" 34 | -------------------------------------------------------------------------------- /clusters/infracijioagents2.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | helmDefaults: 3 | atomic: true 4 | force: false 5 | timeout: 300 6 | wait: true 7 | repositories: 8 | # https://github.com/DataDog/helm-charts/ 9 | - name: datadog 10 | url: https://helm.datadoghq.com 11 | # https://github.com/jenkins-infra/helm-charts/ 12 | - name: jenkins-infra 13 | url: https://jenkins-infra.github.io/helm-charts 14 | releases: 15 | - name: datadog 16 | namespace: datadog 17 | chart: datadog/datadog 18 | version: 3.154.1 19 | values: 20 | - ../config/datadog.yaml.gotmpl 21 | - ../config/datadog_infracijioagents2.yaml 22 | secrets: 23 | - ../secrets/config/datadog/infracijioagents2-secrets.yaml 24 | - name: jenkins-infra-agents 25 | namespace: jenkins-infra-agents 26 | chart: jenkins-infra/jenkins-kubernetes-agents 27 | version: 1.1.1 28 | values: 29 | - ../config/jenkins-infra-agents-infracijioagents2.yaml 30 | -------------------------------------------------------------------------------- /config/publick8s_redis.yaml: -------------------------------------------------------------------------------- 1 | auth: enabled 2 | sentinel: 3 | # Mirrorbits does not support sentinel auth 4 | auth: false 5 | resources: 6 | limits: 7 | cpu: 1000m 8 | memory: 1024Mi 9 | requests: 10 | cpu: 200m 11 | memory: 256Mi 12 | redis: 13 | resources: 14 | limits: 15 | cpu: 2000m 16 | memory: 4096Mi 17 | requests: 18 | cpu: 150m 19 | memory: 750Mi 20 | podAnnotations: 21 | 
ad.datadoghq.com/redis.checks: | 22 | { 23 | "redisdb": { 24 | "init_config": {}, 25 | "instances": [ 26 | { 27 | "host": "%%host%%", 28 | "port":"6379", 29 | "password":"%%env_AUTH%%" 30 | } 31 | ] 32 | } 33 | } 34 | nodeSelector: 35 | kubernetes.io/arch: arm64 36 | tolerations: 37 | - key: "kubernetes.io/arch" 38 | operator: "Equal" 39 | value: "arm64" 40 | effect: "NoSchedule" 41 | -------------------------------------------------------------------------------- /config/publick8s_rating-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | className: public-nginx 4 | annotations: 5 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 6 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 7 | hosts: 8 | - host: rating.jenkins.io 9 | paths: 10 | - path: / 11 | pathType: Prefix 12 | tls: 13 | - secretName: rating-tls 14 | hosts: 15 | - rating.jenkins.io 16 | 17 | readinessProbe: 18 | enabled: false 19 | 20 | # Specify the "hard" scheduling constraints 21 | nodeSelector: 22 | # Ensure ARM64 is used to decrease cloud bill (instead of using `amd64` 23 | kubernetes.io/arch: arm64 24 | 25 | # Tolerates to run on tainted `arm64` nodes 26 | tolerations: 27 | - key: "kubernetes.io/arch" 28 | operator: "Equal" 29 | value: "arm64" 30 | effect: "NoSchedule" 31 | 32 | podAnnotations: 33 | ad.datadoghq.com/rating.logs: | 34 | [ 35 | {"source":"apache","service":"rating.jenkins.io"} 36 | ] 37 | -------------------------------------------------------------------------------- /config/datadog_privatek8s.yaml: -------------------------------------------------------------------------------- 1 | providers: 2 | aks: 3 | enabled: true 4 | datadog: 5 | clusterName: 'privatek8s' 6 | env: 7 | - name: DD_HOSTNAME 8 | valueFrom: 9 | fieldRef: 10 | fieldPath: spec.nodeName 11 | agents: 12 | tolerations: 13 | - key: "kubernetes.io/arch" 14 | operator: "Equal" 15 | value: "arm64" 16 | effect: "NoSchedule" 17 | - 
key: "CriticalAddonsOnly" 18 | operator: "Equal" 19 | value: "true" 20 | effect: "NoSchedule" 21 | - key: "jenkins" 22 | operator: "Equal" 23 | value: "infra.ci.jenkins.io" 24 | effect: "NoSchedule" 25 | - key: "jenkins" 26 | operator: "Equal" 27 | value: "release.ci.jenkins.io" 28 | effect: "NoSchedule" 29 | - key: "jenkins-component" 30 | operator: "Equal" 31 | value: "controller" 32 | effect: "NoSchedule" 33 | - key: "kubernetes.azure.com/scalesetpriority" 34 | operator: "Equal" 35 | value: "spot" 36 | effect: "NoSchedule" 37 | -------------------------------------------------------------------------------- /config/publick8s_plugin-site-issues-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | className: public-nginx 4 | annotations: 5 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 6 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 7 | "nginx.ingress.kubernetes.io/enable-cors": "true" 8 | "nginx.ingress.kubernetes.io/cors-allow-methods": "GET, OPTIONS" 9 | "nginx.ingress.kubernetes.io/cors-allow-origin": "*" # NOTE(review): a wildcard origin lets a page on any site read these responses (methods are limited to GET, OPTIONS above); acceptable only if the service returns public, non-credentialed data - confirm 10 | hosts: 11 | - host: plugin-site-issues.jenkins.io 12 | paths: 13 | - path: / 14 | pathType: Prefix 15 | tls: 16 | - secretName: plugin-site-issues-tls 17 | hosts: 18 | - plugin-site-issues.jenkins.io 19 | 20 | nodeSelector: 21 | kubernetes.io/arch: arm64 22 | 23 | tolerations: 24 | - key: "kubernetes.io/arch" 25 | operator: "Equal" 26 | value: "arm64" 27 | effect: "NoSchedule" 28 | 29 | podAnnotations: 30 | ad.datadoghq.com/plugin-site-issues.logs: | 31 | [ 32 | {"source":"nodejs","service":"plugin-site-issues.jenkins.io"} 33 | ] 34 | -------------------------------------------------------------------------------- /config/publick8s_private-nginx-ingress.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | replicaCount: 2 3 | affinity: 4 | podAntiAffinity: 5 | requiredDuringSchedulingIgnoredDuringExecution: 6 
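| - labelSelector: 7 | matchExpressions: 8 | - key: "app.kubernetes.io/instance" 9 | operator: In 10 | values: 11 | - private-nginx-ingress 12 | topologyKey: "kubernetes.io/hostname" 13 | ingressClass: private-ingress 14 | service: 15 | annotations: # NOTE(review): azure-load-balancer-internal is not set in this file; presumably it comes from private-nginx-ingress__common.yaml - confirm, since without it the load balancer would not be internal 16 | # TODO: track with updatecli 17 | service.beta.kubernetes.io/azure-load-balancer-internal-subnet: publick8s 18 | nodeSelector: 19 | kubernetes.io/arch: arm64 20 | tolerations: 21 | - key: "kubernetes.io/arch" 22 | operator: "Equal" 23 | value: "arm64" 24 | effect: "NoSchedule" 25 | defaultBackend: 26 | nodeSelector: 27 | kubernetes.io/arch: arm64 28 | tolerations: 29 | - key: "kubernetes.io/arch" 30 | operator: "Equal" 31 | value: "arm64" 32 | effect: "NoSchedule" 33 | -------------------------------------------------------------------------------- /config/public-nginx-ingress_privatek8s.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | config: 3 | ## Ingress controller level 4 | # Only allow GitHub's webhooks requests - https://api.github.com/meta ("hooks", tracked by updatecli) 5 | whitelist-source-range: 140.82.112.0/20,143.55.64.0/20,185.199.108.0/22,192.30.252.0/22 6 | service: 7 | annotations: 8 | service.beta.kubernetes.io/azure-load-balancer-internal: "false" # quoted: Kubernetes annotation values must be strings 9 | # TODO: track with updatecli from https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 10 | service.beta.kubernetes.io/azure-pip-name: public-privatek8s 11 | # TODO: track with updatecli from https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 12 | service.beta.kubernetes.io/azure-load-balancer-resource-group: prod-public-ips 13 | externalTrafficPolicy: Local # keeps the client source IP visible to the controller; presumably required for whitelist-source-range above to match the real sender - confirm 14 | ## Public LB level 15 | # Only allow GitHub's webhooks requests - https://api.github.com/meta ("hooks", tracked by updatecli) 16 | loadBalancerSourceRanges: ["140.82.112.0/20", "143.55.64.0/20", "185.199.108.0/22", "192.30.252.0/22"] 17 | 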
-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 Vernin Olivier 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /config/publick8s_uplink-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | className: public-nginx 4 | annotations: 5 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 6 | "nginx.ingress.kubernetes.io/rewrite-target": / 7 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 8 | hosts: 9 | - host: uplink.jenkins.io 10 | paths: 11 | - path: / 12 | tls: 13 | - secretName: uplink-tls 14 | hosts: 15 | - uplink.jenkins.io 16 | 17 | replicaCount: 1 18 | 19 | nodeSelector: 20 | kubernetes.io/arch: arm64 21 | 22 | tolerations: 23 | - key: "kubernetes.io/arch" 24 | operator: "Equal" 25 | value: "arm64" 26 | effect: "NoSchedule" 27 | 28 | affinity: 29 | podAntiAffinity: 30 | requiredDuringSchedulingIgnoredDuringExecution: 31 | - labelSelector: 32 | matchExpressions: 33 | - key: "app.kubernetes.io/name" 34 | operator: In 35 | values: 36 | - uplink 37 | topologyKey: "kubernetes.io/hostname" 38 | 39 | podAnnotations: 40 | ad.datadoghq.com/uplink.logs: | 41 | [ 42 | {"source":"nodejs","service":"uplink.jenkins.io"} 43 | ] 44 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/falco.yaml: -------------------------------------------------------------------------------- 1 | name: Bump falco helm chart version 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://falcosecurity.github.io/charts 21 | name: falco 22 | 23 | targets: 24 | updateChartVersion: 25 | name: 
"falco/falco Helm Chart" 26 | kind: yaml 27 | scmid: default 28 | spec: 29 | files: 30 | - clusters/publick8s.yaml 31 | engine: yamlpath 32 | key: $.releases[?(@.chart == 'falco/falco')].version 33 | 34 | actions: 35 | default: 36 | kind: github/pullrequest 37 | scmid: default 38 | title: Bump `falco` helm chart version to {{ source "lastChartVersion" }} 39 | spec: 40 | labels: 41 | - dependencies 42 | - falco 43 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/httpd.yaml: -------------------------------------------------------------------------------- 1 | name: Bump httpd Helm Chart Version 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: httpd 22 | 23 | targets: 24 | updateChartVersion: 25 | name: Update httpd chart version 26 | kind: yaml 27 | spec: 28 | engine: yamlpath 29 | file: clusters/publick8s.yaml 30 | key: $.releases[?(@.chart == 'jenkins-infra/httpd')].version 31 | scmid: default 32 | 33 | actions: 34 | default: 35 | kind: github/pullrequest 36 | scmid: default 37 | title: Bump `httpd` Helm Chart Version to {{ source "lastChartVersion" }} 38 | spec: 39 | labels: 40 | - dependencies 41 | - httpd 42 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/ldap.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump LDAP Helm Chart Version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 
| owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: ldap 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "Update the chart version for ldap" 26 | kind: yaml 27 | spec: 28 | file: clusters/publick8s.yaml 29 | engine: yamlpath 30 | key: $.releases[?(@.chart == 'jenkins-infra/ldap')].version 31 | scmid: default 32 | 33 | actions: 34 | default: 35 | kind: github/pullrequest 36 | scmid: default 37 | title: Bump `ldap` helm chart version to {{ source "lastChartVersion" }} 38 | spec: 39 | labels: 40 | - dependencies 41 | - ldap 42 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/wiki.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump wiki Helm Chart Version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: wiki 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "Update the chart version for wiki" 26 | kind: yaml 27 | spec: 28 | file: clusters/publick8s.yaml 29 | engine: yamlpath 30 | key: $.releases[?(@.chart == 'jenkins-infra/wiki')].version 31 | scmid: default 32 | 33 | actions: 34 | default: 35 | kind: github/pullrequest 36 | scmid: default 37 | title: Bump `wiki` helm chart version to {{ source 
"lastChartVersion" }} 38 | spec: 39 | labels: 40 | - dependencies 41 | - wiki 42 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/uplink.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump uplink Helm Chart Version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: uplink 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "Update the chart version for uplink" 26 | kind: yaml 27 | spec: 28 | file: clusters/publick8s.yaml 29 | engine: yamlpath 30 | key: $.releases[?(@.chart == 'jenkins-infra/uplink')].version 31 | scmid: default 32 | 33 | actions: 34 | default: 35 | kind: github/pullrequest 36 | scmid: default 37 | title: Bump `uplink` helm chart version to {{ source "lastChartVersion" }} 38 | spec: 39 | labels: 40 | - dependencies 41 | - uplink 42 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/rsyncd.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bump `rsyncd` helm chart version 3 | 4 | scms: 5 | default: 6 | kind: github 7 | spec: 8 | user: "{{ .github.user }}" 9 | email: "{{ .github.email }}" 10 | owner: "{{ .github.owner }}" 11 | repository: "{{ .github.repository }}" 12 | token: "{{ requiredEnv .github.token }}" 13 | username: "{{ .github.username }}" 14 | branch: "{{ .github.branch }}" 15 | 16 | sources: 17 | lastChartVersion: 18 | kind: helmchart 19 | name: get last chart version 20 | spec: 
21 | url: https://jenkins-infra.github.io/helm-charts 22 | name: rsyncd 23 | 24 | targets: 25 | updateChartVersion: 26 | name: Update the chart version for rsyncd 27 | kind: yaml 28 | spec: 29 | file: clusters/publick8s.yaml 30 | engine: yamlpath 31 | key: $.releases[?(@.chart == 'jenkins-infra/rsyncd')].version 32 | scmid: default 33 | 34 | actions: 35 | default: 36 | kind: github/pullrequest 37 | scmid: default 38 | title: Bump `rsyncd` helm chart version to {{ source "lastChartVersion" }} 39 | spec: 40 | labels: 41 | - dependencies 42 | - rsyncd 43 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/codecentric-keycloak.yaml: --------------------------------------------------------------------------------
# updatecli manifest: reads the `keycloak` chart version published at
# https://codecentric.github.io/helm-charts and proposes a pull request that
# rewrites the matching release version in clusters/publick8s.yaml.
name: Bump keycloak helm chart version

scms:
  default:
    kind: github
    spec:
      # Every value is templated from the updatecli values (`.github.*`);
      # nothing is hard-coded in this manifest.
      user: "{{ .github.user }}"
      email: "{{ .github.email }}"
      owner: "{{ .github.owner }}"
      repository: "{{ .github.repository }}"
      # `requiredEnv` reads the token from the environment variable named by
      # `.github.token`, so the secret itself never appears in this file.
      token: "{{ requiredEnv .github.token }}"
      username: "{{ .github.username }}"
      branch: "{{ .github.branch }}"

sources:
  lastChartVersion:
    kind: helmchart
    name: get last chart version
    spec:
      # NOTE(review): this chart repository is not the jenkins-infra one used by
      # most manifests here, and no `versionfilter` is set, so whichever version
      # updatecli selects by default is proposed as-is. The pull request review
      # is the only gate visible in this file; confirm that is intended for an
      # identity service.
      url: https://codecentric.github.io/helm-charts
      name: keycloak

targets:
  updateChartVersion:
    name: "codecentric/keycloak Helm Chart"
    kind: yaml
    scmid: default
    spec:
      file: clusters/publick8s.yaml
      engine: yamlpath
      # Only the release whose `chart` equals 'codecentric/keycloak' has its
      # `version` field rewritten.
      key: $.releases[?(@.chart == 'codecentric/keycloak')].version

actions:
  default:
    # The change is submitted as a GitHub pull request carrying the labels below.
    kind: github/pullrequest
    scmid: default
    title: Bump `keycloak` helm chart version to {{ source "lastChartVersion" }}
    spec:
      labels:
        - dependencies
        - keycloak
-------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/rating.yaml: 
-------------------------------------------------------------------------------- 1 | name: "Bump rating Helm Chart Version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: "Get the latest helm chart version" 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: rating 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "Update the chart version for rating" 26 | kind: yaml 27 | spec: 28 | file: clusters/publick8s.yaml 29 | engine: yamlpath 30 | key: $.releases[?(@.chart == 'jenkins-infra/rating')].version 31 | scmid: default 32 | 33 | actions: 34 | default: 35 | kind: github/pullrequest 36 | scmid: default 37 | title: Bump `rating` helm chart version to {{ source "lastChartVersion" }} 38 | spec: 39 | labels: 40 | - dependencies 41 | - rating 42 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/accountapp.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump Account App Helm Chart Version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: accountapp 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "Update the chart version for accountapp" 26 | kind: yaml 27 | 
scmid: default 28 | spec: 29 | file: clusters/publick8s.yaml 30 | engine: yamlpath 31 | key: $.releases[?(@.chart == 'jenkins-infra/accountapp')].version 32 | 33 | actions: 34 | default: 35 | kind: github/pullrequest 36 | scmid: default 37 | title: Bump `accountapp` helm chart version to {{ source "lastChartVersion" }} 38 | spec: 39 | labels: 40 | - dependencies 41 | - accountapp 42 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/mirrorbits.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bump `mirrorbits` helm chart version 3 | 4 | scms: 5 | default: 6 | kind: github 7 | spec: 8 | user: "{{ .github.user }}" 9 | email: "{{ .github.email }}" 10 | owner: "{{ .github.owner }}" 11 | repository: "{{ .github.repository }}" 12 | token: "{{ requiredEnv .github.token }}" 13 | username: "{{ .github.username }}" 14 | branch: "{{ .github.branch }}" 15 | 16 | sources: 17 | lastChartVersion: 18 | kind: helmchart 19 | name: get last chart version 20 | spec: 21 | url: https://jenkins-infra.github.io/helm-charts 22 | name: mirrorbits 23 | 24 | targets: 25 | updateChartVersion: 26 | name: Update the chart version for mirrorbits 27 | kind: yaml 28 | spec: 29 | file: clusters/publick8s.yaml 30 | engine: yamlpath 31 | key: $.releases[?(@.chart == 'jenkins-infra/mirrorbits')].version 32 | scmid: default 33 | 34 | actions: 35 | default: 36 | kind: github/pullrequest 37 | scmid: default 38 | title: Bump `mirrorbits` helm chart version to {{ source "lastChartVersion" }} 39 | spec: 40 | labels: 41 | - dependencies 42 | - mirrorbits 43 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/plugin-site.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump plugin-site Helm Chart Version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user 
}}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: plugin-site 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "Update the chart version for plugin-site" 26 | kind: yaml 27 | spec: 28 | file: clusters/publick8s.yaml 29 | engine: yamlpath 30 | key: $.releases[?(@.chart == 'jenkins-infra/plugin-site')].version 31 | scmid: default 32 | 33 | actions: 34 | default: 35 | kind: github/pullrequest 36 | scmid: default 37 | title: Bump `plugin-site` helm chart version to {{ source "lastChartVersion" }} 38 | spec: 39 | labels: 40 | - dependencies 41 | - plugin-site 42 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/rss2twitter.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump rss2twitter Helm Chart Version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: rss2twitter 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "Update the chart version for rss2twitter" 26 | kind: yaml 27 | spec: 28 | file: clusters/privatek8s.yaml 29 | engine: yamlpath 30 | key: $.releases[?(@.chart == 'jenkins-infra/rss2twitter')].version 31 | scmid: default 32 | 33 | actions: 34 | default: 
35 | kind: github/pullrequest 36 | scmid: default 37 | title: Bump `rss2twitter` helm chart version to {{ source `lastChartVersion` }} 38 | spec: 39 | labels: 40 | - dependencies 41 | - rss2twitter 42 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/acme.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump Acme Helm Chart Version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: acme 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "Update the chart version for acme" 26 | kind: yaml 27 | spec: 28 | files: 29 | - clusters/privatek8s.yaml 30 | - clusters/publick8s.yaml 31 | engine: yamlpath 32 | key: $.releases[?(@.chart == 'jenkins-infra/acme')].version 33 | scmid: default 34 | 35 | actions: 36 | default: 37 | kind: github/pullrequest 38 | scmid: default 39 | title: Bump `acme` helm chart version to {{ source "lastChartVersion" }} 40 | spec: 41 | labels: 42 | - dependencies 43 | - acme 44 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/cert-manager.yaml: -------------------------------------------------------------------------------- 1 | name: Bump cert-manager helm chart version 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username 
}}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://charts.jetstack.io 21 | name: cert-manager 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "jetstack/cert-manager Helm Chart" 26 | kind: yaml 27 | spec: 28 | files: 29 | - clusters/privatek8s.yaml 30 | - clusters/publick8s.yaml 31 | engine: yamlpath 32 | key: $.releases[?(@.chart == 'jetstack/cert-manager')].version 33 | scmid: default 34 | 35 | actions: 36 | default: 37 | kind: github/pullrequest 38 | scmid: default 39 | title: Bump `cert-manager` helm chart version to {{ source "lastChartVersion" }} 40 | spec: 41 | labels: 42 | - dependencies 43 | - cert-manager 44 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/ipv6-lb-service.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump `ipv6-lb-service` helm chart version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: ipv6-lb-service 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "Update the chart version for ipv6-lb-service" 26 | kind: yaml 27 | scmid: default 28 | spec: 29 | file: clusters/publick8s.yaml 30 | engine: yamlpath 31 | key: $.releases[?(@.chart == 'jenkins-infra/ipv6-lb-service')].version 32 | 33 | actions: 34 | default: 35 | kind: github/pullrequest 36 | scmid: default 37 | title: Bump `ipv6-lb-service` helm chart version to {{ source `lastChartVersion` }} 38 | spec: 39 | 
labels: 40 | - dependencies 41 | - ipv6-lb-service 42 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/docker-registry.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump `docker-registry` helm chart version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: docker-registry 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "Update the chart version for docker-registry" 26 | kind: yaml 27 | spec: 28 | files: 29 | - clusters/cijioagents2.yaml 30 | engine: yamlpath 31 | key: $.releases[?(@.chart == 'jenkins-infra/docker-registry')].version 32 | scmid: default 33 | 34 | actions: 35 | default: 36 | kind: github/pullrequest 37 | scmid: default 38 | title: Bump `docker-registry` helm chart version to {{ source `lastChartVersion` }} 39 | spec: 40 | labels: 41 | - dependencies 42 | - docker-registry 43 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/maven-cacher.yaml: -------------------------------------------------------------------------------- 1 | name: Bump `maven-cacher` Helm Chart Version 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: 
helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: maven-cacher 22 | 23 | targets: 24 | updateChartVersion: 25 | name: Update the chart version for maven-cacher 26 | kind: yaml 27 | spec: 28 | files: 29 | - clusters/cijioagents2.yaml 30 | engine: yamlpath 31 | key: $.releases[?(@.chart == 'jenkins-infra/maven-cacher')].version 32 | scmid: default 33 | 34 | actions: 35 | default: 36 | kind: github/pullrequest 37 | scmid: default 38 | title: Bump `maven-cacher` Helm Chart Version to {{ source "lastChartVersion" }} 39 | spec: 40 | labels: 41 | - dependencies 42 | - charts 43 | - maven-cacher 44 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/plugin-site-issues.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump plugin-site-issues Helm Chart Version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: plugin-site-issues 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "Update the chart version for plugin-site-issues" 26 | kind: yaml 27 | spec: 28 | file: clusters/publick8s.yaml 29 | engine: yamlpath 30 | key: $.releases[?(@.chart == 'jenkins-infra/plugin-site-issues')].version 31 | scmid: default 32 | 33 | actions: 34 | default: 35 | kind: github/pullrequest 36 | scmid: default 37 | title: Bump `plugin-site-issues` helm chart version to {{ source "lastChartVersion" }} 38 | spec: 39 | labels: 40 | - dependencies 41 | - plugin-site-issues 42 | 
-------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/github-comment-ops.yaml: --------------------------------------------------------------------------------
# updatecli manifest: reads the `github-comment-ops` chart version published at
# https://timja.github.io/github-comment-ops and proposes a pull request that
# rewrites the matching release version in clusters/privatek8s.yaml.
name: "Bump github-comment-ops Helm Chart Version"

scms:
  default:
    kind: github
    spec:
      # Every value is templated from the updatecli values (`.github.*`);
      # nothing is hard-coded in this manifest.
      user: "{{ .github.user }}"
      email: "{{ .github.email }}"
      owner: "{{ .github.owner }}"
      repository: "{{ .github.repository }}"
      # `requiredEnv` reads the token from the environment variable named by
      # `.github.token`, so the secret itself never appears in this file.
      token: "{{ requiredEnv .github.token }}"
      username: "{{ .github.username }}"
      branch: "{{ .github.branch }}"

sources:
  lastChartVersion:
    kind: helmchart
    name: get last chart version
    spec:
      # NOTE(review): this chart repository is a GitHub Pages site other than
      # the jenkins-infra one used by most manifests here, and no
      # `versionfilter` is set, so whichever version updatecli selects by
      # default is proposed as-is. The pull request review is the only gate
      # visible in this file.
      url: https://timja.github.io/github-comment-ops
      name: github-comment-ops

targets:
  updateChartVersion:
    name: "Update the chart version for github-comment-ops"
    kind: yaml
    spec:
      file: clusters/privatek8s.yaml
      engine: yamlpath
      # Only the release whose `chart` equals
      # 'github-comment-ops/github-comment-ops' has its `version` rewritten.
      key: $.releases[?(@.chart == 'github-comment-ops/github-comment-ops')].version
    scmid: default

actions:
  default:
    # The change is submitted as a GitHub pull request carrying the labels below.
    kind: github/pullrequest
    scmid: default
    title: Bump `github-comment-ops` helm chart version to {{ source "lastChartVersion" }}
    spec:
      labels:
        - dependencies
        - github-comment-ops
-------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/jenkins-infra-jobs.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump jenkins-infra/jenkins-jobs Helm Chart Version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get 
last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: jenkins-jobs 22 | 23 | targets: 24 | updateChartVersionPrivate: 25 | name: "Update the chart version for jenkins-jobs" 26 | kind: yaml 27 | spec: 28 | files: 29 | - clusters/privatek8s.yaml 30 | engine: yamlpath 31 | key: $.releases[?(@.chart == 'jenkins-infra/jenkins-jobs')].version 32 | scmid: default 33 | 34 | actions: 35 | default: 36 | kind: github/pullrequest 37 | scmid: default 38 | title: Bump `jenkins-jobs` helm chart version to {{ source "lastChartVersion" }} 39 | spec: 40 | labels: 41 | - dependencies 42 | - jenkins-jobs 43 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/datadog.yaml: -------------------------------------------------------------------------------- 1 | name: Bump datadog helm chart 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://helm.datadoghq.com 21 | name: datadog 22 | 23 | targets: 24 | updateClusters: 25 | name: "Datadog Helm Chart" 26 | kind: yaml 27 | scmid: default 28 | spec: 29 | files: 30 | - clusters/privatek8s.yaml 31 | - clusters/publick8s.yaml 32 | - clusters/infracijioagents2.yaml 33 | - clusters/cijioagents2.yaml 34 | engine: yamlpath 35 | key: $.releases[?(@.chart == 'datadog/datadog')].version 36 | 37 | actions: 38 | default: 39 | kind: github/pullrequest 40 | scmid: default 41 | title: Bump `datadog` helm chart version to {{ source "lastChartVersion" }} 42 | spec: 43 | labels: 44 | - dependencies 45 | - datadog 46 | 
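-------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/incrementals-publisher.yaml: --------------------------------------------------------------------------------
# updatecli manifest: reads the `incrementals-publisher` chart version published
# at https://jenkins-infra.github.io/helm-charts and proposes a pull request that
# rewrites the matching release version in clusters/publick8s.yaml.
name: "Bump incrementals-publisher Helm Chart Version"

scms:
  default:
    kind: github
    spec:
      # Every value is templated from the updatecli values (`.github.*`);
      # nothing is hard-coded in this manifest.
      user: "{{ .github.user }}"
      email: "{{ .github.email }}"
      owner: "{{ .github.owner }}"
      repository: "{{ .github.repository }}"
      # `requiredEnv` reads the token from the environment variable named by
      # `.github.token`, so the secret itself never appears in this file.
      token: "{{ requiredEnv .github.token }}"
      username: "{{ .github.username }}"
      branch: "{{ .github.branch }}"

sources:
  lastChartVersion:
    kind: helmchart
    name: get last chart version
    spec:
      url: https://jenkins-infra.github.io/helm-charts
      name: incrementals-publisher

targets:
  updateChartVersion:
    name: "Update the chart version for incrementals-publisher"
    kind: yaml
    spec:
      file: clusters/publick8s.yaml
      engine: yamlpath
      # Only the release whose `chart` equals
      # 'jenkins-infra/incrementals-publisher' has its `version` rewritten.
      key: $.releases[?(@.chart == 'jenkins-infra/incrementals-publisher')].version
    scmid: default

actions:
  default:
    # The change is submitted as a GitHub pull request carrying the labels below.
    kind: github/pullrequest
    scmid: default
    # The title names the chart as `incrementals-publisher`, the spelling used
    # by the source, the yamlpath key and the label in this manifest.
    title: Bump `incrementals-publisher` helm chart version to {{ source "lastChartVersion" }}
    spec:
      labels:
        - dependencies
        - incrementals-publisher
-------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/artifact-caching-proxy.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump `artifact-caching-proxy` helm chart version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: 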
helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: artifact-caching-proxy 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "Update the chart version for artifact-caching-proxy" 26 | kind: yaml 27 | spec: 28 | files: 29 | - clusters/cijioagents2.yaml 30 | engine: yamlpath 31 | key: $.releases[?(@.chart == 'jenkins-infra/artifact-caching-proxy')].version 32 | scmid: default 33 | 34 | actions: 35 | default: 36 | kind: github/pullrequest 37 | scmid: default 38 | title: Bump `artifact-caching-proxy` helm chart version to {{ source `lastChartVersion` }} 39 | spec: 40 | labels: 41 | - dependencies 42 | - artifact-caching-proxy 43 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/jenkins.yaml: -------------------------------------------------------------------------------- 1 | name: Bump Jenkins Upstream Helm Charts 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://charts.jenkins.io 21 | name: jenkins 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "jenkinsci/jenkins Helm Chart" 26 | kind: yaml 27 | spec: 28 | files: 29 | - clusters/privatek8s.yaml 30 | - clusters/publick8s.yaml 31 | engine: yamlpath 32 | key: $.releases[?(@.chart == 'jenkins/jenkins')].version 33 | scmid: default 34 | 35 | actions: 36 | default: 37 | kind: github/pullrequest 38 | scmid: default 39 | title: Bump `jenkins` helm chart version to {{ source "lastChartVersion" }} 40 | spec: 41 | labels: 42 | - dependencies 43 | - infra.ci.jenkins.io 44 | - release.ci.jenkins.io 45 | 
- weekly.ci.jenkins.io 46 | - jenkins 47 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/plugin-health-scoring.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump plugin-health-scoring Helm Chart Version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: plugin-health-scoring 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "Update the chart version for plugin-health-scoring" 26 | kind: yaml 27 | spec: 28 | file: clusters/publick8s.yaml 29 | engine: yamlpath 30 | key: $.releases[?(@.chart == 'jenkins-infra/plugin-health-scoring')].version 31 | scmid: default 32 | 33 | actions: 34 | default: 35 | kind: github/pullrequest 36 | scmid: default 37 | title: Bump `plugin-health-scoring` helm chart version to {{ source `lastChartVersion` }} 38 | spec: 39 | description: "cc @alecharp" 40 | labels: 41 | - dependencies 42 | - plugin-health-scoring 43 | -------------------------------------------------------------------------------- /config/datadog_cijenkinsio-agents-2.yaml: -------------------------------------------------------------------------------- 1 | datadog: 2 | clusterName: cijenkinsio-agents-2 3 | env: 4 | - name: DD_HOSTNAME 5 | valueFrom: 6 | fieldRef: 7 | fieldPath: spec.nodeName 8 | clusterAgent: 9 | nodeSelector: 10 | kubernetes.io/arch: arm64 11 | jenkins: ci.jenkins.io 12 | role: applications 13 | tolerations: 14 | - key: "ci.jenkins.io/applications" 15 | operator: "Equal" 16 | value: "true" 17 | effect: 
"NoSchedule" 18 | agents: 19 | tolerations: 20 | # These tolerations are needed to run the agents on the bom node pool 21 | - key: "ci.jenkins.io/bom" 22 | operator: "Equal" 23 | value: "true" 24 | effect: "NoSchedule" 25 | - key: "ci.jenkins.io/applications" 26 | operator: "Equal" 27 | value: "true" 28 | effect: "NoSchedule" 29 | - key: "ci.jenkins.io/agents" 30 | operator: "Equal" 31 | value: "true" 32 | effect: "NoSchedule" 33 | - key: "CriticalAddonsOnly" 34 | operator: "Equal" 35 | value: "true" 36 | effect: "NoSchedule" 37 | - key: "ci.jenkins.io/windows-2019" 38 | operator: "Equal" 39 | value: "true" 40 | effect: "NoSchedule" 41 | - key: "ci.jenkins.io/windows-2022" 42 | operator: "Equal" 43 | value: "true" 44 | effect: "NoSchedule" 45 | -------------------------------------------------------------------------------- /config/publick8s_plugin-health-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | className: public-nginx 4 | annotations: 5 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 6 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 7 | hosts: 8 | - host: plugin-health.jenkins.io 9 | paths: 10 | - path: / 11 | pathType: Prefix 12 | tls: 13 | - secretName: plugin-health-scoring-tls 14 | hosts: 15 | - plugin-health.jenkins.io 16 | 17 | podAnnotations: 18 | ad.datadoghq.com/plugin-health-scoring.logs: | 19 | [ 20 | {"source":"java","service":"plugin-health.jenkins.io"} 21 | ] 22 | 23 | database: 24 | username: plugin_health 25 | server: public-db.postgres.database.azure.com 26 | name: plugin_health 27 | config: 28 | github: 29 | # https://github.com/apps/plugins-health-scoring 30 | appId: 281243 31 | # org or username where the app is installed 32 | appInstallationName: jenkinsci 33 | 34 | # Specify the "hard" scheduling constraints 35 | nodeSelector: 36 | # Ensure ARM64 is used to decrease cloud bill (instead of using `amd64` 37 | kubernetes.io/arch: arm64 38 | 39 
| # Tolerates to run on tainted `arm64` nodes 40 | tolerations: 41 | - key: "kubernetes.io/arch" 42 | operator: "Equal" 43 | value: "arm64" 44 | effect: "NoSchedule" 45 | -------------------------------------------------------------------------------- /Jenkinsfile_updatecli: --------------------------------------------------------------------------------
// Pipeline that runs updatecli against this repository: 'apply' when
// BRANCH_IS_PRIMARY is set, 'diff' otherwise.

// A cron expression is set only when BRANCH_IS_PRIMARY is truthy; every other
// branch gets an empty expression.
final String cronExpr = env.BRANCH_IS_PRIMARY ? 'H/30 * * * *' : ''

properties([
  // Keep the 10 most recent builds.
  buildDiscarder(logRotator(numToKeepStr: '10')),
  // A newly started build aborts the one still running.
  disableConcurrentBuilds(abortPrevious: true),
  pipelineTriggers([cron(cronExpr)]),
])

node('jnlp-linux-arm64') {
  timeout(time: 30, unit: 'MINUTES') {
    // NOTE(review): both credentials are bound before the branch check further
    // down, so 'diff' runs on non-primary branches receive the same secrets as
    // 'apply' runs. Confirm which branches and pull requests may build this file.
    withCredentials([
      azureServicePrincipal('updatecli-azure-serviceprincipal'), // needed for Azure login
      usernamePassword(
        credentialsId: 'github-app-updatecli-on-jenkins-infra', // needed for updatecli
        usernameVariable: 'USERNAME_VALUE',
        passwordVariable: 'UPDATECLI_GITHUB_TOKEN'
      )
    ]) {
      // Preliminary Azure login steps
      // The commands are single-quoted Groovy strings, so the variables are
      // expanded by the shell and not interpolated by Groovy.
      // NOTE(review): `-p "$AZURE_CLIENT_SECRET"` puts the secret on the az
      // command line, where it can be read from the process list on the agent
      // while the command runs.
      // NOTE(review): no `az logout` follows, so the login presumably stays
      // cached in the agent's Azure CLI profile. Confirm the agents are single-use.
      sh 'az login --service-principal -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" -t "$AZURE_TENANT_ID"'
      sh 'az account set -s "$AZURE_SUBSCRIPTION_ID"'
      // Only the primary branch applies changes; other branches compute a diff.
      final String updatecliAction = env.BRANCH_IS_PRIMARY ? 'apply' : 'diff'
      stage("Run updatecli action: ${updatecliAction}") {
        // `updatecli` is not defined in this file; presumably a step from a
        // shared pipeline library — verify its handling of the bound token.
        updatecli(
          action: updatecliAction,
          runInCurrentAgent: true,
        )
      }
    }
  }
}
-------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/nginx-website.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: "Bump nginx-website Helm Chart Version" 3 | 4 | scms: 5 | default: 6 | kind: github 7 | spec: 8 | user: "{{ .github.user }}" 9 | email: "{{ .github.email }}" 10 | owner: "{{ .github.owner }}" 11 | repository: "{{ .github.repository }}" 12 | token: "{{ requiredEnv .github.token }}" 13 | username: "{{ .github.username }}" 14 | branch: "{{ .github.branch }}" 15 | 16 | sources: 17 | lastChartVersion: 18 | kind: helmchart 19 | name: get last chart version 20 | spec: 21 | url: https://jenkins-infra.github.io/helm-charts 22 | name: nginx-website 23 | 24 | targets: 25 | updateChartVersion: 26 | name: "Update the chart version for nginx-website" 27 | kind: yaml 28 | spec: 29 | file: clusters/publick8s.yaml 30 | engine: yamlpath 31 | key: $.releases[?(@.chart == 'jenkins-infra/nginx-website')].version 32 | scmid: default 33 | 34 | actions: 35 | default: 36 | kind: github/pullrequest 37 | scmid: default 38 | title: Bump `nginx-website` helm chart version to {{ source "lastChartVersion" }} 39 | spec: 40 | labels: 41 | - dependencies 42 | - nginx-website 43 | - contributors.jenkins.io 44 | - reports.jenkins.io 45 | - javadoc.jenkins.io 46 | - builds.reports.jenkins.io 47 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/nginx-ingress.yaml: -------------------------------------------------------------------------------- 1 | name: Bump nginx-ingress helm chart 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner 
}}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | name: "Retrieve latest version of the chart ingress-nginx" 18 | kind: helmchart 19 | spec: 20 | url: https://kubernetes.github.io/ingress-nginx 21 | name: ingress-nginx 22 | versionfilter: 23 | kind: semver 24 | pattern: "~4.11" 25 | 26 | targets: 27 | updateChartVersion: 28 | name: "Update the version of the Helm chart ingress-nginx" 29 | kind: yaml 30 | spec: 31 | files: 32 | - clusters/privatek8s.yaml 33 | - clusters/publick8s.yaml 34 | engine: yamlpath 35 | key: $.releases[?(@.chart == 'ingress-nginx/ingress-nginx')].version 36 | scmid: default 37 | 38 | actions: 39 | default: 40 | kind: github/pullrequest 41 | scmid: default 42 | title: Bump `nginx-ingress` helm chart version to {{ source "lastChartVersion" }} 43 | spec: 44 | labels: 45 | - dependencies 46 | - nginx-ingress 47 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/configs/cijenkinsioagents2-maven-cacher.yaml: -------------------------------------------------------------------------------- 1 | name: Update `maven-cacher` configuration 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | getPVCName: 17 | kind: yaml 18 | name: Retrieve the PVC name from the AWS Sponsored Terraform report 19 | spec: 20 | file: https://reports.jenkins.io/jenkins-infra-data-reports/aws-sponsorship.json 21 | key: $.'aws.ci.jenkins.io'.agents_kubernetes_clusters.cijenkinsio-agents-2.services.maven-cacher.pvc 22 | transformers: 23 | - trimprefix: '"' 24 | - trimsuffix: '"' 
25 | 26 | targets: 27 | updatePVCNameInConfig: 28 | name: Update PVC name in the configuration 29 | kind: yaml 30 | sourceid: getPVCName 31 | spec: 32 | file: ./config/cijioagents2-maven-cacher.yaml 33 | key: $.cachePvc 34 | scmid: default 35 | 36 | actions: 37 | default: 38 | kind: github/pullrequest 39 | scmid: default 40 | title: Update `maven-cacher` configuration 41 | spec: 42 | labels: 43 | - maven-cacher 44 | - cijenkinsioagents2 45 | -------------------------------------------------------------------------------- /config/publick8s_wiki.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | className: public-nginx 4 | annotations: 5 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 6 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 7 | hosts: 8 | - host: wiki.jenkins.io 9 | paths: 10 | - path: / 11 | pathType: Prefix 12 | - host: wiki.jenkins-ci.org 13 | paths: 14 | - path: / 15 | pathType: Prefix 16 | tls: 17 | - secretName: wiki-tls 18 | hosts: 19 | - wiki.jenkins.io 20 | - wiki.jenkins-ci.org 21 | 22 | resources: 23 | limits: 24 | cpu: 200m 25 | memory: 256Mi 26 | requests: 27 | cpu: 100m 28 | memory: 128Mi 29 | 30 | replicaCount: 2 31 | 32 | nodeSelector: 33 | kubernetes.io/arch: arm64 34 | 35 | tolerations: 36 | - key: "kubernetes.io/arch" 37 | operator: "Equal" 38 | value: "arm64" 39 | effect: "NoSchedule" 40 | 41 | affinity: 42 | podAntiAffinity: 43 | requiredDuringSchedulingIgnoredDuringExecution: 44 | - labelSelector: 45 | matchExpressions: 46 | - key: "app.kubernetes.io/name" 47 | operator: In 48 | values: 49 | - wiki 50 | topologyKey: "kubernetes.io/hostname" 51 | 52 | podAnnotations: 53 | ad.datadoghq.com/wiki.logs: | 54 | [ 55 | {"source":"nginx","service":"wiki.jenkins.io"} 56 | ] 57 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/charts/jenkins-kubernetes-agent.yaml: 
-------------------------------------------------------------------------------- 1 | name: "Bump jenkins-kubernetes-agents Helm Chart Version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | lastChartVersion: 17 | kind: helmchart 18 | name: get last chart version 19 | spec: 20 | url: https://jenkins-infra.github.io/helm-charts 21 | name: jenkins-kubernetes-agents 22 | 23 | targets: 24 | updateChartVersion: 25 | name: "Update the chart version for jenkins kubernetes agent" 26 | kind: yaml 27 | spec: 28 | files: 29 | - clusters/privatek8s.yaml 30 | - clusters/infracijioagents2.yaml 31 | - clusters/cijioagents2.yaml 32 | engine: yamlpath 33 | key: $.releases[?(@.chart == 'jenkins-infra/jenkins-kubernetes-agents')].version 34 | scmid: default 35 | 36 | actions: 37 | default: 38 | kind: github/pullrequest 39 | scmid: default 40 | title: Bump `jenkins-kubernetes-agents` helm chart version to {{ source "lastChartVersion" }} 41 | spec: 42 | labels: 43 | - dependencies 44 | - jenkins-kubernetes-agents 45 | -------------------------------------------------------------------------------- /config/publick8s_plugins-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | className: public-nginx 4 | annotations: 5 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 6 | "nginx.ingress.kubernetes.io/rewrite-target": /$1 7 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 8 | "nginx.ingress.kubernetes.io/enable-cors": "true" 9 | "nginx.ingress.kubernetes.io/cors-allow-methods": "GET, OPTIONS" 10 | "nginx.ingress.kubernetes.io/cors-allow-origin": "*" 11 | hosts: 12 | - host: plugins.origin.jenkins.io 13 | - host: 
plugins.jenkins.io 14 | # plugins.jenkins.io certificate is managed by Fastly 15 | tls: 16 | - secretName: plugins-tls 17 | hosts: 18 | - plugins.origin.jenkins.io 19 | restApiUrl: https://plugins.jenkins.io/api 20 | frontend: 21 | podAnnotations: 22 | ad.datadoghq.com/plugin-site-frontend.logs: | 23 | [ 24 | {"source":"nginx","service":"plugins.jenkins.io"} 25 | ] 26 | backend: 27 | replicaCount: 1 28 | podAnnotations: 29 | ad.datadoghq.com/plugin-site-backend.logs: | 30 | [ 31 | {"source":"java","service":"plugins.jenkins.io"} 32 | ] 33 | htmlVolume: 34 | persistentVolumeClaim: 35 | claimName: plugins-jenkins-io 36 | 37 | nodeSelector: 38 | kubernetes.io/arch: arm64 39 | 40 | tolerations: 41 | - key: "kubernetes.io/arch" 42 | operator: "Equal" 43 | value: "arm64" 44 | effect: "NoSchedule" 45 | -------------------------------------------------------------------------------- /config/publick8s_staging-get-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ingress: 3 | enabled: true 4 | ingressClassName: private-nginx 5 | annotations: 6 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 7 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 8 | hosts: 9 | - host: staging.get.jenkins.io 10 | paths: 11 | - path: / 12 | serviceName: staging-get-jenkins-io 13 | tls: 14 | - secretName: staging-get-jenkins-io 15 | hosts: 16 | - staging.get.jenkins.io 17 | 18 | resources: 19 | limits: 20 | cpu: 200m 21 | memory: 256Mi 22 | requests: 23 | cpu: 20m 24 | memory: 32Mi 25 | 26 | htmlVolume: 27 | persistentVolumeClaim: 28 | claimName: staging-get-jenkins-io 29 | htmlVolumeSubDir: ./get.jenkins.io/mirrorbits-staging/ 30 | 31 | replicaCount: 1 32 | 33 | nodeSelector: 34 | kubernetes.io/arch: arm64 35 | 36 | tolerations: 37 | - key: "kubernetes.io/arch" 38 | operator: "Equal" 39 | value: "arm64" 40 | effect: "NoSchedule" 41 | 42 | affinity: 43 | podAntiAffinity: 44 | requiredDuringSchedulingIgnoredDuringExecution: 45 | - 
labelSelector: 46 | matchExpressions: 47 | - key: "app.kubernetes.io/name" 48 | operator: In 49 | values: 50 | - stats-jenkins-io 51 | topologyKey: "kubernetes.io/hostname" 52 | 53 | podAnnotations: 54 | ad.datadoghq.com/nginx-website.logs: | 55 | [ 56 | {"source":"nginx","service":"staging.get.jenkins.io"} 57 | ] 58 | -------------------------------------------------------------------------------- /config/datadog.yaml.gotmpl: -------------------------------------------------------------------------------- 1 | datadog: 2 | clusterName: {{ .Values | get "datadog.clusterName" nil }} 3 | collectEvents: true 4 | leaderElection: true 5 | leaderLeaseDuration: 60 6 | criSocketPath: /var/run/containerd/containerd.sock 7 | apm: 8 | portEnabled: true 9 | processAgent: 10 | enabled: true 11 | processCollection: true 12 | logs: 13 | enabled: true 14 | containerCollectAll: true 15 | networkMonitoring: 16 | enabled: true 17 | {{- if .Values }} 18 | {{- if hasKey .Values.datadog "kubelet" }} 19 | kubelet: 20 | host: 21 | valueFrom: 22 | fieldRef: 23 | fieldPath: {{ .Values | get "datadog.kubelet.host.valueFrom.fieldRef.fieldPath" "status.hostIP" }} 24 | {{- if hasKey .Values.datadog.kubelet "hostCAPath" }} 25 | hostCAPath: {{ .Values | get "datadog.kubelet.hostCAPath" nil }} 26 | {{- end }} 27 | {{- end }} 28 | {{- end }} 29 | remoteConfiguration: 30 | # Remote configuration is disabled: we don't want Datadog to be able to access the agents through their UI 31 | enabled: false 32 | agents: 33 | rbac: 34 | create: true 35 | # The updateStrategy ensures that there is no rollback, even when auto-scaling the clusters up/down (as the agent is deployed as a DaemonSet by default) 36 | updateStrategy: 37 | rollingUpdate: 38 | maxUnavailable: "33%" 39 | type: RollingUpdate 40 | clusterAgent: 41 | metricsProvider: 42 | enabled: true 43 | rbac: 44 | create: true 45 | # Run the clusterAgent in HA mode 46 | replicas: 2 47 | createPodDisruptionBudget: true 48 |
-------------------------------------------------------------------------------- /config/cijioagents2-maven-cacher.yaml: -------------------------------------------------------------------------------- 1 | image: 2 | tag: 2.76.0 3 | 4 | nodeSelector: 5 | kubernetes.io/arch: arm64 6 | jenkins: ci.jenkins.io 7 | role: applications 8 | 9 | tolerations: 10 | - key: "ci.jenkins.io/applications" 11 | operator: "Equal" 12 | value: "true" 13 | effect: "NoSchedule" 14 | 15 | resources: 16 | limits: 17 | # No CPU limit to avoid throttling 18 | memory: 4096Mi 19 | requests: 20 | cpu: 2 21 | memory: 2048Mi 22 | 23 | podSecurityContext: 24 | runAsUser: 1001 # User 'jenkins' 25 | runAsGroup: 1001 # Group 'jenkins' 26 | runAsNonRoot: true 27 | 28 | containerSecurityContext: 29 | readOnlyRootFilesystem: true 30 | allowPrivilegeEscalation: false 31 | capabilities: 32 | drop: 33 | - ALL 34 | 35 | cachePvc: ci-jenkins-io-maven-cache 36 | # TODO: track with updatecli from https://github.com/jenkins-infra/jenkins-infra/blob/17784f9d822e974154515cddf589eb3beb3a7813/hieradata/common.yaml#L218 37 | javaHome: /opt/jdk-21 38 | mavenMirror: 39 | enable: true 40 | # TODO: track with updatecli from jenkins-infra/kubernetes-management (acp release). NOTE(review): the URL below is plain HTTP, so artifacts fetched through this mirror have no transport protection; confirm the load balancer is reachable only from the private cluster network. 41 | url: http://k8s-artifact-artifact-3d1949c260-a3739c22ffe2d924.elb.us-east-2.amazonaws.com:8080/ 42 | # TODO: track with updatecli from https://github.com/jenkins-infra/jenkins-infra/blob/production/dist/profile/templates/jenkinscontroller/casc/artifact-caching-proxy.yaml.erb#L14 43 | mirrorOf: "external:*,!chimera-releases,!chimera-snapshots,!atlassian-public,!org.zowe.sdk,!jitpack.io,!space-maven" 44 | mirrorId: artifact-caching-proxy 45 | -------------------------------------------------------------------------------- /config/publick8s_docs-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ingress: 3 | enabled: true 4 | className: public-nginx 5 | annotations: 6 |
"cert-manager.io/cluster-issuer": "letsencrypt-prod" 7 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 8 | hosts: 9 | - host: docs.jenkins.io 10 | paths: 11 | - path: / 12 | serviceName: docs-jenkins-io 13 | - host: docs.origin.jenkins.io 14 | paths: 15 | - path: / 16 | serviceName: docs-jenkins-io 17 | # docs.jenkins.io certificate is managed by Fastly 18 | tls: 19 | - secretName: docs-jenkins-io-tls 20 | hosts: 21 | - docs.origin.jenkins.io 22 | 23 | resources: 24 | limits: 25 | cpu: 200m 26 | memory: 256Mi 27 | requests: 28 | cpu: 50m 29 | memory: 64Mi 30 | htmlVolume: 31 | persistentVolumeClaim: 32 | claimName: docs-jenkins-io 33 | 34 | replicaCount: 2 35 | 36 | nodeSelector: 37 | kubernetes.io/arch: arm64 38 | 39 | tolerations: 40 | - key: "kubernetes.io/arch" 41 | operator: "Equal" 42 | value: "arm64" 43 | effect: "NoSchedule" 44 | 45 | affinity: 46 | podAntiAffinity: 47 | requiredDuringSchedulingIgnoredDuringExecution: 48 | - labelSelector: 49 | matchExpressions: 50 | - key: "app.kubernetes.io/name" 51 | operator: In 52 | values: 53 | - docs-jenkins-io 54 | topologyKey: "kubernetes.io/hostname" 55 | 56 | podAnnotations: 57 | ad.datadoghq.com/nginx-website.logs: | 58 | [ 59 | {"source":"nginx","service":"docs.jenkins.io"} 60 | ] 61 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/docker-images/jenkins-lts.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump Jenkins LTS docker image version" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | latestRelease: 17 | name: Get latest jenkins-lts version 18 | kind: githubrelease 19 | spec: 20 | owner: jenkins-infra 21 | 
repository: docker-jenkins-lts 22 | token: "{{ requiredEnv .github.token }}" 23 | username: "{{ .github.username }}" 24 | 25 | conditions: 26 | checkDockerImagePublished: 27 | name: Test dockerhubmirror.azurecr.io/jenkinsciinfra/jenkins-lts: docker image tag 28 | kind: dockerimage 29 | spec: 30 | image: dockerhubmirror.azurecr.io/jenkinsciinfra/jenkins-lts 31 | ## Tag from source 32 | architectures: 33 | - arm64 34 | 35 | targets: 36 | updateReleaseInConfig: 37 | name: Update jenkinsciinfra/jenkins-lts docker image tag 38 | kind: yaml 39 | spec: 40 | file: config/jenkins_release.ci.jenkins.io.yaml 41 | key: $.controller.image.tag 42 | scmid: default 43 | 44 | actions: 45 | default: 46 | kind: github/pullrequest 47 | scmid: default 48 | title: Bump Jenkins LTS docker image version to {{ source "latestRelease" }} 49 | spec: 50 | labels: 51 | - dependencies 52 | - jenkins-lts 53 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/docker-images/issue-redirect.yaml: -------------------------------------------------------------------------------- 1 | name: Bump `issue-redirect` docker image version 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | latestRelease: 17 | kind: githubrelease 18 | name: Get latest jenkins-infra/docker-issue-redirect release 19 | spec: 20 | owner: jenkins-infra 21 | repository: docker-issue-redirect 22 | token: "{{ requiredEnv .github.token }}" 23 | username: "{{ .github.username }}" 24 | 25 | conditions: 26 | checkDockerImagePublished: 27 | name: Test dockerhubmirror.azurecr.io/jenkinsciinfra/issue-redirect: docker image tag 28 | kind: dockerimage 29 | spec: 30 | image: 
dockerhubmirror.azurecr.io/jenkinsciinfra/issue-redirect 31 | ## Tag from source 32 | architectures: 33 | - arm64 34 | 35 | targets: 36 | updateImageTag: 37 | name: Update issue-redirect docker image tag 38 | kind: yaml 39 | spec: 40 | file: config/publick8s_issue-redirect-jenkins-io.yaml 41 | key: $.image.tag 42 | scmid: default 43 | 44 | actions: 45 | default: 46 | kind: github/pullrequest 47 | scmid: default 48 | title: Bump `issue-redirect` docker image version to {{ source "latestRelease" }} 49 | spec: 50 | labels: 51 | - dependencies 52 | - docker-issue-redirect 53 | -------------------------------------------------------------------------------- /config/publick8s_contributors-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ingress: 3 | enabled: true 4 | className: public-nginx 5 | annotations: 6 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 7 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 8 | hosts: 9 | - host: contributors.jenkins.io 10 | paths: 11 | - path: / 12 | serviceName: contributors-jenkins-io 13 | - host: contributors.origin.jenkins.io 14 | paths: 15 | - path: / 16 | serviceName: contributors-jenkins-io 17 | # contributors.jenkins.io certificate is managed by Fastly 18 | tls: 19 | - secretName: contributors-jenkins-io-tls 20 | hosts: 21 | - contributors.origin.jenkins.io 22 | 23 | resources: 24 | limits: 25 | cpu: 200m 26 | memory: 256Mi 27 | requests: 28 | cpu: 50m 29 | memory: 32Mi 30 | htmlVolume: 31 | persistentVolumeClaim: 32 | claimName: contributors-jenkins-io 33 | 34 | replicaCount: 2 35 | 36 | nodeSelector: 37 | kubernetes.io/arch: arm64 38 | 39 | tolerations: 40 | - key: "kubernetes.io/arch" 41 | operator: "Equal" 42 | value: "arm64" 43 | effect: "NoSchedule" 44 | 45 | affinity: 46 | podAntiAffinity: 47 | requiredDuringSchedulingIgnoredDuringExecution: 48 | - labelSelector: 49 | matchExpressions: 50 | - key: "app.kubernetes.io/name" 51 | operator: In 52 | values: 
53 | - contributors-jenkins-io 54 | topologyKey: "kubernetes.io/hostname" 55 | 56 | podAnnotations: 57 | ad.datadoghq.com/nginx-website.logs: | 58 | [ 59 | {"source":"nginx","service":"contributors.jenkins.io"} 60 | ] 61 | -------------------------------------------------------------------------------- /config/publick8s_accounts-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | className: public-nginx 4 | annotations: 5 | cert-manager.io/cluster-issuer: "letsencrypt-prod" 6 | nginx.ingress.kubernetes.io/ssl-redirect: "true" 7 | nginx.ingress.kubernetes.io/affinity: "cookie" 8 | nginx.ingress.kubernetes.io/configuration-snippet: | 9 | more_set_headers "X-Frame-Options: DENY"; 10 | more_set_headers "X-Content-Type-Options: nosniff"; 11 | hosts: 12 | - host: accounts.jenkins.io 13 | paths: 14 | - path: / 15 | - host: accounts.jenkins-ci.org 16 | paths: 17 | - path: / 18 | tls: 19 | - secretName: accounts-tls 20 | hosts: 21 | - accounts.jenkins.io 22 | - accounts.jenkins-ci.org 23 | 24 | resources: 25 | limits: 26 | cpu: 2000m 27 | memory: 1024Mi 28 | requests: 29 | cpu: 100m 30 | memory: 256Mi 31 | smtp: 32 | server: smtp.mailgun.org 33 | sender: accounts@jenkins.io 34 | port: 587 35 | 36 | replicaCount: 2 37 | 38 | nodeSelector: 39 | kubernetes.io/arch: arm64 40 | 41 | tolerations: 42 | - key: "kubernetes.io/arch" 43 | operator: "Equal" 44 | value: "arm64" 45 | effect: "NoSchedule" 46 | 47 | affinity: 48 | podAntiAffinity: 49 | requiredDuringSchedulingIgnoredDuringExecution: 50 | - labelSelector: 51 | matchExpressions: 52 | - key: "app.kubernetes.io/name" 53 | operator: In 54 | values: 55 | - accountapp 56 | topologyKey: "kubernetes.io/hostname" 57 | 58 | podAnnotations: 59 | ad.datadoghq.com/accountapp.logs: | 60 | [ 61 | {"source":"java","service":"accounts.jenkins.io"} 62 | ] 63 | -------------------------------------------------------------------------------- 
/config/publick8s_public-nginx-ingress.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | # Set back to `false` (the default since 4.8.0) once https://github.com/kubernetes/ingress-nginx/issues/7811 is fixed 3 | # and the custom headers (only reason for user snippets - search for `more_set_headers` in ./config) are replaced by the replacement. While this is enabled, anyone allowed to create or edit Ingress objects can inject raw nginx configuration through snippet annotations, so keep Ingress write access restricted. 4 | allowSnippetAnnotations: true 5 | replicaCount: 2 6 | affinity: 7 | podAntiAffinity: 8 | requiredDuringSchedulingIgnoredDuringExecution: 9 | - labelSelector: 10 | matchExpressions: 11 | - key: "app.kubernetes.io/instance" 12 | operator: In 13 | values: 14 | - public-nginx-ingress 15 | topologyKey: "kubernetes.io/hostname" 16 | service: 17 | annotations: 18 | service.beta.kubernetes.io/azure-load-balancer-internal: false 19 | # TODO: track with updatecli from https://github.com/jenkins-infra/azure/blob/main/publick8s.tf 20 | service.beta.kubernetes.io/azure-load-balancer-resource-group: prod-public-ips 21 | # TODO: track with updatecli from https://github.com/jenkins-infra/azure/blob/main/publick8s.tf 22 | service.beta.kubernetes.io/azure-pip-name: publick8s-public-ipv4 23 | externalTrafficPolicy: Local 24 | ipFamilies: 25 | - IPv4 26 | ipFamilyPolicy: SingleStack 27 | nodeSelector: 28 | kubernetes.io/arch: arm64 29 | tolerations: 30 | - key: "kubernetes.io/arch" 31 | operator: "Equal" 32 | value: "arm64" 33 | effect: "NoSchedule" 34 | defaultBackend: 35 | nodeSelector: 36 | kubernetes.io/arch: arm64 37 | tolerations: 38 | - key: "kubernetes.io/arch" 39 | operator: "Equal" 40 | value: "arm64" 41 | effect: "NoSchedule" 42 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/configs/pvc-ldap.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Update PVC names for ldap.jenkins.io 3 | 4 | scms: 5 | default: 6 | kind: github 7 | spec: 8 | user: "{{ .github.user }}" 9 | email: "{{ .github.email
}}" 10 | owner: "{{ .github.owner }}" 11 | repository: "{{ .github.repository }}" 12 | token: "{{ requiredEnv .github.token }}" 13 | username: "{{ .github.username }}" 14 | branch: "{{ .github.branch }}" 15 | 16 | sources: 17 | getDataPvcName: 18 | kind: json 19 | name: Retrieve LDAP data PVC name 20 | spec: 21 | file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 22 | key: .ldap\.jenkins\.io.data.pvc_name 23 | getBackupPvcName: 24 | kind: json 25 | name: Retrieve LDAP backup PVC name 26 | spec: 27 | file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 28 | key: .ldap\.jenkins\.io.backup.pvc_name 29 | 30 | targets: 31 | updateDataPvcName: 32 | sourceid: getDataPvcName 33 | name: Set data PVC name in LDAP Helm configuration 34 | kind: yaml 35 | spec: 36 | file: config/publick8s_ldap-jenkins-io.yaml 37 | key: $.persistence.customDataClaimName 38 | scmid: default 39 | updatePvcNameUnsecured: 40 | sourceid: getBackupPvcName 41 | name: Set backup PVC name in LDAP Helm configuration 42 | kind: yaml 43 | spec: 44 | file: config/publick8s_ldap-jenkins-io.yaml 45 | key: $.persistence.customBackupClaimName 46 | scmid: default 47 | 48 | actions: 49 | default: 50 | kind: github/pullrequest 51 | scmid: default 52 | title: Update PVC names for ldap.jenkins.io 53 | spec: 54 | labels: 55 | - ldap 56 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/configs/pvc-get-jenkins-io-httpd.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Update PVC names for get.jenkins.io "httpd" service 3 | 4 | scms: 5 | default: 6 | kind: github 7 | spec: 8 | user: "{{ .github.user }}" 9 | email: "{{ .github.email }}" 10 | owner: "{{ .github.owner }}" 11 | repository: "{{ .github.repository }}" 12 | token: "{{ requiredEnv .github.token }}" 13 | username: "{{ .github.username }}" 14 | branch: "{{ .github.branch }}" 15 | 16 | sources: 17 | pvcName: 18 | kind: 
json 19 | name: Retrieve the pvc name for get-jenkins-io-httpd 20 | spec: 21 | file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 22 | key: .get\.jenkins\.io.httpd.pvc_name 23 | subDir: 24 | kind: json 25 | name: Retrieve the subDir name for get-jenkins-io-httpd 26 | spec: 27 | file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 28 | key: .get\.jenkins\.io.httpd.share_uri 29 | transformers: 30 | - addprefix: '.' 31 | 32 | targets: 33 | updatePvcName: 34 | sourceid: pvcName 35 | name: Update the PVC name for get-jenkins-io-httpd 36 | kind: yaml 37 | spec: 38 | file: config/publick8s_get-jenkins-io-httpd.yaml 39 | key: $.repository.name 40 | scmid: default 41 | updateSubDir: 42 | sourceid: subDir 43 | name: Update the PVC subDir for get-jenkins-io-httpd 44 | kind: yaml 45 | spec: 46 | file: config/publick8s_get-jenkins-io-httpd.yaml 47 | key: $.repository.subDir 48 | scmid: default 49 | 50 | actions: 51 | default: 52 | kind: github/pullrequest 53 | scmid: default 54 | title: Update PVC names for `get.jenkins.io` "httpd" service 55 | spec: 56 | labels: 57 | - get.jenkins.io 58 | -------------------------------------------------------------------------------- /config/publick8s_issue-redirect-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | className: public-nginx 4 | 5 | annotations: 6 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 7 | "nginx.ingress.kubernetes.io/configuration-snippet": | 8 | more_set_headers "X-Content-Type-Options: nosniff"; 9 | more_set_headers "X-Frame-Options: DENY"; 10 | hosts: 11 | - host: issue-redirect.jenkins.io 12 | paths: 13 | - path: / 14 | tls: 15 | - secretName: issue-redirect-jenkinsio-tls 16 | hosts: 17 | - issue-redirect.jenkins.io 18 | 19 | image: 20 | repository: dockerhubmirror.azurecr.io/jenkinsciinfra/issue-redirect 21 | tag: 0.3.6 22 | pullPolicy: IfNotPresent 23 | 24 | replicaCount: 2 25 | 26 | 
resources: 27 | limits: 28 | cpu: 500m 29 | memory: 512Mi 30 | requests: 31 | cpu: 50m 32 | memory: 128Mi 33 | 34 | nodeSelector: 35 | kubernetes.io/arch: arm64 36 | 37 | tolerations: 38 | - key: "kubernetes.io/arch" 39 | operator: "Equal" 40 | value: "arm64" 41 | effect: "NoSchedule" 42 | 43 | affinity: 44 | podAntiAffinity: 45 | requiredDuringSchedulingIgnoredDuringExecution: 46 | - labelSelector: 47 | matchExpressions: 48 | - key: "app.kubernetes.io/name" 49 | operator: In 50 | values: 51 | - issueredirect 52 | topologyKey: "kubernetes.io/hostname" 53 | 54 | nginx: 55 | overrideLocations: | 56 | root /htdocs; 57 | 58 | include includes/jira-to-github-redirects.conf; 59 | rewrite ^/issue/(.+) https://issues.jenkins.io/browse/JENKINS-$1 permanent; 60 | 61 | podAnnotations: 62 | ad.datadoghq.com/jenkinsio.logs: | 63 | [ 64 | {"source":"nginx","service":"issue-redirect.jenkins.io"} 65 | ] 66 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/docker-images/jenkins-weekly_infra.ci.jenkins.io.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump Jenkins Weekly docker image version on infra.ci.jenkins.io" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | latestRelease: 17 | name: Get latest jenkins-weekly version 18 | kind: githubrelease 19 | spec: 20 | owner: jenkins-infra 21 | repository: docker-jenkins-infraci 22 | token: "{{ requiredEnv .github.token }}" 23 | username: "{{ .github.username }}" 24 | 25 | conditions: 26 | checkDockerImagePublished: 27 | name: Check that the jenkinsciinfra/jenkins-infraci: Docker image is published 28 | kind: dockerimage 29 | spec: 30 | image: 
dockerhubmirror.azurecr.io/jenkinsciinfra/jenkins-infraci 31 | ## Tag from source 32 | architectures: 33 | - arm64 34 | 35 | targets: 36 | updateReleaseInConfig: 37 | sourceid: latestRelease 38 | name: Update jenkinsciinfra/jenkins-weekly docker image tag on infra.ci.jenkins.io 39 | kind: yaml 40 | spec: 41 | file: config/jenkins_infra.ci.jenkins.io.yaml 42 | key: $.controller.image.tag 43 | scmid: default 44 | 45 | actions: 46 | default: 47 | kind: github/pullrequest 48 | scmid: default 49 | title: Bump Jenkins Weekly docker image version on infra.ci.jenkins.io to {{ source "latestRelease" }} 50 | spec: 51 | labels: 52 | - dependencies 53 | - docker-jenkins-infraci 54 | - infra.ci.jenkins.io 55 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/docker-images/404.yaml: -------------------------------------------------------------------------------- 1 | name: Bump `404` docker image version 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | latestRelease: 17 | kind: githubrelease 18 | name: Get latest jenkins-infra/docker-404 release 19 | spec: 20 | owner: jenkins-infra 21 | repository: docker-404 22 | token: "{{ requiredEnv .github.token }}" 23 | username: "{{ .github.username }}" 24 | 25 | conditions: 26 | checkDockerImagePublished: 27 | name: Test dockerhubmirror.azurecr.io/jenkinsciinfra/404: docker image tag 28 | kind: dockerimage 29 | spec: 30 | image: dockerhubmirror.azurecr.io/jenkinsciinfra/404 31 | ## Tag from source 32 | architectures: 33 | - arm64 34 | 35 | targets: 36 | updatePrivateNginxIngress404: 37 | name: Update 404 docker image tag 38 | kind: yaml 39 | spec: 40 | file: 
config/private-nginx-ingress__common.yaml 41 | key: $.defaultBackend.image.tag 42 | scmid: default 43 | updatePublicNginxIngress404: 44 | name: Update 404 docker image tag 45 | kind: yaml 46 | spec: 47 | file: config/public-nginx-ingress__common.yaml 48 | key: $.defaultBackend.image.tag 49 | scmid: default 50 | 51 | actions: 52 | default: 53 | kind: github/pullrequest 54 | scmid: default 55 | title: Bump 404 docker image version to {{ source "latestRelease" }} 56 | spec: 57 | labels: 58 | - dependencies 59 | - docker-404 60 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/docker-images/jenkins-weekly_weekly.ci.jenkins.io.yaml: -------------------------------------------------------------------------------- 1 | name: "Bump Jenkins Weekly docker image version on weekly.ci.jenkins.io" 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | latestRelease: 17 | name: Get latest jenkins-weekly version 18 | kind: githubrelease 19 | spec: 20 | owner: jenkins-infra 21 | repository: docker-jenkins-weeklyci 22 | token: "{{ requiredEnv .github.token }}" 23 | username: "{{ .github.username }}" 24 | 25 | conditions: 26 | checkDockerImagePublished: 27 | name: Test dockerhubmirror.azurecr.io/jenkinsciinfra/jenkins-weeklyci: docker image tag is published 28 | kind: dockerimage 29 | spec: 30 | image: dockerhubmirror.azurecr.io/jenkinsciinfra/jenkins-weeklyci 31 | ## Tag from source 32 | architectures: 33 | - arm64 34 | 35 | targets: 36 | updateReleaseInConfig: 37 | sourceid: latestRelease 38 | name: Update jenkinsciinfra/jenkins-weekly docker image tag on weekly.ci.jenkins.io 39 | kind: yaml 40 | spec: 41 | file: 
config/publick8s_weekly-ci-jenkins-io.yaml 42 | key: $.controller.image.tag 43 | scmid: default 44 | 45 | actions: 46 | default: 47 | kind: github/pullrequest 48 | scmid: default 49 | title: Bump Jenkins Weekly docker image version on weekly.ci.jenkins.io to {{ source "latestRelease" }} 50 | spec: 51 | labels: 52 | - dependencies 53 | - docker-jenkins-weeklyci 54 | - weekly.ci.jenkins.io 55 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/docker-images/keycloak-theme.yaml: -------------------------------------------------------------------------------- 1 | name: Bump `keycloak-theme` docker image version 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | latestRelease: 17 | kind: githubrelease 18 | name: Get latest jenkins-infra/keycloak-theme release 19 | spec: 20 | owner: jenkins-infra 21 | repository: keycloak-theme 22 | token: "{{ requiredEnv .github.token }}" 23 | username: "{{ .github.username }}" 24 | 25 | conditions: 26 | checkDockerImagePublished: 27 | name: Verify the dockerhubmirror.azurecr.io/jenkinsciinfra/keycloak-theme: docker image is published 28 | kind: dockerimage 29 | spec: 30 | image: dockerhubmirror.azurecr.io/jenkinsciinfra/keycloak-theme 31 | ## Tag from source 32 | architectures: 33 | - arm64 34 | 35 | targets: 36 | updateReleaseInConfig: 37 | name: Update keycloak-theme docker image tag 38 | kind: file 39 | spec: 40 | file: config/publick8s_admin-accounts-jenkins-io.yaml 41 | matchpattern: "image: dockerhubmirror.azurecr.io/jenkinsciinfra/keycloak-theme:.*" 42 | replacepattern: 'image: dockerhubmirror.azurecr.io/jenkinsciinfra/keycloak-theme:{{ source "latestRelease" }}' 43 | # scmid: default 44 | 
45 | actions: 46 | default: 47 | kind: github/pullrequest 48 | scmid: default 49 | title: Bump `keycloak-theme` docker image version to {{ source "latestRelease" }} 50 | spec: 51 | labels: 52 | - dependencies 53 | - keycloak-theme 54 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/docker-images/maven-cacher.yaml: -------------------------------------------------------------------------------- 1 | name: Bump `maven-cacher` Docker image version 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: # Reads the jnlp-maven-all-in-one image reference from the production hieradata of jenkins-infra/jenkins-infra 16 | getCurrentProductionImageTag: 17 | kind: yaml 18 | name: Retrieve the current image used in production on ci.jenkins.io 19 | spec: 20 | file: https://raw.githubusercontent.com/jenkins-infra/jenkins-infra/refs/heads/production/hieradata/common.yaml 21 | key: $.profile::jenkinscontroller::jcasc.agent_images.container_images.jnlp-maven-all-in-one 22 | transformers: 23 | - findsubmatch: 24 | pattern: '(.*):(.*)@(.*)' 25 | captureindex: 2 # Keeps only capture group 2 (presumably the tag); the part after '@' (presumably the digest) is discarded, so the target below is pinned by tag alone. NOTE(review): confirm a mutable tag is acceptable for this image 26 | 27 | conditions: 28 | checkDockerImagePublished: 29 | name: Check that jenkinsciinfra/jenkins-agent-ubuntu-22.04: docker image tag is published 30 | kind: dockerimage 31 | spec: 32 | image: jenkinsciinfra/jenkins-agent-ubuntu-22.04 33 | ## Tag from source 34 | architecture: arm64 35 | 36 | targets: 37 | updateReleaseInConfig: 38 | name: Update maven-cacher Docker image tag 39 | kind: yaml 40 | spec: 41 | files: 42 | - ./config/cijioagents2-maven-cacher.yaml 43 | key: $.image.tag 44 | scmid: default 45 | 46 | actions: 47 | default: 48 | kind: github/pullrequest 49 | scmid: default 50 | title: Bump `maven-cacher` Docker image tag version to {{ source "getCurrentProductionImageTag" }} 51 | spec: 52 |
labels: 53 | - dependencies 54 | - maven-cacher 55 | - docker-image 56 | -------------------------------------------------------------------------------- /config/publick8s_get-jenkins-io-httpd.yaml: -------------------------------------------------------------------------------- 1 | enabled: true 2 | replicaCount: 2 3 | resources: 4 | limits: 5 | cpu: 500m 6 | memory: 1024Mi 7 | requests: 8 | cpu: 50m 9 | memory: 500Mi 10 | nodeSelector: 11 | kubernetes.io/arch: arm64 12 | tolerations: 13 | - key: "kubernetes.io/arch" 14 | operator: "Equal" 15 | value: "arm64" 16 | effect: "NoSchedule" 17 | affinity: 18 | podAntiAffinity: 19 | requiredDuringSchedulingIgnoredDuringExecution: 20 | - labelSelector: 21 | matchExpressions: 22 | - key: "app.kubernetes.io/name" 23 | operator: In 24 | values: 25 | - mirrorbits-files 26 | topologyKey: "kubernetes.io/hostname" 27 | repository: 28 | name: get-jenkins-io 29 | reuseExistingPersistentVolumeClaim: true 30 | subDir: ./get.jenkins.io/mirrorbits/ 31 | annotations: 32 | ad.datadoghq.com/httpd.logs: | 33 | [{"source":"apache","service":"get.jenkins.io"}] 34 | 35 | ingress: 36 | enabled: true 37 | className: public-nginx 38 | annotations: 39 | cert-manager.io/cluster-issuer: "letsencrypt-prod" 40 | nginx.ingress.kubernetes.io/ssl-redirect: "true" 41 | nginx.ingress.kubernetes.io/force-ssl-redirect: "true" 42 | nginx.ingress.kubernetes.io/use-regex: "true" # Required to allow regexp path matching with Nginx 43 | hosts: 44 | - host: get.jenkins.io 45 | paths: 46 | - path: / 47 | - host: mirrors.jenkins.io 48 | paths: 49 | - path: / 50 | - host: mirrors.jenkins-ci.org 51 | paths: 52 | - path: / 53 | - host: fallback.get.jenkins.io 54 | paths: 55 | - path: / 56 | tls: 57 | - secretName: get-jenkins-io-tls 58 | hosts: 59 | - get.jenkins.io 60 | - mirrors.jenkins.io 61 | - mirrors.jenkins-ci.org 62 | - fallback.get.jenkins.io 63 | -------------------------------------------------------------------------------- 
/config/publick8s_updates-jenkins-io-redirections.yaml: -------------------------------------------------------------------------------- 1 | replicaCount: 2 2 | resources: 3 | limits: 4 | cpu: 1000m 5 | memory: 2048Mi 6 | requests: 7 | cpu: 50m 8 | memory: 100Mi 9 | nodeSelector: 10 | kubernetes.io/arch: arm64 11 | tolerations: 12 | - key: "kubernetes.io/arch" 13 | operator: "Equal" 14 | value: "arm64" 15 | effect: "NoSchedule" 16 | repository: 17 | name: updates-jenkins-io 18 | reuseExistingPersistentVolumeClaim: true 19 | subDir: ./updates.jenkins.io/redirections/ 20 | annotations: 21 | ad.datadoghq.com/httpd.logs: | 22 | [{"source":"apache","service":"updates.jenkins.io"}] 23 | 24 | ingress: 25 | enabled: true 26 | className: public-nginx 27 | annotations: 28 | cert-manager.io/cluster-issuer: "letsencrypt-prod" 29 | nginx.ingress.kubernetes.io/ssl-redirect: "true" 30 | nginx.ingress.kubernetes.io/force-ssl-redirect: "true" 31 | nginx.ingress.kubernetes.io/use-regex: "true" # Required to allow regexp path matching with Nginx 32 | nginx.ingress.kubernetes.io/enable-rewrite-log: "true" # Only enabled if need to debug as it is resources-hungry (I/O) 33 | hosts: 34 | - host: azure.updates.jenkins.io 35 | paths: 36 | - path: / 37 | - host: updates.jenkins.io 38 | paths: 39 | - path: / 40 | - host: updates.jenkins-ci.org 41 | paths: 42 | - path: / 43 | tls: 44 | - secretName: updates-jenkins-io-httpd-tls 45 | hosts: 46 | - updates.jenkins.io 47 | - azure.updates.jenkins.io 48 | - updates.jenkins-ci.org 49 | 50 | httpdConf: 51 | # Specifying https scheme allow proper HTTP rewriting when the pattern is not an FQDN 52 | serverName: https://localhost 53 | serverLimit: 30 54 | threadsPerChild: 25 55 | maxRequestWorkers: 750 # serverLimit * threadsPerChild (MPM event) 56 | 57 | httpdRestart: 58 | enable: false 59 | -------------------------------------------------------------------------------- /clusters/cijioagents2.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | helmDefaults: 3 | atomic: true 4 | force: false 5 | timeout: 300 6 | wait: true 7 | repositories: 8 | # https://github.com/DataDog/helm-charts/ 9 | - name: datadog 10 | url: https://helm.datadoghq.com 11 | # https://github.com/jenkins-infra/helm-charts/ 12 | - name: jenkins-infra 13 | url: https://jenkins-infra.github.io/helm-charts 14 | releases: 15 | - name: datadog 16 | namespace: datadog 17 | chart: datadog/datadog 18 | version: 3.154.1 19 | values: 20 | - ../config/datadog.yaml.gotmpl 21 | - ../config/datadog_cijenkinsio-agents-2.yaml 22 | secrets: 23 | - ../secrets/config/datadog/cijenkinsio-agents-2-secrets.yaml 24 | - name: artifact-caching-proxy 25 | namespace: artifact-caching-proxy 26 | chart: jenkins-infra/artifact-caching-proxy 27 | version: 1.6.9 28 | values: 29 | - ../config/artifact-caching-proxy_aws-cijenkinsio-agents-2.yaml 30 | - name: hub-mirror 31 | namespace: hub-mirror 32 | chart: jenkins-infra/docker-registry 33 | version: 1.0.0 34 | values: 35 | - ../config/hub-mirror_cijioagents2.yaml 36 | secrets: 37 | - ../secrets/config/hub-mirror/secrets.yaml 38 | - name: jenkins-agents 39 | namespace: jenkins-agents 40 | chart: jenkins-infra/jenkins-kubernetes-agents 41 | version: 1.1.1 42 | values: 43 | - ../config/jenkins-kubernetes-agents_ci.jenkins.io_cijioagents2.yaml 44 | - name: jenkins-agents-bom 45 | namespace: jenkins-agents-bom 46 | chart: jenkins-infra/jenkins-kubernetes-agents 47 | version: 1.1.1 48 | values: 49 | - ../config/jenkins-kubernetes-agents_ci.jenkins.io_cijioagents2-bom.yaml 50 | - name: maven-cacher 51 | namespace: maven-cache 52 | chart: jenkins-infra/maven-cacher 53 | version: 0.0.4 54 | values: 55 | - ../config/cijioagents2-maven-cacher.yaml 56 | -------------------------------------------------------------------------------- /config/javadoc-jenkins-io.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | ingress: 3 | enabled: true 4 | className: public-nginx 5 | annotations: 6 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 7 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 8 | hosts: 9 | - host: javadoc.jenkins.io 10 | paths: 11 | - path: / 12 | - host: javadoc.jenkins-ci.org 13 | paths: 14 | - path: / 15 | tls: 16 | - secretName: javadoc-tls 17 | hosts: 18 | - javadoc.jenkins.io 19 | - javadoc.jenkins-ci.org 20 | 21 | resources: 22 | limits: 23 | cpu: 200m 24 | memory: 256Mi 25 | requests: 26 | cpu: 50m 27 | memory: 128Mi 28 | htmlVolume: 29 | persistentVolumeClaim: 30 | claimName: javadoc-jenkins-io 31 | 32 | replicaCount: 2 33 | 34 | nodeSelector: 35 | kubernetes.io/arch: arm64 36 | 37 | # Tolerates to run on tainted `arm64` nodes 38 | tolerations: 39 | - key: "kubernetes.io/arch" 40 | operator: "Equal" 41 | value: "arm64" 42 | effect: "NoSchedule" 43 | 44 | affinity: 45 | podAntiAffinity: 46 | requiredDuringSchedulingIgnoredDuringExecution: 47 | - labelSelector: 48 | matchExpressions: 49 | - key: "app.kubernetes.io/name" 50 | operator: In 51 | values: 52 | - javadoc 53 | topologyKey: "kubernetes.io/hostname" 54 | 55 | nginx: 56 | overrideLocations: | 57 | # https://github.com/jenkins-infra/helpdesk/issues/4594 58 | location /component/github-api { 59 | return 308 https://hub4j.github.io/github-api/apidocs/org.kohsuke.github.api/module-summary.html; 60 | } 61 | 62 | location / { 63 | root /usr/share/nginx/html; 64 | index index.html index.htm; 65 | autoindex on; 66 | } 67 | 68 | podAnnotations: 69 | ad.datadoghq.com/nginx-website.logs: | 70 | [ 71 | {"source":"nginx","service":"javadoc.jenkins.io"} 72 | ] 73 | -------------------------------------------------------------------------------- /config/publick8s_javadoc-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ingress: 3 | enabled: true 4 | 
className: public-nginx 5 | annotations: 6 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 7 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 8 | hosts: 9 | - host: javadoc.jenkins.io 10 | paths: 11 | - path: / 12 | - host: javadoc.jenkins-ci.org 13 | paths: 14 | - path: / 15 | tls: 16 | - secretName: javadoc-tls 17 | hosts: 18 | - javadoc.jenkins.io 19 | - javadoc.jenkins-ci.org 20 | 21 | resources: 22 | limits: 23 | cpu: 200m 24 | memory: 256Mi 25 | requests: 26 | cpu: 50m 27 | memory: 128Mi 28 | htmlVolume: 29 | persistentVolumeClaim: 30 | claimName: javadoc-jenkins-io 31 | 32 | replicaCount: 2 33 | 34 | nodeSelector: 35 | kubernetes.io/arch: arm64 36 | 37 | # Tolerates to run on tainted `arm64` nodes 38 | tolerations: 39 | - key: "kubernetes.io/arch" 40 | operator: "Equal" 41 | value: "arm64" 42 | effect: "NoSchedule" 43 | 44 | affinity: 45 | podAntiAffinity: 46 | requiredDuringSchedulingIgnoredDuringExecution: 47 | - labelSelector: 48 | matchExpressions: 49 | - key: "app.kubernetes.io/name" 50 | operator: In 51 | values: 52 | - javadoc 53 | topologyKey: "kubernetes.io/hostname" 54 | 55 | nginx: 56 | overrideLocations: | 57 | # https://github.com/jenkins-infra/helpdesk/issues/4594 58 | location /component/github-api { 59 | return 308 https://hub4j.github.io/github-api/apidocs/org.kohsuke.github.api/module-summary.html; 60 | } 61 | 62 | location / { 63 | root /usr/share/nginx/html; 64 | index index.html index.htm; 65 | autoindex on; 66 | } 67 | 68 | podAnnotations: 69 | ad.datadoghq.com/nginx-website.logs: | 70 | [ 71 | {"source":"nginx","service":"javadoc.jenkins.io"} 72 | ] 73 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/configs/pvc-updates-jenkins-io-redirections.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Update PVC names for updates.jenkins.io "redirections" service (httpd) 3 | 4 | scms: 5 | default: 6 | kind: github 7 | spec: 
8 | user: "{{ .github.user }}" 9 | email: "{{ .github.email }}" 10 | owner: "{{ .github.owner }}" 11 | repository: "{{ .github.repository }}" 12 | token: "{{ requiredEnv .github.token }}" 13 | username: "{{ .github.username }}" 14 | branch: "{{ .github.branch }}" 15 | 16 | sources: 17 | pvcName: 18 | kind: json 19 | name: Retrieve the pvc name for updates-jenkins-io-redirects 20 | spec: 21 | file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 22 | key: .updates\.jenkins\.io.redirections.pvc_name 23 | subDir: 24 | kind: json 25 | name: Retrieve the subDir name for updates-jenkins-io-redirects 26 | spec: 27 | file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 28 | key: .updates\.jenkins\.io.redirections.share_uri 29 | transformers: 30 | - addprefix: '.' 31 | 32 | targets: 33 | updatePvcName: 34 | sourceid: pvcName 35 | name: Update the PVC name for updates-jenkins-io-redirects 36 | kind: yaml 37 | spec: 38 | file: config/publick8s_updates-jenkins-io-redirections.yaml 39 | key: $.repository.name 40 | scmid: default 41 | updateSubDir: 42 | sourceid: subDir 43 | name: Update the PVC subDir for updates-jenkins-io-redirects 44 | kind: yaml 45 | spec: 46 | file: config/publick8s_updates-jenkins-io-redirections.yaml 47 | key: $.repository.subDir 48 | scmid: default 49 | 50 | actions: 51 | default: 52 | kind: github/pullrequest 53 | scmid: default 54 | title: Update PVC names for updates.jenkins.io "redirections" service (httpd) 55 | spec: 56 | labels: 57 | - updates.jenkins.io 58 | - updates.jenkins.io-redirects 59 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/configs/allowed-github-hooks-ips.yaml: -------------------------------------------------------------------------------- 1 | name: Update allowed GitHub hooks IPs 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | 
repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | githubHooksIpV4: 17 | kind: shell 18 | name: get GitHub hooks IPv4s 19 | spec: # Queries api.github.com/meta, keeps the .hooks entries that contain no ':' (drops IPv6), sorts and comma-joins them. NOTE(review): the pipeline's exit status is jq's alone, so a failed curl that prints nothing may still succeed with an empty value; confirm an empty list can never be written to the allowlist keys below 20 | command: curl --silent --show-error https://api.github.com/meta | jq -r '.hooks | map(select(contains(":") | not)) | sort | join(",")' 21 | githubHooksIpV4YamlArray: 22 | kind: shell 23 | dependson: 24 | - githubHooksIpV4 25 | name: Format the IP list 26 | spec: # NOTE(review): the output of the previous source is substituted unquoted into this shell command line, so it is only as trustworthy as the HTTP response it came from; consider quoting the substitution 27 | command: echo {{ source `githubHooksIpV4` }} | sed 's/,/", "/g' 28 | 29 | targets: # Both targets rewrite source-IP allowlists in config/public-nginx-ingress_privatek8s.yaml, so every generated pull request is an access-control change 30 | allowIPsIngress: 31 | name: Update allowed IPs 32 | kind: yaml 33 | sourceid: githubHooksIpV4 34 | scmid: default 35 | spec: 36 | file: config/public-nginx-ingress_privatek8s.yaml 37 | key: controller.config.whitelist-source-range 38 | allowIPsLB: 39 | name: Update allowed IPs 40 | # It does not seem possible to split a string to a YAML array so using regexp in file mode instead 41 | kind: file 42 | sourceid: githubHooksIpV4YamlArray 43 | scmid: default 44 | spec: 45 | file: config/public-nginx-ingress_privatek8s.yaml 46 | matchpattern: 'loadBalancerSourceRanges(.*)' 47 | replacepattern: 'loadBalancerSourceRanges: ["{{ source `githubHooksIpV4YamlArray` }}"]' 48 | 49 | actions: 50 | default: 51 | kind: github/pullrequest 52 | scmid: default 53 | title: Update allowed GitHub hooks IPs in the public Nginx of privatek8s 54 | spec: 55 | labels: 56 | - public-nginx 57 | - privatek8s 58 | - github-hooks-ips 59 | -------------------------------------------------------------------------------- /config/publick8s_reports-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ingress: 3 | enabled: true 4 | className: public-nginx 5 | annotations: 6 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 7 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 8 | hosts: 9 | - host: reports.jenkins.io 10 | paths:
11 | - path: / 12 | tls: 13 | - secretName: reports-tls 14 | hosts: 15 | - reports.jenkins.io 16 | 17 | resources: 18 | limits: 19 | cpu: 200m 20 | memory: 256Mi 21 | requests: 22 | cpu: 20m 23 | memory: 32Mi 24 | htmlVolume: 25 | persistentVolumeClaim: 26 | claimName: reports-jenkins-io 27 | 28 | replicaCount: 2 29 | 30 | nodeSelector: 31 | kubernetes.io/arch: arm64 32 | 33 | tolerations: 34 | - key: "kubernetes.io/arch" 35 | operator: "Equal" 36 | value: "arm64" 37 | effect: "NoSchedule" 38 | 39 | affinity: 40 | podAntiAffinity: 41 | requiredDuringSchedulingIgnoredDuringExecution: 42 | - labelSelector: 43 | matchExpressions: 44 | - key: "app.kubernetes.io/name" 45 | operator: In 46 | values: 47 | - reports 48 | topologyKey: "kubernetes.io/hostname" 49 | nginx: # The location below serves the volume with directory listing on and pins Access-Control-Allow-Origin to https://www.jenkins.io, but it also allows credentials and echoes back whatever headers and method the preflight asks for. NOTE(review): confirm these static reports need credentialed cross-origin reads; if not, drop Allow-Credentials and list the allowed methods and headers explicitly 50 | overrideLocations: | 51 | location / { 52 | root /usr/share/nginx/html; 53 | index index.html index.htm; 54 | autoindex on; 55 | 56 | # Enable CORS from https://www.jenkins.io 57 | # 58 | add_header Access-Control-Allow-Origin "https://www.jenkins.io"; 59 | add_header Vary "Origin"; 60 | add_header Access-Control-Allow-Credentials true; 61 | add_header Access-Control-Allow-Headers $http_access_control_request_headers; 62 | add_header Access-Control-Allow-Methods $http_access_control_request_method; 63 | } 64 | 65 | podAnnotations: 66 | ad.datadoghq.com/nginx-website.logs: | 67 | [ 68 | {"source":"nginx","service":"reports.jenkins.io"} 69 | ] 70 | -------------------------------------------------------------------------------- /config/publick8s_builds-reports-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ingress: 3 | enabled: true 4 | className: public-nginx 5 | annotations: 6 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 7 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 8 | hosts: 9 | - host: builds.reports.jenkins.io 10 | paths: 11 | - path: / 12 | tls: # NOTE(review): same secretName (reports-tls) as config/publick8s_reports-jenkins-io.yaml but with a different host list; if both releases share a namespace they would contend for one certificate Secret, confirm 13 | - secretName: reports-tls 14 | hosts: 15 | -
builds.reports.jenkins.io 16 | 17 | resources: 18 | limits: 19 | cpu: 200m 20 | memory: 256Mi 21 | requests: 22 | cpu: 20m 23 | memory: 32Mi 24 | htmlVolume: 25 | persistentVolumeClaim: 26 | claimName: builds-reports-jenkins-io 27 | 28 | # No HA needed 29 | replicaCount: 1 30 | 31 | nodeSelector: 32 | kubernetes.io/arch: arm64 33 | 34 | tolerations: 35 | - key: "kubernetes.io/arch" 36 | operator: "Equal" 37 | value: "arm64" 38 | effect: "NoSchedule" 39 | 40 | affinity: 41 | podAntiAffinity: 42 | requiredDuringSchedulingIgnoredDuringExecution: 43 | - labelSelector: 44 | matchExpressions: 45 | - key: "app.kubernetes.io/name" 46 | operator: In 47 | values: 48 | - reports 49 | topologyKey: "kubernetes.io/hostname" 50 | 51 | nginx: # The location below serves the volume with directory listing on and pins Access-Control-Allow-Origin to https://www.jenkins.io, but it also allows credentials and echoes back whatever headers and method the preflight asks for. NOTE(review): confirm these build reports need credentialed cross-origin reads; if not, drop Allow-Credentials and list the allowed methods and headers explicitly 52 | overrideLocations: | 53 | location / { 54 | root /usr/share/nginx/html; 55 | index index.html index.htm; 56 | autoindex on; 57 | 58 | # Enable CORS from https://www.jenkins.io 59 | # 60 | add_header Access-Control-Allow-Origin "https://www.jenkins.io"; 61 | add_header Vary "Origin"; 62 | add_header Access-Control-Allow-Credentials true; 63 | add_header Access-Control-Allow-Headers $http_access_control_request_headers; 64 | add_header Access-Control-Allow-Methods $http_access_control_request_method; 65 | } 66 | 67 | podAnnotations: 68 | ad.datadoghq.com/nginx-website.logs: | 69 | [ 70 | {"source":"nginx","service":"builds.reports.jenkins.io"} 71 | ] 72 | -------------------------------------------------------------------------------- /config/hub-mirror_cijioagents2.yaml: -------------------------------------------------------------------------------- 1 | nodeSelector: 2 | kubernetes.io/arch: arm64 3 | jenkins: ci.jenkins.io 4 | role: applications 5 | 6 | tolerations: 7 | - key: "ci.jenkins.io/applications" 8 | operator: "Equal" 9 | value: "true" 10 | effect: "NoSchedule" 11 | 12 | resources: 13 | limits: 14 | # No CPU limit to avoid throttling 15 | memory: 4096Mi 16 | requests: 17 | cpu: 1.5 18 | memory: 4096Mi 19 | 20 | service: 21 |
type: LoadBalancer 22 | annotations: 23 | # Internal LB, with fixed IP in private subnet where EC2 VM agents are running 24 | # https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.3/guide/service/annotations/ 25 | service.beta.kubernetes.io/aws-load-balancer-type: "internal" 26 | service.beta.kubernetes.io/aws-load-balancer-scheme: "internal" 27 | # We want the LB to directly send requests to the Pod IPs (requires VPC-CNI) 28 | service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" 29 | # Tracked by updatecli (updatecli/updatecli.d/configs/docker-registry-aws.yaml) - NOTE(review): that file is not in the repository tree listing, where cijenkinsioagents2-hub-mirror.yaml looks like the current manifest; confirm and update the path 30 | service.beta.kubernetes.io/aws-load-balancer-subnets: "subnet-003b868ae937f290a" 31 | # Tracked by updatecli (updatecli/updatecli.d/configs/docker-registry-aws.yaml) 32 | service.beta.kubernetes.io/aws-load-balancer-private-ipv4-addresses: "10.0.131.247" 33 | service.beta.kubernetes.io/aws-load-balancer-ip-address-type: "ipv4" 34 | # Misc. 35 | service.beta.kubernetes.io/aws-load-balancer-alpn-policy: "HTTP2Preferred" 36 | 37 | proxy: # Registry runs as a pull-through proxy of the remoteurl below 38 | enabled: true 39 | remoteurl: "https://registry-1.docker.io" 40 | 41 | persistence: 42 | enabled: true 43 | deleteEnabled: true 44 | size: "250Gi" 45 | storageClass: ebs-csi-premium-retain-us-east-2a 46 | 47 | initContainers: # Recursively chowns the registry data volume to 1000:1000 before the registry starts 48 | - name: permission-fix 49 | image: "busybox" # NOTE(review): no registry, tag or digest, so this resolves to a mutable default tag, and the container presumably runs as root to chown; pin it (placeholder: busybox:<PINNED_TAG>@sha256:<DIGEST>) like the versioned images elsewhere in this repository 50 | command: ['chown', '-R', '1000:1000', '/var/lib/registry'] 51 | volumeMounts: 52 | - mountPath: /var/lib/registry 53 | name: data 54 | 55 | extraEnvVars: 56 | # Ref.
https://github.com/distribution/distribution/issues/2367#issuecomment-1874449361 57 | - name: REGISTRY_STORAGE_CACHE_BLOBDESCRIPTOR 58 | value: dummyvalue 59 | -------------------------------------------------------------------------------- /config/private-nginx-ingress__common.yaml: -------------------------------------------------------------------------------- 1 | defaultBackend: 2 | enabled: true 3 | image: 4 | repository: dockerhubmirror.azurecr.io/jenkinsciinfra/404 5 | tag: 0.4.104 6 | pullPolicy: IfNotPresent 7 | ## Unprivileged port as non root user and no escalation allowed 8 | port: 8080 9 | ## Volumes are required because rootfs is readonly 10 | extraVolumeMounts: 11 | - name: nginx-cache 12 | mountPath: /var/cache/nginx 13 | - name: nginx-rundir 14 | mountPath: /var/run/nginx 15 | - name: nginx-logs 16 | mountPath: /var/logs/nginx 17 | extraVolumes: 18 | - name: nginx-cache 19 | emptyDir: {} 20 | - name: nginx-rundir 21 | emptyDir: {} 22 | - name: nginx-logs 23 | emptyDir: {} 24 | controller: 25 | # Endpoint not needed. We have to be careful when using annotations in ingress though (check logs). 26 | admissionWebhooks: 27 | enabled: false 28 | config: 29 | log-format-upstream: '[$namespace:$ingress_name][$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id' 30 | # In order to use geoIP from the ingress controller, 31 | # we need to provide a maxmind license key. 32 | # I doubt we need it at the moment, hence this comment. 
33 | # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-geoip2 34 | use-geoip2: "true" 35 | replicaCount: 1 36 | ingressClassResource: 37 | enabled: true 38 | default: true 39 | controllerValue: k8s.io/ingress-private-nginx 40 | name: private-nginx 41 | # Parameters is a link to a custom resource containing additional 42 | # configuration for the controller. This is optional if the controller 43 | # does not require extra parameters. 44 | parameters: {} 45 | service: 46 | annotations: 47 | service.beta.kubernetes.io/azure-load-balancer-internal: true 48 | prometheus.io/scrape: "true" 49 | prometheus.io/port: "10254" 50 | externalTrafficPolicy: Local 51 | -------------------------------------------------------------------------------- /config/publick8s_stats-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ingress: 3 | enabled: true 4 | className: public-nginx 5 | annotations: 6 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 7 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 8 | hosts: 9 | - host: stats.jenkins.io 10 | paths: 11 | - path: / 12 | serviceName: stats-jenkins-io 13 | - host: new.stats.jenkins.io 14 | paths: 15 | - path: / 16 | serviceName: stats-jenkins-io 17 | tls: 18 | - secretName: stats-jenkins-io-tls 19 | hosts: 20 | - stats.jenkins.io 21 | - new.stats.jenkins.io 22 | 23 | resources: 24 | limits: 25 | cpu: 200m 26 | memory: 256Mi 27 | requests: 28 | cpu: 20m 29 | memory: 32Mi 30 | htmlVolume: 31 | persistentVolumeClaim: 32 | claimName: stats-jenkins-io 33 | 34 | replicaCount: 2 35 | 36 | nodeSelector: 37 | kubernetes.io/arch: arm64 38 | 39 | tolerations: 40 | - key: "kubernetes.io/arch" 41 | operator: "Equal" 42 | value: "arm64" 43 | effect: "NoSchedule" 44 | 45 | affinity: 46 | podAntiAffinity: 47 | requiredDuringSchedulingIgnoredDuringExecution: 48 | - labelSelector: 49 | matchExpressions: 50 | - key: "app.kubernetes.io/name" 51 | 
operator: In 52 | values: 53 | - stats-jenkins-io 54 | topologyKey: "kubernetes.io/hostname" 55 | 56 | nginx: 57 | overrideLocations: | 58 | location /pluginversions { 59 | root /usr/share/nginx/html; 60 | index index.html index.htm; 61 | autoindex on; 62 | } 63 | location /plugin-installation-trend { 64 | root /usr/share/nginx/html; 65 | index index.html index.htm; 66 | autoindex on; 67 | } 68 | location /jenkins-stats { 69 | root /usr/share/nginx/html; 70 | index index.html index.htm; 71 | autoindex on; 72 | } 73 | location / { 74 | root /usr/share/nginx/html; 75 | index index.html index.htm; 76 | autoindex on; 77 | try_files $uri /index.html; 78 | } 79 | 80 | podAnnotations: 81 | ad.datadoghq.com/nginx-website.logs: | 82 | [ 83 | {"source":"nginx","service":"stats.jenkins.io"} 84 | ] 85 | -------------------------------------------------------------------------------- /config/artifact-caching-proxy_aws-cijenkinsio-agents-2.yaml: -------------------------------------------------------------------------------- 1 | persistence: 2 | enabled: true 3 | size: 100 4 | storageClass: ebs-csi-premium-retain-us-east-2a 5 | 6 | nodeSelector: 7 | kubernetes.io/arch: arm64 8 | jenkins: ci.jenkins.io 9 | role: applications 10 | 11 | tolerations: 12 | - key: "ci.jenkins.io/applications" 13 | operator: "Equal" 14 | value: "true" 15 | effect: "NoSchedule" 16 | 17 | # We should never have 2 ACP replicas in the same host 18 | # Keep this even with only 1 replica 19 | affinity: 20 | podAntiAffinity: 21 | requiredDuringSchedulingIgnoredDuringExecution: 22 | - labelSelector: 23 | matchExpressions: 24 | - key: "app.kubernetes.io/name" 25 | operator: In 26 | values: 27 | - artifact-caching-proxy 28 | topologyKey: "kubernetes.io/hostname" 29 | 30 | service: 31 | type: LoadBalancer 32 | annotations: 33 | # Internal LB, with fixed IP in private subnet where EC2 VM agents are running 34 | # https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.3/guide/service/annotations/ 35 | 
service.beta.kubernetes.io/aws-load-balancer-type: "internal" 36 | service.beta.kubernetes.io/aws-load-balancer-scheme: "internal" 37 | # We want the LB to directly send requests to the Pod IPs (requires VPC-CNI) 38 | service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" 39 | # Tracked by updatecli (updatecli/updatecli.d/configs/acp-lb-aws.yaml) 40 | service.beta.kubernetes.io/aws-load-balancer-subnets: "subnet-003b868ae937f290a" 41 | # Tracked by updatecli (updatecli/updatecli.d/configs/acp-lb-aws.yaml) 42 | service.beta.kubernetes.io/aws-load-balancer-private-ipv4-addresses: "10.0.131.248" 43 | service.beta.kubernetes.io/aws-load-balancer-ip-address-type: "ipv4" 44 | # Misc. 45 | service.beta.kubernetes.io/aws-load-balancer-alpn-policy: "HTTP2Preferred" 46 | 47 | resources: 48 | limits: 49 | # No CPU limit to avoid throttling 50 | memory: 8192Mi 51 | requests: 52 | cpu: 1.5 53 | memory: 8192Mi 54 | 55 | # Only 1 node - https://github.com/jenkins-infra/helpdesk/issues/4545 56 | replicaCount: 1 57 | 58 | proxy: 59 | dnsResolver: "kube-dns.kube-system.svc.cluster.local 9.9.9.9" 60 | proxySslServerNameEnabled: true # Pass SNI to upstreams 61 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/jenkins-controllers/tools-maven.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bump Maven version (Jenkins tools) on infra.ci.jenkins.io 3 | 4 | scms: 5 | default: 6 | kind: github 7 | spec: 8 | user: "{{ .github.user }}" 9 | email: "{{ .github.email }}" 10 | owner: "{{ .github.owner }}" 11 | repository: "{{ .github.repository }}" 12 | token: "{{ requiredEnv .github.token }}" 13 | username: "{{ .github.username }}" 14 | branch: "{{ .github.branch }}" 15 | 16 | sources: 17 | getDeployedPackerImageVersion: 18 | kind: file 19 | name: Retrieve the current version of the Packer images used in production 20 | spec: 21 | file: 
./config/jenkins_infra.ci.jenkins.io.yaml 22 | matchpattern: 'galleryImageVersion:\s"(.*)"' 23 | transformers: 24 | - findsubmatch: 25 | pattern: 'galleryImageVersion:\s"(.*)"' 26 | captureindex: 1 27 | getMavenVersionFromPackerImages: 28 | kind: yaml 29 | name: Get the latest Maven version set in packer-images 30 | spec: 31 | file: https://raw.githubusercontent.com/jenkins-infra/packer-images/{{ source "getDeployedPackerImageVersion" }}/provisioning/tools-versions.yml 32 | key: $.maven_version 33 | 34 | conditions: 35 | checkIfMavenReleaseIsAvailable: 36 | kind: shell 37 | disablesourceinput: true 38 | spec: 39 | command: curl --connect-timeout 5 --location --head --fail --silent --show-error https://archive.apache.org/dist/maven/maven-3/{{ source `getMavenVersionFromPackerImages` }}/binaries/apache-maven-{{ source `getMavenVersionFromPackerImages` }}-bin.tar.gz 40 | 41 | targets: 42 | setMavenToolVersion: 43 | name: "Bump Maven tool version on infra.ci.jenkins.io" 44 | kind: file 45 | sourceid: getMavenVersionFromPackerImages 46 | spec: 47 | file: config/jenkins_infra.ci.jenkins.io.yaml 48 | matchpattern: '- maven:((\r\n|\r|\n)(\s+))id: .*' 49 | replacepattern: '- maven:${1}id: "{{ source "getMavenVersionFromPackerImages" }}"' 50 | scmid: default 51 | 52 | actions: 53 | default: 54 | kind: github/pullrequest 55 | scmid: default 56 | title: Bump Maven version (Jenkins tools) on infra.ci.jenkins.io to {{ source "getMavenVersionFromPackerImages" }} 57 | spec: 58 | labels: 59 | - dependencies 60 | - maven 61 | - infra.ci.jenkins.io 62 | -------------------------------------------------------------------------------- /config/publick8s_admin-accounts-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | ingressClassName: private-nginx 4 | annotations: 5 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 6 | "nginx.ingress.kubernetes.io/proxy-body-size": "500m" 7 | 
"nginx.ingress.kubernetes.io/affinity": "cookie" 8 | "nginx.ingress.kubernetes.io/affinity-mode": "persistent" 9 | rules: 10 | - host: admin.accounts.jenkins.io 11 | paths: 12 | - path: / 13 | pathType: Prefix 14 | tls: 15 | - hosts: 16 | - admin.accounts.jenkins.io 17 | secretName: keycloak-cert 18 | 19 | resources: 20 | limits: 21 | cpu: 2 22 | memory: 2048Mi 23 | requests: 24 | cpu: 200m 25 | memory: 1000Mi 26 | 27 | replicas: 1 28 | 29 | nodeSelector: 30 | kubernetes.io/arch: arm64 31 | 32 | tolerations: 33 | - key: "kubernetes.io/arch" 34 | operator: "Equal" 35 | value: "arm64" 36 | effect: "NoSchedule" 37 | 38 | extraInitContainers: | # Init container copies the theme files from the keycloak-theme image into the shared emptyDir mounted below 39 | - name: theme-provider 40 | image: dockerhubmirror.azurecr.io/jenkinsciinfra/keycloak-theme:0.1.40 41 | imagePullPolicy: IfNotPresent 42 | command: 43 | - sh 44 | args: 45 | - -c 46 | - | 47 | echo "Copying theme..." 48 | cp -R /jenkins/* /theme 49 | volumeMounts: 50 | - name: theme 51 | mountPath: /theme 52 | 53 | extraVolumeMounts: | 54 | - name: theme 55 | mountPath: /opt/jboss/keycloak/themes/jenkins 56 | 57 | extraVolumes: | 58 | - name: theme 59 | emptyDir: {} 60 | 61 | ## Database Setup 62 | # We already have a postgresql database 63 | postgresql: 64 | enabled: false 65 | extraEnv: | # NOTE(review): JAVA_OPTS below binds the management interface to :: (all addresses) and PROXY_ADDRESS_FORWARDING presumably makes Keycloak trust forwarded client-address headers; confirm only the ingress controller can reach the pod and that the management port is not published by a Service 66 | - name: PROXY_ADDRESS_FORWARDING 67 | value: "true" 68 | - name: KEYCLOAK_STATISTICS 69 | value: all 70 | - name: JAVA_OPTS 71 | value: >- 72 | -Djava.net.preferIPv4Stack=false 73 | -Djava.net.preferIPv6Addresses=true 74 | -Djboss.bind.address.private=::1 75 | -Djboss.bind.address.management=:: 76 | -Djboss.bind.address=:: 77 | -Djboss.modules.system.pkgs=org.jboss.byteman 78 | -Djava.awt.headless=true 79 | 80 | extraEnvFrom: | 81 | - secretRef: 82 | name: '{{ include "keycloak.fullname" . }}-db' 83 | - secretRef: 84 | name: '{{ include "keycloak.fullname" .
}}-http' 85 | 86 | podAnnotations: 87 | ad.datadoghq.com/keycloak.logs: | 88 | [ 89 | {"source":"keycloak","service":"admin.accounts.jenkins.io"} 90 | ] 91 | -------------------------------------------------------------------------------- /config/public-nginx-ingress__common.yaml: -------------------------------------------------------------------------------- 1 | defaultBackend: 2 | enabled: true 3 | image: 4 | repository: dockerhubmirror.azurecr.io/jenkinsciinfra/404 5 | tag: 0.4.104 6 | pullPolicy: IfNotPresent 7 | ## Unprivileged port as non root user and no escalation allowed 8 | port: 8080 9 | ## Volumes are required because rootfs is readonly 10 | extraVolumeMounts: 11 | - name: nginx-cache 12 | mountPath: /var/cache/nginx 13 | - name: nginx-rundir 14 | mountPath: /var/run/nginx 15 | - name: nginx-logs 16 | mountPath: /var/logs/nginx 17 | extraVolumes: 18 | - name: nginx-cache 19 | emptyDir: {} 20 | - name: nginx-rundir 21 | emptyDir: {} 22 | - name: nginx-logs 23 | emptyDir: {} 24 | controller: 25 | # Endpoint not needed. We have to be careful when using annotations in ingress though (check logs). 26 | admissionWebhooks: 27 | enabled: false 28 | config: 29 | log-format-upstream: '[$namespace:$ingress_name][$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id' 30 | # In order to use geoIP from the ingress controller, 31 | # we need to provide a maxmind license key. 32 | # I doubt we need it at the moment, hence this comment. 33 | # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-geoip2 34 | use-geoip2: "true" 35 | hsts: "true" 36 | hsts-preload: "true" 37 | hsts-include-subdomains: "true" 38 | # Strict-Transport-Security "max-age" directive recommended value is 2592000 (30 days). 
39 | hsts-max-age: "2592000" 40 | use-gzip: true # gzip types are the defaults: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#gzip-types 41 | enable-brotli: true # see default settings in https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#enable-brotli 42 | replicaCount: 1 43 | ingressClassResource: 44 | enabled: true 45 | default: false 46 | name: public-nginx 47 | controllerValue: k8s.io/ingress-public-nginx 48 | # Parameters is a link to a custom resource containing additional 49 | # configuration for the controller. This is optional if the controller 50 | # does not require extra parameters. 51 | parameters: {} 52 | publishService: 53 | enabled: true 54 | -------------------------------------------------------------------------------- /config/publick8s_ldap-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | service: 2 | type: LoadBalancer 3 | # Public IPv4 defined as code in https://github.com/jenkins-infra/azure/blob/main/ldap.jenkins.io.tf instead of requesting a random new public IP, useful for DNS setup and changes 4 | # TODO: track with updatecli from reports 5 | azurePip: 6 | name: publick8s-ldap-ipv4 7 | resourceGroup: prod-public-ips 8 | lbAllowSources: 9 | publick8s-out-lb: 52.167.80.175/32,20.15.16.178/32,20.10.211.149/32 10 | publick8s-pods: '10.100.0.0/14' 11 | # Tracked by updatecli - updatecli/updatecli.d/configs/ldap-restricted-ips.yaml 12 | puppet.jenkins.io: '20.12.27.65/32' 13 | # TODO: track with updatecli - https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 14 | trusted.ci.jenkins.io: '104.209.128.236/32' 15 | # TODO: track with updatecli - https://reports.jenkins.io/jenkins-infra-data-reports/azure-net.json 16 | private.vpn.jenkins.io: '52.232.183.117/32' 17 | # TODO: track with updatecli - https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 18 | cert.ci.jenkins.io: '104.209.153.13/32' 19 | # 
Provided by LF 20 | linuxfoundation-staging: '34.211.101.61/32' 21 | # Provided by LF 22 | linuxfoundation-prod: '44.240.22.235/32' 23 | # TODO: track with updatecli - https://reports.jenkins.io/jenkins-infra-data-reports/azure-net.json 24 | privatek8s-nat: '20.57.120.46/32,52.179.141.53/32' 25 | # Tracked by updatecli - updatecli/updatecli.d/configs/ldap-restricted-ips.yaml 26 | jfrog-artifactory: 34.233.58.83/32,34.201.191.93/32,18.214.241.149/32,54.236.124.56/32,34.199.85.0/32,54.204.174.26/32,54.237.44.112/32,52.1.113.0/32,52.86.38.82/32,44.198.238.218/32 27 | # Tracked by updatecli - updatecli/updatecli.d/configs/ldap-restricted-ips.yaml 28 | aws.ci.jenkins.io: '18.217.202.59/32' 29 | 30 | resources: 31 | limits: 32 | cpu: 2 33 | memory: 2048Mi 34 | requests: 35 | cpu: 200m 36 | memory: 512Mi 37 | 38 | nodeSelector: 39 | kubernetes.io/arch: arm64 40 | 41 | tolerations: 42 | - key: "kubernetes.io/arch" 43 | operator: "Equal" 44 | value: "arm64" 45 | effect: "NoSchedule" 46 | 47 | persistence: 48 | # Tracked by updatecli - updatecli/updatecli.d/configs/pvc-ldap.yaml 49 | customDataClaimName: ldap-jenkins-io-data 50 | # Tracked by updatecli - updatecli/updatecli.d/configs/pvc-ldap.yaml 51 | customBackupClaimName: ldap-jenkins-io-backup 52 | 53 | podAnnotations: 54 | ad.datadoghq.com/slapd.logs: | 55 | [ 56 | {"source":"openldap","service":"ldap.jenkins.io"} 57 | ] 58 | ad.datadoghq.com/crond.logs: | 59 | [ 60 | {"source":"crond","service":"ldap.jenkins.io"} 61 | ] 62 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/configs/cijenkinsioagents2-hub-mirror.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Update Docker Registry Hub Mirror Settings for AWS 3 | 4 | scms: 5 | default: 6 | kind: github 7 | spec: 8 | user: "{{ .github.user }}" 9 | email: "{{ .github.email }}" 10 | owner: "{{ .github.owner }}" 11 | repository: "{{ .github.repository }}" 12 | 
token: "{{ requiredEnv .github.token }}" 13 | username: "{{ .github.username }}" 14 | branch: "{{ .github.branch }}" 15 | 16 | sources: 17 | hubMirrorStorageClass: 18 | kind: json 19 | name: Retrieve the storage class to use for the "Docker Hub Registry Mirror" storage 20 | spec: 21 | file: https://reports.jenkins.io/jenkins-infra-data-reports/aws-sponsorship.json 22 | key: aws\.ci\.jenkins\.io.agents_kubernetes_clusters.cijenkinsio-agents-2.services.hub-mirror.storage_class 23 | 24 | hubMirrorAwsSubnets: 25 | kind: json 26 | name: Retrieve the list of subnet IDS for the "Docker Hub Registry Mirror" AWS LB 27 | spec: 28 | file: https://reports.jenkins.io/jenkins-infra-data-reports/aws-sponsorship.json 29 | key: aws\.ci\.jenkins\.io.agents_kubernetes_clusters.cijenkinsio-agents-2.services.hub-mirror.subnet_ids 30 | transformers: 31 | - trimprefix: '[' 32 | - trimsuffix: ']' 33 | - replacer: 34 | from: ' ' 35 | to: ',' 36 | hubMirrorLbIps: 37 | kind: json 38 | name: Retrieve the list of subnet IDS for the "Docker Hub Registry Mirror" AWS LB 39 | spec: 40 | file: https://reports.jenkins.io/jenkins-infra-data-reports/aws-sponsorship.json 41 | key: aws\.ci\.jenkins\.io.agents_kubernetes_clusters.cijenkinsio-agents-2.services.hub-mirror.ips 42 | transformers: 43 | - trimprefix: '[' 44 | - trimsuffix: ']' 45 | - replacer: 46 | from: ' ' 47 | to: ',' 48 | targets: 49 | updateHubMirrorLbIps: 50 | name: Update the "Docker Hub Registry Mirror" LB IPv4 51 | sourceid: hubMirrorLbIps 52 | kind: yaml 53 | transformers: 54 | - addprefix: '"' 55 | - addsuffix: '"' 56 | spec: 57 | file: config/hub-mirror_cijioagents2.yaml 58 | key: $.service.annotations.'service.beta.kubernetes.io/aws-load-balancer-private-ipv4-addresses' 59 | scmid: default 60 | updateHubMirrorLbSubnets: 61 | name: Update the "Docker Hub Registry Mirror" LB Subnets 62 | disablesourceinput: true # We need to combine 2 sources 63 | kind: yaml 64 | spec: 65 | file: config/hub-mirror_cijioagents2.yaml 66 | key: 
$.service.annotations.'service.beta.kubernetes.io/aws-load-balancer-subnets' 67 | value: '"{{ source `hubMirrorAwsSubnets` }}"' 68 | scmid: default 69 | 70 | actions: 71 | default: 72 | kind: github/pullrequest 73 | scmid: default 74 | title: Update Docker Registry Hub Mirror Settings for AWS 75 | spec: 76 | labels: 77 | - docker-registry 78 | - hub-mirror 79 | - cijenkinsioagents2 80 |
--------------------------------------------------------------------------------
/Jenkinsfile_k8s:
--------------------------------------------------------------------------------
// Declarative pipeline that lints the values under config/, then, once per cluster in the
// K8S_CLUSTER matrix, lints the cluster helmfile, publishes a diff on change requests and
// applies the helmfile on the 'main' branch.

// Periodic schedule (every 30 minutes, hashed) on the primary branch only;
// other branches get an empty cron expression.
def cronExpr = env.BRANCH_IS_PRIMARY ? 'H/30 * * * *' : ''

pipeline {
  // No global agent: each stage (or the matrix) declares its own.
  agent none

  options {
    buildDiscarder(logRotator(numToKeepStr: '10'))
    timeout(time: 30, unit: 'MINUTES')
    // One build at a time per job, so two runs cannot diff/apply concurrently.
    disableConcurrentBuilds()
  }

  triggers {
    cron (cronExpr)
  }

  stages {
    stage('Yaml Lint') {
      agent {
        label 'jnlp-linux-arm64'
      }
      steps {
        sh 'yamllint --config-file yamllint.config config'
      }
    } // stage 'Yaml Lint'
    stage('Kubernetes Management Tasks') {
      matrix {
        axes {
          axis {
            name 'K8S_CLUSTER'
            values 'publick8s', 'privatek8s', 'cijioagents2', 'infracijioagents2'
          }
        } // axes
        agent {
          label 'jnlp-linux-arm64'
        }
        // These bindings apply to every stage of every matrix cell, including the
        // 'Diff on Pull Request' stage that runs for change requests.
        // NOTE(review): that stage therefore runs PR-provided helmfiles and values with the
        // cluster kubeconfig and the SOPS decryption credentials in the environment;
        // confirm the job only builds change requests from trusted authors.
        environment {
          // One kubeconfig credential per cluster, selected by the matrix axis value.
          KUBECONFIG = credentials("kubeconfig-${K8S_CLUSTER}")
          // Required for secret decryption
          AZURE_TENANT_ID = credentials('sops-tenant-id')
          AZURE_CLIENT_ID = credentials('sops-client-id')
          AZURE_CLIENT_SECRET = credentials('sops-client-secret')
        }
        stages {
          stage('Prepare Environment'){
            steps {
              // Retrieve the private repository holding the SOPS encrypted YAML secrets into the local directory "./secrets"
              dir ('secrets'){
                git branch: 'main', credentialsId: 'github-app-infra', url: 'https://github.com/jenkins-infra/charts-secrets.git'
              }
              // Fails the stage early if the bound kubeconfig cannot reach the cluster.
              sh 'kubectl cluster-info'
            }
          }
          stage('Helmfile Lint'){
            steps {
              sh 'helmfile -f "clusters/${K8S_CLUSTER}.yaml" lint'
            }
          } // stage
          stage('Diff on Pull Request'){
            when {
              changeRequest()
            }
            steps {
              script {
                // The diff output is captured and then published below as the text of a check.
                // NOTE(review): presumably --suppress-secrets only hides Secret manifests; a
                // credential rendered into any other resource kind would still be part of
                // the published text. Verify against the charts in use.
                def diff = sh(
                  script:'helmfile -f "clusters/${K8S_CLUSTER}.yaml" diff --suppress-secrets --skip-deps --context=2 --concurrency=8',
                  returnStdout: true,
                ).trim()
                // Note the GitHub markdown formatting for the diff, to have syntax coloration
                publishChecks name: "helmfile-diff-${K8S_CLUSTER}", title: "Helmfile Diff for cluster ${K8S_CLUSTER}", text: '```diff\n' + diff + '\n```'
              }
            }
          } // stage
          stage('Apply'){
            // Only builds of the 'main' branch change the clusters.
            when {
              branch 'main'
            }
            steps {
              sh 'helmfile -f "clusters/${K8S_CLUSTER}.yaml" apply --suppress-secrets --concurrency=8'
            }
          } // stage
        } // stages
      } // matrix
    } // stage 'Kubernetes Management Tasks'
  } // stages
}
--------------------------------------------------------------------------------
/updatecli/updatecli.d/configs/pvc-get-jenkins-io-mirrorbits.yaml:
--------------------------------------------------------------------------------
1 | --- 2 | name: Update PVC names for get.jenkins.io "mirrorbits" service 3 | 4 | scms: 5 | default: 6 | kind: github 7 | spec: 8 | user: "{{ .github.user }}" 9 | email: "{{ .github.email }}" 10 | owner: "{{ .github.owner }}" 11 | repository: "{{ .github.repository }}" 12 | token: "{{ requiredEnv .github.token }}" 13 | username: "{{ .github.username }}" 14 | branch: "{{ .github.branch }}" 15 | 16 | sources: 17 | contentPvcName: 18 | kind: json 19 | name: Retrieve the PVC name for get-jenkins-io 20 | spec: 21 | file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 22 | key: .get\.jenkins\.io.mirrorbits.pvc_name 23 | contentPvcSubdir: 24 | kind: json 25 | name: Retrieve the subdir inside the PVC for component "mirrorbits" in get-jenkins-io 26 | spec: 27 | file: 
https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 28 | key: .get\.jenkins\.io.mirrorbits.share_uri 29 | transformers: 30 | - addprefix: '.' 31 | geoipdataPvcName: 32 | kind: json 33 | name: Retrieve the pvc name for geoipdata 34 | spec: 35 | file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 36 | key: .get\.jenkins\.io.geoipdata.pvc_name 37 | geoipdataPvcSubdir: 38 | kind: json 39 | name: Retrieve the subdir inside the PVC for component "geoipdata" in get-jenkins-io 40 | spec: 41 | file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 42 | key: .get\.jenkins\.io.geoipdata.share_uri 43 | transformers: 44 | - addprefix: '.' 45 | 46 | targets: 47 | updateContentPvcName: 48 | sourceid: contentPvcName 49 | name: Update get-jenkins-io-mirrorbits "repository" PVC name 50 | kind: yaml 51 | spec: 52 | file: config/publick8s_get-jenkins-io-mirrorbits.yaml 53 | key: $.repository.name 54 | scmid: default 55 | updateContentPvcSubdir: 56 | sourceid: contentPvcSubdir 57 | kind: yaml 58 | name: Update get-jenkins-io-mirrorbits "repository" PVC subDir mount 59 | spec: 60 | file: config/publick8s_get-jenkins-io-mirrorbits.yaml 61 | key: $.repository.subDir 62 | scmid: default 63 | updateGeoipdataPvcName: 64 | sourceid: geoipdataPvcName 65 | name: Update get-jenkins-io-mirrorbits "geoipdata" PVC name 66 | kind: yaml 67 | spec: 68 | file: config/publick8s_get-jenkins-io-mirrorbits.yaml 69 | key: $.geoipdata.existingPVCName 70 | scmid: default 71 | updateGeoipdataPvcSubdir: 72 | sourceid: geoipdataPvcSubdir 73 | kind: yaml 74 | name: Update get-jenkins-io-mirrorbits "geoipdata" PVC subDir mount 75 | spec: 76 | file: config/publick8s_get-jenkins-io-mirrorbits.yaml 77 | key: $.geoipdata.subDir 78 | scmid: default 79 | 80 | actions: 81 | default: 82 | kind: github/pullrequest 83 | scmid: default 84 | title: Update PVC names for get.jenkins.io "mirrorbits" service (mirrorbits) 85 | spec: 86 | labels: 87 | - get.jenkins.io 88 | - geoipdata 
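89 | - mirrorbits 90 |
--------------------------------------------------------------------------------
/updatecli/updatecli.d/configs/cijenkinsioagents2-acp-lb.yaml:
--------------------------------------------------------------------------------
---
# updatecli manifest: reads the Artifact Caching Proxy (ACP) load balancer subnets, load
# balancer IPs and storage class from the aws-sponsorship.json infra report and proposes
# the resulting values-file changes through a GitHub pull request.
name: Update Artifact Caching Proxy AWS Settings

scms:
  default:
    kind: github
    spec:
      user: "{{ .github.user }}"
      email: "{{ .github.email }}"
      owner: "{{ .github.owner }}"
      repository: "{{ .github.repository }}"
      # The token is read from the environment (requiredEnv), not stored in this file.
      token: "{{ requiredEnv .github.token }}"
      username: "{{ .github.username }}"
      branch: "{{ .github.branch }}"

sources:
  acpAwsSubnets:
    kind: json
    name: Retrieve the list of subnet IDS for the ACP AWS LB from infra report
    spec:
      file: https://reports.jenkins.io/jenkins-infra-data-reports/aws-sponsorship.json
      key: aws\.ci\.jenkins\.io.agents_kubernetes_clusters.cijenkinsio-agents-2.services.artifact-caching-proxy.subnet_ids
    # Strip the surrounding brackets and turn the space-separated list into a comma-separated string
    transformers:
      - trimprefix: '['
      - trimsuffix: ']'
      - replacer:
          from: ' '
          to: ','
  acpLbIps:
    kind: json
    # This source reads the `.ips` key; the name previously repeated the subnet-IDs wording.
    name: Retrieve the list of IPs for the ACP AWS LB from infra report
    spec:
      file: https://reports.jenkins.io/jenkins-infra-data-reports/aws-sponsorship.json
      key: aws\.ci\.jenkins\.io.agents_kubernetes_clusters.cijenkinsio-agents-2.services.artifact-caching-proxy.ips
    # Strip the surrounding brackets and turn the space-separated list into a comma-separated string
    transformers:
      - trimprefix: '['
      - trimsuffix: ']'
      - replacer:
          from: ' '
          to: ','
  acpStorageClass:
    kind: json
    name: Retrieve the storage class to use for the ACP storage
    spec:
      file: https://reports.jenkins.io/jenkins-infra-data-reports/aws-sponsorship.json
      key: aws\.ci\.jenkins\.io.agents_kubernetes_clusters.cijenkinsio-agents-2.services.artifact-caching-proxy.storage_class

targets:
  updateAcpLbIps:
    name: Update ACP LB IPv4
    sourceid: acpLbIps
    kind: yaml
    # Wrap the comma-separated list in double quotes before writing it
    transformers:
      - addprefix: '"'
      - addsuffix: '"'
    spec:
      file: config/artifact-caching-proxy_aws-cijenkinsio-agents-2.yaml
      key: $.service.annotations.'service.beta.kubernetes.io/aws-load-balancer-private-ipv4-addresses'
    scmid: default
  updateAcpLbSubnets:
    name: Update ACP LB Subnets
    # NOTE(review): only the `acpAwsSubnets` source is referenced in `value` below.
    disablesourceinput: true # We need to combine 2 sources
    kind: yaml
    spec:
      file: config/artifact-caching-proxy_aws-cijenkinsio-agents-2.yaml
      key: $.service.annotations.'service.beta.kubernetes.io/aws-load-balancer-subnets'
      value: '"{{ source `acpAwsSubnets` }}"'
    scmid: default
  updateAcpStorageClass:
    name: Update ACP Storage Class
    sourceid: acpStorageClass
    kind: yaml
    spec:
      # NOTE(review): this target writes the ACP storage class into the hub-mirror values
      # file, while the two targets above write to the artifact-caching-proxy values file.
      # Confirm the path is intended and not a copy-paste from the hub-mirror manifest.
      file: config/hub-mirror_cijioagents2.yaml
      key: $.persistence.storageClass
    scmid: default

actions:
  default:
    kind: github/pullrequest
    scmid: default
    title: Update configuration of the Artifact Caching Proxy for AWS
    spec:
      labels:
        - artifact-caching-proxy
        - cijenkinsioagents2
--------------------------------------------------------------------------------
/updatecli/updatecli.d/configs/cijenkinsioagents2-jenkins-kubernetes-agents.yaml:
--------------------------------------------------------------------------------
1 | name: Update Jenkins Kubernetes Agents Configuration for cijenkinsioagents2 2 | 3 | scms: 4 | default: 5 | kind: github 6 | spec: 7 | user: "{{ .github.user }}" 8 | email: "{{ .github.email }}" 9 | owner: "{{ .github.owner }}" 10 | repository: "{{ .github.repository }}" 11 | token: "{{ requiredEnv .github.token }}" 12 | username: "{{ .github.username }}" 13 | branch: "{{ .github.branch }}" 14 | 15 | sources: 16 | getMainGroup: 17 | kind: yaml 18 | name: Retrieve the main kubernetes group 19 | spec: 20 | file: https://reports.jenkins.io/jenkins-infra-data-reports/aws-sponsorship.json 21 | key: $.'aws.ci.jenkins.io'.agents_kubernetes_clusters.cijenkinsio-agents-2.kubernetes_groups[0] 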
22 | transformers: 23 | - trimprefix: '"' 24 | - trimsuffix: '"' 25 | ci.jenkins.io-agents-2_maxcapacity: 26 | kind: yaml 27 | name: get the maximum allowed pods capacity in ci.jenkins.io-agents-2, namespace 'jenkins-agents' 28 | spec: 29 | file: https://reports.jenkins.io/jenkins-infra-data-reports/aws-sponsorship.json 30 | key: $.'aws.ci.jenkins.io'.agents_kubernetes_clusters.cijenkinsio-agents-2.agents_namespaces.jenkins-agents.pods_quota 31 | ci.jenkins.io-agents-2_bom_maxcapacity: 32 | kind: yaml 33 | name: get the maximum allowed pods capacity in ci.jenkins.io-agents-2, namespace 'jenkins-agents-bom' 34 | spec: 35 | file: https://reports.jenkins.io/jenkins-infra-data-reports/aws-sponsorship.json 36 | key: $.'aws.ci.jenkins.io'.agents_kubernetes_clusters.cijenkinsio-agents-2.agents_namespaces.jenkins-agents-bom.pods_quota 37 | 38 | targets: 39 | updateGroupForAgents: 40 | sourceid: getMainGroup 41 | name: Update group in "normal" agents setup 42 | kind: yaml 43 | spec: 44 | file: config/jenkins-kubernetes-agents_ci.jenkins.io_cijioagents2.yaml 45 | key: $.groups[0] 46 | scmid: default 47 | updateGroupForBomAgents: 48 | sourceid: getMainGroup 49 | name: Update group in "BOM" agents setup 50 | kind: yaml 51 | spec: 52 | file: config/jenkins-kubernetes-agents_ci.jenkins.io_cijioagents2-bom.yaml 53 | key: $.groups[0] 54 | scmid: default 55 | pod_quotas_ci.jenkins.io-agents-2: 56 | name: "Update the pods quotas in kubernetes for ci.jenkins.io-agents-2" 57 | kind: yaml 58 | sourceid: ci.jenkins.io-agents-2_maxcapacity 59 | spec: 60 | file: config/jenkins-kubernetes-agents_ci.jenkins.io_cijioagents2.yaml 61 | key: $.quotas.pods 62 | scmid: default 63 | pod_quotas_ci.jenkins.io-agents-2_bom: 64 | name: "Update the pods quotas in kubernetes for ci.jenkins.io-agents-2-bom" 65 | kind: yaml 66 | sourceid: ci.jenkins.io-agents-2_bom_maxcapacity 67 | spec: 68 | file: config/jenkins-kubernetes-agents_ci.jenkins.io_cijioagents2-bom.yaml 69 | key: $.quotas.pods 70 | scmid: 
default 71 | 72 | actions: 73 | default: 74 | kind: github/pullrequest 75 | scmid: default 76 | title: Update Jenkins Kubernetes Agents Configuration for cijenkinsioagents-2 77 | spec: 78 | labels: 79 | - dependencies 80 | - jenkins-kubernetes-agents 81 | - cijenkinsioagents2 82 | -------------------------------------------------------------------------------- /updatecli/updatecli.d/configs/pvc-updates-jenkins-io-content.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Update PVC names for updates.jenkins.io "content" service (mirrorbits) 3 | 4 | scms: 5 | default: 6 | kind: github 7 | spec: 8 | user: "{{ .github.user }}" 9 | email: "{{ .github.email }}" 10 | owner: "{{ .github.owner }}" 11 | repository: "{{ .github.repository }}" 12 | token: "{{ requiredEnv .github.token }}" 13 | username: "{{ .github.username }}" 14 | branch: "{{ .github.branch }}" 15 | 16 | sources: 17 | contentPvcName: 18 | kind: json 19 | name: Retrieve the PVC name for updates-jenkins-io 20 | spec: 21 | file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 22 | key: .updates\.jenkins\.io.content.pvc_name 23 | contentPvcSubdir: 24 | kind: json 25 | name: Retrieve the subdir inside the PVC for component "content" in updates-jenkins-io 26 | spec: 27 | file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 28 | key: .updates\.jenkins\.io.content.share_uri 29 | transformers: 30 | - addprefix: '.' 
31 | geoipdataPvcName: 32 | kind: json 33 | name: Retrieve the pvc name for geoipdata 34 | spec: 35 | file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 36 | key: .updates\.jenkins\.io.geoipdata.pvc_name 37 | geoipdataPvcSubdir: 38 | kind: json 39 | name: Retrieve the subdir inside the PVC for component "geoipdata" in updates-jenkins-io 40 | spec: 41 | file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json 42 | key: .updates\.jenkins\.io.geoipdata.share_uri 43 | transformers: 44 | - addprefix: '.' 45 | 46 | targets: 47 | updateContentPvcName: 48 | sourceid: contentPvcName 49 | name: Update updates-jenkins-io-content "repository" PVC name 50 | kind: yaml 51 | spec: 52 | file: config/publick8s_updates-jenkins-io-content.yaml 53 | key: $.repository.name 54 | scmid: default 55 | updateContentPvcSubdir: 56 | sourceid: contentPvcSubdir 57 | kind: yaml 58 | name: Update updates-jenkins-io-content "repository" PVC subDir mount 59 | spec: 60 | file: config/publick8s_updates-jenkins-io-content.yaml 61 | key: $.repository.subDir 62 | scmid: default 63 | updateRsyncContentPvcName: 64 | sourceid: contentPvcName 65 | name: Update updates-jenkins-io-rsync PVC name 66 | kind: yaml 67 | spec: 68 | file: config/publick8s_updates-jenkins-io-rsync.yaml 69 | key: $.configuration.components[0].volumeTpl 70 | scmid: default 71 | updateRsyncContentPvcSubdir: 72 | sourceid: contentPvcSubdir 73 | kind: yaml 74 | name: Update updates-jenkins-io-rsync PVC subDir mount 75 | spec: 76 | file: config/publick8s_updates-jenkins-io-rsync.yaml 77 | key: $.configuration.components[0].volumeSubDir 78 | scmid: default 79 | updateGeoipdataPvcName: 80 | sourceid: geoipdataPvcName 81 | name: Update updates-jenkins-io-content "geoipdata" PVC name 82 | kind: yaml 83 | spec: 84 | file: config/publick8s_updates-jenkins-io-content.yaml 85 | key: $.geoipdata.existingPVCName 86 | scmid: default 87 | updateGeoipdataPvcSubdir: 88 | sourceid: geoipdataPvcSubdir 89 | kind: yaml 90 
| name: Update updates-jenkins-io-content "geoipdata" PVC subDir mount 91 | spec: 92 | file: config/publick8s_updates-jenkins-io-content.yaml 93 | key: $.geoipdata.subDir 94 | scmid: default 95 | 96 | actions: 97 | default: 98 | kind: github/pullrequest 99 | scmid: default 100 | title: Update PVC names for updates.jenkins.io "content" service (mirrorbits) 101 | spec: 102 | labels: 103 | - updates.jenkins.io 104 | - geoipdata 105 | - updates.jenkins.io-content 106 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | The Jenkins Infrastructure Charts project accepts contributions via GitHub pull requests. This document outlines the process to help get your contribution accepted. 4 | 5 | ## Sign Your Work 6 | 7 | The sign-off is a simple line at the end of the explanation for a commit. All commits need to be signed off. Your signature certifies that you wrote the patch or otherwise have the right to contribute the material. 8 | 9 | Then you just add a line to every git commit message: 10 | 11 | Signed-off-by: Joe Smith 12 | 13 | If you set your user.name and user.email git configs, you can sign off your commit automatically with git commit -s (this adds the Signed-off-by line; it is not a cryptographic signature). 
14 | 15 | Note: If your git config information is set properly, the git log entry for your commit will look something like this: 16 | 17 | Author: Joe Smith 18 | Date: Thu Feb 2 11:41:15 2018 -0800 19 | 20 | Update README 21 | 22 | Signed-off-by: Joe Smith 23 | 24 | 25 | ## How to Contribute 26 | 27 | 28 | - If you want to contribute, or to report an issue or a bug with one of the services run by the Jenkins project, open an issue on [the jenkins-infra/helpdesk repository](https://github.com/jenkins-infra/helpdesk) and explain the goal and expected results before sending a Pull Request 29 | 30 | - The jenkins-infra chart contributions are described in another repository (link: https://github.com/jenkins-infra/helm-charts/blob/main/CONTRIBUTING.md) 31 | 32 | ### Technical Requirements 33 | 34 | * All Chart dependencies should also be submitted independently 35 | * Must pass the linter (helm lint) 36 | * Must successfully launch with default values (helm install .) 37 | * All pods go to the running state (or NOTES.txt provides further instructions if a required value is missing e.g. 
minecraft) 38 | * All services have at least one endpoint 39 | * Must include source GitHub repositories for images used in the Chart 40 | * Images should not have any major security vulnerabilities 41 | * Must be up-to-date with the latest stable Helm/Kubernetes features 42 | * Use Deployments in favor of ReplicationControllers 43 | * Should follow Kubernetes best practices 44 | * Include Health Checks wherever practical 45 | * Allow configurable resource requests and limits 46 | * Provide a method for data persistence (if applicable) 47 | * Support application upgrades 48 | * Allow customization of the application configuration 49 | * Provide a secure default configuration 50 | * Do not leverage alpha features of Kubernetes 51 | * Includes a NOTES.txt explaining how to use the application after install 52 | * Follows best practices (especially for labels and values) 53 | 54 | ### Documentation Requirements 55 | 56 | * Must include an in-depth README.md, including: 57 | * Short description of the Chart 58 | * Any prerequisites or requirements 59 | * Customization: explaining options in values.yaml and their defaults 60 | * Must include a short NOTES.txt, including: 61 | * Any relevant post-installation information for the Chart 62 | * Instructions on how to access the application or service provided by the Chart 63 | 64 | ### Merge Approval and Release Process 65 | 66 | A Jenkins infrastructure Charts maintainer will review the Chart change submission. No pull request can be merged until at least one maintainer approves it. 67 | 68 | Once the pull request has been merged, changes will automatically be applied. 69 | 70 | ## Support Channels 71 | 72 | Whether you are a user or contributor, you can contact us through the [chat channels](https://www.jenkins.io/chat/#jenkins-infra) or through the [community forum](https://community.jenkins.io/). 
73 | 74 | Before opening a new issue or submitting a new pull request, it's helpful to search the project - it's likely that another user has already reported the issue you're facing, or it's a known issue that we're already aware of. 75 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Jenkins Infrastructure Kubernetes Management 2 | 3 | This repository contains the helmfile manifests' values used by the Jenkins infrastructure project to manage the applications on its Kubernetes clusters. 4 | 5 | The charts used come from [the helm charts repository](https://github.com/jenkins-infra/helm-charts/) and external providers. 6 | 7 | ## Contributing 8 | 9 | The Jenkins Infrastructure Kubernetes Management project accepts contributions via GitHub pull requests, 10 | more information in [CONTRIBUTING.md](https://github.com/jenkins-infra/kubernetes-management/blob/main/CONTRIBUTING.md) 11 | 12 | ## Issues 13 | 14 | Any issue can be reported on our [help desk issue tracker](https://github.com/jenkins-infra/helpdesk/). 
15 | 16 | ## Repository Structure 17 | 18 | This project contains the following main directories: 19 | 20 | * `clusters`: This folder contains the per-cluster [helmfiles](https://github.com/helmfile/helmfile) with the releases to apply per cluster 21 | * `config`: This folder contains the specific configuration for our environments 22 | * `updatecli`: This folder contains the [updatecli](https://github.com/updatecli/updatecli/) manifests to keep all Helm charts and Docker images versions up to date 23 | 24 | ## Requirements 25 | 26 | This project requires the following tools (more details within the [DockerFile](https://github.com/jenkins-infra/docker-helmfile/blob/main/Dockerfile)): 27 | 28 | * `az` 29 | * `awscli` 30 | * `doctl` 31 | * `kubectl` 32 | * `helm` 33 | * `helmfile` 34 | * `sops` 35 | * the following 3 Helm plugins: 36 | * `helm-diff` 37 | * `helm-secrets` 38 | * `helm-git` 39 | 40 | 41 | ## Secrets 42 | 43 | Secrets are encrypted with [sops](https://github.com/mozilla/sops), a default configuration is defined in `.sops.yaml`. 44 | Currently there are two kinds of encryption keys: a GPG key and an Azure Key Vault (accessible from Kubernetes clusters). 45 | 46 | All secrets are expected to be found in the `./secrets` folder which is absent by default and [(git)ignored](https://git-scm.com/docs/gitignore). 
47 | 48 | If you have the right to access the secrets, you can set up the local `./secrets` folder from the (private) repository [jenkins-infra/charts-secrets](https://github.com/jenkins-infra/charts-secrets.git) with the following command: 49 | 50 | ```bash 51 | git clone https://github.com/jenkins-infra/charts-secrets.git ./secrets 52 | ``` 53 | 54 | Then, you can edit an app secret by using the `sops ./secrets/config//secrets.yaml` command that will create a blank secrets.yaml file ready to get encrypted as soon as it's saved and closed (you may need to add your ip on the azure key vault to get access) [sops examples](https://github.com/mozilla/sops#creating-a-new-file). 55 | 56 | ## Remarks 57 | 58 | * We need one Jenkins instance per cluster to be able to split cluster orchestration tasks outside release.ci.jenkins.io 59 | 60 | * If RBAC is enabled on the cluster, before being able to use Helm we need to create a Service Account for Helm with the right Cluster Role Binding with this command: `kubectl apply -f helm/rbac.yaml` 61 | 62 | ## Minikube 63 | 64 | ```bash 65 | minikube start --kubernetes-version v1.20.13 66 | minikube addons enable ingress 67 | helm install stable/nginx-ingress nginx-ingress # we can't install the ingress defined in this repository for local testing 68 | kubectl -n release port-forward default-release-jenkins-77fd54976f-ns2c6 8081:8080 69 | 70 | kubectl get secrets -n release default-release-jenkins -o json 71 | ``` 72 | 73 | ## How to debug deployments 74 | 75 | ``` 76 | helmfile template --no-color -f clusters/.yaml -l name= 77 | ``` 78 | 79 | ## Links 80 | 81 | * [Helmfile](https://github.com/helmfile/helmfile) 82 | * [Kubernetes management](https://github.com/helm/kubernetes-management) 83 | * [Helm Charts](https://github.com/helm/helm-charts) 84 | * [Sops](https://github.com/mozilla/sops) 85 | * [Updatecli](https://github.com/updatecli/updatecli) 86 | 
--------------------------------------------------------------------------------
/updatecli/updatecli.d/configs/ldap-restricted-ips.yaml:
--------------------------------------------------------------------------------
# updatecli manifest. Each source reads an IP/CIDR list from a remote JSON
# document, each target writes it under service.lbAllowSources in
# config/publick8s_ldap-jenkins-io.yaml, and the action proposes the result
# as a GitHub pull request.
# NOTE(review): going by this manifest's name, these entries decide who may
# reach LDAP, so every added or widened range in the generated pull request
# deserves a human check before merge.
name: Update list of IPs allowed to access LDAP

scms:
  default:
    kind: github
    spec:
      user: "{{ .github.user }}"
      email: "{{ .github.email }}"
      owner: "{{ .github.owner }}"
      repository: "{{ .github.repository }}"
      # The token is resolved from the environment at run time (requiredEnv);
      # no credential is stored in this file.
      token: "{{ requiredEnv .github.token }}"
      username: "{{ .github.username }}"
      branch: "{{ .github.branch }}"

sources:
  puppet.jenkins.io:
    kind: json
    spec:
      file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json
      key: .puppet\.jenkins\.io.outbound_ips
    # Wrap the value as a quoted host CIDR: 'IP/32'
    transformers:
      - addprefix: "'"
      - addsuffix: '/32'
      - addsuffix: "'"

  publick8s-lb:
    kind: json
    spec:
      file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json
      key: .publick8s.lb_outbound_ips.ipv4
    # Strip the surrounding brackets, turn each space separator into '/32,'
    # and append a final '/32'
    # (assumes the value renders as '[a b c]' - TODO confirm)
    transformers:
      - trimprefix: '['
      - trimsuffix: ']'
      - replacer:
          from: ' '
          to: '/32,'
      - addsuffix: '/32'

  publick8s-pods:
    kind: json
    spec:
      file: https://reports.jenkins.io/jenkins-infra-data-reports/azure.json
      # IPv4 is always the first element
      key: .publick8s.pod_cidrs.[0]
    # Only quotes the value; the CIDR itself is written as published
    transformers:
      - addprefix: "'"
      - addsuffix: "'"

  # https://jfrog.com/knowledge-base/what-are-artifactory-cloud-nated-ips/
  # NOTE(review): unlike the other sources, this list is read from a
  # third-party endpoint; a change published there ends up in the LDAP
  # allow-list pull request.
  jfrog:
    kind: json
    spec:
      file: https://my.jfrog.com/api/jmis/v1/ip-ranges
      # Dasel v1 query
      key: .(cloud=aws)(region=us-east-1)(service=jfrog_cloud_cidr).cidr
    # Turn the JSON list into a single comma-separated string
    transformers:
      - trimprefix: '['
      - trimsuffix: ']'
      - replacer:
          from: ' '
          to: ','

  aws-ci-jenkins-io:
    kind: json
    spec:
      file: https://reports.jenkins.io/jenkins-infra-data-reports/aws-sponsorship.json
      key: .aws\.ci\.jenkins\.io.service_ips.ipv4
    # Quoting for this value is added on the target side (see the matching target)
    transformers:
      - addsuffix: "/32"

# Every target edits the same file; only the lbAllowSources entry differs.
targets:
  puppet.jenkins.io:
    name: Update puppet.jenkins.io CIDR in the LDAP configuration
    kind: yaml
    sourceid: puppet.jenkins.io
    spec:
      file: config/publick8s_ldap-jenkins-io.yaml
      key: $.service.lbAllowSources.'puppet.jenkins.io'
    scmid: default

  publick8s-pods:
    name: Update publick8s pod CIDRs in the LDAP configuration
    kind: yaml
    sourceid: publick8s-pods
    spec:
      file: config/publick8s_ldap-jenkins-io.yaml
      key: $.service.lbAllowSources.publick8s-pods
    scmid: default

  publick8s-lb:
    name: Update publick8s outbound LB CIDRs in the LDAP configuration
    kind: yaml
    sourceid: publick8s-lb
    spec:
      file: config/publick8s_ldap-jenkins-io.yaml
      key: $.service.lbAllowSources.publick8s-out-lb
    scmid: default

  aws-ci-jenkins-io:
    name: Update aws.ci.jenkins.io CIDR in the LDAP configuration
    kind: yaml
    sourceid: aws-ci-jenkins-io
    # Quotes the '/32'-suffixed value coming from the source
    transformers:
      - addprefix: "'"
      - addsuffix: "'"
    spec:
      file: config/publick8s_ldap-jenkins-io.yaml
      key: $.service.lbAllowSources.'aws.ci.jenkins.io'
    scmid: default

  jfrog:
    name: Update JFrog CIDRs in the LDAP configuration
    kind: yaml
    sourceid: jfrog
    spec:
      file: config/publick8s_ldap-jenkins-io.yaml
      key: $.service.lbAllowSources.jfrog-artifactory
    scmid: default

# Changes are proposed as a pull request on the scm above
actions:
  default:
    kind: github/pullrequest
    scmid: default
    title: Update list of IPs allowed to access LDAP
    spec:
      labels:
        - enhancement
        - ldap

--------------------------------------------------------------------------------
/config/publick8s_updates-jenkins-io-content.yaml:
-------------------------------------------------------------------------------- 1 | enabled: true 2 | replicaCount: 2 3 | resources: 4 | limits: 5 | cpu: 2 6 | memory: 2048Mi 7 | requests: 8 | cpu: 100m 9 | memory: 200Mi 10 | nodeSelector: 11 | kubernetes.io/arch: arm64 12 | tolerations: 13 | - key: "kubernetes.io/arch" 14 | operator: "Equal" 15 | value: "arm64" 16 | effect: "NoSchedule" 17 | podSecurityContext: 18 | runAsUser: 1000 # User 'mirrorbits' 19 | runAsGroup: 1000 # Group 'mirrorbits' 20 | runAsNonRoot: true 21 | containerSecurityContext: 22 | readOnlyRootFilesystem: true 23 | allowPrivilegeEscalation: false 24 | capabilities: 25 | drop: 26 | - ALL 27 | repository: 28 | name: updates-jenkins-io 29 | existingPVC: true 30 | subDir: ./updates.jenkins.io/content/ 31 | config: 32 | # Ingress already does gzip/brotli 33 | gzip: false 34 | traceFile: /TIME 35 | # Do not answer mirrorbits API JSON content when accept header is set to application/json (behavior with default value "auto") 36 | outputMode: redirect 37 | redis: 38 | sentinelMasterName: mymaster 39 | sentinels: 40 | - redis-redis-ha.redis.svc.cluster.local:26379 41 | # password is stored in SOPS secrets 42 | ## RedisDB - Use 0 for staging and 1, get.jio production and 2 for update.jio production 43 | dbId: 2 44 | ## Interval between two scans of the local repository. 45 | ## This should, more or less, match the frequency where the local repo is updated. 46 | ## TODO: set it once a day once the update-center2 would run a `mirrorbits refresh` command by itself 47 | repositoryScanInterval: 10 48 | ## Interval in minutes between mirror scan 49 | ## Once a day is enough as jenkins-infra/update-center2 runs it every X min. 50 | scanInterval: 1440 51 | checkInterval: 1 52 | disallowRedirects: false 53 | disableOnMissingFile: false 54 | ## List of mirrors to use as fallback which will be used in case mirrorbits 55 | ## is unable to answer a request because the database is unreachable. 
56 | ## Note: Mirrorbits will redirect to one of these mirrors based on the user 57 | ## location but won't be able to know if the mirror has the requested file. 58 | ## Therefore only put your most reliable and up-to-date mirrors here. 59 | fallbacks: 60 | # We always fall back to this mirror. Useful to serve stale file during a mirror scan 61 | - url: https://archives.jenkins.io/update-center/ 62 | countryCode: DE 63 | continentCode: EU 64 | cli: 65 | enabled: true 66 | service: 67 | type: LoadBalancer 68 | annotations: 69 | service.beta.kubernetes.io/azure-load-balancer-internal: "true" 70 | service.beta.kubernetes.io/azure-pls-create: "true" 71 | service.beta.kubernetes.io/azure-pls-name: "publick8s-updates.jenkins.io" 72 | service.beta.kubernetes.io/azure-pls-ip-configuration-subnet: "publick8s" 73 | service.beta.kubernetes.io/azure-pls-visibility: "dff2ec18-6a8e-405c-8e45-b7df7465acf0" 74 | service.beta.kubernetes.io/azure-pls-auto-approval: "dff2ec18-6a8e-405c-8e45-b7df7465acf0" 75 | geoipdata: 76 | existingPVCName: updates-jenkins-io 77 | subDir: ./updates.jenkins.io/geoipdata/ 78 | annotations: 79 | ad.datadoghq.com/mirrorbits.logs: | 80 | [{"source":"mirrorbits","service":"updates.jenkins.io"}] 81 | 82 | ingress: 83 | enabled: true 84 | className: public-nginx 85 | annotations: 86 | cert-manager.io/cluster-issuer: "letsencrypt-prod" 87 | nginx.ingress.kubernetes.io/ssl-redirect: "true" 88 | nginx.ingress.kubernetes.io/force-ssl-redirect: "true" 89 | nginx.ingress.kubernetes.io/use-regex: "true" # Required to allow regexp path matching with Nginx 90 | nginx.ingress.kubernetes.io/enable-rewrite-log: "true" # Only enabled if need to debug as it is resources-hungry (I/O) 91 | hosts: 92 | - host: mirrors.updates.jenkins.io 93 | paths: 94 | # Only send request to files with these extensions to mirrorbits 95 | - path: /.*([.](html|json|txt|ico)|TIME)$ # Requires the regexp engine of Nginx to be enabled 96 | pathType: ImplementationSpecific 97 | tls: 98 | - 
secretName: updates-jenkins-io-mirrorbits-tls 99 | hosts: 100 | - mirrors.updates.jenkins.io 101 | -------------------------------------------------------------------------------- /config/publick8s_get-jenkins-io-mirrorbits.yaml: -------------------------------------------------------------------------------- 1 | enabled: true 2 | replicaCount: 2 3 | resources: 4 | limits: 5 | cpu: 2 6 | memory: 2048Mi 7 | requests: 8 | cpu: 100m 9 | memory: 400Mi 10 | nodeSelector: 11 | kubernetes.io/arch: arm64 12 | tolerations: 13 | - key: "kubernetes.io/arch" 14 | operator: "Equal" 15 | value: "arm64" 16 | effect: "NoSchedule" 17 | podSecurityContext: 18 | runAsUser: 1000 # User 'mirrorbits' 19 | runAsGroup: 1000 # Group 'mirrorbits' 20 | runAsNonRoot: true 21 | containerSecurityContext: 22 | readOnlyRootFilesystem: true 23 | allowPrivilegeEscalation: false 24 | capabilities: 25 | drop: 26 | - ALL 27 | affinity: 28 | podAntiAffinity: 29 | requiredDuringSchedulingIgnoredDuringExecution: 30 | - labelSelector: 31 | matchExpressions: 32 | - key: "app.kubernetes.io/name" 33 | operator: In 34 | values: 35 | - mirrorbits 36 | topologyKey: "kubernetes.io/hostname" 37 | repository: 38 | name: get-jenkins-io 39 | existingPVC: true 40 | subDir: ./get.jenkins.io/mirrorbits/ 41 | config: 42 | # Ingress already does gzip/brotli 43 | gzip: false 44 | traceFile: /TIME 45 | # Do not answer mirrorbits API JSON content when accept header is set to application/json (behavior with default value "auto") 46 | outputMode: redirect 47 | redis: 48 | sentinelMasterName: mymaster 49 | sentinels: 50 | - redis-redis-ha.redis.svc.cluster.local:26379 51 | # password is stored in SOPS secrets 52 | ## RedisDB - Use 0 for staging and 1, get.jio production and 2 for update.jio production 53 | dbId: 1 54 | ## Interval in minutes between mirrors scan 55 | scanInterval: 10 56 | ## Interval between two scans of the local repository. 
57 | ## This should, more or less, match the frequency where the local repo is updated (e.g. update center) 58 | repositoryScanInterval: 5 59 | checkInterval: 1 60 | # Disable a mirror if it triggers HTTP/3xx redirects on its own (safer for mirrors we do not control) 61 | disallowRedirects: true 62 | disableOnMissingFile: false 63 | ## List of mirrors to use as fallback which will be used in case mirrorbits 64 | ## is unable to answer a request because the database is unreachable. 65 | ## Note: Mirrorbits will redirect to one of these mirrors based on the user 66 | ## location but won't be able to know if the mirror has the requested file. 67 | ## Therefore only put your most reliable and up-to-date mirrors here. 68 | fallbacks: 69 | ## archives.jenkins.io has ALL the artefacts 70 | - url: https://archives.jenkins.io/ 71 | countryCode: DE 72 | continentCode: EU 73 | geoipdata: 74 | existingPVCName: get-jenkins-io 75 | subDir: ./get.jenkins.io/geoipdata/ 76 | annotations: 77 | ad.datadoghq.com/mirrorbits.logs: | 78 | [{"source":"mirrorbits","service":"get.jenkins.io"}] 79 | 80 | ingress: 81 | enabled: true 82 | className: public-nginx 83 | annotations: 84 | cert-manager.io/cluster-issuer: "letsencrypt-prod" 85 | nginx.ingress.kubernetes.io/ssl-redirect: "true" 86 | nginx.ingress.kubernetes.io/force-ssl-redirect: "true" 87 | nginx.ingress.kubernetes.io/use-regex: "true" # Required to allow regexp path matching with Nginx 88 | hosts: 89 | - host: get.jenkins.io 90 | paths: 91 | - path: /.*[.](deb|hpi|war|rpm|msi|pkg|sha256|md5sum|zip|gz|pdf|json|svg|sh|jpeg|ico|png|html)$ # Requires the regexp engine of Nginx to be enabled 92 | pathType: ImplementationSpecific 93 | - host: mirrors.jenkins.io 94 | paths: 95 | - path: /.*[.](deb|hpi|war|rpm|msi|pkg|sha256|md5sum|zip|gz|pdf|json|svg|sh|jpeg|ico|png|html)$ # Requires the regexp engine of Nginx to be enabled 96 | pathType: ImplementationSpecific 97 | - host: mirrors.jenkins-ci.org 98 | paths: 99 | - path: 
/.*[.](deb|hpi|war|rpm|msi|pkg|sha256|md5sum|zip|gz|pdf|json|svg|sh|jpeg|ico|png|html)$ # Requires the regexp engine of Nginx to be enabled 100 | pathType: ImplementationSpecific 101 | tls: 102 | - secretName: get-jenkins-io-tls 103 | hosts: 104 | - get.jenkins.io 105 | - mirrors.jenkins.io 106 | - mirrors.jenkins-ci.org 107 | -------------------------------------------------------------------------------- /config/publick8s_pkg-origin-jenkins-io.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ingress: 3 | enabled: true 4 | className: public-nginx 5 | annotations: 6 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 7 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 8 | hosts: 9 | - host: pkg.origin.jenkins.io 10 | paths: 11 | - path: / 12 | serviceName: pkg-origin-jenkins-io 13 | # Legacy domain, should redirect to Fastly 14 | - host: pkg.jenkins-ci.org 15 | paths: 16 | - path: / 17 | serviceName: pkg-origin-jenkins-io 18 | # For requests coming from Fastly 19 | - host: pkg.jenkins.io 20 | paths: 21 | - path: / 22 | serviceName: pkg-origin-jenkins-io 23 | tls: 24 | - secretName: pkg-origin-jenkins-io 25 | hosts: 26 | - pkg.origin.jenkins.io 27 | - pkg.jenkins-ci.org 28 | 29 | resources: 30 | limits: 31 | cpu: 200m 32 | memory: 256Mi 33 | requests: 34 | cpu: 20m 35 | memory: 32Mi 36 | 37 | htmlVolume: 38 | persistentVolumeClaim: 39 | claimName: pkg-origin-jenkins-io 40 | htmlVolumeSubDir: ./pkg.jenkins.io/production/ 41 | 42 | replicaCount: 2 43 | 44 | nodeSelector: 45 | kubernetes.io/arch: arm64 46 | 47 | tolerations: 48 | - key: "kubernetes.io/arch" 49 | operator: "Equal" 50 | value: "arm64" 51 | effect: "NoSchedule" 52 | 53 | affinity: 54 | podAntiAffinity: 55 | requiredDuringSchedulingIgnoredDuringExecution: 56 | - labelSelector: 57 | matchExpressions: 58 | - key: "app.kubernetes.io/name" 59 | operator: In 60 | values: 61 | - stats-jenkins-io 62 | topologyKey: "kubernetes.io/hostname" 63 | 64 | 
podAnnotations: 65 | ad.datadoghq.com/nginx-website.logs: | 66 | [ 67 | {"source":"nginx","service":"pkg.origin.jenkins.io"} 68 | ] 69 | 70 | nginx: 71 | overrideLocations: | 72 | # Recommended to redirect to Fastly (unless a host header is present) 73 | if ( $host != 'pkg.jenkins.io') { 74 | return 301 https://pkg.jenkins.io$request_uri; 75 | } 76 | 77 | add_header X-Content-Type-Options "nosniff"; 78 | add_header X-Frame-Options "DENY"; 79 | 80 | root /usr/share/nginx/html; 81 | autoindex on; 82 | 83 | location / { 84 | absolute_redirect off; 85 | index index.html index.htm; 86 | } 87 | 88 | error_page 404 /404/index.html; 89 | 90 | # redirect server error pages to the static page /50x.html 91 | # 92 | error_page 500 502 503 504 /50x.html; 93 | location = /50x.html { 94 | root /usr/share/nginx/html; 95 | } 96 | 97 | ############### 98 | # Redirects requests for packages/binaries to the download service 99 | location ~* \/debian(.*)\/ { 100 | # Redirect requests for binaries/packages (e.g. 
heavy files consuming bandwidth) to mirrors 101 | rewrite ^\/(debian.*)\/binary/(.*)\.deb$ https://get.jenkins.io/$1/$2.deb redirect; 102 | } 103 | location ~* \/rpm(.*)\/ { 104 | rewrite ^\/(rpm.*)\/RPMS\/noarch\/(.*)\.rpm$ https://get.jenkins.io/$1/$2.rpm redirect; 105 | rewrite ^\/(rpm.*)\/(.*)\.rpm$ https://get.jenkins.io/$1/$2.rpm redirect; 106 | } 107 | 108 | location ~* \/redhat-stable\/ { 109 | rewrite ^\/(redhat.*)\/RPMS\/noarch\/(.*)\.rpm$ https://get.jenkins.io/$1/$2.rpm redirect; 110 | rewrite ^\/(redhat.*)\/(.*)\.rpm$ https://get.jenkins.io/$1/$2.rpm redirect; 111 | } 112 | location ~* \/opensuse-stable\/ { 113 | rewrite ^\/(opensuse.*)\/RPMS\/noarch\/(.*)\.rpm$ https://get.jenkins.io/$1/$2.rpm redirect; 114 | rewrite ^\/(opensuse.*)\/(.*)\.rpm$ https://get.jenkins.io/$1/$2.rpm redirect; 115 | } 116 | ############### 117 | 118 | ############### 119 | # Redirect to unified RPM (weekly only) 120 | location = /redhat { 121 | rewrite ^\/redhat$ https://pkg.jenkins.io/redhat/ permanent; 122 | } 123 | location /redhat/ { 124 | rewrite ^\/redhat(.*)$ https://pkg.jenkins.io/rpm$1 permanent; 125 | } 126 | location = /opensuse { 127 | rewrite ^\/opensuse$ https://pkg.jenkins.io/opensuse/ permanent; 128 | } 129 | location /opensuse/ { 130 | rewrite ^\/opensuse(.*)$ https://pkg.jenkins.io/rpm$1 permanent; 131 | } 132 | ############### 133 | 
--------------------------------------------------------------------------------
/updatecli/updatecli.d/jenkins-controllers/jenkins-agents-infra.ci.jenkins.io.yaml:
--------------------------------------------------------------------------------
# updatecli manifest. Reads the latest jenkins-infra/packer-images release,
# checks that the matching container and Azure gallery images exist, then
# rewrites the image versions in config/jenkins_infra.ci.jenkins.io.yaml and
# proposes the change as a GitHub pull request.
name: Bump agent templates version for infra.ci.jenkins.io

scms:
  default:
    kind: github
    spec:
      user: "{{ .github.user }}"
      email: "{{ .github.email }}"
      owner: "{{ .github.owner }}"
      repository: "{{ .github.repository }}"
      # The token is resolved from the environment at run time (requiredEnv);
      # no credential is stored in this file.
      token: "{{ requiredEnv .github.token }}"
      username: "{{ .github.username }}"
      branch: "{{ .github.branch }}"

sources:
  # Release name of jenkins-infra/packer-images; every other step keys off it
  packerImageVersion:
    kind: githubrelease
    name: get last packer-image release
    spec:
      owner: jenkins-infra
      repository: packer-images
      token: "{{ requiredEnv .github.token }}"
      username: "{{ .github.username }}"
  # Per-architecture digests of the tag named after that release
  getLatestInboundAllInOneContainerImageX86:
    kind: dockerdigest
    name: Get digest of the jenkinsciinfra/jenkins-agent-ubuntu-22.04 image
    spec:
      image: jenkinsciinfra/jenkins-agent-ubuntu-22.04
      tag: '{{ source "packerImageVersion"}}'
      architecture: linux/amd64
  getLatestInboundAllInOneContainerImageARM:
    kind: dockerdigest
    name: Get digest of the jenkinsciinfra/jenkins-agent-ubuntu-22.04 image
    spec:
      image: jenkinsciinfra/jenkins-agent-ubuntu-22.04
      tag: '{{ source "packerImageVersion"}}'
      architecture: linux/arm64

conditions:
  checkAllInOneContainerImages:
    # If the 2 Docker images are different, it means the release build of packer-images failed (and never pushed the multi-arch manifest as last stage)
    # NOTE(review): the comment above says "different", but the command below
    # succeeds only when the two digests differ, so the failure case appears
    # to be identical digests - confirm and reword.
    # NOTE(review): both source values are placed on the shell command line
    # unquoted. They come from registry digest lookups; quoting them would
    # keep an unexpected value from being split or interpreted by the shell.
    disablesourceinput: true
    name: Check that x86 and arm64 all-in-one images are different
    kind: shell
    spec:
      command: test {{ source "getLatestInboundAllInOneContainerImageX86" }} != {{ source "getLatestInboundAllInOneContainerImageARM" }}
  # The three gallery checks below list image versions tagged with the release.
  # NOTE(review): presumably each one passes whenever `az` exits 0; a query
  # that matches nothing may print an empty list and still exit 0 - confirm
  # that a missing image version really fails the condition.
  checkifazureimagejenkins-agent-ubuntu-22.04-amd64isavailable:
    kind: shell
    disablesourceinput: true
    spec:
      command: az sig image-version list --resource-group prod-packer-images --gallery-name prod_packer_images --gallery-image-definition jenkins-agent-ubuntu-22.04-amd64 --query "[?tags.version == '{{ source `packerImageVersion` }}']" --output tsv
  checkifazureimagejenkins-agent-windows-2019-amd64isavailable:
    kind: shell
    disablesourceinput: true
    spec:
      command: az sig image-version list --resource-group prod-packer-images --gallery-name prod_packer_images --gallery-image-definition jenkins-agent-windows-2019-amd64 --query "[?tags.version == '{{ source `packerImageVersion` }}']" --output tsv
  checkifazureimagejenkins-agent-ubuntu-22.04-arm64isavailable:
    kind: shell
    disablesourceinput: true
    spec:
      command: az sig image-version list --resource-group prod-packer-images --gallery-name prod_packer_images --gallery-image-definition jenkins-agent-ubuntu-22.04-arm64 --query "[?tags.version == '{{ source `packerImageVersion` }}']" --output tsv
  checkDockerImagePublishedInAcr:
    # NOTE(review): something after the image colon looks lost in this listing
    # (possibly an angle-bracket placeholder); as shown, the ": " makes this
    # unquoted value invalid YAML - verify against the repository file.
    name: Check that the dockerhubmirror.azurecr.io/jenkinsciinfra/jenkins-agent-ubuntu-22.04: Docker image is published
    kind: dockerimage
    sourceid: packerImageVersion
    spec:
      image: dockerhubmirror.azurecr.io/jenkinsciinfra/jenkins-agent-ubuntu-22.04
      ## Tag from source
      architectures:
        - arm64
        - amd64

# Both targets rewrite config/jenkins_infra.ci.jenkins.io.yaml by regex.
targets:
  setAzureGalleryImageVersion:
    sourceid: packerImageVersion
    name: Bump Azure Gallery Image Version
    kind: file
    spec:
      file: config/jenkins_infra.ci.jenkins.io.yaml
      matchpattern: 'galleryImageVersion: ".*"'
      replacepattern: 'galleryImageVersion: "{{ source `packerImageVersion` }}"'
    scmid: default
  # NOTE(review): the image reference is pinned by tag; the digests resolved
  # by the dockerdigest sources are used only in the first condition.
  setJnlpLinuxArm64Image:
    sourceid: packerImageVersion
    name: Bump docker images version
    kind: file
    spec:
      file: config/jenkins_infra.ci.jenkins.io.yaml
      matchpattern: 'image: dockerhubmirror.azurecr.io/jenkinsciinfra/jenkins-agent-ubuntu-22.04:.*'
      replacepattern: 'image: dockerhubmirror.azurecr.io/jenkinsciinfra/jenkins-agent-ubuntu-22.04:{{ source `packerImageVersion` }}'
    scmid: default

# Changes are proposed as a pull request on the scm above
actions:
  default:
    kind: github/pullrequest
    scmid: default
    title: Bump agent templates for infra.ci.jenkins.io (packer-image {{ source `packerImageVersion` }})
    spec:
      labels:
        - dependencies
        - agent-templates

--------------------------------------------------------------------------------
/clusters/privatek8s.yaml:
--------------------------------------------------------------------------------
# Helmfile for the privatek8s cluster: chart repositories, then the releases
# applied to the cluster with their values and secrets files.
---
helmDefaults:
  atomic: true
  force: false
  timeout: 300
  wait: true
# All chart repositories are fetched over HTTPS.
# NOTE(review): every release below pins an exact chart version, but chart
# provenance verification (helmDefaults `verify`) is not set in this file -
# confirm whether that is intended.
repositories:
  # https://github.com/DataDog/helm-charts/
  - name: datadog
    url: https://helm.datadoghq.com
  # https://github.com/timja/github-comment-ops/
  - name: github-comment-ops
    url: https://timja.github.io/github-comment-ops/
  # https://github.com/kubernetes/ingress-nginx/
  - name: ingress-nginx
    url: https://kubernetes.github.io/ingress-nginx
  # https://github.com/jenkinsci/helm-charts/
  - name: jenkins
    url: https://charts.jenkins.io
  # https://github.com/jenkins-infra/helm-charts/
  - name: jenkins-infra
    url: https://jenkins-infra.github.io/helm-charts
  # https://github.com/cert-manager/cert-manager/
  - name: jetstack
    url: https://charts.jetstack.io
# `values` entries are plain files under ../config; `secrets` entries point
# into ../secrets, which is a separate checkout and not part of this listing.
releases:
  - name: datadog
    namespace: datadog
    chart: datadog/datadog
    version: 3.154.1
    values:
      - ../config/datadog.yaml.gotmpl
      - ../config/datadog_privatek8s.yaml
    secrets:
      - ../secrets/config/datadog/privatek8s-secrets.yaml
  - name: cert-manager
    namespace: cert-manager
    chart: jetstack/cert-manager
    version: v1.19.2
    values:
      - ../config/cert-manager.yaml
  - name: acme
    namespace: cert-manager
    chart: jenkins-infra/acme
    version: 0.1.4
    needs:
      # CRDs must be installed BEFORE any diff or apply operation
      - cert-manager/cert-manager
    values:
      - ../config/acme.yaml
    secrets:
      - ../secrets/config/acme/jenkins.io-secrets.yaml
  # Two ingress controllers from the same chart and version: one private,
  # one public, each with a shared and a cluster-specific values file.
  - name: private-nginx-ingress
    namespace: private-nginx-ingress
    chart: ingress-nginx/ingress-nginx
    version: 4.11.8
    values:
      - ../config/private-nginx-ingress__common.yaml
      - ../config/private-nginx-ingress_privatek8s.yaml
  - name: public-nginx-ingress
    namespace: public-nginx-ingress
    chart: ingress-nginx/ingress-nginx
    version: 4.11.8
    values:
      - ../config/public-nginx-ingress__common.yaml
      - ../config/public-nginx-ingress_privatek8s.yaml
  - name: infra-ci-jenkins-io-jobs
    namespace: infra-ci-jenkins-io
    chart: jenkins-infra/jenkins-jobs
    version: 3.1.0
    values:
      - ../config/jenkins-jobs_infra.ci.jenkins.io.yaml
  - name: infra-ci-jenkins-io
    namespace: infra-ci-jenkins-io
    chart: jenkins/jenkins
    version: 5.8.114
    needs:
      # Required to generate the job definition in a configmap
      - infra-ci-jenkins-io-jobs
      # Required to expose the webhooks endpoint (secondary ingress of the jenkins helm chart)
      - public-nginx-ingress/public-nginx-ingress
      # Required to expose the Web UI to the VPN (primary ingress of the jenkins helm chart)
      - private-nginx-ingress/private-nginx-ingress
    values:
      - ../config/jenkins_infra.ci.jenkins.io.yaml
    secrets:
      - ../secrets/config/infra.ci.jenkins.io/jenkins-secrets.yaml
  - name: release-ci-jenkins-io-agents
    namespace: release-ci-jenkins-io-agents
    chart: jenkins-infra/jenkins-kubernetes-agents
    version: 1.1.1
    values:
      - ../config/jenkins-kubernetes-agents_release.ci.jenkins.io.yaml
  - name: release-ci-jenkins-io
    namespace: release-ci-jenkins-io
    chart: jenkins/jenkins
    version: 5.8.114
    # Overrides the helmDefaults timeout of 300 for this release only
    timeout: 600
    needs:
      # Required to expose the webhooks endpoint (secondary ingress of the jenkins helm chart)
      - public-nginx-ingress/public-nginx-ingress
      # Required to expose the Web UI to the VPN (primary ingress of the jenkins helm chart)
      - private-nginx-ingress/private-nginx-ingress
    values:
      - ../config/jenkins_release.ci.jenkins.io.yaml
    secrets:
      - ../secrets/config/release.ci.jenkins.io/jenkins-secrets.yaml
  - name: rss2twitter
    namespace: rss2twitter
    chart: jenkins-infra/rss2twitter
    version: 0.1.0
    values:
      - ../config/rss2twitter.yaml
    secrets:
      # @jenkins_release Twitter dev account credentials
      - ../secrets/config/rss2twitter/secrets.yaml
  - name: github-comment-ops
    namespace: github-comment-ops
    chart: github-comment-ops/github-comment-ops
    version: 1.5.2
    needs:
      # Required to expose the webhooks endpoint
      - public-nginx-ingress/public-nginx-ingress
    values:
      - ../config/github-comment-ops.yaml
    secrets:
      - ../secrets/config/github-comment-ops/secrets.yaml

--------------------------------------------------------------------------------
/config/publick8s_staging-pkg-origin-jenkins-io.yaml:
--------------------------------------------------------------------------------
1 | --- 2 | ingress: 3 | enabled: true 4 | ingressClassName: private-nginx 5 | annotations: 6 | "cert-manager.io/cluster-issuer": "letsencrypt-prod" 7 | "nginx.ingress.kubernetes.io/ssl-redirect": "true" 8 | hosts: 9 | - host: staging.pkg.origin.jenkins.io 10 | paths: 11 | - path: / 12 | serviceName: staging-pkg-origin-jenkins-io 13 | # All dots in branch name must be replaced by an underscore (nested subdomains are not possible) 14 | - host: "*.staging.pkg.origin.jenkins.io" 15 | paths: 16 | - path: / 17 | serviceName: staging-pkg-origin-jenkins-io 18 | tls: 19 | - secretName: staging-pkg-origin-jenkins-io 20 | hosts: 21 | - staging.pkg.origin.jenkins.io 22 | # All dots in branch name must be replaced by an underscore (nested subdomains are not possible) 23 | - "*.staging.pkg.origin.jenkins.io" 24 | 25 | resources: 26 | limits: 27 | cpu: 200m 28 | memory: 256Mi 29 | requests: 30 | cpu: 20m 31 | memory: 32Mi 32 | 33 | htmlVolume: 34 | persistentVolumeClaim: 35 | claimName: staging-pkg-origin-jenkins-io 36 | htmlVolumeSubDir: ./pkg.jenkins.io/staging/ 37 | 38 | replicaCount: 1 39 | 40 | nodeSelector: 41 | kubernetes.io/arch: arm64 42 | 43 | tolerations: 44 | - key: "kubernetes.io/arch" 45 | operator: "Equal" 46 | value: 
"arm64" 47 | effect: "NoSchedule" 48 | 49 | affinity: 50 | podAntiAffinity: 51 | requiredDuringSchedulingIgnoredDuringExecution: 52 | - labelSelector: 53 | matchExpressions: 54 | - key: "app.kubernetes.io/name" 55 | operator: In 56 | values: 57 | - stats-jenkins-io 58 | topologyKey: "kubernetes.io/hostname" 59 | 60 | podAnnotations: 61 | ad.datadoghq.com/nginx-website.logs: | 62 | [ 63 | {"source":"nginx","service":"staging.pkg.origin.jenkins.io"} 64 | ] 65 | 66 | nginx: 67 | overrideLocations: | 68 | server_name staging.pkg.origin.jenkins.io '~^(?.*)\.staging\.pkg\.origin\.jenkins\.io$' _; 69 | 70 | root /usr/share/nginx/html/$subdomain; 71 | autoindex on; 72 | 73 | ############### 74 | # Only for staging: replace 'pkg.jenkins.io' by the current requested subdomain to ensure testing works 75 | # Otherwise the HTML instructions won't be up to date and RPM/Redhat/Opensuse repo files will never redirect to the staging.get repository 76 | # Do NOT enable this in production (performance is not good and will break fastly) 77 | sub_filter 'pkg.jenkins.io' '$subdomain.staging.pkg.origin.jenkins.io'; 78 | sub_filter_types '*'; 79 | sub_filter_once off; 80 | ############### 81 | 82 | location / { 83 | absolute_redirect off; 84 | index index.html index.htm; 85 | } 86 | 87 | add_header X-Content-Type-Options "nosniff"; 88 | add_header X-Frame-Options "DENY"; 89 | 90 | error_page 404 /404/index.html; 91 | 92 | # redirect server error pages to the static page /50x.html 93 | # 94 | error_page 500 502 503 504 /50x.html; 95 | location = /50x.html { 96 | root /usr/share/nginx/html; 97 | } 98 | 99 | ############### 100 | # Redirects requests for packages/binaries to the download service 101 | # Note: specific to staging, we have to redirect to a subpath of the staging webservice,"service":"staging.pkg.origin.jenkins.io", 102 | # which is the captured subdomain (e.g. 
jenkins-infra/release sanitized branch name) 103 | location ~* (.*)\/debian(.*)\/ { 104 | rewrite ^(.*)\/(debian.*)\/binary\/(.*)\.deb$ https://staging.get.jenkins.io/$subdomain/$2/$3.deb redirect; 105 | } 106 | location ~* (.*)\/rpm(.*)\/ { 107 | # Redirect requests for binaries/packages (e.g. heavy files consuming bandwidth) to mirrors 108 | rewrite ^(.*)\/(rpm.*)\/RPMS\/noarch\/(.*)\.rpm$ https://staging.get.jenkins.io/$subdomain/$2/$3.rpm redirect; 109 | rewrite ^(.*)\/(rpm.*)\/(.*)\.rpm$ https://staging.get.jenkins.io/$subdomain/$2/$3.rpm redirect; 110 | } 111 | ############### 112 | # Redirect to staging.get for Redhat/OpenSuse LTS until RPM are unified in LTS line 113 | location ~* (.*)\/redhat-stable\/ { 114 | # Redirect requests for binaries/packages (e.g. heavy files consuming bandwidth) to mirrors 115 | rewrite ^(.*)\/(redhat.*)\/RPMS\/noarch\/(.*)\.rpm$ https://staging.get.jenkins.io/$subdomain/$2/$3.rpm redirect; 116 | rewrite ^(.*)\/(redhat.*)\/(.*)\.rpm$ https://staging.get.jenkins.io/$subdomain/$2/$3.rpm redirect; 117 | } 118 | location ~* (.*)\/opensuse-stable\/ { 119 | # Redirect requests for binaries/packages (e.g. 
heavy files consuming bandwidth) to mirrors 120 | rewrite ^(.*)\/(opensuse.*)\/RPMS\/noarch\/(.*)\.rpm$ https://staging.get.jenkins.io/$subdomain/$2/$3.rpm redirect; 121 | rewrite ^(.*)\/(opensuse.*)\/(.*)\.rpm$ https://staging.get.jenkins.io/$subdomain/$2/$3.rpm redirect; 122 | } 123 | ############### 124 | 125 | ############### 126 | # Redirect to unified RPM (weekly only) 127 | location = /redhat { 128 | rewrite ^\/redhat$ https://staging.pkg.origin.jenkins.io/rpm/ permanent; 129 | } 130 | location ~* (.*)\/redhat\/ { 131 | rewrite ^\/redhat\/(.*)$ https://staging.pkg.origin.jenkins.io/rpm/$1 permanent; 132 | } 133 | location = /opensuse { 134 | rewrite ^\/opensuse$ https://staging.pkg.origin.jenkins.io/rpm/ permanent; 135 | } 136 | location ~* (.*)\/opensuse\/ { 137 | rewrite ^\/opensuse\/(.*)$ https://staging.pkg.origin.jenkins.io/rpm/$1 permanent; 138 | } 139 | ############### 140 | 
--------------------------------------------------------------------------------
/config/publick8s_www-jenkins-io.yaml:
--------------------------------------------------------------------------------
# Helm values for the www.jenkins.io origin: a public ingress in front of an
# nginx pod serving static files from a persistent volume.
ingress:
  enabled: true
  className: public-nginx
  annotations:
    "cert-manager.io/cluster-issuer": "letsencrypt-prod"
    # The ingress itself sets the nosniff and frame-deny response headers
    "nginx.ingress.kubernetes.io/configuration-snippet": |
      more_set_headers "X-Content-Type-Options: nosniff";
      more_set_headers "X-Frame-Options: DENY";
  hosts:
    - host: jenkins.io
      paths:
        - path: /
    - host: www.jenkins.io
      paths:
        - path: /
    - host: www.origin.jenkins.io
      paths:
        - path: /
    - host: jenkins-ci.org
      paths:
        - path: /
    - host: www.jenkins-ci.org
      paths:
        - path: /
  # www.jenkins.io certificate is managed by Fastly
  # (which is why that host is served above but absent from the list below)
  tls:
    - secretName: jenkinsio-tls
      hosts:
        - jenkins-ci.org
        - jenkins.io
        - www.jenkins-ci.org
        - www.origin.jenkins.io

replicaCount: 2

resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 50m
    memory: 128Mi

htmlVolume:
  persistentVolumeClaim:
    claimName: www-jenkins-io
htmlVolumeSubDir: ./www.jenkins.io/

nodeSelector:
  kubernetes.io/arch: arm64

tolerations:
  - key: "kubernetes.io/arch"
    operator: "Equal"
    value: "arm64"
    effect: "NoSchedule"

# Pods labelled app.kubernetes.io/name=jenkinsio must land on different nodes
affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
            - key: "app.kubernetes.io/name"
              operator: In
              values:
                - jenkinsio
        topologyKey: "kubernetes.io/hostname"

podAnnotations:
  ad.datadoghq.com/jenkinsio.logs: |
    [
      {"source":"nginx","service":"www.origin.jenkins.io"}
    ]

# NOTE(review), on the nginx snippets below (their text is a runtime string
# and is left untouched; assumes overrideLocations is rendered inside the
# server block - TODO confirm against the chart):
#  - nginx inherits add_header directives from the enclosing level only when
#    a location declares none of its own. `location /` (Vary) and the two
#    static-file locations (Cache-Control) each declare one, so nginx does not
#    emit the X-Content-Type-Options / X-Frame-Options lines for those
#    responses; the ingress more_set_headers snippet above is what still
#    supplies them. Check both headers on any path that bypasses the ingress.
#  - `rewrite ^/$ https://www.jenkins.io/$lang$1;` references $1 although the
#    pattern has no capture group.
#  - The /maven-hpi-plugin, /oracleAccountSignup and /survey rewrites send
#    visitors to plain http:// targets.
nginx:
  httpDirectives: |
    map $http_accept_language $lang {
      default '';
      ~^zh zh;
    }
  overrideLocations: |
    # Recommended to redirect to Fastly (unless a host header is present)
    if ( $host != 'www.jenkins.io') {
      return 301 https://www.jenkins.io$request_uri;
    }

    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options "DENY";

    root /usr/share/nginx/html;

    location / {
      absolute_redirect off;
      index index.html index.htm;
      add_header Vary "Accept-Language";
      # Language setting
      if ($lang) {
        rewrite ^/$ https://www.jenkins.io/$lang$1;
      }
    }

    location ~* \.(?:css|js|woff|eot|svg|ttf|otf|png|gif|jpe?g) {
      expires 2d;
      add_header Cache-Control "public";
    }

    location ~* \.(html|json|xml)$ {
      expires 1h;
      add_header Cache-Control "public";
    }

    error_page 404 /404/index.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
      root /usr/share/nginx/html;
    }

    # compatibility with old package repository locations
    rewrite ^/redhat/(.*) https://pkg.jenkins.io/redhat/$1 permanent;
    rewrite ^/opensuse/(.*) https://pkg.jenkins.io/opensuse/$1 permanent;
    rewrite ^/debian/(.*) https://pkg.jenkins.io/debian/$1 permanent;

    # convenient short URLs
    rewrite ^/issue/(.+) https://issues.jenkins-ci.org/browse/JENKINS-$1 permanent;
    rewrite ^/commit/core/(.+) https://github.com/jenkinsci/jenkins/commit/$1 permanent;
    rewrite ^/commit/(.+)/(.+) https://github.com/jenkinsci/$1/commit/$2 permanent;
    rewrite ^/pull/(.+)/([0-9]+) https://github.com/jenkinsci/$1/pull/$2 permanent;

    rewrite ^/maven-site/hudson-core /maven-site/jenkins-core permanent;

    # https://issues.jenkins-ci.org/browse/INFRA-351
    rewrite ^/maven-hpi-plugin(.*) http://jenkinsci.github.io/maven-hpi-plugin/$1 permanent;

    # Probably not needed but, rating code moved a while ago
    rewrite ^/rate/(.*) https://rating.jenkins.io/$1 permanent;
    rewrite ^/census/(.*) https://census.jenkins.io/$1 permanent;
    rewrite ^/jenkins-ci.org.key$ https://pkg.jenkins.io/redhat/jenkins.io-2023.key permanent;

    # permalinks
    # - this one is referenced from 1.395.1 "sign post" release
    rewrite ^/why$ https://wiki.jenkins-ci.org/pages/viewpage.action?pageId=53608972 permanent;
    # baked in the help file to create account on Oracle for JDK downloads
    rewrite ^/oracleAccountSignup$ http://www.oracle.com/webapps/redirect/signon?nexturl=http://jenkins-ci.org/ permanent;
    # to the donation page
    rewrite ^/donate$ https://wiki.jenkins-ci.org/display/JENKINS/Donation permanent;
    # CLA links used in the CLA forms
    rewrite ^/license$ https://wiki.jenkins-ci.org/display/JENKINS/Governance+Document#GovernanceDocument-cla permanent;
    rewrite ^/licenses$ https://wiki.jenkins-ci.org/display/JENKINS/Governance+Document#GovernanceDocument-cla permanent;
    # used to advertise the project meeting
    rewrite ^/meetings/$ https://wiki.jenkins-ci.org/display/JENKINS/Governance+Meeting+Agenda permanent;
    # used from friends of Jenkins plugin to link to the thank you page
    rewrite ^/friend$ https://wiki.jenkins-ci.org/display/JENKINS/Donation permanent;
    # used by Gradle JPI plugin to include fragment
    rewrite ^/gradle-jpi-plugin/latest$ https://raw.github.com/jenkinsci/gradle-jpi-plugin/master/install permanent;
    # used when encouraging people to subscribe to security advisories
    rewrite ^/advisories$ https://wiki.jenkins-ci.org/display/JENKINS/Security+Advisories permanent;
    # used in slides and handouts to refer to survey
    rewrite ^/survey$ http://s.zoomerang.com/s/JenkinsSurvey permanent;
    # used by RekeySecretAdminMonitor in Jenkins
    rewrite ^/rekey$ https://wiki.jenkins-ci.org/display/SECURITY/Re-keying permanent;
    # persistent Google hangout link
    rewrite ^/hangout$ https://plus.google.com/hangouts/_/event/cjh74ltrnc8a8r2e3dbqlfnie38 permanent;
    # .16.203.43 repo.jenkins-ci.org
    rewrite ^/pull-request-greeting$ https://wiki.jenkins-ci.org/display/JENKINS/Pull+Request+to+Repositories permanent;
    # Mailer plugin uses this to redirect to Javamail jenkinsio page
    rewrite ^/javamail-properties$ https://javamail.java.net/nonav/docs/api/overview-summary.html#overview_description permanent;
    # baked in jenkins.war 1.587 / 1.580.1
    rewrite ^/security-144$ https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control permanent;
    # baked in 1.600 easter egg
    rewrite ^/100k$ https://www.jenkins.io/content/jenkins-celebration-day-february-26 permanent;
    rewrite ^/jep/([0-9]+) https://github.com/jenkinsci/jep/blob/master/jep/$1/README.adoc permanent;
    rewrite ^/iep/([0-9]+) https://github.com/jenkins-infra/iep/blob/master/iep/$1/README.adoc permanent;

--------------------------------------------------------------------------------
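/config/publick8s_weekly-ci-jenkins-io.yaml:
--------------------------------------------------------------------------------
# Helm values for the public weekly.ci.jenkins.io controller (chart jenkins/jenkins,
# release "weekly-ci-jenkins-io" in clusters/publick8s.yaml).
# NOTE(review): indentation is reconstructed from a flattened listing; confirm the nesting
# against the repository before applying.
serviceAccount:
  create: true
  name: jenkins-controller
serviceAccountAgent:
  create: false
rbac:
  create: true
  # Lets the controller's service account read Kubernetes Secrets in its namespace.
  # Anything stored there is reachable from the controller, so keep the namespace
  # limited to secrets this instance actually needs.
  readSecrets: true
persistence:
  enabled: true
  existingClaim: weekly-ci-jenkins-io
agent:
  componentName: "agent"
controller:
  image:
    registry: dockerhubmirror.azurecr.io
    repository: jenkinsciinfra/jenkins-weeklyci
    # A tag is mutable: what runs is whatever the mirror serves for it at pull time, and
    # IfNotPresent keeps a node's cached copy. Integrity rests on the registry mirror.
    tag: 3.10.7-2.542
    pullPolicy: IfNotPresent
  nodeSelector:
    kubernetes.io/arch: arm64
  tolerations:
    - key: "kubernetes.io/arch"
      operator: "Equal"
      value: "arm64"
      effect: "NoSchedule"
  resources:
    limits:
      cpu: 2
      memory: 4Gi
    requests:
      cpu: 1
      memory: 1Gi
  probes:
    startupProbe:
      initialDelaySeconds: 120
    livenessProbe:
      initialDelaySeconds: 120
    readinessProbe:
      initialDelaySeconds: 120
  testEnabled: false
  podAnnotations:
    ad.datadoghq.com/jenkins.logs: '[{"source":"jenkins", "service":"weekly.ci.jenkins.io"}]'
  podSecurityContextOverride:
    runAsNonRoot: true
    runAsUser: 1000
    supplementalGroups: [1000]
  overwritePlugins: true
  serviceType: "ClusterIP"
  # HeapDumpOnOutOfMemoryError writes the whole JVM heap to /tmp/. A controller heap can
  # hold decrypted credentials, so treat any dump as a secret and remove it after analysis.
  javaOpts: >-
    -XshowSettings:vm -XX:+UseStringDeduplication -XX:+ParallelRefProcEnabled -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp/ -XX:+UseG1GC -Djava.net.preferIPv4Stack=true
  JCasC:
    enabled: true
    defaultConfig: false
    configScripts:
      # Secret values are ${...} references resolved when the configuration is loaded;
      # nothing sensitive is written in this file.
      credentials: |
        credentials:
          system:
            domainCredentials:
              - credentials:
                  - gitHubApp:
                      appID: "${GITHUB_APP_ID}"
                      description: "GitHub App for weekly.ci.jenkins.io"
                      id: "github-app-weekly"
                      privateKey: "${GITHUB_APP_PRIVATE_KEY}"
                      scope: GLOBAL
      # No executors on the controller and no cloud defined here.
      # NOTE(review): unless agents are attached some other way, the example jobs
      # further down are never built; confirm that this is intended.
      agent-settings: |
        jenkins:
          numExecutors: 0
          clouds: []
      security: |
        security:
          contentSecurityPolicy:
            enforce: true
      ldap-settings: |
        jenkins:
          securityRealm:
            ldap:
              configurations:
                - server: "${LDAP_SERVER}"
                  rootDN: "${LDAP_ROOT_DN}"
                  managerDN: "${LDAP_MANAGER_DN}"
                  managerPasswordSecret: "${LDAP_MANAGER_PASSWORD}"
                  mailAddressAttributeName: "mail"
                  userSearch: cn={0}
                  userSearchBase: "ou=people"
                  groupSearchBase: "ou=groups"
              disableMailAddressResolver: false
              groupIdStrategy: "caseInsensitive"
              userIdStrategy: "caseInsensitive"
              cache:
                size: 100
                ttl: 300
      advisor-settings: |
        jenkins:
          disabledAdministrativeMonitors:
            - com.cloudbees.jenkins.plugins.advisor.Reminder
      # A global library is trusted code: it runs outside the Groovy sandbox. With
      # implicit: true it is loaded into every pipeline, and defaultVersion "master"
      # follows the branch head, so push access to that branch amounts to code
      # execution on this controller. Branch protection on the library repository is
      # part of this instance's security boundary.
      pipeline-library: |
        unclassified:
          location:
            url: "https://weekly.ci.jenkins.io"
          globalLibraries:
            libraries:
              - defaultVersion: "master"
                implicit: true
                name: "pipeline-library"
                retriever:
                  modernSCM:
                    scm:
                      gitSource:
                        credentialsId: "github-app-weekly"
                        remote: "https://github.com/jenkins-infra/pipeline-library.git"
      # Public instance: anonymous visitors get Overall/Read and Job/Read, so job names,
      # configurations visible to readers and console output are world-readable.
      # Administer is held by the "admins" and "jenkins-admins" groups only.
      matrix-settings: |
        jenkins:
          authorizationStrategy:
            globalMatrix:
              entries:
                - group:
                    name: "admins"
                    permissions:
                      - "Overall/Administer"
                - group:
                    name: "authenticated"
                    permissions:
                      - "Job/Read"
                      - "Overall/Read"
                - group:
                    name: "jenkins-admins"
                    permissions:
                      - "Overall/Administer"
                - user:
                    name: "anonymous"
                    permissions:
                      - "Job/Read"
                      - "Overall/Read"
      timestamper-settings: |
        unclassified:
          timestamper:
            allPipelines: true
      # Review notes for this script:
      # - QueueItemAuthenticatorMonitor is the warning shown when builds are not configured
      #   to run as a specific user; disabling it hides that reminder.
      # - markupFormatter rawHtml renders descriptions as HTML. NOTE(review): this is
      #   presumably the sanitising "Safe HTML" formatter; confirm, since the pages are
      #   served to anonymous visitors.
      # - The listing shows only the text of the view description; any HTML markup in the
      #   original value is not visible here.
      system-settings: |
        unclassified:
          defaultFolderConfiguration:
            # Keep healthMetrics an empty list to ensure weather is disabled
            healthMetrics: []
        appearance:
          pipelineGraphView:
            showGraphOnBuildPage: true
            showGraphOnJobPage: false # change to true if pipeline-stage-view is removed
          themeManager:
            disableUserThemes: false
            theme: "darkSystem"
          customHeader:
            enabled: true
            header:
              context:
                showFolderWeather: true
                showJobWeather: true
            headerColor:
              backgroundColor: "#3B3B3B"
              color: "white"
            logo: "default"
            logoText: "Jenkins"
            title: "with the customizable-header\
              \ plugin"
        jenkins:
          quietPeriod: 0 # No need to wait between build scheduling
          disabledAdministrativeMonitors:
            - "jenkins.security.QueueItemAuthenticatorMonitor"
          views:
            - all:
                description: "The Design Library makes it easy for developers to build complex and consistent interfaces using Jenkins UI components."
                name: "all"
          markupFormatter:
            rawHtml:
              disableSyntaxHighlighting: false
      tools-config: |
        tool:
          git:
            installations:
              - home: "git"
                name: "git-native"
              - name: "jgit"
      # Example jobs created through Job DSL; the pipeline definitions run in the sandbox.
      # Fixed in both pipeline scripts: the closing brace of the pipeline block was
      # missing, and stage 'Hello World 2' had no braces around its steps.
      jobs-settings: |
        jobs:
          - script: >
              folder('folder') {
                displayName('folder')
                description('This is an example folder')
              }
          - script: >
              freeStyleJob('folder/freestyle') {
                displayName('Hello World')
                steps {
                  shell 'echo Hello World'
                }
              }
          - script: >
              pipelineJob('folder/failing-pipeline') {
                definition {
                  cps {
                    sandbox()
                    script("""\
                      pipeline {
                        agent any
                        stages {
                          stage ('Failure') {
                            steps {
                              echo "This build fails."
                              sh 'false'
                            }
                          }
                        }
                      }""".stripIndent())
                  }
                }
              }
          - script: >
              pipelineJob('pipeline') {
                definition {
                  cps {
                    sandbox()
                    script("""\
                      pipeline {
                        agent any
                        stages {
                          stage ('Hello World') {
                            steps {
                              echo "Hello World"
                            }
                          }
                          stage ('Hello World 2') {
                            steps {
                              echo "Hello World 2"
                            }
                          }
                        }
                      }""".stripIndent())
                  }
                }
              }
      default-notification-url: |
        unclassified:
          defaultDisplayUrlProvider:
            providerId: "org.jenkinsci.plugins.displayurlapi.ClassicDisplayURLProvider"
  sidecars:
    configAutoReload:
      env:
        # https://github.com/kiwigrid/k8s-sidecar#configuration-environment-variables
        - name: METHOD
          # Polling mode (instead of watching kube API)
          value: "SLEEP"
        # https://github.com/kiwigrid/k8s-sidecar#configuration-environment-variables
        - name: SLEEP_TIME
          # Time in seconds between two polls
          value: "60"
  # Plugins are not installed at start-up from this file.
  installPlugins: false
  ingress:
    enabled: true
    hostName: weekly.ci.jenkins.io
    annotations:
      "cert-manager.io/cluster-issuer": "letsencrypt-prod"
      # Request bodies of up to 500 MB are accepted on this public endpoint.
      "nginx.ingress.kubernetes.io/proxy-body-size": "500m"
    ingressClassName: public-nginx
    tls:
      - hosts:
          - weekly.ci.jenkins.io
        secretName: weekly.ci.jenkins.io-cert

--------------------------------------------------------------------------------
/clusters/publick8s.yaml:
--------------------------------------------------------------------------------
---
# Helmfile for the "publick8s" cluster: every release below is a chart at a fixed version
# combined with values files from ../config and, for some, files from ../secrets.
# NOTE(review): indentation is reconstructed from a flattened listing; confirm the nesting
# against the repository before applying.
helmDefaults:
  # atomic + wait: a release that does not become ready within the timeout (seconds)
  # is rolled back instead of being left half-applied.
  atomic: true
  force: false
  timeout: 600
  wait: true
# All chart repositories are fetched over HTTPS. A pinned chart version fixes what is
# requested, not who produced it: these repositories are part of the cluster's supply chain.
repositories:
  # https://github.com/DataDog/helm-charts/
  - name: datadog
    url: https://helm.datadoghq.com
  # https://github.com/falcosecurity/charts/
  - name: falco
    url: https://falcosecurity.github.io/charts
  # https://github.com/kubernetes/ingress-nginx/
  - name: ingress-nginx
    url: https://kubernetes.github.io/ingress-nginx
  # https://github.com/jenkinsci/helm-charts/
  - name: jenkins
    url: https://charts.jenkins.io
  # https://github.com/jenkins-infra/helm-charts/
  - name: jenkins-infra
    url: https://jenkins-infra.github.io/helm-charts
  # https://github.com/cert-manager/cert-manager/
  - name: jetstack
    url: https://charts.jetstack.io
  # https://github.com/codecentric/helm-charts/
  - name: codecentric
    url: https://codecentric.github.io/helm-charts
  # NOTE(review): unlike the entries above, this repository has no upstream source link.
  - name: dandydev
    url: https://dandydeveloper.github.io/charts
# "secrets:" entries are separate values files kept under ../secrets, outside this
# directory tree; "needs:" entries make a release wait for the named release.
releases:
  - name: datadog
    namespace: datadog
    chart: datadog/datadog
    version: 3.154.1
    values:
      - ../config/datadog.yaml.gotmpl
      - ../config/datadog_publick8s.yaml
      - ../config/datadog_confd_checksd.yaml
    secrets:
      - ../secrets/config/datadog/publick8s-secrets.yaml
  - name: cert-manager
    namespace: cert-manager
    chart: jetstack/cert-manager
    version: v1.19.2
    values:
      - ../config/cert-manager.yaml
      - ../config/cert-manager_publick8s.yaml
  - name: acme
    namespace: cert-manager
    chart: jenkins-infra/acme
    version: 0.1.4
    needs:
      - cert-manager
    values:
      - ../config/acme.yaml
    secrets:
      - ../secrets/config/acme/secrets.yaml
  - name: public-nginx-ingress
    namespace: public-nginx-ingress
    chart: ingress-nginx/ingress-nginx
    version: 4.11.8
    values:
      - ../config/public-nginx-ingress__common.yaml
      - ../config/publick8s_public-nginx-ingress.yaml
  - name: private-nginx-ingress
    namespace: private-nginx-ingress
    chart: ingress-nginx/ingress-nginx
    version: 4.11.8
    values:
      - ../config/private-nginx-ingress__common.yaml
      - ../config/publick8s_private-nginx-ingress.yaml
  - name: falco
    namespace: falco
    chart: falco/falco
    version: 7.0.2
    values:
      - ../config/publick8s_falco.yaml
  - name: weekly-ci-jenkins-io
    namespace: weekly-ci-jenkins-io
    chart: jenkins/jenkins
    version: 5.8.114
    needs:
      - public-nginx-ingress/public-nginx-ingress # Required to expose both the UI and the webhooks endpoint
    values:
      - ../config/publick8s_weekly-ci-jenkins-io.yaml
    secrets:
      - ../secrets/config/weekly.ci.jenkins.io/jenkins-secrets.yaml
  - name: javadoc-jenkins-io
    namespace: javadoc-jenkins-io
    chart: jenkins-infra/nginx-website
    version: 0.6.0
    values:
      - ../config/publick8s_javadoc-jenkins-io.yaml
  - name: wiki-jenkins-io
    namespace: wiki-jenkins-io
    chart: jenkins-infra/wiki
    version: 0.8.1
    values:
      - ../config/publick8s_wiki.yaml
  - name: ldap-jenkins-io
    namespace: ldap-jenkins-io
    chart: jenkins-infra/ldap
    version: 4.2.5
    values:
      - ../config/publick8s_ldap-jenkins-io.yaml
    secrets:
      - ../secrets/config/ldap/secrets.yaml
  - name: admin-accounts-jenkins-io
    namespace: admin-accounts-jenkins-io
    chart: codecentric/keycloak
    version: 18.10.0
    values:
      - ../config/publick8s_admin-accounts-jenkins-io.yaml
    needs:
      - ldap-jenkins-io/ldap-jenkins-io
    secrets:
      - ../secrets/config/keycloak/public-db-secrets.yaml
      - ../secrets/config/keycloak/http-secrets.yaml
  - name: plugin-health-jenkins-io
    namespace: plugin-health-jenkins-io
    chart: jenkins-infra/plugin-health-scoring
    version: 3.1.3
    values:
      - ../config/publick8s_plugin-health-jenkins-io.yaml
    secrets:
      - ../secrets/config/plugin-health-scoring/secrets.yaml
  - name: incrementals-jenkins-io
    namespace: incrementals-jenkins-io
    chart: jenkins-infra/incrementals-publisher
    version: 0.8.2
    values:
      - ../config/publick8s_incrementals-jenkins-io.yaml
    secrets:
      - ../secrets/config/incrementals-publisher/secrets.yaml
  - name: rating-jenkins-io
    namespace: rating-jenkins-io
    chart: jenkins-infra/rating
    version: 0.5.2
    values:
      - ../config/publick8s_rating-jenkins-io.yaml
    secrets:
      - ../secrets/config/rating/secrets.yaml
  - name: uplink-jenkins-io
    namespace: uplink-jenkins-io
    chart: jenkins-infra/uplink
    version: 1.2.0
    values:
      - ../config/publick8s_uplink-jenkins-io.yaml
    secrets:
      - ../secrets/config/uplink/secrets.yaml
  - name: reports-jenkins-io
    namespace: reports-jenkins-io
    chart: jenkins-infra/nginx-website
    version: 0.6.0
    values:
      - ../config/publick8s_reports-jenkins-io.yaml
  - name: builds-reports-jenkins-io
    namespace: builds-reports-jenkins-io
    chart: jenkins-infra/nginx-website
    version: 0.6.0
    values:
      - ../config/publick8s_builds-reports-jenkins-io.yaml
  - name: accounts-jenkins-io
    namespace: accounts-jenkins-io
    chart: jenkins-infra/accountapp
    version: 0.10.18
    needs:
      - ldap-jenkins-io/ldap-jenkins-io
    values:
      - ../config/publick8s_accounts-jenkins-io.yaml
    secrets:
      - ../secrets/config/accountapp/secrets.yaml
  - name: get-jenkins-io-mirrorbits
    namespace: get-jenkins-io
    chart: jenkins-infra/mirrorbits
    version: 5.10.3
    values:
      - ../config/publick8s_get-jenkins-io-mirrorbits.yaml
    secrets:
      - ../secrets/config/get-jenkins-io/mirrorbits-secrets.yaml
  - name: get-jenkins-io-httpd
    namespace: get-jenkins-io
    chart: jenkins-infra/httpd
    version: 2.0.1
    values:
      - ../config/publick8s_get-jenkins-io-httpd.yaml
  - name: plugin-site-issues-jenkins-io
    namespace: plugin-site-issues-jenkins-io
    chart: jenkins-infra/plugin-site-issues
    version: 0.4.7
    values:
      - ../config/publick8s_plugin-site-issues-jenkins-io.yaml
    secrets:
      - ../secrets/config/plugin-site-issues/secrets.yaml
  - name: plugins-jenkins-io
    namespace: plugins-jenkins-io
    chart: jenkins-infra/plugin-site
    version: 0.5.2
    values:
      - ../config/publick8s_plugins-jenkins-io.yaml
    secrets:
      - ../secrets/config/plugins-jenkins-io/secrets.yaml
  - name: www-jenkins-io
    namespace: www-jenkins-io
    chart: jenkins-infra/nginx-website
    version: 0.6.0
    values:
      - ../config/publick8s_www-jenkins-io.yaml
  - name: issue-redirect-jenkins-io
    namespace: issue-redirect-jenkins-io
    chart: jenkins-infra/nginx-website
    version: 0.6.0
    values:
      - ../config/publick8s_issue-redirect-jenkins-io.yaml
  - name: ipv6-lb-service
    namespace: public-nginx-ingress
    chart: jenkins-infra/ipv6-lb-service
    version: 1.0.1
    needs:
      - public-nginx-ingress/public-nginx-ingress
    values:
      - ../config/publick8s_ipv6-lb-service.yaml
  - name: updates-jenkins-io-content
    namespace: updates-jenkins-io
    chart: jenkins-infra/mirrorbits
    version: 5.10.3
    values:
      - ../config/publick8s_updates-jenkins-io-content.yaml
    secrets:
      - ../secrets/config/updates.jenkins.io/secrets.yaml
  # Can be removed once mirrorbits support scanning through s3 - https://github.com/etix/mirrorbits/issues/141
  - name: updates-jenkins-io-rsync
    namespace: updates-jenkins-io
    chart: jenkins-infra/rsyncd
    version: 3.2.6
    values:
      - ../config/publick8s_updates-jenkins-io-rsync.yaml
  - name: updates-jenkins-io-redirections
    namespace: updates-jenkins-io
    chart: jenkins-infra/httpd
    version: 2.0.1
    values:
      - ../config/publick8s_updates-jenkins-io-redirections.yaml
  - name: contributors-jenkins-io
    namespace: contributors-jenkins-io
    chart: jenkins-infra/nginx-website
    version: 0.6.0
    values:
      - ../config/publick8s_contributors-jenkins-io.yaml
  - name: docs-jenkins-io
    namespace: docs-jenkins-io
    chart: jenkins-infra/nginx-website
    version: 0.6.0
    values:
      - ../config/publick8s_docs-jenkins-io.yaml
  - name: stats-jenkins-io
    namespace: stats-jenkins-io
    chart: jenkins-infra/nginx-website
    version: 0.6.0
    values:
      - ../config/publick8s_stats-jenkins-io.yaml
  - name: redis
    namespace: redis
    chart: dandydev/redis-ha
    version: 4.34.13
    values:
      - ../config/publick8s_redis.yaml
    secrets:
      - ../secrets/config/redis/publick8s-secrets.yaml
  - name: staging-pkg-origin-jenkins-io
    namespace: staging-pkg-origin-jenkins-io
    chart: jenkins-infra/nginx-website
    version: 0.6.0
    values:
      - ../config/publick8s_staging-pkg-origin-jenkins-io.yaml
  - name: staging-get-jenkins-io
    namespace: staging-get-jenkins-io
    chart: jenkins-infra/nginx-website
    version: 0.6.0
    values:
      - ../config/publick8s_staging-get-jenkins-io.yaml
  - name: pkg-origin-jenkins-io
    namespace: pkg-origin-jenkins-io
    chart: jenkins-infra/nginx-website
    version: 0.6.0
    values:
      - ../config/publick8s_pkg-origin-jenkins-io.yaml

--------------------------------------------------------------------------------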