From ecca73ae416cf2700ef41049ff5d2cff4a9df6f9 Mon Sep 17 00:00:00 2001 From: lusyoe Date: Mon, 16 Jul 2018 10:40:08 +0800 Subject: [PATCH] update jenkins and plugins (#258) --- manifests/jenkins/Chart.yaml | 4 +-- manifests/jenkins/README.md | 25 ++++++------- manifests/jenkins/templates/config.yaml | 11 +++--- .../templates/jenkins-master-deployment.yaml | 13 +++++-- manifests/jenkins/values.yaml | 36 +++++++++++++------ 5 files changed, 59 insertions(+), 30 deletions(-) diff --git a/manifests/jenkins/Chart.yaml b/manifests/jenkins/Chart.yaml index f0d539039..c6033f312 100644 --- a/manifests/jenkins/Chart.yaml +++ b/manifests/jenkins/Chart.yaml @@ -1,7 +1,7 @@ name: jenkins home: https://jenkins.io/ -version: 0.16.1 -appVersion: 2.107 +version: 0.16.6 +appVersion: 2.121.1 description: Open source continuous integration server. It supports multiple SCM tools including CVS, Subversion and Git. It can execute Apache Ant and Apache Maven-based projects as well as arbitrary scripts. diff --git a/manifests/jenkins/README.md b/manifests/jenkins/README.md index ce9b5e3d0..8757c3996 100644 --- a/manifests/jenkins/README.md +++ b/manifests/jenkins/README.md 
@@ -33,23 +33,24 @@ The following tables list the configurable parameters of the Jenkins chart and t | `Master.Name` | Jenkins master name | `jenkins-master` | | `Master.Image` | Master image name | `jenkinsci/jenkins` | | `Master.ImageTag` | Master image tag | `lts` | -| `Master.ImagePullPolicy` | Master image pull policy | `IfNotPresent` | +| `Master.ImagePullPolicy` | Master image pull policy | `Always` | | `Master.ImagePullSecret` | Master image pull secret | Not set | | `Master.Component` | k8s selector key | `jenkins-master` | | `Master.UseSecurity` | Use basic security | `true` | | `Master.AdminUser` | Admin username (and password) created as a secret if useSecurity is true | `admin` | -| `Master.Cpu` | Master requested cpu | `200m` | -| `Master.Memory` | Master requested memory | `512Mi` | +| `Master.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 50m, memory: 256Mi}, limits: {cpu: 2000m, memory: 2048Mi}}`| | `Master.InitContainerEnv` | Environment variables for Init Container | Not set | | `Master.ContainerEnv` | Environment variables for Jenkins Container | Not set | +| `Master.UsePodSecurityContext` | Enable pod security context (must be `true` if `RunAsUser` or `FsGroup` are set) | `true` | | `Master.RunAsUser` | uid that jenkins runs with | `0` | | `Master.FsGroup` | uid that will be used for persistent volume | `0` | | `Master.ServiceAnnotations` | Service annotations | `{}` | -| `Master.ServiceType` | k8s service type | `ClusterIP` | +| `Master.ServiceType` | k8s service type | `LoadBalancer` | | `Master.ServicePort` | k8s service port | `8080` | | `Master.NodePort` | k8s node port | Not set | | `Master.HealthProbes` | Enable k8s liveness and readiness probes | `true` | -| `Master.HealthProbesTimeout` | Set the timeout for the liveness and readiness probes | `120` | +| `Master.HealthProbesLivenessTimeout` | Set the timeout for the liveness probe | `120` | +| `Master.HealthProbesReadinessTimeout` | Set the timeout for the 
readiness probe | `60` | | `Master.HealthProbeLivenessFailureThreshold` | Set the failure threshold for the liveness probe | `12` | | `Master.ContainerPort` | Master listening port | `8080` | | `Master.SlaveListenerPort` | Listening port for agents | `50000` | @@ -72,10 +73,11 @@ The following tables list the configurable parameters of the Jenkins chart and t | `Master.NodeSelector` | Node labels for pod assignment | `{}` | | `Master.Affinity` | Affinity settings | `{}` | | `Master.Tolerations` | Toleration labels for pod assignment | `{}` | +| `Master.PodAnnotations` | Annotations for master pod | `{}` | | `NetworkPolicy.Enabled` | Enable creation of NetworkPolicy resources. | `false` | | `NetworkPolicy.ApiVersion` | NetworkPolicy ApiVersion | `extensions/v1beta1` | -| `rbac.install` | Create service account and ClusterRoleBinding for Kubernetes plugin | `true` | -| `rbac.apiVersion` | RBAC API version | `v1` | +| `rbac.install` | Create service account and ClusterRoleBinding for Kubernetes plugin | `false` | +| `rbac.apiVersion` | RBAC API version | `v1beta1` | | `rbac.roleRef` | Cluster role name to bind to | `cluster-admin` | ### Jenkins Agent 
@@ -84,12 +86,11 @@ The following tables list the configurable parameters of the Jenkins chart and t | ----------------------- | ----------------------------------------------- | ---------------------- | | `Agent.AlwaysPullImage` | Always pull agent container image before build | `false` | | `Agent.Enabled` | Enable Kubernetes plugin jnlp-agent podTemplate | `true` | -| `Agent.Image` | Agent image name | `jenkins/jnlp-slave` | +| `Agent.Image` | Agent image name | `jenkinsci/jnlp-slave` | | `Agent.ImagePullSecret` | Agent image pull secret | Not set | -| `Agent.ImageTag` | Agent image tag | `latest` | +| `Agent.ImageTag` | Agent image tag | `2.62` | | `Agent.Privileged` | Agent privileged container | `false` | -| `Agent.Cpu` | Agent requested cpu | `200m` | -| `Agent.Memory` | Agent requested memory | `256Mi` | +| `Agent.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 200m, memory: 256Mi}, limits: {cpu: 200m, memory: 256Mi}}`| | `Agent.volumes` | Additional volumes | `nil` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. @@ -149,7 +150,7 @@ It is possible to mount several volumes using `Persistence.volumes` and `Persist | `Persistence.Size` | The size of the PVC | `8Gi` | | `Persistence.volumes` | Additional volumes | `nil` | | `Persistence.mounts` | Additional mounts | `nil` | -| `Persistence.StorageClass` | The PV Provisioner | `nfs-dynamic-class`| +| `Persistence.StorageClass` | The PV Provisioner | `nfs-dynamic-class`| #### Existing PersistentVolumeClaim diff --git a/manifests/jenkins/templates/config.yaml b/manifests/jenkins/templates/config.yaml index 03d69fb65..bdcf238ac 100644 --- a/manifests/jenkins/templates/config.yaml +++ b/manifests/jenkins/templates/config.yaml 
@@ -67,10 +67,13 @@ data: ${computer.jnlpmac} ${computer.name} false - {{.Values.Agent.Cpu}} - {{.Values.Agent.Memory}} - {{.Values.Agent.Cpu}} - {{.Values.Agent.Memory}} + # Resources configuration is a little hacky. This was to prevent breaking + # changes, and should be cleanned up in the future once everybody had + # enough time to migrate. + {{.Values.Agent.Cpu | default .Values.Agent.resources.requests.cpu}} + {{.Values.Agent.Memory | default .Values.Agent.resources.requests.memory}} + {{.Values.Agent.Cpu | default .Values.Agent.resources.limits.cpu}} + {{.Values.Agent.Memory | default .Values.Agent.resources.limits.memory}} diff --git a/manifests/jenkins/templates/jenkins-master-deployment.yaml b/manifests/jenkins/templates/jenkins-master-deployment.yaml index 798f415f4..fcda37320 100644 --- a/manifests/jenkins/templates/jenkins-master-deployment.yaml +++ b/manifests/jenkins/templates/jenkins-master-deployment.yaml @@ -24,6 +24,9 @@ spec: component: "{{ .Release.Name }}-{{ .Values.Master.Component }}" annotations: checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }} + {{- if .Values.Master.PodAnnotations }} +{{ toYaml .Values.Master.PodAnnotations | indent 8 }} + {{- end }} spec: {{- if .Values.Master.NodeSelector }} nodeSelector: @@ -37,12 +40,14 @@ spec: affinity: {{ toYaml .Values.Master.Affinity | indent 8 }} {{- end }} +{{- if .Values.Master.UsePodSecurityContext }} securityContext: runAsUser: {{ default 0 .Values.Master.RunAsUser }} {{- if and (.Values.Master.RunAsUser) (.Values.Master.FsGroup) }} {{- if not (eq .Values.Master.RunAsUser 0.0) }} fsGroup: {{ .Values.Master.FsGroup }} {{- end }} +{{- end }} {{- end }} serviceAccountName: {{ if .Values.rbac.install }}{{ template "jenkins.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }} initContainers: 
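Review bot: The three added `# Resources configuration is a little hacky…` lines sit inside the ConfigMap's `data:` payload, not in the template, so they are rendered into the generated Jenkins configuration as literal text. If that payload is the XML pod-template config that the `${computer.jnlpmac}` lines suggest, `#` does not start a comment there. A template comment keeps the explanation out of the output, for example `{{- /* Agent.Cpu and Agent.Memory are legacy keys; fall back to Agent.resources until users have migrated. */}}`. The enclosing template block starts and ends outside the hunk.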
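Review bot: Gating the whole `securityContext` block on `.Values.Master.UsePodSecurityContext` makes it disappear by default, as far as the visible hunks show. The values.yaml hunk adds the key only as a comment (`# UsePodSecurityContext: true`), while the README hunk documents its default as `true`. With the key unset the `if` is false, so `RunAsUser` and `FsGroup` overrides are silently ignored and the pod runs as whatever user the image defines. Shipping `UsePodSecurityContext: true` uncommented in values.yaml would make the chart match its documentation. When the block is rendered, `runAsUser: {{ default 0 .Values.Master.RunAsUser }}` still falls back to uid 0, so a non-root default such as the `1000` mentioned in the values.yaml comments is worth considering.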
@@ -128,19 +133,23 @@ spec: httpGet: path: /login port: http - initialDelaySeconds: {{ .Values.Master.HealthProbesTimeout }} + initialDelaySeconds: {{ .Values.Master.HealthProbesLivenessTimeout }} timeoutSeconds: 5 failureThreshold: {{ .Values.Master.HealthProbeLivenessFailureThreshold }} readinessProbe: httpGet: path: /login port: http - initialDelaySeconds: {{ .Values.Master.HealthProbesTimeout }} + initialDelaySeconds: {{ .Values.Master.HealthProbesReadinessTimeout }} {{- end }} resources: +{{ if or .Values.Master.Cpu .Values.Master.Memory }} requests: cpu: "{{ .Values.Master.Cpu }}" memory: "{{ .Values.Master.Memory }}" +{{ else }} +{{ toYaml .Values.Master.resources | indent 12 }} +{{ end }} volumeMounts: {{- if .Values.Persistence.mounts }} {{ toYaml .Values.Persistence.mounts | indent 12 }} diff --git a/manifests/jenkins/values.yaml b/manifests/jenkins/values.yaml index c2c6c6611..9585da5c7 100644 --- a/manifests/jenkins/values.yaml +++ b/manifests/jenkins/values.yaml @@ -18,8 +18,13 @@ Master: UseSecurity: true AdminUser: admin AdminPassword: admin - Cpu: "200m" - Memory: "512Mi" + resources: + requests: + cpu: "50m" + memory: "256Mi" + limits: + cpu: "2000m" + memory: "2048Mi" # Environment variables that get added to the init container (useful for e.g. http_proxy) # InitContainerEnv: # - name: http_proxy @@ -31,6 +36,10 @@ Master: # JavaOpts: "-Xms512m -Xmx512m" # JenkinsOpts: "" # JenkinsUriPrefix: "/jenkins" + + # Enable pod security context (must be `true` if RunAsUser or FsGroup are set) + # UsePodSecurityContext: true + # Set RunAsUser to 1000 to let Jenkins run as non-root user 'jenkins' which exists in 'jenkins/jenkins' docker image. # When setting RunAsUser to a different value than 0 also set FsGroup to the same value: # RunAsUser: @@ -47,9 +56,10 @@ Master: # NodePort:
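Review bot: The legacy branch under `resources:` is entered when either `Master.Cpu` or `Master.Memory` is set but renders both, so setting only one yields an empty quantity such as `memory: ""` for the other. That branch also never emits `limits`, which leaves the master container unbounded for users still on the old keys. A per-key fallback, as config.yaml does for the agent, avoids both: `cpu: "{{ .Values.Master.Cpu | default .Values.Master.resources.requests.cpu }}"`, the same for `memory`, with `limits` taken from `Master.resources.limits`. The probe change in this hunk drops `Master.HealthProbesTimeout` without such a fallback, so existing overrides of that key are ignored. `initialDelaySeconds` then depends on the new keys having defaults in values.yaml, which this page does not show; the container spec continues outside the hunk.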
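Review bot: The defaults around the new `resources:` block still ship `AdminUser: admin` together with `AdminPassword: admin`, and the README hunk in this commit documents `Master.ServiceType` as `LoadBalancer`. An install with untouched values could therefore put a publicly known credential on an externally reachable service. Take the password out of the chart defaults, e.g. `# AdminPassword: <set at install time>`, and let the secret template require or generate a value when it is missing. Whether that template already handles an unset password is not visible on this page.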